Added a section-by-section PE comparison that reads the executable from disk, parses its PE section table, and compares each section against the mapped image in memory using SHA-256 hashes. It detects modified code sections (more than 5% difference from the on-disk copy), PE sections that are missing from memory, and section hash mismatches. This catches hollowing techniques that rewrite specific code sections while leaving the PE header structure intact.
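[package]
name = "ghost-core"
version.workspace = true
# Remaining [package] keys kept alphabetical (Cargo convention). All are
# inherited from the workspace root, so edition/license changes happen there.
authors.workspace = true
edition.workspace = true
license.workspace = true

# Platform-independent dependencies, sorted alphabetically. Version strings are
# caret ranges ("1.0" means >=1.0.0, <2.0.0); the exact patch level comes from
# Cargo.lock, so run `cargo audit` / `cargo deny check advisories` against the
# lockfile rather than relying on these ranges to exclude known-bad releases.
[dependencies]
anyhow.workspace = true
chrono = "0.4"
log.workspace = true
serde = { version = "1.0", features = ["derive"] }
serde_json = "1.0"
# SHA-256 digests of PE sections, used to compare the on-disk image with the
# mapped in-memory one (the section-level process-hollowing check).
sha2 = "0.10"
thiserror.workspace = true
# NOTE(review): "full" turns on every tokio feature. Narrowing this to the
# runtime/io features the crate actually uses would shrink the build and the
# amount of code linked into a privileged scanner -- confirm against usage.
tokio = { version = "1.0", features = ["full"] }
toml = "0.8"
uuid = { version = "1.0", features = ["v4"] }
# Binds libyara; the rule compiler and scanner parse attacker-controlled bytes,
# so keep the linked libyara patched. Which libyara is used (vendored or
# system) depends on this crate's build configuration -- confirm in CI.
yara = "0.28"

# No PE-parsing crate (goblin/pelite/object) is listed, so the section-table
# parsing described in the commit message appears to be hand-rolled. Both the
# on-disk file and the remote process image are attacker-influenced; every
# slice derived from NumberOfSections, PointerToRawData, SizeOfRawData or
# VirtualAddress/VirtualSize must be bounds-checked before it is used.
[target.'cfg(windows)'.dependencies]
windows = { version = "0.58", features = [
    # presumably: process/module snapshots (ToolHelp), ReadProcessMemory
    # (Diagnostics_Debug), VirtualQueryEx (Memory) and module enumeration
    # (ProcessStatus) -- TODO confirm against the actual call sites
    "Win32_Foundation",
    "Win32_Security",
    "Win32_System_Diagnostics_Debug",
    "Win32_System_Diagnostics_ToolHelp",
    "Win32_System_LibraryLoader",
    "Win32_System_Memory",
    "Win32_System_ProcessStatus",
    "Win32_System_Threading",
    "Win32_UI_WindowsAndMessaging",
] }

[target.'cfg(unix)'.dependencies]
libc = "0.2"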