47 lines
1.1 KiB
Markdown
# Ghost

Cross-platform process injection detection framework.

## Overview

Ghost is a real-time detection system for identifying process injection techniques across Windows, Linux, and macOS platforms. It combines kernel-level monitoring with behavioral analysis to detect advanced injection methods.
## Architecture

- **ghost-core**: Core detection engine and platform abstraction
- **ghost-drivers**: Platform-specific kernel components
- **ghost-tui**: Terminal user interface
- **ghost-lib**: Shared libraries and utilities
- **ghost-rules**: Detection rules and signatures
## Supported Techniques

### Windows

- Classic DLL injection (CreateRemoteThread)
- APC injection (NtQueueApcThread)
- Process hollowing
- Thread hijacking
- SetWindowsHookEx injection
- Reflective DLL injection

### Linux

- ptrace injection
- LD_PRELOAD manipulation
- process_vm_writev injection
- Shared memory injection

### macOS

- DYLD_INSERT_LIBRARIES
- task_for_pid injection
- Mach port manipulation
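As an added example of the kind of rule the `ghost-rules` component would carry for the Linux techniques listed above (this is not Ghost's own code): a small rule set in Rust evaluated over constructed syscall events. The `Event` shape, the ptrace request names as strings and the trusted library prefixes are assumptions.

```rust
// Added example, not Ghost's own code; Event shape and trusted prefixes are assumptions.
#[derive(Debug, Clone, PartialEq)]
pub enum Event {
    /// process_vm_writev issued by `caller` against `target`
    VmWrite { caller: u32, target: u32 },
    /// ptrace request by `caller`; `is_child` marks the ordinary debugger case
    Ptrace { caller: u32, target: u32, request: &'static str, is_child: bool },
    /// execve, with the LD_PRELOAD value from the new environment if set
    Exec { pid: u32, ld_preload: Option<String> },
}

#[derive(Debug, PartialEq)]
pub struct Alert { pub pid: u32, pub technique: &'static str }

/// Directories from which an LD_PRELOAD entry is considered expected.
const TRUSTED_LIB_PREFIXES: &[&str] = &["/lib/", "/lib64/", "/usr/lib/"];

/// Evaluate one event against the rules; None means no finding.
pub fn evaluate(ev: &Event) -> Option<Alert> {
    match ev {
        // Writing another process's memory is the technique; self-writes are benign.
        Event::VmWrite { caller, target } if caller != target =>
            Some(Alert { pid: *caller, technique: "process_vm_writev injection" }),
        // Memory-writing ptrace requests against a non-child are not ordinary debugging.
        Event::Ptrace { caller, request, is_child: false, .. }
            if matches!(*request, "PTRACE_POKETEXT" | "PTRACE_POKEDATA") =>
            Some(Alert { pid: *caller, technique: "ptrace injection" }),
        // LD_PRELOAD pointing outside the system library directories.
        Event::Exec { pid, ld_preload: Some(path) }
            if !TRUSTED_LIB_PREFIXES.iter().any(|p| path.starts_with(*p)) =>
            Some(Alert { pid: *pid, technique: "LD_PRELOAD manipulation" }),
        _ => None,
    }
}

/// Run every event through the rules and collect the findings.
pub fn scan(events: &[Event]) -> Vec<Alert> {
    events.iter().filter_map(evaluate).collect()
}

/// Constructed sample stream: two benign events followed by three findings.
pub fn sample_events() -> Vec<Event> {
    vec![
        Event::VmWrite { caller: 1000, target: 1000 },
        Event::Ptrace { caller: 1100, target: 1101, request: "PTRACE_POKETEXT", is_child: true },
        Event::VmWrite { caller: 1000, target: 2042 },
        Event::Ptrace { caller: 1100, target: 2042, request: "PTRACE_POKEDATA", is_child: false },
        Event::Exec { pid: 1201, ld_preload: Some("/tmp/injected.so".into()) },
    ]
}
```

A real deployment would feed `evaluate` from the kernel event source described in the Overview and would need the parent/child relationship resolved from process metadata rather than supplied in the event.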
## Building

```bash
cargo build --release
```

## Status

Early development. Windows support in progress.