admin/ghost
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d6eeb9e018822e38a30cc187eebba5ca65f50462
ghost/README.md

7.1 KiB
Raw Blame History

Ghost

Cross-platform process injection detection framework written in Rust.

Overview

Ghost is a security framework for detecting process injection, memory manipulation, and suspicious process behavior. It provides memory analysis, behavioral monitoring, and MITRE ATT&CK technique mapping for security research and defensive purposes.

Features

  • Memory Analysis: RWX region detection, shellcode pattern scanning, memory protection analysis
  • MITRE ATT&CK Mapping: Technique identification using the ATT&CK framework
  • Cross-platform Support:
    • Windows: Process enumeration, memory reading (ReadProcessMemory), thread analysis (NtQueryInformationThread), inline hook detection, PE header validation
    • Linux: Process enumeration via procfs, memory region analysis (/proc/[pid]/maps), thread state monitoring, LD_PRELOAD detection, ptrace detection
    • macOS: Process enumeration via sysctl/KERN_PROC_ALL
  • Real-time Monitoring: Continuous scanning with configurable intervals
  • Threat Intelligence: IOC storage and correlation framework

Architecture

ghost/
├── ghost-core/     # Core detection engine and platform abstractions
├── ghost-cli/      # Command-line interface
├── ghost-tui/      # Interactive terminal UI (Ratatui-based)
├── examples/       # Configuration examples
└── docs/           # Technical documentation

Core Modules

  • Detection Engine (detection.rs): Orchestrates analysis and threat scoring
  • Memory Analysis (memory.rs): Platform-specific memory enumeration and reading
  • Process Enumeration (process.rs): Cross-platform process listing
  • Thread Analysis (thread.rs): Thread enumeration with start address and creation time
  • Hook Detection (hooks.rs): Inline hook detection via JMP pattern analysis
  • MITRE ATT&CK (mitre.rs): Technique mapping and categorization
  • Configuration (config.rs): TOML-based configuration with validation

Supported Detection Techniques

Process Injection (T1055)

  • RWX memory region detection
  • Private executable memory analysis
  • Thread count anomaly detection
  • Inline hook detection (JMP patches on ntdll.dll, kernel32.dll, user32.dll)
  • LD_PRELOAD and LD_LIBRARY_PATH detection (Linux)
  • Ptrace injection detection (Linux)
  • SetWindowsHookEx hook enumeration
  • Thread hijacking indicators (T1055.003)
  • Process hollowing detection with PE header validation (T1055.012)

Memory Analysis

  • Memory protection flags (R/W/X combinations)
  • Region type classification (IMAGE, PRIVATE, MAPPED, HEAP, STACK)
  • Small executable region detection (shellcode indicators)
  • Memory region size anomalies

Behavioral Monitoring

  • Thread count changes from baseline
  • New thread creation detection
  • Process parent-child relationships
  • System process identification

Installation

Requirements

  • Rust 1.70+ (stable)
  • Platform-specific dependencies:
    • Windows: MSVC Build Tools, Windows SDK
    • Linux: GCC/Clang, libelf-dev (for eBPF)
    • macOS: Xcode Command Line Tools

Building

# Release build (recommended)
cargo build --release

# Development build
cargo build

# Run tests
cargo test

# Generate documentation
cargo doc --open

Usage

CLI

# Basic scan
cargo run --bin ghost-cli

# Target specific process
cargo run --bin ghost-cli -- --pid 1234

# JSON output
cargo run --bin ghost-cli -- --format json

# Load custom configuration
cargo run --bin ghost-cli -- --config examples/ghost.toml

# Show MITRE ATT&CK statistics
cargo run --bin ghost-cli -- --mitre-stats

# Verbose output with debug logging
cargo run --bin ghost-cli -- -v -d

TUI (Terminal User Interface)

cargo run --bin ghost-tui

The TUI provides:

  • Real-time process monitoring dashboard
  • Detection history with threat levels
  • System statistics and performance metrics
  • Interactive process exploration
  • Live system logs

Keyboard Controls:

  • Tab: Switch between views
  • Up/Down: Navigate lists
  • Enter: Select item
  • R: Force refresh
  • C: Clear history
  • Q: Quit

Configuration

Create a configuration file (see examples/ghost.toml):

shellcode_detection = true
hollowing_detection = true
hook_detection = true
confidence_threshold = 0.3
skip_system_processes = true
max_memory_scan_size = 104857600  # 100MB
thread_analysis_enabled = true
evasion_detection = true
mitre_mapping = true
scan_interval_ms = 2000

Exit Codes

  • 0: Clean scan, no suspicious activity
  • 1: Suspicious processes found
  • 2: Error occurred during scanning

Performance

Ghost is designed for low-overhead monitoring:

  • Memory enumeration: <100ms per process
  • Thread analysis: <50ms per process
  • Detection engine: <10ms per analysis
  • Full system scan: <5s for 200 processes

Documentation

License

MIT License. See LICENSE for details.

Contributing

Contributions are welcome. Please read CONTRIBUTING.md for guidelines on:

  • Code style (rustfmt, clippy)
  • Performance requirements
  • Testing standards
  • Pull request process

Security

Please review SECURITY.md for:

  • Responsible disclosure policy
  • Security considerations
  • Threat model

Platform Support Matrix

Feature Windows Linux macOS
Process Enumeration CreateToolhelp32Snapshot /proc filesystem sysctl KERN_PROC_ALL
Memory Enumeration VirtualQueryEx /proc/[pid]/maps Not implemented
Memory Reading ReadProcessMemory /proc/[pid]/mem Not implemented
Thread Enumeration Thread32First/Next /proc/[pid]/task Not implemented
Thread Start Address NtQueryInformationThread /proc/[pid]/task/[tid]/syscall Not implemented
Thread Creation Time GetThreadTimes /proc/[pid]/task/[tid]/stat Not implemented
Hook Detection Inline JMP pattern scanning LD_PRELOAD/ptrace detection Not applicable
PE Header Validation Full PE validation Not applicable Not applicable
Process Path GetProcessImageFileNameW /proc/[pid]/exe proc_pidpath

Status

Active development. Core detection engine functional with cross-platform abstractions. Windows support most complete. Linux support via procfs. macOS has process enumeration but limited memory/thread analysis.

Known Limitations

  • macOS memory enumeration and reading not yet implemented (requires vm_read and mach_vm_region)
  • Windows SetWindowsHookEx chain enumeration requires parsing undocumented USER32.dll structures
  • Shellcode pattern matching currently uses heuristics (no actual signature database)
  • No kernel-level monitoring (all userspace APIs)
Reference in New Issue View Git Blame Copy Permalink