Patriot

Small research project for detecting various kinds of in-memory stealth techniques.

For the v0.1 release, we detect Ekko by searching memory for timers which point to NtContinue. Hat tip to Austin Hudson for his excellent research on the topic.

Version v0.2 adds a capability for identifying suspicious CONTEXT structures. These are used in ROP chains to modify memory region protections.

Future improvements should include optimizations to reduce scan time, enumeration of thread pool timers and APCs, and checks for related functions such as RtlRestoreContext.
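As an added illustration of the v0.2 check described above (example code, not Patriot's own), the scanner below walks a raw memory image for x64 CONTEXT records whose Rip points at a protection-changing API and decodes the protection the chain asks for. The field offsets are the documented winnt.h CONTEXT layout; the choice of VirtualProtect as the target API, its address, and the sample region are constructed assumptions.

```python
import struct

# Field offsets inside the x64 CONTEXT structure (winnt.h layout).
OFF_FLAGS, OFF_RCX, OFF_RDX, OFF_R8, OFF_R9, OFF_RIP = 0x30, 0x80, 0x88, 0xB8, 0xC0, 0xF8
CONTEXT_SIZE = 0x4D0           # sizeof(CONTEXT) on x64
CONTEXT_AMD64 = 0x00100000     # high bits every x64 ContextFlags value carries
PROTECT_NAMES = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}

def find_suspicious_contexts(image, base, protect_apis):
    """Scan a raw memory image (bytes of a region mapped at `base`) for CONTEXT
    records whose Rip points at a protection-changing API. `protect_apis` maps
    API name -> address, resolved by the caller. Returns one dict per hit."""
    api_by_addr = {addr: name for name, addr in protect_apis.items()}
    hits = []
    # CONTEXT is 16-byte aligned, so only aligned offsets can hold one.
    for off in range(0, len(image) - CONTEXT_SIZE + 1, 16):
        flags, = struct.unpack_from("<I", image, off + OFF_FLAGS)
        if (flags & 0xFFFF0000) != CONTEXT_AMD64:
            continue                                   # cheap pre-filter
        rip, = struct.unpack_from("<Q", image, off + OFF_RIP)
        if rip not in api_by_addr:
            continue
        rcx, rdx, r8, r9 = (struct.unpack_from("<Q", image, off + o)[0]
                            for o in (OFF_RCX, OFF_RDX, OFF_R8, OFF_R9))
        # x64 calling convention: VirtualProtect(RCX=lpAddress, RDX=dwSize,
        # R8=flNewProtect, R9=lpflOldProtect), so the requested protection is R8.
        hits.append({"context_va": base + off, "api": api_by_addr[rip],
                     "region": rcx, "size": rdx, "old_protect_ptr": r9,
                     "new_protect": PROTECT_NAMES.get(r8, hex(r8)),
                     "executable": r8 in (0x10, 0x20, 0x40, 0x80)})
    return hits

def _fake_context(flags, rcx, rdx, r8, r9, rip):
    """Build a CONTEXT-sized blob with only the fields the scanner reads set."""
    ctx = bytearray(CONTEXT_SIZE)
    struct.pack_into("<I", ctx, OFF_FLAGS, flags)
    for off, val in ((OFF_RCX, rcx), (OFF_RDX, rdx), (OFF_R8, r8), (OFF_R9, r9), (OFF_RIP, rip)):
        struct.pack_into("<Q", ctx, off, val)
    return bytes(ctx)

# Constructed 16 KiB region: one planted ROP CONTEXT that would re-protect a
# 0x3000-byte region as RWX, plus a benign CONTEXT whose Rip is ordinary code.
FAKE_VIRTUALPROTECT = 0x7FFC_1234_5A60     # constructed address, not a real export
SAMPLE_BASE = 0x01E2_4C10_0000
SAMPLE_IMAGE = bytearray(0x4000)
SAMPLE_IMAGE[0x800:0x800 + CONTEXT_SIZE] = _fake_context(
    0x0010000B, 0x7FF6_0000_1000, 0x3000, 0x40, SAMPLE_BASE + 0x100, FAKE_VIRTUALPROTECT)
SAMPLE_IMAGE[0x2000:0x2000 + CONTEXT_SIZE] = _fake_context(0x0010000B, 0, 0, 0, 0, 0x7FF6_0000_2F00)
```

In a live scan, `image` would be read from the target process region by region and `protect_apis` resolved from its loaded modules; both are left to the caller here.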
