Small research project for detecting various kinds of in-memory stealth techniques.
Version v0.2 adds the ability to identify suspicious CONTEXT structures, which ROP chains use to change memory region protections.
Future improvements should include optimizations to reduce scan time, enumeration of thread pool timers and APCs, and checks for things like RtlRestoreContext as well.
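The CONTEXT-structure heuristic described above, as an added Python example that is not the project's own code: it walks a raw memory dump at 16-byte granularity, treats any record carrying the AMD64 context flag whose Rip points at a protection-changing export as a candidate, and reports the argument registers so an analyst can see the requested protection. The x64 CONTEXT offsets come from the winnt.h layout; the export address, the dump base and the planted record are constructed for the demo.

```python
import struct

# x64 CONTEXT layout from winnt.h (register offsets within the structure)
OFF_FLAGS, OFF_RCX, OFF_RDX, OFF_RSP = 0x30, 0x80, 0x88, 0x98
OFF_R8, OFF_R9, OFF_RIP = 0xB8, 0xC0, 0xF8
CONTEXT_SIZE = 0x4D0          # sizeof(CONTEXT) on x64
CONTEXT_AMD64 = 0x00100000    # every x64 CONTEXT carries this flag bit
EXEC_PROTECT_MASK = 0xF0      # PAGE_EXECUTE* values (0x10, 0x20, 0x40, 0x80)
# Register holding the new-protection argument for each API (x64 calling convention)
NEW_PROTECT_REG = {"VirtualProtect": "r8", "NtProtectVirtualMemory": "r9"}

def scan_for_suspicious_contexts(dump: bytes, base: int, api_addrs: dict) -> list:
    """Scan a dump read from the target process (starting at virtual address
    `base`) for plausible CONTEXT records whose Rip is one of the resolved
    protection APIs in `api_addrs` ({address: export name}). One dict per hit."""
    hits = []
    for off in range(0, len(dump) - CONTEXT_SIZE + 1, 16):  # CONTEXT is 16-byte aligned
        flags = struct.unpack_from("<I", dump, off + OFF_FLAGS)[0]
        if flags & CONTEXT_AMD64 != CONTEXT_AMD64:           # cheap pre-filter
            continue
        rip = struct.unpack_from("<Q", dump, off + OFF_RIP)[0]
        if rip not in api_addrs:
            continue
        regs = {n: struct.unpack_from("<Q", dump, off + o)[0] for n, o in
                (("rcx", OFF_RCX), ("rdx", OFF_RDX), ("rsp", OFF_RSP),
                 ("r8", OFF_R8), ("r9", OFF_R9))}
        api = api_addrs[rip]
        new_protect = regs[NEW_PROTECT_REG[api]]
        hits.append({"va": base + off, "api": api, "regs": regs,
                     "new_protect": new_protect,
                     "grants_exec": bool(new_protect & EXEC_PROTECT_MASK)})
    return hits

FAKE_VIRTUALPROTECT = 0x7FF812345670   # constructed address, not a real export

def build_demo_dump() -> bytes:
    """Constructed buffer with one planted CONTEXT at offset 0x200 that would
    call VirtualProtect(0x1F0000, 0x3000, PAGE_EXECUTE_READWRITE, &old)."""
    buf = bytearray(0x1000)
    ctx = 0x200
    struct.pack_into("<I", buf, ctx + OFF_FLAGS, 0x0010000B)   # CONTEXT_FULL
    struct.pack_into("<Q", buf, ctx + OFF_RIP, FAKE_VIRTUALPROTECT)
    struct.pack_into("<Q", buf, ctx + OFF_RCX, 0x1F0000)       # lpAddress
    struct.pack_into("<Q", buf, ctx + OFF_RDX, 0x3000)         # dwSize
    struct.pack_into("<Q", buf, ctx + OFF_R8, 0x40)            # PAGE_EXECUTE_READWRITE
    struct.pack_into("<Q", buf, ctx + OFF_R9, 0x1F3F00)        # lpflOldProtect
    return bytes(buf)

def demo() -> list:
    """Run the scan over the constructed dump mapped at a constructed base."""
    return scan_for_suspicious_contexts(build_demo_dump(), 0x20000000,
                                        {FAKE_VIRTUALPROTECT: "VirtualProtect"})
```

On a live target, `api_addrs` would be filled from the resolved exports of kernel32 and ntdll in that process, and each hit's `va` checked against the owning region.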