MapDetection

Detect manualmapped images remotely, without hassle

Confirmed Detections

Extreme Injector -> detected
Xenos -> detected (even with Add Loader reference enabled)

How does it work?

MapDetection has two modes, deep and quick.

Quick mode

Iterates every process thread, collecting allocation bases from thread starts and instruction pointers. It then scans every unique allocation base for any anomalies.

Deep mode

Run quick scan, then traverse the virtual memory space for any executable pages that do not belong to a module. (Will lead to false positives)

Anomalies MapDetection looks for

Valid PE headers (MZ signature, PE magic bytes and architecture)
Module is linked correctly to module list
Valid allocation type (MEM_IMAGE)
Valid allocation flags

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

README.md

README.md

MapDetection

Confirmed Detections

How does it work?

Quick mode

Deep mode

Anomalies MapDetection looks for

Example of a manually mapped, possibly malicious, image that was picked up by MapDetection

Files

README.md

Latest commit

History

README.md

File metadata and controls

MapDetection

Confirmed Detections

How does it work?

Quick mode

Deep mode

Anomalies MapDetection looks for

Example of a manually mapped, possibly malicious, image that was picked up by MapDetection