Memhunter : Live Hunting Of Code Injection Techniques

Memhunter is an endpoint sensor tool that is specialized in detecing resident malware, improving the threat hunter analysis process and remediation times. The tool detects and reports memory-resident malware living on endpoint processes. Memhunter detects known malicious memory injection techniques. The detection process is performed through live analysis and without needing memory dumps.

The tool was designed as a replacement of memory forensic volatility plugins such as malfind and hollowfind. The idea of not requiring memory dumps helps on performing the memory resident malware threat hunting at scale, without manual analysis, and without the complex infrastructure needed to move dumps to forensic environments.

The detection process is performed through a combination of endpoint data collection and memory inspection scanners. The tool is a standalone binary that, upon execution, deploys itself as a windows service. Once running as a service, memhunter starts the collection of ETW events that might indicate code injection attacks.

The live stream of collected data events is feed into memory inspection scanners that use detection heuristics to down select the potential attacks. The entire detection process does not require human intervention, neither memory dumps, and it can be performed by the tool itself at scale.

Besides the data collection and hunting heuristics, the project has also led to the creation of a companion tool called “minjector” that contains +15 code injection techniques. The minjector tool cannot onlybe used to exercise memhunter detections, but also as a one-stop location to learn on well-known code injection techniques out there.

Also Read – KsDumper : Dumping Processes Using The Power Of Kernel Space

Example 1: Manual run to exercise detection of reflective DLL injection

Example 2: Manual run to exercise detection of process hollowing injection

R K

Recent Posts

SpyAI : Intelligent Malware With Advanced Capabilities

SpyAI is a sophisticated form of malware that leverages advanced technologies to capture and analyze…

19 hours ago

Proxmark3 : The Ultimate Tool For RFID Security And Analysis

The Proxmark3 is a versatile, open-source tool designed for radio-frequency identification (RFID) security analysis, research,…

19 hours ago

Awesome Solana Security : Enhancing Program Development

The "Awesome Solana Security" collection is a comprehensive resource designed to help developers build more…

19 hours ago

IngressNightmare-POCs : Understanding The Vulnerability Exploitation Flow

The "IngressNightmare" vulnerabilities, disclosed in March 2025, represent a critical set of security issues affecting…

20 hours ago

AdaptixC2 : Enhancing Penetration Testing With Advanced Framework Capabilities

AdaptixC2 is an advanced post-exploitation and adversarial emulation framework designed specifically for penetration testers. It…

20 hours ago

Bincrypter : Enhancing Linux Binary Security through Runtime Encryption And Obfuscation

Bincrypter is a powerful Linux binary runtime crypter written in BASH. It is designed to…

20 hours ago