Releases: ignacioj/WhacAMole
File Version: 6.9.22.2531
Improved detection of suspicious callbacks in thread pools.
File Version: 6.9.1.2494
Shows information and alerts for DllNotificationCallbacks. See @dec0ne_DllNotificationInjection: https://shorsec.io/blog/dll-notification-injection/.
File Version: 6.8.25.2462
Information about remote RDP sessions is displayed.
File Version: 6.8.4.2430
- Added option "--nx": Used with -a/-p. Detected memory areas are never saved to files.
- Thread Name-Calling - using Thread Name for offense. New alert: [Thread-Suspicious Name].
https://research.checkpoint.com/2024/thread-name-calling-using-thread-name-for-offense/
https://github.com/hasherezade/thread_namecalling
File Version: 6.5.27.2315
- Displays Job Handle information.
- [Hook in weighted function]: Created a special alert for hooks in EtwEventWrite, AmsiScanBuffer, AmsiOpenSession, SleepEx and NtTraceEvent (https://www.mdsec.co.uk/2022/07/part-1-how-i-met-your-beacon-overview/, https://whiteknightlabs.com/2021/12/11/bypassing-etw-for-fun-and-profit/).
- Changed the alert [Modifications in exported functions] to [Hook in exported function].
- HTML file: the row with the process name now floats over its information area.
File Version: 6.5.21.2270
- PoolParty attack alert created (https://www.safebreach.com/blog/process-injection-using-windows-thread-pools/): [Handle-TpWorkerFactory PoolParty]. Limited to these attack variants:
  - Worker Factory Start Routine Overwrite
  - Remote TP_WORK Work Item Insertion
  - Remote TP_TIMER Work Item Insertion
- When an image contains private memory, its start address is now shown.
File Version: 6.5.6.2128
- Improved search for previously executable memory that is no longer executable.
- Added valid string check for Imports and DelayImports for Mapped modules.
- Mark processes that are GUARD_CF in the process tree with italics.
File Version: 6.4.29.2108
Uses the Control Flow Guard bitmap to detect regions that were executable and no longer are: alert [Memory-Region previously executable].
Added display of the DLLCharacteristics flag names. Memory with the GUARD protection type is shown with +GUARD.
File Version: 6.4.7.2080
Added a check to ensure that the address of each exported function points to code in an executable memory page.
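The two checks above (an export address must resolve into an executable page, and a hooked prologue in a weighted function such as EtwEventWrite or AmsiScanBuffer) can be illustrated with the small, platform-independent C example below. It is an added example and not WhacAMole's own code: the `region_t` struct stands in for the fields of MEMORY_BASIC_INFORMATION that VirtualQueryEx would return, the image base, memory map, export RVAs and prologue bytes are all constructed, the alert name [Export outside executable memory] is assumed, and the hook patterns (E9 jmp rel32, FF 25 jmp [rip+disp32], mov rax,imm64 / jmp rax) are the common inline-hook shapes, not an exhaustive list.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the fields of MEMORY_BASIC_INFORMATION the checks
 * need. On Windows these values would come from VirtualQueryEx(). */
typedef struct {
    uint64_t base;
    uint64_t size;
    uint32_t protect;   /* PAGE_* value of the region */
} region_t;

/* Real PAGE_* constants from winnt.h. */
#define PAGE_READONLY          0x02
#define PAGE_READWRITE         0x04
#define PAGE_EXECUTE           0x10
#define PAGE_EXECUTE_READ      0x20
#define PAGE_EXECUTE_READWRITE 0x40
#define PAGE_EXECUTE_WRITECOPY 0x80

static bool protect_is_executable(uint32_t protect) {
    return (protect & (PAGE_EXECUTE | PAGE_EXECUTE_READ |
                       PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)) != 0;
}

/* Returns the region containing addr, or NULL when the address is unmapped. */
static const region_t *find_region(const region_t *map, size_t n, uint64_t addr) {
    for (size_t i = 0; i < n; i++)
        if (addr >= map[i].base && addr < map[i].base + map[i].size)
            return &map[i];
    return NULL;
}

/* Check 1: the export (image_base + rva) must land inside an executable page. */
bool export_points_to_executable(const region_t *map, size_t n,
                                 uint64_t image_base, uint32_t rva) {
    const region_t *r = find_region(map, n, image_base + rva);
    return r != NULL && protect_is_executable(r->protect);
}

/* Check 2: compare the in-memory prologue with the on-disk copy. A mismatch that
 * begins with a control-transfer instruction is reported as a hook; any other
 * mismatch is reported as a modification for manual review. */
typedef enum { PROLOGUE_CLEAN = 0, PROLOGUE_HOOK_JMP = 1, PROLOGUE_MODIFIED = 2 } prologue_verdict_t;

prologue_verdict_t check_prologue(const uint8_t *in_memory, const uint8_t *on_disk, size_t len) {
    if (memcmp(in_memory, on_disk, len) == 0) return PROLOGUE_CLEAN;
    if (len >= 5 && in_memory[0] == 0xE9) return PROLOGUE_HOOK_JMP;                 /* jmp rel32 */
    if (len >= 6 && in_memory[0] == 0xFF && in_memory[1] == 0x25) return PROLOGUE_HOOK_JMP; /* jmp [rip+disp32] */
    if (len >= 12 && in_memory[0] == 0x48 && in_memory[1] == 0xB8 &&
        in_memory[10] == 0xFF && in_memory[11] == 0xE0) return PROLOGUE_HOOK_JMP; /* mov rax,imm64; jmp rax */
    return PROLOGUE_MODIFIED;
}

/* Constructed sample: a fake 64-bit image, two exports and two prologue
 * snapshots. Nothing here is captured from a real process. Returns the alert count. */
size_t scan_constructed_sample(void) {
    const uint64_t image_base = 0x7FF800000000ULL;
    const region_t map[] = {
        { image_base + 0x1000,  0x20000, PAGE_EXECUTE_READ },  /* .text */
        { image_base + 0x21000, 0x5000,  PAGE_READWRITE },     /* .data */
    };
    const size_t nmap = sizeof map / sizeof map[0];
    const struct { const char *name; uint32_t rva; } exports[] = {
        { "ExportA", 0x1234  },  /* resolves into .text: fine */
        { "ExportB", 0x21100 },  /* resolves into .data: alert */
    };
    /* Constructed prologue bytes; not the real bytes of any Windows export. */
    const uint8_t on_disk[8]     = { 0x4C,0x8B,0xDC,0x48,0x83,0xEC,0x58,0x90 };
    const uint8_t in_mem_ok[8]   = { 0x4C,0x8B,0xDC,0x48,0x83,0xEC,0x58,0x90 };
    const uint8_t in_mem_hook[8] = { 0xE9,0x00,0x10,0x00,0x00,0xEC,0x58,0x90 };
    const char *weighted[] = { "WeightedFnA", "WeightedFnB" };   /* hypothetical names */
    const uint8_t *snapshots[] = { in_mem_ok, in_mem_hook };

    size_t alerts = 0;
    for (size_t i = 0; i < 2; i++) {
        if (!export_points_to_executable(map, nmap, image_base, exports[i].rva)) {
            printf("[Export outside executable memory] %s rva=0x%x\n", exports[i].name, exports[i].rva);
            alerts++;
        }
    }
    for (size_t i = 0; i < 2; i++) {
        prologue_verdict_t v = check_prologue(snapshots[i], on_disk, sizeof on_disk);
        if (v != PROLOGUE_CLEAN) {
            printf("[Hook in weighted function] %s verdict=%d\n", weighted[i], (int)v);
            alerts++;
        }
    }
    return alerts;
}

int main(void) {
    printf("%zu alert(s)\n", scan_constructed_sample());
    return 0;
}
```

A real scanner would read the on-disk prologue from the mapped file image (or a fresh, relocated copy) and the in-memory bytes with ReadProcessMemory; comparing a fixed number of prologue bytes is deliberate, since a legitimate relocation fixup can make later bytes differ without any hook being present.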
File Version: 6.4.1.2073
Added detection of forked processes.
Several improvements.