Scan all running Windows processes for signs of module stomping.
Monitor newly loaded libraries in real time using ETW mode.
Study the pdata-section technique as a way to detect memory tampering.
Use as a starting point for building a more complete anti-stomping scanner.
| 0xjbb/modulestomped | deftruth/lite.ai.toolkit | sofiafvbiub2935447/fl-product-version-25 | |
|---|---|---|---|
| Stars | 34 | 33 | 35 |
| Language | C++ | C++ | C++ |
| Last pushed | — | 2025-03-30 | — |
| Maintenance | — | Stale | — |
| Setup difficulty | moderate | moderate | hard |
| Complexity | 4/5 | 3/5 | 1/5 |
| Audience | developer | developer | general |
Figures from each repo's GitHub metadata at analysis time.
Requires Administrator privileges and only runs on Windows.
ModuleStomped is a proof-of-concept security tool for detecting a specific attack technique called module stomping. Module stomping is a method used by malware and offensive security tools to hide malicious code inside memory that belongs to a legitimate Windows library, making it harder for security software to spot. The detection approach this tool uses focuses on a section of each loaded library file called the pdata section, which stores data about the program's functions for error handling purposes. Unlike the main code section of a library (which attackers can overwrite with their own code), the pdata section has no reason to change during normal operation. If it has been modified, that is a sign the library has been tampered with. The author notes this is more reliable than checking the main code section because the code section is the very thing being replaced in a stomping attack. The tool runs in two modes. In process scanner mode, it scans every accessible running process on the system, checks all loaded libraries in each process, and flags any whose pdata section looks wrong. This scan takes a few seconds to complete. In ETW mode, it listens for system events that fire whenever a new library is loaded into a process, and only scans that process when a relevant library appears. ETW is a built-in Windows event tracing system. The README notes that the tool was written as a rough demonstration rather than a production-ready scanner. It also describes an obvious bypass: an attacker could avoid detection by also copying the pdata section from their injected code, which this tool does not currently account for. Administrator privileges are required to run it.
A proof-of-concept Windows security tool that detects module stomping, a technique malware uses to hide inside legitimate libraries.
Mainly C++. The stack also includes C++, Windows, ETW.
Setup difficulty is rated moderate, with roughly 30min to a first successful run.
Mainly developer.
This repo across BitVibe Labs
Verify against the repo before relying on details.