MCPcopy Create free account
hub / github.com/D4stiny/PeaceMaker

github.com/D4stiny/PeaceMaker @v1.0

Chat with this repo
repository ↗ · DeepWiki ↗ · release v1.0 ↗ · + Follow
189 symbols 303 edges 41 files 120 documented · 63% updated 6y agov1.0 · 2021-03-18★ 4312 open issues

Browse by type

Functions 139 Types & classes 50
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

PeaceMaker Threat Detection

PeaceMaker Threat Detection is a kernel-mode utility designed to detect a variety of methods commonly used in advanced forms of malware. Compared to a stereotypical anti-virus that may detect via hashes or patterns, PeaceMaker targets the techniques malware commonly uses in order to catch them in the act. Furthermore, PeaceMaker is designed to provide an incredible amount of detail when a malicious technique is detected, allowing for effective containment and response.

Motivation

PeaceMaker was designed primarily as a weapon to detect custom malware in virtualized environments. Specifically, this project was started in pursuit of preparing for the Information Security Talent Search blue/red team competition hosted by RIT's Security Club, RITSEC. The competition's red team is primarily industry security professionals, which is why I decided my own defense platform would be useful. In a project like this, I can make sacrifices to factors such as performance that widely-employed AV/EDR companies can't make, allowing me to make decisions I couldn't get away with in a real product.

Features

  • View what code started a process (stack trace).
  • View what code loaded an image into a process (stack trace).
  • Detect unmapped (hidden) code via Stack Walking common operations such as:
    • Process Creation
    • Image Load
    • Thread Creation
  • Detect remote thread creation.
  • Detect parent process ID spoofing.
  • Detect threat creation on unmapped (hidden) code.
  • Block basic tamper operations on the GUI Client.
  • Block filesystem/registry write, delete, or execute operations that violate a user-specified filter.
  • Detect filesystem/registry write, delete, or execute operations that violate a user-specified filter.
    • Logs the source process and stack of the operation.
  • Filter for known false positives.

Notable properties

  • Heavily commented code.
  • All detection routines are in the kernel driver.
  • Designed to detect user-mode malware.
  • Tested using Driver Verifier standard configuration.
  • Tested by putting it on my "daily driver" laptop and monitoring for issues (none occurred).

Shortcomings

  • Inefficient time and space complexity.
    • Performs useful, but expensive forensics that slow down common operations.
    • Often allocates more memory than needed, doesn't utilize space optimization techniques such as compression.
  • Weak operation filtering mechanism.
    • For example, filters that prevent deletion of a file or registry key can be bypassed.
    • You can only filter on the target of an operation (i.e file/key name).
  • Weak tamper protection.
    • Only protects against process termination of the GUI, nothing else.
  • Incomplete GUI.

Screenshots

Alerts Tab Processes Tab Filters Tab Process Information

Core symbols most depended-on inside this repo

Shape

Method 127
Class 46
Function 12
Enum 4

Languages

C++100%

Modules by API surface

PeaceMakerGUI/mainwindow.cpp19 symbols
PeaceMaker Kernel/shared.h19 symbols
PeaceMaker CLI/IOCTLCommunicationUser.cpp14 symbols
PeaceMaker Kernel/ImageHistoryFilter.cpp12 symbols
PeaceMakerGUI/InvestigateProcessWindow.cpp11 symbols
PeaceMaker Kernel/FSFilter.cpp10 symbols
PeaceMaker Kernel/ntdef.h8 symbols
PeaceMaker Kernel/StringFilters.cpp8 symbols
PeaceMaker Kernel/DetectionLogic.cpp8 symbols
PeaceMakerGUI/ClickableTab.cpp6 symbols
PeaceMaker Kernel/IOCTLCommunication.cpp6 symbols
PeaceMaker Kernel/AlertQueue.cpp6 symbols

For agents

$ claude mcp add PeaceMaker \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact

Ask about this repo answers extend the page