visiongaiatechnology/winxdr
VGT Malware Hunter X-Ray (MHX): Experimental Windows EDR (R&D Project)


AGPLv3 (MHX Core) / MIT (C# Native Engine). Open Source. Open Knowledge.


⚠️ DISCLAIMER: EXPERIMENTAL R&D PROJECT

VGT Malware Hunter X-Ray is a Proof of Concept (PoC) exploring behavioral endpoint detection using PowerShell, .NET/C# interop, and Windows native APIs. It is not a replacement for enterprise EDR solutions.

Architectural limitations to be aware of:

  • Runs as a PowerShell daemon, so it is subject to PowerShell execution constraints and startup latency
  • Detection runs on a 2-second polling interval; real-time kernel-level hooks are not implemented, so a process that starts and exits within one interval is never observed
  • Process termination via Stop-Process can be circumvented by sufficiently privileged malware (for example a protected process, or malware that terminates or suspends the daemon first)
  • The AMSI integrity check relies on known patch signatures at the AmsiScanBuffer entry point; novel bypass techniques, or patches elsewhere in amsi.dll, may go undetected

For production environments, run an established solution such as Microsoft Defender for Endpoint, CrowdStrike, or SentinelOne, and treat this tool as a companion to it, not a substitute.


Support the Project

Donate via PayPal, Bitcoin or ETH/USDT:

  • PayPal: paypal.me/dergoldenelotus
  • Bitcoin: bc1q3ue5gq822tddmkdrek79adlkm36fatat3lz0dm
  • ETH / USDT (ERC-20): 0xD37DEfb09e07bD775EaaE9ccDaFE3a5b2348Fe85

What is VGT MHX?

VGT Malware Hunter X-Ray started as an experiment: can a meaningful behavioral EDR daemon be built using only PowerShell + C# interop, running as a background system tray process?

Version 4.0 DIAMANT APEX is a major architectural step. It introduces a native C# GDI+ / DWMAPI UI engine, including a live Command Center dashboard and custom-drawn toast notifications, while hardening the detection core with the Ouroboros Fix, which prevents the engine from terminating its own async subroutines.

V3.1: Detection engines + basic toast notifications
V4.0: Native C# OSD Engine + Command Center HUD + expanded TI feeds + Ouroboros Fix

What's New in V4.0 DIAMANT APEX

Ouroboros Fix

The most important stability patch in MHX history. V3.x had a self-termination bug: the network engine's Zero-Trust loop could classify the daemon's own background TISyncJob as an "untrusted" process with an external connection and kill it. V4.0 resolves this by tracking the core PID ($Script:CorePID) and every child PID the core spawns, and exempting them from all detection engines. The exemption is by PID only, so exempted PIDs should be dropped from the list as soon as the job exits; Windows reuses PIDs, and a stale entry would shield whatever process inherits that number.

Native C# Command Center Dashboard

A GDI+/DWMAPI live dashboard, accessible from the system tray, showing:

  • Live incident log viewer with color-coded severity (Crimson = Error, Orange = Warning, Cyan = Info)
  • Timestamp-highlighted log entries with cyberpunk indicator blocks
  • Real-time memory working set and session uptime telemetry
  • Animated holographic radar grid with a sweeping VGT Cyan laser line
  • Windows 11 rounded corners via DwmSetWindowAttribute and dark scrollbars via SetWindowTheme

Native C# Toast Notifications (GDI+)

Completely rewritten from ShowBalloonTip to a custom NotificationForm with:

  • Timer-driven animation (animTimer at a 15 ms interval, roughly 60 fps) for slide-up on appear and float-up on dismiss
  • DWMAPI rounded corners (DWMWCP_ROUND)
  • Dynamic accent color: Cyan for system events, Crimson for threat strikes
  • WS_EX_NOACTIVATE, so toasts never steal focus from the user's active window
  • Offset stacking: multiple simultaneous toasts stack vertically without overlapping
  • Click-to-dismiss with immediate fade-out

Expanded Threat Intelligence Feeds (9 Sources)

V3.1 had 4 feeds. V4.0 aggregates 9:

  Feed                            | Source
  --------------------------------|-------------------------
  Feodo Tracker IP Blocklist      | abuse.ch
  Spamhaus DROP                   | spamhaus.org
  Spamhaus EDROP                  | spamhaus.org
  CINS Score Bad Guys             | cinsscore.com
  Blocklist.de All IPs            | blocklist.de
  Emerging Threats Block IPs      | emergingthreats.net
  IPsum (Community Threat Intel)  | github/stamparm
  FireHOL Level 1                 | github/firehol
  Tor Exit Nodes                  | github/SecOps-Institute

Note that Spamhaus DROP/EDROP and FireHOL Level 1 publish CIDR ranges with trailing comments rather than one bare address per line, so a feed parser has to prefix-match those entries instead of comparing strings.

Alert Cache / Deduplication

A 5-minute AlertCache suppresses duplicate alerts for the same PID+IP combination, so sustained C2 connections no longer flood the notification queue.

Threat IP Export

New tray menu entry exports the full live threat IP cache to a timestamped text file, instantly opened in Notepad for manual review or sharing.


πŸ›‘οΈ Detection Engines

Engine 1 β€” Process Lineage Validation

Enforces strict parent-child process relationships for critical system processes. A lsass.exe spawned by anything other than wininit.exe is terminated immediately. Boot-time grace window (2 minutes post-boot) prevents false positives on legitimate startup sequences.
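The check below is an added example for this README, not code from the MHX repository. It implements a lineage rule table of the kind Engine 1 describes, applies the 2-minute boot grace window, and adds two sanity checks the text above does not spell out: a parent that has already exited, and a parent PID that Windows has reused. The rule table and the sample process records are constructed for illustration; the live collector only runs on Windows.

```powershell
# Added example for this README, not code from the MHX repository: a lineage
# check of the kind Engine 1 describes, with the 2-minute boot grace window and
# two sanity checks (exited parent, reused parent PID). The rule table and the
# sample process records are constructed for illustration.

$LineageRules = @{          # child executable -> the only parent that may spawn it
    'lsass.exe'    = 'wininit.exe'
    'services.exe' = 'wininit.exe'
    'svchost.exe'  = 'services.exe'
}

function Get-LineageVerdict {
    param(
        [Parameter(Mandatory)] $Process,            # Name, ProcessId, ParentProcessId, CreationDate
        $Parent,                                    # same shape, or $null when no such PID is alive
        [Parameter(Mandatory)] [datetime] $BootTime,
        [datetime] $Now = (Get-Date),
        [int] $GraceMinutes = 2
    )
    $name = $Process.Name.ToLowerInvariant()
    if (-not $LineageRules.ContainsKey($name)) { return 'NotCritical' }

    # Startup ordering produces odd-looking lineage legitimately; hold fire right after boot.
    if ($Now -lt $BootTime.AddMinutes($GraceMinutes)) { return 'GraceWindow' }

    # ParentProcessId points at no live process: the parent exited. That is normal for
    # some system processes (the per-session smss.exe exits after spawning csrss.exe and
    # winlogon.exe), so report it instead of calling it a breach.
    if ($null -eq $Parent) { return 'ParentExited' }

    # Windows reuses PIDs: a "parent" created after its child is not the real parent.
    if ($Parent.CreationDate -gt $Process.CreationDate) { return 'ParentPidReused' }

    if ($Parent.Name.ToLowerInvariant() -eq $LineageRules[$name]) { return 'OK' }
    return 'Breach'
}

function Get-CriticalLineageReport {
    # Windows only. Get-CimInstance returns CreationDate and LastBootUpTime as [datetime].
    $procs = Get-CimInstance Win32_Process
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[int] $p.ProcessId] = $p }
    $boot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    foreach ($p in $procs) {
        $verdict = Get-LineageVerdict -Process $p -Parent $byPid[[int] $p.ParentProcessId] -BootTime $boot
        if ($verdict -ne 'NotCritical') {
            [pscustomobject]@{ Name = $p.Name; Pid = $p.ProcessId; ParentPid = $p.ParentProcessId; Verdict = $verdict }
        }
    }
}

# Constructed records: a genuine lsass.exe under wininit.exe, and a process named
# lsass.exe that a cmd.exe started an hour after boot.
$now     = Get-Date
$boot    = $now.AddHours(-1)
$wininit = [pscustomobject]@{ Name = 'wininit.exe'; ProcessId = 600;  ParentProcessId = 500;  CreationDate = $boot.AddSeconds(5) }
$lsass   = [pscustomobject]@{ Name = 'lsass.exe';   ProcessId = 700;  ParentProcessId = 600;  CreationDate = $boot.AddSeconds(6) }
$cmd     = [pscustomobject]@{ Name = 'cmd.exe';     ProcessId = 3100; ParentProcessId = 2800; CreationDate = $now.AddMinutes(-4) }
$fake    = [pscustomobject]@{ Name = 'lsass.exe';   ProcessId = 4242; ParentProcessId = 3100; CreationDate = $now.AddMinutes(-3) }

Get-LineageVerdict -Process $lsass -Parent $wininit -BootTime $boot -Now $now
Get-LineageVerdict -Process $fake  -Parent $cmd     -BootTime $boot -Now $now
Get-LineageVerdict -Process $fake  -Parent $null    -BootTime $boot -Now $now

if ($env:OS -eq 'Windows_NT') { Get-CriticalLineageReport | Format-Table -AutoSize }
```

The three sample calls exercise the rule-satisfied path, the breach path, and the exited-parent path. Because a verdict other than Breach still surfaces in the report, an operator can tell a genuinely orphaned system process from one whose parent PID has been recycled, which a plain PPID comparison would misreport as a breach.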

Engine 2: KillerDom Command-Line Heuristics

Four compiled regex signatures scan process command-line arguments for known malicious patterns:

  Signature            | Detects
  ---------------------|--------------------------------------------------------------------------------------
  CLI_RCE_OBFUSCATION  | PowerShell -enc, -decode, bypass, Invoke-, DownloadString, WebClient, etc.
  CLI_HIGH_ENTROPY     | Base64 blobs (15+ groups), hex escape sequences
  CLI_EXPLOIT_STRINGS  | JNDI injection (${jndi:ldap://...}), cryptocurrency miners (coinhive, monero, stratum)
  CLI_LOTL_NATIVE      | cmd.exe /c, vssadmin delete, certutil -urlcache, bitsadmin /transfer

If "bypass" is matched literally, the daemon's own launch line (-ExecutionPolicy Bypass) trips CLI_RCE_OBFUSCATION, which is one more reason the core PID has to be exempt from every engine.

Engine 3: Zero-Trust Network + Threat Intelligence

Monitors all established TCP connections against 9 live threat feeds. Untrusted processes with external connections that fail path and whitelist validation are terminated. Includes masquerading detection via executable path verification and Temp-directory DLL injection detection.

Ouroboros-safe: the engine explicitly skips the core PID and all VGT subroutine PIDs, preventing self-termination.
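The block below is an added example, not the network engine from the MHX script. It ties together the pieces described in this section and in the Ouroboros Fix and Alert Cache sections: parsing a feed (including the CIDR-plus-comment lines that Spamhaus DROP and FireHOL publish), checking established connections against the parsed set and the process whitelist, skipping the core PID and its child PIDs, and suppressing repeat alerts for the same PID+IP pair for 5 minutes. The feed text and the connection records are constructed so the block runs offline; the whitelist is a shortened copy of the one in the configuration section.

```powershell
# Added example, not the network engine in the MHX script: feed parsing, a
# Zero-Trust check of connections against the parsed set, the core-PID exemption
# the Ouroboros Fix describes, and a 5-minute PID+IP alert cache. Feed text and
# connection records are constructed inline so the block runs offline.

# Feeds such as Spamhaus DROP and FireHOL publish CIDR ranges with ';' or '#'
# comments, so a "plain IPv4 list" parser must also accept prefixes.
$ConstructedFeedText = @'
# constructed feed, not a real download
203.0.113.7
198.51.100.0/24 ; SBL000000
192.0.2.0/25
'@

function ConvertTo-IPv4UInt32([string] $Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [uint32](([uint64] $b[0] * 16777216) + ([uint64] $b[1] * 65536) + ([uint64] $b[2] * 256) + [uint64] $b[3])
}

function ConvertFrom-IpFeed([string] $Text) {
    # Each entry is a network/mask pair; a bare address becomes a /32.
    $entries = [System.Collections.Generic.List[object]]::new()
    foreach ($raw in ($Text -split "`r?`n")) {
        $line = ($raw -split '[;#]')[0].Trim()
        if ($line -notmatch '^(\d{1,3}(?:\.\d{1,3}){3})(?:/(\d{1,2}))?$') { continue }
        $prefix = if ($Matches[2]) { [int] $Matches[2] } else { 32 }
        $mask   = [uint32](([uint64] 0xFFFFFFFF) - ([uint64] [math]::Pow(2, 32 - $prefix) - 1))
        $entries.Add([pscustomobject]@{ Network = [uint32]((ConvertTo-IPv4UInt32 $Matches[1]) -band $mask); Mask = $mask })
    }
    return $entries
}

function Test-ThreatIp([string] $Ip, $Entries) {
    $v = ConvertTo-IPv4UInt32 $Ip
    foreach ($e in $Entries) { if ([uint32]($v -band $e.Mask) -eq $e.Network) { return $true } }
    return $false
}

$Script:CorePID      = $PID
$Script:VgtChildPids = [System.Collections.Generic.HashSet[int]]::new()   # PIDs of job hosts the core started
$Script:WhitelistedNetworkProcs = @('chrome', 'firefox', 'msedge', 'svchost')
$Script:AlertCache   = @{}                                                # "pid|ip" -> time of last alert
$AlertWindow         = [timespan]::FromMinutes(5)

function Get-ZeroTrustVerdicts($Connections, $Entries, [datetime] $Now = (Get-Date)) {
    foreach ($c in $Connections) {
        # Ouroboros exemption: never judge the core or its own background jobs.
        if ([int] $c.OwningProcess -eq $Script:CorePID -or $Script:VgtChildPids.Contains([int] $c.OwningProcess)) { continue }
        # IPv4 only; loopback, RFC 1918 and link-local peers are not "external".
        if ($c.RemoteAddress -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { continue }
        if ($c.RemoteAddress -match '^(127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|169\.254\.)') { continue }

        $isThreat  = Test-ThreatIp $c.RemoteAddress $Entries
        $isTrusted = $Script:WhitelistedNetworkProcs -contains "$($c.ProcessName)".ToLowerInvariant()
        if ($isTrusted -and -not $isThreat) { continue }   # a whitelisted name still fails when the peer is on a feed

        $key = "$($c.OwningProcess)|$($c.RemoteAddress)"
        if ($Script:AlertCache.ContainsKey($key) -and ($Now - $Script:AlertCache[$key]) -lt $AlertWindow) { continue }
        $Script:AlertCache[$key] = $Now

        [pscustomobject]@{
            Pid     = $c.OwningProcess
            Process = $c.ProcessName
            Remote  = $c.RemoteAddress
            Verdict = if ($isThreat) { 'C2_BEACON (Event 900)' } else { 'UNTRUSTED_EGRESS (Event 202)' }
        }
    }
}

# Constructed connection records (the first one is this very process).
$threats = ConvertFrom-IpFeed $ConstructedFeedText
$conns = @(
    [pscustomobject]@{ OwningProcess = $PID; ProcessName = 'powershell'; RemoteAddress = '203.0.113.7'   }
    [pscustomobject]@{ OwningProcess = 4242; ProcessName = 'svchost';    RemoteAddress = '198.51.100.77' }
    [pscustomobject]@{ OwningProcess = 5151; ProcessName = 'updater';    RemoteAddress = '192.0.2.200'   }
    [pscustomobject]@{ OwningProcess = 5151; ProcessName = 'updater';    RemoteAddress = '192.0.2.200'   }
    [pscustomobject]@{ OwningProcess = 6161; ProcessName = 'chrome';     RemoteAddress = '8.8.8.8'       }
)
Get-ZeroTrustVerdicts -Connections $conns -Entries $threats | Format-Table -AutoSize

function Get-LiveConnections {
    # Windows only (NetTCPIP module). ProcessName is $null when the owner has already exited.
    Get-NetTCPConnection -State Established | ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{ OwningProcess = $_.OwningProcess; ProcessName = $p.ProcessName; RemoteAddress = $_.RemoteAddress }
    }
}
if ($env:OS -eq 'Windows_NT') { Get-ZeroTrustVerdicts -Connections (Get-LiveConnections) -Entries $threats | Format-Table -AutoSize }
```

The constructed records cover the cases that matter: the core's own connection is skipped before any other test, a whitelisted name talking to a feed-listed range is still reported (the whitelist vouches for the binary, not for its peers), an unknown process outside every listed range is reported once as untrusted egress and then suppressed by the cache, and a whitelisted browser talking to an unlisted address produces nothing.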

Engine 4: AMSI Memory Integrity Scanner

Uses ReadProcessMemory via P/Invoke to inspect the in-memory bytes at the AmsiScanBuffer entry point in all high-risk LotL processes. Detects known AMSI bypass techniques:

  Byte Signature   | Technique
  -----------------|---------------------------------------------------------------------------
  B8 57 00 07 80   | mov eax, 0x80070057: returns E_INVALIDARG, so the caller treats the scan as failed
  EB / E9          | Unconditional JMP (short / near): hooks or redirects the scan function
  C3               | RET: immediate return, scan is skipped entirely
  31 C0 C3         | xor eax, eax; ret: returns S_OK (clean) without scanning

πŸ—ΊοΈ MITRE ATT&CK Coverage

Technique ID Technique Name Engine
T1055 Process Injection Engine 4 (AMSI Memory Scan)
T1548.002 Abuse Elevation Control β€” Bypass UAC Engine 1 (Lineage)
T1134 Access Token Manipulation Engine 1 (Lineage)
T1036 Masquerading Engine 3 (Path Verification)
T1036.005 Match Legitimate Name or Location Engine 3
T1059.001 Command & Scripting β€” PowerShell Engine 2 (KillerDom)
T1059.003 Command & Scripting β€” Windows Command Shell Engine 2 (KillerDom)
T1027 Obfuscated Files or Information Engine 2 (Base64/Hex Detection)
T1027.010 Command Obfuscation Engine 2 (KillerDom)
T1218 System Binary Proxy Execution (LotL) Engine 2 (KillerDom)
T1218.005 Mshta Engine 2
T1218.010 Regsvr32 Engine 2
T1218.011 Rundll32 Engine 2
T1105 Ingress Tool Transfer (certutil/bitsadmin) Engine 2 (KillerDom)
T1071 Application Layer Protocol (C2) Engine 3 (TI Feeds)
T1071.001 Web Protocols β€” C2 Beaconing Engine 3
T1562.001 Impair Defenses β€” Disable or Modify Tools Engine 4 (AMSI Patch)
T1055.001 DLL Injection Engine 3 (Temp DLL Detection)
T1547.001 Boot/Logon Autostart β€” Registry Run Keys Scheduled Task Persistence
T1078 Valid Accounts (Credential Theft via LSASS) Engine 1 (lsass Lineage Guard)

βš™οΈ Installation & Configuration

Requirements

  • Windows 10 / Windows 11
  • PowerShell 5.1+
  • Administrator privileges (required for SeDebugPrivilege and ReadProcessMemory)
  • .NET Framework 4.x (pre-installed on all modern Windows)

Step 1: Configure your Network Whitelist

⚠️ Do this before running. The network engine will terminate untrusted processes with external connections, so any unlisted software that talks to the internet (update agents, VPN clients, sync tools) is a candidate for termination until it is whitelisted.

Open the script and locate the ZERO-TRUST CONFIGURATION section:

$Script:WhitelistedNetworkProcs = @(
    "chrome", "firefox", "msedge",          # Browsers
    "vscodium", "code",                      # Editors
    "ollama",                                # Local AI
    "svchost", "mpdefendercoreservice",      # Windows System
    "telegram", "discord", "spotify",        # Apps
    "putty", "python"                        # Dev Tools
    # ADD YOUR OWN SOFTWARE HERE (lowercase, without .exe)
)

Step 2: Configure Threat Intelligence Feeds

Locate the THREAT INTELLIGENCE SYNC section. The default 9 feeds are pre-configured. Add custom feeds that return plain IPv4 lists:

$feeds = @(
    "https://feodotracker.abuse.ch/downloads/ipblocklist.txt",
    # ... existing feeds ...
    # ADD YOUR OWN FEEDS HERE (plain IP list format, one per line)
)

Feeds sync every 4 hours in a background job. Because the aggregated list drives termination decisions, a poisoned or hijacked feed translates directly into killed processes: add only sources you trust, and fetch them over HTTPS.

Step 3: Run

# Right-click β†’ Run with PowerShell (as Administrator)
# Or from an elevated terminal:
powershell.exe -ExecutionPolicy Bypass -File .\vgt-mhx.ps1

The daemon will auto-elevate, hide its console window, register a Scheduled Task (VGT-MHX) for autostart, appear in the system tray, and immediately begin the TI feed sync.
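The installation steps above end with the daemon registering a Scheduled Task for autostart. The block below is an added example, not the installer logic in vgt-mhx.ps1: it checks for elevation, registers a task named VGT-MHX that starts the script hidden at interactive logon with the highest available privileges, and adds one check the README does not mention. A task that runs elevated at every logon from a user-writable path hands local privilege escalation to anyone who can edit the file, so the script's ACL is inspected before the task is created. The install path is an assumption.

```powershell
# Added example, not the installer code in vgt-mhx.ps1: elevation check, a Scheduled
# Task named VGT-MHX that starts the script hidden at logon with RunLevel Highest, and
# an ACL check on the script file. The install path below is an assumption.

$ScriptPath = 'C:\ProgramData\VGT_Omega\vgt-mhx.ps1'   # assumed location, not documented by the README

function Test-IsElevated {
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    ([System.Security.Principal.WindowsPrincipal] $identity).IsInRole(
        [System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-LowPrivilegeWriters {
    param([Parameter(Mandatory)] [string] $Path)
    # Allow-ACEs that let non-administrators rewrite, replace or re-permission the file the
    # task executes. The parent directory deserves the same check (create/rename/delete rights).
    $writeRights = [System.Security.AccessControl.FileSystemRights] 'Write, Modify, FullControl, Delete, TakeOwnership, ChangePermissions'
    $lowPriv = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone', 'NT AUTHORITY\INTERACTIVE')
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int] $_.FileSystemRights) -band ([int] $writeRights)) -ne 0 -and
        ($lowPriv -contains $_.IdentityReference.Value)
    }
}

function Register-MhxAutostart {
    param([Parameter(Mandatory)] [string] $Path)
    if (-not (Test-IsElevated)) { throw 'Run from an elevated PowerShell: the task needs RunLevel Highest.' }
    $writers = @(Get-LowPrivilegeWriters -Path $Path)
    if ($writers.Count -gt 0) {
        throw "Refusing to register: $Path is writable by $(($writers | ForEach-Object { $_.IdentityReference.Value }) -join ', ')"
    }
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                    -Argument "-NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File `"$Path`""
    $trigger   = New-ScheduledTaskTrigger -AtLogOn
    # Interactive logon of the installing user: the daemon needs a desktop session for its tray icon.
    $principal = New-ScheduledTaskPrincipal -UserId "$env:USERDOMAIN\$env:USERNAME" -LogonType Interactive -RunLevel Highest
    $settings  = New-ScheduledTaskSettingsSet -ExecutionTimeLimit ([timespan]::Zero) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries
    Register-ScheduledTask -TaskName 'VGT-MHX' -Action $action -Trigger $trigger -Principal $principal -Settings $settings -Force
}

if ($env:OS -eq 'Windows_NT' -and (Test-Path -LiteralPath $ScriptPath)) {
    Register-MhxAutostart -Path $ScriptPath
    Get-ScheduledTask -TaskName 'VGT-MHX' | Select-Object TaskName, State, @{ n = 'RunLevel'; e = { $_.Principal.RunLevel } }
}
```

The ACL check is the part to keep even if the rest is adapted: a directory under the user's profile, a Downloads folder, or any path where BUILTIN\Users can write turns an autostart task with RunLevel Highest into a persistence and escalation primitive for any local code, which is exactly the class of behaviour the daemon is meant to detect in others.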

System Tray Menu

  Menu Item                                                  | Function
  -----------------------------------------------------------|--------------------------------------------------------------------
  VGT Command Center (Live HUD)                              | Opens the native GDI+ dashboard with live log viewer and telemetry
  Raw Incident Log (Notepad)                                 | Opens the raw incidents.log file
  Aktive Threat-IPs exportieren (Export active threat IPs)   | Exports the full live TI IP cache to a text file
  Hunter Core beenden (Quit Hunter Core)                     | Cleanly shuts down the daemon

Incident Log & Event IDs

All detections are written to C:\ProgramData\VGT_Omega\incidents.log (UTF-16LE) and to the Windows Event Log under source VGT-MHX.

  Event ID | Type        | Meaning
  ---------|-------------|-----------------------------------------------------------
  100      | Information | MHX core initialized successfully
  101      | Information | Threat Intel sync completed; N IPs loaded
  202      | Warning     | Untrusted process with external network connection
  203      | Error       | Masquerading: known process name, wrong executable path
  204      | Error       | Suspicious DLL loaded from Temp directory
  301      | Error       | Critical process lineage breach
  666      | Error       | KillerDom strike: malicious command-line detected
  900      | Error       | C2 beacon intercepted and connection terminated
  999      | Error       | AMSI memory patch detected; process neutralized

License

  Component                                                                                                            | License
  ---------------------------------------------------------------------------------------------------------------------|--------
  MHX Core (PowerShell daemon, detection engines, TI sync, UI orchestration)                                            | AGPLv3
  C# Native Engine (VGT.Omega: Win32TokenXDR, MemoryScanner; VGT.UI: OverlayManager, NotificationForm, DashboardForm)  | MIT

VGT Ecosystem

  Tool                         | Type               | Purpose
  -----------------------------|--------------------|------------------------------------------------------------
  VGT MHX                      | R&D / Experimental | Behavioral EDR daemon: AMSI, Lineage, Network, KillerDom
  VGT Windows Firewall Burner  | Preventive         | 280,000+ APT IPs blocked in native Windows Firewall
  VGT Civilian Checker         | Audit              | Windows security posture assessment
  VGT Auto-Punisher Linux      | R&D                | Experimental userspace IDS for Linux servers
  VGT Sentinel                 | WAF / IDS          | Zero-Trust WordPress security suite

Contributing

Pull requests welcome. For major changes, open an issue first.

The MHX core is licensed under AGPLv3 ("Open Source. Open Knowledge."); the C# native engine is MIT-licensed, as listed above.


About VisionGaia Technology

VisionGaia Technology is an R&D collective exploring experimental architectures, AI integration, and cybersecurity paradigms. We build to learn, we break things to understand them, and we share the results.


VGT Malware Hunter X-Ray v4.0 DIAMANT APEX: Experimental Windows EDR // Native GDI+ OSD Engine // Process Lineage + KillerDom + Zero-Trust Network + AMSI Memory Integrity // Ouroboros Fix Applied
