AGPLv3 (MHX Core) / MIT (C# Native Engine). Open Source. Open Knowledge.
VGT Malware Hunter X-Ray is a Proof of Concept (PoC) exploring behavioral endpoint detection using PowerShell, .NET/C# interop, and Windows native APIs. It is not a replacement for enterprise EDR solutions.
Architectural limitations to be aware of:
- Runs as a PowerShell daemon, so it is subject to PowerShell execution constraints and startup latency
- Process detection triggers in under 100ms via WMI events (V4.1); kernel-level hooks are not implemented
- Process termination via `Stop-Process` can be circumvented by sufficiently privileged malware
- The AMSI integrity check relies on known patch signatures; novel bypass techniques may go undetected
For production environments, we recommend established solutions like Microsoft Defender for Endpoint, CrowdStrike, or SentinelOne alongside this tool, not instead of them.
V4.1 is a stability and performance overhaul. Seven structural fixes, from a 0ms detection gap to JIT crash elimination to Defender false-positive flooding.
| Fix | V4.0 | V4.1 |
|---|---|---|
| Detection Latency | 2s polling interval | <100ms WMI event trigger (gap closed) |
| CPU Load (Standby) | Cyclic all-process scan every 2s | Passive event-driven, near 0% standby load |
| JIT Crashes | Multiple `Add-Type` blocks causing .NET memory overlap | `$CS_Unified_Definition`: single load, no overlap |
| Concurrent Log Writes | Race conditions and file lock crashes | Mutex lock (`_logLock`), writes serialized |
| Defender False Positives | PPL path blocks cause a masquerade flood | `KERNEL_PROTECTED` classification + trusted path |
| Core Timer Crash | `Get-Date.AddDays(-1)` yields a string, not a DateTime, causing a JIT fault | `(Get-Date).AddDays(-1)` + `-is [System.DateTime]` guards |
| Wow64 / 32-bit Processes | `ReadProcessMemory` on a 32-bit target: access violation and crash | `IsWow64Process` check; incompatible targets skipped silently |
| Method | Address |
|---|---|
| PayPal | paypal.me/dergoldenelotus |
| Bitcoin | bc1q3ue5gq822tddmkdrek79adlkm36fatat3lz0dm |
| ETH / USDT (ERC-20) | 0xD37DEfb09e07bD775EaaE9ccDaFE3a5b2348Fe85 |
VGT Malware Hunter X-Ray started as an experiment: Can we build a meaningful behavioral EDR daemon using only PowerShell + C# interop, running as a background system tray process?
Version 4.1 DIAMANT APEX closes the last major stability gaps from 4.0 (JIT crashes, false-positive floods, and the 2-second detection window) while preserving the full native C# UI engine introduced in 4.0.
- V3.1: Detection engines + basic toast notifications
- V4.0: Native C# OSD Engine + Command Center HUD + expanded TI feeds + Ouroboros Fix
- V4.1: WMI event detection (<100ms) + Unified Memory Core + thread-safe logging + Wow64 protection + Defender false-positive fix + crash-safe timer
The most significant detection improvement in MHX history. V4.0 polled all running processes every 2 seconds, giving an attacker a theoretical 2-second execution window before detection. V4.1 replaces the polling loop with a real-time WMI event subscription:

```powershell
Register-CimIndicationEvent -Query "SELECT * FROM Win32_ProcessStartTrace WITHIN 0.1"
```

Every new process start triggers MHX in under 100 milliseconds. Malicious payloads that spawn and self-terminate within seconds, a common evasion pattern, are now caught before they complete execution.

Side effect: The 2-second timer no longer scans all processes. It now handles only minimal network monitoring and cache cleanup. Standby CPU load drops to near 0%.
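The subscription above only delivers the process name, PID and parent PID; the command line has to be fetched separately, and a spawn-and-exit payload may be gone before that lookup runs. The following is an added example (not MHX project code) that wires the README's query into a handler which records both, hands the records to the foreground loop through a queue (the queue is my construction; the daemon's internal plumbing is not shown on this page), and cleans the subscription up on exit. It needs an elevated PowerShell 5.1 session.

```powershell
# Added example, not part of the MHX script. Run elevated; Win32_ProcessStartTrace needs admin rights.

# Hand-off from the event action to the foreground loop (my construction, not MHX internals)
$Global:MhxEvents = New-Object 'System.Collections.Concurrent.ConcurrentQueue[psobject]'

$query = 'SELECT * FROM Win32_ProcessStartTrace WITHIN 0.1'   # query exactly as given in the README

Register-CimIndicationEvent -Query $query -SourceIdentifier 'MHX.ProcessStart' -Action {
    $e = $Event.SourceEventArgs.NewEvent
    # The trace event carries name, PID and parent PID but not the command line.
    # Look it up immediately; a short-lived process may already have exited.
    $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $($e.ProcessID)" -ErrorAction SilentlyContinue
    $cmd = if ($proc) { $proc.CommandLine } else { '<exited before lookup>' }
    $Global:MhxEvents.Enqueue([pscustomobject]@{
        Seen        = Get-Date
        ProcessId   = [int]$e.ProcessID
        ParentId    = [int]$e.ParentProcessID
        Name        = $e.ProcessName
        CommandLine = $cmd
    })
} | Out-Null

# Foreground loop: drain the queue for 30 seconds, then remove the subscription.
# Start a few programs from another window meanwhile to watch the events arrive.
$deadline = (Get-Date).AddSeconds(30)
try {
    while ((Get-Date) -lt $deadline) {
        $item = $null
        while ($Global:MhxEvents.TryDequeue([ref]$item)) {
            '{0:HH:mm:ss.fff} pid={1} ppid={2} {3} :: {4}' -f $item.Seen, $item.ProcessId,
                $item.ParentId, $item.Name, $item.CommandLine
        }
        Start-Sleep -Milliseconds 100
    }
}
finally {
    # Without this the subscription outlives the script and keeps firing in the session
    Unregister-Event -SourceIdentifier 'MHX.ProcessStart' -ErrorAction SilentlyContinue
}
```

Processes that exit before the `Win32_Process` lookup show up as `<exited before lookup>`; that marker is exactly the spawn-and-die pattern the README describes, so it is worth logging rather than discarding.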
V4.0 scattered Add-Type calls across multiple locations in the script. When MHX restarted or the script was reloaded, the .NET JIT compiler encountered duplicate class definitions in the same AppDomain, causing fatal memory overlap crashes with no recoverable error state.
V4.1 consolidates all native C# code into a single block:

```powershell
$CS_Unified_Definition = @"
// VGT.Omega.MemoryScanner
// VGT.Omega.TokenPrivileges
// VGT.Omega.Logger (thread-safe)
// VGT.UI.OverlayManager
// VGT.UI.NotificationForm
// VGT.UI.DashboardForm
"@
Add-Type -TypeDefinition $CS_Unified_Definition   # Called exactly once
```

One load. No overlap. JIT crash surface eliminated.
V4.0's async detection engines could trigger simultaneously for multiple process starts. All threads wrote to incidents.log concurrently, producing file lock errors and .NET crashes under load.
V4.1's C# logging engine serializes all writes behind a system-wide mutex:

```csharp
private static readonly object _logLock = new object();
public static void WriteLog(string entry) {
    lock (_logLock) {
        File.AppendAllText(logPath, entry);
    }
}
```

Concurrent detections queue cleanly. File lock crashes are structurally impossible.
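The two fixes above (one `Add-Type` load, lock-serialized writes) can be exercised together from PowerShell. The block below is an added example, not the project's `$CS_Unified_Definition`: a minimal `VGT.Omega.Logger` with the same `_logLock` pattern, guarded so it is compiled only once per session even if the script is dot-sourced or re-run, then hammered from several threads. `StressTest`, the worker threads and the scratch log path are my additions.

```powershell
# Added example, not MHX project code. Requires PowerShell 5.1 / .NET Framework 4.x.
$CS_Unified_Definition = @'
using System;
using System.IO;
using System.Text;
using System.Threading;

namespace VGT.Omega {
    public static class Logger {
        private static readonly object _logLock = new object();
        public static string LogPath = @"C:\ProgramData\VGT_Omega\incidents.log";

        public static void WriteLog(string entry) {
            lock (_logLock) {                      // one writer at a time: no shared-file races
                File.AppendAllText(LogPath, entry + Environment.NewLine, Encoding.Unicode);
            }
        }

        // Added for the demo: 'threads' writers each append 'perThread' lines; the method waits
        // for all of them and returns the number of lines actually present in the file afterwards.
        public static int StressTest(int threads, int perThread) {
            var workers = new Thread[threads];
            for (int i = 0; i < threads; i++) {
                int id = i;
                workers[i] = new Thread(() => {
                    for (int j = 0; j < perThread; j++) WriteLog("worker " + id + " entry " + j);
                });
                workers[i].Start();
            }
            foreach (var w in workers) w.Join();
            return File.ReadAllLines(LogPath, Encoding.Unicode).Length;
        }
    }
}
'@

# Add-Type fails with "type name already exists" on a second compile in the same AppDomain,
# so probe for the type before loading. This is what makes a reload of the script safe.
if (-not ('VGT.Omega.Logger' -as [type])) {
    Add-Type -TypeDefinition $CS_Unified_Definition
}

# Demo against a scratch file so the real incidents.log is left alone
[VGT.Omega.Logger]::LogPath = Join-Path $env:TEMP 'mhx-logger-demo.log'
Remove-Item -Path ([VGT.Omega.Logger]::LogPath) -ErrorAction SilentlyContinue
$threads = 8; $perThread = 250
$lines = [VGT.Omega.Logger]::StressTest($threads, $perThread)
'{0} of {1} lines survived concurrent writes' -f $lines, ($threads * $perThread)
```

If you remove the `lock` block and re-run in a fresh session, some writers hit `IOException` on the shared file, which is the V4.0 failure mode the README describes.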
V4.0's masquerading engine read the executable path of every running process. PPL-protected processes (Protected Process Light, used by msmpeng.exe and other Defender components) block path reads at the OS level, returning an empty string. The engine interpreted an empty path as a masquerade attempt and triggered continuous false-positive alerts, flooding the dashboard without a target path.
V4.1 closes this with two targeted fixes:

```powershell
# Fix 1: Trusted path for Windows Defender
$trustedPaths = @(
    "C:\Windows\System32",
    "C:\Program Files\",
    "C:\ProgramData\Microsoft\Windows Defender"   # NEW: covers Defender update paths
)

# Fix 2: Empty Path Guard: PPL blocks classified as KERNEL_PROTECTED
if ([string]::IsNullOrWhiteSpace($rawPath)) {
    return "KERNEL_PROTECTED"   # Skip masquerade check silently
}
```

Defender processes no longer generate false alerts. PPL-protected system components are classified and skipped cleanly.
V4.0 contained a PowerShell syntax error:

```powershell
# BROKEN: Get-Date without parentheses returns a string object
$cutoff = Get-Date.AddDays(-1)
# When .NET attempted DateTime subtraction on a string: op_Subtraction crash
# Result: JIT error dialog, core timer terminates
```

V4.1 fix:

```powershell
# FIXED: parentheses force DateTime evaluation first
$cutoff = (Get-Date).AddDays(-1)
# Additional guard: protects against corrupted system date data
if ($timestamp -is [System.DateTime] -and $cutoff -is [System.DateTime]) {
    # safe to subtract
}
```

The core timer no longer crashes on date arithmetic. Even with corrupted system date state, execution continues.
V4.0's AMSI memory scanner attempted ReadProcessMemory against all processes regardless of architecture. When a 64-bit PowerShell process tried to read the memory of a 32-bit (Wow64) target, the Windows memory model produced access violations, immediately terminating MHX.
V4.1 adds an architecture check before every memory read:

```csharp
[DllImport("kernel32.dll")]
static extern bool IsWow64Process(IntPtr hProcess, out bool isWow64);

// Before ReadProcessMemory:
IsWow64Process(hProcess, out bool targetIsWow64);
if (targetIsWow64) return;   // Skip: incompatible architecture, no crash
```

32-bit processes are skipped silently. No access violations. No crashes.
The critical self-termination bug from V3.x, where the network engine detected its own TISyncJob background process as an untrusted external connection and killed it. V4.0 resolved this by tracking all child PIDs spawned by the core ($Script:CorePID) and explicitly exempting them from all detection engines.
A full GDI+/DWMAPI live dashboard showing live incident logs, real-time memory telemetry, session uptime, and an animated holographic radar grid with sweeping VGT Cyan laser line.
60fps kinetic animation engine, DWMAPI rounded corners, dynamic Cyan/Crimson accent colors, WS_EX_NOACTIVATE focus protection, and vertical offset stacking for simultaneous alerts.
Feodo Tracker, Spamhaus DROP/EDROP, CINS Score, Blocklist.de, Emerging Threats, IPsum, FireHOL Level 1, Tor Exit Nodes.
5-minute AlertCache prevents duplicate alerts for the same PID+IP combination during sustained C2 connections.
Enforces strict parent-child process relationships for critical system processes. A lsass.exe spawned by anything other than wininit.exe is terminated immediately. Boot-time grace window (2 minutes) prevents false positives on legitimate startup sequences.
V4.1: Triggered via WMI event; response time <100ms from process start.
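The lineage rule and grace window described above, as an added example that is not MHX project code. Only the `lsass.exe` under `wininit.exe` rule comes from the README; the other three entries in the rule table are my additions from the standard Windows session-0 boot chain. The example returns a verdict rather than terminating anything, and the parent lookup shows the caveat a practitioner has to handle: WMI only stores the parent PID, so a parent that has exited and a reused PID look the same.

```powershell
# Added example, not MHX project code. Elevated session needed for the live lsass.exe check.

# Expected parents. lsass.exe -> wininit.exe is the README's rule; the rest are my additions.
$ExpectedParents = @{
    'lsass.exe'    = @('wininit.exe')
    'services.exe' = @('wininit.exe')
    'csrss.exe'    = @('smss.exe')
    'winlogon.exe' = @('smss.exe')
}
$BootGraceMinutes = 2   # README: 2-minute boot-time grace window

function Test-ProcessLineage {
    param([string]$ProcessName, [string]$ParentName, [datetime]$Now, [datetime]$BootTime)
    $name = $ProcessName.ToLower()
    if (-not $ExpectedParents.ContainsKey($name)) { return 'NOT_CRITICAL' }
    # Legitimate startup sequences can look irregular: no verdicts until the grace window is over
    if (($Now - $BootTime).TotalMinutes -lt $BootGraceMinutes) { return 'BOOT_GRACE' }
    if ([string]::IsNullOrEmpty($ParentName)) { return 'PARENT_UNKNOWN' }   # parent gone or PID reused
    if ($ExpectedParents[$name] -contains $ParentName.ToLower()) { return 'LINEAGE_OK' }
    return 'LINEAGE_BREACH'   # README event 301; the daemon terminates the child at this point
}

# Parent name via CIM. A parent created *after* the child cannot be its real parent:
# that PID was reused, so the lookup is reported as inconclusive instead of a false name.
function Get-ParentProcessName {
    param([int]$ProcessId)
    $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $ProcessId"
    if (-not $proc) { return $null }
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"
    if (-not $parent) { return $null }
    if ($parent.CreationDate -and $parent.CreationDate -gt $proc.CreationDate) { return $null }
    return $parent.Name
}

$boot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
$now  = Get-Date

# Constructed scenarios (the parent names are made up for the demo)
Test-ProcessLineage -ProcessName 'lsass.exe'   -ParentName 'wininit.exe'    -Now $now -BootTime $boot
Test-ProcessLineage -ProcessName 'lsass.exe'   -ParentName 'powershell.exe' -Now $now -BootTime $boot
Test-ProcessLineage -ProcessName 'lsass.exe'   -ParentName 'powershell.exe' -Now $boot.AddSeconds(30) -BootTime $boot
Test-ProcessLineage -ProcessName 'notepad.exe' -ParentName 'explorer.exe'   -Now $now -BootTime $boot

# Live check of the real lsass.exe on this machine
$lsass = Get-CimInstance Win32_Process -Filter "Name = 'lsass.exe'" | Select-Object -First 1
if ($lsass) {
    Test-ProcessLineage -ProcessName $lsass.Name -ParentName (Get-ParentProcessName $lsass.ProcessId) `
                        -Now $now -BootTime $boot
}
```

The grace window is measured against the time of evaluation, not the process start time, because the critical processes themselves always start within seconds of boot and would otherwise never leave the window.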
Four compiled regex signatures scan process command-line arguments:
| Signature | Detects |
|---|---|
| CLI_RCE_OBFUSCATION | PowerShell `-enc`, `-decode`, `bypass`, `Invoke-`, `DownloadString`, `WebClient` |
| CLI_HIGH_ENTROPY | Base64 blobs (15+ groups), hex escape sequences |
| CLI_EXPLOIT_STRINGS | JNDI injection, cryptocurrency miners (coinhive, monero, stratum) |
| CLI_LOTL_NATIVE | `cmd.exe /c`, `vssadmin delete`, `certutil -urlcache`, `bitsadmin /transfer` |

V4.1: Event-driven; fires on process start, not on the next 2s poll cycle.
Monitors all established TCP connections against 9 live threat feeds. Untrusted processes with external connections that fail path and whitelist validation are terminated. Includes masquerading detection and Temp-directory DLL injection detection.
V4.1: PPL empty-path guard prevents Defender false-positive flood. Trusted Defender paths added. Ouroboros-safe: Core PID and all VGT subroutine PIDs explicitly exempted.
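The decision chain of the network engine, as an added example that is not MHX project code. It covers the pieces this page describes: the plain IP-list feed format, the PPL empty-path guard, the trusted paths and whitelist from the README, the 5-minute PID+IP AlertCache, and the feed hit. Two things are my choices rather than the README's: a feed hit is reported even for whitelisted or trusted-path processes, and the sweep returns verdicts only; termination is left to the caller. All addresses are TEST-NET ranges and the connection records are constructed.

```powershell
# Added example, not MHX project code. PowerShell 5.1+.

# Trusted paths and whitelist entries are taken from the README; the rest is constructed.
$TrustedPaths = @('C:\Windows\System32', 'C:\Program Files\', 'C:\ProgramData\Microsoft\Windows Defender')
$WhitelistedNetworkProcs = @('chrome', 'firefox', 'msedge', 'svchost', 'mpdefendercoreservice')
$AlertCacheMinutes = 5

# Parses the plain one-IP-per-line feed format ('#' comments and blank lines ignored)
function ConvertFrom-ThreatFeed {
    param([string]$Text)
    $set = New-Object 'System.Collections.Generic.HashSet[string]'
    foreach ($line in ($Text -split "`r?`n")) {
        $entry = ($line -split '#', 2)[0].Trim()
        if ($entry -match '^\d{1,3}(\.\d{1,3}){3}$') { [void]$set.Add($entry) }
    }
    return ,$set
}

# Only public addresses count as external; RFC 1918, loopback and link-local are skipped
function Test-ExternalAddress {
    param([string]$Ip)
    return -not ($Ip -match '^(10\.|127\.|169\.254\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)')
}

function Get-ConnectionVerdict {
    param([string]$Name, [string]$Path, [int]$ProcessId, [string]$RemoteIp,
          $ThreatIps, [hashtable]$AlertCache, [datetime]$Now)
    if (-not (Test-ExternalAddress $RemoteIp)) { return 'INTERNAL' }
    # V4.1 PPL guard: an empty path means the OS refused the read, not a masquerade
    if ([string]::IsNullOrWhiteSpace($Path)) { return 'KERNEL_PROTECTED' }
    $feedHit = $ThreatIps.Contains($RemoteIp)
    if (-not $feedHit) {
        if ($WhitelistedNetworkProcs -contains $Name.ToLower()) { return 'WHITELISTED' }
        foreach ($t in $TrustedPaths) {
            if ($Path.StartsWith($t, [System.StringComparison]::OrdinalIgnoreCase)) { return 'TRUSTED_PATH' }
        }
    }
    # AlertCache: one alert per PID+IP pair per 5 minutes during a sustained connection
    $key = "$ProcessId+$RemoteIp"
    if ($AlertCache.ContainsKey($key) -and ($Now - $AlertCache[$key]).TotalMinutes -lt $AlertCacheMinutes) {
        return 'SUPPRESSED'
    }
    $AlertCache[$key] = $Now
    if ($feedHit) { return 'C2_BEACON' }   # README event 900
    return 'UNTRUSTED_EXTERNAL'            # README event 202
}

# Constructed sample feed (not real feed content)
$sampleFeed = @'
# constructed sample feed
198.51.100.23
203.0.113.9   # trailing comment is stripped
not-an-ip
'@
$threatIps = ConvertFrom-ThreatFeed $sampleFeed

# Constructed connection records; live data would come from
# Get-NetTCPConnection -State Established joined with Get-Process -Id <OwningProcess>
$sampleConnections = @(
    [pscustomobject]@{ ProcessId = 1234; Name = 'msedge';  Path = 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'; RemoteAddress = '203.0.113.9' }
    [pscustomobject]@{ ProcessId = 1235; Name = 'chrome';  Path = 'C:\Program Files\Google\Chrome\Application\chrome.exe';  RemoteAddress = '192.0.2.10' }
    [pscustomobject]@{ ProcessId = 4321; Name = 'updater'; Path = 'C:\Users\demo\AppData\Local\Temp\updater.exe';          RemoteAddress = '192.0.2.77' }
    [pscustomobject]@{ ProcessId = 4321; Name = 'updater'; Path = 'C:\Users\demo\AppData\Local\Temp\updater.exe';          RemoteAddress = '192.0.2.77' }
    [pscustomobject]@{ ProcessId = 5555; Name = 'helper';  Path = 'C:\Users\demo\Downloads\helper.exe';                    RemoteAddress = '198.51.100.23' }
    [pscustomobject]@{ ProcessId = 900;  Name = 'MsMpEng'; Path = '';                                                      RemoteAddress = '192.0.2.50' }
    [pscustomobject]@{ ProcessId = 777;  Name = 'svchost'; Path = 'C:\Windows\System32\svchost.exe';                       RemoteAddress = '10.0.0.5' }
)

$cache = @{}
$now = Get-Date
foreach ($c in $sampleConnections) {
    $verdict = Get-ConnectionVerdict -Name $c.Name -Path $c.Path -ProcessId $c.ProcessId -RemoteIp $c.RemoteAddress `
                                     -ThreatIps $threatIps -AlertCache $cache -Now $now
    '{0,-8} pid={1,-5} {2,-15} -> {3}' -f $c.Name, $c.ProcessId, $c.RemoteAddress, $verdict
}
```

The repeated `updater` record is there to show the cache: the second occurrence within the window is suppressed instead of raising a second alert. Feeds in CIDR form (Spamhaus DROP, for instance) need a prefix-aware parser; the README's "plain IP list" format for custom feeds is what `ConvertFrom-ThreatFeed` handles.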
Uses ReadProcessMemory via P/Invoke to inspect in-memory bytes of AmsiScanBuffer in high-risk LotL processes.
| Byte Signature | Technique |
|---|---|
| `B8 57 00 07 80` | `mov eax, 0x80070057`: returns E_INVALIDARG |
| `EB` / `E9` | Unconditional JMP: redirects scan function |
| `C3` | RET: immediate return, scan skipped entirely |
| `31 C0 C3` | `xor eax, eax; ret`: returns clean without scanning |

V4.1: IsWow64Process check added; 32-bit targets skipped silently. No more access violation crashes.
| Technique ID | Technique Name | Engine |
|---|---|---|
| T1055 | Process Injection | Engine 4 (AMSI Memory Scan) |
| T1548.002 | Bypass UAC | Engine 1 (Lineage) |
| T1134 | Access Token Manipulation | Engine 1 (Lineage) |
| T1036 | Masquerading | Engine 3 (Path Verification) |
| T1036.005 | Match Legitimate Name or Location | Engine 3 |
| T1059.001 | Command & Scripting: PowerShell | Engine 2 (KillerDom) |
| T1059.003 | Command & Scripting: Windows Command Shell | Engine 2 (KillerDom) |
| T1027 | Obfuscated Files or Information | Engine 2 (Base64/Hex Detection) |
| T1027.010 | Command Obfuscation | Engine 2 (KillerDom) |
| T1218 | System Binary Proxy Execution (LotL) | Engine 2 (KillerDom) |
| T1218.005 | Mshta | Engine 2 |
| T1218.010 | Regsvr32 | Engine 2 |
| T1218.011 | Rundll32 | Engine 2 |
| T1105 | Ingress Tool Transfer | Engine 2 (KillerDom) |
| T1071 | Application Layer Protocol (C2) | Engine 3 (TI Feeds) |
| T1071.001 | Web Protocols: C2 Beaconing | Engine 3 |
| T1562.001 | Impair Defenses: Disable or Modify Tools | Engine 4 (AMSI Patch) |
| T1055.001 | DLL Injection | Engine 3 (Temp DLL Detection) |
| T1547.001 | Boot/Logon Autostart: Registry Run Keys | Scheduled Task Persistence |
| T1078 | Valid Accounts (Credential Theft via LSASS) | Engine 1 (lsass Lineage Guard) |
- Windows 10 / Windows 11
- PowerShell 5.1+
- Administrator privileges (required for `SeDebugPrivilege`, `ReadProcessMemory`, WMI event subscription)
- .NET Framework 4.x (pre-installed on all modern Windows)

⚠️ Do this before running. The network engine will terminate untrusted processes with external connections.
```powershell
$Script:WhitelistedNetworkProcs = @(
    "chrome", "firefox", "msedge",          # Browsers
    "vscodium", "code",                     # Editors
    "ollama",                               # Local AI
    "svchost", "mpdefendercoreservice",     # Windows System
    "telegram", "discord", "spotify",       # Apps
    "putty", "python"                       # Dev Tools
    # ADD YOUR OWN SOFTWARE HERE (lowercase, without .exe)
)
```

```powershell
$feeds = @(
    "https://feodotracker.abuse.ch/downloads/ipblocklist.txt",
    # ... existing 9 feeds ...
    # ADD YOUR OWN FEEDS HERE (plain IP list format, one per line)
)
```

Feeds sync every 4 hours in a background job.

```powershell
# Right-click -> Run with PowerShell (as Administrator)
# Or from an elevated terminal:
powershell.exe -ExecutionPolicy Bypass -File .\vgt-mhx.ps1
```

The daemon auto-elevates, hides its console, registers the VGT-MHX Scheduled Task for autostart, appears in the system tray, and immediately begins TI feed sync. The WMI event subscription activates automatically; detection is live in under 1 second.
| Menu Item | Function |
|---|---|
| VGT Command Center (Live HUD) | Opens native GDI+ dashboard with live log viewer and telemetry |
| Raw Incident Log (Notepad) | Opens raw incidents.log |
| Export active threat IPs (`Aktive Threat-IPs exportieren`) | Exports full live TI IP cache to timestamped text file |
| Shut down Hunter Core (`Hunter Core beenden`) | Clean daemon shutdown |
All detections written to C:\ProgramData\VGT_Omega\incidents.log (UTF-16LE) and Windows Event Log under source VGT-MHX.
| Event ID | Type | Meaning |
|---|---|---|
| 100 | Information | MHX core initialized; WMI event subscription active |
| 101 | Information | Threat Intel sync completed; N IPs loaded |
| 202 | Warning | Untrusted process with external network connection |
| 203 | Error | Masquerading: known process name, wrong executable path |
| 204 | Error | Suspicious DLL loaded from Temp directory |
| 301 | Error | Critical process lineage breach |
| 666 | Error | KillerDom strike: malicious command-line detected |
| 900 | Error | C2 beacon intercepted and connection terminated |
| 999 | Error | AMSI memory patch detected; process neutralized |
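An added example, not MHX project code, of writing one incident to both sinks named above: the UTF-16LE `incidents.log` and the Windows Event Log under source `VGT-MHX`, with the table's event IDs mapped to entry types. Two assumptions: the log name is `Application` (the README names only the source), and the source has been registered once from an elevated shell with `New-EventLog -LogName Application -Source 'VGT-MHX'`; without that registration the function falls back to file-only logging.

```powershell
# Added example, not MHX project code. PowerShell 5.1+ on Windows.
$MhxEventTypes = @{
    100 = 'Information'; 101 = 'Information'
    202 = 'Warning'
    203 = 'Error'; 204 = 'Error'; 301 = 'Error'; 666 = 'Error'; 900 = 'Error'; 999 = 'Error'
}

function Write-MhxIncident {
    param(
        [Parameter(Mandatory)][int]$EventId,
        [Parameter(Mandatory)][string]$Message,
        [string]$LogPath = 'C:\ProgramData\VGT_Omega\incidents.log',   # path from the README
        [string]$Source  = 'VGT-MHX',                                  # source from the README
        [string]$LogName = 'Application'                               # assumption: not stated on the page
    )
    if (-not $MhxEventTypes.ContainsKey($EventId)) { throw "Unknown MHX event id: $EventId" }
    $type = $MhxEventTypes[$EventId]
    $line = '{0:yyyy-MM-dd HH:mm:ss.fff} [{1}] EID={2} {3}' -f (Get-Date), $type.ToUpper(), $EventId, $Message

    $dir = Split-Path -Parent $LogPath
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir -Force | Out-Null }
    Add-Content -Path $LogPath -Value $line -Encoding Unicode   # 'Unicode' here means UTF-16LE

    $written = $false
    try {
        # SourceExists needs rights to enumerate every log (including Security) and can throw
        if ([System.Diagnostics.EventLog]::SourceExists($Source)) {
            Write-EventLog -LogName $LogName -Source $Source -EventId $EventId -EntryType $type -Message $Message
            $written = $true
        }
    } catch {
        # No rights or no registered source: keep the file entry and report EventLog = $false
    }
    return [pscustomobject]@{ EventId = $EventId; EntryType = $type; EventLog = $written; Line = $line }
}

# Demo against a scratch file so the real incident log is left alone
$demoLog = Join-Path $env:TEMP 'mhx-eventlog-demo.log'
Write-MhxIncident -EventId 100 -Message 'MHX core initialized (demo)' -LogPath $demoLog
Write-MhxIncident -EventId 202 -Message 'pid=4321 updater.exe -> 192.0.2.77:443 (constructed sample)' -LogPath $demoLog
Get-Content -Path $demoLog -Encoding Unicode
```

Reading the file back with `-Encoding Unicode` matters: opened as UTF-8, a UTF-16LE log shows as interleaved NUL characters, which is the usual reason `incidents.log` looks garbled in tools that do not sniff the BOM.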
| Component | License |
|---|---|
| MHX Core (PowerShell daemon, detection engines, TI sync, UI orchestration) | AGPLv3 |
| C# Native Engine (VGT.Omega: Win32TokenXDR, MemoryScanner; VGT.UI: OverlayManager, NotificationForm, DashboardForm) | MIT |

| Tool | Type | Purpose |
|---|---|---|
| VGT MHX | R&D / Experimental | Behavioral EDR daemon: AMSI, Lineage, Network, KillerDom |
| VGT Windows Firewall Burner | Preventive | 280,000+ APT IPs blocked in native Windows Firewall |
| VGT Civilian Checker | Audit | Windows security posture assessment |
| VGT Auto-Punisher | Linux R&D | Experimental userspace IDS for Linux servers |
| VGT Sentinel | WAF / IDS | Zero-Trust WordPress security suite |
Pull requests welcome. For major changes, open an issue first.
Licensed under AGPLv3. "Open Source. Open Knowledge."
VisionGaia Technology is an R&D collective exploring experimental architectures, AI integration, and cybersecurity paradigms. We build to learn, we break things to understand them, and we share the results.
VGT Malware Hunter X-Ray v4.1 DIAMANT APEX: Experimental Windows EDR // WMI Event Detection <100ms // Unified Memory Core // Thread-Safe Logging // Wow64 Protection // Native GDI+ OSD Engine // Process Lineage + KillerDom + Zero-Trust Network + AMSI Memory Integrity // Ouroboros Fix Applied