Open-source research: Detecting manually mapped images in Windows processes
MappedImagesDetector is an open-source Windows memory scanner tool designed to detect manually mapped DLLs and suspicious in-memory images that evade traditional antivirus detection. It inspects process memory directly, identifying anomalies such as erased PE headers, fake import address tables, and executable regions not registered with the Windows loader. The tool uses heuristics focusing on import thunk patterns to detect manually mapped images. It is intended for antivirus, EDR developers, blue teams, and malware researchers to improve detection of in-memory malware techniques. This project is research-focused and not an offensive tool.
AI Analysis
Technical Summary
MappedImagesDetector is a native C++20 Windows tool that scans process virtual memory regions to detect malicious DLL injection techniques, including manual mapping, erased PE headers, and suspicious executable memory regions that traditional disk-based antivirus solutions miss. It avoids relying on standard module enumeration methods and instead uses NtQueryVirtualMemory and NtReadVirtualMemory to identify executable regions and analyze import thunk patterns (notably x64 import stubs FF 25) indicative of manually mapped PE images. The tool flags anomalies such as missing or corrupted PE headers and executable memory regions not associated with legitimate modules. It is designed as a defensive research project to enhance visibility into process memory for AV/EDR pipelines and malware research.
Potential Impact
This tool addresses the challenge posed by modern malware that operates entirely in memory, bypassing disk-based detection by manually mapping DLLs or erasing PE headers. While MappedImagesDetector itself is not a vulnerability or exploit, it enhances detection capabilities against advanced in-memory malware techniques that evade traditional antivirus solutions. It does not introduce new vulnerabilities but provides defenders with improved visibility into stealthy malicious code residing in process memory.
Mitigation Recommendations
This is a defensive detection tool and not a vulnerability requiring patching. No remediation or patch is applicable. Security teams and AV/EDR developers can integrate or use MappedImagesDetector to improve detection of manual DLL injection and in-memory malware. The project is research-focused and intended to complement existing security solutions by providing memory-based detection heuristics.
Open-source research: Detecting manually mapped images in Windows processes
Description
MappedImagesDetector is an open-source Windows memory scanner tool designed to detect manually mapped DLLs and suspicious in-memory images that evade traditional antivirus detection. It inspects process memory directly, identifying anomalies such as erased PE headers, fake import address tables, and executable regions not registered with the Windows loader. The tool uses heuristics focusing on import thunk patterns to detect manually mapped images. It is intended for antivirus, EDR developers, blue teams, and malware researchers to improve detection of in-memory malware techniques. This project is research-focused and not an offensive tool.
Reddit Discussion
I’ve been spending some time researching different techniques for detecting manually mapped (reflectively loaded) PE images in user mode, and I decided to open-source one of the approaches I’ve been experimenting with.
The detector avoids relying on traditional module enumeration (e.g. PEB/LDR lists or EnumProcessModules). Instead, it walks the target process’s virtual address space with NtQueryVirtualMemory, identifies executable memory regions, and reads them using NtReadVirtualMemory.
The current heuristic focuses on import thunk patterns. After scanning an executable region, it looks for contiguous sequences of x64 import stubs (FF 25), which are commonly emitted by the compiler for imported functions. A sufficiently large cluster of these thunks inside executable memory can indicate the presence of a manually mapped PE image that was never registered with the Windows loader.
The goal isn’t to claim this is a universal detection technique, it’s a research project exploring one heuristic and its effectiveness.
The repository is here:
https://github.com/adem-hosni/MappedImagesDetector
I’m hoping this can serve as a useful discussion point and maybe evolve into a more robust detection technique with community feedback.
Links cited in this discussion
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
MappedImagesDetector is a native C++20 Windows tool that scans process virtual memory regions to detect malicious DLL injection techniques, including manual mapping, erased PE headers, and suspicious executable memory regions that traditional disk-based antivirus solutions miss. It avoids relying on standard module enumeration methods and instead uses NtQueryVirtualMemory and NtReadVirtualMemory to identify executable regions and analyze import thunk patterns (notably x64 import stubs FF 25) indicative of manually mapped PE images. The tool flags anomalies such as missing or corrupted PE headers and executable memory regions not associated with legitimate modules. It is designed as a defensive research project to enhance visibility into process memory for AV/EDR pipelines and malware research.
Potential Impact
This tool addresses the challenge posed by modern malware that operates entirely in memory, bypassing disk-based detection by manually mapping DLLs or erasing PE headers. While MappedImagesDetector itself is not a vulnerability or exploit, it enhances detection capabilities against advanced in-memory malware techniques that evade traditional antivirus solutions. It does not introduce new vulnerabilities but provides defenders with improved visibility into stealthy malicious code residing in process memory.
Mitigation Recommendations
This is a defensive detection tool and not a vulnerability requiring patching. No remediation or patch is applicable. Security teams and AV/EDR developers can integrate or use MappedImagesDetector to improve detection of manual DLL injection and in-memory malware. The project is research-focused and intended to complement existing security solutions by providing memory-based detection heuristics.
Technical Details
- Source Type
- Subreddit
- cybersecurity
- Reddit Score
- 0
- Discussion Level
- minimal
- Content Source
- reddit_link_post
- Post Type
- link
- Domain
- null
- Newsworthiness Assessment
- {"score":30,"reasons":["external_link","newsworthy_keywords:rce","established_author","very_recent"],"isNewsworthy":true,"foundNewsworthy":["rce"],"foundNonNewsworthy":[]}
- Has External Source
- true
- Trusted Domain
- false
Threat ID: 6a57c42a68715ace431f19c1
Added to database: 07/15/2026, 17:32:26 UTC
Last enriched: 07/15/2026, 17:32:35 UTC
Last updated: 07/15/2026, 18:17:20 UTC
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.