Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

Open-source research: Detecting manually mapped images in Windows processes

0
Medium
Published: 07/15/2026 (07/15/2026, 17:26:01 UTC)
Source: Reddit Cybersecurity

Description

MappedImagesDetector is an open-source Windows memory scanner tool designed to detect manually mapped DLLs and suspicious in-memory images that evade traditional antivirus detection. It inspects process memory directly, identifying anomalies such as erased PE headers, fake import address tables, and executable regions not registered with the Windows loader. The tool uses heuristics focusing on import thunk patterns to detect manually mapped images. It is intended for antivirus, EDR developers, blue teams, and malware researchers to improve detection of in-memory malware techniques. This project is research-focused and not an offensive tool.

Reddit Discussion

r/cybersecurity·posted by u/Last_Operation2527
00

I’ve been spending some time researching different techniques for detecting manually mapped (reflectively loaded) PE images in user mode, and I decided to open-source one of the approaches I’ve been experimenting with.

The detector avoids relying on traditional module enumeration (e.g. PEB/LDR lists or EnumProcessModules). Instead, it walks the target process’s virtual address space with NtQueryVirtualMemory, identifies executable memory regions, and reads them using NtReadVirtualMemory.

The current heuristic focuses on import thunk patterns. After scanning an executable region, it looks for contiguous sequences of x64 import stubs (FF 25), which are commonly emitted by the compiler for imported functions. A sufficiently large cluster of these thunks inside executable memory can indicate the presence of a manually mapped PE image that was never registered with the Windows loader.

The goal isn’t to claim this is a universal detection technique, it’s a research project exploring one heuristic and its effectiveness.

The repository is here:
https://github.com/adem-hosni/MappedImagesDetector

I’m hoping this can serve as a useful discussion point and maybe evolve into a more robust detection technique with community feedback.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/15/2026, 17:32:35 UTC

Technical Analysis

MappedImagesDetector is a native C++20 Windows tool that scans process virtual memory regions to detect malicious DLL injection techniques, including manual mapping, erased PE headers, and suspicious executable memory regions that traditional disk-based antivirus solutions miss. It avoids relying on standard module enumeration methods and instead uses NtQueryVirtualMemory and NtReadVirtualMemory to identify executable regions and analyze import thunk patterns (notably x64 import stubs FF 25) indicative of manually mapped PE images. The tool flags anomalies such as missing or corrupted PE headers and executable memory regions not associated with legitimate modules. It is designed as a defensive research project to enhance visibility into process memory for AV/EDR pipelines and malware research.

Potential Impact

This tool addresses the challenge posed by modern malware that operates entirely in memory, bypassing disk-based detection by manually mapping DLLs or erasing PE headers. While MappedImagesDetector itself is not a vulnerability or exploit, it enhances detection capabilities against advanced in-memory malware techniques that evade traditional antivirus solutions. It does not introduce new vulnerabilities but provides defenders with improved visibility into stealthy malicious code residing in process memory.

Mitigation Recommendations

This is a defensive detection tool and not a vulnerability requiring patching. No remediation or patch is applicable. Security teams and AV/EDR developers can integrate or use MappedImagesDetector to improve detection of manual DLL injection and in-memory malware. The project is research-focused and intended to complement existing security solutions by providing memory-based detection heuristics.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Source Type
reddit
Subreddit
cybersecurity
Reddit Score
0
Discussion Level
minimal
Content Source
reddit_link_post
Post Type
link
Domain
null
Newsworthiness Assessment
{"score":30,"reasons":["external_link","newsworthy_keywords:rce","established_author","very_recent"],"isNewsworthy":true,"foundNewsworthy":["rce"],"foundNonNewsworthy":[]}
Has External Source
true
Trusted Domain
false

Threat ID: 6a57c42a68715ace431f19c1

Added to database: 07/15/2026, 17:32:26 UTC

Last enriched: 07/15/2026, 17:32:35 UTC

Last updated: 07/15/2026, 18:17:20 UTC

Views: 3

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses