A professional-grade Windows malware detection and containment application designed to compete with commercial EDR solutions. Prioritizes safety, accuracy, and controlled remediation over aggressive deletion.
- ETW-based monitoring: Event-driven detection of service creation, file operations, and process execution
- Signature validation: Authenticode verification for all executables
- Behavioral analysis: Clipboard hijacking and screen capture detection
- Heuristic scoring: Multi-factor threat assessment
- Process suspension: Freeze malicious processes without termination
- Execution blocking: NTFS ACL-based prevention
- Network isolation: Windows Firewall integration
- Service disabling: Prevent malicious service restart
- Persistence removal: Clean registry, scheduled tasks, startup folders
- Quarantine system: Isolate threats without deletion
- Boot-time removal: Schedule deletion for locked files
- Offline remediation: Windows Defender Offline integration
- Manual confirmation: Never delete without user approval
- Detects fake system binaries (sihostw.exe vs sihost.exe)
- Identifies unsigned executables in System32/SysWOW64
- Flags 32-bit processes masquerading as system processes
- Detects PSEXESVC without legitimate PsExec
- Identifies clipboard hijackers and screenshot capture malware
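The fake-system-binary check above (sihostw.exe vs sihost.exe) as an added C# example; this is illustrative code, not the project's ThreatDetector, and the known-name list and the edit-distance threshold of 1 are assumptions:

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example, not the project's code. The known-name list and the
// edit-distance threshold of 1 are illustrative assumptions.
public static class FakeSystemBinaryCheck
{
    private static readonly HashSet<string> KnownSystemBinaries = new(StringComparer.OrdinalIgnoreCase)
        { "sihost.exe", "svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "explorer.exe" };

    // Case-insensitive Levenshtein distance; sihostw.exe vs sihost.exe is one insertion.
    public static int EditDistance(string a, string b)
    {
        var d = new int[a.Length + 1, b.Length + 1];
        for (int i = 0; i <= a.Length; i++) d[i, 0] = i;
        for (int j = 0; j <= b.Length; j++) d[0, j] = j;
        for (int i = 1; i <= a.Length; i++)
            for (int j = 1; j <= b.Length; j++)
            {
                int cost = char.ToLowerInvariant(a[i - 1]) == char.ToLowerInvariant(b[j - 1]) ? 0 : 1;
                d[i, j] = Math.Min(Math.Min(d[i - 1, j] + 1, d[i, j - 1] + 1), d[i - 1, j - 1] + cost);
            }
        return d[a.Length, b.Length];
    }

    // Returns the legitimate name being imitated, or null when the name is clean.
    // An exact match is the real binary; a distance of 1 (one added, dropped or swapped
    // character) is the typosquatting pattern. Pair this with Authenticode verification
    // so a legitimately signed near-name is not flagged on the name alone.
    public static string? Typosquats(string fileName)
    {
        if (KnownSystemBinaries.Contains(fileName)) return null;
        return KnownSystemBinaries.FirstOrDefault(k => EditDistance(fileName, k) == 1);
    }

    public static void Main()
    {
        foreach (var name in new[] { "sihost.exe", "sihostw.exe", "svch0st.exe", "notepad.exe" })
            Console.WriteLine($"{name,-12} -> {Typosquats(name) ?? "clean"}");
        // sihost.exe -> clean, sihostw.exe -> sihost.exe, svch0st.exe -> svchost.exe, notepad.exe -> clean
    }
}
```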
- ❌ Delete files immediately upon detection
- ❌ Delete Microsoft-signed binaries
- ❌ Delete from System32 without offline context
- ❌ Proceed without user confirmation
- ❌ Damage Windows system files
- ✅ Contain threats before deletion
- ✅ Require manual confirmation for remediation
- ✅ Provide rollback capability
- ✅ Log comprehensive forensic details
- ✅ Warn users of credential compromise
- Windows 10/11 (64-bit)
- .NET 6.0 Runtime
- Administrator privileges
- 100MB disk space
- 2GB RAM minimum
```powershell
dotnet build -c Release
```

```powershell
# Must run as Administrator
.\bin\Release\net6.0-windows\MalwareDefense.exe
```

```powershell
# Use sc.exe explicitly: in Windows PowerShell, bare "sc" is an alias for Set-Content
sc.exe create MalwareDefense binPath= "C:\Path\To\MalwareDefense.exe"
sc.exe config MalwareDefense start= auto
sc.exe start MalwareDefense
```

- Unsigned binaries in protected paths (Score: 50)
- Non-Microsoft signatures in System32 (Score: 40)
- Revoked or expired certificates (Score: 35)
- Typosquatting patterns (Score: 45)
- System processes in wrong locations (Score: 35)
- PSEXESVC without PsExec (Score: 50)
- Services from suspicious locations (Score: 30)
- Clipboard hijacking (Score: 50 - CRITICAL)
- Screen capture without UI (Score: 45)
- Keylogger indicators (Score: 50 - CRITICAL)
- Suspicious (30-49): Logged and alerted
- Malicious (50-79): Contained and alerted
- Critical (80+): Contained, alerted, offline remediation recommended
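The scoring rules and severity bands above, worked through in C# as an added example (not the project's own scoring code). The weights and thresholds are the ones listed; summing the distinct indicators and capping at 100 is an assumption about how the multi-factor score is combined:

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example, not the project's code. The weights and bands are the ones listed
// above; summing distinct indicators and capping at 100 is an assumption about how
// the multi-factor score is combined.
public enum Indicator
{
    UnsignedInProtectedPath, NonMicrosoftSigInSystem32, RevokedOrExpiredCert, Typosquatting,
    SystemProcessWrongLocation, PsExeSvcWithoutPsExec, ServiceFromSuspiciousLocation,
    ClipboardHijacking, ScreenCaptureWithoutUi, KeyloggerIndicators
}

public enum Severity { Clean, Suspicious, Malicious, Critical }

public static class ThreatScorer
{
    private static readonly Dictionary<Indicator, int> Weights = new()
    {
        [Indicator.UnsignedInProtectedPath] = 50,       [Indicator.NonMicrosoftSigInSystem32] = 40,
        [Indicator.RevokedOrExpiredCert] = 35,          [Indicator.Typosquatting] = 45,
        [Indicator.SystemProcessWrongLocation] = 35,    [Indicator.PsExeSvcWithoutPsExec] = 50,
        [Indicator.ServiceFromSuspiciousLocation] = 30, [Indicator.ClipboardHijacking] = 50,
        [Indicator.ScreenCaptureWithoutUi] = 45,        [Indicator.KeyloggerIndicators] = 50,
    };

    public static int Score(IEnumerable<Indicator> hits) =>
        Math.Min(100, hits.Distinct().Sum(h => Weights[h]));

    // Suspicious: log + alert. Malicious: contain + alert. Critical: also recommend offline remediation.
    public static Severity Classify(int score) => score switch
    {
        >= 80 => Severity.Critical,
        >= 50 => Severity.Malicious,
        >= 30 => Severity.Suspicious,
        _ => Severity.Clean
    };

    public static void Main()
    {
        // sihostw.exe in System32: unsigned in protected path (50) + typosquatting (45) = 95 -> Critical
        int fake = Score(new[] { Indicator.UnsignedInProtectedPath, Indicator.Typosquatting });
        // A service from an unusual folder on its own (30) is only Suspicious: logged, not contained
        int svc = Score(new[] { Indicator.ServiceFromSuspiciousLocation });
        Console.WriteLine($"{fake} {Classify(fake)}, {svc} {Classify(svc)}");   // 95 Critical, 30 Suspicious
    }
}
```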
```text
┌─────────────────────────────────────────────────────────┐
│                     User Interface                      │
│   (Tray Icon, Alerts, Remediation Console, Dashboard)   │
└─────────────────────────────────────────────────────────┘
                             │
┌─────────────────────────────────────────────────────────┐
│                 Malware Defense Engine                  │
│            (Orchestration & Event Handling)             │
└─────────────────────────────────────────────────────────┘
           │              │              │
┌──────────┴──────┐   ┌───┴────────┐   ┌─┴──────────────┐
│ Detection       │   │ Monitoring │   │ Containment    │
│ Engine          │   │ Subsystems │   │ Engine         │
│                 │   │            │   │                │
│ • Signature     │   │ • ETW      │   │ • Process      │
│ • Heuristics    │   │ • WMI      │   │   Suspension   │
│ • Scoring       │   │ • Behavior │   │ • ACL Blocking │
└─────────────────┘   └────────────┘   │ • Network      │
                                       │   Isolation    │
                                       └────────────────┘
                                         │
                              ┌──────────┴──────────────┐
                              │ Remediation Controller  │
                              │                         │
                              │ • Quarantine            │
                              │ • Boot-time Delete      │
                              │ • Offline Remediation   │
                              └─────────────────────────┘
```
```text
MalwareDefense/
├── src/
│   ├── Core/
│   │   └── MalwareDefenseEngine.cs       # Main orchestrator
│   ├── DetectionEngine/
│   │   └── ThreatDetector.cs             # Threat analysis
│   ├── Monitoring/
│   │   ├── ETWMonitor.cs                 # Event Tracing
│   │   ├── ServiceMonitor.cs             # Service monitoring
│   │   └── BehaviorMonitor.cs            # Behavioral detection
│   ├── Containment/
│   │   └── ContainmentEngine.cs          # Safe containment
│   ├── Remediation/
│   │   └── RemediationController.cs      # Controlled removal
│   └── UI/
│       └── AlertSystem.cs                # User notifications
├── ARCHITECTURE.md                       # System design
├── DETECTION_RULES.md                    # Detection logic
├── IMPLEMENTATION_GUIDE.md               # Development guide
├── SECURITY_DISCLAIMER.md                # Legal notice
└── README.md                             # This file
```
The system automatically detects threats in real-time. When a threat is detected:
- Immediate Containment: Process suspended, network blocked
- User Alert: Tray notification with threat details
- Forensic Logging: Complete threat report saved
- Remediation Options: User chooses next action
```powershell
# View forensic logs
Get-Content "$env:ProgramData\MalwareDefense\Logs\forensic.log"

# List quarantined files
Get-ChildItem "$env:ProgramData\MalwareDefense\Quarantine"
```

- Open remediation console from tray icon
- Review threat details and indicators
- Choose remediation action:
  - Quarantine only (safest)
  - Delete now (if safe)
  - Boot-time delete (for locked files)
  - Offline remediation (for SYSTEM-level threats)
- Confirm action
- Verify removal
⚠️ CLIPBOARD HIJACKING DETECTED
Any cryptocurrency addresses copied may have been compromised.
Recommendation: Verify all crypto transactions from a clean device.
⚠️ SCREEN CAPTURE DETECTED
Sensitive information displayed on screen may have been captured.
Recommendation: Change passwords from a clean device.
⚠️ SYSTEM-LEVEL COMPROMISE
Attacker had full system access. Assume complete compromise.
Recommendations:
1. Disconnect from network immediately
2. Change all passwords from a clean device
3. Review financial transactions
4. Run offline remediation
5. Consider full system reinstall
```powershell
dotnet test --filter Category=Unit
```

```powershell
dotnet test --filter Category=Integration
```

```powershell
# Deploy test malware samples
.\tests\deploy-samples.ps1

# Run detection tests
dotnet test --filter Category=System
```

- Detection Latency: < 500ms
- CPU Usage: < 2% idle, < 10% active
- Memory: < 100MB
- Disk I/O: Minimal (event-driven)
This is a security-critical application. Contributions must:
- Include comprehensive tests
- Follow safety-first principles
- Never compromise system stability
- Include documentation updates
[Your License Here]
This software is provided for defensive security purposes only. Users are responsible for:
- Compliance with local laws and regulations
- Proper authorization before deployment
- Data privacy and retention policies
- Incident response procedures
CRITICAL: If SYSTEM-level spyware, clipboard hijacking, or screenshot capture is detected, users must assume:
- All credentials entered on the system are compromised
- All cryptocurrency transactions may have been intercepted
- All sensitive data displayed on screen may have been captured
- Complete system reinstallation may be necessary
- Documentation: See IMPLEMENTATION_GUIDE.md
- Detection Rules: See DETECTION_RULES.md
- Architecture: See ARCHITECTURE.md
- Issues: [GitHub Issues]
- Security: Report vulnerabilities privately
- Microsoft for Windows ETW and security APIs
- Sysinternals for inspiration on system-level tools
- Security research community for threat intelligence
Built with safety and accuracy as top priorities. Designed to protect, not to damage.