Usermode Features
Ring 3
Comprehensive process monitoring and manipulation built on Windows usermode APIs. These features run entirely in ring 3 and do not require the kernel driver; they provide powerful capabilities for security research and analysis.
Overview
The usermode features are implemented in the following Rust crates:
- process: process enumeration, threads, handles, modules, memory regions, string scanning
- network: TCP/UDP connection enumeration via the IP Helper API
- service: Windows Service Control Manager operations
- misc: DLL injection, shellcode injection, process creation, token theft, unhooking
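The network crate's IP Helper enumeration is the usual two-call GetExtendedTcpTable pattern. The following is an added example written for this page, not code from the project's network crate: it declares the one FFI import by hand (no external crate), handles the ERROR_INSUFFICIENT_BUFFER retry that occurs when the table grows between the size query and the real call, and decodes MIB_TCPTABLE_OWNER_PID rows, where the IPv4 address is already in network byte order but the port occupies only the low 16 bits of its DWORD and must be read big-endian. The names parse_tcp_table, snapshot_tcp_table and sample_table are this example's own, and sample_table is a constructed table, not one captured from a host. The Windows call is compiled only on Windows; off Windows the program decodes the constructed sample instead.

```rust
use std::net::Ipv4Addr;

/// One decoded row of MIB_TCPTABLE_OWNER_PID (AF_INET, TCP_TABLE_OWNER_PID_ALL).
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct TcpConn { pub state: u32, pub local: Ipv4Addr, pub local_port: u16,
                     pub remote: Ipv4Addr, pub remote_port: u16, pub pid: u32 }

/// MIB_TCPROW_OWNER_PID is six DWORDs: state, local addr, local port, remote addr, remote port, PID.
const ROW_SIZE: usize = 24;

/// MIB_TCP_STATE values from iprtrmib.h.
pub fn tcp_state_name(state: u32) -> &'static str {
    match state {
        1 => "CLOSED", 2 => "LISTEN", 3 => "SYN_SENT", 4 => "SYN_RCVD",
        5 => "ESTABLISHED", 6 => "FIN_WAIT1", 7 => "FIN_WAIT2", 8 => "CLOSE_WAIT",
        9 => "CLOSING", 10 => "LAST_ACK", 11 => "TIME_WAIT", 12 => "DELETE_TCB",
        _ => "UNKNOWN",
    }
}

/// Decode the raw table. Addresses are stored in network byte order, so the four bytes are
/// already a.b.c.d. Ports sit in the low 16 bits of their DWORD, also in network byte order:
/// the first two bytes of the little-endian DWORD are the big-endian port; the rest is ignored.
pub fn parse_tcp_table(buf: &[u8]) -> Result<Vec<TcpConn>, String> {
    let dword = |o: usize| u32::from_le_bytes([buf[o], buf[o + 1], buf[o + 2], buf[o + 3]]);
    let addr = |o: usize| Ipv4Addr::new(buf[o], buf[o + 1], buf[o + 2], buf[o + 3]);
    let port = |o: usize| u16::from_be_bytes([buf[o], buf[o + 1]]);
    if buf.len() < 4 { return Err("buffer too short for dwNumEntries".into()); }
    let n = dword(0) as usize;
    let needed = n.checked_mul(ROW_SIZE).and_then(|b| b.checked_add(4))
        .ok_or_else(|| "dwNumEntries overflows".to_string())?;
    if buf.len() < needed {
        return Err(format!("dwNumEntries={} needs {} bytes, got {}", n, needed, buf.len()));
    }
    Ok((0..n).map(|i| {
        let r = 4 + i * ROW_SIZE;
        TcpConn { state: dword(r), local: addr(r + 4), local_port: port(r + 8),
                  remote: addr(r + 12), remote_port: port(r + 16), pid: dword(r + 20) }
    }).collect())
}

/// Constructed sample (not captured from a host): one established connection and one
/// listener, laid out exactly as GetExtendedTcpTable would return them.
pub fn sample_table() -> Vec<u8> {
    let mut b = 2u32.to_le_bytes().to_vec(); // dwNumEntries = 2
    // ESTABLISHED 127.0.0.1:49152 -> 10.0.0.5:443, pid 4242
    b.extend_from_slice(&5u32.to_le_bytes());
    b.extend_from_slice(&[127, 0, 0, 1, 0xC0, 0x00, 0, 0, 10, 0, 0, 5, 0x01, 0xBB, 0, 0]);
    b.extend_from_slice(&4242u32.to_le_bytes());
    // LISTEN 0.0.0.0:3389 -> 0.0.0.0:0, pid 1234
    b.extend_from_slice(&2u32.to_le_bytes());
    b.extend_from_slice(&[0, 0, 0, 0, 0x0D, 0x3D, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]);
    b.extend_from_slice(&1234u32.to_le_bytes());
    b
}

#[cfg(windows)]
#[allow(non_snake_case)]
mod iphlpapi {
    #[link(name = "iphlpapi")]
    extern "system" {
        pub fn GetExtendedTcpTable(table: *mut u8, size: *mut u32, order: i32,
                                   af: u32, class: u32, reserved: u32) -> u32;
    }
    pub const AF_INET: u32 = 2;
    pub const TCP_TABLE_OWNER_PID_ALL: u32 = 5;
    pub const ERROR_INSUFFICIENT_BUFFER: u32 = 122;
}

/// Live enumeration: ask for the size, allocate, call again, and retry if the table grew
/// in between (ERROR_INSUFFICIENT_BUFFER is expected at least once, on the size query).
#[cfg(windows)]
pub fn snapshot_tcp_table() -> Result<Vec<TcpConn>, String> {
    use iphlpapi::*;
    let mut size: u32 = 0;
    loop {
        let mut buf = vec![0u32; (size as usize + 3) / 4]; // DWORD-aligned storage
        let ptr = if size == 0 { std::ptr::null_mut() } else { buf.as_mut_ptr() as *mut u8 };
        let rc = unsafe { GetExtendedTcpTable(ptr, &mut size, 1, AF_INET, TCP_TABLE_OWNER_PID_ALL, 0) };
        match rc {
            0 => return parse_tcp_table(unsafe {
                std::slice::from_raw_parts(buf.as_ptr() as *const u8, size as usize) }),
            ERROR_INSUFFICIENT_BUFFER => continue, // `size` now holds the required length
            e => return Err(format!("GetExtendedTcpTable failed: {}", e)),
        }
    }
}

fn main() {
    #[cfg(windows)]
    let conns = snapshot_tcp_table().expect("GetExtendedTcpTable");
    #[cfg(not(windows))]
    let conns = parse_tcp_table(&sample_table()).unwrap(); // no IP Helper API off Windows
    for c in &conns {
        println!("{:<12} {}:{} -> {}:{} pid={}", tcp_state_name(c.state),
                 c.local, c.local_port, c.remote, c.remote_port, c.pid);
    }
}
```

The same decoder covers the UDP table (MIB_UDPTABLE_OWNER_PID) once the row layout is adjusted: UDP rows are three DWORDs (local address, local port, owning PID) with no state and no remote endpoint.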
Features
Process Monitoring
Enumerate processes, threads, handles, modules, and memory regions
DLL Injection
7 injection methods from LoadLibrary to Manual Mapping
Shellcode Injection
Classic, Web Staging, and Threadless injection techniques
Process Creation
Hollowing, Ghosting, Herpaderping, and PPID Spoofing
Hook Detection
IAT scanning and automatic DLL unhooking
Memory Operations
Commit, decommit, free memory regions with hex dump viewer
Token Theft
Steal and impersonate process tokens
Key Capabilities
Process Tree View
Hierarchical view of parent-child process relationships with expand/collapse controls
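Building a correct tree from snapshot data is less obvious than it looks, because Windows reuses PIDs: the parent PID recorded for a long-running process can point at an unrelated process that was assigned the same number later. The example below is added for this page and is not the process crate's implementation. It reads the snapshot with CreateToolhelp32Snapshot / Process32FirstW / Process32NextW through hand-declared FFI (compiled on Windows only), then builds the forest with the guard a tree view needs: a parent link is accepted only when the parent exists in the snapshot and, when creation times are available, was created no later than the child; processes that fail the check become roots rather than children of a false parent. ProcInfo, TreeNode, build_tree, show, snapshot_processes and sample_processes are this example's own names; sample_processes is a constructed list (not a real snapshot) that includes one such reused PID, and the Windows path leaves created as None, where a full tool would fill it in from GetProcessTimes.

```rust
use std::collections::{HashMap, HashSet};
/// A process from a Toolhelp snapshot; `created` is its FILETIME creation time when known.
pub struct ProcInfo { pub pid: u32, pub ppid: u32, pub name: String, pub created: Option<u64> }
pub struct TreeNode { pub pid: u32, pub name: String, pub children: Vec<TreeNode> }

/// Build the forest. A parent link counts only if the parent is in the snapshot and, when both
/// creation times are known, started no later than the child. Windows recycles PIDs, so a bare
/// ppid can name an unrelated process that got the number after the real parent exited; such
/// processes are shown as roots rather than as children of a false parent.
pub fn build_tree(procs: &[ProcInfo]) -> Vec<TreeNode> {
    let by_pid: HashMap<u32, &ProcInfo> = procs.iter().map(|p| (p.pid, p)).collect();
    let mut kids: HashMap<u32, Vec<u32>> = HashMap::new();
    let mut roots = Vec::new();
    for p in procs {
        let parent_ok = p.pid != p.ppid && match by_pid.get(&p.ppid) {
            Some(par) => match (par.created, p.created) { (Some(a), Some(b)) => a <= b, _ => true },
            None => false,
        };
        if parent_ok { kids.entry(p.ppid).or_default().push(p.pid) } else { roots.push(p.pid) }
    }
    fn attach(pid: u32, by_pid: &HashMap<u32, &ProcInfo>, kids: &HashMap<u32, Vec<u32>>,
              seen: &mut HashSet<u32>) -> TreeNode {
        let mut node = TreeNode { pid, name: by_pid[&pid].name.clone(), children: Vec::new() };
        for &c in kids.get(&pid).into_iter().flatten() {
            if seen.insert(c) { node.children.push(attach(c, by_pid, kids, seen)); }
        }
        node
    }
    let (mut seen, mut forest) = (HashSet::new(), Vec::new());
    // Roots first, then anything still unvisited (a ppid cycle), so that no process is dropped.
    for pid in roots.into_iter().chain(procs.iter().map(|p| p.pid)) {
        if seen.insert(pid) { forest.push(attach(pid, &by_pid, &kids, &mut seen)); }
    }
    forest
}

/// Indented text rendering, one line per process.
pub fn show(nodes: &[TreeNode], depth: usize) {
    for n in nodes { println!("{}{} ({})", "  ".repeat(depth), n.name, n.pid); show(&n.children, depth + 1); }
}

/// Constructed sample, not a real snapshot. chrome.exe (1500) reuses the PID that malware.exe's
/// real parent had, and was created after it, so it must not be shown as the parent.
pub fn sample_processes() -> Vec<ProcInfo> {
    let p = |pid, ppid, name: &str, t| ProcInfo { pid, ppid, name: name.to_string(), created: Some(t) };
    vec![
        p(4, 0, "System", 100), p(500, 4, "wininit.exe", 150), p(600, 500, "services.exe", 200),
        p(700, 600, "svchost.exe", 250), p(3000, 2900, "explorer.exe", 400), p(3100, 3000, "cmd.exe", 500),
        p(3200, 3100, "powershell.exe", 600), p(3300, 3100, "notepad.exe", 700),
        p(900, 1500, "malware.exe", 300), p(1500, 3000, "chrome.exe", 1000),
    ]
}

#[cfg(windows)]
#[allow(non_snake_case)]
mod win {
    #[repr(C)]
    pub struct PROCESSENTRY32W {
        pub dw_size: u32, pub cnt_usage: u32, pub th32_process_id: u32, pub th32_default_heap_id: usize,
        pub th32_module_id: u32, pub cnt_threads: u32, pub th32_parent_process_id: u32,
        pub pc_pri_class_base: i32, pub dw_flags: u32, pub sz_exe_file: [u16; 260],
    }
    #[link(name = "kernel32")]
    extern "system" {
        pub fn CreateToolhelp32Snapshot(flags: u32, pid: u32) -> isize;
        pub fn Process32FirstW(snap: isize, e: *mut PROCESSENTRY32W) -> i32;
        pub fn Process32NextW(snap: isize, e: *mut PROCESSENTRY32W) -> i32;
        pub fn CloseHandle(h: isize) -> i32;
    }
    pub const TH32CS_SNAPPROCESS: u32 = 0x2;
}

/// Live enumeration with CreateToolhelp32Snapshot / Process32FirstW / Process32NextW.
#[cfg(windows)]
pub fn snapshot_processes() -> Result<Vec<ProcInfo>, String> {
    use win::*;
    let mut out = Vec::new();
    unsafe {
        let snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        if snap == -1 { return Err("CreateToolhelp32Snapshot failed".into()); } // INVALID_HANDLE_VALUE
        let mut e: PROCESSENTRY32W = std::mem::zeroed();
        e.dw_size = std::mem::size_of::<PROCESSENTRY32W>() as u32; // the API rejects a zero dwSize
        let mut more = Process32FirstW(snap, &mut e);
        while more != 0 {
            let len = e.sz_exe_file.iter().position(|&c| c == 0).unwrap_or(260);
            out.push(ProcInfo { pid: e.th32_process_id, ppid: e.th32_parent_process_id,
                name: String::from_utf16_lossy(&e.sz_exe_file[..len]),
                created: None }); // a full tool fills this from GetProcessTimes to arm the PID-reuse guard
            more = Process32NextW(snap, &mut e);
        }
        CloseHandle(snap);
    }
    Ok(out)
}

fn main() {
    #[cfg(windows)]
    let procs = snapshot_processes().expect("snapshot");
    #[cfg(not(windows))]
    let procs = sample_processes(); // no Toolhelp API off Windows: use the constructed sample
    show(&build_tree(&procs), 0);
}
```

On Windows the program prints the live tree; elsewhere it prints the constructed sample, in which malware.exe appears at the root instead of under chrome.exe. A self-parented entry or a cyclic ppid chain terminates instead of recursing forever, because every descent is gated on the `seen` set.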
Real-time Graphs
Per-process CPU and memory usage graphs with 60-second rolling history
String Scanning
Extract ASCII and UTF-16 strings from process memory with export capability
CSV Export
Export process, network, and service data to CSV files