Project AEGIS is a sophisticated defensive research framework designed to provide deep observability into Windows endpoint behaviors. It specializes in identifying "Unbacked Code Execution"—the primary footprint of modern fileless malware, shellcode injection, and advanced post-exploitation frameworks.
AEGIS operates on a consensus-based detection model, correlating signals from multiple low-level system sensors:
- Memory Integrity Audit: Full virtual address space walking to identify RX/RWX regions that lack a backing file on disk (Private/Mapped memory).
- Remote Stack Unwinding: Cross-process thread context capture using `DbgHelp` and `StackWalk64` to detect ROP (Return-Oriented Programming) and stack spoofing.
- Telemetry Health Monitoring: Real-time auditing of ETW (Event Tracing for Windows) providers to identify defensive "blinding" attempts.
- Intelligence Correlation: A heuristic scoring engine that weights forensic signals to provide a high-confidence "Malicious" or "Anomalous" verdict.
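The following is an added example, not code from the AEGIS repository: a portable model of how the Memory Integrity Audit classifies a region and how the correlation step weights it against a stack-unwinding signal. The `PAGE_*` and `MEM_*` constants mirror `winnt.h` so the same checks apply to a real `MEMORY_BASIC_INFORMATION`; on Windows you would fill `Region` from `VirtualQueryEx` and `GetMappedFileNameW` and take the constants from `<windows.h>` instead. The `Region`/`Finding` types, the function names, the weights and thresholds, and the sample regions, paths and return addresses are all constructed for illustration and are not AEGIS's own.

```cpp
// Added example, not AEGIS source: a portable model of the Memory Integrity Audit
// and the weighting step of the correlation engine. Constants mirror winnt.h; on
// Windows, fill Region from VirtualQueryEx + GetMappedFileNameW and replace these
// definitions with <windows.h>. Regions, addresses and weights are constructed.
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

constexpr uint32_t PAGE_READWRITE         = 0x04;   // winnt.h values
constexpr uint32_t PAGE_EXECUTE           = 0x10;
constexpr uint32_t PAGE_EXECUTE_READ      = 0x20;
constexpr uint32_t PAGE_EXECUTE_READWRITE = 0x40;
constexpr uint32_t PAGE_EXECUTE_WRITECOPY = 0x80;
constexpr uint32_t PAGE_GUARD = 0x100, PAGE_NOCACHE = 0x200, PAGE_WRITECOMBINE = 0x400; // modifier bits
constexpr uint32_t MEM_COMMIT  = 0x1000;
constexpr uint32_t MEM_PRIVATE = 0x20000;    // VirtualAlloc-style memory
constexpr uint32_t MEM_MAPPED  = 0x40000;    // section view (MapViewOfFile)
constexpr uint32_t MEM_IMAGE   = 0x1000000;  // PE mapped by the loader

struct Region {
    uint64_t    base, size;
    uint32_t    state, type, protect;
    std::string backingFile;  // what GetMappedFileNameW reports; empty if none
};
struct Finding {
    uint64_t    base;
    int         score;    // 0..100; weights are illustrative, not AEGIS's own
    std::string verdict;  // "Benign", "Anomalous" or "Malicious"
    std::string reason;
};

// PAGE_GUARD | PAGE_EXECUTE_READ is still executable: strip modifier bits, then
// compare for equality rather than testing single bits.
static uint32_t baseProtect(uint32_t p) { return p & ~(PAGE_GUARD | PAGE_NOCACHE | PAGE_WRITECOMBINE); }
bool isExecutable(uint32_t protect) {
    uint32_t p = baseProtect(protect);
    return p == PAGE_EXECUTE || p == PAGE_EXECUTE_READ ||
           p == PAGE_EXECUTE_READWRITE || p == PAGE_EXECUTE_WRITECOPY;
}
bool isWritableExecutable(uint32_t protect) {
    uint32_t p = baseProtect(protect);
    return p == PAGE_EXECUTE_READWRITE || p == PAGE_EXECUTE_WRITECOPY;
}
std::string verdictFor(int score) {
    if (score >= 70) return "Malicious";
    if (score >= 40) return "Anomalous";
    return "Benign";
}

// Memory sensor: committed, executable, and not a loader-mapped image.
// Returns 0 for anything the loader legitimately produced.
int memorySignal(const Region& r, std::string& reason) {
    if (r.state != MEM_COMMIT || !isExecutable(r.protect) || r.type == MEM_IMAGE) return 0;
    int score;
    if (r.type == MEM_PRIVATE) {
        score = 50; reason = "private executable memory";
    } else if (r.type == MEM_MAPPED && r.backingFile.empty()) {
        score = 45; reason = "pagefile-backed section view with execute protection";
    } else {
        score = 15; reason = "file-backed view with execute protection, not loader-mapped";
    }
    if (isWritableExecutable(r.protect)) { score += 15; reason += ", RWX"; }
    return score;
}

// Correlation: a captured return address inside the region turns "unusual memory
// exists" into "unbacked code is executing", so it outweighs RWX alone.
std::vector<Finding> audit(const std::vector<Region>& regions,
                           const std::vector<uint64_t>& returnAddresses) {
    std::vector<Finding> findings;
    for (const Region& r : regions) {
        std::string reason;
        int score = memorySignal(r, reason);
        if (score == 0) continue;
        for (uint64_t a : returnAddresses)
            if (a >= r.base && a < r.base + r.size) {
                score += 30; reason += ", live thread returns into region"; break;
            }
        if (score > 100) score = 100;
        findings.push_back({r.base, score, verdictFor(score), reason});
    }
    return findings;
}

// Constructed sample: what a VirtualQueryEx walk of the simulator plus one
// StackWalk64 capture might yield. Paths and addresses are made up.
std::vector<Finding> sampleAudit() {
    std::vector<Region> regions = {
        {0x00400000, 0x1000,  MEM_COMMIT, MEM_IMAGE,   PAGE_EXECUTE_READ, "C:\\lab\\MemoryAnomalySim.exe"},
        {0x7ff00000, 0x20000, MEM_COMMIT, MEM_IMAGE,   PAGE_EXECUTE_READ, "C:\\Windows\\System32\\ntdll.dll"},
        {0x20000000, 0x1000,  MEM_COMMIT, MEM_PRIVATE, PAGE_EXECUTE_READ, ""},  // NOP-filled RX region
        {0x30000000, 0x1000,  MEM_COMMIT, MEM_PRIVATE, PAGE_EXECUTE_READWRITE | PAGE_GUARD, ""},
        {0x40000000, 0x1000,  MEM_COMMIT, MEM_PRIVATE, PAGE_READWRITE, ""},     // ordinary heap
    };
    std::vector<uint64_t> returnAddresses = {0x7ff01234, 0x20000040};  // one frame lands in the RX region
    return audit(regions, returnAddresses);
}

int main() {
    for (const Finding& f : sampleAudit())
        std::printf("0x%llx score=%d %s (%s)\n", (unsigned long long)f.base, f.score,
                    f.verdict.c_str(), f.reason.c_str());
}
```

Two details matter more than the numbers: protection values must be compared after masking `PAGE_GUARD` and the other modifier bits, or a guarded RWX region slips past a `== PAGE_EXECUTE_READWRITE` test, and a `MEM_IMAGE` region is excluded by type rather than by the presence of a path, since a loader-mapped image always has one while a manually mapped file can too.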
```
Project_AEGIS/
├── src/            # Core C++ Engine (Inspectors, Analyzers, Context)
├── include/        # C++ Interface Definitions and Headers
├── simulations/    # Defensive Test Scenarios (Threat Simulator)
├── visualization/  # Python Dashboards & Memory Heatmaps
├── reports/        # Auto-generated Forensic JSON & HTML Reports
├── docs/           # Technical Research & Internal Documentation
└── research/       # Scholarship on Windows Internals & EDR Theory
```
- Visual Studio 2022 (with C++ Desktop Development)
- Windows SDK (for `DbgHelp.lib` and `Tdh.lib`)
- Python 3.9+ (for visualization)
- Admin Privileges (Required for cross-process memory inspection)
- Build the MemoryAnomalySim project to create a test target.
- Build the AegisEngine project (ensure you link `dbghelp.lib` and `tdh.lib`).
- Launch Simulation: Run `MemoryAnomalySim.exe`. It will create a safe, unbacked executable region.
- Execute Inspection: Run `AegisEngine.exe` from an elevated prompt (cross-process memory inspection needs admin privileges). AEGIS will locate the simulator and perform a full forensic audit.
- Visualize Results: `python visualization/dashboards/system_overview.py` and `python visualization/graphs/memory_visualizer.py`.
AEGIS is built for Detection Education. Every detection is accompanied by a technical explanation in the Intelligence Summary to help researchers understand why a specific memory state or thread behavior is considered a risk in Windows Internals.
This project is for defensive research only. It does not contain offensive code, evasion techniques, or malware components. Please review ETHICS.md before use.
---
### File 29: `ETHICS.md` (THE SAFETY PROTOCOL)
This file is critical for your professional reputation. It explains that the project is "Read-Only" and intended for defense, preventing any misunderstanding that this could be used maliciously.
```markdown
# Ethics and Safety Protocol - Project AEGIS
## 1. Professional Intent
Project AEGIS is developed as a **Defensive Research and Visualization Framework**. Its primary goal is to empower security researchers and students to understand the internal mechanics of Windows endpoints and how modern defensive stacks (EDR/AV) interpret system events.
## 2. The "Read-Only" Philosophy
The AEGIS engine is strictly designed to **Observe and Report**.
- It does not modify process memory.
- It does not "kill" or terminate system processes.
- It does not perform any form of code injection.
- It does not modify system registry keys or persistent settings.
## 3. Simulation Safety
The provided `simulations/` directory contains "benign anomalies." These are designed to trigger defensive sensors by creating unusual—but harmless—memory states (e.g., NOP-filled executable regions). No simulation in this framework performs network callbacks, data exfiltration, or encryption.
## 4. Usage Restrictions
Project AEGIS should only be used in:
- Isolated lab environments.
- Personal workstations for educational purposes.
- Authorized security research environments.
## 5. Liability Disclaimer
The developers of Project AEGIS are not responsible for any misuse of the information or code provided. Users are expected to comply with all local and international laws regarding cybersecurity and system auditing.
## 6. Prohibited Use Cases
- **Offensive Operations:** AEGIS is not a tool for red-teaming or exploitation.
- **Malware Development:** No code in this repository should be adapted for malicious persistence or evasion.
- **Unauthorized Auditing:** Do not use AEGIS to inspect processes on systems where you do not have explicit, written authorization.