explaingit

0xjbb/modulestomped

Analysis updated 2026-05-18

34C++Audience · developerComplexity · 4/5Setup · moderate

TLDR

A proof-of-concept Windows security tool that detects module stomping, a technique malware uses to hide inside legitimate libraries.

Mindmap

mindmap
  root((ModuleStomped))
    What it does
      Detects module stomping
      Checks pdata section
    Tech stack
      C++
      Windows
      ETW
    Use cases
      Process scanning
      Real time monitoring
    Audience
      Security researchers

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Scan all running Windows processes for signs of module stomping.

USE CASE 2

Monitor newly loaded libraries in real time using ETW mode.

USE CASE 3

Study the pdata-section technique as a way to detect memory tampering.

USE CASE 4

Use as a starting point for building a more complete anti-stomping scanner.

What is it built with?

C++WindowsETW

How does it compare?

0xjbb/modulestompeddeftruth/lite.ai.toolkitsofiafvbiub2935447/fl-product-version-25
Stars343335
LanguageC++C++C++
Last pushed2025-03-30
MaintenanceStale
Setup difficultymoderatemoderatehard
Complexity4/53/51/5
Audiencedeveloperdevelopergeneral

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · moderate Time to first run · 30min

Requires Administrator privileges and only runs on Windows.

In plain English

ModuleStomped is a proof-of-concept security tool for detecting a specific attack technique called module stomping. Module stomping is a method used by malware and offensive security tools to hide malicious code inside memory that belongs to a legitimate Windows library, making it harder for security software to spot. The detection approach this tool uses focuses on a section of each loaded library file called the pdata section, which stores data about the program's functions for error handling purposes. Unlike the main code section of a library (which attackers can overwrite with their own code), the pdata section has no reason to change during normal operation. If it has been modified, that is a sign the library has been tampered with. The author notes this is more reliable than checking the main code section because the code section is the very thing being replaced in a stomping attack. The tool runs in two modes. In process scanner mode, it scans every accessible running process on the system, checks all loaded libraries in each process, and flags any whose pdata section looks wrong. This scan takes a few seconds to complete. In ETW mode, it listens for system events that fire whenever a new library is loaded into a process, and only scans that process when a relevant library appears. ETW is a built-in Windows event tracing system. The README notes that the tool was written as a rough demonstration rather than a production-ready scanner. It also describes an obvious bypass: an attacker could avoid detection by also copying the pdata section from their injected code, which this tool does not currently account for. Administrator privileges are required to run it.

Copy-paste prompts

Prompt 1
Walk me through building and running ModuleStomped's process scanner mode on Windows.
Prompt 2
Explain why ModuleStomped checks the pdata section instead of the main code section of a library.
Prompt 3
Show me how ETW mode works in ModuleStomped and how it differs from the full process scan.
Prompt 4
Help me understand the bypass ModuleStomped's README describes and how I might fix it.

Frequently asked questions

What is modulestomped?

A proof-of-concept Windows security tool that detects module stomping, a technique malware uses to hide inside legitimate libraries.

What language is modulestomped written in?

Mainly C++. The stack also includes C++, Windows, ETW.

How hard is modulestomped to set up?

Setup difficulty is rated moderate, with roughly 30min to a first successful run.

Who is modulestomped for?

Mainly developer.

Open on GitHub → Explain another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.