Aether

Structural Scanning

Aether can detect advanced malware behaviour while reducing the number of false positives. It is built around a unique detection-confidence module that recognises a wide range of malware behaviours:

  • APC code injection
  • Thread hijacking and Start address spoofing
  • Module Stomping
  • Process Hollowing
  • Shellcode patterns based on entropies
  • XOR PE encryption

Aether layers five filters on top of the raw working-set signal, so a finding needs several independent, agreeing indicators before it passes false-positive filtering and is reported:

| Layer | Filter | Purpose |
| --- | --- | --- |
| L1 | Structural | Only executable IMAGE sub-regions are considered (eliminates .data / .rdata COW noise) |
| L2 | Quantitative | Grade by private_pages count and private_ratio (low / medium / high) |
| L3 | Corroboration | Promote only if an independent signal agrees on the same allocation base — signature hit, missing_peb_entry, private_rwx, hook prologue, or on-disk diff |
| L4 | CLR-aware | Per-module suppression for ngen / R2R / tiered-JIT targets (`*.ni.dll`, `mscor*`, `clr*`, `coreclr`, `system.private.corelib*`) instead of blanket-skipping when the CLR is loaded |
| L5 | On-disk diff | Map the module file with CreateFileMappingW(SEC_IMAGE_NO_EXECUTE); compare the first 16 bytes of each private executable page against the same RVA on disk. Any divergence is a real-modification IOC |

Other structural checks:

  • PEB module cross-reference : MEM_IMAGE allocations that are not in the PEB module list (DLL hollowing / module stomping)
  • Working-set scan : modified-code page detection via K32QueryWorkingSetEx, batched with one syscall per region instead of one per 4 KB page (≈ 50-100× faster than the naïve loop)
  • Private RWX detection : flags MEM_PRIVATE + PAGE_EXECUTE_* allocations (shellcode, JIT spray, dynamic code stub allocations); on its own this check is prone to false positives
  • Hook-prologue probe — reads the first 16 bytes of each private code page and matches classic x86/x64 trampolines:
    • E9 ?? ?? ?? ?? — JMP rel32
    • FF 25 ?? ?? ?? ?? — JMP [rip+disp32]
    • 68 ?? ?? ?? ?? C3 — PUSH imm32 ; RET
    • 48 B8 ?? ?? ?? ?? ?? ?? ?? ?? FF E0 — MOV RAX, imm64 ; JMP RAX
    • 49 BB ?? ?? ?? ?? ?? ?? ?? ?? 41 FF E3 — Detours-style MOV R11, imm64 ; JMP R11
  • CLR detection — section-object probe for Cor_Private_IPCBlock_v4_<PID> and the v2 Cor_Private_IPCBlock_<PID> (legacy .NET 2/3 / mscorwks), so noisy app-pools running old runtimes are not misclassified
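The hook-prologue probe described above, as an added example that is not part of Aether's code: a C matcher for the five listed trampoline signatures, with each `??` expressed as a zero mask byte, run over constructed 16-byte page heads (the sample bytes are made up, not captured from a real process).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PROBE_LEN 16  /* the probe reads the first 16 bytes of each private code page */

/* One trampoline signature: fixed opcode bytes plus a mask; a 0x00 mask byte is a "??" wildcard. */
typedef struct {
    const char *name;
    size_t len;
    uint8_t bytes[PROBE_LEN];
    uint8_t mask[PROBE_LEN];
} hook_sig_t;

static const hook_sig_t HOOK_SIGS[] = {
    { "JMP rel32",                 5, {0xE9}, {0xFF} },
    { "JMP [rip+disp32]",          6, {0xFF,0x25}, {0xFF,0xFF} },
    { "PUSH imm32 ; RET",          6, {0x68,0,0,0,0,0xC3}, {0xFF,0,0,0,0,0xFF} },
    { "MOV RAX, imm64 ; JMP RAX", 12, {0x48,0xB8,0,0,0,0,0,0,0,0,0xFF,0xE0}, {0xFF,0xFF,0,0,0,0,0,0,0,0,0xFF,0xFF} },
    { "MOV R11, imm64 ; JMP R11", 13, {0x49,0xBB,0,0,0,0,0,0,0,0,0x41,0xFF,0xE3}, {0xFF,0xFF,0,0,0,0,0,0,0,0,0xFF,0xFF,0xFF} },
};

/* Returns the matched trampoline name, or NULL when the page head looks like ordinary code. */
const char *match_hook_prologue(const uint8_t *head, size_t n)
{
    for (size_t s = 0; s < sizeof HOOK_SIGS / sizeof HOOK_SIGS[0]; s++) {
        const hook_sig_t *sig = &HOOK_SIGS[s];
        if (n < sig->len) continue;  /* too few bytes captured to decide */
        size_t i = 0;
        while (i < sig->len && (head[i] & sig->mask[i]) == sig->bytes[i]) i++;
        if (i == sig->len) return sig->name;
    }
    return NULL;
}

/* Constructed sample page heads (not captured from a real process). */
static const uint8_t SAMPLE_DETOURS[PROBE_LEN] = {  /* MOV R11, imm64 ; JMP R11 ; INT3 padding */
    0x49, 0xBB, 0x00, 0x10, 0x40, 0x7F, 0xF6, 0x7F, 0x00, 0x00, 0x41, 0xFF, 0xE3, 0xCC, 0xCC, 0xCC };
static const uint8_t SAMPLE_BENIGN[PROBE_LEN] = {   /* ordinary x64 prologue: mov [rsp+8],rbx ; push rdi ... */
    0x48, 0x89, 0x5C, 0x24, 0x08, 0x57, 0x48, 0x83, 0xEC, 0x20, 0x48, 0x8B, 0xF9, 0x48, 0x8B, 0xDA };

int main(void)
{
    const char *hit = match_hook_prologue(SAMPLE_DETOURS, PROBE_LEN);
    printf("detours sample: %s\n", hit ? hit : "clean");
    hit = match_hook_prologue(SAMPLE_BENIGN, PROBE_LEN);
    printf("benign sample:  %s\n", hit ? hit : "clean");
    return 0;
}
```

A real probe would feed `match_hook_prologue` the 16 bytes read from every private executable page; a hit is only one corroborating signal and still has to agree with another indicator on the same allocation base.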
