memory-forensics-evasion
Fail
Audited by Snyk on Apr 22, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 1.00). The content explicitly documents and instructs on multiple anti-forensics and evasion techniques (DKOM/pool‑tag manipulation, VAD modification, module stomping/phantom DLL hollowing, sleep‑mask memory encryption, stack spoofing, anti‑dump/LSASS evasion, direct syscalls and C2 concealment) that are clearly designed to enable stealthy backdoors, credential theft, and data exfiltration.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 1.00). It includes explicit privileged operations (e.g., "sudo insmod lime...") and detailed red‑team instructions (module stomping, changing memory protections RW→RX, unmapping/zeroing memory, LSASS dump evasion, direct syscalls) that direct the agent to modify kernel/process memory and other system state, which clearly pushes to compromise the host.
Issues (2)
E006
CRITICAL: Malicious code pattern detected in skill scripts.
W013
MEDIUM: Attempt to modify system services in skill instructions.
Audit Metadata