Get-InjectedThreadEx.exe scans all running threads looking for suspicious Win32StartAddresses.
Win32Startaddress anomalies include -
- not MEM_IMAGE
- non-MEM_IMAGE return address within the first 5 stack frames
- MEM_IMAGE and on a private (modified) page
- MEM_IMAGE and x64 dll and not a valid indirect call target
- MEM_IMAGE and unexpected Win32 dll
- MEM_IMAGE and x64 and unexpected prolog
- MEM_IMAGE and preceded by unexpected bytes
See my BSides Canberra 2023 talk and Elastic Security Labs blog for more details.