The memory walk check was broken because it assumed that memory regions would be executable. It also started at the wrong address - AllocationBase is the start of the allocator region, whereas BaseAddress is the actual start of the region. This has now been fixed.
This commit also adds a new check, which scans for memory structures that the .NET runtime creates to track loaded modules. This should catch injected modules even if they're dynamically loaded from memory.
The memory walk check was broken because it assumed that memory regions would be executable. It also started at the wrong address - AllocationBase is the start of the allocator region, whereas BaseAddress is the actual start of the region. This has now been fixed.
This commit also adds a new check, which scans for memory structures that the .NET runtime creates to track loaded modules. This should catch injected modules even if they're dynamically loaded from memory.
This fixes #234 and #237.