A proactive anti-malware solution with memory forensics, which is specifically designed for malware analysts who performs manual dynamic analysis, comes with a kernel driver (written in C/C++) that protects the system in real time similarly to End Point Protection (EPP) solutions.

The author of the article has a simple but one could say, the most effective solution to the entire malware problem, including their worst versions, namely ransomwares, which prevents their operation at the kernel level before any damage can occur.

Real-time kernel-level features:

  • Identifies whether the PE file (EXE, DLL or a kernel driver) has a digital signature or not
  • Block any process from loading a DLL without a digital signature
  • Detects whether a newly launched process is digitally signed and, depending on the settings, prevents this process from starting if it is not
  • Zero day protection
  • BYOVD protection (detects admin to kernel transition that is used in kernel mode malwares)

* * * The majority of ransomware is not digitally signed for obvious reasons.

Therefore, the aforementioned features are easily the most important because the solution can detect and prevent ransomware activity in real time before it causes any damage. This solution employs a simple yet effective novel approach to a problem that is missing from almost all of the current competing solutions as of 06/2024.

  • Detects a previously unknown malware, and in a certain situations including those operating in the kernel memory
  • Self-integrity checks that detects if the malware attempted to disable the protection at the user or kernel level. Proactivity in this context means that the solution responds to this in real-time according to predefined measures
  • Secure IOCTL communication (The exploitation mentioned in the article is not possible with this protection)

Depending on the settings, the solution either reduces the attack surface or completely prevents the operation of the malware in most situations.

For instance, the solution is able to detect and block the operation of LockBit 3.0 ramsomware and all it's variants in real-time without the need to define a predefined pattern.

In other words the Keuda.fi case would have been detected and prevented with this protection in real time.

* * * The author will provide soon a video presentation with a real-life example where the operation of notorious ransomware is prevented in real time without the need to remediate anything.

If the running user-level process is protected even a little with the kernel's built-in features, then in practice before the malware can do anything, the user must run the malicious code with an administrator user rights. If the malware runs as the current user, it can only inject itself to a process with the same privilige.

The user interface (UI) has been coded with .NET 8.0 so that the project would be easier to customize and be more easily modifiable for the buyers of the source code.

HEX DEREF ANTI-MALWARE works alongside your other security software, such as Windows Defender or any other.

Availability of the source code

Malware analysts are as good as the softwares they use. The source code is available for purchase as a software work non-exclusively without resale rights for internal use within a company.

For instance, if an educational institution wants to independently start developing a version that suits their purposes right away. As a result, the further development of the solution may no longer necessarily depend on the original developer.

The source code has many kernel-level anti-cheat features because they work pretty much the same way as an anti-malware solutions. Therefore, a product derived from the source code could, for example, be sold to foreign gaming companies who do not have proper kernel-level protection developed. With this source code, you can almost immediately reach the same level as what the best competing products on the market offer if the user interface (UI) is not counted.

Despite all the efforts (as of 06/2024, 2.5+ years of constant development by the author), the solution is a work in progress (WiP).


A ransomware that uses a zero-day vulnerability begins ruthlessly encrypting files and destroying backups immediately, as happened in the case of Keuda. There is no other option but to stop the ransomware's operation in real-time, and a mere antivirus (AV) is no longer necessarily sufficient.

Proactivity means that the solution can automatically perform a predefined action, for example, take a physical memory dump and upload it to a remote server for further analysis.


I am self taught coder (a total of 14 years of coding experience as of 06/2024 in PHP/C#/C/C++). I am also a hobbyist windows internals researcher and reverse engineer. My motto is. If I need to get something done. I will just do it and I am usually very good at what I do.