Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

Would it be beneficial for me to implement looking for pages that are executable but not backed by any files on disk or do we already have something like this? Example, let’s say a process is backed by notepad.exe, and it has an address in memory starting with MZ... but that address isn’t backed by any dll on disk, i.e., it’s not kernel32, user32.dll, etc. loaded from disk.

Definitely sounds interesting; would this be accomplished as an extra column within, say, the `processes` table?

Might be better as a join with processes since a single process would have many. Want to minimize performance hit for * query if we add to processes.

I can say that it will be definitely interesting to have it. Mind that a lot of hit will be related to anti malware using this type of injection. But for sure you will be able to catch some malware as well. I can say meterpreter and cobaltstrike use this kind of injection as well. 

Yeah, pretty much the only three types of programs that would do this are: antivirus, malware, or JIT’d code.