A lightweight EDR (Endpoint Detection and Response) agent written in C++, designed to monitor Windows processes in real time. The program detects new processes, analyzes their metadata, and automatically terminates unauthorized applications.
- Process Monitoring: Captures system snapshots every 500ms using the Toolhelp32 API to detect new PIDs.
- Metadata Collection: For every new process, the agent retrieves the full executable path and the Parent Process ID (PPID).
- Path Heuristics: Verifies that critical system binaries (e.g., `svchost.exe`, `lsass.exe`) are executing from the correct `System32` directory. Mismatches are flagged as suspicious.
- Active Response (Kill-switch): Automatically terminates processes found on a hardcoded blacklist (e.g., `powershell.exe`).
- Forensic Logging: Writes events to `incident_log.txt` with severity levels:
  - INFO: Standard process execution telemetry.
  - WARN: Suspicious file location detected.
  - CRITICAL: Blacklisted process detected and terminated.
- Language: C++17
- Platform: Windows API (Win32)
- Libraries: `TlHelp32.h`, `Windows.h`, `chrono` (for high-resolution timestamps).
- Initialization: On startup, the agent builds an in-memory map of currently running processes to establish a baseline and avoid alerting on existing safe processes.
- Detection Loop: The program continuously takes system snapshots to identify new PIDs.
- Security Pipeline:
  - Attempts to open the process with `PROCESS_QUERY_LIMITED_INFORMATION` rights.
  - Resolves the absolute path of the binary on disk.
  - Cross-references the process name against the blacklist and trusted path map.
- Audit: Every action is committed to a local log file with precise timestamps.
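The policy step of the security pipeline (path heuristic, blacklist, severity) together with the detection loop's baseline-versus-snapshot diff and the log-line format, as an added C++17 example that is not the project's own code. `kTrustedDirs`, `kBlacklist`, `evaluate`, `findNewPids` and `formatLogLine` are names assumed here, and the PIDs, PPIDs and image paths are constructed samples. The Toolhelp32 snapshot and `OpenProcess` calls are left out so the block compiles on any platform; on Windows they would populate the `snapshot` set and the `meta` map.

```cpp
#include <algorithm>
#include <cctype>
#include <chrono>
#include <ctime>
#include <iomanip>
#include <iostream>
#include <iterator>
#include <map>
#include <set>
#include <sstream>
#include <string>

// Severity levels as used in incident_log.txt.
enum class Severity { Info, Warn, Critical };

const char* severityName(Severity s) {
    switch (s) {
        case Severity::Warn: return "WARN";
        case Severity::Critical: return "CRITICAL";
        default: return "INFO";
    }
}

// Hypothetical policy tables: the agent's real blacklist and trusted-path map are not on the page.
// Directories are stored lowercase with backslashes, the form normalizePath() produces.
const std::map<std::string, std::string> kTrustedDirs = {
    {"svchost.exe", "c:\\windows\\system32"},
    {"lsass.exe",   "c:\\windows\\system32"},
};
const std::set<std::string> kBlacklist = {"powershell.exe"};

// Lowercase the path and unify separators so that case or slash differences
// cannot slip past a plain string comparison.
std::string normalizePath(const std::string& path) {
    std::string out;
    out.reserve(path.size());
    for (unsigned char c : path)
        out.push_back(c == '/' ? '\\' : static_cast<char>(std::tolower(c)));
    return out;
}

// Split "c:\\dir\\file.exe" into {directory, file name}.
std::pair<std::string, std::string> splitPath(const std::string& norm) {
    auto pos = norm.find_last_of('\\');
    if (pos == std::string::npos) return {"", norm};
    return {norm.substr(0, pos), norm.substr(pos + 1)};
}

struct Verdict {
    Severity severity;
    bool terminate;      // true when the kill-switch should fire
    std::string reason;
};

// Pipeline step 3: cross-reference image name and location against policy.
Verdict evaluate(const std::string& imagePath) {
    auto [dir, name] = splitPath(normalizePath(imagePath));
    if (kBlacklist.count(name))
        return {Severity::Critical, true, "blacklisted process"};
    auto it = kTrustedDirs.find(name);
    if (it != kTrustedDirs.end() && dir != it->second)
        return {Severity::Warn, false, "critical binary outside trusted directory"};
    return {Severity::Info, false, "new process"};
}

// Detection loop step: PIDs present in the latest snapshot but absent from the baseline.
std::set<unsigned long> findNewPids(const std::set<unsigned long>& baseline,
                                    const std::set<unsigned long>& snapshot) {
    std::set<unsigned long> fresh;
    std::set_difference(snapshot.begin(), snapshot.end(),
                        baseline.begin(), baseline.end(),
                        std::inserter(fresh, fresh.begin()));
    return fresh;
}

// Audit line with a millisecond UTC timestamp, in the spirit of incident_log.txt.
std::string formatLogLine(std::chrono::system_clock::time_point ts, unsigned long pid,
                          unsigned long ppid, const std::string& imagePath, const Verdict& v) {
    using namespace std::chrono;
    std::time_t secs = system_clock::to_time_t(ts);
    long long ms = duration_cast<milliseconds>(ts.time_since_epoch()).count() % 1000;
    std::tm tm = *std::gmtime(&secs);
    std::ostringstream out;
    out << std::put_time(&tm, "%Y-%m-%dT%H:%M:%S") << '.'
        << std::setw(3) << std::setfill('0') << ms << "Z ["
        << severityName(v.severity) << "] pid=" << pid << " ppid=" << ppid
        << " image=\"" << imagePath << "\" " << v.reason
        << (v.terminate ? " action=terminated" : "");
    return out.str();
}

int main() {
    // Constructed sample: a baseline of three PIDs and a snapshot with two newcomers.
    std::set<unsigned long> baseline = {4, 612, 1024};
    std::set<unsigned long> snapshot = {4, 612, 1024, 2048, 3096};
    std::map<unsigned long, std::pair<unsigned long, std::string>> meta = {
        {2048, {612, "C:\\Users\\Public\\svchost.exe"}},
        {3096, {1024, "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}},
    };
    for (unsigned long pid : findNewPids(baseline, snapshot)) {
        const auto& [ppid, image] = meta[pid];
        std::cout << formatLogLine(std::chrono::system_clock::now(), pid, ppid, image,
                                   evaluate(image)) << '\n';
    }
    return 0;
}
```

Two limits of this policy model are worth keeping in mind when tuning it. Matching on the file name alone means a renamed copy of a blacklisted binary produces only an INFO line, so a hash or Authenticode check is the natural next layer. The single trusted directory per name is also too strict on 64-bit Windows, where some system binaries (svchost.exe among them) legitimately run from `SysWOW64` as well, so a production table needs both entries to avoid false WARN events. Finally, because PIDs are reused, a process that starts and exits between two 500ms polls is never seen by a snapshot diff, which is part of the motivation for the ETW or kernel notify-routine approach listed under future work.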
- Move from user-mode polling (Sleep/Snapshots) to Event Tracing for Windows (ETW) or a Kernel-mode notify routine for better performance and stealth.
- Implement DLL Injection detection via remote thread monitoring.
- Add Registry monitoring for common persistence mechanisms (Run keys).