https://github.com/0xbitx/dedsec_proc-hacker
Linux based process analyzer for hackers.
- Host: GitHub
- URL: https://github.com/0xbitx/dedsec_proc-hacker
- Owner: 0xbitx
- License: mit
- Created: 2024-07-30T17:14:22.000Z (almost 2 years ago)
- Default Branch: main
- Last Pushed: 2026-02-21T05:19:16.000Z (4 months ago)
- Last Synced: 2026-02-21T12:26:58.319Z (4 months ago)
- Topics: analyzer, backdoor, kalilinux, linux, linux-shell, malware, malware-analysis, process
- Size: 50.1 MB
- Stars: 3
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# PROC-HACKER
Linux based process analyzer for hackers.
### DESCRIPTION
PROC-HACKER is a comprehensive Linux-based command-line tool designed to provide deep insights into system processes, security threats, and file system activities. It combines process analysis, malware detection, and real-time file monitoring into a single powerful utility specifically engineered for threat hunting and incident response operations.
## Key Capabilities
* **Process Analysis**: Detailed view of running processes with hierarchical tree display
* **Security Monitoring**: Detect malicious activities and suspicious behavior
* **Forensic Evidence**: Capture and analyze process snapshots for investigation
* **File Integrity**: Monitor file changes, creations, and deletions in real-time
* **Malware Detection**: Hash-based malware checking against known threat databases
### FEATURES
## 1. Process Analysis
* Hierarchical tree view of processes showing parent-child relationships
Comprehensive process details including:
* CPU and memory usage
* Open files with metadata (size, timestamps, checksums)
* Network connections (local/remote IPs, ports, connection types)
* Thread information and current working directory
* Process ownership and command-line arguments
## 2. Monitoring Modes
### Snapshot Mode
* Capture a one-time snapshot of any process
* View complete process state including all open files and connections
* Ideal for quick investigations and spot checks
### Realtime Mode
* Continuously monitor processes at user-defined intervals
* Adjustable delay (seconds or milliseconds)
* Option to record all snapshots for later analysis
* Real-time tracking of process behavior changes
### Sniper Mode
* Launch and monitor any command in a dedicated terminal
* Automatically track the spawned process
* Perfect for analyzing suspicious executables in isolation
## 3. Evidence Management System
* Automatic Recording: Capture multiple snapshots during monitoring sessions
* Structured Storage: Save evidence in JSON and human-readable TXT formats
* Evidence Viewer: Browse and analyze historical data
* Smart Filtering: Filter snapshots to separate periods of process activity from idle periods
* Network Analysis: Categorize connections as internal/external/local
* File Tracking: Monitor file access patterns and changes over time
## 4. File Catcher - Real-time File Monitor
Monitor file system activities with precision:
* Track file creation, modification, and deletion
* Monitor single files, multiple files from list, or entire directories
* Automatic content capture when changes occur
* File metadata preservation (permissions, ownership, timestamps)
* SHA256 hash calculation for integrity verification
* Intelligent filename handling with path preservation
## 5. Malware Detection
* Hash-based Checking: Compare file hashes against known malware database
* VirusTotal Integration: Direct links to VirusTotal for confirmed malware
* SHA256 Validation: Ensures hash format correctness
* Quick Scanning: Instant malware status reporting
These monitoring options provide flexibility in how users can track and analyze process activities, making PROC-HACKER a versatile tool for both immediate and ongoing process investigation.
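The internal/external/local categorisation of connections described under Evidence Management works on the same data Linux exposes in `/proc/net/tcp`, where addresses and ports are hex-encoded in host byte order. The following is an added example, not code from PROC-HACKER itself: it decodes those endpoints, names the TCP state and labels each peer by scope; the `/proc/net/tcp` table is constructed (its addresses mirror the sample output below) and the decoding assumes a little-endian host.

```python
import ipaddress

# Linux TCP state codes as they appear in the "st" column of /proc/net/tcp.
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

# Constructed sample of /proc/net/tcp (not captured from a real host; trailing
# columns omitted). Addresses are host-endian hex; a little-endian host is assumed.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 2401A8C0:9BF2 0101A8C0:0017 02 00000000:00000000 00:00000000 00000000  1000        0 12345 1
   1: 2401A8C0:7BEE 5DF3CF22:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12346 1
   2: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12347 1
"""


def decode_endpoint(field):
    """Turn 'HEXADDR:HEXPORT' into (IPv4Address, port); the address is little-endian."""
    addr_hex, port_hex = field.split(":")
    addr = ipaddress.IPv4Address(int.from_bytes(bytes.fromhex(addr_hex), "little"))
    return addr, int(port_hex, 16)


def classify(addr):
    """local = this host only; internal = RFC 1918 / link-local; external = everything else."""
    if addr.is_loopback or addr.is_unspecified:   # check first: 0.0.0.0 also counts as private
        return "local"
    if addr.is_private:
        return "internal"
    return "external"


def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp text into connection records with a scope label for the peer."""
    records = []
    for line in text.splitlines()[1:]:            # skip the header row
        cols = line.split()
        if len(cols) < 4:
            continue
        laddr, lport = decode_endpoint(cols[1])
        raddr, rport = decode_endpoint(cols[2])
        records.append({
            "local": f"{laddr}:{lport}",
            "remote": f"{raddr}:{rport}",
            "status": TCP_STATES.get(cols[3], "UNKNOWN"),
            "scope": classify(raddr),
        })
    return records
```

On a live system the same function can be fed `open("/proc/net/tcp").read()`; an "external" peer on a process that should only talk to the LAN is the kind of record worth keeping in a snapshot.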
### Feature List
**Process Information**
* Process Name: The name of the process.
* PID: The Process ID.
* Parent ID: The Parent Process ID.
* Command: The command line used to start the process.
* Executable Path: The path to the executable file of the process.
* User: The username of the process owner.
* CPU Times: The amount of time the process has spent in user and system mode.
* Memory Info: Resident Set Size (RSS) and Virtual Memory Size (VMS).
* Start Time: The time when the process started.
* Current Working Directory: The current working directory of the process.

**Open Files**
* File Path: The path of the open file.
* File Descriptor (System Reference Number): The file descriptor used by the system to reference the open file.
* File Type: The type of the file (e.g., Python script, ELF binary, text file).
* File Size: The size of the file in bytes.
* Creation Time: The time when the file was created.
* Modification Time: The time when the file was last modified.
* Access Time: The time when the file was last accessed.
* MD5 Checksum: The MD5 checksum of the file's contents.

**Network Connections**
* Local Address: The local IP address and port.
* Remote Address: The remote IP address and port.
* Status: The status of the connection (e.g., ESTABLISHED, LISTEN).

**Child Processes**
* Process Name: The name of the child process.
* PID: The Process ID of the child process.
* Parent ID: The Parent Process ID (should be the PID of the parent process).
* Command: The command line used to start the child process.
* Executable Path: The path to the executable file of the child process.
* User: The username of the child process owner.
* CPU Times: The amount of time the child process has spent in user and system mode.
* Memory Info: Resident Set Size (RSS) and Virtual Memory Size (VMS) of the child process.
* Start Time: The time when the child process started.
* Current Working Directory: The current working directory of the child process.

**Process Search**
* By PID: Allows searching for a process using its Process ID.
* By Name: Allows searching for processes by their name.

**User Interface**
* Color Coding: Uses color coding to distinguish different types of information (e.g., process details, file details, network details).
* Hierarchical Display: Indents child processes under their parent process, creating a tree-like structure.
### SAMPLE OUTPUT
```text
[●] Process Name: konsole PID: 93256
├─ Parent ID: 58841
├─ Command: /usr/bin/konsole --workdir /home/dedsec/Desktop/
├─ Executable: /usr/bin/konsole
├─ User: dedsec
├─ CPU Times: User Time: 5.67, System Time: 0.77
├─ Memory Info: RSS: 162873344, VMS: 1486295040
├─ Start Time: Wed Jul 31 00:26:07 2024
└─ Current Working Directory: /home/dedsec/Desktop/
[●] Open Files:
├─ File Path: /home/dedsec/.local/share/mime/mime.cache
│ ├─ File Descriptor (System Reference Number): 23
│ ├─ File Type: application/octet-stream
│ ├─ File Size: 123456 bytes
│ ├─ Creation Time: Wed Jul 31 00:26:07 2024
│ ├─ Modification Time: Wed Jul 31 00:26:07 2024
│ └─ Access Time: Wed Jul 31 00:26:07 2024
├─ File Path: /var/lib/flatpak/exports/share/mime/mime.cache
│ ├─ File Descriptor (System Reference Number): 24
│ ├─ File Type: application/octet-stream
│ ├─ File Size: 123456 bytes
│ ├─ Creation Time: Wed Jul 31 00:26:07 2024
│ ├─ Modification Time: Wed Jul 31 00:26:07 2024
│ └─ Access Time: Wed Jul 31 00:26:07 2024
[●] Network Connections:
└─ Local Address: 192.168.1.36 PORT: 39922 - Remote Address: 192.168.1.1 PORT: 23 - Status: SYN_SENT
[●] Child Processes:
└─ Process Name: zsh PID: 93272
├─ Parent ID: 93256
├─ Command: /usr/bin/zsh
├─ Executable: /usr/bin/zsh
├─ User: dedsec
├─ CPU Times: User Time: 0.13, System Time: 0.09
├─ Memory Info: RSS: 8085504, VMS: 9871360
├─ Start Time: Wed Jul 31 00:26:07 2024
└─ Current Working Directory: /home/dedsec/Desktop/
[●] Open Files:
├─ File Path: /usr/share/zsh/functions/Completion.zwc
│ ├─ File Descriptor (System Reference Number): 13
│ ├─ File Type: application/octet-stream
│ ├─ File Size: 123456 bytes
│ ├─ Creation Time: Wed Jul 31 00:26:07 2024
│ ├─ Modification Time: Wed Jul 31 00:26:07 2024
│ └─ Access Time: Wed Jul 31 00:26:07 2024
[●] Network Connections:
└─ No Network Connection found
[●] Child Processes:
└─ Process Name: code1.py PID: 94076
├─ Parent ID: 93272
├─ Command: /bin/python3 ./code1.py
├─ Executable: /usr/bin/python3.11
├─ User: dedsec
├─ CPU Times: User Time: 0.05, System Time: 0.07
├─ Memory Info: RSS: 14934016, VMS: 19804160
├─ Start Time: Wed Jul 31 00:37:02 2024
└─ Current Working Directory: /home/dedsec/Desktop/
[●] Open Files:
└─ No open files found
[●] Network Connections:
└─ Local Address: 192.168.1.36 PORT: 31726 - Remote Address: 34.207.243.93 PORT: 443 - Status: ESTABLISHED
└─ Local Address: 192.168.1.36 PORT: 43546 - Remote Address: 140.12.113.25 PORT: 443 - Status: ESTABLISHED
└─ Local Address: 192.168.1.36 PORT: 43298 - Remote Address: 34.127.148.161 PORT: 443 - Status: ESTABLISHED
└─ Local Address: 192.168.1.36 PORT: 33156 - Remote Address: 34.117.223.93 PORT: 443 - Status: ESTABLISHED
```
## INSTALLATION
```bash
git clone https://github.com/0xbitx/DEDSEC_PROC-HACKER.git
cd DEDSEC_PROC-HACKER
sudo pip3 install psutil tabulate bcc
sudo apt install bpfcc-tools libbpfcc-dev python3-bpfcc
chmod +x dedsec_proc-hacker
sudo ./dedsec_proc-hacker
```
### TESTED ON THE FOLLOWING
* Kali Linux
* Parrot OS
* Ubuntu
## Support
If you find my work helpful and want to support me, consider making a donation. Your contribution will help me continue working on open-source projects.
**Bitcoin Address: `36ALguYpTgFF3RztL4h2uFb3cRMzQALAcm`**
### DISCLAIMER
I'm not responsible for anything you do with this program, so please only use it for good and educational purposes.