A lightweight CLI tool written in C++ using the Windows API that monitors running processes in real-time and flags suspicious behavior using heuristic analysis.
- Real-time process monitoring via
CreateToolhelp32Snapshot - Heuristic-based suspicion detection:
- Processes running from
AppData,Temp,Downloads, etc. - Orphan processes (parent PID doesn't exist)
- Double file extensions (e.g.,
invoice.pdf.exe) - System process name impersonation (e.g.,
svchost.exefrom wrong path) - Suspicious process name patterns
- Processes running from
- New process / terminated process detection (delta analysis)
- Timestamped logging to file and console with color-coded output
- Efficient polling with configurable intervals (<1% CPU overhead)
- Graceful shutdown with Ctrl+C signal handling
- Windows 10/11
- CMake 3.15+
- MSVC (Visual Studio 2019+) or MinGW-w64
mkdir build
cd build
cmake ..
cmake --build . --config Release# Default (2-second polling interval)
./bin/Sentinell.exe
# Custom interval (500ms)
./bin/Sentinell.exe --interval 500
# Show all process activity
./bin/Sentinell.exe --log-all
# Help
./bin/Sentinell.exe --help┌─────────────┐ ┌──���───────────────┐ ┌──────────────────┐
│ main.cpp │────▶│ SentinellEngine │────▶│ ProcessSnapshot │
│ (CLI/Args) │ │ (Polling Loop) │ │ (WinAPI Enum) │
└─────────────┘ └────────┬─────────┘ └──────────────────┘
│
┌────────▼─────────┐ ┌──────────────────┐
│ ProcessAnalyzer │ │ Logger │
│ (Heuristics) │ │ (File + Console) │
└──────────────────┘ └──────────────────┘
| # | Heuristic | Why It Matters |
|---|---|---|
| 1 | Suspicious path | Malware often runs from %TEMP%, %APPDATA% |
| 2 | Orphan process | No parent = possibly injected or detached |
| 3 | Suspicious name | Known malware tool names |
| 4 | Double extension | Social engineering trick (file.pdf.exe) |
| 5 | System impersonation | svchost.exe from Desktop = red flag |
- Language: C++17
- APIs: Windows API (
TlHelp32,Psapi,Kernel32) - Build: CMake
- No external dependencies — pure Win32
MIT