# Heuristic Process Scanner for Windows
ProcHunt enumerates processes, parses PEB → RTL_USER_PROCESS_PARAMETERS to extract ImagePathName, CommandLine, CurrentDirectory, WindowTitle, DesktopInfo, ShellInfo, RuntimeData, etc., verifies code signing via WinVerifyTrust, and computes a suspicion score using path/CWD anomalies, LOLBins, masquerading, and simple obfuscation checks.
Works fully in user mode and supports cross-bitness (WOW64) targets. Requires appropriate rights (ideally Admin, for SeDebugPrivilege). PPL/Protected processes may be unreadable.
## Features

- PEB/ProcessParameters parsing: ImagePathName, CommandLine, CurrentDirectory, WindowTitle, DesktopInfo, ShellInfo, RuntimeData.
- Cross-bitness read (x64 host → x86 targets via the WOW64 view).
- Code-signing check (WinVerifyTrust); extracts publisher and thumbprint.
- Heuristics engine with a 0–100 score and human-readable reasons.
- Whitelists: publisher and path.
- Text or JSON output; threshold filtering.
- Zero drivers; single binary.
## Heuristics

- Image path in a user-writable location / Temp / Downloads / UNC / Web.
- CWD anomalies (Temp/UNC; CWD ≠ image directory; non-system binary with a System32 CWD).
- LOLBins and suspicious flags (powershell -enc, wscript/cscript, mshta, regsvr32 /i:http, rundll32, certutil, bitsadmin, curl/wget, schtasks /create, etc.).
- Masquerading (system process names outside system folders; digit/letter look-alikes).
- Obfuscation hints (long base64 tokens, very long command lines).
- Code signing: a trusted signature lowers the score when the publisher/path is whitelisted; an invalid or missing signature increases it.
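As an added illustration (not ProcHunt's own code), the following Python sketch shows how the heuristics above can combine into a 0–100 score with reasons. The weights, name lists and the two sample records are assumptions constructed for this example; the record shape follows the JSON output documented further down.

```python
import base64, re
from pathlib import PureWindowsPath

# Illustrative weights/lists (assumptions; ProcHunt's real values are not documented here).
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")
WRITABLE_DIRS = ("\\temp\\", "\\downloads\\", "\\users\\public\\")
LOLBINS = {"mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe"}
LOLBIN_FLAGS = (("powershell", "-enc"), ("regsvr32", "/i:http"), ("schtasks", "/create"))
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe", "winlogon.exe"}
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # "long base64 token" obfuscation hint

def score_process(rec, pub_whitelist=(), path_whitelist=()):
    """Score one record shaped like a ProcHunt JSON entry; returns (score 0-100, reasons)."""
    score, reasons = 0, []
    image, cmd = rec["imagePath"].lower(), rec.get("commandLine", "")
    cwd = rec.get("currentDirectory", "").lower().rstrip("\\")
    name, img_dir = PureWindowsPath(image).name, str(PureWindowsPath(image).parent).rstrip("\\")
    low = cmd.lower()
    fixed = name.translate(str.maketrans("01", "ol"))  # undo digit/letter look-alikes (0->o, 1->l)
    sig = rec.get("signature", {})
    whitelisted = sig.get("publisher") in pub_whitelist or image.startswith(tuple(p.lower() for p in path_whitelist))
    checks = [  # (condition, points, human-readable reason)
        (any(d in image for d in WRITABLE_DIRS) or image.startswith(("\\\\", "http")), 30, "Image path in user-writable/UNC/Web location"),
        (cwd.startswith("\\\\") or "\\temp" in cwd, 15, "CWD in Temp/UNC"),
        (bool(cwd) and cwd != img_dir, 5, "CWD differs from image directory"),
        (cwd in SYSTEM_DIRS and not img_dir.startswith(SYSTEM_DIRS), 15, "Non-system binary with System32 CWD"),
        (name in LOLBINS or any(b in low and f in low for b, f in LOLBIN_FLAGS), 25, "LOLBin/suspicious command line"),
        (name in SYSTEM_NAMES and not img_dir.startswith(SYSTEM_DIRS), 30, "System process name outside system folders"),
        (fixed != name and fixed in SYSTEM_NAMES, 30, "Digit/letter look-alike of a system process name"),
        (bool(B64_TOKEN.search(cmd)) or len(cmd) > 1000, 20, "Obfuscated/encoded command line"),
        (bool(sig.get("trusted")) and whitelisted, -20, "Trusted signature from whitelisted publisher/path"),
        (not sig.get("trusted"), 15, "Unsigned or invalid signature"),
    ]
    for cond, points, why in checks:
        if cond:
            score += points; reasons.append(why)
    return max(0, min(100, score)), reasons

# Constructed sample records (not real captures); ENC is a harmless encoded PowerShell string.
ENC = base64.b64encode("Write-Output 'constructed sample'".encode("utf-16le")).decode()
PS_SAMPLE = {"pid": 4321, "name": "powershell.exe", "currentDirectory": r"C:\Windows\System32",
             "imagePath": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
             "commandLine": f"powershell -nop -w hidden -enc {ENC}",
             "signature": {"trusted": True, "publisher": "Microsoft Corporation"}}
MASQ_SAMPLE = {"pid": 5555, "name": "svch0st.exe", "currentDirectory": r"C:\Users\Public\Downloads",
               "imagePath": r"C:\Users\Public\Downloads\svch0st.exe",
               "commandLine": "svch0st.exe -k netsvcs",
               "signature": {"trusted": False, "status": "TRUST_E_NOSIGNATURE"}}
```

Note that a trusted signature only lowers the score when the publisher or path is also whitelisted, which is why `PS_SAMPLE` scores differently with and without `pub_whitelist=("Microsoft Corporation",)`.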
## Limitations

- Reading some processes may fail (PPL / TS / RPCSS / Secure System).
- The RTL_USER_PROCESS_PARAMETERS layout is not a stable ABI; fields beyond those used may vary by OS build.
- Heuristics are best-effort and may yield false positives/negatives.
## Usage

```text
ProcHunt.exe [options]
  -a, --all                    enumerate all processes (default)
  -p, --pid <PID>              single process
  --json                       JSON output
  --min-score|--threshold N    show only results with score >= N (0–100)
  -t N                         alias for --min-score
  --whitelist-pub <file>       publisher whitelist (one per line)
  --whitelist-path <file>      path-prefix whitelist (one per line)
  -o, --output <file>          write output to UTF-8 file (recommended for JSON)
  -h, --help                   usage
```
### Examples

```powershell
# All processes, text
.\ProcHunt.exe -a

# High-suspicion only (>=70), text
.\ProcHunt.exe --min-score 70 -a

# JSON + filter (>=50)
.\ProcHunt.exe --json --threshold 50 -a -o out.json

# Single PID
.\ProcHunt.exe -p 4321
```

Whitelist files:

- `--whitelist-pub pubs.txt`: one publisher per line (e.g., `Microsoft Corporation`).
- `--whitelist-path paths.txt`: absolute path prefixes (e.g., `C:\Program Files`).
Watch a quick demo of ProcHunt in action.
### Sample JSON output

```json
[
  {
    "pid": 4321,
    "name": "powershell.exe",
    "imagePath": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "commandLine": "powershell -nop -w hidden -enc ...",
    "currentDirectory": "C:\\Windows\\System32",
    "signature": { "trusted": true, "status": "ERROR_SUCCESS", "publisher": "Microsoft Corporation", "thumbprint": "..." },
    "heuristics": { "score": 80, "reasons": ["LOLBin/suspicious command line", "Obfuscated/encoded command line"] }
  }
]
```

You can use jq to filter and process ProcHunt's JSON output. Here are some examples:
```bash
# Show all entries with score >= 40
jq --argjson min 40 '.[] | select(.heuristics.score >= $min)' out.json

# Output PID, name, and score as tab-separated values for score >= 40
jq -r --argjson min 40 '.[] | select(.heuristics.score >= $min) | [.pid, .name, .heuristics.score] | @tsv' out.json
```

These commands help you quickly extract high-suspicion processes or format results for further analysis.
## Build

Builds are produced by the CI pipeline under `.github/workflows/build.yml`.

Local build (optional): open `ProcHunt.sln` in Visual Studio 2022 (x64), or use MSBuild:

```powershell
msbuild .\ProcHunt.sln /t:Build /p:Configuration=Release /p:Platform=x64 /m
```

