GhostProcess is a lightweight behavioral analysis tool that monitors background processes and detects suspicious activity based on CPU, network, and idle-time behavior. Instead of using signatures, it focuses on how programs act when the user is away, helping reveal hidden or silent processes in a transparent and educational way.
GhostProcess Devlog — GhostProcess is a lightweight behavioral analysis tool designed to monitor background programs and flag suspicious activity based on how processes behave when the user is idle. Unlike signature-based scanners, it focuses on behavioral heuristics to highlight unusual CPU, memory, network, and idle interactions.
Recent work has refined the risk scoring engine, improved real-time process tracking, and polished the CustomTkinter GUI with color-coded risk levels, real-time tables, and responsiveness while scanning. The repository now includes clear modular separation between scanners (scanner/) and analysis logic (analyzer/), with main.py orchestrating collection and scoring and the UI reflecting the latest findings.
GhostProcess emphasizes transparency and safety: it does not delete, kill, or modify any system process, and it avoids databases or signatures, instead generating suspicion purely from runtime patterns. Future improvements aim at logging, whitelisting trusted software, and exploring parent-child process relationships to reduce false positives.
Built for educational purposes for the Hack Club community.
Log in to leave a comment
👻 GhostProcess Devlog: Behavioral Analysis
GhostProcess is a background monitoring tool built for the Hack Club community. Unlike traditional signature based antiviruses, it relies entirely on behavioral analysis to detect suspicious background activity that appears when the user is away from the computer.
Many malicious processes remain silent while the user is active, then increase CPU and network usage during idle periods. GhostProcess automatically switches to a more sensitive scan mode when the system enters IDLE state to catch these behaviors.
The system consists of an idle detector using Windows GetLastInputInfo, a process and network monitor powered by psutil, and a heuristic risk engine that scores activity based on usage patterns. Results are shown in a modern CustomTkinter interface with real time updates and color coded risk levels.
Future plans include logging, process whitelisting, and parent child process analysis.
Developed for educational purposes. Hack Club!!!!
Log in to leave a comment
I’m working on my first project! This is so exciting. I can’t wait to share more updates as I build.
Log in to leave a comment