A Windows-based background service that monitors real-time process creation using ETW (Event Tracing for Windows) and injects a Frida script into suspicious processes to hook and log WinAPI calls. Designed for malware analysis, threat detection, and behavioral monitoring.
- Real-time monitoring of process creation via ETW
- Detects suspicious execution paths and PPID spoofing
- Automatically injects a Frida-based API hooker into targets
- Logs WinAPI calls to structured JSON
- Dynamic path resolution (no hardcoded folders)
- Can run silently as a service or background task
Download the latest release from the Releases page and extract it.
To run the monitor:
✅ Simply execute the
process_monitor.exein the same folder as theinjector.exe.
No additional setup is required.
For advanced users or contributors who want to modify the tool.
Here’s the corrected and properly formatted version of that section in Markdown:
- Windows 10 or later
- Visual Studio (C++ workload)
- Python 3.8+ installed
- Required Python packages:
pip install frida pyinstallerUse the provided injector.spec file to build the Python component with PyInstaller:
pyinstaller injector.specEdit the config.ini file to specify where logs should be saved:
[monitor]
log_file_path = logs/output.jsonThe path is resolved dynamically at runtime.
Each API call hook is logged as a structured JSON object:
{
"timestamp": "2025-05-01T23:18:53.152446",
"process_name": "example.exe",
"pid": 17696,
"data": [
"CreateThread",
"..."
]
}A short screen recording showing real-time process detection, Frida injection, and WinAPI logging in action.
