charitha-98/win32-network-activity-monitor
# 🛡️ Windows Host-Based Data Exfiltration Monitoring Tool
## 🚀 Key Features
* **Dynamic Directory Auditing:** Utilizes the Win32 `ReadDirectoryChangesW` API to capture asynchronous file system modifications in real-time.
* **Extended Network Polling:** Employs a 10-second polling cycle with `GetExtendedTcpTable` to catch connections that web browsers establish lazily during multi-part file uploads (e.g., Google Drive, Gmail, Telegram).
* **Process Resolution:** Leverages `EnumProcessModules` and `GetModuleBaseNameA` to resolve the owner of each active connection back to its source executable (.exe).
* **Tabular Forensic Logging:** Writes every intercepted event as a single structured log line, a format suited to SIEM ingestion.
* **Background Service Integration:** Runs under the Windows Service Control Manager (SCM) via NSSM, so it starts after a reboot without user interaction.
## 🛠️ Architecture & Log Schema
Every recorded runtime event maps directly into a flat-file tabular format:
`[Timestamp] [PID] [Protocol] [Local Endpoint] [Remote Endpoint] [Process Name] [Detected File & Data Vol.]`
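The schema above is the contract a SIEM or triage script consumes. The following Python is an added example, not code from this repository: it parses lines of that seven-field format and flags events where a process that touched a file also holds a connection to a non-internal address. It assumes (the README does not state this) that every field is literally wrapped in square brackets and separated by single spaces, that the file column holds `-` when no file was detected, and that "internal" means RFC 1918, loopback and link-local ranges. The sample log lines are constructed for the example.

```python
"""Parse the monitor's tabular log lines and triage likely exfiltration events (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# One log line: [Timestamp] [PID] [Protocol] [Local Endpoint] [Remote Endpoint]
#               [Process Name] [Detected File & Data Vol.]
# Assumption: fields are bracketed and single-space separated; the file column
# may contain spaces (path plus size), so it is captured up to the closing bracket.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]*)\] \[(?P<pid>\d+)\] \[(?P<proto>[^\]]*)\] "
    r"\[(?P<local>[^\]]*)\] \[(?P<remote>[^\]]*)\] \[(?P<proc>[^\]]*)\] "
    r"\[(?P<file>[^\]]*)\]$"
)

# Address ranges treated as internal; anything else counts as an external destination.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

# Constructed sample lines (not real captures): a browser uploading a spreadsheet
# to an external host, the same browser talking to an internal file server,
# a service with no file activity, and one malformed line.
SAMPLE_LINES = [
    r"[2024-01-01 12:00:00] [4321] [TCP] [192.168.1.10:51234] [203.0.113.5:443] [chrome.exe] [C:\Users\alice\report.xlsx 2.3 MB]",
    r"[2024-01-01 12:00:10] [4321] [TCP] [192.168.1.10:51235] [192.168.1.20:445] [chrome.exe] [C:\Users\alice\notes.txt 4 KB]",
    r"[2024-01-01 12:00:20] [7777] [TCP] [192.168.1.10:51236] [203.0.113.9:443] [svchost.exe] [-]",
    "this line does not follow the schema",
]


@dataclass
class Event:
    timestamp: str
    pid: int
    protocol: str
    local: str
    remote: str
    process: str
    file_info: str  # "-" when the monitor detected no file for this connection


def parse_line(line: str) -> Optional[Event]:
    """Return an Event for a well-formed line, or None so a bad line is skipped, not fatal."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(m["ts"], int(m["pid"]), m["proto"], m["local"],
                 m["remote"], m["proc"], m["file"])


def is_external(endpoint: str) -> bool:
    """True if the host part of 'ip:port' lies outside INTERNAL_NETS.

    Unparseable hosts (including bracketed IPv6 literals, which this simple
    split does not handle) are reported as not external so they are never
    silently promoted to an alert.
    """
    host, _, _port = endpoint.rpartition(":")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def flag_exfil_candidates(lines: List[str]) -> List[Event]:
    """Events where a file was detected AND the remote endpoint is external."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev.file_info.strip() in ("", "-"):
            continue
        if is_external(ev.remote):
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for ev in flag_exfil_candidates(SAMPLE_LINES):
        print(f"{ev.timestamp} pid={ev.pid} {ev.process} -> {ev.remote}: {ev.file_info}")
```

A single-line, fixed-column format is easy to ship to a SIEM, but because the tool samples the TCP table every 10 seconds rather than hooking connection creation, a connection that opens and closes inside one interval produces no line; correlate this log with the directory-change events and with network-level telemetry rather than treating an absent line as proof that nothing left the host.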
## 💻 Prerequisites & Compilation
* **OS:** Windows 10 / 11 (64-bit)
* **Compiler:** GCC via MinGW-w64 toolchain
* **Privileges:** Administrative shell (required for network and module enumeration)
### Compilation Command
Open PowerShell or Command Prompt as an **Administrator** inside the project root and link the necessary Windows Sockets and IP Helper APIs:

```sh
gcc monitor.c -o data_exfiltration_monitor.exe -liphlpapi -lpsapi -lws2_32
```