DEV Community

Shresth Paul

Building a High-Density "OS Terminal" for Windows Forensics in Pure C

What happens when you combine low-level Windows C programming with a zero-dependency WebSocket dashboard? You get OS Terminal, a hyper-lean alternative to bloated modern monitoring tools.

The Objective: Zero Bloat, Total Visibility
Most monitoring tools today are Electron-based or rely on heavy WMI queries that spike your CPU. I wanted to see how far I could push the Win32 API to create a forensic tool that uses less than 30 MB of RAM while providing "Extreme Observability."

The Tech Stack
Native C engine: calls directly into ntdll.dll and advapi32.dll.
Node.js bridge: acts as a high-speed asynchronous relay.
Vanilla CSS/JS dashboard: 100% dependency-free. No React. No Vite. No 150 MB node_modules folder.

Key Technical Challenges Overcome

1. Ripping Process Strings from the PEB
Standard APIs often mask command-line arguments for protected processes. OS Terminal uses NtQueryInformationProcess with ProcessCommandLineInformation (information class 60). With SeDebugPrivilege enabled, it can reach into the remote Process Environment Block (PEB) of any binary and extract the raw execution parameters before they are obfuscated.

2. Shannon Entropy Analysis in C
Detecting malware often comes down to unpredictability. I implemented a Shannon entropy calculation in the polling loop. If a process starts running a Base64-encoded script, its entropy score spikes (usually above 5.0). The UI detects this delta and red-flags it instantly.

3. Async Kernel Registry Traps
Polling the Registry is slow. Instead, I built an asynchronous C thread that blocks in a kernel wait state via RegNotifyChangeKeyValue. It sits silently at 0% CPU usage until a persistence key (like HKLM\Run) is touched, at which point it drains a thread-safe ring buffer straight to the dashboard.

Check out the source code and the architecture here: 👉 GitHub Repository [https://github.com/SecByShresth/OS-Terminal.git]
