Hunt. Detect. Exorcise.
A cybersecurity tool that detects malicious processes, rogue network connections, suspicious services, and evil files lurking on your system — with a dark terminal Web UI and a powerful CLI.
| Hunt Mode | Exorcise Mode |
|---|---|
| Full scan with threat score, findings by category | Remediation commands to kill every demon |

| Category | What's hunted |
|---|---|
| 🔴 Process Demons | nc, nmap, xmrig, metasploit, hydra, cryptominers, reverse shells... |
| 🌐 Network Demons | Suspicious open ports (4444, 1337, 6666...), rogue DNS servers, active C2 connections |
| ⚙️ Service Demons | Malicious cron jobs, unknown systemd services, suspicious init.d scripts |
| 📁 File Demons | Executables in /tmp, world-writable sensitive files, unusual SUID binaries |
```bash
# Python 3.8+ required
python3 --version
# No external dependencies — uses only stdlib
```

```bash
git clone https://github.com/YOUR_USERNAME/demonhunter.git
cd demonhunter
chmod +x demonhunter.py
```

```bash
python3 demonhunter.py --hunt
```

Scans processes, network, services, and files. Outputs a threat score and categorized findings.

```bash
python3 demonhunter.py --hunt --quick
```

Faster scan for rapid triage.

```bash
python3 demonhunter.py --exorcise
```

Runs a full scan, then generates ready-to-run kill commands for every demon found.

```
⚡ Kill PID 3421 (nc):
$ sudo kill -9 3421
⚡ Block port 4444:
$ sudo iptables -A INPUT -p tcp --dport 4444 -j DROP
$ sudo iptables -A OUTPUT -p tcp --dport 4444 -j DROP
```

```bash
python3 demonhunter.py --watch
```

Monitors your system every 5 seconds. Alerts you in real time when a new demon spawns.

```
[17:09:42] ⚡ DEMON SPAWNED: nc (PID: 9001)
[17:09:47] ⚠ 18 new processes spawned
```

```bash
python3 demonhunter.py --hunt --report
```

Saves a demonhunter_report.json file you can load into the Web UI for visual analysis.
Open demonhunter_ui.html in any browser — no server required.
Features:
- Real-time threat score & severity meter
- Findings categorized in 4 panels (Processes / Network / Services / Files)
- Exorcise modal with one-click remediation commands
- Live watch feed with event timeline
- Load report from CLI via drag & drop
Workflow:
```bash
# Step 1 — Run the real scan on your machine
python3 demonhunter.py --hunt --report
# Step 2 — Open the UI
firefox demonhunter_ui.html # or any browser
# Step 3 — Click "LOAD REPORT" and drop demonhunter_report.json
```

| Score | Level | Meaning |
|---|---|---|
| 0 | ✅ CLEAN | No demons found |
| 1–3 | | Minor anomalies detected |
| 4–8 | 🔴 DANGER | Active threats present |
| 9+ | ☠️ CRITICAL | System heavily compromised |
Each finding is scored:
- critical → +3 points
- high → +2 points
- medium → +1 point
```
demonhunter/
├── demonhunter.py # CLI — the main hunter
├── demonhunter_ui.html # Web UI — dark terminal dashboard
└── README.md # You are here
```

```bash
# Hunt with full output + save report
python3 demonhunter.py --hunt --report
# Quick triage + exorcise
python3 demonhunter.py --exorcise --quick
# Background watch + log to file
python3 demonhunter.py --watch > demon_log.txt 2>&1 &
# Check help
python3 demonhunter.py --help
```

Suspicious processes
netcat nc ncat nmap masscan hydra john hashcat metasploit msfconsole msfvenom wireshark tcpdump keylogger mimikatz cobalt beacon empire pupy backdoor rootkit cryptominer xmrig minerd reverse_shell ngrok frpc
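
Added example (not DemonHunter's own code): matching the names above against a process listing and scoring the result with the weights and bands given earlier. The `ps` sample, the severity mapping and all function names are assumptions; it contrasts a substring match, which also flags `rsync` and a file named after `nmap`, with a match on the executable's basename.

```python
import os

# Subset of the process names listed on this page.
SIGNATURES = {"nc", "ncat", "nmap", "hydra", "xmrig", "mimikatz", "ngrok"}
# Per-finding weights as stated on this page.
WEIGHTS = {"critical": 3, "high": 2, "medium": 1}
# Assumption: the page does not say which severity each name gets.
ASSUMED_SEVERITY = {"xmrig": "critical", "mimikatz": "critical"}

# Constructed sample in the shape of `ps -eo pid,args` output.
SAMPLE_PS = """\
  PID COMMAND
  812 /usr/bin/rsync --daemon
 3421 nc -l 4444
 5150 /tmp/.x/xmrig --config=c.json
 7002 vim notes-on-nmap.txt
"""

def rows(ps_output):
    """Yield (pid, command line) for each process row, skipping the header."""
    for line in ps_output.splitlines():
        pid, _, args = line.strip().partition(" ")
        if pid.isdigit() and args:
            yield int(pid), args.strip()

def substring_hits(ps_output):
    """Naive check: a signature anywhere in the command line. Noisy."""
    return [pid for pid, args in rows(ps_output)
            if any(sig in args for sig in SIGNATURES)]

def basename_hits(ps_output):
    """Stricter check: the executable's basename must equal a signature."""
    found = []
    for pid, args in rows(ps_output):
        name = os.path.basename(args.split()[0])
        if name in SIGNATURES:
            found.append((pid, name, ASSUMED_SEVERITY.get(name, "high")))
    return found

def threat_score(findings):
    return sum(WEIGHTS[sev] for _, _, sev in findings)

def threat_level(score):
    """Bands from the page's table; it names no level for 1-3."""
    if score == 0:
        return "CLEAN"
    if score <= 3:
        return "minor anomalies"
    return "DANGER" if score <= 8 else "CRITICAL"
```

On the sample, the substring check flags all four rows while the basename check flags only PIDs 3421 and 5150, for a score of 5.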

Evil ports
| Port | Known for |
|---|---|
| 4444 | Metasploit default |
| 1337 | Common backdoor |
| 31337 | Back Orifice / elite backdoor |
| 6666–6669 | IRC botnet C2 |
| 9001 / 9050 | Tor relay / SOCKS proxy |
| 12345 | NetBus RAT |
| 3333 / 14444 | Cryptominer pools |
DemonHunter is built for educational purposes and authorized security assessments only. Only run it on systems you own or have explicit permission to test. The authors are not responsible for any misuse.
Pull requests welcome. To add new demon signatures, edit the SUSPICIOUS_PROCESSES and SUSPICIOUS_PORTS dictionaries in demonhunter.py.
MIT — free to use, modify, and distribute.