Endpoint security monitor — watches your system and screams when something changes.
Project description
ghostcanary
Endpoint security monitor. Watches your system and screams when something changes.
A loud, visible desktop canary. Not an EDR. Not a blocker. Just a watcher that talks.
What It Monitors
- Kernel drivers - new loads, disappearances
- Windows services - new services, state changes
- Processes - new process names, suspicious parent-child relationships, encoded PowerShell, download cradles
- Network connections - new outbound destinations, new listening ports, connection spikes, beaconing detection
- DNS cache - new resolutions, suspicious/DGA-like domains
- Registry autoruns - Run/RunOnce key changes
- Scheduled tasks - new tasks, removed tasks
- File system - new executables in monitored paths, startup folder modifications, System32 changes
- DLLs - unusual load paths, unsigned DLLs in signed processes
- Named pipes - new pipe creation (common C2 channel)
- WMI subscriptions - event subscription creation
- COM objects - hijack detection
- Event logs - gaps, cleared logs
Cross-platform: Windows (full support), Linux and macOS (core monitoring via psutil fallback).
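The beaconing detection listed above (with the trusted processes/destinations and scoring threshold that the configuration section mentions) can be sketched as an interval-regularity score over outbound connections. This is an added example, not ghostcanary's own code: the scoring rule, the trusted lists, the minimum connection count and the threshold are assumptions, and the connection log is constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Added example (not ghostcanary's code). Trusted lists, minimum count and
# threshold stand in for the 'beaconing' config section; values are assumed.
TRUSTED_PROCESSES = {"svchost.exe"}
TRUSTED_DESTINATIONS = {"10.0.0.5:443"}
MIN_CONNECTIONS = 6
SCORE_THRESHOLD = 0.8

def regularity(timestamps):
    """1.0 for perfectly periodic connections; 0.0 once gaps vary as much as their mean."""
    t = sorted(timestamps)
    gaps = [b - a for a, b in zip(t, t[1:])]
    if len(gaps) < 2 or mean(gaps) == 0:
        return 0.0
    cv = pstdev(gaps) / mean(gaps)   # coefficient of variation of the inter-arrival gaps
    return max(0.0, 1.0 - cv)

def score_beacons(connections):
    """connections: iterable of (timestamp_seconds, process_name, 'ip:port')."""
    seen = defaultdict(list)
    for ts, proc, dest in connections:
        if proc in TRUSTED_PROCESSES or dest in TRUSTED_DESTINATIONS:
            continue   # trusted pairs are never scored
        seen[(proc, dest)].append(ts)
    hits = []
    for (proc, dest), stamps in seen.items():
        if len(stamps) < MIN_CONNECTIONS:
            continue   # too few samples to call anything periodic
        score = regularity(stamps)
        if score >= SCORE_THRESHOLD:
            hits.append({"process": proc, "destination": dest,
                         "count": len(stamps), "score": round(score, 3)})
    return sorted(hits, key=lambda h: -h["score"])

# Constructed log: one process calls out every ~60 s with small jitter, a browser
# talks to a site at irregular human-paced intervals, and a trusted process is
# perfectly periodic but excluded by the trusted list.
SAMPLE = (
    [(1000 + 60 * i + (i % 3), "updater.exe", "203.0.113.7:8443") for i in range(8)]
    + [(1000 + t, "browser.exe", "198.51.100.2:443") for t in (0, 7, 95, 101, 340, 352, 900)]
    + [(1000 + 30 * i, "svchost.exe", "10.0.0.5:443") for i in range(10)]
)
```

Only the jittered 60-second caller clears the threshold; the browser traffic scores 0 because its gaps vary more than their mean, and the trusted process is skipped before scoring.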
Install
```shell
pip install ghostcanary
```
With desktop UI support (Pillow for mascot images):
```shell
pip install ghostcanary[ui]
```
With all optional dependencies (psutil for deeper process/network monitoring):
```shell
pip install ghostcanary[full]
```
Quick Start
Run the scanner

```shell
ghostcanary-scan                # Continuous scanning (30s interval)
ghostcanary-scan --interval 10  # Faster scanning
ghostcanary-scan --once         # Single scan and exit
ghostcanary-scan --list-logs    # List monitored Windows Event Logs
```

Run the desktop UI

```shell
ghostcanary-ui         # Floating desktop mascot with speech bubbles
ghostcanary-ui --test  # Show a test bubble and exit
```

Run the daemon (manages scanner + UI)

```shell
ghostcanary-daemon run        # Start both scanner and UI, auto-restart on crash
ghostcanary-daemon install    # Add to Windows startup (requires admin)
ghostcanary-daemon uninstall  # Remove from Windows startup
ghostcanary-daemon status     # Check if running/installed
ghostcanary-daemon stop       # Stop the daemon
```
How It Works
- Edge Parser scans system surfaces on a configurable interval
- Compares current state against a SQLite-backed baseline
- Emits typed signals with severity levels (INFO, WARN, ALERT, CRITICAL)
- Canary UI picks up signals and displays speech bubbles on your desktop
- Notification Center provides filterable history of all signals
No inference. No correlation. No blocking. Just facts.
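The scan/compare/emit loop described above, as an added example that is not ghostcanary's own code: the surface names, signal names, severities and the SQLite baseline schema are assumptions for illustration, and the snapshots are constructed. A surface's first scan only seeds the baseline; later scans emit one signal per item that appeared or disappeared, and then replace the baseline with the current state, with no interpretation of what the change means.

```python
import sqlite3
from dataclasses import dataclass

# Added example (not ghostcanary's code). Surface names, signal names and
# severities for appear/disappear are assumed for illustration.
SEVERITY = {"kernel_driver": ("CRITICAL", "WARN"),
            "listening_port": ("ALERT", "INFO")}

@dataclass(frozen=True)
class Signal:
    signal_type: str   # e.g. NEW_KERNEL_DRIVER or REMOVED_KERNEL_DRIVER
    surface: str
    artifact: str
    severity: str

class Baseline:
    """SQLite-backed set of known items per surface (in-memory by default)."""
    def __init__(self, path=":memory:"):
        self.db = sqlite3.connect(path)
        self.db.execute("CREATE TABLE IF NOT EXISTS baseline ("
                        "surface TEXT, item TEXT, PRIMARY KEY (surface, item))")

    def known(self, surface):
        rows = self.db.execute("SELECT item FROM baseline WHERE surface = ?", (surface,))
        return {r[0] for r in rows}

    def scan(self, surface, current):
        """Diff a fresh snapshot against the baseline, emit signals, then replace it."""
        known, current = self.known(surface), set(current)
        new_sev, gone_sev = SEVERITY[surface]
        signals = []
        if known:   # the first scan of a surface only seeds the baseline
            signals += [Signal(f"NEW_{surface.upper()}", surface, i, new_sev)
                        for i in sorted(current - known)]
            signals += [Signal(f"REMOVED_{surface.upper()}", surface, i, gone_sev)
                        for i in sorted(known - current)]
        # No inference: the current state simply becomes the new baseline.
        with self.db:
            self.db.execute("DELETE FROM baseline WHERE surface = ?", (surface,))
            self.db.executemany("INSERT INTO baseline VALUES (?, ?)",
                                [(surface, i) for i in current])
        return signals

def demo():
    """Seed with a constructed driver list, then rescan after one driver appears."""
    bl = Baseline()
    first = bl.scan("kernel_driver", ["ntfs.sys", "tcpip.sys"])
    second = bl.scan("kernel_driver", ["ntfs.sys", "tcpip.sys", "example.sys"])
    return first, second
```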
Configuration
On first run, a config.yaml is created in the package directory with defaults. Key sections:
- scan - interval, parallel workers
- baseline - aging, frequency tracking, anomaly threshold
- network - spike detection, beaconing parameters
- beaconing - trusted processes/destinations, scoring thresholds
- process - suspicious parent/child relationships
- alert - sound, snooze, rate limiting
- ui - color mode, theme
Using as a Library
```python
import ghostcanary

# Check version
print(ghostcanary.__version__)

# Access signal types
print(ghostcanary.SignalTypes.NEW_KERNEL_DRIVER)

# Create a signal
sig = ghostcanary.Signal.create(
    signal_type=ghostcanary.SignalTypes.NEW_KERNEL_DRIVER,
    source_surface="CustomMonitor",
    artifacts={"name": "suspicious.sys"},
    severity=ghostcanary.Severity.CRITICAL,
    category=ghostcanary.Category.KERNEL,
)

# Store in the signals database
db = ghostcanary.get_signals_db()
db.store(sig)

# Query signals
recent = db.get_recent(limit=10)
```
Signal Flow
```
System State (drivers, services, processes, network, ...)
        |
        v
Edge Parser (scan surfaces, compare baseline, emit signals)
        |
        v
signals.json (file-based queue) + signals.db (SQLite history)
        |
        v
Canary UI (poll queue, translate signal, show bubble)
```
Design Principles
- No inference - only detects changes, never interprets them
- No correlation - each surface is independent
- No blocking - observes, never prevents
- Local only - everything stays on this machine
- Expendable - raw logs exist elsewhere, these files can be deleted
- Visible - canary is always on screen, not hidden
- Loud - every signal gets a bubble
- Factual - dry tone, no alarm, no "attack" language
License
MIT
File details
Details for the file ghostcanary-0.1.0.tar.gz.
File metadata
- Download URL: ghostcanary-0.1.0.tar.gz
- Upload date:
- Size: 71.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.10
File hashes

| Algorithm | Hash digest |
|---|---|
| SHA256 | b189ee9292f0a327fd04a1106dc469df0faef01cac05854cc72db8b768f760be |
| MD5 | dd4caf1248484c8c9600c51855c38b2b |
| BLAKE2b-256 | 41a5091ff22e1da6344e6ba389b86af01f955df9f4111c7355397444f27240ff |
File details
Details for the file ghostcanary-0.1.0-py3-none-any.whl.
File metadata
- Download URL: ghostcanary-0.1.0-py3-none-any.whl
- Upload date:
- Size: 64.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.10
File hashes

| Algorithm | Hash digest |
|---|---|
| SHA256 | 51a09c04075e666696ce001ca11c8aaeb43021f0d267a35440dc35e6d5d3e843 |
| MD5 | 61e6dbdd2bc653475fbc217943de24a9 |
| BLAKE2b-256 | 660e3b8c30517ddf5714ecfc99e3323f70d621d5cddb9cc474a94db6d21f0c54 |