Documentation index: https://mintlify.com/HavocFramework/Havoc/llms.txt

Overview

The proc command provides comprehensive process management functionality including enumeration, creation, termination, and memory analysis of processes on the target system.

Syntax

proc [subcommand] [parameters]

Subcommands

list

Enumerate all running processes on the target system.
proc list
Returns processes (array), one object per process with the following fields:
  • name (string) - Process executable name
  • pid (integer) - Process identifier
  • ppid (integer) - Parent process identifier
  • arch (string) - Process architecture (x86 or x64)
  • user (string) - User context the process is running under
  • session (integer) - Session ID the process belongs to

grep

Search for processes by name.
proc grep [process_name]
  • process_name (string, required) - The process name to search for (case-insensitive, supports partial matches)
Returns: Process Name, Process ID, Parent PID, User, and Architecture for matching processes.

kill

Terminate a process by PID.
proc kill [pid]
  • pid (integer, required) - The process identifier of the process to terminate

create

Start a new process in suspended or running state.
proc create [state] [process] [args]
  • state (string, required) - Process creation state:
    • normal - Start process in running state
    • suspended - Start process in suspended state (useful for injection)
  • process (string, required) - Full path to the executable to launch
  • args (string) - Command-line arguments to pass to the process

module

List loaded modules (DLLs) from a specified process.
proc module [pid]
  • pid (integer, required) - Process identifier to enumerate modules from
Returns modules (array), one object per loaded module with the following fields:
  • name (string) - Module/DLL name
  • base_address (hex) - Base address where the module is loaded
  • size (integer) - Size of the module in bytes
  • path (string) - Full path to the module file

memory

Query process memory pages with specified protection flags.
proc memory [pid] [protection]
  • pid (integer, required) - Process identifier to query memory from
  • protection (string, required) - Memory protection flag to filter by:
    • PAGE_NOACCESS - No access
    • PAGE_READONLY - Read-only
    • PAGE_READWRITE - Read and write
    • PAGE_WRITECOPY - Copy-on-write
    • PAGE_EXECUTE - Execute only
    • PAGE_EXECUTE_READ - Execute and read
    • PAGE_EXECUTE_READWRITE - Execute, read, and write
    • PAGE_EXECUTE_WRITECOPY - Execute and copy-on-write
    • PAGE_GUARD - Guard page
Returns memory_regions (array), one object per matching region with the following fields:
  • base_address (hex) - Starting address of the memory region
  • size (integer) - Size of the memory region in bytes
  • protection (string) - Current protection flags
  • type (string) - Memory type (Image, Mapped, Private)

Examples

List All Processes

proc list
Example Output:
PID   | PPID | Session | Arch | User                | Process Name
------|------|---------|------|---------------------|-------------
4     | 0    | 0       | x64  | NT AUTHORITY\SYSTEM | System
644   | 4    | 0       | x64  | NT AUTHORITY\SYSTEM | smss.exe
1520  | 644  | 1       | x64  | CORP\jdoe           | explorer.exe
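The table above is what an operator sees, but the same output is also what ends up in engagement logs and in the teamserver's console history, so a parser for it is handy for triage. The following Python is an added example, not code from the framework or its authors: it turns the tabular proc list output into objects with the fields the reference lists (name, pid, ppid, arch, user, session), reproduces the case-insensitive partial match of proc grep, walks a parent chain, and flags processes whose parent PID is absent from the listing. The sample output is constructed for the example and mirrors the layout shown on this page; the extra rows (notepad.exe, cmd.exe) are invented.

```python
"""Parse `proc list` output and run a few triage checks over it.
Added example: not part of the framework.  SAMPLE_OUTPUT is constructed
to match the table layout on this page."""
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample of the table format shown on the page.
SAMPLE_OUTPUT = """\
PID   | PPID | Session | Arch | User                | Process Name
------|------|---------|------|---------------------|-------------
4     | 0    | 0       | x64  | NT AUTHORITY\\SYSTEM | System
644   | 4    | 0       | x64  | NT AUTHORITY\\SYSTEM | smss.exe
1520  | 644  | 1       | x64  | CORP\\jdoe           | explorer.exe
4521  | 1520 | 1       | x64  | CORP\\jdoe           | notepad.exe
7012  | 9999 | 1       | x86  | CORP\\jdoe           | cmd.exe
"""


@dataclass(frozen=True)
class Process:
    """One row of `proc list`, with the field names used in the reference."""
    name: str
    pid: int
    ppid: int
    arch: str
    user: str
    session: int


def parse_proc_list(text: str) -> list[Process]:
    """Parse the pipe-separated table; header and separator rows are skipped.
    Column order follows the table: PID, PPID, Session, Arch, User, Name."""
    procs: list[Process] = []
    for line in text.splitlines():
        if "|" not in line or line.startswith("PID") or line.startswith("---"):
            continue
        pid, ppid, session, arch, user, name = [c.strip() for c in line.split("|")]
        procs.append(Process(name, int(pid), int(ppid), arch, user, int(session)))
    return procs


def grep(procs: list[Process], needle: str) -> list[Process]:
    """Case-insensitive partial match on the process name, like `proc grep`."""
    n = needle.lower()
    return [p for p in procs if n in p.name.lower()]


def ancestry(procs: list[Process], pid: int) -> list[str]:
    """Process names from `pid` up to the root, stopping at an unknown parent
    or a cycle (a cycle cannot occur in a live listing but PID reuse can
    produce one in a stale snapshot)."""
    by_pid = {p.pid: p for p in procs}
    chain: list[str] = []
    seen: set[int] = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid].name)
        pid = by_pid[pid].ppid
    return chain


def orphans(procs: list[Process]) -> list[Process]:
    """Processes whose PPID is not in the listing.  A parent that has exited
    is the normal explanation; a parent that never existed is what a spoofed
    PPID looks like, so these rows deserve a second look."""
    pids = {p.pid for p in procs}
    return [p for p in procs if p.ppid != 0 and p.ppid not in pids]


if __name__ == "__main__":
    procs = parse_proc_list(SAMPLE_OUTPUT)
    for p in grep(procs, "explorer"):
        print(p.pid, p.name, p.user, " <- ".join(ancestry(procs, p.pid)))
    for p in orphans(procs):
        print("orphan:", p.pid, p.name, "claims parent", p.ppid)
```

The orphan check is deliberately conservative: it only says the parent is not in this snapshot, which is common for short-lived launchers, so treat it as a prompt to look at the parent chain rather than as a verdict.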

Search for Specific Process

proc grep chrome
Finds all processes with “chrome” in the name.

Create Suspended Process for Injection

proc create suspended C:\Windows\System32\notepad.exe
Creates notepad.exe in suspended state, useful for process injection:
# Create suspended process
proc create suspended C:\Windows\System32\notepad.exe

# Note the PID from output (e.g., 4521)
# Inject shellcode
shellcode inject x64 4521 /path/to/shellcode.bin

List Modules in Process

proc module 1520
Enumerates all loaded DLLs in process 1520.

Find Executable Memory Regions

proc memory 1520 PAGE_EXECUTE_READWRITE
Lists all memory regions with RWX permissions in process 1520 (useful for detecting injected code).

Kill Process

proc kill 4521
Terminates process 4521.

OPSEC Considerations

Process Enumeration

  • Process listing may trigger ETW events
  • Some EDR solutions monitor process enumeration APIs
  • Consider using proc grep for targeted searches instead of full enumeration

Process Creation

Creating processes in suspended state:
  • Advantage: Allows injection before process initialization
  • Risk: Suspended processes may appear suspicious to monitoring tools
  • Use Case: Process injection and hollowing techniques

Memory Scanning

  • Querying process memory can trigger:
    • OpenProcess monitoring
    • Memory access alerts in EDR
    • Anti-debugging protections
  • Use sparingly and only when necessary

Process Termination

  • Killing protected processes may fail or trigger alerts
  • Some processes are critical and terminating them may cause system instability
  • Consider the impact on system stability before killing processes

Use Cases

Pre-Injection Reconnaissance

# Find target process
proc grep explorer

# Check process architecture
proc list | grep explorer

# Enumerate modules to find injection target
proc module 1520

# Inject payload
shellcode inject x64 1520 /path/to/payload.bin

Detecting Injected Code

# Look for suspicious RWX memory regions
proc memory 1520 PAGE_EXECUTE_READWRITE

Clean Process Creation

# Create a legitimate-looking process
proc create normal C:\Windows\System32\svchost.exe "-k netsvcs"

Advanced Usage

PPID Spoofing

Combine with the proc ppidspoof command to set a specific parent process for subsequently created processes:
# Set parent PID to explorer.exe (PID 1520)
proc ppidspoof 1520

# Create process with spoofed parent
proc create normal C:\Windows\System32\cmd.exe
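From the monitoring side, the suspended-creation and PPID-spoofing workflow on this page leaves two artifacts: a process whose recorded parent is not the process that actually called the creation API, and a process that was started suspended. The Python below is an added example, not part of the framework. It assumes a process-creation telemetry source that records both the parent PID the new process carries and the PID of the process that issued the creation call (kernel process-start events carry the caller in the event header; the record shape, field names and timeline here are constructed).

```python
"""Detect parent-PID spoofing and suspended process creation from
process-start records.  Added example, not the framework's own code.
The ProcessStart record shape and the EVENTS timeline are constructed."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessStart:
    pid: int
    image: str
    claimed_ppid: int   # parent recorded in the new process's attributes
    creator_pid: int    # process whose thread called the create API (assumed field)
    suspended: bool     # created with CREATE_SUSPENDED (assumed field)
    ts: float           # seconds on a constructed timeline


# Constructed timeline: 3300 is a hypothetical implant running under explorer.
EVENTS = [
    ProcessStart(1520, "explorer.exe", 644, 644, False, 100.0),
    ProcessStart(3300, "agent.exe", 1520, 1520, False, 200.0),
    ProcessStart(4521, "notepad.exe", 3300, 3300, True, 210.0),      # suspended target
    ProcessStart(4600, "cmd.exe", 1520, 3300, False, 220.0),         # claims explorer as parent
    ProcessStart(4700, "cmd.exe", 1520, 1520, False, 230.0),         # genuinely spawned by explorer
    ProcessStart(4800, "powershell.exe", 4900, 3300, False, 240.0),  # parent not started yet
    ProcessStart(4900, "svchost.exe", 644, 644, False, 250.0),
]


def detect(events: list[ProcessStart]) -> list[tuple[int, str, str]]:
    """Return (pid, severity, reason) tuples in event order."""
    start_ts = {e.pid: e.ts for e in events}
    findings: list[tuple[int, str, str]] = []
    for e in events:
        if e.claimed_ppid != e.creator_pid:
            findings.append((e.pid, "high",
                f"{e.image} claims parent {e.claimed_ppid} but was created by {e.creator_pid}"))
        # A parent that started after its child is impossible; the claimed
        # parent was spoofed (or the PID was reused after the real parent died).
        if e.claimed_ppid in start_ts and start_ts[e.claimed_ppid] > e.ts:
            findings.append((e.pid, "high",
                f"{e.image} claims parent {e.claimed_ppid} which started later"))
        if e.suspended:
            findings.append((e.pid, "medium",
                f"{e.image} created suspended by {e.creator_pid}"))
    return findings


def suspects(events: list[ProcessStart]) -> set[int]:
    """The creators worth pivoting to: whoever spoofed a parent or started a
    suspended child.  The spoofed parent itself is usually innocent."""
    return {e.creator_pid for e in events
            if e.claimed_ppid != e.creator_pid or e.suspended}


if __name__ == "__main__":
    for pid, sev, why in detect(EVENTS):
        print(f"[{sev}] pid {pid}: {why}")
    print("pivot to creators:", sorted(suspects(EVENTS)))
```

The mismatch rule depends on having the creator's PID from the telemetry source, which is exactly what the spoofed parent attribute cannot change; the timestamp rule works from the process list alone but only catches the case where the claimed parent started later, so the two complement each other.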

Notes

  • Process listing requires SeDebugPrivilege for full visibility
  • Some processes may be protected and inaccessible
  • Memory queries may fail for protected processes (PPL/PPL-Antimalware)
  • Always verify process architecture before injection to avoid crashes
  • Suspended processes must be resumed or terminated to avoid resource leaks