diff --git a/.claude/settings.local.json b/.claude/settings.local.json
index 2998dc6..757b8df 100644
--- a/.claude/settings.local.json
+++ b/.claude/settings.local.json
@@ -2,7 +2,8 @@
 "permissions": {
 "allow": [
 "Bash(git add:*)",
- "Bash(git commit:*)"
+ "Bash(git commit:*)",
+ "Bash(cargo new:*)"
 ],
 "deny": [],
 "ask": []
diff --git a/Cargo.toml b/Cargo.toml
index e6e7f77..5d732d6 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,5 +1,5 @@
 [workspace]
-members = [
+members = [ "ghost-cli",
 "ghost-core",
 ]
 resolver = "2"
diff --git a/ghost-cli/Cargo.toml b/ghost-cli/Cargo.toml
new file mode 100644
index 0000000..f77fd44
--- /dev/null
+++ b/ghost-cli/Cargo.toml
@@ -0,0 +1,12 @@
+[package]
+name = "ghost-cli"
+version.workspace = true
+edition.workspace = true
+authors.workspace = true
+license.workspace = true
+
+[dependencies]
+ghost-core = { path = "../ghost-core" }
+anyhow.workspace = true
+env_logger.workspace = true
+log.workspace = true
diff --git a/ghost-cli/src/main.rs b/ghost-cli/src/main.rs
new file mode 100644
index 0000000..1907aba
--- /dev/null
+++ b/ghost-cli/src/main.rs
@@ -0,0 +1,28 @@
+use anyhow::Result;
+use ghost_core::{memory, process};
+
+fn main() -> Result<()> {
+ env_logger::init();
+
+ println!("Ghost - Process Injection Detection\n");
+
+ let processes = process::enumerate_processes()?;
+ println!("Found {} processes\n", processes.len());
+
+ for proc in processes.iter().take(10) {
+ println!("{}", proc);
+
+ if let Ok(regions) = memory::enumerate_memory_regions(proc.pid) {
+ let rwx_regions: Vec<_> = regions
+ .iter()
+ .filter(|r| r.protection == ghost_core::MemoryProtection::ReadWriteExecute)
+ .collect();
+
+ if !rwx_regions.is_empty() {
+ println!("  RWX regions: {}", rwx_regions.len());
+ }
+ }
+ }
+
+ Ok(())
+}
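Review bot: The new `"Bash(cargo new:*)"` entry widens an auto-approve list for shell commands in a file whose `.local.json` name suggests a per-machine override, yet the file is tracked in the repository, so every clone inherits the pattern. `cargo new` is a one-off scaffolding command with no ongoing need for blanket approval; consider dropping the entry now that the crate exists, or, if the file is deliberately shared, note in the commit message why these patterns are trusted. Whether the file is meant to be committed at all cannot be determined from the diff alone.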
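Review bot: The new `members` list puts `"ghost-cli",` on the same line as the opening bracket while `"ghost-core",` sits on its own line, which reads as an accidental edit and will be rewritten by any TOML formatter. Keep one member per line: `members = [`, `    "ghost-cli",`, `    "ghost-core",` followed by the existing `]`.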
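Review bot: `log.workspace = true` is declared but nothing in the new `ghost-cli/src/main.rs` uses the `log` macros, so it is a dead dependency unless a later commit adds logging; either drop it or emit at least one log line from the binary. The `version.workspace` / `edition.workspace` / `authors.workspace` / `license.workspace` inheritance presumes a `[workspace.package]` table in the root `Cargo.toml`, which this diff does not show — worth confirming it exists, since the crate will not build otherwise.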
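Review bot: `if let Ok(regions) = memory::enumerate_memory_regions(proc.pid)` silently swallows every error, so a process whose memory cannot be read (typically access denied on a protected or more-privileged process) produces no output at all — for an injection detector that is a blind spot, and it is exactly the case an operator needs to see. The binary already initialises `env_logger` and depends on `log` but never emits a log line, so the error should at least be warned on, as sketched below. Separately, `processes.iter().take(10)` scans only the first ten processes, which looks like a development placeholder; if so, say it in a comment (`// TODO: scan all processes; capped at 10 while the CLI is scaffolded`) or turn it into a flag, because a silent cap makes the tool report nothing for everything it never looked at. Finally, `println!("{}", proc)` writes the process record's `Display` output straight to the terminal; if that includes the process name or command line, an attacker-chosen name can carry terminal escape sequences, so consider printing with `{:?}` or stripping control characters first — the `Display` impl is not visible here, so this is an assumption to check.
```rust
    for proc in processes.iter().take(10) {
        println!("{}", proc);

        let regions = match memory::enumerate_memory_regions(proc.pid) {
            Ok(regions) => regions,
            // An unreadable process is itself a finding for a detector; surface it rather than skip it.
            Err(e) => {
                log::warn!("pid {}: could not enumerate memory regions: {e}", proc.pid);
                continue;
            }
        };
        // … unchanged: RWX filter and count …
    }
```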