ProcDOT

From aldeid
Jump to navigation Jump to search

Description

ProcDOT is a tool developed by Christian Wojner from Cert.at. It processes Sysinternals Process Monitor (procmon) logfiles and PCAP logs (Windump, tcpdump) to generate a graph via the GraphViz suite. This graph visualizes any relevant activities (customizable) and can be interactively analyzed. It is very convenient for malware analysts.

Installation

Prerequisites

ProcDOT

ProcDOT for Windows is available here: http://www.cert.at/static/downloads/software/procdot/procdot_1_0_31_windows.zip

Configuration of ProcDOT

In order to be able to run ProcDOT, you will need to specify the path to WinDump and Graphviz.

Go to Edit > Options and complete the paths as follows:

Usage / Example

Capture (procmon + network traffic)

Procmon export

ProcDOT expects some columns in the export from procmon. In procmon, ensure that you:

  • don't include the "Sequence Number" column
  • include the "Thread ID" column

Also ensure that network addresses are not resolved:

Then export (File > Save) the output under a CSV file as follows:

ProcDOT inputs

Now, it's time to start ProcDOT.

  1. Specify the path to your procmon CSV export...
  2. ...as well as your pcap file
  3. Click the Launcher browser button...
  4. ...and choose the process to analyze as entry point (double click on it)

Then optionnaly check the "no paths" (won't show full paths) and "compressed" (only includes some registry keys) boxes and click on the "Refresh" button.

You should be able to display such a graph:

Here is how the graph would look like with paths ("no paths" unchecked) and uncompressed ("compressed" unchecked) options:

Comments

Retrieved from "https://www.aldeid.com/w/index.php?title=ProcDOT&oldid=27227"