ProcDOT

From aldeid

Description

ProcDOT is a tool developed by Christian Wojner from CERT.at. It processes Sysinternals Process Monitor (procmon) log files and PCAP captures (WinDump, tcpdump) to generate a graph via the GraphViz suite. This graph visualizes the relevant activities (customizable) and can be analyzed interactively. It is very convenient for malware analysts.

Installation

Prerequisites

ProcDOT

ProcDOT for Windows is available here: http://www.cert.at/static/downloads/software/procdot/procdot_1_0_31_windows.zip

Configuration of ProcDOT

In order to run ProcDOT, you need to specify the paths to WinDump and Graphviz.

Go to Edit > Options and complete the paths as follows:

ProcDOT-options.png

Usage / Example

Capture (procmon + network traffic)

Procmon export

ProcDOT expects specific columns in the procmon export. In procmon, ensure that you:

  • don't include the "Sequence Number" column
  • include the "Thread ID" column

Procmon-columns-for-procdot.png

Also ensure that network addresses are not resolved:

Procmon-show-resolved-network-addresses.png

Then export (File > Save) the output as a CSV file as follows:

Procmon-export-csv.png
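
As an added pre-flight check (example code, not part of this page or of ProcDOT itself), the following Python script validates a procmon CSV export against the requirements above: the Thread ID column is present, the Sequence Number column is absent, and TCP/UDP paths carry numeric addresses rather than resolved names. The header names "TID" and "Sequence" are assumptions about what procmon writes for those columns; the sample rows are constructed, not a real capture.

```python
import csv
import io
import ipaddress

# Constructed sample of a procmon CSV export (not a real capture). "TID" and
# "Sequence" are assumed header names for the Thread ID / Sequence Number columns.
GOOD_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail","TID"
"10:01:02.1234567","sample.exe","1234","RegOpenKey","HKLM\Software\Microsoft\Windows\CurrentVersion\Run","SUCCESS","Desired Access: Read","1240"
"10:01:02.2345678","sample.exe","1234","TCP Connect","192.168.56.101:49152 -> 198.51.100.7:443","SUCCESS","Length: 0","1240"
"10:01:02.3456789","sample.exe","1234","UDP Send","192.168.56.101:50000 -> 198.51.100.53:53","SUCCESS","Length: 32","1240"
'''

# Constructed export with the three mistakes the page warns about.
BAD_CSV = '''"Sequence","Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"0","10:01:02.2345678","sample.exe","1234","TCP Connect","analysis-vm:49152 -> example.com:https","SUCCESS","Length: 0"
'''

REQUIRED = {"Time of Day", "Process Name", "PID", "Operation", "Path", "Result", "Detail"}
THREAD_COLUMNS = {"TID", "Thread ID"}          # either spelling counts as present
FORBIDDEN = {"Sequence", "Sequence Number"}    # must not be exported


def _is_ip_endpoint(endpoint):
    """True for 'addr:port' with a literal IP and numeric port (no resolved names)."""
    host, sep, port = endpoint.strip().rpartition(":")
    if not sep or not port.isdigit():
        return False
    try:
        ipaddress.ip_address(host.strip("[]"))   # IPv6 literals may be bracketed
        return True
    except ValueError:
        return False


def check_procmon_export(text):
    """Return a list of problems that would make ProcDOT reject or mis-draw the CSV."""
    reader = csv.DictReader(io.StringIO(text))
    header = set(reader.fieldnames or [])
    problems = [f"missing column: {c}" for c in sorted(REQUIRED - header)]
    if not header & THREAD_COLUMNS:
        problems.append("missing column: Thread ID")
    problems += [f"remove column: {c}" for c in sorted(header & FORBIDDEN)]
    for n, row in enumerate(reader, start=2):          # line 1 is the header
        op = row.get("Operation", "")
        if op.startswith(("TCP ", "UDP ")):
            ends = row.get("Path", "").split("->")
            if len(ends) != 2 or not all(_is_ip_endpoint(e) for e in ends):
                problems.append(f"line {n}: resolved network address in {op}: {row.get('Path')}")
    return problems
```

Run it against a real export with `check_procmon_export(open(path, encoding="utf-8-sig").read())`; an empty list means the file is ready for ProcDOT.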

ProcDOT inputs

Now, it's time to start ProcDOT.

  1. Specify the path to your procmon CSV export...
  2. ...as well as your pcap file
  3. Click the Launcher browser button...
  4. ...and choose the process to analyze as entry point (double click on it)

Procdot-001.png

Then optionally check the "no paths" (won't show full paths) and "compressed" (only includes some registry keys) boxes and click the "Refresh" button.

You should be able to display such a graph:

Procdot-002.png

Here is how the graph looks with paths ("no paths" unchecked) and uncompressed ("compressed" unchecked):

Procdot-003.png
