ProcDOT: Visual Malware Analysis

Didelphodon
PureBasic Expert
Posts: 448
Joined: Sat Dec 18, 2004 11:56 am
Location: Vienna - Austria

ProcDOT: Visual Malware Analysis

Post by Didelphodon »

Folks, I'm very proud to announce that one of my biggest projects has finally reached beta state and is therefore now publicly available.

The software is called ProcDOT and is an absolutely innovative approach to doing behavioral malware analysis.

It already got a lot of attention when I initially presented the alpha at SANS Forensics Summit in Prague last year.

Once more we hereby have a good example of what is possible using PureBasic. The corresponding credits are in the credits box of ProcDOT - hopefully this gives PureBasic another push of attention and publicity.

Find more details about ProcDOT at our website: http://www.cert.at/downloads/software/procdot_en.html

Cheers,
Didel
Go, tell it on the mountains.
cxAlex
User
Posts: 88
Joined: Fri Oct 24, 2008 11:29 pm
Location: Austria

Re: ProcDOT: Visual Malware Analysis

Post by cxAlex »

Interesting tool.

I'd like to try it, but I always get an error when I click on refresh:
---------------------------
ProcDOT
---------------------------
Error: Couldn't open PNG!
---------------------------
OK
---------------------------
I downloaded and installed the latest versions of windump, winpcap and graphviz and set the paths to windump.exe and dot.exe in the configuration. Then I selected my exported CSV from Procmon, and the error happened, in both the x86 and x64 versions.

Greets, Alex
Didelphodon

Re: ProcDOT: Visual Malware Analysis

Post by Didelphodon »

cxAlex wrote:Interesting tool.

I'd like to try it, but I always get an error when I click on refresh:
---------------------------
ProcDOT
---------------------------
Error: Couldn't open PNG!
---------------------------
OK
---------------------------
I downloaded and installed the latest versions of windump, winpcap and graphviz and set the paths to windump.exe and dot.exe in the configuration. Then I selected my exported CSV from Procmon, and the error happened, in both the x86 and x64 versions.

Greets, Alex
Thanks for trying!
Did you follow the corresponding instructions in the readme on how to configure Procmon properly?

Didel.
cxAlex

Re: ProcDOT: Visual Malware Analysis

Post by cxAlex »

Thanks, the Thread ID was missing in the Procmon configuration :P

But now it only shows a blank white image. I think I also have to specify a windump logfile? But how do I get this file?

Greets, Alex
Didelphodon

Re: ProcDOT: Visual Malware Analysis

Post by Didelphodon »

cxAlex wrote:Thanks, the Thread ID was missing in the Procmon configuration :P

But now it only shows a blank white image. I think I also have to specify a windump logfile? But how do I get this file?

Greets, Alex
That's already good!
You don't need a windump logfile.
The problem is that you have to select a "launcher", otherwise ProcDOT doesn't know where to start with its smart following algorithms.
Besides that, you can check the "dumb" option and ProcDOT will show everything that happened.
All these details/aspects are covered in the tutorial videos, by the way.

However, maybe I should push the users' attention more to the readme, the tutorials, and the quick-start guide on the website.
Thanks a lot for your feedback.

Cheers,
Didel.
cxAlex

Re: ProcDOT: Visual Malware Analysis

Post by cxAlex »

Thanks, now everything works as expected, great tool :D

I've played around with it a while, and I think I found something to improve:

I tried to load a ~3 GByte logfile, but when I try to select a launcher, my system freezes and I have to reset my machine the hard way, on x86 and x64 :(
Do you load the whole file at once into RAM? It also seems that you parse the whole file every time I change the launcher; maybe parse line by line and save everything in an internal, less memory-consuming structure?

Greets, Alex
Didelphodon

Re: ProcDOT: Visual Malware Analysis

Post by Didelphodon »

cxAlex wrote:Thanks, now everything works as expected, great tool :D

I've played around with it a while, and I think I found something to improve:

I tried to load a ~3 GByte logfile, but when I try to select a launcher, my system freezes and I have to reset my machine the hard way, on x86 and x64 :(
Do you load the whole file at once into RAM? It also seems that you parse the whole file every time I change the launcher; maybe parse line by line and save everything in an internal, less memory-consuming structure?

Greets, Alex
Yup, the Procmon log is loaded entirely. Usually Procmon logs resulting from lab runs stay way beyond 500 megs. However, thanks for mentioning that. I have to say that this might be quite easy to change for the launcher, but "at the end of the day" - at least in the current state - the partner executable procmon2dot needs to load the Procmon logs entirely into RAM anyway. This is (at least currently) necessary because procmon2dot "learns" what happened during monitoring, trying to reduce most of the noise by following the infection on its way through the system.
However, it's added to our wishlist.

Cheers,
Christian.
idle
Always Here
Posts: 5049
Joined: Fri Sep 21, 2007 5:52 am
Location: New Zealand

Re: ProcDOT: Visual Malware Analysis

Post by idle »

How cool is that!
Suddenly I'm looking forward to fixing up the next clients windows infestation.
JumpingJacks800
New User
Posts: 1
Joined: Wed Mar 27, 2013 9:19 am

Re: ProcDOT: Visual Malware Analysis

Post by JumpingJacks800 »

Hi

I found that when I save my file to CSV in Procmon, the ProcDOT program cannot read the file contents.

I get an error:
ERROR: Procmon file has a unknown format!

I also tried refreshing, but then it gives me an ERROR: Couldn't open PNG!

Please help

Regards

JumpingJacks800
Didelphodon

Re: ProcDOT: Visual Malware Analysis

Post by Didelphodon »

JumpingJacks800 wrote:Hi

I found that when I save my file to CSV in Procmon, the ProcDOT program cannot read the file contents.

I get an error:
ERROR: Procmon file has a unknown format!

I also tried refreshing, but then it gives me an ERROR: Couldn't open PNG!

Please help

Regards

JumpingJacks800
Did you follow the instructions in the readme.txt?
You need to configure Procmon properly (add the TID column) - otherwise Procmon exports insufficient information.

Cheers,
Didel.
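Two pitfalls come up repeatedly in this thread: a Procmon CSV exported without the TID column (the "Procmon file has a unknown format!" error), and a graph that stays blank until a launcher process is selected so that the following logic knows where to start. Both can be sanity-checked outside the GUI. The Python below is an added example, not ProcDOT's or procmon2dot's code: it checks the export header for the columns an analysis needs, streams the CSV one row at a time (the line-by-line approach cxAlex asked about) rather than loading it whole, and follows a chosen launcher PID through "Process Create" events to keep only the launcher's and its descendants' activity, or everything when the "dumb" mode is requested. Assumptions, also marked in the comments: the page only establishes that TID is required, the other column names are taken from Procmon's default column set; the child PID is parsed from the "PID: <n>, Command line: ..." text Procmon writes into the Detail column; the sample export is constructed; ProcDOT's actual following algorithm is not described on the page and is not reproduced here.

```python
import csv
import re
from typing import Iterable, Iterator, List, Set, Tuple

# Columns the header check insists on. The thread establishes only that
# ProcDOT rejects a Procmon CSV without the Thread ID ("TID") column; the
# remaining names are an assumption modelled on Procmon's default columns.
REQUIRED_COLUMNS = ("Time of Day", "Process Name", "PID", "Operation",
                    "Path", "Result", "Detail", "TID")

# Assumption: Procmon records the new child's PID in the Detail column of a
# "Process Create" event as "PID: <n>, Command line: <cmd>".
_CHILD_PID = re.compile(r"PID:\s*(\d+)")

# Constructed sample export (not a real capture): explorer starts a dropper,
# the dropper writes and starts a payload, the payload sets a Run key and
# connects out; an unrelated svchost registry read is the "noise".
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail","TID"
"10:00:01.0000001 AM","explorer.exe","1000","Process Create","C:\lab\dropper.exe","SUCCESS","PID: 2000, Command line: C:\lab\dropper.exe","1010"
"10:00:01.0200002 AM","dropper.exe","2000","CreateFile","C:\Users\lab\AppData\Roaming\payload.exe","SUCCESS","Desired Access: Generic Write","2001"
"10:00:01.0500003 AM","dropper.exe","2000","Process Create","C:\Users\lab\AppData\Roaming\payload.exe","SUCCESS","PID: 3000, Command line: C:\Users\lab\AppData\Roaming\payload.exe","2001"
"10:00:01.0600004 AM","svchost.exe","800","RegQueryValue","HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain","SUCCESS","Type: REG_SZ, Length: 2, Data: ","812"
"10:00:01.0900005 AM","payload.exe","3000","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater","SUCCESS","Type: REG_SZ, Length: 90, Data: C:\Users\lab\AppData\Roaming\payload.exe","3001"
"10:00:01.1200006 AM","payload.exe","3000","TCP Connect","lab-vm:49152 -> 203.0.113.10:https","SUCCESS","Length: 0, seqnum: 0, connid: 0","3001"
'''

# Constructed export with Procmon's default columns only, i.e. without TID.
NO_TID_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0000001 AM","explorer.exe","1000","CreateFile","C:\lab","SUCCESS","Desired Access: Read Data"
'''


def missing_columns(lines: Iterable[str]) -> List[str]:
    """Return the required columns absent from the CSV header (empty = OK).

    Pre-flight check for the "unknown format" error: the usual cause is an
    export made without the TID column enabled in Procmon's column chooser.
    """
    header = next(csv.reader(lines), [])
    return [c for c in REQUIRED_COLUMNS if c not in header]


def iter_events(lines: Iterable[str]) -> Iterator[dict]:
    """Stream events one row at a time, so a multi-gigabyte export is never
    held in memory at once (the line-by-line approach raised in the thread)."""
    reader = csv.DictReader(lines)
    missing = [c for c in REQUIRED_COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError("Procmon CSV is missing column(s): " + ", ".join(missing))
    yield from reader


def follow_launcher(lines: Iterable[str], launcher_pid: int,
                    dumb: bool = False) -> Tuple[Set[str], List[dict]]:
    """Keep the events of the launcher and every process it transitively
    spawns, discovered from "Process Create" events in arrival order.

    dumb=True keeps every event, mirroring the "dumb" option mentioned in the
    thread. Simplification: PID reuse within one capture is not handled, and
    this is not ProcDOT's own following logic.
    """
    followed: Set[str] = {str(launcher_pid)}
    kept: List[dict] = []
    for ev in iter_events(lines):
        # A followed process creating a child pulls the child into the set.
        if ev["Operation"] == "Process Create" and ev["PID"] in followed:
            m = _CHILD_PID.search(ev["Detail"])
            if m:
                followed.add(m.group(1))
        if dumb or ev["PID"] in followed:
            kept.append(ev)
    return followed, kept


if __name__ == "__main__":
    print("missing in NO_TID_CSV:", missing_columns(NO_TID_CSV.splitlines()))
    pids, events = follow_launcher(SAMPLE_CSV.splitlines(), 2000)
    print("followed PIDs:", sorted(pids))
    for ev in events:
        print(f'{ev["Process Name"]}[{ev["PID"]}/{ev["TID"]}] {ev["Operation"]} {ev["Path"]}')
```

With the dropper (PID 2000) as launcher, the svchost noise and explorer's own event drop out and only the dropper's file write, the spawn of payload.exe, the Run-key persistence and the outbound connection remain; picking the wrong launcher, or none, is exactly how you end up with an empty graph. For a real export, pass `open(path, newline="")` instead of the sample lines.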
Golfy
User
Posts: 97
Joined: Wed Mar 21, 2012 6:10 pm

Re: ProcDOT: Visual Malware Analysis

Post by Golfy »

@Didelphodon:

Hello,

I want to use WinPcap in my program... do you know if there is a library for the current 5.20 LTS version of PureBasic?

Thanks,
Golfy
Didelphodon

Re: ProcDOT: Visual Malware Analysis

Post by Didelphodon »

Golfy wrote:@Didelphodon:

Hello,

I want to use WinPcap in my program... do you know if there is a library for the current 5.20 LTS version of PureBasic?

Thanks,
Golfy
Hm, I don't think that there is one. However, in my programs of that kind I use a bundled windump/tcpdump to work with pcaps.

Cheers, didel
Didelphodon

Re: ProcDOT: Visual Malware Analysis

Post by Didelphodon »

New website, new version, get it from ...
http://procdot.com

Cheers didel
Didelphodon

Re: ProcDOT: Visual Malware Analysis

Post by Didelphodon »

The problem with blanks within paths is fixed now - again => Build 46 is online.
However, there's also an issue with GraphViz itself on Windows XP. It seems to be hard to get current GraphViz installations running on Windows XP. Time to move to a newer OS ;-)
Didelphodon

Re: ProcDOT: Visual Malware Analysis

Post by Didelphodon »

Just for your info: Version 1.2 introducing native rendering and thus infinite zooming is available for download.