ProcDOT: Visual Malware Analysis
- Didelphodon
- PureBasic Expert
- Posts: 448
- Joined: Sat Dec 18, 2004 11:56 am
- Location: Vienna - Austria
- Contact:
ProcDOT: Visual Malware Analysis
Folks, I'm very proud to announce that one of my biggest projects has finally reached beta state and is therefore now publicly available.
The software is called ProcDOT and is an absolutely innovative approach to doing behavioral malware analysis.
It already got a lot of attention when I initially presented the alpha at the SANS Forensics Summit in Prague last year.
Once more we hereby have a good example of what is possible using PureBasic. The according credits are in the credits box of ProcDOT - hopefully this gives PureBasic another push of attention and publicity.
Find more details about ProcDOT at our website: http://www.cert.at/downloads/software/procdot_en.html
Cheers,
Didel
Go, tell it on the mountains.
Re: ProcDOT: Visual Malware Analysis
Interesting tool.
I'd like to try it but I always get an error when I click on refresh:
I downloaded and installed the latest version of windump, winpcap, graphviz and set the path to windump.exe and dot.exe in the configuration. Then I selected my exported CSV from procmon, and the error happened, in the x86 and x64 version.
---------------------------
ProcDOT
---------------------------
Error: Couldn't open PNG!
---------------------------
OK
---------------------------
Greets, Alex
- Didelphodon
- PureBasic Expert
- Posts: 448
- Joined: Sat Dec 18, 2004 11:56 am
- Location: Vienna - Austria
- Contact:
Re: ProcDOT: Visual Malware Analysis
cxAlex wrote:
> Interesting tool.
> I'd like to try it but I always get an error when I click on refresh:
> I downloaded and installed the latest version of windump, winpcap, graphviz and set the path to windump.exe and dot.exe in the configuration. Then I selected my exported CSV from procmon, and the error happened, in the x86 and x64 version.
> ---------------------------
> ProcDOT
> ---------------------------
> Error: Couldn't open PNG!
> ---------------------------
> OK
> ---------------------------
> Greets, Alex
Thx for trying!
Did you follow the according instructions in the readme how to configure Procmon properly?
Didel.
Go, tell it on the mountains.
Re: ProcDOT: Visual Malware Analysis
Thanks, the Thread ID was missing in the procmon configuration.
But now it only shows a blank white image, I think I also have to specify a windump logfile? But how do I get this file?
Greets, Alex
- Didelphodon
- PureBasic Expert
- Posts: 448
- Joined: Sat Dec 18, 2004 11:56 am
- Location: Vienna - Austria
- Contact:
Re: ProcDOT: Visual Malware Analysis
cxAlex wrote:
> Thanks, the Thread ID was missing in the procmon configuration.
> But now it only shows a blank white image, I think I also have to specify a windump logfile? But how do I get this file?
> Greets, Alex
That's already good!
You don't need a windump logfile.
The problem is you have to select a "launcher", otherwise ProcDOT doesn't know where to start with its smart following algorithms.
Besides that you can check the "dumb" option and ProcDOT will show everything that happened.
All these details/aspects are covered in the tutorial videos, by the way.
However, maybe I should push the users' attention more to the readme, the tutorials, and the quick-start guide on the website.
Thanks a lot for your feedback.
Cheers,
Didel.
Go, tell it on the mountains.
Re: ProcDOT: Visual Malware Analysis
Thanks, now everything works as expected, great tool
I've played around with it a while, and I think I found something to improve:
I tried to load a ~3 GByte logfile, but when I try to select a launcher, my system freezes and I have to reset my machine the hard way, on x86 and x64.
Do you load the whole file at once into the RAM? It also seems that you parse the whole file every time when I change the launcher, maybe parse line-by-line and save everything in an internal, not so memory consuming structure?
Greets, Alex
- Didelphodon
- PureBasic Expert
- Posts: 448
- Joined: Sat Dec 18, 2004 11:56 am
- Location: Vienna - Austria
- Contact:
Re: ProcDOT: Visual Malware Analysis
cxAlex wrote:
> Thanks, now everything works as expected, great tool
> I've played around with it a while, and I think I found something to improve:
> I tried to load a ~3 GByte logfile, but when I try to select a launcher, my system freezes and I have to reset my machine the hard way, on x86 and x64.
> Do you load the whole file at once into the RAM? It also seems that you parse the whole file every time when I change the launcher, maybe parse line-by-line and save everything in an internal, not so memory consuming structure?
> Greets, Alex
Yup, the procmon log is loaded entirely. Usually procmon logs resulting out of lab runs stay way beyond 500 megs. However, thx for mentioning that. I have to say that this might be quite easy to change for the launcher but "in the end of the day" - at least in the current state - the partner executable procmon2dot needs to load the Procmon logs entirely in RAM anyway. This is (at least currently) necessary because procmon2dot "learns" what happened during monitoring, trying to reduce most of the noise by following the infection on its way through the system.
However, it's added to our wishlist.
Cheers,
Christian.
Go, tell it on the mountains.
Re: ProcDOT: Visual Malware Analysis
How cool is that!
Suddenly I'm looking forward to fixing up the next clients windows infestation.
Windows 11, Manjaro, Raspberry Pi OS
- New User
- Posts: 1
- Joined: Wed Mar 27, 2013 9:19 am
Re: ProcDOT: Visual Malware Analysis
Hi
I found that when I save my file to CSV in procmon the ProcDOT program can not read the file contents.
I get an error:
ERROR: Procmon file has a unknown format!
I also tried refreshing but then it gives me an ERROR: Couldn't open PNG!
Please help
Regards
JumpingJacks800
- Didelphodon
- PureBasic Expert
- Posts: 448
- Joined: Sat Dec 18, 2004 11:56 am
- Location: Vienna - Austria
- Contact:
Re: ProcDOT: Visual Malware Analysis
JumpingJacks800 wrote:
> Hi
> I found that when I save my file to CSV in procmon the ProcDOT program can not read the file contents.
> I get an error:
> ERROR: Procmon file has a unknown format!
> I also tried refreshing but then it gives me an ERROR: Couldn't open PNG!
> Please help
> Regards
> JumpingJacks800
Did you follow the instructions in the readme.txt?
You need to configure Procmon properly (add the TID column) - otherwise Procmon exports insufficient information.
Cheers,
Didel.
Go, tell it on the mountains.
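Two things the replies above keep coming back to are that ProcDOT refuses a Procmon CSV export without the Thread ID (TID) column, and that picking a launcher from a multi-gigabyte export is painful when the whole file has to sit in RAM. As an added example (not part of this thread and not ProcDOT's or procmon2dot's own code), the Python below first checks an export's header for the required columns and then streams it row by row, counting events per process and collecting Process Create parent/child PIDs so a launcher can be chosen before handing the file to ProcDOT. The column names, the "Process Create" operation string and the "PID: n" layout of the Detail field are assumptions about Procmon's export format, and the sample rows are constructed.

```python
import csv
import re
from collections import Counter

# ProcDOT needs Procmon's Thread ID ("TID") column, per the replies above; the
# other names are Procmon's default CSV export headers as I know them (assumed).
REQUIRED_COLUMNS = {"Time of Day", "Process Name", "PID", "TID",
                    "Operation", "Path", "Result", "Detail"}
# Constructed sample exports, not real captures; PIDs and paths are made up.
EXPORT_WITH_TID = (
    '"Time of Day","Process Name","PID","TID","Operation","Path","Result","Detail"\n'
    '"10:00:01.0000001 AM","explorer.exe","1234","1300","Process Create",'
    '"C:\\Lab\\sample.exe","SUCCESS","PID: 4321, Command line: sample.exe"\n'
    '"10:00:01.0000002 AM","sample.exe","4321","4400","RegSetValue",'
    '"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd","SUCCESS","Type: REG_SZ"\n'
    '"10:00:01.0000003 AM","sample.exe","4321","4400","WriteFile",'
    '"C:\\Users\\lab\\AppData\\Roaming\\upd.exe","SUCCESS","Length: 40960"\n'
    '"10:00:01.0000004 AM","sample.exe","4321","4400","Process Create",'
    '"C:\\Users\\lab\\AppData\\Roaming\\upd.exe","SUCCESS","PID: 5555, Command line: upd.exe"\n'
    '"10:00:01.0000005 AM","svchost.exe","808","812","RegQueryValue",'
    '"HKLM\\SYSTEM\\Setup","SUCCESS","Type: REG_DWORD"\n'
)
# The same run exported with Procmon's default column set (no TID column).
EXPORT_NO_TID = (
    '"Time of Day","Process Name","PID","Operation","Path","Result","Detail"\n'
    '"10:00:01.0000001 AM","explorer.exe","1234","Process Create","C:\\Lab\\sample.exe","SUCCESS","PID: 4321"\n'
)

def missing_columns(lines):
    """Columns a Procmon CSV export lacks for ProcDOT; an empty set means usable.
    `lines` is any iterable of text lines: an open file or text.splitlines()."""
    header = next(csv.reader(lines), [])
    return REQUIRED_COLUMNS - set(header)

def launcher_candidates(lines):
    """Stream the export one row at a time, so memory use does not grow with file size.
    Returns ({parent PID: [child PIDs]}, Counter of events per (name, PID))."""
    reader = csv.DictReader(lines)
    missing = REQUIRED_COLUMNS - set(reader.fieldnames or [])
    if missing:
        raise ValueError("unusable Procmon export, missing: " + ", ".join(sorted(missing)))
    children, events = {}, Counter()
    for row in reader:
        events[(row["Process Name"], row["PID"])] += 1
        if row["Operation"] == "Process Create":
            m = re.search(r"PID:\s*(\d+)", row["Detail"])  # Detail layout assumed
            if m:
                children.setdefault(row["PID"], []).append(m.group(1))
    return children, events
```

For a real export, pass an open file (`open(path, newline="")`) instead of `splitlines()`; a process that appears as a parent in the returned map is the natural launcher to select in ProcDOT.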
Re: ProcDOT: Visual Malware Analysis
@Didelphodon:
Hello,
I want to use WinPcap in my program... do you know if there is a library for the actual 5.20 LTS version of PureBasic?
Thanks,
Golfy
- Didelphodon
- PureBasic Expert
- Posts: 448
- Joined: Sat Dec 18, 2004 11:56 am
- Location: Vienna - Austria
- Contact:
Re: ProcDOT: Visual Malware Analysis
Golfy wrote:
> @Didelphodon:
> Hello,
> I want to use WinPcap in my program... do you know if there is a library for the actual 5.20 LTS version of PureBasic?
> Thanks,
> Golfy
Hm, I don't think that there is one. However, in my programs with an according flavor I use a backpacked windump/tcpdump to work with pcaps.
Cheers, didel
Go, tell it on the mountains.
- Didelphodon
- PureBasic Expert
- Posts: 448
- Joined: Sat Dec 18, 2004 11:56 am
- Location: Vienna - Austria
- Contact:
Re: ProcDOT: Visual Malware Analysis
The problem with blanks within paths is fixed now - again => Build 46 is online.
However, there's also an issue with GraphViz itself on Windows XP. It seems to be hard to get current GraphViz installations running on Windows XP. Time to move to a newer OS.
Go, tell it on the mountains.
- Didelphodon
- PureBasic Expert
- Posts: 448
- Joined: Sat Dec 18, 2004 11:56 am
- Location: Vienna - Austria
- Contact:
Re: ProcDOT: Visual Malware Analysis
Just for your info: Version 1.2 introducing native rendering and thus infinite zooming is available for download.
Go, tell it on the mountains.