
ProcDOT: Visual Malware Analysis

Posted: Mon Mar 18, 2013 10:13 am
by Didelphodon
Folks, I'm very proud to announce that one of my biggest projects has finally reached beta state and is therefore now publicly available.

The software is called ProcDOT and is an absolutely innovative approach to doing behavioral malware analysis.

It already got a lot of attention when I initially presented the alpha at SANS Forensics Summit in Prague last year.

Once more we hereby have a good example of what is possible using Purebasic. The corresponding credits are in the credits box of ProcDOT - hopefully this gives Purebasic another push of attention and publicity.

Find more details about ProcDOT at our website: http://www.cert.at/downloads/software/procdot_en.html

Cheers,
Didel

Re: ProcDOT: Visual Malware Analysis

Posted: Mon Mar 18, 2013 11:56 am
by cxAlex
Interesting tool.

I'd like to try it but I always get an error when I click on refresh:
---------------------------
ProcDOT
---------------------------
Error: Couldn't open PNG!
---------------------------
OK
---------------------------
I downloaded and installed the latest version of windump, winpcap, graphviz and set the path to windump.exe and dot.exe in the configuration. Then I selected my exported CSV from procmon, and the error happened, in both the x86 and x64 versions.

Greets, Alex

Re: ProcDOT: Visual Malware Analysis

Posted: Mon Mar 18, 2013 11:59 am
by Didelphodon
cxAlex wrote:Interesting tool.

I'd like to try it but I always get an error when I click on refresh:
---------------------------
ProcDOT
---------------------------
Error: Couldn't open PNG!
---------------------------
OK
---------------------------
I downloaded and installed the latest version of windump, winpcap, graphviz and set the path to windump.exe and dot.exe in the configuration. Then I selected my exported CSV from procmon, and the error happened, in both the x86 and x64 versions.

Greets, Alex
Thx for trying!
Did you follow the instructions in the readme on how to configure Procmon properly?

Didel.

Re: ProcDOT: Visual Malware Analysis

Posted: Mon Mar 18, 2013 12:06 pm
by cxAlex
Thanks, the Thread ID was missing in the procmon configuration :P

But now it only shows a blank white image. I think I also have to specify a windump logfile? But how do I get this file?

Greets, Alex

Re: ProcDOT: Visual Malware Analysis

Posted: Mon Mar 18, 2013 12:28 pm
by Didelphodon
cxAlex wrote:Thanks, the Thread ID was missing in the procmon configuration :P

But now it only shows a blank white image. I think I also have to specify a windump logfile? But how do I get this file?

Greets, Alex
That's already good!
You don't need a windump logfile.
The problem is you have to select a "launcher", otherwise ProcDOT doesn't know where to start with its smart following algorithms.
Besides that, you can check the "dumb" option and ProcDOT will show everything that happened.
All these details/aspects are covered in the tutorial videos, by the way.

However, maybe I should push the users' attention more to the readme, the tutorials, and the quick-start guide on the website.
Thanks a lot for your feedback.

Cheers,
Didel.

Re: ProcDOT: Visual Malware Analysis

Posted: Mon Mar 18, 2013 4:54 pm
by cxAlex
Thanks, now everything works as expected, great tool :D

I've played around with it a while, and I think I found something to improve:

I tried to load a ~3 GByte logfile, but when I try to select a launcher, my system freezes and I have to reset my machine the hard way, on x86 and x64 :(
Do you load the whole file at once into RAM? It also seems that you parse the whole file every time I change the launcher. Maybe parse line-by-line and save everything in an internal, less memory-consuming structure?

Greets, Alex

Re: ProcDOT: Visual Malware Analysis

Posted: Mon Mar 18, 2013 5:12 pm
by Didelphodon
cxAlex wrote:Thanks, now everything works as expected, great tool :D

I've played around with it a while, and I think I found something to improve:

I tried to load a ~3 GByte logfile, but when I try to select a launcher, my system freezes and I have to reset my machine the hard way, on x86 and x64 :(
Do you load the whole file at once into RAM? It also seems that you parse the whole file every time I change the launcher. Maybe parse line-by-line and save everything in an internal, less memory-consuming structure?

Greets, Alex
Yup, the procmon log is loaded entirely. Usually procmon logs resulting from lab runs stay way beyond 500 megs. However, thx for mentioning that. I have to say that this might be quite easy to change for the launcher, but "at the end of the day" - at least in the current state - the partner executable procmon2dot needs to load the Procmon logs entirely into RAM anyway. This is (at least currently) necessary because procmon2dot "learns" what happened during monitoring, trying to reduce most of the noise by following the infection on its way through the system.
However, it's added to our wishlist.

Cheers,
Christian.

Re: ProcDOT: Visual Malware Analysis

Posted: Mon Mar 18, 2013 9:41 pm
by idle
How cool is that!
Suddenly I'm looking forward to fixing up the next client's Windows infestation.

Re: ProcDOT: Visual Malware Analysis

Posted: Wed Mar 27, 2013 9:25 am
by JumpingJacks800
Hi

I found that when I save my file to CSV in procmon, the ProcDOT program cannot read the file contents.

I get an error:
ERROR: Procmon file has a unknown format!

I also tried refreshing, but then it gives me an ERROR: Couldn't open PNG!

Please help

Regards

JumpingJacks800

Re: ProcDOT: Visual Malware Analysis

Posted: Wed Mar 27, 2013 10:37 am
by Didelphodon
JumpingJacks800 wrote:Hi

I found that when I save my file to CSV in procmon, the ProcDOT program cannot read the file contents.

I get an error:
ERROR: Procmon file has a unknown format!

I also tried refreshing, but then it gives me an ERROR: Couldn't open PNG!

Please help

Regards

JumpingJacks800
Did you follow the instructions in the readme.txt?
You need to configure Procmon properly (add TID column) - otherwise Procmon exports insufficient information.

Cheers,
Didel.
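The two errors reported in this thread ("Procmon file has a unknown format!" and the follow-up "Couldn't open PNG!") both trace back to a Procmon CSV export without the TID column, and the earlier 3 GB freeze came from loading the whole log at once. The script below is an added example written for this page, not ProcDOT's or procmon2dot's code: it checks the header of a Procmon CSV export for the columns ProcDOT needs before you hand the file to the tool, and then streams the rows one at a time to follow a chosen "launcher" PID and its descendants, the way the thread suggests a less memory-hungry pass could work. Assumptions: the column names are Procmon's English default export columns plus "TID" (check the ProcDOT readme for its exact list), the "PID: n, Command line: ..." layout of the Detail field on "Process Create" rows is assumed from Procmon's UI, and the sample export is constructed, not a real capture.

```python
import csv
import io
import re
from collections import Counter

# Procmon's default CSV export columns plus "TID", which Procmon does not show
# by default and which ProcDOT requires (column names assumed from Procmon's
# English UI; the ProcDOT readme is authoritative).
REQUIRED_COLUMNS = ("Time of Day", "Process Name", "PID", "Operation",
                    "Path", "Result", "Detail", "TID")

# Constructed sample export for this example, not a real capture.
# Single quotes so the CSV's "" escapes do not end the Python literal.
SAMPLE_CSV = '''\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail","TID"
"10:13:01.000","explorer.exe","1234","Process Create","C:\\Users\\lab\\dropper.exe","SUCCESS","PID: 4321, Command line: ""C:\\Users\\lab\\dropper.exe""","1300"
"10:13:01.100","dropper.exe","4321","CreateFile","C:\\Users\\lab\\AppData\\Roaming\\svc.exe","SUCCESS","Desired Access: Generic Write","4330"
"10:13:01.200","dropper.exe","4321","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc","SUCCESS","Type: REG_SZ, Data: C:\\Users\\lab\\AppData\\Roaming\\svc.exe","4330"
"10:13:01.300","dropper.exe","4321","Process Create","C:\\Users\\lab\\AppData\\Roaming\\svc.exe","SUCCESS","PID: 5555, Command line: ""C:\\Users\\lab\\AppData\\Roaming\\svc.exe""","4330"
"10:13:01.400","svc.exe","5555","TCP Connect","lab-pc:49152 -> 203.0.113.10:443","SUCCESS","Length: 0, seqnum: 0, connid: 0","5560"
'''

# Detail of a "Process Create" row starts with the new child's PID (assumed layout).
_CHILD_PID = re.compile(r"PID:\s*(\d+)")


def missing_columns(header):
    """Return the required columns that are absent from a Procmon CSV header row."""
    present = {h.strip() for h in header}
    return [c for c in REQUIRED_COLUMNS if c not in present]


def child_pid(detail):
    """Extract the child PID from a "Process Create" Detail field, or None."""
    m = _CHILD_PID.search(detail)
    return int(m.group(1)) if m else None


def follow_launcher(fh, launcher_pid):
    """Stream a Procmon CSV and keep only the launcher's activity and that of
    every process it (transitively) created.

    Simplified single-pass stand-in for ProcDOT's "follow the launcher" idea:
    Procmon rows are chronological, so a child's "Process Create" row is seen
    before any of the child's own rows. Only counters and a PID set are kept,
    never the whole file.
    """
    reader = csv.DictReader(fh)
    missing = missing_columns(reader.fieldnames or [])
    if missing:
        # Same root cause as the "unknown format" error in the thread.
        raise ValueError("Procmon export lacks columns: %s" % ", ".join(missing))

    tracked = {launcher_pid}
    names = {}
    ops = Counter()
    rows_seen = 0
    for row in reader:  # one row at a time; a 3 GB log stays on disk
        rows_seen += 1
        pid = int(row["PID"])
        if pid not in tracked:
            continue  # noise from processes outside the infection chain
        names[pid] = row["Process Name"]
        ops[(pid, row["Operation"])] += 1
        if row["Operation"] == "Process Create" and row["Result"] == "SUCCESS":
            child = child_pid(row["Detail"])
            if child is not None:
                tracked.add(child)
    return {"tracked": tracked, "names": names, "ops": ops, "rows_seen": rows_seen}


if __name__ == "__main__":
    result = follow_launcher(io.StringIO(SAMPLE_CSV), launcher_pid=1234)
    for (pid, op), n in sorted(result["ops"].items()):
        print("%-14s %5d  %-15s %d" % (result["names"][pid], pid, op, n))
```

Run it against a real export with `open(path, newline="", encoding="utf-8-sig")` instead of the `StringIO`; Procmon writes a UTF-8 BOM that would otherwise end up glued to the first column name and make the header check fail. Re-running the pass for a different launcher means streaming the file again, which is what the thread asks for in place of reloading everything into memory.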

Re: ProcDOT: Visual Malware Analysis

Posted: Wed Dec 18, 2013 6:06 pm
by Golfy
@Didelphodon:

Hello,

I want to use WinPcap in my program... do you know if there is a library for the current 5.20 LTS version of Purebasic?

Thanks,
Golfy

Re: ProcDOT: Visual Malware Analysis

Posted: Tue Feb 18, 2014 9:51 am
by Didelphodon
Golfy wrote:@Didelphodon:

Hello,

I want to use WinPcap in my program... do you know if there is a library for the current 5.20 LTS version of Purebasic?

Thanks,
Golfy
Hm, I don't think that there is one. However, in my programs with a similar flavor I use a bundled windump/tcpdump to work with pcaps.

Cheers, didel

Re: ProcDOT: Visual Malware Analysis

Posted: Mon Mar 03, 2014 9:31 am
by Didelphodon
New website, new version, get it from ...
http://procdot.com

Cheers didel

Re: ProcDOT: Visual Malware Analysis

Posted: Fri May 29, 2015 1:27 pm
by Didelphodon
The problem with blanks within paths is fixed now - again => Build 46 is online.
However, there's also an issue with GraphViz itself on Windows XP. It seems to be hard to get current GraphViz installations running on Windows XP. Time to move to a newer OS ;-)

Re: ProcDOT: Visual Malware Analysis

Posted: Sun Dec 25, 2016 11:05 am
by Didelphodon
Just for your info: Version 1.2 introducing native rendering and thus infinite zooming is available for download.