
ProcDOT

This tool processes Sysinternals Process Monitor (Procmon) logfiles and PCAP-logs (Windump, Tcpdump) to generate a graph via the GraphViz suite. This graph visualizes any relevant activities (customizable) and can be interactively analyzed.
Download latest Windows version

Download latest Linux version

Author

Christian Wojner

Language

English

License

View ...

Donationware

Support the ProcDOT project ...

News on Twitter

https://twitter.com/ProcDOT

Forum

https://groups.google.com/forum/#!forum/procdot

Project website of ProcDOT

http://www.procdot.com

Releases

Changes

1.0 (Build 31)

You've got some feedback (issues, ideas, etc.)?
Join our ProcDOT forum or drop us a line: team@cert.at


ProcDOT now has its own dedicated website: http://www.procdot.com

Important

ProcDOT depends on third party software! Please follow the instructions in the included readme.txt to install and configure ProcDOT properly.

Quickstart-Guide

  1. Select your logfiles
    Sad but true, the specs for Procmon's native file format (.PML) are not (publicly) available. Therefore you have to export your .PML file to .CSV, which can be easily done via the "Save" menu item in Procmon. Be sure to select "all events".
  2. Choose the graphing mode (no paths, compressed)
  3. Select the first relevant (malicious) process (the launching process)
  4. Click "Refresh"

Navigation-Guide

  • Node legend:
    F1
  • Moving the Graph:
    Drag with mouse (left button)
  • Zooming the Graph (in steps):
    Ctrl + Scroll wheel
  • Zooming the Graph (100%):
    Left double click (double click again to go back to previous scope)
  • Going back to previous scope:
    Right double click (double click again to re-fit and center the graph in the window)
  • Finding text:
    Ctrl+F
  • Clear found text:
    Esc
  • Context menu for nodes:
    Get details, add filter rule

Screenshot

Instruction-Media

Cheatsheet: The User Interface

Tutorial-Video 1: The User Interface
Tutorial-Video 2: The Graph
Tutorial-Video 3: Analysis (Part 1)
Tutorial-Video 4: Analysis (Part 2): The Timeline

FAQs

ProcDOT whines about an "unknown format" of the used Procmon file.

Most probably you forgot to pre-configure Procmon properly. Please follow the instructions in the readme.txt!

ProcDOT whines about a not available PNG file.

Most probably you forgot to pre-configure Procmon properly. Please follow the instructions in the readme.txt!
However, with build 22 this error message will change to a more precise one: the same "unknown format" message the "launcher" button uses when the Procmon file format doesn't match.

I get a blank (white) screen instead of a graph.

Most probably you forgot to choose a "launcher" process. If you just monitored a running system without invoking a specific process that could be chosen as a "launcher", keep the "launcher" empty, check the "dumb" checkbox, and refresh the graph.

Which executables shall I choose in ProcDOT's options?

For WinDump, choose the corresponding WinDump.exe (under Linux, choose the corresponding tcpdump with a fully qualified path; otherwise it won't work).
For the DOT executable of the Graphviz suite, go to its "bin" folder and choose dot.exe (or dot under Linux).
Last Change: 2014/2/28 - 17:20:08