ProcDOT

This tool processes Sysinternals Process Monitor (Procmon) logfiles and PCAP-logs (Windump, Tcpdump) to generate a graph via the GraphViz suite. This graph visualizes any relevant activities (customizable) and can be interactively analyzed.


Author

Christian Wojner

Language

English

License

View ...

Donationware

Support the ProcDOT project ...

News on Twitter

https://twitter.com/ProcDOT

Forum

https://groups.google.com/forum/#!forum/procdot

Project website of ProcDOT

http://www.procdot.com

Releases

Changes

1.2 (Build 55) See changelog included in the ZIP archive     x
1.1 (Build 47) See changelog included in the ZIP archive     x
1.1 (Build 46) See changelog included in the ZIP archive   x x
1.1 (Build 44) Fixed: Issue with "'" in paths     x
1.1 (Build 43) Fixed: Performance issues     x
1.1 (Build 42) -     x
1.0 (Build 31) -     x

You've got some feedback (issues, ideas, etc.)?
Join our ProcDOT forum or drop us a line: team@cert.at

ProcDOT now has its own dedicated website: http://www.procdot.com

Important

ProcDOT depends on third party software! Please follow the instructions in the included readme.txt to install and configure ProcDOT properly.

Quickstart-Guide

  1. Select your logfiles
    Sad but true, the specs for Procmon's native file-format (.PML) are not (publicly) available. Therefore you have to export your .PML file to .CSV, which can easily be done via the "Save" menu item in Procmon. Be sure to select "all events".
  2. Choose the graphing mode (no paths, compressed)
  3. Select the first relevant (malicious) process (the "launcher" process)
  4. Click "Refresh"

Navigation-Guide

  • Node legend:
    F1
  • Moving the Graph:
    Drag with mouse (left button)
  • Zooming the Graph (in steps):
    Ctrl + Scroll wheel
  • Zooming the Graph (100%):
    Left double click (double click again to go back to previous scope)
  • Going back to previous scope:
    Right double click (double click again to re-fit and center graph to window)
  • Finding text:
    Ctrl+F
  • Clear found text:
    Esc
  • Context menu for nodes:
    Get details, add filter rule

Instruction-Media

Cheatsheet: The User Interface

Tutorial-Video 1: The User Interface
Tutorial-Video 2: The Graph
Tutorial-Video 3: Analysis (Part 1)
Tutorial-Video 4: Analysis (Part 2): The Timeline

FAQs

Most issues can be solved by following the instructions in the readme.txt!

ProcDOT whines about an "unknown format" of the used Procmon file.

Most probably you forgot to pre-configure Procmon properly. Please follow the instructions in the readme.txt!

ProcDOT whines about an unavailable PNG file.

Most probably you forgot to pre-configure Procmon properly. Please follow the instructions in the readme.txt!
However, as of build 22 this error message is replaced by a more precise one: the same "unknown format" message that the "launcher" button shows when the Procmon file format doesn't match.

I get a blank (white) screen instead of a graph.

Most probably you forgot to choose a "launcher" process. If you just monitored a running system without invoking a specific process which can be chosen as a "launcher" keep the "launcher" empty, check the "dumb" checkbox, and refresh the graph.

Which executables shall I choose in ProcDOT's options?

For WinDump choose the corresponding WinDump.exe (under Linux choose the corresponding tcpdump with a fully qualified path, otherwise it won't work).
For the (DOT) executable of the Graphviz suite go to its "bin" folder and choose dot.exe (or dot under Linux).

I can't see any file-activities in the graph but in Procmon I can.

There can be multiple reasons for that:
  • Procmon filters (choose "Export all events")
  • Procmon option "Filter > Enable Advanced Output" (should be disabled!)
  • ProcDOT filters for files (Session and Global)
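The quickstart step 1 (export the .PML to .CSV with all events) and the FAQ above (missing file activity caused by Procmon filters or "Enable Advanced Output") both come down to the state of the exported CSV. The following pre-flight check is an added example, not part of ProcDOT or its readme: it inspects a Procmon CSV export before you load it and reports the problems the FAQ names. It assumes Procmon's default column layout ("Time of Day, Process Name, PID, Operation, Path, Result, Detail") and that "Enable Advanced Output" surfaces raw driver operation names such as IRP_MJ_CREATE or FASTIO_* in the Operation column; the two CSV samples are constructed, not real telemetry.

```python
"""Pre-flight check of a Procmon CSV export before loading it into ProcDOT (added example).

Assumptions (not taken from the ProcDOT page): Procmon's default CSV columns and the
raw IRP_MJ_* / FASTIO_* operation names that appear when Advanced Output is enabled.
"""
import csv
import io
import re

# Procmon's default column set when exporting to CSV (assumption; adjust if you changed columns).
EXPECTED_COLUMNS = ["Time of Day", "Process Name", "PID", "Operation", "Path", "Result", "Detail"]

# File-system operation names Procmon emits in its normal (non-advanced) output.
FILE_OPERATIONS = {"CreateFile", "ReadFile", "WriteFile", "CloseFile", "QueryDirectory",
                   "SetRenameInformationFile", "CreateFileMapping"}

# Operation-name prefixes that only show up with "Filter > Enable Advanced Output" switched on.
ADVANCED_PREFIXES = ("IRP_MJ_", "FASTIO_", "FSCTL_")

# Constructed sample export: explorer.exe launches sample.exe, which drops a DLL and sets a Run key.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0000000","explorer.exe","1234","Process Create","C:\\Users\\lab\\sample.exe","SUCCESS","PID: 4321, Command line: sample.exe"
"10:00:01.0100000","sample.exe","4321","Process Start","","SUCCESS","Parent PID: 1234"
"10:00:01.0200000","sample.exe","4321","CreateFile","C:\\Users\\lab\\AppData\\Roaming\\drop.dll","SUCCESS","Desired Access: Generic Write"
"10:00:01.0300000","sample.exe","4321","WriteFile","C:\\Users\\lab\\AppData\\Roaming\\drop.dll","SUCCESS","Offset: 0, Length: 4096"
"10:00:01.0400000","sample.exe","4321","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd","SUCCESS","Type: REG_SZ"
"""

# Constructed sample of an export made with Advanced Output enabled (raw IRP names, no friendly ops).
ADVANCED_SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:02.0000000","sample.exe","4321","IRP_MJ_CREATE","C:\\Users\\lab\\x.tmp","SUCCESS","Desired Access: Generic Read"
"""


def check_procmon_csv(text):
    """Parse a Procmon CSV export and return counts, launcher candidates and a list of problems."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    rows = [dict(zip(header, row)) for row in reader if row]
    problems = []

    if header != EXPECTED_COLUMNS:
        problems.append(f"unexpected column layout {header}; ProcDOT expects {EXPECTED_COLUMNS}")

    ops = [r.get("Operation", "") for r in rows]

    # Raw driver operation names mean "Enable Advanced Output" was on; ProcDOT cannot map them.
    advanced = sorted({op for op in ops if op.startswith(ADVANCED_PREFIXES)})
    if advanced:
        problems.append(f"Advanced Output appears enabled (found {advanced}); disable it and re-export")

    # No file activity at all usually means a Procmon filter was active or not "all events" were saved.
    file_events = sum(1 for op in ops if op in FILE_OPERATIONS)
    if file_events == 0:
        problems.append("no file-system events; check Procmon filters / 'Export all events' and ProcDOT file filters")

    # Candidate "launcher" processes: every child spawned via a Process Create event.
    launchers = []
    for r in rows:
        if r.get("Operation") == "Process Create":
            image = r.get("Path", "").rsplit("\\", 1)[-1]
            m = re.search(r"PID:\s*(\d+)", r.get("Detail", ""))
            launchers.append((image, m.group(1) if m else ""))
    if not launchers:
        problems.append("no Process Create events; leave the launcher empty and tick the 'dumb' checkbox")

    return {"rows": len(rows), "file_events": file_events,
            "launcher_candidates": launchers, "problems": problems}


if __name__ == "__main__":
    for name, sample in (("good export", SAMPLE_CSV), ("advanced-output export", ADVANCED_SAMPLE_CSV)):
        result = check_procmon_csv(sample)
        print(name, "->", result["rows"], "rows,", result["file_events"], "file events")
        print("  launcher candidates:", result["launcher_candidates"])
        for p in result["problems"]:
            print("  PROBLEM:", p)
```

Run it against your own export by reading the file into `check_procmon_csv` instead of the embedded samples; a clean result with a non-empty launcher list means step 3 of the quickstart has an obvious candidate, while an empty list is exactly the situation the "blank screen" FAQ describes.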

I can't see any plugins in the plugins mainmenu/plugins manager.

Most probably you haven't downloaded/installed them so far. You've got to download the plugins archive and extract its content beneath your ProcDOT executable.


Support the ProcDOT project

ProcDOT's copyright is held by nic.at GmbH (the company behind CERT.at) and is therefore an official part of my work at CERT.at.

However, a considerable portion of the work and effort put into ProcDOT is and will be done in my spare time.

Specifically this applies to the ...

  • implementation of upcoming (post version 1.0) features, especially those not inherently necessary for CERT.at's main business as a national/governmental computer emergency response team,
  • documentation and tutorials,
  • handling of support cases,
  • community support.

To keep ProcDOT available for free we therefore decided to define it as Donationware. Hence with your donation, you support the ongoing development and the evolution of ProcDOT.

Thanks a lot in advance,

Christian Wojner
Author of ProcDOT