Monday, June 5, 2017

Visual Malware Analysis: ProcDOT

10:20 AM

Visual Malware Analysis

There are plenty of tools for behavioral malware analysis. The de facto standard ones, though, are Sysinternals' Process Monitor (also known as Procmon) and PCAP-generating network sniffers such as WinDump, tcpdump and Wireshark. These "two" tools cover almost everything a malware analyst might be interested in when doing behavioral malware analysis.

But there is a major problem with these tools: each of them works in isolation, knowing nothing about the others. It is therefore hard to bring the activities they recorded at the same moment together into one piece or picture. That is where ProcDOT enters the stage. It fills exactly this gap by merging those records together.



But ProcDOT does much more. It turns those thousands of monitored activities into one big behavioral picture, actually a graph, which can be explored interactively, making behavioral malware analysis more efficient than ever before.

In these terms, whether you are already an expert in malware analysis or a beginner just scratching its surface, ProcDOT enables you to

Get an overall gut feeling for the entire situation at a glance,
Spot the relevant parts and understand the correlations between them in minutes.

Features:

Correlation of Procmon and PCAP data
Visualization as an interactive graph
Animation mode to easily understand timing aspects
Smart following algorithms to focus only on relevant activity
Detection and visualization of thread injection
Correlation of network activities with the processes causing them
Activity timeline
Full-text search and find of graph content, with hits also shown in the activity timeline
Filters to clean up noise (global and session-wise)
    Support for various matching modes
        Full string match
        Heading string match
        Trailing string match
        Substring match
        Regular expressions
    Suppression of specific
        Registry keys
        Files
        Servers
    Filters match both long and short paths
Graph content customization options
    Show paths
    Topical compression
    Select which node/edge types (information) to show or suppress
Dumb mode, for when malware tries to play tricks on ProcDOT or when you just want to look at all running processes
Rich graph exporter supporting annotations
Fully fledged but still easy-to-use plugin engine
And after all: ProcDOT is absolutely free!
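To make the two ideas above concrete, the merging of Procmon records with PCAP data that the second paragraph describes, and the filter matching modes in the feature list, here is an added example script. It is not ProcDOT's code and it does not reproduce ProcDOT's internals; it is a minimal, stand-alone illustration of the same approach. It parses a constructed Procmon CSV export (the standard Procmon column layout, with network address resolution assumed to be switched off so that the Path column holds "host:port -> ip:port"), takes constructed flow summaries in the shape a PCAP reader such as tshark or dpkt would yield, attributes each flow to the process whose Procmon network record shares its local port and destination within a short time window, drops noise with full, heading, trailing, substring and regex filters, and emits a Graphviz DOT graph. All sample data, filter values and function names (`parse_procmon`, `correlate`, `suppressed`, `analyze`, `to_dot`) are constructed for this example.

```python
"""Added example (not ProcDOT's code): correlate a Procmon CSV export with
PCAP-derived flows, apply ProcDOT-style noise filters, emit a DOT graph."""
import csv
import io
import re

# Constructed Procmon CSV export in Procmon's standard column layout. Assumes
# "Show Resolved Network Addresses" is off, so Path is "host:port -> ip:port".
PROCMON_CSV = '''\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:20:01.0012345","dropper.exe","1234","CreateFile","C:\\Users\\lab\\AppData\\Local\\Temp\\x.dll","SUCCESS","Desired Access: Generic Write"
"10:20:01.2000000","dropper.exe","1234","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater","SUCCESS","Type: REG_SZ"
"10:20:01.5000000","dropper.exe","1234","TCP Connect","lab-pc:49801 -> 203.0.113.10:443","SUCCESS","Length: 0"
"10:20:02.0000000","explorer.exe","900","RegQueryValue","HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName","SUCCESS","Type: REG_SZ"
"10:20:03.1000000","svchost.exe","800","TCP Send","lab-pc:49802 -> 198.51.100.7:80","SUCCESS","Length: 512"
'''

# Constructed flow summaries, in the shape a PCAP reader (tshark/dpkt) would give.
PCAP_FLOWS = [
    {"time": "10:20:01.5200000", "src_port": 49801, "dst": "203.0.113.10", "dst_port": 443, "bytes": 1420},
    {"time": "10:20:03.1500000", "src_port": 49802, "dst": "198.51.100.7", "dst_port": 80, "bytes": 512},
    {"time": "10:20:09.0000000", "src_port": 49999, "dst": "192.0.2.55", "dst_port": 53, "bytes": 70},
]

# Constructed session-wise noise filters, one per matching mode (mode, pattern).
NOISE_FILTERS = [
    ("heading", "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"),
    ("trailing", ".mui"),
    ("substring", "\\Prefetch\\"),
    ("regex", r"^C:\\Windows\\(System32|SysWOW64)\\"),
    ("full", "C:\\Windows\\explorer.exe"),
]

MATCHERS = {
    "full": lambda pat, s: s == pat,
    "heading": lambda pat, s: s.startswith(pat),
    "trailing": lambda pat, s: s.endswith(pat),
    "substring": lambda pat, s: pat in s,
    "regex": lambda pat, s: re.search(pat, s) is not None,
}
NET_OPS = {"TCP Connect", "TCP Send", "TCP Receive", "UDP Send", "UDP Receive"}
# IPv4/hostname form only; bracketed IPv6 endpoints would need a wider pattern.
NET_PATH = re.compile(r"^(?P<src>.+?):(?P<sport>\d+) -> (?P<dst>.+?):(?P<dport>\d+)$")
SHAPES = {"process": "box", "file": "note", "registry": "folder", "server": "hexagon"}


def suppressed(path, filters):
    """True if any filter matches; Windows paths and keys compare case-insensitively."""
    low = path.lower()
    return any(MATCHERS[mode](pat.lower(), low) for mode, pat in filters)


def to_seconds(tod):
    """Procmon 'Time of Day' (7 fractional digits) -> seconds since midnight."""
    h, m, s = tod.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_procmon(text):
    return [{"t": to_seconds(r["Time of Day"]), "proc": r["Process Name"], "pid": int(r["PID"]),
             "op": r["Operation"], "path": r["Path"]} for r in csv.DictReader(io.StringIO(text))]


def correlate(rows, flows, window=2.0):
    """Pair each flow with the closest-in-time Procmon network record that shares
    local port and destination; None when nothing matches within `window` seconds."""
    pairs = []
    for f in flows:
        ft, best = to_seconds(f["time"]), None
        for r in rows:
            m = NET_PATH.match(r["path"]) if r["op"] in NET_OPS else None
            if not m or int(m["sport"]) != f["src_port"] or m["dst"] != f["dst"] \
                    or int(m["dport"]) != f["dst_port"] or abs(r["t"] - ft) > window:
                continue
            if best is None or abs(r["t"] - ft) < abs(best["t"] - ft):
                best = r
        pairs.append((f, best))
    return pairs


def analyze(procmon_text=PROCMON_CSV, flows=PCAP_FLOWS, filters=NOISE_FILTERS):
    """Return graph edges (source, target_kind, target, label) after filtering."""
    rows = parse_procmon(procmon_text)
    edges = []
    for r in rows:
        if r["op"] in NET_OPS or suppressed(r["path"], filters):
            continue
        kind = "registry" if r["path"].upper().startswith(("HKLM", "HKCU", "HKCR", "HKU")) else "file"
        edges.append((f'{r["proc"]}:{r["pid"]}', kind, r["path"], r["op"]))
    for flow, rec in correlate(rows, flows):
        src = f'{rec["proc"]}:{rec["pid"]}' if rec else "UNATTRIBUTED"
        edges.append((src, "server", f'{flow["dst"]}:{flow["dst_port"]}', f'{flow["bytes"]} bytes'))
    return edges


def to_dot(edges):
    """Render edges as Graphviz DOT, escaping backslashes and quotes in labels."""
    q = lambda s: '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'
    nodes = {}
    for src, kind, dst, _ in edges:
        nodes[src], nodes[dst] = "process", kind
    out = ["digraph behaviour {", "  rankdir=LR;"]
    out += [f"  {q(n)} [shape={SHAPES[k]}];" for n, k in nodes.items()]
    out += [f"  {q(s)} -> {q(d)} [label={q(l)}];" for s, _, d, l in edges]
    return "\n".join(out + ["}"])


if __name__ == "__main__":
    print(to_dot(analyze()))  # pipe into `dot -Tsvg` to view the graph
```

Run on the constructed input, the script keeps the dropper's file write, its Run-key persistence entry and its HTTPS connection, attributes the second flow to svchost.exe, leaves the DNS flow as UNATTRIBUTED (no Procmon record shares its port, the kind of gap that hints at activity Procmon did not see), and suppresses explorer.exe's noisy registry read via the heading filter. The time window exists because Procmon timestamps and capture timestamps come from different clocks on the sensor; widen it if your capture box and analysis VM drift.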
