ProcDOT – Tool to Process Procmon and PCAP Logs

ProcDOT is a tool that processes Sysinternals Process Monitor (Procmon) log files and PCAP logs (from WinDump, tcpdump and similar sniffers) and generates a graph through the GraphViz suite. The graph visualizes the relevant activities (which activities count as relevant is customizable) and can be analyzed interactively.

There are plenty of tools for behavioral malware analysis. The de facto standard ones, though, are Sysinternals' Process Monitor (also known as Procmon) and PCAP-generating network sniffers such as WinDump, tcpdump and Wireshark. Between them, these "two" tools cover almost everything a malware analyst is interested in during behavioral analysis: host-side activity (file system, registry, process and thread events) from Procmon, and the network traffic from the packet capture.

The tool includes the following features:

  • Correlation of Procmon and PCAP data
  • Visualization as an interactive graph
  • Animation mode to easily understand timing aspects
  • Smart following algorithms to focus only on relevant activity
  • Detection and visualization of thread injection
  • Correlation of network activities and the processes causing them
  • Activity time-line
  • Full text search and find of graph content, with hits also shown in the activity time-line
  • Filters to clean up noise (global and session-wise)
      ◦ Support of various matching modes
      ◦ Full string match
      ◦ Filters to match long and short paths
  • Graph content customization options
      ◦ Show paths
  • Dumb mode, for when malware tries to play tricks on ProcDOT or when you just want to look at all running processes
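
To make the two correlation items above concrete, here is an added example written for this article (it is not ProcDOT's own implementation): a small Python script that takes a Procmon CSV export and `tcpdump -nn` one-line output, joins each captured packet to the process Procmon saw on the same 5-tuple, and emits a GraphViz DOT graph of processes, process creations and network peers. The Procmon rows and tcpdump lines are constructed sample data. The script assumes Procmon's default CSV columns and that "Show Resolved Network Addresses" was switched off so the Path column carries raw IPs and ports; it reads tcpdump's text output instead of a binary PCAP so it has no dependencies beyond the standard library.

```python
import csv
import io
import re

# Constructed sample of a Procmon CSV export (default columns, address
# resolution off so network Paths read "local_ip:port -> remote_ip:port").
PROCMON_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:15:02.1182342 AM","explorer.exe","4120","Process Create","C:\\Users\\lab\\Downloads\\invoice.exe","SUCCESS","PID: 5544, Command line: ""C:\\Users\\lab\\Downloads\\invoice.exe"""
"10:15:02.9011220 AM","invoice.exe","5544","TCP Connect","10.0.0.5:49712 -> 203.0.113.10:443","SUCCESS","Length: 0, mss: 1460, sackopt: 1, tsopt: 0, wsopt: 1, rcvwin: 65536, rcvwinscale: 8, sndwinscale: 7, seqnum: 0, connid: 0"
"10:15:03.0021930 AM","invoice.exe","5544","TCP Send","10.0.0.5:49712 -> 203.0.113.10:443","SUCCESS","Length: 517, startime: 12345, endtime: 12346, seqnum: 0, connid: 0"
"10:15:04.5501200 AM","svchost.exe","1208","UDP Send","10.0.0.5:61001 -> 10.0.0.1:53","SUCCESS","Length: 42, seqnum: 0, connid: 0"
'''

# Constructed `tcpdump -nn` summaries standing in for the PCAP side. The last
# line has no Procmon counterpart on purpose.
TCPDUMP_LINES = '''10:15:02.901340 IP 10.0.0.5.49712 > 203.0.113.10.443: Flags [S], seq 1234, win 64240, length 0
10:15:03.002410 IP 10.0.0.5.49712 > 203.0.113.10.443: Flags [P.], seq 1:518, ack 1, win 502, length 517
10:15:04.550250 IP 10.0.0.5.61001 > 10.0.0.1.53: 31337+ A? 203-0-113-10.example. (42)
10:15:05.100000 IP 10.0.0.5.49800 > 198.51.100.7.8080: Flags [S], seq 777, win 64240, length 0
'''

NET_PATH_RE = re.compile(r"^(?P<lip>\d+\.\d+\.\d+\.\d+):(?P<lport>\d+) -> "
                         r"(?P<rip>\d+\.\d+\.\d+\.\d+):(?P<rport>\d+)$")
TCPDUMP_RE = re.compile(r"^(?P<ts>\S+) IP (?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
                        r"(?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$")
NET_OPS = {"TCP Connect", "TCP Send", "TCP Receive", "TCP Disconnect", "UDP Send", "UDP Receive"}


def parse_procmon(csv_text):
    """Return one dict per row of a Procmon CSV export."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def procmon_network_index(events):
    """Map (proto, local_ip, local_port, remote_ip, remote_port) -> first Procmon event.
    Procmon always writes network Paths as local -> remote, whatever the direction."""
    index = {}
    for ev in events:
        if ev["Operation"] not in NET_OPS:
            continue
        m = NET_PATH_RE.match(ev["Path"])
        if not m:
            continue  # resolved hostname in Path; re-export with resolution off
        key = (ev["Operation"].split()[0], m["lip"], int(m["lport"]), m["rip"], int(m["rport"]))
        index.setdefault(key, ev)
    return index


def parse_tcpdump(text):
    """Parse `tcpdump -nn` lines. Heuristic: a TCP 'Flags [...]' field means TCP, else UDP."""
    flows = []
    for line in text.splitlines():
        m = TCPDUMP_RE.match(line)
        if m:
            flows.append({"ts": m["ts"], "proto": "TCP" if m["rest"].startswith("Flags [") else "UDP",
                          "sip": m["sip"], "sport": int(m["sport"]),
                          "dip": m["dip"], "dport": int(m["dport"])})
    return flows


def correlate(events, flows):
    """Attribute packets to processes by 5-tuple; try both orientations so inbound
    packets still hit Procmon's local -> remote key. Unexplained packets are kept."""
    index = procmon_network_index(events)
    attributed, unattributed = [], []
    for flow in flows:
        fwd = (flow["proto"], flow["sip"], flow["sport"], flow["dip"], flow["dport"])
        rev = (flow["proto"], flow["dip"], flow["dport"], flow["sip"], flow["sport"])
        key = fwd if fwd in index else rev
        ev = index.get(key)
        if ev is None:
            unattributed.append(flow)
        else:
            attributed.append({**flow, "pid": int(ev["PID"]), "process": ev["Process Name"],
                               "remote": f"{key[3]}:{key[4]}"})
    return attributed, unattributed


def to_dot(events, attributed, unattributed):
    """Render process creations and (un)attributed flows as a GraphViz digraph."""
    lines = ["digraph procmon_pcap {", "  rankdir=LR;", "  node [shape=box];"]

    def pnode(name, pid):
        return f'"{name} ({pid})"'

    for ev in events:  # parent -> child edges from Procmon's Process Create events
        if ev["Operation"] == "Process Create":
            m = re.search(r"PID: (\d+)", ev["Detail"])
            if m:
                child = ev["Path"].rsplit("\\", 1)[-1]
                lines.append(f'  {pnode(ev["Process Name"], ev["PID"])} -> '
                             f'{pnode(child, m.group(1))} [label="Process Create"];')
    counts = {}
    for a in attributed:  # one edge per process/peer, labelled with packet count
        k = (a["process"], a["pid"], a["proto"], a["remote"])
        counts[k] = counts.get(k, 0) + 1
    for (name, pid, proto, remote), n in counts.items():
        lines.append(f'  {pnode(name, pid)} -> "{remote}" [label="{proto} x{n}"];')
    for flow in unattributed:  # traffic Procmon never explained: a finding, not noise
        lines.append(f'  "unattributed" -> "{flow["dip"]}:{flow["dport"]}" '
                     f'[label="{flow["proto"]} from :{flow["sport"]}", style=dashed];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    evs = parse_procmon(PROCMON_CSV)
    att, unatt = correlate(evs, parse_tcpdump(TCPDUMP_LINES))
    print(to_dot(evs, att, unatt))
```

Pipe the output into `dot -Tpng -o graph.png` to render it. Packets that no Procmon event explains are kept under a dashed "unattributed" node rather than dropped: on an infected host that gap is worth chasing, whether it comes from a Procmon filter that was too aggressive, a connection opened before monitoring started, or a component Procmon did not see.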

Most modern incident response and forensics tools include similar visualization features. They help map the threat and pinpoint the exact suspicious behavior, rather than leaving the analyst to read thousands of raw Procmon rows and packets line by line.

You can read more about the tool and download it here: http://www.procdot.com/index.htm
