[2015-06-23] Edges for file renames and process kills.
With build 47 ProcDOT introduced brand new edges to visualize situations where a file is being renamed or a process is being killed by some thread. While the latter was quite easy to
implement it’s the renaming of files which stands out of the mass of typical frames/events in terms of ProcDOT’s animation capabilities.
So, for the situation of one thread killing a process I chose an orange edge as it’s comparable to a deletion of a file. Initially I assumed to have two different edges, one for threads killing
their own process and another one for threads killing foreign processes. Currently it’s implemented that way, actually, but it turned out that regardless which way a foreign process got killed in
Process Monitor I only saw threads killing their own processes. So, my interpretation (I have not analyzed this under the hood) is, even if you use TerminateProcess (API) or taskkill on a
(foreign) PID it’s only a signal being sent, but the effective “Process Exit” is always invoked by the process’ main thread in such cases. To keep a long story short: From now on you will see “kill
own process” edges but do not expect to see the thickened “kill foreign process” edge.
However, as I already mentioned, renaming a file cannot be visualized that easily. While a classical file creation, deletion, read, write and the like is visualized by 3 nodes (process, thread,
file) and 2 edges (has thread, actual action) a file rename event needs more. Well the one edge going from the old filename to the new filename is a no-brainer, but what about the attribution to
the initiating process/thread? So I came up with the idea to introduce 2 dashed edges which act as a kind of support-edges: namely “rename from” and “rename to”, linking the initiating
process/thread with the old filename and the new filename accordingly. The major edge (and this one is solid, of course) is named “rename” linking the old and the new filename. Regarding the
colors I found “rename to” and “rename” to be similar to a create edge, so I went for pink. The “rename from” edge, however, is comparable to a delete edge as from that moment on the old
file(name) is not here anymore, actually. This aspect is also considered for the font-color of the according file-node which is red, appropriately.
This is a simple example for the new edges/events in action ...
ProcDOT - Visual Malware Analysis