[2015-06-28] Edge label modes.
Besides the new edges for file renames and process kills, build 47 of ProcDOT also introduced a new feature called “Edge label mode”. With it one can now choose how expressive the graph's edge labels are and thus match one's own taste, from “Extensive” down to “None” at all. You'll find the corresponding switch in ProcDOT's options ...
As you can see, there are 5 modes to choose from:
• Default
• None
• Short
• Long
• Extensive
The following screenshots show the different modes in action ...
“Default” ...
“None” ...
“Short” ...
“Long” ...
“Extensive” ...
Well, the differences are easy to spot. Only “Default” and “Long” look identical for this particular example graph; “Long” would differ from “Default” in the edges for loading a module, which read “load as module” in contrast to “loads”.
However, as you can see, each of the modes has its pros and cons. “Extensive” edge labels may be more informative, but the graph gets bigger. No edge labels at all (“None”) shrink the graph but require someone familiar with ProcDOT graphs to be able to read them properly. I’m also thinking of adding “Custom” in the future so everyone can choose the actual content of the labels; this would furthermore make it possible to localize ProcDOT graphs, but I’m not sure about the relevance of that, though. We’ll see.
So, choose your own taste of edge labels. Happy graphing!
ProcDOT - Visual Malware Analysis Christian Wojner, 2022