FAQs - Frequently asked questions

GENERAL

Who is the author of this software?
The author of ProcDOT is me, Christian Wojner. I work for CERT.at, the Austrian computer emergency response team (CERT), as a malware analyst and reverse engineer.

What is the difference between ProcDOT on "www.cert.at" and the one available on "www.procdot.com"?
The first version of ProcDOT was developed as an internal project of CERT.at. Since then, the further development of ProcDOT has switched from an internal project to a private project of mine. As ProcDOT evolved and grew more complex in its possibilities and features, it became obvious that "www.cert.at" was no longer the right place for the whole presentation side (downloads, tutorials, documentation, forum, references, etc.). For that reason, and to reflect that ProcDOT is now a private project, "www.procdot.com" was created to take over this task. ProcDOT's presentation on "www.cert.at" will of course stay there, but it will be kept quite abstract.

What about the license of this software?
At the moment it is an ISC license, but it will soon be switched to an open source one.

How can such a cool software be free?
ProcDOT is a contribution to the CERT/IT-security community; that is just the way our community works. However, as already mentioned, ProcDOT is now a private and hence spare-time project of mine. So if you like ProcDOT and want to support it, please consider a donation.

My anti-virus product does not like this software! What is the reason?
ProcDOT is developed in a very uncommon programming language called PureBasic. This language was not selected by accident; in fact, PureBasic is probably the most appropriate programming language for this kind of software. The downside of this decision is that most anti-virus products know nothing about PureBasic and therefore pro-actively flag executables compiled with it as potentially unwanted software, or even worse. Yes, the PureBasic community has tried to get in touch with the AV vendors, but it turned out that this might be a very long way.

USAGE, INSTALLATION and COMMON ISSUES

Most issues can be solved by following the instructions in the readme.txt!

ProcDOT whines about an "unknown format" of the used Procmon file.
Most probably you forgot to pre-configure Procmon properly. Please follow the instructions in the readme.txt!

ProcDOT whines about a PNG file that is not available.
Most probably you forgot to pre-configure Procmon properly. Please follow the instructions in the readme.txt! However, with build 22 this error message will change to a more precise one: the same "unknown format" message the "launcher" button uses if the Procmon file format doesn't match. Under Linux with build 46 there was also a similar issue; with build 47 this issue is solved.

I get a blank (white) screen instead of a graph.
Most probably you forgot to choose a "launcher" process. If you just monitored a running system without invoking a specific process that could be chosen as a "launcher", keep the "launcher" empty, check the "dumb" checkbox, and refresh the graph.

Which executables shall I choose in ProcDOT's options?
For windump choose the according WinDump.exe (under Linux choose the according tcpdump with a fully qualified path, otherwise it won't work). For the (DOT) executable of the Graphviz suite go to its "bin" folder and choose dot.exe (or dot under Linux).

I can't see any file activities in the graph, but in Procmon I can.
There can be multiple reasons for that:
- Procmon filters (choose "Export all events")
- Procmon option "Filter > Enable Advanced Output" (should be disabled!)
- ProcDOT filters for files (Session and Global)

I can't see any plugins in the plugins main menu / plugins manager.
Most probably you haven't downloaded/installed them so far. You have to download the plugins archive and extract its content beneath your ProcDOT executable.
ProcDOT - Visual Malware Analysis Christian Wojner, 2022