Intro
Welcome to ProcDOT, a new way of analyzing infections!
To be more precise, ProcDOT is not a malware analysis tool per se. ProcDOT is a tool that visualizes system activity in a very convenient way.
Hence ProcDOT can be used in various scenarios, regardless of whether you are
- a normal user who wants to know something about her system,
- an admin who wants to go into the details of an issue,
- a forensic analyst who is interested in the footprints of a specific piece of software, or
- a malware analyst who wants to analyze the behaviour of malicious software.
However, as one might imagine, the latter is the reason I developed ProcDOT.
The basic idea was to have "something" that reduces my effort for behavioural analysis to an absolute minimum.
So, in this respect I thought of ...
- something that lets me get an overall gut feeling for an entire situation at a glance,
- something that enables me to spot the relevant parts and understand the correlations between them within minutes, and finally
- something that gives me a perfect starting point for deeper, detailed and even code-level analysis if necessary.
And that is exactly what ProcDOT does.
But, having said this, there is one thing to keep in mind: ProcDOT is not monitoring software!
There are de facto standard tools out there which one can use for that aspect:
- Sysinternals' Process Monitor (aka Procmon)
- PCAP-generating network sniffers like Tcpdump, Windump, Wireshark, and the like.
These tools are really great, but they have one major shortcoming:
- they do not "know" about each other, and
- they are "only" data providers.
ProcDOT's goal is to solve these problems by ...
- merging,
- post-processing, and finally
- visualizing these tools' invaluable output.
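To make the merge/post-process/visualize idea concrete, here is a small added example written for this page; it is not ProcDOT's own code and does not reproduce ProcDOT's format handling. It reads a constructed sample in the column layout of Procmon's "Save as CSV" export (Time of Day, Process Name, PID, Operation, Path, Result, Detail), drops read-only noise, attributes constructed packet-summary lines (a stand-in for tcpdump/Wireshark output) to the process that used the same local endpoint within a one-second window, and emits a Graphviz DOT graph. The endpoint/time-window correlation and the set of "interesting" operations are simplifying assumptions of this example.

```python
"""Added example: merge Procmon CSV rows with a packet summary and emit DOT.
Not ProcDOT's implementation; the sample data below is constructed."""
import csv
import io

# Constructed sample rows in the layout of Procmon's CSV export.
PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:15:01.1000000","dropper.exe","1234","Process Create","C:\\Users\\bob\\AppData\\Local\\Temp\\upd.exe","SUCCESS","PID: 2345, Command line: upd.exe"
"10:15:01.2000000","dropper.exe","1234","WriteFile","C:\\Users\\bob\\AppData\\Local\\Temp\\upd.exe","SUCCESS","Length: 4096"
"10:15:02.0000000","upd.exe","2345","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd","SUCCESS","Type: REG_SZ"
"10:15:03.5000000","upd.exe","2345","TCP Connect","bob-pc:49152 -> 203.0.113.10:443","SUCCESS","Length: 0"
"10:15:04.0000000","explorer.exe","800","ReadFile","C:\\Windows\\explorer.exe","SUCCESS","Length: 512"
"""

# Constructed packet summary: (time, source endpoint, destination endpoint, description).
PCAP_LINES = [
    ("10:15:03.5100000", "bob-pc:49152", "203.0.113.10:443", "TLS ClientHello"),
    ("10:15:04.0000000", "bob-pc:49153", "198.51.100.7:80", "HTTP GET /x"),
]

# Assumption of this example: which operations are worth drawing.
NETWORK_OPS = {"TCP Connect", "TCP Send", "TCP Receive", "UDP Send", "UDP Receive"}
INTERESTING_OPS = {"Process Create", "WriteFile", "RegSetValue", "RegCreateKey"} | NETWORK_OPS


def parse_time(hhmmss):
    """'10:15:03.5100000' -> seconds since midnight as a float."""
    h, m, s = hhmmss.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_procmon(text):
    """Parse CSV text with a Procmon-style header row into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def proc_node(row):
    """Node label for a process: name plus PID, so reused names stay distinct."""
    return f"{row['Process Name']} ({row['PID']})"


def build_edges(rows):
    """Post-process Procmon rows into (source, target, label) edges."""
    edges = []
    for r in rows:
        op = r["Operation"]
        if op not in INTERESTING_OPS:
            continue  # drop read-only noise such as ReadFile
        src = proc_node(r)
        if op == "Process Create":
            # Detail looks like "PID: 2345, Command line: ..."; link parent to child node.
            child_pid = r["Detail"].partition("PID:")[2].split(",")[0].strip() or "?"
            dst = f"{r['Path'].rsplit(chr(92), 1)[-1]} ({child_pid})"
        elif op in NETWORK_OPS:
            dst = r["Path"].split("->")[1].strip()  # remote endpoint only
        else:
            dst = r["Path"]
        edges.append((src, dst, op))
    return edges


def attribute_packets(rows, packets, window=1.0):
    """Map each packet to the process that used its local endpoint within `window` seconds.
    Returns (owner node or None, destination, description) per packet."""
    endpoints = []
    for r in rows:
        if r["Operation"] in NETWORK_OPS:
            local = r["Path"].split("->")[0].strip()
            endpoints.append((parse_time(r["Time of Day"]), local, proc_node(r)))
    attributed = []
    for t, src, dst, desc in packets:
        pt = parse_time(t)
        owner = next((node for et, local, node in endpoints
                      if local == src and abs(pt - et) <= window), None)
        attributed.append((owner, dst, desc))
    return attributed


def dot_quote(s):
    """Quote a DOT identifier, escaping backslashes (Windows paths) and quotes."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def to_dot(edges):
    lines = ["digraph activity {", "  rankdir=LR;"]
    for src, dst, label in edges:
        lines.append(f"  {dot_quote(src)} -> {dot_quote(dst)} [label={dot_quote(label)}];")
    lines.append("}")
    return "\n".join(lines)


def merge_to_dot(procmon_csv, packets):
    """Merge both sources into one edge list and render it as DOT."""
    rows = parse_procmon(procmon_csv)
    edges = build_edges(rows)
    for owner, dst, desc in attribute_packets(rows, packets):
        # Packets no process claimed stay visible instead of silently vanishing.
        edges.append((owner or "unattributed packet", dst, desc))
    return edges, to_dot(edges)


if __name__ == "__main__":
    print(merge_to_dot(PROCMON_CSV, PCAP_LINES)[1])
```

Piping the output into `dot -Tpng` draws dropper.exe creating and writing upd.exe, upd.exe setting a Run key and connecting out, and the TLS packet hanging off upd.exe; the unmatched HTTP packet is drawn from an "unattributed packet" node so the analyst sees that the correlation failed rather than missing the traffic entirely.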