Wednesday, August 13, 2014

Python Parser for Process Monitor CSV Output

Created a quick parser for Process Monitor csv output files.  I designed it to organize the output based on PID and Operation.  Then I chose to remove the timestamp and deduplicate the remaining information.

This was built to be a tool that can be used in conjunction with Process Monitor to help identify interesting activity.

# Script is designed to parse a Process Monitor script and output organized by process and operation

# In my limited testing it took a 29M file down to 5M (At least a little easier to digest)
# It will deduplicate the rows in the output without the timestamp
# This tool is not to replace the output of Process Monitor it is only used as a tool to assist in finding valuable information

import sys
import os
import csv


file = open(csvFile,'r')
reader = csv.reader(file)
# Gather the PIDs and make a uniq list of them
uniqPID = set() # This will store the unique PIDs found in the csv file
uniqOperation = set() # This will store the unique Operations found in the csv file
for row in reader:
    # Time of Day, Process Name, PID, Operation, Path, Result, Detail
    #      0             1        2       3       4      5       6
    if (row[2] != 'PID'):    # Remove the header out of the set

uniqPID = list(uniqPID) # Take the set and place it into a list
uniqOperation = list(uniqOperation)
uniqPID.sort(key=int)   # Sort the list based on an integer value

for pid in uniqPID:
        print "\n\n"
    for operation in uniqOperation:
        operationAppearanceCounter = 0
        uniqRow = set()
        file = open(csvFile,'r')
        reader = csv.reader(file)
        for row in reader:
            if (row[2] == pid):
                if (row[3] == operation):
                    if (operationAppearanceCounter == 0):
                        print "\nPID: " + pid + "     Operation: " + operation
                        print "----------------------------------------------"
                        operationAppearanceCounter = 1
                    newRow = row[1] + " " + row[2] + " " + row[3] + " " + row[4] + " " + row[5] + " " + row[6]
        for deduplicatedRow in uniqRow:
            print deduplicatedRow

No comments:

Post a Comment

Docker with Juiceshop - Focus on SQL Injection

In preparation for an ethical hacking class that I will be teaching, I wanted to work through a few of the Vulnhub or docker images to refr...