Skip to content

asquigglytwist/SeeBee

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

147 Commits
Samples
Samples
 
 
Src
Src
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
SeeBee.sln
SeeBee.sln
 
 

Repository files navigation

SeeBee

A ProcMon Logs (PML) Analyzer.

CI (via AppVeyor) Build status

Disclaimer:

Please note that this is a work-in-progress and most likely will always be.

What is it?

SeeBee is a (currently command-line only) tool to parse the ProcMon Logs (PML) which is in a binary format. Although PMLs can be read by ProcMon itself, the filtering and querying capabilities of the tool is very limited.

How does it work?

SeeBee uses ProcMon to convert the PML to XML and then enables filtering on top of the XML data. Currently, the filtering engine supports a limited subset of properties and filtering mechanisms.

How to use?

SeeBee is currently a CMD only version. Eventually, I plan to add a GUI and improve the filtering engine.

Without further ado, here's how: SeeBeeCmd pm "C:\T\SeeBee\Procmon.exe" in "C:\T\SeeBee\Logfile.PML" c "C:\T\SeeBee\SeeBee.sbc" where,

  • pm -> path to the ProcMon executable
  • in -> the input PML or XML file
  • c -> the configuration file for SeeBee

Configuring SeeBee

The config file - .SBC (SeeBeeConfig) is a simple XML file and can be edited with any text editor. Below is an example:

<?xml version="1.0" encoding="UTF-8"?>
<SeeBee>
	<Filters>
		<Create>
			<Filter name="DefaultUserProcesses" appliesOn="Processes" property="ProcessName" operator="Equals">
				notepad.exe, explorer.exe, iexplore.exe, firefox.exe, chrome.exe
			</Filter>
			<Filter name="DefaultSystemProcesses" appliesOn="Processes" property="ImagePath" operator="StartsWith">
				gpupdate.exe, conhost.exe, svchost.exe, winlogon.exe, csrss.exe, lsass.exe, WUDFHost.exe, spoolsv.exe, unsecapp.exe
			</Filter>
			<Filter name="RunningProcesses" appliesOn="Processes" property="FinishTime" operator="Equals">
				0
			</Filter>
			<Filter name="CompletedProcesses" appliesOn="Processes" property="FinishTime" operator="NotEquals">
				0
			</Filter>
			<Filter name="HasLoadedWindowsDlls" appliesOn="Processes" property="Modules" operator="Contains">
				user32.dll, advapi32.dll
			</Filter>
			<Filter name="SomeGenericProcesses" appliesOn="Events" property="Operation" operator="Equals">
				"Load Image", QueryBasicInformationFile
			</Filter>
			<Filter name="SomeGenericProcesses" appliesOn="Events" property="Operation" operator="Equals">
				"Load Image", QueryBasicInformationFile
			</Filter>
		</Create>
		<Conditions>
			<Condition action="Exclude" operator="And">
				DefaultUserProcesses, DefaultSystemProcesses
			</Condition>
			<Condition action="Include" operator="Or">
				RunningProcesses, HasLoadedWindowsDlls
			</Condition>
			<Condition action="Include" operator="Only">
				HasLoadedWindowsDlls
			</Condition>
		</Conditions>
	</Filters>
</SeeBee>

Sample Output

# of Processes read from file: 9.
# of Events that match the criteria: 108.
Press any key to continue...

About

A PML Analyzer.

Topics

analyzer pml procmon chsarp seebee

Resources

Readme

License

MPL-2.0 license
Activity

Stars

7 stars

Watchers

2 watching

Forks

2 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages