Noriben can't load the CSVfile made by procmon

[Noribentou]

Hello.
And sorry for my bad English.
Sadly no one doesn't know about this great tool Noriben.
And I can't find the way to resolve this problem.
So I have to ask you.

The text file that is created by Noriben and timeline.csv terminated only default information.
Like this.

-=] Sandbox Analysis Report generated by Noriben v1.8.3
-=] Developed by Brian Baskin: brian @@ thebaskins.com @bbaskin
-=] The latest release can be found at https://github.com/Rurik/Noriben

-=] Analysis time: 1.34 seconds

Processes Created:

File Activity:

Registry Activity:

Network Traffic:

Unique Hosts:

As you know there are a similer case
"Textfile doesnt contain any data " issue on Mar 2015 · 17
I read it. And I guess this is the same case.
In this case this problem is resolved by installing latest version.
But I can't.

python version is 3.8.2
OS is win7
And this deploy on virtual box.
CSV is written.

[portalek]

try to copy ProcmonConfiguration.pmc from folder filters to root folder.

[Rurik]

I'm sorry this is happening.

Can you run it with the --debug option to verify there's content there.

It's important to see where the break happens. If there's data in the PML, and the raw CSV, then there may be an issue in converting from there.

Why can't you install the latest version?

[Noribentou]

Thank you for your reply.
I left my laptop in my office.
So it's going to be Monday to try --debug option and copy ProcmonConfiguration.pmc from folder filters to root folder.

By the way I install Noriben at here on last week or 2 week ago.
From https://github.com/Rurik/Noriben/archive/master.zip
But now I notice Noriben v1.8.3 is not a latest one.

I'm new to GitHub , so I don't know the way to updating.
I'm going to try update this by copy source code from code tab and paste it on my local Noriben.py.
Is it the right way to update?

[Noribentou]

I tried --debug option
This is the result.

C:\Users*****\Downloads\Noriben-master2\Noriben-master>Noriben.py --debug
[+] Python module "requests" not found. Internet functionality is disabled.
[+] This is acceptable if you do not wish to upload data to VirusTotal.

--===[ Noriben v1.8.3
--===[ Brian Baskin [[email protected] / @bbaskin]
[!] Filter file ProcmonConfiguration.PMC not found. Continuing without filters.
[] Log output directory:
[] YARA directory:
[+] Features: (Debug: True Internet: False VirusTotal: False)
[] Using procmon EXE: procmon.exe
[] Procmon session saved to: Noriben_23_Mar_20__12_08_317790.pml
[] Launching Procmon ...
[] Running cmdline: "procmon.exe" /BackingFile "Noriben_23_Mar_20__12_08_317790
.pml" /Quiet /Minimized
[] Procmon is running. Run your executable now.
[] When runtime is complete, press CTRL+C to stop logging.

Then I stop logging.(CTRL+C)

[] Termination of Procmon commencing... please wait
[] Running cmdline: "procmon.exe" /Terminate
[] Procmon terminated
[] Converting session to CSV: Noriben_23_Mar_20__12_08_317790.csv
[] Running cmdline: "procmon.exe" /OpenLog "Noriben_23_Mar_20__12_08_317790.pml
" /SaveApplyFilter /saveas "Noriben_23_Mar_20__12_08_317790.csv"
[] Processing CSV: Noriben_23_Mar_20__12_08_317790.csv
[] Writing 0 Process Events results to report
[] Writing 0 Filesystem Events results to report
[] Writing 0 Registry Events results to report
[] Writing 0 Network Events results to report
[] Writing 0 Remote Servers results to report
[] Saving report to: Noriben_23_Mar_20__12_08_317790.txt
[] Saving timeline to: Noriben_23_Mar_20__12_08_317790_timeline.csv
[] Exiting with error code: 0: Normal exit

And the text exported.

-=] Sandbox Analysis Report generated by Noriben v1.8.3
-=] Developed by Brian Baskin: brian @@ thebaskins.com @bbaskin
-=] The latest release can be found at https://github.com/Rurik/Noriben

-=] Analysis time: 1.34 seconds

Processes Created:

File Activity:

Registry Activity:

Network Traffic:

Unique Hosts:

Logs is written in csv files.
Like what kind of files has created,and about registry.

After this I copyed ProcmonConfiguration.pmc from folder filters to root folder.
But problem doesn't solve.

C:\Users*****\Desktop\Noriben-master>Noriben.py --debug
[+] Python module "requests" not found. Internet functionality is disabled.
[+] This is acceptable if you do not wish to upload data to VirusTotal.

--===[ Noriben v1.8.3
--===[ Brian Baskin [[email protected] / @bbaskin]
[!] Filter file ProcmonConfiguration.PMC not found. Continuing without filters.
[] Log output directory:
[] YARA directory:
[+] Features: (Debug: True Internet: False VirusTotal: False)
[] Using procmon EXE: procmon.exe
[] Procmon session saved to: Noriben_23_Mar_20__12_57_094085.pml
[] Launching Procmon ...
[] Running cmdline: "procmon.exe" /BackingFile "Noriben_23_Mar_20__12_57_094085
.pml" /Quiet /Minimized
[] Procmon is running. Run your executable now.
[] When runtime is complete, press CTRL+C to stop logging.

[] Termination of Procmon commencing... please wait
[] Running cmdline: "procmon.exe" /Terminate
[] Procmon terminated
[] Converting session to CSV: Noriben_23_Mar_20__12_57_094085.csv
[] Running cmdline: "procmon.exe" /OpenLog "Noriben_23_Mar_20__12_57_094085.pml
" /SaveApplyFilter /saveas "Noriben_23_Mar_20__12_57_094085.csv"
[] Processing CSV: Noriben_23_Mar_20__12_57_094085.csv
[] Writing 0 Process Events results to report
[] Writing 0 Filesystem Events results to report
[] Writing 0 Registry Events results to report
[] Writing 0 Network Events results to report
[] Writing 0 Remote Servers results to report
[] Saving report to: Noriben_23_Mar_20__12_57_094085.txt
[] Saving timeline to: Noriben_23_Mar_20__12_57_094085_timeline.csv
[] Exiting with error code: 0: Normal exit

Then this txt exported.

-=] Sandbox Analysis Report generated by Noriben v1.8.3
-=] Developed by Brian Baskin: brian @@ thebaskins.com @bbaskin
-=] The latest release can be found at https://github.com/Rurik/Noriben

-=] Execution time: 82.60 seconds
-=] Processing time: 90.42 seconds
-=] Analysis time: 5.89 seconds

Processes Created:

File Activity:

Registry Activity:

Network Traffic:

Unique Hosts:

※Now I have not update noriben yet.
※I check the Filter.Then any filter is not set.

[Noribentou]

Sorry. I miss the updated noriben.py script.
I will try it tomorrow.

[Rurik]

Please check that the .PML and the .CSV both exist and have data. There: Noriben_23_Mar_20__12_57_094085.pml and Noriben_23_Mar_20__12_57_094085.csv.

If the CSV is zero bytes there could be an error in Procmon converting the data.

[Kenya31]

Did you add the path to procmon.exe to your Path environment variable ?
Try to run below.

procmon.exe /OpenLog Test.pml /SaveApplyFilter /saveas Test.csv

[Noribentou]

Sorry.I accidentally applyed snapshot back the OS.

So I tried debug again.And this is the result.
And later I'll try to describe about the pml and csv.

C:\Users*****\Downloads\Noriben-master2\Noriben-master>Noriben.py --debug

[+] Python module "requests" not found. Internet functionality is disabled.
[+] This is acceptable if you do not wish to upload data to VirusTotal.

--===[ Noriben v1.8.3
--===[ Brian Baskin [[email protected] / @bbaskin]
[!] Filter file ProcmonConfiguration.PMC not found. Continuing without filters.
[] Log output directory:
[] YARA directory:
[+] Features: (Debug: True Internet: False VirusTotal: False)
[] Using procmon EXE: procmon.exe
[] Procmon session saved to: Noriben_24_Mar_20__10_07_544646.pml
[] Launching Procmon ...
[] Running cmdline: "procmon.exe" /BackingFile "Noriben_24_Mar_20__10_07_544646
.pml" /Quiet /Minimized
[] Procmon is running. Run your executable now.
[] When runtime is complete, press CTRL+C to stop logging.

[+] Python module "requests" not found. Internet functionality is disabled.
[+] This is acceptable if you do not wish to upload data to VirusTotal.

[] Termination of Procmon commencing... please wait
[] Running cmdline: "procmon.exe" /Terminate
[] Procmon terminated
[] Converting session to CSV: Noriben_24_Mar_20__10_07_544646.csv
[] Running cmdline: "procmon.exe" /OpenLog "Noriben_24_Mar_20__10_07_544646.pml
" /SaveApplyFilter /saveas "Noriben_24_Mar_20__10_07_544646.csv"
[] Processing CSV: Noriben_24_Mar_20__10_07_544646.csv
[*] Writing 0 Process Events results to report

-=] Sandbox Analysis Report generated by Noriben v1.8.3
-=] Developed by Brian Baskin: brian @@ thebaskins.com @bbaskin
-=] The latest release can be found at https://github.com/Rurik/Noriben

-=] Execution time: 73.44 seconds
-=] Processing time: 60.95 seconds
-=] Analysis time: 5.28 seconds

Processes Created:

File Activity:

Registry Activity:

Network Traffic:

Unique Hosts:

[Noribentou]

This is the 544646.csv file.

10:07:34.4918788,"Explorer.EXE","1380","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pzq.rkr","SUCCESS","Type: REG_BINARY, Length: 72, Data: 00 00 00 00 13 00 00 00 8F 00 00 00 E1 B3 52 00"
10:07:34.4919084,"Explorer.EXE","1380","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pzq.rkr","SUCCESS","Type: REG_BINARY, Length: 72, Data: 00 00 00 00 13 00 00 00 8F 00 00 00 AC B4 52 00"

10:07:34.4925666,"Explorer.EXE","1380","CreateFile","C:\Users*\AppData\Local\Temp\procmon64.exe","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened" 10:07:34.4925898,"Explorer.EXE","1380","QueryBasicInformationFile","C:\Users*\AppData\Local\Temp\procmon64.exe","SUCCESS","CreationTime: 2020/03/24 10:07:31, LastAccessTime: 2020/03/24 10:07:34, LastWriteTime: 2020/03/24 10:07:31, ChangeTime: 2020/03/24 10:07:31, FileAttributes: HA"
10:07:34.4926021,"Explorer.EXE","1380","CloseFile","C:\Users******\AppData\Local\Temp\procmon64.exe","SUCCESS",""
10:07:34.4926461,"Explorer.EXE","1380","CreateFile","C:","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
10:07:34.4926955,"Explorer.EXE","1380","QueryDirectory","C:\Users","SUCCESS","Filter: Users, 1: Users, FileInformationClass: FileBothDirectoryInformation"
10:07:34.4927288,"Explorer.EXE","1380","CloseFile","C:","SUCCESS",""
・
・
I guess csvfile works normally.
And pml file works too.(I cant paste this file though)

Now I'm gonna try adding the path to procmon.exe and update my noriben.py using code
in Pull requests.

But I don't know the way to forecast update old noriben.py.
I'm going to edit old one and paste it. Is it the right way to do it?

[Noribentou]

Did you add the path to procmon.exe to your Path environment variable ?
Try to run below.

procmon.exe /OpenLog Test.pml /SaveApplyFilter /saveas Test.csv

I added the path to procmon.exe to my Path.

After making a Noriben2.py(copy from pull request,and pasted in wordpad) and run procmon.exe /OpenLog Test.pml /SaveApplyFilter /saveas Test.csv.

ProcessMonitor returns messages.
Invalid argument: Test.csv

[Noribentou]

Now I notice timeline.csv is 0 bites.
Is there any problem?

[Rurik]

Thank you. I'm sorry you're having this problem. This SHOULD work and I'd like to troubleshoot more.

Can you email me the PML file? brian [@] thebaskins [.] com

I want to try and troubleshoot directly from it.

[Rurik]

Currently still troubleshooting. Based on the PML you send, I am able to get results with 1.8.4:

-rw-rw-rw-  1 Admin 0 222936641 2020-03-27 03:45 Noriben_24_Mar_20__14_26_213888.pml
-rw-rw-rw-  1 Admin 0     12567 2020-03-29 09:02 Noriben_24_Mar_20__14_26_213888.txt
-rw-rw-rw-  1 Admin 0     25608 2020-03-29 09:02 Noriben_24_Mar_20__14_26_213888_timeline.csv

I'm reviewing across multiple versions of Windows to see if there's a difference that's causing it.