Noriben Execution - Rurik/Noriben GitHub Wiki

Noriben is simply a Python wrapper around Sysinternals' Process Monitor (procmon.exe). Procmon is a system monitoring tool that records file-system, registry, process/thread and network events, potentially millions of them in a single session, into a large backing log. To work, Noriben needs only a few components:

  • Python 3.x
  • Noriben itself and any accompanied files
  • Sysinternals procmon.exe in %PATH% or the current working directory

In its simplest form, running Noriben.py with no arguments performs a basic collection. Run the script and wait for it to report that it is monitoring the system. Once prompted, run your malware or perform your attack actions. When the malware or attack has produced enough activity for analysis, stop Noriben by pressing Ctrl-C. Noriben will then stop logging, gather the captured data, and produce a report for you.
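To make the "wrapper" mechanics concrete, here is an added, minimal sketch of that same control flow in Python (locate procmon.exe, start a capture, block until Ctrl-C, terminate the capture, export the log). It is not Noriben's own code. The Procmon switches it uses (/AcceptEula, /Quiet, /Minimized, /BackingFile, /LoadConfig, /Terminate, /OpenLog, /SaveAs) are Procmon's documented command-line options, but this page does not say which of them Noriben itself passes. The output file names and the injectable popen/run/wait hooks are assumptions made so the flow can be exercised as a dry run outside a Windows VM.

```python
import os
import shutil
import subprocess
import time
from pathlib import Path

# Assumed output names for this sketch; Noriben's real naming is not given on this page.
DEFAULT_PML = "Noriben.pml"
DEFAULT_CSV = "Noriben.csv"


def find_procmon(cwd=None, path_env=None, exe="procmon.exe"):
    """Locate procmon.exe, checking the working directory first and then %PATH%.

    path_env lets a caller (or a test) supply a PATH string instead of os.environ["PATH"].
    Returns the full path as a string, or None when the binary is absent.
    """
    candidate = Path(cwd or os.getcwd()) / exe
    if candidate.is_file():
        return str(candidate)
    return shutil.which(exe, path=path_env)


def capture_cmd(procmon, pml_path, config=None):
    """Command line that starts a quiet, minimized capture into a backing .pml file."""
    cmd = [procmon, "/AcceptEula", "/Quiet", "/Minimized", "/BackingFile", str(pml_path)]
    if config:  # e.g. ProcmonConfiguration.pmc, a saved filter/column set
        cmd += ["/LoadConfig", str(config)]
    return cmd


def terminate_cmd(procmon):
    """A second procmon instance started with /Terminate tells the running capture to stop."""
    return [procmon, "/Terminate"]


def export_cmd(procmon, pml_path, csv_path):
    """Re-open the .pml and write it out as CSV for post-processing."""
    return [procmon, "/OpenLog", str(pml_path), "/SaveAs", str(csv_path)]


def run_capture(procmon, pml_path=DEFAULT_PML, csv_path=DEFAULT_CSV, config=None,
                popen=subprocess.Popen, run=subprocess.run, wait=None):
    """Start Procmon, block until Ctrl-C, then stop it and export the log.

    popen/run/wait are injectable so the flow can be exercised without Procmon present:
    the capture is started with popen (it must not block), /Terminate and /SaveAs are
    run to completion with run, and wait() replaces the interactive pause.
    """
    popen(capture_cmd(procmon, pml_path, config))
    try:
        if wait is None:
            print("Procmon is capturing. Run your sample, then press Ctrl-C to stop.")
            while True:
                time.sleep(1)
        else:
            wait()
    except KeyboardInterrupt:
        pass
    finally:
        # Always stop the capture, even if something above raised.
        run(terminate_cmd(procmon))
    run(export_cmd(procmon, pml_path, csv_path))
    return csv_path


if __name__ == "__main__":
    exe = find_procmon()
    if exe is None:
        raise SystemExit("procmon.exe not found in the working directory or %PATH%")
    print("report written to", run_capture(exe, config="ProcmonConfiguration.pmc"))
```

Two points a practitioner should keep in mind: Procmon needs administrative rights to load its driver, so run this (and Noriben) from an elevated prompt inside the VM; and the /Terminate step sits in a finally block so a capture is never left running, and filling the disk, if the wrapper dies.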

Place your Noriben files (Noriben.py, procmon.exe, and the recommended ProcmonConfiguration.pmc) into any standard Windows virtual machine. Then copy your malware to the VM. Run Noriben and you will receive the following output:

TODO

More here...