Capture BAT

Usr6 · November 16, 2011

Capture BAT is a behavioral analysis tool of applications for the Win32 operating system family. Capture BAT is able to monitor the state of a system during the execution of applications and processing of documents, which provides an analyst with insights on how the software operates even if no source code is available. Capture BAT monitors state changes on a low kernel level and can easily be used across various Win32 operating system versions and configurations.

Capture BAT provides a powerful mechanism to exclude event noise that naturally occurs on an idle system or when using a specific application. This mechanism is fine-grained and allows an analyst to take into account the process that cause the various state changes. As a result, this mechanism even allows Capture to analyze the behavior of documents that execute within the context of an application, for example the behavior of a malicious Microsoft Word document

The program has a console interface and a small set of parameters:

-L output.txt output to a file.

-C Copy all the deleted or modified files folder logs

-N Save all incoming and outgoing traffic to a file. Pcap in logs

-H Displays help

Prerequisites:

Microsoft Windows 2000 sp 4; Microsoft Windows XP sp 2; for Microsoft Vista no service pack is needed.
Microsoft Visual C++ 2005 Redistributable Package
f the network dump functionality is used, Capture BAT requires the WinPcap 4.0.1 libraries.

The application will be installed into C:\program files\capture. Note that a reboot will be forced by the setup program.