

Fix issue #5 and minor README update (#7)
* Fix bug where specifying additional executable names by using the `-x` flag caused WYC to crash due to improper instantiation of the processes as tracked processes. Realised the potential of adding these to the tracking dict without relying on them to start, whereas the TCPIP/DNS listeners could initiate the processes just as the event occurs.

* Minor README update
H4NM authored Oct 20, 2024
1 parent 9eae258 commit 468b147
Showing 5 changed files with 28 additions and 39 deletions.
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -25,6 +25,7 @@ However, there are some downsides:
- Creates a full packet capture .pcap file per process.
- Records TCPIP activities made by a processes, netflow style.
- Records DNS requests and responses made and retrieved by applications.
- Creates Wireshark filter for domains queried via DNS with the DNS responses
- Can specify pcap filtering to only record TCPIP activity being sent from the process. This is applied to the recorded .pcap.
- Can be automated with a timer.
- By default all monitoring is applied to all spawned child processes.
4 changes: 2 additions & 2 deletions WhoYouCalling/ETW/DNSClientListener.cs
Expand Up @@ -31,7 +31,7 @@ private void DnsClientEvent(TraceEvent data)
{
case "EventID(3006)":
{
if (IsAMonitoredProcess(data.ProcessID))
if (Program.IsAMonitoredProcess(data.ProcessID))
{
string retrievedQuery = data.PayloadByName("QueryName").ToString().Trim();
string dnsDomainQueried = string.IsNullOrWhiteSpace(retrievedQuery) ? "N/A" : retrievedQuery;
Expand Down Expand Up @@ -61,7 +61,7 @@ private void DnsClientEvent(TraceEvent data)
}
case "EventID(3008)":
{
if (IsAMonitoredProcess(data.ProcessID))
if (Program.IsAMonitoredProcess(data.ProcessID))
{
string retrievedQuery = data.PayloadByName("QueryName").ToString().Trim();
string dnsQuery = string.IsNullOrWhiteSpace(retrievedQuery) ? "N/A" : retrievedQuery;
28 changes: 13 additions & 15 deletions WhoYouCalling/ETW/KernelListener.cs
Expand Up @@ -4,6 +4,7 @@
using System.Security.Cryptography;
using WhoYouCalling.Network;
using WhoYouCalling.Process;
using WhoYouCalling.Utilities;

namespace WhoYouCalling.ETW
{
Expand All @@ -30,7 +31,7 @@ public void Listen()
_session.Source.Kernel.UdpIpSendIPV6 += Ipv6UdpIpStart;

// Process
_session.Source.Kernel.ProcessStart += childProcessStarted;
_session.Source.Kernel.ProcessStart += processStarted;
_session.Source.Kernel.ProcessStop += processStopped;

// Start Kernel ETW session
Expand Down Expand Up @@ -59,43 +60,44 @@ private void ProcessNetworkPacket(dynamic data, IPVersion ipVersion, TransportPr

private void Ipv4TcpStart(TcpIpSendTraceData data)
{
if (IsAMonitoredProcess(data.ProcessID)) // If main or child monitored process
if (Program.IsAMonitoredProcess(data.ProcessID)) // If main or child monitored process
{
ProcessNetworkPacket(data, ipVersion: Network.IPVersion.IPv4, transportProto: Network.TransportProtocol.TCP);
}
}

private void Ipv6TcpStart(TcpIpV6SendTraceData data)
{
if (IsAMonitoredProcess(data.ProcessID)) // If main or child monitored process
if (Program.IsAMonitoredProcess(data.ProcessID)) // If main or child monitored process
{
ProcessNetworkPacket(data, ipVersion: Network.IPVersion.IPv6, transportProto: Network.TransportProtocol.TCP);
}
}

private void Ipv4UdpIpStart(UdpIpTraceData data)
{
if (IsAMonitoredProcess(data.ProcessID)) // If main or child monitored process
if (Program.IsAMonitoredProcess(data.ProcessID)) // If main or child monitored process
{
ProcessNetworkPacket(data, ipVersion: Network.IPVersion.IPv4, transportProto: Network.TransportProtocol.UDP);
}
}

private void Ipv6UdpIpStart(UpdIpV6TraceData data)
{
if (IsAMonitoredProcess(data.ProcessID)) // If main or child monitored process
if (Program.IsAMonitoredProcess(data.ProcessID)) // If main or child monitored process
{
ProcessNetworkPacket(data, ipVersion: Network.IPVersion.IPv6, transportProto: Network.TransportProtocol.UDP);
}
}

private void childProcessStarted(ProcessTraceData data)
private void processStarted(ProcessTraceData data)
{

if (IsAMonitoredProcess(data.ParentID)) //Tracks child processes by monitored process
if (Program.IsAMonitoredProcess(data.ParentID)) //If current process is child process of already started process
{
string parentExectuable = Program.GetTrackedPIDImageName(data.ParentID);

ConsoleOutput.Print($"DEBUGIN_FROM_IS_MONITORED_PPID: {parentExectuable}", PrintType.Fatal);

Program.CatalogETWActivity(eventType: EventType.Childprocess,
executable: parentExectuable,
execAction: "started",
Expand All @@ -111,22 +113,18 @@ private void childProcessStarted(ProcessTraceData data)
}
else if(Program.TrackExecutablesByName() && Program.IsTrackedExecutableName(data.ProcessID))
{
string parentExectuable = ProcessManager.GetProcessFileName(data.ParentID);

Program.InstantiateProcessVariables(pid: data.ProcessID, executable: data.ImageFileName, commandLine: data.CommandLine);
Program.CatalogETWActivity(eventType: EventType.Childprocess,
executable: parentExectuable,
Program.CatalogETWActivity(eventType: EventType.Process,
executable: data.ImageFileName,
execAction: "started by name",
execObject: data.ImageFileName,
execObjectCommandLine: data.CommandLine,
execPID: data.ProcessID,
parentExecPID: data.ParentID);
}
}

private void processStopped(ProcessTraceData data)
{
if (IsAMonitoredProcess(data.ProcessID)) // Main or child process stopped
if (Program.IsAMonitoredProcess(data.ProcessID)) // Main or child process stopped
{
Program.CatalogETWActivity(eventType: EventType.Process,
executable: data.ImageFileName,
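Review bot: The `ConsoleOutput.Print($"DEBUGIN_FROM_IS_MONITORED_PPID: {parentExectuable}", PrintType.Fatal);` line in `processStarted` reads as a leftover debug trace; it fires on every process start whose parent is monitored and reports at Fatal severity, which would mislead anyone triaging the tool's output, so it should be dropped before merge. The local it prints is also misspelled (`parentExectuable`), worth correcting while the line is touched. In the tracked-by-name branch, `Program.IsTrackedExecutableName(data.ProcessID)` presumably resolves the image name from the pid, yet `data.ImageFileName` is already carried on the event and a short-lived process may have exited before such a lookup runs; if that is how it is implemented, matching on `data.ImageFileName` would be more robust. `processStarted` spans both hunks of this section, with its middle lines collapsed between them.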
20 changes: 0 additions & 20 deletions WhoYouCalling/ETW/Listener.cs
Expand Up @@ -4,29 +4,9 @@ namespace WhoYouCalling.ETW
{
internal class Listener
{
protected int _trackedProcessId = 0;
protected string _mainExecutableFileName = "";
protected TraceEventSession _session;
public string SourceName = "";

public bool IsAMonitoredProcess(int pid)
{
if (_trackedProcessId == pid || Program.IsTrackedChildPID(pid))
{
return true;
}
else
{
return false;
}
}

public void SetPIDAndImageToTrack(int pid, string executable)
{
_mainExecutableFileName = executable;
_trackedProcessId = pid;
}

public void StopSession()
{
_session.Dispose();
14 changes: 12 additions & 2 deletions WhoYouCalling/Program.cs
Expand Up @@ -180,8 +180,6 @@ static void Main(string[] args)
CatalogETWActivity(eventType: EventType.Process, executable: s_mainExecutableFileName, execAction: "being listened to", execPID: s_trackedMainPid);
}

s_etwDnsClientListener.SetPIDAndImageToTrack(s_trackedMainPid, s_mainExecutableFileName);
s_etwKernelListener.SetPIDAndImageToTrack(s_trackedMainPid, s_mainExecutableFileName);
InstantiateProcessVariables(pid: s_trackedMainPid, executable: s_mainExecutableFileName, commandLine: s_mainExecutableCommandLine);

if (s_argumentData.ProcessRunTimerWasProvided)
Expand Down Expand Up @@ -393,6 +391,18 @@ private static void ShutdownMonitoring()
ConsoleOutput.Print($"Finished! Monitor duration: {monitorDuration}. Results are in the folder {s_rootFolderName}", PrintType.InfoTime);
}

public static bool IsAMonitoredProcess(int pid)
{
if (s_collectiveProcessInfo.ContainsKey(pid))
{
return true;
}
else
{
return false;
}
}

private static bool ProcessHasNoRecordedNetworkActivity(MonitoredProcess monitoredProcess)
{
if (monitoredProcess.DNSQueries.Count() == 0 &&
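Review bot: The new `IsAMonitoredProcess` reads `s_collectiveProcessInfo` from the ETW callback threads of the kernel and DNS sessions while `InstantiateProcessVariables` writes to it from the main thread; if that field is a plain `Dictionary`, an unsynchronized `ContainsKey` racing with an insert is undefined, so a `ConcurrentDictionary` or a lock shared by both access paths is warranted. The if/else can also collapse to `public static bool IsAMonitoredProcess(int pid) => s_collectiveProcessInfo.ContainsKey(pid);`. Since the main process is now recognised only by membership in that dictionary, the `InstantiateProcessVariables(...)` call in the first hunk has to run before the sessions deliver their first events for `s_trackedMainPid`; whether the listeners are already running at that point is not visible here. A one-line `///` summary saying that membership in the tracked-process table is what defines a monitored process would help readers of the listeners.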
