From 468b14796feb2e1d7066356822a1acc3c5ef3aa3 Mon Sep 17 00:00:00 2001
From: Hannes Michel <33238676+H4NM@users.noreply.github.com>
Date: Sun, 20 Oct 2024 19:37:28 +0200
Subject: [PATCH] Fix issue #5 and minor README update (#7)

* Fix bugg where specifying additional executables names by using `-x` flag caused WYC to crash due to improper instantiation of the processes as tracked processes. Realised the potential of adding these to be added to the tracking dict without relying on them to start, but whereas the TCPIP/DNS listeners could initiate the processes just as the event occurs.

* Minor README update
---
 README.md | 1 +
 WhoYouCalling/ETW/DNSClientListener.cs | 4 ++--
 WhoYouCalling/ETW/KernelListener.cs | 28 ++++++++++++--------------
 WhoYouCalling/ETW/Listener.cs | 20 ------------------
 WhoYouCalling/Program.cs | 14 +++++++++++--
 5 files changed, 28 insertions(+), 39 deletions(-)

diff --git a/README.md b/README.md
index 9346ded..137e1a9 100644
--- a/README.md
+++ b/README.md
@@ -25,6 +25,7 @@ However, there are some downsides:
 - Creates a full packet capture .pcap file per process.
 - Records TCPIP activities made by a processes, netflow style.
 - Records DNS requests and responses made and retrieved by applications.
+- Creates Wireshark filter for domains queried via DNS with the DNS responses
 - Can specify pcap filtering to only record TCPIP activity being sent from the process. This is applied to the recorded .pcap.
 - Can be automated with a timer.
 - By default all monitoring is applied to all spawned child processes.
diff --git a/WhoYouCalling/ETW/DNSClientListener.cs b/WhoYouCalling/ETW/DNSClientListener.cs
index dfa7b44..bae816f 100644
--- a/WhoYouCalling/ETW/DNSClientListener.cs
+++ b/WhoYouCalling/ETW/DNSClientListener.cs
@@ -31,7 +31,7 @@ private void DnsClientEvent(TraceEvent data) { case "EventID(3006)": { - if (IsAMonitoredProcess(data.ProcessID)) + if (Program.IsAMonitoredProcess(data.ProcessID)) { string retrievedQuery = data.PayloadByName("QueryName").ToString().Trim(); string dnsDomainQueried = string.IsNullOrWhiteSpace(retrievedQuery) ? "N/A" : retrievedQuery; @@ -61,7 +61,7 @@ private void DnsClientEvent(TraceEvent data) } case "EventID(3008)": { - if (IsAMonitoredProcess(data.ProcessID)) + if (Program.IsAMonitoredProcess(data.ProcessID)) { string retrievedQuery = data.PayloadByName("QueryName").ToString().Trim(); string dnsQuery = string.IsNullOrWhiteSpace(retrievedQuery) ? "N/A" : retrievedQuery; diff --git a/WhoYouCalling/ETW/KernelListener.cs b/WhoYouCalling/ETW/KernelListener.cs index 6aa9cd8..9bd3556 100644 --- a/WhoYouCalling/ETW/KernelListener.cs +++ b/WhoYouCalling/ETW/KernelListener.cs @@ -4,6 +4,7 @@ using System.Security.Cryptography; using WhoYouCalling.Network; using WhoYouCalling.Process; +using WhoYouCalling.Utilities; namespace WhoYouCalling.ETW { @@ -30,7 +31,7 @@ public void Listen() _session.Source.Kernel.UdpIpSendIPV6 += Ipv6UdpIpStart; // Process - _session.Source.Kernel.ProcessStart += childProcessStarted; + _session.Source.Kernel.ProcessStart += processStarted; _session.Source.Kernel.ProcessStop += processStopped; // Start Kernel ETW session @@ -59,7 +60,7 @@ private void ProcessNetworkPacket(dynamic data, IPVersion ipVersion, TransportPr private void Ipv4TcpStart(TcpIpSendTraceData data) { - if (IsAMonitoredProcess(data.ProcessID)) // If main or child monitored process + if (Program.IsAMonitoredProcess(data.ProcessID)) // If main or child monitored process { ProcessNetworkPacket(data, ipVersion: Network.IPVersion.IPv4, transportProto: Network.TransportProtocol.TCP); } 
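Review bot: In the KernelListener.Listen() registration hunk the renamed handler `processStarted` keeps camelCase while the handlers registered right above it (`Ipv4TcpStart`, `Ipv6UdpIpStart`) are PascalCase, so the rename leaves the method names in this class inconsistent; since this commit already touches every registration and definition site of that handler, it is the natural moment to make it `_session.Source.Kernel.ProcessStart += ProcessStarted;` and rename the definition in the later hunk accordingly (`processStopped` is pre-existing and could follow in the same pass). The definition of the handler is outside this hunk.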
@@ -67,7 +68,7 @@ private void Ipv4TcpStart(TcpIpSendTraceData data) private void Ipv6TcpStart(TcpIpV6SendTraceData data) { - if (IsAMonitoredProcess(data.ProcessID)) // If main or child monitored process + if (Program.IsAMonitoredProcess(data.ProcessID)) // If main or child monitored process { ProcessNetworkPacket(data, ipVersion: Network.IPVersion.IPv6, transportProto: Network.TransportProtocol.TCP); } @@ -75,7 +76,7 @@ private void Ipv6TcpStart(TcpIpV6SendTraceData data) private void Ipv4UdpIpStart(UdpIpTraceData data) { - if (IsAMonitoredProcess(data.ProcessID)) // If main or child monitored process + if (Program.IsAMonitoredProcess(data.ProcessID)) // If main or child monitored process { ProcessNetworkPacket(data, ipVersion: Network.IPVersion.IPv4, transportProto: Network.TransportProtocol.UDP); } @@ -83,19 +84,20 @@ private void Ipv4UdpIpStart(UdpIpTraceData data) private void Ipv6UdpIpStart(UpdIpV6TraceData data) { - if (IsAMonitoredProcess(data.ProcessID)) // If main or child monitored process + if (Program.IsAMonitoredProcess(data.ProcessID)) // If main or child monitored process { ProcessNetworkPacket(data, ipVersion: Network.IPVersion.IPv6, transportProto: Network.TransportProtocol.UDP); } } - private void childProcessStarted(ProcessTraceData data) + private void processStarted(ProcessTraceData data) { - if (IsAMonitoredProcess(data.ParentID)) //Tracks child processes by monitored process + if (Program.IsAMonitoredProcess(data.ParentID)) //If current process is child process of already started process { string parentExectuable = Program.GetTrackedPIDImageName(data.ParentID); - + ConsoleOutput.Print($"DEBUGIN_FROM_IS_MONITORED_PPID: {parentExectuable}", PrintType.Fatal); + Program.CatalogETWActivity(eventType: EventType.Childprocess, executable: parentExectuable, execAction: "started", 
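Review bot: The added `ConsoleOutput.Print($"DEBUGIN_FROM_IS_MONITORED_PPID: {parentExectuable}", PrintType.Fatal);` in processStarted looks like a leftover debugging statement: it fires on every child-process start of a monitored process and labels that routine event as Fatal, which will both flood the console and make genuine fatal output harder to spot in the recorded session. Remove the line, or, if the PrintType enum has a debug-level member (not visible in this diff), lower it to that and give the message a descriptive text rather than the placeholder tag. The body of processStarted continues past the end of this hunk.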
@@ -111,14 +113,10 @@ private void childProcessStarted(ProcessTraceData data) } else if(Program.TrackExecutablesByName() && Program.IsTrackedExecutableName(data.ProcessID)) { - string parentExectuable = ProcessManager.GetProcessFileName(data.ParentID); - Program.InstantiateProcessVariables(pid: data.ProcessID, executable: data.ImageFileName, commandLine: data.CommandLine); - Program.CatalogETWActivity(eventType: EventType.Childprocess, - executable: parentExectuable, + Program.CatalogETWActivity(eventType: EventType.Process, + executable: data.ImageFileName, execAction: "started by name", - execObject: data.ImageFileName, - execObjectCommandLine: data.CommandLine, execPID: data.ProcessID, parentExecPID: data.ParentID); } @@ -126,7 +124,7 @@ private void childProcessStarted(ProcessTraceData data) private void processStopped(ProcessTraceData data) { - if (IsAMonitoredProcess(data.ProcessID)) // Main or child process stopped + if (Program.IsAMonitoredProcess(data.ProcessID)) // Main or child process stopped { Program.CatalogETWActivity(eventType: EventType.Process, executable: data.ImageFileName, diff --git a/WhoYouCalling/ETW/Listener.cs b/WhoYouCalling/ETW/Listener.cs index e4b8a71..8480455 100644 --- a/WhoYouCalling/ETW/Listener.cs +++ b/WhoYouCalling/ETW/Listener.cs @@ -4,29 +4,9 @@ namespace WhoYouCalling.ETW { internal class Listener { - protected int _trackedProcessId = 0; - protected string _mainExecutableFileName = ""; protected TraceEventSession _session; public string SourceName = ""; - public bool IsAMonitoredProcess(int pid) - { - if (_trackedProcessId == pid || Program.IsTrackedChildPID(pid)) - { - return true; - } - else - { - return false; - } - } - - public void SetPIDAndImageToTrack(int pid, string executable) - { - _mainExecutableFileName = executable; - _trackedProcessId = pid; - } - public void StopSession() { _session.Dispose(); diff --git a/WhoYouCalling/Program.cs b/WhoYouCalling/Program.cs index 003a2b4..3a3fb41 100644 
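Review bot: The name-tracked branch of processStarted no longer calls `Program.InstantiateProcessVariables(...)` for `data.ProcessID`, while the `Program.IsAMonitoredProcess` introduced in this patch answers by looking the PID up in `s_collectiveProcessInfo`; unless `Program.IsTrackedExecutableName(data.ProcessID)` registers the PID in that table itself — which this diff does not show — the process's subsequent TCP/UDP/DNS events will be filtered out by every listener and its own children will never match on `data.ParentID`, so the activity the `-x` flag asks for would be silently lost. If the registration does happen inside IsTrackedExecutableName, a comment at the call such as `// IsTrackedExecutableName also registers the PID in s_collectiveProcessInfo` would spare the next reader the same question. processStarted begins before this hunk.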
--- a/WhoYouCalling/Program.cs +++ b/WhoYouCalling/Program.cs @@ -180,8 +180,6 @@ static void Main(string[] args) CatalogETWActivity(eventType: EventType.Process, executable: s_mainExecutableFileName, execAction: "being listened to", execPID: s_trackedMainPid); } - s_etwDnsClientListener.SetPIDAndImageToTrack(s_trackedMainPid, s_mainExecutableFileName); - s_etwKernelListener.SetPIDAndImageToTrack(s_trackedMainPid, s_mainExecutableFileName); InstantiateProcessVariables(pid: s_trackedMainPid, executable: s_mainExecutableFileName, commandLine: s_mainExecutableCommandLine); if (s_argumentData.ProcessRunTimerWasProvided) @@ -393,6 +391,18 @@ private static void ShutdownMonitoring() ConsoleOutput.Print($"Finished! Monitor duration: {monitorDuration}. Results are in the folder {s_rootFolderName}", PrintType.InfoTime); } + public static bool IsAMonitoredProcess(int pid) + { + if (s_collectiveProcessInfo.ContainsKey(pid)) + { + return true; + } + else + { + return false; + } + } + private static bool ProcessHasNoRecordedNetworkActivity(MonitoredProcess monitoredProcess) { if (monitoredProcess.DNSQueries.Count() == 0 &&
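Review bot: The new `IsAMonitoredProcess` wraps a boolean in an if/else and can be expressed directly as `public static bool IsAMonitoredProcess(int pid) => s_collectiveProcessInfo.ContainsKey(pid);`. This method is now called from the ETW event callbacks in KernelListener and DNSClientListener, presumably on the session threads, while `s_collectiveProcessInfo` is written by InstantiateProcessVariables from Main and from KernelListener.processStarted; if the field is a plain Dictionary (its declaration is outside this diff) those concurrent reads and writes are unsafe and can throw or miss a freshly tracked PID, so a ConcurrentDictionary or a lock around the accesses is worth confirming. A `/// <summary>` noting that "monitored" now means presence in the tracked-process table, replacing the previous main-PID-or-child check removed from Listener.cs, would document the changed semantics for callers.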