Skip to content

Releases: H4NM/WhoYouCalling

WhoYouCalling v1.5 🗺️

18 Feb 20:56
@H4NM H4NM
v1.5
1c64327
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
WhoYouCalling v1.5 🗺️ Latest
Latest

This release includes some minor changes and one medium and one minor bug fix, but above all it includes CallMapper - a Python and JavaScript solution for that enables an interactive network graph of all the processes and their respective network activity from a WhoYouCalling session. CallMapper also allows for conducting automatic API lookups for all of the endpoints identified - except ofcourse of single-label domains, private or localhost IPs. Currently, i've only integrated VirusTotal and AbuseIPDB as available APIs, in which you need to supply API-keys for them. I also came to the realization that a solution that integrates API lookups is the most applicable if you as end users are able to add your own REST APIs for enriching data as you see fit - especially since there are tons of different IP and domain lookup APIs.... Therefore, CallMapper includes functionality to streamline the process of adding custom REST APIs. See CallMapper README.md for more instructions on how to do so. I've also extended the GitHub actions to better catch potential bugs that may be introduced. Now they execute all three WYC modes (Execute, Listen and Illuminate). If you appreciate this MIT-project and want to buy me a coffee, i've added my link ☕ #WhoYouCallingET :suspect:

Changelog

✨Features:

  • Add interactive network graph visualization of data and possibility of automatically performing API lookups to get reputation
  • Add Hostname to the summary output

📄Changes:

  • Change main folder name for when listening to a specific PID where it now takes the process name rather than the executable as it sometimes was problematic due to protected processes
  • Rename ProcessID to PID in for ChildProcessInfo for consistency
  • Expanded GitHub actions to execute WYC with the three main modes
  • Set default value of CommandLine to null rather than empty string for monitored processes for consitency
  • Adressed build warnings
  • Update README.md
  • Update LICENSE

🛠️ Fixes:

  • Fix logic for indexing short lived processes that are started where WYC would state that that they couldn't be succcessfully be mapped.
  • Fix logic for when executing a binary to correctly retrieve its process name.
  • Fix bug where it was not possible to execute an application unprivileged, see #11. The extended GitHub actions is meant to catch this as early as possible
  • Fix issue with Listen mode where the retrieved process name of the PID wasn't successfully added as a monitored process
Get-FileHash -path .\*1.5*.zip -algo sha256

Algorithm       Hash                                                                   Path
---------       ----                                                                   ----
SHA256          1CC76FAC345C46773C640F3DB6E58E660CB800D60CE069C8C6715C52563CDB64       CallMapper-1.5.zip
SHA256          FEB8729C28A4A4D9D3B2D30E6FE2DFD75CDB73622A7C3E11635C29B505D5D0ED       WhoYouCalling-1.5-x64-selfcontained.zip
SHA256          4C9D0779712A41213B8B59C40CE2878F7C0698988A8E38D1C8B5B8FF657E871A       WhoYouCalling-1.5-x86-selfcontained.zip
Assets 5
Loading

WhoYouCalling v1.4 📄🛠️

06 Jan 20:38
@H4NM H4NM
v1.4
1e8d78d
Compare
Choose a tag to compare
WhoYouCalling v1.4 📄🛠️

This release mainly adresses issues such as race conditions and mapping of processes. I've also added a summary text file that provides with a slight overview of all of the processes that have network activity and the entire monitoring session. It can be useful for when there are a lot of processes with network activity and its faster to review one file than reviewing multiple folders.

✨ Features

  • Added a monitoring summary text file

📄 Changes

  • Change compiled executable name from WhoYouCalling.exe to wyc.exe - its a cli tool after all :-)
  • Changed file names to be shorter and more concise
  • Remove JSON flag and create the JSON file regardless to avoid scenarios of missing crucial data.
  • Change default process name when unable to sucesfully map it
  • Added a spinner wheel to filtering processes
  • Changed default values for process start and stop time, and executable name to null for cleaner and consistent data output
  • Added github actions to ensure that wyc can be compiled from the source code
  • Updated and cleaned up README to reflect the changes
  • Refactoring and cleaning code

🛠️ Fixes:

  • Fix so that the DNS wireshark filter folder is not created if there are no wireshark filters to be created
  • Fix issue where entire BPF filter was not written to file
  • Solve issue with short lived processes that perform DNS queries that do not have process names included.
  • Solve issue where the DNS ETW event registers the process PID before the process start ETW does, causes for adding a process twice.
  • Implement fix against race condition issue with short lived processes that perform DNS queries as they're labeled as unmapped processes.
    • This is done by checking if the unmapped process has the same PID as the correctly mapped process and if it was added to monitoring close to the same time
  • Solve issue for possible duplicate processname, indicating they're the same process, although launched separately and happend to get the same PID. Likely hood is very small but it could happen that would make results add to the same process even though they're separate.

🚀 Next up:

  • Adress code that produces build warnings
  • Add IP and domain lookup for analysis. This will also be complemented by a network graph visualization to see the entire hierarchy of processes and child processes and the related DNS queries and TCP activity (v1.5)

If you have any suggestions, feedback or bug reports. I'd love to hear them

Get-FileHash -path .\WhoYouCalling-1.4*-selfcontained.zip -algo sha256

Algorithm       Hash                                                                   Path                                                                                      
---------       ----                                                                   ----                                                                                      
SHA256          91B578CA10707B68D7D71116E2FD914B2C090D190FE3991AB518D8C856CF84BC       WhoYouCalling-1.4-x64-selfcontained.zip
SHA256          4A8B8C9DE18D436ACFE54A7EFD93089790B4B282832E98E7A7E21C1D2A3631E6       WhoYouCalling-1.4-x86-selfcontained.zip
Loading

WhoYouCalling v1.3.2 💡

07 Dec 01:07
@H4NM H4NM
v1.3
2409d11
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
WhoYouCalling v1.3.2 💡

Features ✨:

  • Added third monitoring option called illuminate. By passing capital i flag (-I), WhoYouCalling records every TCPIP and DNS activity made by every running process on the machine. Can be used with packet capture. Ideally used for incident response, or simply when you're bored or curious for what processes are doing on your machine. This option is currently experimental so please report any issues that you may experience.
  • Changed the flag from --execnames to --names where a case insensitive pattern can be applied being checked towards processname and executable file name.
  • Enriched console output with spinner wheel and line indicating how many processes are being processed for outputting their results.
    (Updated the release for v1.3.1 and v1.3.2 to remove creating a filtered pcap based on the network traffic for all processes when using illuminate since that's not needed. I recommend using -s or --savefullpcap for retaining pcap with including traffic. Also added fail-safe handling for cataloging events that may be subjected to rare race condition events.

Get-FileHash -path .\WhoYouCalling-1.3*-selfcontained.zip -algo sha256

Algorithm       Hash                                                                   Path                            
---------       ----                                                                   ----                            
SHA256          1EF5FA3D51BA2282C9C709B7DECC48E896DF79C589729C86FC353D0DC6A0C712       WhoYouCalling-1.3.2-x64-selfcontained.zip
SHA256          6D1BD2E1E5A2497CD3CC22C92C87D224880221CD08D7711A83AF11713833400F       WhoYouCalling-1.3.2-x86-selfcontained.zip
Loading

WhoYouCalling v1.2 🛰️

20 Oct 20:00
@H4NM H4NM
v1.2
468b147
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
WhoYouCalling v1.2 🛰️

Features ✨

  • A Wireshark filter is created per DNS response. In other words, when a process wants to communicate with example-domain.com, a DNS request is made for that domain to retrieve an IP-adresses to communicate with. The response for that requests, if it includes an IP-adress or more, will result in a Wireshark filter. This can be used with a generated pcap for that process, further helping in analysing process telemetry.
  • Added the command line of started processes. This provides additional insight to the use and intent of spawned processes, which may also fill in some gaps where some endpoints are communicated with or domain names being resolved.
  • Add output of assigned IP-adresses to interfaces to make it easier identify which interface to monitor for packet capture.
Get-FileHash -path .\WhoYouCalling-1.2-*-selfcontained.zip -algo sha256

Algorithm       Hash                                                                   Path
---------       ----                                                                   ----
SHA256          081AFC562CC9618C4CACE4A3407FF01BC374A9F2D8151266E62878F18EB63781       WhoYouCalling-1.2-x64-s...
SHA256          94F69313A677F7D33FCC1229C668326230A7DFDF3E8ADAC597E1E759F1722855       WhoYouCalling-1.2-x86-s...

#WhyMyLsassPingingReddit :suspect:

Loading

WhoYouCalling v1.1.1 🛠️

12 Oct 11:33
@H4NM H4NM
v1.1.1
51d15d8
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
WhoYouCalling v1.1.1 🛠️

Added functionality to run without npcap drivers. This will of course not allow for packet capture, but it makes WhoYouCalling more lightweight and suitable for the cases where only understanding IF a process is reaching out and where is of importance, rather than seeing exactly what is being sent and/or received. To run without packet capture simply append the flag --nopcap. However, if you want packet capture, you can download the npcap drivers from here: https://npcap.com/#download

In the future only major and minor version updates will include release files. This was an exception as making the npcap drivers optional was worth the new release.

Get-FileHash -path .\WhoYouCalling-1.1.1-*-selfcontained.zip -algo sha256

Algorithm       Hash                                                                   Path
---------       ----                                                                   ----
SHA256          ABBEBD8DFB1F15782E84DDBE8B3B9E412A385CE98FD304F5C7E3FED85D59E178       WhoYouCalling-1.1.1-x64-s...
SHA256          5CA6BA74DC5487BD4B98395FFE91D54E280D1E79F1C01AA7519D2B87E9A8E5B8       WhoYouCalling-1.1.1-x86-s...
Loading

WhoYouCalling v1.1 🚀

07 Oct 21:40
@H4NM H4NM
v1.1
e4983f5
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
WhoYouCalling v1.1 🚀

Notable changes are the addition of two arguments. One for executing applications in an elevated state and the second being able to run them as another user. Please read the limitations part in the README.md to see exactly how it works. Also changed the flag of specifying the PID to captial P rather than lower case in order to conform to some form of standardization when providing username and password (-u and -p).

Note: To run WhoYoucalling, you need to have npcap installed on Windows. Download --> https://npcap.com/#download. If it's not installed it will complain that wpcap.dll is missing.

Get-FileHash -path .\WhoYouCalling-1.1-*-selfcontained.zip -algo sha256

Algorithm       Hash                                                                   Path
---------       ----                                                                   ----
SHA256          0AEDAFAB8EB49859C2C3C784648EE623EC51D50D2DB9925A7243746E1B0A4FCB   WhoYouCalling-1.1-x64-selfcontained.zip
SHA256          2A3EE815BA688FD1E29ADE9C4EBFFCE6861DC8293D188C0101208F829EDC77E1   WhoYouCalling-1.1-x86-selfcontained.zip
Loading

WhoYouCalling v1.0

29 Sep 19:18
@H4NM H4NM
v1.0
f34c724
Compare
Choose a tag to compare
WhoYouCalling v1.0

First Release ✨ (1.0)

Note: You need to have npcap installed on Windows before running. Download --> https://npcap.com/#download. If it's not installed it will complain that wpcap.dll is missing.

In the future single binaries with statically packed libraries will be provided. The following releases are self contained and should be ready to for direct use.

sha256
WhoYouCalling-1.0-x64-selfcontained.zip: 9DBE3CAF6B01B2468727BB9D002613AD630BDD50FCC9D3E4153A9B13AE63417E
WhoYouCalling-1.0-x86-selfcontained.zip: EDEE00DC1D0B51AAC0295806AB68FB979E2B13A55E7197213E83A63C50A6742E

Loading