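/// <summary>
/// Picks the host name of the entry with the newest <c>TimeStamp</c>.
/// </summary>
/// <param name="cacheEntries">Host-name entries recorded for one remote address; may be null or empty.</param>
/// <returns>
/// The host name of the most recently stamped entry, or <c>null</c> when
/// <paramref name="cacheEntries"/> is null or contains no entries.
/// </returns>
public static string FindMostRecentHost(List<HostNameEntry> cacheEntries)
{
    if (cacheEntries == null)
    {
        return null;
    }

    HostNameEntry bestEntry = null;
    foreach (var curEntry in cacheEntries)
    {
        // Strict '>' means that on equal time stamps the earlier entry in the list wins.
        if (bestEntry == null || curEntry.TimeStamp > bestEntry.TimeStamp)
        {
            bestEntry = curEntry;
        }
    }

    // bestEntry stays null for an empty list, so this yields null rather than throwing.
    return bestEntry?.HostName;
}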
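/// <summary>
/// Consumes a DNS-client ETW record (event ids 1001 and 1004 only): records which
/// host name the querying process resolved to which addresses in the per-process
/// DNS cache, then raises <see cref="DnsQueryEvent"/> from the engine thread.
/// </summary>
/// <param name="record">
/// The raw ETW record. Its NodeName (queried name) and Result (';'-separated answer
/// list) payload fields are taken as-is from the event and may be absent.
/// </param>
private void OnDnsQueryEvent(Microsoft.O365.Security.ETW.IEventRecord record)
{
    // WARNING: this function is called from the worker thread
    if (record.Id != 1001 && record.Id != 1004)
    {
        return;
    }

    DateTime timeStamp = record.Timestamp;
    int processId = (int)record.ProcessId;
    string hostName = record.GetUnicodeString("NodeName", null);
    string results = record.GetUnicodeString("Result", null);

    if (processId == ProcFunc.CurID)
    {
        return; // ignore these events as thay are the result of reverse dns querries....
    }

    // Both fields default to null when the payload lacks them; Split() on a null
    // result list and TryGetValue() with a null key would throw inside the engine thread.
    if (hostName == null || results == null)
    {
        return;
    }

    /*
     * "192.168.163.1" "192.168.163.1;"
     * "localhost" "[::1]:8307;127.0.0.1:8307;" <- wtf is this why is there a port?!
     * "DESKTOP" "fe80::189a:f1c3:3e87:be81%12;192.168.10.12;"
     * "telemetry.malwarebytes.com" "54.149.69.204;54.200.191.52;54.70.191.27;54.149.66.105;54.244.17.248;54.148.98.86;"
     * "web.whatsapp.com" "31.13.84.51;"
     */
    AppLog.Debug("Etw dns_query {0} => {1} for {2}", hostName, results, processId);

    App.engine?.RunInEngineThread(() =>
    {
        // Note: this happens in the engine thread
        List<IPAddress> remoteAddresses = new List<IPAddress>();
        Dictionary<IPAddress, Dictionary<string, HostNameEntry>> dnsCache = null;

        foreach (string result in results.Split(new char[] { ';' }, StringSplitOptions.RemoveEmptyEntries))
        {
            IPAddress address = null;
            // Second attempt strips the ":port" suffix seen in the samples above;
            // presumably Split2 cuts at the last ':' — confirm against TextHelpers.
            if (!IPAddress.TryParse(result, out address)
             && !IPAddress.TryParse(TextHelpers.Split2(result, ":", true).Item1, out address))
            {
                continue;
            }
            remoteAddresses.Add(address);

            // The per-process cache is created lazily so an answer list with no
            // parseable address leaves the cache untouched, as before.
            if (dnsCache == null)
            {
                dnsCache = dnsQueryCache.GetOrCreate(processId);
            }
            Dictionary<string, HostNameEntry> cacheEntries = dnsCache.GetOrCreate(address);

            HostNameEntry cacheEntry;
            if (!cacheEntries.TryGetValue(hostName, out cacheEntry))
            {
                cacheEntry = new HostNameEntry() { HostName = hostName };
                cacheEntries.Add(hostName, cacheEntry);
            }
            // Always refresh, so FindMostRecentHost sees the latest resolution of this name.
            cacheEntry.TimeStamp = timeStamp;
        }

        DnsQueryEvent?.Invoke(this, new DnsEvent()
        {
            ProcessId = processId,
            HostName = hostName,
            RemoteAddresses = remoteAddresses,
            TimeStamp = timeStamp
        });
    });
}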