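        /// <summary>
        /// Returns the host name of the cache entry with the newest <c>TimeStamp</c>.
        /// </summary>
        /// <param name="cacheEntries">Entries to scan; may be null or empty.</param>
        /// <returns>
        /// The <c>HostName</c> of the entry with the greatest <c>TimeStamp</c>, or null when
        /// <paramref name="cacheEntries"/> is null or empty. On equal time stamps the entry that
        /// appears first in list order wins (the comparison is strict).
        /// </returns>
        /// <remarks>
        /// NOTE(review): this appears to be used to attribute an IP address back to a host name from
        /// the per-process DNS cache. A process can resolve several names to the same address, so the
        /// result is a best-effort hint, not an authoritative mapping — confirm against the caller.
        /// </remarks>
        public static string FindMostRecentHost(List <HostNameEntry> cacheEntries)
        {
            if (cacheEntries == null)
            {
                return(null);
            }

            HostNameEntry newest = null;

            foreach (var candidate in cacheEntries)
            {
                // Strict '>' keeps the first of several entries sharing the newest time stamp.
                bool isNewer = newest == null || candidate.TimeStamp > newest.TimeStamp;
                if (isNewer)
                {
                    newest = candidate;
                }
            }

            return(newest?.HostName);
        }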
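        /// <summary>
        /// ETW callback for DNS client query events (IDs 1001 and 1004). Records which host name a
        /// process resolved to which addresses in <c>dnsQueryCache</c> and raises <c>DnsQueryEvent</c>.
        /// </summary>
        /// <param name="record">The raw ETW event; only Timestamp, ProcessId, "NodeName" and "Result" are read.</param>
        /// <remarks>
        /// Called on the ETW worker thread. All cache writes and the event invocation are deferred to
        /// the engine thread via <c>App.engine.RunInEngineThread</c>, so nothing shared is touched here.
        ///
        /// Security note: "NodeName" and "Result" are supplied by whichever process issued the DNS
        /// query, so they are untrusted text. They are used only as dictionary keys and in a debug log
        /// line; treat them as attribution hints, not facts. A process issuing many distinct lookups
        /// grows its per-process cache without bound in this method — any eviction must happen
        /// elsewhere (not visible here).
        ///
        /// Fix: both strings default to null when the field is absent. Previously a null "Result"
        /// threw on <c>Split</c> and a null "NodeName" threw in <c>TryGetValue</c>, both on the engine
        /// thread. Missing results are now treated as "no addresses" and a missing name skips the
        /// cache update but still raises the event.
        /// </remarks>
        private void OnDnsQueryEvent(Microsoft.O365.Security.ETW.IEventRecord record)
        {
            // WARNING: this function is called from the worker thread

            if (record.Id != 1001 && record.Id != 1004)
            {
                return;
            }

            DateTime TimeStamp = record.Timestamp;
            int      ProcessId = (int)record.ProcessId;
            var      HostName  = record.GetUnicodeString("NodeName", null);
            var      Results   = record.GetUnicodeString("Result", null) ?? string.Empty;

            if (ProcessId == ProcFunc.CurID)
            {
                return; // our own lookups (e.g. reverse DNS) would otherwise feed back into the cache
            }

            /*
             * Observed "NodeName" / "Result" pairs:
             * "192.168.163.1" "192.168.163.1;"
             * "localhost" "[::1]:8307;127.0.0.1:8307;" <- some results carry a port suffix
             * "DESKTOP" "fe80::189a:f1c3:3e87:be81%12;192.168.10.12;"
             * "telemetry.malwarebytes.com" "54.149.69.204;54.200.191.52;54.70.191.27;54.149.66.105;54.244.17.248;54.148.98.86;"
             * "web.whatsapp.com" "31.13.84.51;"
             */

            AppLog.Debug("Etw dns_query {0} => {1} for {2}", HostName, Results, ProcessId);

            App.engine?.RunInEngineThread(() =>
            {
                // Note: this happens in the engine thread

                List <IPAddress> RemoteAddresses = new List <IPAddress>();

                // Resolved lazily on the first parsable address so an event without any usable
                // result does not create an empty per-process cache entry.
                Dictionary <IPAddress, Dictionary <string, HostNameEntry> > dnsCache = null;

                foreach (string Result in Results.Split(new char[] { ';' }, StringSplitOptions.RemoveEmptyEntries))
                {
                    IPAddress Address;
                    // Second attempt strips a trailing ":port" (Split2 with 'true' presumably splits at
                    // the last ':' — TODO confirm against TextHelpers) so "[::1]:8307" still parses.
                    if (!IPAddress.TryParse(Result, out Address) && !IPAddress.TryParse(TextHelpers.Split2(Result, ":", true).Item1, out Address))
                    {
                        continue;
                    }

                    RemoteAddresses.Add(Address);

                    if (HostName == null)
                    {
                        continue; // nothing to key the cache on; the event below is still raised
                    }

                    if (dnsCache == null)
                    {
                        dnsCache = dnsQueryCache.GetOrCreate(ProcessId);
                    }

                    Dictionary <string, HostNameEntry> cacheEntries = dnsCache.GetOrCreate(Address);

                    HostNameEntry cacheEntry;
                    if (!cacheEntries.TryGetValue(HostName, out cacheEntry))
                    {
                        cacheEntry = new HostNameEntry()
                        {
                            HostName = HostName
                        };
                        cacheEntries.Add(HostName, cacheEntry);
                    }

                    // Always refresh, so FindMostRecentHost prefers the latest lookup of this name.
                    cacheEntry.TimeStamp = TimeStamp;
                }

                DnsQueryEvent?.Invoke(this, new DnsEvent()
                {
                    ProcessId = ProcessId, HostName = HostName, RemoteAddresses = RemoteAddresses, TimeStamp = TimeStamp
                });
            });
        }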