コード例 #1
0
ファイル: Program.cs プロジェクト: safino9/priv10
        public void AddSocket(NetworkSocket socket)
        {
            Sockets.Add(socket.guid, socket);

            socket.HostNameChanged += OnHostChanged;
            OnHostChanged(socket, null);
        }
コード例 #2
0
ファイル: Program.cs プロジェクト: safino9/priv10
        public void RemoveSocket(NetworkSocket socket)
        {
            OldUpload   += socket.Stats.SentBytes;
            OldDownload += socket.Stats.ReceivedBytes;

            Sockets.Remove(socket.guid);

            DnsEntry Entry = GetDnsEntry(socket.RemoteHostName, socket.RemoteAddress);

            if (Entry != null)
            {
                Entry.OldUpload   += socket.Stats.SentBytes;
                Entry.OldDownload += socket.Stats.ReceivedBytes;
                Entry.OldConCounter++;
            }
        }
コード例 #3
0
ファイル: NetworkSocket.cs プロジェクト: Spartinus/priv10
        public NetworkSocket(int processId, UInt32 protocolType, IPAddress localAddress, UInt16 localPort, IPAddress remoteAddress, UInt16 remotePort)
        {
            guid = Guid.NewGuid();

            Stats = new NetworkStats();

            ProcessId = processId;

            ProtocolType  = protocolType;
            LocalAddress  = localAddress;
            LocalPort     = localPort;
            RemoteAddress = remoteAddress;
            RemotePort    = remotePort;

            HashID = NetworkSocket.MkHash(ProcessId, ProtocolType, LocalAddress, LocalPort, RemoteAddress, RemotePort);
        }
コード例 #4
0
ファイル: NetworkMonitor.cs プロジェクト: goofwear/priv10
        private NetworkSocket FindSocket(MultiValueDictionary <UInt64, NetworkSocket> List, int ProcessId, UInt32 ProtocolType, IPAddress LocalAddress, UInt16 LocalPort, IPAddress RemoteAddress, UInt16 RemotePort, NetworkSocket.MatchMode Mode)
        {
            UInt64 HashID = NetworkSocket.MkHash(ProcessId, ProtocolType, LocalAddress, LocalPort, RemoteAddress, RemotePort);

            List <NetworkSocket> Matches = List.GetValues(HashID, false);

            if (Matches != null)
            {
                foreach (NetworkSocket CurSocket in Matches)
                {
                    if (CurSocket.Match(ProcessId, ProtocolType, LocalAddress, LocalPort, RemoteAddress, RemotePort, Mode))
                    {
                        return(CurSocket);
                    }
                }
            }

            return(null);
        }
コード例 #5
0
 protected byte[] PutSock(NetworkSocket socket)
 {
     return(PutXmlObj(socket));
 }
コード例 #6
0
 public void RemoveSocket(NetworkSocket socket)
 {
     Sockets.Remove(socket.guid);
 }
コード例 #7
0
 public void AddSocket(NetworkSocket socket)
 {
     socket.Assigned = true;
     Sockets.Add(socket.guid, socket);
 }
コード例 #8
0
        public Tuple <int, int> LookupRuleAccess(NetworkSocket Socket)
        {
            int AllowOutProfiles = 0;
            int BlockOutProfiles = 0;
            int AllowInProfiles  = 0;
            int BlockInProfiles  = 0;

            int Protocol = 0;

            if ((Socket.ProtocolType & (UInt32)IPHelper.AF_PROT.TCP) != 0)
            {
                Protocol = (int)IPHelper.AF_PROT.TCP;
            }
            else if ((Socket.ProtocolType & (UInt32)IPHelper.AF_PROT.UDP) != 0)
            {
                Protocol = (int)IPHelper.AF_PROT.UDP;
            }
            else
            {
                return(Tuple.Create(0, 0));
            }

            foreach (FirewallRule rule in Rules.Values)
            {
                if (!rule.Enabled)
                {
                    continue;
                }

                if (rule.Protocol != (int)NetFunc.KnownProtocols.Any && Protocol != rule.Protocol)
                {
                    continue;
                }
                if (Protocol == (int)IPHelper.AF_PROT.TCP)
                {
                    if (!FirewallRule.MatchEndpoint(rule.RemoteAddresses, rule.RemotePorts, Socket.RemoteAddress, Socket.RemotePort))
                    {
                        continue;
                    }
                }
                if (!FirewallRule.MatchEndpoint(rule.LocalAddresses, rule.LocalPorts, Socket.LocalAddress, Socket.LocalPort))
                {
                    continue;
                }

                switch (rule.Direction)
                {
                case FirewallRule.Directions.Outboun:
                {
                    if (rule.Action == FirewallRule.Actions.Allow)
                    {
                        AllowOutProfiles |= rule.Profile;
                    }
                    else if (rule.Action == FirewallRule.Actions.Block)
                    {
                        BlockOutProfiles |= rule.Profile;
                    }
                    break;
                }

                case FirewallRule.Directions.Inbound:
                {
                    if (rule.Action == FirewallRule.Actions.Allow)
                    {
                        AllowInProfiles |= rule.Profile;
                    }
                    else if (rule.Action == FirewallRule.Actions.Block)
                    {
                        BlockInProfiles |= rule.Profile;
                    }
                    break;
                }
                }
            }

            for (int i = 0; i < FirewallManager.FwProfiles.Length; i++)
            {
                if ((AllowOutProfiles & (int)FirewallManager.FwProfiles[i]) == 0 &&
                    (BlockOutProfiles & (int)FirewallManager.FwProfiles[i]) == 0)
                {
                    if (App.engine.FirewallManager.GetDefaultOutboundAction(FirewallManager.FwProfiles[i]) == FirewallRule.Actions.Allow)
                    {
                        AllowOutProfiles |= (int)FirewallManager.FwProfiles[i];
                    }
                    else
                    {
                        BlockOutProfiles |= (int)FirewallManager.FwProfiles[i];
                    }
                }

                if ((AllowInProfiles & (int)FirewallManager.FwProfiles[i]) == 0 &&
                    (BlockInProfiles & (int)FirewallManager.FwProfiles[i]) == 0)
                {
                    if (App.engine.FirewallManager.GetDefaultInboundAction(FirewallManager.FwProfiles[i]) == FirewallRule.Actions.Allow)
                    {
                        AllowInProfiles |= (int)FirewallManager.FwProfiles[i];
                    }
                    else
                    {
                        BlockInProfiles |= (int)FirewallManager.FwProfiles[i];
                    }
                }
            }

            AllowOutProfiles &= ~BlockOutProfiles;
            AllowInProfiles  &= ~BlockInProfiles;

            return(Tuple.Create(AllowOutProfiles, AllowInProfiles));
        }
コード例 #9
0
ファイル: NetworkMonitor.cs プロジェクト: goofwear/priv10
        public void UpdateSockets()
        {
            UInt64 curTick  = MiscFunc.GetTickCount64();
            UInt64 Interval = curTick - LastUpdate;

            LastUpdate = curTick;

            List <IPHelper.I_SOCKET_ROW> Sockets = new List <IPHelper.I_SOCKET_ROW>();

            // enum all ockets
            IntPtr tcp4Table = IPHelper.GetTcpSockets(ref Sockets);
            IntPtr tcp6Table = IPHelper.GetTcp6Sockets(ref Sockets);
            IntPtr udp4Table = IPHelper.GetUdpSockets(ref Sockets);
            IntPtr udp6Table = IPHelper.GetUdp6Sockets(ref Sockets);

            MultiValueDictionary <UInt64, NetworkSocket> OldSocketList = SocketList.Clone();

            for (int i = 0; i < Sockets.Count; i++)
            {
                IPHelper.I_SOCKET_ROW SocketRow = Sockets[i];

                NetworkSocket Socket = FindSocket(OldSocketList, SocketRow.ProcessId, SocketRow.ProtocolType, SocketRow.LocalAddress, SocketRow.LocalPort, SocketRow.RemoteAddress, SocketRow.RemotePort, NetworkSocket.MatchMode.Strict);
                if (Socket != null)
                {
                    //AppLog.Debug("Found Socket {0}:{1} {2}:{3}", Socket.LocalAddress, Socket.LocalPort, Socket.RemoteAddress, Socket.RemotePort);
                    OldSocketList.Remove(Socket.HashID, Socket);
                }
                else
                {
                    Socket = new NetworkSocket(SocketRow.ProcessId, SocketRow.ProtocolType, SocketRow.LocalAddress, SocketRow.LocalPort, SocketRow.RemoteAddress, SocketRow.RemotePort);
                    //AppLog.Debug("Added Socket {0}:{1} {2}:{3}", Socket.LocalAddress, Socket.LocalPort, Socket.RemoteAddress, Socket.RemotePort);
                    SocketList.Add(Socket.HashID, Socket);
                }

                // Note: sockets observed using ETW are not yet initialized as we are missing owner informations there
                if (Socket.ProgID == null)
                {
                    Socket.CreationTime = SocketRow.CreationTime;

                    if (App.engine.DnsInspector != null && Socket.RemoteAddress != null)
                    {
                        App.engine.DnsInspector.GetHostName(Socket.ProcessId, Socket.RemoteAddress, Socket, NetworkSocket.HostSetter);
                    }

                    var moduleInfo = SocketRow.Module;
                    if (moduleInfo == null || moduleInfo.ModulePath.Equals("System", StringComparison.OrdinalIgnoreCase))
                    {
                        Socket.ProgID = ProgramID.NewID(ProgramID.Types.System);
                    }
                    else
                    {
                        string fileName   = moduleInfo.ModulePath;
                        string serviceTag = moduleInfo.ModuleName;

                        // Note: for services and system TCPIP_OWNER_MODULE_BASIC_INFO.pModuleName is the same TCPIP_OWNER_MODULE_BASIC_INFO.pModulePath
                        // hence we don't have the actuall exe path and we will have to resolve it.
                        if (serviceTag.Equals(fileName))
                        {
                            fileName = null; // filename not valid
                        }
                        else
                        {
                            serviceTag = null; // service tag not valid
                        }
                        Socket.ProgID = App.engine.GetProgIDbyPID(Socket.ProcessId, serviceTag, fileName);
                    }
                }

                Socket.Update(SocketRow, Interval);

                //IPHelper.ModuleInfo Info = SocketRow.Module;
                //AppLog.Debug("Socket {0}:{1} {2}:{3} {4}", Socket.LocalAddress, Socket.LocalPort, Socket.RemoteAddress, Socket.RemotePort, (Info != null ? (Info.ModulePath + " (" + Info.ModuleName + ")") : "") + " [PID: " + Socket.ProcessId + "]");
            }

            foreach (NetworkSocket Socket in OldSocketList.GetAllValues())
            {
                bool bIsUDPPseudoCon = (Socket.ProtocolType & (UInt32)IPHelper.AF_PROT.UDP) == (UInt32)IPHelper.AF_PROT.UDP && Socket.RemotePort != 0;

                // Note: sockets observed using ETW are not yet initialized as we are missing owner informations there
                if (Socket.ProgID == null)
                {
                    Socket.CreationTime = DateTime.Now;

                    if (App.engine.DnsInspector != null && Socket.RemoteAddress != null)
                    {
                        App.engine.DnsInspector.GetHostName(Socket.ProcessId, Socket.RemoteAddress, Socket, NetworkSocket.HostSetter);
                    }

                    // Note: etw captured connections does not handle services to well :/
                    Socket.ProgID = App.engine.GetProgIDbyPID(Socket.ProcessId, null, null);
                }

                Socket.Update(null, Interval);

                if (bIsUDPPseudoCon && (DateTime.Now - Socket.LastActivity).TotalMilliseconds < 5000) // 5 sec // todo: customize udp pseudo con time
                {
                    OldSocketList.Remove(Socket.HashID, Socket);

                    if (Socket.RemovedTimeStamp != 0)
                    {
                        Socket.RemovedTimeStamp = 0;
                    }
                }
                else
                {
                    Socket.State = (int)IPHelper.MIB_TCP_STATE.CLOSED;
                }
            }

            UInt64 CurTick = MiscFunc.GetCurTick();

            foreach (NetworkSocket Socket in OldSocketList.GetAllValues())
            {
                if (Socket.RemovedTimeStamp == 0)
                {
                    Socket.RemovedTimeStamp = CurTick;
                }
                else if (Socket.RemovedTimeStamp < CurTick + 3000) // todo: customize retention time
                {
                    SocketList.Remove(Socket.HashID, Socket);

                    Socket.Program?.RemoveSocket(Socket);
                }

                //AppLog.Debug("Removed Socket {0}:{1} {2}:{3}", CurSocket.LocalAddress, CurSocket.LocalPort, CurSocket.RemoteAddress, CurSocket.RemotePort);
            }

            // cleanup
            if (tcp4Table != IntPtr.Zero)
            {
                Marshal.FreeHGlobal(tcp4Table);
            }
            if (tcp6Table != IntPtr.Zero)
            {
                Marshal.FreeHGlobal(tcp6Table);
            }
            if (udp4Table != IntPtr.Zero)
            {
                Marshal.FreeHGlobal(udp4Table);
            }
            if (udp6Table != IntPtr.Zero)
            {
                Marshal.FreeHGlobal(udp6Table);
            }
        }
コード例 #10
0
ファイル: NetworkMonitor.cs プロジェクト: goofwear/priv10
        private void OnNetworkEvent(Microsoft.O365.Security.ETW.IEventRecord record)
        {
            // WARNING: this function is called from the worker thread

            EtwNetEventType Type         = EtwNetEventType.Unknown;
            UInt32          ProtocolType = 0;

            switch (record.Opcode)
            {
            case 0x0a:     // send
                Type         = EtwNetEventType.Send;
                ProtocolType = (UInt32)IPHelper.AF_INET.IP4 << 8;
                break;

            case 0x0b:     // receive
                Type         = EtwNetEventType.Recv;
                ProtocolType = (UInt32)IPHelper.AF_INET.IP4 << 8;
                break;

            case 0x0a + 16:     // send ipv6
                Type         = EtwNetEventType.Send;
                ProtocolType = (UInt32)IPHelper.AF_INET.IP6 << 8;
                break;

            case 0x0b + 16:     // receive ipv6
                Type         = EtwNetEventType.Recv;
                ProtocolType = (UInt32)IPHelper.AF_INET.IP6 << 8;
                break;

            default:
                return;
            }

            if (record.ProviderId.Equals(TcpIpGuid))
            {
                ProtocolType |= (UInt32)IPHelper.AF_PROT.TCP;
            }
            else if (record.ProviderId.Equals(UdpIpGuid))
            {
                ProtocolType |= (UInt32)IPHelper.AF_PROT.UDP;
            }
            else
            {
                return;
            }

            int    ProcessId    = -1;
            UInt32 TransferSize = 0;

            IPAddress LocalAddress  = null;
            UInt16    LocalPort     = 0;
            IPAddress RemoteAddress = null;
            UInt16    RemotePort    = 0;

            if ((ProtocolType & ((UInt32)IPHelper.AF_INET.IP4 << 8)) == ((UInt32)IPHelper.AF_INET.IP4 << 8))
            {
                TcpIpOrUdpIp_IPV4_Header data = (TcpIpOrUdpIp_IPV4_Header)Marshal.PtrToStructure(record.UserData, typeof(TcpIpOrUdpIp_IPV4_Header));

                ProcessId    = (int)data.PID;
                TransferSize = data.size;

                LocalAddress = new IPAddress((UInt32)data.saddr);
                LocalPort    = (UInt16)IPAddress.NetworkToHostOrder((short)data.sport);

                RemoteAddress = new IPAddress((UInt32)data.daddr);
                RemotePort    = (UInt16)IPAddress.NetworkToHostOrder((short)data.dport);
            }
            else if ((ProtocolType & ((UInt32)IPHelper.AF_INET.IP6 << 8)) == ((UInt32)IPHelper.AF_INET.IP6 << 8))
            {
                TcpIpOrUdpIp_IPV6_Header data = (TcpIpOrUdpIp_IPV6_Header)Marshal.PtrToStructure(record.UserData, typeof(TcpIpOrUdpIp_IPV6_Header));

                ProcessId    = (int)data.PID;
                TransferSize = data.size;

                LocalAddress = new IPAddress(data.saddr);
                LocalPort    = (UInt16)IPAddress.NetworkToHostOrder((short)data.sport);

                RemoteAddress = new IPAddress(data.daddr);
                RemotePort    = (UInt16)IPAddress.NetworkToHostOrder((short)data.dport);
            }
            else
            {
                return;
            }

            // Note: Incomming UDP packets have the endpoints swaped :/
            if ((ProtocolType & (UInt32)IPHelper.AF_PROT.UDP) == (UInt32)IPHelper.AF_PROT.UDP && Type == EtwNetEventType.Recv)
            {
                IPAddress TempAddresss = LocalAddress;
                UInt16    TempPort     = LocalPort;
                LocalAddress  = RemoteAddress;
                LocalPort     = RemotePort;
                RemoteAddress = TempAddresss;
                RemotePort    = TempPort;
            }

            App.engine?.RunInEngineThread(() =>
            {
                // Note: this happens in the engine thread

                NetworkSocket Socket = FindSocket(SocketList, ProcessId, ProtocolType, LocalAddress, LocalPort, RemoteAddress, RemotePort, NetworkSocket.MatchMode.Strict);
                if (Socket == null)
                {
                    Socket = new NetworkSocket(ProcessId, ProtocolType, LocalAddress, LocalPort, RemoteAddress, RemotePort);
                    SocketList.Add(Socket.HashID, Socket);
                }

                switch (Type)
                {
                case EtwNetEventType.Send:  Socket.CountUpload(TransferSize); break;

                case EtwNetEventType.Recv:  Socket.CountDownload(TransferSize); break;
                }
            });
        }
コード例 #11
0
        public void UpdateSockets()
        {
            UInt64 curTick  = MiscFunc.GetTickCount64();
            UInt64 Interval = curTick - LastUpdate;

            LastUpdate = curTick;

            List <IPHelper.I_SOCKET_ROW> Sockets = new List <IPHelper.I_SOCKET_ROW>();

            // enum all ockets
            IntPtr tcp4Table = IPHelper.GetTcpSockets(ref Sockets);
            IntPtr tcp6Table = IPHelper.GetTcp6Sockets(ref Sockets);
            IntPtr udp4Table = IPHelper.GetUdpSockets(ref Sockets);
            IntPtr udp6Table = IPHelper.GetUdp6Sockets(ref Sockets);

            MultiValueDictionary <UInt64, NetworkSocket> OldSocketList = SocketList.Clone();

            for (int i = 0; i < Sockets.Count; i++)
            {
                IPHelper.I_SOCKET_ROW SocketRow = Sockets[i];

                NetworkSocket Socket = FindSocket(OldSocketList, SocketRow.ProcessId, SocketRow.ProtocolType, SocketRow.LocalAddress, SocketRow.LocalPort, SocketRow.RemoteAddress, SocketRow.RemotePort, NetworkSocket.MatchMode.Strict);
                if (Socket != null)
                {
                    //AppLog.Debug("Found Socket {0}:{1} {2}:{3}", Socket.LocalAddress, Socket.LocalPort, Socket.RemoteAddress, Socket.RemotePort);
                    OldSocketList.Remove(Socket.HashID, Socket);
                }
                else
                {
                    Socket = new NetworkSocket(SocketRow.ProcessId, SocketRow.ProtocolType, SocketRow.LocalAddress, SocketRow.LocalPort, SocketRow.RemoteAddress, SocketRow.RemotePort);
                    //AppLog.Debug("Added Socket {0}:{1} {2}:{3}", Socket.LocalAddress, Socket.LocalPort, Socket.RemoteAddress, Socket.RemotePort);
                    SocketList.Add(Socket.HashID, Socket);
                }

                // Note: sockets observed using ETW are not yet initialized as we are missing owner informations there
                if (Socket.ProgID == null)
                {
                    Socket.CreationTime = SocketRow.CreationTime;

                    if (Socket.RemoteAddress != null)
                    {
                        App.engine.DnsInspector.GetHostName(Socket.ProcessId, Socket.RemoteAddress, Socket, NetworkSocket.HostSetter);
                    }

                    var moduleInfo = SocketRow.Module;
                    if (moduleInfo == null || moduleInfo.ModulePath.Equals("System", StringComparison.OrdinalIgnoreCase))
                    {
                        Socket.ProgID = ProgramID.NewID(ProgramID.Types.System);
                    }
                    else
                    {
                        string fileName   = moduleInfo.ModulePath;
                        string serviceTag = moduleInfo.ModuleName;

                        // Note: for services and system TCPIP_OWNER_MODULE_BASIC_INFO.pModuleName is the same TCPIP_OWNER_MODULE_BASIC_INFO.pModulePath
                        // hence we don't have the actuall exe path and we will have to resolve it.
                        if (serviceTag.Equals(fileName))
                        {
                            fileName = null; // filename not valid
                        }
                        else
                        {
                            serviceTag = null; // service tag not valid
                        }
                        Socket.ProgID = App.engine.GetProgIDbyPID(Socket.ProcessId, serviceTag, fileName);
                    }
                }

                // a program may have been removed than the sockets get unasigned and has to be re asigned
                if (Socket.Assigned == false)
                {
                    Program prog = Socket.ProgID == null ? null : App.engine.ProgramList.GetProgram(Socket.ProgID, true, ProgramList.FuzzyModes.Any);
                    prog?.AddSocket(Socket);
                    if (prog != null)
                    {
                        Socket.Access = prog.LookupRuleAccess(Socket);
                    }
                }

                Socket.Update(SocketRow, Interval);

                //IPHelper.ModuleInfo Info = SocketRow.Module;
                //AppLog.Debug("Socket {0}:{1} {2}:{3} {4}", Socket.LocalAddress, Socket.LocalPort, Socket.RemoteAddress, Socket.RemotePort, (Info != null ? (Info.ModulePath + " (" + Info.ModuleName + ")") : "") + " [PID: " + Socket.ProcessId + "]");
            }

            UInt64 CurTick = MiscFunc.GetCurTick();

            foreach (NetworkSocket Socket in OldSocketList.GetAllValues())
            {
                if (Socket.RemovedTimeStamp == 0)
                {
                    Socket.RemovedTimeStamp = CurTick;
                }
                else if (Socket.RemovedTimeStamp < CurTick + 3000) // todo: customize retention time
                {
                    SocketList.Remove(Socket.HashID, Socket);

                    Program prog = Socket.ProgID == null ? null : App.engine.ProgramList.GetProgram(Socket.ProgID);
                    prog?.RemoveSocket(Socket);
                }

                //AppLog.Debug("Removed Socket {0}:{1} {2}:{3}", CurSocket.LocalAddress, CurSocket.LocalPort, CurSocket.RemoteAddress, CurSocket.RemotePort);
            }

            // cleanup
            if (tcp4Table != IntPtr.Zero)
            {
                Marshal.FreeHGlobal(tcp4Table);
            }
            if (tcp6Table != IntPtr.Zero)
            {
                Marshal.FreeHGlobal(tcp6Table);
            }
            if (udp4Table != IntPtr.Zero)
            {
                Marshal.FreeHGlobal(udp4Table);
            }
            if (udp6Table != IntPtr.Zero)
            {
                Marshal.FreeHGlobal(udp6Table);
            }
        }