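/// <summary>
/// Registers <paramref name="socket"/> with this program, keyed by its guid, and starts
/// following its host-name changes so the DNS bookkeeping is refreshed now and on every later change.
/// </summary>
/// <param name="socket">Socket to attach; must not be null.</param>
/// <exception cref="ArgumentNullException"><paramref name="socket"/> is null.</exception>
public void AddSocket(NetworkSocket socket)
{
    // Fail with a named argument error instead of a NullReferenceException further down.
    if (socket == null)
        throw new ArgumentNullException(nameof(socket));

    Sockets.Add(socket.guid, socket);

    // Subscribe first, then run the handler once so the entry reflects the current host name
    // even if it never changes afterwards.
    socket.HostNameChanged += OnHostChanged;
    OnHostChanged(socket, null);
}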
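/// <summary>
/// Detaches <paramref name="socket"/> from this program: folds its traffic counters into the
/// program-wide and per-DNS-entry "old" totals, drops it from the socket map and stops
/// listening for its host-name changes.
/// </summary>
/// <param name="socket">Socket to detach; must not be null.</param>
/// <exception cref="ArgumentNullException"><paramref name="socket"/> is null.</exception>
public void RemoveSocket(NetworkSocket socket)
{
    if (socket == null)
        throw new ArgumentNullException(nameof(socket));

    // The counters of a closed socket are preserved in the "old" totals so the program's
    // statistics do not drop when the socket goes away.
    OldUpload += socket.Stats.SentBytes;
    OldDownload += socket.Stats.ReceivedBytes;

    // AddSocket subscribes OnHostChanged; drop the handler here so a socket that outlives the
    // program does not keep this object reachable. Removing an absent handler is a no-op.
    socket.HostNameChanged -= OnHostChanged;
    Sockets.Remove(socket.guid);

    DnsEntry entry = GetDnsEntry(socket.RemoteHostName, socket.RemoteAddress);
    if (entry != null)
    {
        entry.OldUpload += socket.Stats.SentBytes;
        entry.OldDownload += socket.Stats.ReceivedBytes;
        entry.OldConCounter++;
    }
}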
/// <summary>
/// Creates a socket record for one observed endpoint pair, gives it a fresh identity
/// (<see cref="guid"/>), empty statistics, and the lookup hash used by the socket tables.
/// </summary>
/// <param name="processId">Owning process id as reported by the socket table or ETW.</param>
/// <param name="protocolType">Combined address-family / protocol flags (see <c>IPHelper.AF_INET</c> / <c>IPHelper.AF_PROT</c>).</param>
/// <param name="localAddress">Local endpoint address.</param>
/// <param name="localPort">Local endpoint port.</param>
/// <param name="remoteAddress">Remote endpoint address (may be null for unconnected sockets — assumption).</param>
/// <param name="remotePort">Remote endpoint port.</param>
public NetworkSocket(int processId, UInt32 protocolType, IPAddress localAddress, UInt16 localPort, IPAddress remoteAddress, UInt16 remotePort)
{
    ProcessId = processId;
    ProtocolType = protocolType;
    LocalAddress = localAddress;
    LocalPort = localPort;
    RemoteAddress = remoteAddress;
    RemotePort = remotePort;

    guid = Guid.NewGuid();
    Stats = new NetworkStats();

    // The hash is computed from the constructor arguments, which are exactly the values just stored.
    HashID = MkHash(processId, protocolType, localAddress, localPort, remoteAddress, remotePort);
}
/// <summary>
/// Looks up the socket identified by the given 6-tuple in <paramref name="List"/>: the tuple
/// hash selects the bucket and <see cref="NetworkSocket.Match"/> resolves hash collisions.
/// </summary>
/// <param name="List">Socket table to search (hash → sockets sharing that hash).</param>
/// <param name="Mode">Match strictness forwarded to <see cref="NetworkSocket.Match"/>.</param>
/// <returns>The first socket in the bucket that matches under <paramref name="Mode"/>, or null.</returns>
private NetworkSocket FindSocket(MultiValueDictionary <UInt64, NetworkSocket> List, int ProcessId, UInt32 ProtocolType, IPAddress LocalAddress, UInt16 LocalPort, IPAddress RemoteAddress, UInt16 RemotePort, NetworkSocket.MatchMode Mode)
{
    UInt64 bucketKey = NetworkSocket.MkHash(ProcessId, ProtocolType, LocalAddress, LocalPort, RemoteAddress, RemotePort);

    // GetValues(key, false) yields null rather than creating an empty bucket for unknown keys.
    List <NetworkSocket> candidates = List.GetValues(bucketKey, false);
    if (candidates == null)
        return null;

    foreach (NetworkSocket candidate in candidates)
    {
        if (candidate.Match(ProcessId, ProtocolType, LocalAddress, LocalPort, RemoteAddress, RemotePort, Mode))
            return candidate;
    }

    return null;
}
/// <summary>
/// Serializes <paramref name="socket"/> through <see cref="PutXmlObj"/> and returns the resulting bytes.
/// </summary>
protected byte[] PutSock(NetworkSocket socket) => PutXmlObj(socket);
/// <summary>
/// Drops <paramref name="socket"/> from this program's socket map, keyed by its guid.
/// </summary>
public void RemoveSocket(NetworkSocket socket) => Sockets.Remove(socket.guid);
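/// <summary>
/// Registers <paramref name="socket"/> under its guid and marks it as assigned to this program.
/// </summary>
/// <param name="socket">Socket to attach; must not be null.</param>
/// <exception cref="ArgumentNullException"><paramref name="socket"/> is null.</exception>
public void AddSocket(NetworkSocket socket)
{
    if (socket == null)
        throw new ArgumentNullException(nameof(socket));

    // Store first, flag second: if Add throws (e.g. on a duplicate key) the socket must not be
    // left marked as assigned while it is absent from the map, because the refresh path only
    // re-assigns sockets whose Assigned flag is false.
    Sockets.Add(socket.guid, socket);
    socket.Assigned = true;
}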
/// <summary>
/// Computes, per firewall profile, whether this program's rules let <paramref name="Socket"/>
/// communicate. Every enabled rule whose protocol and endpoints match contributes its profile
/// mask to an allow or block set for its direction; profiles no rule mentions inherit the
/// firewall's default inbound/outbound action; a block always overrides an allow.
/// </summary>
/// <param name="Socket">Socket whose protocol and local/remote endpoints are matched against the rules.</param>
/// <returns>
/// (outbound allow mask, inbound allow mask) as profile bit masks, or (0, 0) for sockets that
/// are neither TCP nor UDP.
/// </returns>
public Tuple <int, int> LookupRuleAccess(NetworkSocket Socket)
{
    int protocol;
    if ((Socket.ProtocolType & (UInt32)IPHelper.AF_PROT.TCP) != 0)
        protocol = (int)IPHelper.AF_PROT.TCP;
    else if ((Socket.ProtocolType & (UInt32)IPHelper.AF_PROT.UDP) != 0)
        protocol = (int)IPHelper.AF_PROT.UDP;
    else
        return Tuple.Create(0, 0);

    int allowOut = 0, blockOut = 0;
    int allowIn = 0, blockIn = 0;

    foreach (FirewallRule rule in Rules.Values)
    {
        if (!rule.Enabled)
            continue;
        if (rule.Protocol != (int)NetFunc.KnownProtocols.Any && rule.Protocol != protocol)
            continue;

        // The remote endpoint is only compared for TCP; UDP sockets are matched on the local
        // endpoint alone, so a UDP rule limited to a remote address still counts here
        // (presumably because a bound UDP socket carries no peer — confirm).
        bool remoteMatches = protocol != (int)IPHelper.AF_PROT.TCP
            || FirewallRule.MatchEndpoint(rule.RemoteAddresses, rule.RemotePorts, Socket.RemoteAddress, Socket.RemotePort);
        if (!remoteMatches)
            continue;
        if (!FirewallRule.MatchEndpoint(rule.LocalAddresses, rule.LocalPorts, Socket.LocalAddress, Socket.LocalPort))
            continue;

        bool allows = rule.Action == FirewallRule.Actions.Allow;
        bool blocks = rule.Action == FirewallRule.Actions.Block;
        if (rule.Direction == FirewallRule.Directions.Outboun)
        {
            if (allows) allowOut |= rule.Profile;
            else if (blocks) blockOut |= rule.Profile;
        }
        else if (rule.Direction == FirewallRule.Directions.Inbound)
        {
            if (allows) allowIn |= rule.Profile;
            else if (blocks) blockIn |= rule.Profile;
        }
        // Other directions (if any) do not contribute.
    }

    // Profiles untouched by any matching rule fall back to the firewall-wide default action.
    foreach (var fwProfile in FirewallManager.FwProfiles)
    {
        int mask = (int)fwProfile;
        if ((allowOut & mask) == 0 && (blockOut & mask) == 0)
        {
            if (App.engine.FirewallManager.GetDefaultOutboundAction(fwProfile) == FirewallRule.Actions.Allow)
                allowOut |= mask;
            else
                blockOut |= mask;
        }
        if ((allowIn & mask) == 0 && (blockIn & mask) == 0)
        {
            if (App.engine.FirewallManager.GetDefaultInboundAction(fwProfile) == FirewallRule.Actions.Allow)
                allowIn |= mask;
            else
                blockIn |= mask;
        }
    }

    // A block rule beats an allow rule for the same profile.
    return Tuple.Create(allowOut & ~blockOut, allowIn & ~blockIn);
}
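/// <summary>
/// Reconciles <see cref="SocketList"/> with a fresh snapshot of the system's TCP/UDP (v4 and v6)
/// socket tables. Rows that match a known socket refresh it; new rows create a
/// <see cref="NetworkSocket"/>; known sockets missing from the snapshot are marked closed and
/// dropped once a retention period has elapsed, except UDP "pseudo connections" with recent
/// activity, which are kept alive. Sockets first seen through ETW (no <c>ProgID</c> yet) have
/// their owning program resolved here.
/// </summary>
public void UpdateSockets()
{
    // Presumed milliseconds, like the tick helpers used below — confirm against MiscFunc.
    const UInt64 RetentionTime = 3000;       // todo: customize retention time
    const double UdpPseudoConTimeout = 5000;  // 5 sec // todo: customize udp pseudo con time

    UInt64 curTick = MiscFunc.GetTickCount64();
    UInt64 Interval = curTick - LastUpdate;
    LastUpdate = curTick;

    List <IPHelper.I_SOCKET_ROW> Sockets = new List <IPHelper.I_SOCKET_ROW>();

    // The enumeration helpers hand back unmanaged tables that this method owns; they are
    // released in the finally block so an exception while processing the rows cannot leak them.
    IntPtr tcp4Table = IntPtr.Zero;
    IntPtr tcp6Table = IntPtr.Zero;
    IntPtr udp4Table = IntPtr.Zero;
    IntPtr udp6Table = IntPtr.Zero;
    try
    {
        // enum all sockets
        tcp4Table = IPHelper.GetTcpSockets(ref Sockets);
        tcp6Table = IPHelper.GetTcp6Sockets(ref Sockets);
        udp4Table = IPHelper.GetUdpSockets(ref Sockets);
        udp6Table = IPHelper.GetUdp6Sockets(ref Sockets);

        // Whatever is still in OldSocketList after the row loop was not seen in this snapshot.
        MultiValueDictionary <UInt64, NetworkSocket> OldSocketList = SocketList.Clone();

        for (int i = 0; i < Sockets.Count; i++)
        {
            IPHelper.I_SOCKET_ROW SocketRow = Sockets[i];

            NetworkSocket Socket = FindSocket(OldSocketList, SocketRow.ProcessId, SocketRow.ProtocolType, SocketRow.LocalAddress, SocketRow.LocalPort, SocketRow.RemoteAddress, SocketRow.RemotePort, NetworkSocket.MatchMode.Strict);
            if (Socket != null)
            {
                OldSocketList.Remove(Socket.HashID, Socket);
            }
            else
            {
                Socket = new NetworkSocket(SocketRow.ProcessId, SocketRow.ProtocolType, SocketRow.LocalAddress, SocketRow.LocalPort, SocketRow.RemoteAddress, SocketRow.RemotePort);
                SocketList.Add(Socket.HashID, Socket);
            }

            // Sockets observed via ETW are not yet initialized because the owner information is missing there.
            if (Socket.ProgID == null)
            {
                Socket.CreationTime = SocketRow.CreationTime;

                if (App.engine.DnsInspector != null && Socket.RemoteAddress != null)
                {
                    App.engine.DnsInspector.GetHostName(Socket.ProcessId, Socket.RemoteAddress, Socket, NetworkSocket.HostSetter);
                }

                var moduleInfo = SocketRow.Module;
                if (moduleInfo == null || string.Equals(moduleInfo.ModulePath, "System", StringComparison.OrdinalIgnoreCase))
                {
                    Socket.ProgID = ProgramID.NewID(ProgramID.Types.System);
                }
                else
                {
                    string fileName = moduleInfo.ModulePath;
                    string serviceTag = moduleInfo.ModuleName;
                    // For services and system, TCPIP_OWNER_MODULE_BASIC_INFO.pModuleName equals
                    // pModulePath, so the actual exe path is unknown and must be resolved from the
                    // service tag instead. string.Equals is null-safe where the instance call would
                    // throw on a missing module name.
                    if (string.Equals(serviceTag, fileName, StringComparison.Ordinal))
                    {
                        fileName = null; // filename not valid
                    }
                    else
                    {
                        serviceTag = null; // service tag not valid
                    }
                    Socket.ProgID = App.engine.GetProgIDbyPID(Socket.ProcessId, serviceTag, fileName);
                }
            }

            Socket.Update(SocketRow, Interval);
        }

        // Sockets absent from this snapshot. Iterate over a copy because the loop removes revived
        // UDP pseudo connections from OldSocketList while walking it.
        foreach (NetworkSocket Socket in new List<NetworkSocket>(OldSocketList.GetAllValues()))
        {
            bool bIsUDPPseudoCon = (Socket.ProtocolType & (UInt32)IPHelper.AF_PROT.UDP) == (UInt32)IPHelper.AF_PROT.UDP && Socket.RemotePort != 0;

            // Sockets observed via ETW are not yet initialized because the owner information is missing there.
            if (Socket.ProgID == null)
            {
                Socket.CreationTime = DateTime.Now;
                if (App.engine.DnsInspector != null && Socket.RemoteAddress != null)
                {
                    App.engine.DnsInspector.GetHostName(Socket.ProcessId, Socket.RemoteAddress, Socket, NetworkSocket.HostSetter);
                }
                // ETW-captured connections do not handle services too well, so only the PID is used here.
                Socket.ProgID = App.engine.GetProgIDbyPID(Socket.ProcessId, null, null);
            }

            Socket.Update(null, Interval);

            // UDP has no connection state: a pseudo connection with recent traffic is treated as
            // still open. DateTime.Now is kept because LastActivity is presumably recorded in
            // local time elsewhere — confirm before switching to UtcNow.
            if (bIsUDPPseudoCon && (DateTime.Now - Socket.LastActivity).TotalMilliseconds < UdpPseudoConTimeout)
            {
                OldSocketList.Remove(Socket.HashID, Socket);
                if (Socket.RemovedTimeStamp != 0)
                {
                    Socket.RemovedTimeStamp = 0;
                }
            }
            else
            {
                Socket.State = (int)IPHelper.MIB_TCP_STATE.CLOSED;
            }
        }

        // Closed sockets are stamped on the first pass they go missing and dropped once they have
        // been gone for RetentionTime. The test is "stamp + retention < now"; the form
        // "stamp < now + retention" is always true for a past stamp and would retain nothing.
        UInt64 removalTick = MiscFunc.GetCurTick();
        foreach (NetworkSocket Socket in OldSocketList.GetAllValues())
        {
            if (Socket.RemovedTimeStamp == 0)
            {
                Socket.RemovedTimeStamp = removalTick;
            }
            else if (Socket.RemovedTimeStamp + RetentionTime < removalTick)
            {
                SocketList.Remove(Socket.HashID, Socket);
                Socket.Program?.RemoveSocket(Socket);
            }
        }
    }
    finally
    {
        // cleanup of the unmanaged socket tables
        if (tcp4Table != IntPtr.Zero) { Marshal.FreeHGlobal(tcp4Table); }
        if (tcp6Table != IntPtr.Zero) { Marshal.FreeHGlobal(tcp6Table); }
        if (udp4Table != IntPtr.Zero) { Marshal.FreeHGlobal(udp4Table); }
        if (udp6Table != IntPtr.Zero) { Marshal.FreeHGlobal(udp6Table); }
    }
}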
/// <summary>
/// ETW callback for TCP/IP and UDP/IP send/receive events. Decodes the opcode into a direction
/// and address family, reads the IPv4/IPv6 payload header to get the owning PID, transfer size
/// and endpoints, and then, on the engine thread, attributes the bytes to the matching
/// <see cref="NetworkSocket"/> in <see cref="SocketList"/> (creating it if unknown).
/// Events from other providers or with other opcodes are ignored.
/// </summary>
/// <param name="record">The raw ETW event; its <c>UserData</c> is interpreted as a
/// <c>TcpIpOrUdpIp_IPV4_Header</c> or <c>TcpIpOrUdpIp_IPV6_Header</c> depending on the opcode.</param>
private void OnNetworkEvent(Microsoft.O365.Security.ETW.IEventRecord record)
{
    // WARNING: this function is called from the ETW worker thread; only the captured locals are
    // passed to the engine thread below, nothing shared is touched here.
    EtwNetEventType Type = EtwNetEventType.Unknown;
    UInt32 ProtocolType = 0;
    // Opcode encodes both direction and address family; the address family goes into the
    // upper byte of ProtocolType, the transport (from the provider id) into the lower one.
    switch (record.Opcode)
    {
        case 0x0a: // send (IPv4)
            Type = EtwNetEventType.Send;
            ProtocolType = (UInt32)IPHelper.AF_INET.IP4 << 8;
            break;
        case 0x0b: // receive (IPv4)
            Type = EtwNetEventType.Recv;
            ProtocolType = (UInt32)IPHelper.AF_INET.IP4 << 8;
            break;
        case 0x0a + 16: // send (IPv6)
            Type = EtwNetEventType.Send;
            ProtocolType = (UInt32)IPHelper.AF_INET.IP6 << 8;
            break;
        case 0x0b + 16: // receive (IPv6)
            Type = EtwNetEventType.Recv;
            ProtocolType = (UInt32)IPHelper.AF_INET.IP6 << 8;
            break;
        default:
            return; // not a send/receive event
    }
    if (record.ProviderId.Equals(TcpIpGuid))
    {
        ProtocolType |= (UInt32)IPHelper.AF_PROT.TCP;
    }
    else if (record.ProviderId.Equals(UdpIpGuid))
    {
        ProtocolType |= (UInt32)IPHelper.AF_PROT.UDP;
    }
    else
    {
        return; // unexpected provider
    }
    int ProcessId = -1;
    UInt32 TransferSize = 0;
    IPAddress LocalAddress = null;
    UInt16 LocalPort = 0;
    IPAddress RemoteAddress = null;
    UInt16 RemotePort = 0;
    // NOTE(review): the payload is marshalled without comparing its length against the header
    // struct size; a truncated record would be read past its user data. If the record type
    // exposes the user-data length, check it against Marshal.SizeOf of the header first — confirm.
    if ((ProtocolType & ((UInt32)IPHelper.AF_INET.IP4 << 8)) == ((UInt32)IPHelper.AF_INET.IP4 << 8))
    {
        TcpIpOrUdpIp_IPV4_Header data = (TcpIpOrUdpIp_IPV4_Header)Marshal.PtrToStructure(record.UserData, typeof(TcpIpOrUdpIp_IPV4_Header));
        ProcessId = (int)data.PID;
        TransferSize = data.size;
        LocalAddress = new IPAddress((UInt32)data.saddr);
        // Ports arrive in network byte order.
        LocalPort = (UInt16)IPAddress.NetworkToHostOrder((short)data.sport);
        RemoteAddress = new IPAddress((UInt32)data.daddr);
        RemotePort = (UInt16)IPAddress.NetworkToHostOrder((short)data.dport);
    }
    else if ((ProtocolType & ((UInt32)IPHelper.AF_INET.IP6 << 8)) == ((UInt32)IPHelper.AF_INET.IP6 << 8))
    {
        TcpIpOrUdpIp_IPV6_Header data = (TcpIpOrUdpIp_IPV6_Header)Marshal.PtrToStructure(record.UserData, typeof(TcpIpOrUdpIp_IPV6_Header));
        ProcessId = (int)data.PID;
        TransferSize = data.size;
        LocalAddress = new IPAddress(data.saddr);
        LocalPort = (UInt16)IPAddress.NetworkToHostOrder((short)data.sport);
        RemoteAddress = new IPAddress(data.daddr);
        RemotePort = (UInt16)IPAddress.NetworkToHostOrder((short)data.dport);
    }
    else
    {
        return;
    }
    // Incoming UDP packets report the endpoints swapped (source = peer), so swap them back to
    // the local/remote orientation used by the socket tables.
    if ((ProtocolType & (UInt32)IPHelper.AF_PROT.UDP) == (UInt32)IPHelper.AF_PROT.UDP && Type == EtwNetEventType.Recv)
    {
        IPAddress TempAddresss = LocalAddress;
        UInt16 TempPort = LocalPort;
        LocalAddress = RemoteAddress;
        LocalPort = RemotePort;
        RemoteAddress = TempAddresss;
        RemotePort = TempPort;
    }
    App.engine?.RunInEngineThread(() =>
    {
        // Runs on the engine thread, which owns SocketList; the socket created here has no
        // ProgID yet and gets its owner resolved by the periodic UpdateSockets pass.
        NetworkSocket Socket = FindSocket(SocketList, ProcessId, ProtocolType, LocalAddress, LocalPort, RemoteAddress, RemotePort, NetworkSocket.MatchMode.Strict);
        if (Socket == null)
        {
            Socket = new NetworkSocket(ProcessId, ProtocolType, LocalAddress, LocalPort, RemoteAddress, RemotePort);
            SocketList.Add(Socket.HashID, Socket);
        }
        switch (Type)
        {
            case EtwNetEventType.Send:
                Socket.CountUpload(TransferSize);
                break;
            case EtwNetEventType.Recv:
                Socket.CountDownload(TransferSize);
                break;
        }
    });
}
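/// <summary>
/// Reconciles <see cref="SocketList"/> with a fresh snapshot of the system's TCP/UDP (v4 and v6)
/// socket tables. Rows that match a known socket refresh it; new rows create a
/// <see cref="NetworkSocket"/>; known sockets missing from the snapshot are stamped and dropped
/// once a retention period has elapsed. Sockets first seen through ETW (no <c>ProgID</c> yet)
/// have their owning program resolved here, and sockets whose program went away are
/// re-assigned and get their rule access recomputed.
/// </summary>
public void UpdateSockets()
{
    // Presumed milliseconds, like the tick helpers used below — confirm against MiscFunc.
    const UInt64 RetentionTime = 3000; // todo: customize retention time

    UInt64 curTick = MiscFunc.GetTickCount64();
    UInt64 Interval = curTick - LastUpdate;
    LastUpdate = curTick;

    List <IPHelper.I_SOCKET_ROW> Sockets = new List <IPHelper.I_SOCKET_ROW>();

    // The enumeration helpers hand back unmanaged tables that this method owns; they are
    // released in the finally block so an exception while processing the rows cannot leak them.
    IntPtr tcp4Table = IntPtr.Zero;
    IntPtr tcp6Table = IntPtr.Zero;
    IntPtr udp4Table = IntPtr.Zero;
    IntPtr udp6Table = IntPtr.Zero;
    try
    {
        // enum all sockets
        tcp4Table = IPHelper.GetTcpSockets(ref Sockets);
        tcp6Table = IPHelper.GetTcp6Sockets(ref Sockets);
        udp4Table = IPHelper.GetUdpSockets(ref Sockets);
        udp6Table = IPHelper.GetUdp6Sockets(ref Sockets);

        // Whatever is still in OldSocketList after the row loop was not seen in this snapshot.
        MultiValueDictionary <UInt64, NetworkSocket> OldSocketList = SocketList.Clone();

        for (int i = 0; i < Sockets.Count; i++)
        {
            IPHelper.I_SOCKET_ROW SocketRow = Sockets[i];

            NetworkSocket Socket = FindSocket(OldSocketList, SocketRow.ProcessId, SocketRow.ProtocolType, SocketRow.LocalAddress, SocketRow.LocalPort, SocketRow.RemoteAddress, SocketRow.RemotePort, NetworkSocket.MatchMode.Strict);
            if (Socket != null)
            {
                OldSocketList.Remove(Socket.HashID, Socket);
            }
            else
            {
                Socket = new NetworkSocket(SocketRow.ProcessId, SocketRow.ProtocolType, SocketRow.LocalAddress, SocketRow.LocalPort, SocketRow.RemoteAddress, SocketRow.RemotePort);
                SocketList.Add(Socket.HashID, Socket);
            }

            // Sockets observed via ETW are not yet initialized because the owner information is missing there.
            if (Socket.ProgID == null)
            {
                Socket.CreationTime = SocketRow.CreationTime;

                // The DNS inspector is treated as optional (it is null-checked on other code paths — assumption).
                if (App.engine.DnsInspector != null && Socket.RemoteAddress != null)
                {
                    App.engine.DnsInspector.GetHostName(Socket.ProcessId, Socket.RemoteAddress, Socket, NetworkSocket.HostSetter);
                }

                var moduleInfo = SocketRow.Module;
                if (moduleInfo == null || string.Equals(moduleInfo.ModulePath, "System", StringComparison.OrdinalIgnoreCase))
                {
                    Socket.ProgID = ProgramID.NewID(ProgramID.Types.System);
                }
                else
                {
                    string fileName = moduleInfo.ModulePath;
                    string serviceTag = moduleInfo.ModuleName;
                    // For services and system, TCPIP_OWNER_MODULE_BASIC_INFO.pModuleName equals
                    // pModulePath, so the actual exe path is unknown and must be resolved from the
                    // service tag instead. string.Equals is null-safe where the instance call would
                    // throw on a missing module name.
                    if (string.Equals(serviceTag, fileName, StringComparison.Ordinal))
                    {
                        fileName = null; // filename not valid
                    }
                    else
                    {
                        serviceTag = null; // service tag not valid
                    }
                    Socket.ProgID = App.engine.GetProgIDbyPID(Socket.ProcessId, serviceTag, fileName);
                }
            }

            // A program may have been removed; its sockets then become unassigned and must be
            // re-assigned (and their rule access recomputed) here.
            if (Socket.Assigned == false)
            {
                Program prog = Socket.ProgID == null ? null : App.engine.ProgramList.GetProgram(Socket.ProgID, true, ProgramList.FuzzyModes.Any);
                if (prog != null)
                {
                    prog.AddSocket(Socket);
                    Socket.Access = prog.LookupRuleAccess(Socket);
                }
            }

            Socket.Update(SocketRow, Interval);
        }

        // Closed sockets are stamped on the first pass they go missing and dropped once they have
        // been gone for RetentionTime. The test is "stamp + retention < now"; the form
        // "stamp < now + retention" is always true for a past stamp and would retain nothing.
        UInt64 removalTick = MiscFunc.GetCurTick();
        foreach (NetworkSocket Socket in OldSocketList.GetAllValues())
        {
            if (Socket.RemovedTimeStamp == 0)
            {
                Socket.RemovedTimeStamp = removalTick;
            }
            else if (Socket.RemovedTimeStamp + RetentionTime < removalTick)
            {
                SocketList.Remove(Socket.HashID, Socket);
                Program prog = Socket.ProgID == null ? null : App.engine.ProgramList.GetProgram(Socket.ProgID);
                prog?.RemoveSocket(Socket);
            }
        }
    }
    finally
    {
        // cleanup of the unmanaged socket tables
        if (tcp4Table != IntPtr.Zero) { Marshal.FreeHGlobal(tcp4Table); }
        if (tcp6Table != IntPtr.Zero) { Marshal.FreeHGlobal(tcp6Table); }
        if (udp4Table != IntPtr.Zero) { Marshal.FreeHGlobal(udp4Table); }
        if (udp6Table != IntPtr.Zero) { Marshal.FreeHGlobal(udp6Table); }
    }
}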