No commit message

CHANGELOG.md

@@ -3,6 +3,21 @@ All notable changes to this project will be documented in this file.
 This project adheres to [Semantic Versioning](http://semver.org/).
 
 
+## [1.0.2] - 2019-12-24
+
+### Added
+- settign for reverse DNS to disable it when desired
+- when flushing dns cache the dns cache retention is reset as well
+
+### Changed
+- most "unknown" values now shows teh numeric value encountered
+- updated PHlib to version 3.0.2812
+
+### Fixed
+- an issue with the DNS cache monitoring
+- fixed issue with etw event tracking for UDP traffic
+- fixed issue with thread service tag not being resolved properly
+
 
 ## [1.0.1] - 2019-11-15
 

TaskExplorer/API/DNSEntry.cpp

@@ -53,15 +53,20 @@ CDnsCacheEntry::CDnsCacheEntry(const QString& HostName, quint16 Type, const QHos
 
 QString CDnsCacheEntry::GetTypeString() const
 {
-	switch (GetType())
+	return GetTypeString(GetType());
+}
+
+QString CDnsCacheEntry::GetTypeString(quint16 Type)
+{
+	switch (Type)
 	{
 		case DNS_TYPE_A:	return "A";
 		case DNS_TYPE_AAAA:	return "AAAA";
 		case DNS_TYPE_PTR:	return "PTR";
 		case DNS_TYPE_CNAME:return "CNAME";
 		case DNS_TYPE_SRV:	return "SRV";
 		case DNS_TYPE_MX:	return "MX";
-		default:			return "UNKNOWN";
+		default:			return QString("UNKNOWN (%1)").arg(Type);
 	}
 }
 

TaskExplorer/API/DNSEntry.h

@@ -82,6 +82,7 @@ class CDnsCacheEntry: public CAbstractInfoEx
 	virtual QHostAddress GetAddress() const			{ QReadLocker Locker(&m_Mutex); return m_Address; }
 	virtual quint16 GetType() const					{ QReadLocker Locker(&m_Mutex); return m_Type; }
 	virtual QString GetTypeString() const;
+	static QString GetTypeString(quint16 Type);
 
 	virtual quint64 GetTTL() const					{ QReadLocker Locker(&m_Mutex); return m_TTL > 0 ? m_TTL : 0; }
 	virtual quint64 GetDeadTime() const				{ QReadLocker Locker(&m_Mutex); return m_TTL < 0 ? -m_TTL : 0; }

TaskExplorer/API/SocketInfo.cpp

@@ -155,6 +155,6 @@ QString CSocketInfo::GetStateString()
     case MIB_TCP_STATE_TIME_WAIT:	return tr("Time wait");
     case MIB_TCP_STATE_DELETE_TCB:	return tr("Delete TCB");
 	case -1:						return tr("Blocked");
-    default:						return tr("Unknown");
+    default:						return tr("Unknown %1").arg(m_State);
     }
 }

TaskExplorer/API/Windows/DnsResolver.cpp

@@ -173,14 +173,14 @@ PDNS_RECORD TraverseDnsCacheTable(SDnsResolver* m)
     if (!m->DnsGetCacheDataTable_I(&dnsCacheDataTable))
         goto CleanupExit;
 
-	PDNS_RECORD root
-	while (PDNS_CACHE_ENTRY tablePtr = dnsCacheDataTable; tablePtr; tablePtr = tablePtr->Next)
+	PDNS_RECORD root = NULL;
+	for (PDNS_CACHE_ENTRY tablePtr = dnsCacheDataTable; tablePtr; tablePtr = tablePtr->Next)
 	{
         for (USHORT i = 0; i < ARRSIZE(typeList); i++)
         {
             PDNS_RECORD dnsQueryResultPtr;
-            if (DnsQuery(tablePtr->Name, typeList[i], DNS_QUERY_NO_WIRE_QUERY | DNS_QUERY_APPEND_MULTILABEL, NULL, &dnsQueryResultPtr, NULL) == ERROR_SUCCESS)
-			//if (DnsQuery(tablePtr->Name, tablePtr->Type, DNS_QUERY_NO_WIRE_QUERY | DNS_QUERY_APPEND_MULTILABEL, NULL, &dnsQueryResultPtr, NULL) == ERROR_SUCCESS)
+            if (DnsQuery(tablePtr->Name, typeList[i], DNS_QUERY_NO_WIRE_QUERY | 32768 /*Undocumented flags*/, NULL, &dnsQueryResultPtr, NULL) == ERROR_SUCCESS)
+			//if (DnsQuery(tablePtr->Name, tablePtr->Type, DNS_QUERY_NO_WIRE_QUERY | 32768 /*Undocumented flags*/, NULL, &dnsQueryResultPtr, NULL) == ERROR_SUCCESS)
             {
                 for (PDNS_RECORD dnsRecordPtr = dnsQueryResultPtr; dnsRecordPtr; dnsRecordPtr = dnsRecordPtr->pNext)
                 {
@@ -209,13 +209,15 @@ PDNS_RECORD TraverseDnsCacheTable(SDnsResolver* m)
 bool CDnsResolver::UpdateDnsCache()
 {
 #ifdef DNS_SCRAPE
-	PDNS_RECORD dnsRecordRootPtr = TraverseDnsCacheTable(m, NULL); 
+	PDNS_RECORD dnsRecordRootPtr = TraverseDnsCacheTable(m); 
 #else
     PDNS_CACHE_ENTRY dnsCacheDataTable = NULL;
 	if (!m->DnsGetCacheDataTable_I(&dnsCacheDataTable))
 		return false;
 #endif
 
+//#define DUMP_DNS
+
 	// Copy the emtry map Map
 	QMultiMap<QString, CDnsCacheEntryPtr> OldEntries = GetEntryList();
 
@@ -228,12 +230,22 @@ bool CDnsResolver::UpdateDnsCache()
 		//QString HostName_ = QString::fromWCharArray(tablePtr->Name);
 		//quint16 Type_ = tablePtr->Type;
 
+#ifdef DUMP_DNS
+		qDebug() << "Dns Table Entry:" << QString::fromWCharArray(tablePtr->Name) << "Type:" << CDnsCacheEntry::GetTypeString(tablePtr->Type);
+#endif
+
 		PDNS_RECORD dnsQueryResultPtr;
-		if (DnsQuery(tablePtr->Name, tablePtr->Type, DNS_QUERY_NO_WIRE_QUERY | DNS_QUERY_APPEND_MULTILABEL, NULL, &dnsQueryResultPtr, NULL) != ERROR_SUCCESS)
+
+		DNS_STATUS ret = DnsQuery(tablePtr->Name, tablePtr->Type, DNS_QUERY_NO_WIRE_QUERY | 32768 /*Undocumented flags*/, NULL, &dnsQueryResultPtr, NULL);
+		if (ret != ERROR_SUCCESS)
 			continue;
 
 		for (PDNS_RECORD dnsRecordPtr = dnsQueryResultPtr; dnsRecordPtr; dnsRecordPtr = dnsRecordPtr->pNext)
 		{
+
+#ifdef DUMP_DNS
+			qDebug() << "Dns Query Result:" << QString::fromWCharArray(dnsRecordPtr->pName) << "Type:" << CDnsCacheEntry::GetTypeString(dnsRecordPtr->wType);
+#endif
 #endif	
 			QString HostName = QString::fromWCharArray(dnsRecordPtr->pName);
 			quint16 Type = dnsRecordPtr->wType;
@@ -243,31 +255,11 @@ bool CDnsResolver::UpdateDnsCache()
 			QMultiMap<QString, CDnsCacheEntryPtr>::iterator I;
 			if (Type == DNS_TYPE_A || Type == DNS_TYPE_AAAA)
 			{
-				//WCHAR ipAddrString[INET6_ADDRSTRLEN] = L"";
 				switch (Type)
 				{
-					case DNS_TYPE_A:
-					{
-						Address = QHostAddress(ntohl(dnsRecordPtr->Data.A.IpAddress));
-
-						/*IN_ADDR ipv4Address = { 0 };
-						ipv4Address.s_addr = dnsRecordPtr->Data.A.IpAddress;
-
-						RtlIpv4AddressToString(&ipv4Address, ipAddrString);*/
-						break;
-					}
-					case DNS_TYPE_AAAA:
-					{
-						Address = QHostAddress(dnsRecordPtr->Data.AAAA.Ip6Address.IP6Byte);
-
-						/*IN6_ADDR ipv6Address = { 0 };
-						memcpy_s(ipv6Address.s6_addr, sizeof(ipv6Address.s6_addr), dnsRecordPtr->Data.AAAA.Ip6Address.IP6Byte, sizeof(dnsRecordPtr->Data.AAAA.Ip6Address.IP6Byte));
-
-						RtlIpv6AddressToString(&ipv6Address, ipAddrString);*/
-						break;
-					}
+					case DNS_TYPE_A:	Address = QHostAddress(ntohl(dnsRecordPtr->Data.A.IpAddress)); break;
+					case DNS_TYPE_AAAA:	Address = QHostAddress(dnsRecordPtr->Data.AAAA.Ip6Address.IP6Byte); break;
 				}
-				//ResolvedString = QString::fromWCharArray(ipAddrString);
 				ResolvedString = Address.toString();
 
 				if (Address == QHostAddress::LocalHost || Address == QHostAddress::LocalHostIPv6)
@@ -288,6 +280,10 @@ bool CDnsResolver::UpdateDnsCache()
 				switch (Type)
 				{
 				case DNS_TYPE_PTR:		ResolvedString = QString::fromWCharArray(dnsRecordPtr->Data.PTR.pNameHost);	break;
+										Address = RevDnsHost2Address(HostName);
+										// we don't care for entries without a valid address
+										if (Address.isNull())
+											continue;
 				//case DNS_TYPE_DNAME:	ResolvedString = QString::fromWCharArray(dnsRecordPtr->Data.DNAME.pNameHost); break; // entire zone
 				case DNS_TYPE_CNAME:	ResolvedString = QString::fromWCharArray(dnsRecordPtr->Data.CNAME.pNameHost); break; // one host
 				case DNS_TYPE_SRV:		ResolvedString = QString("%1:%2").arg(QString::fromWCharArray(dnsRecordPtr->Data.SRV.pNameTarget)).arg((quint16)dnsRecordPtr->Data.SRV.wPort); break;
@@ -307,18 +303,13 @@ bool CDnsResolver::UpdateDnsCache()
 				}
 			}
 
+#ifdef DUMP_DNS
+			//qDebug() << "Dns Query Result:" << HostName << "Type:" << CDnsCacheEntry::GetTypeString(Type) << ResolvedString;
+#endif
+
 			CDnsCacheEntryPtr pEntry;
 			if (I == OldEntries.end())
 			{
-				if (Type == DNS_TYPE_PTR)
-				{
-					Address = RevDnsHost2Address(HostName);
-
-					// we don't care for entries without a valid address
-					if (Address.isNull())
-						continue;
-				}
-
 				pEntry = CDnsCacheEntryPtr(new CDnsCacheEntry(HostName, Type, Address, ResolvedString));
 				QWriteLocker Locker(&m_Mutex);
 				m_DnsCache.insertMulti(HostName, pEntry);
@@ -395,6 +386,10 @@ void CDnsResolver::FlushDnsCache()
 {
     if (m->DnsFlushResolverCache_I)
         m->DnsFlushResolverCache_I();
+
+	m_DnsCache.clear();
+	m_AddressCache.clear();
+	m_RedirectionCache.clear();
 }
 
 QString CDnsResolver::GetHostName(const QHostAddress& Address, QObject *receiver, const char *member)
@@ -438,7 +433,7 @@ QString CDnsResolver::GetHostName(const QHostAddress& Address, QObject *receiver
 
 	// if we dont have a valid entry start a lookup job and finisch asynchroniously
 	//if (ValidReverseEntries == 0)
-	if(RevHostNames.size() == 0)
+	if(RevHostNames.size() == 0 && theConf->GetBool("Options/UserReverseDns", false))
 	{
 		QMutexLocker Locker(&m_JobMutex);
 
@@ -504,7 +499,7 @@ QString CDnsResolver::GetHostNameSmart(const QHostAddress& Address, const QStrin
 #endif
 
 	QMultiMap<quint64, CDnsCacheEntryPtr> Entries;
-	if (theConf->GetBool("Options/SmartHostNameResolution", false))
+	if (theConf->GetBool("Options/MonitorDnsCache", false))
 	{
 		QReadLocker Locker(&m_Mutex);
 

TaskExplorer/API/Windows/Monitors/Etw/krabs/kernel_providers.hpp

@@ -141,6 +141,14 @@ namespace krabs { namespace kernel {
         EVENT_TRACE_FLAG_NETWORK_TCPIP,
         krabs::guids::tcp_ip);
 
+    /**
+     * <summary>A provider that enables network udp/ip events.</summary>
+     */
+    CREATE_CONVENIENCE_KERNEL_PROVIDER(
+        network_udpip_provider,
+        EVENT_TRACE_FLAG_NETWORK_TCPIP,
+        krabs::guids::udp_ip);
+
     /**
      * <summary>A provider that enables process events.</summary>
      */

TaskExplorer/API/Windows/Monitors/Etw/krabs/testing/event_filter_proxy.hpp

@@ -0,0 +1,74 @@
+// Copyright (c) Microsoft. All rights reserved.
+// Licensed under the MIT license. See LICENSE file in the project root for full license information.
+
+#pragma once
+
+#define INITGUID
+
+
+#include "../compiler_check.hpp"
+#include "../filtering/event_filter.hpp"
+#include "synth_record.hpp"
+
+namespace krabs { namespace testing {
+
+    /**
+     * <summary>
+     *   Serves as a fill-in for the event_filter class for testing purposes.
+     *   It acts as a liason for the actual filter instance and allows for forced event
+     *   testing.
+     * </summary>
+     */
+    class event_filter_proxy {
+    public:
+
+        /**
+         * <summary>
+         * Constructs a proxy for the given event_filter.
+         * </summary>
+         * <example>
+         *     krabs::event_filter event_filter;
+         *     krabs::testing::event_filter_proxy proxy(event_filter);
+         * </example>
+         */
+        event_filter_proxy(krabs::event_filter &filter);
+
+        /**
+         * <summary>
+         * Pushes an event through to the proxied filter instance.
+         * </summary>
+         * <example>
+         *     krabs::event_filter event_filter;
+         *     krabs::testing::event_filter_proxy proxy(event_filter);
+         *
+         *     krabs::guid powershell(L"{A0C1853B-5C40-4B15-8766-3CF1C58F985A}");
+         *     krabs::testing::record_builder builder(powershell, krabs::id(7942), krabs::version(1));
+         *
+         *     builder.add_properties()
+         *             (L"ClassName", L"FakeETWEventForRealz")
+         *             (L"Message", L"This message is completely faked");
+         *
+         *     auto record = builder.pack_incomplete();
+         *     proxy.push_event(record);
+         * </example>
+         */
+        void push_event(const synth_record &record);
+
+    private:
+        krabs::event_filter &event_filter_;
+    };
+
+    // Implementation
+    // ------------------------------------------------------------------------
+
+    inline event_filter_proxy::event_filter_proxy(krabs::event_filter &event_filter)
+    : event_filter_(event_filter)
+    {
+    }
+
+    inline void event_filter_proxy::push_event(const synth_record &record)
+    {
+        event_filter_.on_event(record);
+    }
+
+} /* namespace testing */ } /* namespace krabs */