
WhoYouCalling v1.4 📄🛠️

@H4NM H4NM released this 06 Jan 20:38

This release mainly addresses issues such as race conditions and mapping of processes. I've also added a summary text file that provides a slight overview of all of the processes that have network activity and the entire monitoring session. It can be useful for when there are a lot of processes with network activity and it's faster to review one file than reviewing multiple folders.

✨ Features

  • Added a monitoring summary text file

📄 Changes

  • Change compiled executable name from WhoYouCalling.exe to wyc.exe - it's a CLI tool after all :-)
  • Changed file names to be shorter and more concise
  • Remove JSON flag and create the JSON file regardless to avoid scenarios of missing crucial data.
  • Change default process name when unable to successfully map it
  • Added a spinner wheel to filtering processes
  • Changed default values for process start and stop time, and executable name to null for cleaner and consistent data output
  • Added github actions to ensure that wyc can be compiled from the source code
  • Updated and cleaned up README to reflect the changes
  • Refactoring and cleaning code

πŸ› οΈ Fixes:

  • Fix so that the DNS Wireshark filter folder is not created if there are no Wireshark filters to be created
  • Fix issue where entire BPF filter was not written to file
  • Solve issue with short-lived processes that perform DNS queries and do not have process names included.
  • Solve issue where the DNS ETW event registers the process PID before the process start ETW event does, which caused the process to be added twice.
  • Implement fix against the race condition with short-lived processes that perform DNS queries, as they're labeled as unmapped processes.
    • This is done by checking if the unmapped process has the same PID as the correctly mapped process and if it was added to monitoring close to the same time
  • Solve issue with possible duplicate process names, indicating they're the same process, although launched separately and happening to get the same PID. The likelihood is very small, but it could happen, and it would make results add to the same process even though they're separate.
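The PID-plus-timing check behind the last three fixes, as an added Python illustration that is not the project's own code: an unmapped placeholder created by an early DNS event is adopted by a later ProcessStart with the same PID only when both land within a merge window, and records are kept as a list so a reused PID gets its own entry. The event stream, the one-second window and the record fields are assumptions.

```python
from dataclasses import dataclass, field

# Constructed ETW-style events (timestamp_s, kind, pid, value), not real trace data; they
# reproduce a DNS event arriving before its ProcessStart (PID 5151) and a PID reused later (4242).
EVENTS = [
    (10.000, "ProcessStart", 4242, "curl.exe"),
    (10.050, "DnsQuery", 4242, "example.com"),
    (10.100, "ProcessStop", 4242, None),
    (10.300, "DnsQuery", 5151, "update.example.net"),  # before its ProcessStart
    (10.302, "ProcessStart", 5151, "pwsh.exe"),
    (10.400, "ProcessStop", 5151, None),
    (95.000, "ProcessStart", 4242, "msedge.exe"),  # PID 4242 reused much later
    (95.010, "DnsQuery", 4242, "cdn.example.org"),
]
MERGE_WINDOW = 1.0  # seconds; assumed value for "close to the same time"

@dataclass
class ProcRecord:
    pid: int
    name: "str | None"  # None marks an unmapped placeholder
    first_seen: float
    stopped: bool = False
    dns: list = field(default_factory=list)

class ProcessMonitor:
    def __init__(self, merge_window=MERGE_WINDOW):
        self.window = merge_window
        self.records = []  # a list, not a dict keyed on pid, because PIDs get reused

    def handle(self, ts, kind, pid, value):
        rec = next((r for r in reversed(self.records) if r.pid == pid), None)  # latest for pid
        if kind == "ProcessStart":
            # Same PID, still unmapped and seen within the window: adopt the placeholder rather than add it twice
            if rec and rec.name is None and not rec.stopped and abs(ts - rec.first_seen) <= self.window:
                rec.name, rec.first_seen = value, min(rec.first_seen, ts)
            else:
                self.records.append(ProcRecord(pid, value, ts))
        elif kind == "DnsQuery":
            if rec is None or rec.stopped:  # no live process known yet: placeholder
                rec = ProcRecord(pid, None, ts)
                self.records.append(rec)
            rec.dns.append(value)
        elif kind == "ProcessStop" and rec:
            rec.stopped = True

def run(events=EVENTS):
    mon = ProcessMonitor()  # feed events in arrival order
    for ev in events:
        mon.handle(*ev)
    return [(r.pid, r.name, r.dns) for r in mon.records]
```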

🚀 Next up:

  • Address code that produces build warnings
  • Add IP and domain lookup for analysis. This will also be complemented by a network graph visualization to see the entire hierarchy of processes and child processes and the related DNS queries and TCP activity

If you have any suggestions, feedback or bug reports, I'd love to hear them.

Get-FileHash -path .\WhoYouCalling-1.4*-selfcontained.zip -algo sha256

Algorithm       Hash                                                                   Path                                                                                      
---------       ----                                                                   ----                                                                                      
SHA256          91B578CA10707B68D7D71116E2FD914B2C090D190FE3991AB518D8C856CF84BC       WhoYouCalling-1.4-x64-selfcontained.zip
SHA256          4A8B8C9DE18D436ACFE54A7EFD93089790B4B282832E98E7A7E21C1D2A3631E6       WhoYouCalling-1.4-x86-selfcontained.zip