Monitors a process's network activity using Windows Event Tracing (ETW) and Full Packet Capture (FPC). A packet capture file (.pcap) is generated and filtered based on the recorded TCPIP activity, resulting in one pcap file per process.
WhoYouCalling makes process network monitoring hella' easy.
"Why not just use ProcMon+Wireshark??"🤔🤔
One of the best methods of monitoring the activities of a process in Windows is the Sysinternals tool ProcMon. However, there are some downsides:
- Manual work: To get a Full Packet Capture per process you need to manually start a packet capture with a tool like Wireshark/Tshark and create a filter for endpoints based on the results of ProcMon. This is time-consuming, and if the process is not automated, endpoints may be missed due to human error.
- Child processes: It can be tedious to keep track of all the child processes that may spawn and the endpoints they communicate with.
- DNS queries: (AFAIK) ProcMon doesn't support capturing DNS queries. It does show UDP/TCP traffic sent to port 53, but gives no information about the actual domain name that is queried or the address returned in the response.
- Start or monitor an already running process.
- Monitor every running process simultaneously.
- Create a full packet capture (.pcap) file per process.
- Monitor processes based on process name.
- Run executables as other users and in elevated or unelevated state.
- Record TCPIP activities, IPv4 and IPv6.
- Record DNS requests and responses.
- Create Wireshark filter based on DNS responses for domains.
- Specify pcap filtering to only record TCPIP activity being sent from the process.
- Timer for automated monitoring.
- Monitoring is applied to all spawned child processes by default.
- Spawned process and its child processes can be killed on stop.
- JSON output of results.
- Generate a Wireshark DFL filter per process.
- Generate a BPF filter per process.
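As an added illustration (not the project's code) of how recorded TCPIP activity can be turned into a per-process BPF filter for the pcap and a matching Wireshark display filter, including the variant that keeps only traffic sent from the process, here is a Python sketch. The record layout, the sample flows and the function names are this example's own assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address

@dataclass(frozen=True)
class TcpIpRecord:
    """One recorded TCPIP event for a process (constructed layout, not the tool's own)."""
    pid: int
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

def bpf_term(r: TcpIpRecord, sent_only: bool) -> str:
    """BPF clause for one flow; sent_only pins the direction with src/dst qualifiers."""
    fam = "ip6" if ip_address(r.src_ip).version == 6 else "ip"
    if sent_only:
        return (f"({fam} and {r.proto} and src host {r.src_ip} and src port {r.src_port}"
                f" and dst host {r.dst_ip} and dst port {r.dst_port})")
    return (f"({fam} and {r.proto} and host {r.src_ip} and port {r.src_port}"
            f" and host {r.dst_ip} and port {r.dst_port})")

def dfl_term(r: TcpIpRecord, sent_only: bool) -> str:
    """Wireshark display-filter clause for the same flow (ip.* or ipv6.* fields)."""
    fam = "ipv6" if ip_address(r.src_ip).version == 6 else "ip"
    if sent_only:
        return (f"({fam}.src == {r.src_ip} && {r.proto}.srcport == {r.src_port}"
                f" && {fam}.dst == {r.dst_ip} && {r.proto}.dstport == {r.dst_port})")
    return (f"({fam}.addr == {r.src_ip} && {r.proto}.port == {r.src_port}"
            f" && {fam}.addr == {r.dst_ip} && {r.proto}.port == {r.dst_port})")

def filters_per_process(records, sent_only=False) -> dict:
    """Group by PID, drop duplicate flows (one flow logs many events) and OR the clauses."""
    flows = {}
    for r in records:
        flows.setdefault(r.pid, {})[r] = None   # dict preserves order and dedupes
    return {pid: {"bpf": " or ".join(bpf_term(r, sent_only) for r in fl),
                  "dfl": " || ".join(dfl_term(r, sent_only) for r in fl)}
            for pid, fl in flows.items()}

# Constructed sample activity: a repeated TCP flow, a DNS lookup and an IPv6 flow.
SAMPLE = [
    TcpIpRecord(1234, "tcp", "192.168.1.10", 51000, "203.0.113.7", 443),
    TcpIpRecord(1234, "tcp", "192.168.1.10", 51000, "203.0.113.7", 443),
    TcpIpRecord(1234, "udp", "192.168.1.10", 52000, "192.168.1.1", 53),
    TcpIpRecord(5678, "tcp", "fd12:3456:789a:1::2", 40000, "2001:db8::1", 443),
]
if __name__ == "__main__":
    for pid, f in filters_per_process(SAMPLE).items():
        print(pid, f["bpf"], f["dfl"], sep="\n  ")
```

The BPF string is what you would hand to the capture library to split the full capture into one pcap per PID; the DFL string is what you paste into Wireshark to inspect the same flows in the unfiltered capture.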
(Must be run as administrator - for packet capture and listening to ETW)
Get a list of available interfaces to monitor:
wyc.exe --getinterfaces
[*] Available interfaces:
0) WAN Miniport (Network Monitor)
1) WAN Miniport (IPv6)
...
8) Realtek USB GbE Family Controller
IPv4: 192.168.1.10
IPv6: fd12:3456:789a:1::2
Capture every network and process activity from everything:
wyc.exe --illuminate --interface 8
Execute a binary with arguments. Output the results to a folder on the user's desktop:
wyc.exe --executable C:\Users\H4NM\Desktop\TestApplication.exe --arguments "--pass=ETph0n3H0m3" --interface 4 --output C:\Users\H4NM\Desktop
Listen to process with PID 24037 and skip packet capture:
wyc.exe --PID 24037 --nopcap --output C:\Users\H4NM\AppData\Local\Temp
Run sus.exe for 60 seconds with FPC on the 8th interface. When the timer expires, kill tracked processes - including child processes:
wyc.exe -e C:\Users\H4NM\Desktop\sus.exe -t 60 -k -i 8 -o C:\Users\H4NM\Desktop
Execute firefox.exe and also monitor other processes whose names match an inclusion pattern. This is especially needed when the main process calls an already running process like explorer.exe to start a child process, since tracking based only on the PID or executable provided at start would not follow that child:
wyc.exe -e "C:\Program Files\Mozilla Firefox\firefox.exe" --nopcap --names "firefox.exe,svchost,cmd"
There are other tools that can complement your quest of application network analysis:
- Frida: Provides the most granular interaction with applications in which you can view API calls made.
- "It lets you inject snippets of JavaScript or your own library into native apps on Windows, macOS, GNU/Linux, iOS, watchOS, tvOS, Android, FreeBSD, and QNX."
- Deluder and PETEP (PEnetration TEsting Proxy): Deluder uses Frida but acts as an interface for capturing the network traffic made by the application, similar to WhoYouCalling. Deluder also allows for many other fun things, including integration with the PETEP proxy for viewing and editing packets live.
- Windows Sandbox: A simple and native sandbox in Windows. I strongly recommend using a sandbox or VM when executing unknown applications. There's also the possibility of adding your own configuration for the Windows Sandbox to harden it a bit further or to include WhoYouCalling in the sandbox on start. See more here
- DNS: In ETW, Microsoft-Windows-DNS-Client only logs A and AAAA queries, neglecting other DNS query types such as PTR, TXT, MX, SOA etc. It does capture CNAME records and their respective addresses, which are part of the DNS response. However, with the FPC the requests are captured either way, just not presented as DNS traffic registered by the application. The FPC and the registered TCPIP activity help identify processes that do not utilize the Windows DNS Client Service (e.g. nslookup), since they are not logged in the DNS ETW.
- Execution integrity: It's currently not possible to delegate the privilege of executing applications in an elevated state to other users, meaning that if you want to run the application elevated you need to be signed in as the user with administrator rights.
Since WhoYouCalling requires elevated privileges to run (ETW + FPC), spawned processes naturally inherit the security token, making them possess the same integrity level, and the .NET API does not work too well with creating less privileged processes from an already elevated state. The best and most reliable approach was to duplicate the low privileged token of the desktop shell in an interactive logon (explorer.exe). However, there may be use cases in which WhoYouCalling is executed via a remote management tool like PowerShell, SSH or PsExec, where there is no instance of a desktop shell; in these cases you need to provide a username and password of a user that may execute it.
This project has been tested and works with .NET 8 using two NuGet packages, plus drivers for capturing network packets:
- FPC:
- ETW: Microsoft.Diagnostics.Tracing.TraceEvent
Follow these steps for compiling from source:
- Install .NET 8: Ensure .NET 8 is installed on your system.
- (Optional) Install Npcap: Download and install Npcap to enable packet capture in Windows. Note: Npcap is not required; you may provide the flag to disable packet capture when running the program.
- Clone the repository: Download the source code by cloning this repository:
git clone https://github.com/H4NM/WhoYouCalling.git
- Enter the project:
cd WhoYouCalling
- Install the related packages (SharpPcap and TraceEvent):
dotnet restore
- Build the project:
dotnet publish -c Release -r win-x64 --self-contained true
- Run it:
bin\Release\net8.0\win-x64\wyc.exe [arguments]...
- Refactor. Lots and lots to refactor and make more tidy :)
- Network graph visualizing the process tree and the summarized network traffic of each process
- IP and domain name lookup option to get reputation
- Process network redirect to proxy for TLS inspection