Skip to content

A simple example application to collect DNS queries logs using etw-api

Notifications You must be signed in to change notification settings

asgarciap/etw-dns

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

15 Commits
 
 
 
 

Repository files navigation

etw-dns

Simple Windows console application that listen for DNS resolutions events using the ETW Win32 API.

The application opens a real time event session and register to the Microsoft-Windows-DNS-Client providers to wait for DNS related events. It generates two log files app.log with application specific logs and audit.log where it write every query performed in the OS.

It also store some statistics and print them out to stdout every 5 seconds and when finishing the application, with a summary of the total queries intercepted, the top 10 most resolved domains and the top 10 most active process resolving DNS queries.

app.log output example

[INFO][2020-04-24.13:54:53] - Starting Agentx Application
[INFO][2020-04-24.13:54:53] - Starting Microsoft-Windows-DNS-Client sensor
[INFO][2020-04-24.13:54:53] - Event trace session succesfully started
[INFO][2020-04-24.13:54:53] - Event provider succesfully enabled in event trace session.
[INFO][2020-04-24.13:54:53] - Sensor Microsoft-Windows-DNS-Client started.
[DEBUG][2020-04-24.13:54:55] - Event ID: 3006
[DEBUG][2020-04-24.13:54:55] - Event Time: 04/24/2020 13:54:53.548885500
[DEBUG][2020-04-24.13:54:55] - Received DNS Event generated by ProcessId: 16388
[DEBUG][2020-04-24.13:54:55] - QueryName: checkappexec.microsoft.com performed by [16388] smartscreen.exe
[DEBUG][2020-04-24.13:54:55] - Event ID: 3006
[DEBUG][2020-04-24.13:54:55] - Event Time: 04/24/2020 13:54:53.548924100
[DEBUG][2020-04-24.13:54:55] - Received DNS Event generated by ProcessId: 16388
[DEBUG][2020-04-24.13:54:55] - QueryName: checkappexec.microsoft.com performed by [16388] smartscreen.exe
[DEBUG][2020-04-24.13:54:55] - Event ID: 3008
[DEBUG][2020-04-24.13:54:55] - Event Time: 04/24/2020 13:54:53.548930700
[DEBUG][2020-04-24.13:54:55] - Received DNS Event generated by ProcessId: 16388
[DEBUG][2020-04-24.13:54:55] - QueryName: checkappexec.microsoft.com performed by [16388] smartscreen.exe

audit.log output example

[AUDIT][2020-04-24.13:54:55] - QueryName: checkappexec.microsoft.com performed by [16388] smartscreen.exe
[AUDIT][2020-04-24.13:54:55] - QueryName: checkappexec.microsoft.com performed by [16388] smartscreen.exe
[AUDIT][2020-04-24.13:54:55] - QueryName: checkappexec.microsoft.com performed by [16388] smartscreen.exe

Statistics Summary

DNS Sensor Info
{
        Total Queries Received: 103
        Total Process Generating Queries: 6
        TOP Most Queried Domains:
                26% - vortex.data.microsoft.com : 27
                19% - checkappexec.microsoft.com : 20
                13% - presence.teams.microsoft.com : 14
                13% - play.google.com : 14
                13% - drive.google.com : 14
                8% - wpad : 9
                4% - clients4.google.com : 5
        TOP Most Active Process:
                76% - [PID: 3068] : 79
                7% - [PID: 8128] : 8
                5% - chrome.exe : 6
                3% - smartscreen.exe : 4
                3% - [PID: 16060] : 4
                1% - Teams.exe : 2
}

Running the application

To start the application just run the compiled process as an Administrator, to stop collecting logs just use CTRL+C

Compiling

A Visual Studio 2019 solution and project is available within the source code, just use it to compile the project.

Limitations and assumptions

The DNS Provider UUID is hardcoded and should be the same across all Windows versions, but in case it registered internally with a different UUID this wont work out of the box as this value needs to be updated. The application opens a real time mode trace session, so keep in mind this note taken from MS docs:

Only users with administrative privileges, users in the Performance Log Users group, and applications running as LocalSystem, > LocalService, NetworkService can consume events in real time. To grant a restricted user the ability to consume events in real time, add them to the Performance Log Users group

About

A simple example application to collect DNS queries logs using etw-api

Topics

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages