Releases: H4NM/WhoYouCalling
WhoYouCalling v1.4 📄🛠️
This release mainly adresses issues such as race conditions and mapping of processes. I've also added a summary text file that provides with a slight overview of all of the processes that have network activity and the entire monitoring session. It can be useful for when there are a lot of processes with network activity and its faster to review one file than reviewing multiple folders.
✨ Features
- Added a monitoring summary text file
📄 Changes
- Change compiled executable name from
WhoYouCalling.exetowyc.exe- its a cli tool after all :-) - Changed file names to be shorter and more concise
- Remove JSON flag and create the JSON file regardless to avoid scenarios of missing crucial data.
- Change default process name when unable to sucesfully map it
- Added a spinner wheel to filtering processes
- Changed default values for process start and stop time, and executable name to null for cleaner and consistent data output
- Added github actions to ensure that wyc can be compiled from the source code
- Updated and cleaned up README to reflect the changes
- Refactoring and cleaning code
🛠️ Fixes:
- Fix so that the DNS wireshark filter folder is not created if there are no wireshark filters to be created
- Fix issue where entire BPF filter was not written to file
- Solve issue with short lived processes that perform DNS queries that do not have process names included.
- Solve issue where the DNS ETW event registers the process PID before the process start ETW does, causes for adding a process twice.
- Implement fix against race condition issue with short lived processes that perform DNS queries as they're labeled as unmapped processes.
- This is done by checking if the unmapped process has the same PID as the correctly mapped process and if it was added to monitoring close to the same time
- Solve issue for possible duplicate processname, indicating they're the same process, although launched separately and happend to get the same PID. Likely hood is very small but it could happen that would make results add to the same process even though they're separate.
🚀 Next up:
-
Adress code that produces build warnings - Add IP and domain lookup for analysis. This will also be complemented by a network graph visualization to see the entire hierarchy of processes and child processes and the related DNS queries and TCP activity
If you have any suggestions, feedback or bug reports. I'd love to hear them
Get-FileHash -path .\WhoYouCalling-1.4*-selfcontained.zip -algo sha256
Algorithm Hash Path
--------- ---- ----
SHA256 91B578CA10707B68D7D71116E2FD914B2C090D190FE3991AB518D8C856CF84BC WhoYouCalling-1.4-x64-selfcontained.zip
SHA256 4A8B8C9DE18D436ACFE54A7EFD93089790B4B282832E98E7A7E21C1D2A3631E6 WhoYouCalling-1.4-x86-selfcontained.zip
WhoYouCalling v1.3.2 💡
Features ✨:
- Added third monitoring option called illuminate. By passing capital i flag (-I), WhoYouCalling records every TCPIP and DNS activity made by every running process on the machine. Can be used with packet capture. Ideally used for incident response, or simply when you're bored or curious for what processes are doing on your machine. This option is currently experimental so please report any issues that you may experience.
- Changed the flag from
--execnamesto--nameswhere a case insensitive pattern can be applied being checked towards processname and executable file name. - Enriched console output with spinner wheel and line indicating how many processes are being processed for outputting their results.
(Updated the release for v1.3.1 and v1.3.2 to remove creating a filtered pcap based on the network traffic for all processes when using illuminate since that's not needed. I recommend using-sor--savefullpcapfor retaining pcap with including traffic. Also added fail-safe handling for cataloging events that may be subjected to rare race condition events.
Get-FileHash -path .\WhoYouCalling-1.3*-selfcontained.zip -algo sha256
Algorithm Hash Path
--------- ---- ----
SHA256 1EF5FA3D51BA2282C9C709B7DECC48E896DF79C589729C86FC353D0DC6A0C712 WhoYouCalling-1.3.2-x64-selfcontained.zip
SHA256 6D1BD2E1E5A2497CD3CC22C92C87D224880221CD08D7711A83AF11713833400F WhoYouCalling-1.3.2-x86-selfcontained.zipWhoYouCalling v1.2 🛰️
Features ✨
- A Wireshark filter is created per DNS response. In other words, when a process wants to communicate with example-domain.com, a DNS request is made for that domain to retrieve an IP-adresses to communicate with. The response for that requests, if it includes an IP-adress or more, will result in a Wireshark filter. This can be used with a generated pcap for that process, further helping in analysing process telemetry.
- Added the command line of started processes. This provides additional insight to the use and intent of spawned processes, which may also fill in some gaps where some endpoints are communicated with or domain names being resolved.
- Add output of assigned IP-adresses to interfaces to make it easier identify which interface to monitor for packet capture.
Get-FileHash -path .\WhoYouCalling-1.2-*-selfcontained.zip -algo sha256
Algorithm Hash Path
--------- ---- ----
SHA256 081AFC562CC9618C4CACE4A3407FF01BC374A9F2D8151266E62878F18EB63781 WhoYouCalling-1.2-x64-s...
SHA256 94F69313A677F7D33FCC1229C668326230A7DFDF3E8ADAC597E1E759F1722855 WhoYouCalling-1.2-x86-s...#WhyMyLsassPingingReddit 
WhoYouCalling v1.1.1 🛠️
Added functionality to run without npcap drivers. This will of course not allow for packet capture, but it makes WhoYouCalling more lightweight and suitable for the cases where only understanding IF a process is reaching out and where is of importance, rather than seeing exactly what is being sent and/or received. To run without packet capture simply append the flag --nopcap. However, if you want packet capture, you can download the npcap drivers from here: https://npcap.com/#download
In the future only major and minor version updates will include release files. This was an exception as making the npcap drivers optional was worth the new release.
Get-FileHash -path .\WhoYouCalling-1.1.1-*-selfcontained.zip -algo sha256
Algorithm Hash Path
--------- ---- ----
SHA256 ABBEBD8DFB1F15782E84DDBE8B3B9E412A385CE98FD304F5C7E3FED85D59E178 WhoYouCalling-1.1.1-x64-s...
SHA256 5CA6BA74DC5487BD4B98395FFE91D54E280D1E79F1C01AA7519D2B87E9A8E5B8 WhoYouCalling-1.1.1-x86-s...WhoYouCalling v1.1 🚀
Notable changes are the addition of two arguments. One for executing applications in an elevated state and the second being able to run them as another user. Please read the limitations part in the README.md to see exactly how it works. Also changed the flag of specifying the PID to captial P rather than lower case in order to conform to some form of standardization when providing username and password (-u and -p).
Note: To run WhoYoucalling, you need to have npcap installed on Windows. Download --> https://npcap.com/#download. If it's not installed it will complain that wpcap.dll is missing.
Get-FileHash -path .\WhoYouCalling-1.1-*-selfcontained.zip -algo sha256
Algorithm Hash Path
--------- ---- ----
SHA256 0AEDAFAB8EB49859C2C3C784648EE623EC51D50D2DB9925A7243746E1B0A4FCB WhoYouCalling-1.1-x64-selfcontained.zip
SHA256 2A3EE815BA688FD1E29ADE9C4EBFFCE6861DC8293D188C0101208F829EDC77E1 WhoYouCalling-1.1-x86-selfcontained.zipWhoYouCalling v1.0
First Release ✨ (1.0)
Note: You need to have npcap installed on Windows before running. Download --> https://npcap.com/#download. If it's not installed it will complain that wpcap.dll is missing.
In the future single binaries with statically packed libraries will be provided. The following releases are self contained and should be ready to for direct use.
sha256
WhoYouCalling-1.0-x64-selfcontained.zip: 9DBE3CAF6B01B2468727BB9D002613AD630BDD50FCC9D3E4153A9B13AE63417E
WhoYouCalling-1.0-x86-selfcontained.zip: EDEE00DC1D0B51AAC0295806AB68FB979E2B13A55E7197213E83A63C50A6742E