Tuesday 24 September 2013

DNSLogger

Apparently, there's no built-in utility to log DNS requests in non-server editions of Windows, and I cannot seem to find any third-party tools either.

The aim here is to run a scheduled task at log on that would log DNS queries.

A simple way would be to run dumpcap (roughly the command-line Wireshark) with arguments from Task Scheduler. But that results in an ugly console window that pops up and stays on your screen for the remainder of your session. dumpcap also writes its capture to a file in the temp directory, which has a tendency to get wiped. You can specify a filename with the -w flag, but that is only useful for a single run.

Python wouldn't really help me here*. I turned to C#, in which I haven't written anything before, so that should help.

A console app's window can be hidden by setting the Output type property to Windows Application in the project properties.

Processes can be started using System.Diagnostics.Process. They can be hidden too:

// proc is a System.Diagnostics.Process field of the wrapper class
proc = new System.Diagnostics.Process();
// hide the console window of the launched dumpcap
proc.StartInfo.WindowStyle = System.Diagnostics.ProcessWindowStyle.Hidden;

So, dumpcap's console window is also handled.

Now to restart dumpcap whenever it unexpectedly terminates:

DNSLogger logger = new DNSLogger();
logger.createProc();          // start dumpcap once
while (true)
{
    logger.proc.WaitForExit();  // block until dumpcap exits for any reason
    logger.createProc();        // then start it again
}

I cannot say if this is neat, but it works.

Finally, a basic task can be added in Windows Task Scheduler to run the executable at log on.
I suppose this can be useful during malware analysis over multiple sessions and a prolonged duration.
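Putting the pieces together, as an added example that is not the blog's code (the dumpcap path, interface number and output directory are assumed placeholders): the wrapper hides dumpcap, restricts the capture to port 53 with a capture filter, writes a ring buffer into a directory that is not wiped like temp, and backs off if dumpcap exits immediately so the restart loop cannot spin.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Threading;

// Hidden dumpcap wrapper: capture only DNS traffic into a ring buffer of
// files in a stable directory, and restart dumpcap whenever it exits.
class DnsLogger
{
    // Assumed values; adjust for the target machine (`dumpcap -D` lists interfaces).
    const string DumpcapPath = @"C:\Program Files\Wireshark\dumpcap.exe";
    const string Interface = "1";
    static readonly string OutDir = Path.Combine(
        Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData), "DNSLogger");
    public Process Proc { get; private set; }
    DateTime lastStart;

    public void CreateProc()
    {
        Directory.CreateDirectory(OutDir);
        string outFile = Path.Combine(OutDir, "dns.pcapng");
        Proc = new Process();
        Proc.StartInfo.FileName = DumpcapPath;
        // -f: BPF capture filter, so only DNS (port 53) packets are written.
        // -b: ring buffer of 20 x 10 MB per run, with timestamped file names,
        // so a restart never overwrites the captures of an earlier run.
        Proc.StartInfo.Arguments = string.Format(
            "-i {0} -f \"udp port 53 or tcp port 53\" -b filesize:10240 -b files:20 -w \"{1}\" -q",
            Interface, outFile);
        Proc.StartInfo.UseShellExecute = false;
        Proc.StartInfo.CreateNoWindow = true;   // no console window without ShellExecute
        Proc.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;
        lastStart = DateTime.UtcNow;
        Proc.Start();
    }

    static void Main()
    {
        var logger = new DnsLogger();
        logger.CreateProc();
        while (true)
        {
            logger.Proc.WaitForExit();
            // dumpcap dying at once (bad interface, missing capture driver) would
            // otherwise turn the restart loop into a busy loop; back off first.
            if ((DateTime.UtcNow - logger.lastStart).TotalSeconds < 5)
                Thread.Sleep(TimeSpan.FromSeconds(30));
            logger.CreateProc();
        }
    }
}
```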

Source is up on GitHub.

* You could possibly make it work using wxPython / Tkinter, etc. But it would be too much work for such a small project. Besides, for distribution purposes, the compiled (py2exe, PyInstaller) binary would be huge compared to one produced by C#.
