Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add PID in ETW DNS event in the integration dll #1768

Open
wants to merge 3 commits into
base: develop
Choose a base branch
from

Conversation

vlabo
Copy link
Member

@vlabo vlabo commented Dec 6, 2024

Summary by CodeRabbit

  • New Features

    • Enhanced callback functionality in the DNS monitor to include process ID information for improved event handling.
    • Updated domain saving mechanism to incorporate dynamic profile scope.
    • Improved retrieval of domain information related to connection's remote IP by isolating profile scope.
  • Bug Fixes

    • Corrected minor typos in comments for better clarity and documentation accuracy.

Copy link
Contributor

coderabbitai bot commented Dec 6, 2024

📝 Walkthrough

Walkthrough

The pull request introduces modifications to the dnsmonitor package, enhancing the NewSession function and the processEvent method to accept an additional process ID parameter. The callback functions are updated to accommodate this change, allowing for more detailed event handling. Similar updates are made in the dllmain.cpp file and the processAnswer method in the Linux version of the listener. Minor corrections to comments are included to improve clarity. These changes refine the callback mechanism while maintaining the existing functionality of the DNS monitoring process.

Changes

File Path Change Summary
service/firewall/interception/dnsmonitor/etwlink_windows.go Updated NewSession function signature to include pid parameter. Modified internal callback to handle pid. Minor comment corrections.
service/firewall/interception/dnsmonitor/eventlistener_windows.go Updated processEvent method signature to include pid parameter. Adjusted logic to use pid for profile scope. Minor comment corrections.
windows_core_dll/dllmain.cpp Modified GoEventRecordCallback type signature to include pid. Updated EventRecordCallback function to pass pid. Minor comment corrections.
service/firewall/interception/dnsmonitor/eventlistener_linux.go Updated call to saveDomain in processAnswer method to include profileScope. No changes to logic.
service/firewall/interception/dnsmonitor/module.go Updated saveDomain function signature to include profileScope parameter. Adjusted internal calls accordingly.
service/network/connection.go Enhanced GatherConnectionInfo method to use a variable for profileScope. Improved DNS resolution handling.

Possibly related PRs

  • Fix Missing dll failure #1763: The changes in this PR also modify the NewSession function in the dnsmonitor package, updating its signature to accept a pointer to ETWFunctions, which is related to the changes made in the main PR that also involve modifications to the NewSession function.

Suggested reviewers

  • dhaavi

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 14e21e4 and 32a4dbe.

📒 Files selected for processing (1)
  • service/firewall/interception/dnsmonitor/eventlistener_windows.go (4 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • service/firewall/interception/dnsmonitor/eventlistener_windows.go

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share
🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

  • Review comments: Directly reply to a review comment made by CodeRabbit. Example:
    • I pushed a fix in commit <commit_id>, please review it.
    • Generate unit testing code for this file.
    • Open a follow-up GitHub issue for this discussion.
  • Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
    • @coderabbitai generate unit testing code for this file.
    • @coderabbitai modularize this function.
  • PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
    • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
    • @coderabbitai read src/utils.ts and generate unit testing code.
    • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
    • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

  • @coderabbitai pause to pause the reviews on a PR.
  • @coderabbitai resume to resume the paused reviews.
  • @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
  • @coderabbitai full review to do a full review from scratch and review all the files again.
  • @coderabbitai summary to regenerate the summary of the PR.
  • @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
  • @coderabbitai resolve resolve all the CodeRabbit review comments.
  • @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
  • @coderabbitai help to get help.

Other keywords and placeholders

  • Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
  • Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
  • Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

  • You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
  • Please see the configuration documentation for more information.
  • If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

  • Visit our Documentation for detailed information on how to use CodeRabbit.
  • Join our Discord Community to get help, request features, and share feedback.
  • Follow us on X/Twitter for updates and announcements.

Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (2)
windows_core_dll/dllmain.cpp (1)

163-163: Fix typo in function comment

The comment has a typo: "recourses" should be "resources".

-    // PM_ETWFlushTrace Closes the session and frees recourses.
+    // PM_ETWFlushTrace Closes the session and frees resources.
service/firewall/interception/dnsmonitor/eventlistener_windows.go (1)

82-82: Consider documenting the new PID parameter

While the unused parameter is correctly prefixed with underscore, it would be helpful to document why the PID parameter was added and any future plans for its usage.

-func (l *Listener) processEvent(domain string, _pid uint32, result string) {
+// processEvent processes DNS events from ETW
+// Parameters:
+//   domain: The DNS query domain name
+//   _pid: Process ID of the DNS query originator (reserved for future use)
+//   result: The DNS query result
+func (l *Listener) processEvent(domain string, _pid uint32, result string) {
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 6e173e3 and 00f6103.

📒 Files selected for processing (3)
  • service/firewall/interception/dnsmonitor/etwlink_windows.go (3 hunks)
  • service/firewall/interception/dnsmonitor/eventlistener_windows.go (1 hunks)
  • windows_core_dll/dllmain.cpp (4 hunks)
🔇 Additional comments (5)
windows_core_dll/dllmain.cpp (2)

25-25: LGTM: Callback signature updated to include process ID

The callback type now includes the process ID parameter, properly typed as uint32_t.


82-82: LGTM: Process ID correctly propagated from event header

The process ID is correctly retrieved from eventRecord->EventHeader.ProcessId and passed to the callback.

service/firewall/interception/dnsmonitor/etwlink_windows.go (2)

25-26: LGTM: NewSession signature updated to include process ID

The function signature properly includes the process ID parameter, maintaining type consistency with the C++ layer.


38-39: LGTM: Process ID correctly forwarded in callback

The Windows callback correctly forwards the process ID from C++ to Go without any type conversion issues.

service/firewall/interception/dnsmonitor/eventlistener_windows.go (1)

82-82: Verify the impact of unused PID parameter

The PID parameter is currently unused. Consider if there are any immediate use cases for this information, such as:

  • Logging the process information for debugging
  • Filtering DNS queries based on process
  • Security auditing
✅ Verification successful

Let me gather more context about the usage of PID in DNS monitoring and event handling.


Let me try a different approach to understand the DNS event handling implementation.


Keep the PID parameter for future DNS monitoring capabilities

The PID parameter should be retained as it's part of a broader DNS monitoring system:

  • The ETW (Event Tracing for Windows) session explicitly collects PID information (etwlink_windows.go)
  • The codebase has infrastructure for PID-based DNS request tracking (network/dns.go)
  • While currently unused in processEvent, the PID parameter provides valuable context for potential future features like process-based DNS filtering or debugging
🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check if PID is used in logging or filtering elsewhere in the codebase
rg -g '!vendor' 'pid.*dns|dns.*pid' .

Length of output: 564


Script:

#!/bin/bash
# Check for PID usage in DNS monitoring and event handling
ast-grep --pattern 'func $_($_ *Listener) processEvent(domain string, pid uint32, $_) {
  $$$
}'

# Check for other DNS event handling with PID
rg -g '!vendor' -B 2 -A 2 'processEvent.*pid.*domain|domain.*pid.*processEvent' .

Length of output: 182


Script:

#!/bin/bash
# Look for DNS event handling implementations
rg -g '!vendor' -B 3 -A 3 'type.*Listener.*struct|func.*Listener.*Event' .

# Check for any PID usage in the DNS monitor package
fd . -t f -e go | grep -i dns | xargs rg 'pid'

Length of output: 4418

@vlabo vlabo requested a review from Copilot December 12, 2024 08:07

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot reviewed 2 out of 3 changed files in this pull request and generated no suggestions.

Files not reviewed (1)
  • windows_core_dll/dllmain.cpp: Language not supported
Comments skipped due to low confidence (2)

service/firewall/interception/dnsmonitor/etwlink_windows.go:25

  • Corrected spelling of 'initilizes' to 'initializes' and 'DestorySession' to 'DestroySession'.
// NewSession creates new ETW event listener and initializes it. This is a low level interface, make sure to call DestroySession when you are done using it.

service/firewall/interception/dnsmonitor/etwlink_windows.go:86

  • Corrected spelling of 'stopes' to 'stops'.
// StopTrace stops the trace. This will cause StartTrace to return.
@vlabo vlabo requested a review from Copilot January 15, 2025 14:05

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot reviewed 5 out of 6 changed files in this pull request and generated no comments.

Files not reviewed (1)
  • windows_core_dll/dllmain.cpp: Language not supported
Comments suppressed due to low confidence (1)

service/firewall/interception/dnsmonitor/eventlistener_windows.go:85

  • The pid parameter should be validated before use to ensure it is a valid process ID.
func (l *Listener) processEvent(domain string, pid uint32, result string) {
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 0

🧹 Nitpick comments (2)
service/network/connection.go (1)

541-543: LGTM! Consider reducing code duplication in domain lookup retries.

The changes correctly implement profile scope-based domain lookup with proper fallback to global scope. The implementation effectively handles Windows-specific behavior.

Consider extracting the domain lookup logic into a helper function to reduce code duplication:

+func tryGetIPInfo(profileScope, ip string) (*resolver.IPInfo, error) {
+    // Try with profile scope first
+    ipinfo, err := resolver.GetIPInfo(profileScope, ip)
+    if err != nil {
+        // Try again with the global scope
+        ipinfo, err = resolver.GetIPInfo(resolver.IPInfoProfileScopeGlobal, ip)
+    }
+    return ipinfo, err
+}

 func (conn *Connection) GatherConnectionInfo(pkt packet.Packet) (err error) {
     // ...
-    profileScope := conn.process.Profile().LocalProfile().ID
-    ipinfo, err := resolver.GetIPInfo(profileScope, pkt.Info().RemoteIP().String())
-    if err != nil {
-        ipinfo, err = resolver.GetIPInfo(resolver.IPInfoProfileScopeGlobal, pkt.Info().RemoteIP().String())
-    }
+    profileScope := conn.process.Profile().LocalProfile().ID
+    ipinfo, err := tryGetIPInfo(profileScope, pkt.Info().RemoteIP().String())

     if runtime.GOOS == "windows" && err != nil {
         // ...
         for i := range 4 {
             // ...
-            ipinfo, err = resolver.GetIPInfo(profileScope, pkt.Info().RemoteIP().String())
-            if err == nil {
-                log.Tracer(pkt.Ctx()).Debugf("network: found domain with scope (%s) from dnsmonitor after %d tries", profileScope, i+1)
-                break
-            }
-            ipinfo, err = resolver.GetIPInfo(resolver.IPInfoProfileScopeGlobal, pkt.Info().RemoteIP().String())
+            ipinfo, err = tryGetIPInfo(profileScope, pkt.Info().RemoteIP().String())
             if err == nil {
+                log.Tracer(pkt.Ctx()).Debugf("network: found domain with scope (%s) from dnsmonitor after %d tries", profileScope, i+1)
                 break
             }
             // ...
         }
     }
     // ...
 }

Also applies to: 559-564

service/firewall/interception/dnsmonitor/eventlistener_windows.go (1)

85-85: LGTM! Consider adding error logging for process lookup failures.

The changes correctly integrate the process ID parameter and profile scope handling. The implementation properly initializes the profile scope and maintains good error handling.

Consider logging process lookup errors to help with debugging:

 func (l *Listener) processEvent(domain string, pid uint32, result string) {
     // ...
     profileScope := resolver.IPInfoProfileScopeGlobal
-    if proc, err := process.GetOrFindProcess(context.Background(), int(pid)); err == nil {
+    if proc, err := process.GetOrFindProcess(context.Background(), int(pid)); err != nil {
+        log.Debugf("dnsmonitor: failed to get process for PID %d: %s", pid, err)
+    } else {
         profileScope = proc.Profile().LocalProfile().ID
     }
     // ...
 }

Also applies to: 96-99, 125-125

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 00f6103 and 14e21e4.

📒 Files selected for processing (4)
  • service/firewall/interception/dnsmonitor/eventlistener_linux.go (1 hunks)
  • service/firewall/interception/dnsmonitor/eventlistener_windows.go (4 hunks)
  • service/firewall/interception/dnsmonitor/module.go (2 hunks)
  • service/network/connection.go (2 hunks)
⏰ Context from checks skipped due to timeout of 90000ms (1)
  • GitHub Check: Test & Build
🔇 Additional comments (2)
service/firewall/interception/dnsmonitor/module.go (1)

64-64: LGTM! The profile scope parameter addition is well-integrated.

The changes correctly integrate the new profileScope parameter into the domain saving logic, maintaining consistency with both Linux and Windows event listeners.

Also applies to: 78-78

service/firewall/interception/dnsmonitor/eventlistener_linux.go (1)

144-144: LGTM! Consistent use of global profile scope for Linux systems.

The change correctly uses resolver.IPInfoProfileScopeGlobal for Linux systems, maintaining platform-specific behavior.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant