-
-
Notifications
You must be signed in to change notification settings - Fork 315
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add PID in ETW DNS event in the integration dll #1768
base: develop
Are you sure you want to change the base?
Conversation
📝 WalkthroughWalkthroughThe pull request introduces modifications to the Changes
Possibly related PRs
Suggested reviewers
📜 Recent review detailsConfiguration used: CodeRabbit UI 📒 Files selected for processing (1)
🚧 Files skipped from review as they are similar to previous changes (1)
Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media? 🪧 TipsChatThere are 3 ways to chat with CodeRabbit:
Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments. CodeRabbit Commands (Invoked using PR comments)
Other keywords and placeholders
CodeRabbit Configuration File (
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actionable comments posted: 0
🧹 Outside diff range and nitpick comments (2)
windows_core_dll/dllmain.cpp (1)
163-163
: Fix typo in function commentThe comment has a typo: "recourses" should be "resources".
- // PM_ETWFlushTrace Closes the session and frees recourses. + // PM_ETWFlushTrace Closes the session and frees resources.service/firewall/interception/dnsmonitor/eventlistener_windows.go (1)
82-82
: Consider documenting the new PID parameterWhile the unused parameter is correctly prefixed with underscore, it would be helpful to document why the PID parameter was added and any future plans for its usage.
-func (l *Listener) processEvent(domain string, _pid uint32, result string) { +// processEvent processes DNS events from ETW +// Parameters: +// domain: The DNS query domain name +// _pid: Process ID of the DNS query originator (reserved for future use) +// result: The DNS query result +func (l *Listener) processEvent(domain string, _pid uint32, result string) {
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
📒 Files selected for processing (3)
service/firewall/interception/dnsmonitor/etwlink_windows.go
(3 hunks)service/firewall/interception/dnsmonitor/eventlistener_windows.go
(1 hunks)windows_core_dll/dllmain.cpp
(4 hunks)
🔇 Additional comments (5)
windows_core_dll/dllmain.cpp (2)
25-25
: LGTM: Callback signature updated to include process ID
The callback type now includes the process ID parameter, properly typed as uint32_t.
82-82
: LGTM: Process ID correctly propagated from event header
The process ID is correctly retrieved from eventRecord->EventHeader.ProcessId and passed to the callback.
service/firewall/interception/dnsmonitor/etwlink_windows.go (2)
25-26
: LGTM: NewSession signature updated to include process ID
The function signature properly includes the process ID parameter, maintaining type consistency with the C++ layer.
38-39
: LGTM: Process ID correctly forwarded in callback
The Windows callback correctly forwards the process ID from C++ to Go without any type conversion issues.
service/firewall/interception/dnsmonitor/eventlistener_windows.go (1)
82-82
: Verify the impact of unused PID parameter
The PID parameter is currently unused. Consider if there are any immediate use cases for this information, such as:
- Logging the process information for debugging
- Filtering DNS queries based on process
- Security auditing
✅ Verification successful
Let me gather more context about the usage of PID in DNS monitoring and event handling.
Let me try a different approach to understand the DNS event handling implementation.
Keep the PID parameter for future DNS monitoring capabilities
The PID parameter should be retained as it's part of a broader DNS monitoring system:
- The ETW (Event Tracing for Windows) session explicitly collects PID information (
etwlink_windows.go
) - The codebase has infrastructure for PID-based DNS request tracking (
network/dns.go
) - While currently unused in
processEvent
, the PID parameter provides valuable context for potential future features like process-based DNS filtering or debugging
🏁 Scripts executed
The following scripts were executed for the analysis:
Script:
#!/bin/bash
# Check if PID is used in logging or filtering elsewhere in the codebase
rg -g '!vendor' 'pid.*dns|dns.*pid' .
Length of output: 564
Script:
#!/bin/bash
# Check for PID usage in DNS monitoring and event handling
ast-grep --pattern 'func $_($_ *Listener) processEvent(domain string, pid uint32, $_) {
$$$
}'
# Check for other DNS event handling with PID
rg -g '!vendor' -B 2 -A 2 'processEvent.*pid.*domain|domain.*pid.*processEvent' .
Length of output: 182
Script:
#!/bin/bash
# Look for DNS event handling implementations
rg -g '!vendor' -B 3 -A 3 'type.*Listener.*struct|func.*Listener.*Event' .
# Check for any PID usage in the DNS monitor package
fd . -t f -e go | grep -i dns | xargs rg 'pid'
Length of output: 4418
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Copilot reviewed 2 out of 3 changed files in this pull request and generated no suggestions.
Files not reviewed (1)
- windows_core_dll/dllmain.cpp: Language not supported
Comments skipped due to low confidence (2)
service/firewall/interception/dnsmonitor/etwlink_windows.go:25
- Corrected spelling of 'initilizes' to 'initializes' and 'DestorySession' to 'DestroySession'.
// NewSession creates new ETW event listener and initializes it. This is a low level interface, make sure to call DestroySession when you are done using it.
service/firewall/interception/dnsmonitor/etwlink_windows.go:86
- Corrected spelling of 'stopes' to 'stops'.
// StopTrace stops the trace. This will cause StartTrace to return.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Copilot reviewed 5 out of 6 changed files in this pull request and generated no comments.
Files not reviewed (1)
- windows_core_dll/dllmain.cpp: Language not supported
Comments suppressed due to low confidence (1)
service/firewall/interception/dnsmonitor/eventlistener_windows.go:85
- The
pid
parameter should be validated before use to ensure it is a valid process ID.
func (l *Listener) processEvent(domain string, pid uint32, result string) {
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actionable comments posted: 0
🧹 Nitpick comments (2)
service/network/connection.go (1)
541-543
: LGTM! Consider reducing code duplication in domain lookup retries.The changes correctly implement profile scope-based domain lookup with proper fallback to global scope. The implementation effectively handles Windows-specific behavior.
Consider extracting the domain lookup logic into a helper function to reduce code duplication:
+func tryGetIPInfo(profileScope, ip string) (*resolver.IPInfo, error) { + // Try with profile scope first + ipinfo, err := resolver.GetIPInfo(profileScope, ip) + if err != nil { + // Try again with the global scope + ipinfo, err = resolver.GetIPInfo(resolver.IPInfoProfileScopeGlobal, ip) + } + return ipinfo, err +} func (conn *Connection) GatherConnectionInfo(pkt packet.Packet) (err error) { // ... - profileScope := conn.process.Profile().LocalProfile().ID - ipinfo, err := resolver.GetIPInfo(profileScope, pkt.Info().RemoteIP().String()) - if err != nil { - ipinfo, err = resolver.GetIPInfo(resolver.IPInfoProfileScopeGlobal, pkt.Info().RemoteIP().String()) - } + profileScope := conn.process.Profile().LocalProfile().ID + ipinfo, err := tryGetIPInfo(profileScope, pkt.Info().RemoteIP().String()) if runtime.GOOS == "windows" && err != nil { // ... for i := range 4 { // ... - ipinfo, err = resolver.GetIPInfo(profileScope, pkt.Info().RemoteIP().String()) - if err == nil { - log.Tracer(pkt.Ctx()).Debugf("network: found domain with scope (%s) from dnsmonitor after %d tries", profileScope, i+1) - break - } - ipinfo, err = resolver.GetIPInfo(resolver.IPInfoProfileScopeGlobal, pkt.Info().RemoteIP().String()) + ipinfo, err = tryGetIPInfo(profileScope, pkt.Info().RemoteIP().String()) if err == nil { + log.Tracer(pkt.Ctx()).Debugf("network: found domain with scope (%s) from dnsmonitor after %d tries", profileScope, i+1) break } // ... } } // ... }Also applies to: 559-564
service/firewall/interception/dnsmonitor/eventlistener_windows.go (1)
85-85
: LGTM! Consider adding error logging for process lookup failures.The changes correctly integrate the process ID parameter and profile scope handling. The implementation properly initializes the profile scope and maintains good error handling.
Consider logging process lookup errors to help with debugging:
func (l *Listener) processEvent(domain string, pid uint32, result string) { // ... profileScope := resolver.IPInfoProfileScopeGlobal - if proc, err := process.GetOrFindProcess(context.Background(), int(pid)); err == nil { + if proc, err := process.GetOrFindProcess(context.Background(), int(pid)); err != nil { + log.Debugf("dnsmonitor: failed to get process for PID %d: %s", pid, err) + } else { profileScope = proc.Profile().LocalProfile().ID } // ... }Also applies to: 96-99, 125-125
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (4)
service/firewall/interception/dnsmonitor/eventlistener_linux.go
(1 hunks)service/firewall/interception/dnsmonitor/eventlistener_windows.go
(4 hunks)service/firewall/interception/dnsmonitor/module.go
(2 hunks)service/network/connection.go
(2 hunks)
⏰ Context from checks skipped due to timeout of 90000ms (1)
- GitHub Check: Test & Build
🔇 Additional comments (2)
service/firewall/interception/dnsmonitor/module.go (1)
64-64
: LGTM! The profile scope parameter addition is well-integrated.The changes correctly integrate the new
profileScope
parameter into the domain saving logic, maintaining consistency with both Linux and Windows event listeners.Also applies to: 78-78
service/firewall/interception/dnsmonitor/eventlistener_linux.go (1)
144-144
: LGTM! Consistent use of global profile scope for Linux systems.The change correctly uses
resolver.IPInfoProfileScopeGlobal
for Linux systems, maintaining platform-specific behavior.
Summary by CodeRabbit
New Features
Bug Fixes