We require a command line executable and an injectable DLL to monitor a specified process's winsock activity and log it to a file.
Executable:
[login to view URL] -dll=[path to DLL] -log=[path to output log] -cmd=[path to executable] [command line arguments]
* Launches the executable specified by the cmd argument with the command line arguments specified.
* Injects the DLL into the process.
* Informs the DLL of the location of the log file (via IPC, the registry, or another mechanism).
[login to view URL]
This DLL is injected into the process.
It monitors winsock activity and logs this (and some other information) to the log.
It also records the process name, SHA256 checksum and file info during process start.
It also records when the process ends.
It also tracks name lookups.
## Deliverables
The log file content/format is critical to delivery, and an example has been included below:
(MSN Live/Messenger has been used as example data)
```text
[start]
PID: 2345
Time: (process start time here, in UTC time)
Image: [login to view URL]
Path: C:\Program Files\Windows Live\Messenger
File Description: Windows Live Messenger
File Version: 14.0.8117.416
Product Name: Windows Live Messenger
Size: 3872080
Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
[function]
Name: gethostbyname
Thread ID: 0
Time: (utc time)
Hostname: [login to view URL]
IP Address: [login to view URL], [login to view URL] (may be one or more than one result)
[function]
Name: Send
Thread ID: 455
Time: (time in UTC)
Socket ID: 4678
Local: [login to view URL] [localhost]. (IP is assumed always to be [login to view URL] unless it can be otherwise determined)
Remote: [login to view URL] [[login to view URL]] (remote IP and port, and last resolved hostname)
Size: (length of data in bytes)
Data: 00 BB FF CC 2A 00 41 (show entire buffer as space delimited hex).
[end]
Time: (process end time, in UTC time)
```
Many functions require host name/IP data to be logged. This may not be directly available and may need to be inferred from the available socket information. Therefore all host name resolution functions and connects/disconnects should be tracked and logged, so that this information is available when needed.
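As an added illustration (not part of this project posting or any bidder's code), the following Python sketch shows the inference described above: it parses the record format from the example log, remembers each IP address returned by a name-resolution record and the remote endpoint of each tracked connect, and uses both to fill in "remote IP:port [last resolved hostname]" on send/recv records that carry only a socket ID. The sample log, the IP addresses and the function names `parse_records` / `annotate_remote_hosts` are all constructed for this example.

```python
import re
# Constructed sample log in the spec's record format; values are made up, not from a real process.
SAMPLE_LOG = """[start]
PID: 2345
[function]
Name: gethostbyname
Hostname: messenger.example.test
IP Address: 203.0.113.10, 203.0.113.11
[function]
Name: Connect
Socket ID: 4678
Remote: 203.0.113.10:1863
[function]
Name: Send
Socket ID: 4678
Data: 56 45 52
[end]
"""
def parse_records(text):
    """Split the log into [start]/[function]/[end] records, each a dict of its 'Key: Value' lines."""
    records, cur = [], None
    for line in text.splitlines():
        m = re.fullmatch(r"\[(start|function|end)\]", line.strip())
        if m:
            cur = {"type": m.group(1)}
            records.append(cur)
        elif cur is not None and ": " in line:
            key, value = line.split(": ", 1)
            cur[key.strip()] = value.strip()
    return records
def annotate_remote_hosts(records):
    """Fill in 'Remote' (ip:port [hostname]) on data-transfer records from tracked lookups and connects."""
    ip_to_host = {}    # last hostname resolved to each IP (from name-resolution records)
    sock_remote = {}   # socket id -> remote ip:port (from tracked connects)
    for r in records:
        if r.get("type") != "function":
            continue
        name = r["Name"].lower()
        if name in ("gethostbyname", "getaddrinfo", "getaddrinfow"):
            for ip in r.get("IP Address", "").split(","):
                ip_to_host[ip.strip()] = r["Hostname"]
        elif name in ("connect", "wsaconnect", "connectex"):
            sock_remote[r["Socket ID"]] = r["Remote"]
        elif name == "closesocket":
            sock_remote.pop(r["Socket ID"], None)   # socket IDs are reused after close
        elif name in ("send", "recv", "wsasend", "wsarecv", "sendto", "recvfrom"):
            remote = r.get("Remote") or sock_remote.get(r["Socket ID"], "unknown")
            ip = remote.rsplit(":", 1)[0]
            r["Remote"] = f"{remote} [{ip_to_host.get(ip, 'unresolved')}]"
    return records
```

Dropping the tracked connect from the sample log makes the Send record fall back to "unknown [unresolved]", which is exactly the gap the tracking requirement is meant to close.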
The following winsock functions should be tracked. Each should be logged with a UTC timestamp, the name of the function, and the thread ID. Some require additional information to be logged:
Any functions not shown below should log only the basic information required above. This includes functions listed as obsolete (e.g. GetAddrInfo).
Async functions must, of course, be logged on the callback wherever the log requires that result data is saved.
* AcceptEx, ConnectEx
Include the following items in the log:
Socket ID, Local Port, Remote IP address/host/port.
Data Length ("size") if data was transmitted
Hex representation of the entire contents of the buffer if data was transmitted
* Accept, Bind, listen, CloseSocket, Connect, DisconnectEx, WSAAccept
Include the following items in the log:
Socket ID
Local Port, Remote IP address/host/port, wherever obtainable (from socket or from tracking connects/[login to view URL]).
* WSAConnectByList
Include the following items in the log:
Socket ID
Local Port, Remote IP address/host/port, wherever obtainable (from socket or from tracking connects/[login to view URL]).
Should include connection info for each item in the list (Named 'Remote1' 'Remote2' etc)
* getaddrinfo, GetAddrInfoW
Include the following items in the log:
Requested hostname, resolved IP address(es).
* GetAddrInfoEx, SetAddrInfoEx, WSAAsyncGetHostByName
Include the following items in the log:
Requested hostname, servicename/port, namespace (as a string representation of the constant rather than the constant itself), resolved IP address.
* recv, send, recvfrom, sendto, TransmitPackets,
* WSARecv, WSARecvEx, WSARecvDisconnect, WSARecvFrom, WSARecvMsg,
* WSASend, WSASendDisconnect, WSASendMsg, WSASendTo
Include the following items in the log:
Socket ID, Local Port, Remote IP address/host/port.
Data Length ("size") if data was transmitted
Hex representation of the entire contents of the buffer
* TransmitFile,
Include the following items in the log:
Filespec/name and checksum.
Socket ID, Local Port, Remote IP address/host/port.
Number of bytes to send
Number of bytes to write
(Data itself is not recorded)
* WSAConnect
Include the following items in the log:
Socket ID, Local Port, Remote IP address/host/port.
Data Length ("size") if data was transmitted
Hex representation of the entire contents of the buffer if data was transmitted
Data Length ("size") if data was received
Hex representation of the entire contents of the buffer if data was received
We will use this MSDN article as our reference:
[login to view URL]%28v=VS.85%[login to view URL]
Testing:
The application will be tested against MSN Live/Messenger, Internet Explorer 8, and Google Chrome 12.
Wireshark trace logs will be compared to the logs generated here to determine if the messages and data are as expected.
Windows Internals' Process Monitor logs will also be compared to the logs generated here to determine the accuracy of API call logging.
The project will be considered acceptable if there is a 90% correlation of tests and logs averaged across all three products.
* * *
This broadcast message was sent to all bidders on Thursday Jul 28, 2011 1:07:37 PM:
I have a lot of well-qualified looking reasonable bids to decide between. To help me pick the winner, please provide some additional information. I have other projects that depend on this one, so please provide your typical hourly rate (these are fixed projects, but it helps me estimate) and whether you are full time freelance or part time. I'll assume anyone who doesn't respond isn't likely to provide as much communication as the ongoing projects will need.