From ee2dd9233c5e5905649788cb8afff7b51ad2f2c6 Mon Sep 17 00:00:00 2001
From: hasherezade
Date: Mon, 2 Sep 2024 12:54:15 -0700
Subject: [PATCH] [FEATURE] In ETW: print the destination IP of the connection

---
 etw_listener.cpp | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/etw_listener.cpp b/etw_listener.cpp
index 5701d19..d5757e9 100644
--- a/etw_listener.cpp
+++ b/etw_listener.cpp
@@ -299,6 +299,18 @@ void printAllProperties(krabs::parser &parser)
 }
 }
 
+std::string ipv4FromDword(DWORD ip_dword)
+{
+ std::ostringstream oss;
+ unsigned int octet1 = (ip_dword >> 24) & 0xFF;
+ unsigned int octet2 = (ip_dword >> 16) & 0xFF;
+ unsigned int octet3 = (ip_dword >> 8) & 0xFF;
+ unsigned int octet4 = ip_dword & 0xFF;
+
+ oss << ip_dword & 0xFF << '.' << octet3 << '.' << octet2 << '.' << octet1;
+ return oss.str();
+}
+
 bool ETWstart()
 {
 krabs::kernel_trace trace(L"HollowsHunter");
@@ -374,9 +386,17 @@ bool ETWstart()
 krabs::parser parser(schema);
 std::uint32_t pid = parser.parse(L"PID");
 if (!isWatchedPid(pid)) return;
+
+ krabs::ip_address daddr = parser.parse(L"daddr");
+
 if (!g_hh_args.quiet) {
 const std::lock_guard stdOutLock(g_stdOutMutex);
- std::wcout << std::dec << pid << " : " << schema.task_name() << " : " << schema.opcode_name() << "\n";
+ std::wcout << std::dec << pid << " : " << schema.task_name() << " : " << schema.opcode_name();
+ if (!daddr.is_ipv6) {
+ long ipv4 = daddr.v4;
+ std::cout << " -> " << ipv4FromDword(ipv4);
+ }
+ std::wcout <<"\n";
 }
 runHHScan(pid);
 });
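Review bot: The stream statement in the new `ipv4FromDword` does not emit the first octet it computed: `oss << ip_dword & 0xFF << '.' << octet3 << …` parses as `(oss << ip_dword) & (0xFF << '.' << octet3 << …)` because `<<` binds tighter than `&`, so `octet4` is assigned but never used and the right-hand side is an integer shift chain rather than stream output. The intended line is `oss << octet4 << '.' << octet3 << '.' << octet2 << '.' << octet1;`. Printing the low byte first only yields the correct dotted quad if `ip_dword` holds the address as it sits in the event's `daddr` field (network byte order in memory), which should be stated and confirmed against the krabs `ip_address` definition, e.g. `// ip_dword is the raw daddr field (network byte order), so the low byte is the first octet`; this string is what an analyst reads in the scan output, so a reversed address is a real triage problem. `std::ostringstream` also needs `<sstream>` in scope, and the include block is outside this hunk, so verify it is present.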
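Review bot: `parser.parse(L"daddr")` now runs unconditionally for every watched-PID event, before the `quiet` check, so if any event reaching this callback lacks a `daddr` property the krabs parser will throw out of the handler and `runHHScan(pid)` never runs; which events arrive here is decided by provider setup outside the hunk, so this is a hedge, but a logging-only feature should not be able to abort the scan trigger. Moving the lookup inside `if (!g_hh_args.quiet)` and using the non-throwing form (`parser.try_parse(L"daddr", daddr)`, if the project's krabs version provides it) keeps the failure contained. The new line also interleaves `std::cout` with `std::wcout` on the same output line; mixing narrow and wide output on stdout is orientation-dependent and can drop or garble the IP on some runtimes, so emit the (ASCII) dotted quad through `std::wcout`. `long ipv4 = daddr.v4;` is a needless signed round-trip before the `DWORD` parameter — pass `daddr.v4` directly. IPv6 destinations are silently omitted, which a `// TODO: format daddr.v6` comment would at least make visible to the next reader.
```cpp
        if (!g_hh_args.quiet) {
            const std::lock_guard stdOutLock(g_stdOutMutex);
            std::wcout << std::dec << pid << " : " << schema.task_name() << " : " << schema.opcode_name();
            krabs::ip_address daddr;
            // daddr is only needed for the log line; a missing property must not abort the scan trigger
            if (parser.try_parse(L"daddr", daddr) && !daddr.is_ipv6) {
                const std::string ip = ipv4FromDword(daddr.v4);
                std::wcout << L" -> " << std::wstring(ip.begin(), ip.end());
            }
            // TODO: format daddr.v6 for IPv6 destinations
            std::wcout << L"\n";
        }
        // … unchanged: runHHScan(pid) …
```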