About filtering DNS queries in WFP

Hi, I'm using WFP to block DNS queries. I had set a condition of UDP port 53, and then I catch all of the DNS queries, but when I check the process path of these queries, I found that the result is all svchost. I really want the real process. If I don't want to disable DNSCache (DNS Client), what else can I do to get the real process path?
Thanks…

AFAIK, nothing.

There is certainly no systemic way to do this. And there is probably no good reason why you would want to, but if there is a certain process that you want to provide false DNS responses to, then UM hooks would be by far the easiest way. I don't think I need to provide any further hints on how to do that, but if you have another goal, please let us know and we can probably help you.

@MBond2 said:
There is certainly no systemic way to do this. And there is probably no good reason why you would want to, but if there is a certain process that you want to provide false DNS responses to, then UM hooks would be by far the easiest way. I don't think I need to provide any further hints on how to do that, but if you have another goal, please let us know and we can probably help you.

Thanks. I'm writing a sandbox program (just like Sandboxie). I hope that when a process queries DNS, I can block the query inside the sandbox and permit it outside the sandbox, so I need to get the real process ID of the DNS query. I know that disabling the DNSCache service can do it, but I can't disable it; it will affect the performance of DNS queries… Can you help me?

Use a hypervisor or don't try.

@MBond2 said:
Use a hypervisor or don't try.

Thank you. Finally, I decided to hook the DNS API to resolve this problem…
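An added example, not from this thread or from any of its participants: WFP sees the DNS Client service's svchost.exe as the sender, but the Microsoft-Windows-DNS-Client ETW events 3006/3008 are written by dnsapi.dll inside the process that called the DNS API, so their ProcessID is the real originator. The script below reads event 3008 from the operational log and resolves each PID to an image path; it is an after-the-fact attribution check for detection and investigation, not a way to block the query in real time, and it assumes an elevated session and the EventData field names of the 3008 event (QueryName, QueryStatus).

```powershell
# Added example (not the thread's code): attribute DNS queries that WFP sees as
# svchost.exe (DNS Client service) back to the requesting process, using the
# DNS Client operational log. Assumes an elevated session.
param(
    [int]$MinutesBack = 10
)

$logName = 'Microsoft-Windows-DNS-Client/Operational'

# The operational log is disabled by default; turn it on so new queries are logged.
& wevtutil.exe sl $logName /e:true | Out-Null

# Event 3008 = "DNS query completed"; it is logged in the calling process context.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = $logName
    Id        = 3008
    StartTime = (Get-Date).AddMinutes(-$MinutesBack)
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Read EventData fields by name (assumed names: QueryName, QueryStatus),
    # which is more robust than relying on positional Properties[] indexes.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # ProcessId comes from the event header, i.e. the process that called DnsQuery.
    # Caveat: PIDs are reused, so a process that already exited cannot be resolved.
    $proc = Get-Process -Id $e.ProcessId -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Time        = $e.TimeCreated
        ProcessId   = $e.ProcessId
        ProcessPath = if ($proc -and $proc.Path) { $proc.Path } else { '<exited or inaccessible>' }
        QueryName   = $data['QueryName']
        Status      = $data['QueryStatus']
    }
}

$rows | Sort-Object Time | Format-Table -AutoSize
```

Correlating these rows with the timestamp and query name seen at the WFP filter lets you tell which process was behind a given svchost.exe packet without disabling the DNS Client service.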