wmi/dcom: respect proxy in dcerpc.Dial sites

[aimogging]

Thanks for maintaining gopacket. Ran into a small bug while driving it through a SOCKS5 proxy and (claude) put together a fix.

Running gopacket-wmiexec through SOCKS5, all three proxy mechanisms (-proxy, proxychains, ALL_PROXY) silently bypassed. tcpdump showed SYNs heading straight to the target on 135. wmiquery, wmipersist, and dcomexec exhibit the same behavior. All four call upstream dcerpc.Dial without a WithDialer option, so it falls back to net.Dialer and skips both proxy paths. Looks like these four were missed when SOCKS5 support landed.

The fix adds a DialContext method to pkg/transport.Dialer (additive; the existing Dial is untouched) and passes dcerpc.WithDialer(&transport.Dialer{}) into every dcerpc.Dial site in the four tools. Hanging it off the existing Dialer rather than per-tool adapters means any future go-msrpc-based tool picks up proxy support automatically. Verified end-to-end: wmiexec succeeds through all three proxy mechanisms, wmiquery returns query rows, dcomexec reaches the target (its DCOM-layer errors are pre-existing and unrelated). Regression-checked rpcdump and smbclient direct and proxied. tcpdump on the egress interface captured zero packets to the target across every proxied run.

Open to a different shape if you'd prefer (per-tool adapters, a separate ContextDialer type, etc.).

[google-cla]

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

[Jah-yee]

Hi @Not exactly! Checking in on this PR - it's been open for 12 days without any reviews. Just wanted to bump it for visibility. Happy to make any changes if you have feedback!

[Jah-yee]

👋 Hi @mandiant/gopacket - this PR has been open for 14 days with no review feedback. Just checking in — is there anything I can help with to move this forward?

[Jah-yee]

Hi! Just checking in — this PR has been open for 13+ days without any reviews. Happy to make changes or clarify anything. Thanks for considering it!

[psycep]

Thanks for catching this and writing it up so clearly. PR #26 just merged and ended up covering this. Lab testing surfaced two additional leak layers: gokrb5.fork/v9 KDCDialer for the Kerberos handshake inside the proxied dcerpc connection, and go-msrpc's pre-dial net.LookupIP that leaks target FQDNs to the operator's resolver. The proxy fix you proposed for the dcerpc dials is included in #26, with a slightly different shape (a separate ContextDialer type rather than extending Dialer, and the "ncacn_ip_tcp:" StringBinding prefix to bypass the upstream LookupIP). Closing this as already fixed.

Separately, the wmiexec sharing-violation refactor in your second commit is interesting but out of scope here. Would you mind opening it as its own PR with a brief note on which error string the SMB layer actually produces in each path? Happy to review.

Appreciate the careful writeup and the offer to take feedback on shape. Hope to see more contributions.