VC++實現獲取進程端口檢測木馬


我們都知道病毒木馬都要與外界通信,那麼如何檢測呢?今天我們通過檢測進程所佔用的端口來檢測木馬。

#include <windows.h>
#include <Tlhelp32.h>
#include <winsock.h>
#include <stdio.h>
#include <stdlib.h>

#pragma comment(lib, "ws2_32.lib")

//---------------------------------------------------------------------------
// One row of the TCP connection table returned by
// AllocateAndGetTcpExTableFromStack. DisplayPort() converts the address and
// port fields with htonl()/htons() before printing, so they are presumably
// stored in network byte order — confirm against the iphlpapi documentation.
typedef struct tagMIB_TCPEXROW{
    DWORD dwState;       // Connection state; used directly as an index into TcpState[].
    DWORD dwLocalAddr;   // Local address.
    DWORD dwLocalPort;   // Local port.
    DWORD dwRemoteAddr;  // Remote address.
    DWORD dwRemotePort;  // Remote port.
    DWORD dwProcessId;   // Id of the process that owns the endpoint.
} MIB_TCPEXROW, *PMIB_TCPEXROW;

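// TCP connection table. The table is not a fixed 100-row array: the iphlpapi
// call receives a heap handle and is expected to allocate dwNumEntries rows on
// it, so a flexible array member describes the real layout. With the old
// "table[100]" declaration, reading table[i] for i >= 100 was an out-of-bounds
// access of the declared object even though the memory existed.
typedef struct tagMIB_TCPEXTABLE{
    DWORD dwNumEntries;     // Number of valid rows in table[].
    MIB_TCPEXROW table[];   // dwNumEntries rows follow the header.
} MIB_TCPEXTABLE, *PMIB_TCPEXTABLE;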

//---------------------------------------------------------------------------
// One row of the UDP endpoint table returned by
// AllocateAndGetUdpExTableFromStack. UDP has no remote side and no state, so
// only the local endpoint and the owner are recorded. DisplayPort() applies
// htonl()/htons() before printing, so the fields are presumably in network
// byte order — confirm against the iphlpapi documentation.
typedef struct tagMIB_UDPEXROW{
    DWORD dwLocalAddr;   // Local address.
    DWORD dwLocalPort;   // Local port.
    DWORD dwProcessId;   // Id of the process that owns the endpoint.
} MIB_UDPEXROW, *PMIB_UDPEXROW;

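// UDP endpoint table. As with MIB_TCPEXTABLE the row count is dynamic: the
// iphlpapi call is expected to allocate dwNumEntries rows on the heap it is
// given, so the trailing array is declared flexible instead of "table[100]"
// (which made every access beyond row 99 out of bounds of the declared type).
typedef struct tagMIB_UDPEXTABLE{
    DWORD dwNumEntries;     // Number of valid rows in table[].
    MIB_UDPEXROW table[];   // dwNumEntries rows follow the header.
} MIB_UDPEXTABLE, *PMIB_UDPEXTABLE;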

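//---------------------------------------------------------------------------
// Prototype of the iphlpapi.dll entry point resolved at run time in main().
// This must be a *function pointer* typedef, and the first parameter must be a
// pointer to PMIB_TCPEXTABLE: DisplayPort() passes &TCPExTable (a
// PMIB_TCPEXTABLE *) and assigns the GetProcAddress() result to a variable of
// this type. The text as published had lost both '*' characters, which turned
// the typedef into a plain function type and the out-parameter into a single
// pointer.
typedef DWORD (WINAPI *PALLOCATE_AND_GET_TCPEXTABLE_FROM_STACK)(
    PMIB_TCPEXTABLE *pTcpTable, // Out: receives the table, allocated on 'heap';
                                // the caller is expected to HeapFree() it.
    BOOL bOrder,                // Presumably "sort the rows" — confirm.
    HANDLE heap,                // Heap the table is allocated from.
    DWORD zero,                 // Undocumented; DisplayPort() passes 2.
    DWORD flags);               // Undocumented; DisplayPort() passes 2.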

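// Prototype of the UDP counterpart resolved at run time in main(). Same fix as
// for the TCP typedef: a function-pointer type whose first parameter is a
// pointer to PMIB_UDPEXTABLE, matching the &UDPExTable argument in
// DisplayPort() and the assignment of the GetProcAddress() result.
typedef DWORD (WINAPI *PALLOCATE_AND_GET_UDPEXTABLE_FROM_STACK)(
    PMIB_UDPEXTABLE *pUdpTable, // Out: receives the table, allocated on 'heap';
                                // the caller is expected to HeapFree() it.
    BOOL bOrder,                // Presumably "sort the rows" — confirm.
    HANDLE heap,                // Heap the table is allocated from.
    DWORD zero,                 // Undocumented; DisplayPort() passes 2.
    DWORD flags);               // Undocumented; DisplayPort() passes 2.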

// Entry points resolved from iphlpapi.dll by main() with GetProcAddress().
// They stay NULL until main() has run, and remain NULL if the export is not
// present in the loaded DLL, so they must be checked before being called.
static PALLOCATE_AND_GET_TCPEXTABLE_FROM_STACK pAllocateAndGetTcpExTableFromStack = NULL;

static PALLOCATE_AND_GET_UDPEXTABLE_FROM_STACK pAllocateAndGetUdpExTableFromStack = NULL;

//---------------------------------------------------------------------------
// Human-readable names of the possible TCP endpoint states. DisplayPort()
// indexes this array directly with MIB_TCPEXROW.dwState; the table has 13
// entries, slot 0 being the placeholder for an unknown state, so any dwState
// of 13 or more would read past the end unless the caller range-checks it.
static char TcpState[][32] = {
    TEXT("???"),
    TEXT("CLOSED"),
    TEXT("LISTENING"),
    TEXT("SYN_SENT"),
    TEXT("SYN_RCVD"),
    TEXT("ESTABLISHED"),
    TEXT("FIN_WAIT1"),
    TEXT("FIN_WAIT2"),
    TEXT("CLOSE_WAIT"),
    TEXT("CLOSING"),
    TEXT("LAST_ACK"),
    TEXT("TIME_WAIT"),
    TEXT("DELETE_TCB")
};

//--------------------------------------------------------------------------- // // 生成IP地址字符串. // PCHAR GetIP(unsigned int ipaddr) { static char pIP[20]; unsigned int nipaddr = htonl(ipaddr); sprintf(pIP, "%d.%d.%d.%d", (nipaddr >>24) &0xFF, (nipaddr>>16) &0xFF, (nipaddr>>8) &0xFF, (nipaddr)&0xFF); return pIP; }

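//---------------------------------------------------------------------------
// Resolve a process id to the full path of its executable.
//
// ProcessId: id of the process to look up.
// Returns:   pointer to a static buffer holding the path; "Idle" when the
//            process snapshot cannot be taken or the id is not found. When the
//            module snapshot is not available (for example access denied, or a
//            64-bit process inspected from a 32-bit build) the bare image name
//            from the process entry is returned instead of an empty string.
//            The buffer is shared by all calls: not re-entrant, not thread-safe.
char* ProcessPidToName(DWORD ProcessId)
{
    // MAX_PATH matches MODULEENTRY32.szExePath; the original 256-byte buffer
    // was shorter than the 260-byte source, so lstrcpy could overflow it.
    static char ProcessName[MAX_PATH];
    HANDLE hProcessSnap;
    PROCESSENTRY32 processEntry = { 0 };
    BOOL bRet;

    snprintf(ProcessName, sizeof ProcessName, "%s", "Idle");

    hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hProcessSnap == INVALID_HANDLE_VALUE)
        return ProcessName;

    processEntry.dwSize = sizeof(PROCESSENTRY32);
    for (bRet = Process32First(hProcessSnap, &processEntry);
         bRet;
         bRet = Process32Next(hProcessSnap, &processEntry))
    {
        if (processEntry.th32ProcessID != ProcessId)
            continue;

        {
            MODULEENTRY32 me32 = { 0 };
            // SNAPMODULE32 additionally lists 32-bit modules of a WOW64 process.
            HANDLE hModuleSnap = CreateToolhelp32Snapshot(
                TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32,
                processEntry.th32ProcessID);
            me32.dwSize = sizeof(MODULEENTRY32);

            // The first module in the snapshot is the executable itself, which
            // is where the full path comes from. Both the snapshot and
            // Module32First can fail; fall back to the image name rather than
            // printing an empty or stale string.
            if (hModuleSnap != INVALID_HANDLE_VALUE)
            {
                if (Module32First(hModuleSnap, &me32))
                    snprintf(ProcessName, sizeof ProcessName, "%s", me32.szExePath);
                else
                    snprintf(ProcessName, sizeof ProcessName, "%s", processEntry.szExeFile);
                CloseHandle(hModuleSnap);   // the original never closed this handle
            }
            else
            {
                snprintf(ProcessName, sizeof ProcessName, "%s", processEntry.szExeFile);
            }
        }
        break;
    }

    CloseHandle(hProcessSnap);
    return ProcessName;
}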

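//---------------------------------------------------------------------------
// Print every TCP and UDP endpoint together with the process that owns it.
//
// Requires main() to have resolved pAllocateAndGetTcpExTableFromStack and
// pAllocateAndGetUdpExTableFromStack; both are checked for NULL here because
// the exports are undocumented and GetProcAddress() may have failed. The two
// tables are allocated on the process heap by iphlpapi and are released with
// HeapFree() on every exit path (the original leaked both, and on a UDP
// failure returned with the TCP table still allocated).
//
// Detection caveat: this is the network stack's own view of its endpoints;
// anything that tampers with that view below the API is not visible here.
void DisplayPort()
{
    DWORD i;
    PMIB_TCPEXTABLE TCPExTable = NULL;
    PMIB_UDPEXTABLE UDPExTable = NULL;
    HANDLE hHeap = GetProcessHeap();
    char szLocalAddress[256];
    char szRemoteAddress[256];

    if (!pAllocateAndGetTcpExTableFromStack || !pAllocateAndGetUdpExTableFromStack)
    {
        printf("AllocateAndGet*ExTableFromStack not available!\n");
        return;
    }

    // A non-zero return is an error, as in the original.
    if (pAllocateAndGetTcpExTableFromStack(&TCPExTable, TRUE, hHeap, 2, 2))
    {
        printf("AllocateAndGetTcpExTableFromStack Error!\n");
        return;
    }

    if (pAllocateAndGetUdpExTableFromStack(&UDPExTable, TRUE, hHeap, 2, 2))
    {
        printf("AllocateAndGetUdpExTableFromStack Error!.\n");
        goto cleanup;   // the TCP table is already allocated; free it
    }

    printf("%-6s%-22s%-22s%-11s%s\n",
        TEXT("Proto"),
        TEXT("Local Address"),
        TEXT("Foreign Address"),
        TEXT("State"),
        TEXT("Process"));

    // TCP endpoints.
    for (i = 0; i < TCPExTable->dwNumEntries; i++)
    {
        const MIB_TCPEXROW *row = &TCPExTable->table[i];

        // dwState is used as an index into TcpState[]; clamp out-of-range
        // values to the "???" slot instead of reading past the array.
        DWORD state = row->dwState;
        if (state >= sizeof TcpState / sizeof TcpState[0])
            state = 0;

        // GetIP() returns a shared static buffer, so each address is formatted
        // in its own call before the two are combined in printf().
        snprintf(szLocalAddress, sizeof szLocalAddress, "%s:%u",
                 GetIP(row->dwLocalAddr), htons((WORD)row->dwLocalPort));
        snprintf(szRemoteAddress, sizeof szRemoteAddress, "%s:%u",
                 GetIP(row->dwRemoteAddr), htons((WORD)row->dwRemotePort));

        printf("%-6s%-22s%-22s%-11s%s:%lu\n", TEXT("TCP"),
               szLocalAddress, szRemoteAddress,
               TcpState[state],
               ProcessPidToName(row->dwProcessId),
               (unsigned long)row->dwProcessId);
    }

    // UDP endpoints: no remote side and no state, so those columns merge.
    for (i = 0; i < UDPExTable->dwNumEntries; i++)
    {
        const MIB_UDPEXROW *row = &UDPExTable->table[i];

        snprintf(szLocalAddress, sizeof szLocalAddress, "%s:%u",
                 GetIP(row->dwLocalAddr), htons((WORD)row->dwLocalPort));
        snprintf(szRemoteAddress, sizeof szRemoteAddress, "%s", "*:*");

        printf("%-6s%-22s%-33s%s:%lu\n", TEXT("UDP"),
               szLocalAddress, szRemoteAddress,
               ProcessPidToName(row->dwProcessId),
               (unsigned long)row->dwProcessId);
    }

cleanup:
    if (UDPExTable)
        HeapFree(hHeap, 0, UDPExTable);
    if (TCPExTable)
        HeapFree(hHeap, 0, TCPExTable);
}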

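//---------------------------------------------------------------------------
// Entry point: initialise Winsock, resolve the iphlpapi entry points, print
// the process/port table, release everything and wait for a key so the
// console window stays open.
//
// Returns EXIT_SUCCESS, or EXIT_FAILURE when Winsock cannot be started, the
// DLL cannot be loaded, or the two exports are missing. Uses the standard
// int main(void) signature instead of the non-standard void main().
int main(void)
{
    WSADATA WSAData;
    HMODULE hIpDLL;
    int rc = EXIT_FAILURE;

    if (WSAStartup(MAKEWORD(1, 1), &WSAData))
    {
        printf("WSAStartup error!\n");
        return EXIT_FAILURE;
    }

    // A bare DLL name relies on the default search order; a hardened build
    // would pin a system DLL to System32 (LoadLibraryEx with
    // LOAD_LIBRARY_SEARCH_SYSTEM32 where available).
    hIpDLL = LoadLibrary("iphlpapi.dll");
    if (!hIpDLL)
    {
        printf("LoadLibrary(iphlpapi.dll) error!\n");
        goto out_wsa;   // the original returned here without WSACleanup()
    }

    pAllocateAndGetTcpExTableFromStack = (PALLOCATE_AND_GET_TCPEXTABLE_FROM_STACK)
        GetProcAddress(hIpDLL, "AllocateAndGetTcpExTableFromStack");
    pAllocateAndGetUdpExTableFromStack = (PALLOCATE_AND_GET_UDPEXTABLE_FROM_STACK)
        GetProcAddress(hIpDLL, "AllocateAndGetUdpExTableFromStack");

    // Both exports are undocumented; where they are absent GetProcAddress()
    // returns NULL and the original would have called through a null pointer.
    if (!pAllocateAndGetTcpExTableFromStack || !pAllocateAndGetUdpExTableFromStack)
    {
        printf("AllocateAndGet*ExTableFromStack not found in iphlpapi.dll!\n");
        goto out_lib;
    }

    DisplayPort();
    rc = EXIT_SUCCESS;

out_lib:
    // The function pointers dangle once the DLL is unloaded; clear them first.
    pAllocateAndGetTcpExTableFromStack = NULL;
    pAllocateAndGetUdpExTableFromStack = NULL;
    FreeLibrary(hIpDLL);
out_wsa:
    WSACleanup();

    getchar();  // Pause so the output stays visible when launched from Explorer.
    return rc;
}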
