VC++实现获取进程端口检测木马


我们都知道病毒木马一般都要与外界通信,如何检测呢?今天我们来实现通过枚举各进程所占用的 TCP/UDP 端口来检测木马。需要注意两点:第一,这种方法只能看到系统 TCP/IP 协议栈报告出来的端点,是某一时刻的快照,被内核级 Rootkit 隐藏的端口以及瞬时连接都不会显示,最好与主机外部的端口扫描结果相互印证;第二,下面代码使用的 AllocateAndGetTcpExTableFromStack / AllocateAndGetUdpExTableFromStack 是 Windows XP/2003 时代 iphlpapi.dll 中的未公开导出函数,在 Vista 及以后的系统里已被公开的 GetExtendedTcpTable / GetExtendedUdpTable 取代,GetProcAddress 会返回 NULL,使用前必须判空。

请见代码与注释




#include <windows.h>
#include <Tlhelp32.h>
#include <winsock.h>
#include <stdio.h>
#pragma comment(lib, "ws2_32.lib")

//---------------------------------------------------------------------------
// One row of the extended TCP table returned by
// AllocateAndGetTcpExTableFromStack.  This layout is not in the public SDK
// headers; it is hand-declared to match what the undocumented XP-era export
// fills in.  NOTE(review): the documented successor is MIB_TCPROW_OWNER_PID
// from GetExtendedTcpTable, which has the same field order.  Addresses and
// ports are in network byte order (see the htonl/htons calls at the print
// site).
typedef struct tagMIB_TCPEXROW{
	DWORD dwState;      		// MIB_TCP_STATE value; used as the index into TcpState[].
	DWORD dwLocalAddr;     		// Local IPv4 address, network byte order.
	DWORD dwLocalPort;       	// Local port; only the low 16 bits are meaningful.
	DWORD dwRemoteAddr;    		// Remote IPv4 address, network byte order.
	DWORD dwRemotePort;     	// Remote port; only the low 16 bits are meaningful.
	DWORD dwProcessId;		// PID the stack attributes the endpoint to.
} MIB_TCPEXROW, *PMIB_TCPEXROW;

typedef struct tagMIB_TCPEXTABLE{
	DWORD dwNumEntries;		// Number of valid rows in table[].
	MIB_TCPEXROW table[100];    // Fixed size only so that table[i] compiles;
					// the DLL allocates the real buffer sized to
					// dwNumEntries, so i may legitimately exceed 100.
} MIB_TCPEXTABLE, *PMIB_TCPEXTABLE;

//---------------------------------------------------------------------------
// One row of the extended UDP table returned by
// AllocateAndGetUdpExTableFromStack.  Same caveat as MIB_TCPEXROW: a
// hand-declared layout for an undocumented export (NOTE(review): the
// documented successor is MIB_UDPROW_OWNER_PID).  UDP has no peer or state,
// so only the local endpoint and owner are present.
typedef struct tagMIB_UDPEXROW{
	DWORD dwLocalAddr;     	    // Local IPv4 address, network byte order.
	DWORD dwLocalPort;     	    // Local port; only the low 16 bits are meaningful.
	DWORD dwProcessId;	    // PID the stack attributes the socket to.
} MIB_UDPEXROW, *PMIB_UDPEXROW;

typedef struct tagMIB_UDPEXTABLE{
	DWORD dwNumEntries;		// Number of valid rows in table[].
	MIB_UDPEXROW table[100];    // Fixed size only so that table[i] compiles;
					// the DLL allocates the real buffer sized to
					// dwNumEntries, so i may legitimately exceed 100.
} MIB_UDPEXTABLE, *PMIB_UDPEXTABLE;

//---------------------------------------------------------------------------
// Prototypes of the iphlpapi.dll exports this tool resolves at run time with
// GetProcAddress.  They are undocumented (hence the hand-written typedefs),
// and GetProcAddress may return NULL on Windows versions that no longer
// export them, so every caller must check the pointer before calling.
// Return value: 0 on success; DisplayPort treats any non-zero value as an
// error.
typedef DWORD (WINAPI *PALLOCATE_AND_GET_TCPEXTABLE_FROM_STACK)(
	PMIB_TCPEXTABLE *pTcpTable, // Out: table allocated by the DLL (presumably
				    // from `heap`; release it with HeapFree on that heap).
	BOOL bOrder,                // Presumably "sort the rows"; this file passes TRUE.
	HANDLE heap,                // Heap the table is allocated from (GetProcessHeap here).
	DWORD zero,                 // Meaning not documented; DisplayPort passes 2.
	DWORD flags                 // Meaning not documented; DisplayPort passes 2.
	);

// UDP counterpart of PALLOCATE_AND_GET_TCPEXTABLE_FROM_STACK; same undocumented
// status, same argument convention and same "0 means success" return.
typedef DWORD (WINAPI *PALLOCATE_AND_GET_UDPEXTABLE_FROM_STACK)(
	PMIB_UDPEXTABLE *pUdpTable, // Out: table allocated by the DLL (presumably
				    // from `heap`; release it with HeapFree on that heap).
	BOOL bOrder,                // Presumably "sort the rows"; this file passes TRUE.
	HANDLE heap,                // Heap the table is allocated from (GetProcessHeap here).
	DWORD zero,                 // Meaning not documented; DisplayPort passes 2.
	DWORD flags                 // Meaning not documented; DisplayPort passes 2.
	);

// Resolved entry points, filled in by main() via GetProcAddress and read by
// DisplayPort().  They stay NULL when iphlpapi.dll does not export the
// functions, so DisplayPort must not call through them unchecked.
static PALLOCATE_AND_GET_TCPEXTABLE_FROM_STACK
          pAllocateAndGetTcpExTableFromStack = NULL;

static PALLOCATE_AND_GET_UDPEXTABLE_FROM_STACK
          pAllocateAndGetUdpExTableFromStack = NULL;

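//---------------------------------------------------------------------------
//
// Printable names for the TCP connection states found in
// MIB_TCPEXROW::dwState.  The numeric state is used directly as the index:
// 1 = CLOSED ... 12 = DELETE_TCB, which is the MIB_TCP_STATE numbering used
// by the IP Helper API; slot 0 is a placeholder for values outside that
// range.  Callers must bounds-check dwState against
// sizeof TcpState / sizeof TcpState[0] before indexing.
//
// Plain narrow literals on purpose: the table is printed with "%s" and the
// rest of the file uses the ANSI API (lstrcpy into char buffers), so the
// former TEXT() wrappers would have broken the build under UNICODE rather
// than helped.  const so the strings cannot be overwritten at run time.
//
static const char *const TcpState[] = {
	"???",
	"CLOSED",
	"LISTENING",
	"SYN_SENT",
	"SYN_RCVD",
	"ESTABLISHED",
	"FIN_WAIT1",
	"FIN_WAIT2",
	"CLOSE_WAIT",
	"CLOSING",
	"LAST_ACK",
	"TIME_WAIT",
	"DELETE_TCB"
};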

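//---------------------------------------------------------------------------
//
// Format a 32-bit IPv4 address as dotted-decimal text.
//
// ipaddr  the address exactly as stored in dwLocalAddr / dwRemoteAddr of the
//         table rows, i.e. in network byte order (first octet at the lowest
//         address).
//
// Returns a pointer to a static buffer that is overwritten on every call:
// consume (print or copy) the result before calling GetIP again, and never
// pass two GetIP() results to the same printf.
//
// Because the value is already in network order, reading its bytes in memory
// order yields the octets on every host endianness.  This is exactly what the
// old htonl()/shift form produced, but without depending on Winsock.
//
char *GetIP(unsigned int ipaddr)
{
	static char pIP[20];
	// Byte view of the argument; char-typed access is exempt from strict
	// aliasing, so this is well-defined.
	const unsigned char *b = (const unsigned char *)&ipaddr;

	// Longest output is "255.255.255.255" (15 chars + NUL); snprintf keeps
	// the write bounded regardless.
	snprintf(pIP, sizeof pIP, "%u.%u.%u.%u",
		(unsigned)b[0], (unsigned)b[1], (unsigned)b[2], (unsigned)b[3]);
	return pIP;
}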

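//---------------------------------------------------------------------------
//
// Resolve a process id to the full path of its executable image.
//
// ProcessId  PID taken from a TCP/UDP table row.
//
// Returns a pointer to a static buffer (overwritten on every call) holding:
//   - "Idle" for PID 0 (the System Idle Process; the tables also report
//     PID 0 for endpoints that no longer have a live owner) and when the
//     process snapshot cannot be taken or the PID is not in it;
//   - the image path from the first entry of the process's module snapshot;
//   - "<unknown>" when the process exists but its module list cannot be
//     read.  This happens for protected / higher-integrity processes and
//     for 64-bit targets when this tool runs as a 32-bit process.  The old
//     code printed an empty name here, which silently hid exactly the
//     processes a trojan hunter should look at twice.
//
// NOTE(review): the path is that of the host executable.  Malware living as
// an injected DLL or thread inside a legitimate process (svchost.exe, a
// browser) is reported under the host's path.
//
// Fixes vs. the original: ProcessName was 256 bytes but szExePath is
// MAX_PATH (260), so lstrcpy could overflow it by up to 4 bytes; the module
// snapshot handle was never closed (one handle leaked per call); and the
// results of CreateToolhelp32Snapshot(TH32CS_SNAPMODULE) and Module32First
// were not checked.
//
char* ProcessPidToName(DWORD ProcessId)
{
	static char ProcessName[MAX_PATH];	// sized to hold MODULEENTRY32::szExePath
	HANDLE hProcessSnap;
	PROCESSENTRY32 processEntry = { 0 };
	BOOL bRet;

	lstrcpyn(ProcessName, "Idle", sizeof ProcessName);
	if (ProcessId == 0)
		return ProcessName;

	hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
	if (hProcessSnap == INVALID_HANDLE_VALUE)
		return ProcessName;

	processEntry.dwSize = sizeof(PROCESSENTRY32);
	for (bRet = Process32First(hProcessSnap, &processEntry);
	     bRet;
	     bRet = Process32Next(hProcessSnap, &processEntry))
	{
		HANDLE hModuleSnap = INVALID_HANDLE_VALUE;
		MODULEENTRY32 me32 = { 0 };
		int attempt;

		if (processEntry.th32ProcessID != ProcessId)
			continue;

		// The module snapshot can fail transiently with ERROR_BAD_LENGTH
		// while the target is still loading; the documented remedy is to
		// retry.  Any other failure (access denied, WOW64 mismatch) is final.
		for (attempt = 0; attempt < 5; attempt++)
		{
			hModuleSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, ProcessId);
			if (hModuleSnap != INVALID_HANDLE_VALUE
			    || GetLastError() != ERROR_BAD_LENGTH)
				break;
		}

		me32.dwSize = sizeof(MODULEENTRY32);
		if (hModuleSnap != INVALID_HANDLE_VALUE
		    && Module32First(hModuleSnap, &me32))
		{
			// First module entry is the main executable.  Bounded copy so a
			// non-terminated szExePath cannot overrun ProcessName.
			lstrcpyn(ProcessName, me32.szExePath, sizeof ProcessName);
		}
		else
		{
			lstrcpyn(ProcessName, "<unknown>", sizeof ProcessName);
		}

		if (hModuleSnap != INVALID_HANDLE_VALUE)
			CloseHandle(hModuleSnap);	// previously leaked on every call
		break;
	}

	CloseHandle(hProcessSnap);
	return ProcessName;
}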

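//---------------------------------------------------------------------------
//
// Print every TCP and UDP endpoint the stack reports, with the owning
// process's image path and PID (netstat -o style), to stdout.
//
// Requires pAllocateAndGetTcpExTableFromStack and
// pAllocateAndGetUdpExTableFromStack to have been resolved by main(); if
// either is NULL (the exports are undocumented and not present on every
// Windows version) the function prints a message and returns instead of
// calling through a null pointer.  Both tables are allocated by iphlpapi on
// the heap passed in and are released here with HeapFree; the original
// leaked the TCP table when the UDP call failed and leaked both on success.
//
// Caveats for anyone using this as a trojan detector:
//  - it only shows what the TCP/IP stack reports; a kernel-mode rootkit
//    that hooks these paths can hide endpoints, so compare with a port
//    scan of the host from another machine;
//  - it is a point-in-time snapshot and misses short-lived connections;
//  - a PID of 0 is reported for endpoints without a live owner;
//  - the "Process" column is the host executable; injected code inside a
//    trusted process shows up under that process's path.
//
void DisplayPort()
{
	DWORD i;
	HANDLE hHeap = GetProcessHeap();
	PMIB_TCPEXTABLE TCPExTable = NULL;
	PMIB_UDPEXTABLE UDPExTable = NULL;
	// Longest content is "255.255.255.255:65535" (21 chars), so the sprintf
	// calls below cannot overrun these.
	char szLocalAddress[256];
	char szRemoteAddress[256];
	const DWORD nStates = sizeof TcpState / sizeof TcpState[0];

	if (pAllocateAndGetTcpExTableFromStack == NULL
	    || pAllocateAndGetUdpExTableFromStack == NULL)
	{
		printf("AllocateAndGet{Tcp,Udp}ExTableFromStack not exported by this iphlpapi.dll\n");
		return;
	}

	// Both exports return 0 on success and a Win32 error code otherwise.
	if (pAllocateAndGetTcpExTableFromStack(&TCPExTable, TRUE, hHeap, 2, 2))
	{
		printf("AllocateAndGetTcpExTableFromStack Error!\n");
		return;
	}

	if (pAllocateAndGetUdpExTableFromStack(&UDPExTable, TRUE, hHeap, 2, 2))
	{
		printf("AllocateAndGetUdpExTableFromStack Error!.\n");
		HeapFree(hHeap, 0, TCPExTable);
		return;
	}

	printf("%-6s%-22s%-22s%-11s%s\n",
		"Proto", "Local Address", "Foreign Address", "State", "Process");

	// TCP rows.  table[] is declared with 100 slots only to make indexing
	// compile; the DLL sized the allocation to dwNumEntries.
	for (i = 0; i < TCPExTable->dwNumEntries; i++)
	{
		const MIB_TCPEXROW *row = &TCPExTable->table[i];
		// An out-of-range state maps to slot 0 ("???") instead of reading
		// past the end of TcpState.
		DWORD state = (row->dwState < nStates) ? row->dwState : 0;

		// One GetIP() per sprintf: it returns a static buffer.
		sprintf(szLocalAddress, "%s:%d",
			GetIP(row->dwLocalAddr), htons((WORD)row->dwLocalPort));
		sprintf(szRemoteAddress, "%s:%d",
			GetIP(row->dwRemoteAddr), htons((WORD)row->dwRemotePort));

		// DWORD is unsigned long on Windows: %lu, not %d.
		printf("%-6s%-22s%-22s%-11s%s:%lu\n", "TCP",
			szLocalAddress, szRemoteAddress, TcpState[state],
			ProcessPidToName(row->dwProcessId),
			(unsigned long)row->dwProcessId);
	}

	// UDP rows: no peer and no state, so the remote column is "*:*".
	for (i = 0; i < UDPExTable->dwNumEntries; i++)
	{
		const MIB_UDPEXROW *row = &UDPExTable->table[i];

		sprintf(szLocalAddress, "%s:%d",
			GetIP(row->dwLocalAddr), htons((WORD)row->dwLocalPort));
		sprintf(szRemoteAddress, "%s", "*:*");

		printf("%-6s%-22s%-33s%s:%lu\n", "UDP",
			szLocalAddress, szRemoteAddress,
			ProcessPidToName(row->dwProcessId),
			(unsigned long)row->dwProcessId);
	}

	HeapFree(hHeap, 0, UDPExTable);
	HeapFree(hHeap, 0, TCPExTable);
}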

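//---------------------------------------------------------------------------
//
// Entry point: initialise Winsock (htons/htonl are used while printing),
// load iphlpapi.dll, resolve the two table exports, print the port/process
// listing and release everything.
//
// Returns 0 on success, 1 when Winsock, the DLL load or the export lookup
// fails; the original was `void main()` and gave the caller no exit status.
//
// Changes vs. the original:
//  - iphlpapi.dll is loaded by its full System32 path.  LoadLibrary with a
//    bare name walks the DLL search order, which starts in the application
//    directory, so a planted iphlpapi.dll next to the tool could replace the
//    data this "detector" reports.
//  - GetProcAddress results are checked; on Windows versions without these
//    undocumented exports the old code called a NULL function pointer.
//  - WSACleanup/FreeLibrary run on every exit path via goto cleanup.
//
int main(void)
{
	WSADATA WSAData;
	HMODULE hIpDLL;
	char szDll[MAX_PATH];
	UINT nSys;
	int rc = 1;

	if (WSAStartup(MAKEWORD(1, 1), &WSAData))
	{
		printf("WSAStartup error!\n");
		return 1;
	}

	// Build "<system dir>\iphlpapi.dll".  GetSystemDirectory returns the
	// length written, or the length required if the buffer is too small.
	nSys = GetSystemDirectory(szDll, MAX_PATH);
	if (nSys == 0 || nSys >= MAX_PATH - sizeof("\\iphlpapi.dll"))
	{
		printf("GetSystemDirectory failed: %lu\n", (unsigned long)GetLastError());
		goto cleanup_wsa;
	}
	lstrcat(szDll, "\\iphlpapi.dll");

	hIpDLL = LoadLibrary(szDll);
	if (!hIpDLL)
	{
		printf("LoadLibrary(%s) failed: %lu\n", szDll, (unsigned long)GetLastError());
		goto cleanup_wsa;
	}

	pAllocateAndGetTcpExTableFromStack =
		(PALLOCATE_AND_GET_TCPEXTABLE_FROM_STACK)
		GetProcAddress(hIpDLL, "AllocateAndGetTcpExTableFromStack");

	pAllocateAndGetUdpExTableFromStack =
		(PALLOCATE_AND_GET_UDPEXTABLE_FROM_STACK)
		GetProcAddress(hIpDLL, "AllocateAndGetUdpExTableFromStack");

	if (!pAllocateAndGetTcpExTableFromStack || !pAllocateAndGetUdpExTableFromStack)
	{
		printf("AllocateAndGet{Tcp,Udp}ExTableFromStack not exported by this iphlpapi.dll\n");
		goto cleanup_dll;
	}

	// Print the process/port associations.
	DisplayPort();
	rc = 0;

cleanup_dll:
	FreeLibrary(hIpDLL);
cleanup_wsa:
	WSACleanup();

	getchar();  // pause so the console window stays open
	return rc;
}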

