
VC++实现获取进程端口检测木马

我们都知道病毒木马都要与外界通信，如何检测呢？今天我们通过检测进程所占用的端口来检测木马。

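#include <windows.h>
#include <Tlhelp32.h>
#include <winsock.h>
#include <stdio.h>
#pragma comment(lib, "ws2_32.lib")

/* ---------------------------------------------------------------------------
 * TCP connection table as returned by the undocumented iphlpapi export
 * AllocateAndGetTcpExTableFromStack (Windows 2000/XP/2003 era). Each row is a
 * MIB_TCPROW plus the owning process id. On later Windows versions the export
 * is not present; the documented replacement is GetExtendedTcpTable() with the
 * TCP_TABLE_OWNER_PID_ALL class, which yields the same row layout.
 */
typedef struct tagMIB_TCPEXROW {
    DWORD dwState;        /* connection state; used as an index into TcpState[] */
    DWORD dwLocalAddr;    /* local IPv4 address (byte-swapped with htonl() before printing) */
    DWORD dwLocalPort;    /* local port in the low 16 bits (byte-swapped with htons() before printing) */
    DWORD dwRemoteAddr;   /* remote IPv4 address, same representation as dwLocalAddr */
    DWORD dwRemotePort;   /* remote port, same representation as dwLocalPort */
    DWORD dwProcessId;    /* id of the process that owns the endpoint */
} MIB_TCPEXROW, *PMIB_TCPEXROW;

typedef struct tagMIB_TCPEXTABLE {
    DWORD dwNumEntries;   /* number of valid rows in table[] */
    /* Flexible array member (C99): the buffer is allocated by iphlpapi and
     * sized by dwNumEntries, so a fixed bound such as [100] is wrong — rows
     * beyond the declared size would be an out-of-bounds access of the
     * declared array even though the memory exists. */
    MIB_TCPEXROW table[];
} MIB_TCPEXTABLE, *PMIB_TCPEXTABLE;

/* ---------------------------------------------------------------------------
 * UDP listener table as returned by AllocateAndGetUdpExTableFromStack; same
 * caveats as the TCP table. Documented replacement: GetExtendedUdpTable().
 */
typedef struct tagMIB_UDPEXROW {
    DWORD dwLocalAddr;    /* local IPv4 address (byte-swapped with htonl() before printing) */
    DWORD dwLocalPort;    /* local port in the low 16 bits (byte-swapped with htons() before printing) */
    DWORD dwProcessId;    /* id of the process that owns the socket */
} MIB_UDPEXROW, *PMIB_UDPEXROW;

typedef struct tagMIB_UDPEXTABLE {
    DWORD dwNumEntries;   /* number of valid rows in table[] */
    MIB_UDPEXROW table[]; /* flexible array member, see MIB_TCPEXTABLE */
} MIB_UDPEXTABLE, *PMIB_UDPEXTABLE;

/* ---------------------------------------------------------------------------
 * Prototypes of the two iphlpapi.dll exports, resolved at run time with
 * GetProcAddress() in main(). Both return 0 on success and allocate *pTable on
 * the heap handle passed in; the caller releases it with HeapFree() on that
 * same heap. The zero/flags arguments are passed as 2 by this program, as in
 * the original listing; their exact meaning is not documented.
 */
typedef DWORD (WINAPI *PALLOCATE_AND_GET_TCPEXTABLE_FROM_STACK)(
    PMIB_TCPEXTABLE *pTcpTable, /* receives the allocated connection table */
    BOOL bOrder,                /* TRUE to have the table sorted */
    HANDLE heap,                /* heap the table is allocated on */
    DWORD zero,
    DWORD flags
    );

typedef DWORD (WINAPI *PALLOCATE_AND_GET_UDPEXTABLE_FROM_STACK)(
    PMIB_UDPEXTABLE *pUdpTable, /* receives the allocated listener table */
    BOOL bOrder,                /* TRUE to have the table sorted */
    HANDLE heap,                /* heap the table is allocated on */
    DWORD zero,
    DWORD flags
    );

/* Resolved in main(); NULL until then and when the export is missing, so
 * every caller must check before calling through them. */
static PALLOCATE_AND_GET_TCPEXTABLE_FROM_STACK
    pAllocateAndGetTcpExTableFromStack = NULL;

static PALLOCATE_AND_GET_UDPEXTABLE_FROM_STACK
    pAllocateAndGetUdpExTableFromStack = NULL;

/* ---------------------------------------------------------------------------
 *
 * Possible TCP endpoint states follow.
 */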
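/*
 * Names of the TCP endpoint states, indexed by MIB_TCPEXROW.dwState. Index 0
 * is not a valid state and prints as "???"; any dwState outside the table is
 * mapped to it as well instead of being read out of bounds.
 */
static const char TcpState[][32] = {
    "???",
    "CLOSED",
    "LISTENING",
    "SYN_SENT",
    "SYN_RCVD",
    "ESTABLISHED",
    "FIN_WAIT1",
    "FIN_WAIT2",
    "CLOSE_WAIT",
    "CLOSING",
    "LAST_ACK",
    "TIME_WAIT",
    "DELETE_TCB"
};

enum { TCP_STATE_COUNT = sizeof TcpState / sizeof TcpState[0] };

/* ---------------------------------------------------------------------------
 * Format an IPv4 address as dotted decimal.
 *
 * ipaddr: address as stored in the MIB rows; it is byte-swapped with htonl()
 *         before the octets are split, as in the original listing.
 * Returns a pointer to a static buffer that is overwritten by the next call,
 * so a caller must consume the result before calling GetIP() again.
 */
PCHAR GetIP(unsigned int ipaddr)
{
    static char pIP[20]; /* "255.255.255.255" plus NUL needs 16 bytes */
    unsigned int nipaddr = htonl(ipaddr);

    /* snprintf is bounded even if the format ever changes; %u matches the
     * unsigned operands. */
    snprintf(pIP, sizeof pIP, "%u.%u.%u.%u",
             (nipaddr >> 24) & 0xFF,
             (nipaddr >> 16) & 0xFF,
             (nipaddr >> 8) & 0xFF,
             nipaddr & 0xFF);
    return pIP;
}

/* ---------------------------------------------------------------------------
 * Resolve a process id to the full path of its executable.
 *
 * ProcessId: id to look up, as reported in the MIB rows.
 * Returns a pointer to a static buffer that is overwritten by the next call.
 * It contains "Idle" when the process snapshot cannot be taken or the id is
 * not found, the full image path when the module snapshot succeeds, and the
 * bare image name from the process snapshot when the module snapshot is
 * unavailable (typically access denied on another user's process, or pid 0).
 * The original copied MODULEENTRY32.szExePath (MAX_PATH bytes) into a
 * 256-byte buffer with lstrcpy; the buffer is now MAX_PATH and every copy is
 * bounded, and the module snapshot handle is closed instead of leaked.
 */
char* ProcessPidToName(DWORD ProcessId)
{
    static char ProcessName[MAX_PATH];
    HANDLE hProcessSnap;
    PROCESSENTRY32 processEntry = { 0 };
    BOOL bRet;

    /* Default for snapshot failure and unknown ids. */
    snprintf(ProcessName, sizeof ProcessName, "%s", "Idle");

    hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hProcessSnap == INVALID_HANDLE_VALUE)
        return ProcessName;

    processEntry.dwSize = sizeof processEntry;
    for (bRet = Process32First(hProcessSnap, &processEntry); bRet;
         bRet = Process32Next(hProcessSnap, &processEntry))
    {
        HANDLE hModuleSnap;
        MODULEENTRY32 me32 = { 0 };

        if (processEntry.th32ProcessID != ProcessId)
            continue;

        /* Fallback: the image name from the process snapshot, so a process
         * whose modules cannot be read is still identified rather than
         * printed as an empty string. */
        snprintf(ProcessName, sizeof ProcessName, "%s", processEntry.szExeFile);

        me32.dwSize = sizeof me32;
        hModuleSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,
                                               processEntry.th32ProcessID);
        if (hModuleSnap != INVALID_HANDLE_VALUE) {
            /* The first module enumerated is the process image; its szExePath
             * is the full path (what the original relied on). */
            if (Module32First(hModuleSnap, &me32))
                snprintf(ProcessName, sizeof ProcessName, "%s", me32.szExePath);
            CloseHandle(hModuleSnap);
        }
        break;
    }

    CloseHandle(hProcessSnap);
    return ProcessName;
}

/* ---------------------------------------------------------------------------
 * Print every TCP connection and UDP listener together with its owning
 * process, netstat-style. Requires main() to have resolved the two
 * pAllocateAndGet*ExTableFromStack pointers; prints a message and returns
 * when either is NULL or its call fails. Both tables are allocated by
 * iphlpapi on the process heap and are released here on every path (the
 * original never freed them).
 */
void DisplayPort(void)
{
    DWORD i;
    HANDLE hHeap = GetProcessHeap();
    PMIB_TCPEXTABLE TCPExTable = NULL;
    PMIB_UDPEXTABLE UDPExTable = NULL;
    char szLocalAddress[256];
    char szRemoteAddress[256];

    /* Calling through a NULL pointer is a crash, not an error message; the
     * exports are absent on newer Windows versions. */
    if (!pAllocateAndGetTcpExTableFromStack || !pAllocateAndGetUdpExTableFromStack) {
        printf("AllocateAndGet*ExTableFromStack not found in iphlpapi.dll!\n");
        return;
    }

    if (pAllocateAndGetTcpExTableFromStack(&TCPExTable, TRUE, hHeap, 2, 2)) {
        printf("AllocateAndGetTcpExTableFromStack Error!\n");
        goto cleanup;
    }

    if (pAllocateAndGetUdpExTableFromStack(&UDPExTable, TRUE, hHeap, 2, 2)) {
        printf("AllocateAndGetUdpExTableFromStack Error!.\n");
        goto cleanup;
    }

    printf("%-6s%-22s%-22s%-11s%s\n",
           "Proto", "Local Address", "Foreign Address", "State", "Process");

    /* TCP rows. GetIP() returns a static buffer, so each address is formatted
     * into its own buffer before the next GetIP() call. */
    for (i = 0; i < TCPExTable->dwNumEntries; i++) {
        const MIB_TCPEXROW *row = &TCPExTable->table[i];
        /* dwState comes from the OS; clamp to the table instead of indexing
         * past TcpState[] on an unexpected value. */
        const char *state = row->dwState < TCP_STATE_COUNT
                            ? TcpState[row->dwState] : TcpState[0];

        snprintf(szLocalAddress, sizeof szLocalAddress, "%s:%u",
                 GetIP(row->dwLocalAddr), htons((WORD)row->dwLocalPort));
        snprintf(szRemoteAddress, sizeof szRemoteAddress, "%s:%u",
                 GetIP(row->dwRemoteAddr), htons((WORD)row->dwRemotePort));

        /* DWORD is unsigned long, so %lu rather than %d. */
        printf("%-6s%-22s%-22s%-11s%s:%lu\n", "TCP",
               szLocalAddress, szRemoteAddress, state,
               ProcessPidToName(row->dwProcessId), row->dwProcessId);
    }

    /* UDP rows have no remote endpoint or state. */
    for (i = 0; i < UDPExTable->dwNumEntries; i++) {
        const MIB_UDPEXROW *row = &UDPExTable->table[i];

        snprintf(szLocalAddress, sizeof szLocalAddress, "%s:%u",
                 GetIP(row->dwLocalAddr), htons((WORD)row->dwLocalPort));

        printf("%-6s%-22s%-33s%s:%lu\n", "UDP",
               szLocalAddress, "*:*",
               ProcessPidToName(row->dwProcessId), row->dwProcessId);
    }

cleanup:
    /* Tables were allocated on hHeap by iphlpapi; free them on the same heap.
     * HeapFree is not defined for a NULL block, hence the guards. */
    if (UDPExTable)
        HeapFree(hHeap, 0, UDPExTable);
    if (TCPExTable)
        HeapFree(hHeap, 0, TCPExTable);
}

/* ---------------------------------------------------------------------------
 * Entry point of the process/port association program.
 *
 * Initialises Winsock (for htonl/htons), loads iphlpapi.dll, resolves the two
 * undocumented exports, prints the endpoint table and pauses for a key press.
 * Returns 0 on success and 1 when Winsock, the DLL or its exports are
 * unavailable; every resource acquired is released on every path (the
 * original skipped WSACleanup when LoadLibrary failed). `void main` is not a
 * standard signature, hence `int main(void)`.
 */
int main(void)
{
    WSADATA WSAData;
    HMODULE hIpDLL = NULL;
    int rc = 1;

    if (WSAStartup(MAKEWORD(1, 1), &WSAData)) {
        printf("WSAStartup error!\n");
        return rc;
    }

    /* A bare module name is resolved through the default DLL search order.
     * Where the target platform supports it, LoadLibraryEx with
     * LOAD_LIBRARY_SEARCH_SYSTEM32 pins the lookup to the system directory. */
    hIpDLL = LoadLibrary("iphlpapi.dll");
    if (!hIpDLL) {
        printf("LoadLibrary(iphlpapi.dll) error!\n");
        goto cleanup;
    }

    pAllocateAndGetTcpExTableFromStack =
        (PALLOCATE_AND_GET_TCPEXTABLE_FROM_STACK)
        GetProcAddress(hIpDLL, "AllocateAndGetTcpExTableFromStack");

    pAllocateAndGetUdpExTableFromStack =
        (PALLOCATE_AND_GET_UDPEXTABLE_FROM_STACK)
        GetProcAddress(hIpDLL, "AllocateAndGetUdpExTableFromStack");

    /* These exports exist only on older Windows versions; report rather than
     * let DisplayPort() call through NULL. */
    if (!pAllocateAndGetTcpExTableFromStack || !pAllocateAndGetUdpExTableFromStack) {
        printf("AllocateAndGet*ExTableFromStack not found in iphlpapi.dll!\n");
        goto cleanup;
    }

    DisplayPort();
    rc = 0;

cleanup:
    if (hIpDLL)
        FreeLibrary(hIpDLL);
    WSACleanup();

    getchar(); /* pause so the console output stays visible */
    return rc;
}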