VC++实现获取进程端口检测木马
我们都知道病毒木马都要与外界通信,如何检测呢?今天我们来实践一下:通过检测进程与端口的关联来检测木马。
请见代码与注释
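#include <windows.h>
#include <Tlhelp32.h>
#include <winsock.h>
#include <stdio.h>
#pragma comment(lib, "ws2_32.lib")

/*
 * Lists every TCP and UDP endpoint on the local machine together with the
 * process that owns it (a netstat -o style view), so that an unfamiliar
 * process holding a listening or connected port can be spotted.
 *
 * The endpoint tables come from two iphlpapi.dll exports that are resolved
 * at run time with GetProcAddress().  They are undocumented and are not
 * exported by newer Windows versions; the documented replacements are
 * GetExtendedTcpTable()/GetExtendedUdpTable().  The pointers are therefore
 * checked before use instead of being called blindly.
 *
 * The source is written for an ANSI (non-UNICODE) build: all strings are
 * plain char and are printed with printf("%s").
 */

/*---------------------------------------------------------------------------
 * TCP-related structures, in the layout the iphlpapi routine fills them.
 */
typedef struct tagMIB_TCPEXROW {
    DWORD dwState;      /* connection state; looked up in TcpState[] below */
    DWORD dwLocalAddr;  /* local address as stored by the stack; GetIP() byte-swaps it with htonl() */
    DWORD dwLocalPort;  /* local port; low 16 bits are passed through htons() before printing */
    DWORD dwRemoteAddr; /* remote address, same encoding as dwLocalAddr */
    DWORD dwRemotePort; /* remote port, same encoding as dwLocalPort */
    DWORD dwProcessId;  /* id of the owning process */
} MIB_TCPEXROW, *PMIB_TCPEXROW;

typedef struct tagMIB_TCPEXTABLE {
    DWORD dwNumEntries;
    /* The routine allocates the buffer itself and dwNumEntries rows follow;
       ANYSIZE_ARRAY is the Windows SDK idiom for such trailing arrays. */
    MIB_TCPEXROW table[ANYSIZE_ARRAY];
} MIB_TCPEXTABLE, *PMIB_TCPEXTABLE;

/*---------------------------------------------------------------------------
 * UDP-related structures.
 */
typedef struct tagMIB_UDPEXROW {
    DWORD dwLocalAddr;  /* local address, see MIB_TCPEXROW */
    DWORD dwLocalPort;  /* local port, see MIB_TCPEXROW */
    DWORD dwProcessId;  /* id of the owning process */
} MIB_UDPEXROW, *PMIB_UDPEXROW;

typedef struct tagMIB_UDPEXTABLE {
    DWORD dwNumEntries;
    MIB_UDPEXROW table[ANYSIZE_ARRAY]; /* dwNumEntries rows follow */
} MIB_UDPEXTABLE, *PMIB_UDPEXTABLE;

/*---------------------------------------------------------------------------
 * Prototypes of the iphlpapi.dll exports used; resolved in main().
 * A zero return means success and *pTable points at a table that was
 * allocated from `heap` (hence that parameter); this program releases it
 * with HeapFree() on the same heap once it has been printed.
 * The meaning of the `zero` and `flags` arguments is undocumented; the
 * values 2, 2 are the ones this program has always passed.
 */
typedef DWORD (WINAPI *PALLOCATE_AND_GET_TCPEXTABLE_FROM_STACK)(
    PMIB_TCPEXTABLE *pTcpTable, /* receives the table buffer */
    BOOL bOrder,
    HANDLE heap,
    DWORD zero,
    DWORD flags);

typedef DWORD (WINAPI *PALLOCATE_AND_GET_UDPEXTABLE_FROM_STACK)(
    PMIB_UDPEXTABLE *pUdpTable, /* receives the table buffer */
    BOOL bOrder,
    HANDLE heap,
    DWORD zero,
    DWORD flags);

static PALLOCATE_AND_GET_TCPEXTABLE_FROM_STACK pAllocateAndGetTcpExTableFromStack = NULL;
static PALLOCATE_AND_GET_UDPEXTABLE_FROM_STACK pAllocateAndGetUdpExTableFromStack = NULL;

/*---------------------------------------------------------------------------
 * Printable names of the TCP endpoint states; dwState is the index.
 */
static const char *const TcpState[] = {
    "???",
    "CLOSED",
    "LISTENING",
    "SYN_SENT",
    "SYN_RCVD",
    "ESTABLISHED",
    "FIN_WAIT1",
    "FIN_WAIT2",
    "CLOSE_WAIT",
    "CLOSING",
    "LAST_ACK",
    "TIME_WAIT",
    "DELETE_TCB"
};

/*
 * Return the name of a TCP state.  A value outside the table (the data comes
 * from a DLL whose contract is undocumented) yields "???" instead of an
 * out-of-bounds read.
 */
static const char *TcpStateName(DWORD state)
{
    const size_t count = sizeof TcpState / sizeof TcpState[0];
    return state < count ? TcpState[state] : TcpState[0];
}

/*---------------------------------------------------------------------------
 * Format a 32-bit IPv4 address from the tables as a dotted quad.
 * Returns a static buffer that is overwritten on every call (not reentrant):
 * format one address before asking for the next.
 */
PCHAR GetIP(unsigned int ipaddr)
{
    static char pIP[20];
    unsigned int nipaddr = htonl(ipaddr);

    /* Four octets of at most three digits plus three dots: 15 chars + NUL,
       which always fits in the 20-byte buffer. */
    sprintf(pIP, "%u.%u.%u.%u",
            (nipaddr >> 24) & 0xFF,
            (nipaddr >> 16) & 0xFF,
            (nipaddr >> 8) & 0xFF,
            nipaddr & 0xFF);
    return pIP;
}

/*---------------------------------------------------------------------------
 * Map a process id to the full path of its executable.
 *
 * Returns a static buffer that is overwritten on every call.
 *   - PID 0 yields "Idle".  CreateToolhelp32Snapshot() treats process id 0
 *     as "the calling process", so looking PID 0 up the normal way would
 *     report this program's own path.
 *   - A process whose module list cannot be snapshotted (for example the
 *     System process, or a process this caller may not inspect) falls back
 *     to the bare image name from the process snapshot.
 *   - An unknown PID yields "Idle".
 * Copies are bounded: szExePath is MAX_PATH wide and would not fit in the
 * 256-byte result buffer unbounded.
 */
char *ProcessPidToName(DWORD ProcessId)
{
    static char ProcessName[256];
    HANDLE hProcessSnap;
    PROCESSENTRY32 processEntry = { 0 };
    BOOL bRet;

    lstrcpy(ProcessName, "Idle");
    if (ProcessId == 0) {
        return ProcessName;
    }

    hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hProcessSnap == INVALID_HANDLE_VALUE) {
        return ProcessName;
    }

    processEntry.dwSize = sizeof processEntry;
    for (bRet = Process32First(hProcessSnap, &processEntry);
         bRet;
         bRet = Process32Next(hProcessSnap, &processEntry)) {
        MODULEENTRY32 me32 = { 0 };
        HANDLE hModuleSnap;

        if (processEntry.th32ProcessID != ProcessId) {
            continue;
        }

        /* Take the image name first so there is a usable answer even when the
           module snapshot below is refused. */
        lstrcpyn(ProcessName, processEntry.szExeFile, sizeof ProcessName);

        me32.dwSize = sizeof me32;
        hModuleSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, ProcessId);
        if (hModuleSnap != INVALID_HANDLE_VALUE) {
            /* As in the original, the first module entry is taken to be the
               executable itself; its szExePath is the full path we want. */
            if (Module32First(hModuleSnap, &me32)) {
                lstrcpyn(ProcessName, me32.szExePath, sizeof ProcessName);
            }
            CloseHandle(hModuleSnap); /* this handle was never closed before */
        }
        break;
    }

    CloseHandle(hProcessSnap);
    return ProcessName;
}

/*---------------------------------------------------------------------------
 * Print one line per TCP and per UDP endpoint: protocol, local address,
 * foreign address ("*:*" for UDP), TCP state, and "<exe path>:<pid>" of the
 * owning process.
 *
 * Both table routines must have been resolved by main(); if either is
 * missing the function prints a message and returns.  Each table that was
 * obtained is released with HeapFree() before returning, including the TCP
 * table when fetching the UDP table fails.
 */
void DisplayPort(void)
{
    DWORD i;
    HANDLE hHeap = GetProcessHeap();
    PMIB_TCPEXTABLE TCPExTable = NULL;
    PMIB_UDPEXTABLE UDPExTable = NULL;
    char szLocalAddress[256];
    char szRemoteAddress[256];

    if (pAllocateAndGetTcpExTableFromStack == NULL ||
        pAllocateAndGetUdpExTableFromStack == NULL) {
        printf("AllocateAndGet*ExTableFromStack not available!\n");
        return;
    }

    if (pAllocateAndGetTcpExTableFromStack(&TCPExTable, TRUE, hHeap, 2, 2) ||
        TCPExTable == NULL) {
        printf("AllocateAndGetTcpExTableFromStack Error!\n");
        return;
    }

    if (pAllocateAndGetUdpExTableFromStack(&UDPExTable, TRUE, hHeap, 2, 2) ||
        UDPExTable == NULL) {
        printf("AllocateAndGetUdpExTableFromStack Error!.\n");
        HeapFree(hHeap, 0, TCPExTable);
        return;
    }

    /* TCP endpoints. */
    printf("%-6s%-22s%-22s%-11s%s\n",
           "Proto", "Local Address", "Foreign Address", "State", "Process");
    for (i = 0; i < TCPExTable->dwNumEntries; i++) {
        const MIB_TCPEXROW *row = &TCPExTable->table[i];

        /* GetIP() returns a static buffer, so each address is formatted in
           its own statement rather than two GetIP() calls in one printf().
           "<15-char address>:<5-digit port>" is far below the 256 bytes. */
        sprintf(szLocalAddress, "%s:%d",
                GetIP(row->dwLocalAddr), htons((WORD)row->dwLocalPort));
        sprintf(szRemoteAddress, "%s:%d",
                GetIP(row->dwRemoteAddr), htons((WORD)row->dwRemotePort));

        printf("%-6s%-22s%-22s%-11s%s:%lu\n",
               "TCP",
               szLocalAddress,
               szRemoteAddress,
               TcpStateName(row->dwState),
               ProcessPidToName(row->dwProcessId),
               (unsigned long)row->dwProcessId);
    }

    /* UDP endpoints: no state and no foreign address. */
    for (i = 0; i < UDPExTable->dwNumEntries; i++) {
        const MIB_UDPEXROW *row = &UDPExTable->table[i];

        sprintf(szLocalAddress, "%s:%d",
                GetIP(row->dwLocalAddr), htons((WORD)row->dwLocalPort));
        sprintf(szRemoteAddress, "%s", "*:*");

        printf("%-6s%-22s%-33s%s:%lu\n",
               "UDP",
               szLocalAddress,
               szRemoteAddress,
               ProcessPidToName(row->dwProcessId),
               (unsigned long)row->dwProcessId);
    }

    HeapFree(hHeap, 0, UDPExTable);
    HeapFree(hHeap, 0, TCPExTable);
}

/*---------------------------------------------------------------------------
 * Entry point: initialise Winsock (needed for htonl/htons), resolve the two
 * iphlpapi exports, print the process/port listing, then tear everything
 * down in reverse order.  Returns 0 on success and 1 when Winsock, the DLL
 * or either export is unavailable.
 */
int main(void)
{
    WSADATA WSAData;
    HMODULE hIpDLL;
    int rc = 1;

    if (WSAStartup(MAKEWORD(1, 1), &WSAData)) {
        printf("WSAStartup error!\n");
        return rc;
    }

    hIpDLL = LoadLibrary("iphlpapi.dll");
    if (!hIpDLL) {
        printf("LoadLibrary iphlpapi.dll error!\n");
        goto out_wsa;
    }

    pAllocateAndGetTcpExTableFromStack = (PALLOCATE_AND_GET_TCPEXTABLE_FROM_STACK)
        GetProcAddress(hIpDLL, "AllocateAndGetTcpExTableFromStack");
    pAllocateAndGetUdpExTableFromStack = (PALLOCATE_AND_GET_UDPEXTABLE_FROM_STACK)
        GetProcAddress(hIpDLL, "AllocateAndGetUdpExTableFromStack");

    /* These exports are undocumented and absent on newer Windows; calling a
       NULL pointer here was the original's failure mode. */
    if (pAllocateAndGetTcpExTableFromStack == NULL ||
        pAllocateAndGetUdpExTableFromStack == NULL) {
        printf("AllocateAndGet*ExTableFromStack not exported by iphlpapi.dll!\n");
        goto out_lib;
    }

    DisplayPort();
    rc = 0;

out_lib:
    /* The pointers dangle once the DLL is unloaded; clear them first. */
    pAllocateAndGetTcpExTableFromStack = NULL;
    pAllocateAndGetUdpExTableFromStack = NULL;
    FreeLibrary(hIpDLL);
out_wsa:
    WSACleanup();
    getchar(); /* pause so the console output can be read */
    return rc;
}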