VC++实现获取进程端口检测木马

我们都知道病毒木马都要与外面通信，如何检测呢，今天我们来时间检测进程端口来检测木马

请见代码与注释

#include <windows.h>#include <Tlhelp32.h>#include <winsock.h>#include <stdio.h>#pragma comment(lib, "ws2_32.lib")//---------------------------------------------------------------------------// 以下为与TCP相关的结构. typedef struct tagMIB_TCPEXROW{DWORD dwState;      // 连接状态.DWORD dwLocalAddr;     // 本地计算机地址.DWORD dwLocalPort;       // 本地计算机端口.DWORD dwRemoteAddr;    // 远程计算机地址.DWORD dwRemotePort;     // 远程计算机端口.DWORD dwProcessId;} MIB_TCPEXROW, *PMIB_TCPEXROW;typedef struct tagMIB_TCPEXTABLE{DWORD dwNumEntries;MIB_TCPEXROW table[100];    // 任意大小数组变量.} MIB_TCPEXTABLE, *PMIB_TCPEXTABLE;//---------------------------------------------------------------------------// 以下为与UDP相关的结构. typedef struct tagMIB_UDPEXROW{DWORD dwLocalAddr;         // 本地计算机地址.DWORD dwLocalPort;         // 本地计算机端口.DWORD dwProcessId;} MIB_UDPEXROW, *PMIB_UDPEXROW;typedef struct tagMIB_UDPEXTABLE{DWORD dwNumEntries;MIB_UDPEXROW table[100];    // 任意大小数组变量. } MIB_UDPEXTABLE, *PMIB_UDPEXTABLE;//---------------------------------------------------------------------------// 所用的iphlpapi.dll中的函数原型定义.typedef DWORD (WINAPI *PALLOCATE_AND_GET_TCPEXTABLE_FROM_STACK)(PMIB_TCPEXTABLE *pTcpTable, // 连接表缓冲区.BOOL bOrder,                HANDLE heap,DWORD zero,DWORD flags);typedef DWORD (WINAPI *PALLOCATE_AND_GET_UDPEXTABLE_FROM_STACK)(PMIB_UDPEXTABLE *pUdpTable, // 连接表缓冲区.BOOL bOrder,                HANDLE heap,DWORD zero,DWORD flags);static PALLOCATE_AND_GET_TCPEXTABLE_FROM_STACK          pAllocateAndGetTcpExTableFromStack = NULL;static PALLOCATE_AND_GET_UDPEXTABLE_FROM_STACK          pAllocateAndGetUdpExTableFromStack = NULL;//---------------------------------------------------------------------------//// 可能的 TCP 端点状态.//static char TcpState[][32] = {    TEXT("???"),TEXT("CLOSED"),TEXT("LISTENING"),TEXT("SYN_SENT"),TEXT("SYN_RCVD"),TEXT("ESTABLISHED"),TEXT("FIN_WAIT1"),TEXT("FIN_WAIT2"),TEXT("CLOSE_WAIT"),TEXT("CLOSING"),TEXT("LAST_ACK"),TEXT("TIME_WAIT"),TEXT("DELETE_TCB")};//---------------------------------------------------------------------------//// 生成IP地址字符串.//PCHAR GetIP(unsigned int ipaddr){static char pIP[20];unsigned int nipaddr = htonl(ipaddr);sprintf(pIP, "%d.%d.%d.%d",(nipaddr >>24) &0xFF,(nipaddr>>16) &0xFF,(nipaddr>>8) &0xFF,(nipaddr)&0xFF);return pIP;}//---------------------------------------------------------------------------//// 由进程号获得全程文件名.//char* ProcessPidToName(DWORD ProcessId){HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);PROCESSENTRY32 processEntry = { 0 };processEntry.dwSize = sizeof(PROCESSENTRY32); static char ProcessName[256];lstrcpy(ProcessName, "Idle");if (hProcessSnap == INVALID_HANDLE_VALUE) return ProcessName;BOOL bRet=Process32First(hProcessSnap, &processEntry);while(bRet) {if (processEntry.th32ProcessID == ProcessId){MODULEENTRY32 me32 = {0}; me32.dwSize = sizeof(MODULEENTRY32);     HANDLE hModuleSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, processEntry.th32ProcessID);             Module32First(hModuleSnap, &me32); // 获得全程路径.lstrcpy(ProcessName, me32.szExePath);CloseHandle(hProcessSnap);return ProcessName;}    bRet=Process32Next(hProcessSnap, &processEntry);} CloseHandle(hProcessSnap);return ProcessName;}//---------------------------------------------------------------------------//// 显示进程、端口和文件名之间的关联.//void DisplayPort(){DWORD i;PMIB_TCPEXTABLE TCPExTable;PMIB_UDPEXTABLE UDPExTable;char szLocalAddress[256];char szRemoteAddress[256];if(pAllocateAndGetTcpExTableFromStack(&TCPExTable, TRUE, GetProcessHeap(), 2, 2)){printf("AllocateAndGetTcpExTableFromStack Error!\n");return;}if(pAllocateAndGetUdpExTableFromStack(&UDPExTable, TRUE, GetProcessHeap(), 2, 2 )){printf("AllocateAndGetUdpExTableFromStack Error!.\n");return;}// 获得TCP列表.printf("%-6s%-22s%-22s%-11s%s\n",TEXT("Proto"),TEXT("Local Address"),TEXT("Foreign Address"),TEXT("State"),TEXT("Process"));for( i = 0; i <TCPExTable->dwNumEntries; i++ ){sprintf( szLocalAddress, "%s:%d",GetIP(TCPExTable->table[i].dwLocalAddr),htons( (WORD) TCPExTable->table[i].dwLocalPort));sprintf( szRemoteAddress, "%s:%d",GetIP(TCPExTable->table[i].dwRemoteAddr),htons((WORD)TCPExTable->table[i].dwRemotePort));printf("%-6s%-22s%-22s%-11s%s:%d\n", TEXT("TCP"),szLocalAddress, szRemoteAddress,TcpState[TCPExTable->table[i].dwState],ProcessPidToName(TCPExTable->table[i].dwProcessId),TCPExTable->table[i].dwProcessId);}// 获得UDP列表.for( i = 0; i < UDPExTable->dwNumEntries; i++ ){sprintf( szLocalAddress, "%s:%d",GetIP(UDPExTable->table[i].dwLocalAddr),htons((WORD)UDPExTable->table[i].dwLocalPort));sprintf( szRemoteAddress, "%s","*:*");printf("%-6s%-22s%-33s%s:%d\n", TEXT("UDP"),szLocalAddress, szRemoteAddress,ProcessPidToName(UDPExTable->table[i].dwProcessId),UDPExTable->table[i].dwProcessId);}}//---------------------------------------------------------------------------//// 进程与端口关联程序的主函数.//void main(){WSADATA WSAData;if( WSAStartup(MAKEWORD(1, 1), &WSAData )){printf("WSAStartup error!\n");return;}HMODULE hIpDLL = LoadLibrary( "iphlpapi.dll");    if ( !hIpDLL)        return;pAllocateAndGetTcpExTableFromStack =        (PALLOCATE_AND_GET_TCPEXTABLE_FROM_STACK) GetProcAddress( hIpDLL,"AllocateAndGetTcpExTableFromStack");pAllocateAndGetUdpExTableFromStack =       (PALLOCATE_AND_GET_UDPEXTABLE_FROM_STACK) GetProcAddress(hIpDLL, "AllocateAndGetUdpExTableFromStack" );   // 显示进程与端口关联.DisplayPort();     FreeLibrary(hIpDLL);WSACleanup();getchar();  // 暂停.}