VC++實現獲取程序埠檢測木馬
阿新 • • 發佈:2019-01-23
我們都知道病毒木馬都要與外面通訊,如何檢測呢,今天我們來實現檢測程序埠來檢測木馬
請見程式碼與註釋
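#include <windows.h>
#include <Tlhelp32.h>
#include <winsock.h>
#include <stdio.h>

#pragma comment(lib, "ws2_32.lib")

//---------------------------------------------------------------------------
// Declared row capacity of the extended TCP/UDP tables below. The real row
// count is dwNumEntries: the tables are allocated by iphlpapi.dll on the heap
// handed to AllocateAndGet*ExTableFromStack, so this figure only shapes the
// declaration and must never be used to size a buffer or bound a loop.
enum { MIB_EX_TABLE_DECL_ROWS = 100 };

//---------------------------------------------------------------------------
// TCP-related structures. The "extended" row has the MIB_TCPROW layout plus
// the owning process id.
typedef struct tagMIB_TCPEXROW {
    DWORD dwState;        // Connection state; used as an index into TcpState[].
    DWORD dwLocalAddr;    // Local address, network byte order (see GetIP()).
    DWORD dwLocalPort;    // Local port, network byte order in the low 16 bits.
    DWORD dwRemoteAddr;   // Remote address, same encoding.
    DWORD dwRemotePort;   // Remote port, same encoding.
    DWORD dwProcessId;    // Id of the process owning the endpoint.
} MIB_TCPEXROW, *PMIB_TCPEXROW;

typedef struct tagMIB_TCPEXTABLE {
    DWORD dwNumEntries;                       // Number of valid rows in table[].
    MIB_TCPEXROW table[MIB_EX_TABLE_DECL_ROWS];
} MIB_TCPEXTABLE, *PMIB_TCPEXTABLE;

//---------------------------------------------------------------------------
// UDP-related structures (MIB_UDPROW layout plus the owning process id).
typedef struct tagMIB_UDPEXROW {
    DWORD dwLocalAddr;    // Local address, network byte order.
    DWORD dwLocalPort;    // Local port, network byte order in the low 16 bits.
    DWORD dwProcessId;    // Id of the process owning the endpoint.
} MIB_UDPEXROW, *PMIB_UDPEXROW;

typedef struct tagMIB_UDPEXTABLE {
    DWORD dwNumEntries;                       // Number of valid rows in table[].
    MIB_UDPEXROW table[MIB_EX_TABLE_DECL_ROWS];
} MIB_UDPEXTABLE, *PMIB_UDPEXTABLE;

//---------------------------------------------------------------------------
// Prototypes of the iphlpapi.dll exports used. These are undocumented and
// absent from newer Windows versions (GetProcAddress then returns NULL), so
// both pointers must be NULL-checked before use. Return value: 0 on success,
// nonzero on failure. On success *pTcpTable/*pUdpTable points at a table
// allocated on `heap`; the caller is presumably responsible for releasing it
// with HeapFree(heap, 0, table) — confirm against the DLL version in use.
typedef DWORD (WINAPI *PALLOCATE_AND_GET_TCPEXTABLE_FROM_STACK)(
    PMIB_TCPEXTABLE *pTcpTable,   // Receives the connection table.
    BOOL bOrder,                  // TRUE to sort the table.
    HANDLE heap,                  // Heap the table is allocated from.
    DWORD zero,
    DWORD flags
);

typedef DWORD (WINAPI *PALLOCATE_AND_GET_UDPEXTABLE_FROM_STACK)(
    PMIB_UDPEXTABLE *pUdpTable,   // Receives the listener table.
    BOOL bOrder,                  // TRUE to sort the table.
    HANDLE heap,                  // Heap the table is allocated from.
    DWORD zero,
    DWORD flags
);

// Resolved in main() via GetProcAddress; NULL until then and NULL forever on
// systems without these exports.
static PALLOCATE_AND_GET_TCPEXTABLE_FROM_STACK pAllocateAndGetTcpExTableFromStack = NULL;
static PALLOCATE_AND_GET_UDPEXTABLE_FROM_STACK pAllocateAndGetUdpExTableFromStack = NULL;

//---------------------------------------------------------------------------
//
// Possible TCP endpoint states.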
// static char TcpState[][32] = { TEXT("???"), TEXT("CLOSED"), TEXT("LISTENING"), TEXT("SYN_SENT"), TEXT("SYN_RCVD"), TEXT("ESTABLISHED"), TEXT("FIN_WAIT1"), TEXT("FIN_WAIT2"), TEXT("CLOSE_WAIT"), TEXT("CLOSING"), TEXT("LAST_ACK"), TEXT("TIME_WAIT"), TEXT("DELETE_TCB") }; //--------------------------------------------------------------------------- // // 生成IP地址字串. // PCHAR GetIP(unsigned int ipaddr) { static char pIP[20]; unsigned int nipaddr = htonl(ipaddr); sprintf(pIP, "%d.%d.%d.%d", (nipaddr >>24) &0xFF, (nipaddr>>16) &0xFF, (nipaddr>>8) &0xFF, (nipaddr)&0xFF); return pIP; } //--------------------------------------------------------------------------- // // 由程序號獲得全程檔名. // char* ProcessPidToName(DWORD ProcessId) { HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); PROCESSENTRY32 processEntry = { 0 }; processEntry.dwSize = sizeof(PROCESSENTRY32); static char ProcessName[256]; lstrcpy(ProcessName, "Idle"); if (hProcessSnap == INVALID_HANDLE_VALUE) return ProcessName; BOOL bRet=Process32First(hProcessSnap, &processEntry); while(bRet) { if (processEntry.th32ProcessID == ProcessId) { MODULEENTRY32 me32 = {0}; me32.dwSize = sizeof(MODULEENTRY32); HANDLE hModuleSnap = CreateToolhelp32Snapshot (TH32CS_SNAPMODULE, processEntry.th32ProcessID); Module32First(hModuleSnap, &me32); // 獲得全程路徑. lstrcpy(ProcessName, me32.szExePath); CloseHandle(hProcessSnap); return ProcessName; } bRet=Process32Next(hProcessSnap, &processEntry); } CloseHandle(hProcessSnap); return ProcessName; } //--------------------------------------------------------------------------- // // 顯示程序、埠和檔名之間的關聯. 
// void DisplayPort() { DWORD i; PMIB_TCPEXTABLE TCPExTable; PMIB_UDPEXTABLE UDPExTable; char szLocalAddress[256]; char szRemoteAddress[256]; if(pAllocateAndGetTcpExTableFromStack( &TCPExTable, TRUE, GetProcessHeap(), 2, 2)) { printf("AllocateAndGetTcpExTableFromStack Error!\n"); return; } if(pAllocateAndGetUdpExTableFromStack (&UDPExTable, TRUE, GetProcessHeap(), 2, 2 )) { printf("AllocateAndGetUdpExTableFromStack Error!.\n"); return; } // 獲得TCP列表. printf("%-6s%-22s%-22s%-11s%s\n", TEXT("Proto"), TEXT("Local Address"), TEXT("Foreign Address"), TEXT("State"), TEXT("Process")); for( i = 0; i <TCPExTable->dwNumEntries; i++ ) { sprintf( szLocalAddress, "%s:%d", GetIP(TCPExTable->table[i].dwLocalAddr), htons( (WORD) TCPExTable->table[i].dwLocalPort)); sprintf( szRemoteAddress, "%s:%d", GetIP(TCPExTable->table[i].dwRemoteAddr), htons((WORD)TCPExTable->table[i].dwRemotePort)); printf("%-6s%-22s%-22s%-11s%s:%d\n", TEXT("TCP"), szLocalAddress, szRemoteAddress, TcpState[TCPExTable->table[i].dwState], ProcessPidToName(TCPExTable->table[i].dwProcessId), TCPExTable->table[i].dwProcessId); } // 獲得UDP列表. for( i = 0; i < UDPExTable->dwNumEntries; i++ ) { sprintf( szLocalAddress, "%s:%d", GetIP(UDPExTable->table[i].dwLocalAddr), htons((WORD)UDPExTable->table[i].dwLocalPort)); sprintf( szRemoteAddress, "%s","*:*"); printf("%-6s%-22s%-33s%s:%d\n", TEXT("UDP"), szLocalAddress, szRemoteAddress, ProcessPidToName(UDPExTable->table[i].dwProcessId), UDPExTable->table[i].dwProcessId); } } //--------------------------------------------------------------------------- // // 程序與埠關聯程式的主函式. 
// void main() { WSADATA WSAData; if( WSAStartup(MAKEWORD(1, 1), &WSAData )) { printf("WSAStartup error!\n"); return; } HMODULE hIpDLL = LoadLibrary( "iphlpapi.dll"); if ( !hIpDLL) return; pAllocateAndGetTcpExTableFromStack = (PALLOCATE_AND_GET_TCPEXTABLE_FROM_STACK) GetProcAddress( hIpDLL, "AllocateAndGetTcpExTableFromStack"); pAllocateAndGetUdpExTableFromStack = (PALLOCATE_AND_GET_UDPEXTABLE_FROM_STACK) GetProcAddress(hIpDLL, "AllocateAndGetUdpExTableFromStack" ); // 顯示程序與埠關聯. DisplayPort(); FreeLibrary(hIpDLL); WSACleanup(); getchar(); // 暫停. }