VC++实现获取进程端口检测木马


我们都知道病毒木马都要与外面通信，如何检测呢？今天我们来实现“进程—端口关联”检测：枚举系统当前的 TCP/UDP 连接表，把每个端口映射到拥有它的进程，再结合进程的映像路径来发现可疑通信。需要注意两点：其一，下面代码使用的 AllocateAndGetTcpExTableFromStack / AllocateAndGetUdpExTableFromStack 是 iphlpapi.dll 的未公开导出，Windows Vista 及以后的系统中已不存在，新系统应改用公开的 GetExtendedTcpTable / GetExtendedUdpTable；其二，这是用户态的枚举，依赖系统报告的连接表和进程快照，能够挂钩 API 或隐藏进程的 Rootkit 可以绕过它，所以“没有发现可疑端口”并不等于系统干净。

#include <windows.h>
#include <Tlhelp32.h>
#include <winsock.h>
#include <stdio.h>
#pragma comment(lib, "ws2_32.lib")
  
//---------------------------------------------------------------------------
// TCP table row as returned by the undocumented iphlpapi export
// AllocateAndGetTcpExTableFromStack: the public MIB_TCPROW fields followed by
// the owning process ID. This is not declared in any SDK header, so the field
// order and DWORD widths must match what the DLL writes. Addresses and ports
// are stored in network byte order; the display code converts them with
// htonl()/htons().
typedef struct tagMIB_TCPEXROW{
    DWORD dwState;              // Connection state; used as an index into TcpState[] (1..12, 0 = unknown).
    DWORD dwLocalAddr;          // Local IPv4 address, network byte order.
    DWORD dwLocalPort;          // Local port in the low 16 bits, network byte order.
    DWORD dwRemoteAddr;         // Remote IPv4 address, network byte order.
    DWORD dwRemotePort;         // Remote port in the low 16 bits, network byte order.
    DWORD dwProcessId;          // PID of the process that owns the socket.
} MIB_TCPEXROW, *PMIB_TCPEXROW;
  
// Header of the TCP table: dwNumEntries rows follow it in the same block.
// The DLL sizes the allocation itself, so the [100] is only a nominal bound
// that lets the rows be indexed: DisplayPort walks table[] up to
// dwNumEntries, which can exceed 100, and sizeof(MIB_TCPEXTABLE) must never
// be used to size or copy the table.
typedef struct tagMIB_TCPEXTABLE{
    DWORD dwNumEntries;         // Number of valid rows in table[].
    MIB_TCPEXROW table[100];    // Nominal bound only; really dwNumEntries rows.
} MIB_TCPEXTABLE, *PMIB_TCPEXTABLE;
  
//---------------------------------------------------------------------------
// UDP table row as returned by the undocumented iphlpapi export
// AllocateAndGetUdpExTableFromStack: local endpoint plus owning process ID.
// UDP has no peer or connection state, so there are no remote fields. Same
// caveats as MIB_TCPEXROW: undocumented layout, network byte order.
typedef struct tagMIB_UDPEXROW{
    DWORD dwLocalAddr;          // Local IPv4 address, network byte order.
    DWORD dwLocalPort;          // Local port in the low 16 bits, network byte order.
    DWORD dwProcessId;          // PID of the process that owns the socket.
} MIB_UDPEXROW, *PMIB_UDPEXROW;
  
// Header of the UDP table; see MIB_TCPEXTABLE for why [100] is only a
// nominal bound and dwNumEntries is the real row count.
typedef struct tagMIB_UDPEXTABLE{
    DWORD dwNumEntries;         // Number of valid rows in table[].
    MIB_UDPEXROW table[100];    // Nominal bound only; really dwNumEntries rows.
} MIB_UDPEXTABLE, *PMIB_UDPEXTABLE;
  
//---------------------------------------------------------------------------
// Prototype of iphlpapi.dll!AllocateAndGetTcpExTableFromStack, bound at run
// time with GetProcAddress in main() because it is not declared in any SDK
// header: it is an undocumented export of older (2000/XP-era) iphlpapi that
// later Windows versions no longer provide, so the pointer must be checked
// for NULL before it is called. Returns 0 on success; DisplayPort treats any
// non-zero value as failure. The table is allocated from the heap handle
// passed in. The names of the last three parameters are conventional, not
// from Microsoft; what the DLL does with "zero" and "flags" is undocumented.
typedef DWORD (WINAPI *PALLOCATE_AND_GET_TCPEXTABLE_FROM_STACK)(
    PMIB_TCPEXTABLE *pTcpTable, // Out: receives the heap-allocated table.
    BOOL bOrder,                // Sort the rows (TRUE in this tool).
    HANDLE heap,                // Heap the table is allocated from.
    DWORD zero,
    DWORD flags
    );
  
// Prototype of iphlpapi.dll!AllocateAndGetUdpExTableFromStack; the UDP
// counterpart of the TCP export above, with the same undocumented status,
// NULL-check requirement and heap-allocation contract.
typedef DWORD (WINAPI *PALLOCATE_AND_GET_UDPEXTABLE_FROM_STACK)(
    PMIB_UDPEXTABLE *pUdpTable, // Out: receives the heap-allocated table.
    BOOL bOrder,                // Sort the rows (TRUE in this tool).
    HANDLE heap,                // Heap the table is allocated from.
    DWORD zero,
    DWORD flags
    );
  
// Entry points resolved in main() from iphlpapi.dll. They stay NULL when
// GetProcAddress cannot find the exports (the case on Windows versions that
// dropped them), so every caller must test them before calling through.
static PALLOCATE_AND_GET_TCPEXTABLE_FROM_STACK
          pAllocateAndGetTcpExTableFromStack = NULL;
  
static PALLOCATE_AND_GET_UDPEXTABLE_FROM_STACK
          pAllocateAndGetUdpExTableFromStack = NULL;
  
//---------------------------------------------------------------------------
//
// Display names for TCP endpoint states. A row's dwState is used directly as
// the index: MIB_TCP_STATE values run 1 (CLOSED) .. 12 (DELETE_TCB), and
// entry 0 is a placeholder for a value that is not a known state. The table
// has 13 entries, so any dwState above 12 must be range-checked before it is
// used as an index. TEXT() expands to plain narrow literals here, which only
// works because this file is built without UNICODE defined.
//
static char TcpState[][32] = {
    TEXT("???"),
    TEXT("CLOSED"),
    TEXT("LISTENING"),
    TEXT("SYN_SENT"),
    TEXT("SYN_RCVD"),
    TEXT("ESTABLISHED"),
    TEXT("FIN_WAIT1"),
    TEXT("FIN_WAIT2"),
    TEXT("CLOSE_WAIT"),
    TEXT("CLOSING"),
    TEXT("LAST_ACK"),
    TEXT("TIME_WAIT"),
    TEXT("DELETE_TCB")
};
  
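//---------------------------------------------------------------------------
//
// Format an IPv4 address taken from a MIB row (network byte order, as the
// stack stores it) as a dotted-quad string such as "192.168.0.1".
//
// Returns a pointer to a static buffer, so the string is only valid until
// the next call and the function is not reentrant: a caller that needs two
// addresses at once (as DisplayPort does) must copy the first result before
// calling again, which is why DisplayPort formats each one into its own
// buffer immediately.
//
PCHAR GetIP(unsigned int ipaddr)
{
    // Longest result is "255.255.255.255": 15 characters plus terminator.
    static char pIP[16];
    // htonl() puts the first octet in the most significant byte on either
    // host byte order, so the shifts below peel the octets off in order.
    unsigned int nipaddr = htonl(ipaddr);

    // Each octet is masked to 0..255, so the bounded formatter can never
    // truncate; %u matches the unsigned operands (the original used %d).
    snprintf(pIP, sizeof pIP, "%u.%u.%u.%u",
        (nipaddr >> 24) & 0xFFu,
        (nipaddr >> 16) & 0xFFu,
        (nipaddr >> 8) & 0xFFu,
        nipaddr & 0xFFu);
    return pIP;
}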
  
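//---------------------------------------------------------------------------
//
// Resolve a process ID to the full path of its executable image.
//
// Walks a Toolhelp process snapshot to find ProcessId, then opens a module
// snapshot of that process: the first module listed is the process's own
// executable, whose szExePath is the full path. The module snapshot needs
// access to the target and fails for processes this tool may not open
// (SYSTEM-owned or protected ones, and 64-bit targets from a 32-bit build);
// in that case the image name recorded in the process entry (szExeFile) is
// returned instead of the empty string the original produced. When hunting
// for malware, a bare image name is a weaker signal than a full path: any
// process can call itself svchost.exe, only the path shows where it runs from.
//
// Returns a pointer to a static buffer that is overwritten by the next call
// (not reentrant). "Idle" is returned when the snapshot cannot be taken or
// ProcessId is not in it; because the PID came from a connection table
// captured a moment earlier, "Idle" for a non-zero PID usually means the
// owner has already exited, not that the System Idle Process owns the socket.
//
// Fixes relative to the published listing: the while loop's closing brace
// was missing (it did not compile as printed), the module snapshot handle
// was leaked, Module32First's result was unchecked, and szExePath (MAX_PATH
// bytes) was copied unbounded into a 256-byte buffer.
//
char* ProcessPidToName(DWORD ProcessId)
{
    // Sized like szExePath so a full path always fits; every copy below is
    // bounded and NUL-terminated by snprintf.
    static char ProcessName[MAX_PATH];
    PROCESSENTRY32 processEntry = { 0 };
    HANDLE hProcessSnap;
    BOOL bRet;

    snprintf(ProcessName, sizeof ProcessName, "%s", "Idle");

    hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hProcessSnap == INVALID_HANDLE_VALUE)
        return ProcessName;

    processEntry.dwSize = sizeof(PROCESSENTRY32);
    for (bRet = Process32First(hProcessSnap, &processEntry);
         bRet;
         bRet = Process32Next(hProcessSnap, &processEntry))
    {
        MODULEENTRY32 me32 = { 0 };
        HANDLE hModuleSnap;

        if (processEntry.th32ProcessID != ProcessId)
            continue;

        // Start with the image name from the process entry; the module
        // snapshot upgrades it to a full path when the target can be opened.
        snprintf(ProcessName, sizeof ProcessName, "%s", processEntry.szExeFile);

        hModuleSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, ProcessId);
        if (hModuleSnap != INVALID_HANDLE_VALUE)
        {
            me32.dwSize = sizeof(MODULEENTRY32);
            if (Module32First(hModuleSnap, &me32))
                snprintf(ProcessName, sizeof ProcessName, "%s", me32.szExePath);
            CloseHandle(hModuleSnap);
        }
        break;
    }

    CloseHandle(hProcessSnap);
    return ProcessName;
}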
  
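//---------------------------------------------------------------------------
//
// Print every TCP and UDP endpoint together with its owning process
// (netstat -o style): protocol, local address, remote address, TCP state,
// and the owner's image path plus PID.
//
// The tables come from the two undocumented iphlpapi exports bound by
// main(); they allocate the table from the heap handle passed in, so both
// are released here with HeapFree (the original freed neither and, on a UDP
// failure, returned with the TCP table still allocated). The export
// pointers are NULL-checked first: where the exports do not exist (Windows
// Vista and later, where GetExtendedTcpTable/GetExtendedUdpTable replace
// them) GetProcAddress leaves them NULL and calling through them would crash.
//
// Detection caveats: this is a user-mode view of what the TCP/IP stack
// reports, so anything that hooks iphlpapi, hides its PID from Toolhelp, or
// tunnels through another process (e.g. code injected into a browser) does
// not stand out here. The image path shown is controlled by the owning
// process and can be made to look legitimate. The table is a snapshot, so a
// PID may already be gone or reused by the time it is resolved to a name.
//
void DisplayPort()
{
    DWORD i;
    PMIB_TCPEXTABLE TCPExTable = NULL;
    PMIB_UDPEXTABLE UDPExTable = NULL;
    HANDLE hHeap = GetProcessHeap();
    char szLocalAddress[256];
    char szRemoteAddress[256];
    // dwState is used as an index into TcpState[]; anything outside the
    // table is mapped to entry 0 ("???") instead of being read out of bounds.
    const DWORD nStates = sizeof(TcpState) / sizeof(TcpState[0]);

    if (pAllocateAndGetTcpExTableFromStack == NULL ||
        pAllocateAndGetUdpExTableFromStack == NULL)
    {
        printf("AllocateAndGet{Tcp,Udp}ExTableFromStack not found in iphlpapi.dll!\n");
        return;
    }

    // bOrder = TRUE, zero = 2, flags = 2 are the conventional arguments for
    // this undocumented call; a non-zero return is an error.
    if (pAllocateAndGetTcpExTableFromStack(&TCPExTable, TRUE, hHeap, 2, 2))
    {
        printf("AllocateAndGetTcpExTableFromStack Error!\n");
        return;
    }

    if (pAllocateAndGetUdpExTableFromStack(&UDPExTable, TRUE, hHeap, 2, 2))
    {
        printf("AllocateAndGetUdpExTableFromStack Error!.\n");
        HeapFree(hHeap, 0, TCPExTable);
        return;
    }

    // Column header. TEXT() yields narrow literals only in an ANSI build,
    // which is the only configuration this file supports.
    printf("%-6s%-22s%-22s%-11s%s\n",
        TEXT("Proto"),
        TEXT("Local Address"),
        TEXT("Foreign Address"),
        TEXT("State"),
        TEXT("Process"));

    // TCP endpoints. Addresses and ports are in network byte order in the
    // row, hence GetIP()/htons(). Each address string is at most 21
    // characters ("255.255.255.255:65535"), so the buffers cannot truncate;
    // the bounded formatter keeps that true if the format ever changes.
    for (i = 0; i < TCPExTable->dwNumEntries; i++)
    {
        const MIB_TCPEXROW *row = &TCPExTable->table[i];
        DWORD dwState = row->dwState;

        if (dwState >= nStates)
            dwState = 0;

        snprintf(szLocalAddress, sizeof szLocalAddress, "%s:%u",
            GetIP(row->dwLocalAddr),
            (unsigned)htons((WORD)row->dwLocalPort));

        snprintf(szRemoteAddress, sizeof szRemoteAddress, "%s:%u",
            GetIP(row->dwRemoteAddr),
            (unsigned)htons((WORD)row->dwRemotePort));

        printf("%-6s%-22s%-22s%-11s%s:%lu\n", TEXT("TCP"),
            szLocalAddress, szRemoteAddress,
            TcpState[dwState],
            ProcessPidToName(row->dwProcessId),
            (unsigned long)row->dwProcessId);
    }

    // UDP endpoints have no peer or state; the remote column shows "*:*".
    for (i = 0; i < UDPExTable->dwNumEntries; i++)
    {
        const MIB_UDPEXROW *row = &UDPExTable->table[i];

        snprintf(szLocalAddress, sizeof szLocalAddress, "%s:%u",
            GetIP(row->dwLocalAddr),
            (unsigned)htons((WORD)row->dwLocalPort));

        snprintf(szRemoteAddress, sizeof szRemoteAddress, "%s", "*:*");

        printf("%-6s%-22s%-33s%s:%lu\n", TEXT("UDP"),
            szLocalAddress, szRemoteAddress,
            ProcessPidToName(row->dwProcessId),
            (unsigned long)row->dwProcessId);
    }

    HeapFree(hHeap, 0, UDPExTable);
    HeapFree(hHeap, 0, TCPExTable);
}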
  
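//---------------------------------------------------------------------------
//
// Entry point of the process/port association tool.
//
// Initialises Winsock (needed for htonl/htons), loads iphlpapi.dll from the
// system directory, binds its two undocumented table exports, prints the
// endpoint list via DisplayPort(), releases everything and waits for a key
// so the console window stays open.
//
// Returns 0 on success and 1 when Winsock, the DLL or its exports could not
// be set up. The original declared `void main()`, which is not a valid
// signature; the standard int form makes the exit code meaningful.
//
// Hardening relative to the original: the DLL is loaded by full path, not by
// bare name. A bare name goes through the DLL search order, which begins in
// the directory the tool was started from, so a planted iphlpapi.dll next to
// a copy run from a download folder would be loaded instead of the real one
// - a bad property for a malware-hunting utility. The export pointers are
// also NULL-checked before use (the exports are absent on Windows Vista and
// later, where GetExtendedTcpTable/GetExtendedUdpTable replace them), and
// WSACleanup runs on every exit path.
//
int main(void)
{
    WSADATA WSAData;
    char szSysDir[MAX_PATH];
    // Room for the system directory plus "\iphlpapi.dll": once the directory
    // itself fits in MAX_PATH the combined path can never be truncated.
    char szDllPath[MAX_PATH + sizeof("\\iphlpapi.dll")];
    UINT cchSysDir;
    HMODULE hIpDLL;
    int rc = 1;

    if (WSAStartup(MAKEWORD(1, 1), &WSAData))
    {
        printf("WSAStartup error!\n");
        return rc;
    }

    // GetSystemDirectory returns the length copied, the length required
    // (>= MAX_PATH) when the buffer is too small, or 0 on failure.
    cchSysDir = GetSystemDirectory(szSysDir, MAX_PATH);
    if (cchSysDir == 0 || cchSysDir >= MAX_PATH)
    {
        printf("GetSystemDirectory error!\n");
        WSACleanup();
        return rc;
    }
    snprintf(szDllPath, sizeof szDllPath, "%s\\iphlpapi.dll", szSysDir);

    hIpDLL = LoadLibrary(szDllPath);
    if (!hIpDLL)
    {
        printf("LoadLibrary(%s) error!\n", szDllPath);
        WSACleanup();
        return rc;
    }

    pAllocateAndGetTcpExTableFromStack =
        (PALLOCATE_AND_GET_TCPEXTABLE_FROM_STACK)
        GetProcAddress(hIpDLL, "AllocateAndGetTcpExTableFromStack");

    pAllocateAndGetUdpExTableFromStack =
        (PALLOCATE_AND_GET_UDPEXTABLE_FROM_STACK)
        GetProcAddress(hIpDLL, "AllocateAndGetUdpExTableFromStack");

    if (pAllocateAndGetTcpExTableFromStack == NULL ||
        pAllocateAndGetUdpExTableFromStack == NULL)
    {
        printf("iphlpapi.dll does not export AllocateAndGet{Tcp,Udp}ExTableFromStack!\n");
    }
    else
    {
        DisplayPort();
        rc = 0;
    }

    FreeLibrary(hIpDLL);
    WSACleanup();

    getchar();  // Pause so the output can be read before the window closes.
    return rc;
}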