Get the status of the system's currently open ports (TCP/UDP) and the IP addresses of their connections

zhaozj  2021-02-11  213

A simple and practical anti-hacking method. Campass (China) International Information Service Co., Ltd., Ma Wenzhen, 01-7-6 02:00:55

When we worry about hacker attacks or suspect that a Trojan has been planted on the computer, we tend to reach for a firewall. In fact there are many ways to avoid being attacked; this article achieves anti-hacking protection by monitoring all TCP connections in real time.

First, monitoring TCP connections

At its core, a hacker program or Trojan is a data transmission. TCP and UDP (User Datagram Protocol) are the two most commonly used transport protocols, and both complete the transfer by setting up a listening port.

By monitoring all ports in real time, promptly flagging an abnormal connection and prompting the user to delete it, we can effectively achieve the anti-hacking goal.

Using the Microsoft IP Helper API functions (iphlpapi.dll) is a shortcut. The GetTcpTable function returns all valid TCP connections in the current system. It is defined as:

    DWORD GetTcpTable(
        PMIB_TCPTABLE pTcpTable,   // buffer for the connection table
        PDWORD        pdwSize,     // size of the buffer
        BOOL          bOrder       // sort the table?
    );

The first parameter is a pointer to the TCP connection table buffer; the second is the buffer size (when the buffer is not large enough, this parameter returns the size actually required); the third indicates whether the connection table should be sorted, in order, by local IP, local port, remote IP and remote port.

To monitor the UDP connection table, use the GetUdpTable function. Since its use is entirely similar, it is not discussed further here (UDP monitoring is only touched on briefly).

Second, abnormal-connection warnings and deleting connections

By comparing two TCP connection tables at timed intervals, we can immediately discover an anomaly and issue a warning. The example program below uses a sound and a visual alarm to remind the user to pay attention to a possible external intrusion.
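The two steps above (reading the table GetTcpTable fills in, then comparing snapshots) are shown below in Python as an added example; it is not code from the original article, which is written in VB6. The example assumes the MIB_TCPTABLE memory layout the article's VB6 types describe (a DWORD entry count followed by 20-byte MIB_TCPROW rows of five DWORDs, ports in network byte order in the low 16 bits) and builds its two snapshots from constructed bytes rather than calling iphlpapi, so it runs on any system. It goes one step beyond the article: instead of warning only when the row count changes, it compares the (local, remote) endpoint tuples, so a new connection is still reported when another connection closed in the same interval. All function names are this example's own.

```python
from __future__ import annotations
import socket
import struct
from typing import NamedTuple

# dwState values as listed in the article's Select Case
STATE_NAMES = {
    1: "CLOSED", 2: "LISTEN", 3: "SYN_SENT", 4: "SYN_RCVD", 5: "ESTABLISHED",
    6: "FIN_WAIT1", 7: "FIN_WAIT2", 8: "CLOSE_WAIT", 9: "CLOSING", 10: "LAST_ACK",
    11: "TIME_WAIT", 12: "DELETE_TCB",
}
MIB_TCP_STATE_DELETE_TCB = 12
ROW_SIZE = 20  # MIB_TCPROW is five DWORDs


class TcpRow(NamedTuple):
    state: int
    local_addr: str
    local_port: int
    remote_addr: str
    remote_port: int


def port_from_dword(dw: int) -> int:
    """dwLocalPort/dwRemotePort hold the port in network byte order in the low
    16 bits of a little-endian DWORD; swap the two bytes, which is what the
    VB6 expression Tmp1 \\ 256 + (Tmp1 Mod 256) * 256 does."""
    return (dw & 0xFF) * 256 + ((dw >> 8) & 0xFF)


def parse_tcp_table(buf: bytes) -> list[TcpRow]:
    """Decode a MIB_TCPTABLE buffer: DWORD dwNumEntries, then that many rows of
    (dwState, dwLocalAddr, dwLocalPort, dwRemoteAddr, dwRemotePort)."""
    (count,) = struct.unpack_from("<I", buf, 0)
    rows = []
    for i in range(count):
        st, laddr, lport, raddr, rport = struct.unpack_from("<I4sI4sI", buf, 4 + i * ROW_SIZE)
        # address DWORDs are already in network byte order, so their raw four
        # bytes print directly (the VB6 code copies them into Ip_Buf for this)
        rows.append(TcpRow(st, socket.inet_ntoa(laddr), port_from_dword(lport),
                           socket.inet_ntoa(raddr), port_from_dword(rport)))
    return rows


def new_connections(before: list[TcpRow], after: list[TcpRow]) -> list[TcpRow]:
    """Rows whose (local, remote) endpoints were absent from the previous snapshot.
    State is ignored on purpose, so a connection moving from SYN_RCVD to
    ESTABLISHED between two polls is not reported as a second new connection."""
    key = lambda r: (r.local_addr, r.local_port, r.remote_addr, r.remote_port)
    seen = {key(r) for r in before}
    return [r for r in after if key(r) not in seen]


def describe(row: TcpRow) -> str:
    """One display line in the same shape the VB6 program writes into Text1."""
    state = STATE_NAMES.get(row.state, str(row.state))
    return (f"{state}\tLocal:{row.local_addr}:{row.local_port}"
            f"\tRemote:{row.remote_addr}:{row.remote_port}")


def row_for_delete(row: TcpRow) -> bytes:
    """Rebuild the MIB_TCPROW bytes with dwState = MIB_TCP_STATE_DELETE_TCB, the
    form the article hands to SetTcpEntry (the call itself is not made here)."""
    return _make_row(MIB_TCP_STATE_DELETE_TCB, row.local_addr, row.local_port,
                     row.remote_addr, row.remote_port)


# --- constructed sample data, not captured from a real machine ---------------
def _make_row(state: int, laddr: str, lport: int, raddr: str, rport: int) -> bytes:
    port = lambda p: struct.pack(">H", p) + b"\x00\x00"  # network-order port, zero high word
    return (struct.pack("<I", state) + socket.inet_aton(laddr) + port(lport)
            + socket.inet_aton(raddr) + port(rport))


def sample_snapshots() -> tuple[list[TcpRow], list[TcpRow]]:
    before = struct.pack("<I", 2) + b"".join([
        _make_row(2, "0.0.0.0", 80, "0.0.0.0", 0),               # local web server listening
        _make_row(5, "192.168.1.10", 1037, "203.0.113.5", 80),    # outbound browsing session
    ])
    # Same row count as before: the browsing session closed and an unexpected
    # session appeared, so a count-only check (as in the article) would miss it.
    after = struct.pack("<I", 2) + b"".join([
        _make_row(2, "0.0.0.0", 80, "0.0.0.0", 0),
        _make_row(5, "192.168.1.10", 2000, "198.51.100.7", 1042),
    ])
    return parse_tcp_table(before), parse_tcp_table(after)


if __name__ == "__main__":
    before, after = sample_snapshots()
    for r in after:
        print(describe(r))
    for r in new_connections(before, after):
        print("WARNING, new connection:", describe(r))
        print("row to hand to SetTcpEntry:", row_for_delete(r).hex())
```

On a real Windows host the `before`/`after` buffers would come from two successive GetTcpTable calls; everything after the parse step is the same. Keying on endpoints rather than the row count is the part that matters operationally, because a Trojan's inbound session often appears in the same polling interval in which some ordinary connection ends.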

After receiving the warning, we should first delete the suspicious connection, then check whether the system has a security vulnerability or a suspicious process running. The SetTcpEntry function in the IP Helper API can help us delete suspicious connections. It is defined as:

    DWORD SetTcpEntry(
        PMIB_TCPROW pTcpRow   // pointer to struct with new state info
    );

Before calling this function, set the dwState of the row to be deleted to MIB_TCP_STATE_DELETE_TCB (delete). MIB_TCP_STATE_DELETE_TCB is also the only state that can currently be set at runtime.

Third, the example program and its operation

The following three figures show: (1) the situation before the system is attacked, (2) the system issuing a warning after being invaded by the "Ice" remote attack software, and (3) the user clearing the suspicious connection.

Below is the full code of the example program:

    ' Hacker intrusion monitor (VB6)
    Option Explicit

    Private Type MIB_TCPROW                 ' one row of the TCP connection table
        dwState As Long                     ' connection state
        dwLocalAddr As Long                 ' local IP
        dwLocalPort As Long                 ' local port
        dwRemoteAddr As Long                ' remote IP
        dwRemotePort As Long                ' remote port
    End Type

    Private Type MIB_TCPTABLE
        dwNum_Of_Entries As Long            ' total number of TCP connections
        Tcp_Table(120) As MIB_TCPROW        ' buffer reserved for 120 rows
    End Type

    Private Declare Function GetTcpTable Lib "iphlpapi.dll" (ByRef pTcpTable _
        As MIB_TCPTABLE, ByRef pdwSize As Long, ByVal bOrder As Long) As Long
    Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (ByRef _
        pDest As Any, ByRef pSource As Any, ByVal Length As Long)
    Private Declare Function sndPlaySound Lib "winmm.dll" Alias "sndPlaySoundA" _
        (ByVal lpszSoundName As String, ByVal uFlags As Long) As Long
    Private Declare Function GetWindowsDirectory Lib "kernel32" Alias _
        "GetWindowsDirectoryA" (ByVal lpBuffer As String, ByVal nSize As Long) As Long
    Private Declare Function SetTcpEntry Lib "iphlpapi.dll" (ByRef pTcpRow _
        As MIB_TCPROW) As Long

    Dim Last_Num_Of_Entries As Long
    Dim Tcp1 As MIB_TCPTABLE

    Private Sub Form_Load()
        Timer1.Interval = 10000             ' poll the connection table every 10 seconds
        Timer1_Timer
    End Sub

    Private Sub Timer1_Timer()
        Dim Return1 As Long, i As Long, Tmp1 As Long, Tmp2 As Long
        Dim Ip_Buf(1 To 4) As Byte
        Dim Win_Path As String, Tmp3 As String

        Return1 = GetTcpTable(Tcp1, Len(Tcp1), 1)        ' fetch the (sorted) TCP connection table
        If Last_Num_Of_Entries <> 0 And _
           Last_Num_Of_Entries <> Tcp1.dwNum_Of_Entries Then   ' the row count changed: warn
            Picture1.Visible = True                      ' show the warning sign
            On Error Resume Next
            Win_Path = String(145, 0)
            i = GetWindowsDirectory(Win_Path, 145)
            Win_Path = Left(Win_Path, i)
            i = sndPlaySound(Win_Path & "\media\ding.wav", &H1)   ' play the alarm sound
            On Error GoTo 0
        Else
            If Picture1.Visible = True Then Picture1.Visible = False
        End If
        Last_Num_Of_Entries = Tcp1.dwNum_Of_Entries

        Select Case Return1                              ' check the return value
        Case 0&
            Text1 = "": Combo1.Clear
            For i = 0 To Tcp1.dwNum_Of_Entries - 1
                Tmp3 = Str(i + 1) & " "
                Select Case Tcp1.Tcp_Table(i).dwState    ' display the connection state
                Case 1: Tmp3 = Tmp3 & "CLOSED"
                Case 2: Tmp3 = Tmp3 & "LISTENING"
                Case 3: Tmp3 = Tmp3 & "SYN_SENT"
                Case 4: Tmp3 = Tmp3 & "SYN_RCVD"
                Case 5: Tmp3 = Tmp3 & "ESTABLISHED"
                Case 6: Tmp3 = Tmp3 & "FIN_WAIT1"
                Case 7: Tmp3 = Tmp3 & "FIN_WAIT2"
                Case 8: Tmp3 = Tmp3 & "CLOSE_WAIT"
                Case 9: Tmp3 = Tmp3 & "CLOSING"
                Case 10: Tmp3 = Tmp3 & "LAST_ACK"
                Case 11: Tmp3 = Tmp3 & "TIME_WAIT"
                Case 12: Tmp3 = Tmp3 & "DELETE_TCB"
                End Select
                Combo1.AddItem Tmp3                      ' fill the list the user deletes from
                Tmp3 = Tmp3 & ":" & vbCrLf & vbTab & "Local:"   ' local IP
                CopyMemory Ip_Buf(1), Tcp1.Tcp_Table(i).dwLocalAddr, 4
                Tmp3 = Tmp3 & CStr(Ip_Buf(1)) & "." & CStr(Ip_Buf(2)) & "." & _
                       CStr(Ip_Buf(3)) & "." & CStr(Ip_Buf(4))
                Tmp1 = Tcp1.Tcp_Table(i).dwLocalPort     ' local port (network byte order)
                Tmp2 = Tmp1 \ 256 + (Tmp1 Mod 256) * 256 ' swap the two bytes to host order
                Tmp3 = Tmp3 & ":" & Str(Tmp2) & vbTab & "Remote:"   ' remote IP
                CopyMemory Ip_Buf(1), Tcp1.Tcp_Table(i).dwRemoteAddr, 4
                Tmp3 = Tmp3 & CStr(Ip_Buf(1)) & "." & CStr(Ip_Buf(2)) & "." & _
                       CStr(Ip_Buf(3)) & "." & CStr(Ip_Buf(4))
                Tmp1 = Tcp1.Tcp_Table(i).dwRemotePort    ' remote port (network byte order)
                Tmp2 = Tmp1 \ 256 + (Tmp1 Mod 256) * 256
                Tmp3 = Tmp3 & ":" & Str(Tmp2) & vbCrLf
                Text1 = Text1 & Tmp3
            Next i
        Case 50&
            MsgBox "The system does not support this API function": End
        Case 87
            MsgBox "Invalid parameter": End
        Case 111&
            MsgBox "Buffer overflow": End
        Case 232&
            MsgBox "No data": End
        End Select
    End Sub

    Private Sub DeleteConnection_Click()                 ' the "Delete connection" button
        Dim Return1 As Long
        If Combo1.ListIndex < 0 Then Exit Sub
        ' set the state of the connection to delete to MIB_TCP_STATE_DELETE_TCB (value 12)
        Tcp1.Tcp_Table(Combo1.ListIndex).dwState = 12
        Return1 = SetTcpEntry(Tcp1.Tcp_Table(Combo1.ListIndex))   ' perform the delete
        If Return1 = 0 Then
            MsgBox "The current connection was deleted successfully"
        Else
            MsgBox "Failed to delete the connection"
        End If
        Timer1_Timer
    End Sub

Please credit the original address when reposting: https://www.9cbs.com/read-4793.html
