A simple and practical anti-hacker trick. Campass (China) International Information Service Co., Ltd., Ma Wenzhen, 01-7-6 02:00:55
When we worry about hacker attacks, or suspect that a Trojan has been planted on the computer, our first thought is usually a firewall. In fact there are many ways to guard against hackers; this article does it by monitoring all TCP connections in real time.
1. Monitoring TCP connections
A hacker program or Trojan is, in essence, a piece of network communication: the server half planted on the victim machine has to exchange data with the attacker. TCP and UDP (User Datagram Protocol) are the two most commonly used transport protocols, and a Trojan typically opens a listening port on one of them and waits for the attacker to connect.
If we monitor every port in real time, promptly report any abnormal connection and let the user delete it, we can effectively spot and interrupt an intrusion. Be clear about what this does and does not achieve: it detects a connection after it has been made and tears it down; it does not remove the Trojan, which can simply accept the next connection, so the alarm should be followed by finding and removing the process that owns the port.
Microsoft's IP Helper API (iphlpapi.dll) offers a shortcut. The GetTcpTable function returns every TCP endpoint currently known to the system (the TCP connection table). It is declared as:
DWORD GetTcpTable(
    PMIB_TCPTABLE pTcpTable,   // buffer for the connection table
    PDWORD        pdwSize,     // size of the buffer
    BOOL          bOrder       // sort the table?
);
The first parameter is a pointer to the buffer that receives the TCP connection table; the second is the size of that buffer in bytes (if the buffer is too small the function fails and this parameter receives the required size); the third says whether the table should be sorted, in order, by local IP, local port, remote IP and remote port. Each row of the table is a MIB_TCPROW holding the state, local address, local port, remote address and remote port. Addresses and ports are stored in network byte order, with the port in the low 16 bits of its DWORD, so they have to be byte-swapped for display (the example program does this). For a listening socket the remote address and port are zero.
The UDP table can be read the same way with GetUdpTable. Since its use is completely analogous it is not discussed further here; note only that UDP is connectionless, so the UDP table lists local endpoints only and there is no connection state to change.
2. Warning on anomalies and deleting connections
By comparing the TCP connection table with the one read on the previous timer tick, we can notice a change immediately and raise a warning. The example program below plays a sound and shows an alarm picture to remind the user of a possible intrusion from outside. The example compares only the number of rows, which is simple but misses the case where one connection closes while another opens between two ticks; comparing the rows themselves by local address, local port, remote address and remote port catches that as well, and is what a real monitor should do.
After receiving the warning we should first delete the suspicious connection, then look for the security hole in the system or the suspicious process at work. The SetTcpEntry function of the IP Helper API can delete a suspicious connection for us. It is declared as:
DWORD SetTcpEntry(
    PMIB_TCPROW pTcpRow        // pointer to a row holding the new state
);
Before calling it, set the dwState field of the row to MIB_TCP_STATE_DELETE_TCB (value 12) and leave the other four fields exactly as GetTcpTable returned them, since they identify the connection. MIB_TCP_STATE_DELETE_TCB is also the only state that can be set at run time. Two cautions: deleting the TCB closes that one connection only, and the Trojan's listener stays open for the next one; and on Windows Vista and later the call must be made from a process running with administrator privileges, otherwise it fails. GetTcpTable also does not say which process owns a connection; on Windows XP SP2 and later, GetExtendedTcpTable in the same DLL returns the owning process ID, which is what you need to find the Trojan process rather than just its connection.
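As an added example that is not part of the original article, the following C program shows the three pieces of logic above in one place: decoding the addresses and ports in a MIB_TCPROW, detecting new connections by comparing two snapshots of the table on the full (local address, local port, remote address, remote port) tuple rather than on the row count, and preparing a row for SetTcpEntry by setting its state to MIB_TCP_STATE_DELETE_TCB. The rows are constructed sample data laid out the way a little-endian x86 Windows host sees them; on Windows they would come from GetTcpTable, and the struct is declared locally so the program also builds and runs where iphlpapi.dll is absent. The scenario is chosen so that the row count stays the same while a new inbound connection appears, which a count-only check would miss.

```c
/* Added example, not code from the original article: MIB_TCPROW decoding, a
 * 4-tuple diff of two table snapshots, and the row setup for SetTcpEntry().
 * Portable C; the rows are constructed, on Windows GetTcpTable() fills them. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t DWORD;

/* Same layout as Win32 MIB_TCPROW: addresses and ports in network byte order,
 * the port in the low 16 bits of its DWORD (high 16 bits unspecified). */
typedef struct { DWORD dwState, dwLocalAddr, dwLocalPort, dwRemoteAddr, dwRemotePort; } MIB_TCPROW;

enum { TCP_LISTEN = 2, TCP_ESTAB = 5, MIB_TCP_STATE_DELETE_TCB = 12 };
static const char *const STATE_NAMES[13] = { "?", "CLOSED", "LISTENING", "SYN_SENT",
    "SYN_RCVD", "ESTABLISHED", "FIN_WAIT1", "FIN_WAIT2", "CLOSE_WAIT", "CLOSING",
    "LAST_ACK", "TIME_WAIT", "DELETE_TCB" };

/* Encode fields as a little-endian (x86) host sees them: the first octet and
 * the high port byte land in the lowest byte of the DWORD. */
#define IPV4(a, b, c, d) ((DWORD)(a) | ((DWORD)(b) << 8) | ((DWORD)(c) << 16) | ((DWORD)(d) << 24))
#define PORT_NBO(p) ((DWORD)(((p) & 0xFFu) << 8) | (DWORD)(((p) >> 8) & 0xFFu))

/* Host-order port: drop the high 16 bits, then swap the two bytes. */
unsigned tcp_port(DWORD dwPort) {
    unsigned p = dwPort & 0xFFFFu;
    return ((p & 0xFFu) << 8) | (p >> 8);
}

void ip_to_str(DWORD addr, char *buf, size_t n) {
    snprintf(buf, n, "%u.%u.%u.%u", (unsigned)(addr & 0xFF), (unsigned)((addr >> 8) & 0xFF),
             (unsigned)((addr >> 16) & 0xFF), (unsigned)((addr >> 24) & 0xFF));
}

/* e.g. "ESTABLISHED local 192.168.1.5:7626 remote 203.0.113.7:1044" */
void format_row(const MIB_TCPROW *r, char *buf, size_t n) {
    char l[16], rm[16];
    ip_to_str(r->dwLocalAddr, l, sizeof l);
    ip_to_str(r->dwRemoteAddr, rm, sizeof rm);
    snprintf(buf, n, "%s local %s:%u remote %s:%u", r->dwState < 13 ? STATE_NAMES[r->dwState] : "?",
             l, tcp_port(r->dwLocalPort), rm, tcp_port(r->dwRemotePort));
}

static int same_tuple(const MIB_TCPROW *a, const MIB_TCPROW *b) {
    return a->dwLocalAddr == b->dwLocalAddr && a->dwLocalPort == b->dwLocalPort &&
           a->dwRemoteAddr == b->dwRemoteAddr && a->dwRemotePort == b->dwRemotePort;
}

/* Rows in `now` whose 4-tuple is absent from `before` (a state change on an
 * existing connection is not "new"). Returns the count, copies up to max_out. */
size_t new_connections(const MIB_TCPROW *before, size_t nbefore, const MIB_TCPROW *now,
                       size_t nnow, MIB_TCPROW *out, size_t max_out) {
    size_t found = 0;
    for (size_t i = 0; i < nnow; i++) {
        int seen = 0;
        for (size_t j = 0; j < nbefore && !seen; j++) seen = same_tuple(&now[i], &before[j]);
        if (seen) continue;
        if (found < max_out) out[found] = now[i];
        found++;
    }
    return found;
}

/* The Delete button's preparation: same row, only dwState changed; the other
 * fields must still match the live entry or SetTcpEntry() will not find it. */
MIB_TCPROW row_for_delete(const MIB_TCPROW *r) {
    MIB_TCPROW d = *r;
    d.dwState = MIB_TCP_STATE_DELETE_TCB;
    return d;
}

/* Constructed scenario: between two ticks the user's web connection closes and
 * a remote host connects to a listener on 7626 (the default port of the
 * 冰河/Glacier trojan). The row count is 2 both times. */
static const MIB_TCPROW snap_before[] = {
    { TCP_LISTEN, IPV4(0,0,0,0),     PORT_NBO(7626), IPV4(0,0,0,0),       PORT_NBO(0) },
    { TCP_ESTAB,  IPV4(192,168,1,5), PORT_NBO(1043), IPV4(198,51,100,20), PORT_NBO(80) } };
static const MIB_TCPROW snap_now[] = {
    { TCP_LISTEN, IPV4(0,0,0,0),     PORT_NBO(7626), IPV4(0,0,0,0),       PORT_NBO(0) },
    { TCP_ESTAB,  IPV4(192,168,1,5), PORT_NBO(7626), IPV4(203,0,113,7),   PORT_NBO(1044) } };
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* The VB6 program's check: did the row count change? Here it did not. */
int count_changed_sample(void) { return COUNT(snap_before) != COUNT(snap_now); }

/* The 4-tuple diff on the same snapshots: finds the one inbound connection. */
size_t detect_sample(MIB_TCPROW *out, size_t max_out) {
    return new_connections(snap_before, COUNT(snap_before), snap_now, COUNT(snap_now), out, max_out);
}

int main(void) {
    MIB_TCPROW out[8];
    char line[96];
    size_t n = detect_sample(out, COUNT(out));
    printf("row count changed: %d, new connections: %zu\n", count_changed_sample(), n);
    for (size_t i = 0; i < n; i++) {
        format_row(&out[i], line, sizeof line);
        printf("  %s -> SetTcpEntry() with state %u\n", line, (unsigned)row_for_delete(&out[i]).dwState);
    }
    return 0;
}
```

The byte handling is the part that most often goes wrong when porting this: dwLocalPort is not simply the port number, and dwLocalAddr prints correctly only if the octets are read from the low byte upward. Keying the diff on all four tuple fields rather than the count is also what lets the monitor report which remote host connected, which is the first thing to look at after the alarm.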
3. The example program and how it runs
(Three screenshots in the original, not reproduced here: (1) the system before it is attacked; (2) the warning raised when the "Ice" (冰河, Glacier) remote-control tool connects; (3) the user clearing the suspicious connection.)
The full source of the example program follows. It is a VB6 form with a Timer1, a Picture1 used as the warning sign, a multi-line Text1, a Combo1, and a command button named cmdDelete here:
' Hacker intrusion monitor (VB6)
Option Explicit

Private Type MIB_TCPROW             ' one row of the TCP connection table
    dwState As Long                 ' connection state (1..12, see Timer1_Timer)
    dwLocalAddr As Long             ' local IP, network byte order
    dwLocalPort As Long             ' local port, network byte order in the low 16 bits
    dwRemoteAddr As Long            ' remote IP
    dwRemotePort As Long            ' remote port
End Type

Private Type MIB_TCPTABLE
    dwNumEntries As Long            ' number of rows actually filled in
    table(0 To 119) As MIB_TCPROW   ' room for 120 rows
End Type

Private Declare Function GetTcpTable Lib "iphlpapi.dll" (ByRef pTcpTable As MIB_TCPTABLE, _
    ByRef pdwSize As Long, ByVal bOrder As Long) As Long
Private Declare Function SetTcpEntry Lib "iphlpapi.dll" (ByRef pTcpRow As MIB_TCPROW) As Long
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (ByRef pDest As Any, _
    ByRef pSource As Any, ByVal Length As Long)
Private Declare Function sndPlaySound Lib "winmm.dll" Alias "sndPlaySoundA" _
    (ByVal lpszSoundName As String, ByVal uFlags As Long) As Long
Private Declare Function GetWindowsDirectory Lib "kernel32" Alias "GetWindowsDirectoryA" _
    (ByVal lpBuffer As String, ByVal nSize As Long) As Long

Private Const MIB_TCP_STATE_DELETE_TCB As Long = 12
Private Const SND_ASYNC As Long = &H1

Private last_num_of_entries As Long   ' row count seen on the previous tick
Private tcp1 As MIB_TCPTABLE          ' most recent table; cmdDelete reuses its rows

Private Sub Form_Load()
    Timer1.Interval = 10000           ' poll the table every 10 seconds
    Timer1_Timer
End Sub

' The port fields hold the 16-bit port in network byte order; ignore the
' undefined high 16 bits and swap the two bytes to get the usual value.
Private Function PortFromRow(ByVal dwPort As Long) As Long
    Dim p As Long
    p = dwPort And &HFFFF&
    PortFromRow = (p \ 256) + (p Mod 256) * 256
End Function

' Dotted-quad string from a network-byte-order address
Private Function IpFromRow(ByVal dwAddr As Long) As String
    Dim ip_buf(1 To 4) As Byte
    CopyMemory ip_buf(1), dwAddr, 4
    IpFromRow = CStr(ip_buf(1)) & "." & CStr(ip_buf(2)) & "." & _
                CStr(ip_buf(3)) & "." & CStr(ip_buf(4))
End Function

Private Sub Timer1_Timer()
    Dim ret As Long, i As Long, dwSize As Long
    Dim win_path As String, tmp3 As String

    dwSize = Len(tcp1)
    ret = GetTcpTable(tcp1, dwSize, 1)    ' 1 = sort by local IP, local port, remote IP, remote port

    ' Warn when the number of rows changed since the previous tick
    If last_num_of_entries <> 0 And last_num_of_entries <> tcp1.dwNumEntries Then
        Picture1.Visible = True           ' show the warning sign
        On Error Resume Next
        win_path = String(145, 0)
        i = GetWindowsDirectory(win_path, 145)
        win_path = Left(win_path, i)
        i = sndPlaySound(win_path & "\media\ding.wav", SND_ASYNC)   ' audible alarm
        On Error GoTo 0
    Else
        If Picture1.Visible = True Then Picture1.Visible = False
    End If
    last_num_of_entries = tcp1.dwNumEntries

    Select Case ret                       ' check the return value
    Case 0&                               ' NO_ERROR: list every connection
        Text1 = "": Combo1.Clear
        For i = 0 To tcp1.dwNumEntries - 1
            tmp3 = Str(i + 1) & " "
            Select Case tcp1.table(i).dwState   ' connection state
            Case 1: tmp3 = tmp3 & "CLOSED"
            Case 2: tmp3 = tmp3 & "LISTENING"
            Case 3: tmp3 = tmp3 & "SYN_SENT"
            Case 4: tmp3 = tmp3 & "SYN_RCVD"
            Case 5: tmp3 = tmp3 & "ESTABLISHED"
            Case 6: tmp3 = tmp3 & "FIN_WAIT1"
            Case 7: tmp3 = tmp3 & "FIN_WAIT2"
            Case 8: tmp3 = tmp3 & "CLOSE_WAIT"
            Case 9: tmp3 = tmp3 & "CLOSING"
            Case 10: tmp3 = tmp3 & "LAST_ACK"
            Case 11: tmp3 = tmp3 & "TIME_WAIT"
            Case 12: tmp3 = tmp3 & "DELETE_TCB"
            End Select
            Combo1.AddItem tmp3           ' list entry the user can pick for deletion
            tmp3 = tmp3 & ":" & vbCrLf & vbTab & "Local: " & IpFromRow(tcp1.table(i).dwLocalAddr) _
                 & ":" & Str(PortFromRow(tcp1.table(i).dwLocalPort)) _
                 & vbTab & "Remote: " & IpFromRow(tcp1.table(i).dwRemoteAddr) _
                 & ":" & Str(PortFromRow(tcp1.table(i).dwRemotePort)) & vbCrLf
            Text1 = Text1 & tmp3
        Next i
    Case 50&
        MsgBox "The system does not support this API function": End
    Case 87&
        MsgBox "Invalid parameter": End
    Case 111&, 122&                       ' ERROR_BUFFER_OVERFLOW / ERROR_INSUFFICIENT_BUFFER
        MsgBox "Buffer too small: more than 120 connections (" & dwSize & " bytes needed)": End
    Case 232&
        MsgBox "No data": End
    End Select
End Sub

Private Sub cmdDelete_Click()
    Dim ret As Long
    If Combo1.ListIndex < 0 Then Exit Sub
    ' Set the selected row's state to MIB_TCP_STATE_DELETE_TCB (value 12); the other
    ' fields must still match the live connection, so the copy in tcp1 is reused
    tcp1.table(Combo1.ListIndex).dwState = MIB_TCP_STATE_DELETE_TCB
    ret = SetTcpEntry(tcp1.table(Combo1.ListIndex))   ' tear the connection down
    If ret = 0 Then
        MsgBox "The connection was deleted"
    Else
        MsgBox "Failed to delete the connection (error " & ret & ")"
    End If
    Timer1_Timer                          ' refresh the list
End Sub