Source code for associating open ports with their owning processes


Author: flashsky

// NOTE(review): this listing is an extraction-damaged copy of a Windows 2000
// era port-to-process mapper (the author cites fport as the model). Angle-
// bracketed text was swallowed by the HTML conversion, so every "#include" has
// lost its header name, every "<" comparison and every "+" / "++" operator is
// missing, identifier case is randomised and the "\" in device paths became
// "/". The original "//" header comments became "#" lines, and the surviving
// "// declare ..." comment now comments out the remainder of this physical
// line (all of the function-pointer typedefs). It does not compile as shown and
// is documented here as a historical technique, not restored.
//
// Types: _HandleInfo matches the per-handle entry that
// NtQuerySystemInformation(SystemHandleInformation) returns -- owning PID
// (dwPid), object type index (ObjType), the handle value (HndlOffset, later
// cast to HANDLE for DuplicateHandle) and the kernel virtual address of the
// object (dwKeObject, which GetMap translates by hand). IO_STATUS_BLOCK,
// UNICODE_STRING and OBJECT_ATTRIBUTES are redeclared because the code talks
// to ntdll directly; the four ntdll routines are resolved at run time with
// GetProcAddress in main() since they are undocumented exports.
// MAX_HANDLE_LIST_BUF (2 MiB) is the fixed, never-resized buffer main() hands
// to NtQuerySystemInformation. OBJECT_TYPE_SOCKET and nt_handle_list are
// defined but not referenced anywhere in the visible code.
# Need to install SDK # Currently only test under 2000 platforms, no problem # Obtained in the FPORT Net: Flashsky # Time: 2002-5-7 # include #include #include #include #include #include #include #pragma Comment (lib, "ws2_32.lib") #define nt_handle_list 16 # define OBJECT_TYPE_SOCKET 0x1A # define MAX_HANDLE_LIST_BUF 0x200000typedef struct _HandleInfo {USHORT dwPid; USHORT CreatorBackTraceIndex; BYTE ObjType; BYTE HandleAttributes; USHORT HndlOffset; DWORD dwKeObject; ULONG GrantedAccess;} HANDLEINFO, * PHANDLEINFO; typedef struct _IO_STATUS_BLOCK {DWORD Status; ULONG Information;} IO_STATUS_BLOCK, * PIO_STATUS_BLOCK; typedef struct _LSA_UNICODE_STRING {USHORT Length; USHORT MaximumLength; PWSTR Buffer;} LSA_UNICODE_STRING, * PLSA_UNICODE_STRING; typedef LSA_UNICODE_STRING UNICODE_STRING, * PUNICODE_STRING; typedef struct _OBJECT_ATTRIBUTES {ULONG Length; HANDLE RootDirectory; UNICODE_STRI NG * ObjectName; ULONG Attributes; PSECURITY_DESCRIPTOR SecurityDescriptor; PSECURITY_QUALITY_OF_SERVICE SecurityQualityOfService;} OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES; // declare the NtQuerySystemInformation () function typedef DWORD (CALLBACK * NTQUERYSYSTEMINFORMATION) (DWORD, PDWORD, DWORD, PVOID); NTQUERYSYSTEMINFORMATION NtQuerySystemInformation; typedef VOID (CALLBACK * RTLINITUNICODESTRING) (PUNICODE_STRING, PCWSTR); RTLINITUNICODESTRING RtlInitUnicodeString; typedef DWORD (CALLBACK * ZWOPENSECTION) (PVOID, DWORD, POBJECT_ATTRIBUTES); ZWOPENSECTION ZwOpenSection; typedef DWORD (CALLBACK * ZWOPENFILE) (pHANDLE, DWORD, POBJECT_ATTRIBUTES, PIO_STATUS_BLOCK, ULONG, ULONG) Zwopenfile Zwopenfile;

// GetMap(get1, addr, pm, buf) -- the call sites below show the real
// parameter list is (PHANDLEINFO get1, LPVOID addr, HANDLE pm, char *buf);
// the duplicated parameters in the signature are an extraction artefact, and
// on this page the whole physical line (GetMap and the start of main) sits
// behind the surviving "// This function ..." comment.
//
// Purpose: read the first 0x70 bytes of the kernel object at virtual address
// get1->dwKeObject by translating that address through the page tables by
// hand. addr is a view of the page directory (main() maps physical 0x30000
// through the \Device\PhysicalMemory section handle pm -- a Windows 2000
// non-PAE layout; the author says it was only tested there). The damaged body
// appears to: take bits 31..22 as the page-directory index and read the PDE;
// return 0 when the low byte is 0 (not present); if bit 7 (page size) is
// clear, map the page-table page and index it by bits 21..12 to get the PTE,
// otherwise treat the PDE as a 4 MiB page and add bits 21..12 of the address;
// then map the resulting 4 KiB frame, copy 0x70 bytes from the in-page offset
// into buf and return the physical address (0 on any failure). The element
// read "*((more *))" and the test "if (! pmaddr1 = NULL)" are both garbled;
// the intent of the latter is a NULL check.
//
// main(): its body runs to the end of the listing and the closing brace and
// final return are not on this page. Sequence visible below:
//   1. resolve NtQuerySystemInformation / RtlInitUnicodeString / ZwOpenSection /
//      ZwOpenFile from ntdll.dll;
//   2. open \Device\PhysicalMemory with SECTION_MAP_READ and map its 0x30000
//      page (the page directory on that build);
//   3. enable SeDebugPrivilege (OpenProcessToken access 0x20 =
//      TOKEN_ADJUST_PRIVILEGES, then AdjustTokenPrivileges) -- needs an
//      administrative token;
//   4. open \Device\Tcp and \Device\Udp with ZwOpenFile (access 0x100000 =
//      SYNCHRONIZE, Attributes 0x40 = OBJ_CASE_INSENSITIVE);
//   5. dump the system handle table (NtQuerySystemInformation class 0x10 =
//      SystemHandleInformation) into the fixed 2 MiB buffer; entry count is
//      the first DWORD, entries follow (pdwHandleList + 1);
//   6. find this process's own entries for the two device handles to learn
//      the File object-type index and each device's FILE_OBJECT contents;
//   7. for every handle of that type in any process, read its FILE_OBJECT via
//      GetMap, keep those whose bytes 4..7 (DeviceObject) match our device
//      and whose DWORD at 16 is 1 or 2 (presumably the TDI address/connection
//      marker on that build -- unverified), duplicate the handle into this
//      process (OpenProcess 0x40 = PROCESS_DUP_HANDLE, DuplicateHandle option
//      2 = DUPLICATE_SAME_ACCESS) and query it with DeviceIoControl 0x210012
//      (IOCTL_TDI_QUERY_INFORMATION; in[0x10] is the TDI query type, 4 =
//      connection info, 3 = address info). The port is taken from offset 12
//      of the address-info reply and printed with the owning PID.
//
// Defects visible through the garbling (apart from the extraction damage):
//  - the ZwOpenFile statuses are stored and never checked; the
//    NtQuerySystemInformation call is only tested with `if (!isok)`, the
//    2 MiB buffer is never grown on a length mismatch, and pdwHandleList /
//    pdwHandInfo are never freed (pdwHandInfo is allocated and never used);
//  - tcpdnum / udpdnum are passed to GetMap without checking that the search
//    loops actually found them;
//  - in the TCP loop the duplicated handle myhand is not closed on the
//    success path; only the UDP loop calls CloseHandle(myhand);
//  - h1, htcp, hudp and the mapped view pmaddr are not released in the
//    visible code;
//  - every printf format ends in "%dn" -- the "\n" escape lost its backslash.
//
// Defender's context: the technique needs SeDebugPrivilege plus user-mode
// read access to \Device\PhysicalMemory, which later Windows releases removed;
// the page-table walk and the FILE_OBJECT offsets are tied to one OS build.
// Opening that section, enabling SeDebugPrivilege and duplicating handles out
// of every process are all observable through privilege-use / handle auditing
// and EDR telemetry. The supported way to obtain socket-owner PIDs is
// GetExtendedTcpTable / GetExtendedUdpTable (iphlpapi), which needs none of
// this.
// This function is to convert DWORD GETMAP (PHANDEINFO GET1, LPVOID ADDR, HANDEINFO GET1, LPVOID ADDR, HANDE PM, CHAR * BUF) {DWord Readset; LPVOID PMADDR1; INT I; Readset = (Get1-> dwkeObject >> 0x16); Readset = * ((DWORD) ADDR 4 * Readset); IF ((Readset & 0x000000FF) <1) {return 0;} IF ((Readset & 0x000000FF) <0x80) {pmaddr1 = mappviewoffile (PM, 4, 0 , readset & 0xfffff000,0x1000); readset = (get1-> dwKeObject >> 0x0c) & 0x3ff; readset = * ((LPDWORD) ((DWORD) pmaddr1 4 * readset)); UnmapViewOfFile (pmaddr1); readset = readset & 0x0FFFFF000; } else {readset = (readset & 0xfffff000) (get1-> dwKeObject & 0x003ff000);} pmaddr1 = MapViewOfFile (pm, 4,0, readset, 0x1000); if (! pmaddr1 = NULL) {readset = get1-> dwKeObject & 0x00000fff; readset = ( DWORD) PMADDR1 READSET; for (i = 0; i <0x70; i ) buf [i] = * ((more *)); unmapViewoffile;} else {return 0;} Return Readset ; } Int main () {DWORD readset1; DWORD readset2; DWORD readset3; OVERLAPPED la; HMODULE hNtdll = NULL; DWORD dwNumEntries; PHANDLEINFO pHandleInfo; HANDLE htcp; HANDLE pmy; HANDLE hudp; HANDLE myhand; HANDLE h1 = NULL; hNtdll = LoadLibrary ( "ntdll.dll"); DWORD status; LPVOID pmaddr; TOKEN_PRIVILEGES NewState; DWORD dwNumBytes = MAX_HANDLE_LIST_BUF; PDWORD pdwHandleList; PDWORD pdwHandInfo; DWORD dwNumBytesRet; HANDLE hToken; DWORD isok; UNICODE_STRING dn; IO_STATUS_BLOCK ch3; int port1;

// main() continues: remaining locals (ch1/ch2 are the transport device paths,
// backslashes lost in extraction; buf1..buf3 receive 0x70-byte FILE_OBJECT
// copies; in/in1 and out/out1 are the TDI request and reply buffers), the
// LoadLibrary failure exit, ntdll resolution, and the physical-memory section
// open + page-directory map. The privilege block begins at the end of the line.
Handle hproc; wchar_t * ch1 = l "/ device / tcp"; wchar_t * ch2 = L "/ device / udp"; object_attributes OFS; DWORD I; DWORD P = 0; char BUF1 [0x70]; char buf2 [0x70]; char buf3 [0x70]; char in [0x18]; char in1 [0x18]; unsigned char out [0x38]; unsigned char out1 [0x30]; PHANDLEINFO tcpdnum; PHANDLEINFO udpdnum; if (hNtdll!) {printf ( "LoadLibrary (NTDLL .DLL) Error:% dn ", GetLastError ()); return false;} NtQuerySystemInformation = (NTQUERYSYSTEMINFORMATION) GetProcAddress (hNtdll," NtQuerySystemInformation "); RtlInitUnicodeString = (RTLINITUNICODESTRING) GetProcAddress (hNtdll," RtlInitUnicodeString "); ZwOpenSection = (ZWOPENSECTION ) GetProcAddress (hNtdll, "ZwOpenSection") ;; ZwOpenFile = (ZWOPENFILE) GetProcAddress (hNtdll, "ZwOpenFile") ;; RtlInitUnicodeString (& dn, L "/ Device / PhysicalMemory"); OBJECT_ATTRIBUTES udm = {sizeof (OBJECT_ATTRIBUTES), // Length NULL, // RootDirectory & dn, // ObjectName 0, // Attributes NULL, // SecurityDescriptor NULL, // SecurityQualityOfService}; status = ZwOpenSection (& h1, SECTION_MAP_READ, & udm); if (status == 0) {pmy = GetCurrentProcess (); pmaddr = mappviewoffile (H1, 4, 0, 0x30000, 0X1000); newState.privilegect = 1; newState.privileges [0] .attributes = 2;

// Enable SeDebugPrivilege, open \Device\Tcp and \Device\Udp, take the handle
// table snapshot, then search it for this process's own TCP device handle
// (match on dwPid == GetCurrentProcessId() and HndlOffset == htcp). The
// "< dwNumEntries" loop bound and the "pHandleInfo++" were stripped by the
// extraction; the trailing "for (i = 0; i" is the start of the UDP search.
NewState.Privileges [0] .Luid.HighPart = 0; NewState.Privileges [0] .Luid.LowPart = 0; isok = LookupPrivilegeValue (0, SE_DEBUG_NAME, & NewState.Privileges [0] .Luid); isok = OpenProcessToken (pmy, 0x20, & hToken); isok = AdjustTokenPrivileges (hToken, 0, & NewState, 0x10,0,0); CloseHandle (hToken); RtlInitUnicodeString (& dn, ch1); ofs.SecurityDescriptor = 0; ofs.ObjectName = & dn; ofs.Length = 0x18; ofs.RootDirectory = 0; ofs.Attributes = 0x40; status = ZwOpenFile (& htcp, 0x100000, & ofs, & ch3,3,0); RtlInitUnicodeString (& dn, ch2); ofs.ObjectName = & dn; status = ZwOpenFile (& hudp, 0x100000, & ofs, & ch3,3,0); pdwHandleList = (PDWORD) malloc (dwNumBytes); pdwHandInfo = (PDWORD) malloc (2048); dwNumBytesRet = 0x10; isok = (* NtQuerySystemInformation) (0x10, PDWHANDLELIST, DWNUMBYTES, & DWNUMBYTESRET; if (! isok) {dwnumentries = PDWHANDLELIST [0]; PHANDEINFO = (Phandleinfo) (PDWHANDLELIST 1); for (i = 0; i dwpid == getCurrentProcessId () && phandleinfo-> hndloffset == (int) HTCP) {tcpdnum = PHANDEINFO; Break;} Phandleinfo ;} Phandleinfo = (Phandleinfo) (PDWHANDLELIST 1); for (i = 0; i

// Finish the UDP search, read our own TCP and UDP FILE_OBJECTs (exit on
// failure), create the manual-reset event used for the overlapped ioctls, and
// begin the scan of every File-type handle for TCP endpoints: same device as
// ours (bytes 4..7) and a DWORD at offset 16 equal to 1 or 2. Note tcpdnum /
// udpdnum are used here without a found-check.
) {If (pHandleInfo-> dwPid == GetCurrentProcessId () && pHandleInfo-> HndlOffset == (int) hudp) {udpdnum = pHandleInfo; break;} pHandleInfo ;} ZeroMemory (buf1,0x70); ZeroMemory (buf2,0x70); Readset1 = GETMAP (TCPDNUM, PMADDR, H1, BUF1); if (readset1 == 0) {Printf ("Map TCP FAILEN"); return 0;} readset2 = GetMap (Udpdnum, Pmaddr, H1, BUF2); if (Readset2 == 0) {Printf ("Map UDP Failen"); return 0;} la.hevent = CreateEvent (0, 1, 0, 0); la.Internal = 0; la.internalHigh = 0; la.offset = 0; la.offsethiGH = 0; Phandleinfo = (Phandleinfo) (PDWHANDLELIST 1); for (i = 0; i ObjType == Tcpdnum-> objtype) {readset3 = getmap (Phandleinfo, Pmaddr, H1, BUF3); if (readset3 == 0) {PhandleInfo ; Continue;} if (BUF3 [4] == buf1 [ 4] && buf3 [5] == buf1 [5] && buf3 [6] == buf1 [6] && buf3 [7] == buf1 [7]) {ix (((buf3 [16] == 1 || BUF3 [16] == 2) && buf3 [17] == 0 && buf3 [18] =

// TCP path: duplicate the foreign handle into this process, then when the
// marker is 2 first issue TDI query type 4 (connection info, skipped on
// failure) and in every case TDI query type 3 (address info). ZeroMemory of
// in/in1 happens before the query type byte at in[0x10] is set.
= 0 && buf3 [19] == 0) {HPROC = OpenProcess (0x40, 0, phandleinfo-> dwpid); if (hproc == null) {PhandleInfo ; Continue;} duplicateHandle (HProc, (Handle) Phandleinfo-> HNDLOFFSET , PMY, & myHand, 0, 0, 2); CloseHandle (HPROC); if (MyHand == Null) {Phandleinfo ; Continue;} ZeromeMory (OUT1, 0X30); ZeromeMory (out, 0x38); ZeromeMory (in, 0x18) ZeromeMory (in1, 0x18); in [0x10] = 4; IN1 [0x10] = 3; IF (buf3 [16] == 2) { p = 0; isok = DeviceIoControl (myhand, 0x210012, & in, 0x18, & out, 0x38, & p, & la); if (isok == FALSE) {pHandleInfo ; continue;}} isok = DeviceIoControl (myhand, 0x210012, & in1,0x18 , & out1, 0x30, & p, & la); if (ISOK) {port1 =

// Print the TCP owner PID and port (ntohs of the 16-bit value at offset 12 of
// the address-info reply). The duplicated handle myhand is NOT closed on this
// path -- a per-endpoint handle leak. The rest of the line starts the same
// scan again against the UDP device (udpdnum) with identical filtering.
NTOHS (* (unsigned _INT16 *) (OUT1 12)); Printf ("TCP PID:% D; Port:% DN", Phandleinfo-> dwpid, port1);}}}}} Phandleinfo ;}}} Phandleinfo = (PdwhandleList 1); for (i = 0; i ObjType == udpdnum-> objtype) {readset3 = getMap (PhandleInfo , PMADDR, H1, BUF3); if (readset3 == 0) {PHANDLEINFO ; Continue;} IF (BUF3 [4] == BUF2 [4] && buf3 [5] == buf2 [5] && buf3 [6] = = BUF2 [6] && buf3 [7] == BUF2 [7]) { IF ((BUF3 [16] == 1 || BUF3 [16] == 2) && buf3 [17] == 0 && buf3 [18] == 0 && buf3 [19] == 0) {hproc = OpenProcess 0x40, 0, PHANDEINFO-> DWPID; if (hproc == null) {Phandleinfo ; Continue;} duplicateHandle (HProc, (Handle) Phandleinfo-> Hndloffset, PMY, & MyHand, 0, 0, 2);

// UDP path: same duplicate-and-query sequence; here myhand IS closed after the
// query. The event is closed at the end of the line. The remainder of main()
// -- any cleanup of h1, htcp, hudp, pmaddr and the handle-list buffers, the
// closing brace and the return -- is not on this page.
CloseHandle (HPROC); if (myHand == null) {PHANDEINFO ; Continue;} ZeromeMory (out1, 0x30); ZeromeMory (out, 0x38); ZeromeMory (in, 0x18); ZeromeMory (in1, 0x18); in [0x10] = 4; in1 [0x10] = 3; if (BUF3 [16] == 2) {p = 0; isok = DeviceioControl (myhand, 0x210012, & in, 0x18, & out, 0x38, & p, & la); if (isok = = False) {PhandleInfo ; Continue;}} isokue = DeviceioControl (myhand, 0x210012, & in 1,0x18, & out1, 0x30, & p, & la); if (isok) {port1 = NTOHS (* (unsigned _int16 *) (OUT1 12)); Printf ("UDP PID:% D; Port:% DN", Phandleinfo-> dwpid, port1);} closehandle (myhand);}}} Phandleinfo ;} closehandle (la.hevent);

