Part One: TCP scanning technology
There are many common port-scanning techniques, such as TCP connect() scanning, TCP SYN scanning and TCP FIN scanning, and many articles on the Internet describe them, for example http://www.antai-genecon.com/suml/zhishiyy/jingong/duankougj.htm. My program uses the most basic of them, the TCP connect() scan, which is introduced here.
The connect() system call provided by the operating system is used to open a connection to each target port of interest. If the port is listening, connect() succeeds; otherwise the port is not reachable, that is, no service is listening on it. One of the biggest advantages of this technique is that it needs no special privileges: any user on the system may use this call. Another advantage is speed. Calling connect() once per target port in sequence takes a long time, but the scan can be accelerated by opening many sockets at the same time; with non-blocking I/O a short timeout can be set while several sockets are watched at once. The drawback of this method is that it is very easy to detect and to filter: the target's log files show a series of connection and connection-error messages from the same source, and the administrator can shut it out quickly.
Author's note: scanning other people's computer ports without permission is illegal. This program only demonstrates a port-scanning technique; please do not use it for illegal purposes, otherwise you bear the consequences yourself.
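The defender-side counterpart of the logging point above, as an added example that is not part of the original program: a small Python routine that flags a source touching many distinct destination ports within a short window. The log format and the sample lines are constructed for the example, not taken from any real product.

```python
"""Flag a TCP connect() scan in connection-log lines: one source touching
many distinct destination ports in a short time, the trace the page says
such a scan leaves in the target's logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a simplified firewall-style format (an assumption,
# not any real product's format):
#   "<date> <time> <action> TCP <src-ip> <dst-ip> <src-port> <dst-port>"
# 25 attempts on ports 1..25 from one host, plus normal web traffic from another.
SAMPLE_LOG = [
    f"2024-03-01 10:00:{sec:02d} DROP TCP 192.168.1.10 192.168.1.20 {40000 + p} {p}"
    for sec, p in enumerate(range(1, 26))
] + [
    "2024-03-01 10:00:05 ALLOW TCP 192.168.1.30 192.168.1.20 51000 80",
    "2024-03-01 10:00:09 ALLOW TCP 192.168.1.30 192.168.1.20 51001 443",
    "2024-03-01 10:00:40 ALLOW TCP 192.168.1.30 192.168.1.20 51002 80",
]

def parse_line(line):
    """Return (timestamp, src_ip, dst_port) for a TCP line, or None otherwise."""
    fields = line.split()
    if len(fields) != 8 or fields[3] != "TCP":
        return None
    ts = datetime.strptime(f"{fields[0]} {fields[1]}", "%Y-%m-%d %H:%M:%S")
    return ts, fields[4], int(fields[7])

def find_port_scans(lines, window=timedelta(seconds=60), min_ports=20):
    """Return {src_ip: max distinct ports seen} for every source that touched
    at least `min_ports` distinct destination ports within one `window`."""
    events = defaultdict(list)  # src_ip -> [(timestamp, dst_port), ...]
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, src, port = parsed
            events[src].append((ts, port))
    hits = {}
    for src, attempts in events.items():
        attempts.sort()
        left = 0
        for right, (ts, _) in enumerate(attempts):
            while ts - attempts[left][0] > window:  # slide the window's left edge
                left += 1
            ports = {p for _, p in attempts[left:right + 1]}
            if len(ports) >= min_ports:
                hits[src] = max(hits.get(src, 0), len(ports))
    return hits
```

With the sample log, the scanning host is reported with 25 distinct ports and the host that only fetched web pages is not.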
Part Two: Program overview
To improve scanning speed, this program uses multi-threading and non-blocking I/O. The main interface of the program is a dialog; the following is the program's framework diagram:
1. Global variables:
All global variables are defined as follows (Winsock and MFC headers are needed for the types and calls used below; in a VC6 MFC project they usually come in through stdafx.h):
    #include <winsock2.h>
    #include <afxwin.h>

    HWND g_hWnd = NULL;                   // handle of the main dialog that receives the scan messages
    unsigned long g_ulAddr = INADDR_NONE; // address of the host to scan, in network byte order
    DWORD g_dwTimeout = 1000;             // connection timeout in milliseconds
    BOOL g_bTerminate = FALSE;            // set when the user asks to end the scan
    short g_nMaxThread = 200;             // maximum number of scanning threads; in testing it should not exceed 200
    volatile LONG g_nThreadCount = 0;     // number of scanning threads currently running; updated with Interlocked* calls
                                          // because several threads change it at the same time
2. StartScan thread:
This thread's task is to start the DoScanPort threads, each of which scans one port. The number of DoScanPort threads running at a time is kept within the configured maximum; once that number has been reached, the thread waits for some of them to finish before starting a new one. If the user issues an end-scan command, no new threads are started, and once the running threads have returned this thread returns as well. Its code follows:
    // tag_ports is the program's own parameter structure (defined elsewhere in the project):
    // bSpecifiedPort selects an explicit list of ports (nArrOfPorts with nCount entries)
    // instead of the range iStartPort..iEndPort.
    DWORD WINAPI StartScan(LPVOID lpParam)
    {
        tag_ports* pScanParam = (tag_ports*)lpParam;
        DWORD dwThreadId;
        unsigned short i;

        if (pScanParam->bSpecifiedPort)
        {
            for (i = 0; i < pScanParam->nCount; i++)   // nCount is taken to be the number of entries
            {
                if (g_bTerminate)
                {
                    break;  // the user has issued an end-scan command
                }
                while (g_nThreadCount >= g_nMaxThread)
                {
                    Sleep(10);  // wait until one of the scanning threads finishes
                }
                // the port number is handed to the thread on the heap; DoScanPort deletes it
                unsigned short* pPort = new unsigned short(pScanParam->nArrOfPorts[i]);
                HANDLE hThread = CreateThread(NULL, 0, DoScanPort, (LPVOID)pPort, 0, &dwThreadId);
                if (hThread != NULL)
                {
                    InterlockedIncrement(&g_nThreadCount);
                    CloseHandle(hThread);  // the thread keeps running; only the handle is released
                }
                else
                {
                    delete pPort;  // no thread took ownership of it
                }
            }
        }
        else
        {
            for (i = pScanParam->iStartPort; i <= pScanParam->iEndPort; i++)
            {
                if (g_bTerminate)
                {
                    break;  // the user has issued an end-scan command
                }
                while (g_nThreadCount >= g_nMaxThread)
                {
                    Sleep(10);
                }
                unsigned short* pPort = new unsigned short(i);
                HANDLE hThread = CreateThread(NULL, 0, DoScanPort, (LPVOID)pPort, 0, &dwThreadId);
                if (hThread != NULL)
                {
                    InterlockedIncrement(&g_nThreadCount);
                    CloseHandle(hThread);
                }
                else
                {
                    delete pPort;
                }
            }
        }
        // wait for every port-scanning thread to end
        while (g_nThreadCount > 0)
        {
            Sleep(50);
        }
        // SCAN_THREAD and STARTSCAN_COMPLETE are the program's own message and parameter values
        ::SendMessage(g_hWnd, SCAN_THREAD, STARTSCAN_COMPLETE, 0);
        delete pScanParam;
        return ERROR_SUCCESS;
    }
3. DoScanPort thread:
This thread scans the specified port and sends the result to the main dialog with SendMessage. Its code follows:
    // ERROR_CREATE_SOCKET, ERROR_MODIFY_FIONBIO, ERROR_SELECT and ERROR_SELECT_TIMEOUT are the
    // program's own return codes; DOSCAN_FIND_PORT and DOSCAN_END_PORT are its message parameters.
    DWORD WINAPI DoScanPort(LPVOID lpParam)
    {
        DWORD dwRet;
        unsigned short* pPort = (unsigned short*)lpParam;
        unsigned short nPort = *pPort;
        delete pPort;  // allocated by StartScan with new

        // WSAStartup (or MFC's AfxSocketInit) is assumed to have been called by the dialog.
        SOCKET sock = socket(AF_INET, SOCK_STREAM, 0);
        if (sock == INVALID_SOCKET)
        {
            AfxMessageBox("Failed to create the socket!");
            dwRet = ERROR_CREATE_SOCKET;
        }
        else
        {
            unsigned long flag = 1;
            if (ioctlsocket(sock, FIONBIO, &flag) != 0)  // switch the socket to non-blocking mode
            {
                AfxMessageBox("Failed to switch the socket to non-blocking mode!");
                dwRet = ERROR_MODIFY_FIONBIO;
            }
            else
            {
                sockaddr_in serverAddr;
                serverAddr.sin_family = AF_INET;
                serverAddr.sin_port = htons(nPort);
                serverAddr.sin_addr.s_addr = g_ulAddr;
                // On a non-blocking socket connect() normally returns SOCKET_ERROR with
                // WSAEWOULDBLOCK; the outcome is collected with select() below.
                connect(sock, (sockaddr*)&serverAddr, sizeof(serverAddr));

                fd_set writeMask, exceptMask;
                FD_ZERO(&writeMask);
                FD_SET(sock, &writeMask);
                FD_ZERO(&exceptMask);
                FD_SET(sock, &exceptMask);
                struct timeval timeout;
                timeout.tv_sec = g_dwTimeout / 1000;
                timeout.tv_usec = (g_dwTimeout % 1000) * 1000;  // tv_usec is in microseconds

                // Winsock reports a completed connect in the write set and a failed one
                // (for example "connection refused") in the except set. Without the except
                // set a closed port would only be noticed when the timeout expires.
                switch (select(0, NULL, &writeMask, &exceptMask, &timeout))
                {
                case SOCKET_ERROR:
                    dwRet = ERROR_SELECT;
                    break;
                case 0:
                    dwRet = ERROR_SELECT_TIMEOUT;  // no answer within the timeout
                    break;
                default:
                    // writable: connected, port open; otherwise the connect failed
                    dwRet = FD_ISSET(sock, &writeMask) ? ERROR_SUCCESS : ERROR_SELECT;
                    break;
                }
            }
            closesocket(sock);
        }
        InterlockedDecrement(&g_nThreadCount);
        if (dwRet == ERROR_SUCCESS)
        {
            ::SendMessage(g_hWnd, SCAN_THREAD, DOSCAN_FIND_PORT, nPort);  // port is open
        }
        else
        {
            ::SendMessage(g_hWnd, SCAN_THREAD, DOSCAN_END_PORT, nPort);   // port closed or error
        }
        return dwRet;
    }
Part Three: Results
This program was written and compiled with VC6 on Windows XP, and it also runs correctly on Windows 98.
Scanning ports 1-5000 of my own machine with a 1000 ms timeout and a maximum of 200 threads takes about 45 seconds. With a shorter timeout, the speed can reach 150 ports per second.
Part Four: Conclusion
In fact the speed should be improved further, which may require other methods. If there are too many threads, the speed drops because of the thread-scheduling overhead. If the timeout is too short, the scan results may be wrong (this depends on the network), and because many threads run at once the timeout may be shorter than the thread-scheduling interval, so the speed does not improve either.
In addition, I found a problem when scanning my own machine: if the IP address is 127.0.0.1, port 139 is reported as not open; if it is set to the machine's actual IP, port 139 is reported as open. I do not know what the reason is.
There is another place where this program needs improvement: unlike most port scanners, it cannot scan a specified IP range, but is designed only to scan the ports of a single specified host.