木马防范检测数据端口与进程

进行系统安防时需要防范木马。木马一旦存在就会有网络连接，因此我们通过检测数据端口与进程之间的对应关系来防范木马。

下面我们用 VC++ 实现对数据端口与进程的检测，请见代码实现与注释讲解。

 

#include <windows.h>
#include <Tlhelp32.h>
#include <winsock.h>
#include <stdio.h>
#pragma comment(lib, "ws2_32.lib")
//---------------------------------------------------------------------------
// 以下为与TCP相关的结构. 
// One TCP endpoint as filled in by the iphlpapi.dll export below.
// Field order and width define the binary layout the DLL writes into;
// do not reorder or resize them.
typedef struct tagMIB_TCPEXROW{
    DWORD dwState;              // Connection state; DisplayPort uses it directly as an index into TcpState[].
    DWORD dwLocalAddr;          // Local address; printed through GetIP (which applies htonl), so presumably network byte order.
    DWORD dwLocalPort;          // Local port; DisplayPort applies htons to the low 16 bits.
    DWORD dwRemoteAddr;         // Remote address, same convention as dwLocalAddr.
    DWORD dwRemotePort;         // Remote port, same convention as dwLocalPort.
    DWORD dwProcessId;          // Owning process id; resolved to an image path by ProcessPidToName.
} MIB_TCPEXROW, *PMIB_TCPEXROW;
// Table header followed by the rows. The buffer is allocated by the DLL
// (sized to the real row count), not by this program.
typedef struct tagMIB_TCPEXTABLE{
    DWORD dwNumEntries;         // Number of valid rows in table[].
    MIB_TCPEXROW table[100];    // Declared size is a placeholder ("array of arbitrary size"):
                                // callers index up to dwNumEntries, which may exceed 100.
} MIB_TCPEXTABLE, *PMIB_TCPEXTABLE;
//---------------------------------------------------------------------------
// 以下为与UDP相关的结构. 
// One UDP endpoint as filled in by the iphlpapi.dll export below.
// Layout must match what the DLL writes; do not reorder or resize fields.
typedef struct tagMIB_UDPEXROW{
    DWORD dwLocalAddr;          // Local address; printed through GetIP (which applies htonl), so presumably network byte order.
    DWORD dwLocalPort;          // Local port; DisplayPort applies htons to the low 16 bits.
    DWORD dwProcessId;          // Owning process id; resolved to an image path by ProcessPidToName.
} MIB_UDPEXROW, *PMIB_UDPEXROW;
// Table header followed by the rows; the buffer is allocated by the DLL.
typedef struct tagMIB_UDPEXTABLE{
    DWORD dwNumEntries;         // Number of valid rows in table[].
    MIB_UDPEXROW table[100];    // Declared size is a placeholder ("array of arbitrary size"):
                                // callers index up to dwNumEntries, which may exceed 100.
} MIB_UDPEXTABLE, *PMIB_UDPEXTABLE;
//---------------------------------------------------------------------------
// 所用的iphlpapi.dll中的函数原型定义.
// Prototypes of two iphlpapi.dll exports that are resolved at run time with
// GetProcAddress (see main); they are not declared in the public SDK headers.
// Return value: 0 on success; DisplayPort treats any non-zero value as failure.
// The table is allocated from `heap` and handed to the caller, who owns it.
typedef DWORD (WINAPI *PALLOCATE_AND_GET_TCPEXTABLE_FROM_STACK)(
    PMIB_TCPEXTABLE *pTcpTable, // Out: receives the allocated TCP connection table.
    BOOL bOrder,                // Sort flag; DisplayPort passes TRUE.
    HANDLE heap,                // Heap the table is allocated from (DisplayPort passes GetProcessHeap()).
    DWORD zero,                 // DisplayPort passes 2; meaning not documented here — verify before changing.
    DWORD flags                 // DisplayPort passes 2; meaning not documented here — verify before changing.
    );
typedef DWORD (WINAPI *PALLOCATE_AND_GET_UDPEXTABLE_FROM_STACK)(
    PMIB_UDPEXTABLE *pUdpTable, // Out: receives the allocated UDP endpoint table.
    BOOL bOrder,                // Sort flag; DisplayPort passes TRUE.
    HANDLE heap,                // Heap the table is allocated from.
    DWORD zero,                 // DisplayPort passes 2; meaning not documented here — verify before changing.
    DWORD flags                 // DisplayPort passes 2; meaning not documented here — verify before changing.
    );
// Both stay NULL until main() resolves them; GetProcAddress can return NULL
// when the running iphlpapi.dll lacks the export, so callers must check
// for NULL before calling through either pointer.
static PALLOCATE_AND_GET_TCPEXTABLE_FROM_STACK
          pAllocateAndGetTcpExTableFromStack = NULL;
static PALLOCATE_AND_GET_UDPEXTABLE_FROM_STACK
          pAllocateAndGetUdpExTableFromStack = NULL;
//---------------------------------------------------------------------------
//
// 可能的 TCP 端点状态.
//
// Display names for TCP endpoint states, indexed directly by MIB_TCPEXROW::dwState.
// Slot 0 is a placeholder for an unrecognised value; slots 1..12 hold the named
// states. The table has 13 entries, so any dwState >= 13 must be clamped by the
// caller before indexing, or the lookup reads past the end of the array.
static char TcpState[][32] = {
    TEXT("???"),
    TEXT("CLOSED"),
    TEXT("LISTENING"),
    TEXT("SYN_SENT"),
    TEXT("SYN_RCVD"),
    TEXT("ESTABLISHED"),
    TEXT("FIN_WAIT1"),
    TEXT("FIN_WAIT2"),
    TEXT("CLOSE_WAIT"),
    TEXT("CLOSING"),
    TEXT("LAST_ACK"),
    TEXT("TIME_WAIT"),
    TEXT("DELETE_TCB")
};
//---------------------------------------------------------------------------
//
// 生成IP地址字符串.
//
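// Formats a 32-bit IPv4 address as dotted-decimal text.
//
// ipaddr is taken as the DLL delivers it in the MIB_*EXROW address fields
// (assumed network byte order — verify against the table); htonl() moves
// the first octet into the most significant byte so the shifts below
// print the octets in wire order.
//
// Returns a pointer to a static buffer that is overwritten by the next
// call, so the result must be consumed before GetIP is called again
// (DisplayPort does this by formatting each address in its own sprintf).
PCHAR GetIP(unsigned int ipaddr)
{
    static char pIP[20];
    unsigned int nipaddr = htonl(ipaddr);
    // Longest possible output is "255.255.255.255" (15 chars + NUL), so the
    // 20-byte buffer cannot overflow. %u matches the unsigned operands
    // (the original used %d with unsigned arguments).
    sprintf(pIP, "%u.%u.%u.%u",
        (nipaddr >> 24) & 0xFF,
        (nipaddr >> 16) & 0xFF,
        (nipaddr >> 8) & 0xFF,
        nipaddr & 0xFF);
    return pIP;
}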
//---------------------------------------------------------------------------
//
// 由进程号获得全程文件名.
//
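// Maps a process id to the full path of its executable image.
//
// Returns a pointer to a static buffer that the next call overwrites. Its
// content is, in order of preference:
//   - the full path of the process's first module (its executable);
//   - the bare image name from the process entry, when the pid exists but
//     its module list cannot be snapshotted (e.g. insufficient rights);
//   - "Idle" when the process snapshot fails or the pid is not listed.
// A short or name-only result therefore means "could not verify the image
// path", not "benign"; callers should not treat it as a confirmed path.
//
// Fixes relative to the original: the module snapshot handle is closed
// (it was leaked on every successful lookup), the snapshot handle and
// Module32First result are checked, and every copy is bounded by the
// destination size (szExePath is MAX_PATH bytes, larger than the original
// 256-byte destination).
char* ProcessPidToName(DWORD ProcessId)
{
    static char ProcessName[MAX_PATH];   // same size as MODULEENTRY32::szExePath
    PROCESSENTRY32 processEntry = { 0 };
    HANDLE hProcessSnap;
    BOOL bRet;

    lstrcpyn(ProcessName, "Idle", sizeof ProcessName);
    hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hProcessSnap == INVALID_HANDLE_VALUE)
        return ProcessName;

    processEntry.dwSize = sizeof(PROCESSENTRY32);
    for (bRet = Process32First(hProcessSnap, &processEntry); bRet;
         bRet = Process32Next(hProcessSnap, &processEntry))
    {
        HANDLE hModuleSnap;
        if (processEntry.th32ProcessID != ProcessId)
            continue;

        // Fallback first: the image name is available from the process entry
        // even when the module list is not.
        lstrcpyn(ProcessName, processEntry.szExeFile, sizeof ProcessName);

        hModuleSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, ProcessId);
        if (hModuleSnap != INVALID_HANDLE_VALUE)
        {
            MODULEENTRY32 me32 = { 0 };
            me32.dwSize = sizeof(MODULEENTRY32);
            // The first module enumerated is the process's own executable, which
            // is what the original relied on to obtain the full path.
            if (Module32First(hModuleSnap, &me32))
                lstrcpyn(ProcessName, me32.szExePath, sizeof ProcessName);
            CloseHandle(hModuleSnap);
        }
        break;
    }

    CloseHandle(hProcessSnap);
    return ProcessName;
}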
//---------------------------------------------------------------------------
//
// 显示进程、端口和文件名之间的关联.
//
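// Prints every TCP connection and UDP endpoint together with the owning
// process id and image path, netstat-style.
//
// Requires main() to have resolved both pAllocateAndGet*ExTableFromStack
// pointers; the function returns with a message if either is NULL instead
// of calling through it. The tables the DLL allocates from the process heap
// are released with HeapFree on every exit path (the original leaked both,
// and leaked the TCP table when the UDP call failed).
//
// Output goes to stdout; nothing is returned.
void DisplayPort()
{
    DWORD i;
    PMIB_TCPEXTABLE TCPExTable = NULL;
    PMIB_UDPEXTABLE UDPExTable = NULL;
    HANDLE hHeap = GetProcessHeap();
    char szLocalAddress[256];
    char szRemoteAddress[256];

    if (!pAllocateAndGetTcpExTableFromStack || !pAllocateAndGetUdpExTableFromStack)
    {
        printf("AllocateAndGet{Tcp,Udp}ExTableFromStack not available!\n");
        return;
    }
    // The DLL allocates each table from hHeap; the caller owns and frees them.
    if (pAllocateAndGetTcpExTableFromStack(&TCPExTable, TRUE, hHeap, 2, 2))
    {
        printf("AllocateAndGetTcpExTableFromStack Error!\n");
        return;
    }
    if (pAllocateAndGetUdpExTableFromStack(&UDPExTable, TRUE, hHeap, 2, 2))
    {
        printf("AllocateAndGetUdpExTableFromStack Error!.\n");
        goto cleanup;   // the TCP table is already allocated; do not leak it
    }

    // TCP list.
    printf("%-6s%-22s%-22s%-11s%s\n",
        TEXT("Proto"),
        TEXT("Local Address"),
        TEXT("Foreign Address"),
        TEXT("State"),
        TEXT("Process"));
    for (i = 0; i < TCPExTable->dwNumEntries; i++)
    {
        const MIB_TCPEXROW *row = &TCPExTable->table[i];
        DWORD state = row->dwState;

        // TcpState[] has a fixed number of names; an unexpected state value
        // maps to slot 0 ("???") instead of reading past the end of the table.
        if (state >= sizeof TcpState / sizeof TcpState[0])
            state = 0;

        // "a.b.c.d:port" is at most 21 characters, far below the 256-byte buffers.
        // GetIP returns a static buffer, so each address is formatted in its own call.
        sprintf(szLocalAddress, "%s:%hu",
            GetIP(row->dwLocalAddr),
            htons((WORD)row->dwLocalPort));
        sprintf(szRemoteAddress, "%s:%hu",
            GetIP(row->dwRemoteAddr),
            htons((WORD)row->dwRemotePort));

        printf("%-6s%-22s%-22s%-11s%s:%lu\n", TEXT("TCP"),
            szLocalAddress, szRemoteAddress,
            TcpState[state],
            ProcessPidToName(row->dwProcessId),
            (unsigned long)row->dwProcessId);
    }

    // UDP list: no peer and no state, so the foreign column is always "*:*".
    for (i = 0; i < UDPExTable->dwNumEntries; i++)
    {
        const MIB_UDPEXROW *row = &UDPExTable->table[i];

        sprintf(szLocalAddress, "%s:%hu",
            GetIP(row->dwLocalAddr),
            htons((WORD)row->dwLocalPort));
        printf("%-6s%-22s%-33s%s:%lu\n", TEXT("UDP"),
            szLocalAddress, TEXT("*:*"),
            ProcessPidToName(row->dwProcessId),
            (unsigned long)row->dwProcessId);
    }

cleanup:
    if (UDPExTable)
        HeapFree(hHeap, 0, UDPExTable);
    if (TCPExTable)
        HeapFree(hHeap, 0, TCPExTable);
}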
//---------------------------------------------------------------------------
//
// 进程与端口关联程序的主函数.
//
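// Entry point: initialises Winsock, resolves the two iphlpapi.dll exports,
// prints the port/process listing and tears everything down.
//
// Returns 0 on success and 1 when Winsock, the DLL or either export is
// unavailable (the original was declared void and silently returned when
// LoadLibrary failed, skipping WSACleanup and never checking GetProcAddress).
int main(void)
{
    WSADATA WSAData;
    HMODULE hIpDLL;
    int rc = 1;

    if (WSAStartup(MAKEWORD(1, 1), &WSAData))
    {
        printf("WSAStartup error!\n");
        return rc;
    }

    // The bare module name is resolved through the normal DLL search order,
    // which starts in the application directory. A hardened build of a
    // security tool would pin the load to the system directory (LoadLibraryEx
    // with LOAD_LIBRARY_SEARCH_SYSTEM32 where the platform supports it).
    hIpDLL = LoadLibrary("iphlpapi.dll");
    if (!hIpDLL)
    {
        printf("LoadLibrary(iphlpapi.dll) error!\n");
        goto cleanup_wsa;
    }

    pAllocateAndGetTcpExTableFromStack =
        (PALLOCATE_AND_GET_TCPEXTABLE_FROM_STACK)
        GetProcAddress(hIpDLL, "AllocateAndGetTcpExTableFromStack");
    pAllocateAndGetUdpExTableFromStack =
        (PALLOCATE_AND_GET_UDPEXTABLE_FROM_STACK)
        GetProcAddress(hIpDLL, "AllocateAndGetUdpExTableFromStack");

    // These exports are not part of the public SDK, so a given iphlpapi.dll
    // may not provide them; report that instead of calling a NULL pointer.
    if (!pAllocateAndGetTcpExTableFromStack || !pAllocateAndGetUdpExTableFromStack)
    {
        printf("AllocateAndGet*ExTableFromStack not exported by this iphlpapi.dll!\n");
        goto cleanup_dll;
    }

    // Print the process/port association.
    DisplayPort();
    rc = 0;

cleanup_dll:
    FreeLibrary(hIpDLL);
cleanup_wsa:
    WSACleanup();
    getchar();  // pause so the console output stays visible
    return rc;
}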