进程-端口-IP地址关联演示

本文介绍了一段代码,该代码利用ZwQuerySystemInformation和ZwQueryObject函数来关联进程、端口和IP地址。通过检查句柄路径中是否包含特定字符串来识别网络对象,但目前无法获取远程IP和端口。这种方法可以绕过某些隐藏IP和端口的程序。代码来源于VC文章的改编,作者鼓励熟悉此领域的专家进行改进。


这篇文章是我看了一篇VC的文章增加修改而来,原文章地址我也忘记了,作者也不是很清楚,在这里希望原作者能原谅. 

此代码演示了进程、端口以及IP地址之间的关联:程序先使用ZwQuerySystemInformation函数枚举所有打开的句柄,然后再使用ZwQueryObject函数获取每个句柄所对应的路径,如果发现路径中包含/device/rawip、/device/tcp或/device/udp,即是我们需要查找的网络对象.目前程序还有个缺陷,就是无法获取远程IP地址和端口,我目前也还没找到方法,如果有懂这方面的高手可以把代码继续完善一下,好方便大家使用.

使用此方法枚举到的信息,可以躲过那些通过拦截相关API函数来隐藏IP地址和端口的程序.

话不多说了,本来想把注释写得详细些,一是由于时间太晚得睡觉了,二是我基本上都是把"解锁文件"的代码Copy过来稍微修改了下,比如获取进程路径、枚举句柄等;如果不懂的,可以在我的博客查看"解锁文件"的相关文件,里面有详细注释.下面我就把完整代码贴上来.

VERSION 5.00

Begin VB.Form frmMain 

   BorderStyle     =   1  'Fixed Single

   Caption         =   "进程-端口-IP地址关联演示"

   ClientHeight    =   6120

   ClientLeft      =   45

   ClientTop       =   420

   ClientWidth     =   9600

   LinkTopic       =   "Form1"

   MaxButton       =   0   'False

   MinButton       =   0   'False

   ScaleHeight     =   6120

   ScaleWidth      =   9600

   StartUpPosition =   2  '屏幕中心

   Begin VB.CommandButton cmdExit 

      Cancel          =   -1  'True

      Caption         =   "退出(&C)"

      Height          =   375

      Left            =   8520

      TabIndex        =   2

      Top             =   5595

      Width           =   975

   End

   Begin VB.CommandButton cmdRefresh 

      Caption         =   "刷新(&R)"

      Default         =   -1  'True

      Height          =   375

      Left            =   7440

      TabIndex        =   1

      Top             =   5595

      Width           =   975

   End

   Begin VB.ListBox lstInfo 

      Height          =   5460

      Left            =   0

      TabIndex        =   0

      Top             =   0

      Width           =   9615

   End

End

Attribute VB_Name = "frmMain"

Attribute VB_GlobalNameSpace = False

Attribute VB_Creatable = False

Attribute VB_PredeclaredId = True

Attribute VB_Exposed = False

Private Declare Sub InitCommonControls Lib "comctl32.dll" ()



Private Sub Form_Initialize()
    ' Initialize the common-controls library before the form's window exists
    ' (Initialize fires before Load in VB6).
    Call InitCommonControls
End Sub

Private Sub cmdExit_Click()
    ' Exit button (Cancel = True in the form header, so Esc lands here too):
    ' unload the main form.
    Unload Me
End Sub



Private Sub cmdRefresh_Click()
    ' Refresh button (Default = True, so Enter triggers it): throw away the
    ' current listing and enumerate the network handles again.
    lstInfo.Clear
    Call EmunNetInfo
End Sub



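Private Sub Form_Load()
    ' Enable SeDebugPrivilege, then fill the list.
    ' The original ignored EnablePrivilege's result; without the privilege the
    ' enumeration can only see handles of processes this user may open, so the
    ' user is told that the listing may be incomplete instead of failing silently.
    If Not EnablePrivilege() Then
        Me.lstInfo.AddItem "无法启用 SeDebugPrivilege,列表可能不完整(请以管理员身份运行)"
    End If
    EmunNetInfo
End Sub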



Attribute VB_Name = "modPrivilege"

Option Explicit



' Token access rights and privilege attributes (values as in winnt.h).
' EnablePrivilege below opens the token with TOKEN_ADJUST_PRIVILEGES Or TOKEN_QUERY;
' the remaining rights are declared for completeness only.
Private Const STANDARD_RIGHTS_REQUIRED = &HF0000
Private Const TOKEN_ASSIGN_PRIMARY = &H1
Private Const TOKEN_DUPLICATE = (&H2)
Private Const TOKEN_IMPERSONATE = (&H4)
Private Const TOKEN_QUERY = (&H8)
Private Const TOKEN_QUERY_SOURCE = (&H10)
Private Const TOKEN_ADJUST_PRIVILEGES = (&H20)
Private Const TOKEN_ADJUST_GROUPS = (&H40)
Private Const TOKEN_ALL_ACCESS = 983551 ' = &HF01FF
' LUID_AND_ATTRIBUTES.Attributes flag: enable the privilege.
Private Const SE_PRIVILEGE_ENABLED = &H2
' Upper bound of TOKEN_PRIVILEGES.Privileges; see the Type below.
Private Const ANYSIZE_ARRAY = 1
' Privilege name that lets the process open handles of other users' processes.
Private Const SE_DEBUG_NAME = "SeDebugPrivilege"



' Locally unique identifier (64 bits split into two Longs), filled by LookupPrivilegeValue.
Private Type LUID
    lowpart As Long
    highpart As Long
End Type



' One privilege entry: its LUID plus attribute flags (SE_PRIVILEGE_ENABLED here).
Private Type LUID_AND_ATTRIBUTES
    pLuid As LUID
    Attributes As Long
End Type



' Argument to AdjustTokenPrivileges: a count followed by the privilege entries.
Private Type TOKEN_PRIVILEGES
    PrivilegeCount As Long
    ' With the default Option Base 0, (ANYSIZE_ARRAY) = (1) declares TWO elements,
    ' so this UDT is 12 bytes larger than the C struct. Harmless, because the API
    ' only reads PrivilegeCount entries.
    Privileges(ANYSIZE_ARRAY) As LUID_AND_ATTRIBUTES
End Type



Private Declare Function OpenProcessToken Lib "advapi32.dll" (ByVal ProcessHandle As Long, ByVal DesiredAccess As Long, TokenHandle As Long) As Long

Private Declare Function AdjustTokenPrivileges Lib "advapi32.dll" (ByVal TokenHandle As Long, ByVal DisableAllPriv As Long, NewState As TOKEN_PRIVILEGES, ByVal BufferLength As Long, PreviousState As TOKEN_PRIVILEGES, ReturnLength As Long) As Long                'Used to adjust your program's security privileges, can't restore without it!

Private Declare Function LookupPrivilegeValue Lib "advapi32.dll" Alias "LookupPrivilegeValueA" (ByVal lpSystemName As Any, ByVal lpName As String, lpLuid As LUID) As Long

Private Declare Function GetCurrentProcess Lib "kernel32" () As Long '获取当前进程句柄

Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long



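' Enables SeDebugPrivilege in the current process token so that later handle
' enumeration can open processes owned by other users.
'
' Returns True only when the privilege is actually enabled. The original
' returned AdjustTokenPrivileges' result directly, but that call succeeds even
' when the token does not hold the privilege (GetLastError = ERROR_NOT_ALL_ASSIGNED,
' e.g. when not running as administrator), so the last DLL error is checked too.
' The original also never closed the token handle; it is closed here.
Public Function EnablePrivilege() As Boolean
    Const ERROR_NOT_ALL_ASSIGNED As Long = 1300
    Dim hdlTokenHandle As Long
    Dim tmpLuid As LUID
    Dim tkp As TOKEN_PRIVILEGES
    Dim tkpNewButIgnored As TOKEN_PRIVILEGES
    Dim lBufferNeeded As Long

    EnablePrivilege = False

    ' GetCurrentProcess returns a pseudo-handle, so only the token needs closing.
    If OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES Or TOKEN_QUERY, hdlTokenHandle) = 0 Then
        Exit Function
    End If

    ' Use the module constant instead of repeating the literal.
    If LookupPrivilegeValue(vbNullString, SE_DEBUG_NAME, tmpLuid) <> 0 Then
        tkp.PrivilegeCount = 1
        tkp.Privileges(0).pLuid = tmpLuid
        tkp.Privileges(0).Attributes = SE_PRIVILEGE_ENABLED
        If AdjustTokenPrivileges(hdlTokenHandle, 0, tkp, Len(tkpNewButIgnored), tkpNewButIgnored, lBufferNeeded) <> 0 Then
            ' Err.LastDllError is VB's safe way to read GetLastError after a Declare call.
            EnablePrivilege = (Err.LastDllError <> ERROR_NOT_ALL_ASSIGNED)
        End If
    End If

    CloseHandle hdlTokenHandle
End Function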



Attribute VB_Name = "modNetInfo"

Option Explicit



Private Declare Function NtQueryInformationProcess Lib "NTDLL.DLL" (ByVal ProcessHandle As Long, _

                                ByVal ProcessInformationClass As PROCESSINFOCLASS, _

                                ByVal ProcessInformation As Long, _

                                ByVal ProcessInformationLength As Long, _

                                ByRef ReturnLength As Long) As Long



' PROCESSINFOCLASS for NtQueryInformationProcess. Only the first member has an
' explicit value; the rest take consecutive values in declaration order, so the
' order of this list must not be changed. Which classes this module actually
' queries is decided in code outside this page.
Private Enum PROCESSINFOCLASS
    ProcessBasicInformation = 0
    ProcessQuotaLimits
    ProcessIoCounters
    ProcessVmCounters
    ProcessTimes
    ProcessBasePriority
    ProcessRaisePriority
    ProcessDebugPort
    ProcessExceptionPort
    ProcessAccessToken
    ProcessLdtInformation
    ProcessLdtSize
    ProcessDefaultHardErrorMode
    ProcessIoPortHandlers
    ProcessPooledUsageAndLimits
    ProcessWorkingSetWatch
    ProcessUserModeIOPL
    ProcessEnableAlignmentFaultFixup
    ProcessPriorityClass
    ProcessWx86Information
    ProcessHandleCount
    ProcessAffinityMask
    ProcessPriorityBoost
    ProcessDeviceMap
    ProcessSessionInformation
    ProcessForegroundInformation
    ProcessWow64Information
    ProcessImageFileName
    ProcessLUIDDeviceMapsEnabled
    ProcessBreakOnTermination
    ProcessDebugObjectHandle
    ProcessDebugFlags
    ProcessHandleTracing
    ProcessIoPriority
    ProcessExecuteFlags
    ProcessResourceManagement
    ProcessCookie
    ProcessImageInformation
    MaxProcessInfoClass
End Enum



' Buffer layout for NtQueryInformationProcess(ProcessBasicInformation).
' Every field is a 32-bit Long, i.e. the x86 layout; VB6 programs are 32-bit,
' so that is the only layout they can run with.
Private Type PROCESS_BASIC_INFORMATION
    ExitStatus As Long 'NTSTATUS
    PebBaseAddress As Long 'PPEB
    AffinityMask As Long 'ULONG_PTR
    BasePriority As Long 'KPRIORITY
    UniqueProcessId As Long 'ULONG_PTR (the PID)
    InheritedFromUniqueProcessId As Long 'ULONG_PTR (parent PID)
End Type



' Header of a name query result: byte length of the name followed by the start
' of the UTF-16 name. FileName holds only 4 bytes here; NM_INFO below appends
' more storage so the two Types form one contiguous buffer.
Private Type FILE_NAME_INFORMATION
     FileNameLength As Long
     FileName(3) As Byte
End Type



' FILE_NAME_INFORMATION plus 260 extra bytes, giving 264 bytes of name storage
' directly after FileNameLength. Presumably passed to the ZwQueryObject /
' NtQueryInformationFile name query described in the article; the code that
' fills it is outside this page, so the exact usage is not verified here.
Private Type NM_INFO
    Info As FILE_NAME_INFORMATION
    strName(259) As Byte
End Type



Private Enum FileInformationClass

    FileDirectoryInformation = 1

    FileFullDirectoryInformation = 2

    FileBothDirectoryInformation = 3

    FileBasicInformation = 4

    FileStandardInformation = 5

    FileInternalInformation = 6

    FileEaInformation = 7

    FileAccessInformation = 8

    FileNameInformation = 9

    FileRenameInformation = 10

    FileLinkInformation = 11

    FileNamesInformation = 12

    FileDispositionInformation = 13

    FilePositionInformation = 14

    FileFullEaInformation = 15

    FileModeInformation = 16

    FileAlignmentInformation = 17

    FileAllInformation = 18

    FileAllocationInformation = 19

    FileE