List Processes and Ports with Native API

Submitted on: 6/1/2004 5:57:56 AM
By: Luprix  
Level: Advanced
User Rating: By 70 Users
Compatibility: VB 4.0 (32-bit), VB 5.0, VB 6.0, VB Script, ASP (Active Server Pages) , VBA MS Access, VBA MS Excel
Views: 88382
 
This code lists all processes with open ports using the undocumented Native API function NtQuerySystemInformation(). To find the processes with open ports we work at the TDI level (Transport Driver Interface), with the help of the native functions exported by the system library NTDLL.DLL, which is part of the Windows NT system base. Attention: using undocumented functions carries the risk that Microsoft modifies or removes them in the future. At the moment it works perfectly on NT, W2K, XP and W2003.

In the same way as Sysinternals' Process Explorer (www.systernals.com), we can enumerate all handles of all processes running on the system. These handles (HANDLE) are not unique system-wide, only within their process (PID). They are unrelated to window handles (HWND), which are unique. Each process has its own set of handles, and they can be of different types: files, pipes, mailslots, registry keys, ... My code is a port of C++ sources known on the Internet (search Google).

Our programs usually work in protected memory (User-Mode). (Remember memory page access violations?) Drivers work with real access to memory and hardware (Kernel-Mode). We need to transfer information located in Kernel-Mode to our application (User-Mode). One of the methods used is an IOCTL call to the driver using a buffer created by our application (Win32 function DeviceIoControl()). To synchronize the driver and the application we use CreateEvent(). The named event is automatically created in the Object Manager's BaseNamedObjects directory.

Description of the function: It is well known that we need at least administrator rights to get access to all running processes. First we obtain execution privileges in the system by means of the function LoadPrivilege(), which acquires SeDebugPrivilege.
Then we list all the processes (PIDs) using NtQuerySystemInformation(), a function of NTDLL.DLL that gives us access to the memory shared from Kernel-Mode. Using NtQueryObject(), we list all the handles belonging to each process. To look for open ports we filter the handles of type "File" named "\device\tcp" and "\device\udp". Then we query each of those handles with NtDeviceIoControlFile(), which returns the port as an integer in the form the sockets API uses. We convert that number by swapping its bytes with the IpHelper API function ntohs() and store it in a VB Long. The rest is very easy: the function ProcessPathByPID returns the complete path of the requested PID. This code is very useful in firewalls, netstat-like tools and similar applications. Another interesting use of the native API is hiding our program (process) from the task list by hooks. That is what I am working on at the moment, and I will upload it to PSC depending on your votes :) Excuse my bad English. Greetings to all. Best wishes to everyone. Luprix.
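As an added example (not the author's VB code and not from the zip), the same pipeline in Python over constructed buffers: it walks the 32-bit SYSTEM_HANDLE_TABLE_ENTRY_INFO records that NtQuerySystemInformation(SystemHandleInformation) returns, keeps the File handles named \Device\Tcp and \Device\Udp, and decodes the port from a TDI_ADDRESS_INFO reply with the same network-to-host byte swap the text does with ntohs(). The two callables and the sample buffers are assumptions standing in for the NtQueryObject and NtDeviceIoControlFile calls, so the block runs offline.

```python
import socket
import struct

# 32-bit SYSTEM_HANDLE_TABLE_ENTRY_INFO as returned by NtQuerySystemInformation(SystemHandleInformation):
# UniqueProcessId, CreatorBackTraceIndex, ObjectTypeIndex, HandleAttributes, HandleValue, Object, GrantedAccess
HANDLE_ENTRY = struct.Struct("<HHBBHII")
# TDI_ADDRESS_INFO reply to TDI_QUERY_ADDRESS_INFO: ActivityCount, TAAddressCount, AddressLength,
# AddressType, then TDI_ADDRESS_IP = sin_port (network order), in_addr (network order), 8 zero bytes
TDI_ADDRESS_INFO = struct.Struct("<IiHH2s4s8s")
TDI_ADDRESS_TYPE_IP, TDI_ADDRESS_LENGTH_IP = 2, 14

def parse_handle_table(buf):
    """Yield (pid, handle) for every entry in a SystemHandleInformation buffer (ULONG count first)."""
    (count,) = struct.unpack_from("<I", buf, 0)
    for i in range(count):
        pid, _bt, _type, _attr, handle, _obj, _acc = HANDLE_ENTRY.unpack_from(buf, 4 + i * HANDLE_ENTRY.size)
        yield pid, handle

def endpoint_from_tdi_info(buf):
    """Decode the local (ip, port) bound to a \\Device\\Tcp or \\Device\\Udp handle from its TDI reply."""
    _act, _n, length, kind, port_be, ip_be, _zero = TDI_ADDRESS_INFO.unpack_from(buf, 0)
    if kind != TDI_ADDRESS_TYPE_IP or length < TDI_ADDRESS_LENGTH_IP:
        raise ValueError("not an IPv4 transport address")
    # "!H" reads network byte order: the same byte swap the VB code performs with ntohs()
    return socket.inet_ntoa(ip_be), struct.unpack("!H", port_be)[0]

def open_ports(table, query_object, query_address):
    """query_object(pid, h) -> (type name, object name) stands in for NtQueryObject;
    query_address(pid, h) -> TDI_ADDRESS_INFO bytes stands in for NtDeviceIoControlFile."""
    found = []
    for pid, handle in parse_handle_table(table):
        type_name, name = query_object(pid, handle)
        if type_name != "File" or name.lower() not in ("\\device\\tcp", "\\device\\udp"):
            continue  # only the TDI transport device handles carry a socket endpoint
        ip, port = endpoint_from_tdi_info(query_address(pid, handle))
        found.append((pid, name.rsplit("\\", 1)[-1].upper(), ip, port))
    return found

def make_tdi_reply(ip, port):  # constructed stand-in for the kernel reply, not a real capture
    return TDI_ADDRESS_INFO.pack(1, 1, TDI_ADDRESS_LENGTH_IP, TDI_ADDRESS_TYPE_IP,
                                 struct.pack("!H", port), socket.inet_aton(ip), b"\0" * 8)

# Constructed handle table and object names (not captured from a real machine)
SAMPLE_TABLE = struct.pack("<I", 3) + b"".join(HANDLE_ENTRY.pack(*e) for e in [
    (1234, 0, 28, 0, 0x1C, 0x8123A000, 0x12019F),   # File handle on \Device\Tcp
    (1234, 0, 28, 0, 0x20, 0x8123B000, 0x120089),   # File handle on an ordinary disk file
    (4, 0, 28, 0, 0x08, 0x8123C000, 0x12019F)])     # File handle on \Device\Udp
SAMPLE_OBJECTS = {(1234, 0x1C): ("File", "\\Device\\Tcp"), (4, 0x08): ("File", "\\Device\\Udp"),
                  (1234, 0x20): ("File", "\\Device\\HarddiskVolume1\\app.log")}
SAMPLE_TDI = {(1234, 0x1C): make_tdi_reply("0.0.0.0", 80), (4, 0x08): make_tdi_reply("192.168.1.10", 137)}

ROWS = open_ports(SAMPLE_TABLE, lambda p, h: SAMPLE_OBJECTS[(p, h)], lambda p, h: SAMPLE_TDI[(p, h)])
print(ROWS)  # [(1234, 'TCP', '0.0.0.0', 80), (4, 'UDP', '192.168.1.10', 137)]
```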

 

 
Other User Comments
6/1/2004 7:15:12 AM Light Templer

hard stuff! thx for and °°°°° !
LiTe

 
6/2/2004 8:53:03 AM

Very Cool stuff!

 
6/3/2004 5:33:08 AM Sahir

excellent 5 ***** for u

 
6/4/2004 1:15:57 AM mugman21

Great Code! First of its kind on PSC that doesn't rely on XP's 'netstat -o'
5 globes from me

 
6/4/2004 7:10:05 AM Libor Blaheta

great
do you have more source codes about using NTAPI in VB?

 
6/4/2004 12:30:16 PM Luprix

Thanks for all
I am working at the moment on a function to hide the application in the TasksList by hooking the Native API :))

 
6/7/2004 4:32:43 PM Libor Blaheta

hooking api - all code in VB?

 
6/9/2004 2:07:34 PM

congratulations, 5 balloons for you

 
6/14/2004 6:38:44 PM Ziad Said

Brilliant piece of code ***** globes :)!!
By the way, can you get the bytes received/sent
by the application(s)?

Thx for sharing.
And waiting for a new upload...

 
6/22/2004 8:39:30 AM gridrun

O M G!!!!
O M G !!!!!!

I've been looking for this since AGES!!!

O M G !!! W00H000!! YOU ROCK, MAN :D

 
6/27/2004 5:49:50 PM Luprix

For all:

I am interested in checking whether these routines work on a 64-bit architecture.

Can somebody check it?

Tnx.

 
6/28/2004 4:02:08 AM Light Templer

After a closer look:
Works fine on W2K; on NT4 SP6a it doesn't find any 'handle names' with "\device\tcp" in them in function 'GetPortFromTcpHandle()'. (Yes, checked on more than one machine and yes, in a large network, these machines have lots of open ports ;) ) Any ideas? Thx for any hint and kind regards
LiTe

 
6/28/2004 6:58:52 AM Luprix

Tnx Light Templer.

Does NtDeviceIoControlFile not work in NT4?
http://24.229.94.2/tables/imports/adptif_imports.html

Or yes:

http://24.229.94.2/cgi-bin/query.cgi?version=winnt4-sp6a-4.0.1381&type=E&dll=ntdll

I don't have NT4 to check this.

Is the HandleInfo array empty?

 
6/29/2004 7:39:57 AM Light Templer

The array isn't empty, in fact it is a long list. But there are no handle names with "\device\tcp" in them ...
LiTe

 
6/29/2004 8:44:41 AM Luprix

The HandleInfo has only the PID and the Handle for calling the GetPortFromTcpHandle function. Trace it.

 
7/17/2004 10:43:45 AM Mike Wilson

source for native api calls
http://undocumented.ntinternals.net/

 
7/25/2004 6:00:31 PM

Thanks for this great program. Is there a way to display processes that use serial ports? They typically have handle names of "\device\Serial0".

 
7/30/2004 4:06:52 PM

Great Code. I'd like to see if there is a way to see what application owns a serial port.

 
8/3/2004 11:13:14 AM

Really a nice code, the only improvement I miss is to have everything divided into modules...

 
8/7/2004 9:29:05 AM Erwan L.

really nice piece of code.
but it does not get all tcp/udp handles.
might be a privilege issue (?).
compare results with fport or opports.

 
8/24/2004 10:41:25 AM

Great stuff! Can you give the link to the C code? I understand C better!

 
9/3/2004 11:07:19 AM Luprix

On my machine (W2K A.S.), it lists ALL the handles, the same as fport.
The C sources are those of fport.

Regards.

Luprix.
luprixnet@hotmail.com

 
9/4/2004 4:33:38 AM Erwan L.

indeed fport based code will work on NT4 and W2K, but fport will give incomplete results on XP and W2K3.
on XP / W2k3 you need to use the AllocateAndGetTcpExTableFromStack api.

 
9/4/2004 3:15:50 PM Erwan L.

luprix : i took your code and translated it into delphi. i also put there code using iphlpapi.
code is here : http://www.planet-source-code.com/vb/scripts/ShowCode.asp?txtCodeId=1455&lngWId=7

 
9/5/2004 6:53:24 AM Luprix

Erwan:
Your sniffer is an excellent work using IPHelper and Subclassing.

AllocateAndGetTcpExTableFromStack is a NEW API included ONLY in the last Windows releases.

 
9/5/2004 7:10:52 AM Luprix

NtQuerySystemInformation exists on ALL NT machines, and is the MS-documented way to obtain multiple pieces of information on the system. It has been used by FPORT and TCPVIEW for ages.

 
12/3/2004 4:21:41 AM Regard

Luprix:
Your code is great!
Could you give a link to the fport source code?

Thank you,
Mike.

 
6/3/2005 7:19:12 AM

great code. is it possible to implement the same using vc++ 6.0? if so please help me. thanks in advance.

 
6/3/2005 7:22:20 AM

great work. is it possible to implement this in vc++ 6.0? please help me as i need this code in vc++ very urgently. thanks in advance

 
6/4/2005 10:29:41 PM Luprix

search "fport" in google

 
6/6/2005 2:27:59 AM

fport is good, but can i get the source code for fport? if so please let me know

 
6/23/2006 11:43:10 AM Common26

Excellent work, can you contact me at cgsales@gmail.com for hiding processes?

Carlos desde Panama

 
9/11/2006 12:33:01 PM Proxy Avoidance

The 'NtDeviceIoControlFile' API appears to corrupt the stack space. It also seems to cause quite a few more problems too (I have recently installed a new firewall, and now NtDeviceIoControlFile completely freezes up).

Apparently it's been replaced by the DeviceIoControl function. Although it's a bit beyond me, maybe you could figure out how to migrate the code to the new API command. Maybe it would solve the stack space problem.

Please email me if you have any ideas :)

 
10/10/2009 7:48:48 PM jim sie

low level in VC++ use in Vb .. You are genius..

 
12/11/2009 10:59:45 AM Huddy

Still can't find something like that in C++ :-( anybody help please??