Announcement

**Florent Heyworth** · 5 Oct 2000, 07:48 AM

Wayne

I'm not clear about what you mean: by definition if your program
is listening for incoming connections it obviously know what ports
it's listening on.

Please explain what you mean in greater detail.

Cheers

Florent

------------------

**Wayne Diamond** · 5 Oct 2000, 08:22 AM

Florent, Inzider has two exported functions in its main dll - inject, and eject... what goes on in the middle im not sure, but it is able to produce a result like this:

Code:

 Found UDP port  2903 bound at 127.0.0.1 by C:\Program Files\Microsoft Internet\iexplore.exe (PID=316) [UDP Client]
 Found UDP port  3340 bound at 127.0.0.1 by C:\Program Files\Microsoft Internet\iexplore.exe (PID=316) [UDP Client]

Typically my program would know what sockets it is listening on just by querying the local port property of the socket, easy... but in this case I cant, and there may be sockets bound to my program that I cant 'read'. Hard to explain, but _why_ is irrelevant - does anybody know _how_?

The main URL for Inzider is http://www.ntsecurity.nu/toolbox/inzider/
the author doesnt seem willing to respond to email :|
I basically need to do exactly what Inzider does, but just for my process - that's all ... apparently these values are all stored away for easy access under 'nix, but not under Windows

Any thoughts are very much appreciated

------------------

**Florent Heyworth** · 5 Oct 2000, 09:55 AM

What you say does not make real sense: what you want is a port
scanner but you just want to scan the ports opened by your own
process?

I don't really care why you need this functionality - I can tell
you though that there are MANY different ways if which a port
scanner may be written.

The author of the program at the link you posted says that
"[...]moment I haven't seen any other program that does what
inzider does" although this does not mean that the way he
did it is the only way.

One of the simplest forms of port scanning is literally to try to
connect to every port on a system; you can also do ping (icmp) sweeps),
etc...

If you want to get some ideas about how you could implement such
a beast I'd recommend you have a look for "nmap": I believe it comes
with source and although it's a Linux program you'll probably be
able to glean many usefule techniques.

Cheers

Florent

------------------

**Florent Heyworth** · 5 Oct 2000, 10:22 AM

Wayne

I just re-read your post and now see that I probably didn't realise
what it is that you actually want. You are probably injecting your
program into another process and you'd like to find out what ports
if any the process is bound to or listening on.

An interesting challenge. Here's a tip: files, sockets, processes, etc
all have handles.

Cheers

Florent

------------------

**Wayne Diamond** · 5 Oct 2000, 10:57 AM

Florent, I think you get where im getting at now - I am going to have to inject my program (using AttachThreadProcess perhaps - although Inzider doesnt use that)... I agree it will be an interesting challenge. Handles handles handles... hmm... if I could somehow enumerate all the handles that a program was using, i could get somewhere...

I know this is uncharted territory and I probably wont have much luck in succeeding, but its a good challenge...

This API may be used?

Code:

DWORD GetFileType(
  HANDLE hFile   // handle to file
);
returns:
FILE_TYPE_UNKNOWN The type of the specified file is unknown. 
FILE_TYPE_DISK The specified file is a disk file. 
FILE_TYPE_CHAR The specified file is a character file, typically an LPT device or a console. 
FILE_TYPE_PIPE The specified file is either a named or anonymous pipe.

Here's a dump of the API calls from inz.dll:

Code:

GetModuleFileNameA
GetCurrentProcessId
KERNEL32.dll
CallNextHookEx,SetWindowsHookExA,UnhookWindowsHookEx
USER32.dll
RegQueryValueExA,RegOpenKeyExA
ADVAPI32.dll
WSOCK32.dll
GetCommandLineA,GetProcAddress,GetModuleHandleA,GetVersion,
InitializeCriticalSection,DeleteCriticalSection,EnterCriticalSection,
LeaveCriticalSection,ExitProcess,HeapFree,GetLastError,CloseHandle,
GetCurrentThreadId,TlsSetValue,TlsAlloc,TlsFree,SetLastError,TlsGetValue,
HeapCreate,HeapDestroy,SetHandleCount,GetFileType,GetStdHandle,
GetStartupInfoA,GetCPInfo,GetACP,GetOEMCP,FreeEnvironmentStringsA,
GetEnvironmentStrings,FreeEnvironmentStringsW,GetEnvironmentStringsW,
WideCharToMultiByte,WriteFile,HeapAlloc,SetStdHandle,FlushFileBuffers,
SetFilePointer,CreateFileA,LoadLibraryA,SetEndOfFile,ReadFile

Ill start at GetModuleFileNameA and work my way down... msdn and a slab of coke here I come ...

[This message has been edited by Wayne Diamond (edited October 05, 2000).]

**Scott Turchin** · 5 Oct 2000, 01:42 PM

From yer local NT administrator (That's me *Grin*)

Netstat -a from a command prompt will give you what you want.
Pipe it into a file if it goes too fast....

Netstat -a > c:\Net.txt

Or something like that.

You will see anything from LISTENING, ESTABLISHED, TIME_WAIT etc etc..

Scott

------------------
Scott
mailto:[email protected][email protected]</A>

**Florent Heyworth** · 5 Oct 2000, 06:28 PM

Wayne

if all you want is to monitor winsock calls, i.e, monitor TCP/UDP
traffic based on the winsock stack: instead of injecting of injecting
your program into another's space there is a much better way of
doing it.

It's called winsock hooking which is basically a winsock layered
service provider. Look it up but note that as far as I know it'll
only work withe winsock 2.x not 1.0

Cheers

Florent

------------------

**Wayne Diamond** · 5 Oct 2000, 09:25 PM

Scottie, unfortunately I cant use netstat because it doesn't tell me which ports are my programs, and which are used by other programs...

Florent, I think I may have to look into the 'socket hooking' youve described, I dont know if it will help or not but it sounds like a blast anyway

------------------

**Knuth Konrad** · 6 Oct 2000, 12:27 AM

Originally posted by Wayne Diamond:
Scottie, unfortunately I cant use netstat because it doesn't tell me which ports are my programs, and which are used by other programs...

Wayne,

talking about NETSTAT, I just remebered this one:

2)See all open winsock connections - API replacement for Netstat!

Category: Windows API Call/ Explanation
Level: Advanced

Description: This is a complete API call replacement for the dos Netstat
command. The example will show all open connections, and the API calls are
encapsulated in a Class module that can also retrieve all listening ports on
the local computer.
This module and demonstration project also allow you to kill TCP
connections - in the demonstration right click on a current connection...
Includes caching DNS lookup code to get the domain names of the servers you
are connecting to! Credit to Michael Tutty for the original DNS client code.

Complete source code is at:
http://www.planet-source-code.com/vb...11834&lngWId=1

Knuth

------------------
http://www.softAware.de

**Wayne Diamond** · 6 Oct 2000, 12:49 AM

Knuth,
I saw that sample the other day - killing connections is a cute feature, but unfortunately I don't think the solution to this problem has anything to do with Winsock or SNMP (which netstat uses) ... there are no API calls in Inzider that relate to either Winsock or SNMP, so I believe that Florent may be on the right track with handles ... there are various Handle API calls that it uses
The plot thickens ...

------------------

Announcement

What ports am i listening on?

What ports am i listening on?

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment