What ports am I listening on?

  • Wayne Diamond
    replied
    Knuth,
    I saw that sample the other day - killing connections is a cute feature, but unfortunately I don't think the solution to this problem has anything to do with Winsock or SNMP (which netstat uses) ... there are no API calls in Inzider that relate to either Winsock or SNMP, so I believe that Florent may be on the right track with handles ... there are various Handle API calls that it uses
    The plot thickens ...



    ------------------

  • Knuth Konrad
    replied
    Originally posted by Wayne Diamond:
    Scottie, unfortunately I can't use netstat because it doesn't tell me which ports are my programs, and which are used by other programs...
    Wayne,

    talking about NETSTAT, I just remembered this one:
    2)See all open winsock connections - API replacement for Netstat!

    Category: Windows API Call/ Explanation
    Level: Advanced

    Description: This is a complete API call replacement for the dos Netstat
    command. The example will show all open connections, and the API calls are
    encapsulated in a Class module that can also retrieve all listening ports on
    the local computer.
    This module and demonstration project also allow you to kill TCP
    connections - in the demonstration right click on a current connection...
    Includes caching DNS lookup code to get the domain names of the servers you
    are connecting to! Credit to Michael Tutty for the original DNS client code.

    Complete source code is at:
    http://www.planet-source-code.com/vb...11834&lngWId=1
    Knuth

    ------------------
    http://www.softAware.de

  • Wayne Diamond
    replied
    Scottie, unfortunately I can't use netstat because it doesn't tell me which ports are my programs, and which are used by other programs...

    Florent, I think I may have to look into the 'socket hooking' you've described, I don't know if it will help or not but it sounds like a blast anyway




    ------------------

  • Florent Heyworth
    replied
    Wayne

    if all you want is to monitor winsock calls, i.e., monitor TCP/UDP
    traffic based on the winsock stack: instead of injecting
    your program into another's space there is a much better way of
    doing it.

    It's called winsock hooking which is basically a winsock layered
    service provider. Look it up but note that as far as I know it'll
    only work with winsock 2.x not 1.0

    Cheers

    Florent

    ------------------

  • Scott Turchin
    replied
    From yer local NT administrator (That's me *Grin*)

    Netstat -a from a command prompt will give you what you want.
    Pipe it into a file if it goes too fast....

    Netstat -a > c:\Net.txt

    Or something like that.

    You will see anything from LISTENING, ESTABLISHED, TIME_WAIT etc etc..


    Scott

    ------------------
    Scott
    mailto:[email protected]

  • Wayne Diamond
    replied
    Florent, I think you get where I'm getting at now - I am going to have to inject my program (using AttachThreadProcess perhaps - although Inzider doesn't use that)... I agree it will be an interesting challenge. Handles handles handles... hmm... if I could somehow enumerate all the handles that a program was using, I could get somewhere...

    I know this is uncharted territory and I probably won't have much luck in succeeding, but it's a good challenge...

    This API may be used?
    Code:
    DWORD GetFileType(
      HANDLE hFile   // handle to file
    );
    returns:
    FILE_TYPE_UNKNOWN The type of the specified file is unknown. 
    FILE_TYPE_DISK The specified file is a disk file. 
    FILE_TYPE_CHAR The specified file is a character file, typically an LPT device or a console. 
    FILE_TYPE_PIPE The specified file is either a named or anonymous pipe.
    Here's a dump of the API calls from inz.dll:
    Code:
    GetModuleFileNameA
    GetCurrentProcessId
    KERNEL32.dll
    CallNextHookEx,SetWindowsHookExA,UnhookWindowsHookEx
    USER32.dll
    RegQueryValueExA,RegOpenKeyExA
    ADVAPI32.dll
    WSOCK32.dll
    GetCommandLineA,GetProcAddress,GetModuleHandleA,GetVersion,
    InitializeCriticalSection,DeleteCriticalSection,EnterCriticalSection,
    LeaveCriticalSection,ExitProcess,HeapFree,GetLastError,CloseHandle,
    GetCurrentThreadId,TlsSetValue,TlsAlloc,TlsFree,SetLastError,TlsGetValue,
    HeapCreate,HeapDestroy,SetHandleCount,GetFileType,GetStdHandle,
    GetStartupInfoA,GetCPInfo,GetACP,GetOEMCP,FreeEnvironmentStringsA,
    GetEnvironmentStrings,FreeEnvironmentStringsW,GetEnvironmentStringsW,
    WideCharToMultiByte,WriteFile,HeapAlloc,SetStdHandle,FlushFileBuffers,
    SetFilePointer,CreateFileA,LoadLibraryA,SetEndOfFile,ReadFile
    I'll start at GetModuleFileNameA and work my way down... msdn and a slab of coke here I come ...


    [This message has been edited by Wayne Diamond (edited October 05, 2000).]

  • Florent Heyworth
    replied
    Wayne

    I just re-read your post and now see that I probably didn't realise
    what it is that you actually want. You are probably injecting your
    program into another process and you'd like to find out what ports
    if any the process is bound to or listening on.

    An interesting challenge. Here's a tip: files, sockets, processes, etc
    all have handles.

    Cheers

    Florent

    ------------------

  • Florent Heyworth
    replied
    What you say does not make real sense: what you want is a port
    scanner but you just want to scan the ports opened by your own
    process?

    I don't really care why you need this functionality - I can tell
    you though that there are MANY different ways in which a port
    scanner may be written.

    The author of the program at the link you posted says that
    "[...]moment I haven't seen any other program that does what
    inzider does" although this does not mean that the way he
    did it is the only way.

    One of the simplest forms of port scanning is literally to try to
    connect to every port on a system; you can also do ping (icmp) sweeps,
    etc...

    If you want to get some ideas about how you could implement such
    a beast I'd recommend you have a look for "nmap": I believe it comes
    with source and although it's a Linux program you'll probably be
    able to glean many useful techniques.

    Cheers

    Florent

    ------------------

  • Wayne Diamond
    replied
    Florent, Inzider has two exported functions in its main dll - inject, and eject... what goes on in the middle I'm not sure, but it is able to produce a result like this:
    Code:
     Found UDP port  2903 bound at 127.0.0.1 by C:\Program Files\Microsoft Internet\iexplore.exe (PID=316) [UDP Client]
     Found UDP port  3340 bound at 127.0.0.1 by C:\Program Files\Microsoft Internet\iexplore.exe (PID=316) [UDP Client]
    Typically my program would know what sockets it is listening on just by querying the local port property of the socket, easy... but in this case I can't, and there may be sockets bound to my program that I can't 'read'. Hard to explain, but _why_ is irrelevant - does anybody know _how_?
    The main URL for Inzider is http://www.ntsecurity.nu/toolbox/inzider/
    the author doesn't seem willing to respond to email :|
    I basically need to do exactly what Inzider does, but just for my process - that's all ... apparently these values are all stored away for easy access under 'nix, but not under Windows
    Any thoughts are very much appreciated

    ------------------

  • Florent Heyworth
    replied
    Wayne

    I'm not clear about what you mean: by definition if your program
    is listening for incoming connections it obviously knows what ports
    it's listening on.

    Please explain what you mean in greater detail.

    Cheers

    Florent

    ------------------

  • Wayne Diamond
    started a topic What ports am I listening on?

    What ports am I listening on?

    I am hoping somebody can point me in the right direction... there is apparently no documented way of doing this. What I need to do is find out what TCP & UDP ports (if any) my program is listening on. There is a program called Inzider (www.ntsecurity.nu) that can find the ports attached to all processes - I only need to find out the ones that my program is attached to though so it should be just a little bit easier than that... I think it may be via SetWindowsHookEx(), but I am not sure - it doesn't appear to use any winsock APIs...
    does anyone have any ideas about this???


    ------------------
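What the opening post asks for, and what Scott's `netstat -a` cannot attribute to a process, can be done on current Windows without any injection; the following is an added example written for this page, not code from the thread or from Inzider. It assumes the NetTCPIP cmdlets with the -OwningProcess parameter (Windows 10 / Server 2016 or later) and falls back to parsing `netstat -ano` text, whose -o switch (owning PID column) postdates this thread.

```powershell
# Added example: list the TCP listeners and UDP endpoints owned by one process.
# Assumption: Get-NetTCPConnection / Get-NetUDPEndpoint support -OwningProcess
# (Windows 10 / Server 2016+); otherwise "netstat -ano" output is parsed instead.

function ConvertFrom-NetstatAno {
    # Parse netstat -ano rows for one PID. TCP rows have five columns
    # (Proto, Local, Foreign, State, PID); UDP rows have four (no State).
    param([string[]]$Lines, [int]$ProcessId)
    foreach ($line in $Lines) {
        $f = $line.Trim() -split '\s+'
        $isTcp = ($f[0] -eq 'TCP' -and $f.Count -ge 5 -and $f[4] -eq "$ProcessId" -and $f[3] -eq 'LISTENING')
        $isUdp = ($f[0] -eq 'UDP' -and $f.Count -ge 4 -and $f[3] -eq "$ProcessId")
        if (-not ($isTcp -or $isUdp)) { continue }
        # Local column is "addr:port"; IPv6 looks like "[::]:135", so split at the last colon
        $local = $f[1]
        $i = $local.LastIndexOf(':')
        $state = if ($isTcp) { 'LISTEN' } else { 'BOUND' }
        [pscustomobject]@{
            Proto        = $f[0]
            LocalAddress = $local.Substring(0, $i).Trim('[', ']')
            LocalPort    = [int]$local.Substring($i + 1)
            State        = $state
        }
    }
}

function Get-ProcessListeningPorts {
    param([Parameter(Mandatory)][int]$ProcessId)
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        # TCP sockets in the Listen state that belong to this PID
        Get-NetTCPConnection -OwningProcess $ProcessId -State Listen -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ Proto = 'TCP'; LocalAddress = $_.LocalAddress; LocalPort = $_.LocalPort; State = 'LISTEN' } }
        # UDP has no listen state: any bound endpoint can receive datagrams, so report them all
        Get-NetUDPEndpoint -OwningProcess $ProcessId -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ Proto = 'UDP'; LocalAddress = $_.LocalAddress; LocalPort = $_.LocalPort; State = 'BOUND' } }
    }
    else {
        # Older systems: netstat -ano prints the owning PID as the last column
        ConvertFrom-NetstatAno -Lines (netstat -ano) -ProcessId $ProcessId
    }
}

# Ports owned by the current PowerShell process; pass any other PID for another program
Get-ProcessListeningPorts -ProcessId $PID | Format-Table -AutoSize
```

Run it elevated if you need to see endpoints of processes owned by other users; the same per-PID attribution is what a host-based baseline of expected listeners is built from.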