//
// Coded By Napalm
// Modified By ZwelL
//
#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
#include "psapi.h"
#include <shlwapi.h>
#pragma comment(lib, "psapi.lib")
#pragma comment(lib, "ws2_32.lib")
#pragma comment(lib, "shlwapi.lib")
// Native-API (ntdll) types that the SDK headers do not ship. The layouts are
// hand-declared and written into by the kernel, so field order, widths and
// padding must stay exactly as they are.
typedef LONG NTSTATUS;

// Completion record filled in by NtDeviceIoControlFile: Status is the final
// NTSTATUS of the request, Information the byte count it reports.
typedef struct _IO_STATUS_BLOCK {
    union {
        NTSTATUS Status;
        PVOID Pointer;
    };
    ULONG_PTR Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;
typedef void (WINAPI * PIO_APC_ROUTINE)(PVOID, PIO_STATUS_BLOCK, DWORD);

// TDI (Transport Driver Interface) request structures. The only request this
// tool issues is a TDI_QUERY_ADDRESS_INFO query with the Request block zeroed.
typedef LONG TDI_STATUS;
typedef PVOID CONNECTION_CONTEXT; // connection context
typedef struct _TDI_REQUEST {
    union {
        HANDLE AddressHandle;
        CONNECTION_CONTEXT ConnectionContext;
        HANDLE ControlChannel;
    } Handle;
    PVOID RequestNotifyObject;
    PVOID RequestContext;
    TDI_STATUS TdiStatus;
} TDI_REQUEST, *PTDI_REQUEST;

typedef struct _TDI_CONNECTION_INFORMATION {
    LONG UserDataLength; // length of user data buffer
    PVOID UserData; // pointer to user data buffer
    LONG OptionsLength; // length of following buffer
    PVOID Options; // pointer to buffer containing options
    LONG RemoteAddressLength; // length of following buffer
    PVOID RemoteAddress; // buffer containing the remote address
} TDI_CONNECTION_INFORMATION, *PTDI_CONNECTION_INFORMATION;

// Input buffer of IOCTL_TDI_QUERY_INFORMATION.
typedef struct _TDI_REQUEST_QUERY_INFORMATION {
    TDI_REQUEST Request;
    ULONG QueryType; // class of information to be queried.
    PTDI_CONNECTION_INFORMATION RequestConnectionInformation;
} TDI_REQUEST_QUERY_INFORMATION, *PTDI_REQUEST_QUERY_INFORMATION;

// QueryType value used with IOCTL_TDI_QUERY_INFORMATION below; the IOCTL is
// built from FILE_DEVICE_TRANSPORT, function 4, with direct output buffering.
#define TDI_QUERY_ADDRESS_INFO 0x00000003
#define IOCTL_TDI_QUERY_INFORMATION CTL_CODE(FILE_DEVICE_TRANSPORT, 4, METHOD_OUT_DIRECT, FILE_ANY_ACCESS)

typedef VOID *POBJECT;

// One entry of the system-wide handle table returned by
// NtQuerySystemInformation(SystemHandleInformation). This tool consumes
// uIdProcess (owning PID) and Handle (the value to duplicate).
// NOTE(review): Handle is only 16 bits and the entry is laid out for a
// 32-bit kernel; an x64 build would need the wider layout returned by
// SystemExtendedHandleInformation — confirm the target before relying on this.
typedef struct _SYSTEM_HANDLE {
    ULONG uIdProcess;
    UCHAR ObjectType; // OB_TYPE_* (OB_TYPE_TYPE, etc.)
    UCHAR Flags; // HANDLE_FLAG_* (HANDLE_FLAG_INHERIT, etc.)
    USHORT Handle;
    POBJECT pObject;
    ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE, *PSYSTEM_HANDLE;

// Handles[1] is a variable-length trailing array: the buffer is over-allocated
// to hold uCount entries.
typedef struct _SYSTEM_HANDLE_INFORMATION {
    ULONG uCount;
    SYSTEM_HANDLE Handles[1];
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;

// Counted wide string: Length and MaximumLength are byte counts, and Buffer is
// not guaranteed to be NUL-terminated (callers copy Length bytes and add one).
typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR Buffer;
} UNICODE_STRING;
typedef UNICODE_STRING *PUNICODE_STRING;
typedef const UNICODE_STRING *PCUNICODE_STRING;

// NtQueryObject(ObjectNameInformation) returns a UNICODE_STRING header whose
// Buffer points at the name characters that follow it in the same buffer.
typedef UNICODE_STRING OBJECT_NAME_INFORMATION;
typedef UNICODE_STRING *POBJECT_NAME_INFORMATION;

// Information classes and NTSTATUS codes used below. Success and informational
// NTSTATUS values are non-negative; STATUS_INFO_LENGTH_MISMATCH and
// STATUS_BUFFER_OVERFLOW both mean "the supplied buffer was too small".
#define SystemHandleInformation 16
#define ObjectNameInformation 1
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#define STATUS_BUFFER_OVERFLOW ((NTSTATUS)0x80000005L)

// -------------------------------------------------------------------------
// Prototypes of the ntdll exports that are resolved at run time with
// GetProcAddress (so the binary still loads on systems without them).
typedef NTSTATUS (WINAPI *tNTQSI)(DWORD SystemInformationClass, PVOID SystemInformation,
                                  DWORD SystemInformationLength, PDWORD ReturnLength);
typedef NTSTATUS (WINAPI *tNTQO)(HANDLE ObjectHandle, DWORD ObjectInformationClass, PVOID ObjectInformation,
                                 DWORD Length, PDWORD ResultLength);
typedef NTSTATUS (WINAPI *tNTDIOCF)(HANDLE FileHandle, HANDLE Event, PIO_APC_ROUTINE ApcRoutine, PVOID ApcContext,
                                    PIO_STATUS_BLOCK IoStatusBlock, DWORD IoControlCode,
                                    PVOID InputBuffer, DWORD InputBufferLength,
                                    PVOID OutputBuffer, DWORD OutputBufferLength);
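// Enables SeDebugPrivilege in the current process token so that OpenProcess /
// DuplicateHandle can reach handles held by processes of other users.
// Failure is silent by design: without the privilege the later OpenProcess
// calls simply fail for protected processes and those handles are skipped.
// The token handle is released on every path.
void EnableDebugPrivilege()
{
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken)) {
        return;
    }
    LUID luidDebug;
    if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luidDebug)) {
        TOKEN_PRIVILEGES tokenPriv;
        ZeroMemory(&tokenPriv, sizeof(tokenPriv));
        tokenPriv.PrivilegeCount = 1;
        tokenPriv.Privileges[0].Luid = luidDebug;
        tokenPriv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        // AdjustTokenPrivileges returns TRUE even when the privilege is not
        // held (GetLastError() == ERROR_NOT_ALL_ASSIGNED); that case shows up
        // later as OpenProcess failures rather than as an error here.
        AdjustTokenPrivileges(hToken, FALSE, &tokenPriv, sizeof(tokenPriv), NULL, NULL);
    }
    CloseHandle(hToken);
}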
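// Returns the object-manager name of hObject (for example a device path) as a
// newly allocated, NUL-terminated wide string, or NULL when NtQueryObject is
// unavailable, the query fails, or the object has no name. The result is
// allocated with new BYTE[] and must be released with delete[].
//
// NOTE(review): NtQueryObject(ObjectNameInformation) can block indefinitely on
// some handle types (synchronous named pipes are the usual case); enumerators
// that must not hang query from a worker thread with a timeout — confirm
// whether that matters where this tool is run.
LPWSTR GetObjectName(HANDLE hObject)
{
    tNTQO pNTQO = (tNTQO)GetProcAddress(GetModuleHandle("NTDLL.DLL"), "NtQueryObject");
    if (pNTQO == NULL) {
        return NULL;
    }

    // OBJECT_NAME_INFORMATION is only the header; the name characters follow
    // it in the same buffer, so the first call is expected to report the size
    // actually needed in dwNeeded.
    DWORD dwSize = sizeof(OBJECT_NAME_INFORMATION);
    DWORD dwNeeded = 0;
    BYTE *pRaw = new BYTE[dwSize];
    NTSTATUS ntReturn = pNTQO(hObject, ObjectNameInformation, pRaw, dwSize, &dwNeeded);

    // Windows versions differ in which "buffer too small" status they return;
    // accept either and retry once with the reported size.
    if ((ntReturn == STATUS_BUFFER_OVERFLOW || ntReturn == STATUS_INFO_LENGTH_MISMATCH) && dwNeeded > dwSize) {
        delete[] pRaw;
        dwSize = dwNeeded;
        pRaw = new BYTE[dwSize];
        ntReturn = pNTQO(hObject, ObjectNameInformation, pRaw, dwSize, &dwNeeded);
    }

    LPWSTR lpwsReturn = NULL;
    // Success and informational NTSTATUS codes are non-negative.
    if (ntReturn >= STATUS_SUCCESS) {
        POBJECT_NAME_INFORMATION pObjectInfo = (POBJECT_NAME_INFORMATION)pRaw;
        // Unnamed objects come back with a NULL Buffer. Length is a byte count
        // without terminator; the extra zeroed WCHAR terminates the copy.
        if (pObjectInfo->Buffer != NULL) {
            size_t cbName = pObjectInfo->Length + sizeof(WCHAR);
            BYTE *pName = new BYTE[cbName];
            ZeroMemory(pName, cbName);
            CopyMemory(pName, pObjectInfo->Buffer, pObjectInfo->Length);
            lpwsReturn = (LPWSTR)pName;
        }
    }
    // Matches the new BYTE[] above (plain delete on an array is undefined).
    delete[] pRaw;
    return lpwsReturn;
}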
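#ifndef STATUS_PENDING
#define STATUS_PENDING ((NTSTATUS)0x00000103L)
#endif

// Fills *ip and *port with the local address and port bound to the TCP/UDP
// device handle hObject, using IOCTL_TDI_QUERY_INFORMATION with
// TDI_QUERY_ADDRESS_INFO. Both outputs are zeroed first, so a failed query
// (missing NtDeviceIoControlFile, event creation failure, non-success status)
// leaves 0.0.0.0:0 rather than whatever the caller had on its stack.
void OutputConnectionDetails(HANDLE hObject, in_addr *ip, DWORD *port)
{
    ZeroMemory(ip, sizeof(*ip));
    *port = 0;

    tNTDIOCF pNTDIOCF = (tNTDIOCF)GetProcAddress(GetModuleHandle("NTDLL.DLL"), "NtDeviceIoControlFile");
    if (pNTDIOCF == NULL) {
        return;
    }

    IO_STATUS_BLOCK IoStatusBlock;
    ZeroMemory(&IoStatusBlock, sizeof(IoStatusBlock));
    TDI_REQUEST_QUERY_INFORMATION tdiRequestAddress = {{0}, TDI_QUERY_ADDRESS_INFO};
    BYTE tdiAddress[128];
    ZeroMemory(tdiAddress, sizeof(tdiAddress));

    // Without an event a request that completes asynchronously cannot be
    // waited on (and would write into tdiAddress after this frame is gone).
    HANDLE hEvent = CreateEvent(NULL, TRUE, FALSE, NULL);
    if (hEvent == NULL) {
        return;
    }
    NTSTATUS ntReturn = pNTDIOCF(hObject, hEvent, NULL, NULL, &IoStatusBlock, IOCTL_TDI_QUERY_INFORMATION,
                                 &tdiRequestAddress, sizeof(tdiRequestAddress), tdiAddress, sizeof(tdiAddress));
    // Handles opened for overlapped I/O complete later: wait for the event and
    // take the final status from the I/O status block. The wait is unbounded
    // because returning while the request is still pending is not safe.
    if (ntReturn == STATUS_PENDING) {
        WaitForSingleObject(hEvent, INFINITE);
        ntReturn = IoStatusBlock.Status;
    }
    CloseHandle(hEvent);
    if (ntReturn != STATUS_SUCCESS) {
        return;
    }

    // Presumed layout of the returned TDI_ADDRESS_INFO (the offsets are the
    // ones the original author used): 4 bytes ActivityCount, 4 bytes
    // TAAddressCount, 2 bytes AddressLength, 2 bytes AddressType, then the
    // TDI_ADDRESS_IP with the network-order port at offset 12 and the IPv4
    // address at offset 14. Copy byte-wise: offset 14 is not 4-byte aligned.
    USHORT usPort = 0;
    CopyMemory(&usPort, &tdiAddress[12], sizeof(usPort));
    CopyMemory(ip, &tdiAddress[14], sizeof(*ip));
    *port = ntohs(usPort);
}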
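// Fetches the system handle table via NtQuerySystemInformation. Returns a
// buffer allocated with new BYTE[] that the caller frees with delete[], or
// NULL when the query fails with anything other than "buffer too small".
static PSYSTEM_HANDLE_INFORMATION QuerySystemHandles(tNTQSI pNTQSI)
{
    DWORD dwSize = sizeof(SYSTEM_HANDLE_INFORMATION);
    DWORD dwReturned = 0;
    BYTE *pBuffer = new BYTE[dwSize];
    NTSTATUS ntReturn = pNTQSI(SystemHandleInformation, pBuffer, dwSize, &dwReturned);
    // The table can grow between the size probe and the real query, and some
    // kernels leave ReturnLength at 0, so keep growing until the query fits
    // instead of trusting a single probe.
    while (ntReturn == STATUS_INFO_LENGTH_MISMATCH) {
        delete[] pBuffer;
        dwSize = (dwReturned > dwSize) ? dwReturned + 64 * sizeof(SYSTEM_HANDLE) : dwSize * 2;
        pBuffer = new BYTE[dwSize];
        ntReturn = pNTQSI(SystemHandleInformation, pBuffer, dwSize, &dwReturned);
    }
    if (ntReturn != STATUS_SUCCESS) {
        delete[] pBuffer;
        return NULL;
    }
    return (PSYSTEM_HANDLE_INFORMATION)pBuffer;
}

// Prints one table row for a Tcp/Udp device handle: owning PID, handle value,
// image name, object name, local IP and port, and the full image path.
static void PrintSocketHandle(HANDLE hProcess, HANDLE hObject, const SYSTEM_HANDLE &entry, LPCWSTR lpwsName)
{
    CHAR szProcess[MAX_PATH];
    ZeroMemory(szProcess, sizeof(szProcess));
    // Zero the endpoint before the query so a failed lookup prints 0.0.0.0:0
    // rather than uninitialized stack contents.
    struct in_addr ipaddr;
    ZeroMemory(&ipaddr, sizeof(ipaddr));
    DWORD port = 0;
    OutputConnectionDetails(hObject, &ipaddr, &port);
    // If the image path cannot be read (kernel-owned handle, access denied)
    // the buffer stays empty and the row shows [System].
    GetModuleFileNameEx(hProcess, NULL, szProcess, MAX_PATH);
    // Format specifiers match the argument widths: ULONG/DWORD print as %lu.
    printf("%5lu\t%6u\t%-16s%-20ws%12s%7lu\t%s\n",
           (unsigned long)entry.uIdProcess,
           (unsigned)entry.Handle,
           ((lstrlen(szProcess) > 0) ? PathFindFileName(szProcess) : "[System]"),
           lpwsName,
           inet_ntoa(ipaddr),
           (unsigned long)port,
           szProcess);
}

// Entry point: lists every Tcp/Udp device handle in the system together with
// its owning process and local endpoint. Needs an NT-based Windows and, to see
// other users' processes, SeDebugPrivilege. Returns 0 on success and 1 when the
// native API is missing or the handle table cannot be read.
//
// The string literals below use backslash escapes ("\n", "\t", "\\Device\\Tcp");
// the NT device names are compared against "\Device\Tcp" and "\Device\Udp".
int main(int argc, char *argv[])
{
    (void)argc;
    (void)argv;
    printf("TCP/UDP Handle List - by Napalm\n");
    printf("Modified by ZwelL\n");
    printf("===============================\n\n");
    EnableDebugPrivilege();

    tNTQSI pNTQSI = (tNTQSI)GetProcAddress(GetModuleHandle("NTDLL.DLL"), "NtQuerySystemInformation");
    if (pNTQSI == NULL) {
        printf("Cannot find NtQuerySystemInformation API... Is this system not Win2K and above?");
        return 1;
    }
    PSYSTEM_HANDLE_INFORMATION pHandleInfo = QuerySystemHandles(pNTQSI);
    if (pHandleInfo == NULL) {
        printf("Error while trying to allocate memory for System Handle Information.\n");
        return 1;
    }

    printf(" Found %lu Handles. Listing TCP/UDP Handles...\n\n", (unsigned long)pHandleInfo->uCount);
    printf(" PID\tHandle\t%-16sHandle Name\tIP Address\tPort\n", "Process Name");
    for (DWORD dwIdx = 0; dwIdx < pHandleInfo->uCount; dwIdx++) {
        const SYSTEM_HANDLE &entry = pHandleInfo->Handles[dwIdx];
        HANDLE hProcess = OpenProcess(PROCESS_DUP_HANDLE | PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,
                                      FALSE, entry.uIdProcess);
        // OpenProcess signals failure with NULL, not INVALID_HANDLE_VALUE;
        // protected or exited processes are simply skipped.
        if (hProcess == NULL) {
            continue;
        }
        HANDLE hObject = NULL;
        if (DuplicateHandle(hProcess, (HANDLE)(ULONG_PTR)entry.Handle,
                            GetCurrentProcess(), &hObject, STANDARD_RIGHTS_REQUIRED, FALSE, 0)) {
            LPWSTR lpwsName = GetObjectName(hObject);
            if (lpwsName != NULL) {
                if (wcscmp(lpwsName, L"\\Device\\Tcp") == 0 || wcscmp(lpwsName, L"\\Device\\Udp") == 0) {
                    PrintSocketHandle(hProcess, hObject, entry, lpwsName);
                }
                // GetObjectName allocates the name with new BYTE[].
                delete[] (BYTE *)lpwsName;
            }
            CloseHandle(hObject);
        }
        CloseHandle(hProcess);
    }
    printf("\n\n");
    delete[] (BYTE *)pHandleInfo;
    return 0;
}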