Notice
Recent Posts
Recent Comments
| 일 | 월 | 화 | 수 | 목 | 금 | 토 |
|---|---|---|---|---|---|---|
| 1 | ||||||
| 2 | 3 | 4 | 5 | 6 | 7 | 8 |
| 9 | 10 | 11 | 12 | 13 | 14 | 15 |
| 16 | 17 | 18 | 19 | 20 | 21 | 22 |
| 23 | 24 | 25 | 26 | 27 | 28 | 29 |
| 30 |
Tags
- data distribution
- mock.patch
- idb2pat
- NumPy Unicode Error
- idapython
- open office xml
- hex-rays
- idapro
- h5py.File
- why error
- error
- svn update
- TensorFlow
- Injection
- error fix
- MySQL
- javascript
- 포인터 매핑
- ida pro
- x64
- commandline
- Rat
- Python
- Analysis
- ecma
- ida
- debugging
- Ransomware
- malware
- pytest
Archives
- Today
- Total
13 Security Lab
netstat 구현소스 분석 - wnetstat 본문
GetTcpTable MSDN : http://msdn.microsoft.com/en-us/library/windows/desktop/aa366026(v=vs.85).aspx
wnetstat 소스 실질적 netstat기능을 하는 함수부분 ; tcp 부분
void CWnetstatDlg::check()
{
// TODO: Add your control notification handler code here
numEntries = 0; //numEntries = 0; 는 class CWnetstatDlg 클래스의 멤버변수. 데이터개수 체크한다.
bool found = false;
CString msg = ""; //msg를 담기위한 스트링을 초기화시킨다.
GetDlgItemText(IDC_EDIT_PORTFILTER, portFilter); // 콤보박스에서 받은 포트 필터링값
GetDlgItemText(IDC_EDIT_IPFILTER, ipFilter); // 콤보박스에서 받은 아이피 필터링값
struct tm *utc_time; //time.h에 정의된 시간 구조체(초분시날달년 등 int변수를 멤버로 가짐 ex)int tm_sec;)
time_t thetime; //마찬가지로 time 관련
time(&thetime); //마찬가지 ㅡㅡ
utc_time = gmtime(&thetime); // 이상 자세한 설명은 생략한다.
CString tmp = ""; //tmp 스트링 선언 및 초기화
tmp.Format("%02u-%02u-%04u %02u:%02u:%02u\r\n",(utc_time->tm_year + 1900), (utc_time->tm_mon + 1), utc_time->tm_mday, utc_time->tm_hour, utc_time->tm_min, utc_time->tm_sec);
//여기따 년-월-일 시:분:초
log_str = tmp; //로그 기록할려고 담는듯
SetDlgItemText(IDC_EDIT_STATS, log_str); // 시간을 에디트박스에 드디어 찍는다.
((CEdit *) GetDlgItem(IDC_EDIT_STATS))->LineScroll( ((CEdit *) GetDlgItem(IDC_EDIT_STATS))->GetLineCount(), 0);
// 카운트해서 자동스크롤링
char srcIpBuffer[128], dstIpBuffer[128], state[32], fullSrcBuffer[140], fullDstBuffer[140], localPortName[16], remotePortName[16]; unsigned short localPort, remotePort;
int x, y, curr, breakOut = 0;
srcIpBuffer[sizeof(srcIpBuffer)-1] = 0;
dstIpBuffer[sizeof(dstIpBuffer)-1] = 0;
fullSrcBuffer[sizeof(fullSrcBuffer)-1] = 0;
fullDstBuffer[sizeof(fullDstBuffer)-1] = 0;
localPortName[sizeof(localPortName)-1] = 0;
remotePortName[sizeof(remotePortName)-1] = 0;
log_str += " Proto Local Address Remote Address State\r\n";
//각 필드를 나타냄
if((protocolFilter.CompareNoCase("TCP") == 0) || (protocolFilter.CompareNoCase("NONE") == 0)) // TCP
{//콤보박스에서 필터를 tcp로 하거나 선택안했을때,
DWORD tcpTableSize = sizeof(MIB_TCPTABLE) * 128; //tcp table 사이즈 MIB_TCPTABLE는 아래 추가설명
MIB_TCPTABLE *tcpTable = (MIB_TCPTABLE *)malloc(tcpTableSize);
tcpTable->dwNumEntries = 0; // tcp 데이터 개수 0개 초기화
GetTcpTable(tcpTable, &tcpTableSize, TRUE); //몽땅받아오긔
numEntries += tcpTable->dwNumEntries; //tcp 연결 또는 오픈 개수만큼 카운트값 설정
for (x = 0; x < (int)tcpTable->dwNumEntries; x++) //카운트값만큼
{
breakOut = 0;
if ((tcpTable->table[x].dwState == MIB_TCP_STATE_LISTEN) && (! 1/*netstat.display.allConnectAndListening*/))
continue;
// Hide subnet check.
for (curr = 0; hideSubnets[curr].subnet; curr++)
{
DWORD currSubnet = inet_addr(hideSubnets[curr].subnet), currNetmask = inet_addr(hideSubnets[curr].netmask);
// If this hosts matches one of the hide subnets.
if ((breakOut = ((currSubnet & currNetmask) == (tcpTable->table[x].dwRemoteAddr & currNetmask))))
break;
}
if (breakOut)
continue;
// Hide listen port check.
localPort = ntohs((unsigned short)(tcpTable->table[x].dwLocalPort & 0xFFFF)); // 로컬포트부분스트링으로 바꿔서 저장한다.
remotePort = ntohs((unsigned short)(tcpTable->table[x].dwRemotePort & 0xFFFF)); // 리모트포트
if (tcpTable->table[x].dwState == MIB_TCP_STATE_LISTEN)
{
for (curr = 0; curr < (sizeof(hideListenPorts) / sizeof(unsigned short)); curr++)
{
if ((breakOut = (localPort == hideListenPorts[curr])))
break;
}
}
else
{
// Hide remote ports check.
for (curr = 0; curr < (sizeof(hideRemotePorts) / sizeof(unsigned short)); curr++)
{
if ((breakOut = (remotePort == hideRemotePorts[curr])))
break;
}
}
if (breakOut)
continue;
resolveAddress(tcpTable->table[x].dwLocalAddr, srcIpBuffer, sizeof(srcIpBuffer)-1, 1);
resolveAddress(tcpTable->table[x].dwRemoteAddr, dstIpBuffer, sizeof(dstIpBuffer)-1, 0);
switch (tcpTable->table[x].dwState) // 연결상태
{
case MIB_TCP_STATE_CLOSED:
strcpy(state,"CLOSED"); break;
case MIB_TCP_STATE_LISTEN:
strcpy(state,"LISTENING"); break;
case MIB_TCP_STATE_SYN_SENT:
strcpy(state,"SYN_SENT"); break;
case MIB_TCP_STATE_SYN_RCVD:
strcpy(state,"SYN_RCVD"); break;
case MIB_TCP_STATE_ESTAB:
strcpy(state,"ESTABLISHED"); break;
case MIB_TCP_STATE_FIN_WAIT1:
strcpy(state,"FIN_WAIT1"); break;
case MIB_TCP_STATE_FIN_WAIT2:
strcpy(state,"FIN_WAIT2"); break;
case MIB_TCP_STATE_CLOSE_WAIT:
strcpy(state,"CLOSE_WAIT"); break;
case MIB_TCP_STATE_CLOSING:
strcpy(state,"CLOSING"); break;
case MIB_TCP_STATE_LAST_ACK:
strcpy(state,"LAST_ACK"); break;
case MIB_TCP_STATE_TIME_WAIT:
strcpy(state,"TIME_WAIT"); break;
case MIB_TCP_STATE_DELETE_TCB:
strcpy(state,"DELETE_TCB"); break;
}
memset(fullSrcBuffer, 0, sizeof(fullSrcBuffer));
memset(fullDstBuffer, 0, sizeof(fullDstBuffer));
if (tcpTable->table[x].dwState == MIB_TCP_STATE_LISTEN)
remotePort = 0;
resolvePort(localPort, localPortName, sizeof(localPortName)-1, "TCP");
resolvePort(remotePort, remotePortName, sizeof(remotePortName)-1, "TCP");
_snprintf(fullSrcBuffer, sizeof(fullSrcBuffer) - 1, "%s:%s", srcIpBuffer, localPortName);
_snprintf(fullDstBuffer, sizeof(fullDstBuffer) - 1, "%s:%s", dstIpBuffer, remotePortName);
for (y = strlen(fullSrcBuffer); y < 23; y++)
fullSrcBuffer[y] = ' ';
for (y = strlen(fullDstBuffer); y < 23; y++)
fullDstBuffer[y] = ' ';
CString str = ""; // 연결상태 한라인 받을 스트링
if( (stateFilter.CompareNoCase("NONE") == 0) &&
(IsDlgButtonChecked(IDC_CHECK_PORTFILTER) == 0) &&
(IsDlgButtonChecked(IDC_CHECK_IPFILTER) == 0) )
{
if (strlen(fullDstBuffer) >= 23)
str.Format(" TCP %23s%s %s\r\n", fullSrcBuffer, fullDstBuffer, state); //연결 한라인 받기
else
str.Format(" TCP %23s%s%s\r\n", fullSrcBuffer, fullDstBuffer, state);
}
else
{
CString pName = localPortName;
CString aName = dstIpBuffer;
if( ((stateFilter.CompareNoCase(state) == 0) || (stateFilter.CompareNoCase("NONE") == 0)) &&
((IsDlgButtonChecked(IDC_CHECK_PORTFILTER) == 0) || (pName.Find(portFilter) != -1)) &&
((IsDlgButtonChecked(IDC_CHECK_IPFILTER) == 0) || (aName.Find(ipFilter) != -1)) )
{
if (strlen(fullDstBuffer) >= 23)
str.Format(" TCP %23s%s %s\r\n", fullSrcBuffer, fullDstBuffer, state);
else
str.Format(" TCP %23s%s%s\r\n", fullSrcBuffer, fullDstBuffer, state);
msg += str; // 이부분은 다른 부가기능을 위한것이므로 신경안써도된다 그냥 msg를 신경쓰지말자
found = true;
}
}
log_str += str; //연결 한라인을 루프마다 log_str에 차곡 차곡 쌓는다.
}
free(tcpTable);
}
if(IsDlgButtonChecked(IDC_CHECK_LOG) != 0)
{
log << log_str; //로그 남기기위해 -> ofstream log;
}
SetDlgItemText(IDC_EDIT_STATS, log_str); //드디어 출력화면인 에디트컨트롤에 때려박는 부분ㅋㅋ
((CEdit *) GetDlgItem(IDC_EDIT_STATS))->LineScroll( ((CEdit *) GetDlgItem(IDC_EDIT_STATS))->GetLineCount(), 0); //스크롤링해준다. 신경안써도됨
}
MIB_TCPTABLE 추가설명 & trace
"tcpmib.h"
typedef struct _MIB_TCPTABLE {
DWORD dwNumEntries;
MIB_TCPROW table[ANY_SIZE];
} MIB_TCPTABLE, *PMIB_TCPTABLE;
typedef MIB_TCPROW_LH MIB_TCPROW; //정의 부분
typedef struct _MIB_TCPROW_LH {
union {
DWORD dwState; // Old field used DWORD type.
MIB_TCP_STATE State; // New field uses enum type.
};
DWORD dwLocalAddr;
DWORD dwLocalPort;
DWORD dwRemoteAddr;
DWORD dwRemotePort;
} MIB_TCPROW_LH, *PMIB_TCPROW_LH;
typedef enum {
MIB_TCP_STATE_CLOSED = 1,
MIB_TCP_STATE_LISTEN = 2,
MIB_TCP_STATE_SYN_SENT = 3,
MIB_TCP_STATE_SYN_RCVD = 4,
MIB_TCP_STATE_ESTAB = 5,
MIB_TCP_STATE_FIN_WAIT1 = 6,
MIB_TCP_STATE_FIN_WAIT2 = 7,
MIB_TCP_STATE_CLOSE_WAIT = 8,
MIB_TCP_STATE_CLOSING = 9,
MIB_TCP_STATE_LAST_ACK = 10,
MIB_TCP_STATE_TIME_WAIT = 11,
MIB_TCP_STATE_DELETE_TCB = 12,
} MIB_TCP_STATE;
'Computer Science/Projects' Related Articles
more
Comments