TCP and UDP tables + PID

[Armoured]

I'm started from the peteb code to make my version that display the PID attached to all the active connections

Code: Select all

#AF_INET = 2 ;IPV4
#AF_INET6 = 23 ;IPV6

#TCP_TABLE_BASIC_LISTENER = 0
#TCP_TABLE_BASIC_CONNECTIONS = 1
#TCP_TABLE_BASIC_ALL = 2
#TCP_TABLE_OWNER_PID_LISTENER = 3
#TCP_TABLE_OWNER_PID_CONNECTIONS = 4
#TCP_TABLE_OWNER_PID_ALL = 5
#TCP_TABLE_OWNER_MODULE_LISTENER = 6
#TCP_TABLE_OWNER_MODULE_CONNECTIONS = 7
#TCP_TABLE_OWNER_MODULE_ALL = 8

#UDP_TABLE_BASIC = 0
#UDP_TABLE_OWNER_PID = 1
#UDP_TABLE_OWNER_MODULE = 0

Dim TCPstate.s(15)

For k = 1 To 15
    TCPstate(k) = StringField("Closed|Listening|SYN Sent|SYN Received|Established|Waiting For FIN|Waiting For FIN|Waiting For Close|Closing|Last ACK|Time Wait|TCB deleted", k, "|")
Next

Structure MIB_TCPTABLE_OWNER_PID 
  dwStats.l 
  dwLocalAddr.l 
  dwLocalPort.l 
  dwRemoteAddr.l 
  dwRemotePort.l
  dwOwningPid.l 
EndStructure 

Structure MIB_TCPTABLE 
  dwNumEntries.l 
  table.MIB_TCPTABLE_OWNER_PID[2048] 
EndStructure 


Structure MIB_UDPTABLE_OWNER_PID 
  dwLocalAddr.l 
  dwLocalPort.l
  dwOwningPid.l 
EndStructure 

Structure MIB_UDPTABLE
  dwNumEntries.l 
  table.MIB_UDPTABLE_OWNER_PID[2048] 
EndStructure 


If OpenLibrary(0, "iphlpapi.dll")
    dwSize = $0
    If CallFunction(0,"GetExtendedTcpTable",@tcpTable.MIB_TCPTABLE , @dwSize, #True,#AF_INET,#TCP_TABLE_OWNER_PID_ALL,0)   
    If CallFunction(0,"GetExtendedTcpTable",@tcpTable.MIB_TCPTABLE , @dwSize, #True,#AF_INET,#TCP_TABLE_OWNER_PID_ALL,0) = #NO_ERROR
        For cnt = 0 To tcpTable\dwNumEntries - 1
            Debug("type: TCP")
            Debug("state: " + TCPstate (tcpTable\table[cnt]\dwStats))
            Debug("local IP: "    + IPString(tcpTable\table[cnt]\dwLocalAddr))
            Debug("local port: "  + Str(htons_(tcpTable\table[cnt]\dwLocalPort)))
            Debug("remote IP: "   + IPString(tcpTable\table[cnt]\dwRemoteAddr))
            Debug("remote port: " + Str(htons_(tcpTable\table[cnt]\dwRemotePort)))
            Debug("PID: " + Str(tcpTable\table[cnt]\dwOwningPid))
            Debug("")
        Next
    EndIf
    EndIf
    
    dwSize = $0
    If CallFunction(0,"GetExtendedUdpTable",@udpTable.MIB_UDPTABLE , @dwSize, #True,#AF_INET,#UDP_TABLE_OWNER_PID,0)
    If CallFunction(0,"GetExtendedUdpTable",@udpTable.MIB_UDPTABLE , @dwSize, #True,#AF_INET,#UDP_TABLE_OWNER_PID,0) = #NO_ERROR
        For cnt = 0 To udpTable\dwNumEntries - 1
            Debug("type UDP")
            Debug("local IP: " + IPString(udpTable\table[cnt]\dwLocalAddr))
            Debug("local port: " + Str(htons_(udpTable\table[cnt]\dwLocalPort)))
            Debug("PID: " + Str(udpTable\table[cnt]\dwOwningPid))
            Debug("")
        Next
    EndIf
    EndIf
      
    CloseLibrary(0)
EndIf

End

[newbie]

Sadly, there is no API (documented or known undocumented) available for Windows 2000 Programs working on Windows 2000 uses a driver.

[Armoured]

Sadly, there is no API (documented or known undocumented) available for Windows 2000 Programs working on Windows 2000 uses a driver.

here there is a solution but in vb6: http://www.planet-source-code.com/vb/sc ... 9&lngWId=1

[newbie]

The author says explicitely that he uses Native API, and that it's app communicate with a driver. Native API can only be accessed from a driver.
From the description, it seems that the app made in VB is only communicating with the driver. However this last one must have been done in C++ with the Microsoft DDK.

Please correct me If I'm wrong.

[Armoured]

he author says explicitely that he uses Native API, and that it's app communicate with a driver. Native API can only be accessed from a driver.
From the description, it seems that the app made in VB is only communicating with the driver. However this last one must have been done in C++ with the Microsoft DDK.

You can remake the Vb part in purebasic and extract the driver for use it on your application.

[Henrik]

Thanx Armoured
Working nicely on Xp sp2

Best regrads Henrik.

[jpd]

Hi Armoured,

this code work fine and is really nice,

but me interest is the VB example.

The author says explicitely that he uses Native API, and that it's app communicate with a driver. Native API can only be accessed from a driver.
From the description, it seems that the app made in VB is only communicating with the driver. However this last one must have been done in C++ with the Microsoft DDK.

Please correct me If I'm wrong.

the programmer describe a methode to communicate with the driver.

here a snippet of the description:

Our programs use most times protected memory zones (User-Mode).
The controllers and drivers use real access to memory and hardware (Kernel-Mode).
We need to transfer information located in Kernel-Mode to our application (User-Mode).
One of the uses methods is making a call IOCTL to the driver using a buffer created by our application (Win32 function DeviceIoControl()) To synchronize the driver and the application we will use CreateEvent(). The named event i automatically created in the Object Manager's BaseNamedObjects directory.

Description of function: It´s good Known that we need at least administrators rights to get access to all running processes. Obtain execution privileges in the system by means of the function LoadPrivilege(), getting SeDebugPrivilege. Then list all the processes (PID's) using NtQuerySystemInformation(), function of NTDLL.DLL, allowing us the access to the memory shared in Kernel-Mode. Using NtQueryObject(), we will list all the hadles belonging to each process. To look for open ports we will filter the handles type "File" named "\device\tcp" and "\device\udp." Then we look for information of each handle using NtDeviceIoControlFile(), that returns us the port like a integer number as the sockets API uses it. We convert that number through Swap of their Bytes using the IpHelper API function ntohs() and we convert it to a Long type of VB. The rest is very easy: ......

Best

jpd

[klaver]

Code: Select all

Procedure SomeFunc()
  If OpenLibrary(0, "iphlpapi.dll")
    If CallFunction(0,"GetExtendedTcpTable", @tcpTable.MIB_TCPTABLE, @dwSize.l, #True,#AF_INET,#TCP_TABLE_OWNER_PID_ALL,0)   
      If CallFunction(0,"GetExtendedTcpTable", @tcpTable.MIB_TCPTABLE, @dwSize, #True,#AF_INET,#TCP_TABLE_OWNER_PID_ALL,0) = #NO_ERROR
        For cnt = 0 To tcpTable\dwNumEntries - 1
            Debug("Type: TCP ("+ TCPstate(tcpTable\table[cnt]\dwStats) +")")
            Debug("Local: "+ IPString(tcpTable\table[cnt]\dwLocalAddr) +":"+ Str(htons_(tcpTable\table[cnt]\dwLocalPort)))
            Debug("Remote: "+ IPString(tcpTable\table[cnt]\dwRemoteAddr) +":"+ Str(htons_(tcpTable\table[cnt]\dwRemotePort)))
            Debug("PID: " + Str(tcpTable\table[cnt]\dwOwningPid))
            Debug("")
        Next
      EndIf
    EndIf
  CloseLibrary(0)
  EndIf
EndProcedure

Debug "Hello!"
SomeFunc()
Debug "Bye!"

My application gets terminated when I'm trying to put the code from the first post in a procedure... does it occur for any1 else too?

[Dummy]

First of all: thanks for sharing that great code

Code: Select all

Procedure SomeFunc()
  If OpenLibrary(0, "iphlpapi.dll")
    If CallFunction(0,"GetExtendedTcpTable", @tcpTable.MIB_TCPTABLE, @dwSize.l, #True,#AF_INET,#TCP_TABLE_OWNER_PID_ALL,0)   
      If CallFunction(0,"GetExtendedTcpTable", @tcpTable.MIB_TCPTABLE, @dwSize, #True,#AF_INET,#TCP_TABLE_OWNER_PID_ALL,0) = #NO_ERROR
        For cnt = 0 To tcpTable\dwNumEntries - 1
            Debug("Type: TCP ("+ TCPstate(tcpTable\table[cnt]\dwStats) +")")
            Debug("Local: "+ IPString(tcpTable\table[cnt]\dwLocalAddr) +":"+ Str(htons_(tcpTable\table[cnt]\dwLocalPort)))
            Debug("Remote: "+ IPString(tcpTable\table[cnt]\dwRemoteAddr) +":"+ Str(htons_(tcpTable\table[cnt]\dwRemotePort)))
            Debug("PID: " + Str(tcpTable\table[cnt]\dwOwningPid))
            Debug("")
        Next
      EndIf
    EndIf
  CloseLibrary(0)
  EndIf
EndProcedure

Debug "Hello!"
SomeFunc()
Debug "Bye!"

My application gets terminated when I'm trying to put the code from the first post in a procedure... does it occur for any1 else too?

try this:

Code: Select all

#AF_INET = 2 ;IPV4
#AF_INET6 = 23 ;IPV6

#TCP_TABLE_BASIC_LISTENER = 0
#TCP_TABLE_BASIC_CONNECTIONS = 1
#TCP_TABLE_BASIC_ALL = 2
#TCP_TABLE_OWNER_PID_LISTENER = 3
#TCP_TABLE_OWNER_PID_CONNECTIONS = 4
#TCP_TABLE_OWNER_PID_ALL = 5
#TCP_TABLE_OWNER_MODULE_LISTENER = 6
#TCP_TABLE_OWNER_MODULE_CONNECTIONS = 7
#TCP_TABLE_OWNER_MODULE_ALL = 8

Dim TCPstate.s(15)

For k = 1 To 15
  TCPstate(k) = StringField("Closed|Listening|SYN Sent|SYN Received|Established|Waiting For FIN|Waiting For FIN|Waiting For Close|Closing|Last ACK|Time Wait|TCB deleted", k, "|")
Next

Structure MIB_TCPTABLE_OWNER_PID
  dwStats.l
  dwLocalAddr.l
  dwLocalPort.l
  dwRemoteAddr.l
  dwRemotePort.l
  dwOwningPid.l
EndStructure

Structure MIB_TCPTABLE
  dwNumEntries.l
  table.MIB_TCPTABLE_OWNER_PID[2048]
EndStructure

Define tcpTable.MIB_TCPTABLE

Procedure SomeFunc()
  Shared TCPstate(), tcpTable
  
  If OpenLibrary(0, "iphlpapi.dll")
    If CallFunction(0,"GetExtendedTcpTable", @tcpTable.MIB_TCPTABLE, @dwSize.l, #True,#AF_INET,#TCP_TABLE_OWNER_PID_ALL,0)   
      If CallFunction(0,"GetExtendedTcpTable", @tcpTable.MIB_TCPTABLE, @dwSize, #True,#AF_INET,#TCP_TABLE_OWNER_PID_ALL,0) = #NO_ERROR
        For cnt = 0 To tcpTable\dwNumEntries - 1
          Debug("Type: TCP ("+ TCPstate(tcpTable\table[cnt]\dwStats) +")")
          Debug("Local: "+ IPString(tcpTable\table[cnt]\dwLocalAddr) +":"+ Str(htons_(tcpTable\table[cnt]\dwLocalPort)))
          Debug("Remote: "+ IPString(tcpTable\table[cnt]\dwRemoteAddr) +":"+ Str(htons_(tcpTable\table[cnt]\dwRemotePort)))
          Debug("PID: " + Str(tcpTable\table[cnt]\dwOwningPid))
          Debug("")
        Next
      EndIf
    EndIf
    CloseLibrary(0)
  EndIf
EndProcedure

Debug "Hello!"
SomeFunc()
Debug "Bye!"

The memory that GetExtendedTcpTable() writes to mustn't be stack-space as protected structured variables are... You'd have to allocate the memory via

Code: Select all

*tcpTable.MIB_TCPTABLE = AllocateMemory(SizeOf(MIB_TCPTABLE))