TCPView软件如何取得进程对应的端口号?

通过OD(OllyDbg)跟踪,很容易发现TCPView使用了Windows中由 iphlpapi.dll 导出的两个关键API来实现这个功能(即下面反汇编中注释出的 IPHLPAPI.GetExtendedTcpTable 和 IPHLPAPI.GetExtendedUdpTable)。两个API的定义:

/*
 * Retrieves the TCP endpoint table for one address family (iphlpapi.dll).
 *
 * pTcpTable  - caller-supplied buffer.  The row type is selected by
 *              TableClass; for the *_OWNER_PID classes it is a
 *              MIB_TCPTABLE_OWNER_PID.  May be NULL on a first "probe" call.
 * pdwSize    - in: size of pTcpTable in bytes; out: bytes actually required.
 * bOrder     - per the SDK docs, TRUE returns the rows sorted.
 * ulAf       - address family, AF_INET (2) or AF_INET6.
 * TableClass - TCP_TABLE_CLASS selector: which endpoints (listeners,
 *              connections, all) and how much owner information per row
 *              (basic / owner PID / owner module).
 * Reserved   - must be 0.
 *
 * Returns NO_ERROR (0) on success.  Returns ERROR_INSUFFICIENT_BUFFER
 * (122 = 0x7A) when the buffer is too small; *pdwSize then holds the size to
 * allocate and the call must be repeated.  The table can grow between two
 * calls, so robust callers loop while the result is 0x7A instead of trusting
 * a single probe.
 */
DWORD GetExtendedTcpTable(
  _Out_    PVOID pTcpTable,
  _Inout_  PDWORD pdwSize,
  _In_     BOOL bOrder,
  _In_     ULONG ulAf,
  _In_     TCP_TABLE_CLASS TableClass,
  _In_     ULONG Reserved
);

/*
 * Retrieves the UDP listener table for one address family (iphlpapi.dll).
 * Same calling protocol as GetExtendedTcpTable.
 *
 * pUdpTable  - caller-supplied buffer.  The row type is selected by
 *              TableClass; for UDP_TABLE_OWNER_PID it is a
 *              MIB_UDPTABLE_OWNER_PID.  May be NULL on a first "probe" call.
 * pdwSize    - in: size of pUdpTable in bytes; out: bytes actually required.
 * bOrder     - per the SDK docs, TRUE returns the rows sorted.
 * ulAf       - address family, AF_INET (2) or AF_INET6.
 * TableClass - UDP_TABLE_CLASS selector (basic / owner PID / owner module).
 * Reserved   - must be 0.
 *
 * Returns NO_ERROR (0) on success, or ERROR_INSUFFICIENT_BUFFER (122 = 0x7A)
 * with *pdwSize set to the required size; retry in a loop, since sockets may
 * be created between the probe and the real call.
 */
DWORD GetExtendedUdpTable(
  _Out_    PVOID pUdpTable,
  _Inout_  PDWORD pdwSize,
  _In_     BOOL bOrder,
  _In_     ULONG ulAf,
  _In_     UDP_TABLE_CLASS TableClass,
  _In_     ULONG Reserved
);

使用这两个函数,可以获取所有的TCP/UDP连接的列表。注意调用约定:缓冲区由调用方提供,通常先以 NULL 缓冲区、*pdwSize = 0 调用一次,函数返回 ERROR_INSUFFICIENT_BUFFER(122,即 0x7A)并把所需字节数写回 *pdwSize;再按该大小分配缓冲区重新调用。由于两次调用之间连接表可能增长,正确的做法是在返回 0x7A 时循环重试,直到返回 NO_ERROR(0)。当 TableClass 取 *_OWNER_PID 类时,结果保存在以下两个结构体中(IPv6类似,这里不列出了):

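/*
 * Table of IPv4 TCP endpoints returned by GetExtendedTcpTable for a
 * TCP_TABLE_OWNER_PID_* table class.  The caller owns the buffer.
 *
 * `table` is a variable-length array: ANY_SIZE is only a placeholder
 * dimension, the real element count is dwNumEntries.  Walk it as
 * `for (i = 0; i < t->dwNumEntries; i++) ... t->table[i] ...` and size the
 * buffer from the value the API writes back through pdwSize, never from
 * sizeof(*t).
 *
 * The struct is tagged _MIB_TCPTABLE_OWNER_PID so that it is declared the
 * same way as the other three typedefs in this article; the typedef names
 * callers use are unchanged.
 */
typedef struct _MIB_TCPTABLE_OWNER_PID {
  DWORD                dwNumEntries;      /* number of valid rows in table[] */
  MIB_TCPROW_OWNER_PID table[ANY_SIZE];   /* dwNumEntries rows follow contiguously */
} MIB_TCPTABLE_OWNER_PID, *PMIB_TCPTABLE_OWNER_PID;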

/*
 * Table of IPv4 UDP listeners returned by GetExtendedUdpTable for
 * UDP_TABLE_OWNER_PID.  The caller owns the buffer.
 *
 * `table` is a variable-length array: ANY_SIZE is only a placeholder
 * dimension, the real element count is dwNumEntries.  Size the buffer from
 * the value the API writes back through pdwSize, never from sizeof.
 */
typedef struct _MIB_UDPTABLE_OWNER_PID {
  DWORD                dwNumEntries;      /* number of valid rows in table[] */
  MIB_UDPROW_OWNER_PID table[ANY_SIZE];   /* dwNumEntries rows follow contiguously */
} MIB_UDPTABLE_OWNER_PID, *PMIB_UDPTABLE_OWNER_PID;

以上结构体中都有一个变长数组(ANY_SIZE 只是占位,实际元素个数由 dwNumEntries 给出),而进程与端口号的关联信息,保存在数组中每一个 MIB_TCPROW_OWNER_PID 或 MIB_UDPROW_OWNER_PID 结构体中。它们的定义如下:

/*
 * One IPv4 TCP endpoint (listener or connection) from an *_OWNER_PID table.
 *
 * Per the iphlpapi documentation the address and port fields are in network
 * byte order; the 16-bit port is carried in the low half of a DWORD, so
 * convert with ntohs((u_short)dwLocalPort) before displaying or comparing.
 */
typedef struct _MIB_TCPROW_OWNER_PID {
  DWORD dwState;        /* connection state (MIB_TCP_STATE_* values, e.g. LISTEN, ESTABLISHED) */
  DWORD dwLocalAddr;    /* local IPv4 address, network byte order */
  DWORD dwLocalPort;    /* local port, network byte order in the low 16 bits */
  DWORD dwRemoteAddr;   /* remote IPv4 address; not meaningful (typically 0) for a listening socket */
  DWORD dwRemotePort;   /* remote port, same encoding as dwLocalPort */
  DWORD dwOwningPid;    /* PID that bound the socket.  Snapshot only: PIDs are recycled after
                           process exit, so re-validate (open the process, compare start time /
                           image path) before attributing the connection to a process. */
} MIB_TCPROW_OWNER_PID, *PMIB_TCPROW_OWNER_PID;

/*
 * One IPv4 UDP endpoint from a UDP_TABLE_OWNER_PID table.  UDP is
 * connectionless, so there is no state and no remote side.
 *
 * Per the iphlpapi documentation the address and port are in network byte
 * order; the port occupies the low 16 bits of the DWORD, so use
 * ntohs((u_short)dwLocalPort) before displaying or comparing it.
 */
typedef struct _MIB_UDPROW_OWNER_PID {
  DWORD dwLocalAddr;    /* local IPv4 address, network byte order */
  DWORD dwLocalPort;    /* local port, network byte order in the low 16 bits */
  DWORD dwOwningPid;    /* PID that bound the socket; a snapshot -- PIDs are recycled, re-validate before trusting */
} MIB_UDPROW_OWNER_PID, *PMIB_UDPROW_OWNER_PID;

结构体中的dwOwningPid就是PID信息。有两点需要注意:其一,dwLocalPort/dwRemotePort 按文档是网络字节序,端口值在 DWORD 的低16位,显示或比较前应用 ntohs((u_short)dwLocalPort) 转换;其二,PID 与端口的对应只是调用瞬间的快照,进程退出后 PID 会被系统复用,做安全监控或取证时应立即按 PID 打开进程并核对进程创建时间或映像路径,否则可能把连接归因到错误的进程。

TCPView程序中使用这两个函数的关键地方。可以看到每次调用后都 cmp eax,0x7A,即与 ERROR_INSUFFICIENT_BUFFER(122)比较,随后释放旧缓冲区、按 [esp+0x14] 处返回的所需大小重新分配并重试(推测 004128C5 / 00412493 分别是释放和分配函数),正是上文所说的"探测—分配—重试"循环。另外注意 TCP 路径传给 TableClass 的 ecx 是 7 或 8(由 0x446E15 处的一个全局标志决定),按文档中 TCP_TABLE_CLASS 的枚举顺序这落在 TCP_TABLE_OWNER_MODULE_* 一段而非 OWNER_PID(3~5);若确认如此,则每行实际是更长的 MIB_TCPROW_OWNER_MODULE,其前六个字段与 MIB_TCPROW_OWNER_PID 相同,但遍历步长不能按 sizeof(MIB_TCPROW_OWNER_PID) 计算。UDP 路径传的 TableClass 是 1,即 UDP_TABLE_OWNER_PID,与上面的结构体一致:

0040D3B5   .  83C1 07       add ecx,0x7                              ; ecx = 7 + flag -> TableClass for the probe call (flag setup not visible here; mirrors 0040D3EA-0040D3FC below)
0040D3B8   .  51            push ecx                                 ; arg 5: TableClass (stdcall: args pushed right to left; arg 6 Reserved presumably pushed before this listing starts)
0040D3B9   .  6A 02         push 0x2                                 ; arg 4: ulAf = 2 = AF_INET
0040D3BB   .  55            push ebp                                 ; arg 3: bOrder (ebp, presumably 0 -- it also serves as the NULL sentinel at 0040D3D0)
0040D3BC   .  52            push edx                                 ; arg 2: pdwSize -> the stack slot read back at [esp+0x14] below
0040D3BD   .  55            push ebp                                 ; arg 1: pTcpTable = NULL probe: only ask for the required size
0040D3BE   .  FF15 3C6B4400 call dword ptr ds:[0x446B3C]             ;  IPHLPAPI.GetExtendedTcpTable -- probe call
0040D3C4   .  83F8 7A       cmp eax,0x7A                             ; 0x7A = 122 = ERROR_INSUFFICIENT_BUFFER: *pdwSize now holds the needed byte count
0040D3C7   .  75 47         jnz XTcpview.0040D410                    ; any other result (NO_ERROR or a real error) skips the grow-and-retry loop
0040D3C9   .  8DA424 000000>lea esp,dword ptr ss:[esp]               ; multi-byte NOP aligning the loop head
0040D3D0   >  3BFD          cmp edi,ebp                              ; loop head: edi = current buffer, ebp = NULL
0040D3D2   .  74 09         je XTcpview.0040D3DD                     ; nothing to release on the first iteration
0040D3D4   .  57            push edi
0040D3D5   .  E8 EB540000   call Tcpview.004128C5                    ; presumably free(old buffer); cdecl, caller pops the argument below
0040D3DA   .  83C4 04       add esp,0x4
0040D3DD   >  8B4424 14     mov eax,dword ptr ss:[esp+0x14]          ; required size the API wrote through pdwSize
0040D3E1   .  50            push eax
0040D3E2   .  E8 AC500000   call Tcpview.00412493                    ; presumably malloc(required size)
0040D3E7   .  83C4 04       add esp,0x4
0040D3EA   .  33C9          xor ecx,ecx
0040D3EC   .  380D 156E4400 cmp byte ptr ds:[0x446E15],cl            ; global option byte (a setting/UI flag; exact meaning not visible here)
0040D3F2   .  55            push ebp                                 ; arg 6: Reserved = 0
0040D3F3   .  0F95C1        setne cl                                 ; ecx = (flag != 0)
0040D3F6   .  8D5424 18     lea edx,dword ptr ss:[esp+0x18]          ; same size slot as [esp+0x14] above, offset adjusted for the push
0040D3FA   .  8BF8          mov edi,eax                              ; edi = new buffer (no NULL check visible here)
0040D3FC   .  83C1 07       add ecx,0x7                              ; TableClass = 7 or 8; by the documented TCP_TABLE_CLASS order that is TCP_TABLE_OWNER_MODULE_CONNECTIONS / _ALL, i.e. rows would be MIB_TCPROW_OWNER_MODULE (same first six fields as MIB_TCPROW_OWNER_PID, but longer) -- confirm before walking the table
0040D3FF   .  51            push ecx                                 ; arg 5: TableClass
0040D400   .  6A 02         push 0x2                                 ; arg 4: ulAf = AF_INET
0040D402   .  55            push ebp                                 ; arg 3: bOrder = 0
0040D403   .  52            push edx                                 ; arg 2: pdwSize
0040D404   .  57            push edi                                 ; arg 1: pTcpTable = freshly allocated buffer
0040D405   .  FF15 3C6B4400 call dword ptr ds:[0x446B3C]             ;  IPHLPAPI.GetExtendedTcpTable -- real call
0040D40B   .  83F8 7A       cmp eax,0x7A                             ; still ERROR_INSUFFICIENT_BUFFER? the table grew between the two calls (size is a TOCTOU value)
0040D40E   .^ 74 C0         je XTcpview.0040D3D0                     ; yes: free, reallocate with the new size, retry

0040D494   .  57            push edi                                 ; arg 6: Reserved (edi, presumably 0 here -- it is also passed as the NULL buffer below)
0040D495   .  6A 01         push 0x1                                 ; arg 5: TableClass = 1 = UDP_TABLE_OWNER_PID (rows are MIB_UDPROW_OWNER_PID)
0040D497   .  6A 02         push 0x2                                 ; arg 4: ulAf = 2 = AF_INET
0040D499   .  57            push edi                                 ; arg 3: bOrder
0040D49A   .  8D5424 24     lea edx,dword ptr ss:[esp+0x24]          ; size slot; after the four pushes above this is the same slot read as [esp+0x14] at 0040D4C0
0040D49E   .  52            push edx                                 ; arg 2: pdwSize
0040D49F   .  57            push edi                                 ; arg 1: pUdpTable = NULL probe
0040D4A0   .  C74424 2C 000>mov dword ptr ss:[esp+0x2C],0x0          ; *pdwSize = 0 before the probe, forcing the API to report the required size
0040D4A8   .  FF15 286E4400 call dword ptr ds:[0x446E28]             ;  IPHLPAPI.GetExtendedUdpTable -- probe call
0040D4AE   .  83F8 7A       cmp eax,0x7A                             ; ERROR_INSUFFICIENT_BUFFER (122), the expected probe result
0040D4B1   .  75 35         jnz XTcpview.0040D4E8                    ; anything else goes straight to the result check
0040D4B3   >  85FF          test edi,edi                             ; loop head: release the previous buffer if there is one
0040D4B5   .  74 09         je XTcpview.0040D4C0
0040D4B7   .  57            push edi
0040D4B8   .  E8 08540000   call Tcpview.004128C5                    ; presumably free(old buffer); same helper as the TCP path
0040D4BD   .  83C4 04       add esp,0x4
0040D4C0   >  8B4424 14     mov eax,dword ptr ss:[esp+0x14]          ; required size the API wrote through pdwSize
0040D4C4   .  50            push eax
0040D4C5   .  E8 C94F0000   call Tcpview.00412493                    ; presumably malloc(required size)
0040D4CA   .  83C4 04       add esp,0x4
0040D4CD   .  6A 00         push 0x0                                 ; arg 6: Reserved = 0
0040D4CF   .  6A 01         push 0x1                                 ; arg 5: TableClass = UDP_TABLE_OWNER_PID
0040D4D1   .  6A 02         push 0x2                                 ; arg 4: ulAf = AF_INET
0040D4D3   .  6A 00         push 0x0                                 ; arg 3: bOrder = FALSE
0040D4D5   .  8D4C24 24     lea ecx,dword ptr ss:[esp+0x24]          ; same size slot again
0040D4D9   .  8BF8          mov edi,eax                              ; edi = new buffer (no NULL check visible here)
0040D4DB   .  51            push ecx                                 ; arg 2: pdwSize
0040D4DC   .  57            push edi                                 ; arg 1: pUdpTable
0040D4DD   .  FF15 286E4400 call dword ptr ds:[0x446E28]             ;  IPHLPAPI.GetExtendedUdpTable -- real call
0040D4E3   .  83F8 7A       cmp eax,0x7A                             ; still too small? (sockets created since the probe)
0040D4E6   .^ 74 CB         je XTcpview.0040D4B3                     ; yes: free, reallocate, retry
0040D4E8   >  85C0          test eax,eax                             ; loop exit: eax == 0 means NO_ERROR and the buffer holds a valid table (continuation not shown)
