
List Processes and Ports with Native API

Submitted on: 2/7/2015 1:59:00 PM
By: Luprix (from psc cd)  
Level: Advanced
User Rating: By 70 Users
Compatibility: VB 4.0 (32-bit), VB 5.0, VB 6.0, VB Script, ASP (Active Server Pages) , VBA MS Access, VBA MS Excel
Views: 3973
 
It lists all the processes with open ports using the undocumented native API function NtQuerySystemInformation(). To find the processes with open ports we work at the TDI level (Transport Driver Interface), helped by the native functions located in the system library NTDLL.DLL. This library is part of the Windows NT system base. Attention: using undocumented functions carries the risk that Microsoft modifies or removes them in the future. At the moment it works perfectly on NT, W2K, XP and W2003.

In the same way as the Process Explorer application from Sysinternals (www.systernals.com), we can enumerate all handles of all processes running in the system. These handles (HANDLE) are not unique in the system, but they are unique within the process (PID). They have no relation to window handles (HWND), which are unique system-wide. Each process has its own set of unique handles, and they can be of different types: files, pipes, mailslots, registry keys, ... My code is a port of C++ sources to VB that are well known on the Internet (search Google).

Our programs usually work in protected memory regions (user mode). (Do you remember the memory page access violation?) Controllers and drivers have real access to memory and hardware (kernel mode). We need to transfer information located in kernel mode to our application (user mode). One of the methods used is to issue an IOCTL call to the driver using a buffer created by our application (Win32 function DeviceIoControl()). To synchronize the driver and the application we use CreateEvent(). The named event is automatically created in the Object Manager's BaseNamedObjects directory.

Description of the function: it is well known that we need at least administrator rights to get access to all running processes. First obtain the execution privilege in the system by means of the function LoadPrivilege(), which acquires SeDebugPrivilege.
Then list all the processes (PIDs) using NtQuerySystemInformation(), a function of NTDLL.DLL that gives us access to the memory shared from kernel mode. Using NtQueryObject(), we list all the handles belonging to each process. To look for open ports we filter the handles of type "File" named "\device\tcp" and "\device\udp". Then we query the information of each handle using NtDeviceIoControlFile(), which returns the port as an integer number in the form the sockets API uses it. We convert that number by swapping its bytes with the IpHelper API function ntohs() and convert it to a VB Long type. The rest is very easy: the function ProcessPathByPID returns the complete path of the requested PID.

This code is very useful in firewalls, netstat-style tools and similar applications. Another interesting use of the native API is to hide our program (process) from the task list by means of hooks. That is what I am working on at the moment, and I will upload it to PSC depending on your votes :) Excuse my bad English. Greetings to all. Greetings to everyone. Luprix.
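The enumeration step the description builds on, as an added VB6 example that is not the submission's code: it calls the undocumented NtQuerySystemInformation() with the SystemHandleInformation class, handles the STATUS_INFO_LENGTH_MISMATCH retry that the growing handle snapshot requires, and counts the handles owned by one PID. Names like CountHandlesForPid are assumed, as are 32-bit Windows (the 16-byte entry layout) and a caller that already holds administrator rights.

```vb
Option Explicit

' Added example, not the submission's code. Assumes 32-bit Windows and admin rights.
Private Declare Function NtQuerySystemInformation Lib "ntdll.dll" ( _
    ByVal SystemInformationClass As Long, ByVal SystemInformation As Long, _
    ByVal SystemInformationLength As Long, ByRef ReturnLength As Long) As Long
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" ( _
    ByRef Destination As Any, ByRef Source As Any, ByVal Length As Long)

Private Const SystemHandleInformation As Long = 16
Private Const STATUS_INFO_LENGTH_MISMATCH As Long = &HC0000004

' SYSTEM_HANDLE_TABLE_ENTRY_INFO: 16 bytes on 32-bit Windows, one per open handle
Private Type SYSTEM_HANDLE_TABLE_ENTRY_INFO
    UniqueProcessId As Integer       ' USHORT: owning PID
    CreatorBackTraceIndex As Integer
    ObjectTypeIndex As Byte          ' type index (File, Key, Event, ...)
    HandleAttributes As Byte
    HandleValue As Integer           ' USHORT: handle value inside that process
    pObject As Long                  ' kernel-mode object address
    GrantedAccess As Long
End Type

' Returns the number of handles the system handle table lists for TargetPid,
' or -1 when the native call fails (for example without sufficient rights).
Public Function CountHandlesForPid(ByVal TargetPid As Long) As Long
    Dim buf() As Byte, cb As Long, needed As Long, status As Long
    cb = 65536
    Do
        ReDim buf(0 To cb - 1)
        status = NtQuerySystemInformation(SystemHandleInformation, _
                                          VarPtr(buf(0)), cb, needed)
        If status <> STATUS_INFO_LENGTH_MISMATCH Then Exit Do
        cb = cb * 2          ' snapshot did not fit; retry with a larger buffer
    Loop
    If status <> 0 Then CountHandlesForPid = -1: Exit Function

    ' Layout: ULONG NumberOfHandles, then the entry array starting at offset 4
    Dim count As Long, i As Long, n As Long
    Dim entry As SYSTEM_HANDLE_TABLE_ENTRY_INFO
    CopyMemory count, buf(0), 4
    For i = 0 To count - 1
        CopyMemory entry, buf(4 + i * LenB(entry)), LenB(entry)
        ' USHORT read into a signed Integer: mask before comparing with a Long PID
        If (entry.UniqueProcessId And &HFFFF&) = TargetPid Then n = n + 1
    Next
    CountHandlesForPid = n
End Function
```

Filtering these entries down to "File" handles named \device\tcp and \device\udp needs NtQueryObject() on a handle duplicated into the calling process, which is the next step the description goes on to explain.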

 
Download code


