Which program is occupying the local port:
The netstat -a command described above can only show which ports are currently in use; it cannot tell us which program is actually using a given port. This is exactly the gap that Trojans exploit. If we find a suspicious port occupied, is it a legitimate program using it, or a Trojan or other malware? Therefore, finding out which program has opened a port is the key to detecting unknown Trojans and intrusions.
The method is simple: run netstat -a -o -b, entering the combined parameters in the command line window. The system then displays one more column, named PID, which shows which process ID is using the corresponding port. Even if several programs have been injected into the same process (the same PID), this command lists, after each connection, the file names (executable and DLLs) belonging to that PID (Figure 4).
Figure 4
Figure 4 shows that the first connection is opened by PID 1276, whose main program is svchost.exe. In the course of that connection, four DLL (dynamic link library) files under the system folder C:\Windows\System32 are loaded. With this command we can uncover Trojans and other malware that hide themselves by DLL injection into a legitimate process.
After netstat -a -o -b is run, the system continuously monitors network connections, finds the program that opened each port, and displays all DLL files loaded by that program. To stop the display, press Ctrl + C.
The netstat -a -o -b command is an extension of the netstat -a command described above. It not only shows the current port usage of the system, but also finds out which program is using each port, giving us a solid basis for identifying a suspicious port, identifying the suspicious process behind it, and discovering the suspicious program. This method can be used to find Trojans hidden by DLL injection.
For example:
Solution: Enter netstat -abn > C:\port80.txt in the CMD command window, then open the file port80.txt on drive C and find the PID of the program occupying port 80. Write down the PID. Open Task Manager, click "View" / "Select Columns", tick "PID (Process Identifier)", and on the "Processes" tab find the PID corresponding to port 80; you can then see which program is occupying it. Change that program's port or end the process.
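To automate the lookup described above (which PID is occupying port 80), here is an added Python example that is not part of the original article. It parses the output of netstat -a -n -o (the -o switch adds the PID column) as it would be saved to a file, and returns the PIDs bound to a given local port. The netstat output embedded below is constructed for illustration, not captured from a real machine.

```python
import re

# Constructed sample of "netstat -a -n -o" output; the addresses and PIDs are
# illustrative only and were not captured from a real host.
SAMPLE_NETSTAT_ANO = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1276
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    127.0.0.1:80           127.0.0.1:49210        ESTABLISHED     1276
  TCP    192.168.1.5:49211      203.0.113.7:443        ESTABLISHED     2044
  TCP    [::]:80                [::]:0                 LISTENING       1276
  UDP    0.0.0.0:5355           *:*                                    1100
"""

# One connection row: protocol, local address, foreign address, optional state
# (UDP rows have no State column), and the PID added by the -o switch.
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_netstat_ano(text):
    """Parse the connection rows of 'netstat -a -n -o' output into dicts."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header lines and blank lines
        proto, local, foreign, state, pid = m.groups()
        # The local address is "a.b.c.d:port" (IPv4) or "[...]:port" (IPv6);
        # the port is always the text after the last colon.
        addr, _, port = local.rpartition(":")
        rows.append({"proto": proto, "local_addr": addr, "local_port": int(port),
                     "foreign": foreign, "state": state or "", "pid": int(pid)})
    return rows


def pids_for_port(text, port, listening_only=True):
    """Return the set of PIDs bound to a local port, e.g. the process occupying port 80.

    With listening_only=True only LISTENING sockets count; set it to False to
    include established connections and UDP endpoints on that port."""
    return {r["pid"] for r in parse_netstat_ano(text)
            if r["local_port"] == port
            and (not listening_only or r["state"] == "LISTENING")}


if __name__ == "__main__":
    # The same lookup works on a saved file: open(r"C:\port80.txt").read()
    print("PIDs occupying port 80:", sorted(pids_for_port(SAMPLE_NETSTAT_ANO, 80)))
```

Once the PID is known, it can be matched against the PID column in Task Manager exactly as in the solution above.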