// Abstract:
// Coded by napalm
// Modified by Zwell
//
#include <winsock2.h>   // must precede windows.h
#include <windows.h>
#include <stdio.h>
#include <string.h>
#include <shlwapi.h>
#include "psapi.h"
#pragma comment(lib, "psapi.lib")
#pragma comment(lib, "ws2_32.lib")
#pragma comment(lib, "shlwapi.lib")
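// NTSTATUS and the I/O status block are native-API types that the public SDK
// of this tool's era does not expose, so they are declared locally.
typedef LONG NTSTATUS;

typedef struct _IO_STATUS_BLOCK {
    union {
        NTSTATUS Status;   // final status of the request (read after an async completion)
        PVOID    Pointer;  // reserved by the native API
    };
    ULONG_PTR Information; // request-specific count; the TDI query below treats it as bytes written
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;

// APC completion callback signature accepted by NtDeviceIoControlFile;
// this tool always passes NULL for it.
typedef VOID (WINAPI *PIO_APC_ROUTINE)(PVOID, PIO_STATUS_BLOCK, DWORD);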
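// Minimal TDI (Transport Driver Interface) declarations needed to issue
// IOCTL_TDI_QUERY_INFORMATION against a \Device\Tcp or \Device\Udp handle.
// TDI is a deprecated kernel interface; on current Windows the documented way
// to map sockets to owning processes is GetExtendedTcpTable/GetExtendedUdpTable.
typedef LONG  TDI_STATUS;
typedef PVOID CONNECTION_CONTEXT; // connection context

typedef struct _TDI_REQUEST {
    union {
        HANDLE             AddressHandle;
        CONNECTION_CONTEXT ConnectionContext;
        HANDLE             ControlChannel;
    } Handle;
    PVOID      RequestPolicyObject; // opaque to this tool; only the layout matters
    PVOID      RequestContext;
    TDI_STATUS TdiStatus;
} TDI_REQUEST, *PTDI_REQUEST;

typedef struct _TDI_CONNECTION_INFORMATION {
    LONG  UserDataLength;      // length of user data buffer
    PVOID UserData;            // pointer to user data buffer
    LONG  OptionsLength;       // length of following buffer
    PVOID Options;             // pointer to buffer containing options
    LONG  RemoteAddressLength; // length of following buffer
    PVOID RemoteAddress;       // buffer containing the remote address
} TDI_CONNECTION_INFORMATION, *PTDI_CONNECTION_INFORMATION;

typedef struct _TDI_REQUEST_QUERY_INFORMATION {
    TDI_REQUEST Request;
    ULONG       QueryType;     // class of information to be queried (TDI_QUERY_* below)
    PTDI_CONNECTION_INFORMATION RequestConnectionInformation;
} TDI_REQUEST_QUERY_INFORMATION, *PTDI_REQUEST_QUERY_INFORMATION;

#define TDI_QUERY_ADDRESS_INFO 0x00000003
#define IOCTL_TDI_QUERY_INFORMATION \
    CTL_CODE(FILE_DEVICE_TRANSPORT, 4, METHOD_OUT_DIRECT, FILE_ANY_ACCESS)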
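typedef PVOID POBJECT;

// One entry of the system-wide handle table returned by
// NtQuerySystemInformation(SystemHandleInformation).
typedef struct _SYSTEM_HANDLE {
    ULONG       uIdProcess;    // owning process id
    UCHAR       ObjectType;    // OB_TYPE_* (OB_TYPE_TYPE, etc.)
    UCHAR       Flags;         // HANDLE_FLAG_* (HANDLE_FLAG_INHERIT, etc.)
    USHORT      Handle;        // handle value as seen inside the owning process
    POBJECT     pObject;       // kernel object pointer; unnamed in the listing, named so the struct is valid
    ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE, *PSYSTEM_HANDLE;

typedef struct _SYSTEM_HANDLE_INFORMATION {
    ULONG         uCount;      // number of entries that follow
    SYSTEM_HANDLE Handles[1];  // variable length; indexed up to uCount
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;

typedef struct _UNICODE_STRING {
    USHORT Length;             // bytes, not characters; no terminator included
    USHORT MaximumLength;      // bytes available in Buffer
    PWSTR  Buffer;             // not necessarily NUL-terminated
} UNICODE_STRING;
typedef UNICODE_STRING *PUNICODE_STRING;
typedef const UNICODE_STRING *PCUNICODE_STRING;
typedef UNICODE_STRING OBJECT_NAME_INFORMATION;
typedef UNICODE_STRING *POBJECT_NAME_INFORMATION;

// Information classes passed to NtQuerySystemInformation / NtQueryObject.
#define SystemHandleInformation 16
#define ObjectNameInformation   1

// NTSTATUS values tested by this tool. The parentheses were unbalanced in the
// original listing; these are the ntstatus.h forms.
#define STATUS_SUCCESS              ((NTSTATUS)0x00000000L)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#define STATUS_BUFFER_OVERFLOW      ((NTSTATUS)0x80000005L)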
//-------------------------------------------------------------------------
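// Native API entry points resolved at run time with GetProcAddress on
// ntdll.dll (see the callers below). They are undocumented/semi-documented and
// their behaviour varies by Windows version, which is why every caller checks
// the resolved pointer for NULL before use.
typedef NTSTATUS (WINAPI *TNtQSI)(DWORD SystemInformationClass, PVOID SystemInformation,
                                  DWORD SystemInformationLength, PDWORD ReturnLength);
typedef NTSTATUS (WINAPI *TNtQO)(HANDLE ObjectHandle, DWORD ObjectInformationClass, PVOID ObjectInformation,
                                 DWORD Length, PDWORD ResultLength);
typedef NTSTATUS (WINAPI *TNtDIOCF)(HANDLE FileHandle, HANDLE Event, PIO_APC_ROUTINE ApcRoutine, PVOID ApcContext,
                                    PIO_STATUS_BLOCK IoStatusBlock, DWORD IoControlCode,
                                    PVOID InputBuffer, DWORD InputBufferLength,
                                    PVOID OutputBuffer, DWORD OutputBufferLength);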
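// Enables SeDebugPrivilege in the current process token so that OpenProcess and
// DuplicateHandle succeed on processes owned by other users and by SYSTEM.
// AdjustTokenPrivileges can only enable a privilege the token already holds
// (typically only an administrator's token holds SeDebugPrivilege), so a
// non-elevated run fails here and later sees far fewer handles.
//
// Returns TRUE when the privilege is enabled afterwards, FALSE otherwise. The
// original returned void and leaked the token handle; callers that ignore the
// result are unaffected.
BOOL EnableDebugPrivilege(void)
{
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken)) {
        return FALSE;
    }

    BOOL ok = FALSE;
    LUID luidDebug;
    if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luidDebug)) {
        TOKEN_PRIVILEGES tokenPriv;
        tokenPriv.PrivilegeCount = 1;
        tokenPriv.Privileges[0].Luid = luidDebug;
        tokenPriv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        // AdjustTokenPrivileges returns TRUE even when it assigned nothing;
        // ERROR_NOT_ALL_ASSIGNED is the real "privilege not held" signal.
        if (AdjustTokenPrivileges(hToken, FALSE, &tokenPriv, sizeof(tokenPriv), NULL, NULL)
            && GetLastError() != ERROR_NOT_ALL_ASSIGNED) {
            ok = TRUE;
        }
    }

    CloseHandle(hToken);
    return ok;
}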
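// Returns the object-manager name of hObject (for example "\Device\Tcp") as a
// NUL-terminated wide string allocated with new WCHAR[]. The caller owns the
// result and must release it with delete[]. Returns NULL when NtQueryObject
// cannot be resolved, the query fails, or the object is unnamed.
//
// NOTE(review): NtQueryObject(ObjectNameInformation) is known to block
// indefinitely for some handle types (e.g. pipe handles with I/O pending);
// handle-enumeration tools normally run this query on a worker thread with a
// timeout. That is not done here, so the tool can hang on such a handle.
LPWSTR GetObjectName(HANDLE hObject)
{
    TNtQO pNtQO = (TNtQO)GetProcAddress(GetModuleHandle("NTDLL.DLL"), "NtQueryObject");
    if (pNtQO == NULL) {
        return NULL;
    }

    // First call with only the fixed header to learn the required size, which
    // comes back in dwSize. Versions differ in how they report the shortfall:
    // STATUS_BUFFER_OVERFLOW or STATUS_INFO_LENGTH_MISMATCH are both retried
    // (the original only retried the former).
    DWORD dwSize = sizeof(OBJECT_NAME_INFORMATION);
    POBJECT_NAME_INFORMATION pObjectInfo = (POBJECT_NAME_INFORMATION) new BYTE[dwSize];
    NTSTATUS ntReturn = pNtQO(hObject, ObjectNameInformation, pObjectInfo, dwSize, &dwSize);
    if (ntReturn == STATUS_BUFFER_OVERFLOW || ntReturn == STATUS_INFO_LENGTH_MISMATCH) {
        delete[] (BYTE *)pObjectInfo;
        pObjectInfo = NULL;
        if (dwSize < sizeof(OBJECT_NAME_INFORMATION)) {
            return NULL; // no usable size was reported
        }
        pObjectInfo = (POBJECT_NAME_INFORMATION) new BYTE[dwSize];
        ntReturn = pNtQO(hObject, ObjectNameInformation, pObjectInfo, dwSize, &dwSize);
    }

    LPWSTR lpwsReturn = NULL;
    // A non-negative NTSTATUS is success or informational.
    if (ntReturn >= STATUS_SUCCESS && pObjectInfo->Buffer != NULL) {
        // Length is a byte count and Buffer is not NUL-terminated; copy out and
        // terminate before the backing buffer is released.
        size_t cch = pObjectInfo->Length / sizeof(WCHAR);
        lpwsReturn = new WCHAR[cch + 1];
        CopyMemory(lpwsReturn, pObjectInfo->Buffer, cch * sizeof(WCHAR));
        lpwsReturn[cch] = L'\0';
    }
    delete[] (BYTE *)pObjectInfo; // new[] must be paired with delete[]
    return lpwsReturn;
}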
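// Queries the local address bound to a \Device\Tcp or \Device\Udp handle with
// IOCTL_TDI_QUERY_INFORMATION / TDI_QUERY_ADDRESS_INFO and stores it in *ip and
// *port (port in host byte order). Both outputs are zeroed first, so a failed
// query yields 0.0.0.0:0 instead of leaving the caller's variables untouched
// (the original printed uninitialised stack values in that case).
void OutputConnectionDetails(HANDLE hObject, in_addr *ip, DWORD *port)
{
    // STATUS_PENDING is not declared by this file; value as in ntstatus.h.
    const NTSTATUS kStatusPending = (NTSTATUS)0x00000103L;
    // Byte offsets into the TDI_ADDRESS_INFO reply for a TDI_ADDRESS_IP entry:
    // ActivityCount(4) + TAAddressCount(4) + AddressLength(2) + AddressType(2)
    // precede sin_port at 12 and in_addr at 14 -- confirm against tdi.h.
    const size_t kPortOffset = 12;
    const size_t kAddrOffset = 14;

    ZeroMemory(ip, sizeof(*ip));
    *port = 0;

    TNtDIOCF pNtDIOCF = (TNtDIOCF)GetProcAddress(GetModuleHandle("NTDLL.DLL"), "NtDeviceIoControlFile");
    if (pNtDIOCF == NULL) {
        return;
    }

    IO_STATUS_BLOCK ioStatusBlock = {0};
    TDI_REQUEST_QUERY_INFORMATION tdiRequestAddress = {{0}, TDI_QUERY_ADDRESS_INFO};
    BYTE tdiAddress[128] = {0};
    HANDLE hEvent = CreateEvent(NULL, TRUE, FALSE, NULL);

    NTSTATUS ntReturn = pNtDIOCF(hObject, hEvent, NULL, NULL, &ioStatusBlock, IOCTL_TDI_QUERY_INFORMATION,
                                 &tdiRequestAddress, sizeof(tdiRequestAddress), tdiAddress, sizeof(tdiAddress));
    // The original closed the event and returned at once, so a request that
    // completed asynchronously would have written into tdiAddress after this
    // frame was gone. Wait for completion before reading the buffer; without
    // an event the file handle itself is signalled on completion.
    if (ntReturn == kStatusPending) {
        WaitForSingleObject(hEvent != NULL ? hEvent : hObject, INFINITE);
        ntReturn = ioStatusBlock.Status;
    }
    if (hEvent != NULL) {
        CloseHandle(hEvent);
    }

    // Only trust the reply if the driver filled at least the bytes read below.
    if (ntReturn == STATUS_SUCCESS && ioStatusBlock.Information >= kAddrOffset + sizeof(*ip)) {
        USHORT netPort;
        // memcpy instead of pointer casts: offset 14 is not aligned for in_addr.
        memcpy(&netPort, &tdiAddress[kPortOffset], sizeof(netPort));
        memcpy(ip, &tdiAddress[kAddrOffset], sizeof(*ip));
        *port = ntohs(netPort);
    }
}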
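// Fetches the system handle table. NtQuerySystemInformation(SystemHandleInformation)
// answers STATUS_INFO_LENGTH_MISMATCH with a size hint when the buffer is too
// small, but the table can grow between calls and some versions return an
// unreliable hint, so grow and retry a bounded number of times rather than
// exactly once as the original did. Returns a new BYTE[] buffer that the
// caller releases with delete[], or NULL; *pStatus receives the last NTSTATUS.
static PSYSTEM_HANDLE_INFORMATION QueryHandleTable(TNtQSI pNtQSI, NTSTATUS *pStatus)
{
    DWORD dwSize = sizeof(SYSTEM_HANDLE_INFORMATION);
    PSYSTEM_HANDLE_INFORMATION pHandleInfo = NULL;
    NTSTATUS ntReturn = STATUS_INFO_LENGTH_MISMATCH;

    for (int attempt = 0; attempt < 8 && ntReturn == STATUS_INFO_LENGTH_MISMATCH; attempt++) {
        delete[] (BYTE *)pHandleInfo;
        pHandleInfo = (PSYSTEM_HANDLE_INFORMATION) new BYTE[dwSize];
        DWORD dwNeeded = dwSize;
        ntReturn = pNtQSI(SystemHandleInformation, pHandleInfo, dwSize, &dwNeeded);
        // Take the hint when it is larger, otherwise double; never shrink.
        dwSize = (dwNeeded > dwSize) ? dwNeeded : dwSize * 2;
    }
    if (ntReturn != STATUS_SUCCESS) {
        delete[] (BYTE *)pHandleInfo;
        pHandleInfo = NULL;
    }
    *pStatus = ntReturn;
    return pHandleInfo;
}

// Prints one table row for a TCP/UDP device handle: owning PID, handle value,
// process image name, object name, bound local address/port and image path.
static void PrintHandleRow(HANDLE hProcess, HANDLE hObject, const SYSTEM_HANDLE &entry, LPCWSTR lpwsName)
{
    in_addr ipAddr;
    ZeroMemory(&ipAddr, sizeof(ipAddr)); // the query may leave its outputs untouched on failure
    DWORD port = 0;
    OutputConnectionDetails(hObject, &ipAddr, &port);

    char szProcess[MAX_PATH];
    ZeroMemory(szProcess, sizeof(szProcess));
    // Fails for processes whose memory we cannot read, leaving the buffer
    // empty; such rows are labelled [System] as in the original.
    GetModuleFileNameEx(hProcess, NULL, szProcess, MAX_PATH);

    // %ws is the MSVC printf extension for a wide-string argument.
    printf("%5lu\t%6u\t%-16s%-20ws%12s%7lu\t%s\n",
           entry.uIdProcess,
           (unsigned)entry.Handle,
           (lstrlen(szProcess) > 0) ? PathFindFileName(szProcess) : "[System]",
           lpwsName,
           inet_ntoa(ipAddr),
           port,
           szProcess);
}

// Walks the system handle table, duplicates every handle into this process,
// and prints the ones whose object name is \Device\Tcp or \Device\Udp together
// with the local address the socket is bound to. This is the same mapping a
// defender gets from "netstat -ano" or GetExtendedTcpTable, obtained here via
// the native API; it needs SeDebugPrivilege to see other users' processes.
int main(int argc, char *argv[])
{
    (void)argc;
    (void)argv;

    printf("TCP/UDP handle list - by napalm\n");
    printf("Modified by Zwell\n");
    printf("===================================\n");

    EnableDebugPrivilege();

    TNtQSI pNtQSI = (TNtQSI)GetProcAddress(GetModuleHandle("NTDLL.DLL"), "NtQuerySystemInformation");
    if (pNtQSI == NULL) {
        printf("Cannot find NtQuerySystemInformation API... is this system not Win2K and above?");
        return 0;
    }

    NTSTATUS ntReturn = STATUS_SUCCESS;
    PSYSTEM_HANDLE_INFORMATION pHandleInfo = QueryHandleTable(pNtQSI, &ntReturn);
    if (pHandleInfo == NULL) {
        // The original blamed memory allocation for any failure; show the status.
        printf("Error while querying system handle information (status 0x%08lX).\n", (unsigned long)ntReturn);
        return 0;
    }

    printf("Found %lu handles. Listing TCP/UDP handles...\n", pHandleInfo->uCount);
    printf("PID\tHandle\t%-16sHandle Name\tIP Address\tPort\n", "Process Name");

    for (DWORD dwIdx = 0; dwIdx < pHandleInfo->uCount; dwIdx++) {
        const SYSTEM_HANDLE &entry = pHandleInfo->Handles[dwIdx];

        // OpenProcess returns NULL on failure, not INVALID_HANDLE_VALUE; the
        // original compared against the latter and so always entered the body.
        HANDLE hProcess = OpenProcess(PROCESS_DUP_HANDLE | PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,
                                      FALSE, entry.uIdProcess);
        if (hProcess == NULL) {
            continue;
        }

        HANDLE hObject = NULL;
        if (DuplicateHandle(hProcess, (HANDLE)(ULONG_PTR)entry.Handle, GetCurrentProcess(), &hObject,
                            STANDARD_RIGHTS_REQUIRED, FALSE, 0)) {
            LPWSTR lpwsName = GetObjectName(hObject);
            if (lpwsName != NULL) {
                // Exact, case-sensitive match on the legacy TDI device names.
                if (wcscmp(lpwsName, L"\\Device\\Tcp") == 0 || wcscmp(lpwsName, L"\\Device\\Udp") == 0) {
                    PrintHandleRow(hProcess, hObject, entry, lpwsName);
                }
                delete[] lpwsName; // GetObjectName allocates with new[]
            }
            CloseHandle(hObject);
        }
        CloseHandle(hProcess);
    }
    printf("\n");

    delete[] (BYTE *)pHandleInfo;
    return 0;
}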