The rapid development and spread of computer network technology provide a global high-speed channel for sharing information. However, the TCP/IP protocol family has security weaknesses and its security mechanisms are not sound, so protecting the resources and information on an enterprise's internal network from being damaged or stolen by external attackers is an important issue in enterprise network security. When we worry about hackers or Trojans, we usually turn to a firewall, which defends against attacks by monitoring all TCP connections in real time. At the same time, throughout the network's operation, the network administrator can monitor the running state and operations of the networked computers in real time, which plays an extremely important role in network security. The following describes the design and implementation of the two main modules, using Visual Basic 6.0 as the development tool.
System Overview
The system consists of two subsystems: a server-side system and a client (workstation) system. The server system is installed on the network administrator's computer and performs the various monitoring operations on the networked computers. The client system is installed on each networked computer; it appears only as an icon in the notification area of the system taskbar, does not interfere with other work on the workstation, and is used solely to respond to monitoring commands from the server and, as the service requires, to sample the corresponding data on the workstation and return it to the server promptly. The system runs under Windows 95, Windows 98, Windows NT and Windows 2000. The Winsock communication control is used in development, and several API functions are called to better implement the various monitoring operations.
System Functions
1. Monitor all TCP connections: monitor the connections on all server ports in real time, warn promptly of abnormal connections, and prompt the user to delete them;
2. Screen monitoring: the server can capture the screen image of a monitored workstation at any time, so the network administrator can see at a glance what is being done on that workstation; if an illegal operation is found, a warning can be issued or the operation forcibly stopped;
3. Lock the workstation, shut it down, and restrict mouse activity;
4. Information exchange between the server and the workstations.
Function Implementation
1. Monitor all TCP connections
TCP/IP (Transmission Control Protocol/Internet Protocol) is a set of network protocols that includes TCP, IP, UDP, ARP, RARP and ICMP. TCP/IP is often called the glue that binds the Internet together: it allows many geographically separate networks to join into one huge virtual network. TCP and UDP (User Datagram Protocol) are the two most common transport protocols; both use listening ports to complete data transmission.
This article deals with TCP connections. Using TCP, an Internet host can open a virtual connection to another host and transmit a stream of data. Unlike UDP, TCP ensures reliable transmission by retransmitting lost packets, and it ensures that the application at the receiving end reassembles the received bytes in the order they were sent, so that the complete data is obtained.
To obtain all current TCP connections of the server system, use the GetTcpTable API function, declared as follows:
Private Declare Function GetTcpTable Lib "iphlpapi.dll" Alias "GetTcpTable" (ByRef pTcpTable As MIB_TCPTABLE, ByRef pdwSize As Long, ByVal bOrder As Long) As Long
The pTcpTable parameter points to the buffer that receives the TCP connection table, pdwSize is the size of that buffer (when the buffer is not large enough, this parameter returns the required size), and bOrder indicates whether the table should be sorted by local IP, local port, remote IP and remote port.
By comparing two successive TCP connection tables in the Timer event of a Timer control, we can detect an exception immediately and issue a warning. The system uses a sound and an alarm sign to remind the user of a possible external intrusion. After receiving the warning, the first step is to delete the suspicious connection; the SetTcpEntry function does this. It is declared as:
Private Declare Function SetTcpEntry Lib "iphlpapi.dll" Alias "SetTcpEntry" (ByRef pTcpRow As MIB_TCPROW) As Long
The pTcpRow parameter points to a row of the TCP table. Setting the state of the connection to be deleted to MIB_TCP_STATE_DELETE_TCB (value 12) and calling the function deletes the connection.
Timer event source code:
' Module-level declarations needed by the event handlers (the GetTcpTable and
' SetTcpEntry declares are given above). The table is sized for 100 rows here;
' enlarge it if GetTcpTable reports that the buffer is too small.
Private Type MIB_TCPROW
    dwState As Long
    dwLocalAddr As Long
    dwLocalPort As Long
    dwRemoteAddr As Long
    dwRemotePort As Long
End Type

Private Type MIB_TCPTABLE
    dwNumEntries As Long
    tcp_table(0 To 99) As MIB_TCPROW
End Type

Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (pDst As Any, pSrc As Any, ByVal ByteLen As Long)
Private Declare Function GetWindowsDirectory Lib "kernel32" Alias "GetWindowsDirectoryA" (ByVal lpBuffer As String, ByVal nSize As Long) As Long
Private Declare Function sndPlaySound Lib "winmm.dll" Alias "sndPlaySoundA" (ByVal lpszSoundName As String, ByVal uFlags As Long) As Long

Private TCP1 As MIB_TCPTABLE
Private last_num_of_entries As Long

Private Sub Timer1_Timer()
    Dim return1 As Long, i As Long
    Dim tmp1 As Long, tmp2 As Long
    Dim ip_buf(1 To 4) As Byte
    Dim win_path As String, tmp3 As String

    return1 = GetTcpTable(TCP1, Len(TCP1), 1)

    ' Warn when the number of connections has changed since the last sample
    If last_num_of_entries <> 0 And _
       last_num_of_entries <> TCP1.dwNumEntries Then
        Picture1.Visible = True                 ' warning flag
        On Error Resume Next
        win_path = String(145, 0)
        ' Use the API function GetWindowsDirectory to obtain the current system directory
        i = GetWindowsDirectory(win_path, 145)
        win_path = Left(win_path, i)
        ' Use the API function sndPlaySound to play an alarm
        i = sndPlaySound(win_path + "\media\ding.wav", &H1)
        On Error GoTo 0
    Else
        If Picture1.Visible = True Then Picture1.Visible = False
    End If
    last_num_of_entries = TCP1.dwNumEntries

    Select Case return1
    Case 0&
        Text1 = "": Combo1.Clear
        For i = 0 To TCP1.dwNumEntries - 1
            tmp3 = Str(i + 1) + " "
            Select Case TCP1.tcp_table(i).dwState   ' display connection status
            Case 1: tmp3 = tmp3 + "closed"
            Case 2: tmp3 = tmp3 + "listening"
            Case 3: tmp3 = tmp3 + "syn_sent"
            Case 4: tmp3 = tmp3 + "syn_rcvd"
            Case 5: tmp3 = tmp3 + "established"
            Case 6: tmp3 = tmp3 + "fin_wait1"
            Case 7: tmp3 = tmp3 + "fin_wait2"
            Case 8: tmp3 = tmp3 + "close_wait"
            Case 9: tmp3 = tmp3 + "closing"
            Case 10: tmp3 = tmp3 + "last_ack"
            Case 11: tmp3 = tmp3 + "time_wait"
            Case 12: tmp3 = tmp3 + "delete_tcb"
            End Select
            Combo1.AddItem tmp3                     ' fill the list used for deletion
            ' Local IP address: CopyMemory is an API function; it copies the four
            ' address bytes (network byte order) out of the DWORD
            tmp3 = tmp3 + ":" + vbCrLf + vbTab + "Local :"
            CopyMemory ip_buf(1), TCP1.tcp_table(i).dwLocalAddr, 4
            tmp3 = tmp3 + CStr(ip_buf(1)) + "." + CStr(ip_buf(2)) + "." + _
                   CStr(ip_buf(3)) + "." + CStr(ip_buf(4))
            ' Local port: stored in network byte order, so swap the two bytes
            ' (integer division "\", not "/", which would round the result)
            tmp1 = TCP1.tcp_table(i).dwLocalPort
            tmp2 = tmp1 \ 256 + (tmp1 Mod 256) * 256
            tmp3 = tmp3 + ":" + Str(tmp2) + vbTab + "Remote :"
            ' Remote IP address
            CopyMemory ip_buf(1), TCP1.tcp_table(i).dwRemoteAddr, 4
            tmp3 = tmp3 + CStr(ip_buf(1)) + "." + CStr(ip_buf(2)) + "." + _
                   CStr(ip_buf(3)) + "." + CStr(ip_buf(4))
            ' Remote port
            tmp1 = TCP1.tcp_table(i).dwRemotePort
            tmp2 = tmp1 \ 256 + (tmp1 Mod 256) * 256
            tmp3 = tmp3 + ":" + Str(tmp2) + vbCrLf
            Text1 = Text1 + tmp3
        Next i
    Case 50&: MsgBox "the system does not support this API function": End
    Case 87&: MsgBox "invalid parameter": End
    Case 111&: MsgBox "buffer overflow": End
    Case 232&: MsgBox "no data": End
    End Select
End Sub
Click event source code used to delete a connection:
Private Sub delete_Click()
    Dim return1 As Long
    If Combo1.ListIndex < 0 Then Exit Sub
    ' Set the state of the selected connection to MIB_TCP_STATE_DELETE_TCB (12)
    TCP1.tcp_table(Combo1.ListIndex).dwState = 12
    ' Execute the deletion
    return1 = SetTcpEntry(TCP1.tcp_table(Combo1.ListIndex))
    If return1 = 0 Then
        MsgBox "deleted successfully"
    Else
        MsgBox "deletion failed"
    End If
    Timer1_Timer    ' refresh the connection list immediately
End Sub
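As an added example (not from the article, and in Python rather than the article's VB6), the following decodes a MIB_TCPTABLE buffer the way the Timer event does with CopyMemory and the port byte swap, and goes beyond the article's entry-count comparison by diffing two snapshots on the full address/port/state tuple, which also catches a connection that replaces another without changing the count. The table layout is the IPv4 MIB_TCPROW structure; the sample rows are constructed, not captured.

```python
import struct
from ipaddress import IPv4Address

# MIB_TCPROW as returned by GetTcpTable: five little-endian DWORDs (dwState,
# dwLocalAddr, dwLocalPort, dwRemoteAddr, dwRemotePort); addresses and ports are
# in network byte order, ports in the low 16 bits only
ROW = struct.Struct("<5L")
STATES = {1: "closed", 2: "listening", 3: "syn_sent", 4: "syn_rcvd",
          5: "established", 6: "fin_wait1", 7: "fin_wait2", 8: "close_wait",
          9: "closing", 10: "last_ack", 11: "time_wait", 12: "delete_tcb"}

def port_from_dword(dw):
    # the byte swap the VB code does with tmp1 \ 256 + (tmp1 Mod 256) * 256
    return ((dw & 0xFF) << 8) | ((dw >> 8) & 0xFF)
def addr_from_dword(dw):
    # equivalent of CopyMemory ip_buf(1), dwLocalAddr, 4: the DWORD's bytes in
    # memory order are the dotted quad
    return str(IPv4Address(struct.pack("<L", dw)))
def parse_tcp_table(buf):
    """Decode a MIB_TCPTABLE buffer: dwNumEntries followed by that many rows."""
    (n,) = struct.unpack_from("<L", buf, 0)
    rows = []
    for i in range(n):
        st, la, lp, ra, rp = ROW.unpack_from(buf, 4 + i * ROW.size)
        rows.append((addr_from_dword(la), port_from_dword(lp), addr_from_dword(ra),
                     port_from_dword(rp), STATES.get(st, str(st))))
    return rows
def new_connections(previous, current):
    """Rows present in the current snapshot that were not in the previous one."""
    return sorted(set(current) - set(previous))
def build_table(rows):
    """Encode (local, lport, remote, rport, state) rows as MIB_TCPTABLE bytes."""
    out = struct.pack("<L", len(rows))
    for la, lp, ra, rp, st in rows:   # port_from_dword is its own inverse
        out += ROW.pack(st, int.from_bytes(IPv4Address(la).packed, "little"),
                        port_from_dword(lp),
                        int.from_bytes(IPv4Address(ra).packed, "little"),
                        port_from_dword(rp))
    return out

# Constructed sample: the second snapshot has the same entry count as the first,
# but one connection has been replaced, which a count-only comparison misses
SNAPSHOT_1 = build_table([("192.168.1.10", 445, "0.0.0.0", 0, 2),
                          ("192.168.1.10", 3389, "192.168.1.20", 49152, 5)])
SNAPSHOT_2 = build_table([("192.168.1.10", 445, "0.0.0.0", 0, 2),
                          ("192.168.1.10", 3389, "10.0.0.7", 33001, 5)])
def demo():
    return new_connections(parse_tcp_table(SNAPSHOT_1), parse_tcp_table(SNAPSHOT_2))
```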
2. Screen monitoring
When the server system detects an abnormal TCP connection, the screen monitoring function can capture the screen of the monitored workstation on the LAN to the server, and corresponding measures such as locking or shutting down the workstation can then be taken. The Winsock control is used here; see related materials for how it communicates. The screen monitoring function uses the TCP protocol. For better results, a Timer control can be added to the form and the capture triggered from its Timer event.
(1) Workstation end
The workstation listens for and responds to connection requests and screen capture commands from the server. The screen capture itself is done with API functions:
Dim a As String
Winsock1.GetData a, vbString
Select Case a
Case "ZP"                               ' the server requests a screen capture
    Picture1.AutoRedraw = True
    Picture1.ScaleMode = 1              ' twips
    lDesktop = GetDesktopWindow()
    lDC = GetDC(lDesktop)
    ' BitBlt works in pixels, while Screen.Width and Screen.Height are in twips
    BitBlt Picture1.hDC, 0, 0, Screen.Width \ Screen.TwipsPerPixelX, _