Hi, I'm trying to close connections using SetTcpEntry, but it always returns 87! The demo you provide works on my machine...
I can't figure out why.
Can you help please?
:: YOU make history ::
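Error 87 is ERROR_INVALID_PARAMETER. The following is an added example, not the article's demo and not the poster's code, showing how a MIB_TCPROW has to be filled before SetTcpEntry will accept it: the only state the API can set is MIB_TCP_STATE_DELETE_TCB, and the addresses and ports must be in network byte order, exactly as GetTcpTable returns them. It assumes Windows with iphlpapi.dll, PowerShell 3 or later (for the shift operators), an IPv4 connection, and an elevated prompt, since on Vista and later a non-administrator gets ERROR_ACCESS_DENIED (5) instead.

```powershell
# Added example (not from the Enetstat article): close one established IPv4 TCP
# connection with SetTcpEntry and decode the Win32 status it returns.
# Assumes: Windows, iphlpapi.dll, PowerShell 3+, elevated prompt.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class TcpClose
{
    // MIB_TCPROW from iprtrmib.h: five DWORDs, no padding.
    [StructLayout(LayoutKind.Sequential)]
    public struct MIB_TCPROW
    {
        public uint dwState;
        public uint dwLocalAddr;
        public uint dwLocalPort;
        public uint dwRemoteAddr;
        public uint dwRemotePort;
    }
    // The only dwState value SetTcpEntry accepts.
    public const uint MIB_TCP_STATE_DELETE_TCB = 12;

    [DllImport("iphlpapi.dll")]
    public static extern uint SetTcpEntry(ref MIB_TCPROW pTcpRow);
}
"@

function Close-TcpConnection {
    param(
        [Parameter(Mandatory = $true)][string]$LocalAddress,
        [Parameter(Mandatory = $true)][int]$LocalPort,
        [Parameter(Mandatory = $true)][string]$RemoteAddress,
        [Parameter(Mandatory = $true)][int]$RemotePort
    )
    $row = New-Object TcpClose+MIB_TCPROW
    $row.dwState = [TcpClose]::MIB_TCP_STATE_DELETE_TCB

    # IPv4 addresses as they sit in memory in network byte order (same as IN_ADDR.S_addr).
    $row.dwLocalAddr  = [BitConverter]::ToUInt32([Net.IPAddress]::Parse($LocalAddress).GetAddressBytes(), 0)
    $row.dwRemoteAddr = [BitConverter]::ToUInt32([Net.IPAddress]::Parse($RemoteAddress).GetAddressBytes(), 0)

    # Ports are htons()'d into the low 16 bits of the DWORD; the high 16 bits are unused.
    $row.dwLocalPort  = [uint32]((($LocalPort  -band 0xFF) -shl 8) -bor ($LocalPort  -shr 8))
    $row.dwRemotePort = [uint32]((($RemotePort -band 0xFF) -shl 8) -bor ($RemotePort -shr 8))

    $rc = [TcpClose]::SetTcpEntry([ref]$row)
    $msg = switch ($rc) {
        0  { "closed ${LocalAddress}:${LocalPort} -> ${RemoteAddress}:${RemotePort}" }
        5  { "ERROR_ACCESS_DENIED (5): SetTcpEntry needs an elevated (administrator) process" }
        87 { "ERROR_INVALID_PARAMETER (87): dwState must be MIB_TCP_STATE_DELETE_TCB and the " +
             "four-tuple should describe an existing IPv4 connection, in network byte order" }
        default { "SetTcpEntry failed with Win32 error $rc" }
    }
    [pscustomobject]@{ Code = $rc; Message = $msg }
}

# Usage (pick the tuple from `netstat -ano`; the remote side is a placeholder address):
# Close-TcpConnection -LocalAddress 192.168.1.10 -LocalPort 49152 -RemoteAddress 203.0.113.5 -RemotePort 443
```

The usual reason for 87 in code that enumerates with GetTcpTable and then calls SetTcpEntry on the row is that dwState was left at the value the table reported (for example MIB_TCP_STATE_ESTAB) instead of being overwritten with MIB_TCP_STATE_DELETE_TCB; a port that was converted to host order before the call is the next most common one.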
AllocateAndGetTcpExTableFromStack exists only in XP and 2003. It has already been deprecated and is *not supported* in Vista (http://msdn.microsoft.com/library/en-us/iphlp/iphlp/allocateandgettcpextablefromstack.asp).
Therefore use at your own risk...
netstat -b is the answer to: The Answer to Life, the Universe, and Everything
"A pint of sweat, saves a gallon of blood."
- General George S. Patton (1885-1945)
"The GetTcpTable or GetExtendedTcpTable functions should be used to retrieve the TCP connection table instead of using the AllocateAndGetTcpExTableFromStack function."
Don't know if the replacement APIs existed at the time of writing, but I thought someone searching for this issue might like to know that there are APIs for Vista which do the same job in a slightly different way.
GetTcpTable is also supported and documented for Win2k, and there's an IPv6 version too, so it looks like the way to go.
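To show the replacement API the quote above points at, here is an added example that is not Enetstat's code: it enumerates the IPv4 TCP table with owning PIDs through GetExtendedTcpTable (TCP_TABLE_OWNER_PID_ALL), decodes states, addresses and ports, and resolves the PID to a process name and image path. Because the caller allocates and frees the buffer itself, it also shows the fix for the leak that the thread discusses further down. Assumptions: Windows XP SP2 / Server 2003 SP1 or later, where GetExtendedTcpTable exists; PowerShell 3 or later; and that Get-Process may read the owning process (the Path of another user's process needs elevation, so it is reported as empty otherwise).

```powershell
# Added example (not from the Enetstat article): list TCP connections with owner PID,
# process name and image path via GetExtendedTcpTable.
# Assumes: Windows XP SP2+/2003 SP1+, PowerShell 3+, IPv4 only.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class IpHlpApi
{
    // MIB_TCPROW_OWNER_PID from iprtrmib.h: six DWORDs, no padding.
    [StructLayout(LayoutKind.Sequential)]
    public struct MIB_TCPROW_OWNER_PID
    {
        public uint dwState;
        public uint dwLocalAddr;
        public uint dwLocalPort;
        public uint dwRemoteAddr;
        public uint dwRemotePort;
        public uint dwOwningPid;
    }
    public const int  AF_INET = 2;
    public const int  TCP_TABLE_OWNER_PID_ALL = 5;
    public const uint ERROR_INSUFFICIENT_BUFFER = 122;

    [DllImport("iphlpapi.dll", SetLastError = true)]
    public static extern uint GetExtendedTcpTable(IntPtr pTcpTable, ref int pdwSize,
        bool bOrder, int ulAf, int TableClass, int Reserved);
}
"@

# Index = MIB_TCP_STATE_* value (1..12); index 0 is unused.
$TcpStateNames = @('', 'CLOSED', 'LISTEN', 'SYN_SENT', 'SYN_RCVD', 'ESTABLISHED', 'FIN_WAIT1',
                   'FIN_WAIT2', 'CLOSE_WAIT', 'CLOSING', 'LAST_ACK', 'TIME_WAIT', 'DELETE_TCB')

# MIB rows carry the port htons()'d in the low 16 bits; swap back to host order.
function ConvertFrom-NetPort { param([uint32]$Raw) (($Raw -band 0xFF) -shl 8) -bor (($Raw -shr 8) -band 0xFF) }

function Get-TcpConnectionsWithOwner {
    $marshal = [Runtime.InteropServices.Marshal]
    $size = 0
    # Two-call convention: a null buffer makes the API report the size it needs.
    $rc = [IpHlpApi]::GetExtendedTcpTable([IntPtr]::Zero, [ref]$size, $true,
        [IpHlpApi]::AF_INET, [IpHlpApi]::TCP_TABLE_OWNER_PID_ALL, 0)
    if ($rc -ne [IpHlpApi]::ERROR_INSUFFICIENT_BUFFER) { throw "GetExtendedTcpTable size query failed: $rc" }

    $buf = $marshal::AllocHGlobal($size)
    try {
        $rc = [IpHlpApi]::GetExtendedTcpTable($buf, [ref]$size, $true,
            [IpHlpApi]::AF_INET, [IpHlpApi]::TCP_TABLE_OWNER_PID_ALL, 0)
        if ($rc -ne 0) { throw "GetExtendedTcpTable failed: $rc" }

        $rowType = [IpHlpApi+MIB_TCPROW_OWNER_PID]
        $rowSize = $marshal::SizeOf($rowType)
        $count   = $marshal::ReadInt32($buf)              # MIB_TCPTABLE_OWNER_PID.dwNumEntries
        for ($i = 0; $i -lt $count; $i++) {
            $ptr = New-Object IntPtr ($buf.ToInt64() + 4 + $i * $rowSize)   # table[] follows dwNumEntries
            $row = $marshal::PtrToStructure($ptr, $rowType)
            $proc = Get-Process -Id $row.dwOwningPid -ErrorAction SilentlyContinue
            $name = if ($proc) { $proc.ProcessName } else { '?' }
            $path = if ($proc) { $proc.Path } else { $null }           # $null when access is denied
            [pscustomobject]@{
                State   = $TcpStateNames[$row.dwState]
                Local   = '{0}:{1}' -f (New-Object Net.IPAddress ([long]$row.dwLocalAddr)),  (ConvertFrom-NetPort $row.dwLocalPort)
                Remote  = '{0}:{1}' -f (New-Object Net.IPAddress ([long]$row.dwRemoteAddr)), (ConvertFrom-NetPort $row.dwRemotePort)
                Pid     = $row.dwOwningPid
                Process = $name
                Path    = $path
            }
        }
    } finally {
        # The caller owns this buffer. AllocateAndGetTcpExTableFromStack hid the allocation
        # behind the call, which is how the leak discussed below crept in; here it cannot.
        $marshal::FreeHGlobal($buf)
    }
}

Get-TcpConnectionsWithOwner | Sort-Object Pid | Format-Table -AutoSize
```

For IPv6, the same call with ulAf = 23 (AF_INET6) returns MIB_TCP6ROW_OWNER_PID rows, which have 16-byte addresses and scope IDs, so the structure and decoding differ; the size-query, allocate, call, free sequence is identical.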
How to find the printer printing status: printing or not, and if yes, how many pages printed?
How to find whether the system is connected to the internet or not,
and how to find the CD-writer writing status?
Hi,
I compared the connections obtained from your code (i.e. from the TCP tables) and found out that it does not return every connection opened.
I checked with Ethereal and apparently there are some port "conversations" in Ethereal which are not listed by the TCP table.
This happens once in a few connections.
How does the TCP table actually work?
Thanks!
Enetstat makes use of the GetTCPTableFromStack API, which kindly interrogates the OS and finally returns the TCP stack. At this point it gathers information regarding all TCP and UDP connections.
If there are any mismatches between the OS's TCP stack and Ethereal's log, that may lead to the following assumptions:
1. as far as I know, if there is no process bound to the related connection it will not be found in the OS's TCP stack. Actually it is not managed by the OS.
2. a rootkit hooks a function used to gather the OS's TCP stack and hides connection info. (see www.rootkit.sk)
"A pint of sweat, saves a gallon of blood."
- General George S. Patton (1885-1945)
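Two checks a practitioner would run on the mismatch described in the question and answer above, as an added example that is not part of Enetstat or of either post. First, the TCP table is a snapshot: a connection that opens and closes between two calls never appears in either, while a sniffer sees every packet, so the first function samples the table rapidly and records each four-tuple when it is first seen. Second, for the hook hypothesis, the classic cross-view check compares two enumerations that reach the table through different callers (`Get-NetTCPConnection` and `netstat -ano`) and reports rows only one of them returns. Assumptions: Windows 8 / Server 2012 or later for the NetTCPIP cmdlet, netstat.exe on the PATH, and an English-format `netstat -ano` output (protocol, local, foreign, state, PID columns).

```powershell
# Added example (not Enetstat's code): (1) catch short-lived connections a single
# snapshot misses, (2) cross-view diff of the TCP table between two user-mode callers.
# Assumes: Windows 8+/Server 2012+ (Get-NetTCPConnection), netstat.exe on PATH.

function Get-TcpKey {
    param([string]$LocalAddr, $LocalPort, [string]$RemoteAddr, $RemotePort)
    # netstat prints IPv6 endpoints as [addr]:port; strip the brackets so both views key alike.
    '{0}:{1}->{2}:{3}' -f $LocalAddr.Trim('[', ']'), $LocalPort, $RemoteAddr.Trim('[', ']'), $RemotePort
}

function Watch-TcpTable {
    param([int]$Seconds = 10, [int]$IntervalMs = 100)
    $seen = @{}
    $stop = (Get-Date).AddSeconds($Seconds)
    while ((Get-Date) -lt $stop) {
        foreach ($c in (Get-NetTCPConnection -ErrorAction SilentlyContinue)) {
            $k = Get-TcpKey $c.LocalAddress $c.LocalPort $c.RemoteAddress $c.RemotePort
            if (-not $seen.ContainsKey($k)) {
                $seen[$k] = [pscustomobject]@{
                    Connection = $k; FirstSeen = Get-Date; State = $c.State; OwningPid = $c.OwningProcess
                }
            }
        }
        Start-Sleep -Milliseconds $IntervalMs
    }
    $seen.Values | Sort-Object FirstSeen
}

function Compare-TcpViews {
    # View A: the cmdlet (CIM provider on top of the kernel table).
    $api = @{}
    foreach ($c in (Get-NetTCPConnection)) {
        $api[(Get-TcpKey $c.LocalAddress $c.LocalPort $c.RemoteAddress $c.RemotePort)] = $c.OwningProcess
    }
    # View B: netstat.exe, parsed from its text output.
    $ns = @{}
    foreach ($line in (netstat -ano)) {
        if ($line -match '^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+\S+\s+(\d+)\s*$') {
            $ns[(Get-TcpKey $matches[1] $matches[2] $matches[3] $matches[4])] = [int]$matches[5]
        }
    }
    [pscustomobject]@{
        OnlyInApi     = @($api.Keys | Where-Object { -not $ns.ContainsKey($_) })
        OnlyInNetstat = @($ns.Keys  | Where-Object { -not $api.ContainsKey($_) })
    }
}

# Usage:
# Watch-TcpTable -Seconds 30 | Format-Table -AutoSize
# Compare-TcpViews
```

Treat a single run of Compare-TcpViews with care: the two snapshots are taken a few hundred milliseconds apart, so ordinary churn shows up as spurious differences, and only entries that stay one-sided across repeated runs are worth investigating. It also only catches a hook that targets one of the two callers; both ultimately read the same kernel table through user-mode APIs, so a hook placed low enough hides from both, and an independent source (the packet capture the question mentions, or a kernel-side view) is the real cross-check.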
Is it possible to add the transfer rate for a single connection?
Hi,
You can take a look at http://www.codeproject.com/internet/EnetstatX.asp. This tool has support for sniffing using raw sockets. By default sniffing is not activated. All you have to do is:
-> activate the sniffing module (programming stuff ...)
-> enhance the connection management module by adding the connection workload.
y0d4
"A pint of sweat, saves a gallon of blood."
- General George S. Patton (1885-1945)
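The raw-socket approach the reply describes, written out as an added example that is not EnetstatX's sniffing module: a Windows raw IP socket with SIO_RCVALL receives every IPv4 packet on one interface, a minimal IPv4/TCP header decode attributes each packet's total length to a direction-independent four-tuple, and the totals divided by elapsed time give a per-connection byte rate. Assumptions: Windows, an elevated prompt (raw sockets and SIO_RCVALL require it), PowerShell 3 or later, and that `-BindAddress` is the local IPv4 address of the interface to watch. The sample packet at the end is constructed by hand for exercising the decoder offline.

```powershell
# Added example (not EnetstatX's code): per-connection transfer rate from a raw socket.
# Assumes: Windows, elevated prompt, PowerShell 3+, IPv4 interface address known.

function ConvertFrom-IPv4Packet {
    param([byte[]]$Bytes)
    # Minimal IPv4 + TCP header decode: just enough to attribute bytes to a 4-tuple.
    if ($Bytes.Length -lt 20 -or (($Bytes[0] -shr 4) -ne 4)) { return $null }
    $ihl = ($Bytes[0] -band 0x0F) * 4                            # IPv4 header length in bytes
    if ($Bytes[9] -ne 6 -or $Bytes.Length -lt ($ihl + 4)) { return $null }   # TCP (6) only
    [pscustomobject]@{
        Src     = ($Bytes[12..15] -join '.')
        SrcPort = ($Bytes[$ihl] -shl 8) -bor $Bytes[$ihl + 1]
        Dst     = ($Bytes[16..19] -join '.')
        DstPort = ($Bytes[$ihl + 2] -shl 8) -bor $Bytes[$ihl + 3]
        Length  = ($Bytes[2] -shl 8) -bor $Bytes[3]             # IP total length (header + payload)
    }
}

function Get-FlowKey {
    param($Packet)
    # Same key for both directions, so request and response bytes land on one connection.
    $a = '{0}:{1}' -f $Packet.Src, $Packet.SrcPort
    $b = '{0}:{1}' -f $Packet.Dst, $Packet.DstPort
    if ([string]::CompareOrdinal($a, $b) -le 0) { "$a <-> $b" } else { "$b <-> $a" }
}

function Measure-ConnectionRates {
    param([Parameter(Mandatory = $true)][string]$BindAddress, [int]$Seconds = 5)
    $sock = New-Object Net.Sockets.Socket -ArgumentList @(
        [Net.Sockets.AddressFamily]::InterNetwork, [Net.Sockets.SocketType]::Raw, [Net.Sockets.ProtocolType]::IP)
    $sock.Bind((New-Object Net.IPEndPoint ([Net.IPAddress]::Parse($BindAddress), 0)))
    # SIO_RCVALL with RCVALL_ON (DWORD 1): deliver all IPv4 traffic seen on this interface.
    [void]$sock.IOControl([Net.Sockets.IOControlCode]::ReceiveAll, [byte[]](1, 0, 0, 0), $null)
    $sock.ReceiveTimeout = 500                                   # ms; lets the loop check its deadline
    $buf = New-Object byte[] 65535
    $bytesPerFlow = @{}
    $sw = [Diagnostics.Stopwatch]::StartNew()
    try {
        while ($sw.Elapsed.TotalSeconds -lt $Seconds) {
            $n = 0
            try { $n = $sock.Receive($buf) } catch [System.Net.Sockets.SocketException] { $n = 0 }  # timeout
            if ($n -le 0) { continue }
            $pkt = New-Object byte[] $n
            [Array]::Copy($buf, $pkt, $n)
            $p = ConvertFrom-IPv4Packet $pkt
            if ($p) { $k = Get-FlowKey $p; $bytesPerFlow[$k] = [long]$bytesPerFlow[$k] + $p.Length }
        }
    } finally {
        $sock.Close()
    }
    $elapsed = $sw.Elapsed.TotalSeconds
    foreach ($k in $bytesPerFlow.Keys) {
        [pscustomobject]@{ Connection = $k; Bytes = $bytesPerFlow[$k]; BytesPerSec = [math]::Round($bytesPerFlow[$k] / $elapsed, 1) }
    }
}

# Constructed sample (not captured): IPv4 header, TTL 64, proto TCP, 10.0.0.1 -> 93.184.216.34,
# total length 60, followed by the first four TCP header bytes (ports 49152 -> 443).
$SamplePacket = [byte[]](0x45, 0x00, 0x00, 0x3C, 0x00, 0x00, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
                         10, 0, 0, 1, 93, 184, 216, 34, 0xC0, 0x00, 0x01, 0xBB)
ConvertFrom-IPv4Packet $SamplePacket

# Live usage (elevated): Measure-ConnectionRates -BindAddress 192.168.1.10 -Seconds 10 | Sort-Object BytesPerSec -Descending
```

The rate is computed over the whole sampling window, so a connection that was only active for part of it is averaged down; for a live display, reset the totals on each refresh interval instead. Note also that SIO_RCVALL only sees traffic on the bound interface and, on current Windows versions, no longer delivers outbound TCP packets on all configurations, so for accounting both directions reliably a capture driver (WinPcap/Npcap) is the more robust route.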
Thank you very much.
regards,
Kate
I wonder if there is a way to clear the memory leak in AllocateAndGetTcpExTableFromStack. Or otherwise, is there any other way to get the stack? Thanks.
Hi,
I would like to improve (adding new features, profiling the code, removing mem leaks ...) this version of Enetstat, but I cannot find the time.
I did notice your suggestions and as soon as possible I'll release a new version. In the meanwhile feel free to contribute to this tool and let your ideas/dreams become true.
Best regards,
y0d4
"A pint of sweat, saves a gallon of blood."
- General George S. Patton (1885-1945)
The cause of the leak is the heap buffer not being freed in that function. Anyway, you could add a few lines of psapi to get the full path from the process id. Nice work of art. I appreciate it.
Hi Mervick,
You're right, there is no heap free sequence in this version of enetstat.
I have published another article similar to this one. Basically it's the
same idea, but with more features and some improvements like no mem leaks so far.
If you're interested take a look at:
http://www.codeproject.com/internet/EnetstatX.asp
Here you can easily notice that the destructor of the TCPTable class contains:

    CTCPTable::~CTCPTable()
    {
        // free the table buffer AllocateAndGetTcpExTableFromStack allocated on the
        // process heap; HeapFree returns a BOOL, so record GetLastError() on failure
        // rather than the BOOL itself
        if (m_pBuffTcpTableEx != NULL)
        {
            if (!HeapFree(GetProcessHeap(), 0, m_pBuffTcpTableEx))
                m_dwLastError = GetLastError();
            m_pBuffTcpTableEx = NULL;
        }
        CBase::Unitialize();
    }

Regards,
y0d4
"A pint of sweat, saves a gallon of blood."
- General George S. Patton (1885-1945)
Hi guys,
As I got some questions regarding the functionality of this tool on other Winxx boxes, I thought you might use the following link to get detailed answers:
http://rootkit.host.sk/knowhow/hidingen.txt
-> 10 Ports
-> 10.1 Netstat, OpPorts on WinXP, FPort on WinXP
-> 10.2 OpPorts on Win2k and NT4, FPort on Win2k
Regards
y0da
Great article.
I was wondering if anyone knew how to achieve the functionality of AllocateAndGetTcpExTableFromStack for Windows 2000. Is the functionality achievable by using another API?
Thanks
I'm afraid not. There are some tools like fport, aports or tcpview...
As far as I know these tools read memory (the TCP stack) from driver level in order to enumerate the handles from this area.
If you need more information regarding this issue you'd better search rootkit docs.
Thanks a lot Anonymous. I've checked out Fport etc., but it's something I want to code myself, so I'll check out the rootkit docs. If/when I find something useful I'll post it here. It seems as if a few people want to do this on Win2k.
Thanks again.
Hi!
How can I close UDP ports?
Thank you
The UDP protocol is based on datagrams. It has nothing to do with the connection-oriented topic.
In our case, we can close any established connection, but UDP does not support something like this.
A free tool called Active Ports can work under Windows 2K. Could you please explain how this could be achieved?
Regards
Johannowic
I know. It makes use of IO calls to \\Device\\Tcp and \\Device\\Udp. The same thing is done by TcpView from www.sysinternals.com.
These guys know something that we don't. I'm sure APorts is not coming with its own driver. It knows how to interrogate the TCP stack. I would like to have some information about it, too.
I'll try a decompile session with IDA Pro.
Cheers
y0da
Hi!
Works fine in Windows XP... but in Windows 2000 it doesn't show the process name... why?
It seems that iphlpapi.dll was not updated. Try to update the SDK core or to import iphlpapi.dll from WinXP to Win2000. It's all about the "AllocateAndGetUdpExTableFromStack" and "AllocateAndGetTcpExTableFromStack" functions.
Good luck
y0da