EvilZone
Community => General discussion => : CorruptedByte December 30, 2011, 07:45:10 PM
-
Hi, how can I close the connections from the netstat information? In the netstat information, connections like this appear:
Conexiones activas
Proto Dirección local Dirección remota Estado
TCP 0.0.0.0:135 CorruptedPC:0 LISTENING
TCP 0.0.0.0:445 CorruptedPC:0 LISTENING
TCP 0.0.0.0:1025 CorruptedPC:0 LISTENING
TCP 0.0.0.0:1026 CorruptedPC:0 LISTENING
TCP 0.0.0.0:1027 CorruptedPC:0 LISTENING
TCP 0.0.0.0:1028 CorruptedPC:0 LISTENING
TCP 0.0.0.0:1030 CorruptedPC:0 LISTENING
TCP 0.0.0.0:1031 CorruptedPC:0 LISTENING
TCP 0.0.0.0:3306 CorruptedPC:0 LISTENING
TCP 0.0.0.0:5357 CorruptedPC:0 LISTENING
TCP 127.0.0.1:1029 CorruptedPC:5354 ESTABLISHED
TCP 127.0.0.1:1035 CorruptedPC:27015 ESTABLISHED
TCP 127.0.0.1:1786 CorruptedPC:1787 ESTABLISHED
TCP 127.0.0.1:1787 CorruptedPC:1786 ESTABLISHED
TCP 127.0.0.1:1790 CorruptedPC:1791 ESTABLISHED
TCP 127.0.0.1:1791 CorruptedPC:1790 ESTABLISHED
TCP 127.0.0.1:1940 CorruptedPC:5354 ESTABLISHED
TCP 127.0.0.1:1944 CorruptedPC:5354 ESTABLISHED
TCP 127.0.0.1:1945 CorruptedPC:5354 ESTABLISHED
TCP 127.0.0.1:1952 CorruptedPC:27015 ESTABLISHED
TCP 127.0.0.1:5354 CorruptedPC:0 LISTENING
TCP 127.0.0.1:5354 CorruptedPC:1029 ESTABLISHED
TCP 127.0.0.1:5354 CorruptedPC:1940 ESTABLISHED
TCP 127.0.0.1:5354 CorruptedPC:close-combat ESTABLISHED
TCP 127.0.0.1:5354 CorruptedPC:1945 ESTABLISHED
TCP 127.0.0.1:27015 CorruptedPC:0 LISTENING
TCP 127.0.0.1:27015 CorruptedPC:1035 ESTABLISHED
TCP 127.0.0.1:27015 CorruptedPC:1952 ESTABLISHED
TCP 192.168.1.108:139 CorruptedPC:0 LISTENING
TCP 192.168.1.108:1905 channel-ji-13-01-snc7:https ESTABLISHED
TCP 192.168.1.108:1953 a63-80-4-50:http CLOSE_WAIT
TCP 192.168.1.108:2350 www-14-05-prn1:https TIME_WAIT
TCP 192.168.1.108:2591 nuq04s07-in-f11:http ESTABLISHED
TCP 192.168.1.108:2597 pz-in-f120:http ESTABLISHED
TCP 192.168.1.108:2600 www-15-06-prn1:https ESTABLISHED
TCP 192.168.1.108:2614 nuq04s07-in-f2:http ESTABLISHED
TCP 192.168.1.108:2627 nuq04s07-in-f12:https ESTABLISHED
TCP 192.168.1.108:2638 nuq04s07-in-f10:https ESTABLISHED
And others with the remote IP. How can I close the connection with the remote IP and the port?
I need to program this in C#, any idea?
Thanks ;)
-
I found this on the net.
// Needs: using System; using System.Net; using System.Net.Sockets; using System.Threading;
TcpListener listener = new TcpListener(IPAddress.Any, Port);
System.Console.WriteLine("Server Initialized, listening for incoming connections");
listener.Start();
while (listen)
{
    // Step 0: Client connection
    TcpClient client = listener.AcceptTcpClient();
    Thread clientThread = new Thread(new ParameterizedThreadStart(HandleConnection));
    clientThread.Start(client.GetStream());
    // Do not call client.Close() here: TcpClient.Close() also closes the stream the
    // worker thread is using. HandleConnection closes it when it is done.
}
-
I found this on the net.
// Needs: using System; using System.Net; using System.Net.Sockets; using System.Threading;
TcpListener listener = new TcpListener(IPAddress.Any, Port);
System.Console.WriteLine("Server Initialized, listening for incoming connections");
listener.Start();
while (listen)
{
    // Step 0: Client connection
    TcpClient client = listener.AcceptTcpClient();
    Thread clientThread = new Thread(new ParameterizedThreadStart(HandleConnection));
    clientThread.Start(client.GetStream());
    // Do not call client.Close() here: TcpClient.Close() also closes the stream the
    // worker thread is using. HandleConnection closes it when it is done.
}
That's a server example.
Not sure if there is an easy way doing this, awaiting response.
-
With netstat -b (run as administrator) you also get which exe is owning that connection. Get that output (pipes), get the process name, kill it (OpenProcess, TerminateProcess).
Edit: with netstat -o you get the process PID directly. No need to find it by name.
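A C# version of this netstat -o approach, added here as an example (it is not code from the thread): it runs netstat -ano, picks out the PID behind every TCP connection to a given remote IP:port and terminates that process. It assumes Windows with the .NET Framework and an elevated prompt (otherwise netstat leaves the PID blank for other users' processes and Kill() is refused); the class and method names are my own.

```csharp
// Added example: locate the process that owns a TCP connection via
// "netstat -ano" and terminate it (the whole process, as the post says).
// Assumptions: Windows, .NET Framework, elevated prompt.
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Globalization;

public class NetstatConnection
{
    public string Proto;
    public string LocalAddress;
    public string RemoteAddress;
    public string State;
    public int Pid;
}

public static class ConnectionKiller
{
    // Parse the data lines of "netstat -ano". UDP lines have no State column,
    // so the PID is always taken from the last field.
    public static List<NetstatConnection> Parse(string netstatOutput)
    {
        var result = new List<NetstatConnection>();
        foreach (string raw in netstatOutput.Split('\n'))
        {
            string[] f = raw.Trim().Split(new[] { ' ', '\t' }, StringSplitOptions.RemoveEmptyEntries);
            if (f.Length < 4 || (f[0] != "TCP" && f[0] != "UDP")) continue;
            int pid;
            if (!int.TryParse(f[f.Length - 1], NumberStyles.Integer, CultureInfo.InvariantCulture, out pid)) continue;
            result.Add(new NetstatConnection
            {
                Proto = f[0],
                LocalAddress = f[1],
                RemoteAddress = f[2],
                State = (f[0] == "TCP" && f.Length >= 5) ? f[3] : "",
                Pid = pid,
            });
        }
        return result;
    }

    // Run netstat -ano and return its raw output.
    public static string RunNetstat()
    {
        var psi = new ProcessStartInfo("netstat", "-ano")
        {
            RedirectStandardOutput = true,
            UseShellExecute = false,
            CreateNoWindow = true,
        };
        using (Process p = Process.Start(psi))
        {
            string output = p.StandardOutput.ReadToEnd();
            p.WaitForExit();
            return output;
        }
    }

    // Distinct PIDs that hold a TCP connection to remoteIp:remotePort.
    public static HashSet<int> FindOwners(IEnumerable<NetstatConnection> conns, string remoteIp, int remotePort)
    {
        string wanted = remoteIp + ":" + remotePort.ToString(CultureInfo.InvariantCulture);
        var pids = new HashSet<int>();
        foreach (var c in conns)
            if (c.Proto == "TCP" && c.RemoteAddress == wanted && c.Pid > 0)
                pids.Add(c.Pid);
        return pids;
    }

    public static void Main(string[] args)
    {
        if (args.Length != 2)
        {
            Console.WriteLine("Usage: ConnectionKiller <remote-ip> <remote-port>");
            return;
        }
        int port = int.Parse(args[1], CultureInfo.InvariantCulture);
        var owners = FindOwners(Parse(RunNetstat()), args[0], port);
        if (owners.Count == 0)
        {
            Console.WriteLine("No TCP connection to {0}:{1} found.", args[0], port);
            return;
        }
        foreach (int pid in owners)
        {
            try
            {
                Process p = Process.GetProcessById(pid);
                Console.WriteLine("Connection to {0}:{1} is owned by {2} (PID {3}); terminating.",
                                  args[0], port, p.ProcessName, pid);
                p.Kill();   // ends the whole process, not just the one socket
            }
            catch (Exception ex)
            {
                Console.WriteLine("Could not terminate PID {0}: {1}", pid, ex.Message);
            }
        }
    }
}
```

Parse() and FindOwners() are kept separate from the process-spawning code so the matching logic can be exercised on saved netstat output. Note that netstat prints IPv6 endpoints as [addr]:port, so pass the address in that form if the connection is IPv6.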
-
With netstat -b (run as administrator) you also get which exe is owning that connection. Get that output (pipes), get the process name, kill it (OpenProcess, TerminateProcess).
That will kill the entire process? That's rather unpractical.
-
Oh, just kill the connection? Well, then you have to code a DLL, inject it in the process, get open file descriptors, check which of them are sockets, check if socket is connected to desired IP, and call close.
Kinda more complex. No time now, byebye.
-
Yes, that's the other solution: kill the process of the connection, like killing the process of a malware or an MSN client or other TCP/IP connection. Waiting for other answers, thanks.
-
X-netstat!
-
Get CurrPorts, it can do all of that with a small portable executable :)
(http://www.nirsoft.net/utils/cports.gif)
http://www.nirsoft.net/utils/cports.zip
-
Meh, I have not been able to fully do it. This is the result.
Exe:
/*
Connection Killer v0.1
Closes connections of selected process matching port and ip
By ca0s [st4ck-3rr0r.blogspot.com] [ka0labs.org]
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
#include <tlhelp32.h>

void error(char *err);
HANDLE myProc = NULL;

int main(int argc, char *argv[])
{
    int rPort = 0, lPort = 0;
    char *process = NULL, *ip = NULL;
    int i = 0;
    FILE *args;
    // Relative name: the target process must be able to find the DLL on its own
    // search path (its own directory or a directory on PATH).
    char dll[] = "KillConnect.dll";
    printf("-- Connection killer [ca0s] --\n");
    for (i = 1; i < argc - 1; i++) {
        if (strcmp(argv[i], "-lp") == 0) lPort = atoi(argv[i+1]);
        if (strcmp(argv[i], "-rp") == 0) rPort = atoi(argv[i+1]);
        if (strcmp(argv[i], "-p") == 0) process = argv[i+1];
        if (strcmp(argv[i], "-ip") == 0) ip = argv[i+1];
    }
    if (!process) {
        printf("Usage: %s -p PROCESS -rp REMOTE_PORT -lp LOCAL_PORT -ip REMOTE_IP\n", argv[0]);
        printf("If argument left blank, assuming ALL. Process cannot be left empty.\n");
        return -1;
    }
    printf("[/] Killing connections from:\n");
    printf("\tProcess: %s\n", process);
    printf("\tLocal port: %i\n", lPort);
    printf("\tRemote port: %i\n", rPort);
    printf("\tRemote IP: %s\n", ip ? ip : "ALL");
    // Find the PID of the named process (first match wins)
    HANDLE processList = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    PROCESSENTRY32 pInfo;
    BOOL st = TRUE;
    DWORD myPid = 0;
    pInfo.dwSize = sizeof(PROCESSENTRY32);
    if (processList == INVALID_HANDLE_VALUE || !Process32First(processList, &pInfo))
        error("[-] Error listing processes.\n");
    do {
        if (strcmp(pInfo.szExeFile, process) == 0) {
            myPid = pInfo.th32ProcessID;
            break;
        }
        st = Process32Next(processList, &pInfo);
    } while (st != FALSE);
    CloseHandle(processList);
    if (myPid == 0) error("[-] Process not found.\n");
    // Open process
    printf("[+] Opening process %lu\n", myPid);
    myProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, myPid);
    if (myProc == NULL) error("[-] Error opening process.\n");
    else printf("[+] Process opened.\n");
    // Reserve memory for argument (our DLL's name, including its terminating NUL)
    LPVOID dirToArg = VirtualAllocEx(myProc, NULL, sizeof(dll), MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE);
    if (dirToArg == NULL) error("[-] Error allocating arg memory.\n");
    else printf("[+] Arg memory reserved (%i bytes).\n", (int)sizeof(dll));
    // Write dll's name in reserved memory
    SIZE_T written = 0;
    if (WriteProcessMemory(myProc, dirToArg, dll, sizeof(dll), &written) == 0) error("[-] Error writing memory.\n");
    else printf("[+] Memory successfully written (arg %i bytes).\n", (int)written);
    // Write arguments to file (the DLL reads it from the target's working directory)
    args = fopen("args.txt", "w");
    if (!args) error("[-] Cannot create text file for arguments. Run me with elevated privileges.\n");
    if (lPort) fprintf(args, "L%i\n", lPort);
    if (rPort) fprintf(args, "R%i\n", rPort);
    if (ip) fprintf(args, "I%s\n", ip);
    fclose(args);
    // Create thread at LoadLibraryA()'s address
    HANDLE rThread = CreateRemoteThread(myProc, NULL, 0, (LPTHREAD_START_ROUTINE)GetProcAddress(LoadLibrary("Kernel32.dll"), "LoadLibraryA"), dirToArg, 0, NULL);
    if (rThread == NULL) error("[-] Error creating remote thread.\n");
    else printf("[+] Remote thread created.\n");
    // Wait for the DLL to finish before releasing what it depends on
    WaitForSingleObject(rThread, INFINITE);
    CloseHandle(rThread);
    VirtualFreeEx(myProc, dirToArg, 0, MEM_RELEASE);
    CloseHandle(myProc);
    //unlink("args.txt");
    printf("[+] Selected connections should have been killed.\n");
    return 0;
}

void error(char *err)
{
    if (myProc != NULL) CloseHandle(myProc);
    printf("%s (%lu)", err, GetLastError());
    exit(1);
}
DLL:
/*
Connection Killer v0.1 DLL
Closes connections of selected process matching port and ip
By ca0s [st4ck-3rr0r.blogspot.com] [ka0labs.org]
Link with ws2_32 (MinGW: -lws2_32; MSVC: ws2_32.lib).
*/
#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// Read one line into linea (at most len-1 chars) and drop the trailing newline.
// Returns the line length, or 0 at end of file.
int getLine(char *linea, int len, FILE *file)
{
    int count = 0;
    memset(linea, 0, len);
    if (fgets(linea, len, file) == NULL) return 0;
    count = (int)strlen(linea);
    if (count > 0 && linea[count-1] == '\n') linea[--count] = 0;
    return count;
}

BOOL doShit(void)
{
    char name[MAX_PATH], line[255];
    char a[16], b[16];
    struct sockaddr_in raddr, laddr;
    struct linger slinger;
    int i, len;
    FILE *log, *args;
    BOOL isSock;
    int rPort = 0, lPort = 0;
    char *ip = NULL;
    slinger.l_onoff = 1;    // SO_LINGER with a zero timeout: close aborts the connection (RST)
    slinger.l_linger = 0;
    log = fopen("log.txt", "a");
    if (!log) return FALSE;
    GetModuleFileName(NULL, name, MAX_PATH);
    fprintf(log, "[+] Attached to %s PID: %lu\n", name, GetCurrentProcessId());
    // Get arguments
    args = fopen("args.txt", "r");
    if (!args) {
        fprintf(log, "[-] Cannot get arguments.\n");
        fclose(log);
        return FALSE;
    }
    i = getLine(line, 255, args);
    while (i > 1) {
        if (line[0] == 'I') { // IP
            ip = (char *)malloc(i);
            memset(ip, 0, i);
            strncpy(ip, line+1, i-1);
        }
        if (line[0] == 'R') rPort = atoi(line+1);   // Remote port
        if (line[0] == 'L') lPort = atoi(line+1);   // Local port
        i = getLine(line, 255, args);
    }
    fclose(args);
    fprintf(log, "[+] LP: %i | RP: %i | IP: %s\n", lPort, rPort, ip ? ip : "ALL");
    // Probe candidate socket handles. Note: on Windows a SOCKET is a kernel handle
    // value, not a small descriptor index, so sockets with handle values above 255
    // (the usual case) are never reached by this loop; that is one reason some
    // connections survive.
    for (i = 0; i < 256; i++) {
        isSock = FALSE;
        memset(&raddr, 0, sizeof(raddr));
        memset(&laddr, 0, sizeof(laddr));
        len = sizeof(struct sockaddr_in);   // reset each time: the calls overwrite it
        if (getpeername(i, (struct sockaddr *)&raddr, &len) != SOCKET_ERROR) isSock = TRUE;
        len = sizeof(struct sockaddr_in);
        if (getsockname(i, (struct sockaddr *)&laddr, &len) != SOCKET_ERROR) isSock = TRUE;
        if (!isSock) continue;
        // inet_ntoa() returns one static buffer, so copy each result before the next call
        strncpy(a, inet_ntoa(raddr.sin_addr), sizeof(a)-1); a[sizeof(a)-1] = 0;
        strncpy(b, inet_ntoa(laddr.sin_addr), sizeof(b)-1); b[sizeof(b)-1] = 0;
        if (ip && strcmp(ip, a) != 0 && strcmp(ip, b) != 0) continue;
        // Skip sockets whose remote or local port does not match a requested one
        if (rPort != 0 && htons((u_short)rPort) != raddr.sin_port) continue;
        if (lPort != 0 && htons((u_short)lPort) != laddr.sin_port) continue;
        fprintf(log, "[/] Found %i\n", i);
        setsockopt(i, SOL_SOCKET, SO_LINGER, (char *)&slinger, sizeof(struct linger));
        if (closesocket(i) != 0) fprintf(log, "[-] Error %i\n", WSAGetLastError());
    }
    free(ip);
    fclose(log);
    return TRUE;
}

BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved)
{
    BOOL st = TRUE;
    if (reason == DLL_PROCESS_ATTACH)
        st = doShit();
    return st;
}
But there are connections which won't shut down. IDK why.
-
Oh sorry I didn't see "I want to program this in C#" ^^'
I'm sure there are many examples if you google for it.
Here's a good example I think: http://alperguc.blogspot.com/2008/11/c-process-processgetprocessesbyname.html
-
Just thought of something I did a while back. Using Microsoft's IPSec to block connections. You could block the connection long enough for it to timeout then unblock it :P You can do it all by command line, so doing it in C# should work.
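An added C# example (not from the thread) of the block-then-unblock idea: it adds a temporary outbound Windows Firewall rule with netsh advfirewall, which is the built-in command-line route on Vista and later (the post mentions IPSec filters; netsh ipsec works the same way, but the advfirewall syntax is shorter), waits, and removes the rule again. It assumes Windows Vista or later, an elevated prompt, and that the rule name it generates is not already in use; the class and method names are my own.

```csharp
// Added example: temporarily block TCP traffic to one remote endpoint with a
// Windows Firewall rule, so the existing connection stalls and times out,
// then remove the rule. Assumptions: Windows Vista+, elevated prompt.
using System;
using System.Diagnostics;
using System.Globalization;
using System.Net;
using System.Threading;

public static class TempBlock
{
    // Run netsh with the given arguments, echo its output, return its exit code.
    static int Netsh(string arguments)
    {
        var psi = new ProcessStartInfo("netsh", arguments)
        {
            UseShellExecute = false,
            RedirectStandardOutput = true,
            CreateNoWindow = true,
        };
        using (Process p = Process.Start(psi))
        {
            Console.WriteLine(p.StandardOutput.ReadToEnd().Trim());
            p.WaitForExit();
            return p.ExitCode;
        }
    }

    public static string RuleName(string ip, int port)
    {
        return "TmpBlock-" + ip + "-" + port.ToString(CultureInfo.InvariantCulture);
    }

    // Outbound block is enough: our side can no longer send data or ACKs, so the
    // application's sends fail once TCP retransmissions give up.
    public static string AddRuleArgs(string ip, int port)
    {
        return string.Format(CultureInfo.InvariantCulture,
            "advfirewall firewall add rule name=\"{0}\" dir=out action=block protocol=TCP remoteip={1} remoteport={2}",
            RuleName(ip, port), ip, port);
    }

    public static string DeleteRuleArgs(string ip, int port)
    {
        return string.Format(CultureInfo.InvariantCulture,
            "advfirewall firewall delete rule name=\"{0}\"", RuleName(ip, port));
    }

    public static void Main(string[] args)
    {
        if (args.Length != 3)
        {
            Console.WriteLine("Usage: TempBlock <remote-ip> <remote-port> <seconds>");
            return;
        }
        IPAddress ip;
        int port, seconds;
        // Validate everything before it reaches the netsh command line
        if (!IPAddress.TryParse(args[0], out ip) ||
            !int.TryParse(args[1], NumberStyles.Integer, CultureInfo.InvariantCulture, out port) ||
            !int.TryParse(args[2], NumberStyles.Integer, CultureInfo.InvariantCulture, out seconds) ||
            port < 1 || port > 65535 || seconds < 1)
        {
            Console.WriteLine("Invalid arguments.");
            return;
        }
        string ipText = ip.ToString();
        if (Netsh(AddRuleArgs(ipText, port)) != 0)
        {
            Console.WriteLine("Could not add the block rule (are you running elevated?).");
            return;
        }
        try
        {
            Console.WriteLine("Blocking TCP traffic to {0}:{1} for {2} s...", ipText, port, seconds);
            Thread.Sleep(TimeSpan.FromSeconds(seconds));
        }
        finally
        {
            // Always remove the rule, even on Ctrl+C, so the block is not left behind
            Netsh(DeleteRuleArgs(ipText, port));
        }
    }
}
```

How long "long enough" is depends on the application: a client that has data to send gives up after TCP's retransmission limit, while an idle connection only notices once the application or its keepalive tries to use it, so pick the wait accordingly.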
-
Thanks, that will be very useful ;)