A firewall of this kind consists mainly of a log, a list of network connections, and connection control (for example, blocking). So we need three windows: the main window, which shows the connection list; a log window; and a control window.
Open VB, create a new project and add the forms. In total we need three forms and two modules. It is fairly involved, and I have been thinking about how to write this so that everyone can follow; please bear with the writing. First the principles:
1. Monitoring TCP connections
At its core, a hacker tool or trojan exists to move data. TCP and UDP (User Datagram Protocol) are the two most common transport protocols, and both move data through a listening port.
Monitoring the connection state of every port in real time, raising a warning as soon as an abnormal connection appears and prompting the user to remove it is an effective way to keep attackers out.
Microsoft's IP Helper library (iphlpapi.dll) is the shortcut. Its GetTcpTable function returns every valid TCP connection on the system. It is declared as:
Declare Function GetTcpTable Lib "iphlpapi.dll" (ByRef pTcpTable As MIB_TCPTABLE, ByRef pdwSize As Long, ByVal bOrder As Long) As Long
The first parameter is a pointer to the buffer that receives the TCP connection table, the second is the size of that buffer (when the buffer is too small, this parameter returns the size actually required), and the third indicates whether the table should be sorted by Local IP, Local port, Remote IP and Remote port, in that order.
To monitor the UDP connection table use GetUdpTable. Its use is entirely analogous, so it is not discussed here.
2. Warning about anomalies and removing connections
By comparing two consecutive TCP connection tables at a fixed interval we can spot an anomaly immediately and raise a warning. Once warned, we should first remove the suspicious connection, then look carefully for a security hole on the system or a suspicious process at work. The IP Helper function SetTcpEntry lets us remove a suspicious connection. It is declared as:
Public Declare Function SetTcpEntry Lib "IPhlpAPI" (pTcpRow As MIB_TCPROW) As Long 'This is used to close an open port.
Before calling this function, set the state of the connection to be removed to MIB_TCP_STATE_DELETE_TCB (delete). MIB_TCP_STATE_DELETE_TCB is also the only state that can currently be set at run time.
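As an added example (not code from the article), the following Python models what the VB code in this article does with the GetTcpTable buffer: it lays out MIB_TCPTABLE and MIB_TCPROW bytes the way Windows does, decodes them (the address and port conversions the VB code performs with inet_ntoa and ntohs), compares two snapshots the way section 2 describes, and builds the MIB_TCPROW with dwState = MIB_TCP_STATE_DELETE_TCB that would be handed to SetTcpEntry. Python is used so that it runs on any platform; the two snapshots are constructed, not captured, and no Windows API is called.

```python
import socket
import struct
from typing import List, NamedTuple, Optional

# MIB_TCPROW.dwState values (MIB_TCP_STATE_*); Windows never reports 0
TCP_STATES = {
    1: "CLOSED", 2: "LISTEN", 3: "SYN_SENT", 4: "SYN_RCVD", 5: "ESTABLISHED",
    6: "FIN_WAIT1", 7: "FIN_WAIT2", 8: "CLOSE_WAIT", 9: "CLOSING",
    10: "LAST_ACK", 11: "TIME_WAIT", 12: "DELETE_TCB",
}
MIB_TCP_STATE_DELETE_TCB = 12
ROW_SIZE = 20  # five DWORDs: dwState, dwLocalAddr, dwLocalPort, dwRemoteAddr, dwRemotePort


class TcpRow(NamedTuple):
    state: int
    local_addr: str
    local_port: int
    remote_addr: str
    remote_port: int

    @property
    def state_name(self) -> str:
        return TCP_STATES.get(self.state, "UNKNOWN")


def encode_row(row: TcpRow, state: Optional[int] = None) -> bytes:
    """Lay a row out as MIB_TCPROW sits in memory: address and port bytes are in
    network order, the port occupying the low-order 16 bits of its DWORD."""
    st = row.state if state is None else state
    return (struct.pack("<I", st)
            + socket.inet_aton(row.local_addr)
            + struct.pack(">H", row.local_port) + b"\x00\x00"
            + socket.inet_aton(row.remote_addr)
            + struct.pack(">H", row.remote_port) + b"\x00\x00")


def encode_table(rows: List[TcpRow]) -> bytes:
    """MIB_TCPTABLE: DWORD dwNumEntries followed by the rows."""
    return struct.pack("<I", len(rows)) + b"".join(encode_row(r) for r in rows)


def parse_tcp_table(buf: bytes) -> List[TcpRow]:
    """Decode the buffer GetTcpTable fills in; reading the address and port bytes
    directly gives the same values the VB code gets from inet_ntoa and ntohs."""
    (n,) = struct.unpack_from("<I", buf, 0)
    if len(buf) < 4 + n * ROW_SIZE:
        raise ValueError("dwNumEntries exceeds the buffer: grow it and call again")
    rows = []
    for i in range(n):
        off = 4 + i * ROW_SIZE
        (state,) = struct.unpack_from("<I", buf, off)
        laddr = socket.inet_ntoa(buf[off + 4:off + 8])
        (lport,) = struct.unpack_from(">H", buf, off + 8)
        raddr = socket.inet_ntoa(buf[off + 12:off + 16])
        (rport,) = struct.unpack_from(">H", buf, off + 16)
        rows.append(TcpRow(state, laddr, lport, raddr, rport))
    return rows


def new_connections(previous: List[TcpRow], current: List[TcpRow]) -> List[TcpRow]:
    """The article's detection rule: rows in the new snapshot that the old one lacked.
    Listening sockets are compared too, so a newly opened backdoor listener shows up."""
    seen = set(previous)
    return [r for r in current if r not in seen]


def delete_request(row: TcpRow) -> bytes:
    """The MIB_TCPROW SetTcpEntry expects: the same row with dwState = MIB_TCP_STATE_DELETE_TCB."""
    return encode_row(row, MIB_TCP_STATE_DELETE_TCB)


# Constructed sample snapshots (not real captures): the later one adds an outbound
# connection to a remote host on port 4444 and a new listener on port 31337.
BASELINE = [
    TcpRow(2, "0.0.0.0", 135, "0.0.0.0", 0),
    TcpRow(5, "192.168.1.10", 1042, "203.0.113.5", 80),
]
LATER = BASELINE + [
    TcpRow(5, "192.168.1.10", 1050, "198.51.100.7", 4444),
    TcpRow(2, "0.0.0.0", 31337, "0.0.0.0", 0),
]


def demo() -> List[str]:
    before = parse_tcp_table(encode_table(BASELINE))
    after = parse_tcp_table(encode_table(LATER))
    return [f"{r.remote_addr}:{r.remote_port} local {r.local_port} {r.state_name}"
            for r in new_connections(before, after)]


if __name__ == "__main__":
    for line in demo():
        print("NEW:", line)
```

The size check in parse_tcp_table is the Python counterpart of testing GetTcpTable's return value: with a fixed 101-row buffer the call fails with ERROR_INSUFFICIENT_BUFFER once the machine has more connections, and the buffer must not be read in that case.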
With this, the basic principles and method of the firewall are clear, and now we want to wrap these functions and APIs. Create a standard module (a .bas module; Public Declare statements are not allowed in class modules) named modNetstat with the following code:
'-------------------------------------------------modNetstat-------------------------------
Option Explicit
' ICMP statistics structures. These are the full Win32 layouts: GetIcmpStatistics
' fills both the inbound and the outbound MIBICMPSTATS, so a truncated type would
' be overrun when the function writes past its end.
Public Type MIBICMPSTATS
    dwMsgs As Long
    dwErrors As Long
    dwDestUnreachs As Long
    dwTimeExcds As Long
    dwParmProbs As Long
    dwSrcQuenchs As Long
    dwRedirects As Long
    dwEchos As Long
    dwEchoReps As Long
    dwTimestamps As Long
    dwTimestampReps As Long
    dwAddrMasks As Long
    dwAddrMaskReps As Long
End Type
Public Type MIBICMPINFO
    icmpInStats As MIBICMPSTATS
    icmpOutStats As MIBICMPSTATS
End Type
Public Type MIB_ICMP
    stats As MIBICMPINFO
End Type
' GetIcmpStatistics lets you inspect the current ICMP datagram traffic
Public Declare Function GetIcmpStatistics Lib "iphlpapi.dll" (pStats As MIBICMPINFO) As Long
Public Last_ICMP_Cnt As Integer
'-------------------------------------------------------------------------------
' TCP connection table structures
Public Type MIB_TCPROW
    dwState As Long
    dwLocalAddr As Long
    dwLocalPort As Long
    dwRemoteAddr As Long
    dwRemotePort As Long
End Type
Public Type MIB_TCPTABLE
    dwNumEntries As Long
    table(100) As MIB_TCPROW    ' room for 101 rows; with more connections GetTcpTable
                                ' returns ERROR_INSUFFICIENT_BUFFER and fills nothing
End Type
Public MIB_TCPTABLE As MIB_TCPTABLE    ' a variable of the type, so Len(MIB_TCPTABLE) gives the buffer size
Public Const ERROR_INSUFFICIENT_BUFFER As Long = 122
' The only dwState value that may be set at run time through SetTcpEntry
Public Const MIB_TCP_STATE_DELETE_TCB As Long = 12
' GetTcpTable returns every valid TCP connection on the system
Public Declare Function GetTcpTable Lib "iphlpapi.dll" (ByRef pTcpTable As MIB_TCPTABLE, ByRef pdwSize As Long, ByVal bOrder As Long) As Long
' SetTcpEntry lets us remove a suspicious connection
Public Declare Function SetTcpEntry Lib "IPhlpAPI" (pTcpRow As MIB_TCPROW) As Long 'This is used to close an open port.
' Names of the 13 connection states; the index is dwState, 0 meaning unknown
Public IP_States(13) As String
Private Last_Tcp_Cnt As Integer
'-------------------------------------------------------------------------------
' Winsock declarations
Private Const AF_INET = 2
Private Const IP_SUCCESS As Long = 0
Private Const MAX_WSADescription = 256
Private Const MAX_WSASYSStatus = 128
Private Const SOCKET_ERROR As Long = -1
Private Const WS_VERSION_REQD As Long = &H101
Type HOSTENT
    h_name As Long          ' official name of host
    h_aliases As Long       ' alias list
    h_addrtype As Integer   ' host address type
    h_length As Integer     ' length of address
    h_addr_list As Long     ' list of addresses
End Type
Type servent
    s_name As Long          ' (pointer to string) official service name
    s_aliases As Long       ' (pointer to string) alias list (might be null-separated with 2 null terminated)
    s_port As Long          ' port #
    s_proto As Long         ' (pointer to) protocol to use
End Type
Private Type WSADATA
    wVersion As Integer
    wHighVersion As Integer
    szDescription(0 To MAX_WSADescription) As Byte
    szSystemStatus(0 To MAX_WSASYSStatus) As Byte
    wMaxSockets As Long
    wMaxUDPDG As Long
    dwVendorInfo As Long
End Type
' ntohs converts a 16-bit port from network byte order to host byte order
Public Declare Function ntohs Lib "WSOCK32.DLL" (ByVal netshort As Long) As Long
' inet_addr converts an IP address from dotted-decimal text to an unsigned long
Private Declare Function inet_addr Lib "WSOCK32.DLL" (ByVal CP As String) As Long
' inet_ntoa converts an unsigned long IP address to dotted-decimal ASCII text
Private Declare Function inet_ntoa Lib "WSOCK32.DLL" (ByVal inn As Long) As Long
Private Declare Function gethostbyaddr Lib "WSOCK32.DLL" (Addr As Long, ByVal addr_len As Long, ByVal addr_type As Long) As Long
Private Declare Function gethostbyname Lib "WSOCK32.DLL" (ByVal host_name As String) As Long
Private Declare Function WSAStartup Lib "WSOCK32.DLL" (ByVal wVersionRequired As Long, lpWSADATA As WSADATA) As Long
Private Declare Function WSACleanup Lib "WSOCK32.DLL" () As Long
' When inet_ntoa returns non-zero, the value is a memory address. VB cannot dereference
' an address directly, so RtlMoveMemory is used to copy the data out of it.
Private Declare Sub RtlMoveMemory Lib "kernel32" (hpvDest As Any, ByVal hpvSource As Long, ByVal cbCopy As Long)
' Copies raw bytes between memory locations
Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Dest As Any, Src As Any, ByVal cb&)
Declare Function lstrlen Lib "kernel32" (ByVal lpString As Any) As Long
Private Blocked As Boolean
' Fills in the connection state names (the MIB_TCP_STATE_* values in order)
Sub InitStates()
    IP_States(0) = "Unknown"
    IP_States(1) = "CLOSED"
    IP_States(2) = "LISTEN"
    IP_States(3) = "SYN_SENT"
    IP_States(4) = "SYN_RCVD"
    IP_States(5) = "ESTABLISHED"
    IP_States(6) = "FIN_WAIT1"
    IP_States(7) = "FIN_WAIT2"
    IP_States(8) = "CLOSE_WAIT"
    IP_States(9) = "CLOSING"
    IP_States(10) = "LAST_ACK"
    IP_States(11) = "TIME_WAIT"
    IP_States(12) = "DELETE_TCB"
End Sub
' Converts a dwLocalAddr/dwRemoteAddr value to dotted-decimal text
Public Function GetAscIP(ByVal inn As Long) As String
    Dim nStr&
    Dim lpStr As Long
    Dim retString As String
    retString = String(32, 0)
    lpStr = inet_ntoa(inn)
    If lpStr Then
        nStr = lstrlen(lpStr)
        If nStr > 32 Then nStr = 32
        CopyMemory ByVal retString, ByVal lpStr, nStr
        retString = Left(retString, nStr)
        GetAscIP = retString
    Else
        GetAscIP = "Unable to get IP"
    End If
End Function
The log is a LOG file, so we wrap the functions it needs in a module of their own. Create a public standard module with the following code:
' Writes one log record to the file and shows it in the log window
Public Sub Log(RemA As String, RemP As String, LocP As String, Txt As String)
    Dim ff As Long
    ff = FreeFile
    ' Open the log file for appending
    Open App.Path & "\log.log" For Append As #ff
    ' Write the record (Write # quotes the strings and separates them with commas)
    Write #ff, Time & "-" & Date, RemA, RemP, LocP, Txt
    ' Show the record in the log window
    Frmlog.lstLog.ListItems.Add , , Time & "-" & Date
    Frmlog.lstLog.ListItems(Frmlog.lstLog.ListItems.Count).SubItems(1) = RemA
    Frmlog.lstLog.ListItems(Frmlog.lstLog.ListItems.Count).SubItems(2) = RemP
    Frmlog.lstLog.ListItems(Frmlog.lstLog.ListItems.Count).SubItems(3) = LocP
    Frmlog.lstLog.ListItems(Frmlog.lstLog.ListItems.Count).SubItems(4) = Txt
    ' Finish the log operation
    Close #ff
End Sub
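As an added example (not part of the article), the following Python reads the log.log file the Log procedure above produces and counts how often each remote address was blocked, which is what an analyst would do with the file after an incident. It assumes the record layout Write # produces (comma-separated fields, strings in double quotes, one record per line) and that the description column holds the text "Connection blocked"; the sample records are constructed, not taken from a real log.

```python
import csv
import io
from collections import Counter
from typing import Dict, List, NamedTuple


class LogEntry(NamedTuple):
    when: str
    remote_ip: str
    remote_port: int
    local_port: int
    note: str


def parse_firewall_log(text: str) -> List[LogEntry]:
    """Read records written by the VB Write # statement: comma-separated fields,
    strings in double quotes, one record per line. Damaged or blank lines are skipped
    rather than aborting the whole read."""
    entries = []
    for fields in csv.reader(io.StringIO(text)):
        if len(fields) != 5:
            continue
        when, ip, rport, lport, note = fields
        entries.append(LogEntry(when, ip, int(rport), int(lport), note))
    return entries


def blocks_per_remote(entries: List[LogEntry]) -> Dict[str, int]:
    """How many times each remote address was blocked; repeated hits from one
    address suggest an implant that keeps reconnecting."""
    return dict(Counter(e.remote_ip for e in entries if e.note == "Connection blocked"))


# Constructed sample log (not a real capture); the first field follows Time & "-" & Date
SAMPLE_LOG = '''"10:05:12-2005/1/1","198.51.100.7","4444","1050","Connection blocked"
"10:05:40-2005/1/1","198.51.100.7","4444","1051","Connection blocked"

"10:06:03-2005/1/1","203.0.113.5","80","1052","Block failed, error 5"
'''

if __name__ == "__main__":
    for ip, n in blocks_per_remote(parse_firewall_log(SAMPLE_LOG)).items():
        print(f"{ip}: blocked {n} time(s)")
```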
With the functions and API declarations wrapped up, next comes the window design and wiring up the features :)
First create the main form and name it frmMain. I don't want to stifle your creativity, but so that the final test works, please don't change the name :)
Choose Project > Components and add Microsoft Windows Common Controls 6.0 (SP4), as in Figure 1:
Tick the box in front of it and click OK :)
Back on the form, double-click Toolbar to add it, then right-click it and choose Properties.
Insert the buttons in order, as in Figure 2:
Index   Caption         Style            Image
1       Stop blocking   1-tbrCheck       (discussed below)
2       Refresh         0-tbrDefault
3       (empty)         3-tbrSeparator
4       View log        0-tbrDefault
Insert two ImageList controls and name them imgHot and imgCold.
Add the pictures in order; they are simply the icons shown on the buttons such as Stop blocking.
Right-click the Toolbar and open Properties, as in Figure 3:
Set the image list to imgCold and the hot image list to imgHot.
Now, in Figure 2, the number in the Image column is the index of the picture in the imgCold list :)
Add a ListView control.
Right-click > Properties > Column Headers
Index   Text          Width
1       Remote IP     adjust to taste :)
2       Remote port
3       Local port
4       State
Then add a Timer control named tmrRefresh; it refreshes the connection list.
Set Interval to 250.
The finished window looks like the figure:
Add the following code:
' Module-level variables
Private lC As Integer
Public Blk As String
Private a_RemA(1000) As String
Private a_LocP(1000) As String
Private a_RemP(1000) As String
Private a_Count As Long
' Refreshes the connection list. force redraws it even when the row count is unchanged;
' without force a connection replaced by another one leaves the count the same and is
' not redrawn until the next change.
Public Function RefreshTable(Optional force As Boolean = False)
    Dim tcpt As MIB_TCPTABLE, l As Long
    Dim x As Integer, i As Integer
    Dim RemA As String, LocP As String, RemP As String
    l = Len(tcpt)    ' size of the buffer we pass in
    If GetTcpTable(tcpt, l, 0) <> 0 Then
        ' A non-zero return is a Win32 error code, usually ERROR_INSUFFICIENT_BUFFER (122)
        ' when there are more than 101 connections; tcpt holds nothing valid in that case
        Exit Function
    End If
    x = tcpt.dwNumEntries
    If x <> lC Or force Then
        lC = x
        ListView1.ListItems.Clear
        For i = 0 To x - 1
            RemA = GetAscIP(tcpt.table(i).dwRemoteAddr)
            RemP = ntohs(tcpt.table(i).dwRemotePort)
            LocP = ntohs(tcpt.table(i).dwLocalPort)
            ListView1.ListItems.Add , "x" & i, RemA
            ListView1.ListItems(ListView1.ListItems.Count).SubItems(1) = RemP
            ListView1.ListItems(ListView1.ListItems.Count).SubItems(2) = LocP
            ' dwState indexes the names filled in by InitStates
            ListView1.ListItems(ListView1.ListItems.Count).SubItems(3) = modNetstat.IP_States(tcpt.table(i).dwState)
        Next i
    End If
End Function
Private Sub Form_Load()
    ' Fill in the connection state names
    modNetstat.InitStates
    ' Refresh the connection list right away
    RefreshTable
End Sub
Private Sub ListView1_MouseUp(Button As Integer, Shift As Integer, x As Single, y As Single)
    ' Was it the right mouse button?
    If Button = 2 And ListView1.ListItems.Count > 0 Then
        ' Show the control menu, described below
        frmMain.PopupMenu frmMenu.mnuConn
    End If
End Sub
Private Sub tmrRefresh_Timer()
    ' Refresh the connection list on every tick
    RefreshTable
End Sub
Public Sub Toolbar1_ButtonClick(ByVal Button As MSComctlLib.Button)
    Select Case Button.Index
        Case 1
            ' Stop/resume button. Its style is tbrCheck, so Value tells us whether it is
            ' pressed; comparing the caption would fail because the designer caption is
            ' "Stop blocking"
            If Button.Value = tbrPressed Then
                Button.Caption = "Resume"
                Button.ToolTipText = "Resume monitoring"
                tmrRefresh.Enabled = False    ' stop refreshing the connection list
            Else
                Button.Caption = "Stop blocking"
                Button.ToolTipText = "Stop monitoring"
                tmrRefresh.Enabled = True
            End If
        Case 2
            ' Refresh button
            RefreshTable
        Case 4
            ' Show the log window
            Frmlog.Show
    End Select
End Sub
Now the control menu, that is, the Block connection item shown when you right-click the connection list.
Create a new form named frmMenu; it only needs a menu, as in the figure:
Set the menu properties:
Caption             Name
mnuConn             mnuConn
Block connection    mnuDis
As in the figure:
Now add the following code:
Private Sub mnuDis_Click()
    Const MIB_TCP_STATE_DELETE_TCB As Long = 12
    Dim tcpt As MIB_TCPTABLE
    Dim l As Long
    Dim i As Long
    Dim ret As Long
    Dim RemA As String, RemP As String, LocP As String
    If frmMain.ListView1.SelectedItem Is Nothing Then Exit Sub
    ' Read the selected row from the main window's list
    With frmMain.ListView1.SelectedItem
        RemA = .Text
        RemP = .SubItems(1)
        LocP = .SubItems(2)
    End With
    ' Re-read the live table: it may have changed since the list was drawn, so find the
    ' row by address and ports rather than by its position in the list
    l = Len(tcpt)
    If GetTcpTable(tcpt, l, 0) <> 0 Then Exit Sub
    For i = 0 To tcpt.dwNumEntries - 1
        If GetAscIP(tcpt.table(i).dwRemoteAddr) = RemA _
           And CStr(ntohs(tcpt.table(i).dwRemotePort)) = RemP _
           And CStr(ntohs(tcpt.table(i).dwLocalPort)) = LocP Then
            ' Drop the TCP connection; remember the function from the introduction?
            tcpt.table(i).dwState = MIB_TCP_STATE_DELETE_TCB
            ret = SetTcpEntry(tcpt.table(i))
            DoEvents
            ' Write the outcome to the log. SetTcpEntry needs administrator rights and
            ' returns a non-zero Win32 error code when it fails
            If ret = 0 Then
                Log RemA, RemP, LocP, "Connection blocked"
            Else
                Log RemA, RemP, LocP, "Block failed, error " & ret
            End If
            Exit For
        End If
    Next i
End Sub
Finally the log window: create a form named Frmlog.
It uses one ListView and one CommandButton; arrange them as in the figure.
ListView properties
Name: lstLog
Column header index   Text   (adjust the widths to taste)
1       Time
2       IP
3       Remote port
4       Local port
5       Description
Add the following code:
Private Sub Command1_Click()
    Dim r As VbMsgBoxResult
    ' vbQuestion and vbYesNo are flags and must be added, not joined with &
    r = MsgBox("The firewall log is an effective way to check for intrusions!" & vbCrLf & vbCrLf & "Clear the log?", vbQuestion + vbYesNo, "Warning!")
    ' If the answer was Yes
    If r = vbYes Then
        Dim ff As Long
        ff = FreeFile
        ' Open the log for output and write nothing, which truncates it
        Open App.Path & "\log.log" For Output As #ff
        Close #ff
        ' Clear the list
        lstLog.ListItems.Clear
    End If
End Sub
After running the program, it successfully blocked a dial-up password stealing trojan I had developed earlier, as shown in the figure:
The first time it obtained the password there was no blocking; after blocking, it reported that it could not connect.