Sign in to follow this  
irreversible

dns look-up and port-to-process methods

Recommended Posts

irreversible    2860
I'm trying to write a small traffic observer on the local system - basically just to get up to speed with Winsock to ready myself to write a working WAN simulator. In the process I got somewhat interested in some of the traffic that's going on on my computer, so I made a little detour and started to expand on the traffic observer. I've run into some questions, though. 1. gethostbyaddr() fails for some IP -> address look-ups, such as 64.233.183.103 (www.google.com) - is that because of the quality of the DNS server? If not, then why? 2. port scanning can be used to determine which port is listening on a given computer. That information isn't quite enough for resolving a port to a process id. I've read up on the issue a little and it seems there's no truly reliable way of doing this, so what I'd like to do is a brute-force method for those processes that can actually be opened. Code injection seems to be the next possibility - I don't want to do that. DiamondCS with its PortExplorer seems to've worked out a few methods to resolve open ports to processes fast and effectively, but they're also holding on to their little secrets. Thus, brute force is the way to go for me. The problem is, I can't find any information on how it's actually done. How is the connection made between a port and a process? I assume the first step is port scanning (although knowing the ports, it's a little more reasonable to do a reverse lookup from the list of ports that are known to be open). Cheers

Share this post


Link to post
Share on other sites
hplus0603    11348
For commands, "netstat -nao" on Windows, and "netstat -nap" on UNIX will tell you what process owns what endpoint.

If you really want to know how to do this, then either read the source for netstat (if you're on UNIX -- likely gropes around /proc) or disassemble the netstat binary on Windows.

Share this post


Link to post
Share on other sites
Guest Anonymous Poster   
Guest Anonymous Poster
or download netstatp source code as previously posted :)

Share this post


Link to post
Share on other sites
irreversible    2860
Well. Silly me, hoping for a nice snippet-like example... There's nothing more annoying than getting side-tracked and having to do rigorous research to get things working that are only remotely related to your primary goal. Ahh - I suppose I should hate myself for it...

As far as port-to-process mapping goes, I'd be content with a description of what to do - I think I could write the code myself. The problem is, there isn't much on this on the web.

Apparently it's the same for implementing a custom digital signature validator - there's just no simple way; you have to go through a heap of documentation and get mangled up in all the non-essentials before you can get something working.

Sigh, I say. Sigh!

Share this post


Link to post
Share on other sites
irreversible    2860
Okay - my previous post was rash-ish: netstatp's source code provides exactly what I need with a very small code surplus. Yay! And thanks!

That leaves the first question, though. Why can't some IP's be resolved to their respective addresses (Google [64.233.183.103] is a prime example)?

Share this post


Link to post
Share on other sites
irreversible    2860
A related question - can windows DLL's be redistributed freely (for hatever sick occasion they might not be present on a target system)? More specifically, IpHlpAPI.dll. And why does MSDN say it should only work on Vista, but at least portions of it run just fine on my XP. Furthermore, with the DLL being redistributed with the exe, can it be presumed to work on Windows 2000?

Share this post


Link to post
Share on other sites
hplus0603    11348
Quote:
Why can't some IP's be resolved to their respective addresses


Probably because they haven't bothered setting up reverse DNS mapping. For each a.b.c.d A record, there's supposed to be a d.c.b.a.ip-addr.arpa PTR record that does the reverse. However, not everyone actually sets this up.

Quote:
can windows DLL's be redistributed freely


That depends on the DLL. The re-distributable DLLs are listed on various parts of the Microsoft web site. Only if it is explicitly redistributable (with an SDK license, etc), can you actually redistribute it, and you must comply with any conditions (such as using microsoft installer, etc).

If a DLL is intended to work on Windows Vista only, and "happens" to work on XP, I would not assume that it'll work on Win2k.

However, at least certain functions in the iphlpapi.dll have the following description on MSDN:
Quote:
Requires Windows Vista, Windows XP, Windows 2000 Professional, Windows NT Workstation 4.0 SP4 and later, Windows Me, or Windows 98.


Which seems to indicate support is widespread. Check the function in question.

Last, there is a special networking improvement for Windows XP, called the "advanced networking pack" (which adds IPv6, among other things). Read more about it In the Microsoft Knowledgebase.

Share this post


Link to post
Share on other sites
irreversible    2860
The function in question is AllocateAndGetTcpExTableFromStack.

Notice that:


Requirements
Client Requires Windows Vista.
Server Requires Windows Server "Longhorn".
Header Iphlpapi.h.
Library Iphlpapi.lib.
DLL Iphlpapi.dll.


Works like candy on my XP.

edit:

"Probably because they haven't bothered setting up reverse DNS mapping. For each a.b.c.d A record, there's supposed to be a d.c.b.a.ip-addr.arpa PTR record that does the reverse. However, not everyone actually sets this up."

So that still means that my default DNS is no good and that by querying some other DNS I might get the resolved address? This prompts two questions:

1) is there any way to specify a DNS server for a single query in WinSock?
2) is there a list of the "most reliable"/complete DNS servers on the web?

[Edited by - irreversible on August 20, 2006 8:32:35 AM]

Share this post


Link to post
Share on other sites
hplus0603    11348
Quote:
So that still means that my default DNS is no good


Not likely. The reverse IP for an IP range is mastered by the owner of that IP block, and has little to nothing to do with your default DNS. I'm assuming this is the case where you can't get the reverse of some server that you got www.google.com mapped to. If the problem is actually that a domain you have doesn't have a reverse, then the problem is with the ISP for your server.

As an example:

[jwatte@newextssh ~]$ host www.mindcontrol.org
www.mindcontrol.org has address 69.17.45.136
[jwatte@newextssh ~]$ host -r 69.17.45.136
136.45.17.69.in-addr.arpa has no PTR record
[jwatte@newextssh ~]$


This tells me that my ISP (Speakeasy) actually aren't running reverse DNS for the IP address they gave me -- badness! I need to get on them about that.

Most DNS servers on the web don't allow recursive querying from hosts not on their local network, so pointing your machine at a DNS server other than your ISP (or a DNS server you run on your own) is unlikely to work. If you want, download and install the latest version of BIND, point it at the root servers, and have fun!

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

Sign in to follow this