How do I know which process used the specific TCP port using kernel Functions ?

How do I know which process used the specific TCP port using kernel Functions ?

thanks.

On 9/10/2010 10:08 AM, xxxxx@gmail.com wrote:

How do I know which process used the specific TCP port using kernel Functions ?

Are you running pre-Vista? If so, then you need to go with a filter such
as the one Mr. Divine offers; check out his site pcausa.com. Otherwise you
can leverage the WFP framework. Using one of these methods you can, most
of the time, determine the process, since the upper layers are called in
context or at least while impersonating.

Pete


Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295

thanks.
but, I need more detail.

On 9/10/2010 9:50 PM, xxxxx@gmail.com wrote:

thanks.
but, I need more detail.

Not sure what you are asking for short of code … in either model the
port access is called in the process context. Hence just call
PsGetCurrentProcess() while you are in the context of the process; this will
give the process that is accessing some given port. You know which port
is being accessed by maintaining context as to which process is
connected to which port.

You should start with the WFP framework, there are several examples
which show you how to track port access.

Pete


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer


Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295

I think the OP is probably interested in making that correlation during
network packet processing and in general (and especially for receive) the
packet processing is not necessarily in the context of any related process.

Regards,
Dave Cattley

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Peter Scott
Sent: Saturday, September 11, 2010 12:39 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] How do I know which process used the specific TCP port using kernel Functions ?

On 9/10/2010 9:50 PM, xxxxx@gmail.com wrote:

thanks.
but, I need more detail.

Not sure what you are asking for short of code … in either model the
port access is called in the process context. Hence just call
PsGetCurrentProcess() while you are in the context of the process; this will
give the process that is accessing some given port. You know which port
is being accessed by maintaining context as to which process is
connected to which port.

You should start with the WFP framework, there are several examples
which show you how to track port access.

Pete




Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295


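Pete's advice amounts to recording the port-to-process pairing at bind/connect time and consulting that record later, because, as Dave points out, the packet path (receive in particular) runs in no useful process context. The sketch below is an added example, not code from the thread or from any WFP sample: it keeps that record as a small open-addressing hash keyed by (local port, protocol), with the kernel calls left out so it compiles and runs anywhere. In a callout driver the pid argument would be PsGetCurrentProcessId() taken in the ALE bind/connect classify callback, release would be driven from the endpoint-closure layer, and the table would sit in nonpaged pool under a spin lock.

```c
#include <stdint.h>
#define TABLE_SIZE 1024u   /* power of two */
enum { SLOT_FREE = 0, SLOT_USED = 1, SLOT_DEAD = 2 };
typedef struct {
    uint16_t port;    /* local port, host byte order */
    uint8_t  proto;   /* 6 = TCP, 17 = UDP */
    uint8_t  state;
    uint32_t pid;     /* owner recorded at bind/connect time */
} port_owner;
/* In a driver this lives in nonpaged pool under a spin lock (callouts may run at DISPATCH_LEVEL). */
static port_owner g_owners[TABLE_SIZE];

static unsigned probe_start(uint16_t port, uint8_t proto) {
    return ((((unsigned)port << 3) ^ proto) * 2654435761u) & (TABLE_SIZE - 1);
}
/* Walk the probe chain: a live match wins; when inserting, fall back to the first free or tombstoned slot. */
static int probe(uint16_t port, uint8_t proto, int insert) {
    unsigned i = probe_start(port, proto), n;
    int reusable = -1;
    for (n = 0; n < TABLE_SIZE; n++, i = (i + 1) & (TABLE_SIZE - 1)) {
        port_owner *e = &g_owners[i];
        if (e->state == SLOT_USED) {
            if (e->port == port && e->proto == proto) return (int)i;
        } else {
            if (reusable < 0) reusable = (int)i;
            if (e->state == SLOT_FREE) break;   /* end of chain; tombstones are stepped over */
        }
    }
    return insert ? reusable : -1;
}

/* Record at bind/connect time, where the opening process is the current one. */
int port_owner_record(uint16_t port, uint8_t proto, uint32_t pid) {
    int i = probe(port, proto, 1);
    if (i < 0) return -1;                       /* table full */
    g_owners[i].port = port;  g_owners[i].proto = proto;
    g_owners[i].pid  = pid;   g_owners[i].state = SLOT_USED;
    return 0;
}

/* Look up from the packet path, where no process context is available; returns 1 if known. */
int port_owner_lookup(uint16_t port, uint8_t proto, uint32_t *pid) {
    int i = probe(port, proto, 0);
    if (i >= 0) *pid = g_owners[i].pid;
    return i >= 0;
}

/* Release at endpoint closure so a later reuse of the port is not misattributed. */
void port_owner_release(uint16_t port, uint8_t proto) {
    int i = probe(port, proto, 0);
    if (i >= 0) g_owners[i].state = SLOT_DEAD;  /* tombstone keeps probe chains intact */
}
```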