There are many different ways to find out which process is sending TCP/UDP traffic on a computer system, but not many for ICMP traffic.

Here is a summary of how to do it.

1. Install a local firewall

You can always try installing a firewall that blocks outbound traffic, or use the Windows Firewall. When traffic is generated it can prompt you and ask whether you want to allow it or not. In many cases it will tell you which application is generating the traffic.

2. Commands

2.1 The netstat command

The netstat command is good for TCP/UDP traffic.

For example: netstat -tabn 10 | find ":80"

NETSTAT [-a] [-b] [-e] [-f] [-n] [-o] [-p proto] [-r] [-s] [-t] [interval]

  -a            Displays all connections and listening ports.
  -b            Displays the executable involved in creating each connection or
                listening port. In some cases well-known executables host
                multiple independent components, and in these cases the
                sequence of components involved in creating the connection
                or listening port is displayed. In this case the executable
                name is in [] at the bottom, on top is the component it called,
                and so forth until TCP/IP was reached. Note that this option
                can be time-consuming and will fail unless you have sufficient
                permissions.
  -e            Displays Ethernet statistics. This may be combined with the -s
                option.
  -f            Displays Fully Qualified Domain Names (FQDN) for foreign
                addresses.
  -n            Displays addresses and port numbers in numerical form.
  -o            Displays the owning process ID associated with each connection.
  -p proto      Shows connections for the protocol specified by proto; proto
                may be any of: TCP, UDP, TCPv6, or UDPv6. If used with the -s
                option to display per-protocol statistics, proto may be any of:
                IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6.
  -r            Displays the routing table.
  -s            Displays per-protocol statistics. By default, statistics are
                shown for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6;
                the -p option may be used to specify a subset of the default.
  -t            Displays the current connection offload state.
  interval      Redisplays selected statistics, pausing interval seconds
                between each display. Press CTRL+C to stop redisplaying
                statistics. If omitted, netstat will print the current
                configuration information once.

But for ICMP traffic it can only show statistics. It cannot show the process name the way it does for UDP/TCP traffic.

C:\test>netstat -s -p icmp

ICMPv4 Statistics

                            Received    Sent
  Messages                  3794        20504
  Errors                    0           0
  Destination Unreachable   39          484
  Time Exceeded             3           0
  Parameter Problems        0           0
  Source Quenches           0           0
  Redirects                 0           0
  Echo Replies              3750        2
  Echos                     2           20018
  Timestamps                0           0
  Timestamp Replies         0           0
  Address Masks             0           0
  Address Mask Replies      0           0
  Router Solicitations      0           0
  Router Advertisements     0           0

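Since netstat only gives counters for ICMP, the useful thing to do with them is to sample twice and look at the difference: if the "Echos" sent column keeps climbing, something on the host is still emitting echo requests. The script below is an added example, not part of the original post; it parses the "netstat -s -p icmp" table shown above and reports the per-interval echo request/reply deltas, which is the check you want running while you suspend suspect processes one at a time (section 2.2). It assumes the English row labels netstat prints on an English Windows install.

```powershell
# Added example (not from the original post): turn the ICMP statistics from
# "netstat -s -p icmp" into a rate, so you can tell whether the host is still
# sending echo requests while you narrow down the responsible process.

function Get-IcmpCounters {
    # Runs "netstat -s -p icmp" and returns a hashtable of
    # counter name -> @{ Received = n; Sent = n }.
    # Only the table rows (a label followed by two numeric columns) are parsed;
    # the "ICMPv4 Statistics" title and the Received/Sent header are skipped.
    # Assumption: English row labels ("Echos", "Echo Replies", ...); netstat
    # localizes them on non-English Windows.
    $counters = @{}
    $rowPattern = '^\s*(?<Name>[A-Za-z][A-Za-z ]*?)\s{2,}(?<Received>\d+)\s+(?<Sent>\d+)\s*$'
    foreach ($line in (& netstat -s -p icmp)) {
        if ($line -match $rowPattern) {
            $counters[$Matches.Name] = @{
                Received = [int64]$Matches.Received
                Sent     = [int64]$Matches.Sent
            }
        }
    }
    if (-not $counters.ContainsKey('Echos')) {
        throw 'Could not find the "Echos" row; netstat output may be localized.'
    }
    return $counters
}

function Watch-IcmpEchoRate {
    param(
        [int]$IntervalSeconds = 5,
        [int]$Samples = 6
    )
    $previous = Get-IcmpCounters
    for ($i = 1; $i -le $Samples; $i++) {
        Start-Sleep -Seconds $IntervalSeconds
        $current = Get-IcmpCounters
        # "Echos" is the echo-request row, "Echo Replies" the reply row.
        $sentDelta  = $current['Echos'].Sent - $previous['Echos'].Sent
        $replyDelta = $current['Echo Replies'].Received - $previous['Echo Replies'].Received
        [pscustomobject]@{
            Time            = Get-Date -Format 'HH:mm:ss'
            EchoRequestsOut = $sentDelta
            EchoRepliesIn   = $replyDelta
            RequestsPerSec  = [math]::Round($sentDelta / $IntervalSeconds, 2)
        }
        $previous = $current
    }
}

# Six samples, five seconds apart: a steady non-zero EchoRequestsOut while the
# user is idle is the symptom this post is about.
Watch-IcmpEchoRate -IntervalSeconds 5 -Samples 6 | Format-Table -AutoSize
```

The counters are cumulative since boot, so only the deltas are meaningful; a burst of "Destination Unreachable" would show up the same way if you extend the function to report that row.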
2.2 Windows Sysinternals Suite tools
The Windows Sysinternals Suite provides some useful tools to show which processes have loaded certain DLL files that are usually associated with ICMP traffic.

We can use ListDLLs or Process Explorer to determine which processes have loaded them. Suspend them one by one and note when the ICMP traffic stops.

C:\Documents and Settings\user>listdlls -d icmp

ListDLLs v3.1 - List loaded DLLs
Copyright (C) 1997-2011 Mark Russinovich
Sysinternals - www.sysinternals.com

----------------------------------------------------------------
Belkinwcui.exe pid: 2484
Command line: "C:\Program Files\Belkin\F5D7050v3\Belkinwcui.exe"

Base        Size      Path
0x74290000  0x4000    ICMP.DLL

Use the tasklist command (see below) to determine which process has loaded iphlpapi.dll or ICMP.dll (for example, I found that ping.exe only uses iphlpapi.dll, while tracert.exe uses both).

C:\test>tasklist /m iphlpapi.dll

Image Name                     PID Modules
========================= ======== ============================================
chrome.exe                    8568 iphlpapi.dll
chrome.exe                     168 iphlpapi.dll
chrome.exe                    7600 iphlpapi.dll
chrome.exe                    3620 iphlpapi.dll
chrome.exe                    6820 iphlpapi.dll
chrome.exe                    8616 iphlpapi.dll
chrome.exe                    7576 iphlpapi.dll
chrome.exe                    6624 iphlpapi.dll
chrome.exe                    8128 iphlpapi.dll
taskhost.exe                  7048 iphlpapi.dll
splwow64.exe                  7440 iphlpapi.dll
chrome.exe                    8572 iphlpapi.dll
chrome.exe                    8144 iphlpapi.dll
chrome.exe                    6164 iphlpapi.dll
OSPPSVC.exe                   8048 iphlpapi.dll
ping.exe                      4272 IPHLPAPI.DLL

C:\test>tasklist /m iphlpapi.dll

Image Name                     PID Modules
========================= ======== ============================================
lsass.exe                      604 iphlpapi.dll
svchost.exe                    912 iphlpapi.dll
svchost.exe                    968 iphlpapi.dll
svchost.exe                    992 iphlpapi.dll
svchost.exe                    336 iphlpapi.dll
svchost.exe                    608 iphlpapi.dll
svchost.exe                   1228 iphlpapi.dll
svchost.exe                   1320 iphlpapi.dll
wlanext.exe                   1352 iphlpapi.dll
spoolsv.exe                   1560 iphlpapi.dll
btwdins.exe                   1860 iphlpapi.dll
OfficeClicktorun.exe          1884 iphlpapi.dll
svchost.exe                   2004 iphlpapi.dll
evteng.exe                    2036 iphlpapi.dll
swicarddetect64.exe           2588 iphlpapi.dll
wmiprvse.exe                  1704 iphlpapi.dll
svchost.exe                   4316 iphlpapi.dll
Explorer.exe                  4108 iphlpapi.dll
btstackserver.exe             5632 iphlpapi.dll
svchost.exe                   1868 iphlpapi.dll
chrome.exe                    8536 iphlpapi.dll
chrome.exe                    7816 iphlpapi.dll
tracert.exe                   9000 iphlpapi.DLL

C:\test>tasklist /M icmp.dll

Image Name                     PID Modules
========================= ======== ============================================
tracert.exe                   9000 ICMP.dll

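The same DLL-loading check can be done from PowerShell without the Sysinternals tools or repeated tasklist runs. The function below is an added example, not the post's own code or a Sysinternals tool: it walks every process, looks for icmp.dll and iphlpapi.dll in the loaded module list, and reports processes whose modules cannot be read (protected processes, a 32-bit PowerShell looking at 64-bit processes, or a non-elevated session) instead of silently dropping them. It goes slightly beyond the post by ranking icmp.dll hits first, because, as the tasklist output above shows, iphlpapi.dll is loaded by plenty of processes that never send a packet. One caveat the post does not spell out: a program can send ICMP through a raw Winsock socket without loading either DLL, so absence from this list is not proof of innocence.

```powershell
# Added example (not from the original post): a PowerShell equivalent of
# "listdlls -d icmp" / "tasklist /M icmp.dll" that lists every process with
# one of the ICMP helper DLLs loaded and says which DLL it is.

function Find-IcmpModuleLoaders {
    param(
        # DLL names the post identifies as the usual ICMP helpers.
        [string[]]$ModuleNames = @('icmp.dll', 'iphlpapi.dll')
    )
    $wanted = $ModuleNames | ForEach-Object { $_.ToLowerInvariant() }
    foreach ($proc in Get-Process) {
        try {
            # .Modules throws for protected processes, for processes of the
            # other bitness, and when the session is not elevated. Those are
            # reported as a row rather than skipped, so gaps are visible.
            $modules = $proc.Modules
        } catch {
            [pscustomobject]@{
                ProcessName = $proc.ProcessName
                PID         = $proc.Id
                Module      = '<modules not readable: access denied or bitness mismatch>'
                Path        = $null
            }
            continue
        }
        foreach ($m in $modules) {
            if ($wanted -contains $m.ModuleName.ToLowerInvariant()) {
                [pscustomobject]@{
                    ProcessName = $proc.ProcessName
                    PID         = $proc.Id
                    Module      = $m.ModuleName
                    Path        = $m.FileName
                }
            }
        }
    }
}

# icmp.dll is the narrower signal, so list those processes first; the
# iphlpapi.dll rows follow sorted by name.
Find-IcmpModuleLoaders |
    Sort-Object @{ Expression = { $_.Module -ieq 'icmp.dll' }; Descending = $true }, ProcessName |
    Format-Table -AutoSize
```

Run it from an elevated 64-bit PowerShell so the "not readable" rows are limited to genuinely protected processes, and re-run it alongside the netstat counter check from section 2.1 as you suspend candidates.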
3. The netsh command for low-level capture of network traffic
You can use the new built-in ETL tracing at the NDIS layer. All you need to do is start a new ETL packet capture session. This method does not even require you to install any sniffing software (Network Monitor, Wireshark, etc.). You can also use this option to capture regular packets on Windows 7 / Windows 2008 R2:

netsh trace start capture=yes tracefile=c:\test\c1.etl

netsh trace stop

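What the netsh capture gives you is the packets themselves, not the sending process, so its job here is to confirm that ICMP is really leaving the host and when. The script below is an added example and not from the original post: it wraps the start/stop pair above in a timed capture and then counts the ICMPv4 frames in the ETL with Get-WinEvent, with no extra sniffer. Reading the frames relies on the Microsoft-Windows-NDIS-PacketCapture provider's event 1001 carrying the raw frame bytes as its fourth property; that property position is an assumption you should confirm against the first event of your own trace, and the trace path and 30-second window are made-up values.

```powershell
# Added example (not from the original post): timed "netsh trace" capture,
# then a count of ICMPv4 echo requests/replies read back from the ETL file.

function Invoke-TimedNdisCapture {
    param(
        [string]$TraceFile = 'C:\test\c1.etl',   # assumed path, as in the post
        [int]$Seconds = 30
    )
    New-Item -ItemType Directory -Force -Path (Split-Path $TraceFile) | Out-Null
    & netsh trace start capture=yes tracefile=$TraceFile | Out-Null
    Start-Sleep -Seconds $Seconds
    & netsh trace stop | Out-Null
    return $TraceFile
}

function Test-IsIcmpv4Frame {
    param([byte[]]$Frame)
    # Ethernet II: EtherType at bytes 12-13. The IPv4 header starts at byte 14
    # and its Protocol field is header offset 9, i.e. frame byte 23 (1 = ICMP).
    if ($Frame.Length -lt 24) { return $false }
    $etherType = ($Frame[12] -shl 8) -bor $Frame[13]
    return ($etherType -eq 0x0800) -and ($Frame[23] -eq 1)
}

function Get-IcmpFrameSummary {
    param([string]$TraceFile)
    $summary = @{ Frames = 0; Icmpv4 = 0; EchoRequests = 0; EchoReplies = 0 }
    # -Oldest is required when Get-WinEvent reads an .etl file directly.
    Get-WinEvent -Path $TraceFile -Oldest |
        Where-Object { $_.ProviderName -eq 'Microsoft-Windows-NDIS-PacketCapture' -and $_.Id -eq 1001 } |
        ForEach-Object {
            # Assumption: property index 3 of event 1001 is the packet fragment.
            $frame = [byte[]]$_.Properties[3].Value
            $summary['Frames']++
            if (Test-IsIcmpv4Frame $frame) {
                $summary['Icmpv4']++
                # IHL (header length in 32-bit words) is the low nibble of byte 14;
                # the ICMP type byte immediately follows the IP header.
                $ihl = ($frame[14] -band 0x0F) * 4
                if ($frame.Length -gt 14 + $ihl) {
                    $icmpType = $frame[14 + $ihl]
                    if ($icmpType -eq 8)     { $summary['EchoRequests']++ }
                    elseif ($icmpType -eq 0) { $summary['EchoReplies']++ }
                }
            }
        }
    return [pscustomobject]$summary
}

# Capture for 30 seconds (needs an elevated prompt), then summarize.
$etl = Invoke-TimedNdisCapture -TraceFile 'C:\test\c1.etl' -Seconds 30
Get-IcmpFrameSummary -TraceFile $etl
```

A non-zero EchoRequests count in a window where nobody ran ping or tracert is the confirmation; go back to the DLL checks in section 2.2 to attribute it to a process.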

4. Microsoft Message Analyzer

Microsoft Message Analyzer lets you capture, display and analyze protocol messaging traffic, and trace and assess system events and other messages from Windows components.

5. Some Windows Sysinternals Suite tools

TCPView

Procexp

Sysmon collects network connections

Install:
sysmon -i -accepteula [options]

  • Extracts the binaries into %SystemRoot%
  • Registers the event log manifest
  • Enables the default configuration

View and update the configuration:

sysmon -c [options]

  • Updates take effect immediately
  • Options can be basic options or a configuration file

Register the event manifest only, for viewing logs:
sysmon -m

Uninstall:
sysmon -u

C:\ISOScripting>sysmon64 -i -accepteula


System Monitor v7.02 - System activity monitor
Copyright (C) 2014-2018 Mark Russinovich and Thomas Garnier
Sysinternals - www.sysinternals.com

Sysmon64 installed.
SysmonDrv installed.
Starting SysmonDrv.
SysmonDrv started.
Starting Sysmon64..
Sysmon64 started.
C:\ISOScripting>sysmon64 -c


System Monitor v7.02 - System activity monitor
Copyright (C) 2014-2018 Mark Russinovich and Thomas Garnier
Sysinternals - www.sysinternals.com

Current configuration:
 - Service name:                  Sysmon64
 - Driver name:                   SysmonDrv
 - HashingAlgorithms:             SHA1
 - Network connection:            disabled
 - Image loading:                 disabled
 - CRL checking:                  disabled
 - Process Access:                disabled

No rules installed

C:\ISOScripting>sysmon64 -c -n


System Monitor v7.02 - System activity monitor
Copyright (C) 2014-2018 Mark Russinovich and Thomas Garnier
Sysinternals - www.sysinternals.com

Configuration updated.


C:\ISOScripting>sysmon64 -c


System Monitor v7.02 - System activity monitor
Copyright (C) 2014-2018 Mark Russinovich and Thomas Garnier
Sysinternals - www.sysinternals.com

Current configuration:
 - Service name:                  Sysmon64
 - Driver name:                   SysmonDrv
 - HashingAlgorithms:             SHA1
 - Network connection:            enabled
 - Image loading:                 disabled
 - CRL checking:                  disabled
 - Process Access:                disabled

No rules installed

C:\ISOScripting>Sysmon64.exe -u


System Monitor v7.02 - System activity monitor
Copyright (C) 2014-2018 Mark Russinovich and Thomas Garnier
Sysinternals - www.sysinternals.com

Stopping Sysmon64.
Sysmon64 stopped.
Sysmon64 removed.
Stopping SysmonDrv.
SysmonDrv stopped.
SysmonDrv removed.
Removing service files................
Failed to delete C:\windows\Sysmon64.exe
C:\ISOScripting>sysmon64 /?


System Monitor v7.02 - System activity monitor
Copyright (C) 2014-2018 Mark Russinovich and Thomas Garnier
Sysinternals - www.sysinternals.com

Usage:
Install:    sysmon64 -i [<configfile>]
              [-h <[sha1|md5|sha256|imphash|*],...>] [-n [<process,...>]]
              [-l [<process,...>]
Configure:  sysmon64 -c [<configfile>]
              [--|[-h <[sha1|md5|sha256|imphash|*],...>] [-n [<process,...>]]
              [-l [<process,...>]]]
Uninstall:  sysmon64 -u
  -c   Update configuration of an installed Sysmon driver or dump the
       current configuration if no other argument is provided. Optionally
       take a configuration file.
  -d   Specify the name of the installed device driver image.
       Configuration entry: DriverName.
       The service image and service name will be the same
       name of the Sysmon.exe executable image.
  -h   Specify the hash algorithms used for image identification (default
       is SHA1). It supports multiple algorithms at the same time.
       Configuration entry: HashAlgorithms.
  -i   Install service and driver. Optionally take a configuration file.
  -l   Log loading of modules. Optionally take a list of processes to track.
  -m   Install the event manifest (done on service install as well).
  -n   Log network connections. Optionally take a list of processes to track.
  -r   Check for signature certificate revocation.
       Configuration entry: CheckRevocation.
  -s   Print configuration schema definition of the specified version.
       Specify 'all' to dump all schema versions (default is latest).
  -u   Uninstall service and driver.

The service logs events immediately and the driver installs as a boot-start
driver to capture activity from early in the boot that the service will write
to the event log when it starts.

On Vista and higher, events are stored in "Applications and Services
Logs/Microsoft/Windows/Sysmon/Operational". On older systems, events are
written to the System event log.

If you need more information on configuration files, use the '-? config'
command. More examples are available on the Sysinternals website.

Specify -accepteula to automatically accept the EULA on installation,
otherwise you will be interactively prompted to accept it.

Neither install nor uninstall requires a reboot.

C:\ISOScripting>
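The "sysmon64 -c -n" run above turns network connection logging on with a command-line switch; for a setting you want to keep and review, the configuration-file form is better. The script below is an added example and not from the original post or from Sysinternals: it writes a minimal Sysmon configuration that keeps every network connection event, applies it with "-c", and then groups recent Event ID 3 records by originating image and protocol. The config path, schema version and query window are made-up values; check the schema version your binary accepts with "sysmon64 -s" before applying it. One caveat worth knowing before you rely on this for the ICMP case: Sysmon's network connection event records TCP and UDP connections only, so it will attribute the host's TCP/UDP traffic to processes but will not show ICMP at all. For ICMP, stay with the DLL-loading checks in section 2.2 and the netsh capture in section 3.

```powershell
# Added example (not from the original post): enable Sysmon network connection
# logging through a config file, then summarize Event ID 3 by image/protocol.

$configPath = 'C:\ISOScripting\sysmon-netconn.xml'   # assumed path

# Minimal Sysmon configuration. An empty "exclude" rule group excludes
# nothing, so every NetworkConnect event is logged. The schemaversion is an
# assumption; "sysmon64 -s" prints the versions your binary supports.
@'
<Sysmon schemaversion="4.00">
  <HashAlgorithms>SHA256</HashAlgorithms>
  <EventFiltering>
    <NetworkConnect onmatch="exclude" />
  </EventFiltering>
</Sysmon>
'@ | Set-Content -Path $configPath -Encoding ASCII

# Apply to an already-installed Sysmon; takes effect immediately, like "-c -n".
& sysmon64 -c $configPath

function Get-SysmonNetworkSummary {
    param([int]$Minutes = 10)   # query window, made-up default
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 3
        StartTime = (Get-Date).AddMinutes(-$Minutes)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read EventData fields by name rather than by position, so the
            # lookup does not depend on the field order of a given schema.
            $xml = [xml]$_.ToXml()
            $d = @{}
            foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }
            [pscustomobject]@{
                Image       = $d['Image']
                Protocol    = $d['Protocol']     # Sysmon reports "tcp" or "udp" only
                Destination = "$($d['DestinationIp']):$($d['DestinationPort'])"
            }
        } |
        Group-Object Image, Protocol |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

Get-SysmonNetworkSummary -Minutes 10 | Format-Table -AutoSize
```

If Get-WinEvent returns nothing, confirm with "sysmon64 -c" that "Network connection" now reads "enabled", as in the output above, and that the event manifest is registered ("sysmon64 -m") so the Operational log exists.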

References:

  • http://randomuserid.blogspot.ca/2007/03/tracking-down-random-icmp-in-windows.html

By jonny
