2006-08-28

The Principles Behind Developing a VB Firewall

Source: http://www.chinanethack.com/

A firewall mainly consists of a log, a network-status list and network-status control (such as blocking a connection). So we need three windows: the main window, which is the status list; a log window; and a control window.
Open VB, create a new project and add a form. In total we need three forms and two modules. It is quite involved, and I am still thinking about how to write this so that everyone can follow. The article is not well written; please bear with me. First, the principles:
1. Monitoring TCP connections

At heart, a hacker tool or trojan exists to transfer data. TCP and UDP (User Datagram Protocol) are the two most common transport protocols, and both transfer data by setting up listening ports.

Monitoring the connection state of every port in real time, raising a warning as soon as an abnormal connection appears and prompting the user to remove it, is an effective way of keeping attackers out.
The shortcut is Microsoft's IP Helper library (iphlpapi.dll). Its GetTcpTable function returns every TCP connection currently active on the system. It is declared as:
Declare Function GetTcpTable Lib "iphlpapi.dll" (ByRef pTcpTable As MIB_TCPTABLE, ByRef pdwSize As Long, ByVal bOrder As Long) As Long
The first parameter is a pointer to the buffer for the TCP connection table, the second is the buffer size (when the buffer is too small, the size actually required is returned in this parameter), and the third indicates whether the table should be sorted by local IP, local port, remote IP and remote port, in that order.
To monitor the UDP table, use GetUdpTable. Its use is entirely analogous, so it is not discussed here.
2. Anomaly warning and deleting connections
By comparing the previous and current TCP connection tables at a fixed interval we can spot anomalies immediately and raise a warning. On receiving a warning, we should first delete the suspicious connection and then carefully check whether the system has a security hole or a suspicious process running. The SetTcpEntry function in the IP Helper library lets us delete a suspicious connection. It is declared as:
Public Declare Function SetTcpEntry Lib "IPhlpAPI" (pTcpRow As MIB_TCPROW) As Long 'This is used to close an open port.
Before calling it, set the state of the connection to be deleted to MIB_TCP_STATE_DELETE_TCB (delete). MIB_TCP_STATE_DELETE_TCB is also currently the only state that can be set at run time.
With that, we know the basic principles and method of a firewall. Now let's wrap these functions and API declarations. Create a standard module named modNetstat (the Public Declare and Type statements below are only allowed in a standard module, not in a class module). The code is as follows:
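As an added example that is not part of the original article, here is the same logic in Python so it can be tried without Windows: it decodes a MIB_TCPTABLE buffer exactly as the VB declarations lay it out (dwNumEntries followed by MIB_TCPROW entries, with addresses and ports in network byte order), diffs two consecutive snapshots by connection 4-tuple rather than only by entry count, and builds the MIB_TCPROW with state MIB_TCP_STATE_DELETE_TCB that SetTcpEntry would be handed. The two snapshots are constructed inside the script; nothing here calls iphlpapi.

```python
"""Decode MIB_TCPTABLE snapshots and diff them, as the article's polling loop does.
Pure Python: the buffers are constructed below, not read from GetTcpTable."""
import socket
import struct
from typing import NamedTuple

# MIB_TCP_STATE_* values from the IP Helper headers; the VB IP_States()
# array in the article is indexed by these same numbers.
TCP_STATES = {
    1: "CLOSED", 2: "LISTEN", 3: "SYN_SENT", 4: "SYN_RCVD", 5: "ESTAB",
    6: "FIN_WAIT1", 7: "FIN_WAIT2", 8: "CLOSE_WAIT", 9: "CLOSING",
    10: "LAST_ACK", 11: "TIME_WAIT", 12: "DELETE_TCB",
}
MIB_TCP_STATE_DELETE_TCB = 12
ROW_SIZE = 20  # sizeof(MIB_TCPROW): five DWORDs


class TcpRow(NamedTuple):
    state: int
    local_addr: str
    local_port: int
    remote_addr: str
    remote_port: int

    def key(self):
        # Identity of a connection: the 4-tuple without the state.
        return (self.local_addr, self.local_port, self.remote_addr, self.remote_port)

    def describe(self) -> str:
        return (f"{TCP_STATES.get(self.state, 'UNKNOWN')} "
                f"{self.local_addr}:{self.local_port} -> {self.remote_addr}:{self.remote_port}")


def _ntoa(dw: int) -> str:
    # dwLocalAddr/dwRemoteAddr hold the address bytes in network order; packing the
    # little-endian DWORD back yields the in-memory bytes, which is what inet_ntoa wants.
    return socket.inet_ntoa(struct.pack("<I", dw))


def _ntohs(dw: int) -> int:
    # dwLocalPort/dwRemotePort keep the 16-bit port in network order in the low two
    # memory bytes; the upper two bytes are undefined and must be ignored.
    return struct.unpack("!H", struct.pack("<I", dw)[:2])[0]


def parse_tcp_row(buf: bytes, offset: int = 0) -> TcpRow:
    """Decode one MIB_TCPROW: dwState, dwLocalAddr, dwLocalPort, dwRemoteAddr, dwRemotePort."""
    state, la, lp, ra, rp = struct.unpack_from("<5I", buf, offset)
    return TcpRow(state, _ntoa(la), _ntohs(lp), _ntoa(ra), _ntohs(rp))


def parse_tcp_table(buf: bytes) -> list:
    """Decode a MIB_TCPTABLE: DWORD dwNumEntries followed by that many MIB_TCPROWs."""
    (count,) = struct.unpack_from("<I", buf, 0)
    if len(buf) < 4 + count * ROW_SIZE:
        raise ValueError("buffer shorter than dwNumEntries claims")
    return [parse_tcp_row(buf, 4 + i * ROW_SIZE) for i in range(count)]


def build_tcp_table(rows) -> bytes:
    """Construct a MIB_TCPTABLE from (state, laddr, lport, raddr, rport) tuples
    (test fixture standing in for what GetTcpTable would fill in)."""
    out = struct.pack("<I", len(rows))
    for state, la, lp, ra, rp in rows:
        out += struct.pack("<I", state)
        out += socket.inet_aton(la) + struct.pack("!H", lp) + b"\x00\x00"
        out += socket.inet_aton(ra) + struct.pack("!H", rp) + b"\x00\x00"
    return out


def diff_tables(previous, current):
    """Connections that appeared or disappeared between two polls, sorted for stable output."""
    before = {r.key(): r for r in previous}
    after = {r.key(): r for r in current}
    new = sorted((after[k] for k in after.keys() - before.keys()), key=TcpRow.key)
    gone = sorted((before[k] for k in before.keys() - after.keys()), key=TcpRow.key)
    return new, gone


def delete_request(row: TcpRow) -> bytes:
    """The MIB_TCPROW the article hands to SetTcpEntry: same 4-tuple, state DELETE_TCB."""
    return build_tcp_table([(MIB_TCP_STATE_DELETE_TCB, *row.key())])[4:]


# Constructed snapshots (documentation addresses): the second poll shows one new
# listening port and one new outbound connection that the first did not have.
SNAPSHOT_1 = build_tcp_table([
    (2, "0.0.0.0", 135, "0.0.0.0", 0),
    (5, "192.0.2.10", 1025, "198.51.100.5", 80),
])
SNAPSHOT_2 = build_tcp_table([
    (2, "0.0.0.0", 135, "0.0.0.0", 0),
    (5, "192.0.2.10", 1025, "198.51.100.5", 80),
    (2, "0.0.0.0", 8080, "0.0.0.0", 0),
    (5, "192.0.2.10", 1026, "203.0.113.9", 6667),
])


def poll_once(prev_buf: bytes, cur_buf: bytes):
    """One tick of the article's timer: describe what changed between two snapshots."""
    new, gone = diff_tables(parse_tcp_table(prev_buf), parse_tcp_table(cur_buf))
    return [r.describe() for r in new], [r.describe() for r in gone]


if __name__ == "__main__":
    new, gone = poll_once(SNAPSHOT_1, SNAPSHOT_2)
    for line in new:
        print("NEW ", line)
    for line in gone:
        print("GONE", line)
```

Comparing by 4-tuple matters because the form code in the article only re-reads the table when the entry count changes, so a connection that is torn down and replaced by another between two polls is never shown as new.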
'-------------------------------------------------modNetstat-------------------------------
Option Explicit

' ICMP statistics structures (MIBICMPSTATS, MIBICMPINFO, MIB_ICMP), laid out as in the
' IP Helper headers. The original truncated versions held only dwEchos and dwEchoReps,
' so a call to GetIcmpStatistics would have written past the end of the buffer.

Public Type MIBICMPSTATS
dwMsgs As Long
dwErrors As Long
dwDestUnreachs As Long
dwTimeExcds As Long
dwParmProbs As Long
dwSrcQuenchs As Long
dwRedirects As Long
dwEchos As Long
dwEchoReps As Long
dwTimestamps As Long
dwTimestampReps As Long
dwAddrMasks As Long
dwAddrMaskReps As Long
End Type

Public Type MIBICMPINFO
icmpInStats As MIBICMPSTATS
icmpOutStats As MIBICMPSTATS
End Type

Public Type MIB_ICMP
stats As MIBICMPINFO
End Type
Public MIB_ICMP As MIB_ICMP
' GetIcmpStatistics fills a MIB_ICMP with the current ICMP datagram counters
Public Declare Function GetIcmpStatistics Lib "iphlpapi.dll" (pStats As MIB_ICMP) As Long
Public Last_ICMP_Cnt As Integer

'-------------------------------------------------------------------------------
' TCP connection table structures

Type MIB_TCPROW
dwState As Long ' one of the MIB_TCP_STATE_* values (1..12), see InitStates
dwLocalAddr As Long ' IPv4 address in network byte order
dwLocalPort As Long ' port in network byte order; only the low 16 bits are significant
dwRemoteAddr As Long
dwRemotePort As Long
End Type

Type MIB_TCPTABLE
dwNumEntries As Long
table(100) As MIB_TCPROW ' fixed upper bound of 101 rows; the real structure is variable length
End Type
Public MIB_TCPTABLE As MIB_TCPTABLE
' GetTcpTable returns every TCP connection currently active on the system
Declare Function GetTcpTable Lib "iphlpapi.dll" (ByRef pTcpTable As MIB_TCPTABLE, ByRef pdwSize As Long, ByVal bOrder As Long) As Long
' SetTcpEntry deletes the connection whose row has dwState = MIB_TCP_STATE_DELETE_TCB
Public Declare Function SetTcpEntry Lib "IPhlpAPI" (pTcpRow As MIB_TCPROW) As Long 'This is used to close an open port.
' display names for the 13 connection states (indices 0..12)
Public IP_States(13) As String
Private Last_Tcp_Cnt As Integer

'-------------------------------------------------------------------------------
' Winsock definitions

Private Const AF_INET = 2
Private Const IP_SUCCESS As Long = 0
Private Const MAX_WSADescription = 256
Private Const MAX_WSASYSStatus = 128
Private Const SOCKET_ERROR As Long = -1
Private Const WS_VERSION_REQD As Long = &H101

Type HOSTENT
h_name As Long ' official name of host
h_aliases As Long ' alias list
h_addrtype As Integer ' host address type
h_length As Integer ' length of address
h_addr_list As Long ' list of addresses
End Type

Type servent
s_name As Long ' (pointer to string) official service name
s_aliases As Long ' (pointer to string) alias list (might be null-separated with 2 null terminated)
s_port As Long ' port #
s_proto As Long ' (pointer to) protocol to use
End Type

Private Type WSADATA
wVersion As Integer
wHighVersion As Integer
szDescription(0 To MAX_WSADescription) As Byte
szSystemStatus(0 To MAX_WSASYSStatus) As Byte
wMaxSockets As Long
wMaxUDPDG As Long
dwVendorInfo As Long
End Type

' ntohs converts a 16-bit port from network to host byte order
Public Declare Function ntohs Lib "WSOCK32.DLL" (ByVal netshort As Long) As Long
' inet_addr converts a dotted-decimal IP address string into an unsigned long
Private Declare Function inet_addr Lib "WSOCK32.DLL" (ByVal CP As String) As Long
' inet_ntoa converts a network-order IP address into a dotted-decimal ANSI string and returns a pointer to it
Private Declare Function inet_ntoa Lib "WSOCK32.DLL" (ByVal inn As Long) As Long
Private Declare Function gethostbyaddr Lib "WSOCK32.DLL" (Addr As Long, ByVal addr_len As Long, ByVal addr_type As Long) As Long
Private Declare Function gethostbyname Lib "WSOCK32.DLL" (ByVal host_name As String) As Long
Private Declare Function WSAStartup Lib "WSOCK32.DLL" (ByVal wVersionRequired As Long, lpWSADATA As WSADATA) As Long
Private Declare Function WSACleanup Lib "WSOCK32.DLL" () As Long
' When inet_ntoa returns non-zero, the value is a memory address. VB cannot dereference a raw
' address, so RtlMoveMemory is used to copy the bytes out of it
Private Declare Sub RtlMoveMemory Lib "kernel32" (hpvDest As Any, ByVal hpvSource As Long, ByVal cbCopy As Long)
' raw memory copy, used to read C strings into VB strings
Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Dest As Any, Src As Any, ByVal cb&)
Declare Function lstrlen Lib "kernel32" (ByVal lpString As Any) As Integer
Private Blocked As Boolean
' Display names for the connection states, indexed by MIB_TCPROW.dwState
Sub InitStates()
IP_States(0) = "未知" ' not a defined state
IP_States(1) = "已经关闭" ' MIB_TCP_STATE_CLOSED
IP_States(2) = "监听" ' MIB_TCP_STATE_LISTEN
IP_States(3) = "发送同步空闲字符" ' MIB_TCP_STATE_SYN_SENT
IP_States(4) = "接收同步空闲字符" ' MIB_TCP_STATE_SYN_RCVD
IP_States(5) = "数据交换中" ' MIB_TCP_STATE_ESTAB
IP_States(6) = "结束等待1" ' MIB_TCP_STATE_FIN_WAIT1
IP_States(7) = "结束等待2" ' MIB_TCP_STATE_FIN_WAIT2
IP_States(8) = "关闭等待" ' MIB_TCP_STATE_CLOSE_WAIT
IP_States(9) = "关闭中" ' MIB_TCP_STATE_CLOSING
IP_States(10) = "命令正确应答" ' MIB_TCP_STATE_LAST_ACK
IP_States(11) = "连接等待" ' MIB_TCP_STATE_TIME_WAIT
IP_States(12) = "删除TCP连接" ' MIB_TCP_STATE_DELETE_TCB
End Sub

' Convert a network-order IPv4 address (as stored in MIB_TCPROW) to dotted-decimal text
Public Function GetAscIP(ByVal inn As Long) As String
Dim nStr&
Dim lpStr As Long
Dim retString As String
retString = String(32, 0)
lpStr = inet_ntoa(inn) ' pointer to a static C string owned by Winsock
If lpStr Then
nStr = lstrlen(lpStr)
If nStr > 32 Then nStr = 32 ' never copy more than the VB buffer can hold
CopyMemory ByVal retString, ByVal lpStr, nStr
retString = Left(retString, nStr)
GetAscIP = retString
Else
GetAscIP = "无法取得IP"
End If
End Function
The log is a LOG file, so we wrap the functions it needs in a module of their own. Create a standard module with the following code:
' Writing a log entry: one record to log.log and one row in the log window
Public Function Log(RemA As String, RemP As String, LocP As String, Txt As String)

Dim ff As Long
ff = FreeFile
' open the log file
Open App.Path & "\log.log" For Append As #ff
' write the record to the log file
Write #ff, Time & "-" & Date, RemA, RemP, LocP, Txt
' show the record in the log window
Frmlog.lstLog.ListItems.Add , , Time & "-" & Date
Frmlog.lstLog.ListItems(Frmlog.lstLog.ListItems.Count).SubItems(1) = RemA
Frmlog.lstLog.ListItems(Frmlog.lstLog.ListItems.Count).SubItems(2) = RemP
Frmlog.lstLog.ListItems(Frmlog.lstLog.ListItems.Count).SubItems(3) = LocP
Frmlog.lstLog.ListItems(Frmlog.lstLog.ListItems.Count).SubItems(4) = Txt
' finish the log operation
Close #ff

End Function
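Because Write # emits each field double-quoted and comma-separated, the resulting log.log is ordinary CSV and can be analysed offline. The following Python is added here and is not part of the original article: it parses such records (the sample lines are constructed in the script, in the column order the Log function writes them) and reports remote endpoints that were blocked repeatedly, which is what a trojan retrying its callback looks like in this log.

```python
"""Analyse the firewall's log.log as written by the VB Write # statement."""
import csv
import io
from collections import Counter

# Constructed sample of log.log: every field double-quoted, comma-separated, in the
# order the Log function writes them (time-date, remote addr, remote port, local port, text).
SAMPLE_LOG = '''"10:05:12-2006-8-28","203.0.113.9","6667","1026","拦截连接"
"10:05:14-2006-8-28","203.0.113.9","6667","1027","拦截连接"
"10:05:17-2006-8-28","203.0.113.9","6667","1028","拦截连接"
"10:31:02-2006-8-28","198.51.100.5","80","1040","拦截连接"
'''

FIELDS = ("time", "remote_addr", "remote_port", "local_port", "text")


def parse_log(text: str) -> list:
    """Parse Write#-style records into dicts; blank lines are skipped, malformed ones rejected."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        if len(row) != len(FIELDS):
            raise ValueError(f"malformed record: {row!r}")
        rec = dict(zip(FIELDS, row))
        rec["remote_port"] = int(rec["remote_port"])
        rec["local_port"] = int(rec["local_port"])
        records.append(rec)
    return records


def repeat_offenders(records, threshold: int = 3) -> list:
    """Remote endpoints blocked at least `threshold` times, as ((addr, port), count) pairs.
    A trojan retrying its callback shows the same remote addr:port against changing local ports."""
    counts = Counter((r["remote_addr"], r["remote_port"]) for r in records)
    return sorted((ep, n) for ep, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for (addr, port), n in repeat_offenders(parse_log(SAMPLE_LOG)):
        print(f"{addr}:{port} blocked {n} times")
```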

With the functions and API declarations wrapped up, next comes designing the interface and wiring in the functionality :)
First create the main form and rename it frmMain. I don't want to stifle your creativity, but so that the code passes its final test, please don't change the names :)
Click Project - Components and add Microsoft Windows Common Controls 6.0 (SP4), as in Figure 1:

Tick the checkbox and click OK :)
Back on the form, double-click Toolbar; once it is added, right-click it and choose Properties.
Insert the buttons in order, as in Figure 2:

Index  Caption                    Style            Image
1      停止拦截 (Stop blocking)   1-tbrCheck       (explained later)
2      刷新 (Refresh)             0-tbrDefault
3      (empty)                    3-tbrSeparator
4      查看日志 (View log)        0-tbrDefault
Insert two ImageList controls named imgHot and imgCold.
Insert the images in order; these are simply the pictures shown on the "Stop blocking" and other buttons.
Right-click the Toolbar and choose Properties, as in Figure 3:

Set ImageList to imgCold and HotImageList to imgHot.
In Figure 2, the number after Image is the index into the imgCold image list :)
Add a ListView control.
Right-click - Properties - Column Headers:
Index  Text          Width
1      Remote IP     (adjust to taste :))
2      Remote port
3      Local port
4      State
Then add a Timer control named tmrRefresh; it refreshes the network status list.
Set its Interval to 250.
The finished interface looks like this:

Add the following code:
' module-level variables
Private lC As Integer
Public Blk As String

Private a_RemA(1000) As String
Private a_LocP(1000) As String
Private a_RemP(1000) As String

Private a_Count As Long
' Refresh the network status list
Public Function RefreshTable(Optional force As Boolean = False)

On Error Resume Next

Dim tcpt As MIB_TCPTABLE, l As Long
Dim x As Integer, i As Integer
Dim RemA As String, LocP As String, RemP As String

l = Len(MIB_TCPTABLE)
GetTcpTable tcpt, l, 0
x = tcpt.dwNumEntries

' only the entry count is compared, so a connection that replaces another
' between two polls goes unnoticed unless force is set
If x <> lC Or force Then

lC = x

ListView1.ListItems.Clear

For i = 0 To x - 1

RemA = GetAscIP(tcpt.table(i).dwRemoteAddr)
RemP = ntohs(tcpt.table(i).dwRemotePort)
LocP = ntohs(tcpt.table(i).dwLocalPort)
ListView1.ListItems.Add , "x" & i, RemA
ListView1.ListItems(ListView1.ListItems.Count).SubItems(1) = RemP
ListView1.ListItems(ListView1.ListItems.Count).SubItems(2) = LocP
' dwState indexes the IP_States array filled in by InitStates
ListView1.ListItems(ListView1.ListItems.Count).SubItems(3) = modNetstat.IP_States(tcpt.table(i).dwState)

Next i

End If

End Function

Private Sub Form_Load()
' fill in the state names
modNetstat.InitStates
' refresh the network status list right away
RefreshTable
End Sub

Private Sub ListView1_MouseUp(Button As Integer, Shift As Integer, x As Single, y As Single)
' was it the right mouse button?
If Button = 2 And ListView1.ListItems.Count > 0 Then
' show the control menu, described below
frmMain.PopupMenu frmMenu.mnuConn
End If
End Sub

Private Sub tmrRefresh_Timer()
' refresh the network status list periodically
RefreshTable
End Sub

Public Sub Toolbar1_ButtonClick(ByVal Button As MSComctlLib.Button)
Select Case Button.Index

Case 1
' stop/continue button: test the timer rather than the caption, since the
' designer caption ("停止拦截") differs from the captions set below
If tmrRefresh.Enabled Then

Button.Caption = "继续"
Button.ToolTipText = "继续开始工作"
tmrRefresh.Enabled = False
' stop refreshing the status list; the branch below does the reverse
Else

Button.Caption = "停止"
Button.ToolTipText = "停止工作"
tmrRefresh.Enabled = True

End If

Case 2
' refresh button
RefreshTable

Case 4
' show the log
Frmlog.Show

End Select

End Sub
Now let's define the control button :) This is the "block connection" item shown when you right-click the network status list.
Create a new form named frmMenu; it only needs a menu, as in the figure:

Set the menu properties:
Caption                       Name
mnuConn                       mnuConn
拦截连接 (Block connection)   mnuDis
As in the figure:

Now add the following code:

Private Sub mnuDis_Click()

Dim tcpt As MIB_TCPTABLE
Dim l As Long
Dim i As Long
Dim RemA As String, RemP As String, LocP As String

' the list item key is "x" & (0-based table index); convert it to the 1-based ListItems index
i = Right(frmMain.ListView1.SelectedItem.Key, Len(frmMain.ListView1.SelectedItem.Key) - 1) + 1

RemA = frmMain.ListView1.ListItems(i)
RemP = frmMain.ListView1.ListItems(i).SubItems(1)
LocP = frmMain.ListView1.ListItems(i).SubItems(2)

' re-read the table
l = Len(MIB_TCPTABLE)
GetTcpTable tcpt, l, 0

' find the row by address and ports rather than trusting the list index: the table may
' have changed since the last refresh, and by index a different connection could be hit
Dim j As Long, found As Boolean
For j = 0 To tcpt.dwNumEntries - 1
If GetAscIP(tcpt.table(j).dwRemoteAddr) = RemA And CStr(ntohs(tcpt.table(j).dwRemotePort)) = RemP And CStr(ntohs(tcpt.table(j).dwLocalPort)) = LocP Then
found = True
Exit For
End If
Next j
If Not found Then Exit Sub

' 12 = MIB_TCP_STATE_DELETE_TCB, the only state SetTcpEntry accepts
tcpt.table(j).dwState = 12
' drop the TCP connection; remember the function from the start of the article?
SetTcpEntry tcpt.table(j)
DoEvents
' write the log entry
Log RemA, RemP, LocP, "拦截连接"
End Sub
Finally, the log window. Create a form named Frmlog with one ListView and one CommandButton, arranged as in the figure:

ListView properties
Name: lstLog
Column header index  Text          (adjust the width yourself)
1                    Time
2                    IP
3                    Remote port
4                    Local port
5                    Description
Add the following code:
Private Sub Command1_Click()
Dim r As VbMsgBoxResult

' the button flags are combined with +, not & (which would concatenate them as strings)
r = MsgBox("防火墙日志是有效检查黑客入侵的手段!" & vbCrLf & vbCrLf & "清除日志?", vbQuestion + vbYesNo, "注意!")
' if the answer was Yes
If r = vbYes Then

Dim ff As Long
ff = FreeFile
' opening the log For Output truncates it, i.e. clears the log
Open App.Path & "\log.log" For Output As #ff

Close #ff
' clear the list
lstLog.ListItems.Clear

End If
End Sub
After running, the program successfully blocked a dial-up-password-stealing trojan I had written earlier, as shown:
The first time, the password was obtained because nothing was blocked; after blocking, it reported that it could not connect.

So we have finished a simple firewall. There is a lot of room to improve on this article; feel free to apply your own ideas to change and refine it.
