I don't know VB very well.
Hope these help you.
A firewall is mainly made up of a log, a network-state list, and network-state control (such as blocking). So we need three screens: the main window, which is the state list; a log window; and a control window.
Open VB, create a new project and add forms. In total we need 3 forms and 2 modules. It is quite complicated, and I am still thinking about how to write it so that everyone can follow. The article is not well written, please bear with me. First, the principles:
I. Monitoring TCP connections
The essence of a hacker program or trojan is to transfer data. TCP and UDP (User Datagram Protocol) are the two most commonly used data transfer protocols, and both use a listening port to complete the transfer.
By monitoring the connection state of every port in real time, raising a warning as soon as an abnormal connection appears and prompting the user to remove it, the anti-hacking goal can be reached effectively.
Using Microsoft's IP Helper library (iphlpapi.dll) is a shortcut. Its GetTcpTable function returns all currently valid TCP connections in the system. It is declared as:
Declare Function GetTcpTable Lib "iphlpapi.dll" (ByRef pTcpTable As MIB_TCPTABLE, ByRef pdwSize As Long, ByVal bOrder As Long) As Long
The first parameter is a pointer to the TCP connection table buffer, the second is the buffer size (when the buffer is too small, this parameter returns the size actually needed), and the third indicates whether the table should be sorted by "Local IP", "Local port", "Remote IP", "Remote port", in that order.
To monitor the UDP connection table, use the GetUdpTable function. Since its usage is completely analogous, it is not discussed here.
II. Abnormality warning and connection removal
By comparing consecutive TCP connection tables at regular intervals, we can discover an anomaly immediately and raise a warning. After receiving the warning, we should first delete the suspicious connection, then check carefully whether the system has a security hole or a suspicious process running. The SetTcpEntry function in the IP Helper library can help us delete the suspicious connection. It is declared as:
Public Declare Function SetTcpEntry Lib "IPhlpAPI" (pTcpRow As MIB_TCPROW) As Long ' Used to close an open connection.
Before calling this function, set the state of the connection to be deleted to MIB_TCP_STATE_DELETE_TCB (delete). MIB_TCP_STATE_DELETE_TCB is also currently the only state that can be set at run time.
OK, with these, the basic principles and methods of a firewall are known, haha. Now we want to wrap these functions and APIs up. Create a module named modNetstat with the following code:
'------------------------------------------------- modNetstat (standard .bas module) -------------------------------
Option Explicit

' ICMP statistics structures (abbreviated; declared here but not used by the forms below)
Public Type MIBICMPSTATS
    dwEchos As Long
    dwEchoReps As Long
End Type
Public Type MIBICMPINFO
    icmpOutStats As MIBICMPSTATS
End Type
Public Type MIB_ICMP
    stats As MIBICMPINFO
End Type
Public MIBICMPSTATS As MIBICMPSTATS
Public MIBICMPINFO As MIBICMPINFO
Public MIB_ICMP As MIB_ICMP
' GetIcmpStatistics lets you look at the current ICMP datagram traffic
Public Declare Function GetIcmpStatistics Lib "iphlpapi.dll" (pStats As MIBICMPINFO) As Long
Public Last_ICMP_Cnt As Integer
'-------------------------------------------------------------------------------
' TCP connection table structures
Public Type MIB_TCPROW
    dwState As Long         ' MIB_TCP_STATE_* (1..12)
    dwLocalAddr As Long     ' IPv4 address in network byte order
    dwLocalPort As Long     ' port in network byte order in the low 16 bits (hence ntohs below)
    dwRemoteAddr As Long
    dwRemotePort As Long
End Type
Public Type MIB_TCPTABLE
    dwNumEntries As Long
    table(100) As MIB_TCPROW ' fixed buffer: room for 101 rows; GetTcpTable fails with 122 (ERROR_INSUFFICIENT_BUFFER) when there are more
End Type
Public MIB_TCPTABLE As MIB_TCPTABLE
' the only connection state that may be set at run time; used together with SetTcpEntry
Public Const MIB_TCP_STATE_DELETE_TCB As Long = 12
' GetTcpTable returns all currently valid TCP connections; returns 0 on success, otherwise a Win32 error code
Public Declare Function GetTcpTable Lib "iphlpapi.dll" (ByRef pTcpTable As MIB_TCPTABLE, ByRef pdwSize As Long, ByVal bOrder As Long) As Long
' SetTcpEntry helps us delete a suspicious connection (set dwState to MIB_TCP_STATE_DELETE_TCB first)
Public Declare Function SetTcpEntry Lib "IPhlpAPI" (pTcpRow As MIB_TCPROW) As Long
' the connection states: index 0 = unknown, 1..12 = MIB_TCP_STATE_*
Public IP_States(13) As String
Private Last_Tcp_Cnt As Integer
'-------------------------------------------------------------------------------
' Winsock-related declarations
Private Const AF_INET = 2
Private Const IP_SUCCESS As Long = 0
Private Const MAX_WSADescription = 256
Private Const MAX_WSASYSStatus = 128
Private Const SOCKET_ERROR As Long = -1
Private Const WS_VERSION_REQD As Long = &H101
Public Type HOSTENT
    h_name As Long          ' official name of host
    h_aliases As Long       ' alias list
    h_addrtype As Integer   ' host address type
    h_length As Integer     ' length of address
    h_addr_list As Long     ' list of addresses
End Type
Public Type servent
    s_name As Long          ' (pointer to string) official service name
    s_aliases As Long       ' (pointer to string) alias list (null-separated, terminated by two nulls)
    s_port As Long          ' port number
    s_proto As Long         ' (pointer to string) protocol to use
End Type
Private Type WSADATA
    wVersion As Integer
    wHighVersion As Integer
    szDescription(0 To MAX_WSADescription) As Byte
    szSystemStatus(0 To MAX_WSASYSStatus) As Byte
    wMaxSockets As Long
    wMaxUDPDG As Long
    dwVendorInfo As Long
End Type
' ntohs converts a 16-bit value from network to host byte order
Public Declare Function ntohs Lib "WSOCK32.DLL" (ByVal netshort As Long) As Long
' inet_addr converts an IP address from dotted-decimal text to an unsigned long
Private Declare Function inet_addr Lib "WSOCK32.DLL" (ByVal CP As String) As Long
' inet_ntoa converts an IP address from an unsigned long to dotted-decimal text (returns a pointer to the string)
Private Declare Function inet_ntoa Lib "WSOCK32.DLL" (ByVal inn As Long) As Long
' these two return a memory address when non-zero; since VB cannot dereference an address directly,
' RtlMoveMemory must be used to copy the data out of it
Private Declare Function gethostbyaddr Lib "WSOCK32.DLL" (Addr As Long, ByVal addr_len As Long, ByVal addr_type As Long) As Long
Private Declare Function gethostbyname Lib "WSOCK32.DLL" (ByVal host_name As String) As Long
Private Declare Function WSAStartup Lib "WSOCK32.DLL" (ByVal wVersionRequired As Long, lpWSADATA As WSADATA) As Long
Private Declare Function WSACleanup Lib "WSOCK32.DLL" () As Long
Private Declare Sub RtlMoveMemory Lib "kernel32" (hpvDest As Any, ByVal hpvSource As Long, ByVal cbCopy As Long)
' copies raw bytes between two memory locations
Public Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Dest As Any, Src As Any, ByVal cb As Long)
' length of a null-terminated string at the given address
Public Declare Function lstrlen Lib "kernel32" (ByVal lpString As Any) As Integer
Private Blocked As Boolean

' fill in the display names of the network states (index = dwState)
Public Sub InitStates()
    IP_States(0) = "未知"
    IP_States(1) = "已经关闭"
    IP_States(2) = "监听"
    IP_States(3) = "发送同步空闲字符"
    IP_States(4) = "接收同步空闲字符"
    IP_States(5) = "数据交换中"
    IP_States(6) = "结束等待1"
    IP_States(7) = "结束等待2"
    IP_States(8) = "关闭等待"
    IP_States(9) = "关闭中"
    IP_States(10) = "命令正确应答"
    IP_States(11) = "连接等待"
    IP_States(12) = "删除TCP连接"
End Sub

' convert a network-byte-order IPv4 address (as stored in MIB_TCPROW) to dotted-decimal text
Public Function GetAscIP(ByVal inn As Long) As String
    Dim nStr As Long
    Dim lpStr As Long
    Dim retString As String
    retString = String(32, 0)
    lpStr = inet_ntoa(inn)
    If lpStr Then
        ' copy the C string that inet_ntoa points to into our buffer
        nStr = lstrlen(lpStr)
        If nStr > 32 Then nStr = 32
        CopyMemory ByVal retString, ByVal lpStr, nStr
        retString = Left(retString, nStr)
        GetAscIP = retString
    Else
        GetAscIP = "无法取得IP"
    End If
End Function
OK, the log is a LOG file, so we wrap the functions it needs in a module. Create a public module with the following code:
' Log: append one record to log.log and display it in the log window.
' Note: this name shadows VB's built-in Log() (natural logarithm) within the project.
Public Sub Log(RemA As String, RemP As String, LocP As String, Txt As String)
    Dim ff As Long
    Dim li As ListItem
    ff = FreeFile
    ' open the log file
    Open App.Path & "\log.log" For Append As #ff
    ' write one record to the log file
    Write #ff, Time & "-" & Date, RemA, RemP, LocP, Txt
    ' finish the file operation before touching the UI
    Close #ff
    ' show the record in the log window
    Set li = Frmlog.lstLog.ListItems.Add(, , Time & "-" & Date)
    li.SubItems(1) = RemA
    li.SubItems(2) = RemP
    li.SubItems(3) = LocP
    li.SubItems(4) = Txt
End Sub
OK, the functions and API declarations are wrapped up; next comes designing the interface and wiring the functions in :)
First create the main form and rename it frmMain. I don't want to stifle your creativity, but so that the final code test succeeds, please don't change it :)
Click Project -> Components and add Microsoft Windows Common Controls 6.0 (SP4), as in Figure 1:
Tick the box in front of it and click OK :)
Back on the form, double-click Toolbar to add it, then right-click it and choose Properties.
Insert the buttons in order, as in Figure 2:
Index  Caption                  Style           Image
1      停止拦截 (Stop blocking)  1-tbrCheck      (explained later)
2      刷新 (Refresh)            0-tbrDefault
3      (empty)                   3-tbrSeparator
4      查看日志 (View log)       0-tbrDefault
Insert 2 ImageList controls, named imgHot and imgCold.
Insert the pictures in order; they are simply the pictures shown on the "Stop blocking" and other buttons.
Right-click the Toolbar and choose Properties, as in Figure 3:
Set ImageList to imgCold and HotImageList to imgHot.
OK, in Figure 2 the number after Image is the index into the imgCold image list :)
Add a ListView control.
Right-click -> Properties -> Column Headers:
Index  Text                     Width
1      远程IP (Remote IP)        adjust it yourself :)
2      远程端口 (Remote port)
3      本地端口 (Local port)
4      状态 (State)
OK, now add a Timer control named tmrRefresh; it is used to refresh the network-state list.
Set Interval to 250.
The finished interface looks like the figure:
Add the following code:
' frmMain
Option Explicit

' module-level variables
Private lC As Integer          ' row count seen at the previous refresh
Public Blk As String
Private a_RemA(1000) As String
Private a_LocP(1000) As String
Private a_RemP(1000) As String
Private a_Count As Long

' refresh the network-state list; the list is rebuilt only when the row count changed, or when force = True
Public Sub RefreshTable(Optional force As Boolean = False)
    On Error Resume Next
    Dim tcpt As MIB_TCPTABLE, l As Long, ret As Long
    Dim x As Long, i As Long
    Dim RemA As String, LocP As String, RemP As String
    Dim li As ListItem
    l = Len(tcpt)
    ret = GetTcpTable(tcpt, l, 0)
    If ret <> 0 Then
        ' 122 = ERROR_INSUFFICIENT_BUFFER: more connections than table() can hold; l now holds the size needed
        Exit Sub
    End If
    x = tcpt.dwNumEntries
    If x > UBound(tcpt.table) + 1 Then x = UBound(tcpt.table) + 1
    If x <> lC Or force Then
        lC = x
        ListView1.ListItems.Clear
        For i = 0 To x - 1
            RemA = GetAscIP(tcpt.table(i).dwRemoteAddr)
            ' ports are stored in network byte order in the low 16 bits
            RemP = ntohs(tcpt.table(i).dwRemotePort) And &HFFFF&
            LocP = ntohs(tcpt.table(i).dwLocalPort) And &HFFFF&
            ' the key "x" & i records the 0-based row index used later by frmMenu
            Set li = ListView1.ListItems.Add(, "x" & i, RemA)
            li.SubItems(1) = RemP
            li.SubItems(2) = LocP
            li.SubItems(3) = modNetstat.IP_States(tcpt.table(i).dwState)
        Next i
    End If
End Sub

Private Sub Form_Load()
    ' set up the network state names
    modNetstat.InitStates
    ' refresh the network-state list right away
    RefreshTable
End Sub

Private Sub ListView1_MouseUp(Button As Integer, Shift As Integer, x As Single, y As Single)
    ' was it the right mouse button?
    If Button = 2 And ListView1.ListItems.Count > 0 Then
        ' show the control menu, described below
        frmMain.PopupMenu frmMenu.mnuConn
    End If
End Sub

Private Sub tmrRefresh_Timer()
    ' refresh the network-state list periodically
    RefreshTable
End Sub

Public Sub Toolbar1_ButtonClick(ByVal Button As MSComctlLib.Button)
    Select Case Button.Index
        Case 1
            ' stop/resume button: toggle the refresh timer (checked against the timer, not the caption,
            ' because the button starts out with the caption "停止拦截")
            If tmrRefresh.Enabled Then
                ' stop refreshing the network-state list
                tmrRefresh.Enabled = False
                Button.Caption = "继续"
                Button.ToolTipText = "继续开始工作"
            Else
                ' resume refreshing
                tmrRefresh.Enabled = True
                Button.Caption = "停止"
                Button.ToolTipText = "停止工作"
            End If
        Case 2
            ' refresh button: rebuild the list even if the row count is unchanged
            RefreshTable True
        Case 4
            ' show the log
            Frmlog.Show
    End Select
End Sub
OK, now let's define the control button :) that is, the "block connection" item shown when right-clicking the network-state list.
Create a new form named frmMenu; it only needs a menu, as shown:
Set the menu properties:
Caption                       Name
mnuConn                       mnuConn
拦截连接 (Block connection)    mnuDis
As shown:
OK, add the following code:
' frmMenu
Option Explicit
' the only state that may be set at run time
Private Const MIB_TCP_STATE_DELETE_TCB As Long = 12

Private Sub mnuDis_Click()
    Dim tcpt As MIB_TCPTABLE
    Dim l As Long
    Dim i As Long
    Dim RemA As String, RemP As String, LocP As String
    Dim sel As ListItem
    Set sel = frmMain.ListView1.SelectedItem
    If sel Is Nothing Then Exit Sub
    ' the key is "x" & rowindex (0-based); ListItems are 1-based
    i = CLng(Mid(sel.Key, 2)) + 1
    RemA = frmMain.ListView1.ListItems(i).Text
    RemP = frmMain.ListView1.ListItems(i).SubItems(1)
    LocP = frmMain.ListView1.ListItems(i).SubItems(2)
    ' re-read the table; the row index is only valid if the table has not changed since the list was drawn
    l = Len(tcpt)
    If GetTcpTable(tcpt, l, 0) <> 0 Then Exit Sub
    If i - 1 >= tcpt.dwNumEntries Then Exit Sub
    ' mark the row for deletion and close the TCP connection (remember the function described at the start?)
    ' on Windows Vista and later SetTcpEntry requires administrator rights
    tcpt.table(i - 1).dwState = MIB_TCP_STATE_DELETE_TCB
    If SetTcpEntry(tcpt.table(i - 1)) = 0 Then
        ' write the log entry
        Log RemA, RemP, LocP, "拦截连接"
    Else
        Log RemA, RemP, LocP, "拦截失败"
    End If
    DoEvents
End Sub
OK, the last one is the log window. Create a form named Frmlog
with one ListView and one CommandButton, arranged as in the figure.
ListView properties:
Name: lstLog
Column header index   Text                     (adjust the width yourself)
1                     时间 (Time)
2                     IP
3                     远程端口 (Remote port)
4                     本地端口 (Local port)
5                     说明 (Description)
Add the following code:
Private Sub Command1_Click()
    Dim r As VbMsgBoxResult
    ' the button flags are added, not concatenated with & (which would build the string "324")
    r = MsgBox("防火墙日志是有效检查黑客入侵的手段!" & vbCrLf & vbCrLf & "清除日志?", vbQuestion + vbYesNo, "注意!")
    ' if "Yes" was pressed, then
    If r = vbYes Then
        Dim ff As Long
        ff = FreeFile
        ' open the log for output and write nothing, which truncates it
        Open App.Path & "\log.log" For Output As #ff
        Close #ff
        ' clear the list
        lstLog.ListItems.Clear
    End If
End Sub
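As an added example (not code from the original post), the following Python script shows the two mechanisms the post builds on without needing Windows: decoding a MIB_TCPTABLE buffer with the exact layout the VB module declares (dwNumEntries followed by MIB_TCPROW records of five DWORDs, addresses and ports in network byte order), and comparing two successive polls to find connections that appeared or vanished, which is what the timer-driven refresh is meant to surface. The two snapshots, the address values, and the helper names (build_tcp_table, parse_tcp_table, diff_tables, poll_and_report) are constructed for this example; the TCP_STATE_NAMES table uses the MIB_TCP_STATE_* numbering that the VB IP_States array is indexed with.

```python
import socket
import struct

# MIB_TCPROW as declared in the VB module: five little-endian DWORDs.
# dwLocalAddr/dwRemoteAddr hold the IPv4 address in network byte order;
# dwLocalPort/dwRemotePort hold the port in network byte order in the low 16 bits
# (which is why the VB code passes them through ntohs()).
MIB_TCPROW = struct.Struct("<5L")

# MIB_TCP_STATE_* values; the VB code indexes its IP_States array with dwState.
TCP_STATE_NAMES = {
    1: "CLOSED", 2: "LISTEN", 3: "SYN_SENT", 4: "SYN_RCVD", 5: "ESTABLISHED",
    6: "FIN_WAIT1", 7: "FIN_WAIT2", 8: "CLOSE_WAIT", 9: "CLOSING",
    10: "LAST_ACK", 11: "TIME_WAIT", 12: "DELETE_TCB",
}


def addr_to_dword(ip):
    """Dotted IPv4 -> DWORD as GetTcpTable stores it (address bytes in network order)."""
    return struct.unpack("<L", socket.inet_aton(ip))[0]


def port_to_dword(port):
    """Port -> DWORD with the big-endian port in the low 16 bits."""
    return struct.unpack("<L", struct.pack(">H", port) + b"\x00\x00")[0]


def dword_to_addr(dw):
    return socket.inet_ntoa(struct.pack("<L", dw))


def dword_to_port(dw):
    """Equivalent of ntohs() on the low word, independent of host byte order."""
    return struct.unpack(">H", struct.pack("<H", dw & 0xFFFF))[0]


def build_tcp_table(rows):
    """Build a MIB_TCPTABLE buffer (dwNumEntries followed by rows) from
    (state, local_ip, local_port, remote_ip, remote_port) tuples. Constructed test data only."""
    body = b"".join(
        MIB_TCPROW.pack(state, addr_to_dword(lip), port_to_dword(lport),
                        addr_to_dword(rip), port_to_dword(rport))
        for state, lip, lport, rip, rport in rows
    )
    return struct.pack("<L", len(rows)) + body


def parse_tcp_table(buf):
    """Decode a MIB_TCPTABLE buffer into
    (state_name, local_ip, local_port, remote_ip, remote_port) tuples."""
    (n,) = struct.unpack_from("<L", buf, 0)
    needed = 4 + n * MIB_TCPROW.size
    if len(buf) < needed:
        # the VB code's fixed table(100) has exactly this failure mode (ERROR_INSUFFICIENT_BUFFER)
        raise ValueError(f"buffer holds {len(buf)} bytes, table needs {needed}")
    rows = []
    for k in range(n):
        state, lip, lport, rip, rport = MIB_TCPROW.unpack_from(buf, 4 + k * MIB_TCPROW.size)
        rows.append((TCP_STATE_NAMES.get(state, "UNKNOWN"),
                     dword_to_addr(lip), dword_to_port(lport),
                     dword_to_addr(rip), dword_to_port(rport)))
    return rows


def diff_tables(previous, current):
    """Compare two polls: connections that appeared and connections that vanished,
    keyed by the (local_ip, local_port, remote_ip, remote_port) 4-tuple."""
    prev_keys = {r[1:] for r in previous}
    cur_keys = {r[1:] for r in current}
    appeared = [r for r in current if r[1:] not in prev_keys]
    vanished = [r for r in previous if r[1:] not in cur_keys]
    return appeared, vanished


def log_line(row, text):
    """Same columns the VB Log() writes: remote IP, remote port, local port, description."""
    state, _lip, lport, rip, rport = row
    return f"{rip},{rport},{lport},{text} ({state})"


# Constructed snapshots standing in for two successive GetTcpTable() calls.
SNAPSHOT_1 = build_tcp_table([
    (2, "0.0.0.0", 135, "0.0.0.0", 0),
    (5, "192.168.1.10", 1054, "203.0.113.7", 80),
])
SNAPSHOT_2 = build_tcp_table([
    (2, "0.0.0.0", 135, "0.0.0.0", 0),
    (5, "192.168.1.10", 1054, "203.0.113.7", 80),
    (5, "192.168.1.10", 1060, "198.51.100.23", 6667),
])


def poll_and_report(prev_buf, cur_buf):
    """One timer tick of the VB design: parse both tables and report what changed."""
    appeared, vanished = diff_tables(parse_tcp_table(prev_buf), parse_tcp_table(cur_buf))
    return ([log_line(r, "new connection") for r in appeared]
            + [log_line(r, "connection closed") for r in vanished])


if __name__ == "__main__":
    for line in poll_and_report(SNAPSHOT_1, SNAPSHOT_2):
        print(line)
```

Keying the diff on the address/port 4-tuple rather than on the row index is the point worth carrying back to the VB version: GetTcpTable returns rows in whatever order the stack holds them, so a row index saved from one poll (as frmMenu does with the ListView key) can point at a different connection by the time SetTcpEntry is called.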