• 0

Weird stuff... (iphlpapi.dll)


Question

Check this app:

http://www.sysinternals.com/ntw2k/source/tcpview.shtml

The guy can show the process that owns the TCP/UDP socket.

There is an undocumented function in iphlpapi.dll called AllocateAndGetTcpExTableFromStack() that will do the same as GetTcpTable() except that it also returns the process ID.

But I have Windows 2000, and iphlpapi.dll on my computer does not have that function; I've used GetProcAddress().

How is he able to show the process ID when that function isn't available?

I sent a nice e-mail to the author 3 days ago asking how he does it, but no reply.

10 answers to this question

  • 0

The function AllocateAndGetTcpExTableFromStack() only exists in the XP version of IPHlpApi.DLL; on Win2k there is a function called AllocateAndGetTcpTableFromStack(). I don't know if they do the same job, though (I checked this using the Visual Studio Depends utility).

Also, in the MS Platform SDK there is an IPHlpApi.Lib with AllocateAndGetTcpExTableFromStack(), so you might just need to link with the library instead.

Also check this PC Quest article (near the bottom)

Hope this helps...

  • 0
iphlpapi.dll in Platform SDK? I only downloaded the documentation.

You don't happen to have that LIB file?

Anyway...

I guess that AllocateAndGetTcpTableFromStack() uses the MIB_TCPTABLE structure and that AllocateAndGetTcpExTableFromStack() uses MIB_TCPEXTABLE.

I need MIB_TCPEXTABLE.

Nothing on MSDN about AllocateAndGetTcpTableFromStack().

Only two results on google.com - not useful.

  • 0
You don't happen to have that LIB file?

See attached file... (hopefully if it works)

The PC Quest article lists the MIB_TCPTABLE_EX as follows:

typedef struct _MIB_TCPTABLE_EX
{
    DWORD dwNumEntries;
    MIB_TCPROW_EX table[ANY_SIZE];
} MIB_TCPTABLE_EX, *PMIB_TCPTABLE_EX;

and MIB_TCPROW_EX as

typedef struct _MIB_TCPROW_EX
{
    DWORD dwState; // MIB_TCP_STATE_*
    DWORD dwLocalAddr;
    DWORD dwLocalPort;
    DWORD dwRemoteAddr;
    DWORD dwRemotePort;
    DWORD dwProcessId;
} MIB_TCPROW_EX, *PMIB_TCPROW_EX;

Bugger, the attachment didn't seem to work; try here instead: IPHlpApi.Lib

  • 0

OK, this sorta works on my machine (XP), it prob won't work on a Win2K machine as the function (AllocateAndGetTcpExTableFromStack) does not exist in the DLL.

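Code Block 1: Defines 'n' Stuff

#include <winsock2.h>   // ntohs(); must precede windows.h, link with ws2_32.lib
#include <windows.h>
#include <tchar.h>
#include <strsafe.h>    // StringCchPrintf()
#include <iphlpapi.h>   // ANY_SIZE
#include <tlhelp32.h>

typedef struct _MIB_TCPROW_EX
{
    DWORD dwState;
    DWORD dwLocalAddr;
    DWORD dwLocalPort;
    DWORD dwRemoteAddr;
    DWORD dwRemotePort;
    DWORD dwProcessId;
} MIB_TCPROW_EX, *PMIB_TCPROW_EX;

typedef struct _MIB_TCPTABLE_EX
{
    DWORD dwNumEntries;
    MIB_TCPROW_EX table[ANY_SIZE];
} MIB_TCPTABLE_EX, *PMIB_TCPTABLE_EX;

typedef DWORD (WINAPI* LPFNAAGTETFS) (PMIB_TCPTABLE_EX *, BOOL, HANDLE, DWORD, DWORD);
LPFNAAGTETFS lpfnAllocateAndGetTcpExTableFromStack;

Code Block 2: Actual Function

void TestFunc1()
{
    HANDLE hHeap = GetProcessHeap();
    if (hHeap == NULL)
        return;

    HMODULE hDll = LoadLibrary(_T("iphlpapi.dll"));
    if (hDll == NULL)
        return;

    // GetProcAddress() takes an ANSI name, so no _T() here. The export is
    // missing on Win2K, so the pointer must be checked before it is called.
    lpfnAllocateAndGetTcpExTableFromStack =
        (LPFNAAGTETFS)GetProcAddress(hDll, "AllocateAndGetTcpExTableFromStack");
    if (lpfnAllocateAndGetTcpExTableFromStack == NULL)
    {
        FreeLibrary(hDll);
        return;
    }

    PMIB_TCPTABLE_EX pmibTcpTable = NULL;
    DWORD dwErr = lpfnAllocateAndGetTcpExTableFromStack(&pmibTcpTable, TRUE, hHeap, 2, 2);

    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);

    if (!dwErr && pmibTcpTable != NULL && hSnap != INVALID_HANDLE_VALUE)
    {
        TCHAR szTcpStuff[255];
        TCHAR szProcess[50];
        DWORD dwLocalAddr;
        DWORD dwLocalPort;
        DWORD dwProcess;

        PROCESSENTRY32 peInfo;
        peInfo.dwSize = sizeof(PROCESSENTRY32);

        for (DWORD dwCt = 0; dwCt < pmibTcpTable->dwNumEntries; dwCt++)
        {
            dwLocalAddr = pmibTcpTable->table[dwCt].dwLocalAddr;
            dwLocalPort = pmibTcpTable->table[dwCt].dwLocalPort;
            dwProcess = pmibTcpTable->table[dwCt].dwProcessId;

            memset(szTcpStuff, 0x00, sizeof(szTcpStuff));
            memset(szProcess, 0x00, sizeof(szProcess));

            // Walk the process snapshot to find the name for this PID.
            if (Process32First(hSnap, &peInfo))
            {
                do
                {
                    if (peInfo.th32ProcessID == dwProcess)
                    {
                        // szExeFile is MAX_PATH long; copy with a bound
                        // so it cannot overrun the 50-character buffer.
                        lstrcpyn(szProcess, peInfo.szExeFile,
                                 sizeof(szProcess) / sizeof(szProcess[0]));
                        break;
                    }
                } while (Process32Next(hSnap, &peInfo));
            }

            // The address is in network byte order, so the first octet is
            // the low byte of the DWORD. The port is in the low 16 bits.
            StringCchPrintf(szTcpStuff, sizeof(szTcpStuff) / sizeof(szTcpStuff[0]),
                            _T("%lu.%lu.%lu.%lu:%u %s\n"),
                            (dwLocalAddr) & 0xff,
                            (dwLocalAddr >> 8) & 0xff,
                            (dwLocalAddr >> 16) & 0xff,
                            (dwLocalAddr >> 24) & 0xff,
                            ntohs((u_short)dwLocalPort),
                            szProcess);

            ::MessageBox(NULL, szTcpStuff, _T("TCP"), MB_OK);
        }
    }

    // The table was allocated from hHeap on our behalf; release it.
    if (!dwErr && pmibTcpTable != NULL)
        HeapFree(hHeap, 0, pmibTcpTable);

    if (hSnap != INVALID_HANDLE_VALUE)
        CloseHandle(hSnap);

    FreeLibrary(hDll);
}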

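The MIB_TCPROW_EX layout quoted in the thread, decoded in portable C. This is an added example, not code from the thread or from TcpView. It assumes the fields are stored as in the documented MIB_TCPROW (addresses and ports in network byte order, port in the low 16 bits); `tcp_row_ex`, `format_row`, `owner_of_listener` and the sample rows are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same field order as the MIB_TCPROW_EX quoted in the thread. */
typedef struct {
    uint32_t state, local_addr, local_port, remote_addr, remote_port, pid;
} tcp_row_ex;

/* Constructed sample rows, values as a little-endian Windows host sees them. */
static const tcp_row_ex SAMPLE[] = {
    { 2, 0x00000000u, 0xBD01u, 0x00000000u, 0x0000u, 4    },
    { 5, 0x0100007Fu, 0x5000u, 0x0200A8C0u, 0x3D0Du, 1234 },
};

static const char *state_name(uint32_t s) {
    static const char *names[] = { "?", "CLOSED", "LISTEN", "SYN_SENT",
        "SYN_RCVD", "ESTABLISHED", "FIN_WAIT1", "FIN_WAIT2", "CLOSE_WAIT",
        "CLOSING", "LAST_ACK", "TIME_WAIT", "DELETE_TCB" };
    return (s >= 1 && s <= 12) ? names[s] : names[0];
}

/* Network byte order: address octet i is byte i; the port is byte-swapped. */
static unsigned octet(uint32_t a, int i) { return (a >> (8 * i)) & 0xffu; }
static unsigned port_of(uint32_t p) { return ((p & 0xffu) << 8) | ((p >> 8) & 0xffu); }

/* Writes "local -> remote STATE pid=N"; returns length, or -1 if truncated. */
int format_row(const tcp_row_ex *r, char *out, size_t cap) {
    uint32_t l = r->local_addr, m = r->remote_addr;
    int n = snprintf(out, cap, "%u.%u.%u.%u:%u -> %u.%u.%u.%u:%u %s pid=%u",
        octet(l, 0), octet(l, 1), octet(l, 2), octet(l, 3), port_of(r->local_port),
        octet(m, 0), octet(m, 1), octet(m, 2), octet(m, 3), port_of(r->remote_port),
        state_name(r->state), (unsigned)r->pid);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

/* PID of the process listening (state 2) on a host-order port, or -1. */
long owner_of_listener(const tcp_row_ex *rows, size_t n, unsigned port) {
    for (size_t i = 0; i < n; i++)
        if (rows[i].state == 2 && port_of(rows[i].local_port) == port)
            return (long)rows[i].pid;
    return -1;
}

int main(void) {
    char line[96];
    for (size_t i = 0; i < 2; i++)
        if (format_row(&SAMPLE[i], line, sizeof line) > 0) puts(line);
    return 0;
}
```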

  • 0

I don't suppose you tried loading the iphlpapi.dll from a XP system on your 2K machine, ie put the XP version of the DLL into the same directory as your program, load the dll and use GetProcAddress on the XP dll...

Clutching at straws I know...


  • 0
At the bottom of the page you reference, the guy gives the source for the command-line version of tcpview, netstatp. Maybe that will give you some insight.

I've already checked that and the command-line version can only show owner process in WinXP.

(But the GUI one can show process in Windows NT/2k/XP... so it says in the help file, seems to be correct too)

:cry:

Thanks anyway.


This topic is now closed to further replies.