
I'm trying to figure out how to get all network activity for a given process. In the Windows "Resource Monitor" application, in the "Network Activity" box, you are able to see all TCP/UDP connections, the data being sent, etc. I first tried using the cmd netstat and was going to parse this, but quickly realized it "misses" a whole bunch of UDP connections. So that was out. Now I've been looking into using iphlpapi.h in C++ along with its GetExtendedUdpTable function. But even this doesn't seem to be showing all the data that Resource Monitor shows. Can anyone direct me to the proper Windows API that can get the same information as seen in the Network Activity tab under Resource Monitor? I've been searching for a while now and everything I've found is extremely old; I'm hoping to use whatever is the current/modern approach. This doesn't have to be backwards compatible, Windows 10 only is fine.

Basically my end goal is to build an app that can geo-locate IPs using a database automatically for a target application (including UDP connections). Now I'm sure there are many libraries/apps out there that can already do this. I'm just wanting to do it as a learning process, so I'd like to avoid any libraries/APIs other than Windows-provided ones.

This is currently what I've been working with; please forgive the use of poor practices such as using printf and not using static_cast, etc. I'll be rewriting everything properly once I've found a way of obtaining the information I'm after.

    #include <winsock2.h>
    #include <windows.h>
    #include <iphlpapi.h>
    #include <psapi.h>
    #include <stdio.h>
    #pragma comment(lib, "iphlpapi.lib")
    #pragma comment(lib, "psapi.lib")

    // Heap helpers, as in the Microsoft iphlpapi samples this is based on
    #define MALLOC(x) HeapAlloc(GetProcessHeap(), 0, (x))
    #define FREE(x)   HeapFree(GetProcessHeap(), 0, (x))

    int main() {
        MIB_UDPTABLE_OWNER_PID* pUdpTable = NULL;
        MIB_UDPROW_OWNER_PID* owner;

        DWORD dwSize = 0;
        DWORD dwResult;

        // First call with a NULL buffer only reports the required size in dwSize
        dwResult = GetExtendedUdpTable(NULL, &dwSize, FALSE, AF_INET, UDP_TABLE_OWNER_PID, 0);
        if (dwResult != ERROR_INSUFFICIENT_BUFFER) {
            printf("Error GetExtendedUdpTable (size query) : %lu\n", dwResult);
            return 1;
        }
        pUdpTable = (MIB_UDPTABLE_OWNER_PID*)MALLOC(dwSize);
        if (pUdpTable == NULL) {
            printf("Error allocating %lu bytes\n", dwSize);
            return 1;
        }
        dwResult = GetExtendedUdpTable(pUdpTable, &dwSize, FALSE, AF_INET, UDP_TABLE_OWNER_PID, 0);
        if (dwResult != NO_ERROR) {
            printf("Error GetExtendedUdpTable : %lu\n", dwResult);
            FREE(pUdpTable);
            return 1;
        }

        // Each row is a bound local UDP endpoint plus the PID that owns it
        for (DWORD dwLoop = 0; dwLoop < pUdpTable->dwNumEntries; dwLoop++) {
            owner = &pUdpTable->table[dwLoop];
            printf("%lu ", owner->dwOwningPid);

            HANDLE Handle = OpenProcess(
                PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,
                FALSE,
                owner->dwOwningPid
            );
            if (Handle) {
                char Buffer[MAX_PATH];
                // Explicit ANSI variant so the buffer type matches "%s" regardless of UNICODE
                if (GetModuleFileNameExA(Handle, 0, Buffer, MAX_PATH)) {
                    // Never pass the path itself as the format string; print it through "%s"
                    printf("%s\n", Buffer);
                } else {
                    printf("Error GetModuleFileNameEx : %lu\n", GetLastError());
                }
                CloseHandle(Handle);
            } else {
                printf("Error OpenProcess : %lu\n", GetLastError());
            }
        }

        FREE(pUdpTable);
        return 0;
    }

Hex Crown
  • So basically you want the list of all destination IP addresses requested by your machine (source IP)? – Mayur Sep 28 '18 at 13:47
  • Yes, that's exactly right. – Hex Crown Sep 29 '18 at 17:24
  • Resource Monitor is ~Perfmon. So, I guess you're looking for performance counters or, most probably, ETW traces (like what's done here for other types of information: https://stackoverflow.com/questions/51654329/how-is-it-possible-to-understand-which-process-deletes-a-file-on-the-hard-drive but it's using C#, not C++) – Simon Mourier Sep 30 '18 at 08:20
  • Can you be more specific about the connections you don't see with `GetExtendedUdpTable`? Maybe this is because you see connections in `Resource Monitor` for a few seconds after they closed? – Codeguard Oct 01 '18 at 07:40
  • Basically I'm looking for the remote addresses of UDP on a per-process basis. As an example, using Resource Monitor or a 3rd-party tool such as NetLimiter I'm able to see every remote address a process talks to, and the rate at which data is being sent both to and from. Using the example C++ code in the original post shows only a subset of the remote addresses. As to which ones are omitted and why, I do not know. – Hex Crown Oct 01 '18 at 19:13

0 Answers
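As an added example (not code from the asker, and not an answer posted on this page), the same per-process snapshot done in PowerShell with the inbox NetTCPIP cmdlets, extended to cover TCP as well as UDP. Laid out side by side, the two tables make the gap visible: a UDP endpoint row has no remote-address field at all, which is the same data `GetExtendedUdpTable` returns, so remote UDP peers cannot come from that table. The second function follows the direction given in the comments and captures the kernel network ETW provider with `logman`, which is where per-packet send/receive events with both endpoints live. The session name, output path, capture length and the field order noted in the comments are assumptions to verify on your own machine; the ETW part needs an elevated prompt.

```powershell
# Added example, not code from the question. Windows 10, built-in cmdlets only.

function Get-ProcessEndpoints {
    # Snapshot every TCP connection and UDP endpoint owned by a process name.
    param([Parameter(Mandatory)][string]$ProcessName)

    $pids = @((Get-Process -Name $ProcessName -ErrorAction Stop).Id)

    # TCP rows carry both ends of the connection plus its state.
    $tcp = Get-NetTCPConnection -OwningProcess $pids -ErrorAction SilentlyContinue |
        Select-Object @{n='Proto';e={'TCP'}}, LocalAddress, LocalPort,
                      RemoteAddress, RemotePort, State, OwningProcess

    # UDP rows are bound local sockets only: the object has no RemoteAddress
    # property. This is the same information GetExtendedUdpTable exposes, which is
    # why a per-peer view like Resource Monitor's cannot be built from it alone.
    $udp = Get-NetUDPEndpoint -OwningProcess $pids -ErrorAction SilentlyContinue |
        Select-Object @{n='Proto';e={'UDP'}}, LocalAddress, LocalPort,
                      @{n='RemoteAddress';e={$null}}, @{n='RemotePort';e={$null}},
                      @{n='State';e={$null}}, OwningProcess

    @($tcp) + @($udp)
}

function Capture-KernelNetworkEvents {
    # Record per-packet network events for a short window and read them back.
    param(
        [int]$Seconds = 30,                                  # assumed capture length
        [string]$EtlPath = "$env:TEMP\kernel-network.etl"    # assumed output path
    )

    $session = 'KernelNetworkTrace'                          # assumed session name

    # Microsoft-Windows-Kernel-Network is the inbox provider that logs each TCP/UDP
    # send and receive; logman ships with Windows and -ets starts the session at once.
    logman create trace $session -p 'Microsoft-Windows-Kernel-Network' -o $EtlPath -ets | Out-Null
    try {
        Start-Sleep -Seconds $Seconds
    }
    finally {
        logman stop $session -ets | Out-Null
    }

    # Get-WinEvent opens .etl files directly. Message is the rendered event text;
    # Properties holds the raw fields. The order PID, size, daddr, saddr, dport, sport
    # is an assumption taken from the provider manifest: confirm it with
    #   (Get-WinEvent -Path $EtlPath -Oldest | Select-Object -First 1).Properties
    # before indexing into it.
    Get-WinEvent -Path $EtlPath -Oldest |
        Where-Object ProviderName -eq 'Microsoft-Windows-Kernel-Network' |
        Select-Object TimeCreated, Id, Message,
                      @{n='Fields';e={ ($_.Properties | ForEach-Object { $_.Value }) -join ',' }}
}

# Usage (process name is a placeholder):
Get-ProcessEndpoints -ProcessName 'your-app' | Format-Table -AutoSize
# Capture-KernelNetworkEvents -Seconds 20 | Format-Table -Wrap
```

The snapshot function deliberately pads the UDP rows with empty remote columns so that TCP and UDP print in one table and the missing data stands out rather than being silently absent. For the ETW capture, group the returned events by the PID field and the destination address once you have confirmed the field order; that is the per-process, per-peer view the question asks for, and it also catches short-lived sockets that no table snapshot will ever contain.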