How to know what IP app connects to?
roxaz
January 10th, 2009, 06:34
As topic says.... I have an app that connects to a licence server and validates the licence. It's a short time span so I can not really use netstat to see what IPs are used (ye, windows!). A virtualizer is used and I somehow can't even debug the app (x64, ida.. kek). Any ideas?
Arcane
January 10th, 2009, 07:34
http://www.woodmann.com/collaborative/tools/Category:Process_Monitoring_Tools , I'm sure you can find something there which will show you the open connections for a process, and to what destination it connects
squidge
January 11th, 2009, 15:15
netstat should work, as the connection should be in TIME_WAIT status long enough for that.
disavowed
January 17th, 2009, 15:40
http://www.woodmann.com/collaborative/sectools/Category:Packet_Sniffers
roxaz
January 17th, 2009, 17:04
I kinda easily figured it out... while stepping through the code I passed connect.. send... recv... and it came to my mind that the connection is still open

so hell.. netstat + breakpoint rocks

vvw
January 17th, 2009, 18:53
That's one way to go about it, but a bit overkill

What if the executable decides to call WSASocket or WSAConnect instead of socket, connect, etc.? (socket calls WSASocket under the hood)
As others have mentioned, the correct tool for this problem is a packet sniffer such as tcpdump or wireshark.
-vvw
roxaz
January 17th, 2009, 20:48
yeah well if the app calls those other funcs I break on the other funcs... I can see imports after all.. and references

I tried to go with wireshark in the first place however. When I saw the way it works I went with the debugger.. it captures all packets so I needed to filter them by port or IP. so here you go..
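As an added illustration of the filtering the two posts above discuss (this is not code from the thread or from any of the tools it names), the following Python script parses a classic pcap buffer and reports only the destination IP/port pairs that received an outbound TCP SYN, which is what a short-lived licence check looks like on the wire. The capture is constructed inline from RFC 5737 documentation addresses rather than taken from a real application; `build_sample_pcap`, `_frame` and the parser functions are this example's own assumptions.

```python
import ipaddress
import struct
from collections import Counter

ETH_P_IP = 0x0800      # EtherType for IPv4
IPPROTO_TCP = 6
TCP_SYN = 0x02
TCP_ACK = 0x10
PCAP_MAGIC = 0xA1B2C3D4
DLT_EN10MB = 1         # Ethernet link layer, the only one handled here


def parse_pcap(data):
    """Yield raw link-layer frames from a classic (non-pcapng) pcap buffer."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = "<" if magic == PCAP_MAGIC else ">"
    link_type = struct.unpack(endian + "I", data[20:24])[0]
    if link_type != DLT_EN10MB:
        raise ValueError("unsupported link type %d" % link_type)
    offset = 24
    while offset + 16 <= len(data):
        # per-packet header: ts_sec, ts_usec, captured length, original length
        incl_len = struct.unpack(endian + "IIII", data[offset:offset + 16])[2]
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len


def syn_destinations(data):
    """Count (dst_ip, dst_port) pairs that received a TCP SYN without ACK.

    A pure SYN is the first packet of a connection the monitored host
    initiated; SYN/ACK replies from the server are skipped so the server
    is not mistaken for a second endpoint.
    """
    hits = Counter()
    for frame in parse_pcap(data):
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
            continue
        ip = frame[14:]
        if ip[0] >> 4 != 4 or ip[9] != IPPROTO_TCP:
            continue
        ihl = (ip[0] & 0x0F) * 4
        tcp = ip[ihl:]
        if len(tcp) < 20:
            continue
        dst_port = struct.unpack("!H", tcp[2:4])[0]
        flags = tcp[13]
        if flags & TCP_SYN and not flags & TCP_ACK:
            dst_ip = str(ipaddress.IPv4Address(ip[16:20]))
            hits[(dst_ip, dst_port)] += 1
    return hits


def _frame(src_ip, dst_ip, src_port, dst_port, flags):
    """Build a minimal Ethernet/IPv4/TCP frame (checksums left at zero)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETH_P_IP)
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip + tcp


def build_sample_pcap():
    """Constructed capture: a licence check, its reply, a second server and a retry."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, DLT_EN10MB)
    frames = [
        _frame("10.0.0.5", "203.0.113.10", 49152, 443, TCP_SYN),
        _frame("203.0.113.10", "10.0.0.5", 443, 49152, TCP_SYN | TCP_ACK),
        _frame("10.0.0.5", "198.51.100.7", 49153, 8080, TCP_SYN),
        _frame("10.0.0.5", "203.0.113.10", 49154, 443, TCP_SYN),
    ]
    body = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return header + body


if __name__ == "__main__":
    for (ip, port), n in syn_destinations(build_sample_pcap()).items():
        print("%s:%d  %d SYN(s)" % (ip, port, n))
```

The same "SYN without ACK" filter is what you would type into the tools named in the thread instead of writing a parser: `tcpdump -n 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'` on the command line, or `tcp.flags.syn == 1 && tcp.flags.ack == 0` as a Wireshark display filter. Either cuts the capture down to connection attempts, so the licence server stands out without any breakpoints.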

vvw
January 18th, 2009, 02:35
There are many other functions that can be used to initiate a network connection. Would you know ALL of them by examining the import table?
Also, sometimes malware will use GetProcAddress(...) to "conceal" the functions it really uses so that they are not present in the import table (not a very good method). And it may even go as far as xor'ing or rot13'ing the function name so that you can't run a simple 'strings' utility against the binary to see what functions it will GetProcAddress on...
With a packet sniffer you never have to worry about any of that; you see all traffic regardless of what method the executable uses
-vvw
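To take the last point in a defensive direction (added example, not code from this thread or from any tool it names): a triage script can search a binary's bytes for the plain, rot13 and single-byte-XOR forms of the networking API names an analyst expects GetProcAddress to resolve, so the 'strings' step vvw describes still turns something up even when the names are lightly encoded. The API list, the function names and the sample data section are this example's own assumptions; the blob is constructed inline.

```python
import codecs

# API names worth looking for when triaging which networking functions a
# binary resolves at runtime. All are at least six bytes long because XOR
# brute-forcing short names such as "send" or "recv" produces spurious
# matches in almost any binary.
NETWORK_APIS = [b"GetProcAddress", b"connect", b"WSAConnect", b"WSASocketA",
                b"InternetOpenUrlA"]


def rot13_bytes(name):
    """rot13 of an ASCII byte string (letters only are rotated)."""
    return codecs.encode(name.decode("ascii"), "rot_13").encode("ascii")


def xor_bytes(name, key):
    """XOR every byte with one single-byte key."""
    return bytes(b ^ key for b in name)


def find_obfuscated_api_names(blob, names=NETWORK_APIS):
    """Return (name, encoding, offset) for each API name found in plain,
    rot13 or single-byte-XOR form in the given bytes."""
    hits = []
    for name in names:
        label = name.decode("ascii")
        off = blob.find(name)
        if off != -1:
            hits.append((label, "plain", off))
        off = blob.find(rot13_bytes(name))
        if off != -1:
            hits.append((label, "rot13", off))
        for key in range(1, 256):          # key 0 is the plain form, already covered
            off = blob.find(xor_bytes(name, key))
            if off != -1:
                hits.append((label, "xor:0x%02x" % key, off))
    return hits


# Constructed stand-in for a binary's data section: one plain import name,
# one rot13-encoded name and one XOR-encoded name (key 0x5A) between
# ordinary DLL name strings.
SAMPLE_BLOB = (b"\x00" * 16
               + b"GetProcAddress\x00"
               + b"kernel32.dll\x00"
               + rot13_bytes(b"connect") + b"\x00"
               + xor_bytes(b"WSAConnect", 0x5A) + b"\x00"
               + b"ws2_32.dll\x00")


if __name__ == "__main__":
    for name, encoding, offset in find_obfuscated_api_names(SAMPLE_BLOB):
        print("%-18s %-10s at offset 0x%x" % (name, encoding, offset))
```

Run against a real file by passing `open(path, "rb").read()` in place of `SAMPLE_BLOB`. A hit only tells you which names are present and how they were hidden; it is a pointer for where to set breakpoints or what to expect in the capture, not a substitute for watching the traffic itself, which is the point vvw makes.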