trustedsec / CS-Situational-Awareness-BOF

Situational Awareness commands implemented using Beacon Object Files
GNU General Public License v2.0

Display PID for listening sockets at netstat #67

Closed 0xShkk closed 2 years ago

0xShkk commented 2 years ago

Hi there,

would be great if the "netstat" BOF would display the PID of the process that opened the socket as well.

Like doing a "netstat -aon" via cmd.

Cheers

freefirex commented 2 years ago

I don't intend to implement this myself anytime soon, if anyone is watching this repo and wants to submit a pull request I'm open to reviewing it.

Looks like the changes would be replacing Get(Tcp|Udp)Table with calls to https://docs.microsoft.com/en-us/windows/win32/api/iphlpapi/nf-iphlpapi-getextendedtcptable, and using TCP_TABLE_OWNER_PID_ALL for the TableClass parameter.
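The API change described above, written out as an added example in plain C (not the project's BOF code, which would go through the Beacon API rather than stdio): the Windows-only part sizes and fills a MIB_TCPTABLE_OWNER_PID with GetExtendedTcpTable and TCP_TABLE_OWNER_PID_ALL, and the row filter is kept portable, with stand-in typedefs off Windows (an assumption of this example), so it can be checked against constructed rows.

```c
/* Added example, not the project's BOF code: listening TCP sockets with owning
 * PID via GetExtendedTcpTable(TCP_TABLE_OWNER_PID_ALL), as suggested above.
 * The row filter is portable so it can be checked off Windows on built rows. */
#include <stdio.h>
#include <stdlib.h>
#ifdef _WIN32
#include <winsock2.h>
#include <windows.h>
#include <iphlpapi.h>
#pragma comment(lib, "iphlpapi.lib")
#else /* stand-ins mirroring the Windows definitions in tcpmib.h */
#include <stdint.h>
typedef uint32_t DWORD;
#define MIB_TCP_STATE_LISTEN 2
typedef struct { DWORD dwState, dwLocalAddr, dwLocalPort, dwRemoteAddr,
                 dwRemotePort, dwOwningPid; } MIB_TCPROW_OWNER_PID;
#endif

struct listener { DWORD addr; unsigned short port; DWORD pid; };
/* dwLocalPort holds the port in network byte order in its low 16 bits. */
static unsigned short row_port(DWORD v) {
    return (unsigned short)(((v & 0xFF) << 8) | ((v >> 8) & 0xFF));
}

/* Copy rows in LISTEN state into out (at most max); returns the count. */
size_t collect_listeners(const MIB_TCPROW_OWNER_PID *rows, DWORD n, struct listener *out, size_t max) {
    size_t found = 0;
    for (DWORD i = 0; i < n && found < max; i++) {
        if (rows[i].dwState != MIB_TCP_STATE_LISTEN) continue;
        out[found].addr = rows[i].dwLocalAddr;
        out[found].port = row_port(rows[i].dwLocalPort);
        out[found++].pid = rows[i].dwOwningPid;
    }
    return found;
}

#ifdef _WIN32
int main(void) {
    DWORD size = 0; /* first call reports the needed size, second fills it */
    GetExtendedTcpTable(NULL, &size, TRUE, AF_INET, TCP_TABLE_OWNER_PID_ALL, 0);
    MIB_TCPTABLE_OWNER_PID *t = malloc(size);
    if (!t || GetExtendedTcpTable(t, &size, TRUE, AF_INET, TCP_TABLE_OWNER_PID_ALL, 0) != NO_ERROR)
        return 1;
    struct listener l[512];
    size_t n = collect_listeners(t->table, t->dwNumEntries, l, 512);
    for (size_t i = 0; i < n; i++) /* dwLocalAddr is network order: low byte first */
        printf("TCP %lu.%lu.%lu.%lu:%u LISTENING PID %lu\n", l[i].addr & 0xFF,
               (l[i].addr >> 8) & 0xFF, (l[i].addr >> 16) & 0xFF, l[i].addr >> 24,
               l[i].port, l[i].pid);
    free(t);
    return 0;
}
#endif
```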

nowhey2 commented 2 years ago

That was one of the first things I changed. Since I've had it a while, I've chosen to share the changes. I don't know why my pull request tagged multiple issues, my bad.

freefirex commented 2 years ago

Thanks again nowhey2, if ya want a Twitter callout just comment your handle on here and I'll give you a more public thanks there.

Awesome work!

nowhey2 commented 2 years ago

TY, not necessary.

0xShkk commented 2 years ago

Thank you very much for sharing your solution!