电脑是否被远程控制如何判断
判断电脑是否被远程控制需要从多个维度进行检测。以下是详细分析:
1. 网络连接检测:
```c
class NetworkMonitor {
// 检查可疑端口
BOOL CheckSuspiciousPorts() {
// 常见远程控制端口
const int SUSPICIOUS_PORTS[] = {
3389, // RDP
5900, // VNC
5938, // TeamViewer
7070, // AnyDesk
4899 // Radmin
};
MIB_TCPTABLE_OWNER_PID* pTcpTable = NULL;
DWORD dwSize = 0;
BOOL bFound = FALSE;
GetExtendedTcpTable(NULL, &dwSize, TRUE, AF_INET,
TCP_TABLE_OWNER_PID_ALL, 0);
pTcpTable = (MIB_TCPTABLE_OWNER_PID*)malloc(dwSize);
if (GetExtendedTcpTable(pTcpTable, &dwSize, TRUE,
AF_INET, TCP_TABLE_OWNER_PID_ALL, 0) == NO_ERROR) {
for (DWORD i = 0; i < pTcpTable->dwNumEntries; i++) {
DWORD localPort = ntohs(pTcpTable->table[i].dwLocalPort);
for (int port : SUSPICIOUS_PORTS) {
if (localPort == port) {
bFound = TRUE;
break;
}
}
}
}
free(pTcpTable);
return bFound;
}
};
```
2. 进程监控:
```c
class ProcessMonitor {
// 检查可疑进程
BOOL CheckSuspiciousProcesses() {
HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hSnapshot == INVALID_HANDLE_VALUE) return FALSE;
PROCESSENTRY32W pe32;
pe32.dwSize = sizeof(pe32);
BOOL bFound = FALSE;
if (Process32FirstW(hSnapshot, &pe32)) {
do {
// 检查常见远程控制软件进程
if (CheckSuspiciousProcessName(pe32.szExeFile)) {
bFound = TRUE;
break;
}
} while (Process32NextW(hSnapshot, &pe32));
}
CloseHandle(hSnapshot);
return bFound;
}
BOOL CheckSuspiciousProcessName(LPCWSTR processName) {
const WCHAR* SUSPICIOUS_PROCESSES[] = {
L"TeamViewer.exe",
L"AnyDesk.exe",
L"vncserver.exe",
L"radmin.exe",
L"mstsc.exe"
};
for (const WCHAR* suspiciousProcess : SUSPICIOUS_PROCESSES) {
if (_wcsicmp(processName, suspiciousProcess) == 0) {
return TRUE;
}
}
return FALSE;
}
};
```
3. 系统资源监控:
```c
class ResourceMonitor {
// 检查异常资源使用
BOOL CheckAbnormalResourceUsage() {
// CPU使用率
BOOL CheckCPUUsage() {
PDH_HQUERY cpuQuery;
PDH_HCOUNTER cpuTotal;
PdhOpenQuery(NULL, NULL, &cpuQuery);
PdhAddCounter(cpuQuery, L"\\Processor(_Total)\\% Processor Time",
NULL, &cpuTotal);
PdhCollectQueryData(cpuQuery);
Sleep(1000); // 等待1秒收集数据
PDH_FMT_COUNTERVALUE counterVal;
PdhCollectQueryData(cpuQuery);
PdhGetFormattedCounterValue(cpuTotal, PDH_FMT_DOUBLE,
NULL, &counterVal);
PdhCloseQuery(cpuQuery);
// CPU使用率异常高可能表示远程控制
return counterVal.doubleValue > 80.0;
}
// 网络流量
BOOL CheckNetworkTraffic() {
MIB_IFROW ifRow;
DWORD dwSize = sizeof(ifRow);
// 获取网络接口信息
if (GetIfEntry(&ifRow) == NO_ERROR) {
// 检查异常流量
return (ifRow.dwOutOctets > 1000000 || // 1MB/s
ifRow.dwInOctets > 1000000);
}
return FALSE;
}
}
};
```
4. 注册表检查:
```c
class RegistryMonitor {
BOOL CheckSuspiciousRegistry() {
// 检查远程控制软件的注册表项
const WCHAR* SUSPICIOUS_KEYS[] = {
L"SOFTWARE\\TeamViewer",
L"SOFTWARE\\AnyDesk",
L"SOFTWARE\\RealVNC",
L"SOFTWARE\\TightVNC",
L"SOFTWARE\\Radmin"
};
for (const WCHAR* keyPath : SUSPICIOUS_KEYS) {
HKEY hKey;
if (RegOpenKeyExW(HKEY_LOCAL_MACHINE, keyPath, 0,
KEY_READ, &hKey) == ERROR_SUCCESS) {
RegCloseKey(hKey);
return TRUE;
}
}
return FALSE;
}
};
```
5. 服务检查:
```c
class ServiceMonitor {
BOOL CheckRemoteServices() {
SC_HANDLE hSCM = OpenSCManager(NULL, NULL, SC_MANAGER_ENUMERATE_SERVICE);
if (!hSCM) return FALSE;
ENUM_SERVICE_STATUS* lpServices = NULL;
DWORD dwBytesNeeded = 0;
DWORD dwServicesReturned = 0;
DWORD dwResumeHandle = 0;
// 首先获取需要的缓冲区大小
EnumServicesStatus(hSCM, SERVICE_WIN32,
SERVICE_ACTIVE,
NULL, 0,
&dwBytesNeeded,
&dwServicesReturned,
&dwResumeHandle);
lpServices = (ENUM_SERVICE_STATUS*)malloc(dwBytesNeeded);
BOOL bResult = FALSE;
if (EnumServicesStatus(hSCM,
SERVICE_WIN32,
SERVICE_ACTIVE,
lpServices,
dwBytesNeeded,
&dwBytesNeeded,
&dwServicesReturned,
&dwResumeHandle)) {
for (DWORD i = 0; i < dwServicesReturned; i++) {
if (CheckSuspiciousServiceName(lpServices[i].lpServiceName)) {
bResult = TRUE;
break;
}
}
}
free(lpServices);
CloseServiceHandle(hSCM);
return bResult;
}
};
```
6. 事件日志分析:
```c
class EventLogMonitor {
BOOL CheckSuspiciousEvents() {
HANDLE hEventLog = OpenEventLog(NULL, L"Security");
if (hEventLog == NULL) return FALSE;
DWORD dwReadFlags = EVENTLOG_BACKWARDS_READ | EVENTLOG_SEQUENTIAL_READ;
DWORD dwRecordNumber = 0;
DWORD dwBytesRead = 0;
DWORD dwBytesNeeded = 0;
// 获取所需缓冲区大小
ReadEventLog(hEventLog,
dwReadFlags,
0,
NULL,
0,
&dwBytesNeeded,
&dwBytesRead);
BYTE* pBuffer = (BYTE*)malloc(dwBytesNeeded);
BOOL bResult = FALSE;
if (ReadEventLog(hEventLog,
dwReadFlags,
0,
pBuffer,
dwBytesNeeded,
&dwBytesRead,
&dwBytesRead)) {
PEVENTLOGRECORD pEvent = (PEVENTLOGRECORD)pBuffer;
// 检查远程登录事件
while (dwBytesRead > 0) {
if (pEvent->EventID == 4624 || // 登录成功
pEvent->EventID == 4625) { // 登录失败
bResult = TRUE;
break;
}
dwBytesRead -= pEvent->Length;
pEvent = (PEVENTLOGRECORD)((LPBYTE)pEvent + pEvent->Length);
}
}
free(pBuffer);
CloseEventLog(hEventLog);
return bResult;
}
};
```
7. 防火墙日志检查:
```c
class FirewallMonitor {
BOOL CheckFirewallLogs() {
// 检查Windows防火墙日志
HANDLE hFile = CreateFile(
L"C:\\Windows\\System32\\LogFiles\\Firewall\\pfirewall.log",
GENERIC_READ,
FILE_SHARE_READ,
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
NULL);
if (hFile == INVALID_HANDLE_VALUE) return FALSE;
char buffer[4096];
DWORD bytesRead;
BOOL bResult = FALSE;
while (ReadFile(hFile, buffer, sizeof(buffer), &bytesRead, NULL)
&& bytesRead > 0) {
// 检查可疑连接
if (strstr(buffer, "3389") || // RDP
strstr(buffer, "5900") || // VNC
strstr(buffer, "5938")) { // TeamViewer
bResult = TRUE;
break;
}
}
CloseHandle(hFile);
return bResult;
}
};
```
8. 综合检测:
```c
class RemoteControlDetector {
BOOL IsRemotelyControlled() {
NetworkMonitor netMon;
ProcessMonitor procMon;
ResourceMonitor resMon;
RegistryMonitor regMon;
ServiceMonitor svcMon;
EventLogMonitor evtMon;
FirewallMonitor fwMon;
// 综合多个检测结果
int suspiciousCount = 0;
if (netMon.CheckSuspiciousPorts())
suspiciousCount++;
if (procMon.CheckSuspiciousProcesses())
suspiciousCount++;
if (resMon.CheckAbnormalResourceUsage())
suspiciousCount++;
if (regMon.CheckSuspiciousRegistry())
suspiciousCount++;
if (svcMon.CheckRemoteServices())
suspiciousCount++;
if (evtMon.CheckSuspiciousEvents())
suspiciousCount++;
if (fwMon.CheckFirewallLogs())
suspiciousCount++;
// 如果多个指标都显示可疑,则很可能被远程控制
return suspiciousCount >= 3;
}
};
```
关键检测点:
1. 网络层面:
- 可疑端口
- 异常连接
- 流量分析
2. 系统层面:
- 进程检查
- 服务检查
- 注册表检查
3. 资源层面:
- CPU使用率
- 内存使用
- 网络流量
4. 日志层面:
- 系统日志
- 安全日志
- 防火墙日志
5. 最佳实践:
- 多维度检测
- 实时监控
- 阈值调整
- 误报处理
这些检测方法可以:
1. 及时发现远程控制
2. 减少误报
3. 提供详细信息
4. 支持实时监控
5. 便于维护和扩展
原文地址:https://blog.csdn.net/zhangyihu321/article/details/144298523
免责声明:本站文章内容转载自网络资源,如本站内容侵犯了原著者的合法权益,可联系本站删除。更多内容请关注自学内容网(zxcms.com)!