The Get-Process cmdlet in PowerShell has no property that tells you which ports a process is using. So here we will write a function that returns the ports associated with a process.
The Windows NETSTAT command does report port numbers together with the owning process ID (PID), but not the process name. Get-Process gives us the process name and the PID, so we can write a function that correlates the two commands and, for each process, returns the PID, local address, remote address and the connection state of each port (LISTENING, ESTABLISHED and so on).
Let's first look at what the plain NETSTAT command shows.
PS C:\WINDOWS\system32> netstat

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:9012         DESKTOP-9435KM9:56668  ESTABLISHED
  TCP    127.0.0.1:29885        DESKTOP-9435KM9:56733  ESTABLISHED
  TCP    127.0.0.1:49676        DESKTOP-9435KM9:58748  ESTABLISHED
  TCP    127.0.0.1:49676        DESKTOP-9435KM9:58755  ESTABLISHED
  TCP    127.0.0.1:49676        DESKTOP-9435KM9:58766  ESTABLISHED
  TCP    127.0.0.1:49676        DESKTOP-9435KM9:58772  ESTABLISHED
  TCP    127.0.0.1:49676        DESKTOP-9435KM9:58780  ESTABLISHED
  TCP    127.0.0.1:49676        DESKTOP-9435KM9:58782  ESTABLISHED
  TCP    127.0.0.1:49676        DESKTOP-9435KM9:58788  ESTABLISHED
  TCP    127.0.0.1:49676        DESKTOP-9435KM9:58797  ESTABLISHED
  TCP    127.0.0.1:49676        DESKTOP-9435KM9:58799  ESTABLISHED
  TCP    127.0.0.1:49676        DESKTOP-9435KM9:58801  ESTABLISHED
  TCP    127.0.0.1:49676        DESKTOP-9435KM9:58810  ESTABLISHED
  TCP    127.0.0.1:49676        DESKTOP-9435KM9:58815  ESTABLISHED
  TCP    127.0.0.1:49676        DESKTOP-9435KM9:58833  ESTABLISHED
  TCP    127.0.0.1:49676        DESKTOP-9435KM9:58835  ESTABLISHED
  TCP    127.0.0.1:49676        DESKTOP-9435KM9:58836  ESTABLISHED
  TCP    127.0.0.1:49676        DESKTOP-9435KM9:58837  ESTABLISHED
  TCP    127.0.0.1:49676        DESKTOP-9435KM9:58838  ESTABLISHED
  TCP    127.0.0.1:49676        DESKTOP-9435KM9:58843  ESTABLISHED
  TCP    127.0.0.1:49676        DESKTOP-9435KM9:58845  ESTABLISHED
That output has no PID column, and by default it only lists established connections and resolves addresses to host names. We need the port numbers, the numeric local and remote addresses and, above all, the owning PID, so we use NETSTAT -ano instead: -a lists all connections and listening ports, -n prints addresses and ports numerically (no name resolution), and -o adds the owning process ID. For more on this command, see the link below.
https://www.ionos.com/digitalguide/server/tools/introduction-to-netstat/
The output of that command looks like this:
PS C:\WINDOWS\system32> netstat -ano

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1208
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:2869           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5040           0.0.0.0:0              LISTENING       7864
  TCP    0.0.0.0:5700           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:16861          0.0.0.0:0              LISTENING       26860
  TCP    0.0.0.0:49664          0.0.0.0:0              LISTENING       760
  TCP    0.0.0.0:49665          0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:49666          0.0.0.0:0              LISTENING       1704
  TCP    0.0.0.0:49667          0.0.0.0:0              LISTENING       2976
  TCP    0.0.0.0:49668          0.0.0.0:0              LISTENING       3868
  TCP    0.0.0.0:49669          0.0.0.0:0              LISTENING       3996
  TCP    0.0.0.0:49670          0.0.0.0:0              LISTENING       720
  TCP    127.0.0.1:515          0.0.0.0:0              LISTENING       9276
  TCP    127.0.0.1:1001         0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:8884         0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:9012         0.0.0.0:0              LISTENING       15532
  TCP    127.0.0.1:9012         127.0.0.1:56668        ESTABLISHED     15532
  TCP    127.0.0.1:29885        0.0.0.0:0              LISTENING       26860
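The PID is always the last column, but the State column is absent on UDP rows and IPv6 addresses contain extra colons ([::]:445), so splitting on whitespace and cutting at the last colon needs care. As an added example that is not part of the original article, the following PowerShell parses netstat -ano rows with one anchored regular expression that handles IPv4, IPv6 and UDP rows, and then joins them to a process table by PID through a hashtable so each PID is resolved once. The $sample text and the $lookup names are constructed for illustration (PID 4 is the Windows System process; the other names are invented); on a live host replace them with the output of netstat -ano and Get-Process as shown in the comments.

```powershell
# Added example (not from the original article): parse netstat -ano rows
# into objects and join them to process names by PID.
function ConvertFrom-NetstatLine {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Line
    )
    process {
        # Proto, Local, Foreign, an optional State (UDP rows have none), then PID.
        # \S+ is greedy, so the address group backtracks to the LAST colon and
        # IPv6 "[::]:445" and the UDP wildcard "*:*" split correctly.
        $pattern = '^\s*(?<Proto>TCP|UDP)\s+(?<LAddr>\S+):(?<LPort>\d+|\*)\s+' +
                   '(?<RAddr>\S+):(?<RPort>\d+|\*)\s+(?:(?<State>[A-Z_]+)\s+)?(?<PID>\d+)\s*$'
        if ($Line -match $pattern) {
            [PSCustomObject]@{
                Protocol      = $Matches.Proto
                LocalAddress  = $Matches.LAddr
                LocalPort     = $Matches.LPort
                RemoteAddress = $Matches.RAddr
                RemotePort    = $Matches.RPort
                State         = $Matches.State      # empty for UDP rows
                PID           = [int]$Matches.PID
            }
        }
        # The "Active Connections" banner and the header row do not match
        # and are skipped without any special casing.
    }
}

function Join-NetstatToProcess {
    param(
        [string[]]$NetstatOutput,
        [hashtable]$ProcessByPid     # PID (int) -> object with a Name property
    )
    $NetstatOutput | ConvertFrom-NetstatLine | ForEach-Object {
        $p = $ProcessByPid[$_.PID]
        # A socket can outlive the netstat snapshot's owner, or belong to a
        # process that exited between netstat and Get-Process; report that
        # explicitly instead of dropping the row.
        $name = if ($p) { $p.Name } else { '<exited>' }
        $_ | Add-Member -NotePropertyName Process -NotePropertyValue $name -PassThru
    }
}

# Constructed sample of netstat -ano output (not a real capture).
$sample = @'
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1208
  TCP    127.0.0.1:9012         127.0.0.1:56668        ESTABLISHED     15532
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:5353           *:*                                    7864
'@ -split "`r?`n"

# Constructed lookup table; PID 7864 is deliberately missing to show the
# '<exited>' path. On a live host build it with:
#   $lookup = @{}; Get-Process | ForEach-Object { $lookup[$_.Id] = $_ }
$lookup = @{
    1208  = [PSCustomObject]@{ Name = 'svchost' }
    15532 = [PSCustomObject]@{ Name = 'exampleapp' }
    4     = [PSCustomObject]@{ Name = 'System' }
}

Join-NetstatToProcess -NetstatOutput $sample -ProcessByPid $lookup |
    Format-Table Process, PID, Protocol, LocalAddress, LocalPort, RemoteAddress, RemotePort, State -AutoSize
```

Matching the PID against the end of the row is the important detail: a substring search for the PID (for example findstr 4) also hits port numbers and addresses that merely contain that digit, which would attribute other processes' sockets to PID 4.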
That table gives us the process ID (PID), and Get-Process can give us the name for a PID, so we can write a function that joins the two.
function Get-ProcessPorts {
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory = $True, ValueFromPipeline = $True)]
        [AllowEmptyCollection()]
        [string[]]$ProcessName
    )
    Begin {
        Write-Verbose "Declaring empty array to store the output"
        $portout = @()
    }
    Process {
        Write-Verbose "Processes to get the port information"
        $processes = Get-Process $ProcessName
        foreach ($proc in $processes) {
            # Get the netstat rows owned by this process. The PID is the last
            # column, so anchor the match to the end of the line; a plain
            # "findstr <pid>" would also match the PID inside port numbers
            # and addresses of rows that belong to other processes.
            $mports = netstat -ano | Select-String -Pattern "\s$($proc.Id)$"
            # Separate each instance
            foreach ($sport in $mports) {
                # Split the netstat row on whitespace and drop empty fields.
                $out = $sport.Line.Trim() -split '\s+'
                # Cut at the LAST colon so IPv6 addresses such as [::]:445 work.
                $LCount = $out[1].LastIndexOf(':')
                $RCount = $out[2].LastIndexOf(':')
                $portout += [PSCustomObject]@{
                    'Process'       = $proc.Name
                    'PID'           = $proc.Id
                    'Protocol'      = $out[0]
                    'LocalAddress'  = $out[1].Substring(0, $LCount)
                    'LocalPort'     = $out[1].Substring($LCount + 1)
                    'RemoteAddress' = $out[2].Substring(0, $RCount)
                    'RemotePort'    = $out[2].Substring($RCount + 1)
                    'Connection'    = $(
                        # UDP rows have no State column, so their fourth field
                        # is the PID; only report a state when it is not numeric.
                        if ($out[3] -notmatch '^\d+$') { $out[3] }
                    )
                }
            }
        }
    }
    End {
        # Emit the objects rather than formatted text so callers can filter,
        # sort or export them; pipe to Format-Table -AutoSize to display.
        $portout
        Write-Verbose "End of the program"
    }
}
Output (displayed with Format-Table -AutoSize; the run was made with -Verbose, hence the trailing VERBOSE line):
Process PID   Protocol LocalAddress  LocalPort RemoteAddress RemotePort Connection
------- ---   -------- ------------  --------- ------------- ---------- ----------
avp     4252  TCP      127.0.0.1     49676     0.0.0.0       0          LISTENING
avp     4252  TCP      127.0.0.1     49676     127.0.0.1     50304      ESTABLISHED
avp     4252  TCP      127.0.0.1     49676     127.0.0.1     50338      ESTABLISHED
avp     4252  TCP      127.0.0.1     49676     127.0.0.1     50347      ESTABLISHED
avp     4252  TCP      127.0.0.1     49676     127.0.0.1     50357      ESTABLISHED
avp     4252  TCP      127.0.0.1     49676     127.0.0.1     50366      ESTABLISHED
avp     4252  TCP      127.0.0.1     49676     127.0.0.1     50370      ESTABLISHED
avp     4252  TCP      127.0.0.1     49676     127.0.0.1     50375      ESTABLISHED
avp     4252  TCP      127.0.0.1     49676     127.0.0.1     50376      ESTABLISHED
avp     4252  TCP      127.0.0.1     49676     127.0.0.1     50377      ESTABLISHED
avp     4252  TCP      127.0.0.1     49676     127.0.0.1     50378      ESTABLISHED
avp     4252  TCP      127.0.0.1     49676     127.0.0.1     50379      ESTABLISHED
avp     4252  TCP      127.0.0.1     49676     127.0.0.1     50380      ESTABLISHED
avp     4252  TCP      127.0.0.1     49676     127.0.0.1     50385      ESTABLISHED
avp     4252  TCP      127.0.0.1     49676     127.0.0.1     50387      ESTABLISHED
WINWORD 25852 TCP      192.168.0.107 53584     99.83.135.170 443        ESTABLISHED
WINWORD 25852 TCP      192.168.0.107 53592     99.83.135.170 443        ESTABLISHED
VERBOSE: End of the program
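Parsing netstat text is fragile and the output format is not part of any contract. On Windows 8 / Server 2012 and later the NetTCPIP module exposes the same socket table as objects (Get-NetTCPConnection, with an OwningProcess property), which removes the parsing entirely. As an added example that is not part of the original article, the function below uses those cmdlets to answer the question a defender usually has when looking at this data: which processes are listening on addresses reachable from the network, and is the listening binary validly signed? It assumes the NetTCPIP module is present, and that the shell is elevated (otherwise Get-Process returns an empty Path for SYSTEM-owned processes and the signature is reported as unknown).

```powershell
# Added example (not from the original article): list listening TCP sockets
# with their owning process, using Get-NetTCPConnection instead of netstat text.
# Requires Windows 8 / Server 2012 or later. Run elevated so that Path is
# available for processes owned by other accounts.
function Get-ListeningPortOwner {
    [CmdletBinding()]
    param(
        # Sockets bound only to loopback are not reachable from the network,
        # so they are hidden unless explicitly requested.
        [switch]$IncludeLoopback
    )
    # Resolve every PID once instead of calling Get-Process per socket.
    $procByPid = @{}
    foreach ($p in Get-Process) { $procByPid[$p.Id] = $p }

    Get-NetTCPConnection -State Listen | ForEach-Object {
        $isLoopback = $_.LocalAddress -in @('127.0.0.1', '::1')
        if ($isLoopback -and -not $IncludeLoopback) { return }

        # OwningProcess is UInt32; cast so it matches the Int32 keys above.
        $proc = $procByPid[[int]$_.OwningProcess]
        $sig  = 'unknown'
        if ($proc -and $proc.Path) {
            # Authenticode status of the listening image: Valid, NotSigned,
            # HashMismatch, ... An unsigned or tampered listener is worth a look.
            $sig = (Get-AuthenticodeSignature -FilePath $proc.Path).Status
        }
        [PSCustomObject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            PID          = $_.OwningProcess
            Process      = $(if ($proc) { $proc.Name } else { '<exited>' })
            Path         = $(if ($proc) { $proc.Path } else { $null })
            Signature    = $sig
        }
    }
}

# Usage: triage listeners whose image is not validly signed. A listener on
# 0.0.0.0 or [::] is reachable on every interface, so start there.
Get-ListeningPortOwner |
    Where-Object { $_.Signature -ne 'Valid' } |
    Sort-Object LocalPort |
    Format-Table LocalAddress, LocalPort, PID, Process, Signature, Path -AutoSize
```

Get-NetUDPEndpoint provides the equivalent table for UDP (LocalAddress, LocalPort and OwningProcess, with no state), and can be joined to the same $procByPid hashtable in the same way.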