Hello,

Hi just a small request, when the port explorer icon is in the system tray would it be possible for it to flash or blink if there are any hidden sockets? Jason thanks for adding the mouse hover. ;D

Thanks
Loki 8)

Hi Loki,
wonder if the blinking would help: as i've constantly a few hidden sockets like the FW so it wouldn't add anything as it would keep on blinking, unless it would only blink after maximizing and back to tray in case of new hidden alerts, something like the alert signal in the FW and VisualZone for isntance. In such a case it would certainly add!
I like the mouse over hovering too!

Hello Jooske,

Well Port Explorer has finally decided Sygate Pro is ok and not a hidden socket. But you're right what I should have asked for is if there's a change after checking PE. Once you check then PE might reset and if a new socket goes hidden it could warn again. Something simple and easy.

Thanks
Loki 8)

P.S. Not to make Jason work any harder ;D.

It would be a good idea, if I could remove VALID red sockets from Port Explorer. Unfortunately I still havn't found an undocumented safe way of finding out if an application has a systray icon.

I get a lot of reports already about red sockets on "safe" programs so making a flashing thing would probably alert users more :P . But if I can find a way to remove the safe red socket programs then a flashing alert would be good as in 99% of cases that would be a trojan port.

-Jason-

Not always Jason, as i found this morning i lost connection, which i did not know, and hovering mouse over saw 7 hidden sockets in stead of the normal 3 and at the moment of opening the PE GUI they were all disappeared, only catched in a glimpse IE and OE had at least 1 hidden socket each, but the other 2 did not see that quick in the auto- refreshment; guess the disconnected processes had become hidden. Indeed my ISP has lost lots of the connectivity, mailserver, etc so this is not really strange here and which other sockets were hidden ... only autologging can tell :P

Jooske, Is it just me or have you posted around 200 messages in a week ;D
-Jason-

Don't know what kept you busy, i did not count, the users' most recent postings don't have a date choice to test that, but maybe the search engine can offer some help.

Anyway, not sure what more was wrong as even the clipboard was among the hidden sockets, which is normally very suspicious, scanning clipboard content and the exe itself, nada, no modification either, so... hmmm keep controlling more often now. Yes, a blinking systray icon for unexpected new not excluded processes/sockets could be something.
Wonder if this weekend's ZAPro upgrade to 3.5... is part of the many strange events.

Jooske, Did you totally uninstall ZA before doing the upgrade as I have read somewhere that this can cure the strange events. ZA's website has the complete uninstall instrutions.

Hmmmmm must think.....
You read the step by step disaster in another place so won't post that part here again. It does itself when installing the new version, but if it continues troubling i will uninstall it manually and re-install this one, of course.
Maybe it does not like PE, one of the other pieces of deep digging security software. Due to being extremely occupied and this Zapro and my ISP adsl problems i still did not get the 1.350; Jason will be on the next if i ever come to this one if this continues this way :)

Hi Jooske,

Just a short note about PE and ZAPro, I use both without any problems, so I doubt PE is the issue (ZAPro 3.5.169)

Wink :)

Think the problem was more in some strange changes in ZaPro to get used on and connection problems on my ISP side. Of course i had to check extra why my IE and OE and clipboard and more all of a sudden were indicated as hidden, scan scan nothing specific found, fortunately.
Hope to find out nice improvements in ZAPro 3.5.169.002 over the former, impression is it uses less RAM.
Keeping more eyes on PE. It has always functioned together very fine, so i'm not really worried at all, just surprised about all happenings.

Jooske indeed a strange problem since they were'nt showing as hidden before. Are all the outlook, etc, sockets showing as hidden or just some? Can you see the Outlook window?
-Jason-

It happened a few times more since. But i noticed too it was when i seem to have lost connection or my DNS:
at those moments i can't collect emails nor surf around.
I see all the sockets for Outlook Express (i don't use Outlook) red then and all those for Internet Explorer. I can access and see what there is already in OE and i guess the cached IE pages.
Till now disconnect from internet and reconnect or a modem reset or in cases even a reboot helped to get back correctly.
Not sure still if this is part of the new Zapro install, the general internet problems or my ISP having problems too more then often, so i am not intending to uninstall Zapro for isntance completely or make other big changes till all that part on internet is ok again.
I'll pay more attention to it now.

>It would be a good idea, if I could remove VALID red sockets from Port Explorer.
>Unfortunately I still havn't found an undocumented safe way of finding out if an application
>has a systray icon.

http://skyscraper.fortunecity.com/gigo/311/winprog/shellico.txt

(UN)fortune city doesn't give access to the file; other ways to get to it?

//----------------------------------------------------------------------------
// File: shellico.txt
//----------------------------------------------------------------------------
// You are allowed to distribute this document unmodified for free,
// without paying me any fee.
// The information in this document is provided AS IS,
// without any warranties or guarantees.
//
// All undocumented Windows features used/described in this document
// are discovered by me, Nick N. Repin.
//
// Copyright (c) Nikolay N. Repin (Nick N. Repin), 1998
//----------------------------------------------------------------------------
// Enumeration of all System Tray icons info.
// [This file consist of several modules]
//----------------------------------------------------------------------------

//*********************************************************************
// Part 1. Enumerates all Systray icons info and display icons.
// Injectes itself into the Explorer's address space.
//
// Consist of 2 modules: sh.cpp & shdll.cpp.
//*********************************************************************
/
//----------------------------------------------------------------------------
// File: sh.cpp.
// Compile & link with shdll.dll.
// Run it in window, not in the full-screen mode.
//
// Creates the console, attached to the Explorer.
// The icons info will be printed on this console.
// Icons will be painted on the console window caption
// at 200-pixels offset from the left.
// Console will be automatically destroyed after 10 sec.
//----------------------------------------------------------------------------

#define STRICT
#include <windows.h>
#include <iostream.h>
#include <conio.h>

void _import SetTrayHook();

void main(void)
{
SetTrayHook();

Sleep(15000);

SetTrayHook();
}

//----------------------------------------------------------------------------
// File: shdll.cpp.
// Compile in dll mode.
//----------------------------------------------------------------------------

#define STRICT
#include <windows.h>
#include <commctrl.h>
#include <stdlib.h>

bool IsNT()
{
OSVERSIONINFO v;
v.dwOSVersionInfoSize=sizeof(OSVERSIONINFO);
::GetVersionEx(&v);
return v.dwPlatformId==VER_PLATFORM_WIN32_NT;
}

bool isNT=IsNT();

void _export SetTrayHook();
void enumerateIcons();
void out(char* p=0);
LRESULT CALLBACK MsgProc(int,WPARAM,LPARAM);

HINSTANCE hInstance;
HHOOK hHook=0;
HWND SysTray=0;
HWND NotifyWnd=0;
DWORD dwExplorerThreadId=0,dwExplorerProcessId=0;

char msg[256];
HANDLE hCon=0;
HWND wCon=0;

BOOL WINAPI DllEntryPoint(HINSTANCE hInstDll,DWORD fdwReason,LPVOID)
{
switch(fdwReason) {
case DLL_PROCESS_ATTACH:
hInstance=hInstDll;
break;
case DLL_THREAD_ATTACH:
break;
case DLL_PROCESS_DETACH:
break;
case DLL_THREAD_DETACH:
break;
}
return TRUE;
}

void SetTrayHook()
{
if(hHook==NULL) {
SysTray=FindWindow("Shell_TrayWnd",NULL);
NotifyWnd=FindWindowEx(SysTray,0,"TrayNotifyWnd",0);
dwExplorerThreadId=GetWindowThreadProcessId(SysTray,
&dwExplorerProcessId);
hHook=SetWindowsHookEx(WH_CALLWNDPROC,HOOKPROC(MsgProc),
hInstance,dwExplorerThreadId);
//PostThreadMessage(dwExplorerThreadId,WM_NULL,0,0);
}
else {
UnhookWindowsHookEx(hHook);
hHook=NULL;
}
return;
}

bool isFirst=true;
LRESULT CALLBACK MsgProc(int nCode,WPARAM wParam,LPARAM lParam)
{
if(isFirst) {
isFirst=false;
isNT=IsNT();
SysTray=FindWindow("Shell_TrayWnd",NULL);
NotifyWnd=FindWindowEx(SysTray,0,"TrayNotifyWnd",0);
// To display messages
AllocConsole();
hCon=CreateFile("CONOUT$",GENERIC_READ|GENERIC_WRITE,
FILE_SHARE_READ|FILE_SHARE_WRITE,NULL,OPEN_EXISTING,0,0);
SetConsoleMode(hCon,ENABLE_PROCESSED_OUTPUT|ENABLE_WRAP_AT_EOL_OUTPUT);
CONSOLE_SCREEN_BUFFER_INFO bi;
GetConsoleScreenBufferInfo(hCon,&bi);
bi.dwSize.Y=200;
SetConsoleScreenBufferSize(hCon,bi.dwSize);
SetConsoleTitle("Nick's console");
wCon=FindWindow(0,"Nick's console");
out("We are in the Explorer!\r\n");
wsprintf(msg,"Console wnd=%X\r\n\r\n",wCon);
out();

enumerateIcons();

Sleep(10000); // Wait 10 sec

CloseHandle(hCon);
FreeConsole();
}
return CallNextHookEx(hHook,nCode,wParam,lParam);
}

struct TWIconDataT {
DWORD imageIndex; // image index, -1 if no image in iconList
union {
NOTIFYICONDATAW dw;
NOTIFYICONDATAA da;
};
};

typedef TWIconDataT* pTWIconDataT;

struct TWIconsInfoT {
int Cnt;
pTWIconDataT* iconData;
};

struct TWDataT {
DWORD unknown[7];
TWIconsInfoT* iconsInfo;
HIMAGELIST iconList;
};

typedef pTWIconDataT WINAPI (*COMCTL32_332_T) (TWIconsInfoT* info,int index);
COMCTL32_332_T COMCTL32_332;

void enumerateIcons()
{
// Load useful function
HINSTANCE hLib=LoadLibrary("COMCTL32.DLL");
COMCTL32_332=(COMCTL32_332_T) GetProcAddress(hLib,LPCSTR(332));

TWDataT* twd=(TWDataT*)GetWindowLong(NotifyWnd,0);

wsprintf(msg,"Proc=%X, NotifyWnd=%X, data=%X\r\n",COMCTL32_332,
NotifyWnd,twd);
out();

int cnt=twd->iconsInfo->Cnt; // icons count

if(cnt==0) {
out("No tray icons!\r\n");
return;
}

wsprintf(msg,"Icons count=%d",cnt);
out();

int x=200; // Offset for icon painting

for(int i=cnt-1;i>=0;i--) {
wsprintf(msg,"\r\n\r\n# %d *****************\r\n",i); out();
pTWIconDataT p=COMCTL32_332(twd->iconsInfo,i);
wsprintf(msg,"ImageIndex=%d\r\n",p->imageIndex); out();
wsprintf(msg,"hWnd=%X\r\n",p->dw.hWnd); out();
wsprintf(msg,"uID=%d\r\n",p->dw.uID); out();
wsprintf(msg,"uFlags=%d\r\n",p->dw.uFlags); out();
wsprintf(msg,"uCallbackMessage=%d\r\n",p->dw.uCallbackMessage); out();
wsprintf(msg,"hIcon=%X\r\n",p->dw.hIcon); out();
memset(msg,0,sizeof(msg));
strcpy(msg,"szTip=");
if(isNT)
wcstombs(msg+strlen(msg),p->dw.szTip,sizeof(p->dw.szTip)/2);
else
strcpy(msg+strlen(msg),p->da.szTip);
out();

HICON icon=ImageList_GetIcon(twd->iconList,p->imageIndex,ILD_NORMAL);
wsprintf(msg,"Real icon=%X\r\n",icon);

// Draw icon
HDC dc=GetWindowDC(wCon);
ImageList_Draw(twd->iconList,p->imageIndex,dc,x,4,ILD_NORMAL);
ReleaseDC(wCon,dc);
x+=30;
}
}

void out(char* p)
{
DWORD dwWritten;
if(p) strcpy(msg,p);
WriteConsole(hCon,msg,strlen(msg),&dwWritten,0);
}

//*********************************************************************
// Part 2. Console program to enumerate Systray icons info.
// Windows95/98.
//*********************************************************************

#include <windows.h>
#include <commctrl.h>
#include <iostream.h>
#include <stdlib.h>

struct TWIconDataT {
DWORD internalId; // image index, -1 if no image in iconList
NOTIFYICONDATA d;
};

typedef TWIconDataT* pTWIconDataT;

struct TWIconsInfoT {
int Cnt;
pTWIconDataT* iconData;
};

struct TWDataT {
DWORD unknown[7];
TWIconsInfoT* iconsInfo;
HIMAGELIST iconList;
};

void main(void)
{
InitCommonControls();

HWND stw=FindWindow("Shell_TrayWnd",0);
if(!stw) {
cout<<"System tray not found!"<<endl;
return;
}

HWND tw=FindWindowEx(stw,0,"TrayNotifyWnd",0);
if(!tw) {
cout<<"TrayNotifyWnd not found!"<<endl;
return;
}
TWDataT* twd=(TWDataT*)GetWindowLong(tw,0);
if(!twd) {
cout<<"Cannot get TrayNotifyWnd data! "<<GetLastError()<<endl;
return;
}

// We cannot just read memory of another process

DWORD idExplorer;
GetWindowThreadProcessId(tw,&idExplorer);
HANDLE hExplorer=OpenProcess(PROCESS_VM_READ,FALSE,idExplorer);
if(!hExplorer) {
cout<<"Cannot open Explorer process! "<<GetLastError()<<endl;
return;
}

//Read tray window data
TWDataT data;
BOOL r=ReadProcessMemory(hExplorer,twd,&data,sizeof(data),0);
if(!r) {
cout<<"Cannot read tray window data! "<<GetLastError()<<endl;
return;
}

cout<<"Image list="<<data.iconList<<endl;

// Read icons info
TWIconsInfoT iconsInfo;
r=ReadProcessMemory(hExplorer,data.iconsInfo,&iconsInfo,
sizeof(iconsInfo),0);
if(!r) {
cout<<"Cannot read icons info! "<<GetLastError()<<endl;
return;
}

if(iconsInfo.Cnt==0) {
cout<<"No tray icons!"<<endl;
return;
}
else cout<<"Icons count="<<(iconsInfo.Cnt)<<endl;

// Ok, now read pointers to icons data
pTWIconDataT* ppIconData=new pTWIconDataT[iconsInfo.Cnt];
r=ReadProcessMemory(hExplorer,iconsInfo.iconData,ppIconData,
sizeof(pTWIconDataT)*iconsInfo.Cnt,0);
if(!r) {
cout<<"Cannot read pointers to icons data! "<<GetLastError()<<endl;
return;
}

// Now read icons data itself
pTWIconDataT pIconData=new TWIconDataT[iconsInfo.Cnt];
for(int i=0;i<iconsInfo.Cnt;i++) {
r=ReadProcessMemory(hExplorer,ppIconData[i],pIconData+i,
sizeof(TWIconDataT),0);
if(!r) {
cout<<"Cannot read icon data #"<<i<<"! "<<GetLastError()<<endl;
return;
}
}

delete[] ppIconData;
CloseHandle(hExplorer);

// Now, add points to Nick's account for wasted 4 hour!!

for(int i=iconsInfo.Cnt-1;i>=0;i--) {
cout<<endl<<"# "<<i<<" *****************"<<endl;
cout<<"internalId="<<(pIconData[i].internalId)<<endl;
cout<<"hWnd="<<(pIconData[i].d.hWnd)<<endl;
cout<<"uID="<<(pIconData[i].d.uID)<<endl;
cout<<"uFlags="<<(pIconData[i].d.uFlags)<<endl;
cout<<"uCallbackMessage="<<(pIconData[i].d.uCallbackMessage)<<endl;
cout<<"hIcon="<<(pIconData[i].d.hIcon)<<endl;
cout<<"szTip="<<(pIconData[i].d.szTip)<<endl;
// Will not work
//HICON icon=ImageList_GetIcon(data.iconList,pIconData[i].internalId,
// ILD_NORMAL);
//cout<<"Real icon="<<icon<<endl;
}

delete[] pIconData;
}

//*********************************************************************
// Part 3. Console program to enumerate Systray icons info.
// Windows NT 4.0.
//*********************************************************************

#include <windows.h>
#include <commctrl.h>
#include <iostream.h>
#include <stdlib.h>

struct TWIconDataT {
DWORD internalId; // image index, -1 if no image in iconList
NOTIFYICONDATAW d;
};

typedef TWIconDataT* pTWIconDataT;

struct TWIconsInfoT {
int Cnt;
pTWIconDataT* iconData;
};

struct TWDataT {
DWORD unknown[7];
TWIconsInfoT* iconsInfo;
HIMAGELIST iconList;
};

void main(void)
{
InitCommonControls();

HWND stw=FindWindow("Shell_TrayWnd",0);
if(!stw) {
cout<<"System tray not found!"<<endl;
return;
}

HWND tw=FindWindowEx(stw,0,"TrayNotifyWnd",0);
if(!tw) {
cout<<"TrayNotifyWnd not found!"<<endl;
return;
}
TWDataT* twd=(TWDataT*)GetWindowLong(tw,0);
if(!twd) {
cout<<"Cannot get TrayNotifyWnd data! "<<GetLastError()<<endl;
return;
}

// We cannot just read memory of another process

DWORD idExplorer;
GetWindowThreadProcessId(tw,&idExplorer);
HANDLE hExplorer=OpenProcess(PROCESS_VM_READ,FALSE,idExplorer);
if(!hExplorer) {
cout<<"Cannot open Explorer process! "<<GetLastError()<<endl;
return;
}

//Read tray window data
TWDataT data;
BOOL r=ReadProcessMemory(hExplorer,twd,&data,sizeof(data),0);
if(!r) {
cout<<"Cannot read tray window data! "<<GetLastError()<<endl;
return;
}

cout<<"Image list="<<data.iconList<<endl;

// Read icons info
TWIconsInfoT iconsInfo;
r=ReadProcessMemory(hExplorer,data.iconsInfo,&iconsInfo,
sizeof(iconsInfo),0);
if(!r) {
cout<<"Cannot read icons info! "<<GetLastError()<<endl;
return;
}

if(iconsInfo.Cnt==0) {
cout<<"No tray icons!"<<endl;
return;
}
else cout<<"Icons count="<<(iconsInfo.Cnt)<<endl;

// Ok, now read pointers to icons data
pTWIconDataT* ppIconData=new pTWIconDataT[iconsInfo.Cnt];
r=ReadProcessMemory(hExplorer,iconsInfo.iconData,ppIconData,
sizeof(pTWIconDataT)*iconsInfo.Cnt,0);
if(!r) {
cout<<"Cannot read pointers to icons data! "<<GetLastError()<<endl;
return;
}

// Now read icons data itself
pTWIconDataT pIconData=new TWIconDataT[iconsInfo.Cnt];
for(int i=0;i<iconsInfo.Cnt;i++) {
r=ReadProcessMemory(hExplorer,ppIconData[i],pIconData+i,
sizeof(TWIconDataT),0);
if(!r) {
cout<<"Cannot read icon data #"<<i<<"! "<<GetLastError()<<endl;
return;
}
}

delete[] ppIconData;
CloseHandle(hExplorer);

// Now, add points to Nick's account for wasted 4 hour!!

for(int i=iconsInfo.Cnt-1;i>=0;i--) {
cout<<endl<<"# "<<i<<" *****************"<<endl;
cout<<"internalId="<<(pIconData[i].internalId)<<endl;
cout<<"hWnd="<<(pIconData[i].d.hWnd)<<endl;
cout<<"uID="<<(pIconData[i].d.uID)<<endl;
cout<<"uFlags="<<(pIconData[i].d.uFlags)<<endl;
cout<<"uCallbackMessage="<<(pIconData[i].d.uCallbackMessage)<<endl;
cout<<"hIcon="<<(pIconData[i].d.hIcon)<<endl;
char buf[64];
wcstombs(buf,pIconData[i].d.szTip,sizeof(buf));
cout<<"szTip="<<buf<<endl;
// Will not work
//HICON icon=ImageList_GetIcon(data.iconList,pIconData[i].internalId,
// ILD_NORMAL);
//cout<<"Real icon="<<icon<<endl;
}

delete[] pIconData;
}

//- EOF: shellico.txt ---------------------------------------------------------

//----------------------------------------------------------------------------
// File: shico2k.cpp
//----------------------------------------------------------------------------
// You are allowed to distribute this document unmodified for free,
// without paying me any fee.
// The information in this document is provided AS IS,
// without any warranties or guarantees.
//
// All undocumented Windows features used/described in this document
// are discovered by me, Nick N. Repin.
//
// Copyright (c) Nikolay N. Repin (Nick N. Repin), 1999
//----------------------------------------------------------------------------
//
// Enumerating systray icons for Win2000.
//
//----------------------------------------------------------------------------

#include <windows.h>
#include <commctrl.h>

//******************************************************************
// Note: all the code below must be executed in the context of the
// explorer.exe.
//******************************************************************

typedef struct {
DWORD u1;
HWND hwnd; // Window which handles requests about systray icons,
// may be, it's the handle of "TrayNotifyWnd".
DWORD u2;
HIMAGELIST hIList; // Image list which contains icons itself.
} TrayDataT, *pTrayDataT;

// Same as NOTIFYICONDATA
typedef struct {
HWND hwnd;
UINT uID;
DWORD uCallbackMessage;
DWORD uFlags;
} IconInfoT, *pIconInfoT;

// Structure to pass requests about systray icons.
typedef struct {
DWORD sz;
DWORD dwFlags;
DWORD p2;
int iImage;
DWORD p3;
pIconInfoT pIconInfo;
LPWSTR pTip;
DWORD szTip;
} ControlDataT, *pControlDataT;
//---------------------------------------------------------------------------
// Returns number of icons on systray.
int getIconCount(pTrayDataT pData)
{
return SendMessageW(pData->hwnd,0x418,0,0);
}
//---------------------------------------------------------------------------
// Returns pointer to IconInfoT struct. iIndex is icon index, from zero
// to getIconCount()-1. bFlag must be true.
pIconInfoT getIconInfo(pTrayDataT pData,int iIndex,bool bFlag)
{
ControlDataT s;
s.sz=sizeof(s);
s.dwFlags=bFlag ? 0x80000010 : 0x10;
s.pIconInfo=0;
SendMessageW(pData->hwnd,0x43F,iIndex,LPARAM(&s));
return s.pIconInfo;
}
//---------------------------------------------------------------------------
// Returns index of icon image in the image list.
int getImageIndex(pTrayDataT pData,int iIndex)
{
ControlDataT s;
s.sz=sizeof(s);
s.dwFlags=0x80000001;
SendMessageW(pData->hwnd,0x43F,iIndex,LPARAM(&s));
return s.iImage;
}
//---------------------------------------------------------------------------
// Sets tip for icon.
void setTip(pTrayDataT pData,int iIndex,LPWSTR pTip)
{
ControlDataT s;
s.sz=sizeof(s);
s.dwFlags=0x80000002;
s.pTip=pTip;
s.szTip=MAXDWORD;
SendMessageW(pData->hwnd,0x440,iIndex,LPARAM(&s));
}
//---------------------------------------------------------------------------
// Gets tip for icon.
void getTip(pTrayDataT pData,int iIndex,LPWSTR pTip,DWORD szTip)
{
ControlDataT s;
s.sz=sizeof(s);
s.dwFlags=0x80000002;
s.pTip=pTip;
s.szTip=szTip;
SendMessageW(pData->hwnd,0x43F,iIndex,LPARAM(&s));
}
//---------------------------------------------------------------------------
void enumerate()
{
// As usually.
HWND hTrayNotifyWnd=
FindWindowEx(FindWindow("Shell_TrayWnd",0),0,"TrayNotifyWnd",0);
pTrayDataT pData=(pTrayDataT) GetWindowLong(hTrayNotifyWnd,0);

int cnt=getIconCount(pData);
for(int i=cnt-1;i>=0;i--) {
pIconInfoT pInfo=getIconInfo(pData,i,true);
int imageIndex=getImageIndex(pData,i);
// ImageList_GetIcon(pData->hIList,imageIndex,....)
// getTip(...)
}
}
//---------------------------------------------------------------------------
//- EOF: shico2k.cpp --------------------------------------------------------