findremoteip:根据网络连接信息过滤查找特定远程IP,查询和终止Windows相关进程

stevehe 2022年10月15日 72次浏览

本函数Cygwin下测试通过,MSYS2,WSL1理论上可用(另:WSL2自然是不行),未经过测试!

findremoteip函数代码:

findremoteip() {
	# 根据网络连接的远程主机IP查找Windows相关进程:
	# 目前仅针对IPv4做适配,IPv6暂不考虑
	if [ -z "$1" ]
	then
		echo -e "缺少远程IP!"
		echo -e "\`findremoteip\` 查看连接到指定IP的相关进程:\n"
		echo -e "Example: "
		echo -e "\tfindremoteip *remote~ip [filter~by~process~name] [-v]\n"
		echo -e "Usage: findremoteip 114.114.114.114"
		echo -e "\tfindremoteip 114.114.114.114 ssh  #仅查找该IP的ssh进程,其他进程忽略"
		return 0
	fi
	local remoteIP="$1" && shift
	local psName=""  #用此参数查找进程,当远程IP有多个匹配进程时,用于过滤;
	[ ! -z "$1" ] && [[ ! "${1,,}" == "/v" && ! "${1,,}" == "-v" ]] && psName="$1" && shift
	local netstatInfo=$(cmd /c netstat -ano -p TCP|awk '{if(match($3,/^'"$remoteIP"':/)){print}}')
	echo "$netstatInfo"
	local pids=$(echo "$netstatInfo"|grep 'ESTABLISHED'|awk '{print $NF}'|dos2unix -q)
	if [ -z "$pids" ]
	then
		echo "$remoteIP 地址没有找到相关进程..."
		return 0
	fi
	for pid in $pids; #对多个远程IP关联进程依次处理!
	do
		if [ ! -z "$1" ] && [[ "${1,,}" == "/v" || "${1,,}" == "-v" ]]
		then
			cmd /c tasklist /v|iconv -s -f GBK -t UTF-8|grep $pid
		else
			cmd /c tasklist|grep $pid
		fi
		##查看此进程是否关联Windows服务,如果有,提示是否需要net stop停止服务
		## Also you can use this powershell command:(Get-WmiObject Win32_Service -Filter "ProcessId='$PID'")
		local serviceInfo=$(cmd /c tasklist /svc /NH /FI "PID EQ $pid"|iconv -s -f GBK -t UTF-8|grep -i "$psName")
		[ -z "$serviceInfo" ] && continue
		echo -e "关联服务信息查询:$serviceInfo"
		local serviceName=$(echo "$serviceInfo"|dos2unix -q|sed -r '/^$/!{s/^.*'$pid' //;s/[\t| ]*$//g}'|tr -d '\n')
		if [ ! "$serviceName" = "N/A" -a ! "$serviceName" = "暂缺" ];then	
			read -p ">> 进程发现关联服务,是否需要停止服务 “$serviceName”? yes/no(y/n),默认No: " stopService
			if [[ "${stopService,,}" == "y" || "${stopService,,}" == "yes" ]];then
				echo ">>> Stop Service ..."
				gsudo net stop "$serviceName"
				echo "To check remoteip $remoteIP again ..."
				findremoteip $remoteIP
			fi
		else
			echo "pid为 $pid 的进程未关联服务或服务不是Win32本地系统服务!"
			echo "如:(“Cygwin sshd”是常驻服务,但不是本地服务,是用户登录服务)"
			
			read -p ">> 是否需要终止进程 “PID:$pid”? yes/no(y/n),默认No: " killProcess
			if [[ "${killProcess,,}" == "y" || "${killProcess,,}" == "yes" ]];then
				echo ">>> Kill Process ..."
				gsudo taskkill /F /PID "$pid"
			fi
		fi
	done
}

使用帮助:

image.png

$ findremoteip
缺少远程IP!
`findremoteip` 查看连接到指定IP的相关进程:

Example:
        findremoteip *remote~ip [filter~by~process~name] [-v]

Usage: findremoteip 114.114.114.114
        findremoteip 114.114.114.114 ssh  #仅查找该IP的ssh进程,其他进程忽略

使用效果:

image.png

代码共享:

https://gitee.com/hexiyou/shell-scripts/blob/master/findremoteip.sh