Windows Firewall Blocks Malicious TCP Connections

Close all software (except security software), then capture packets with Wireshark.

Set the display filter to tcp, capture all TCP packets, and export the captured packets as a text file, tcp.txt.

Extract the IP addresses

Remove the header and trailer of the file, then run the following script to obtain the IP addresses.

#cut_file.py
def copy_first_10_chars(input_file, output_file):
    """Copy the start of every line from input_file to output_file.

    Despite the name, 13 characters are kept: enough for a dotted-quad
    IPv4 address plus its trailing whitespace in the exported text.
    """
    with open(input_file, 'r') as file_in:
        with open(output_file, 'w') as file_out:
            for line in file_in:
                first_chars = line[:13]
                file_out.write(first_chars + '\n')

# usage example: input is the exported capture, output is the address list
copy_first_10_chars("tcp.txt", "target.txt")

Run the script with python to get the IP addresses.

Visit a site that offers batch IP lookups

Copy the contents of target.txt into the input box and start the query.

Then use the firewall to block the non-Microsoft network segments.


  • Block both inbound and outbound connections
  • Do not widen a blocked network segment to a /8, otherwise you will easily block legitimate HTTPS traffic as well

View the connections initiated by the software:

  1. With the software closed, save the captured IP addresses as address.txt
  2. Open the software and save address.txt again
  3. Compare the two txt files to get the IP connections initiated by the software

The naive code is as follows; Python is still quite useful here (no comparison plug-in is installed in Code).

def copy_first_10_chars(input_file, output_file):
    # Same helper as in cut_file.py: keep the first 13 characters of each line,
    # which covers a dotted-quad IPv4 address in the exported text.
    with open(input_file, 'r') as file_in:
        with open(output_file, 'w') as file_out:
            for line in file_in:
                file_out.write(line[:13] + '\n')

# usage example
copy_first_10_chars("ip_0.txt", "tar_0.txt")          # capture taken with the software closed
copy_first_10_chars("open_typora.txt", "tar_1.txt")   # capture taken with Typora open

def compare(baseline_file, software_file, out_file):
    """Write to out_file every address in software_file that is absent from baseline_file.

    Those are the connections the software itself opened. Each address is
    written once, in the order it first appears in software_file.
    """
    with open(baseline_file, 'r') as f:
        baseline = {line[:13] for line in f}
    with open(software_file, 'r') as f:
        candidates = [line[:13] for line in f]
    with open(out_file, 'w') as of:
        seen = set()
        for ip in candidates:
            if ip not in baseline and ip not in seen:   # not in the baseline list
                seen.add(ip)
                of.write(ip + '\n')

compare('tar_0.txt', 'tar_1.txt', 'typora.txt')
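As an added example (not code from the original post), here is the same baseline-versus-software comparison done on the raw exported lines with a regex instead of the fixed line[:13] slice, which silently truncates long addresses and drags trailing characters along with short ones. It also collapses the new peers into /24 segments, the granularity the post recommends over /8, and renders a blocking rule for both directions. The two sample captures, their column layout, the local subnet 192.168.1.0/24 and the addresses 13.107.21.200, 198.51.100.x and 203.0.113.x are constructed; the netsh advfirewall command generator is an addition here, not something the post used.

```python
import ipaddress
import re

# Constructed sample of two Wireshark plain-text exports (the column layout is
# an assumption about the export format, not copied from the post).
# BASELINE_CAPTURE: everything else closed. SOFTWARE_OPEN_CAPTURE: the software
# under test running. 198.51.100.x and 203.0.113.x are documentation ranges
# standing in for the software's own servers.
BASELINE_CAPTURE = """\
No.     Time           Source                Destination           Protocol Length Info
      1 0.000000000    192.168.1.10          202.89.233.1          TCP      74     52340 > 443 [SYN]
      2 0.000412000    202.89.233.1          192.168.1.10          TCP      74     443 > 52340 [SYN, ACK]
      3 1.204000000    192.168.1.10          13.107.21.200         TCP      74     52341 > 443 [SYN]
"""
SOFTWARE_OPEN_CAPTURE = """\
No.     Time           Source                Destination           Protocol Length Info
      1 0.000000000    192.168.1.10          202.89.233.1          TCP      74     52350 > 443 [SYN]
      2 0.300000000    192.168.1.10          13.107.21.200         TCP      74     52351 > 443 [SYN]
      3 0.700000000    192.168.1.10          198.51.100.23         TCP      74     52352 > 443 [SYN]
      4 0.900000000    198.51.100.23         192.168.1.10          TCP      74     443 > 52352 [SYN, ACK]
      5 1.100000000    192.168.1.10          198.51.100.77         TCP      74     52353 > 443 [SYN]
      6 1.500000000    192.168.1.10          203.0.113.5           TCP      74     52354 > 80 [SYN]
"""

# Dotted quads anywhere on the line: unlike line[:13] this does not care how
# wide the columns are or how long the address is (1.2.3.4 vs 202.89.233.100).
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Local subnet of the capturing machine (constructed); its addresses are never
# candidates for a firewall block rule.
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")


def remote_peers(capture_text):
    """Return the set of remote IPv4 peers (IPv4Address objects) seen in a capture."""
    peers = set()
    for line in capture_text.splitlines():
        for candidate in IPV4_RE.findall(line):
            try:
                ip = ipaddress.ip_address(candidate)
            except ValueError:
                continue  # the regex also matches junk such as 999.1.1.1
            if ip in LOCAL_NET or ip.is_loopback or ip.is_multicast:
                continue
            peers.add(ip)
    return peers


def new_peers(baseline_text, software_text):
    """Peers that appear only while the software is running, sorted."""
    return sorted(remote_peers(software_text) - remote_peers(baseline_text))


def block_segments(addresses, prefixlen=24):
    """Collapse addresses into /prefixlen networks to block.

    /24 is the default because the post warns that a /8 also hits
    unrelated HTTPS traffic.
    """
    nets = {ipaddress.ip_network((ip, prefixlen), strict=False) for ip in addresses}
    return sorted(nets)


def firewall_commands(networks, rule_name="Block non-Microsoft segments"):
    """Build one netsh advfirewall rule per direction (in and out), matching
    the post's advice to block both. The netsh syntax is a real Windows
    command; this generator is an addition, not something the post used."""
    remoteip = ",".join(str(n) for n in networks)
    return [
        f'netsh advfirewall firewall add rule name="{rule_name}" '
        f"dir={direction} action=block remoteip={remoteip}"
        for direction in ("in", "out")
    ]


if __name__ == "__main__":
    peers = new_peers(BASELINE_CAPTURE, SOFTWARE_OPEN_CAPTURE)
    print("new peers:", [str(p) for p in peers])
    segments = block_segments(peers)
    print("segments:", [str(s) for s in segments])
    for cmd in firewall_commands(segments):
        print(cmd)
```

Run it as-is to see the three new peers, the two /24 segments they fall into, and the two netsh commands. To use it on real exports, read the two text files into BASELINE_CAPTURE and SOFTWARE_OPEN_CAPTURE and adjust LOCAL_NET to your own subnet; the regex does not depend on the export's column widths, so the header and trailer no longer need to be trimmed by hand.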


  • 202.89.233.1 is cn.bing.com
  • 13.107.xxx.xx is www.bing.com
  • Typora seems to be cooperating with MS


Origin blog.csdn.net/shuia64649495/article/details/132341797