I am trying to get the PID of the process making local connections to a local HTTP server, from inside the server. E.g.: Chrome -> HTTP request -> httpServer:8080. So from the httpServer I can know which process is making the connection, in this case Chrome.
I can query all the TCP connections using GetExtendedTcpTable with TCP_TABLE_OWNER_MODULE_ALL, then check each row against the condition below and use row->dwOwningPid:
8080 == ntohs(row->dwRemotePort) &&
row->dwLocalAddr == inet_addr("127.0.0.1") &&
row->dwRemoteAddr == inet_addr("127.0.0.1")
The problem seems to be that, because I have an AV installed that is intercepting my traffic, I am getting the PID of the AV, not the original app that started the connection.
chrome -> av wfp -> httpserver
Without adding exclusions to the AV, is there a way I can retrieve the PID of the original process that started the request, not a forwarder like an AV network filter?
Thanks in advance.
Answering my own question:
Chrome -> AV -> WFP
If AV (Xport) -> (Yport) WFP
Usually:
Chrome (Xport - 1) -> WFP.
That worked for me.
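The lookup from the question and the "local port minus one" step from the answer, as an added example that is not code from the original question or answer. The table walk (both ends 127.0.0.1, remote port equal to the server port) is kept separate from the GetExtendedTcpTable call so it can be exercised on constructed rows; the Win32 snapshot compiles only under _WIN32 and needs iphlpapi.lib. The sample rows, the PIDs in them, and the destination port the browser's redirected socket shows (9999) are all assumptions, and the port-minus-one rule is the answerer's empirical observation, not a documented WFP property:

```c
/* Added example: find the PID owning the client end of a loopback TCP connection
 * with GetExtendedTcpTable, then apply the answer's "local port - 1" heuristic to
 * step past an AV forwarder. Pure table logic runs anywhere; the Win32 snapshot
 * is Windows-only. Sample rows and PIDs below are constructed, not real. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#ifdef _WIN32
#include <winsock2.h>
#include <ws2tcpip.h>
#include <iphlpapi.h>
#pragma comment(lib, "iphlpapi.lib")
#pragma comment(lib, "ws2_32.lib")
#else
#include <arpa/inet.h>   /* htonl/htons/ntohs and INADDR_LOOPBACK off Windows */
#endif

/* One TCP table row. Addresses and ports are kept in network byte order, as
 * MIB_TCPROW_OWNER_MODULE delivers them (ports in the low 16 bits of a DWORD). */
typedef struct {
    uint32_t local_addr, local_port, remote_addr, remote_port, owning_pid;
} tcp_row;

/* Build a row from host-order values (helper for the constructed sample). */
static tcp_row make_row(uint32_t la, uint16_t lp, uint32_t ra, uint16_t rp, uint32_t pid)
{
    tcp_row r = { htonl(la), htons(lp), htonl(ra), htons(rp), pid };
    return r;
}

/* The question's filter: both ends 127.0.0.1 and remote port == server port.
 * That selects the client's socket; the server's accepted socket has the server
 * port as its local port and is skipped. Returns the owning PID and the client's
 * local port (host order), or 0 when no row matches. */
uint32_t find_client_pid(const tcp_row *rows, size_t n, uint16_t server_port, uint16_t *client_port)
{
    const uint32_t lo = htonl(INADDR_LOOPBACK);
    for (size_t i = 0; i < n; i++) {
        if (rows[i].local_addr == lo && rows[i].remote_addr == lo &&
            ntohs((uint16_t)rows[i].remote_port) == server_port) {
            if (client_port) *client_port = ntohs((uint16_t)rows[i].local_port);
            return rows[i].owning_pid;
        }
    }
    return 0;
}

/* The answer's heuristic: if the matched client is a forwarder (the AV) at local
 * port X, the originating process usually sits at local port X-1 on loopback.
 * Empirical, per the answer; returns 0 if no other process owns that port. */
uint32_t find_origin_behind_forwarder(const tcp_row *rows, size_t n, uint16_t fwd_port, uint32_t fwd_pid)
{
    const uint32_t lo = htonl(INADDR_LOOPBACK);
    if (fwd_port == 0) return 0;
    for (size_t i = 0; i < n; i++) {
        if (rows[i].local_addr == lo && rows[i].owning_pid != fwd_pid &&
            ntohs((uint16_t)rows[i].local_port) == fwd_port - 1)
            return rows[i].owning_pid;
    }
    return 0;
}

/* Constructed sample: row 0 is the server's accepted socket, row 1 the AV
 * forwarder's client socket, row 2 the browser's original socket (its redirected
 * destination port 9999 is assumed), row 3 an unrelated non-loopback connection. */
const tcp_row *sample_table(size_t *n)
{
    static tcp_row rows[4];
    rows[0] = make_row(INADDR_LOOPBACK, 8080,  INADDR_LOOPBACK, 50001, 1111); /* httpServer */
    rows[1] = make_row(INADDR_LOOPBACK, 50001, INADDR_LOOPBACK, 8080,  3333); /* AV forwarder */
    rows[2] = make_row(INADDR_LOOPBACK, 50000, INADDR_LOOPBACK, 9999,  2222); /* Chrome */
    rows[3] = make_row(0x0A000001,      50002, 0x0A000002,      443,   4444); /* 10.0.0.1 -> 10.0.0.2 */
    *n = 4;
    return rows;
}

#ifdef _WIN32
/* Snapshot the live table into tcp_row form. The first call with a NULL buffer
 * fails with ERROR_INSUFFICIENT_BUFFER and reports the size needed. */
size_t snapshot_tcp_table(tcp_row **out)
{
    DWORD size = 0;
    if (GetExtendedTcpTable(NULL, &size, FALSE, AF_INET, TCP_TABLE_OWNER_MODULE_ALL, 0) != ERROR_INSUFFICIENT_BUFFER)
        return 0;
    PMIB_TCPTABLE_OWNER_MODULE tbl = (PMIB_TCPTABLE_OWNER_MODULE)malloc(size);
    if (!tbl || GetExtendedTcpTable(tbl, &size, FALSE, AF_INET, TCP_TABLE_OWNER_MODULE_ALL, 0) != NO_ERROR) {
        free(tbl);
        return 0;
    }
    tcp_row *rows = (tcp_row *)calloc(tbl->dwNumEntries, sizeof *rows);
    size_t n = rows ? tbl->dwNumEntries : 0;
    for (size_t i = 0; i < n; i++) {
        rows[i].local_addr  = tbl->table[i].dwLocalAddr;
        rows[i].local_port  = tbl->table[i].dwLocalPort;
        rows[i].remote_addr = tbl->table[i].dwRemoteAddr;
        rows[i].remote_port = tbl->table[i].dwRemotePort;
        rows[i].owning_pid  = tbl->table[i].dwOwningPid;
    }
    free(tbl);
    *out = rows;
    return n;
}
#endif

int main(void)
{
    size_t n = 0;
    tcp_row *live = NULL;
    const tcp_row *rows;
#ifdef _WIN32
    n = snapshot_tcp_table(&live);   /* real table on Windows */
    rows = live;
#else
    rows = sample_table(&n);         /* constructed sample elsewhere */
#endif
    uint16_t port = 0;
    uint32_t pid = find_client_pid(rows, n, 8080, &port);
    printf("client of :8080 -> pid %u (local port %u)\n", pid, port);
    if (pid)
        printf("port %u-1 heuristic -> pid %u\n", port, find_origin_behind_forwarder(rows, n, port, pid));
    free(live);
    return 0;
}
```

On the constructed sample the plain filter returns the forwarder's PID (3333), which is exactly the symptom in the question; the second lookup then returns the browser's PID (2222) from the row at port 50000. Treat the second result as a hint rather than proof: a different AV, or two clients connecting back to back, can break the port adjacency the answer relies on, so check the candidate's executable before acting on it.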