判断电脑是否被远程控制需要从多个维度进行检测。以下是详细分析:

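1. 网络连接检测:
```cpp
class NetworkMonitor {
public:
    // Returns TRUE when an ESTABLISHED IPv4 TCP connection to a non-loopback
    // peer uses one of the well-known remote-control ports on either end.
    //
    // Only established sessions count: a LISTEN on 3389 is normal on any host
    // with Remote Desktop enabled and says nothing about whether someone is
    // connected.  The remote port is checked too, because TeamViewer/AnyDesk
    // sessions are outbound connections whose local port is ephemeral.
    //
    // Caveats: port numbers are a weak indicator (any tool or attacker can use
    // a different port), only IPv4 is inspected, and on API/allocation failure
    // FALSE is returned, which is indistinguishable from "nothing found".
    // Declared public so the aggregating detector can call it.
    BOOL CheckSuspiciousPorts() {
        static const int SUSPICIOUS_PORTS[] = {
            3389, // RDP
            5900, // VNC
            5938, // TeamViewer
            7070, // AnyDesk
            4899  // Radmin
        };

        // The table can grow between the sizing call and the real call, so
        // retry a bounded number of times while the buffer is reported too small.
        MIB_TCPTABLE_OWNER_PID* pTcpTable = NULL;
        DWORD dwSize = 0;
        DWORD dwResult = ERROR_INSUFFICIENT_BUFFER;
        for (int attempt = 0; attempt < 3 && dwResult == ERROR_INSUFFICIENT_BUFFER; ++attempt) {
            dwResult = GetExtendedTcpTable(pTcpTable, &dwSize, TRUE, AF_INET, TCP_TABLE_OWNER_PID_ALL, 0);
            if (dwResult != ERROR_INSUFFICIENT_BUFFER) break;
            free(pTcpTable);
            pTcpTable = (MIB_TCPTABLE_OWNER_PID*)malloc(dwSize);
            if (pTcpTable == NULL) return FALSE;   // out of memory: report nothing rather than crash
        }

        BOOL bFound = FALSE;
        if (dwResult == NO_ERROR && pTcpTable != NULL) {
            for (DWORD i = 0; i < pTcpTable->dwNumEntries && !bFound; i++) {
                const MIB_TCPROW_OWNER_PID& row = pTcpTable->table[i];
                if (row.dwState != MIB_TCP_STATE_ESTAB) continue;

                // Ports are stored in network byte order in the low 16 bits.
                const int localPort = ntohs((u_short)row.dwLocalPort);
                const int remotePort = ntohs((u_short)row.dwRemotePort);

                // dwRemoteAddr is network byte order, so the first octet is the
                // low byte on little-endian Windows; 127.x is local software
                // talking to itself and is not a remote peer.
                if ((row.dwRemoteAddr & 0xFF) == 127) continue;

                for (int port : SUSPICIOUS_PORTS) {
                    if (localPort == port || remotePort == port) {
                        bFound = TRUE;
                        break;
                    }
                }
            }
        }
        free(pTcpTable);
        return bFound;
    }
};
```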

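2. 进程监控:
```cpp
class ProcessMonitor {
public:
    // Walks the process list and returns TRUE when any image name is in the
    // remote-control list of CheckSuspiciousProcessName().  Returns FALSE if the
    // snapshot cannot be taken.  Declared public so the aggregator can call it.
    BOOL CheckSuspiciousProcesses() {
        HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        if (hSnapshot == INVALID_HANDLE_VALUE) return FALSE;

        PROCESSENTRY32W pe32;
        pe32.dwSize = sizeof(pe32);   // Process32FirstW rejects the call otherwise
        BOOL bFound = FALSE;
        if (Process32FirstW(hSnapshot, &pe32)) {
            do {
                if (CheckSuspiciousProcessName(pe32.szExeFile)) {
                    bFound = TRUE;
                    break;
                }
            } while (Process32NextW(hSnapshot, &pe32));
        }
        CloseHandle(hSnapshot);
        return bFound;
    }

    // Case-insensitive exact match of an image file name against known
    // remote-control executables.  A NULL name never matches.
    //
    // Caveats:
    //  - Matching by name is trivially evaded by renaming the binary; a hit is a
    //    hint, not proof, and a miss is no evidence at all.
    //  - A hit means the program is running, not that a session is active.
    //  - mstsc.exe is the Remote Desktop *client*: it indicates this machine is
    //    connecting out to another host, not that it is being controlled.
    BOOL CheckSuspiciousProcessName(LPCWSTR processName) {
        static const WCHAR* SUSPICIOUS_PROCESSES[] = {
            L"TeamViewer.exe",
            L"AnyDesk.exe",
            L"vncserver.exe",
            L"radmin.exe",
            L"mstsc.exe"
        };
        if (processName == NULL) return FALSE;
        for (const WCHAR* suspiciousProcess : SUSPICIOUS_PROCESSES) {
            if (_wcsicmp(processName, suspiciousProcess) == 0) return TRUE;
        }
        return FALSE;
    }
};
```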

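3. 系统资源监控:
```cpp
class ResourceMonitor {
public:
    // Bytes per second (in or out, summed over all interfaces) above which the
    // link is considered unusually busy.  The previous version compared the
    // *cumulative* interface octet counters against 1 MB, which is not a rate.
    static const DWORD TRAFFIC_THRESHOLD_BYTES_PER_SEC = 1000000;
    // CPU busy percentage above which load is considered unusual.
    static constexpr double CPU_THRESHOLD_PERCENT = 80.0;

    // Returns TRUE when either the CPU or the network rate is above threshold.
    // Both samplers sleep for one second, so this call takes about two seconds.
    // Previously the two samplers were nested inside this function (not valid
    // C++) and this function returned nothing.
    //
    // Caveat: load is a weak hint at best — screen-sharing tools do use CPU and
    // bandwidth, but so do browsers, updates and backups.
    BOOL CheckAbnormalResourceUsage() {
        return CheckCPUUsage() || CheckNetworkTraffic();
    }

    // Samples "\Processor(_Total)\% Processor Time" over a one-second window.
    // Returns FALSE if any PDH call fails.
    BOOL CheckCPUUsage() {
        PDH_HQUERY cpuQuery = NULL;
        PDH_HCOUNTER cpuTotal = NULL;
        if (PdhOpenQuery(NULL, 0, &cpuQuery) != ERROR_SUCCESS) return FALSE;

        BOOL bHigh = FALSE;
        // Two collections are required: the counter is a rate, so the first
        // sample only establishes a baseline.
        if (PdhAddCounterW(cpuQuery, L"\\Processor(_Total)\\% Processor Time", 0, &cpuTotal) == ERROR_SUCCESS
            && PdhCollectQueryData(cpuQuery) == ERROR_SUCCESS) {
            Sleep(1000);
            PDH_FMT_COUNTERVALUE counterVal;
            if (PdhCollectQueryData(cpuQuery) == ERROR_SUCCESS
                && PdhGetFormattedCounterValue(cpuTotal, PDH_FMT_DOUBLE, NULL, &counterVal) == ERROR_SUCCESS) {
                bHigh = counterVal.doubleValue > CPU_THRESHOLD_PERCENT;
            }
        }
        PdhCloseQuery(cpuQuery);
        return bHigh;
    }

    // Samples the interface octet counters twice, one second apart, and sums the
    // per-interface deltas.  The previous version called GetIfEntry with an
    // uninitialised dwIndex.  Per-interface DWORD subtraction absorbs the 32-bit
    // counter wrap; interfaces that appear or vanish between samples are
    // skipped.  Loopback traffic is included in the sum.
    BOOL CheckNetworkTraffic() {
        MIB_IFTABLE* before = ReadIfTable();
        if (before == NULL) return FALSE;
        Sleep(1000);
        MIB_IFTABLE* after = ReadIfTable();

        ULONGLONG inBytes = 0;
        ULONGLONG outBytes = 0;
        if (after != NULL) {
            for (DWORD i = 0; i < after->dwNumEntries; i++) {
                const MIB_IFROW& now = after->table[i];
                for (DWORD j = 0; j < before->dwNumEntries; j++) {
                    const MIB_IFROW& earlier = before->table[j];
                    if (earlier.dwIndex != now.dwIndex) continue;
                    inBytes += (DWORD)(now.dwInOctets - earlier.dwInOctets);
                    outBytes += (DWORD)(now.dwOutOctets - earlier.dwOutOctets);
                    break;
                }
            }
        }
        free(before);
        free(after);
        return inBytes > TRAFFIC_THRESHOLD_BYTES_PER_SEC || outBytes > TRAFFIC_THRESHOLD_BYTES_PER_SEC;
    }

private:
    // Fetches the whole interface table; the caller frees it.  NULL on failure.
    static MIB_IFTABLE* ReadIfTable() {
        MIB_IFTABLE* table = NULL;
        DWORD size = 0;
        DWORD result = GetIfTable(NULL, &size, FALSE);
        // Retry: the table may grow between the sizing call and the fetch.
        for (int attempt = 0; attempt < 2 && result == ERROR_INSUFFICIENT_BUFFER; ++attempt) {
            free(table);
            table = (MIB_IFTABLE*)malloc(size);
            if (table == NULL) return NULL;
            result = GetIfTable(table, &size, FALSE);
        }
        if (result != NO_ERROR) {
            free(table);
            return NULL;
        }
        return table;
    }
};
```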

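4. 注册表检查:
```cpp
class RegistryMonitor {
public:
    // Returns TRUE when an install key of a known remote-control product exists
    // under HKLM\SOFTWARE.  Both the 64-bit and the 32-bit (WOW6432Node) views
    // are queried explicitly, so a 32-bit build of this code is not silently
    // redirected away from 64-bit installs.  ERROR_ACCESS_DENIED is treated as
    // "exists": the key is there, we merely cannot read it.
    //
    // Caveats: an install key proves the product is (or was) installed, not
    // that a session is active; a legitimately installed product matches too;
    // portable/renamed builds and per-user (HKCU) installs leave nothing here.
    // Declared public so the aggregator can call it.
    BOOL CheckSuspiciousRegistry() {
        static const WCHAR* SUSPICIOUS_KEYS[] = {
            L"SOFTWARE\\TeamViewer",
            L"SOFTWARE\\AnyDesk",
            L"SOFTWARE\\RealVNC",
            L"SOFTWARE\\TightVNC",
            L"SOFTWARE\\Radmin"
        };
        static const REGSAM VIEWS[] = { KEY_WOW64_64KEY, KEY_WOW64_32KEY };

        for (const WCHAR* keyPath : SUSPICIOUS_KEYS) {
            for (REGSAM view : VIEWS) {
                HKEY hKey = NULL;
                const LONG rc = RegOpenKeyExW(HKEY_LOCAL_MACHINE, keyPath, 0, KEY_READ | view, &hKey);
                if (rc == ERROR_SUCCESS) {
                    RegCloseKey(hKey);
                    return TRUE;
                }
                if (rc == ERROR_ACCESS_DENIED) return TRUE;
                // ERROR_FILE_NOT_FOUND (or any other error): keep looking.
            }
        }
        return FALSE;
    }
};
```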

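5. 服务检查:
```cpp
class ServiceMonitor {
public:
    // Enumerates running Win32 services and returns TRUE when any service name
    // is matched by CheckSuspiciousServiceName().  Returns FALSE when the SCM
    // cannot be opened or memory runs out.
    //
    // SERVICE_ACTIVE restricts the scan to services that are currently running,
    // so an installed-but-stopped remote-access service is not reported.
    // The previous version never checked malloc and could not cope with the
    // service list changing between the sizing call and the real call; this
    // one grows the buffer and resumes on ERROR_MORE_DATA.
    BOOL CheckRemoteServices() {
        SC_HANDLE hSCM = OpenSCManager(NULL, NULL, SC_MANAGER_ENUMERATE_SERVICE);
        if (!hSCM) return FALSE;

        BOOL bResult = FALSE;
        ENUM_SERVICE_STATUSW* lpServices = NULL;
        DWORD dwBufSize = 0;
        DWORD dwResumeHandle = 0;   // must be 0 on the first call; the API advances it on ERROR_MORE_DATA
        for (;;) {
            DWORD dwBytesNeeded = 0;
            DWORD dwServicesReturned = 0;
            const BOOL ok = EnumServicesStatusW(hSCM, SERVICE_WIN32, SERVICE_ACTIVE, lpServices, dwBufSize,
                                                &dwBytesNeeded, &dwServicesReturned, &dwResumeHandle);
            const DWORD err = ok ? ERROR_SUCCESS : GetLastError();

            // Entries returned so far are valid even when the call reports ERROR_MORE_DATA.
            for (DWORD i = 0; i < dwServicesReturned && !bResult; i++) {
                if (CheckSuspiciousServiceName(lpServices[i].lpServiceName)) bResult = TRUE;
            }
            if (bResult || ok) break;
            if (err != ERROR_MORE_DATA || dwBytesNeeded == 0) break;   // real failure: report what we have

            // Buffer too small: grow to what the API asked for and continue from dwResumeHandle.
            free(lpServices);
            dwBufSize = dwBytesNeeded;
            lpServices = (ENUM_SERVICE_STATUSW*)malloc(dwBufSize);
            if (lpServices == NULL) break;
        }
        free(lpServices);
        CloseServiceHandle(hSCM);
        return bResult;
    }

    // Name-based classification of a running service.  Its implementation is
    // not shown on this page; the caller above requires one to be supplied.
    BOOL CheckSuspiciousServiceName(LPCWSTR serviceName);
};
```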

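6. 事件日志分析:
```cpp
class EventLogMonitor {
public:
    // Scans the newest `maxRecords` Security-log records (default 500) and
    // returns TRUE when a successful logon (4624) with logon type 10
    // (RemoteInteractive, i.e. an RDP / Terminal Services session) is found.
    //
    // Fixes relative to the previous version: every interactive logon is a 4624
    // and every mistyped password is a 4625, so flagging either unconditionally
    // fires on essentially every machine; EventID carries facility/severity
    // bits in its high word and must be masked; ReadEventLog needs separate
    // "bytes read" and "bytes needed" outputs; a zero or oversized Length no
    // longer loops forever or runs off the buffer.
    //
    // Reading the Security log requires administrative rights
    // (SeSecurityPrivilege); without them OpenEventLog fails and FALSE is
    // returned, which the caller cannot distinguish from "nothing found".
    // A `maxRecords` of 0 scans nothing and returns FALSE.
    BOOL CheckSuspiciousEvents(DWORD maxRecords = 500) {
        HANDLE hEventLog = OpenEventLogW(NULL, L"Security");
        if (hEventLog == NULL) return FALSE;

        const DWORD dwReadFlags = EVENTLOG_BACKWARDS_READ | EVENTLOG_SEQUENTIAL_READ;  // newest first
        BYTE* pBuffer = NULL;
        DWORD dwBufferSize = 0;
        DWORD scanned = 0;
        BOOL bResult = FALSE;

        while (!bResult && scanned < maxRecords) {
            DWORD dwBytesRead = 0;
            DWORD dwBytesNeeded = 0;
            if (!ReadEventLogW(hEventLog, dwReadFlags, 0, pBuffer, dwBufferSize, &dwBytesRead, &dwBytesNeeded)) {
                // ERROR_HANDLE_EOF means the log is exhausted; anything but
                // "buffer too small" ends the scan.
                if (GetLastError() != ERROR_INSUFFICIENT_BUFFER) break;
                BYTE* pGrown = (BYTE*)realloc(pBuffer, dwBytesNeeded);
                if (pGrown == NULL) break;
                pBuffer = pGrown;
                dwBufferSize = dwBytesNeeded;
                continue;
            }

            // Walk the records in the buffer; each is self-describing via Length.
            DWORD offset = 0;
            while (!bResult && scanned < maxRecords && offset + sizeof(EVENTLOGRECORD) <= dwBytesRead) {
                const EVENTLOGRECORD* pEvent = (const EVENTLOGRECORD*)(pBuffer + offset);
                if (pEvent->Length < sizeof(EVENTLOGRECORD) || pEvent->Length > dwBytesRead - offset) break;
                ++scanned;
                if ((pEvent->EventID & 0xFFFF) == 4624 && IsRemoteInteractiveLogon(pEvent)) bResult = TRUE;
                offset += pEvent->Length;
            }
        }

        free(pBuffer);
        CloseEventLog(hEventLog);
        return bResult;
    }

private:
    // For a 4624 record, reads the LogonType insertion string and returns TRUE
    // when it is "10" (RemoteInteractive).  LogonType is the 9th string
    // (index 8) of the 4624 message template — confirm against the target OS
    // if that template ever changes.  Every string is bounds-checked against
    // the record so a malformed record cannot be read past.
    static BOOL IsRemoteInteractiveLogon(const EVENTLOGRECORD* pEvent) {
        const DWORD kLogonTypeIndex = 8;
        if (pEvent->NumStrings <= kLogonTypeIndex || pEvent->StringOffset >= pEvent->Length) return FALSE;

        const BYTE* pCursor = (const BYTE*)pEvent + pEvent->StringOffset;
        const BYTE* pEnd = (const BYTE*)pEvent + pEvent->Length;
        for (DWORD i = 0; i < pEvent->NumStrings; i++) {
            const WCHAR* pStr = (const WCHAR*)pCursor;
            size_t len = 0;
            while ((size_t)(pEnd - pCursor) >= (len + 1) * sizeof(WCHAR) && pStr[len] != L'\0') ++len;
            if ((size_t)(pEnd - pCursor) < (len + 1) * sizeof(WCHAR)) return FALSE;   // unterminated: malformed
            if (i == kLogonTypeIndex) return wcscmp(pStr, L"10") == 0;
            pCursor += (len + 1) * sizeof(WCHAR);
        }
        return FALSE;
    }
};
```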

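7. 防火墙日志检查:
```cpp
class FirewallMonitor {
public:
    // Scans the Windows Firewall log and returns TRUE on the first entry whose
    // destination port is a well-known remote-control port.
    //
    // Fixes relative to the previous version: the 4 KB read buffer was passed
    // to strstr without a terminator (reads past the buffer), matches could
    // straddle chunk boundaries, and "3389" matched by substring inside any
    // timestamp, byte count or port such as 33890.  The file is now parsed line
    // by line and ports are compared as whole fields.  The dst-port column is
    // taken from the log's own "#Fields:" header; until a header has been seen,
    // any whole field equal to a listed port counts.
    //
    // Caveats: firewall logging is off by default and the path is configurable,
    // so a missing file yields FALSE; the log shows what the firewall saw, not
    // whether a session is active; lines longer than the line buffer are
    // truncated.  Declared public so the aggregator can call it.
    BOOL CheckFirewallLogs() {
        WCHAR path[MAX_PATH];
        if (ExpandEnvironmentStringsW(L"%SystemRoot%\\System32\\LogFiles\\Firewall\\pfirewall.log", path, MAX_PATH) == 0) {
            return FALSE;
        }
        // FILE_SHARE_WRITE is needed: the firewall service keeps the log open for writing.
        HANDLE hFile = CreateFileW(path, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                                   OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if (hFile == INVALID_HANDLE_VALUE) return FALSE;

        char chunk[4096];
        char line[1024];
        size_t lineLen = 0;
        int dstPortField = -1;   // resolved from the "#Fields:" header line
        DWORD bytesRead = 0;
        BOOL bResult = FALSE;
        while (!bResult && ReadFile(hFile, chunk, sizeof(chunk), &bytesRead, NULL) && bytesRead > 0) {
            for (DWORD i = 0; i < bytesRead && !bResult; i++) {
                const char c = chunk[i];
                if (c == '\n') {
                    line[lineLen] = '\0';
                    bResult = InspectLine(line, dstPortField);
                    lineLen = 0;
                } else if (c != '\r' && lineLen + 1 < sizeof(line)) {
                    line[lineLen++] = c;
                }
            }
        }
        if (!bResult && lineLen > 0) {   // final line without a trailing newline
            line[lineLen] = '\0';
            bResult = InspectLine(line, dstPortField);
        }
        CloseHandle(hFile);
        return bResult;
    }

private:
    // Processes one log line.  A "#Fields:" header updates dstPortField; other
    // comment lines are ignored; data lines are split on blanks and the
    // dst-port field (or every field, while the column is unknown) is compared
    // against the port list as a whole token.
    static BOOL InspectLine(const char* line, int& dstPortField) {
        static const char* SUSPICIOUS_PORTS[] = { "3389", "5900", "5938" };   // RDP, VNC, TeamViewer
        static const char kFieldsPrefix[] = "#Fields:";
        const size_t kPrefixLen = sizeof(kFieldsPrefix) - 1;
        const bool isHeader = strncmp(line, kFieldsPrefix, kPrefixLen) == 0;
        if (line[0] == '#' && !isHeader) return FALSE;

        const char* p = isHeader ? line + kPrefixLen : line;
        int field = 0;
        while (*p != '\0') {
            while (*p == ' ' || *p == '\t') ++p;
            if (*p == '\0') break;
            const char* tokStart = p;
            while (*p != '\0' && *p != ' ' && *p != '\t') ++p;
            const size_t tokLen = (size_t)(p - tokStart);

            if (isHeader) {
                if (tokLen == 8 && strncmp(tokStart, "dst-port", 8) == 0) dstPortField = field;
            } else if (dstPortField < 0 || field == dstPortField) {
                for (const char* port : SUSPICIOUS_PORTS) {
                    if (strlen(port) == tokLen && strncmp(tokStart, port, tokLen) == 0) return TRUE;
                }
            }
            ++field;
        }
        return FALSE;
    }
};
```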

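8. 综合检测:
```cpp
class RemoteControlDetector {
public:
    // Runs every detector and returns TRUE when at least `threshold` of them
    // report something.  The threshold is a parameter (default 3, the previous
    // hard-coded value) so it can be tuned per environment without editing code.
    //
    // The indicators are far from independent: a single legitimately installed
    // TeamViewer or AnyDesk trips the process, service and registry checks at
    // once and reaches the default threshold on its own, so TRUE is a reason to
    // look closer, not a verdict.  Each detector also returns FALSE on
    // permission or API failure, which is indistinguishable from "clean".
    // The resource check sleeps while sampling, so this call is not instant.
    BOOL IsRemotelyControlled(int threshold = 3) {
        NetworkMonitor netMon;
        ProcessMonitor procMon;
        ResourceMonitor resMon;
        RegistryMonitor regMon;
        ServiceMonitor svcMon;
        EventLogMonitor evtMon;
        FirewallMonitor fwMon;

        int suspiciousCount = 0;
        if (netMon.CheckSuspiciousPorts())        suspiciousCount++;
        if (procMon.CheckSuspiciousProcesses())   suspiciousCount++;
        if (resMon.CheckAbnormalResourceUsage())  suspiciousCount++;
        if (regMon.CheckSuspiciousRegistry())     suspiciousCount++;
        if (svcMon.CheckRemoteServices())         suspiciousCount++;
        if (evtMon.CheckSuspiciousEvents())       suspiciousCount++;
        if (fwMon.CheckFirewallLogs())            suspiciousCount++;

        return suspiciousCount >= threshold;
    }
};
```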

关键检测点:

1. 网络层面: - 可疑端口 - 异常连接 - 流量分析

2. 系统层面: - 进程检查 - 服务检查 - 注册表检查

3. 资源层面: - CPU使用率 - 内存使用 - 网络流量

4. 日志层面: - 系统日志 - 安全日志 - 防火墙日志

5. 最佳实践: - 多维度检测 - 实时监控 - 阈值调整 - 误报处理

这些检测方法可以: 1. 及时发现远程控制 2. 减少误报 3. 提供详细信息 4. 支持实时监控 5. 便于维护和扩展。需要注意: 端口、进程名、注册表项等都只是启发式指标, 合法安装的远程软件同样会命中, 攻击者也可以通过改名、换端口、使用自研工具来规避; 多个指标之间并不独立(同一个已安装的 TeamViewer 会同时触发进程、服务和注册表检查), 而读取安全日志等检查在权限不足时会静默返回"未发现"。因此综合判定结果应作为进一步排查的线索, 而不是结论。
