Win2000中用户自定义IP头的实现及OicqSend完整实例源程序

实现自己定义的IP头是一件非常有意义的事情，比如，通过改变IP头里的TOS的优先级和TTL，你可以使自己的数据包有更强的传输能力和寿命，通过修改IP头里的源IP地址就可以隐藏自己机器的IP地址等等。象著名攻击程序“泪滴TearDrop”就是通过故意制造系统不能处理的分片IP包而实现的，还有SYN Flooder和UDP Flooder就是通过产生随机源IP实现欺骗的。

三、实现原理

一般来说，自定义IP头是通过使用socket的库函数setsockopt()的选项IP_HDRINCL来实现的，尽管这在unix和linux平台上很容易实现，但遗憾的是在Windows平台的Winsock1.1和Winsock2.0函数库里setsockopt()不支持IP_HDRINCL选项，所以在Windows 9x/NT里是无法通过Winsock函数库来实现IP头自定义的，当然可以通过编写虚拟设备驱动程序来实现，不过比较复杂，但Windows 2000的出现打破了这种局面，Windows2000的Winsock2.2函数库里全面支持setsockopt()的选项IP_HDRINCL，使得我们轻松就可以实现自定义的IP头。实现方法如下：

SOCKET s;

BOOL bopt;

s=WSASocket(AF_INET, SOCK_RAW, IPPROTO_UDP, NULL, 0, WSA_FLAG_OVERLAPPED);

ret = setsockopt(s, IPPROTO_IP, IP_HDRINCL, (char *)bopt, sizeof(bopt);

四、实例

为帮助大家尽快地学会构造自己的IP头数据，特给出一个完整的实例，例子的功能是：只要给出对方的IP地址，就可以发送给对方的OICQ一个“hello!”消息，并且由于修改了发送数据包的IP头，完全实现了发送方IP地址的隐藏，也就是说稍加修改你就可以制作出一个能够完完全全的匿名OICQ发送器，当然，若是故意捣乱的话，后果自负。源代码如下：
/***********************************************************************/
/* OicqSend.c */
/* 本程序用Visual C++ 6.0编译在Windows 2000 Advanced Server 上调试通过 */
/* Created by janker@371.net 2000.8.28 */
/* 声明：本程序经修改后可能会产生攻击性 擅自修改成攻击程序者后果自负 */
/***********************************************************************/
#pragma pack(1)
#define WIN32_LEAN_AND_MEAN
#include
#include
#include
#include
#include
#define OICQ_MAX_PACKET 1024
#define OICQ_MAX_MSG 512
#define OICQ_MSG_LEN 45
#define SRC_IP "127.0.0.1"
#define SRC_PORT 5277
#define DST_PORT 4000
typedef struct ip_hdr
{
unsigned char ip_verlen;
unsigned char ip_tos;
unsigned short ip_totallength;
unsigned short ip_id;
unsigned short ip_offset;
unsigned char ip_ttl;
unsigned char ip_protocol;
unsigned short ip_checksum;
unsigned int ip_srcaddr;
unsigned int ip_destaddr;
} IP_HDR;
typedef struct udp_hdr
{
unsigned short src_portno;
unsigned short dst_portno;
unsigned short udp_length;
unsigned short udp_checksum;
} UDP_HDR;
char strMessage[OICQ_MSG_LEN] = {
0x02,0x01,0x07,0x00,0x78,0x00,0x00,0x31,0x30,0x30,0x30,0x31,0x1f,0x30,0x1f,
0x30,0x30,0x1f,0x32,0x30,0x30,0x30,0x2d,0x30,0x31,0x2d,0x30,0x31,0x1f,0x30,
0x30,0x3a,0x30,0x30,0x3a,0x30,0x30,0x1f,0x68,0x65,0x6c,0x6c,0x6f,0x21,0x03
};
USHORT checksum(USHORT *buffer, int size)
{
unsigned long cksum=0;
while (size > 1)
{
cksum += *buffer++;
size -= sizeof(USHORT);
}
if (size)
{
cksum += *(UCHAR*)buffer;
}
cksum = (cksum >> 16) + (cksum & 0xffff);
cksum += (cksum >>16);
return (USHORT)(~cksum);
}
int main(int argc, char **argv)
{
WSADATA wsd;
SOCKET s;
BOOL bOpt;
struct sockaddr_in remote;
IP_HDR ipHdr;
UDP_HDR udpHdr;
int ret;
DWORD i;
unsigned short iTotalSize,
iUdpSize,
iUdpChecksumSize,
iIPVersion,
iIPSize,
cksum = 0;
char buf[OICQ_MAX_PACKET],
*ptr = NULL;
printf("Spoof OICQ Msg Sender - by Janker@371.net\n\n");
if(argc!=2) {
printf("usage: OICQSEND Destination_IP_Address");
ExitProcess(1);
}
srand((unsigned)time(NULL));
strMessage[5]=rand();
if (WSAStartup(MAKEWORD(2,2), &wsd) != 0)
{
printf("WSAStartup() failed: %d\n", GetLastError());
return -1;
}
s = WSASocket(AF_INET, SOCK_RAW, IPPROTO_UDP, NULL, 0,0);
if (s == INVALID_SOCKET)
{
printf("WSASocket() failed: %d\n", WSAGetLastError());
return -1;
}
bOpt = TRUE;
ret = setsockopt(s, IPPROTO_IP, IP_HDRINCL, (char *)&bOpt, sizeof(bOpt));
if (ret == SOCKET_ERROR)
{
printf("setsockopt(IP_HDRINCL) failed: %d\n", WSAGetLastError());
return -1;
}
iTotalSize = sizeof(ipHdr) + sizeof(udpHdr) + OICQ_MSG_LEN;
iIPVersion = 4;
iIPSize = sizeof(ipHdr) / sizeof(unsigned long);
ipHdr.ip_verlen = (iIPVersion << 4) | iIPSize;
ipHdr.ip_tos = 0;
ipHdr.ip_totallength = htons(iTotalSize);
ipHdr.ip_id = 0;
ipHdr.ip_offset = 0;
ipHdr.ip_ttl = 128;
ipHdr.ip_protocol = 0x11;
ipHdr.ip_checksum = 0 ;
ipHdr.ip_srcaddr = inet_addr(SRC_IP);
ipHdr.ip_destaddr = inet_addr(argv[1]);
iUdpSize = sizeof(udpHdr) + OICQ_MSG_LEN;
udpHdr.src_portno = htons(SRC_PORT) ;
udpHdr.dst_portno = htons(DST_PORT) ;
udpHdr.udp_length = htons(iUdpSize) ;
udpHdr.udp_checksum = 0 ;
iUdpChecksumSize = 0;
ptr = buf;
ZeroMemory(buf, OICQ_MAX_PACKET);
memcpy(ptr, &ipHdr.ip_srcaddr, sizeof(ipHdr.ip_srcaddr));
ptr += sizeof(ipHdr.ip_srcaddr);
iUdpChecksumSize += sizeof(ipHdr.ip_srcaddr);
memcpy(ptr, &ipHdr.ip_destaddr, sizeof(ipHdr.ip_destaddr));
ptr += sizeof(ipHdr.ip_destaddr);
iUdpChecksumSize += sizeof(ipHdr.ip_destaddr);
ptr++;
iUdpChecksumSize += 1;
memcpy(ptr, &ipHdr.ip_protocol, sizeof(ipHdr.ip_protocol));
ptr += sizeof(ipHdr.ip_protocol);
iUdpChecksumSize += sizeof(ipHdr.ip_protocol);
memcpy(ptr, &udpHdr.udp_length, sizeof(udpHdr.udp_length));
ptr += sizeof(udpHdr.udp_length);
iUdpChecksumSize += sizeof(udpHdr.udp_length);
memcpy(ptr, &udpHdr, sizeof(udpHdr));
ptr += sizeof(udpHdr);
iUdpChecksumSize += sizeof(udpHdr);
for(i = 0; i *ptr = strMessage[i];
iUdpChecksumSize += OICQ_MSG_LEN;
cksum = checksum((USHORT *)buf, iUdpChecksumSize);
udpHdr.udp_checksum = cksum;
ZeroMemory(buf, OICQ_MAX_PACKET);
ptr = buf;
memcpy(ptr, &ipHdr, sizeof(ipHdr)); ptr += sizeof(ipHdr);
memcpy(ptr, &udpHdr, sizeof(udpHdr)); ptr += sizeof(udpHdr);
memcpy(ptr, strMessage, OICQ_MSG_LEN);
remote.sin_family = AF_INET;
remote.sin_port = htons(DST_PORT);
remote.sin_addr.s_addr = inet_addr(argv[1]);
ret = sendto(s, buf, iTotalSize, 0, (SOCKADDR *)&remote, sizeof(remote));
if (ret == SOCKET_ERROR)
printf("sendto() failed: %d\n", WSAGetLastError());
else
printf("Send O.K.!");
closesocket(s) ;
WSACleanup() ;
return 0;
}

请下载完整的源程序和EXE文件压缩包oicqsend.zip

五、后话

本文的实例OICQ数据是本人用Windows 2000的“网络监视器”分析而得，这是一个很好的网络数据包分析工具，希望大家能好好利用。

参考书目：

《Network Programming for Microsoft Windows》 Author: Jim Ohlund，Microsoft Press。