Author: Too2y [original] E-mail: Too2y@safechina.net Homepage: www.safechina.net Date: 11-9-2002
Contents: 1) WinPcap driver introduction; 2) packet.dll related data structures and functions; 3) T-ARP features and principles; 4) T-ARP main code analysis; 5) T-ARP source code
1) WinPcap driver introduction
WinPcap (Windows Packet Capture) is a free, public network access system for the Windows platform. The WinPcap project was developed to give Win32 applications access to the lower layers of the network. It provides the following functions: 1> capturing raw datagrams, both those exchanged between other hosts on a shared network and those sent or received by the local host; 2> filtering out particular datagrams according to user-defined rules before they are delivered to the application; 3> sending raw datagrams onto the network; 4> collecting statistics on network traffic.
The main function of WinPcap is to send and receive raw datagrams independently of host protocols such as TCP/IP. In other words, WinPcap cannot block, filter or control the datagrams sent by other applications; it only sees the datagrams transmitted on the shared network. Therefore it cannot be used for QoS scheduling or as a personal firewall.
At present WinPcap is mainly developed for Windows NT/2000/XP, largely because only a small fraction of WinPcap users still run Windows 95/98/Me, and M$ has also given up developing Win9x. Therefore the T-ARP program described in this article is also intended for NT/2000/XP users. In fact the concepts of WinPcap on the 9x systems are very similar to those on NT; the differences are only in some implementation details, for example 9x supports only ANSI encoding while the NT systems recommend Unicode encoding.
This article discusses the functions provided by packet.dll, because they are enough to implement what this article needs. If you have other special or more advanced requirements, WinPcap also provides another dynamic link library, wpcap.dll. Although wpcap.dll depends on packet.dll, it provides a simpler, more direct and more powerful interface that fits the programming environment better. For example, for capturing datagrams, creating a datagram filter or saving captured datagrams to a file, wpcap.dll gives you a safer implementation.
2) packet.dll related data structures and functions
This article is mainly about how to use the WinPcap driver to write an ARP tool, so it is necessary to first introduce some related data structures and functions; otherwise, reading a line of code or a function name, some readers may not know what it means.
First the related data structures:
1. typedef struct _ADAPTER ADAPTER // describes a network adapter;
2. typedef struct _PACKET PACKET // describes a group of network datagrams;
3. typedef struct NetType NetType // describes the network type;
4. typedef struct npf_if_addr npf_if_addr // describes the IP addresses of a network adapter;
5. struct bpf_hdr // datagram (capture record) header;
6. struct bpf_stat // statistics of the datagrams captured so far.
Below are the functions used by T-ARP; they are all defined in packet.dll:
1> LPPACKET PacketAllocatePacket(void) Returns a pointer to a _PACKET structure on success, otherwise NULL. The returned structure is passed to PacketReceivePacket() to receive network datagrams from the driver.
2> VOID PacketCloseAdapter(LPADAPTER lpAdapter) Closes the network adapter given as parameter and releases the associated ADAPTER structure.
3> VOID PacketFreePacket(LPPACKET lpPacket) Releases the _PACKET structure given as parameter.
4> BOOLEAN PacketGetAdapterNames(LPSTR pStr, PULONG BufferSize) Returns the list of available network adapters and their descriptions.
5> BOOLEAN PacketGetNetInfoEx(LPTSTR AdapterNames, npf_if_addr *buff, PLONG NEntries) Returns the complete address information of a network adapter. The npf_if_addr structure contains IPAddress, SubnetMask and Broadcast: IPAddress: the IP address; SubnetMask: the subnet mask; Broadcast: the broadcast address.
6> BOOLEAN PacketGetNetType(LPADAPTER AdapterObject, NetType *type) Returns the MAC (link-layer) type of a network adapter. The NetType structure contains LinkSpeed and LinkType. LinkType can be one of: NdisMedium802_3: Ethernet (802.3); NdisMediumWan: WAN; NdisMedium802_5: Token Ring (802.5); NdisMediumFddi: FDDI; NdisMediumAtm: ATM; NdisMediumArcnet878_2: ARCNET (878.2).
7> BOOLEAN PacketGetStats(LPADAPTER AdapterObject, struct bpf_stat *s) Returns some statistics about the current capture. The bpf_stat structure contains bs_recv, bs_drop, ps_ifdrop and bs_capt. bs_recv: all datagrams received by the network adapter since the capture started, including dropped ones; bs_drop: the number of datagrams dropped. Datagrams are dropped when the driver buffer is already full.
8> PCHAR PacketGetVersion() Returns the version information of the DLL.
9> VOID PacketInitPacket(LPPACKET lpPacket, PVOID Buffer, UINT Length) Initializes a _PACKET structure.
10> LPADAPTER PacketOpenAdapter(LPTSTR AdapterName) Opens a network adapter.
11> BOOLEAN PacketReceivePacket(LPADAPTER AdapterObject, LPPACKET lpPacket, BOOLEAN Sync) Reads network datagrams and statistics from the NPF driver. The received data has the following layout: | bpf_hdr | data | padding | bpf_hdr | data | padding | ...
12> BOOLEAN PacketSendPacket(LPADAPTER AdapterObject, LPPACKET lpPacket, BOOLEAN Sync) Sends one or more copies of a datagram.
13> BOOLEAN PacketSetBuff(LPADAPTER AdapterObject, int dim) Sets the size of the kernel buffer used to capture datagrams.
14> BOOLEAN PacketSetHwFilter(LPADAPTER AdapterObject, ULONG Filter) Sets the hardware filter applied to received datagrams. Some typical filter values: NDIS_PACKET_TYPE_PROMISCUOUS: promiscuous mode, receive all datagrams passing by; NDIS_PACKET_TYPE_DIRECTED: only datagrams whose destination is the local host's network adapter are received; NDIS_PACKET_TYPE_BROADCAST: only broadcast datagrams are received; NDIS_PACKET_TYPE_MULTICAST: only multicast datagrams matching the local host's network adapter are received; NDIS_PACKET_TYPE_ALL_MULTICAST: all multicast datagrams are received; NDIS_PACKET_TYPE_ALL_LOCAL: all local datagrams are received.
15> BOOLEAN PacketSetNumWrites(LPADAPTER AdapterObject, int nwrites) Sets how many copies of a datagram PacketSendPacket() sends.
16> BOOLEAN PacketSetReadTimeout(LPADAPTER AdapterObject, int timeout) Sets the time to wait (the "rest") after receiving a datagram.
The above are the functions called by T-ARP, which cover most of the functions in packet.dll. If you want to learn more about WinPcap, please visit the relevant website; the home page is http://winpcap.polito.it
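The buffer returned by PacketReceivePacket() (item 11 above) is a chain of records, each a bpf_hdr followed by the frame data and padding to the next 4-byte boundary. The walker below, an added example that is not part of T-ARP or WinPcap, shows how such a buffer is stepped through safely: it uses bh_hdrlen and bh_caplen to find the next record and stops at a record that would run past the end, which is the check a reader of this buffer must make. The header layout (18 bytes, little-endian, mirroring the fields of WinPcap's bpf_hdr) and the three sample frames are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Simplified record header. WinPcap's struct bpf_hdr carries bh_tstamp,
 * bh_caplen, bh_datalen and bh_hdrlen; here they are serialised as
 * little-endian fields (8-byte timestamp, two 4-byte lengths, 2-byte
 * header length). This 18-byte layout is an assumption for the example,
 * not the real header definition. */
#define HDR_LEN 18
/* records are padded to a 4-byte boundary, like Packet_WORDALIGN */
#define WORDALIGN(x) (((x) + 3) & ~(size_t)3)

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr32le(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static void wr16le(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Append one captured frame as a record (used only to build sample data).
 * Returns the new buffer length, unchanged if the record does not fit. */
size_t append_record(uint8_t *buf, size_t len, size_t cap, const uint8_t *frame, size_t flen) {
    size_t rec = WORDALIGN(HDR_LEN + flen);
    uint8_t *p = buf + len;
    if (len + rec > cap) return len;
    memset(p, 0, rec);              /* timestamp 0, padding 0 */
    wr32le(p + 8, (uint32_t)flen);  /* bh_caplen */
    wr32le(p + 12, (uint32_t)flen); /* bh_datalen */
    wr16le(p + 16, HDR_LEN);        /* bh_hdrlen */
    memcpy(p + HDR_LEN, frame, flen);
    return len + rec;
}

typedef void (*frame_cb)(const uint8_t *frame, size_t len, void *ctx);

/* Walk the buffer and call cb for each complete record. Stops at the first
 * record whose header or data would run past the end of the buffer. */
int walk_records(const uint8_t *buf, size_t len, frame_cb cb, void *ctx) {
    size_t off = 0;
    int n = 0;
    while (off + HDR_LEN <= len) {
        uint32_t caplen = rd32le(buf + off + 8);
        uint16_t hdrlen = rd16le(buf + off + 16);
        if (hdrlen < HDR_LEN || off + hdrlen > len || caplen > len - off - hdrlen) break;
        if (cb) cb(buf + off + hdrlen, caplen, ctx);
        n++;
        off += WORDALIGN((size_t)hdrlen + caplen);
    }
    return n;
}

/* Callback: count Ethernet frames whose EtherType is ARP (0x0806). */
static void count_arp(const uint8_t *f, size_t len, void *ctx) {
    if (len >= 14 && f[12] == 0x08 && f[13] == 0x06) (*(int *)ctx)++;
}

/* Build a constructed sample buffer (ARP, IPv4, ARP frames) and walk at most
 * `limit` bytes of it. Returns the record count; *arp_count gets the ARP count. */
int scan_sample(size_t limit, int *arp_count) {
    uint8_t arp[42] = {0}, ip[34] = {0};
    uint8_t buf[256];
    size_t len = 0;
    arp[12] = 0x08; arp[13] = 0x06;  /* EtherType ARP */
    ip[12] = 0x08;  ip[13] = 0x00;   /* EtherType IPv4 */
    len = append_record(buf, len, sizeof buf, arp, sizeof arp);  /* 60-byte record */
    len = append_record(buf, len, sizeof buf, ip, sizeof ip);    /* 52-byte record */
    len = append_record(buf, len, sizeof buf, arp, sizeof arp);  /* 60-byte record */
    *arp_count = 0;
    return walk_records(buf, limit < len ? limit : len, count_arp, arp_count);
}

int main(void) {
    int arp = 0;
    int n = scan_sample(1024, &arp);
    printf("full buffer: %d records, %d ARP frames\n", n, arp);
    n = scan_sample(100, &arp);
    printf("buffer cut at 100 bytes: %d records, %d ARP frames\n", n, arp);
    return 0;
}
```

With the whole 172-byte sample the walker reports 3 records and 2 ARP frames; cut at 100 bytes it reports only the first record, because the second record's data would extend past the end, rather than reading beyond the buffer.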
3) T-ARP features and principles
Preparation: 1. install the WinPcap driver; currently the latest version is WinPcap_3.0_alpha and the stable version is WinPcap_2.3; 2. before using ARP spoofing, IP routing must be enabled by modifying (or adding) the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter = 0x1
Options: -m host scan: obtain the IP and MAC addresses of the live hosts in the local area network; -a anti-sniffer scan: obtain the IP and MAC addresses of the hosts in the local area network (or of a specified host) that are sniffing; -s ARP spoof: spoof two specified hosts in the LAN so that the datagrams they exchange pass through the local host; network sniff: if the host to be spoofed is the local host itself, all datagrams passing the local host are monitored; IP conflict: if the two hosts to be spoofed are the same non-local host, an IP conflict attack is launched; -r reset the spoofed hosts so that they return to normal operation.
Principle and implementation: whatever the option, the first step is to obtain the MAC address and related network settings of the local host. We send an ARP Request datagram to the local host with a special IP address (112.12.112.112.112); when the local host receives it, it answers with an ARP Reply datagram, from which we obtain the local host's MAC address. The related network settings are obtained with PacketGetNetInfoEx() and PacketGetNetType().
-m: send a broadcast (FF:FF:FF:FF:FF:FF) ARP Request datagram, carrying the local host's IP and MAC, to every host in the specified IP range; each live host answers the local host with an ARP Reply datagram, so a list of the currently live hosts is obtained. Many gateways restrict ARP Requests: an ARP Request sent from a non-intranet IP is not answered by the gateway, and if you send the ARP Requests using the IP of another host in the intranet and the MAC address filled in does not match that IP, an IP conflict occurs. So it is best to send the requests with your own IP and MAC address.
-a: send an ARP Request datagram with the 31-bit fake broadcast address (FF:FF:FF:FF:FF:FE) to every host in the specified IP range. Hosts that are sniffing answer with an ARP Reply datagram, so a list of the live hosts that are sniffing is obtained. A Win2000 system that is sniffing responds to the 16-bit fake broadcast address (FF:FF:00:00:00:00); Win95/98/Me systems that are sniffing respond not only to the 16-bit fake broadcast address but also to the 8-bit one (FF:00:00:00:00:00), and *NIX systems react differently to the various fake broadcast addresses. Here the 31-bit fake broadcast address is chosen because most systems respond to it while sniffing, whereas under normal conditions none of these systems respond to it.
-s (ARP spoof): it must be emphasised that in some local area networks (such as Ethernet) datagrams are sent and received on the basis of hardware (MAC) addresses; this is the basis of our implementation. First obtain the MAC addresses of the two specified hosts (call them A and B), then send an ARP Reply datagram to A in which the source IP address is B's IP address but the source MAC address is the local host's MAC address. Host A will then take the local host's MAC address as host B's MAC address, so the datagrams A sends to B go to the local host. Similarly, an ARP Reply datagram is sent to host B in which host A's MAC address is given as the local host's MAC address. Hosts A and B both now believe the destination host's MAC address is the local host's MAC address, so the datagrams between them arrive at the local host first, and since IP routing has been enabled on the local host, the system automatically forwards them to their true destination. In this way all the datagrams they exchange can be monitored.
-s (network sniff): if the two specified hosts are both the local host, the network adapter is put into promiscuous mode so that all datagrams passing the local host's network adapter can be monitored.
-s (IP conflict): if the two hosts to be spoofed are the same non-local host (say host C), an ARP Reply datagram is sent to host C in which the source IP address is host C's own IP address but the source MAC address is the local host's MAC address, so host C finds that another host has the same IP as itself; this is the IP conflict attack. A non-XP system pops up an IP conflict prompt window, and XP gives a similar warning. Note, however, that the System Event Viewer on host C records the MAC address of the local host that caused the conflict, so you had better not abuse this feature.
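From the victim's side, both behaviours described above leave a visible trace in ARP traffic: a spoofed ARP Reply changes the MAC address bound to an IP the host already knows, and the IP conflict variant is an ARP message in which a foreign MAC address claims the host's own IP. The watcher below, an added example that is not part of T-ARP, decodes Ethernet/IPv4 ARP bodies (RFC 826) and keeps a table of IP-to-MAC bindings so that either pattern is reported instead of silently accepted; it keeps the old binding rather than overwriting it. The hosts, addresses and the three-step sample exchange are constructed for the example, and the verdict codes are this example's own names.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ARP_OP_REQUEST 1
#define ARP_OP_REPLY   2
#define MAX_ENTRIES    64

/* Decoded Ethernet/IPv4 ARP body: the 28 bytes after the 14-byte Ethernet header. */
typedef struct {
    uint16_t op;
    uint8_t  sha[6];  /* sender hardware address */
    uint32_t spa;     /* sender protocol (IP) address, host order */
    uint8_t  tha[6];  /* target hardware address */
    uint32_t tpa;     /* target protocol address */
} arp_t;

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void put32be(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}

/* Parse an ARP body; returns 0 unless it is Ethernet (htype 1) / IPv4 (ptype 0x0800). */
int parse_arp(const uint8_t *p, size_t len, arp_t *a) {
    if (len < 28) return 0;
    if (be16(p) != 1 || be16(p + 2) != 0x0800 || p[4] != 6 || p[5] != 4) return 0;
    a->op = be16(p + 6);
    memcpy(a->sha, p + 8, 6);  a->spa = be32(p + 14);
    memcpy(a->tha, p + 18, 6); a->tpa = be32(p + 24);
    return 1;
}

/* Build an ARP body; used here only to construct the sample traffic. */
void build_arp(uint8_t out[28], uint16_t op, const uint8_t *sha, uint32_t spa,
               const uint8_t *tha, uint32_t tpa) {
    memset(out, 0, 28);
    out[1] = 1; out[2] = 0x08; out[3] = 0x00; out[4] = 6; out[5] = 4;
    out[6] = (uint8_t)(op >> 8); out[7] = (uint8_t)op;
    memcpy(out + 8, sha, 6);  put32be(out + 14, spa);
    memcpy(out + 18, tha, 6); put32be(out + 24, tpa);
}

typedef struct { uint32_t ip; uint8_t mac[6]; } entry_t;
typedef struct {
    uint32_t own_ip; uint8_t own_mac[6];
    entry_t e[MAX_ENTRIES]; int n;
} arpwatch_t;

/* verdict codes (names chosen for this example) */
enum { ARPW_OK = 0, ARPW_LEARNED = 1, ARPW_MAC_CHANGED = 2, ARPW_IP_CONFLICT = 3, ARPW_MALFORMED = 4 };

void arpwatch_init(arpwatch_t *w, uint32_t own_ip, const uint8_t *own_mac) {
    memset(w, 0, sizeof *w);
    w->own_ip = own_ip;
    memcpy(w->own_mac, own_mac, 6);
}

/* Feed one ARP body. Both requests and replies carry a sender binding, so both
 * are examined; a changed binding or a foreign claim on our own IP is reported
 * and the table is left as it was. */
int arpwatch_observe(arpwatch_t *w, const uint8_t *body, size_t len) {
    arp_t a;
    int i;
    if (!parse_arp(body, len, &a)) return ARPW_MALFORMED;
    if (a.spa == 0) return ARPW_OK;  /* address probe (sender IP 0.0.0.0) carries no binding */
    /* another station announcing our IP with a MAC that is not ours: the IP conflict pattern */
    if (a.spa == w->own_ip && memcmp(a.sha, w->own_mac, 6) != 0) return ARPW_IP_CONFLICT;
    for (i = 0; i < w->n; i++) {
        if (w->e[i].ip == a.spa) {
            if (memcmp(w->e[i].mac, a.sha, 6) == 0) return ARPW_OK;
            return ARPW_MAC_CHANGED;  /* a known IP now claims a different MAC */
        }
    }
    if (w->n < MAX_ENTRIES) {
        w->e[w->n].ip = a.spa;
        memcpy(w->e[w->n].mac, a.sha, 6);
        w->n++;
        return ARPW_LEARNED;
    }
    return ARPW_OK;
}

/* Constructed sample: (1) host B answers us legitimately, (2) a third station
 * claims B's IP, (3) that station claims our own IP. Returns the verdict of step `step`. */
int sample_verdict(int step) {
    static const uint8_t mac_us[6] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55};
    static const uint8_t mac_b[6]  = {0x00, 0xaa, 0xbb, 0xcc, 0xdd, 0x01};
    static const uint8_t mac_x[6]  = {0x00, 0xde, 0xad, 0xbe, 0xef, 0x02};
    const uint32_t ip_us = 0xC0A8010A;  /* 192.168.1.10, constructed */
    const uint32_t ip_b  = 0xC0A80114;  /* 192.168.1.20, constructed */
    uint8_t body[28];
    arpwatch_t w;
    int v = ARPW_OK, s;
    arpwatch_init(&w, ip_us, mac_us);
    for (s = 1; s <= step; s++) {
        if (s == 1)      build_arp(body, ARP_OP_REPLY, mac_b, ip_b, mac_us, ip_us);
        else if (s == 2) build_arp(body, ARP_OP_REPLY, mac_x, ip_b, mac_us, ip_us);
        else             build_arp(body, ARP_OP_REPLY, mac_x, ip_us, mac_us, ip_us);
        v = arpwatch_observe(&w, body, sizeof body);
    }
    return v;
}

int main(void) {
    static const char *names[] = {"ok", "learned", "mac changed", "ip conflict", "malformed"};
    int s;
    for (s = 1; s <= 3; s++) printf("step %d: %s\n", s, names[sample_verdict(s)]);
    return 0;
}
```

The three sample steps yield "learned", "mac changed" and "ip conflict" in turn. In a real deployment the bodies would come from the capture buffer after the 14-byte Ethernet header, and a "mac changed" verdict is worth correlating with the Event Viewer entry the text mentions, since it records the MAC address that issued the conflicting claim.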
-r: while ARP spoofing is in effect, ARP Reply datagrams are sent to hosts A and B telling host A (B) that host B's (A's) MAC address is host B's (A's) own MAC address, so that hosts A and B update their ARP caches and normal communication is restored.
4) T-ARP main code analysis
1> Custom functions:
int GetMine() // sends an ARP Request datagram to obtain the local host's MAC address;
void GetData(LPPACKET lp, int op) // classifies and processes the received datagrams;
DWORD WINAPI Sniff(LPVOID no) // sets the network adapter to promiscuous mode and receives all datagrams passing by;
DWORD WINAPI SendMasR(LPVOID no) // sends ARP Request datagrams requesting the MAC address of a specified IP;
DWORD WINAPI SendSR(LPVOID no) // sends ARP Reply datagrams to carry out ARP spoofing or to update a host's ARP cache.
2> Main code analysis:
printf("\nLibrary version: %s", PacketGetVersion()); // output the DLL version information;
PacketGetAdapterNames(AdapterNames, &AdapterLength); // get the list and descriptions of the local host's network adapters;
lpAdapter = PacketOpenAdapter(AdapterList[open-1]); // open the specified network adapter;
PacketGetNetType(lpAdapter, &ntype); // get the MAC type of the network adapter;
PacketGetNetInfoEx(AdapterList[open-1], &ipbuff, &npflen); // get the address information of the specified network adapter;
rThread = CreateThread(NULL, 0, Sniff, (LPVOID)&opti, 0, &threadRid); // create a new thread to listen for network datagrams;
PacketSetHwFilter(lpAdapter, NDIS_PACKET_TYPE_PROMISCUOUS); // set the adapter to promiscuous mode so that the datagrams passing the local host can be monitored;
PacketSetBuff(lpAdapter, 500*1024); // set the network adapter's kernel buffer to 500*1024 bytes;
PacketSetReadTimeout(lpAdapter, 1); // set the receive timeout to 1 millisecond;
PacketReceivePacket(lpAdapter, lpPacketR, TRUE); // receive all datagrams after switching to promiscuous mode;
sThread = CreateThread(NULL, 0, SendMasR, (LPVOID)&opti, 0, &threadSid);
sThread = CreateThread(NULL, 0, SendSR, (LPVOID)&opti, 0, &threadSid); // create a new thread to send the specific ARP datagrams;
PacketSetNumWrites(lpAdapter, 2); // send each datagram twice;
PacketSendPacket(lpAdapter, lpPacketS, TRUE); // send the custom datagram;
WaitForSingleObject(sThread, INFINITE); // wait for the ARP-sending thread to finish;
PacketGetStats(lpAdapter, &stat); // get the statistics for the network adapter;