拦截 SendARP,伪造对应局域网主机的 MAC 地址

    xiaoxiao2024-04-07  108

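    /*
     * Test driver: calls inithook() (defined outside this listing; presumably
     * it installs the hook described on this page -- confirm), then walks the
     * subnet of the first entry in the IPv4 address table and queries SendARP
     * for each address, printing the MAC address the call reports.
     *
     * argc and argv are unused. Returns 0.
     */
    int _tmain(int argc, _TCHAR* argv[])
    {
        inithook();

        ULONG dwSize = 0;
        MIB_IPADDRTABLE *pIPAddrTable = (MIB_IPADDRTABLE*)malloc(sizeof(MIB_IPADDRTABLE));

        /* The first call is made with dwSize == 0, so it only reports the
         * buffer size that the real query needs. */
        if (pIPAddrTable != NULL &&
            GetIpAddrTable(pIPAddrTable, &dwSize, 0) == ERROR_INSUFFICIENT_BUFFER) {
            free(pIPAddrTable);
            pIPAddrTable = (MIB_IPADDRTABLE*)malloc(dwSize);
        }

        /* Both allocations can fail, and the table can be empty; table[0] is
         * only read once all three conditions hold. */
        if (pIPAddrTable != NULL &&
            GetIpAddrTable(pIPAddrTable, &dwSize, 0) == NO_ERROR &&
            pIPAddrTable->dwNumEntries > 0) {
            const ULONG ulHostIp = ntohl(pIPAddrTable->table[0].dwAddr);
            const ULONG ulHostMask = ntohl(pIPAddrTable->table[0].dwMask);
            const ULONG ulNetwork = ulHostIp & ulHostMask;

            /* i == 0 is the network address itself; the '<' leaves out the
             * all-ones (broadcast) host number. */
            for (ULONG i = 0; i < (~ulHostMask); i++) {
                IPAddr ipAddr = htonl(i + ulNetwork);
                const unsigned char *strIpAddr = (const unsigned char*)(&ipAddr);
                ULONG pulMac[2];
                ULONG ulLen = 6;
                DWORD dwArp; /* return value of SendARP */

                memset(pulMac, 0xff, sizeof(pulMac));
                printf("IP_Address: %d.%d.%d.%d\n", strIpAddr[0], strIpAddr[1], strIpAddr[2], strIpAddr[3]);

                dwArp = SendARP(ipAddr, 0, pulMac, &ulLen);

                /* Check the return code as well as the length: ulLen is preset
                 * to 6 and the buffer to 0xff, so the length alone does not
                 * prove that the call filled in an address. */
                if (dwArp == NO_ERROR && ulLen == 6) {
                    PBYTE pbHexMac = (PBYTE)pulMac; /* PBYTE: pointer to unsigned single-byte values */

                    /* The format string as published had no conversion
                     * specifiers, so the six arguments were ignored and the
                     * literal "X X X X X X" was printed. */
                    printf("SendARP 获取MAC: %02X %02X %02X %02X %02X %02X\n", pbHexMac[0], pbHexMac[1], pbHexMac[2], pbHexMac[3], pbHexMac[4], pbHexMac[5]);
                    getchar(); /* pause after each answering host */
                }
            }
        } else {
            printf("GetAddrTable Failed!");
        }

        printf("Over!");
        free(pIPAddrTable);
        getch();
        return 0;
    }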

    用 HOOK 方式拦截 DeviceIoControl 通信

    /*
     * Fragment from inside the hook; ADR1 is defined outside this excerpt and
     * presumably points at the MAC bytes in the DeviceIoControl buffer -- confirm.
     *
     * Reads the six bytes at ADR1, prints them as the "original MAC", and,
     * unless the first byte is already 0x01, overwrites them with
     * 01 02 03 04 05 06.
     *
     * NOTE(review): the (DWORD) cast keeps only 32 bits; if ADR1 is a pointer
     * in a 64-bit build the address would be truncated -- confirm ADR1's type.
     * NOTE(review): no buffer-length check is visible here before six bytes
     * are read and written.
     * NOTE(review): only the first byte is compared, so a genuine address that
     * starts with 0x01 is left unchanged.
     *
     * Takeaway for code that consumes SendARP: a MAC returned inside a process
     * where a hook like this runs is whatever the hook wrote, so it should not
     * be used on its own as proof of a host's identity.
     */
    if (ADR1 != 0) {
        byte *pMac = (byte*)((DWORD)ADR1);
        const byte mac0 = pMac[0];
        const byte mac1 = pMac[1];
        const byte mac2 = pMac[2];
        const byte mac3 = pMac[3];
        const byte mac4 = pMac[4];
        const byte mac5 = pMac[5];

        printf("IoControlCode 原始MAC:%X.%X.%X.%X.%X.%X \r\n", mac0, mac1, mac2, mac3, mac4, mac5);

        /* A first byte of 0x01 is treated as "already rewritten". */
        if (mac0 != 1) {
            for (int k = 0; k < 6; k++) {
                pMac[k] = (byte)(k + 1);
            }
        }
    }

    也可以屏蔽对指定 IP 的 ARP 请求,具体偏移为 [Buffer]+0x10。这个参数在 NSI.dll 中未公开,是一个结构体,内部有 3 个指针;NSI 内部使用 NsiGet(Set)xxx 来初始化这个结构体。
