VB6中使用Winsock穿越各種代理的實(shí)現(xiàn).doc

VB6中使用Winsock穿越各種代理的實(shí)現(xiàn)原文標(biāo)題：VB6 中 使用Winsock穿越各種代理的實(shí)現(xiàn)(TCP協(xié)議)本文中引用的RFC文檔內(nèi)容歸原作者所有轉(zhuǎn)載本文請(qǐng)標(biāo)明出處本文作者:吳滂關(guān)于用vb的winsock穿透代理的討論歸討論,一直沒有什么源代碼放出,現(xiàn)在我就放源出來,省的某些人拿這所謂的技術(shù)去騙錢.由于缺乏測(cè)試環(huán)境,本程序只在我自己編寫的代理模擬器上測(cè)試過,其結(jié)果和騰訊QQ,MSN,網(wǎng)易泡泡穿越該模擬器時(shí)得出的結(jié)果基本一致.因此,代碼可能有錯(cuò)誤的地方,請(qǐng)各位有條件的用戶自行改正,請(qǐng)見諒!首先,是基礎(chǔ)知識(shí),也就是RFC文檔.這個(gè)是必看內(nèi)容.我的程序就是基于這些文檔寫出.下面是各RFC的連接,為了準(zhǔn)確,我先提供英文版的連接,在下面的介紹中再把關(guān)鍵部分翻譯成中文.另外,要糾正一個(gè)錯(cuò)誤.國(guó)內(nèi)很多文章說socks5代理的用戶名/密碼校驗(yàn)標(biāo)準(zhǔn)在 RFC 1928里有說明,其實(shí)這是一個(gè)完全錯(cuò)誤的說法(我很懷疑寫那文章的人有沒有看過RFC),socks5用戶名/密碼校驗(yàn)標(biāo)準(zhǔn)其實(shí)是在 RFC 1929 里面說明的.RFC 1928 - socks5 代理標(biāo)準(zhǔn)RFC 1929 - socks5 代理用戶名/密碼校驗(yàn)標(biāo)準(zhǔn)RFC ? - socks4 代理標(biāo)準(zhǔn)RFC 2616 - HTTP1.1 標(biāo)準(zhǔn)我們現(xiàn)在直入正題:先說socks5的TCP穿透(有了這個(gè)例子大家自己照這可以寫UDP穿透)首先和代理服務(wù)器連接-直接用winsock去connect指定的地址端口(通常是1080)即可.然后進(jìn)入細(xì)節(jié)商議階段.細(xì)節(jié)商議-無用戶名/密碼校驗(yàn)RFC 1928 中對(duì)于細(xì)節(jié)商議的第一步是這樣描述的:The client connects to the server, and sends a versionidentifier/method selection message:+-+-+-+|VER | NMETHODS | METHODS |+-+-+-+| 1 | 1 | 1 to 255 |+-+-+-+The VER field is set to X05 for this version of the protocol. TheNMETHODS field contains the number of method identifier octets thatappear in the METHODS field.The server selects from one of the methods given in METHODS, andsends a METHOD selection message:+-+-+|VER | METHOD |+-+-+| 1 | 1 |+-+-+If the selected METHOD is XFF, none of the methods listed by theclient are acceptable, and the client MUST close the connection.The values currently defined for METHOD are:o X00 NO AUTHENTICATION REQUIRED -無用戶密碼 00o X01 GSSAPI -? GSSAPI ?o X02 USERNAME/PASSWORD -有用戶密碼 02o X03 to X7F IANA ASSIGNEDo X80 to XFE RESERVED FOR PRIVATE METHODSo XFF NO ACCEPTABLE METHODS -失敗 255The client and server then enter a method-specific sub-negotiation.換言之,就是向服務(wù)器發(fā)送三個(gè)字節(jié)的Byte數(shù)組,由于是無須用戶/密碼校驗(yàn),展開來寫是 05 01 00然后服務(wù)器返回兩個(gè)字節(jié)的信息,第一個(gè)字節(jié)固定,第而個(gè)字節(jié)是說明,如果是16進(jìn)制的FF(即十進(jìn)制255)表示連接失敗(o XFF NO ACCEPTABLE METHODS)根據(jù)上面的列表,我們連接成功應(yīng)該第二字節(jié)為 00.然后我們進(jìn)入第二步,請(qǐng)看以下RFC說明:Once the method-dependent subnegotiation has completed, the clientsends the request details. If the negotiated method includesencapsulation for purposes of integrity checking and/orconfidentiality, these requests MUST be encapsulated in the method-dependent encapsulation.The SOCKS request is formed as follows:+-+-+-+-+-+-+|VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT |+-+-+-+-+-+-+| 1 | 1 | X00 | 1 | Variable | 2 |+-+-+-+-+-+-+Where:o VER protocol version: X05 - 固定 05o CMDo CONNECT X01 - TCP方式 01o BIND X02o UDP ASSOCIATE X03 - UDP方式 03o RSV RESERVED - 固定 00o ATYP address type of following addresso IP V4 address: X01 - IPv4 01o DOMAINNAME: X03o IP V6 address: X04o DST.ADDR desired destination addresso DST.PORT desired destination port in network octetorderThe SOCKS server will typically evaluate the request based on sourceand destination addresses, and return one or more reply messages, asappropriate for the request type.發(fā)送 05 01 00 01 + 目的地址(4字節(jié)) + 目的端口(2字節(jié))，目的地址和端口都是16進(jìn)制碼(不是字符串)。例7 - 7201則發(fā)送的信息為：05 01 00 01 CA 67 BE 1B 1C 21(CA=202 67=103 BE=190 1B=27 1C21=7201)關(guān)于我是怎么把16進(jìn)制碼換成10進(jìn)制的,請(qǐng)自己看程序最后,接受服務(wù)器返回?cái)?shù)據(jù),看RFC:+-+-+-+-+-+-+|VER | REP | RSV | ATYP | BND.ADDR | BND.PORT |+-+-+-+-+-+-+| 1 | 1 | X00 | 1 | Variable | 2 |+-+-+-+-+-+-+Where:o VER protocol version: X05 - 固定 05o REP Reply field:o X00 succeeded - 若為 00 成功 其余可以都看成失敗o X01 general SOCKS server failureo X02 connection not allowed by ruleseto X03 Network unreachableo X04 Host unreachableo X05 Connection refusedo X06 TTL expiredo X07 Command not supportedo X08 Address type not supportedo X09 to XFF unassignedo RSV RESERVEDo ATYP address type of following addresso IP V4 address: X01o DOMAINNAME: X03o IP V6 address: X04o BND.ADDR server bound addresso BND.PORT server bound port in network octet orderFields marked RESERVED (RSV) must be set to X00.可見,對(duì)于返回信息,只須判斷第二字節(jié)是否為00.若為 00 連接成功,剩下的操作和直連一樣,Winsock可直接用SendData 和 GetData 發(fā)送接受數(shù)據(jù).下面介紹需要驗(yàn)證用戶名/密碼的socks5穿透第一步還是發(fā)送三個(gè)字節(jié),只是內(nèi)容有變,展開來寫為: 05 01 02服務(wù)器返回信息也有所不同,正確的返回為 05 02成功后發(fā)送用戶/密碼信息,請(qǐng)看RFC 說明:Once the SOCKS V5 server has started, and the client has selected theUsername/Password Authentication protocol, the Username/Passwordsubnegotiation begins. This begins with the client producing aUsername/Password request:+-+-+-+-+-+|VER | ULEN | UNAME | PLEN | PASSWD |+-+-+-+-+-+| 1 | 1 | 1 to 255 | 1 | 1 to 255 |+-+-+-+-+-+The VER field contains the current version of the subnegotiation,which is X01. The ULEN field contains the length of the UNAME fieldthat follows. The UNAME field contains the username as known to thesource operating system. The PLEN field contains the length of thePASSWD field that follows. The PASSWD field contains the passwordassociation with the given UNAME.The server verifies the supplied UNAME and PASSWD, and sends thefollowing response:+-+-+|VER | STATUS |+-+-+| 1 | 1 |+-+-+A STATUS field of X00 indicates success. If the server returns afailure (STATUS value other than X00) status, it MUST close theconnection.即 發(fā)送 01 + 用戶名長(zhǎng)度(一字節(jié)) + 轉(zhuǎn)換成16進(jìn)制碼的用戶名 + 密碼長(zhǎng)度(一字節(jié)) + 轉(zhuǎn)換成16進(jìn)制碼的密碼,關(guān)于如何把用戶名和密碼轉(zhuǎn)換為10進(jìn)制Byte數(shù)組,請(qǐng)自己看程序.然后服務(wù)器返回兩個(gè)字節(jié)的信息,只須判斷第二字節(jié),00 為成功,其余為失敗.剩下的步驟和無用戶名密碼校驗(yàn)是一樣的,即發(fā)送 05 01 00 01 + 目的地址(4字節(jié)) + 目的端口(2字節(jié))，目的地址和端口都是16進(jìn)制碼(不是字符串)。例7 - 7201則發(fā)送的信息為：05 01 00 01 CA 67 BE 1B 1C 21(CA=202 67=103 BE=190 1B=27 1C21=7201)關(guān)于我是怎么把16進(jìn)制碼換成10進(jìn)制的,請(qǐng)自己看程序最后接受服務(wù)器返回信息.對(duì)于返回信息,只須判斷第二字節(jié)是否為00.若為 00 連接成功,剩下的操作和直連一樣,Winsock可直接用SendData 和 GetData 發(fā)送接受數(shù)據(jù).socks4的TCP穿透(事實(shí)上,socks4只支持TCP穿透)無用戶名/密碼驗(yàn)證請(qǐng)看 RFC 說明1) CONNECTThe client connects to the SOCKS server and sends a CONNECT request whenit wants to establish a connection to an application server. The clientincludes in the request packet the IP address and the port number of thedestination host, and userid, in the following format.+-+-+-+-+-+-+-+-+-+-+.+-+| VN | CD | DSTPORT | DSTIP | USERID |NULL|+-+-+-+-+-+-+-+-+-+-+.+-+1 1 2 4 variable 1VN is the SOCKS protocol version number and should be 4. CD is theSOCKS command code and should be 1 for CONNECT request. NULL is a byteof all zero bits.我們首先還是連接服務(wù)器,然后根據(jù)RFC的格式發(fā)送數(shù)據(jù)給服務(wù)器.由于是無用戶密碼驗(yàn)證,我們需要發(fā)送9個(gè)字節(jié)的數(shù)據(jù),展開寫為 04 01 + 目標(biāo)端口(2字節(jié)) + 目標(biāo)IP(4字節(jié)) + 00,奇怪的是,表中的USERID部分似乎是沒有用的,我參照過大量的C+代碼,代碼中都沒有體現(xiàn)該部分.至于如何轉(zhuǎn)換目標(biāo)端口和IP為相應(yīng)的Byte數(shù)組,請(qǐng)自己看示例程序.消息發(fā)出后,服務(wù)器會(huì)返回信息,格式如下:+-+-+-+-+-+-+-+-+| VN | CD | DSTPORT | DSTIP |+-+-+-+-+-+-+-+-+1 1 2 4VN is the version of the reply code and should be 0. CD is the resultcode with one of the following values:90: request granted - 成功91: request rejected or failed - 失敗92: request rejected becasue SOCKS server cannot connect toidentd on the client93: request rejected because the client program and identdreport different user-idsThe remaining fields are ignored.根據(jù)RFC的說法,代理服務(wù)器返回8字節(jié)的數(shù)據(jù),我們只要判斷第二字節(jié)是否為90即可,若是90連接成功,否則失敗.剩下的操作和直連一樣,Winsock可直接用SendData 和 GetData 發(fā)送接受數(shù)據(jù).HTTP1.1 代理的穿透由于RFC 2616過于冗長(zhǎng),加上HTTP代理穿透的步驟比socks簡(jiǎn)單,這里就不詳細(xì)說明了,我只給出連接的步驟和發(fā)送數(shù)據(jù)格式.第一步仍然是用Winsock去連接代理服務(wù)器.第二步為發(fā)送請(qǐng)求字符,其格式為:無用戶名/密碼校驗(yàn) 格式:CONNECT + 空格 + 目標(biāo)連接地址 + : + 目標(biāo)連接端口 + 空格 + HTTP/1.1 + Chr(13) + Chr(10) + Host: + 空格 + 目標(biāo)連接地址 + : + 目標(biāo)連接端口 + Chr(13) + Chr(10) + Chr(13) + Chr(10)用戶名/密碼驗(yàn)證格式:CONNECT + 空格 + 目標(biāo)連接地址 + : + 目標(biāo)連接端口 + 空格 + HTTP/1.1 + Chr(13) + Chr(10) + Host: + 空格 + 目標(biāo)連接地址 + : + 目標(biāo)連接端口 + Chr(13) + Chr(10) + Authorization: Basic + 空格 + 經(jīng)Base64加密過后的用戶名:密碼 + Chr(13) + Chr(10) + Chr(13) + Chr(10) + Proxy-Authorization: Basic + 空格 + 經(jīng)Base64加密過后的用戶名:密碼 + Chr(13) + Chr(10) + Chr(13) + Chr(10)發(fā)送請(qǐng)求完畢后,將收到代理的回應(yīng),根據(jù)RFC說明(注意 Status-Line 和 Status-Code):6 ResponseAfter receiving and interpreting a request message, a server respondswith an HTTP response message.Response = Status-Line ; Section 6.1*( general-header ; Section 4.5| response-header ; Section 6.2| entity-header ) CRLF) ; Section 7.1CRLF message-body ; Section 7.26.1 Status-LineThe first line of a Response message is the Status-Line, consistingof the protocol version followed by a numeric status code and itsassociated textual phrase, with each element separated by SPcharacters. No CR or LF is allowed except in the final CRLF sequence.Status-Line = HTTP-Version SP Status-Code SP Reason-Phrase CRLF6.1.1 Status Code and Reason PhraseThe Status-Code element is a 3-digit integer result code of theattempt to understand and satisfy the request. These codes are fullydefined in section 10. The Reason-Phrase is intended to give a shorttextual description of the Status-Code. The Status-Code is intendedfor use by automata and the Reason-Phrase is intended for the humanuser. The client is not required to examine or display the Reason-Phrase.The first digit of the Status-Code defines the class of response. Thelast two digits do not have any categorization role. There are 5values for the first digit:- 1xx: Informational - Request received, continuing process- 2xx: Success - The action was successfully received,understood, and accepted- 3xx: Redirection - Further action must be taken in order tocomplete the request- 4xx: Client Error - The request contains bad syntax or cannotbe fulfilled- 5xx: Server Error - The server failed to fulfill an apparentlyvalid requestThe individual values of the numeric status codes defined forHTTP/1.1, and an example set of corresponding Reason-Phrases, arepresented below. The reason phrases listed here are onlyrecommendations - they MAY be replaced by local equivalents withoutaffecting the protocol.Status-Code =100 ; Section 10.1.1: Continue| 101 ; Section 10.1.2: Switching Protocols| 200 ; Section 10.2.1: OK| 201 ; Section 10.2.2: Created| 202 ; Section 10.2.3: Accepted| 203 ; Section 10.2.4: Non-Authoritative Information| 204 ; Section 10.2.5: No Content| 205 ; Section 10.2.6: Reset Content| 206 ; Section 10.2.7: Partial Content| 300 ; Section 10.3.1: Multiple Choices| 301 ; Section 10.3.2: Moved Permanently| 302 ; Section 10.3.3: Found| 303 ; Section 10.3.4: See Other| 304 ; Section 10.3.5: Not Modified| 305 ; Section 10.3.6: Use Proxy| 307 ; Section 10.3.8: Temporary Redirect| 400 ; Section 10.4.1: Bad Request| 401 ; Section 10.4.2: Unauthorized| 402 ; Section 10.4.3: Payment Required| 403 ; Section 10.4.4: Forbidden| 404 ; Section 10.4.5: Not Found| 405 ; Section 10.4.6: Method Not Allowed| 406 ; Section 10.4.7: Not Acceptable| 407 ; Section 10.4.8: Proxy Authentication Required| 408 ; Section 10.4.9: Request Time-out| 409 ; Section 10.4.10: Conflict| 410 ; Section 10.4.11: Gone| 411 ; Section 10.4.12: Length Required| 412 ; Section 10.4.13: Precondition Failed| 413 ; Section 10.4.14: Request Entity Too Large| 414 ; Section 10.4.15: Request-URI Too Large| 415 ; Section 10.4.16: Unsupported Media Type| 416 ; Section 10.4.17: Requested range not satisfiable| 417 ; Section 10.4.18: Expectation Failed| 500 ; Section 10.5.1: Internal Server Error| 501 ; Section 10.5.2: Not Implemented| 502 ; Section 10.5.3: Bad Gateway| 503 ; Section 10.5.4: Service Unavailable| 504 ; Section 10.5.5: Gateway Time-out| 505 ; Section 10.5.6: HTTP Version not supported| extension-code可知,如果連接成功,服務(wù)器返回的信息是 HTTP/ + 代理版本 + 200 + 描述(Connection established)所以我們只要判斷返回的信息是否以http開頭,是否存在 200 字眼即可.以下是關(guān)鍵函數(shù)的源代碼:Public Function ProxyStep(ProxyType As Integer, PStep As Integer)Dim SendByte() As ByteIf ProxyType = 0 Then sock4代理If PStep = 1 ThenReDim SendByte(0 To 8) As ByteSendByte(0) = 4 04SendByte(1) = 1 01SendByte(2) = Int(DestPort / 256)SendByte(3) = DestPort Mod 256SendByte(4) = GetIPByte(1, DestIP)SendByte(5) = GetIPByte(2, DestIP)SendByte(6) = GetIPByte(3, DestIP)SendByte(7) = GetIPByte(4, DestIP)SendByte(8) = 0 最后要以 0 結(jié)束Form1.Winsock1.SendData SendByte()ConnStep = PStep + 1Exit FunctionEnd IfIf PStep = 2 Then 代理回復(fù)，第二字節(jié)為 90 為成功，其余值為失敗If Asc(Mid(RevBuffer, 2, 1) 90 ThenDebug.Print Asc(Mid(RevBuffer, 2, 1)MsgBox 連接sock4代理失敗!, 48, 錯(cuò)誤Form1.Winsock1.CloseConnStep = 0Exit FunctionElseForm1.Label8.Caption = 連接目標(biāo)服務(wù)器成功!ConnStep = -1Form2.ShowExit FunctionEnd IfEnd IfEnd If*下面的例子有大量重復(fù)代碼，是為了讓大家更清楚地了解sock5穿透過程，大家可以拿回去自己優(yōu)化 *If ProxyType = 1 Then sock5代理Select Case PStepCase 1ReDim SendByte(0 To 2) As Byte 第一步 無驗(yàn)證發(fā)送 05 01 00, 有驗(yàn)證發(fā)送 05 02 02SendByte(0) = 5 05SendByte(1) = 1 01 在有用戶密碼驗(yàn)證時(shí)此字節(jié)是 1 還是 2 有諸多爭(zhēng)論，現(xiàn)以騰訊QQ穿越代理模擬器時(shí)發(fā)送的數(shù)據(jù)為準(zhǔn)，如有錯(cuò)誤，請(qǐng)自己修改!SendByte(2) = IIf(Form1.Check1.Value = 0, 0, 2) 00 或 02Form1.Winsock1.SendData SendByte()ConnStep = PStep + 1Exit FunctionCase 2 代理回復(fù)If Asc(Mid(RevBuffer, 2, 1) = 255 Then FF (255) 為失敗MsgBox 連接代理失敗!, 64Form1.Winsock1.CloseConnStep = 0Exit FunctionEnd IfIf Asc(Mid(RevBuffer, 2, 1) = 0 And Asc(Mid(RevBuffer, 1, 1) = 5 Then 若代理回復(fù) 05 00 為無驗(yàn)證連接成功Form1.Label8.Caption = 連接成功!無驗(yàn)證ReDim SendByte(0 To 9) As Byte 第二步 無驗(yàn)證 發(fā)送連接請(qǐng)求SendByte(0) = 5SendByte(1) = 1SendByte(2) = 0SendByte(3) = 1SendByte(4) = GetIPByte(1, DestIP)SendByte(5) = GetIPByte(2, DestIP)SendByte(6) = GetIPByte(3, DestIP)SendByte(7) = GetIPByte(4, DestIP)SendByte(8) = Int(DestPort / 256) 把10進(jìn)制端口分成兩個(gè)字節(jié)SendByte(9) = DestPort Mod 256 把10進(jìn)制端口分成兩個(gè)字節(jié)Form1.Winsock1.SendData SendByte()ConnStep = ConnStep + 1Exit FunctionEnd IfIf Asc(Mid(RevBuffer, 2, 1) = 2 And Asc(Mid(RevBuffer, 1, 1) = 5 Then 第二步 有用戶名密碼驗(yàn)證 成功為 05 02Form1.Label8.Caption = 連接成功!有驗(yàn)證ReDim SendByte(0 To 2 + Len(UserName) + Len(UserPassword) As ByteSendByte(0) = 1SendByte(1) = Len(UserName)MemCopy SendByte(2), ByVal UserName, Len(UserName) 將用戶名轉(zhuǎn)換SendByte(2 + Len(UserName) = Len(UserPassword)MemCopy SendByte(3 + Len(UserName), ByVal UserPassword, Len(UserPassword) 將密碼轉(zhuǎn)換Form1.Winsock1.SendData SendByte()ConnStep = ConnStep + 1Exit FunctionEnd IfCase 3If Asc(Mid(RevBuffer, 2, 1) 0 And Form1.Check1.Value = 1 Then 有驗(yàn)證，驗(yàn)證失敗 代理回復(fù)第二字節(jié)為 00 驗(yàn)證成功，其余值為失敗MsgBox sock5代理校驗(yàn)用戶名、密碼失敗!, 48, 錯(cuò)誤Form1.Winsock1.CloseConnStep = 0Exit FunctionEnd IfIf Asc(Mid(RevBuffer, 2, 1) = 0 And Form1.Check1.Value = 1 Then 有驗(yàn)證，驗(yàn)證成功，回復(fù)值第二字節(jié)為 00 ，其余值為失敗Form1.Label8.Caption = 連接成功!有驗(yàn)證!ReDim SendByte(0 To 9) As Byte 發(fā)送連接請(qǐng)求SendByte(0) = 5SendByte(1) = 1SendByte(2) = 0SendByte(3) = 1SendByte(4) = GetIPByte(1, DestIP)SendByte(5) = GetIPByte(2, DestIP)SendByte(6) = GetIPByte(3, DestIP)SendByte(7) = GetIPByte(4, DestIP)SendByte(8) = Int(DestPort / 256) 把10進(jìn)制端口分成兩個(gè)字節(jié)SendByte(9) = DestPort Mod 256 把10進(jìn)制端口分成兩個(gè)字節(jié)Form1.Winsock1.SendData SendByte()ConnStep = ConnStep + 1Exit FunctionEnd IfIf Asc(Mid(RevBuffer, 2, 1) = 0 And Form1.Check1.Value = 0 ThenForm1.Label8.Caption = 連接目標(biāo)服務(wù)器成功! 無驗(yàn)證的最后一步，代理回復(fù)第二字節(jié)為 00 成功，其余值為失敗ConnStep = -1Form2.ShowExit FunctionEnd IfIf Asc(Mid(RevBuffer, 2, 1) 0 And Form1.Check1.Value = 0 ThenMsgBox 連接目標(biāo)服務(wù)器失敗!, 48, 錯(cuò)誤 無驗(yàn)證的最后一步，代理回復(fù)第二字節(jié)為 00 成功，其余值為失敗ConnSte