TCPIP.SYS raw sockets

[JMC31337]

fig'd since the mcsft update patch keeps us from being able to fully utilize our OS it belonged in the security thread

 

this site goes into details about modding up tcpip.sys to allow raw sockets (ancient chinese secrets)

 

http://blog.csdn.net/aerror/article/details/2467775

 

and this site goes into details about allowing unlimited connections for our tcpip.sys sockets

 

unlimited connections but it doesnt solve the problems of RAW TCPIP contsruction

 

http://www.msfn.org/board/topic/25308-new-sp2-patch-kb884020-update-the-tcpipsys-file/

TCPIP.SYS
359,040 bytes, version 5.1.2600.2505Offset 130 (This is the checksum!)
FROM: 27 C3 05 00 TO: 1B C4 05 00 (<--- corrected checksum = 05c41bh)offset 4F322
FROM: A0 00 00 00 TO: FE FF FF 00 (<--- unlimited connections)

 

 

and the active recovery system on windows will immediately replace that tcpip.sys if you modify its CRC against what it knows to be valid

so be sure to match them up...

 

would it be against MCSFT policy to mod up a tcpip.sys and post it?   

 

 

More Info:

How To Remove Windows TCP IP Limits connections.doc

ftp://ftp.snellwilcox.com/RollCall/SNMP_Support_Tools/How%20To%20Remove%20Windows%20TCP%20IP%20Limits%20connections.doc

 

PS: i find it ironic that 2003 server enterprise allows us to use raw socket but our common everyday SP2 XP will not nor will Vista or Win7

Edited December 21, 2013 by JMC31337

[JMC31337]

First we needed a raw socket code to test as working under 2003 Enterprise (evaluation)  since my "trial is about to expire i need to re-install the iso)

nonetheless attached is the raw socket code 

 

http://forum.tuts4you.com/topic/34101-tcpipsys-raw-sockets/#entry157387

 

 

XP SP 3 terminal output:

 

Initialising Winsock...Initialised successfully.

Creating Raw TCP Socket...Raw TCP Socket Created successfully.

Setting the socket in RAW mode...Successful.

Sending packet...

 

Error sending Packet : 10004

 

 

2003 Enterprise:

Initialising Winsock...Initialised successfully.

Creating Raw TCP Socket...Raw TCP Socket Created successfully.

Setting the socket in RAW mode...Successful.

Sending packet...

 

  14597  packets send

 

 

so we can easily see we have a good sample to test and if we get "packets send" on SP3 we "Reversed the tcpip.sys"

 

 

.text:00034007 8B 45 B4                mov     eax, [ebp+var_4C]

.text:0003400A 89 50 0C                mov     [eax+0Ch], edx

.text:0003400D 8B 45 B4                mov     eax, [ebp+var_4C]

.text:00034010 88 58 1C                mov     [eax+1Ch], bl

.text:00034013 8B 4D AC                mov     ecx, [ebp+var_54]

.text:00034016 8A 41 09                mov     al, [ecx+9]     ; <---开始判断类型

.text:00034019 3C 06                   cmp     al, 6

.text:0003401B 0F 84 A9 14 00 00       jz      pos_to_drop_skip_packet <-- change TO jmp 0003405D
under a hex editor: 23FA3 - 23FB8 (for this SP3 tcpip.sys)

8B 45 B4 89 50 0C 8B 45 B4 88 58 1C 8B 4D AC 8A 41 09 3C 06 0F 84

text:0003405D               loc_3405D:    ; CODE XREF: IPTransmit(x,x,x,x,x,x,x,x,x,x)+213FD j
.text:0003405D 8B 45 AC                mov     eax, [ebp+var_54] ; <---不检查，直接执行

.text:00034060 0F B6 00                movzx   eax, byte ptr [eax]

.text:00034063 83 E0 0F                and     eax, 0Fh

.text:00034066 C1 E0 02                shl     eax, 2

.text:00034069 8B F0                   mov     esi, eax

.text:0003406B 83 FE 14                cmp     esi, 14h

.text:0003406E 89 B5 64 FF FF FF       mov     [ebp+var_9C], esi
which is where i guess we wanna be:
Hex EDitor : 23FF9 - 2400F  (for this SP3 tcpip.sys)

8B 45 AC 0F B6 00 83 E0 0F C1 E0 02 8B F0 83 FE 14 89 B5 64 FF FF FF

its only one place in the tcpip.sys file
those .text above came from the chinese source code mentioned in the first post, the Hex edit locations are the SP3 areas for tcpip

on this system it is this (with my ollydbg):

 

Address   Hex dump          Command                                  Comments

B80B4FA3    8B45 B4         MOV EAX,DWORD PTR SS:[EBP-4C]

B80B4FA6    8950 0C         MOV DWORD PTR DS:[EAX+0C],EDX

B80B4FA9    8B45 B4         MOV EAX,DWORD PTR SS:[EBP-4C]

B80B4FAC    8858 1C         MOV BYTE PTR DS:[EAX+1C],BL

B80B4FAF    8B4D AC         MOV ECX,DWORD PTR SS:[EBP-54]

B80B4FB2    8A41 09         MOV AL,BYTE PTR DS:[ECX+9]

B80B4FB5    3C 06           CMP AL,6

B80B4FB7    0F84 C8140000   JE B80B6485       <------------ ?????????????

 

 

 

on this system: (ollydbg)

 

CPU Disasm

Address   Hex dump          Command                                  Comments

B80B4FF9    8B45 AC         MOV EAX,DWORD PTR SS:[EBP-54]

B80B4FFC    0FB600          MOVZX EAX,BYTE PTR DS:[EAX]

B80B4FFF    83E0 0F         AND EAX,0000000F

B80B5002    C1E0 02         SHL EAX,2

B80B5005    8BF0            MOV ESI,EAX

B80B5007    83FE 14         CMP ESI,14

B80B500A    89B5 64FFFFFF   MOV DWORD PTR SS:[EBP-9C],ESI

 

 

maybe use ollydbg to dump the expression memory address as a new sys file:
CPU Disasm

Address   Hex dump          Command                                  Comments

B80B4FA3    8B45 B4         MOV EAX,DWORD PTR SS:[EBP-4C]

B80B4FA6    8950 0C         MOV DWORD PTR DS:[EAX+0C],EDX

B80B4FA9    8B45 B4         MOV EAX,DWORD PTR SS:[EBP-4C]

B80B4FAC    8858 1C         MOV BYTE PTR DS:[EAX+1C],BL

B80B4FAF    8B4D AC         MOV ECX,DWORD PTR SS:[EBP-54]

B80B4FB2    8A41 09         MOV AL,BYTE PTR DS:[ECX+9]

B80B4FB5    3C 06           CMP AL,6

B80B4FB7    0F84 C8140000   JE B80B6485                    <------------------ B80B4FF9

B80B4FBD    3C 04           CMP AL,4

B80B4FBF    0F84 C0140000   JE B80B6485

B80B4FC5    3C 29           CMP AL,29

B80B4FC7    0F84 B8140000   JE B80B6485

B80B4FCD    FF71 0C         PUSH DWORD PTR DS:[ECX+0C]

B80B4FD0    E8 3CCEFDFF     CALL B8091E11

B80B4FD5    84C0            TEST AL,AL

B80B4FD7    74 20           JE SHORT B80B4FF9

B80B4FD9    8B45 AC         MOV EAX,DWORD PTR SS:[EBP-54]

B80B4FDC    FF70 10         PUSH DWORD PTR DS:[EAX+10]

B80B4FDF    E8 2DCEFDFF     CALL B8091E11

B80B4FE4    3C 03           CMP AL,3

B80B4FE6    0F85 99140000   JNE B80B6485

B80B4FEC    8B45 8C         MOV EAX,DWORD PTR SS:[EBP-74]

B80B4FEF    F640 0C 20      TEST BYTE PTR DS:[EAX+0C],20

B80B4FF3    0F84 8C140000   JE B80B6485
CPU Disasm

Address   Hex dump          Command                                  Comments

B80B4FF9    8B45 AC         MOV EAX,DWORD PTR SS:[EBP-54]

B80B4FFC    0FB600          MOVZX EAX,BYTE PTR DS:[EAX]

B80B4FFF    83E0 0F         AND EAX,0000000F

B80B5002    C1E0 02         SHL EAX,2

B80B5005    8BF0            MOV ESI,EAX

B80B5007    83FE 14         CMP ESI,14

B80B500A    89B5 64FFFFFF   MOV DWORD PTR SS:[EBP-9C],ESI

B80B5010    0F82 6F140000   JB B80B6485

B80B5016    76 67           JBE SHORT B80B507F

B80B5018    6A 10           PUSH 10

B80B501A    8D46 EC         LEA EAX,[ESI-14]

B80B501D    68 54436977     PUSH 77694354

B80B5022    33FF            XOR EDI,EDI

B80B5024    50              PUSH EAX

B80B5025    47              INC EDI

B80B5026    53              PUSH EBX

B80B5027    897D 80         MOV DWORD PTR SS:[EBP-80],EDI

B80B502A    8945 88         MOV DWORD PTR SS:[EBP-78],EAX

B80B502D    FF15 A8060DB8   CALL DWORD PTR DS:[B80D06A8]

B80B5033    3BC3            CMP EAX,EBX

B80B5035    8945 A8         MOV DWORD PTR SS:[EBP-58],EAX

B80B5038    75 0C           JNE SHORT B80B5046

B80B503A    BE FE2A0000     MOV ESI,2AFE

B80B503F    56              PUSH ESI

B80B5040    57              PUSH EDI

B80B5041    E9 5B140000     JMP B80B64A1
that's the same Chinese dissassembly that i gave ya earlier only instead of SP2, this is the sp3 version here within these code-tags

B80B4FB7    0F84 C8140000   JE B80B6485                                  <------------------ B80B4FF9

 

 

 

only problem is these sys drivers get loaded into different mem addresses EVERY TIME the machine boots

 

but thats as far as I got last night... 

Edited December 25, 2013 by JMC31337

[JMC31337]

okay i got this to work under SP3 vmware: 

 

packets get sent and all...  (very hit or miss without using a system kernel debugger)

 

Steps:

 

1) backup your tcpip.sys (the included patcher does this for you) but do it jsut to make sure

2) open your SP3 tcpip.sys file with a hex editor

3) so a search for 8B 45 B4 89 50 0C 8B 45 B4 88 58 1C 8B 4D AC 8A 41 09 3C 06

(its only one place in the file)

 

REPLACE EVERYTHING AS YOU see here

 

8B 45 B4 89 50 0C 8B 45 B4 88 58 1C 8B 4D AC 8A 41 09 3C 06 74 40 C8 14 00 00 3C 04 74 38 C0 14 00 00 3C 29 74 30 B8 14 00 00 FF 71 0C E8 14 CE FD FF 84 C0 74 20 8B 45 AC FF 70 10 E8 05 CE FD FF 3C 03 0F 85 99 14 00 00 8B 45 8C F6 40 0C 20 74 20 8C 14 00 00 8B 45 AC 0F B6 00 83 E0 0F C1 E0 02 8B F0 83 FE 14 89 B5 64 FF FF FF

 

the ones in blue are the driver jumps.. they must point to their respective distances (see the original chinese tcpip modification tutorial) 

 

and save

 

4) head into SAFE MODE WITH COMMAND PROMPT

 5) once in command prompt for administrator (or admin account) head to :

\windows\system32\drivers

 

6) replace our "hacked"unpatched version" and overwrite the original tcpip.sys

7) now run that chinese patcher

8) it will say modified (not original) and change the number of connections to 9999

9) patch

10) a warning will pop asking to patch a modified tcpip.sys  click yes

11) reboot

 

run that winsock raw socket code.. and it will say

 

packets sent!

 

thats SP3...  in time ill do the vista and win7

UniversalTcpipPatch-x86.rar

Edited December 23, 2013 by JMC31337

[JMC31337]

after playing around with  (AF_INET, SOCK_RAW, IPPROTO_RAW)  raw winsock settings,

 

ICMP works (but it works as raw for all machines anyways)

 

UDP and TCP i cant see under a sniffer (maybe not crafting the packets right)

 

other times its BSOD

 

if anyone has any ideas... lemme know.. 

i'm game for trying anything with raw sockets

[JMC31337]

okay it works just fine.. just gotta have the right winsock code and the right TCP header info set

 

 

on the "unhacked" SP3 :

Initialising Winsock...Initialised successfully.

Creating Raw TCP Socket...Raw TCP Socket Created successfully.

Setting the socket in RAW mode...Successful.

Enter hostname : www.tuts4you.com
Resolving Hostname...Resolved.

Enter Source IP : 192.168.219.130
Sending packet...

Error sending Packet : 10004

on the hacked SP3 trial evalulation under VMWARE (with network enabled):

E:\>raw_tcp
Initialising Winsock...Initialised successfully.

Creating Raw TCP Socket...Raw TCP Socket Created successfully.

Setting the socket in RAW mode...Successful.

Enter hostname : www.tuts4you.com
Resolving Hostname...Resolved.

Enter Source IP : 192.168.219.130
Sending packet...

7180 packets send

2	TCP	192.168.219.130	198.57.187.53	1234	50000	xpvm.localdomain	tuts4you.com		1,218	633,360 Bytes	672,888 Bytes	122.6 KB/Sec	12/25/2013 1:03:49 AM:531	12/25/2013 1:03:54 AM:578	00:00:05.046					

Packets Stream Report

Index 2  

Protocol TCP  

Local Address 192.168.219.130  

Remote Address 198.57.187.53  

Local Port 1234  

Remote Port 50000  

Local Host xpvm.localdomain  

Remote Host tuts4you.com  

Service Name    

Packets 1,218  

Data Size 633,360 Bytes  

Total Size 672,888 Bytes  

Data Speed 122.6 KB/Sec  

Capture Time 12/25/2013 1:03:49 AM:531  

Last Packet Time 12/25/2013 1:03:54 AM:578  

Duration 00:00:05.046  

Local MAC Address    

Remote MAC Address    

Local IP Country    

Remote IP Country    
00000000  31 44 00 00 00 00 00 00  5E 5E 5E 5E 5E 5E 5E 5E   1D...... ^^^^^^^^ 

00000010  5E 5E 5E 5E 5E 5E 5E 5E  5E 5E 5E 5E 5E 5E 5E 5E   ^^^^^^^^ ^^^^^^^^ 

00000020  5E 5E 5E 5E 5E 5E 5E 5E  5E 5E 5E 5E 5E 5E 5E 5E   ^^^^^^^^ ^^^^^^^^ 

00000030  5E 5E 5E 5E 5E 5E 5E 5E  5E 5E 5E 5E 5E 5E 5E 5E   ^^^^^^^^ ^^^^^^^^ 

00000040  5E 5E 5E 5E 5E 5E 5E 5E  5E 5E 5E 5E 5E 5E 5E 5E   ^^^^^^^^ ^^^^^^^^ 

00000050  5E 5E 5E 5E 5E 5E 5E 5E  5E 5E 5E 5E 5E 5E 5E 5E   ^^^^^^^^ ^^^^^^^^ 

00000060  5E 5E 5E 5E 5E 5E 5E 5E  5E 5E 5E 5E 5E 5E 5E 5E   ^^^^^^^^ ^^^^^^^^ 

00000070  5E 5E 5E 5E 5E 5E 5E 5E  5E 5E 5E 5E 5E 5E 5E 5E   ^^^^^^^^ ^^^^^^^^ 

00000080  5E 5E 5E 5E 5E 5E 5E 5E  5E 5E 5E 5E 5E 5E 5E 5E   ^^^^^^^^ ^^^^^^^^ 

00000090  5E 5E 5E 5E 5E 5E 5E 5E  5E 5E 5E 5E 5E 5E 5E 5E   ^^^^^^^^ ^^^^^^^^ 

000000A0  5E 5E 5E 5E 5E 5E 5E 5E  5E 5E 5E 5E 5E 5E 5E 5E   ^^^^^^^^ ^^^^^^^^ 

000000B0  5E 5E 5E 5E 5E 5E 5E 5E  5E 5E 5E 5E 5E 5E 5E 5E   ^^^^^^^^ ^^^^^^^^ 

000000C0  5E 5E 5E 5E 5E 5E 5E 5E  5E 5E 5E 5E 5E 5E 5E 5E   ^^^^^^^^ ^^^^^^^^ 

000000D0  5E 5E 5E 5E 5E 5E 5E 5E  5E 5E 5E 5E 5E 5E 5E 5E   ^^^^^^^^ ^^^^^^^^ 

000000E0  5E 5E 5E 5E 5E 5E 5E 5E  5E 5E 5E 5E 5E 5E 5E 5E   ^^^^^^^^ ^^^^^^^^ 

000000F0  5E 5E 5E 5E 5E 5E 5E 5E  5E 5E 5E 5E 5E 5E 5E 5E   ^^^^^^^^ ^^^^^^^^ 

00000100  5E 5E 5E 5E 5E 5E 5E 5E  5E 5E 5E 5E 5E 5E 5E 5E   ^^^^^^^^ ^^^^^^^^ 

00000110  5E 5E 5E 5E 5E 5E 5E 5E  5E 5E 5E 5E 5E 5E 5E 5E   ^^^^^^^^ ^^^^^^^^ 

00000120  5E 5E 5E 5E 5E 5E 5E 5E  5E 5E 5E 5E 5E 5E 5E 5E   ^^^^^^^^ ^^^^^^^^ 

00000130  5E 5E 5E 5E 5E 5E 5E 5E  5E 5E 5E 5E 5E 5E 5E 5E   ^^^^^^^^ ^^^^^^^^ 

00000140  5E 5E 5E 5E 5E 5E 5E 5E  5E 5E 5E 5E 5E 5E 5E 5E   ^^^^^^^^ ^^^^^^^^ 

00000150  5E 5E 5E 5E 5E 5E 5E 5E  5E 5E 5E 5E 5E 5E 5E 5E   ^^^^^^^^ ^^^^^^^^ 

00000160  5E 5E 5E 5E 5E 5E 5E 5E  5E 5E 5E 5E 5E 5E 5E 5E   ^^^^^^^^ ^^^^^^^^ 

00000170  5E 5E 5E 5E 5E 5E 5E 5E  5E 5E 5E 5E 5E 5E 5E 5E   ^^^^^^^^ ^^^^^^^^ 

00000180  5E 5E 5E 5E 5E 5E 5E 5E  5E 5E 5E 5E 5E 5E 5E 5E   ^^^^^^^^ ^^^^^^^^ 

00000190  5E 5E 5E 5E 5E 5E 5E 5E  5E 5E 5E 5E 5E 5E 5E 5E   ^^^^^^^^ ^^^^^^^^ 

000001A0  5E 5E 5E 5E 5E 5E 5E 5E  5E 5E 5E 5E 5E 5E 5E 5E   ^^^^^^^^ ^^^^^^^^ 

000001B0  5E 5E 5E 5E 5E 5E 5E 5E  5E 5E 5E 5E 5E 5E 5E 5E   ^^^^^^^^ ^^^^^^^^ 

000001C0  5E 5E 5E 5E 5E 5E 5E 5E  5E 5E 5E 5E 5E 5E 5E 5E   ^^^^^^^^ ^^^^^^^^ 

000001D0  5E 5E 5E 5E 5E 5E 5E 5E  5E 5E 5E 5E 5E 5E 5E 5E   ^^^^^^^^ ^^^^^^^^ 

000001E0  5E 5E 5E 5E 5E 5E 5E 5E  5E 5E 5E 5E 5E 5E 5E 5E   ^^^^^^^^ ^^^^^^^^ 

000001F0  5E 5E 5E 5E 5E 5E 5E 5E  5E 5E 5E 5E 5E 5E 5E 5E   ^^^^^^^^ ^^^^^^^^ 

00000200  5E 5E 5E 5E 5E 5E 5E 5E                            ^^^^^^^^ 

and the code that did it:

http://www.binarytides.com/raw-sockets-using-winsock/

//raw tcp packet crafter
#include "stdio.h"

#include "winsock2.h"

#include "ws2tcpip.h" //IP_HDRINCL is here

#include "conio.h"
#pragma comment(lib,"ws2_32.lib") //winsock 2.2 library
typedef struct ip_hdr

{

unsigned char ip_header_len:4; // 4-bit header length (in 32-bit words) normally=5 (Means 20 Bytes may be 24 also)

unsigned char ip_version :4; // 4-bit IPv4 version

unsigned char ip_tos; // IP type of service

unsigned short ip_total_length; // Total length

unsigned short ip_id; // Unique identifier
unsigned char ip_frag_offset :5; // Fragment offset field
unsigned char ip_more_fragment :1;

unsigned char ip_dont_fragment :1;

unsigned char ip_reserved_zero :1;
unsigned char ip_frag_offset1; //fragment offset
unsigned char ip_ttl; // Time to live

unsigned char ip_protocol; // Protocol(TCP,UDP etc)

unsigned short ip_checksum; // IP checksum

unsigned int ip_srcaddr; // Source address

unsigned int ip_destaddr; // Source address

} IPV4_HDR, *PIPV4_HDR, FAR * LPIPV4_HDR;
// TCP header

typedef struct tcp_header

{

unsigned short source_port; // source port

unsigned short dest_port; // destination port

unsigned int sequence; // sequence number - 32 bits

unsigned int acknowledge; // acknowledgement number - 32 bits
unsigned char ns :1; //Nonce Sum Flag Added in RFC 3540.

unsigned char reserved_part1:3; //according to rfc

unsigned char data_offset:4; /*The number of 32-bit words in the TCP header.

This indicates where the data begins.

The length of the TCP header is always a multiple

of 32 bits.*/
unsigned char fin :1; //Finish Flag

unsigned char syn :1; //Synchronise Flag

unsigned char rst :1; //Reset Flag

unsigned char psh :1; //Push Flag

unsigned char ack :1; //Acknowledgement Flag

unsigned char urg :1; //Urgent Flag
unsigned char ecn :1; //ECN-Echo Flag

unsigned char cwr :1; //Congestion Window Reduced Flag
////////////////////////////////
unsigned short window; // window

unsigned short checksum; // checksum

unsigned short urgent_pointer; // urgent pointer

} TCP_HDR , *PTCP_HDR , FAR * LPTCP_HDR , TCPHeader , TCP_HEADER;
int main()

{

char host[100],buf[1000],*data=NULL,source_ip[20]; //buf is the complete packet

SOCKET s;

int k=1;
IPV4_HDR *v4hdr=NULL;

TCP_HDR *tcphdr=NULL;
int payload=512 , optval;

SOCKADDR_IN dest;

hostent *server;
//Initialise Winsock

WSADATA wsock;

printf("\nInitialising Winsock...");

if (WSAStartup(MAKEWORD(2,2),&wsock) != 0)

{

fprintf(stderr,"WSAStartup() failed");

exit(EXIT_FAILURE);

}

printf("Initialised successfully.");

////////////////////////////////////////////////
//Create Raw TCP Packet

printf("\nCreating Raw TCP Socket...");

if((s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW))==SOCKET_ERROR)

{

printf("Creation of raw socket failed.");

return 0;

}

printf("Raw TCP Socket Created successfully.");

////////////////////////////////////////////////
//Put Socket in RAW Mode.

printf("\nSetting the socket in RAW mode...");

if(setsockopt(s, IPPROTO_IP, IP_HDRINCL, (char *)&optval, sizeof(optval))==SOCKET_ERROR)

{

printf("failed to set socket in raw mode.");

return 0;

}

printf("Successful.");

////////////////////////////////////////////////
//Target Hostname

printf("\nEnter hostname : ");

gets(host);

printf("\nResolving Hostname...");

if((server=gethostbyname(host))==0)

{

printf("Unable to resolve.");

return 0;

}

dest.sin_family = AF_INET;

dest.sin_port = htons(50000); //your destination port

memcpy(&dest.sin_addr.s_addr,server->h_addr,server->h_length);

printf("Resolved.");

/////////////////////////////////////////////////
printf("\nEnter Source IP : ");

gets(source_ip);
v4hdr = (IPV4_HDR *)buf; //lets point to the ip header portion

v4hdr->ip_version=4;

v4hdr->ip_header_len=5;

v4hdr->ip_tos = 0;

v4hdr->ip_total_length = htons ( sizeof(IPV4_HDR) + sizeof(TCP_HDR) + payload );

v4hdr->ip_id = htons(2);

v4hdr->ip_frag_offset = 0;

v4hdr->ip_frag_offset1 = 0;

v4hdr->ip_reserved_zero = 0;

v4hdr->ip_dont_fragment = 1;

v4hdr->ip_more_fragment = 0;

v4hdr->ip_ttl = 8;

v4hdr->ip_protocol = IPPROTO_TCP;

v4hdr->ip_srcaddr = inet_addr(source_ip);

v4hdr->ip_destaddr = inet_addr(inet_ntoa(dest.sin_addr));

v4hdr->ip_checksum = 0;
tcphdr = (TCP_HDR *)&buf[sizeof(IPV4_HDR)]; //get the pointer to the tcp header in the packet
tcphdr->source_port = htons(1234);

tcphdr->dest_port = htons(50000);
tcphdr->cwr=0;

tcphdr->ecn=1;

tcphdr->urg=0;

tcphdr->ack=0;

tcphdr->psh=0;

tcphdr->rst=1;

tcphdr->syn=0;

tcphdr->fin=0;

tcphdr->ns=1;
tcphdr->checksum = 0;
// Initialize the TCP payload to some rubbish

data = &buf[sizeof(IPV4_HDR) + sizeof(TCP_HDR)];

memset(data, '^', payload);
printf("\nSending packet...\n");
while(!_kbhit())

{

printf(" %d packets send\r",k++);

if((sendto(s , buf , sizeof(IPV4_HDR)+sizeof(TCP_HDR) + payload, 0,

(SOCKADDR *)&dest, sizeof(dest)))==SOCKET_ERROR)

{
printf("Error sending Packet : %d",WSAGetLastError());

break;

}

}

 getchar();

return 0;

}

one to tuts4you.com from google.com:

C:\Documents and Settings\JMC31337>ping www.google.com
Pinging www.google.com [74.125.228.80] with 32 bytes of data:
Reply from 74.125.228.80: bytes=32 time=23ms TTL=128
Ping statistics for 74.125.228.80:

    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 23ms, Maximum = 23ms, Average = 23ms
Initialising Winsock...Initialised successfully.

Creating Raw TCP Socket...Raw TCP Socket Created successfully.

Setting the socket in RAW mode...Successful.

Enter hostname : www.tuts4you.com
Resolving Hostname...Resolved.

Enter Source IP : 74.125.228.80
Sending packet...

 1597 packets send
1	TCP	74.125.228.80	198.57.187.53	1234	50000	www.google.com	tuts4you.com		1,830	951,600 Bytes	1,010,712 Bytes	108.7 KB/Sec	12/25/2013 1:20:12 AM:328	12/25/2013 1:20:20 AM:875	00:00:08.546					

here's the thing though: through all the research i did, it may be that the ISP are able to detect the TRUE source of packets and drop those that arent coming fromn legit sources.. but other than that.. 

Edited December 25, 2013 by JMC31337