
Using Winsock in VB6 to traverse various proxies

Original title: "Using Winsock in VB6 to traverse various proxies (TCP protocol)"
The RFC text quoted in this article belongs to its original authors. Please credit the source when reposting.
Author: 吳滂

There has been plenty of discussion about traversing proxies with VB's Winsock control, but no source code has ever been released. I am releasing mine now, so that certain people can stop charging money for this so-called technique. Lacking a real test environment, the program has only been tested against a proxy simulator I wrote myself; its results are essentially the same as what Tencent QQ, MSN and NetEase PoPo produce when they traverse that simulator. The code may therefore contain mistakes; if you are in a position to test it, please correct them yourself.

First, the background: the RFC documents. They are required reading, and my program is written directly from them. The RFC references follow; for accuracy they point at the English originals, and the walkthrough below annotates the key parts. One common error also needs correcting. Many Chinese-language articles claim that SOCKS5 username/password authentication is specified in RFC 1928. That is simply wrong (I doubt the authors ever read the RFC); the username/password method is specified in RFC 1929.

    RFC 1928 - SOCKS5 proxy standard
    RFC 1929 - SOCKS5 username/password authentication standard
    RFC ?    - SOCKS4 proxy standard
    RFC 2616 - HTTP/1.1 standard

Now to the subject itself.

SOCKS5 TCP traversal (with this example you can write UDP traversal yourself)

First, connect to the proxy server: simply use Winsock to Connect to the proxy's address and port (usually 1080). Then comes the negotiation phase.

Negotiation without username/password

RFC 1928 describes the first step of the negotiation as follows:

    The client connects to the server, and sends a version
    identifier/method selection message:

        +----+----------+----------+
        |VER | NMETHODS | METHODS  |
        +----+----------+----------+
        | 1  |    1     | 1 to 255 |
        +----+----------+----------+

    The VER field is set to X'05' for this version of the protocol. The
    NMETHODS field contains the number of method identifier octets that
    appear in the METHODS field.

    The server selects from one of the methods given in METHODS, and
    sends a METHOD selection message:

        +----+--------+
        |VER | METHOD |
        +----+--------+
        | 1  |   1    |
        +----+--------+

    If the selected METHOD is X'FF', none of the methods listed by the
    client are acceptable, and the client MUST close the connection.

    The values currently defined for METHOD are:

        o  X'00' NO AUTHENTICATION REQUIRED        - no username/password: 00
        o  X'01' GSSAPI                            - GSSAPI (?)
        o  X'02' USERNAME/PASSWORD                 - username/password: 02
        o  X'03' to X'7F' IANA ASSIGNED
        o  X'80' to X'FE' RESERVED FOR PRIVATE METHODS
        o  X'FF' NO ACCEPTABLE METHODS             - failure: 255

    The client and server then enter a method-specific sub-negotiation.

In other words, send the server a three-byte Byte array. With no username/password check, written out it is 05 01 00. The server then returns two bytes: the first is fixed and the second is the verdict. If it is hex FF (decimal 255) the connection failed (X'FF' NO ACCEPTABLE METHODS); per the list above, on success the second byte should be 00.

Now step two. The RFC says:

    Once the method-dependent subnegotiation has completed, the client
    sends the request details. If the negotiated method includes
    encapsulation for purposes of integrity checking and/or
    confidentiality, these requests MUST be encapsulated in the method-
    dependent encapsulation.

    The SOCKS request is formed as follows:

        +----+-----+-------+------+----------+----------+
        |VER | CMD |  RSV  | ATYP | DST.ADDR | DST.PORT |
        +----+-----+-------+------+----------+----------+
        | 1  |  1  | X'00' |  1   | Variable |    2     |
        +----+-----+-------+------+----------+----------+

    Where:

        o  VER    protocol version: X'05'            - fixed: 05
        o  CMD
           o  CONNECT X'01'                           - TCP: 01
           o  BIND X'02'
           o  UDP ASSOCIATE X'03'                     - UDP: 03
        o  RSV    RESERVED                            - fixed: 00
        o  ATYP   address type of following address
           o  IP V4 address: X'01'                    - IPv4: 01
           o  DOMAINNAME: X'03'
           o  IP V6 address: X'04'
        o  DST.ADDR       desired destination address
        o  DST.PORT       desired destination port in network octet
           order

    The SOCKS server will typically evaluate the request based on source
    and destination addresses, and return one or more reply messages, as
    appropriate for the request type.

Send 05 01 00 01 + destination address (4 bytes) + destination port (2 bytes). The address and port are raw bytes, not strings. For example, for 202.103.190.27 port 7201 the message sent is:

    05 01 00 01 CA 67 BE 1B 1C 21
    (CA=202, 67=103, BE=190, 1B=27, 1C21=7201)

How I convert the decimal values into bytes is in the program; read it there. Finally, read the server's reply. From the RFC:

        +----+-----+-------+------+----------+----------+
        |VER | REP |  RSV  | ATYP | BND.ADDR | BND.PORT |
        +----+-----+-------+------+----------+----------+
        | 1  |  1  | X'00' |  1   | Variable |    2     |
        +----+-----+-------+------+----------+----------+

    Where:

        o  VER    protocol version: X'05'            - fixed: 05
        o  REP    Reply field:
           o  X'00' succeeded                         - 00 means success; treat everything else as failure
           o  X'01' general SOCKS server failure
           o  X'02' connection not allowed by ruleset
           o  X'03' Network unreachable
           o  X'04' Host unreachable
           o  X'05' Connection refused
           o  X'06' TTL expired
           o  X'07' Command not supported
           o  X'08' Address type not supported
           o  X'09' to X'FF' unassigned
        o  RSV    RESERVED
        o  ATYP   address type of following address
           o  IP V4 address: X'01'
           o  DOMAINNAME: X'03'
           o  IP V6 address: X'04'
        o  BND.ADDR       server bound address
        o  BND.PORT       server bound port in network octet order

    Fields marked RESERVED (RSV) must be set to X'00'.

So for the reply, only the second byte needs checking. If it is 00 the connection is established, and everything after that is the same as a direct connection: Winsock's SendData and GetData can be used directly.

SOCKS5 traversal with username/password authentication

Step one again sends three bytes, but with different content: 05 01 02. The server's reply also differs; the correct reply is 05 02. After that, send the username and password. The RFC says:

    Once the SOCKS V5 server has started, and the client has selected the
    Username/Password Authentication protocol, the Username/Password
    subnegotiation begins. This begins with the client producing a
    Username/Password request:

        +----+------+----------+------+----------+
        |VER | ULEN |  UNAME   | PLEN |  PASSWD  |
        +----+------+----------+------+----------+
        | 1  |  1   | 1 to 255 |  1   | 1 to 255 |
        +----+------+----------+------+----------+

    The VER field contains the current version of the subnegotiation,
    which is X'01'. The ULEN field contains the length of the UNAME field
    that follows. The UNAME field contains the username as known to the
    source operating system. The PLEN field contains the length of the
    PASSWD field that follows. The PASSWD field contains the password
    association with the given UNAME.

    The server verifies the supplied UNAME and PASSWD, and sends the
    following response:

        +----+--------+
        |VER | STATUS |
        +----+--------+
        | 1  |   1    |
        +----+--------+

    A STATUS field of X'00' indicates success. If the server returns a
    failure (STATUS value other than X'00') status, it MUST close the
    connection.

That is, send 01 + username length (1 byte) + the username as bytes + password length (1 byte) + the password as bytes. How the username and password are turned into a Byte array is in the program. The server then returns two bytes; check only the second: 00 is success, anything else is failure.

The remaining steps are identical to the no-authentication case: send 05 01 00 01 + destination address (4 bytes) + destination port (2 bytes) as raw bytes, not strings (for 202.103.190.27 port 7201 that is again 05 01 00 01 CA 67 BE 1B 1C 21, with CA=202, 67=103, BE=190, 1B=27, 1C21=7201; the decimal-to-byte conversion is in the program). Then read the server's reply and check whether its second byte is 00. If it is, the connection is established and the rest works like a direct connection with SendData and GetData.

SOCKS4 TCP traversal (in fact SOCKS4 supports only TCP)

No username/password verification. The RFC says:

    1) CONNECT

    The client connects to the SOCKS server and sends a CONNECT request when
    it wants to establish a connection to an application server. The client
    includes in the request packet the IP address and the port number of the
    destination host, and userid, in the following format.

        +----+----+----+----+----+----+----+----+----+----+....+----+
        | VN | CD | DSTPORT |      DSTIP        | USERID       |NULL|
        +----+----+----+----+----+----+----+----+----+----+....+----+
           1    1      2              4           variable       1

    VN is the SOCKS protocol version number and should be 4. CD is the
    SOCKS command code and should be 1 for CONNECT request.
    NULL is a byte of all zero bits.

First connect to the server as before, then send the data in the RFC's format. With no username/password verification we send 9 bytes, written out as 04 01 + destination port (2 bytes) + destination IP (4 bytes) + 00. Oddly, the USERID field in the table seems to go unused; I have looked at a great deal of C++ code and none of it fills that field in. How the port and IP are converted into Byte arrays is in the sample program. After the message is sent, the server replies in this format:

        +----+----+----+----+----+----+----+----+
        | VN | CD | DSTPORT |      DSTIP        |
        +----+----+----+----+----+----+----+----+
           1    1      2              4

    VN is the version of the reply code and should be 0. CD is the result
    code with one of the following values:

        90: request granted                                    - success
        91: request rejected or failed                         - failure
        92: request rejected because SOCKS server cannot connect to
            identd on the client
        93: request rejected because the client program and identd
            report different user-ids

    The remaining fields are ignored.

Per the RFC, the proxy returns 8 bytes and we only need to check whether the second byte is 90 (decimal). If it is, the connection succeeded; otherwise it failed. The rest works like a direct connection: Winsock's SendData and GetData can be used directly.

HTTP/1.1 proxy traversal

RFC 2616 is very long, and HTTP proxy traversal is simpler than SOCKS, so I will not go into detail here; I only give the connection steps and the request format. Step one is again connecting to the proxy with Winsock. Step two is sending the request string, in the following format.

Without username/password:

    CONNECT + space + target address + : + target port + space + HTTP/1.1 + Chr(13) + Chr(10) +
    Host: + space + target address + : + target port + Chr(13) + Chr(10) + Chr(13) + Chr(10)

With username/password:

    CONNECT + space + target address + : + target port + space + HTTP/1.1 + Chr(13) + Chr(10) +
    Host: + space + target address + : + target port + Chr(13) + Chr(10) +
    Authorization: Basic + space + Base64-encoded username:password + Chr(13) + Chr(10) + Chr(13) + Chr(10) +
    Proxy-Authorization: Basic + space + Base64-encoded username:password + Chr(13) + Chr(10) + Chr(13) + Chr(10)

Once the request is sent you receive the proxy's response. From the RFC (note Status-Line and Status-Code):

    6 Response

    After receiving and interpreting a request message, a server responds
    with an HTTP response message.

        Response      = Status-Line               ; Section 6.1
                        *(( general-header        ; Section 4.5
                         | response-header        ; Section 6.2
                         | entity-header ) CRLF)  ; Section 7.1
                        CRLF
                        [ message-body ]          ; Section 7.2

    6.1 Status-Line

    The first line of a Response message is the Status-Line, consisting
    of the protocol version followed by a numeric status code and its
    associated textual phrase, with each element separated by SP
    characters. No CR or LF is allowed except in the final CRLF sequence.

        Status-Line = HTTP-Version SP Status-Code SP Reason-Phrase CRLF

    6.1.1 Status Code and Reason Phrase

    The Status-Code element is a 3-digit integer result code of the
    attempt to understand and satisfy the request. These codes are fully
    defined in section 10. The Reason-Phrase is intended to give a short
    textual description of the Status-Code. The Status-Code is intended
    for use by automata and the Reason-Phrase is intended for the human
    user. The client is not required to examine or display the Reason-
    Phrase.

    The first digit of the Status-Code defines the class of response. The
    last two digits do not have any categorization role. There are 5
    values for the first digit:

        - 1xx: Informational - Request received, continuing process
        - 2xx: Success - The action was successfully received,
          understood, and accepted
        - 3xx: Redirection - Further action must be taken in order to
          complete the request
        - 4xx: Client Error - The request contains bad syntax or cannot
          be fulfilled
        - 5xx: Server Error - The server failed to fulfill an apparently
          valid request

    The individual values of the numeric status codes defined for
    HTTP/1.1, and an example set of corresponding Reason-Phrases, are
    presented below.
    The reason phrases listed here are only
    recommendations -- they MAY be replaced by local equivalents without
    affecting the protocol.

        Status-Code    =
              "100"  ; Section 10.1.1: Continue
            | "101"  ; Section 10.1.2: Switching Protocols
            | "200"  ; Section 10.2.1: OK
            | "201"  ; Section 10.2.2: Created
            | "202"  ; Section 10.2.3: Accepted
            | "203"  ; Section 10.2.4: Non-Authoritative Information
            | "204"  ; Section 10.2.5: No Content
            | "205"  ; Section 10.2.6: Reset Content
            | "206"  ; Section 10.2.7: Partial Content
            | "300"  ; Section 10.3.1: Multiple Choices
            | "301"  ; Section 10.3.2: Moved Permanently
            | "302"  ; Section 10.3.3: Found
            | "303"  ; Section 10.3.4: See Other
            | "304"  ; Section 10.3.5: Not Modified
            | "305"  ; Section 10.3.6: Use Proxy
            | "307"  ; Section 10.3.8: Temporary Redirect
            | "400"  ; Section 10.4.1: Bad Request
            | "401"  ; Section 10.4.2: Unauthorized
            | "402"  ; Section 10.4.3: Payment Required
            | "403"  ; Section 10.4.4: Forbidden
            | "404"  ; Section 10.4.5: Not Found
            | "405"  ; Section 10.4.6: Method Not Allowed
            | "406"  ; Section 10.4.7: Not Acceptable
            | "407"  ; Section 10.4.8: Proxy Authentication Required
            | "408"  ; Section 10.4.9: Request Time-out
            | "409"  ; Section 10.4.10: Conflict
            | "410"  ; Section 10.4.11: Gone
            | "411"  ; Section 10.4.12: Length Required
            | "412"  ; Section 10.4.13: Precondition Failed
            | "413"  ; Section 10.4.14: Request Entity Too Large
            | "414"  ; Section 10.4.15: Request-URI Too Large
            | "415"  ; Section 10.4.16: Unsupported Media Type
            | "416"  ; Section 10.4.17: Requested range not satisfiable
            | "417"  ; Section 10.4.18: Expectation Failed
            | "500"  ; Section 10.5.1: Internal Server Error
            | "501"  ; Section 10.5.2: Not Implemented
            | "502"  ; Section 10.5.3: Bad Gateway
            | "503"  ; Section 10.5.4: Service Unavailable
            | "504"  ; Section 10.5.5: Gateway Time-out
            | "505"  ; Section 10.5.6: HTTP Version not supported
            | extension-code

So on success the proxy returns HTTP/ + the proxy's HTTP version + 200 + a description (Connection established). We therefore only need to check whether the reply starts with "HTTP" and contains "200".

Below is the source of the key function:

    Public Function ProxyStep(ProxyType As Integer, PStep As Integer)
        ' DestIP, DestPort, UserName, UserPassword, RevBuffer (the bytes received so far,
        ' as a String), ConnStep, GetIPByte and MemCopy are module-level variables and
        ' helpers of the author's program that are not part of this excerpt.
        Dim SendByte() As Byte

        If ProxyType = 0 Then    ' SOCKS4 proxy
            If PStep = 1 Then
                ReDim SendByte(0 To 8) As Byte
                SendByte(0) = 4                      ' 04
                SendByte(1) = 1                      ' 01
                SendByte(2) = Int(DestPort / 256)    ' port, high byte
                SendByte(3) = DestPort Mod 256       ' port, low byte
                SendByte(4) = GetIPByte(1, DestIP)
                SendByte(5) = GetIPByte(2, DestIP)
                SendByte(6) = GetIPByte(3, DestIP)
                SendByte(7) = GetIPByte(4, DestIP)
                SendByte(8) = 0                      ' must end with 0
                Form1.Winsock1.SendData SendByte()
                ConnStep = PStep + 1
                Exit Function
            End If
            If PStep = 2 Then    ' proxy reply: second byte 90 means success, anything else failure
                If Asc(Mid(RevBuffer, 2, 1)) <> 90 Then
                    Debug.Print Asc(Mid(RevBuffer, 2, 1))
                    MsgBox "連接sock4代理失敗!", 48, "錯誤"
                    Form1.Winsock1.Close
                    ConnStep = 0
                    Exit Function
                Else
                    Form1.Label8.Caption = "連接目標服務器成功!"
                    ConnStep = -1
                    Form2.Show
                    Exit Function
                End If
            End If
        End If

        ' * The example below contains a lot of duplicated code so that the SOCKS5
        '   traversal process is as clear as possible; feel free to optimise it. *
        If ProxyType = 1 Then    ' SOCKS5 proxy
            Select Case PStep
            Case 1
                ReDim SendByte(0 To 2) As Byte    ' step 1: send 05 01 00 without auth, 05 02 02 with auth
                SendByte(0) = 5    ' 05
                SendByte(1) = 1    ' 01 - whether this byte is 1 or 2 with username/password auth is much debated;
                                   '      the value Tencent QQ sends when traversing the proxy simulator is used
                                   '      here, correct it yourself if it is wrong!
                SendByte(2) = IIf(Form1.Check1.Value = 0, 0, 2)    ' 00 or 02
                Form1.Winsock1.SendData SendByte()
                ConnStep = PStep + 1
                Exit Function
            Case 2    ' proxy reply
                If Asc(Mid(RevBuffer, 2, 1)) = 255 Then    ' FF (255) means failure
                    MsgBox "連接代理失敗!", 64
                    Form1.Winsock1.Close
                    ConnStep = 0
                    Exit Function
                End If
                If Asc(Mid(RevBuffer, 2, 1)) = 0 And Asc(Mid(RevBuffer, 1, 1)) = 5 Then    ' reply 05 00: no-auth negotiation succeeded
                    Form1.Label8.Caption = "連接成功!無驗證"
                    ReDim SendByte(0 To 9) As Byte    ' step 2 without auth: send the connect request
                    SendByte(0) = 5
                    SendByte(1) = 1
                    SendByte(2) = 0
                    SendByte(3) = 1
                    SendByte(4) = GetIPByte(1, DestIP)
                    SendByte(5) = GetIPByte(2, DestIP)
                    SendByte(6) = GetIPByte(3, DestIP)
                    SendByte(7) = GetIPByte(4, DestIP)
                    SendByte(8) = Int(DestPort / 256)    ' split the decimal port into two bytes
                    SendByte(9) = DestPort Mod 256       ' split the decimal port into two bytes
                    Form1.Winsock1.SendData SendByte()
                    ConnStep = ConnStep + 1
                    Exit Function
                End If
                If Asc(Mid(RevBuffer, 2, 1)) = 2 And Asc(Mid(RevBuffer, 1, 1)) = 5 Then    ' step 2 with username/password auth: success is 05 02
                    Form1.Label8.Caption = "連接成功!有驗證"
                    ReDim SendByte(0 To 2 + Len(UserName) + Len(UserPassword)) As Byte
                    SendByte(0) = 1
                    SendByte(1) = Len(UserName)
                    MemCopy SendByte(2), ByVal UserName, Len(UserName)    ' copy the username bytes in
                    SendByte(2 + Len(UserName)) = Len(UserPassword)
                    MemCopy SendByte(3 + Len(UserName)), ByVal UserPassword, Len(UserPassword)    ' copy the password bytes in
                    Form1.Winsock1.SendData SendByte()
                    ConnStep = ConnStep + 1
                    Exit Function
                End If
            Case 3
                If Asc(Mid(RevBuffer, 2, 1)) <> 0 And Form1.Check1.Value = 1 Then    ' with auth: credentials rejected (second byte 00 = accepted, anything else = rejected)
                    MsgBox "sock5代理校驗用戶名、密碼失敗!", 48, "錯誤"
                    Form1.Winsock1.Close
                    ConnStep = 0
                    Exit Function
                End If
                If Asc(Mid(RevBuffer, 2, 1)) = 0 And Form1.Check1.Value = 1 Then    ' with auth: credentials accepted, second byte is 00
                    Form1.Label8.Caption = "連接成功!有驗證!"
                    ReDim SendByte(0 To 9) As Byte    ' send the connect request
                    SendByte(0) = 5
                    SendByte(1) = 1
                    SendByte(2) = 0
                    SendByte(3) = 1
                    SendByte(4) = GetIPByte(1, DestIP)
                    SendByte(5) = GetIPByte(2, DestIP)
                    SendByte(6) = GetIPByte(3, DestIP)
                    SendByte(7) = GetIPByte(4, DestIP)
                    SendByte(8) = Int(DestPort / 256)    ' split the decimal port into two bytes
                    SendByte(9) = DestPort Mod 256       ' split the decimal port into two bytes
                    Form1.Winsock1.SendData SendByte()
                    ConnStep = ConnStep + 1
                    Exit Function
                End If
                If Asc(Mid(RevBuffer, 2, 1)) = 0 And Form1.Check1.Value = 0 Then    ' last step without auth: second byte 00 means success
                    Form1.Label8.Caption = "連接目標服務器成功!"
                    ConnStep = -1
                    Form2.Show
                    Exit Function
                End If
                If Asc(Mid(RevBuffer, 2, 1)) <> 0 And Form1.Check1.Value = 0 Then    ' last step without auth: anything other than 00 is failure
                    MsgBox "連接目標服務器失敗!", 48, "錯誤"
                    ConnStep = 0
                    Exit Function
                End If
                ' The source document is cut off at this point; the handling of the
                ' next step (the connect reply in the authenticated case) is not included.
            End Select
        End If
    End Function
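The SOCKS exchanges described above (the SOCKS5 method selection, the RFC 1929 username/password sub-negotiation, the CONNECT request and its reply, and the SOCKS4 CONNECT request and 8-byte reply) as an added Python example; this is not the article's VB6 code. It builds every message from the byte layouts quoted in the text, checks the replies the way the text says to (second byte 00, or decimal 90 for SOCKS4), and additionally decodes the bound address for all three ATYP values and reports the RFC 1928 REP codes by name. The ScriptedProxy class is a constructed stand-in for a real proxy, so the whole handshake runs offline; socks5_handshake takes plain send/recv callables, so a real socket's sendall/recv can be passed instead.

```python
"""SOCKS4 / SOCKS5 client framing as described in the article, runnable offline.
Added example, not the article's VB6 code. Byte layouts follow RFC 1928, RFC 1929
and the SOCKS4 CONNECT format quoted above; ScriptedProxy is a constructed stand-in
for a real proxy so the exchange can be exercised without one.
"""
import socket
import struct

NO_AUTH, USER_PASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF
SOCKS5_REP = {0x00: "succeeded", 0x01: "general SOCKS server failure",
              0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
              0x04: "host unreachable", 0x05: "connection refused", 0x06: "TTL expired",
              0x07: "command not supported", 0x08: "address type not supported"}

def socks5_greeting(want_auth):
    """VER=05, NMETHODS=01, METHODS=00 or 02 (the 05 01 00 / 05 01 02 of the text)."""
    return bytes([0x05, 0x01, USER_PASS if want_auth else NO_AUTH])

def socks5_check_method(reply, want_auth):
    """The proxy must echo the one method we offered; FF means none was acceptable."""
    if len(reply) != 2 or reply[0] != 0x05:
        raise ValueError("malformed method-selection reply: %r" % (reply,))
    if reply[1] != (USER_PASS if want_auth else NO_AUTH):
        raise ConnectionError("proxy chose method %02x (FF = none acceptable)" % reply[1])

def socks5_userpass(username, password):
    """RFC 1929 request: 01 ULEN UNAME PLEN PASSWD; each field is 1..255 bytes."""
    u, p = username.encode("utf-8"), password.encode("utf-8")
    if not (1 <= len(u) <= 255 and 1 <= len(p) <= 255):
        raise ValueError("username and password must each be 1..255 bytes")
    return bytes([0x01, len(u)]) + u + bytes([len(p)]) + p

def socks5_check_userpass(reply):
    """Two-byte reply 01 STATUS; only STATUS=00 is success."""
    if len(reply) != 2 or reply[1] != 0x00:
        raise ConnectionError("proxy rejected the credentials: %r" % (reply,))

def socks5_connect(dest_ip, dest_port):
    """05 01 00 01 + IPv4 address (4 bytes) + port (2 bytes, network order)."""
    return b"\x05\x01\x00\x01" + socket.inet_aton(dest_ip) + struct.pack("!H", dest_port)

def socks5_check_connect(reply):
    """Only REP (second byte) decides success; BND.ADDR/BND.PORT are decoded for every ATYP."""
    if len(reply) < 4 or reply[0] != 0x05:
        raise ValueError("malformed CONNECT reply: %r" % (reply,))
    if reply[1] != 0x00:
        raise ConnectionError("CONNECT failed: " + SOCKS5_REP.get(reply[1], "unassigned"))
    atyp, body = reply[3], reply[4:]
    if atyp == 0x01:
        addr, tail = socket.inet_ntoa(body[:4]), body[4:]
    elif atyp == 0x04:
        addr, tail = socket.inet_ntop(socket.AF_INET6, body[:16]), body[16:]
    elif atyp == 0x03:
        addr, tail = body[1:1 + body[0]].decode("ascii"), body[1 + body[0]:]
    else:
        raise ValueError("unknown ATYP %02x" % atyp)
    return addr, struct.unpack("!H", tail[:2])[0]

def socks5_handshake(send, recv, dest_ip, dest_port, username=None, password=None):
    """Drive the whole exchange over send(bytes) / recv(n) callables; recv must return exactly n bytes."""
    want_auth = username is not None
    send(socks5_greeting(want_auth))
    socks5_check_method(recv(2), want_auth)
    if want_auth:
        send(socks5_userpass(username, password))
        socks5_check_userpass(recv(2))
    send(socks5_connect(dest_ip, dest_port))
    head = recv(4)                                   # VER REP RSV ATYP
    if head[3] == 0x03:                              # DOMAINNAME: length byte, name, port
        n = recv(1)
        rest = n + recv(n[0] + 2)
    else:                                            # IPv4 (4+2) or IPv6 (16+2)
        rest = recv(6 if head[3] == 0x01 else 18)
    return socks5_check_connect(head + rest)

def socks4_connect(dest_ip, dest_port, userid=b""):
    """VN=04 CD=01 DSTPORT DSTIP USERID NULL; with an empty USERID this is the article's 9 bytes."""
    return b"\x04\x01" + struct.pack("!H", dest_port) + socket.inet_aton(dest_ip) + userid + b"\x00"

def socks4_check_reply(reply):
    """8-byte reply: VN must be 0 and CD must be decimal 90 (0x5A) for success."""
    if len(reply) != 8 or reply[0] != 0x00 or reply[1] != 90:
        raise ConnectionError("SOCKS4 request not granted: %r" % (reply,))

class ScriptedProxy:
    """Constructed stand-in for a proxy: records what the client sent, replays canned replies."""
    def __init__(self, replies):
        self.sent, self.replies = [], list(replies)
    def send(self, data):
        self.sent.append(data)
    def recv(self, n):
        chunk = self.replies.pop(0)
        assert len(chunk) == n, "script and reader disagree on %d bytes" % n
        return chunk

def demo():
    """Authenticated SOCKS5 CONNECT to the article's 202.103.190.27:7201 via the scripted proxy."""
    proxy = ScriptedProxy([b"\x05\x02", b"\x01\x00", b"\x05\x00\x00\x01", b"\xc0\xa8\x00\x01\x1f\x90"])
    bound = socks5_handshake(proxy.send, proxy.recv, "202.103.190.27", 7201, "user", "pass")
    return proxy.sent, bound
```

The scripted replies in demo() are the ones the text calls success: 05 02 (username/password method selected), 01 00 (credentials accepted) and a 05 00 reply carrying an IPv4 bound address. Any other REP value raises with the RFC 1928 name of the failure rather than a bare "connection failed", which is what you want in a log when a proxy rejects a request by ruleset versus the target being unreachable.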
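The HTTP CONNECT step described above, as an added Python example that is not the article's code. It builds the request line and Host header the article gives, adds credentials only in the Proxy-Authorization header (the header a proxy reads under RFC 2616 section 14.34; Authorization is addressed to the origin server), and places the single blank line that terminates the header block at the very end. For the reply it reads the three-digit Status-Code from the Status-Line position instead of searching the text for "200", because RFC 2616 makes the Reason-Phrase advisory and the digits 200 can appear elsewhere in a failure reply (the test includes a 403 with "Content-Length: 200"). All sample responses are constructed.

```python
"""HTTP CONNECT tunnel request and reply handling, runnable offline.
Added example, not the article's code. Request layout follows the article
(CONNECT line, Host header, optional Basic credentials); reply parsing follows
the RFC 2616 Status-Line grammar quoted above. Sample responses are constructed.
"""
import base64
import re

# HTTP-Version SP Status-Code SP Reason-Phrase CRLF (Reason-Phrase may be empty)
STATUS_LINE = re.compile(rb"^HTTP/(\d)\.(\d) (\d{3})(?: ([^\r\n]*))?\r\n")

def http_connect_request(host, port, username=None, password=None):
    """Build the CONNECT request; each header ends in one CRLF, the block ends in CRLF CRLF."""
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    lines = ["CONNECT %s:%d HTTP/1.1" % (host, port), "Host: %s:%d" % (host, port)]
    if username is not None:
        token = base64.b64encode(("%s:%s" % (username, password)).encode("utf-8")).decode("ascii")
        lines.append("Proxy-Authorization: Basic " + token)
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")

def http_connect_status(response):
    """Parse the Status-Line into (status code, reason phrase); the phrase is advisory only."""
    m = STATUS_LINE.match(response)
    if not m:
        raise ValueError("response does not start with an HTTP Status-Line: %r" % (response[:40],))
    return int(m.group(3)), (m.group(4) or b"").decode("latin-1")

def tunnel_state(response):
    """Classify the proxy's reply: 'open' for any 2xx, 'auth' for 407, otherwise 'failed'."""
    code, _ = http_connect_status(response)
    if 200 <= code <= 299:
        return "open"
    if code == 407:                # proxy wants Proxy-Authorization before it will tunnel
        return "auth"
    return "failed"

def tunnel_payload(response):
    """Bytes after the terminating CRLF CRLF already belong to the target host, not the proxy."""
    end = response.find(b"\r\n\r\n")
    if end < 0:
        raise ValueError("header block not yet complete; keep reading")
    return response[end + 4:]
```

Once tunnel_state() returns "open", everything after the header terminator is the target's own stream, which is why tunnel_payload() hands those bytes back instead of discarding the rest of the buffer: a proxy that coalesces its reply with the first target bytes would otherwise lose data.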
