Author: ZV (ZVROP)
E-mail: zvrop@163.com
Home: http://www.s8s8.net
Date: 2004-8-18

Please keep this document complete when reproducing it, thank you. A lot of it was written in a hurry, so mistakes and omissions are inevitable; please point them out. If you have any questions, you can send me an e-mail. ^ _ ^ ...

Directory:
1. Written in front
2. The cause of the story
3. Solution - rough draft
4. Solution - actual combat
5. Solution - creating
6. Packaging
7. Summary
8. Afterword
9. References

Text begins:

1. Written in front

This document does not describe any fresh technology; I just played with existing things to make them do what I needed. If you already understand batch processing and the PE format quite well, you may as well browse straight through ... ^ _ ^ ... In addition, because I personally like to talk a lot, I did not want to write this for a magazine, where they give you 3,000 words and tell you to say it all in that; it is better to be unlimited and refreshing (of course, there is no pay either ... one _ one ..). So, to keep you from falling asleep on the way through this article, please bring your own cone one ..... Finally, although this document says it is about downloading files with batch, in fact it covers a lot of other knowledge; if you have time you may wish to look it over, ^ _ ^. Now let's begin ..

2. The cause of the story

The cause of this idea was a post in the forum (advertisement: http://www.s8s8.net): a picture batch-downloader written in Bash shell (it was for H pictures ... one _ one ..). Following it came more: PHP, VBS, C, C#, Java versions, and even multi-threaded and resumable ones .... To quote big brother Flower: "Silence, for MM photos everyone's motivation is really high!" ... Sweat ~~ .. After posting PHP and C code myself (feeling my own motivation ... big colour wolf ... one _ one ..), I felt it was all very simple (because downloading a file with C or PHP is very basic), so I started to try to implement it with Microsoft's most primitive script, Batch (the "no" word in this article is in commemoration of this, one _ one.). This seems a bit incredible, because batch has almost no network support at all (of course, if you can download a file with Telnet, I am very impressed. One _ one ..), but it is not impossible; after all, there are so many things in Windows that can be used .... Seduced by this challenge, I completed the batch download function .... Now let me replay my idea step by step and unveil the mystery of downloading files with batch ...

3. Solution - rough draft

If you use batch to download a file, you will definitely think of the CScript scripts (or JavaScript); of course, many batch scripts implement features that batch itself cannot by echoing out another script. But our purpose is to implement the download function with batch itself. If VBS has to come to the rescue, you might as well write VBS directly. So this idea is blown .... Then I remembered a DLL I had seen before that seemed to suit our purpose, because it has an API for downloading files; if Rundll could call it, nothing could be better. So I opened MSDN and found the API: URLDownloadToFile. Function prototype:
Code
HRESULT URLDownloadToFile(LPUNKNOWN pCaller, LPCTSTR szURL, LPCTSTR szFileName, DWORD dwReserved, LPBINDSTATUSCALLBACK lpfnCB);
Some information about the URLDownloadToFile function:
Quote
Header: Urlmon.h
Import library: Urlmon.lib
Minimum availability: Internet Explorer 3.0
Minimum operating systems: Windows NT 4.0, Windows 95
From this we know that this API is an export function of urlmon.dll. It simply implements downloading a file from a web server, which is not bad; at least it takes care of things like resuming (breakpoints) and caching for us, which is far more than we would get by using the socket functions or the WinInet functions directly. URLDownloadToFile has five parameters:
The first parameter is used only when the caller is an ActiveX object; it is normally NULL.
The second parameter is the URL of the file to download, the full path.
The third is the local save path, also a full path.
The fourth is reserved and must be 0.
The fifth is a pointer to an IBindStatusCallback interface, which is a kind of callback mechanism: you can use it to monitor the current progress, decide whether to continue the download, and so on.
For our purposes we only care about the second and third parameters; the others are all set to 0 (of course, when you write it in C it is best to set them to NULL).
Well, I have spent so many words introducing this function because the whole document is closely tied to it. Having this function, the first thought is to call it through Rundll32, but unfortunately this beautiful plan was also broken ...
I went to Microsoft and read their knowledge base article 164787 (http://support.microsoft.com/default.aspx?...kb;n-us;164787), which describes how Rundll32 works and the format of the functions it can call:
They say this:
Quote
Rundll and Rundll32 programs do not allow you to call any exported function from any DLL. For example, you cannot use these utility programs to call the Win32 API (Application Programming Interface) calls exported from the system DLLs. The programs only allow you to call functions from a DLL that are explicitly written to be called by them.
This is the specified format:
Code
void CALLBACK EntryPoint(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow);
Unfortunately, our brother URLDownloadToFile does not meet these conditions and was ruthlessly abandoned by Rundll32 (sweat drops ...) ... But we did not abandon it (sweat drops again ..); after all, in the later implementation it saves us a lot of work.
At this point the plan of running it with Rundll32 was aborted .... (cold ...)
I wanted a smoke. Now, with URLDownloadToFile in hand, how can I call this function? I can't, as in assembly, push two parameters and then Call; the address of the function would also have to be computed. Ugh, the address of these two functions ..... Or give up ... and write an EXE to download the file. But our purpose is to download with a BAT; can a BAT file carry the data of an EXE? The answer is yes ...
I remember having seen a document, << Do All In Cmd Shell >>, which introduced a method. Let me keep you in suspense first. Everyone knows that when you use Echo to append to a file you can only write the displayable part of ASCII (that is, ASCII values less than 128); for the characters that cannot be displayed there is no way. But this reminds us of a tool just as ancient in Microsoft's history as batch itself, batch's brother - Debug!
Now the thinking is clear: have the batch file carry the characters that Echo cannot output (such as the bytes of an EXE) converted into hex data, then use Debug to write them out to a file, and finally call the generated EXE to download the file! (Having written up to here, I feel it is too much trouble; does some expert know a simpler way to achieve this??)

4. Solution - actual combat
If you write an EXE that downloads files and then package it with BAT, you will be laughed at by fellow enthusiasts: not only because the thousands of bytes of data drag along a big, bloated BAT file, but also because it immediately cheapens this simple idea. To avoid these negative effects, there is nothing for it but a hand-written string of hex digits instead of a compiler-produced EXE (I got quite a thrill when I saw Watercloud's masterpiece earlier). It looks beautiful and has more technical content ..... (one _ one ... boasting ...)
What is urgent today is to write an EXE that can download a file. To achieve this goal just one URLDownloadToFile is needed; we will put that in at the final implementation. First let's write a PE framework. Everyone knows the format of a PE file; those who don't can look at the book by the famous telecom hacker Luo Mou. (Who!? ... ~)
First, our PE framework. Under XP the FileAlignment has to be 0x200 (512 in decimal; hex values here have 0x in front), so our framework is 512 bytes (note: below I use blank lines to separate each part of the PE; read together with the following text, it is easier to understand). There is no code or data in this framework:
(ZV friendly tip: below is the most boring part; everyone hold on to your cone and read it in a spirit of fearing neither hardship nor pain ....)
(Friends who are not interested, or who are already familiar with this pile of PE stuff, can "JMP S1" and skip ahead.)
(If you just want to know what is going on, or are reading with a textbook-browsing attitude, you can go directly to "JMP S2" and continue browsing.)
(Sleeping? Continue sleeping ...)
Code
[Hex dump of the 512-byte PE framework, offsets 00000000 to 000001F0, with lines of "=" separating its three parts. The dump did not survive extraction in this copy; what can still be read from it is the bytes 4D 5A ("MZ") at offset 0 and the 0x40 at offset 0x3C pointing to the "PE" signature, followed by the machine word 4C 01, at offset 0x40.]
Here is a brief introduction to the composition of the PE file format:
A PE file can be divided into these three parts (that is, the three parts separated by the "==" lines in the framework above):
Quote
DOS information part
PE information part
Let me briefly introduce the structure of each part, starting with the "DOS information part":
Quote
[DOS file header] [0x40]           <== DOS information section
[DOS stub]        [0x70, variable]
This section is, I think, the most redundant place. First, the structure of the DOS file header:
Code
typedef struct _IMAGE_DOS_HEADER {      // DOS .EXE header
    WORD   e_magic;                     // Magic number
    WORD   e_cblp;                      // Bytes on last page of file
    WORD   e_cp;                        // Pages in file
    WORD   e_crlc;                      // Relocations
    WORD   e_cparhdr;                   // Size of header in paragraphs
    WORD   e_minalloc;                  // Minimum extra paragraphs needed
    WORD   e_maxalloc;                  // Maximum extra paragraphs needed
    WORD   e_ss;                        // Initial (relative) SS value
    WORD   e_sp;                        // Initial SP value
    WORD   e_csum;                      // Checksum
    WORD   e_ip;                        // Initial IP value
    WORD   e_cs;                        // Initial (relative) CS value
    WORD   e_lfarlc;                    // File address of relocation table
    WORD   e_ovno;                      // Overlay number
    WORD   e_res[4];                    // Reserved words
    WORD   e_oemid;                     // OEM identifier (for e_oeminfo)
    WORD   e_oeminfo;                   // OEM information; e_oemid specific
    WORD   e_res2[10];                  // Reserved words
    LONG   e_lfanew;                    // File address of new exe header
} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;

The most important member is e_lfanew, which points to the start address of the "PE information part" below (that is, what is commonly called the PE header). The other members are structures needed to run this PE file under DOS; as the comments say, things like the initial stack segment, initial stack pointer, entry IP, CS and so on. None of these matter under Win32, so I won't translate them; if this PE file is only meant to run under Windows, you can fill them with anything, even your name (..... one _ one ..). Of course, after that the file will not run under DOS any more ... or rather, it is almost certain what would happen .... (cold ...).
Besides e_lfanew being the pointer to the PE header, remember that the DOS file header structure is 0x40, that is, 64 bytes long. There is also the first member, e_magic, which is always "0x4D 0x5A", that is, the characters "MZ".
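As an added example (not from the original article or its author), here is the defender's side of the technique described in sections 3 and 4 above: a small Python decoder that rebuilds the bytes a batch file's echoed DEBUG script would write, then checks the two IMAGE_DOS_HEADER fields just discussed, e_magic and e_lfanew, against the "PE\0\0" signature. The batch sample, the output name dl.exe and the script file t.s are constructed for this example; the DEBUG commands used (e, n, rcx, w, q) are the standard ones.

```python
import struct

# Constructed sample of the packaging the article describes: the batch file
# echoes a DEBUG script ('e' enters hex bytes at CS:0100, 'rcx' + hex count sets
# the size, 'w' writes it).  Payload: a 64-byte DOS header with e_lfanew = 0x40,
# followed by 'PE\0\0' and Machine = 0x014C (i386).
SAMPLE_BAT = """echo e 0100 4D 5A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >> t.s
echo e 0120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 >> t.s
echo e 0140 50 45 00 00 4C 01 00 00 >> t.s
echo n dl.exe >> t.s
echo rcx >> t.s
echo 48 >> t.s
echo w >> t.s
debug < t.s
"""

def parse_debug_script(bat_text, base=0x100):
    """Rebuild the bytes DEBUG would write; returns (image, declared_size)."""
    chunks, size, want_count = {}, None, False
    for raw in bat_text.splitlines():
        line = raw.split(">>")[0].strip()           # drop the redirection target
        if line.lower().startswith("echo "):        # keep only what echo emits
            line = line[5:].strip()
        if not line:
            continue
        if want_count:                              # the line after 'rcx' is the size
            size, want_count = int(line, 16), False
            continue
        tok = line.split()
        if tok[0].lower() == "e" and len(tok) > 2:  # e <addr> <hex bytes ...>
            chunks[int(tok[1], 16) - base] = bytes.fromhex("".join(tok[2:]))
        elif tok[0].lower() == "rcx":
            want_count = True
    image = bytearray(max((o + len(d) for o, d in chunks.items()), default=0))
    for off, data in chunks.items():
        image[off:off + len(data)] = data
    return bytes(image), size

def inspect_dos_header(image):
    """Check e_magic == 'MZ' and that e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(image) < 0x40:
        return {"ok": False, "reason": "shorter than the 64-byte DOS header"}
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    info = {"ok": False, "e_magic": image[:2], "e_lfanew": e_lfanew}
    if info["e_magic"] != b"MZ":
        info["reason"] = "e_magic is not MZ"
    elif e_lfanew + 6 > len(image) or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        info["reason"] = "e_lfanew does not point at a PE signature"
    else:                                           # IMAGE_FILE_HEADER.Machine follows
        (info["machine"],) = struct.unpack_from("<H", image, e_lfanew + 4)
        info["ok"] = True
    return info
```

Run against a real dropper-style batch file, a mismatch between the declared rcx size and the rebuilt image length, or a header that fails these checks, is the first sign that the embedded data is not the plain PE it claims to be.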