SoFunction
Updated on 2025-04-11

Batch API code to implement file download page 2/2


From this we can see that the API is a function exported from a DLL that simply downloads a file from a web server. Using it is actually not a bad deal: at the very least it takes care of things like resuming interrupted downloads and caching for us, which is far simpler than doing it directly with socket functions or with the WinINet functions.

URLDownloadToFile has five parameters:

The first (pCaller) is only used when the caller is an ActiveX object; it is normally NULL.

The second (szURL) is the URL of the file to download, i.e. the complete path to the file on the server.

The third (szFileName) is the local save path, again a complete path.

The fourth (dwReserved) is reserved and must be 0.

The fifth (lpfnCB) is a pointer to an IBindStatusCallback interface, which is a callback mechanism: through it you can track the current download progress, decide whether to continue or abort the download, and so on.

We only care about the second and third parameters; all the others are set to 0 (in C it is better to write NULL).

Well, that was a lot of typing just to introduce this function, but the whole article hinges on it. With this function in hand, the plan was to call it through RUNDLL32. Unfortunately, this beautiful plan fell apart immediately...

I went to Microsoft and read their Knowledge Base article 164787 (?...kb;en-us;164787), which explains how RUNDLL32 invokes a function and the format a function must have to be callable by it:

They say this:


Quote

Rundll and Rundll32 programs do not allow you to call any exported function from any DLL. For example, you can not use these utility programs to call the Win32 API (Application Programming Interface) calls exported from the system DLLs. The programs only allow you to call functions from a DLL that are explicitly written to be called by them.



This is the required format:


Code

void CALLBACK
EntryPoint(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow);



Unfortunately, our friend URLDownloadToFile does not meet these conditions and was ruthlessly abandoned by RUNDLL32 (a drop of sweat...). RUNDLL32 always calls the entry point with exactly four arguments (a window handle, an instance handle, the command-line string and a show-window flag), while URLDownloadToFile expects five, with the URL and the file name both passed as string pointers, so there is no way to hand it a URL through this interface. But we did not turn our backs on it because of that (another drop of sweat...); in the implementation that follows it still saves us a lot of work.

At this point the plan of running it through RUNDLL32 is aborted... (cold...)

I lit a cigarette and thought: URLDownloadToFile is right there, so how do I call it? I can't just imitate assembly, PUSH five parameters onto the stack and CALL. The function's address would first have to be obtained with LoadLibrary() and GetProcAddress(), and then the addresses of those two functions would have to come from somewhere... forget it. Doing it as an EXE is much simpler (an EXE at least needs no interpreter). So: write an EXE that downloads the file. But our goal is to download with a BAT file. Can a BAT file carry the EXE's data inside it? The answer is yes... Read on...

I remember reading a document, <<Do All in Cmd Shell>>, that describes a method; there is no need to keep it secret. Everyone knows that writing a file with ECHO plus a redirection operator can only produce the displayable part of ASCII (characters with an ASCII value below 128); there is no way to write the characters that cannot be displayed. But this reminds us of a tool, an old-timer of Microsoft's command-line history: DEBUG!

Now the idea is clear: have the batch file carry the bytes ECHO cannot produce (the data of an EXE) as hexadecimal text, feed that text to DEBUG to write out the file, and finally have the BAT call the generated EXE to download the file! (Thinking about it again, it still feels too cumbersome; I wonder whether some guru has a simpler way to do it??)
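As an added example (not from the original article, nor from <<Do All in Cmd Shell>>), here is the generator side of that idea in Python: it turns an arbitrary byte string into the DEBUG script the text describes (`n` to name the output file, `e` lines entering the bytes at CS:0100 as hex, `rcx` to set the write length, then `w` and `q`), wraps the script in a BAT file that writes it with ECHO and runs DEBUG, and includes a small model of DEBUG's behaviour so the output can be checked offline. The file name dl.exe, the script name dl.scr, the sample bytes and the EXE's command-line arguments are constructed for the example; what the downloader EXE actually expects on its command line is an assumption.

```python
import re

DEBUG_LOAD_BASE = 0x100  # DEBUG keeps file data at CS:0100 and writes from there


def debug_script(data: bytes, filename: str, bytes_per_line: int = 16) -> list:
    """Return the lines of a DEBUG script that writes `data` to `filename`.

    n <name>                 sets the output file name
    e <addr> <hex bytes...>  enters the bytes at CS:<addr>
    rcx / <hex>              sets CX, the number of bytes the next `w` writes
    w                        writes CX bytes from CS:0100 to the named file
    q                        quits DEBUG
    """
    if len(data) > 0xFFFF:
        # `w` takes its length from BX:CX; setting only CX covers files below
        # 64 KB, plenty for a hand-written PE, so larger input is refused.
        raise ValueError("files of 64 KB or more need BX set as well")
    if not 1 <= bytes_per_line <= 32:
        raise ValueError("keep DEBUG input lines short")
    lines = ["n " + filename]
    for off in range(0, len(data), bytes_per_line):
        chunk = data[off:off + bytes_per_line]
        lines.append("e %04X %s" % (DEBUG_LOAD_BASE + off,
                                    " ".join("%02X" % b for b in chunk)))
    lines += ["rcx", "%X" % len(data), "w", "q"]
    return lines


def batch_file(data: bytes, exe_name: str, script_name: str = "dl.scr",
               run_args: str = "") -> str:
    """Wrap the DEBUG script in a BAT: write it line by line with ECHO, run
    DEBUG on it, delete it, then run the generated EXE (run_args is assumed).

    The redirection goes *before* `echo` on purpose: `echo 200>>dl.scr` is
    parsed by cmd.exe as `echo 20` with handle 2 (stderr) redirected, which
    would silently corrupt the rcx value line.
    """
    out = ["@echo off"]
    for i, line in enumerate(debug_script(data, exe_name)):
        redirect = ">" if i == 0 else ">>"      # the first line creates the file
        out.append("%s%s echo %s" % (redirect, script_name, line))
    out.append("debug<%s>nul" % script_name)
    out.append("del %s" % script_name)
    out.append(("%s %s" % (exe_name, run_args)).rstrip())
    return "\r\n".join(out) + "\r\n"


def simulate_debug(lines) -> tuple:
    """Model what DEBUG does with the script: returns (file name, bytes written).

    Only the commands emitted above are understood; this exists to check the
    generator without a DOS box.
    """
    buf = bytearray()
    name, cx, written = None, 0, None
    it = iter(lines)
    for line in it:
        parts = line.split()
        if not parts:
            continue
        cmd = parts[0].lower()
        if cmd == "n":
            name = parts[1]
        elif cmd == "e":
            addr = int(parts[1], 16) - DEBUG_LOAD_BASE
            vals = bytes(int(v, 16) for v in parts[2:])
            if addr + len(vals) > len(buf):
                buf.extend(b"\0" * (addr + len(vals) - len(buf)))
            buf[addr:addr + len(vals)] = vals
        elif cmd == "rcx":
            cx = int(next(it), 16)              # the new value is on the next line
        elif cmd == "w":
            written = bytes(buf[:cx].ljust(cx, b"\0"))
        elif cmd == "q":
            break
    return name, written


def script_from_batch(bat: str, script_name: str = "dl.scr") -> list:
    """Recover the DEBUG script lines from the BAT text (the `>dl.scr echo ...` lines)."""
    pat = re.compile(r"^>{1,2}%s echo (.*)$" % re.escape(script_name))
    return [m.group(1) for m in map(pat.match, bat.split("\r\n")) if m]
```

Two practical caveats: the `>>dl.scr echo ...` form avoids cmd.exe reading a digit just before `>>` as a handle number, and DEBUG itself is a 16-bit program, so the whole trick only works on 32-bit Windows where DEBUG.EXE still exists.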


4. Solution: hands-on implementation

If I simply wrote a downloader EXE and wrapped it in a BAT file, my colleagues would certainly laugh at me. Not only would the thousands of bytes of data drag the BAT file into something large and bloated, the simple idea behind it would also be exposed at once. To avoid these side effects, and to keep this document from shrinking into something uninteresting (in fact, having read a masterpiece by watercloud earlier, I understand this deeply), I decided to write the string of hexadecimal code by hand instead of using a compiler-produced EXE. It not only makes the result look nicer but also raises the technical content... (One_One... pure showing off...)

The most urgent task now is an EXE that can download a file, and for that a single call to URLDownloadToFile is all that is needed. So let's first write a PE skeleton. Everyone knows the format of PE files; if you don't, go read the book by the famous telecom hacker Luo Moumou. (Who!?...~)

First, the PE skeleton. The smallest FileAlignment that XP supports is 0x200 (512 bytes in decimal; from here on, values prefixed with 0x are hexadecimal), so our skeleton will occupy 512 bytes (note that below I have separated the PE parts with blank lines so that, read together with the accompanying explanation, they are easy to follow). There is no code or data in this skeleton:
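Before the byte-by-byte dump, an added illustration that is not the article's own skeleton: a Python script that lays out the same headers (DOS header, PE signature, IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER32 with its 16 data directories, and one section header) with FileAlignment 0x200, so the real headers end at 0x160 and the file is padded to exactly 512 bytes, plus a checker that walks a finished dump and reports where each part sits and what the alignment fields say. The field values (image base 0x400000, console subsystem, stack and heap sizes, section name .text, entry point at the start of the section) are this example's choices, not taken from the article; with no code supplied it produces header bytes only, not a working downloader.

```python
import struct

FILE_ALIGNMENT = 0x200        # the value the article's 512-byte skeleton is based on
SECTION_ALIGNMENT = 0x1000
IMAGE_BASE = 0x00400000       # example choice
OPTIONAL_HEADER_SIZE = 0xE0   # IMAGE_OPTIONAL_HEADER32 incl. 16 data directories


def _align(n: int, a: int) -> int:
    return (n + a - 1) // a * a


def build_pe_skeleton(code: bytes = b"", subsystem: int = 3) -> bytes:
    """Build a PE32 image: DOS header, PE signature, file header, optional
    header, one section header, padded to FILE_ALIGNMENT, then `code` as the
    body of that section (also padded). With `code` empty the result is the
    512 bytes of headers the article talks about."""
    e_lfanew = 0x40                         # PE header right after the 64-byte DOS header
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)

    raw_size = _align(len(code), FILE_ALIGNMENT)
    size_of_image = SECTION_ALIGNMENT + max(_align(len(code), SECTION_ALIGNMENT),
                                            SECTION_ALIGNMENT)

    # IMAGE_FILE_HEADER: i386, 1 section, no symbols, 0xE0-byte optional header,
    # RELOCS_STRIPPED | EXECUTABLE_IMAGE | 32BIT_MACHINE
    file_header = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0,
                              OPTIONAL_HEADER_SIZE, 0x0103)

    # IMAGE_OPTIONAL_HEADER32 (96 bytes) followed by 16 empty data directories
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
        0x010B, 0, 0,                   # Magic PE32, linker major/minor
        raw_size, 0, 0,                 # SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData
        SECTION_ALIGNMENT,              # AddressOfEntryPoint: start of the single section
        SECTION_ALIGNMENT, 0,           # BaseOfCode, BaseOfData
        IMAGE_BASE, SECTION_ALIGNMENT, FILE_ALIGNMENT,
        4, 0, 0, 0, 4, 0,               # OS, image and subsystem major/minor versions
        0, size_of_image, FILE_ALIGNMENT, 0,   # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
        subsystem, 0,                   # Subsystem (3 = console), DllCharacteristics
        0x100000, 0x1000, 0x100000, 0x1000,    # stack/heap reserve and commit
        0, 16)                          # LoaderFlags, NumberOfRvaAndSizes
    opt += b"\0" * 128
    assert len(opt) == OPTIONAL_HEADER_SIZE

    # IMAGE_SECTION_HEADER for .text: CODE | EXECUTE | READ | WRITE
    section = struct.pack("<8sIIIIIIHHI", b".text", len(code), SECTION_ALIGNMENT,
                          raw_size, FILE_ALIGNMENT, 0, 0, 0, 0, 0xE0000020)

    headers = bytes(dos) + b"PE\0\0" + file_header + opt + section   # 0x160 bytes
    headers = headers.ljust(FILE_ALIGNMENT, b"\0")                    # padded to 0x200
    return headers + code.ljust(raw_size, b"\0")


def pe_layout(blob: bytes) -> dict:
    """Walk the headers of `blob` and report the offsets and fields that matter
    when assembling the file by hand, so a dump can be checked before it is
    fed to DEBUG."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", blob, 0x3C)
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    fh = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, fh)
    opt = fh + 20
    magic, = struct.unpack_from("<H", blob, opt)
    entry, = struct.unpack_from("<I", blob, opt + 16)
    sect_align, file_align = struct.unpack_from("<II", blob, opt + 32)
    size_of_headers, = struct.unpack_from("<I", blob, opt + 60)
    first_section = opt + opt_size
    name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", blob, first_section)
    return {"e_lfanew": e_lfanew, "machine": machine, "sections": nsections,
            "magic": magic, "entry": entry, "section_alignment": sect_align,
            "file_alignment": file_align, "size_of_headers": size_of_headers,
            "first_section_offset": first_section,
            "section_name": name.rstrip(b"\0"), "section_va": va,
            "section_virtual_size": vsize, "section_raw_ptr": rawptr,
            "section_raw_size": rawsize}
```

The layout is fixed by the structure sizes: 0x40 bytes of DOS header, 4 bytes of signature, 0x14 bytes of file header and 0xE0 bytes of optional header put the first section header at 0x138 and the end of the real headers at 0x160, and FileAlignment 0x200 then dictates both the header padding and the section's file offset, which is exactly why the article's skeleton is 512 bytes.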

(ZV's friendly reminder: what follows is the boring part. Everyone, hold an awl in your hand and read on in the spirit of fearing neither hardship nor pain...)
(If your attention span is short, or you are already familiar with PE files, you can skip the bytes and jump to "JMP S1" to continue reading.)
(If you only want to know what this is about, or are just browsing this essay out of curiosity, go straight to "JMP S2".)
(Those who are asleep may keep sleeping...)