用批处理调用api实现文件下载.txt (Downloading a file from a batch script by calling the API)

Batch files collected by the expert lxmxn, including batch tutorials and dozens of his classic scripts.
4. The solution, hands-on

If I simply wrote an EXE that downloads a file and then wrapped it in a BAT, my peers would certainly laugh at me, not only because a few thousand bytes of payload would turn the BAT into a bloated file, but also because it would immediately expose how simple-minded the idea is. To avoid those downsides, and so that this document does not end up so dry that nobody bothers to read it (in truth, because I read a great piece by watercloud some time ago and found it quite inspiring), I decided to write out a string of hexadecimal by hand in place of the compiler-generated EXE. It makes the result look nicer and adds some technical interest..... (-_-... this is pure showing off...)

What we need most right now is an EXE that can download a file. A single call to URLDownloadToFile is enough for that, and we will leave it for the end; first let us build a PE skeleton. Everybody knows the PE file format, right? If not, go read the famous book by that telecom hacker Luo so-and-so. (Who!?...~)

Here is our PE skeleton. The smallest FileAlignment the XP loader supports is 0x200 (that is 512 bytes in decimal; from here on, anything prefixed with 0x is a hexadecimal value), so our skeleton is laid out as exactly 512 bytes (note that I leave gaps in the dump below to mark the individual PE parts; read them together with the description that follows and they are easy to understand). This skeleton contains no code or data at all:

(ZV's friendly reminder: what follows is the most tedious part. Grab an awl, and summon the spirit of fearing neither hardship nor pain to read through it....)
(Friends whose willpower is not up to it, or who already know PE files inside out, can jump straight to "JMP S1" and read on from there.)
(Friends who only want to know what this is about, or who are just browsing this essay, can jump straight to "JMP S2" and continue from there.)
(Those who have fallen asleep, keep sleeping....)


Code

Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F

00000000   4D 5A 00 00 00 00 00 00  00 00 00 00 00 00 00 00   MZ..............
00000010   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00000020   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00000030   00 00 00 00 00 00 00 00  00 00 00 00 40 00 00 00   ............@...

==============================================================================

00000040   50 45 00 00 4C 01 02 00  00 00 00 00 00 00 00 00   PE..L...........
00000050   00 00 00 00 70 00 0F 01  

                                    0B 01 00 00 00 02 00 00   ....p...........
00000060   00 00 00 00 00 00 00 00  79 01 00 00 00 00 00 00   ........y.......
00000070   00 00 00 00 00 00 40 00  00 10 00 00 00 02 00 00   ......@.........
00000080   00 00 00 00 00 00 00 00  04 00 00 00 00 00 00 00   ................
00000090   00 30 00 00 00 02 00 00  00 00 00 00 02 00 00 00   .0..............
000000A0   00 01 00 00 00 00 00 00  00 01 00 00 00 10 00 00   ................
000000B0   00 00 00 00 02 00 00 00  

                                    00 00 00 00 00 00 00 00   ................
000000C0   28 11 00 00 28 00 00 00  

==============================================================================

                                    00 00 00 00 00 00 00 00   (...(...........
000000D0   00 02 00 00 00 10 00 00  00 02 00 00 00 01 00 00   ................
000000E0   00 00 00 00 00 00 00 00  00 00 00 00 60 00 00 60   ............`..`
000000F0   00 00 00 00 00 00 00 00  02 00 00 00 00 20 00 00   ............. ..
00000100   00 02 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00000110   00 00 00 00 60 00 00 60  00 00 00 00 00 00 00 00   ....`..`........


00000120   58 11 00 00 00 00 00 00  50 11 00 00 00 00 00 00   X.......P.......
00000130   00 00 00 00 6E 11 00 00  20 11 00 00 00 00 00 00   ....n... .......
00000140   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00000150   58 11 00 00 00 00 00 00

                                    00 00 00 00 00 00 00 00   ................
00000160   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00000170   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00000180   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00000190   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
000001A0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
000001B0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
000001C0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
000001D0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
000001E0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
000001F0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
 



Here is a short introduction to the composition of the PE file format:

Broadly speaking, a PE file can be divided into three parts (the three parts separated by "==" in the skeleton above):


Quote

++++++++++++++++++++++++
+ DOS information part +
++++++++++++++++++++++++

++++++++++++++++++++++++
+ PE information part  +
++++++++++++++++++++++++

++++++++++++++++++++++++
+ Data part            +
++++++++++++++++++++++++
 




Now a short introduction to the structure of each part, starting with the "DOS information part":


Quote

+++++++++++++++++++++++++++++++++++++++++++++
+  +++++++++++++++++++++++++++++++++++++++  +
+  +[DOS header][0x40]                   +  +
+  +++++++++++++++++++++++++++++++++++++++  +
+                                           + <== DOS information part
+  +++++++++++++++++++++++++++++++++++++++  +
+  +[DOS stub][0x70, variable]           +  +
+  +++++++++++++++++++++++++++++++++++++++  +
+++++++++++++++++++++++++++++++++++++++++++++
 



In my view this part is the most redundant one. First, the structure of the DOS header:


Code

typedef struct _IMAGE_DOS_HEADER {      // DOS .EXE header
 WORD   e_magic;                       // Magic number
 WORD   e_cblp;                        // Bytes on last page of file
 WORD   e_cp;                          // Pages in file
 WORD   e_crlc;                        // Relocations
 WORD   e_cparhdr;                     // Size of header in paragraphs
 WORD   e_minalloc;                    // Minimum extra paragraphs needed
 WORD   e_maxalloc;                    // Maximum extra paragraphs needed
 WORD   e_ss;                          // Initial (relative) SS value
 WORD   e_sp;                          // Initial SP value
 WORD   e_csum;                        // Checksum
 WORD   e_ip;                          // Initial IP value
 WORD   e_cs;                          // Initial (relative) CS value
 WORD   e_lfarlc;                      // File address of relocation table
 WORD   e_ovno;                        // Overlay number
 WORD   e_res[4];                      // Reserved words
 WORD   e_oemid;                       // OEM identifier (for e_oeminfo)
 WORD   e_oeminfo;                     // OEM information; e_oemid specific
 WORD   e_res2[10];                    // Reserved words
 LONG   e_lfanew;                      // File address of new exe header
} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;
 



The most important field is e_lfanew, which points to the start of the "PE information part" below (what is commonly called the PE header). The rest are structures needed to run this file under DOS; as the comments show, things like the initial stack segment, initial stack pointer, entry IP, CS and so on, all of them useless on Win32, so I will not translate them. They only matter under DOS. If this PE file is meant to run on Windows from the start, it does not matter what garbage you write there; you could even put your own name in (.....-_-..). Of course, once you do that the file will no longer run under DOS.. a crash is all but guaranteed....(shiver....)

What to remember, besides the fact that e_lfanew is the pointer to the PE header: the DOS header structure is 0x40, that is 64 bytes, long. And the first field, e_magic, is always 0x4D 0x5A, the characters "MZ".

The DOS stub holds a piece of code that runs under DOS; most compilers these days simply emit a stub that prints the string "This program cannot be run in DOS mode". Like the unused fields of the DOS header, it can be removed entirely if you do not intend to run the EXE under DOS. Why? Because the Win32 PE loader only checks e_magic and then follows e_lfanew in the "DOS information part" to the PE header; nothing in between is ever looked at.
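The following script is an added worked example, not code from the article or from lxmxn. It rebuilds the 512-byte skeleton from the hex dump above (transcribed dword by dword, everything else zero) and walks it the way the Win32 loader does: check e_magic, follow e_lfanew, read the file header, the optional header, the data directories and the two section headers. The struct layouts are the standard winnt.h ones; the field names in the returned dict, the build_skeleton/parse_pe/locate_rva function names and the dos_stub_len derived value are my own choices, and locate_rva ignores section-alignment padding.

```python
"""Parse the hand-built 512-byte PE skeleton with only the Python standard library."""
import struct

# The article's 0x200-byte skeleton, transcribed dword by dword from its hex dump.
# Every byte not covered by an entry here is zero.
_SKELETON_BYTES = {
    0x00: "4D5A",                                    # e_magic = "MZ" (0x4D 0x5A)
    0x3C: "40000000",                                # e_lfanew = 0x40: no DOS stub at all
    0x40: "50450000" "4C010200" "00000000" "00000000" "00000000" "70000F01",   # PE\0\0 + IMAGE_FILE_HEADER
    0x58: "0B010000" "00020000" "00000000" "00000000" "79010000" "00000000"    # IMAGE_OPTIONAL_HEADER32
          "00000000" "00004000" "00100000" "00020000" "00000000" "00000000"
          "04000000" "00000000" "00300000" "00020000" "00000000" "02000000"
          "00010000" "00000000" "00010000" "00100000" "00000000" "02000000"
          "00000000" "00000000" "28110000" "28000000",                         # export dir, import dir
    0xC8: "00000000" "00000000" "00020000" "00100000" "00020000" "00010000"    # IMAGE_SECTION_HEADER 1
          "00000000" "00000000" "00000000" "60000060",
    0xF0: "00000000" "00000000" "02000000" "00200000" "00020000" "00000000"    # IMAGE_SECTION_HEADER 2
          "00000000" "00000000" "00000000" "60000060",
    0x120: "58110000" "00000000" "50110000" "00000000" "00000000" "6E110000" "20110000",
    0x150: "58110000",
}

_FILE_HEADER = struct.Struct("<HHIIIHH")                 # IMAGE_FILE_HEADER, 20 bytes
_OPT_HEADER32 = struct.Struct("<HBB" + "I" * 9 + "HHHHHH" + "IIII" + "HH" + "IIIIII")  # 96 bytes
_SECTION = struct.Struct("<8sIIIIIIHHI")                 # IMAGE_SECTION_HEADER, 40 bytes


def build_skeleton() -> bytes:
    """Materialise the dump above as a 512-byte image (constructed test input)."""
    buf = bytearray(0x200)
    for off, hexstr in _SKELETON_BYTES.items():
        chunk = bytes.fromhex(hexstr)
        buf[off:off + len(chunk)] = chunk
    return bytes(buf)


def parse_dos_header(image: bytes) -> dict:
    """Only two DOS header fields matter to the Win32 loader: e_magic and e_lfanew."""
    if len(image) < 0x40:
        raise ValueError("shorter than IMAGE_DOS_HEADER (0x40 bytes)")
    e_magic = image[0:2]
    if e_magic != b"MZ":
        raise ValueError(f"bad e_magic {e_magic!r}, expected b'MZ'")
    (e_lfanew,) = struct.unpack_from("<i", image, 0x3C)
    if not 0x40 <= e_lfanew <= len(image) - 4:
        raise ValueError(f"e_lfanew {e_lfanew:#x} points outside the file")
    # Whatever sits between the 0x40-byte DOS header and the PE signature is the DOS stub.
    return {"e_magic": e_magic, "e_lfanew": e_lfanew, "dos_stub_len": e_lfanew - 0x40}


def parse_pe(image: bytes) -> dict:
    """Follow e_lfanew and decode the PE32 headers that follow it."""
    dos = parse_dos_header(image)
    pe = dos["e_lfanew"]
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("e_lfanew does not point at the PE signature")
    machine, nsect, _, _, _, opt_size, chars = _FILE_HEADER.unpack_from(image, pe + 4)
    opt_off = pe + 4 + _FILE_HEADER.size
    opt = _OPT_HEADER32.unpack_from(image, opt_off)
    if opt[0] != 0x10B:
        raise ValueError(f"optional header magic {opt[0]:#x} is not PE32")
    dirs_off = opt_off + _OPT_HEADER32.size          # data directories sit right after the fixed part
    data_dirs = [struct.unpack_from("<II", image, dirs_off + 8 * i) for i in range(opt[-1])]
    sect_off = opt_off + opt_size                    # section table follows the whole optional header
    sections = []
    for i in range(nsect):
        name, vsize, va, rawsize, rawptr, _, _, _, _, flags = _SECTION.unpack_from(
            image, sect_off + i * _SECTION.size)
        sections.append({"name": name.rstrip(b"\0"), "virtual_size": vsize, "virtual_address": va,
                         "raw_size": rawsize, "raw_ptr": rawptr, "characteristics": flags})
    return {
        **dos, "machine": machine, "num_sections": nsect, "characteristics": chars,
        "size_of_optional_header": opt_size, "section_table_offset": sect_off,
        "entry_point": opt[6], "image_base": opt[9], "section_alignment": opt[10],
        "file_alignment": opt[11], "size_of_image": opt[19], "size_of_headers": opt[20],
        "subsystem": opt[22], "data_directories": data_dirs, "sections": sections,
    }


def locate_rva(hdr: dict, rva: int) -> str:
    """Say where an RVA lands: in the mapped header block, in a section, or nowhere (approximate)."""
    if rva < hdr["size_of_headers"]:
        return "headers"
    for i, s in enumerate(hdr["sections"]):
        if s["virtual_address"] <= rva < s["virtual_address"] + max(s["virtual_size"], s["raw_size"]):
            return f"section {i + 1}"
    return "unmapped"


if __name__ == "__main__":
    hdr = parse_pe(build_skeleton())
    for key in ("e_lfanew", "dos_stub_len", "num_sections", "section_table_offset",
                "entry_point", "image_base", "size_of_image", "size_of_headers"):
        print(f"{key:24s} {hdr[key]:#x}")
    print("entry point lands in:", locate_rva(hdr, hdr["entry_point"]))
    imp_rva = hdr["data_directories"][1][0]
    print(f"import directory RVA {imp_rva:#x} lands in:", locate_rva(hdr, imp_rva))
```

Two things the parse makes visible that the dump alone does not: the skeleton's e_lfanew of 0x40 leaves a DOS stub of zero bytes, which is exactly the deletion the text describes, and the section table starts at 0x58 + SizeOfOptionalHeader (0x70) = 0xC8, the point where the second "==" separator was placed in the dump.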
 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

 
 
 
 
