XR3X

MASM Downloader/Execute

source masm

6 replies to this topic

#1 EpicOut


Posted 25 October 2013 - 08:26 AM

Hey, I'm sharing my downloader; I made it for fun and for instructive purposes.

My downloader just uses UrlDownloadToFile and CreateProcess, all dynamically, to bypass some AVs. I could have used the PEB to make a better downloader but I'm lazy :].


#2 iCode


Posted 25 October 2013 - 07:51 PM

Nice contribution. Just so you know, this isn't dynamic since the API addresses are still hard-coded.



#3 EpicOut


Posted 25 October 2013 - 09:09 PM

They are not hard-coded, and this is dynamic because the functions used are not reported in the IAT, except GetProc & LoadLibrary, but I could have used the PEB to hide them.

Hard-coded supposes the addresses are already known (not in this case); in other words, it's impossible to know the addresses in advance: with ASLR, on every reboot the DLLs/executables change their execution addresses.



#4 iCode


Posted 25 October 2013 - 10:09 PM

They are not hard-coded, and this is dynamic because the functions used are not reported in the IAT, except GetProc & LoadLibrary, but I could have used the PEB to hide them.

Hard-coded supposes the addresses are already known (not in this case); in other words, it's impossible to know the addresses in advance: with ASLR, on every reboot the DLLs/executables change their execution addresses.

 

I meant that if you were to turn this into shellcode, the addresses for GetProcAddress and LoadLibraryA would be static. Sorry, I completely forgot to finish my comment before I posted it :P Since you are creating an executable and not just a binary, you can use Invoke instead of directly calling them from Kernel32.



#5 optyczny


Posted 21 December 2015 - 03:46 PM

Sorry for digging up an old thread, but would someone mind explaining the purpose of:
 

Please Login or Register to see this Hidden Content



#6 Abronsius


Posted 21 December 2015 - 05:47 PM

 

Sorry for digging up an old thread, but would someone mind explaining the purpose of:
 

Please Login or Register to see this Hidden Content

 

Just nothing



#7 Jochen


Posted 22 December 2015 - 09:08 AM

InternetOpenUrl is another way.





