;-----------------------------------------------------------------------------
; Process-enumeration / self-protection utility (x86-32, MASM syntax, StdCall)
;
; What the code below demonstrably does:
;   1. takes a Toolhelp32 process snapshot and walks it with
;      Process32First/Process32Next, appending "<exe name>    PID:<hex>" lines
;      to the buffer `space2`;
;   2. for every snapshot entry after the first, opens the process with
;      OpenProcess, reads 400h bytes from address 00400000h into `header`,
;      and compares the first section header found there against the fixed
;      byte pattern `string1`;
;   3. on a match, calls TerminateProcess on that process;
;   4. finally shows the collected list in a MessageBox and exits.
;
; The author's stated goal is to find and kill the "procdump" tool, i.e. this
; is an anti-analysis routine of the kind found in self-protecting binaries.
; From a defender's point of view the observable behaviour is the API chain
; CreateToolhelp32Snapshot -> OpenProcess(PROCESS_ALL_ACCESS) ->
; ReadProcessMemory -> TerminateProcess aimed at processes other than the
; caller's own; that sequence is a useful behavioural indicator, and it only
; works against processes the caller has the rights to open.
;
; Known weaknesses visible in the listing (documented, not changed here):
;   - the first snapshot entry is printed but never scanned (the scan sits
;     after the Process32Next call, so the first entry never reaches it);
;   - `space2` (2000h bytes) is written with no bounds check; a long process
;     list overruns it into whatever follows in .Data (`pro_id`, `header`);
;   - `header` holds only 400h valid bytes, but e_lfanew (taken from the
;     *target* process) is added to ebx without any range check, so the PE
;     signature / section-header reads can run past the buffer;
;   - the match test `test ecx,ecx` after `repz cmpsb` only checks that the
;     count ran out, so a mismatch in the very last byte still counts as a hit;
;   - the snapshot handle and every OpenProcess handle are never closed
;     (CloseHandle is not even imported);
;   - ExitProcess is called without pushing its uExitCode argument.
;-----------------------------------------------------------------------------
; Original author's banner:
;
;
; this will give us all running processes!!!!
;
; perfect procdump detection - utility!!!
;
.386
.Model Flat ,StdCall
; --- imports (kernel32 / user32) -------------------------------------------
extrn ExitProcess : PROC                ;procedure to shut down a process
extrn MessageBoxA : PROC                ;procedure to show a MessageBox
extrn Process32First : PROC             ; Toolhelp32 snapshot walking
extrn Process32Next : PROC
extrn CreateToolhelp32Snapshot : PROC
extrn OpenProcess : PROC                ; get a handle to another process
extrn ReadProcessMemory : PROC          ; read its image header
extrn TerminateProcess : PROC           ; kill it on a signature hit
                                        ; NOTE(review): no CloseHandle -- every
                                        ; handle opened below leaks until exit
.Data
handle dd ?                             ; handle of the process currently inspected
tool dd ?                               ; Toolhelp32 snapshot handle
space db 0200h dup (00h)                ; PROCESSENTRY32 receive buffer (dwSize=128h)
caption db "muahahah ^DAEMON^ rulez..... muahahah",0   ; MessageBox title
space2 db 02000h dup (00h)              ; output text, filled by print_ through edi
                                        ; (unbounded writes -- see header comment)
pro_id dd ?                             ; th32ProcessID of the entry last printed
header db 0500h dup (00h)               ; 400h bytes read from the target at 00400000h
; Signature compared against the target's first IMAGE_SECTION_HEADER (assuming
; the standard PE32 layout used by the F8h offset below): Name ".text",
; VirtualSize 88B2h, VirtualAddress 1000h, SizeOfRawData 8A00h, then the low
; two bytes of PointerToRawData (0400h). It matches one specific build only,
; which makes the heuristic brittle.
string1 db '.text',0,0,0,0b2h,088h,0,0,0,10h,0,0,0,08ah,0,0,0,04h
end_str equ $                           ; end marker, used to compute the length
.Code
;-----------------------------------------------------------------------------
; Main -- program entry point.
; Register roles across the enumeration loop:
;   ebx = &space  (PROCESSENTRY32 buffer, reused for every entry)
;   edi = write cursor into space2 (advanced by print_, preserved across the
;         scan by pushad/popad)
; Stack: StdCall, every callee removes its own arguments.
;-----------------------------------------------------------------------------
Main:
; int 1                                 ; (debug trap, left commented out)
lea edi,space2                          ; edi = start of output text buffer
push 0                                  ; th32ProcessID = 0 (ignored for SNAPPROCESS)
push 02                                 ; dwFlags = 2 = TH32CS_SNAPPROCESS
call CreateToolhelp32Snapshot
mov tool,eax                            ; keep the snapshot handle; it is needed by
                                        ; Process32First/Next below (never closed)
lea ebx,space                           ; ebx -> PROCESSENTRY32 buffer
mov dword ptr [ebx],0128h               ; pe.dwSize = 128h = sizeof(PROCESSENTRY32);
                                        ; Process32First fails without it
push ebx
push dword ptr [tool]
call Process32First                     ; get first process (kernel32)
test eax,eax
jz ende                                 ; no entry at all -> show the (empty) list
call print_                             ; append this entry to the list; execution
                                        ; then falls straight into next_, so the
                                        ; first entry is listed but never scanned
next_:
mov dword ptr [ebx],0128h               ; dwSize must be valid on every call
push ebx
push dword ptr [tool]
call Process32Next                      ; get next process
test eax,eax
jz ende                                 ; end of snapshot -> report
call print_                             ; list it and store its PID in pro_id
push dword ptr [pro_id]                 ; dwProcessId = the PID print_ just saved
push 0                                  ; bInheritHandle = FALSE
push 1F0FFFh                            ; dwDesiredAccess = PROCESS_ALL_ACCESS
call OpenProcess                        ; open our process to get a handle to it
test eax,eax
jz next_                                ; access denied / gone -> skip it
mov handle,eax                          ; remembered for TerminateProcess
push 0                                  ; lpNumberOfBytesRead = NULL
push 400h                               ; nSize = 400h bytes
push offset header                      ; lpBuffer = our local copy of the headers
push 00400000h                          ; lpBaseAddress = 00400000h, the usual
                                        ; default image base of a 32-bit EXE
push eax                                ; hProcess
call ReadProcessMemory
test eax,eax
jz next_                                ; could not read -> skip (handle leaks)
;=======================================================================
;
; lets analyse the read data and check if we can find procdump there
;
; Walk the copied headers: DOS header -> e_lfanew -> PE signature ->
; first section header, then compare that header against string1.
; Only 400h bytes of `header` are valid and e_lfanew comes from the
; target, so none of the offsets below is bounds-checked.
;
;=======================================================================
pushad                                  ; save ebx/edi (loop state) and the rest
lea ebx,header
cmp word ptr [ebx],'ZM'                 ; 'MZ' DOS signature? if not, don't follow
jne no_1                                ; e_lfanew -- that could cause an exception
add ebx,[ebx+03ch]                      ; ebx += e_lfanew -> 'PE-HEADER'
cmp word ptr [ebx],'EP'                 ; is it 'PE' ???
jne no_1
add ebx,0f8h                            ; ebx -> first IMAGE_SECTION_HEADER
                                        ; (F8h assumes a standard PE32 optional
                                        ; header; SizeOfOptionalHeader is not read)
mov edi,ebx                             ; edi -> target's section header
mov esi,offset string1                  ; esi -> signature
mov ecx,offset end_str - string1        ; ecx = signature length (22 bytes)
repz cmpsb                              ; compare while equal
test ecx,ecx                            ; clobbers ZF: only "count ran out" is
                                        ; checked, so a mismatch in the last
                                        ; byte is still taken as a hit
jz seek_and_destroy                     ; zero = we found procdump
no_1:
popad                                   ; restore ebx/edi for the loop
jmp next_
;==========================================================================
;
; WE FOUND PROCDUMP ?!?!?!? - SO LETZ TERMINATE THIS PROCESS
;
; Reached only from the jz above, i.e. still inside pushad/popad.
;
;==========================================================================
seek_and_destroy:
; int 1                                 ; (debug trap, left commented out)
mov eax,handle                          ; handle opened by OpenProcess above
push 0                                  ; uExitCode = 0
push eax                                ; hProcess
call TerminateProcess                   ; terminate this process now :)))
jmp no_1                                ; back to popad and the loop
;============================================================================
;
; GIVE OUT ALL OUR COLLECTED PROCESSES, WE FOUND IN MEMORY IN A MESSAGEBOX :)
;
;============================================================================
ende:
push 0                                  ; uType = MB_OK
push offset caption                     ; lpCaption
push offset space2                      ; lpText = the list built by print_
push 0                                  ; hWnd = NULL
call MessageBoxA                        ; give out a list of all processes found
call ExitProcess                        ; and exit.... (no uExitCode pushed:
                                        ; whatever is on the stack gets used)
;============================================================================
; print_ -- append one list line for the current PROCESSENTRY32.
; In:    ebx -> PROCESSENTRY32 (szExeFile at +24h, th32ProcessID at +08h)
;        edi -> write cursor in space2
; Out:   edi advanced past the line; pro_id = th32ProcessID
; Clobb: eax, ecx, edx, esi, flags
; Line format: "<szExeFile>    PID:XXXXXXXX" + LF + CR. No terminator is
; written; the text ends at the first still-zero byte of space2.
; No length check against the end of space2.
;============================================================================
print_:
lea esi,[ebx+024h]                      ; esi -> pe.szExeFile (zero-terminated)
repeat_:lodsb                           ; load one byte into al
test al,al
jz done                                 ; zero? if so, we found the end
stosb                                   ; otherwise store it in edi
jmp repeat_                             ; repeat until al=0
done:
mov eax,020202020h                      ; just four spaces....
stosd
mov eax,':DIP'                          ; 'PID:' (little-endian)
stosd
mov eax,[ebx+08h]                       ; get pid (pe.th32ProcessID)
mov pro_id,eax                          ; published for OpenProcess in the caller
mov edx,edi                             ; edx -> where the 8 hex digits go
call convert                            ; and convert it... to give it out
                                        ; in a msgbox
add edi,08h                             ; skip the 8 digits convert wrote
mov al,010                              ; 10 = LF, then 13 = CR (the order is
stosb                                   ; LF,CR -- not the CR,LF the original
mov al,013                              ; comment claimed)
stosb
ret
;============================================================================
;
; THE ROUTINE BELOW IS JUST TO CONVERT A HEX VALUE INTO A STRING
;
; INPUT: EAX=ANY HEX VALUE
; EDX=POINTER TO MEMORY LOCATION
;
; developed one day in 2k....
;
; Writes the 8 upper-case hex digits of eax to [edx..edx+7], most
; significant digit first; no terminator is written. Clobbers eax, ecx,
; flags. Loop invariant: ecx = 8..1 is the 1-based slot still to fill;
; each ror brings the next nibble (low to high) into bits 3..0.
;============================================================================
convert:
mov ecx,08                              ; 8 nibbles in a dword
rol eax,04h                             ; pre-rotate so the first ror below
                                        ; lands on the original low nibble
here:
ror eax,04h                             ; next nibble -> bits 3..0
push eax                                ; keep the rotated value
and eax,0000000Fh                       ; isolate the nibble
add eax,030h                            ; '0'..'9' if the nibble is <= 9
cmp eax,03ah
jae ahh                                 ; nibble >= 10 -> needs a letter
write:mov byte ptr [edx+ecx-1],al       ; store digit, right to left
pop eax
loop here                               ; (legacy `loop`; fine for 8 iterations)
ret
ahh:
sub eax,030h                            ; undo the '0' bias
sub eax,0ah                             ; nibble - 10
add eax,041h                            ; + 'A'
jmp write
End Main ;End of code, Main is the entrypoint