Monday 7 February 2011

Windows Software Protection

According to S!Ri
Windows Software Protection is a fake security application from the same family as: Windows Safety Protection, Windows Problems Protector, Windows Problems Remover, Windows Health Center, Windows Shield Center, Windows Antispyware Solution, Windows Risk Eliminator, Windows Universal Tool, Windows Utility Tool, Windows Security & Control, Windows Optimization & Security, Windows System Optimizator, Windows Optimization Center, Privacy Corrector, Privacy Guard 2010.
This rogue displays fake warning messages pushing users to buy a license.



The rogue is dropped into %APPDATA%



Windows Software Protection prevent softwares execution like browsers and other legit tools such as Process Explorer.
For run a blocked file, rename it to: mshta.exe, then try again.
To register (and help removal) you can use our patch... or make your own:

~ ASM
.486 ;Only 2,50 Kb :þ
.model flat,stdcall
option casemap:none

include windows.inc

uselib  MACRO   libname
    include     libname.inc
    includelib  libname.lib
ENDM

uselib  user32
uselib  kernel32

rogue PROTO :DWORD,:DWORD,:DWORD,:DWORD

.data
Titre           db "Windows Software Protection patch", 0
PasTrouver  db "There is no thread called",13,10,"Help",0
Trouver     db "Patched successfully",13,10,"Enter any serial like 1111-1111-1111-1111 And enjoy",0
szFileName  db "Help",0

;====== Patching if serial is bad
AddressToPatch1 dd 0410BECh ;0x0410BEC
ReplaceBy1 db 0EBh,047h ;75 47 JNZ SHORT 00410C35 -> To JMP
ReplaceSize1 dd 2 ;2 bytes changed
AddressToPatch2 dd 0410C38h ;0x0410C38
ReplaceBy2 db 090h,090h,090h,090h,090h,090h ;0F85 03030000 JNZ 00410F41
ReplaceSize2 dd 6 ;6 bytes changed
AddressToPatch3 dd 0410C41h ;0x0410C41
ReplaceBy3 db 090h,090h,090h,090h,090h,090h ;0F85 FA020000 JNZ 00410F41
ReplaceSize3 dd 6 ;6 bytes changed
AddressToPatch4 dd 0410C4Eh ;0x0410C4E
ReplaceBy4 db 090h,090h,090h,090h,090h,090h ;0F85 ED020000 JNZ 00410F41
ReplaceSize4 dd 6 ;6 bytes changed
AddressToPatch5 dd 04112F7h ;0x04112F7
ReplaceBy5 db 090h,090h,090h,090h,090h,090h ;0F85 ED020000 JNZ 00410F41
ReplaceSize5 dd 6 ;6 bytes changed
AddressToPatch6 dd 0410C97h ;0x0410C97
ReplaceBy6 db 090h,090h ;7C 05 JL SHORT 00410C9E
ReplaceSize6 dd 2 ;2 bytes changed
AddressToPatch7 dd 0410C9Ch ;0x0410C9C
ReplaceBy7 db 0EBh,047h ;7E 47 JLE SHORT 00410CE5  -> To JMP
ReplaceSize7 dd 2 ;2 bytes changed


.data?
PID         dd ?

.code
  start:
rogue proc hWin:DWORD,uMsg:DWORD,wParam:DWORD,lParam:DWORD
            invoke FindWindow, NULL, offset szFileName
            .If eax != NULL
                mov ebx, eax
                Invoke GetWindowThreadProcessId, ebx, offset PID
                Invoke OpenProcess, PROCESS_ALL_ACCESS,NULL, PID
                mov ebx, eax
                            Invoke VirtualProtectEx, ebx, AddressToPatch1, 2, PAGE_EXECUTE_READWRITE, 00
                            Invoke WriteProcessMemory, ebx, AddressToPatch1, offset ReplaceBy1, ReplaceSize1, NULL
                           
                            Invoke VirtualProtectEx, ebx, AddressToPatch2, 2, PAGE_EXECUTE_READWRITE, 00
                            Invoke WriteProcessMemory, ebx, AddressToPatch2, offset ReplaceBy2, ReplaceSize2, NULL
                           
                            Invoke VirtualProtectEx, ebx, AddressToPatch3, 2, PAGE_EXECUTE_READWRITE, 00
                            Invoke WriteProcessMemory, ebx, AddressToPatch3, offset ReplaceBy3, ReplaceSize3, NULL 
                           
                            Invoke VirtualProtectEx, ebx, AddressToPatch4, 2, PAGE_EXECUTE_READWRITE, 00
                            Invoke WriteProcessMemory, ebx, AddressToPatch4, offset ReplaceBy4, ReplaceSize4, NULL
                           
                            Invoke VirtualProtectEx, ebx, AddressToPatch5, 2, PAGE_EXECUTE_READWRITE, 00
                            Invoke WriteProcessMemory, ebx, AddressToPatch5, offset ReplaceBy5, ReplaceSize5, NULL
                           
                            Invoke VirtualProtectEx, ebx, AddressToPatch6, 2, PAGE_EXECUTE_READWRITE, 00
                            Invoke WriteProcessMemory, ebx, AddressToPatch6, offset ReplaceBy6, ReplaceSize6, NULL
                           
                            Invoke VirtualProtectEx, ebx, AddressToPatch7, 2, PAGE_EXECUTE_READWRITE, 00
                            Invoke WriteProcessMemory, ebx, AddressToPatch7, offset ReplaceBy7, ReplaceSize7, NULL 
                           
                        Invoke CloseHandle, ebx
                        invoke MessageBox, NULL, addr Trouver, addr Titre, MB_ICONINFORMATION
            .else
                invoke Beep,100,30 ;lol
                invoke MessageBox, NULL, addr PasTrouver, addr Titre, MB_ICONEXCLAMATION
            .endif
                invoke ExitProcess,0
rogue endp
  end start


Once registered, applications are not blocked anymore.

No comments:

Post a Comment