Windows Problems Protector is a fake security application from the same family as: Windows Problems Remover, Windows Health Center, Windows Shield Center, Windows Antispyware Solution, Windows Risk Eliminator, Windows Universal Tool, Windows Utility Tool, Windows Security & Control, Windows Optimization & Security, Windows System Optimizator, Windows Optimization Center, Privacy Corrector, Privacy Guard 2010.
This rogue displays fake warning messages pushing users to buy a license.
The rogue is dropped into %APPDATA%
Windows Problems Protector prevents the execution of software such as browsers and other legitimate tools like Process Explorer.
To run a blocked file, rename it to mshta.exe, then try again.
To register it (and make removal easier) you can use our patch... or make your own:
~ ASM
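.486                                    ; 32-bit code; a .386+ directive must precede .model flat
.model flat,stdcall
option casemap:none
include windows.inc

; uselib name: pull in the prototypes and import library of one system DLL.
uselib MACRO libname
    include    libname.inc
    includelib libname.lib
ENDM
uselib user32
uselib kernel32

rogue PROTO :DWORD,:DWORD,:DWORD,:DWORD

;-----------------------------------------------------------------------
; PATCH_BYTES patchAddr, newBytes, nBytes, onFail
;   Overwrite nBytes at patchAddr inside the rogue's process with newBytes:
;   make the range writable, write it, then put the old protection back.
;   Expects: ebx = process handle opened with PROCESS_VM_OPERATION|PROCESS_VM_WRITE.
;   Clobbers: eax, ecx, edx, flags (stdcall callees).
;   Jumps to onFail when WriteProcessMemory reports failure (eax == 0).
;   Note: the protection size now follows nBytes; the original passed 2
;   for every patch, including the 6-byte ones.
;-----------------------------------------------------------------------
PATCH_BYTES MACRO patchAddr, newBytes, nBytes, onFail
    invoke VirtualProtectEx, ebx, patchAddr, nBytes, PAGE_EXECUTE_READWRITE, addr OldProtect
    invoke WriteProcessMemory, ebx, patchAddr, addr newBytes, nBytes, NULL
    push   eax                          ; keep the write result across the restore call
    invoke VirtualProtectEx, ebx, patchAddr, nBytes, OldProtect, addr OldProtect
    pop    eax
    .if eax == 0                        ; jmp (not jz): the target is far beyond a short-jump range
        jmp    onFail
    .endif
ENDM

.data
Titre      db "Windows Problems Protector patch", 0
PasTrouver db "There is no thread called",13,10,"help",0      ; shown when FindWindow finds no "help" window
Trouver    db "Full of win",13,10,"Enter any serial like 1111-1111-1111-1111 And enjoy",0
NoAccess   db "Found the rogue window but could not open its process",13,10,"Run this patch from an elevated (administrator) prompt",0
EchecEcrit db "Opened the process but writing the patch failed",13,10,"The patch addresses are for the build analysed here and may not match this sample",0
szFileName db "help",0                  ; window title the rogue's main window is looked up by

;====== Patching
; Each entry: absolute address inside the rogue's image, the replacement
; bytes, and their count. The original opcodes in the comments come from
; the build analysed in this post; other builds may place the checks
; elsewhere, in which case the write succeeds but patches the wrong bytes
; -- re-verify the disassembly before using this on another sample.
AddressToPatch1 dd 0411288h             ;0x0411288
ReplaceBy1      db 0EBh,047h            ;75 47 JNZ SHORT 00411025 -> To JMP
ReplaceSize1    dd 2                    ;2 bytes changed
AddressToPatch2 dd 04112D4h             ;0x04112D4
ReplaceBy2      db 090h,090h,090h,090h,090h,090h ;0F85 03030000 JNZ 004115DD -> NOP sled
ReplaceSize2    dd 6                    ;6 bytes changed
AddressToPatch3 dd 04112DDh             ;0x04112DD
ReplaceBy3      db 090h,090h,090h,090h,090h,090h ;0F85 FA020000 JNZ 004115DD -> NOP sled
ReplaceSize3    dd 6                    ;6 bytes changed
AddressToPatch4 dd 04112EAh             ;0x04112EA
ReplaceBy4      db 090h,090h,090h,090h,090h,090h ;0F85 ED020000 JNZ 004115DD -> NOP sled
ReplaceSize4    dd 6                    ;6 bytes changed
AddressToPatch5 dd 04112F7h             ;0x04112F7
ReplaceBy5      db 090h,090h,090h,090h,090h,090h ;0F85 ED020000 JNZ 004115DD -> NOP sled
ReplaceSize5    dd 6                    ;6 bytes changed
AddressToPatch6 dd 0411333h             ;0x0411333
ReplaceBy6      db 090h,090h            ;7C 05 JL SHORT 0041133A -> NOP NOP
ReplaceSize6    dd 2                    ;2 bytes changed
AddressToPatch7 dd 0411338h             ;0x0411338
ReplaceBy7      db 0EBh,047h            ;7E 47 JLE SHORT 00411381 -> To JMP
ReplaceSize7    dd 2                    ;2 bytes changed

.data?
PID        dd ?                         ; process id that owns the rogue's window
OldProtect dd ?                         ; page protection before VirtualProtectEx, restored after each write

.code
start:
;-----------------------------------------------------------------------
; rogue - program entry point.
;   The four parameters are never supplied (the proc only borrows a
;   window-proc shape and is entered via `start`); they are kept for the
;   existing PROTO.
;   1. Locate the rogue's window by its title ("help").
;   2. Open the owning process with only the rights the writes need and
;      neutralise the seven license-check branches listed above.
;   3. Report the outcome in a message box and exit: 0 on success,
;      1 when the window/process is missing or a write fails.
;   ebx holds the HWND, then the process handle; it is not preserved
;   because every path ends in ExitProcess.
;-----------------------------------------------------------------------
rogue proc hWin:DWORD,uMsg:DWORD,wParam:DWORD,lParam:DWORD
    invoke FindWindow, NULL, offset szFileName
    .if eax == NULL
        invoke Beep, 100, 30            ;lol
        invoke MessageBox, NULL, addr PasTrouver, addr Titre, MB_ICONEXCLAMATION
        invoke ExitProcess, 1
    .endif
    mov    ebx, eax                     ; ebx = HWND of the rogue

    invoke GetWindowThreadProcessId, ebx, offset PID
    ; Least privilege: VirtualProtectEx/WriteProcessMemory need only these two rights.
    invoke OpenProcess, PROCESS_VM_OPERATION or PROCESS_VM_WRITE, FALSE, PID
    .if eax == NULL                     ; typically a privilege problem (e.g. not elevated)
        invoke MessageBox, NULL, addr NoAccess, addr Titre, MB_ICONEXCLAMATION
        invoke ExitProcess, 1
    .endif
    mov    ebx, eax                     ; ebx = process handle

    PATCH_BYTES AddressToPatch1, ReplaceBy1, ReplaceSize1, write_failed
    PATCH_BYTES AddressToPatch2, ReplaceBy2, ReplaceSize2, write_failed
    PATCH_BYTES AddressToPatch3, ReplaceBy3, ReplaceSize3, write_failed
    PATCH_BYTES AddressToPatch4, ReplaceBy4, ReplaceSize4, write_failed
    PATCH_BYTES AddressToPatch5, ReplaceBy5, ReplaceSize5, write_failed
    PATCH_BYTES AddressToPatch6, ReplaceBy6, ReplaceSize6, write_failed
    PATCH_BYTES AddressToPatch7, ReplaceBy7, ReplaceSize7, write_failed

    invoke CloseHandle, ebx
    invoke MessageBox, NULL, addr Trouver, addr Titre, MB_ICONINFORMATION
    invoke ExitProcess, 0

write_failed:                           ; a WriteProcessMemory call returned 0; handle is still open
    invoke CloseHandle, ebx
    invoke MessageBox, NULL, addr EchecEcrit, addr Titre, MB_ICONEXCLAMATION
    invoke ExitProcess, 1
rogue endp
end start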
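.486                                    ; 32-bit code; a .386+ directive must precede .model flat
.model flat,stdcall
option casemap:none
include windows.inc

; uselib name: pull in the prototypes and import library of one system DLL.
uselib MACRO libname
    include    libname.inc
    includelib libname.lib
ENDM
uselib user32
uselib kernel32

rogue PROTO :DWORD,:DWORD,:DWORD,:DWORD

;-----------------------------------------------------------------------
; PATCH_BYTES patchAddr, newBytes, nBytes, onFail
;   Overwrite nBytes at patchAddr inside the rogue's process with newBytes:
;   make the range writable, write it, then put the old protection back.
;   Expects: ebx = process handle opened with PROCESS_VM_OPERATION|PROCESS_VM_WRITE.
;   Clobbers: eax, ecx, edx, flags (stdcall callees).
;   Jumps to onFail when WriteProcessMemory reports failure (eax == 0).
;   Note: the protection size now follows nBytes; the original passed 2
;   for every patch, including the 6-byte ones.
;-----------------------------------------------------------------------
PATCH_BYTES MACRO patchAddr, newBytes, nBytes, onFail
    invoke VirtualProtectEx, ebx, patchAddr, nBytes, PAGE_EXECUTE_READWRITE, addr OldProtect
    invoke WriteProcessMemory, ebx, patchAddr, addr newBytes, nBytes, NULL
    push   eax                          ; keep the write result across the restore call
    invoke VirtualProtectEx, ebx, patchAddr, nBytes, OldProtect, addr OldProtect
    pop    eax
    .if eax == 0                        ; jmp (not jz): the target is far beyond a short-jump range
        jmp    onFail
    .endif
ENDM

.data
Titre      db "Windows Problems Protector patch", 0
PasTrouver db "There is no thread called",13,10,"help",0      ; shown when FindWindow finds no "help" window
Trouver    db "Full of win",13,10,"Enter any serial like 1111-1111-1111-1111 And enjoy",0
NoAccess   db "Found the rogue window but could not open its process",13,10,"Run this patch from an elevated (administrator) prompt",0
EchecEcrit db "Opened the process but writing the patch failed",13,10,"The patch addresses are for the build analysed here and may not match this sample",0
szFileName db "help",0                  ; window title the rogue's main window is looked up by

;====== Patching
; Each entry: absolute address inside the rogue's image, the replacement
; bytes, and their count. The original opcodes in the comments come from
; the build analysed in this post; other builds may place the checks
; elsewhere, in which case the write succeeds but patches the wrong bytes
; -- re-verify the disassembly before using this on another sample.
AddressToPatch1 dd 0411288h             ;0x0411288
ReplaceBy1      db 0EBh,047h            ;75 47 JNZ SHORT 00411025 -> To JMP
ReplaceSize1    dd 2                    ;2 bytes changed
AddressToPatch2 dd 04112D4h             ;0x04112D4
ReplaceBy2      db 090h,090h,090h,090h,090h,090h ;0F85 03030000 JNZ 004115DD -> NOP sled
ReplaceSize2    dd 6                    ;6 bytes changed
AddressToPatch3 dd 04112DDh             ;0x04112DD
ReplaceBy3      db 090h,090h,090h,090h,090h,090h ;0F85 FA020000 JNZ 004115DD -> NOP sled
ReplaceSize3    dd 6                    ;6 bytes changed
AddressToPatch4 dd 04112EAh             ;0x04112EA
ReplaceBy4      db 090h,090h,090h,090h,090h,090h ;0F85 ED020000 JNZ 004115DD -> NOP sled
ReplaceSize4    dd 6                    ;6 bytes changed
AddressToPatch5 dd 04112F7h             ;0x04112F7
ReplaceBy5      db 090h,090h,090h,090h,090h,090h ;0F85 ED020000 JNZ 004115DD -> NOP sled
ReplaceSize5    dd 6                    ;6 bytes changed
AddressToPatch6 dd 0411333h             ;0x0411333
ReplaceBy6      db 090h,090h            ;7C 05 JL SHORT 0041133A -> NOP NOP
ReplaceSize6    dd 2                    ;2 bytes changed
AddressToPatch7 dd 0411338h             ;0x0411338
ReplaceBy7      db 0EBh,047h            ;7E 47 JLE SHORT 00411381 -> To JMP
ReplaceSize7    dd 2                    ;2 bytes changed

.data?
PID        dd ?                         ; process id that owns the rogue's window
OldProtect dd ?                         ; page protection before VirtualProtectEx, restored after each write

.code
start:
;-----------------------------------------------------------------------
; rogue - program entry point.
;   The four parameters are never supplied (the proc only borrows a
;   window-proc shape and is entered via `start`); they are kept for the
;   existing PROTO.
;   1. Locate the rogue's window by its title ("help").
;   2. Open the owning process with only the rights the writes need and
;      neutralise the seven license-check branches listed above.
;   3. Report the outcome in a message box and exit: 0 on success,
;      1 when the window/process is missing or a write fails.
;   ebx holds the HWND, then the process handle; it is not preserved
;   because every path ends in ExitProcess.
;-----------------------------------------------------------------------
rogue proc hWin:DWORD,uMsg:DWORD,wParam:DWORD,lParam:DWORD
    invoke FindWindow, NULL, offset szFileName
    .if eax == NULL
        invoke Beep, 100, 30            ;lol
        invoke MessageBox, NULL, addr PasTrouver, addr Titre, MB_ICONEXCLAMATION
        invoke ExitProcess, 1
    .endif
    mov    ebx, eax                     ; ebx = HWND of the rogue

    invoke GetWindowThreadProcessId, ebx, offset PID
    ; Least privilege: VirtualProtectEx/WriteProcessMemory need only these two rights.
    invoke OpenProcess, PROCESS_VM_OPERATION or PROCESS_VM_WRITE, FALSE, PID
    .if eax == NULL                     ; typically a privilege problem (e.g. not elevated)
        invoke MessageBox, NULL, addr NoAccess, addr Titre, MB_ICONEXCLAMATION
        invoke ExitProcess, 1
    .endif
    mov    ebx, eax                     ; ebx = process handle

    PATCH_BYTES AddressToPatch1, ReplaceBy1, ReplaceSize1, write_failed
    PATCH_BYTES AddressToPatch2, ReplaceBy2, ReplaceSize2, write_failed
    PATCH_BYTES AddressToPatch3, ReplaceBy3, ReplaceSize3, write_failed
    PATCH_BYTES AddressToPatch4, ReplaceBy4, ReplaceSize4, write_failed
    PATCH_BYTES AddressToPatch5, ReplaceBy5, ReplaceSize5, write_failed
    PATCH_BYTES AddressToPatch6, ReplaceBy6, ReplaceSize6, write_failed
    PATCH_BYTES AddressToPatch7, ReplaceBy7, ReplaceSize7, write_failed

    invoke CloseHandle, ebx
    invoke MessageBox, NULL, addr Trouver, addr Titre, MB_ICONINFORMATION
    invoke ExitProcess, 0

write_failed:                           ; a WriteProcessMemory call returned 0; handle is still open
    invoke CloseHandle, ebx
    invoke MessageBox, NULL, addr EchecEcrit, addr Titre, MB_ICONEXCLAMATION
    invoke ExitProcess, 1
rogue endp
end start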
Once registered, applications are no longer blocked.