 #4730  by Xylitol
 Wed Jan 26, 2011 1:21 am
Well, not really a tool, just some l33t stuff about Spyware Protection (http://www.kernelmode.info/forum/viewto ... t=60#p4712)
~ ASM
1: Kill "defender.exe" process
2: Remove the startup regkey (HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Spyware Protection)
3: Delete "defender.exe" in %APPDATA%
simple version:
.386 ;Spyware Protection remover, only 17kb :þ
.MODEL FLAT, STDCALL
OPTION CASEMAP:NONE

; 32-bit MASM (WinAsm Studio include layout); every call below is stdcall.
; CRYPTOHASH.INC/.LIB is drizz's cryptohash library (MD5*, HexEncode).
        INCLUDE     WINDOWS.INC
        INCLUDE     USER32.INC
        INCLUDE     KERNEL32.INC
        INCLUDE     ADVAPI32.INC
        INCLUDE     CRYPTOHASH.INC
        INCLUDELIB  USER32.LIB
        INCLUDELIB  KERNEL32.LIB
        INCLUDELIB  ADVAPI32.LIB
        INCLUDELIB  CRYPTOHASH.LIB

        DlgProc   PROTO  :DWORD,:DWORD,:DWORD,:DWORD

.data
        ; Persistence entry of the sample: HKCU\<SubKey><szX> (value name szX)
        SubKey      db "Software\Microsoft\Windows\CurrentVersion\Run\",0
        szX         db "Spyware Protection",0
        ; Image name of the malware; TerminateProc matches it case-insensitively
        ; against every process, DlgProc appends it to %APPDATA% to build the path
        szTarget      db "defender.exe",0
        szCaption   db "Spyware Protection Remover",0
        szNF        db "Spyware Protection Not Found",0
        szF         db "Spyware Protection Found",0    
        appdata     db "APPDATA", 0
        ; Expected MD5 of the sample's defender.exe as upper-case hex. It is
        ; compared as a string against HexEncode's output, so it identifies this
        ; one build only — a repacked variant will not match.
        MD5         db "DD18BCE36B184E2901A8AD94E48C30F8",0
        slash       db "\",0

        ;ProcError      db "An Error has occurred!!",0
        ;ProcFinish      db "Process Terminated successfully!",0
        ;errSnapshot     db "CreateToolhelp32Snapshot failed.",0
        ;errProcFirst    db "Process32First failed.",0

.data?
        hInstance   dd  ?
        hKey        dd  ?               ; HKCU\...\Run handle from RegOpenKeyEx
        hValue      dd  ?               ; byte count of the Run value's data (not a handle)
        hFile       dd  ?               ; CreateFile handle of %APPDATA%\defender.exe
        mFile       dd  ?               ; CreateFileMapping handle for hFile
        sFile       dd  ?               ; GetFileSize result, passed to MD5Update as length
        mapFile     dd  ?               ; MapViewOfFile base; the file is hashed in place
        szBuffer    db 512 dup(?)       ; Run value data read back from the registry
        buffer      db 512 dup(?)       ; "%APPDATA%\defender.exe", built at WM_INITDIALOG
        BufferHash  db 512 dup(?)       ; hex digest from HexEncode (MD5 needs 16*2+2 bytes)

        StartupInfo     STARTUPINFO     <>      ; not referenced in this listing
        ProcessInfo     PROCESS_INFORMATION     <>      ; not referenced in this listing
        hSnapshot       HANDLE ?                ; Toolhelp process snapshot (TerminateProc)
        ProcEnt         PROCESSENTRY32 <?>      ; current entry while walking the snapshot

.code
; Entry point: show dialog 1001 (see the resource script) modally, then exit
; with whatever DialogBoxParam returned.
start:
    invoke GetModuleHandle, NULL
    mov    hInstance,eax
    invoke DialogBoxParam, hInstance, 1001, NULL, addr DlgProc, NULL   ; 1001 = dialog template id
    invoke ExitProcess,eax

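; Longest %APPDATA% value that still leaves room in `buffer` for "\" + szTarget.
APPDATA_MAX equ SIZEOF buffer - SIZEOF slash - SIZEOF szTarget

;-----------------------------------------------------------------------
; RemoveTarget  (internal helper, no arguments; called from DlgProc)
; Purpose : remove the Spyware Protection persistence entry and its file,
;           acting only on evidence:
;             1. HKCU\<SubKey><szX> must equal the expected path in
;                `buffer` ("%APPDATA%\defender.exe") -> the Run value is
;                deleted;
;             2. the file at that path must hash (MD5) to the constant
;                MD5 -> the file is deleted.
;           Any API failure aborts the current step, so an unrelated file
;           is never deleted.  A MessageBox reports the outcome (szF when
;           the file was deleted, szNF otherwise).
; In      : buffer = expected path, NUL-terminated; "" means the path
;           could not be built and nothing is touched.
; Out     : eax = 1 if the file was deleted, 0 otherwise
; Clobbers: eax, ecx, edx; globals hKey, hValue, hFile, mFile, sFile,
;           mapFile, szBuffer, BufferHash
; Note    : the file is hashed through a handle but deleted by path, so a
;           file swapped in between MD5Final and DeleteFile is not
;           detected; this API set offers no handle-based delete.
;-----------------------------------------------------------------------
RemoveTarget proc
    LOCAL status:DWORD                  ; RegQueryValueEx result, kept across RegCloseKey
    LOCAL hashMatch:DWORD               ; 1 when the file's MD5 equals MD5
    LOCAL deleted:DWORD                 ; 1 once DeleteFile succeeded

    mov hashMatch, 0
    mov deleted, 0
    .if byte ptr [buffer] == 0
        jmp rt_report                   ; no expected path: nothing to compare against
    .endif

    ; --- 1. Does the Run value point at the expected path? -----------------
    invoke RegOpenKeyEx, HKEY_CURRENT_USER, ADDR SubKey, NULL, KEY_READ, ADDR hKey
    .if eax != ERROR_SUCCESS
        jmp rt_report
    .endif
    mov hValue, SIZEOF szBuffer - 1     ; in: room in szBuffer; out: bytes stored
    invoke RegQueryValueEx, hKey, ADDR szX, 0, 0, ADDR szBuffer, ADDR hValue
    mov status, eax
    invoke RegCloseKey, hKey
    .if status != ERROR_SUCCESS
        jmp rt_report                   ; value absent, or larger than szBuffer
    .endif
    mov ecx, hValue                     ; bytes stored (<= 511)
    mov byte ptr szBuffer[ecx], 0       ; REG_SZ data need not carry its own NUL
    invoke lstrcmpi, ADDR szBuffer, ADDR buffer   ; Windows paths compare case-insensitively
    .if eax != 0
        jmp rt_report                   ; value exists but points elsewhere: leave it alone
    .endif

    ; The startup entry is the sample's: remove it (KEY_SET_VALUE is all that is needed).
    invoke RegOpenKeyEx, HKEY_CURRENT_USER, ADDR SubKey, NULL, KEY_SET_VALUE, ADDR hKey
    .if eax == ERROR_SUCCESS
        invoke RegDeleteValue, hKey, ADDR szX
        invoke RegCloseKey, hKey
    .endif

    ; --- 2. Hash the file; delete only on an exact MD5 match -----------------
    invoke CreateFile, ADDR buffer, GENERIC_READ, FILE_SHARE_READ or FILE_SHARE_WRITE, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0
    .if eax == INVALID_HANDLE_VALUE
        jmp rt_report                   ; file already gone (or not readable)
    .endif
    mov hFile, eax
    invoke GetFileSize, hFile, 0
    .if eax == -1
        jmp rt_close_file               ; INVALID_FILE_SIZE: do not feed -1 to MD5Update
    .endif
    mov sFile, eax
    invoke CreateFileMapping, hFile, 0, PAGE_READONLY, 0, 0, 0
    mov mFile, eax
    .if eax == 0
        jmp rt_close_file               ; e.g. zero-length file cannot be mapped
    .endif
    invoke MapViewOfFile, mFile, FILE_MAP_READ, 0, 0, 0
    mov mapFile, eax
    .if eax == 0
        jmp rt_close_map
    .endif
    invoke MD5Init
    invoke MD5Update, mapFile, sFile
    invoke MD5Final                     ; eax -> digest bytes
    invoke HexEncode, eax, MD5_DIGESTSIZE, ADDR BufferHash
    invoke lstrcmpi, ADDR MD5, ADDR BufferHash    ; hex digit case must not matter
    .if eax == 0
        mov hashMatch, 1
    .endif
    invoke UnmapViewOfFile, mapFile
rt_close_map:
    invoke CloseHandle, mFile
rt_close_file:
    invoke CloseHandle, hFile           ; every handle is released before DeleteFile
    .if hashMatch != 0
        invoke SetFileAttributes, ADDR buffer, FILE_ATTRIBUTE_NORMAL   ; clear read-only/hidden
        invoke DeleteFile, ADDR buffer
        .if eax != 0
            mov deleted, 1
        .endif
    .endif

rt_report:
    .if deleted != 0
        invoke MessageBox, NULL, ADDR szF, ADDR szCaption, MB_OK or MB_ICONINFORMATION
    .else
        invoke MessageBox, NULL, ADDR szNF, ADDR szCaption, MB_OK or MB_ICONINFORMATION
    .endif
    mov eax, deleted
    ret
RemoveTarget endp

;-----------------------------------------------------------------------
; BOOL DlgProc(HWND hWnd, UINT uMsg, WPARAM wParam, LPARAM lParam)
; ABI    : 32-bit stdcall (.MODEL FLAT, STDCALL); dialog procedure for
;          dialog template 1001.
; WM_INITDIALOG : build buffer = "%APPDATA%\defender.exe" and terminate
;                 every running defender.exe (TerminateProc).
; WM_COMMAND    : BN_CLICKED from control 1023 ("REMOVE") -> RemoveTarget.
; WM_CLOSE      : EndDialog(hWnd, 0).
; Out    : eax = 0 (FALSE) for every message.
; Clobbers: eax, ecx, edx; global buffer
;-----------------------------------------------------------------------
DlgProc proc hWnd:HWND, uMsg:UINT, wParam:WPARAM, lParam:LPARAM
    .if uMsg == WM_INITDIALOG
        invoke GetEnvironmentVariable, ADDR appdata, ADDR buffer, APPDATA_MAX
        .if eax == 0 || eax >= APPDATA_MAX
            ; %APPDATA% unset, or too long for the room left in buffer: leave
            ; the path empty so RemoveTarget refuses to act instead of working
            ; on "\defender.exe" at the root of the current drive.
            mov byte ptr [buffer], 0
        .else
            invoke lstrcat, ADDR buffer, ADDR slash
            invoke lstrcat, ADDR buffer, ADDR szTarget
        .endif
        call TerminateProc
    .elseif uMsg == WM_COMMAND
        mov eax, wParam
        mov edx, eax
        shr edx, 16                     ; HIWORD(wParam) = notification code
        movzx eax, ax                   ; LOWORD(wParam) = control id
        .if eax == 1023 && edx == BN_CLICKED
            invoke RemoveTarget
        .endif
    .elseif uMsg == WM_CLOSE
        invoke EndDialog, hWnd, 0
    .endif
    xor eax, eax
    ret
DlgProc endp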

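;-----------------------------------------------------------------------
; TerminateProc  (no arguments; reached with a plain CALL from DlgProc)
; Purpose : walk the Toolhelp process list and TerminateProcess every
;           process whose image name equals szTarget ("defender.exe").
; In      : szTarget (global)
; Out     : nothing meaningful in eax
; Clobbers: eax, ecx, edx; globals hSnapshot, ProcEnt
; Note    : the match is on the bare image name (lstrcmpi against
;           szExeFile), so any process with that name is killed whatever
;           directory it was started from; checking the image path against
;           the expected "%APPDATA%\defender.exe" would be stricter.
;           Processes for which OpenProcess denies PROCESS_TERMINATE
;           (eax = 0) are skipped silently.
;-----------------------------------------------------------------------
TerminateProc proc
    LOCAL hProcess:DWORD                ; OpenProcess handle, closed after use

    invoke CreateToolhelp32Snapshot, TH32CS_SNAPPROCESS, 0
    .IF eax != INVALID_HANDLE_VALUE
        mov hSnapshot, eax
        mov [ProcEnt.dwSize], SIZEOF ProcEnt    ; Process32First requires dwSize set
        invoke Process32First, hSnapshot, ADDR ProcEnt
        .WHILE eax                              ; eax = another entry was filled in
            invoke lstrcmpi, ADDR szTarget, ADDR [ProcEnt.szExeFile]
            .IF eax == 0
                invoke OpenProcess, PROCESS_TERMINATE, FALSE, [ProcEnt.th32ProcessID]
                .IF eax
                    mov hProcess, eax
                    invoke TerminateProcess, hProcess, 0
                    invoke CloseHandle, hProcess    ; the process handle must not leak
                .ENDIF
            .ENDIF
            invoke Process32Next, hSnapshot, ADDR ProcEnt
        .ENDW
        invoke CloseHandle, hSnapshot
    .ENDIF
    ret
TerminateProc endp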
end start
;This Resource Script was generated by WinAsm Studio.
; Dialog 1001 is the template DialogBoxParam loads in the remover;
; control 1023 is the "REMOVE" button whose WM_COMMAND DlgProc handles.

1001 DIALOGEX 0,0,219,45
CAPTION "Spyware Protection Remover"
FONT 8,"MS Sans Serif"
STYLE 0x10ca0800
EXSTYLE 0x00000000
BEGIN
CONTROL "REMOVE",1023,"Button",0x50010000,10,9,197,25,0x00020000
END
And the cryptohash include file (search for it on Google):
comment "written by drizz <1of00@gmx.net>"
; CRYPTOHASH.INC — prototypes for drizz's cryptohash library (the .LIB is
; linked by the remover above).  No proto names a calling convention, so
; they take whatever .MODEL declares in the including file (FLAT, STDCALL
; in the remover).
; None of the routines take a context/handle argument: key schedules and
; hash state presumably live inside the library, so only one key and one
; hash computation can be in flight at a time — not reentrant, not
; thread-safe.  Confirm against the library source before sharing it
; between threads.

; CIPHERS
; =======
; Encrypt/Decrypt take one block in, one block out; no chaining mode or IV
; is exposed here (apart from RC4, which processes dwBlockLen bytes).
GOSTSetKey proto pKey:ptr byte
GOSTEncrypt proto pBlockIn:ptr byte,pBlockOut:ptr byte
GOSTDecrypt proto pBlockIn:ptr byte,pBlockOut:ptr byte
CAST128SetKey proto pKey:ptr byte,dwKeylen:dword
CAST128Encrypt proto pBlockIn:ptr byte,pBlockOut:ptr byte
CAST128Decrypt proto pBlockIn:ptr byte,pBlockOut:ptr byte
MARSSetKey proto pKey:ptr byte,dwKeyLen:dword
MARSEncrypt proto pBlockIn:ptr byte,pBlockOut:ptr byte
MARSDecrypt proto pBlockIn:ptr byte,pBlockOut:ptr byte
IDEASetKeyEnc proto pKey:dword
IDEASetKeyDec proto pKey:dword
IDEAEncrypt proto pBlockIn:ptr byte,pBlockOut:ptr byte
IDEADecrypt equ IDEAEncrypt             ; same routine; direction is chosen by the key schedule
IDEAEncryptSSE proto pBlockIn:ptr byte,pBlockOut:ptr byte
IDEADecryptSSE equ IDEAEncryptSSE
DESSetKey PROTO pKey:PTR BYTE
DESSetKeyEnc PROTO pKey:PTR BYTE
DESSetKeyDec PROTO pKey:PTR BYTE
DESEncrypt PROTO pBlockIn:PTR BYTE,pBlockOut:PTR BYTE
DESDecrypt PROTO pBlockIn:PTR BYTE,pBlockOut:PTR BYTE
TwofishInit PROTO :DWORD,:DWORD
TwofishEncrypt PROTO :DWORD,:DWORD
TwofishDecrypt PROTO :DWORD,:DWORD
RC2Init proto pKey:DWORD,dwKeyLen:DWORD
RC2Encrypt proto pBlockIn:DWORD,pBlockOut:DWORD
RC2Decrypt proto pBlockIn:DWORD,pBlockOut:DWORD
RC4Init proto pKey:DWORD,:DWORD
RC4Encrypt proto pBlock:DWORD,dwBlockLen:DWORD   ; stream cipher, in place over dwBlockLen bytes (presumably)
RC4Decrypt equ <RC4Encrypt>
RC5Init       PROTO pKeys:DWORD
RC5Encrypt    PROTO pBlockIn:DWORD,pBlockOut:DWORD
RC5Decrypt    PROTO pBlockIn:DWORD,pBlockOut:DWORD
RC6Init       PROTO :DWORD,:DWORD
RC6Encrypt    PROTO pBlockIn:DWORD,pBlockOut:DWORD
RC6Decrypt    PROTO pBlockIn:DWORD,pBlockOut:DWORD
XTEAInit    proto :DWORD,:DWORD
XTEAEncrypt proto :DWORD,:DWORD
XTEADecrypt proto :DWORD,:DWORD
RijndaelInit proto :DWORD,:DWORD
RijndaelEncrypt proto :DWORD,:DWORD
RijndaelDecrypt proto :DWORD,:DWORD
ThreeWayInit    proto :DWORD
ThreeWayEncrypt proto :DWORD,:DWORD
ThreeWayDecrypt proto :DWORD,:DWORD
TEAInit proto :DWORD
TEAEncrypt  proto :DWORD,:DWORD
TEADecrypt  proto :DWORD,:DWORD
BlowfishInit proto :DWORD,:DWORD
BlowfishEncrypt proto :DWORD,:DWORD
BlowfishDecrypt proto :DWORD,:DWORD
; CHECKSUMS
; =========
; Seed the running value with the INIT_* constant and pass it back in on
; each call to checksum data in pieces.  Checksums detect accidental
; corruption only; they offer no protection against deliberate tampering.
INIT_CRC32 equ 0
INIT_CRC16 equ 0
INIT_ADLER32 equ 1
CRC32 proto lpBuffer:DWORD,dwBufLen:DWORD,dwCRC:DWORD; init dwCRC = 0
; for RCRC32 Data must be Readable/Writeable
RCRC32 proto pData:dword,dwDataLen:dword,dwOffset:dword,dwWantCrc:dword; reverse CRC32
CRC16 proto lpBuffer:DWORD,dwBufLen:DWORD,dwCRC:DWORD; init dwCRC = 0
Adler32 proto lpBuffer:DWORD,dwBufLen:DWORD,dwAdler:DWORD; init dwAdler = 1
; HASHES
; ======
; Digest sizes in bytes.  Streaming API per hash: XInit, then XUpdate
; (lpBuffer, dwBufLen) as often as needed, then XFinal.  The remover passes
; MD5Final's eax straight to HexEncode as the digest pointer, so XFinal
; presumably returns a pointer to the digest in eax — confirm for the others.
; MD2/MD4/MD5/SHA0/SHA1 are not collision-resistant: fine for recognising a
; specific known file, not for authenticating input an attacker can choose.
MD5_DIGESTSIZE equ 128/8
MD4_DIGESTSIZE equ 128/8
MD2_DIGESTSIZE equ 128/8
RMD128_DIGESTSIZE equ 128/8
RMD160_DIGESTSIZE equ 160/8
RMD256_DIGESTSIZE equ 256/8
RMD320_DIGESTSIZE equ 320/8
SHA0_DIGESTSIZE equ 160/8
SHA1_DIGESTSIZE equ 160/8
SHA256_DIGESTSIZE equ 256/8
SHA384_DIGESTSIZE equ 384/8
SHA512_DIGESTSIZE equ 512/8
WHIRLPOOL_DIGESTSIZE equ 512/8
TIGER_DIGESTSIZE equ 192/8
MD5Init proto
MD5Update proto lpBuffer:DWORD,dwBufLen:DWORD
MD5Final proto
MD4Init proto
MD4Update proto lpBuffer:DWORD,dwBufLen:DWORD
MD4Final proto
MD2Init proto
MD2Update proto lpBuffer:DWORD,dwBufLen:DWORD
MD2Final proto
RMD128Init proto
RMD128Update proto lpBuffer:DWORD,dwBufLen:DWORD
RMD128Final proto
RMD160Init proto
RMD160Update proto lpBuffer:DWORD,dwBufLen:DWORD
RMD160Final proto
RMD256Init proto
RMD256Update proto lpBuffer:DWORD,dwBufLen:DWORD
RMD256Final proto
RMD320Init proto
RMD320Update proto lpBuffer:DWORD,dwBufLen:DWORD
RMD320Final proto
SHA0Init proto
SHA0Update proto lpBuffer:DWORD,dwBufLen:DWORD
SHA0Final proto
SHA1Init proto
SHA1Update proto lpBuffer:DWORD,dwBufLen:DWORD
SHA1Final proto
SHA256Init proto
SHA256Update proto lpBuffer:DWORD,dwBufLen:DWORD
SHA256Final proto
SHA384Init proto
SHA384Update proto lpBuffer:DWORD,dwBufLen:DWORD
SHA384Final proto
SHA512Init proto
SHA512Update proto lpBuffer:DWORD,dwBufLen:DWORD
SHA512Final proto
WhirlpoolInit proto
WhirlpoolUpdate proto lpBuffer:DWORD,dwBufLen:DWORD
WhirlpoolFinal proto
TigerInit proto
TigerUpdate proto lpBuffer:DWORD,dwBufLen:DWORD
TigerFinal proto
HavalInit proto DigestSizeBits:DWORD,Passes:DWORD ; variable digest & passes !!!
HavalUpdate proto lpBuffer:DWORD,dwBufLen:DWORD
HavalFinal proto
; TEXT UTILS
; ==========
; Output buffers are sized by the caller; the minimum sizes given below are
; the only bounds these routines get, so an undersized pOutBuff overflows.
HexEncode proto pBuff:dword,dwLen:dword,pOutBuff:dword ; sizeof pOutBuff must be (dwLen)*2+2
HexDecode proto pHexStr:dword,pOutBuffer:dword; sizeof pOutBuff must be StrLen(pHexStr)/2+1
Base64Encode proto pInputData:DWORD,dwDataLen:DWORD,pOutputStr:DWORD; returns b64 string len
Base64Decode proto pInputStr:DWORD,pOutputData:DWORD; result = length
Base2Decode proto pInputStr:dword,pOutputData:dword; result = length
Base2Encode proto pInputData:dword,dwDataLen:dword,pOutputData:dword; result = length

I've used the chiptune ripped by EP_X0 in a post (http://www.kernelmode.info/forum/viewto ... =675#p4614)