Archives
/
defender-control
mirror of https://github.com/qtkite/defender-control
2
0
Fork 0
Code Issues Projects Releases Wiki Activity

enable + disable routine hooks

Browse Source
pull/1/head
qtkite 3 years ago
parent 9a09527155
commit 10b7ce23e0
3 changed files with 154 additions and 89 deletions
Show Stats Download Patch File Download Diff File

190
src/defender-control/dcontrol.cpp
Unescape Escape View File

@ -2,6 +2,11 @@
namespace REG
{
void init_key(DWORD* a1)
{
*a1 = -2147483646;
}
// reads a key from HKEY_LOCAL_MACHINE
//
DWORD read_key(const wchar_t* root_name, const wchar_t* value_name, uint32_t flags)
@ -16,6 +21,12 @@ namespace REG
// KEY_ALL_ACCESS to access
// but we only need to read for this call
#if 0
HKEY temp{};
HKEY phkResult;
RegConnectRegistryW(0, temp, &phkResult);
#endif
status = RegOpenKeyExW(
HKEY_LOCAL_MACHINE,
root_name,
@ -59,153 +70,201 @@ namespace REG
{
LSTATUS status;
#if 0
HKEY temp{};
HKEY phkResult;
RegConnectRegistryW(0, temp, &phkResult);
#endif
#if 0
// 0x20119 or 131353
status = RegOpenKeyExW(
HKEY_LOCAL_MACHINE,
root_name,
0,
KEY_ALL_ACCESS | KEY_WOW64_64KEY,
131353,
&hkey
);
if (!status)
if (status == ERROR_SUCCESS)
{
std::wcout << "Successfully opened " << root_name << std::endl;
return true;
}
#endif
//[RegCreateKeyExW]
//hKey: 80000002
//lpSubKey: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run
//lpClass:
//samDesired: 131334
//Reserved: 0
//lpSecurityAttributes: 00000000
//dwOptions: 0
//lpdwDisposition: 008BF04C
DWORD dwDisposition;
status = RegCreateKeyExW(
HKEY_LOCAL_MACHINE,
root_name,
0, 0,
REG_OPTION_NON_VOLATILE,
KEY_ALL_ACCESS, 0,
0,
0,
0,
131334,
0,
&hkey,
0
&dwDisposition
);
if (status)
{
std::cout << "could not find or create " << root_name << std::endl;
std::wcout << "could not find or create " << root_name << " error: " << status << std::endl;
return false;
}
#if 0
std::cout << "disposition: " << dwDisposition << std::endl;
#endif
return true;
}
bool set_keyval(HKEY& hkey, const wchar_t* value_name, DWORD value)
{
if (RegSetValueExW(hkey, value_name, 0, REG_DWORD,
reinterpret_cast<LPBYTE>(&value), sizeof(DWORD)))
auto ret = RegSetValueExW(hkey, value_name, 0, REG_DWORD,
reinterpret_cast<LPBYTE>(&value), 4);
if (ret)
{
std::cout << "Set error: " << ret << std::endl;
return false;
}
return true;
}
bool set_keyval_bin(HKEY& hkey, const wchar_t* value_name, DWORD value)
{
if (RegSetValueExW(hkey, value_name, 0, REG_BINARY,
reinterpret_cast<LPBYTE>(&value), sizeof(DWORD)))
auto ret = RegSetValueExW(hkey, value_name, 0, REG_BINARY,
reinterpret_cast<LPBYTE>(&value), 12);
if (ret)
{
std::cout << "Set error: " << ret << std::endl;
return false;
}
return true;
}
}
namespace DCONTROL
{
char sub_43604B()
{
char v0; // bl
SC_HANDLE v1; // eax
SC_HANDLE v2; // esi
void* v3; // eax
v0 = 0;
v1 = OpenSCManagerW(0, 0, 8u);
v2 = v1;
if (v1)
{
v3 = LockServiceDatabase(v1);
if (v3)
{
UnlockServiceDatabase(v3);
CloseServiceHandle(v2);
return 1;
}
if (GetLastError() == 1055)
v0 = 1;
CloseServiceHandle(v2);
}
return v0;
}
// disables window defender
//
bool disable_defender()
{
// create DisableRealtimeMonitoring if it does not exist then set value to 1
// [RegCreateKeyExW]
// lpSubKey: SOFTWARE\Policies\Microsoft\Windows Defender
// [RegSetValueExW]
// lpValueName: DisableAntiSpyware
// [RegCreateKeyExW]
// lpSubKey: SOFTWARE\Microsoft\Windows Defender
// [RegCreateKeyExW]
// lpSubKey: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
// [RegCreateKeyExW]
// lpSubKey: SYSTEM\CurrentControlSet\Services\WinDefend
// [RegSetValueExW]
// lpValueName: Start
// [RegOpenKeyExW]
// lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
// [RegQueryValueExW]
// lpValueName: SecurityHealth
// [RegCreateKeyExW]
// lpSubKey: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run
// [RegSetValueExW]
// lpValueName: SecurityHealth
// [RegOpenKeyExW]
// lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
// [RegEnumValueW]
// lpValueName: SecurityHealth
// [RegOpenKeyExW]
// lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
// [RegQueryValueExW]
// lpValueName: DisableRealtimeMonitoring
if (!sub_43604B())
{
std::cout << "permission error" << std::endl;
return false;
}
HKEY hkey;
// SecurityHealth
// DisableAntiSpyware
{
if (!REG::create_registry(L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run", hkey))
{
std::cout << "failed to access CurrentVersion" << std::endl;
return false;
}
if (!REG::create_registry(L"SOFTWARE\\Policies\\Microsoft\\Windows Defender", hkey))
{
std::cout << "failed to access Policies" << std::endl;
return false;
}
if (!REG::set_keyval_bin(hkey, L"SecurityHealth", 3))
if (!REG::set_keyval(hkey, L"DisableAntiSpyware", 1))
{
std::cout << "failed to write to SecurityHealth" << std::endl;
std::cout << "failed to write to DisableAntiSpyware" << std::endl;
return false;
}
}
// Start (3 off) (2 on)
{
if (!REG::create_registry(L"SYSTEM\\CurrentControlSet\\Services\\WinDefend", hkey))
#if 0
if (!REG::create_registry(L"SOFTWARE\\Microsoft\\Windows Defender", hkey))
{
std::cout << "failed to access CurrentControlSet" << std::endl;
std::cout << "failed to access Windows Defender" << std::endl;
return false;
}
if (!REG::set_keyval(hkey, L"Start", 3))
if (!REG::set_keyval(hkey, L"DisableAntiSpyware", 1))
{
std::cout << "failed to write to Start" << std::endl;
std::cout << "failed to write to DisableAntiSpyware" << std::endl;
return false;
}
#endif
}
// DisableAntiSpyware
// Start (3 off) (2 on)
{
if (!REG::create_registry(L"SOFTWARE\\Policies\\Microsoft\\Windows Defender", hkey))
if (!REG::create_registry(L"SYSTEM\\CurrentControlSet\\Services\\WinDefend", hkey))
{
std::cout << "failed to access Policies" << std::endl;
std::cout << "failed to access CurrentControlSet" << std::endl;
return false;
}
if (!REG::set_keyval(hkey, L"DisableAntiSpyware", 1))
if (!REG::set_keyval(hkey, L"Start", 3))
{
std::cout << "failed to write to DisableAntiSpyware" << std::endl;
std::cout << "failed to write to Start" << std::endl;
return false;
}
}
if (!REG::create_registry(L"SOFTWARE\\Microsoft\\Windows Defender", hkey))
std::cout << "Wrote to Start" << std::endl;
// SecurityHealth
{
if (!REG::create_registry(L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run", hkey))
{
std::cout << "failed to access Windows Defender" << std::endl;
std::cout << "failed to access CurrentVersion" << std::endl;
return false;
}
if (!REG::set_keyval(hkey, L"DisableAntiSpyware", 1))
if (!REG::set_keyval_bin(hkey, L"SecurityHealth", 3))
{
std::cout << "failed to write to DisableAntiSpyware" << std::endl;
std::cout << "failed to write to SecurityHealth" << std::endl;
return false;
}
}
std::cout << "Wrote to SecurityHealth" << std::endl;
#if 0
// DisableRealtimeMonitoring
{
if (!REG::create_registry(L"SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection", hkey))
@ -219,6 +278,7 @@ namespace DCONTROL
return false;
}
}
#endif
return true;
}

2
src/defender-control/defender-control.vcxproj
Unescape Escape View File

@ -37,7 +37,7 @@
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
<CharacterSet>MultiByte</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>

51
src/dumper/dumper.cpp
Unescape Escape View File

@ -44,26 +44,24 @@ namespace RegHooks
using enable_def_helper_t = int(__thiscall*)(void*, int, DWORD*);
uintptr_t enable_def_help_addr;
int __fastcall enable_def_helper(void* pThis, void* edx, int a2, DWORD* a3)
int __fastcall hk_enable_def(void* pThis, void* edx, int a2, DWORD* a3)
{
std::cout << "activation routine" << std::endl;
auto v37 = *(DWORD*)(a2 + 8);
std::cout << "v37: " << v37 << std::endl;
std::cout << "enabling defender" << std::endl;
return (reinterpret_cast<enable_def_helper_t>(enable_def_help_addr))(pThis, a2, a3);
}
// WM_COMMAND handler
// base+05F48E
// can be found by tracing the main function and looking for WM_COMMAND (0x0111)
// however this function doesn't seem to be called on runtime
//
using handle_command_t = char(__stdcall*)(int, UINT, UINT);
uintptr_t handle_command_addr;
// Disable defender handler
using disable_def_t = int(__thiscall*)(void*, int, DWORD*);
uintptr_t disable_def_addr;
// disable defender routine:
// 0x6AEAF
// int __thiscall DisableDefender(void *this, int a1, _DWORD *a2)
char __stdcall HandleCommand(int a1, UINT wparam, UINT lparam)
int __fastcall hk_disable_def(void* pThis, void* edx, int a1, DWORD* a2)
{
std::cout << "handlecommand(" << wparam << ", " << lparam << ")" << std::endl;
return (reinterpret_cast<handle_command_t>(handle_command_addr))(a1, wparam, lparam);
std::cout << "disabling defender" << std::endl;
return (reinterpret_cast<disable_def_t>(disable_def_addr))(pThis, a1, a2);
}
// hook for RegEnumValueW
@ -148,6 +146,10 @@ namespace RegHooks
{
std::cout << "[RegSetValueExW]" << std::endl;
std::cout << "lpValueName: " << wide_to_string(lpValueName).c_str() << std::endl;
std::cout << "Reserved: " << Reserved << std::endl;
std::cout << "dwType: " << dwType << std::endl;
std::cout << "cbData: " << cbData << std::endl;
return (reinterpret_cast<regsetkeyvalueexw_t>(regsetvalue_addr))(hKey, lpValueName, Reserved, dwType, lpData, cbData);
}
@ -171,8 +173,14 @@ namespace RegHooks
)
{
std::cout << "[RegCreateKeyExW]" << std::endl;
std::cout << "hKey: " << hKey << std::endl;
std::cout << "lpSubKey: " << wide_to_string(lpSubKey).c_str() << std::endl;
std::cout << "lpClass: " << wide_to_string(lpClass).c_str() << std::endl;
std::cout << "samDesired: " << samDesired << std::endl;
std::cout << "Reserved: " << Reserved << std::endl;
std::cout << "lpSecurityAttributes: " << lpSecurityAttributes << std::endl;
std::cout << "dwOptions: " << dwOptions << std::endl;
std::cout << "lpdwDisposition: " << lpdwDisposition << std::endl;
return (reinterpret_cast<RegCreateKeyExW_t>(RegCreateKeyExW_addr))
(hKey, lpSubKey, Reserved, lpClass, dwOptions, samDesired, lpSecurityAttributes, phkResult, lpdwDisposition);
@ -343,23 +351,20 @@ void thread_main()
//DetourHelper::perf_hook((PVOID*)&RegHooks::regdeletekeyw_addr, RegHooks::hk_RegDeleteKeyW);
//DetourHelper::perf_hook((PVOID*)&RegHooks::regdeletevaluew_addr, RegHooks::hk_RegDeleteValueW);
//DetourHelper::perf_hook((PVOID*)&RegHooks::regenumvaluew_addr, RegHooks::hk_RegEnumValueW);
DetourHelper::perf_hook((PVOID*)&RegHooks::regsetvalue_addr, RegHooks::hk_RegSetValueExW);
DetourHelper::perf_hook((PVOID*)&RegHooks::RegCreateKeyExW_addr, RegHooks::hk_RegCreateKeyExW);
//DetourHelper::perf_hook((PVOID*)&RegHooks::regsetvalue_addr, RegHooks::hk_RegSetValueExW);
//DetourHelper::perf_hook((PVOID*)&RegHooks::RegCreateKeyExW_addr, RegHooks::hk_RegCreateKeyExW);
//DetourHelper::perf_hook((PVOID*)&RegHooks::RegConnectRegistryW_addr, RegHooks::hk_RegConnectRegistryW);
//DetourHelper::perf_hook((PVOID*)&RegHooks::RegEnumKeyExW_addr, RegHooks::hk_RegEnumKeyExW);
//DetourHelper::perf_hook((PVOID*)&RegHooks::RegQueryValueExW_addr, RegHooks::hk_RegQueryValueExW);
DetourHelper::perf_hook((PVOID*)&RegHooks::RegOpenKeyExW_addr, RegHooks::hk_RegOpenKeyExW);
//DetourHelper::perf_hook((PVOID*)&RegHooks::RegOpenKeyExW_addr, RegHooks::hk_RegOpenKeyExW);
// native hooks
// pretty redunant dont need to enable them
//
#if 0
RegHooks::enable_def_help_addr = (uintptr_t)GetModuleHandleA(0) + 0x6AB70;
DetourHelper::perf_hook((PVOID*)&RegHooks::enable_def_help_addr, RegHooks::enable_def_helper);
DetourHelper::perf_hook((PVOID*)&RegHooks::enable_def_help_addr, RegHooks::hk_enable_def);
RegHooks::handle_command_addr = (uintptr_t)GetModuleHandleA(0) + 0x5F48E;
DetourHelper::perf_hook((PVOID*)&RegHooks::handle_command_addr, RegHooks::HandleCommand);
#endif
RegHooks::disable_def_addr = (uintptr_t)GetModuleHandleA(0) + 0x6AEAF;
DetourHelper::perf_hook((PVOID*)&RegHooks::disable_def_addr, RegHooks::hk_disable_def);
}
BOOL APIENTRY DllMain(HMODULE hModule,

Write Preview
Loading…
Cancel
Save