From 10b7ce23e07894beaaa49c5e687b1cec0ed6b087 Mon Sep 17 00:00:00 2001 From: qtkite Date: Mon, 7 Jun 2021 04:05:26 +1000 Subject: [PATCH] enable + disable routine hooks --- src/defender-control/dcontrol.cpp | 190 ++++++++++++------ src/defender-control/defender-control.vcxproj | 2 +- src/dumper/dumper.cpp | 51 ++--- 3 files changed, 154 insertions(+), 89 deletions(-) diff --git a/src/defender-control/dcontrol.cpp b/src/defender-control/dcontrol.cpp index 007b78c..95eb677 100644 --- a/src/defender-control/dcontrol.cpp +++ b/src/defender-control/dcontrol.cpp @@ -2,6 +2,11 @@ namespace REG { + void init_key(DWORD* a1) + { + *a1 = -2147483646; + } + // reads a key from HKEY_LOCAL_MACHINE // DWORD read_key(const wchar_t* root_name, const wchar_t* value_name, uint32_t flags) @@ -16,6 +21,12 @@ namespace REG // KEY_ALL_ACCESS to access // but we only need to read for this call +#if 0 + HKEY temp{}; + HKEY phkResult; + RegConnectRegistryW(0, temp, &phkResult); +#endif + status = RegOpenKeyExW( HKEY_LOCAL_MACHINE, root_name, @@ -59,153 +70,201 @@ namespace REG { LSTATUS status; +#if 0 + HKEY temp{}; + HKEY phkResult; + RegConnectRegistryW(0, temp, &phkResult); +#endif + +#if 0 + // 0x20119 or 131353 status = RegOpenKeyExW( HKEY_LOCAL_MACHINE, root_name, 0, - KEY_ALL_ACCESS | KEY_WOW64_64KEY, + 131353, &hkey ); - if (!status) + if (status == ERROR_SUCCESS) + { + std::wcout << "Successfully opened " << root_name << std::endl; return true; + } +#endif + + //[RegCreateKeyExW] + //hKey: 80000002 + //lpSubKey: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run + //lpClass: + //samDesired: 131334 + //Reserved: 0 + //lpSecurityAttributes: 00000000 + //dwOptions: 0 + //lpdwDisposition: 008BF04C + + DWORD dwDisposition; status = RegCreateKeyExW( HKEY_LOCAL_MACHINE, root_name, - 0, 0, - REG_OPTION_NON_VOLATILE, - KEY_ALL_ACCESS, 0, + 0, + 0, + 0, + 131334, + 0, &hkey, - 0 + &dwDisposition ); if (status) { - std::cout << "could not find or create " << root_name << std::endl; + std::wcout << "could not find or create " << root_name << " error: " << status << std::endl; return false; } +#if 0 + std::cout << "disposition: " << dwDisposition << std::endl; +#endif + return true; } bool set_keyval(HKEY& hkey, const wchar_t* value_name, DWORD value) { - if (RegSetValueExW(hkey, value_name, 0, REG_DWORD, - reinterpret_cast(&value), sizeof(DWORD))) + auto ret = RegSetValueExW(hkey, value_name, 0, REG_DWORD, + reinterpret_cast(&value), 4); + + if (ret) { + std::cout << "Set error: " << ret << std::endl; return false; } + return true; } bool set_keyval_bin(HKEY& hkey, const wchar_t* value_name, DWORD value) { - if (RegSetValueExW(hkey, value_name, 0, REG_BINARY, - reinterpret_cast(&value), sizeof(DWORD))) + auto ret = RegSetValueExW(hkey, value_name, 0, REG_BINARY, + reinterpret_cast(&value), 12); + + if (ret) { + std::cout << "Set error: " << ret << std::endl; return false; } return true; - + } } namespace DCONTROL { + char sub_43604B() + { + char v0; // bl + SC_HANDLE v1; // eax + SC_HANDLE v2; // esi + void* v3; // eax + + v0 = 0; + v1 = OpenSCManagerW(0, 0, 8u); + v2 = v1; + if (v1) + { + v3 = LockServiceDatabase(v1); + if (v3) + { + UnlockServiceDatabase(v3); + CloseServiceHandle(v2); + return 1; + } + if (GetLastError() == 1055) + v0 = 1; + CloseServiceHandle(v2); + } + return v0; + } + // disables window defender // bool disable_defender() { - // create DisableRealtimeMonitoring if it does not exist then set value to 1 - // [RegCreateKeyExW] - // lpSubKey: SOFTWARE\Policies\Microsoft\Windows Defender - // [RegSetValueExW] - // lpValueName: DisableAntiSpyware - // [RegCreateKeyExW] - // lpSubKey: SOFTWARE\Microsoft\Windows Defender - // [RegCreateKeyExW] - // lpSubKey: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection - // [RegCreateKeyExW] - // lpSubKey: SYSTEM\CurrentControlSet\Services\WinDefend - // [RegSetValueExW] - // lpValueName: Start - // [RegOpenKeyExW] - // lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run - // [RegQueryValueExW] - // lpValueName: SecurityHealth - // [RegCreateKeyExW] - // lpSubKey: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run - // [RegSetValueExW] - // lpValueName: SecurityHealth - // [RegOpenKeyExW] - // lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run - // [RegEnumValueW] - // lpValueName: SecurityHealth - // [RegOpenKeyExW] - // lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection - // [RegQueryValueExW] - // lpValueName: DisableRealtimeMonitoring + if (!sub_43604B()) + { + std::cout << "permission error" << std::endl; + return false; + } HKEY hkey; - // SecurityHealth + // DisableAntiSpyware { - if (!REG::create_registry(L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run", hkey)) - { - std::cout << "failed to access CurrentVersion" << std::endl; - return false; - } + if (!REG::create_registry(L"SOFTWARE\\Policies\\Microsoft\\Windows Defender", hkey)) + { + std::cout << "failed to access Policies" << std::endl; + return false; + } - if (!REG::set_keyval_bin(hkey, L"SecurityHealth", 3)) + if (!REG::set_keyval(hkey, L"DisableAntiSpyware", 1)) { - std::cout << "failed to write to SecurityHealth" << std::endl; + std::cout << "failed to write to DisableAntiSpyware" << std::endl; return false; } - } - // Start (3 off) (2 on) - { - if (!REG::create_registry(L"SYSTEM\\CurrentControlSet\\Services\\WinDefend", hkey)) +#if 0 + if (!REG::create_registry(L"SOFTWARE\\Microsoft\\Windows Defender", hkey)) { - std::cout << "failed to access CurrentControlSet" << std::endl; + std::cout << "failed to access Windows Defender" << std::endl; return false; } - if (!REG::set_keyval(hkey, L"Start", 3)) + if (!REG::set_keyval(hkey, L"DisableAntiSpyware", 1)) { - std::cout << "failed to write to Start" << std::endl; + std::cout << "failed to write to DisableAntiSpyware" << std::endl; return false; } +#endif } - // DisableAntiSpyware + // Start (3 off) (2 on) { - if (!REG::create_registry(L"SOFTWARE\\Policies\\Microsoft\\Windows Defender", hkey)) + if (!REG::create_registry(L"SYSTEM\\CurrentControlSet\\Services\\WinDefend", hkey)) { - std::cout << "failed to access Policies" << std::endl; + std::cout << "failed to access CurrentControlSet" << std::endl; return false; } - if (!REG::set_keyval(hkey, L"DisableAntiSpyware", 1)) + if (!REG::set_keyval(hkey, L"Start", 3)) { - std::cout << "failed to write to DisableAntiSpyware" << std::endl; + std::cout << "failed to write to Start" << std::endl; return false; } + } - if (!REG::create_registry(L"SOFTWARE\\Microsoft\\Windows Defender", hkey)) + std::cout << "Wrote to Start" << std::endl; + + + // SecurityHealth + { + if (!REG::create_registry(L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run", hkey)) { - std::cout << "failed to access Windows Defender" << std::endl; + std::cout << "failed to access CurrentVersion" << std::endl; return false; } - if (!REG::set_keyval(hkey, L"DisableAntiSpyware", 1)) + if (!REG::set_keyval_bin(hkey, L"SecurityHealth", 3)) { - std::cout << "failed to write to DisableAntiSpyware" << std::endl; + std::cout << "failed to write to SecurityHealth" << std::endl; return false; } } + std::cout << "Wrote to SecurityHealth" << std::endl; + + +#if 0 // DisableRealtimeMonitoring { if (!REG::create_registry(L"SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection", hkey)) @@ -219,6 +278,7 @@ namespace DCONTROL return false; } } +#endif return true; } diff --git a/src/defender-control/defender-control.vcxproj b/src/defender-control/defender-control.vcxproj index da489c3..9ebc782 100644 --- a/src/defender-control/defender-control.vcxproj +++ b/src/defender-control/defender-control.vcxproj @@ -37,7 +37,7 @@ false v142 true - Unicode + MultiByte Application diff --git a/src/dumper/dumper.cpp b/src/dumper/dumper.cpp index e934d80..946cae8 100644 --- a/src/dumper/dumper.cpp +++ b/src/dumper/dumper.cpp @@ -44,26 +44,24 @@ namespace RegHooks using enable_def_helper_t = int(__thiscall*)(void*, int, DWORD*); uintptr_t enable_def_help_addr; - int __fastcall enable_def_helper(void* pThis, void* edx, int a2, DWORD* a3) + int __fastcall hk_enable_def(void* pThis, void* edx, int a2, DWORD* a3) { - std::cout << "activation routine" << std::endl; - auto v37 = *(DWORD*)(a2 + 8); - std::cout << "v37: " << v37 << std::endl; + std::cout << "enabling defender" << std::endl; return (reinterpret_cast(enable_def_help_addr))(pThis, a2, a3); } - // WM_COMMAND handler - // base+05F48E - // can be found by tracing the main function and looking for WM_COMMAND (0x0111) - // however this function doesn't seem to be called on runtime - // - using handle_command_t = char(__stdcall*)(int, UINT, UINT); - uintptr_t handle_command_addr; + // Disable defender handler + using disable_def_t = int(__thiscall*)(void*, int, DWORD*); + uintptr_t disable_def_addr; + + // disable defender routine: + // 0x6AEAF + // int __thiscall DisableDefender(void *this, int a1, _DWORD *a2) - char __stdcall HandleCommand(int a1, UINT wparam, UINT lparam) + int __fastcall hk_disable_def(void* pThis, void* edx, int a1, DWORD* a2) { - std::cout << "handlecommand(" << wparam << ", " << lparam << ")" << std::endl; - return (reinterpret_cast(handle_command_addr))(a1, wparam, lparam); + std::cout << "disabling defender" << std::endl; + return (reinterpret_cast(disable_def_addr))(pThis, a1, a2); } // hook for RegEnumValueW @@ -148,6 +146,10 @@ namespace RegHooks { std::cout << "[RegSetValueExW]" << std::endl; std::cout << "lpValueName: " << wide_to_string(lpValueName).c_str() << std::endl; + std::cout << "Reserved: " << Reserved << std::endl; + std::cout << "dwType: " << dwType << std::endl; + std::cout << "cbData: " << cbData << std::endl; + return (reinterpret_cast(regsetvalue_addr))(hKey, lpValueName, Reserved, dwType, lpData, cbData); } @@ -171,8 +173,14 @@ namespace RegHooks ) { std::cout << "[RegCreateKeyExW]" << std::endl; + std::cout << "hKey: " << hKey << std::endl; std::cout << "lpSubKey: " << wide_to_string(lpSubKey).c_str() << std::endl; + std::cout << "lpClass: " << wide_to_string(lpClass).c_str() << std::endl; std::cout << "samDesired: " << samDesired << std::endl; + std::cout << "Reserved: " << Reserved << std::endl; + std::cout << "lpSecurityAttributes: " << lpSecurityAttributes << std::endl; + std::cout << "dwOptions: " << dwOptions << std::endl; + std::cout << "lpdwDisposition: " << lpdwDisposition << std::endl; return (reinterpret_cast(RegCreateKeyExW_addr)) (hKey, lpSubKey, Reserved, lpClass, dwOptions, samDesired, lpSecurityAttributes, phkResult, lpdwDisposition); @@ -343,23 +351,20 @@ void thread_main() //DetourHelper::perf_hook((PVOID*)&RegHooks::regdeletekeyw_addr, RegHooks::hk_RegDeleteKeyW); //DetourHelper::perf_hook((PVOID*)&RegHooks::regdeletevaluew_addr, RegHooks::hk_RegDeleteValueW); //DetourHelper::perf_hook((PVOID*)&RegHooks::regenumvaluew_addr, RegHooks::hk_RegEnumValueW); - DetourHelper::perf_hook((PVOID*)&RegHooks::regsetvalue_addr, RegHooks::hk_RegSetValueExW); - DetourHelper::perf_hook((PVOID*)&RegHooks::RegCreateKeyExW_addr, RegHooks::hk_RegCreateKeyExW); + //DetourHelper::perf_hook((PVOID*)&RegHooks::regsetvalue_addr, RegHooks::hk_RegSetValueExW); + //DetourHelper::perf_hook((PVOID*)&RegHooks::RegCreateKeyExW_addr, RegHooks::hk_RegCreateKeyExW); //DetourHelper::perf_hook((PVOID*)&RegHooks::RegConnectRegistryW_addr, RegHooks::hk_RegConnectRegistryW); //DetourHelper::perf_hook((PVOID*)&RegHooks::RegEnumKeyExW_addr, RegHooks::hk_RegEnumKeyExW); //DetourHelper::perf_hook((PVOID*)&RegHooks::RegQueryValueExW_addr, RegHooks::hk_RegQueryValueExW); - DetourHelper::perf_hook((PVOID*)&RegHooks::RegOpenKeyExW_addr, RegHooks::hk_RegOpenKeyExW); + //DetourHelper::perf_hook((PVOID*)&RegHooks::RegOpenKeyExW_addr, RegHooks::hk_RegOpenKeyExW); // native hooks - // pretty redunant dont need to enable them // -#if 0 RegHooks::enable_def_help_addr = (uintptr_t)GetModuleHandleA(0) + 0x6AB70; - DetourHelper::perf_hook((PVOID*)&RegHooks::enable_def_help_addr, RegHooks::enable_def_helper); + DetourHelper::perf_hook((PVOID*)&RegHooks::enable_def_help_addr, RegHooks::hk_enable_def); - RegHooks::handle_command_addr = (uintptr_t)GetModuleHandleA(0) + 0x5F48E; - DetourHelper::perf_hook((PVOID*)&RegHooks::handle_command_addr, RegHooks::HandleCommand); -#endif + RegHooks::disable_def_addr = (uintptr_t)GetModuleHandleA(0) + 0x6AEAF; + DetourHelper::perf_hook((PVOID*)&RegHooks::disable_def_addr, RegHooks::hk_disable_def); } BOOL APIENTRY DllMain(HMODULE hModule,