mirror of
https://github.com/qtkite/defender-control.git
synced 2024-11-04 12:00:15 +00:00
Merge branch 'main' of https://github.com/qtKite/defender-control into main
This commit is contained in: commit 241ad86ac8
84 README.md
@ -1,81 +1,50 @@
# defender-control
currently a work in progress - feel free to come back to check on any updates
## what is this project?
We all know that disabling windefender is a pain going through countless registries.
The next easiest solution is to use freeware and currently the most popular one is by sordum. (i won't link here - you can find it on the first google result)
however, i was first wary of this program and the virus total detections; althought they are claimed to be false positive.
but i know that this program has worked well for me and friends in the past.
but for those who like open source, i took apart this program and did the research to disable windows defender in an easy open source manner without having to worry about running malware.
# Defender Control
Open source windows defender disabler
## reversal
Our tool of choice will be IDA & x64 debugger for this task
firstly we are going to inspect the strings and look for anything interesting.
Strings seems to be hidden in this one, so I will do 2 different PoC of attack.
The first one, is to hook the registry functions and output their arguments. Since I know
for a fact after looking at the imports - this program works by writing into relevant registries.
## What is this project?
We all know that disabling windefender is a pain going through countless registries & running endless powershell commands.
The next easiest solution is to use freeware and currently the most popular one is by sordum.
But I like open source, so I made a safe to use open source defender control.
The second method is to breakpoint each function with x64 debugger and take a look at the strings on runtime.
I did eventually come up with a third method, and it was to let procmon do its thing while you debug the program - but ill leave that as an exercise for another day.
## Demo
![Demo](https://github.com/qtkite/defender-control/blob/main/resources/demo.gif?raw=true)
## TODO
- Delete windefend as trusted installer
- Remove startup as boot
## Reversal
I reversed parts of the freeware with some hooks & x64 debugger, here are some of my findings
## x64 Debug
### disabling defender
If we breakpoint onto RegSetKeyValue it writes into "DisableAntiSpyware" which we can research on the internet
There is a lot of occurance with the following registry directory: "Software\\Policies\\Microsoft\\Windows Defender"
It is found under the parent directory of HKLM64.
```asm
008CE9E8 043DCA88 L"HKLM64"
...
008CEA08 043DCBC0 L"SOFTWARE\\Policies\\Microsoft\\Windows Defender"
```
The second breakpoint leads us here:
```asm
008CE8F0 043DCFE8 L"HKLM64"
...
008CE910 043DD120 L"SYSTEM\\CurrentControlSet\\Services\\WinDefend"
```
So taking a look into the registry: SYSTEM\\CurrentControlSet\\Services\\WinDefend
and cross referencing back to x64 dbg: we notice this:
76122F7F | 397D 0C | cmp dword ptr ss:[ebp+C],edi | [ebp+C]:L"Start"`
`76122F7F | 397D 0C | cmp dword ptr ss:[ebp+C],edi | [ebp+C]:L"Start"`
https://answers.microsoft.com/en-us/protect/forum/protect_defender-protect_start-windows_10/how-to-disable-windows-defender-in-windows-10/b834d36e-6da8-42a8-85f6-da9a520f05f2
It appears that 0x03 disables windefender, while 0x02 means to enable.
A quick google search brings us here: https://answers.microsoft.com/en-us/protect/forum/protect_defender-protect_start-windows_10/how-to-disable-windows-defender-in-windows-10/b834d36e-6da8-42a8-85f6-da9a520f05f2
The next one is also in HKLM:
```asm
76122FF0 | 8945 CC | mov dword ptr ss:[ebp-34],eax | [ebp-34]:L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run"
76122FF3 | 66:8B01 | mov ax,word ptr ds:[ecx] | ecx:&L"SecurityHealth"
```
Seems to be set to 3 or off
Now we will look at RegCreateKey
There seems to be a regisatry opened at
```asm
EDX : 043DCD78 L"SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection"
EIP : 7591E420 <advapi32.RegCreateKeyExW>
```
However, there doesnt seem to be anymore functions breakpointed. So lets inspect the directory
We have 2 flags set:
DisableRealtimeMonitoring as a REG_DWORD set to 0x01
DpaDisabled as REG_DWORD set to 0x0
Another one opened here:
```asm
008CEFF8 043EB4C8 L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run"
```
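Review bot: the reading of the WinDefend Start value at "It appears that 0x03 disables windefender, while 0x02 means to enable" is wrong for SYSTEM\CurrentControlSet\Services\WinDefend: for a service's Start DWORD, 2 is SERVICE_AUTO_START, 3 is SERVICE_DEMAND_START (manual start) and 4 is SERVICE_DISABLED, so writing 3 only stops the service from starting automatically at boot; the README should state which value the tool actually writes and what that value means. The DisableAntiSpyware value under SOFTWARE\Policies\Microsoft\Windows Defender is a legacy setting that current Defender platform builds no longer honor, and Tamper Protection, when enabled, is designed to block exactly these changes (DisableRealtimeMonitoring, the WinDefend Start value) from scripts and registry edits, so the findings in this hunk should record the Windows build and Defender platform version on which they were verified, and the "registries" wording throughout should read "registry keys/values".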
@ -265,11 +234,7 @@ lpValueName: SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
[RegQueryValueExW]
lpValueName: C:\Program Files (x86)\DefenderControl\dControl.exe
<also redacted a bunch of stuff from policy manager stuff>
```
So by analyzing these logs, it seems that we check if defender is enabled by reading these two registries:
```asm
-----
SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
DisableRealtimeMonitoring
```
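Review bot: "we check if defender is enabled by reading these two registries" is followed by a block that lists only one key and one value (SOFTWARE\Microsoft\Windows Defender\Real-Time Protection with DisableRealtimeMonitoring), so either add the second key/value that is read or drop "two". The block is also fenced as asm although it is a registry path listing, and "registries" should be "registry values"; the RegQueryValueExW line with lpValueName set to C:\Program Files (x86)\DefenderControl\dControl.exe is correct as a read of the Exclusions\Paths key, where each excluded path is a value name, and a short sentence saying so would make the log easier to follow.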
@ -357,8 +322,7 @@ lpValueName: DisableRealtimeMonitoring
[Control Table] 0x495be4
```
To enable the AV, we just do the opposite of what we needed to disable the AV.
Upon starting the AV, the program calls CreateProcessW on C:\Windows\System32\SecurityHealthSystray.exe
## Windows Tamper Protection
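Review bot: "To enable the AV, we just do the opposite of what we needed to disable the AV" should spell out the values to restore, because the disable path touched several places (the WinDefend Start DWORD, DisableRealtimeMonitoring under Real-Time Protection, the SecurityHealth entry under StartupApproved\Run, and the Policies DisableAntiSpyware value), and "the opposite" is ambiguous for each of them. Also, the CreateProcessW call on C:\Windows\System32\SecurityHealthSystray.exe only relaunches the Windows Security tray icon; it does not start the WinDefend service, so the section should say how the service itself is brought back (Start value and a service start), and the "[Control Table] 0x495be4" line needs a sentence explaining what that address refers to.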
@ -368,8 +332,6 @@ Luckily for us, all this stuff is documented. Check out these two links:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2019-ps
- https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-c---application-examples
So, since its kind of difficult to debug the values DefenderControl accesses and this stuff is pretty well documented - we are going to base our work off research.
I first wanted to see how powershell called the command, so i looked through the powershell github since its open sourced and found that the command was in a cmdlet that was not documented in the repository. So after reading up on some powershell commands I dumped the powershell informating using this:
```asm
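Review bot: the fence opened after "I dumped the powershell informating using this:" is tagged asm, but what it holds is PowerShell, so tag it powershell; "informating" should be "information". The sentence about a cmdlet "not documented in the repository" is misleading: Set-MpPreference is not part of the PowerShell GitHub repository at all, it ships with Windows in the Defender module as a CDXML wrapper over the MSFT_MpPreference WMI class in root/Microsoft/Windows/Defender, which is exactly why the Set-MpPreference and WMI links above are the right reference; say that instead of implying the cmdlet is undocumented.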
@ -384,7 +346,7 @@ We can access via powershell like so:
Get-WmiObject -ClassName MSFT_MpPreference -Namespace root/microsoft/windows/defender
```
If we look further we can write to this using the WMI as i suspected, it is documented here:
If we look further we can write to this using the WMI - it is documented here:
https://docs.microsoft.com/en-us/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal
We can find the specific wmi com classes if we do the following command:
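Review bot: "Get-WmiObject -ClassName MSFT_MpPreference -Namespace root/microsoft/windows/defender" does not run as written, because Get-WmiObject's parameter is -Class, not -ClassName (-ClassName belongs to Get-CimInstance). Either change it to "Get-WmiObject -Class MSFT_MpPreference -Namespace root/microsoft/windows/defender" or, preferably, "Get-CimInstance -ClassName MSFT_MpPreference -Namespace root/microsoft/windows/defender", since Get-WmiObject is deprecated and absent from PowerShell 7 while the CIM cmdlets work in both Windows PowerShell and PowerShell 7.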
@ -403,4 +365,4 @@ CimSystemProperties : Microsoft.Management.Infrastruct
We can find the class here: https://docs.microsoft.com/en-us/dotnet/api/microsoft.management.infrastructure.cimsystemproperties?view=powershellsdk-7.0.0
It is also located in windows binaries in the following path: C:\Program Files (x86)\Reference Assemblies\Microsoft\WMI\v1.0
It is also located in windows binaries in the following path: C:\Program Files (x86)\Reference Assemblies\Microsoft\WMI\v1.0
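Review bot: "We can find the class here" links to the CimSystemProperties API page, which documents the generic CIM metadata (namespace, server name, class name, path) attached to every CimInstance, not the MSFT_MpPreference class; the Defender class itself is documented on the WMIv2 APIs portal linked earlier, so the sentence should say that this link explains the CimSystemProperties field seen in the output rather than the class. The "C:\Program Files (x86)\Reference Assemblies\Microsoft\WMI\v1.0" line appears twice in the hunk with identical visible text, which points to a whitespace-only change that can be dropped from the commit.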