From 3a4cc3d0ee65a533b6cac0e759cd05e40326d766 Mon Sep 17 00:00:00 2001
From: qtkite
Date: Tue, 8 Jun 2021 00:49:35 +1000
Subject: [PATCH] start av

---
 README.md | 2 +
 src/defender-control/dcontrol.cpp | 23 ++++--
 src/dumper/dumper.cpp | 112 +++++++++++++++++-------------
 3 files changed, 83 insertions(+), 54 deletions(-)

diff --git a/README.md b/README.md
index ee1082e..84ccddc 100644
--- a/README.md
+++ b/README.md
@@ -355,6 +355,8 @@ lpValueName: DisableRealtimeMonitoring
 ```
 To enable the AV, we just do the opposite of what we needed to disable the AV.
+
+Upon starting the AV, the program calls CreateProcessW on C:\Windows\System32\SecurityHealthSystray.exe
 ## Windows Tamper Protection
diff --git a/src/defender-control/dcontrol.cpp b/src/defender-control/dcontrol.cpp
index be2896c..24790da 100644
--- a/src/defender-control/dcontrol.cpp
+++ b/src/defender-control/dcontrol.cpp
@@ -104,7 +104,6 @@ namespace REG
 return false;
 }
 return true;
- }
 }
@@ -115,31 +114,41 @@ namespace WMIC
 namespace DCONTROL
 {
 // Sets the programs debug priviliges
- bool Setprivilege(LPCSTR privilege, BOOL enable)
+ bool set_privilege(LPCSTR privilege, BOOL enable)
 {
 TOKEN_PRIVILEGES priv = { 0,0,0,0 };
 HANDLE token = nullptr;
 LUID luid = { 0,0 };
- if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &token)) {
+
+ if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &token))
+ {
 if (token) CloseHandle(token);
+
 return false;
 }
- if (!LookupPrivilegeValueA(nullptr, privilege, &luid)) {
+
+ if (!LookupPrivilegeValueA(nullptr, SE_DEBUG_NAME, &luid))
+ {
 if (token) CloseHandle(token);
+
 return false;
 }
 priv.PrivilegeCount = 1;
 priv.Privileges[0].Luid = luid;
- priv.Privileges[0].Attributes = enable ? SE_PRIVILEGE_ENABLED : SE_PRIVILEGE_REMOVED;
- if (!AdjustTokenPrivileges(token, false, &priv, 0, nullptr, nullptr)) {
+ priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
+
+ if (!AdjustTokenPrivileges(token, false, &priv, 0, nullptr, nullptr))
+ {
 if (token) CloseHandle(token);
+
 return false;
 }
 if (token) CloseHandle(token);
+
 return true;
 }
@@ -179,7 +188,7 @@ namespace DCONTROL
 return false;
 }
- Setprivilege(SE_DEBUG_NAME, TRUE);
+ set_privilege(SE_DEBUG_NAME, TRUE);
 HKEY hkey;
diff --git a/src/dumper/dumper.cpp b/src/dumper/dumper.cpp
index b4603fc..8ed075c 100644
--- a/src/dumper/dumper.cpp
+++ b/src/dumper/dumper.cpp
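Review bot: The rewritten `set_privilege` ignores both of its parameters — `LookupPrivilegeValueA` now hard-codes `SE_DEBUG_NAME` and `Attributes` is always `SE_PRIVILEGE_ENABLED`, so a call such as `set_privilege(SE_DEBUG_NAME, FALSE)` enables rather than disables. Either use them again (`LookupPrivilegeValueA(nullptr, privilege, &luid)` and `priv.Privileges[0].Attributes = enable ? SE_PRIVILEGE_ENABLED : 0;` — `0` disables, whereas the old `SE_PRIVILEGE_REMOVED` strips the privilege from the token for good) or drop them from the signature so the contract matches the body. `AdjustTokenPrivileges` also returns TRUE when the privilege is not present in the token and only reports that through `GetLastError() == ERROR_NOT_ALL_ASSIGNED`, so the success path should check that before `return true`. The caller in the next hunk discards the return value, so today neither failure is visible to the tool.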
@@ -18,6 +18,25 @@ std::string wide_to_string(const std::wstring& s) {
 namespace RegHooks
 {
+ // 0x464DC
+ //
+ using alt_start_proc_t = char(__stdcall*)(LPCWSTR, LPCWSTR, LPCWSTR, LPVOID, LPWSTR,
+ HANDLE, LPCWSTR, LPSTARTUPINFOW, LPPROCESS_INFORMATION);
+ uintptr_t alt_start_proc_addr;
+
+ char __stdcall hk_alt_start_proc(LPCWSTR lpUsername, LPCWSTR lpDomain,
+ LPCWSTR lpPassword, LPVOID Environment, LPWSTR lpCommandLine,
+ HANDLE TokenHandle, LPCWSTR lpCurrentDirectory, LPSTARTUPINFOW lpStartupInfo,
+ LPPROCESS_INFORMATION lpProcessInformation)
+ {
+ std::cout << "[Alt Start Proc]" << std::endl;
+
+ return (reinterpret_cast(alt_start_proc_addr))(lpUsername, lpDomain,
+ lpPassword, Environment, lpCommandLine,
+ TokenHandle, lpCurrentDirectory, lpStartupInfo,
+ lpProcessInformation);
+ }
+
 // 0x45E0
 //
 using control_table_t = int(__stdcall*)(DWORD*, int);
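Review bot: `hk_alt_start_proc` is bound to a hard-coded RVA (`0x464DC`) with a hand-recovered nine-argument `__stdcall` prototype, yet the two comment lines above `alt_start_proc_t` hold nothing but the offset; record which binary and build (name, version or hash) the offset and prototype were taken from, because on any other build this becomes a call through an arbitrary address. A header along the lines of `// Internal process-start wrapper at RVA 0x464DC of <module/version>; prototype recovered from disassembly, char return assumed` would give the next reader what they need. The hook also receives `lpUsername`, `lpDomain` and `lpPassword` and currently prints only a tag; if the arguments are logged later, leave `lpPassword` out of the output. Whether the `char` return type and the argument order are correct cannot be verified from this diff.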
@@ -30,52 +49,6 @@ namespace RegHooks
 0x4947a4, 0x495b30, 0x494d44
 };
- /*
- [Control Table] 0x493658
- [Control Table] 0x4932f8
- [Control Table] 0x494e1c
- [Control Table] 0x4949e4
- [Control Table] 0x4965e0
- [Control Table] 0x496088
- [Control Table] 0x4951c4
- [Control Table] 0x4960d0
- [Control Table] 0x49463c
- [Control Table] 0x493808
- [Control Table] 0x493850
- [Control Table] 0x494ed0
- [Control Table] 0x49382c
- [Control Table] 0x49532c
- [Control Table] 0x493874 DLLSTRUCTGETSIZE
- [Control Table] 0x493898 DLLSTRUCTSETDATA
- [Control Table] 0x4931fc sub_45AA7F
- [Control Table] 0x4931b4 int __stdcall sub_45AC96(int a1, int *a2)
- [Control Table] 0x495500 REGISTRY DEFENDER
- [Control Table] 0x495cbc STRINGTOBINARY
- [Control Table] 0x495ce0 STRINGTRIMLEFT
- [Control Table] 0x4958cc STRING
- [Control Table] 0x494a74
- [Control Table] 0x495c08
- [Control Table] 0x494cfc INT
- [Control Table] 0x493c40
- [Control Table] 0x493e5c
- [Control Table] 0x493ea4
- [Control Table] 0x493b8c
- [Control Table] 0x495b0c
- [Control Table] 0x495c2c
- [Control Table] 0x4930dc
- [Control Table] 0x493fe8
- [Control Table] 0x495644
- [Control Table] 0x495428
- [Control Table] 0x496430
- [Control Table] 0x4963e8
- [Control Table] 0x4954b8
- [Control Table] 0x4945d0
- [Control Table] 0x496040
- [Control Table] 0x4960ac
- [Control Table] 0x494a50
- [Control Table] 0x495be4
- */
-
 int __stdcall hk_ControlTable(DWORD* a1, int a2)
 {
 auto ret = (reinterpret_cast(ControlTable_addr))(a1, a2);
@@ -388,6 +361,36 @@ namespace RegHooks
 return (reinterpret_cast(RegOpenKeyExW_addr))
 (hKey, lpSubKey, ulOptions, samDesired, phkResult);
 }
+
+ // CreateProcessW
+ // ms docs: https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessw
+ //
+ using CreateProcessW_t = BOOL(__stdcall*)(LPCWSTR, LPWSTR, LPSECURITY_ATTRIBUTES,
+ LPSECURITY_ATTRIBUTES, BOOL, DWORD, LPVOID, LPCWSTR, LPSTARTUPINFOW, LPPROCESS_INFORMATION);
+ uintptr_t CreateProcessW_addr;
+
+ BOOL __stdcall hk_CreateProcessW(
+ LPCWSTR lpApplicationName,
+ LPWSTR lpCommandLine,
+ LPSECURITY_ATTRIBUTES lpProcessAttributes,
+ LPSECURITY_ATTRIBUTES lpThreadAttributes,
+ BOOL bInheritHandles,
+ DWORD dwCreationFlags,
+ LPVOID lpEnvironment,
+ LPCWSTR lpCurrentDirectory,
+ LPSTARTUPINFOW lpStartupInfo,
+ LPPROCESS_INFORMATION lpProcessInformation
+ )
+ {
+ std::cout << "[CreateProcessW]" << std::endl;
+ std::cout << "lpCommandLine: " << wide_to_string(lpCommandLine).c_str() << std::endl;
+
+ return (reinterpret_cast(CreateProcessW_addr))(
+ lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes,
+ bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory,
+ lpStartupInfo, lpProcessInformation);
+ }
+
 }
 namespace DetourHelper
@@ -433,6 +436,7 @@ void thread_main()
 // setup hooks
 //
 auto advapi32 = GetModuleHandleA("Advapi32.dll");
+ auto kernel32 = GetModuleHandleA("Kernel32.dll");
 if (!advapi32)
 {
@@ -440,6 +444,12 @@ void thread_main()
 return;
 }
+ if (!kernel32)
+ {
+ std::cout << "kernel32.dll not found" << std::endl;
+ return;
+ }
+
 RegHooks::regdeletekeyw_addr = get_func_addr(advapi32, "RegDeleteKeyW");
 RegHooks::regdeletevaluew_addr = get_func_addr(advapi32, "RegDeleteValueW");
 RegHooks::regenumvaluew_addr = get_func_addr(advapi32, "RegEnumValueW");
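Review bot: `hk_CreateProcessW` hands `lpCommandLine` straight to `wide_to_string(const std::wstring&)`, which builds a `std::wstring` from the raw pointer; `CreateProcessW` permits `lpCommandLine` to be NULL when `lpApplicationName` is supplied, and constructing a `std::wstring` from a null `wchar_t*` is undefined behaviour, so the hook can take down the host process on exactly that form of call. Guard both strings and log the application name as well, since the README line in this commit identifies the launched process by its path: `std::cout << "lpApplicationName: " << (lpApplicationName ? wide_to_string(lpApplicationName) : "(null)") << std::endl;` and `std::cout << "lpCommandLine: " << (lpCommandLine ? wide_to_string(lpCommandLine) : "(null)") << std::endl;`. The `.c_str()` on the temporary is unnecessary with `operator<<` on `std::string`. The template argument of the `reinterpret_cast` in the forwarding call has been stripped in this rendering of the diff, so the cast target was not reviewed.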
@@ -449,6 +459,8 @@ void thread_main()
 RegHooks::RegEnumKeyExW_addr = get_func_addr(advapi32, "RegEnumKeyExW");
 RegHooks::RegQueryValueExW_addr = get_func_addr(advapi32, "RegQueryValueExW");
 RegHooks::RegOpenKeyExW_addr = get_func_addr(advapi32, "RegOpenKeyExW");
+ RegHooks::CreateProcessW_addr = get_func_addr(kernel32, "CreateProcessW");
+
 std::cout << "imports resolved\npreparing to hook" << std::endl;
@@ -466,6 +478,9 @@ void thread_main()
 DetourHelper::perf_hook((PVOID*)&RegHooks::RegOpenKeyExW_addr, RegHooks::hk_RegOpenKeyExW);
 #endif
+ DetourHelper::perf_hook((PVOID*)&RegHooks::CreateProcessW_addr, RegHooks::hk_CreateProcessW);
+
+
 // native hooks
 //
 #if 0
@@ -483,10 +498,13 @@ void thread_main()
 RegHooks::wmic_2_addr = (uintptr_t)GetModuleHandleA(0) + 0x75ACA;
 DetourHelper::perf_hook((PVOID*)&RegHooks::wmic_2_addr, RegHooks::hk_wmic_2);
-#endif
 RegHooks::ControlTable_addr = (uintptr_t)GetModuleHandleA(0) + 0x45E0;
 DetourHelper::perf_hook((PVOID*)&RegHooks::ControlTable_addr, RegHooks::hk_ControlTable);
+#endif
+
+ RegHooks::alt_start_proc_addr = (uintptr_t)GetModuleHandleA(0) + 0x464DC;
+ DetourHelper::perf_hook((PVOID*)&RegHooks::alt_start_proc_addr, RegHooks::hk_alt_start_proc);
 }
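Review bot: `RegHooks::CreateProcessW_addr` is passed to `perf_hook` without checking that `get_func_addr` returned a non-zero address, and `alt_start_proc_addr` is computed as `GetModuleHandleA(0) + 0x464DC` with no check that the host is the build the offset was taken from; both hooks are installed unconditionally, unlike the `ControlTable` and `wmic_2` hooks this hunk parks under `#if 0`. Unless `get_func_addr` or `perf_hook` already reject a null address (not visible in this diff), add `if (!RegHooks::CreateProcessW_addr) { std::cout << "CreateProcessW not resolved" << std::endl; return; }` before the kernel32 hook, and gate the RVA hook on an identity check of the main module (image size, link timestamp, or a byte pattern at the offset) so that loading the DLL into any other binary patches nothing. Moving `#endif` also quietly disables the previously active `ControlTable` hook, which the commit message does not mention; a one-line comment such as `// ControlTable hook parked while tracing the AV start path` would make that intentional. `thread_main` begins outside this hunk.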