start av

README.md

@@ -356,6 +356,8 @@ lpValueName: DisableRealtimeMonitoring
 
 To enable the AV, we just do the opposite of what we needed to disable the AV.
   
+Upon starting the AV, the program calls CreateProcessW on C:\Windows\System32\SecurityHealthSystray.exe
+
 ## Windows Tamper Protection
 
 But theres, a catch. In a newer recent windows update - you can no longer disable the defender via registries. Well, our program runs completely in usermode, so there must be another way its making these registry changes - most likely through the powershell command  Set-MpPreference if we do some research into changing the registry. So we will need to take a peek into the wmic api it accesses.  

src/defender-control/dcontrol.cpp

@@ -104,7 +104,6 @@ namespace REG
       return false;
     }
     return true;
-
   }
 }
 
@@ -115,31 +114,41 @@ namespace WMIC
 namespace DCONTROL
 {
   // Sets the programs debug priviliges
-  bool Setprivilege(LPCSTR privilege, BOOL enable)
+  bool set_privilege(LPCSTR privilege, BOOL enable)
   {
     TOKEN_PRIVILEGES priv = { 0,0,0,0 };
     HANDLE token = nullptr;
     LUID luid = { 0,0 };
-    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &token)) {
+
+    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &token)) 
+    {
       if (token)
         CloseHandle(token);
+
       return false;
     }
-    if (!LookupPrivilegeValueA(nullptr, privilege, &luid)) {
+
+    if (!LookupPrivilegeValueA(nullptr, SE_DEBUG_NAME, &luid)) 
+    {
       if (token)
         CloseHandle(token);
+
       return false;
     }
     priv.PrivilegeCount = 1;
     priv.Privileges[0].Luid = luid;
-    priv.Privileges[0].Attributes = enable ? SE_PRIVILEGE_ENABLED : SE_PRIVILEGE_REMOVED;
+    priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
-    if (!AdjustTokenPrivileges(token, false, &priv, 0, nullptr, nullptr)) {
+
+    if (!AdjustTokenPrivileges(token, false, &priv, 0, nullptr, nullptr))
+    {
       if (token)
         CloseHandle(token);
+
       return false;
     }
     if (token)
       CloseHandle(token);
+
     return true;
   }
 
@@ -179,7 +188,7 @@ namespace DCONTROL
       return false;
     }
 
-    Setprivilege(SE_DEBUG_NAME, TRUE);
+    set_privilege(SE_DEBUG_NAME, TRUE);
 
     HKEY hkey;
 

src/dumper/dumper.cpp

@@ -18,6 +18,25 @@ std::string wide_to_string(const std::wstring& s) {
 
 namespace RegHooks
 {
+  // 0x464DC  
+  // 
+  using alt_start_proc_t = char(__stdcall*)(LPCWSTR, LPCWSTR, LPCWSTR, LPVOID, LPWSTR,
+    HANDLE, LPCWSTR, LPSTARTUPINFOW, LPPROCESS_INFORMATION);
+  uintptr_t alt_start_proc_addr;
+
+  char __stdcall hk_alt_start_proc(LPCWSTR lpUsername, LPCWSTR lpDomain,
+    LPCWSTR lpPassword, LPVOID Environment, LPWSTR lpCommandLine,
+    HANDLE TokenHandle, LPCWSTR lpCurrentDirectory, LPSTARTUPINFOW lpStartupInfo,
+    LPPROCESS_INFORMATION lpProcessInformation)
+  {
+    std::cout << "[Alt Start Proc]" << std::endl;
+
+    return (reinterpret_cast<alt_start_proc_t>(alt_start_proc_addr))(lpUsername, lpDomain,
+      lpPassword, Environment, lpCommandLine,
+      TokenHandle, lpCurrentDirectory, lpStartupInfo,
+      lpProcessInformation);
+  }
+
   // 0x45E0
   //
   using control_table_t = int(__stdcall*)(DWORD*, int);
@@ -30,52 +49,6 @@ namespace RegHooks
     0x4947a4, 0x495b30, 0x494d44
   };
 
-  /*
-  [Control Table] 0x493658
-  [Control Table] 0x4932f8
-  [Control Table] 0x494e1c
-  [Control Table] 0x4949e4
-  [Control Table] 0x4965e0
-  [Control Table] 0x496088
-  [Control Table] 0x4951c4
-  [Control Table] 0x4960d0
-  [Control Table] 0x49463c
-  [Control Table] 0x493808
-  [Control Table] 0x493850
-  [Control Table] 0x494ed0
-  [Control Table] 0x49382c
-  [Control Table] 0x49532c
-  [Control Table] 0x493874 DLLSTRUCTGETSIZE
-  [Control Table] 0x493898 DLLSTRUCTSETDATA
-  [Control Table] 0x4931fc sub_45AA7F
-  [Control Table] 0x4931b4 int __stdcall sub_45AC96(int a1, int *a2)
-  [Control Table] 0x495500 REGISTRY DEFENDER
-  [Control Table] 0x495cbc STRINGTOBINARY
-  [Control Table] 0x495ce0 STRINGTRIMLEFT
-  [Control Table] 0x4958cc STRING
-  [Control Table] 0x494a74
-  [Control Table] 0x495c08
-  [Control Table] 0x494cfc INT
-  [Control Table] 0x493c40
-  [Control Table] 0x493e5c
-  [Control Table] 0x493ea4
-  [Control Table] 0x493b8c
-  [Control Table] 0x495b0c
-  [Control Table] 0x495c2c
-  [Control Table] 0x4930dc
-  [Control Table] 0x493fe8
-  [Control Table] 0x495644
-  [Control Table] 0x495428
-  [Control Table] 0x496430
-  [Control Table] 0x4963e8
-  [Control Table] 0x4954b8
-  [Control Table] 0x4945d0
-  [Control Table] 0x496040
-  [Control Table] 0x4960ac
-  [Control Table] 0x494a50
-  [Control Table] 0x495be4
-  */
-
   int __stdcall hk_ControlTable(DWORD* a1, int a2)
   {
     auto ret = (reinterpret_cast<control_table_t>(ControlTable_addr))(a1, a2);
@@ -388,6 +361,36 @@ namespace RegHooks
     return (reinterpret_cast<RegOpenKeyExW_t>(RegOpenKeyExW_addr))
       (hKey, lpSubKey, ulOptions, samDesired, phkResult);
   }
+
+  // CreateProcessW 
+  // ms docs: https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessw
+  //
+  using CreateProcessW_t = BOOL(__stdcall*)(LPCWSTR, LPWSTR, LPSECURITY_ATTRIBUTES,
+    LPSECURITY_ATTRIBUTES, BOOL, DWORD, LPVOID, LPCWSTR, LPSTARTUPINFOW, LPPROCESS_INFORMATION);
+  uintptr_t CreateProcessW_addr;
+
+  BOOL __stdcall hk_CreateProcessW(
+    LPCWSTR               lpApplicationName,
+    LPWSTR                lpCommandLine,
+    LPSECURITY_ATTRIBUTES lpProcessAttributes,
+    LPSECURITY_ATTRIBUTES lpThreadAttributes,
+    BOOL                  bInheritHandles,
+    DWORD                 dwCreationFlags,
+    LPVOID                lpEnvironment,
+    LPCWSTR               lpCurrentDirectory,
+    LPSTARTUPINFOW        lpStartupInfo,
+    LPPROCESS_INFORMATION lpProcessInformation
+  )
+  {
+    std::cout << "[CreateProcessW]" << std::endl;
+    std::cout << "lpCommandLine: " << wide_to_string(lpCommandLine).c_str() << std::endl;
+
+    return (reinterpret_cast<CreateProcessW_t>(CreateProcessW_addr))(
+      lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes,
+      bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory,
+      lpStartupInfo, lpProcessInformation);
+  }
+
 }
 
 namespace DetourHelper
@@ -433,6 +436,7 @@ void thread_main()
   // setup hooks
   //
   auto advapi32 = GetModuleHandleA("Advapi32.dll");
+  auto kernel32 = GetModuleHandleA("Kernel32.dll");
 
   if (!advapi32)
   {
@@ -440,6 +444,12 @@ void thread_main()
     return;
   }
 
+  if (!kernel32)
+  {
+    std::cout << "kernel32.dll not found" << std::endl;
+    return;
+  }
+
   RegHooks::regdeletekeyw_addr = get_func_addr(advapi32, "RegDeleteKeyW");
   RegHooks::regdeletevaluew_addr = get_func_addr(advapi32, "RegDeleteValueW");
   RegHooks::regenumvaluew_addr = get_func_addr(advapi32, "RegEnumValueW");
@@ -449,6 +459,8 @@ void thread_main()
   RegHooks::RegEnumKeyExW_addr = get_func_addr(advapi32, "RegEnumKeyExW");
   RegHooks::RegQueryValueExW_addr = get_func_addr(advapi32, "RegQueryValueExW");
   RegHooks::RegOpenKeyExW_addr = get_func_addr(advapi32, "RegOpenKeyExW");
+  RegHooks::CreateProcessW_addr = get_func_addr(kernel32, "CreateProcessW");
+
 
   std::cout << "imports resolved\npreparing to hook" << std::endl;
 
@@ -466,6 +478,9 @@ void thread_main()
   DetourHelper::perf_hook((PVOID*)&RegHooks::RegOpenKeyExW_addr, RegHooks::hk_RegOpenKeyExW);
 #endif
 
+  DetourHelper::perf_hook((PVOID*)&RegHooks::CreateProcessW_addr, RegHooks::hk_CreateProcessW);
+
+
   // native hooks
   // 
 #if 0
@@ -483,10 +498,13 @@ void thread_main()
 
   RegHooks::wmic_2_addr = (uintptr_t)GetModuleHandleA(0) + 0x75ACA;
   DetourHelper::perf_hook((PVOID*)&RegHooks::wmic_2_addr, RegHooks::hk_wmic_2);
-#endif
 
   RegHooks::ControlTable_addr = (uintptr_t)GetModuleHandleA(0) + 0x45E0;
   DetourHelper::perf_hook((PVOID*)&RegHooks::ControlTable_addr, RegHooks::hk_ControlTable);
+#endif
+
+  RegHooks::alt_start_proc_addr = (uintptr_t)GetModuleHandleA(0) + 0x464DC;
+  DetourHelper::perf_hook((PVOID*)&RegHooks::alt_start_proc_addr, RegHooks::hk_alt_start_proc);
 
 }