This commit is contained in:
qtkite 2021-06-08 00:49:35 +10:00
parent e2dfc8ae61
commit 3a4cc3d0ee
3 changed files with 83 additions and 54 deletions


@ -356,6 +356,8 @@ lpValueName: DisableRealtimeMonitoring
To enable the AV, we just do the opposite of what we needed to disable the AV.
Upon starting the AV, the program calls CreateProcessW on C:\Windows\System32\SecurityHealthSystray.exe
## Windows Tamper Protection
But theres, a catch. In a newer recent windows update - you can no longer disable the defender via registries. Well, our program runs completely in usermode, so there must be another way its making these registry changes - most likely through the powershell command Set-MpPreference if we do some research into changing the registry. So we will need to take a peek into the wmic api it accesses.


@ -104,7 +104,6 @@ namespace REG
return false;
}
return true;
}
}
@ -115,31 +114,41 @@ namespace WMIC
namespace DCONTROL
{
// Sets the programs debug priviliges
bool Setprivilege(LPCSTR privilege, BOOL enable)
bool set_privilege(LPCSTR privilege, BOOL enable)
{
TOKEN_PRIVILEGES priv = { 0,0,0,0 };
HANDLE token = nullptr;
LUID luid = { 0,0 };
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &token)) {
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &token))
{
if (token)
CloseHandle(token);
return false;
}
if (!LookupPrivilegeValueA(nullptr, privilege, &luid)) {
if (!LookupPrivilegeValueA(nullptr, SE_DEBUG_NAME, &luid))
{
if (token)
CloseHandle(token);
return false;
}
priv.PrivilegeCount = 1;
priv.Privileges[0].Luid = luid;
priv.Privileges[0].Attributes = enable ? SE_PRIVILEGE_ENABLED : SE_PRIVILEGE_REMOVED;
if (!AdjustTokenPrivileges(token, false, &priv, 0, nullptr, nullptr)) {
priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if (!AdjustTokenPrivileges(token, false, &priv, 0, nullptr, nullptr))
{
if (token)
CloseHandle(token);
return false;
}
if (token)
CloseHandle(token);
return true;
}
@ -179,7 +188,7 @@ namespace DCONTROL
return false;
}
Setprivilege(SE_DEBUG_NAME, TRUE);
set_privilege(SE_DEBUG_NAME, TRUE);
HKEY hkey;
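Review bot: set_privilege no longer honours its own arguments in the second hunk: the new LookupPrivilegeValueA call hardcodes SE_DEBUG_NAME and the Attributes assignment hardcodes SE_PRIVILEGE_ENABLED, so `privilege` and `enable` are dead parameters and any caller passing another privilege or FALSE silently gets SeDebugPrivilege enabled instead. Either restore `if (!LookupPrivilegeValueA(nullptr, privilege, &luid))` and `priv.Privileges[0].Attributes = enable ? SE_PRIVILEGE_ENABLED : SE_PRIVILEGE_REMOVED;` (note that SE_PRIVILEGE_REMOVED strips the privilege from the token; plain 0 merely disables it) or drop the parameters if the narrowing is intended. AdjustTokenPrivileges also returns TRUE when the token does not hold the privilege at all, so the success path should additionally check `GetLastError() == ERROR_NOT_ALL_ASSIGNED` before returning true; the caller in the last hunk discards the return value anyway, and that enclosing function starts outside the hunk. The four repeated `if (token) CloseHandle(token);` blocks would collapse into one RAII handle wrapper, which also removes the redundant null checks after a successful OpenProcessToken.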


@ -18,6 +18,25 @@ std::string wide_to_string(const std::wstring& s) {
namespace RegHooks
{
// 0x464DC
//
using alt_start_proc_t = char(__stdcall*)(LPCWSTR, LPCWSTR, LPCWSTR, LPVOID, LPWSTR,
HANDLE, LPCWSTR, LPSTARTUPINFOW, LPPROCESS_INFORMATION);
uintptr_t alt_start_proc_addr;
char __stdcall hk_alt_start_proc(LPCWSTR lpUsername, LPCWSTR lpDomain,
LPCWSTR lpPassword, LPVOID Environment, LPWSTR lpCommandLine,
HANDLE TokenHandle, LPCWSTR lpCurrentDirectory, LPSTARTUPINFOW lpStartupInfo,
LPPROCESS_INFORMATION lpProcessInformation)
{
std::cout << "[Alt Start Proc]" << std::endl;
return (reinterpret_cast<alt_start_proc_t>(alt_start_proc_addr))(lpUsername, lpDomain,
lpPassword, Environment, lpCommandLine,
TokenHandle, lpCurrentDirectory, lpStartupInfo,
lpProcessInformation);
}
// 0x45E0
//
using control_table_t = int(__stdcall*)(DWORD*, int);
@ -30,52 +49,6 @@ namespace RegHooks
0x4947a4, 0x495b30, 0x494d44
};
/*
[Control Table] 0x493658
[Control Table] 0x4932f8
[Control Table] 0x494e1c
[Control Table] 0x4949e4
[Control Table] 0x4965e0
[Control Table] 0x496088
[Control Table] 0x4951c4
[Control Table] 0x4960d0
[Control Table] 0x49463c
[Control Table] 0x493808
[Control Table] 0x493850
[Control Table] 0x494ed0
[Control Table] 0x49382c
[Control Table] 0x49532c
[Control Table] 0x493874 DLLSTRUCTGETSIZE
[Control Table] 0x493898 DLLSTRUCTSETDATA
[Control Table] 0x4931fc sub_45AA7F
[Control Table] 0x4931b4 int __stdcall sub_45AC96(int a1, int *a2)
[Control Table] 0x495500 REGISTRY DEFENDER
[Control Table] 0x495cbc STRINGTOBINARY
[Control Table] 0x495ce0 STRINGTRIMLEFT
[Control Table] 0x4958cc STRING
[Control Table] 0x494a74
[Control Table] 0x495c08
[Control Table] 0x494cfc INT
[Control Table] 0x493c40
[Control Table] 0x493e5c
[Control Table] 0x493ea4
[Control Table] 0x493b8c
[Control Table] 0x495b0c
[Control Table] 0x495c2c
[Control Table] 0x4930dc
[Control Table] 0x493fe8
[Control Table] 0x495644
[Control Table] 0x495428
[Control Table] 0x496430
[Control Table] 0x4963e8
[Control Table] 0x4954b8
[Control Table] 0x4945d0
[Control Table] 0x496040
[Control Table] 0x4960ac
[Control Table] 0x494a50
[Control Table] 0x495be4
*/
int __stdcall hk_ControlTable(DWORD* a1, int a2)
{
auto ret = (reinterpret_cast<control_table_t>(ControlTable_addr))(a1, a2);
@ -388,6 +361,36 @@ namespace RegHooks
return (reinterpret_cast<RegOpenKeyExW_t>(RegOpenKeyExW_addr))
(hKey, lpSubKey, ulOptions, samDesired, phkResult);
}
// CreateProcessW
// ms docs: https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessw
//
using CreateProcessW_t = BOOL(__stdcall*)(LPCWSTR, LPWSTR, LPSECURITY_ATTRIBUTES,
LPSECURITY_ATTRIBUTES, BOOL, DWORD, LPVOID, LPCWSTR, LPSTARTUPINFOW, LPPROCESS_INFORMATION);
uintptr_t CreateProcessW_addr;
BOOL __stdcall hk_CreateProcessW(
LPCWSTR lpApplicationName,
LPWSTR lpCommandLine,
LPSECURITY_ATTRIBUTES lpProcessAttributes,
LPSECURITY_ATTRIBUTES lpThreadAttributes,
BOOL bInheritHandles,
DWORD dwCreationFlags,
LPVOID lpEnvironment,
LPCWSTR lpCurrentDirectory,
LPSTARTUPINFOW lpStartupInfo,
LPPROCESS_INFORMATION lpProcessInformation
)
{
std::cout << "[CreateProcessW]" << std::endl;
std::cout << "lpCommandLine: " << wide_to_string(lpCommandLine).c_str() << std::endl;
return (reinterpret_cast<CreateProcessW_t>(CreateProcessW_addr))(
lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes,
bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory,
lpStartupInfo, lpProcessInformation);
}
}
namespace DetourHelper
@ -433,6 +436,7 @@ void thread_main()
// setup hooks
//
auto advapi32 = GetModuleHandleA("Advapi32.dll");
auto kernel32 = GetModuleHandleA("Kernel32.dll");
if (!advapi32)
{
@ -440,6 +444,12 @@ void thread_main()
return;
}
if (!kernel32)
{
std::cout << "kernel32.dll not found" << std::endl;
return;
}
RegHooks::regdeletekeyw_addr = get_func_addr(advapi32, "RegDeleteKeyW");
RegHooks::regdeletevaluew_addr = get_func_addr(advapi32, "RegDeleteValueW");
RegHooks::regenumvaluew_addr = get_func_addr(advapi32, "RegEnumValueW");
@ -449,6 +459,8 @@ void thread_main()
RegHooks::RegEnumKeyExW_addr = get_func_addr(advapi32, "RegEnumKeyExW");
RegHooks::RegQueryValueExW_addr = get_func_addr(advapi32, "RegQueryValueExW");
RegHooks::RegOpenKeyExW_addr = get_func_addr(advapi32, "RegOpenKeyExW");
RegHooks::CreateProcessW_addr = get_func_addr(kernel32, "CreateProcessW");
std::cout << "imports resolved\npreparing to hook" << std::endl;
@ -466,6 +478,9 @@ void thread_main()
DetourHelper::perf_hook((PVOID*)&RegHooks::RegOpenKeyExW_addr, RegHooks::hk_RegOpenKeyExW);
#endif
DetourHelper::perf_hook((PVOID*)&RegHooks::CreateProcessW_addr, RegHooks::hk_CreateProcessW);
// native hooks
//
#if 0
@ -483,10 +498,13 @@ void thread_main()
RegHooks::wmic_2_addr = (uintptr_t)GetModuleHandleA(0) + 0x75ACA;
DetourHelper::perf_hook((PVOID*)&RegHooks::wmic_2_addr, RegHooks::hk_wmic_2);
#endif
RegHooks::ControlTable_addr = (uintptr_t)GetModuleHandleA(0) + 0x45E0;
DetourHelper::perf_hook((PVOID*)&RegHooks::ControlTable_addr, RegHooks::hk_ControlTable);
#endif
RegHooks::alt_start_proc_addr = (uintptr_t)GetModuleHandleA(0) + 0x464DC;
DetourHelper::perf_hook((PVOID*)&RegHooks::alt_start_proc_addr, RegHooks::hk_alt_start_proc);
}
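Review bot: hk_CreateProcessW in the fourth hunk dereferences a possibly-null lpCommandLine: CreateProcessW permits lpCommandLine to be NULL when lpApplicationName is supplied, and `wide_to_string(lpCommandLine)` then implicitly constructs a std::wstring from a null pointer, which is undefined behaviour and will crash the hooked process before the original is ever called. Guard it, e.g. `std::cout << "lpCommandLine: " << (lpCommandLine ? wide_to_string(lpCommandLine) : std::string("(null)")) << std::endl;`, and log lpApplicationName the same way since that is where the image path lives when the command line is absent. hk_alt_start_proc prints only a tag and should stay that way given that it receives lpPassword. The `+ 0x464DC` and `+ 0x45E0` offsets in thread_main (which starts outside the last hunk) are specific to one build of the target module; a comment naming the build they were taken from would stop the next reader from applying them to a different binary.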