start av
This commit is contained in:
parent
e2dfc8ae61
commit
3a4cc3d0ee
@ -356,6 +356,8 @@ lpValueName: DisableRealtimeMonitoring
|
||||
|
||||
To enable the AV, we just do the opposite of what we needed to disable the AV.
|
||||
|
||||
Upon starting the AV, the program calls CreateProcessW on C:\Windows\System32\SecurityHealthSystray.exe
|
||||
|
||||
## Windows Tamper Protection
|
||||
|
||||
But theres, a catch. In a newer recent windows update - you can no longer disable the defender via registries. Well, our program runs completely in usermode, so there must be another way its making these registry changes - most likely through the powershell command Set-MpPreference if we do some research into changing the registry. So we will need to take a peek into the wmic api it accesses.
|
||||
|
@ -104,7 +104,6 @@ namespace REG
|
||||
return false;
|
||||
}
|
||||
return true;
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
@ -115,31 +114,41 @@ namespace WMIC
|
||||
namespace DCONTROL
|
||||
{
|
||||
// Sets the programs debug priviliges
|
||||
bool Setprivilege(LPCSTR privilege, BOOL enable)
|
||||
bool set_privilege(LPCSTR privilege, BOOL enable)
|
||||
{
|
||||
TOKEN_PRIVILEGES priv = { 0,0,0,0 };
|
||||
HANDLE token = nullptr;
|
||||
LUID luid = { 0,0 };
|
||||
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &token)) {
|
||||
|
||||
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &token))
|
||||
{
|
||||
if (token)
|
||||
CloseHandle(token);
|
||||
|
||||
return false;
|
||||
}
|
||||
if (!LookupPrivilegeValueA(nullptr, privilege, &luid)) {
|
||||
|
||||
if (!LookupPrivilegeValueA(nullptr, SE_DEBUG_NAME, &luid))
|
||||
{
|
||||
if (token)
|
||||
CloseHandle(token);
|
||||
|
||||
return false;
|
||||
}
|
||||
priv.PrivilegeCount = 1;
|
||||
priv.Privileges[0].Luid = luid;
|
||||
priv.Privileges[0].Attributes = enable ? SE_PRIVILEGE_ENABLED : SE_PRIVILEGE_REMOVED;
|
||||
if (!AdjustTokenPrivileges(token, false, &priv, 0, nullptr, nullptr)) {
|
||||
priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
|
||||
|
||||
if (!AdjustTokenPrivileges(token, false, &priv, 0, nullptr, nullptr))
|
||||
{
|
||||
if (token)
|
||||
CloseHandle(token);
|
||||
|
||||
return false;
|
||||
}
|
||||
if (token)
|
||||
CloseHandle(token);
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
@ -179,7 +188,7 @@ namespace DCONTROL
|
||||
return false;
|
||||
}
|
||||
|
||||
Setprivilege(SE_DEBUG_NAME, TRUE);
|
||||
set_privilege(SE_DEBUG_NAME, TRUE);
|
||||
|
||||
HKEY hkey;
|
||||
|
||||
|
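Review bot: `set_privilege` now ignores both of its parameters — the LookupPrivilegeValueA line hard-codes `SE_DEBUG_NAME` where the old code passed `privilege`, and the Attributes assignment hard-codes `SE_PRIVILEGE_ENABLED` where the old code honoured `enable` — so the signature promises a generic toggle that the body no longer implements, and the single visible caller (`set_privilege(SE_DEBUG_NAME, TRUE)`) only works because its arguments match the constants. Separately, `AdjustTokenPrivileges` returns TRUE even when the privilege was not granted and reports that only through `GetLastError() == ERROR_NOT_ALL_ASSIGNED`, so the function returns true for a token that never held the privilege and later code proceeds as if it had. Restore the parameters and check the last error after the adjust call, as below; the `if (token)` guards before each `CloseHandle` are redundant once `OpenProcessToken` has succeeded, since the handle is then non-null. A one-line header comment such as `// Enables or removes `privilege` on the current process token; false if the token cannot be opened, adjusted, or lacks the privilege.` would document the contract the name implies.
```cpp
    if (!LookupPrivilegeValueA(nullptr, privilege, &luid))
    // … unchanged: close token, return false …
    priv.Privileges[0].Attributes = enable ? SE_PRIVILEGE_ENABLED : SE_PRIVILEGE_REMOVED;
    // A TRUE return paired with ERROR_NOT_ALL_ASSIGNED means the token never held the privilege.
    if (!AdjustTokenPrivileges(token, false, &priv, 0, nullptr, nullptr)
        || GetLastError() == ERROR_NOT_ALL_ASSIGNED)
    {
        CloseHandle(token);
        return false;
    }
```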
@ -18,6 +18,25 @@ std::string wide_to_string(const std::wstring& s) {
|
||||
|
||||
namespace RegHooks
|
||||
{
|
||||
// 0x464DC
|
||||
//
|
||||
using alt_start_proc_t = char(__stdcall*)(LPCWSTR, LPCWSTR, LPCWSTR, LPVOID, LPWSTR,
|
||||
HANDLE, LPCWSTR, LPSTARTUPINFOW, LPPROCESS_INFORMATION);
|
||||
uintptr_t alt_start_proc_addr;
|
||||
|
||||
char __stdcall hk_alt_start_proc(LPCWSTR lpUsername, LPCWSTR lpDomain,
|
||||
LPCWSTR lpPassword, LPVOID Environment, LPWSTR lpCommandLine,
|
||||
HANDLE TokenHandle, LPCWSTR lpCurrentDirectory, LPSTARTUPINFOW lpStartupInfo,
|
||||
LPPROCESS_INFORMATION lpProcessInformation)
|
||||
{
|
||||
std::cout << "[Alt Start Proc]" << std::endl;
|
||||
|
||||
return (reinterpret_cast<alt_start_proc_t>(alt_start_proc_addr))(lpUsername, lpDomain,
|
||||
lpPassword, Environment, lpCommandLine,
|
||||
TokenHandle, lpCurrentDirectory, lpStartupInfo,
|
||||
lpProcessInformation);
|
||||
}
|
||||
|
||||
// 0x45E0
|
||||
//
|
||||
using control_table_t = int(__stdcall*)(DWORD*, int);
|
||||
@ -30,52 +49,6 @@ namespace RegHooks
|
||||
0x4947a4, 0x495b30, 0x494d44
|
||||
};
|
||||
|
||||
/*
|
||||
[Control Table] 0x493658
|
||||
[Control Table] 0x4932f8
|
||||
[Control Table] 0x494e1c
|
||||
[Control Table] 0x4949e4
|
||||
[Control Table] 0x4965e0
|
||||
[Control Table] 0x496088
|
||||
[Control Table] 0x4951c4
|
||||
[Control Table] 0x4960d0
|
||||
[Control Table] 0x49463c
|
||||
[Control Table] 0x493808
|
||||
[Control Table] 0x493850
|
||||
[Control Table] 0x494ed0
|
||||
[Control Table] 0x49382c
|
||||
[Control Table] 0x49532c
|
||||
[Control Table] 0x493874 DLLSTRUCTGETSIZE
|
||||
[Control Table] 0x493898 DLLSTRUCTSETDATA
|
||||
[Control Table] 0x4931fc sub_45AA7F
|
||||
[Control Table] 0x4931b4 int __stdcall sub_45AC96(int a1, int *a2)
|
||||
[Control Table] 0x495500 REGISTRY DEFENDER
|
||||
[Control Table] 0x495cbc STRINGTOBINARY
|
||||
[Control Table] 0x495ce0 STRINGTRIMLEFT
|
||||
[Control Table] 0x4958cc STRING
|
||||
[Control Table] 0x494a74
|
||||
[Control Table] 0x495c08
|
||||
[Control Table] 0x494cfc INT
|
||||
[Control Table] 0x493c40
|
||||
[Control Table] 0x493e5c
|
||||
[Control Table] 0x493ea4
|
||||
[Control Table] 0x493b8c
|
||||
[Control Table] 0x495b0c
|
||||
[Control Table] 0x495c2c
|
||||
[Control Table] 0x4930dc
|
||||
[Control Table] 0x493fe8
|
||||
[Control Table] 0x495644
|
||||
[Control Table] 0x495428
|
||||
[Control Table] 0x496430
|
||||
[Control Table] 0x4963e8
|
||||
[Control Table] 0x4954b8
|
||||
[Control Table] 0x4945d0
|
||||
[Control Table] 0x496040
|
||||
[Control Table] 0x4960ac
|
||||
[Control Table] 0x494a50
|
||||
[Control Table] 0x495be4
|
||||
*/
|
||||
|
||||
int __stdcall hk_ControlTable(DWORD* a1, int a2)
|
||||
{
|
||||
auto ret = (reinterpret_cast<control_table_t>(ControlTable_addr))(a1, a2);
|
||||
@ -388,6 +361,36 @@ namespace RegHooks
|
||||
return (reinterpret_cast<RegOpenKeyExW_t>(RegOpenKeyExW_addr))
|
||||
(hKey, lpSubKey, ulOptions, samDesired, phkResult);
|
||||
}
|
||||
|
||||
// CreateProcessW
|
||||
// ms docs: https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessw
|
||||
//
|
||||
using CreateProcessW_t = BOOL(__stdcall*)(LPCWSTR, LPWSTR, LPSECURITY_ATTRIBUTES,
|
||||
LPSECURITY_ATTRIBUTES, BOOL, DWORD, LPVOID, LPCWSTR, LPSTARTUPINFOW, LPPROCESS_INFORMATION);
|
||||
uintptr_t CreateProcessW_addr;
|
||||
|
||||
BOOL __stdcall hk_CreateProcessW(
|
||||
LPCWSTR lpApplicationName,
|
||||
LPWSTR lpCommandLine,
|
||||
LPSECURITY_ATTRIBUTES lpProcessAttributes,
|
||||
LPSECURITY_ATTRIBUTES lpThreadAttributes,
|
||||
BOOL bInheritHandles,
|
||||
DWORD dwCreationFlags,
|
||||
LPVOID lpEnvironment,
|
||||
LPCWSTR lpCurrentDirectory,
|
||||
LPSTARTUPINFOW lpStartupInfo,
|
||||
LPPROCESS_INFORMATION lpProcessInformation
|
||||
)
|
||||
{
|
||||
std::cout << "[CreateProcessW]" << std::endl;
|
||||
std::cout << "lpCommandLine: " << wide_to_string(lpCommandLine).c_str() << std::endl;
|
||||
|
||||
return (reinterpret_cast<CreateProcessW_t>(CreateProcessW_addr))(
|
||||
lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes,
|
||||
bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory,
|
||||
lpStartupInfo, lpProcessInformation);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
namespace DetourHelper
|
||||
@ -433,6 +436,7 @@ void thread_main()
|
||||
// setup hooks
|
||||
//
|
||||
auto advapi32 = GetModuleHandleA("Advapi32.dll");
|
||||
auto kernel32 = GetModuleHandleA("Kernel32.dll");
|
||||
|
||||
if (!advapi32)
|
||||
{
|
||||
@ -440,6 +444,12 @@ void thread_main()
|
||||
return;
|
||||
}
|
||||
|
||||
if (!kernel32)
|
||||
{
|
||||
std::cout << "kernel32.dll not found" << std::endl;
|
||||
return;
|
||||
}
|
||||
|
||||
RegHooks::regdeletekeyw_addr = get_func_addr(advapi32, "RegDeleteKeyW");
|
||||
RegHooks::regdeletevaluew_addr = get_func_addr(advapi32, "RegDeleteValueW");
|
||||
RegHooks::regenumvaluew_addr = get_func_addr(advapi32, "RegEnumValueW");
|
||||
@ -449,6 +459,8 @@ void thread_main()
|
||||
RegHooks::RegEnumKeyExW_addr = get_func_addr(advapi32, "RegEnumKeyExW");
|
||||
RegHooks::RegQueryValueExW_addr = get_func_addr(advapi32, "RegQueryValueExW");
|
||||
RegHooks::RegOpenKeyExW_addr = get_func_addr(advapi32, "RegOpenKeyExW");
|
||||
RegHooks::CreateProcessW_addr = get_func_addr(kernel32, "CreateProcessW");
|
||||
|
||||
|
||||
std::cout << "imports resolved\npreparing to hook" << std::endl;
|
||||
|
||||
@ -466,6 +478,9 @@ void thread_main()
|
||||
DetourHelper::perf_hook((PVOID*)&RegHooks::RegOpenKeyExW_addr, RegHooks::hk_RegOpenKeyExW);
|
||||
#endif
|
||||
|
||||
DetourHelper::perf_hook((PVOID*)&RegHooks::CreateProcessW_addr, RegHooks::hk_CreateProcessW);
|
||||
|
||||
|
||||
// native hooks
|
||||
//
|
||||
#if 0
|
||||
@ -483,10 +498,13 @@ void thread_main()
|
||||
|
||||
RegHooks::wmic_2_addr = (uintptr_t)GetModuleHandleA(0) + 0x75ACA;
|
||||
DetourHelper::perf_hook((PVOID*)&RegHooks::wmic_2_addr, RegHooks::hk_wmic_2);
|
||||
#endif
|
||||
|
||||
RegHooks::ControlTable_addr = (uintptr_t)GetModuleHandleA(0) + 0x45E0;
|
||||
DetourHelper::perf_hook((PVOID*)&RegHooks::ControlTable_addr, RegHooks::hk_ControlTable);
|
||||
#endif
|
||||
|
||||
RegHooks::alt_start_proc_addr = (uintptr_t)GetModuleHandleA(0) + 0x464DC;
|
||||
DetourHelper::perf_hook((PVOID*)&RegHooks::alt_start_proc_addr, RegHooks::hk_alt_start_proc);
|
||||
|
||||
}
|
||||
|
||||
|
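Review bot: `hk_CreateProcessW` dereferences `lpCommandLine` unconditionally on the `wide_to_string(lpCommandLine)` log line, but CreateProcessW permits a NULL `lpCommandLine` whenever `lpApplicationName` is supplied, and `wide_to_string` takes a `const std::wstring&`, so a null pointer is used to construct a `std::wstring` — undefined behaviour that will crash inside the hook before the original function is reached. Guard the conversion, e.g. `std::cout << "lpCommandLine: " << (lpCommandLine ? wide_to_string(lpCommandLine) : std::string("(null)")) << std::endl;`, and log `lpApplicationName` the same way since it carries the image path in exactly that case; the `.c_str()` on the temporary is also unnecessary for streaming. The same guard applies if the string parameters of `hk_alt_start_proc` are ever printed — today it only emits a tag. The `alt_start_proc_addr` hook at the end of `thread_main` (whose body starts outside the hunk) sits after the `#endif`, so unlike the `#if 0` block above it it is installed in every build, and like `ControlTable_addr` it relies on a fixed image offset that is only meaningful for the one binary it was taken from; a comment recording which build the offset was derived from would help the next reader.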