
qtkite 3 years ago
parent 9771a4c124
commit 6649ae734d

700
.gitignore vendored

@ -1,350 +1,350 @@
## Ignore Visual Studio temporary files, build results, and ## Ignore Visual Studio temporary files, build results, and
## files generated by popular Visual Studio add-ons. ## files generated by popular Visual Studio add-ons.
## ##
## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
# User-specific files # User-specific files
*.rsuser *.rsuser
*.suo *.suo
*.user *.user
*.userosscache *.userosscache
*.sln.docstates *.sln.docstates
# User-specific files (MonoDevelop/Xamarin Studio) # User-specific files (MonoDevelop/Xamarin Studio)
*.userprefs *.userprefs
# Mono auto generated files # Mono auto generated files
mono_crash.* mono_crash.*
# Build results # Build results
[Dd]ebug/ [Dd]ebug/
[Dd]ebugPublic/ [Dd]ebugPublic/
[Rr]elease/ [Rr]elease/
[Rr]eleases/ [Rr]eleases/
x64/ x64/
x86/ x86/
[Aa][Rr][Mm]/ [Aa][Rr][Mm]/
[Aa][Rr][Mm]64/ [Aa][Rr][Mm]64/
bld/ bld/
[Bb]in/ [Bb]in/
[Oo]bj/ [Oo]bj/
[Ll]og/ [Ll]og/
[Ll]ogs/ [Ll]ogs/
# Visual Studio 2015/2017 cache/options directory # Visual Studio 2015/2017 cache/options directory
.vs/ .vs/
# Uncomment if you have tasks that create the project's static files in wwwroot # Uncomment if you have tasks that create the project's static files in wwwroot
#wwwroot/ #wwwroot/
# Visual Studio 2017 auto generated files # Visual Studio 2017 auto generated files
Generated\ Files/ Generated\ Files/
# MSTest test Results # MSTest test Results
[Tt]est[Rr]esult*/ [Tt]est[Rr]esult*/
[Bb]uild[Ll]og.* [Bb]uild[Ll]og.*
# NUnit # NUnit
*.VisualState.xml *.VisualState.xml
TestResult.xml TestResult.xml
nunit-*.xml nunit-*.xml
# Build Results of an ATL Project # Build Results of an ATL Project
[Dd]ebugPS/ [Dd]ebugPS/
[Rr]eleasePS/ [Rr]eleasePS/
dlldata.c dlldata.c
# Benchmark Results # Benchmark Results
BenchmarkDotNet.Artifacts/ BenchmarkDotNet.Artifacts/
# .NET Core # .NET Core
project.lock.json project.lock.json
project.fragment.lock.json project.fragment.lock.json
artifacts/ artifacts/
# StyleCop # StyleCop
StyleCopReport.xml StyleCopReport.xml
# Files built by Visual Studio # Files built by Visual Studio
*_i.c *_i.c
*_p.c *_p.c
*_h.h *_h.h
*.ilk *.ilk
*.meta *.meta
*.obj *.obj
*.iobj *.iobj
*.pch *.pch
*.pdb *.pdb
*.ipdb *.ipdb
*.pgc *.pgc
*.pgd *.pgd
*.rsp *.rsp
*.sbr *.sbr
*.tlb *.tlb
*.tli *.tli
*.tlh *.tlh
*.tmp *.tmp
*.tmp_proj *.tmp_proj
*_wpftmp.csproj *_wpftmp.csproj
*.log *.log
*.vspscc *.vspscc
*.vssscc *.vssscc
.builds .builds
*.pidb *.pidb
*.svclog *.svclog
*.scc *.scc
# Chutzpah Test files # Chutzpah Test files
_Chutzpah* _Chutzpah*
# Visual C++ cache files # Visual C++ cache files
ipch/ ipch/
*.aps *.aps
*.ncb *.ncb
*.opendb *.opendb
*.opensdf *.opensdf
*.sdf *.sdf
*.cachefile *.cachefile
*.VC.db *.VC.db
*.VC.VC.opendb *.VC.VC.opendb
# Visual Studio profiler # Visual Studio profiler
*.psess *.psess
*.vsp *.vsp
*.vspx *.vspx
*.sap *.sap
# Visual Studio Trace Files # Visual Studio Trace Files
*.e2e *.e2e
# TFS 2012 Local Workspace # TFS 2012 Local Workspace
$tf/ $tf/
# Guidance Automation Toolkit # Guidance Automation Toolkit
*.gpState *.gpState
# ReSharper is a .NET coding add-in # ReSharper is a .NET coding add-in
_ReSharper*/ _ReSharper*/
*.[Rr]e[Ss]harper *.[Rr]e[Ss]harper
*.DotSettings.user *.DotSettings.user
# TeamCity is a build add-in # TeamCity is a build add-in
_TeamCity* _TeamCity*
# DotCover is a Code Coverage Tool # DotCover is a Code Coverage Tool
*.dotCover *.dotCover
# AxoCover is a Code Coverage Tool # AxoCover is a Code Coverage Tool
.axoCover/* .axoCover/*
!.axoCover/settings.json !.axoCover/settings.json
# Visual Studio code coverage results # Visual Studio code coverage results
*.coverage *.coverage
*.coveragexml *.coveragexml
# NCrunch # NCrunch
_NCrunch_* _NCrunch_*
.*crunch*.local.xml .*crunch*.local.xml
nCrunchTemp_* nCrunchTemp_*
# MightyMoose # MightyMoose
*.mm.* *.mm.*
AutoTest.Net/ AutoTest.Net/
# Web workbench (sass) # Web workbench (sass)
.sass-cache/ .sass-cache/
# Installshield output folder # Installshield output folder
[Ee]xpress/ [Ee]xpress/
# DocProject is a documentation generator add-in # DocProject is a documentation generator add-in
DocProject/buildhelp/ DocProject/buildhelp/
DocProject/Help/*.HxT DocProject/Help/*.HxT
DocProject/Help/*.HxC DocProject/Help/*.HxC
DocProject/Help/*.hhc DocProject/Help/*.hhc
DocProject/Help/*.hhk DocProject/Help/*.hhk
DocProject/Help/*.hhp DocProject/Help/*.hhp
DocProject/Help/Html2 DocProject/Help/Html2
DocProject/Help/html DocProject/Help/html
# Click-Once directory # Click-Once directory
publish/ publish/
# Publish Web Output # Publish Web Output
*.[Pp]ublish.xml *.[Pp]ublish.xml
*.azurePubxml *.azurePubxml
# Note: Comment the next line if you want to checkin your web deploy settings, # Note: Comment the next line if you want to checkin your web deploy settings,
# but database connection strings (with potential passwords) will be unencrypted # but database connection strings (with potential passwords) will be unencrypted
*.pubxml *.pubxml
*.publishproj *.publishproj
# Microsoft Azure Web App publish settings. Comment the next line if you want to # Microsoft Azure Web App publish settings. Comment the next line if you want to
# checkin your Azure Web App publish settings, but sensitive information contained # checkin your Azure Web App publish settings, but sensitive information contained
# in these scripts will be unencrypted # in these scripts will be unencrypted
PublishScripts/ PublishScripts/
# NuGet Packages # NuGet Packages
*.nupkg *.nupkg
# NuGet Symbol Packages # NuGet Symbol Packages
*.snupkg *.snupkg
# The packages folder can be ignored because of Package Restore # The packages folder can be ignored because of Package Restore
**/[Pp]ackages/* **/[Pp]ackages/*
# except build/, which is used as an MSBuild target. # except build/, which is used as an MSBuild target.
!**/[Pp]ackages/build/ !**/[Pp]ackages/build/
# Uncomment if necessary however generally it will be regenerated when needed # Uncomment if necessary however generally it will be regenerated when needed
#!**/[Pp]ackages/repositories.config #!**/[Pp]ackages/repositories.config
# NuGet v3's project.json files produces more ignorable files # NuGet v3's project.json files produces more ignorable files
*.nuget.props *.nuget.props
*.nuget.targets *.nuget.targets
# Microsoft Azure Build Output # Microsoft Azure Build Output
csx/ csx/
*.build.csdef *.build.csdef
# Microsoft Azure Emulator # Microsoft Azure Emulator
ecf/ ecf/
rcf/ rcf/
# Windows Store app package directories and files # Windows Store app package directories and files
AppPackages/ AppPackages/
BundleArtifacts/ BundleArtifacts/
Package.StoreAssociation.xml Package.StoreAssociation.xml
_pkginfo.txt _pkginfo.txt
*.appx *.appx
*.appxbundle *.appxbundle
*.appxupload *.appxupload
# Visual Studio cache files # Visual Studio cache files
# files ending in .cache can be ignored # files ending in .cache can be ignored
*.[Cc]ache *.[Cc]ache
# but keep track of directories ending in .cache # but keep track of directories ending in .cache
!?*.[Cc]ache/ !?*.[Cc]ache/
# Others # Others
ClientBin/ ClientBin/
~$* ~$*
*~ *~
*.dbmdl *.dbmdl
*.dbproj.schemaview *.dbproj.schemaview
*.jfm *.jfm
*.pfx *.pfx
*.publishsettings *.publishsettings
orleans.codegen.cs orleans.codegen.cs
# Including strong name files can present a security risk # Including strong name files can present a security risk
# (https://github.com/github/gitignore/pull/2483#issue-259490424) # (https://github.com/github/gitignore/pull/2483#issue-259490424)
#*.snk #*.snk
# Since there are multiple workflows, uncomment next line to ignore bower_components # Since there are multiple workflows, uncomment next line to ignore bower_components
# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
#bower_components/ #bower_components/
# RIA/Silverlight projects # RIA/Silverlight projects
Generated_Code/ Generated_Code/
# Backup & report files from converting an old project file # Backup & report files from converting an old project file
# to a newer Visual Studio version. Backup files are not needed, # to a newer Visual Studio version. Backup files are not needed,
# because we have git ;-) # because we have git ;-)
_UpgradeReport_Files/ _UpgradeReport_Files/
Backup*/ Backup*/
UpgradeLog*.XML UpgradeLog*.XML
UpgradeLog*.htm UpgradeLog*.htm
ServiceFabricBackup/ ServiceFabricBackup/
*.rptproj.bak *.rptproj.bak
# SQL Server files # SQL Server files
*.mdf *.mdf
*.ldf *.ldf
*.ndf *.ndf
# Business Intelligence projects # Business Intelligence projects
*.rdl.data *.rdl.data
*.bim.layout *.bim.layout
*.bim_*.settings *.bim_*.settings
*.rptproj.rsuser *.rptproj.rsuser
*- [Bb]ackup.rdl *- [Bb]ackup.rdl
*- [Bb]ackup ([0-9]).rdl *- [Bb]ackup ([0-9]).rdl
*- [Bb]ackup ([0-9][0-9]).rdl *- [Bb]ackup ([0-9][0-9]).rdl
# Microsoft Fakes # Microsoft Fakes
FakesAssemblies/ FakesAssemblies/
# GhostDoc plugin setting file # GhostDoc plugin setting file
*.GhostDoc.xml *.GhostDoc.xml
# Node.js Tools for Visual Studio # Node.js Tools for Visual Studio
.ntvs_analysis.dat .ntvs_analysis.dat
node_modules/ node_modules/
# Visual Studio 6 build log # Visual Studio 6 build log
*.plg *.plg
# Visual Studio 6 workspace options file # Visual Studio 6 workspace options file
*.opt *.opt
# Visual Studio 6 auto-generated workspace file (contains which files were open etc.) # Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
*.vbw *.vbw
# Visual Studio LightSwitch build output # Visual Studio LightSwitch build output
**/*.HTMLClient/GeneratedArtifacts **/*.HTMLClient/GeneratedArtifacts
**/*.DesktopClient/GeneratedArtifacts **/*.DesktopClient/GeneratedArtifacts
**/*.DesktopClient/ModelManifest.xml **/*.DesktopClient/ModelManifest.xml
**/*.Server/GeneratedArtifacts **/*.Server/GeneratedArtifacts
**/*.Server/ModelManifest.xml **/*.Server/ModelManifest.xml
_Pvt_Extensions _Pvt_Extensions
# Paket dependency manager # Paket dependency manager
.paket/paket.exe .paket/paket.exe
paket-files/ paket-files/
# FAKE - F# Make # FAKE - F# Make
.fake/ .fake/
# CodeRush personal settings # CodeRush personal settings
.cr/personal .cr/personal
# Python Tools for Visual Studio (PTVS) # Python Tools for Visual Studio (PTVS)
__pycache__/ __pycache__/
*.pyc *.pyc
# Cake - Uncomment if you are using it # Cake - Uncomment if you are using it
# tools/** # tools/**
# !tools/packages.config # !tools/packages.config
# Tabs Studio # Tabs Studio
*.tss *.tss
# Telerik's JustMock configuration file # Telerik's JustMock configuration file
*.jmconfig *.jmconfig
# BizTalk build output # BizTalk build output
*.btp.cs *.btp.cs
*.btm.cs *.btm.cs
*.odx.cs *.odx.cs
*.xsd.cs *.xsd.cs
# OpenCover UI analysis results # OpenCover UI analysis results
OpenCover/ OpenCover/
# Azure Stream Analytics local run output # Azure Stream Analytics local run output
ASALocalRun/ ASALocalRun/
# MSBuild Binary and Structured Log # MSBuild Binary and Structured Log
*.binlog *.binlog
# NVidia Nsight GPU debugger configuration file # NVidia Nsight GPU debugger configuration file
*.nvuser *.nvuser
# MFractors (Xamarin productivity tool) working folder # MFractors (Xamarin productivity tool) working folder
.mfractor/ .mfractor/
# Local History for Visual Studio # Local History for Visual Studio
.localhistory/ .localhistory/
# BeatPulse healthcheck temp database # BeatPulse healthcheck temp database
healthchecksdb healthchecksdb
# Backup folder for Package Reference Convert tool in Visual Studio 2017 # Backup folder for Package Reference Convert tool in Visual Studio 2017
MigrationBackup/ MigrationBackup/
# Ionide (cross platform F# VS Code tools) working folder # Ionide (cross platform F# VS Code tools) working folder
.ionide/ .ionide/

@ -1,21 +1,21 @@
MIT License MIT License
Copyright (c) 2021 qtKite Copyright (c) 2021 qtKite
Permission is hereby granted, free of charge, to any person obtaining a copy Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions: furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software. copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE. SOFTWARE.

@ -1,386 +1,416 @@
# defender-control # defender-control
currently a work in progress - feel free to come back to check on any updates currently a work in progress - feel free to come back to check on any updates
## what is this project? ## what is this project?
We all know that disabling windefender is a pain going through countless registries. We all know that disabling windefender is a pain going through countless registries.
The next easiest solution is to use freeware and currently the most popular one is by sordum. (i won't link here - you can find it on the first google result) The next easiest solution is to use freeware and currently the most popular one is by sordum. (i won't link here - you can find it on the first google result)
however, i was first wary of this program and the virus total detections; althought they are claimed to be false positive. however, i was first wary of this program and the virus total detections; althought they are claimed to be false positive.
but i know that this program has worked well for me and friends in the past. but i know that this program has worked well for me and friends in the past.
but for those who like open source, i took apart this program and did the research to disable windows defender in an easy open source manner without having to worry about running malware. but for those who like open source, i took apart this program and did the research to disable windows defender in an easy open source manner without having to worry about running malware.
## reversal ## reversal
Our tool of choice will be IDA & x64 debugger for this task Our tool of choice will be IDA & x64 debugger for this task
firstly we are going to inspect the strings and look for anything interesting. firstly we are going to inspect the strings and look for anything interesting.
Strings seems to be hidden in this one, so I will do 2 different PoC of attack. Strings seems to be hidden in this one, so I will do 2 different PoC of attack.
The first one, is to hook the registry functions and output their arguments. Since I know The first one, is to hook the registry functions and output their arguments. Since I know
for a fact after looking at the imports - this program works by writing into relevant registries. for a fact after looking at the imports - this program works by writing into relevant registries.
The second method is to breakpoint each function with x64 debugger and take a look at the strings on runtime. The second method is to breakpoint each function with x64 debugger and take a look at the strings on runtime.
I did eventually come up with a third method, and it was to let procmon do its thing while you debug the program - but ill leave that as an exercise for another day. I did eventually come up with a third method, and it was to let procmon do its thing while you debug the program - but ill leave that as an exercise for another day.
## x64 Debug ## x64 Debug
### disabling defender ### disabling defender
If we breakpoint onto RegSetKeyValue it writes into "DisableAntiSpyware" which we can research on the internet If we breakpoint onto RegSetKeyValue it writes into "DisableAntiSpyware" which we can research on the internet
There is a lot of occurance with the following registry directory: "Software\\Policies\\Microsoft\\Windows Defender" There is a lot of occurance with the following registry directory: "Software\\Policies\\Microsoft\\Windows Defender"
It is found under the parent directory of HKLM64. It is found under the parent directory of HKLM64.
```asm ```asm
008CE9E8 043DCA88 L"HKLM64" 008CE9E8 043DCA88 L"HKLM64"
... ...
008CEA08 043DCBC0 L"SOFTWARE\\Policies\\Microsoft\\Windows Defender" 008CEA08 043DCBC0 L"SOFTWARE\\Policies\\Microsoft\\Windows Defender"
``` ```
The second breakpoint leads us here: The second breakpoint leads us here:
```asm ```asm
008CE8F0 043DCFE8 L"HKLM64" 008CE8F0 043DCFE8 L"HKLM64"
... ...
008CE910 043DD120 L"SYSTEM\\CurrentControlSet\\Services\\WinDefend" 008CE910 043DD120 L"SYSTEM\\CurrentControlSet\\Services\\WinDefend"
``` ```
So taking a look into the registry: SYSTEM\\CurrentControlSet\\Services\\WinDefend So taking a look into the registry: SYSTEM\\CurrentControlSet\\Services\\WinDefend
and cross referencing back to x64 dbg: we notice this: and cross referencing back to x64 dbg: we notice this:
`76122F7F | 397D 0C | cmp dword ptr ss:[ebp+C],edi | [ebp+C]:L"Start"` `76122F7F | 397D 0C | cmp dword ptr ss:[ebp+C],edi | [ebp+C]:L"Start"`
It appears that 0x03 disables windefender, while 0x02 means to enable. It appears that 0x03 disables windefender, while 0x02 means to enable.
A quick google search brings us here: https://answers.microsoft.com/en-us/protect/forum/protect_defender-protect_start-windows_10/how-to-disable-windows-defender-in-windows-10/b834d36e-6da8-42a8-85f6-da9a520f05f2 A quick google search brings us here: https://answers.microsoft.com/en-us/protect/forum/protect_defender-protect_start-windows_10/how-to-disable-windows-defender-in-windows-10/b834d36e-6da8-42a8-85f6-da9a520f05f2
The next one is also in HKLM: The next one is also in HKLM:
```asm ```asm
76122FF0 | 8945 CC | mov dword ptr ss:[ebp-34],eax | [ebp-34]:L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run" 76122FF0 | 8945 CC | mov dword ptr ss:[ebp-34],eax | [ebp-34]:L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run"
76122FF3 | 66:8B01 | mov ax,word ptr ds:[ecx] | ecx:&L"SecurityHealth" 76122FF3 | 66:8B01 | mov ax,word ptr ds:[ecx] | ecx:&L"SecurityHealth"
``` ```
Seems to be set to 3 or off Seems to be set to 3 or off
Now we will look at RegCreateKey Now we will look at RegCreateKey
There seems to be a regisatry opened at There seems to be a regisatry opened at
```asm ```asm
EDX : 043DCD78 L"SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection" EDX : 043DCD78 L"SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection"
EIP : 7591E420 <advapi32.RegCreateKeyExW> EIP : 7591E420 <advapi32.RegCreateKeyExW>
``` ```
However, there doesnt seem to be anymore functions breakpointed. So lets inspect the directory However, there doesnt seem to be anymore functions breakpointed. So lets inspect the directory
We have 2 flags set: We have 2 flags set:
DisableRealtimeMonitoring as a REG_DWORD set to 0x01 DisableRealtimeMonitoring as a REG_DWORD set to 0x01
DpaDisabled as REG_DWORD set to 0x0 DpaDisabled as REG_DWORD set to 0x0
Another one opened here: Another one opened here:
```asm ```asm
008CEFF8 043EB4C8 L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run" 008CEFF8 043EB4C8 L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run"
``` ```
### enabling defender ### enabling defender
there seems to be a reference with "Policy Manager" using RegEnumKeyExW there seems to be a reference with "Policy Manager" using RegEnumKeyExW
It seems to call RegDeleteValueW on security health (see above) It seems to call RegDeleteValueW on security health (see above)
## reversing w hooks ## reversing w hooks
We are going to write a simple dll to inject into defender control to dump out the parameters of the functions we are interested in. We are going to write a simple dll to inject into defender control to dump out the parameters of the functions we are interested in.
Here are the logs: Here are the logs:
``` ```
obtained RegDeleteKeyW from 75A60000 obtained RegDeleteKeyW from 75A60000
obtained RegDeleteValueW from 75A60000 obtained RegDeleteValueW from 75A60000
obtained RegEnumValueW from 75A60000 obtained RegEnumValueW from 75A60000
obtained RegSetValueExW from 75A60000 obtained RegSetValueExW from 75A60000
obtained RegCreateKeyExW from 75A60000 obtained RegCreateKeyExW from 75A60000
obtained RegConnectRegistryW from 75A60000 obtained RegConnectRegistryW from 75A60000
obtained RegEnumKeyExW from 75A60000 obtained RegEnumKeyExW from 75A60000
obtained RegQueryValueExW from 75A60000 obtained RegQueryValueExW from 75A60000
obtained RegOpenKeyExW from 75A60000 obtained RegOpenKeyExW from 75A60000
imports resolved imports resolved
preparing to hook preparing to hook
Registry Routine to check if defender activated: Registry Routine to check if defender activated:
[RegOpenKeyExW] [RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
[RegQueryValueExW] [RegQueryValueExW]
lpValueName: DisableRealtimeMonitoring lpValueName: DisableRealtimeMonitoring
[RegQueryValueExW] [RegQueryValueExW]
lpValueName: DisableRealtimeMonitoring lpValueName: DisableRealtimeMonitoring
[RegOpenKeyExW] [RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths lpValueName: SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
[RegQueryValueExW] [RegQueryValueExW]
lpValueName: C:\Program Files (x86)\DefenderControl\dControl.exe lpValueName: C:\Program Files (x86)\DefenderControl\dControl.exe
Routine to disable defender Routine to disable defender
[RegCreateKeyExW] [RegCreateKeyExW]
lpSubKey: SOFTWARE\Policies\Microsoft\Windows Defender lpSubKey: SOFTWARE\Policies\Microsoft\Windows Defender
[RegSetValueExW] [RegSetValueExW]
lpValueName: DisableAntiSpyware lpValueName: DisableAntiSpyware
[RegCreateKeyExW] [RegCreateKeyExW]
lpSubKey: SOFTWARE\Microsoft\Windows Defender lpSubKey: SOFTWARE\Microsoft\Windows Defender
[RegCreateKeyExW] [RegCreateKeyExW]
lpSubKey: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection lpSubKey: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
[RegOpenKeyExW] [RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender lpValueName: SOFTWARE\Microsoft\Windows Defender
[RegQueryValueExW] [RegQueryValueExW]
lpValueName: DisableAntiSpyware lpValueName: DisableAntiSpyware
[RegQueryValueExW] [RegQueryValueExW]
lpValueName: DisableAntiSpyware lpValueName: DisableAntiSpyware
[RegCreateKeyExW] [RegCreateKeyExW]
lpSubKey: SYSTEM\CurrentControlSet\Services\WinDefend lpSubKey: SYSTEM\CurrentControlSet\Services\WinDefend
[RegSetValueExW] [RegSetValueExW]
lpValueName: Start lpValueName: Start
[RegOpenKeyExW] [RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[RegOpenKeyExW] [RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[RegQueryValueExW] [RegQueryValueExW]
lpValueName: SecurityHealth lpValueName: SecurityHealth
[RegQueryValueExW] [RegQueryValueExW]
lpValueName: SecurityHealth lpValueName: SecurityHealth
[RegCreateKeyExW] [RegCreateKeyExW]
lpSubKey: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run lpSubKey: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run
[RegSetValueExW] [RegSetValueExW]
lpValueName: SecurityHealth lpValueName: SecurityHealth
[RegOpenKeyExW] [RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[RegEnumValueW] [RegEnumValueW]
lpValueName: SecurityHealth lpValueName: SecurityHealth
[RegOpenKeyExW] [RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
[RegQueryValueExW] [RegQueryValueExW]
lpValueName: DisableRealtimeMonitoring lpValueName: DisableRealtimeMonitoring
[RegQueryValueExW] [RegQueryValueExW]
lpValueName: DisableRealtimeMonitoring lpValueName: DisableRealtimeMonitoring
[RegOpenKeyExW] [RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths lpValueName: SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
[RegQueryValueExW] [RegQueryValueExW]
lpValueName: C:\Program Files (x86)\DefenderControl\dControl.exe lpValueName: C:\Program Files (x86)\DefenderControl\dControl.exe
Routine to enable defender Routine to enable defender
[RegOpenKeyExW] [RegOpenKeyExW]
lpValueName: SOFTWARE\Policies\Microsoft\Windows Defender lpValueName: SOFTWARE\Policies\Microsoft\Windows Defender
[RegOpenKeyExW] [RegOpenKeyExW]
lpValueName: Policy Manager lpValueName: Policy Manager
[RegOpenKeyExW] [RegOpenKeyExW]
lpValueName: SOFTWARE\Policies\Microsoft\Windows Defender lpValueName: SOFTWARE\Policies\Microsoft\Windows Defender
[RegOpenKeyExW] [RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender lpValueName: SOFTWARE\Microsoft\Windows Defender
[RegOpenKeyExW] [RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
[RegOpenKeyExW] [RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
[RegOpenKeyExW] [RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender lpValueName: SOFTWARE\Microsoft\Windows Defender
[RegQueryValueExW] [RegQueryValueExW]
lpValueName: DisableAntiSpyware lpValueName: DisableAntiSpyware
[RegQueryValueExW] [RegQueryValueExW]
lpValueName: DisableAntiSpyware lpValueName: DisableAntiSpyware
[RegOpenKeyExW] [RegOpenKeyExW]
lpValueName: SOFTWARE\Policies\Microsoft\Windows Defender lpValueName: SOFTWARE\Policies\Microsoft\Windows Defender
[RegOpenKeyExW] [RegOpenKeyExW]
lpValueName: SOFTWARE\Policies\Microsoft\Windows Defender lpValueName: SOFTWARE\Policies\Microsoft\Windows Defender
[RegOpenKeyExW] [RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender lpValueName: SOFTWARE\Microsoft\Windows Defender
[RegOpenKeyExW] [RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
[RegOpenKeyExW] [RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
[RegOpenKeyExW] [RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender lpValueName: SOFTWARE\Microsoft\Windows Defender
[RegQueryValueExW] [RegQueryValueExW]
lpValueName: DisableAntiSpyware lpValueName: DisableAntiSpyware
[RegQueryValueExW] [RegQueryValueExW]
lpValueName: DisableAntiSpyware lpValueName: DisableAntiSpyware
[RegOpenKeyExW] [RegOpenKeyExW]
lpValueName: SYSTEM\CurrentControlSet\Services\SecLogon lpValueName: SYSTEM\CurrentControlSet\Services\SecLogon
[RegQueryValueExW] [RegQueryValueExW]
lpValueName: Start lpValueName: Start
[RegQueryValueExW] [RegQueryValueExW]
lpValueName: Start lpValueName: Start
[RegOpenKeyExW] [RegOpenKeyExW]
lpValueName: SOFTWARE\Policies\Microsoft\Windows Defender lpValueName: SOFTWARE\Policies\Microsoft\Windows Defender
[RegOpenKeyExW] [RegOpenKeyExW]
lpValueName: Policy Manager lpValueName: Policy Manager
[RegOpenKeyExW] [RegOpenKeyExW]
lpValueName: SOFTWARE\Policies\Microsoft\Windows Defender lpValueName: SOFTWARE\Policies\Microsoft\Windows Defender
[RegOpenKeyExW] [RegOpenKeyExW]
lpValueName: Policy Manager lpValueName: Policy Manager
[RegOpenKeyExW] [RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender lpValueName: SOFTWARE\Microsoft\Windows Defender
[RegOpenKeyExW] [RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
[RegOpenKeyExW] [RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
[RegOpenKeyExW] [RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender lpValueName: SOFTWARE\Microsoft\Windows Defender
[RegQueryValueExW] [RegQueryValueExW]
lpValueName: DisableAntiSpyware lpValueName: DisableAntiSpyware
[RegOpenKeyExW] [RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
[RegQueryValueExW] [RegQueryValueExW]
lpValueName: DisableRealtimeMonitoring lpValueName: DisableRealtimeMonitoring
[RegOpenKeyExW] [RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[RegEnumValueW] [RegEnumValueW]
lpValueName: SecurityHealth lpValueName: SecurityHealth
[RegOpenKeyExW] [RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[RegQueryValueExW] [RegQueryValueExW]
lpValueName: SecurityHealth lpValueName: SecurityHealth
[RegQueryValueExW] [RegQueryValueExW]
lpValueName: SecurityHealth lpValueName: SecurityHealth
[RegOpenKeyExW] [RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run
[RegDeleteValueW] [RegDeleteValueW]
lpValueNameSecurityHealth lpValueNameSecurityHealth
[RegOpenKeyExW] [RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[RegEnumValueW] [RegEnumValueW]
lpValueName: SecurityHealth lpValueName: SecurityHealth
[RegOpenKeyExW] [RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[RegQueryValueExW] [RegQueryValueExW]
lpValueName: WindowsDefender lpValueName: WindowsDefender
[RegQueryValueExW] [RegQueryValueExW]
lpValueName: WindowsDefender lpValueName: WindowsDefender
[RegOpenKeyExW] [RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[RegEnumValueW] [RegEnumValueW]
lpValueName: WindowsDefender lpValueName: WindowsDefender
[RegOpenKeyExW] [RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
[RegQueryValueExW] [RegQueryValueExW]
lpValueName: DisableRealtimeMonitoring lpValueName: DisableRealtimeMonitoring
[RegOpenKeyExW] [RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths lpValueName: SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
[RegQueryValueExW] [RegQueryValueExW]
lpValueName: C:\Program Files (x86)\DefenderControl\dControl.exe lpValueName: C:\Program Files (x86)\DefenderControl\dControl.exe
<also redacted a bunch of stuff from policy manager stuff> <also redacted a bunch of stuff from policy manager stuff>
``` ```
So by analyzing these logs, it seems that we check if defender is enabled by reading these two registries: So by analyzing these logs, it seems that we check if defender is enabled by reading these two registries:
``` ```
SOFTWARE\Microsoft\Windows Defender\Real-Time Protection SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
DisableRealtimeMonitoring DisableRealtimeMonitoring
``` ```
When it disables the AV it modifies these registries: When it disables the AV it modifies these registries:
``` ```
[RegCreateKeyExW] [RegCreateKeyExW]
lpSubKey: SOFTWARE\Policies\Microsoft\Windows Defender lpSubKey: SOFTWARE\Policies\Microsoft\Windows Defender
[RegSetValueExW] [RegSetValueExW]
lpValueName: DisableAntiSpyware lpValueName: DisableAntiSpyware
[RegCreateKeyExW] [RegCreateKeyExW]
lpSubKey: SOFTWARE\Microsoft\Windows Defender lpSubKey: SOFTWARE\Microsoft\Windows Defender
[RegCreateKeyExW] [RegCreateKeyExW]
lpSubKey: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection lpSubKey: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
[RegCreateKeyExW] [RegCreateKeyExW]
lpSubKey: SYSTEM\CurrentControlSet\Services\WinDefend lpSubKey: SYSTEM\CurrentControlSet\Services\WinDefend
[RegSetValueExW] [RegSetValueExW]
lpValueName: Start lpValueName: Start
[RegOpenKeyExW] [RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[RegQueryValueExW] [RegQueryValueExW]
lpValueName: SecurityHealth lpValueName: SecurityHealth
[RegCreateKeyExW] [RegCreateKeyExW]
lpSubKey: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run lpSubKey: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run
[RegSetValueExW] [RegSetValueExW]
lpValueName: SecurityHealth lpValueName: SecurityHealth
[RegOpenKeyExW] [RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[RegEnumValueW] [RegEnumValueW]
lpValueName: SecurityHealth lpValueName: SecurityHealth
[RegOpenKeyExW] [RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
[RegQueryValueExW] [RegQueryValueExW]
lpValueName: DisableRealtimeMonitoring lpValueName: DisableRealtimeMonitoring
``` ```
### Dumping VTable Calls ### Dumping VTable Calls
``` ```
[Control Table] 0x495b78 [Control Table] 0x495b78
[Control Table] 0x493658 [Control Table] 0x493658
[Control Table] 0x4932f8 [Control Table] 0x4932f8
[Control Table] 0x494e1c [Control Table] 0x494e1c
[Control Table] 0x4949e4 [Control Table] 0x4949e4
[Control Table] 0x4965e0 [Control Table] 0x4965e0
[Control Table] 0x496088 [Control Table] 0x496088
[Control Table] 0x4951c4 [Control Table] 0x4951c4
[Control Table] 0x4960d0 [Control Table] 0x4960d0
[Control Table] 0x49463c [Control Table] 0x49463c
[Control Table] 0x493808 [Control Table] 0x493808
[Control Table] 0x493850 [Control Table] 0x493850
[Control Table] 0x494ed0 [Control Table] 0x494ed0
[Control Table] 0x49382c [Control Table] 0x49382c
[Control Table] 0x49532c [Control Table] 0x49532c
[Control Table] 0x493874 [Control Table] 0x493874
[Control Table] 0x493898 [Control Table] 0x493898
[Control Table] 0x4931fc [Control Table] 0x4931fc
[Control Table] 0x4931b4 [Control Table] 0x4931b4
[Control Table] 0x495500 [Control Table] 0x495500
[Control Table] 0x495cbc [Control Table] 0x495cbc
[Control Table] 0x495ce0 [Control Table] 0x495ce0
[Control Table] 0x4958cc [Control Table] 0x4958cc
[Control Table] 0x494a74 [Control Table] 0x494a74
[Control Table] 0x495c08 [Control Table] 0x495c08
[Control Table] 0x494cfc [Control Table] 0x494cfc
[Control Table] 0x493c40 [Control Table] 0x493c40
[Control Table] 0x493e5c [Control Table] 0x493e5c
[Control Table] 0x493ea4 [Control Table] 0x493ea4
[Control Table] 0x493b8c [Control Table] 0x493b8c
[Control Table] 0x495b0c [Control Table] 0x495b0c
[Control Table] 0x495c2c [Control Table] 0x495c2c
[Control Table] 0x493f7c [Control Table] 0x493f7c
[Control Table] 0x4930dc [Control Table] 0x4930dc
[Control Table] 0x493fe8 [Control Table] 0x493fe8
[Control Table] 0x494c00 [Control Table] 0x494c00
[Control Table] 0x495644 [Control Table] 0x495644
[Control Table] 0x495428 [Control Table] 0x495428
[Control Table] 0x496430 [Control Table] 0x496430
[Control Table] 0x4963e8 [Control Table] 0x4963e8
[Control Table] 0x4954b8 [Control Table] 0x4954b8
[Control Table] 0x4945d0 [Control Table] 0x4945d0
[Control Table] 0x496040 [Control Table] 0x496040
[Control Table] 0x4960ac [Control Table] 0x4960ac
[Control Table] 0x494a50 [Control Table] 0x494a50
[Control Table] 0x495be4 [Control Table] 0x495be4
``` ```
To enable the AV, we just do the opposite of what we needed to disable the AV. To enable the AV, we just do the opposite of what we needed to disable the AV.
Upon starting the AV, the program calls CreateProcessW on C:\Windows\System32\SecurityHealthSystray.exe Upon starting the AV, the program calls CreateProcessW on C:\Windows\System32\SecurityHealthSystray.exe
## Windows Tamper Protection ## Windows Tamper Protection
But theres, a catch. In a newer recent windows update - you can no longer disable the defender via registries. Well, our program runs completely in usermode, so there must be another way its making these registry changes - most likely through the powershell command Set-MpPreference if we do some research into changing the registry. So we will need to take a peek into the wmic api it accesses. But theres, a catch. In a newer recent windows update - you can no longer disable the defender via registries. Well, our program runs completely in usermode, so there must be another way its making these registry changes - most likely through the powershell command Set-MpPreference if we do some research into changing the registry. So we will need to take a peek into the wmic api it accesses.
Luckily for us, all this stuff is documented. Check out these two links: Luckily for us, all this stuff is documented. Check out these two links:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2019-ps - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2019-ps
- https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-c---application-examples - https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-c---application-examples
So, since its kind of difficult to debug the values DefenderControl accesses and this stuff is pretty well documented - we are going to base our work off research. So, since its kind of difficult to debug the values DefenderControl accesses and this stuff is pretty well documented - we are going to base our work off research.
I first wanted to see how powershell called the command, so i looked through the powershell github since its open sourced and found that the command was in a cmdlet that was not documented in the repository. So after reading up on some powershell commands I dumped the powershell informating using this: I first wanted to see how powershell called the command, so i looked through the powershell github since its open sourced and found that the command was in a cmdlet that was not documented in the repository. So after reading up on some powershell commands I dumped the powershell informating using this:
``` ```
Get-Command Set-MpPreference | fl Get-Command Set-MpPreference | fl
``` e``
If we wanted to read the MSFT_MpPreference class, it is documented here: If we wanted to read the MSFT_MpPreference class, it is documented here:
https://docs.microsoft.com/en-us/previous-versions/windows/desktop/legacy/dn455323(v=vs.85)#requirements https://docs.microsoft.com/en-us/previous-versions/windows/desktop/legacy/dn455323(v=vs.85)#requirements
We can access via powershell like so: We can access via powershell like so:
``` ```
Get-WmiObject -ClassName MSFT_MpPreference -Namespace root/microsoft/windows/defender Get-WmiObject -ClassName MSFT_MpPreference -Namespace root/microsoft/windows/defender
``` ```
If we look further we can write to this using the WMI as i suspected, it is documented here: If we look further we can write to this using the WMI as i suspected, it is documented here:
https://docs.microsoft.com/en-us/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal https://docs.microsoft.com/en-us/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal
We can find the specific wmi com classes if we do the following command:
```
MpPreference |fl *
```
We get an output and we are intrested in this:
```
CimClass : root/Microsoft/Windows/Defender:MSFT_MpPreference
CimInstanceProperties : {AllowDatagramProcessingOnWinServer, AllowNetworkProtectionDownLevel,
AllowNetworkProtectionOnWinServer,
AttackSurfaceReductionOnlyExclusions...}
CimSystemProperties : Microsoft.Management.Infrastructure.CimSystemProperties
```
We can find the class here: https://docs.microsoft.com/en-us/dotnet/api/microsoft.management.infrastructure.cimsystemproperties?view=powershellsdk-7.0.0
It is also located in windows binaries in the following path: C:\Program Files (x86)\Reference Assemblies\Microsoft\WMI\v1.0

1046
logs.MD


@ -1,41 +1,41 @@
 
Microsoft Visual Studio Solution File, Format Version 12.00 Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 16 # Visual Studio Version 16
VisualStudioVersion = 16.0.31229.75 VisualStudioVersion = 16.0.31229.75
MinimumVisualStudioVersion = 10.0.40219.1 MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "defender-control", "defender-control\defender-control.vcxproj", "{7C2C0AEC-7B9D-4104-99FA-1844D609452C}" Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "defender-control", "defender-control\defender-control.vcxproj", "{7C2C0AEC-7B9D-4104-99FA-1844D609452C}"
EndProject EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "dumper", "dumper\dumper.vcxproj", "{089CA7D6-3277-4998-86AF-F6413290A442}" Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "dumper", "dumper\dumper.vcxproj", "{089CA7D6-3277-4998-86AF-F6413290A442}"
EndProject EndProject
Global Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|x64 = Debug|x64 Debug|x64 = Debug|x64
Debug|x86 = Debug|x86 Debug|x86 = Debug|x86
Release|x64 = Release|x64 Release|x64 = Release|x64
Release|x86 = Release|x86 Release|x86 = Release|x86
EndGlobalSection EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution GlobalSection(ProjectConfigurationPlatforms) = postSolution
{7C2C0AEC-7B9D-4104-99FA-1844D609452C}.Debug|x64.ActiveCfg = Debug|x64 {7C2C0AEC-7B9D-4104-99FA-1844D609452C}.Debug|x64.ActiveCfg = Debug|x64
{7C2C0AEC-7B9D-4104-99FA-1844D609452C}.Debug|x64.Build.0 = Debug|x64 {7C2C0AEC-7B9D-4104-99FA-1844D609452C}.Debug|x64.Build.0 = Debug|x64
{7C2C0AEC-7B9D-4104-99FA-1844D609452C}.Debug|x86.ActiveCfg = Debug|Win32 {7C2C0AEC-7B9D-4104-99FA-1844D609452C}.Debug|x86.ActiveCfg = Debug|Win32
{7C2C0AEC-7B9D-4104-99FA-1844D609452C}.Debug|x86.Build.0 = Debug|Win32 {7C2C0AEC-7B9D-4104-99FA-1844D609452C}.Debug|x86.Build.0 = Debug|Win32
{7C2C0AEC-7B9D-4104-99FA-1844D609452C}.Release|x64.ActiveCfg = Release|x64 {7C2C0AEC-7B9D-4104-99FA-1844D609452C}.Release|x64.ActiveCfg = Release|x64
{7C2C0AEC-7B9D-4104-99FA-1844D609452C}.Release|x64.Build.0 = Release|x64 {7C2C0AEC-7B9D-4104-99FA-1844D609452C}.Release|x64.Build.0 = Release|x64
{7C2C0AEC-7B9D-4104-99FA-1844D609452C}.Release|x86.ActiveCfg = Release|Win32 {7C2C0AEC-7B9D-4104-99FA-1844D609452C}.Release|x86.ActiveCfg = Release|Win32
{7C2C0AEC-7B9D-4104-99FA-1844D609452C}.Release|x86.Build.0 = Release|Win32 {7C2C0AEC-7B9D-4104-99FA-1844D609452C}.Release|x86.Build.0 = Release|Win32
{089CA7D6-3277-4998-86AF-F6413290A442}.Debug|x64.ActiveCfg = Debug|x64 {089CA7D6-3277-4998-86AF-F6413290A442}.Debug|x64.ActiveCfg = Debug|x64
{089CA7D6-3277-4998-86AF-F6413290A442}.Debug|x64.Build.0 = Debug|x64 {089CA7D6-3277-4998-86AF-F6413290A442}.Debug|x64.Build.0 = Debug|x64
{089CA7D6-3277-4998-86AF-F6413290A442}.Debug|x86.ActiveCfg = Debug|Win32 {089CA7D6-3277-4998-86AF-F6413290A442}.Debug|x86.ActiveCfg = Debug|Win32
{089CA7D6-3277-4998-86AF-F6413290A442}.Debug|x86.Build.0 = Debug|Win32 {089CA7D6-3277-4998-86AF-F6413290A442}.Debug|x86.Build.0 = Debug|Win32
{089CA7D6-3277-4998-86AF-F6413290A442}.Release|x64.ActiveCfg = Release|x64 {089CA7D6-3277-4998-86AF-F6413290A442}.Release|x64.ActiveCfg = Release|x64
{089CA7D6-3277-4998-86AF-F6413290A442}.Release|x64.Build.0 = Release|x64 {089CA7D6-3277-4998-86AF-F6413290A442}.Release|x64.Build.0 = Release|x64
{089CA7D6-3277-4998-86AF-F6413290A442}.Release|x86.ActiveCfg = Release|Win32 {089CA7D6-3277-4998-86AF-F6413290A442}.Release|x86.ActiveCfg = Release|Win32
{089CA7D6-3277-4998-86AF-F6413290A442}.Release|x86.Build.0 = Release|Win32 {089CA7D6-3277-4998-86AF-F6413290A442}.Release|x86.Build.0 = Release|Win32
EndGlobalSection EndGlobalSection
GlobalSection(SolutionProperties) = preSolution GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE HideSolutionNode = FALSE
EndGlobalSection EndGlobalSection
GlobalSection(ExtensibilityGlobals) = postSolution GlobalSection(ExtensibilityGlobals) = postSolution
SolutionGuid = {708A26F9-CBFF-49C9-8F9D-1C62AF49488E} SolutionGuid = {708A26F9-CBFF-49C9-8F9D-1C62AF49488E}
EndGlobalSection EndGlobalSection
EndGlobal EndGlobal

@ -1,287 +1,287 @@
#include "dcontrol.h" #include "dcontrol.h"
namespace REG namespace REG
{ {
// reads a key from HKEY_LOCAL_MACHINE // reads a key from HKEY_LOCAL_MACHINE
// //
DWORD read_key(const wchar_t* root_name, const wchar_t* value_name, uint32_t flags) DWORD read_key(const wchar_t* root_name, const wchar_t* value_name, uint32_t flags)
{ {
LSTATUS status; LSTATUS status;
HKEY hkey; HKEY hkey;
DWORD result{}; DWORD result{};
DWORD buff_sz = sizeof(DWORD); DWORD buff_sz = sizeof(DWORD);
// https://docs.microsoft.com/en-us/windows/win32/winprog64/accessing-an-alternate-registry-view // https://docs.microsoft.com/en-us/windows/win32/winprog64/accessing-an-alternate-registry-view
status = RegOpenKeyExW( status = RegOpenKeyExW(
HKEY_LOCAL_MACHINE, HKEY_LOCAL_MACHINE,
root_name, root_name,
0, 0,
KEY_READ | KEY_WOW64_64KEY, KEY_READ | KEY_WOW64_64KEY,
&hkey &hkey
); );
if (status) if (status)
{ {
if (flags & DBG_MSG) if (flags & DBG_MSG)
std::cout << "Error opening " << root_name << " key" << std::endl; std::cout << "Error opening " << root_name << " key" << std::endl;
return -1; return -1;
} }
status = RegQueryValueExW( status = RegQueryValueExW(
hkey, hkey,
value_name, value_name,
0, NULL, 0, NULL,
reinterpret_cast<LPBYTE>(&result), reinterpret_cast<LPBYTE>(&result),
&buff_sz &buff_sz
); );
if (status) if (status)
{ {
if (flags & DBG_MSG) if (flags & DBG_MSG)
std::cout << "Failed to read " << result << std::endl; std::cout << "Failed to read " << result << std::endl;
return -1; return -1;
} }
RegCloseKey(hkey); RegCloseKey(hkey);
return result; return result;
} }
// creates a registry in HKEY_LOCAL_MACHINE with KEY_ALL_ACCESS permissions // creates a registry in HKEY_LOCAL_MACHINE with KEY_ALL_ACCESS permissions
// //
bool create_registry(const wchar_t* root_name, HKEY& hkey) bool create_registry(const wchar_t* root_name, HKEY& hkey)
{ {
LSTATUS status; LSTATUS status;
DWORD dwDisposition; DWORD dwDisposition;
status = RegCreateKeyExW( status = RegCreateKeyExW(
HKEY_LOCAL_MACHINE, HKEY_LOCAL_MACHINE,
root_name, root_name,
0, 0,
0, 0,
0, 0,
131334, 131334,
0, 0,
&hkey, &hkey,
&dwDisposition &dwDisposition
); );
if (status) if (status)
{ {
std::wcout << "could not find or create " << root_name << " error: " << status << std::endl; std::wcout << "could not find or create " << root_name << " error: " << status << std::endl;
return false; return false;
} }
return true; return true;
} }
bool set_keyval(HKEY& hkey, const wchar_t* value_name, DWORD value) bool set_keyval(HKEY& hkey, const wchar_t* value_name, DWORD value)
{ {
auto ret = RegSetValueExW(hkey, value_name, 0, REG_DWORD, auto ret = RegSetValueExW(hkey, value_name, 0, REG_DWORD,
reinterpret_cast<LPBYTE>(&value), 4); reinterpret_cast<LPBYTE>(&value), 4);
if (ret) if (ret)
{ {
std::cout << "Set error: " << ret << std::endl; std::cout << "Set error: " << ret << std::endl;
return false; return false;
} }
return true; return true;
} }
bool set_keyval_bin(HKEY& hkey, const wchar_t* value_name, DWORD value) bool set_keyval_bin(HKEY& hkey, const wchar_t* value_name, DWORD value)
{ {
auto ret = RegSetValueExW(hkey, value_name, 0, REG_BINARY, auto ret = RegSetValueExW(hkey, value_name, 0, REG_BINARY,
reinterpret_cast<LPBYTE>(&value), 12); reinterpret_cast<LPBYTE>(&value), 12);
if (ret) if (ret)
{ {
std::cout << "Set error: " << ret << std::endl; std::cout << "Set error: " << ret << std::endl;
return false; return false;
} }
return true; return true;
} }
} }
namespace WMIC namespace WMIC
{ {
} }
namespace DCONTROL namespace DCONTROL
{ {
// Sets the programs debug priviliges // Sets the programs debug priviliges
bool set_privilege(LPCSTR privilege, BOOL enable) bool set_privilege(LPCSTR privilege, BOOL enable)
{ {
TOKEN_PRIVILEGES priv = { 0,0,0,0 }; TOKEN_PRIVILEGES priv = { 0,0,0,0 };
HANDLE token = nullptr; HANDLE token = nullptr;
LUID luid = { 0,0 }; LUID luid = { 0,0 };
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &token)) if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &token))
{ {
if (token) if (token)
CloseHandle(token); CloseHandle(token);
return false; return false;
} }
if (!LookupPrivilegeValueA(nullptr, SE_DEBUG_NAME, &luid)) if (!LookupPrivilegeValueA(nullptr, SE_DEBUG_NAME, &luid))
{ {
if (token) if (token)
CloseHandle(token); CloseHandle(token);
return false; return false;
} }
priv.PrivilegeCount = 1; priv.PrivilegeCount = 1;
priv.Privileges[0].Luid = luid; priv.Privileges[0].Luid = luid;
priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if (!AdjustTokenPrivileges(token, false, &priv, 0, nullptr, nullptr)) if (!AdjustTokenPrivileges(token, false, &priv, 0, nullptr, nullptr))
{ {
if (token) if (token)
CloseHandle(token); CloseHandle(token);
return false; return false;
} }
if (token) if (token)
CloseHandle(token); CloseHandle(token);
return true; return true;
} }
char sub_43604B() char sub_43604B()
{ {
char v0; // bl char v0; // bl
SC_HANDLE v1; // eax SC_HANDLE v1; // eax
SC_HANDLE v2; // esi SC_HANDLE v2; // esi
void* v3; // eax void* v3; // eax
v0 = 0; v0 = 0;
v1 = OpenSCManagerW(0, 0, 8u); v1 = OpenSCManagerW(0, 0, 8u);
v2 = v1; v2 = v1;
if (v1) if (v1)
{ {
v3 = LockServiceDatabase(v1); v3 = LockServiceDatabase(v1);
if (v3) if (v3)
{ {
UnlockServiceDatabase(v3); UnlockServiceDatabase(v3);
CloseServiceHandle(v2); CloseServiceHandle(v2);
return 1; return 1;
} }
if (GetLastError() == 1055) if (GetLastError() == 1055)
v0 = 1; v0 = 1;
CloseServiceHandle(v2); CloseServiceHandle(v2);
} }
return v0; return v0;
} }
// disables window defender // disables window defender
// //
bool disable_defender() bool disable_defender()
{ {
if (!sub_43604B()) if (!sub_43604B())
{ {
std::cout << "permission error" << std::endl; std::cout << "permission error" << std::endl;
return false; return false;
} }
set_privilege(SE_DEBUG_NAME, TRUE); set_privilege(SE_DEBUG_NAME, TRUE);
HKEY hkey; HKEY hkey;
// DisableAntiSpyware // DisableAntiSpyware
{ {
if (!REG::create_registry(L"SOFTWARE\\Policies\\Microsoft\\Windows Defender", hkey)) if (!REG::create_registry(L"SOFTWARE\\Policies\\Microsoft\\Windows Defender", hkey))
{ {
std::cout << "failed to access Policies" << std::endl; std::cout << "failed to access Policies" << std::endl;
return false; return false;
} }
if (!REG::set_keyval(hkey, L"DisableAntiSpyware", 1)) if (!REG::set_keyval(hkey, L"DisableAntiSpyware", 1))
{ {
std::cout << "failed to write to DisableAntiSpyware" << std::endl; std::cout << "failed to write to DisableAntiSpyware" << std::endl;
return false; return false;
} }
#if 0 #if 0
if (!REG::create_registry(L"SOFTWARE\\Microsoft\\Windows Defender", hkey)) if (!REG::create_registry(L"SOFTWARE\\Microsoft\\Windows Defender", hkey))
{ {
std::cout << "failed to access Windows Defender" << std::endl; std::cout << "failed to access Windows Defender" << std::endl;
return false; return false;
} }
if (!REG::set_keyval(hkey, L"DisableAntiSpyware", 1)) if (!REG::set_keyval(hkey, L"DisableAntiSpyware", 1))
{ {
std::cout << "failed to write to DisableAntiSpyware" << std::endl; std::cout << "failed to write to DisableAntiSpyware" << std::endl;
return false; return false;
} }
#endif #endif
} }
// Start (3 off) (2 on) // Start (3 off) (2 on)
{ {
if (!REG::create_registry(L"SYSTEM\\CurrentControlSet\\Services\\WinDefend", hkey)) if (!REG::create_registry(L"SYSTEM\\CurrentControlSet\\Services\\WinDefend", hkey))
{ {
std::cout << "failed to access CurrentControlSet" << std::endl; std::cout << "failed to access CurrentControlSet" << std::endl;
return false; return false;
} }
if (!REG::set_keyval(hkey, L"Start", 3)) if (!REG::set_keyval(hkey, L"Start", 3))
{ {
std::cout << "failed to write to Start" << std::endl; std::cout << "failed to write to Start" << std::endl;
return false; return false;
} }
} }
std::cout << "Wrote to Start" << std::endl; std::cout << "Wrote to Start" << std::endl;
// SecurityHealth // SecurityHealth
{ {
if (!REG::create_registry(L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run", hkey)) if (!REG::create_registry(L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run", hkey))
{ {
std::cout << "failed to access CurrentVersion" << std::endl; std::cout << "failed to access CurrentVersion" << std::endl;
return false; return false;
} }
if (!REG::set_keyval_bin(hkey, L"SecurityHealth", 3)) if (!REG::set_keyval_bin(hkey, L"SecurityHealth", 3))
{ {
std::cout << "failed to write to SecurityHealth" << std::endl; std::cout << "failed to write to SecurityHealth" << std::endl;
return false; return false;
} }
} }
std::cout << "Wrote to SecurityHealth" << std::endl; std::cout << "Wrote to SecurityHealth" << std::endl;
#if 0 #if 0
// DisableRealtimeMonitoring // DisableRealtimeMonitoring
{ {
if (!REG::create_registry(L"SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection", hkey)) if (!REG::create_registry(L"SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection", hkey))
{ {
std::cout << "failed to access registry" << std::endl; std::cout << "failed to access registry" << std::endl;
return false; return false;
} }
if (!REG::set_keyval(hkey, L"DisableRealtimeMonitoring", 1)) if (!REG::set_keyval(hkey, L"DisableRealtimeMonitoring", 1))
{ {
std::cout << "failed to disable DisableRealtimeMonitoring" << std::endl; std::cout << "failed to disable DisableRealtimeMonitoring" << std::endl;
return false; return false;
} }
} }
#endif #endif
return true; return true;
} }
// Checks whether Real-Time Protection is activated on windows // Checks whether Real-Time Protection is activated on windows
// //
bool check_defender(uint32_t flags) bool check_defender(uint32_t flags)
{ {
return REG::read_key( return REG::read_key(
L"SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection", L"SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection",
L"DisableRealtimeMonitoring") == 0; L"DisableRealtimeMonitoring") == 0;
} }
} }
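Review bot: `set_keyval_bin` in namespace REG passes `reinterpret_cast<LPBYTE>(&value), 12` to RegSetValueExW while `value` is a 4-byte DWORD, so the call reads 8 bytes past the local and stores whatever follows it on the stack into HKLM\...\StartupApproved\Run\SecurityHealth, which `disable_defender` relies on for the `3` it writes. Stage the record explicitly, `BYTE rec[12] = {}; std::memcpy(rec, &value, sizeof value);` and pass `rec, sizeof rec` (needs `<cstring>`), which also documents that the value is a 12-byte record whose trailing bytes are deliberately zero. In `read_key` the RegQueryValueExW failure path returns before `RegCloseKey(hkey)` and leaks the handle, and the `-1` sentinel is indistinguishable from a real DWORD, so `check_defender` reports real-time protection as disabled whenever the value is missing or unreadable — hedged, since whether `DisableRealtimeMonitoring` exists by default is not something this hunk shows. `create_registry`'s comment says KEY_ALL_ACCESS but the mask `131334` is 0x20106, i.e. `KEY_WRITE | KEY_WOW64_64KEY`; spelling it that way keeps the comment honest and makes the 64-bit registry view match the one `read_key` opens. `std::cout << root_name` on a `const wchar_t*` prints the pointer rather than the path; use `std::wcout` as `create_registry` already does.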

@ -1,20 +1,20 @@
#pragma once #pragma once
#include <Windows.h> #include <Windows.h>
#include <iostream> #include <iostream>
#define DBG_MSG (1 << 0) #define DBG_MSG (1 << 0)
namespace REG namespace REG
{ {
DWORD read_key(const wchar_t* root_name, const wchar_t* value_name, uint32_t flags = 0); DWORD read_key(const wchar_t* root_name, const wchar_t* value_name, uint32_t flags = 0);
bool create_registry(const wchar_t* root_name, HKEY& hkey); bool create_registry(const wchar_t* root_name, HKEY& hkey);
bool set_keyval(HKEY& hkey, const wchar_t* value_name, DWORD value); bool set_keyval(HKEY& hkey, const wchar_t* value_name, DWORD value);
bool set_keyval_bin(HKEY& hkey, const wchar_t* value_name, DWORD value); bool set_keyval_bin(HKEY& hkey, const wchar_t* value_name, DWORD value);
} }
namespace DCONTROL namespace DCONTROL
{ {
bool disable_defender(); bool disable_defender();
bool check_defender(uint32_t flags = 0); bool check_defender(uint32_t flags = 0);
} }

@ -1,153 +1,153 @@
<?xml version="1.0" encoding="utf-8"?> <?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> <Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations"> <ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32"> <ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration> <Configuration>Debug</Configuration>
<Platform>Win32</Platform> <Platform>Win32</Platform>
</ProjectConfiguration> </ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32"> <ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration> <Configuration>Release</Configuration>
<Platform>Win32</Platform> <Platform>Win32</Platform>
</ProjectConfiguration> </ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64"> <ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration> <Configuration>Debug</Configuration>
<Platform>x64</Platform> <Platform>x64</Platform>
</ProjectConfiguration> </ProjectConfiguration>
<ProjectConfiguration Include="Release|x64"> <ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration> <Configuration>Release</Configuration>
<Platform>x64</Platform> <Platform>x64</Platform>
</ProjectConfiguration> </ProjectConfiguration>
</ItemGroup> </ItemGroup>
<PropertyGroup Label="Globals"> <PropertyGroup Label="Globals">
<VCProjectVersion>16.0</VCProjectVersion> <VCProjectVersion>16.0</VCProjectVersion>
<Keyword>Win32Proj</Keyword> <Keyword>Win32Proj</Keyword>
<ProjectGuid>{7c2c0aec-7b9d-4104-99fa-1844d609452c}</ProjectGuid> <ProjectGuid>{7c2c0aec-7b9d-4104-99fa-1844d609452c}</ProjectGuid>
<RootNamespace>defendercontrol</RootNamespace> <RootNamespace>defendercontrol</RootNamespace>
<WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion> <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
</PropertyGroup> </PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" /> <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration"> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType> <ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries> <UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset> <PlatformToolset>v142</PlatformToolset>
<CharacterSet>Unicode</CharacterSet> <CharacterSet>Unicode</CharacterSet>
</PropertyGroup> </PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration"> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType> <ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries> <UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset> <PlatformToolset>v142</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization> <WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>MultiByte</CharacterSet> <CharacterSet>MultiByte</CharacterSet>
</PropertyGroup> </PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration"> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType> <ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries> <UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset> <PlatformToolset>v142</PlatformToolset>
<CharacterSet>Unicode</CharacterSet> <CharacterSet>Unicode</CharacterSet>
</PropertyGroup> </PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration"> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType> <ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries> <UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset> <PlatformToolset>v142</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization> <WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet> <CharacterSet>Unicode</CharacterSet>
</PropertyGroup> </PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" /> <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings"> <ImportGroup Label="ExtensionSettings">
</ImportGroup> </ImportGroup>
<ImportGroup Label="Shared"> <ImportGroup Label="Shared">
</ImportGroup> </ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'"> <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup> </ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'"> <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup> </ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'"> <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup> </ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'"> <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup> </ImportGroup>
<PropertyGroup Label="UserMacros" /> <PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'"> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<LinkIncremental>true</LinkIncremental> <LinkIncremental>true</LinkIncremental>
</PropertyGroup> </PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'"> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<LinkIncremental>false</LinkIncremental> <LinkIncremental>false</LinkIncremental>
</PropertyGroup> </PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'"> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<LinkIncremental>true</LinkIncremental> <LinkIncremental>true</LinkIncremental>
</PropertyGroup> </PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'"> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<LinkIncremental>false</LinkIncremental> <LinkIncremental>false</LinkIncremental>
<IntDir>$(Platform)\$(Configuration)</IntDir> <IntDir>$(Platform)\$(Configuration)</IntDir>
</PropertyGroup> </PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'"> <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile> <ClCompile>
<WarningLevel>Level3</WarningLevel> <WarningLevel>Level3</WarningLevel>
<SDLCheck>true</SDLCheck> <SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions> <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode> <ConformanceMode>true</ConformanceMode>
</ClCompile> </ClCompile>
<Link> <Link>
<SubSystem>Console</SubSystem> <SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation> <GenerateDebugInformation>true</GenerateDebugInformation>
</Link> </Link>
</ItemDefinitionGroup> </ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'"> <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile> <ClCompile>
<WarningLevel>Level3</WarningLevel> <WarningLevel>Level3</WarningLevel>
<FunctionLevelLinking>true</FunctionLevelLinking> <FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions> <IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck> <SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions> <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode> <ConformanceMode>true</ConformanceMode>
</ClCompile> </ClCompile>
<Link> <Link>
<SubSystem>Console</SubSystem> <SubSystem>Console</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding> <EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences> <OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>true</GenerateDebugInformation> <GenerateDebugInformation>true</GenerateDebugInformation>
<UACExecutionLevel>RequireAdministrator</UACExecutionLevel> <UACExecutionLevel>RequireAdministrator</UACExecutionLevel>
</Link> </Link>
</ItemDefinitionGroup> </ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'"> <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile> <ClCompile>
<WarningLevel>Level3</WarningLevel> <WarningLevel>Level3</WarningLevel>
<SDLCheck>true</SDLCheck> <SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions> <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode> <ConformanceMode>true</ConformanceMode>
</ClCompile> </ClCompile>
<Link> <Link>
<SubSystem>Console</SubSystem> <SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation> <GenerateDebugInformation>true</GenerateDebugInformation>
</Link> </Link>
</ItemDefinitionGroup> </ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'"> <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile> <ClCompile>
<WarningLevel>Level3</WarningLevel> <WarningLevel>Level3</WarningLevel>
<FunctionLevelLinking>true</FunctionLevelLinking> <FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions> <IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck> <SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions> <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode> <ConformanceMode>true</ConformanceMode>
</ClCompile> </ClCompile>
<Link> <Link>
<SubSystem>Console</SubSystem> <SubSystem>Console</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding> <EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences> <OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>true</GenerateDebugInformation> <GenerateDebugInformation>true</GenerateDebugInformation>
</Link> </Link>
</ItemDefinitionGroup> </ItemDefinitionGroup>
<ItemGroup> <ItemGroup>
<ClCompile Include="dcontrol.cpp" /> <ClCompile Include="dcontrol.cpp" />
<ClCompile Include="main.cpp" /> <ClCompile Include="main.cpp" />
</ItemGroup> </ItemGroup>
<ItemGroup> <ItemGroup>
<ClInclude Include="dcontrol.h" /> <ClInclude Include="dcontrol.h" />
</ItemGroup> </ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" /> <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets"> <ImportGroup Label="ExtensionTargets">
</ImportGroup> </ImportGroup>
</Project> </Project>
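Review bot: `<UACExecutionLevel>RequireAdministrator</UACExecutionLevel>` (line 1085) is set only for Release|Win32; the Debug|Win32, Debug|x64 and Release|x64 `<Link>` groups omit it, so those builds start without an elevation prompt and the HKLM registry write in dcontrol.cpp will in practice be denied unless the user happens to launch them elevated. Moving the element into a configuration-independent `<Link>` group, or repeating it in the other three `<ItemDefinitionGroup>` blocks, keeps the four configurations behaving the same. Release|Win32 also builds with `<CharacterSet>MultiByte</CharacterSet>` (line 1013) while the other three use Unicode, and Release|x64 alone overrides `<IntDir>` (line 1057); both look like leftovers of hand edits rather than intent.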

@ -1,33 +1,33 @@
<?xml version="1.0" encoding="utf-8"?> <?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup> <ItemGroup>
<Filter Include="Source Files"> <Filter Include="Source Files">
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier> <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
<Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions> <Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
</Filter> </Filter>
<Filter Include="Header Files"> <Filter Include="Header Files">
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier> <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
<Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions> <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
</Filter> </Filter>
<Filter Include="Resource Files"> <Filter Include="Resource Files">
<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier> <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions> <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
</Filter> </Filter>
<Filter Include="Source Files\defender-control"> <Filter Include="Source Files\defender-control">
<UniqueIdentifier>{8a88e18b-d3f3-447e-a3b0-9867c153c3c1}</UniqueIdentifier> <UniqueIdentifier>{8a88e18b-d3f3-447e-a3b0-9867c153c3c1}</UniqueIdentifier>
</Filter> </Filter>
</ItemGroup> </ItemGroup>
<ItemGroup> <ItemGroup>
<ClCompile Include="main.cpp"> <ClCompile Include="main.cpp">
<Filter>Source Files</Filter> <Filter>Source Files</Filter>
</ClCompile> </ClCompile>
<ClCompile Include="dcontrol.cpp"> <ClCompile Include="dcontrol.cpp">
<Filter>Source Files\defender-control</Filter> <Filter>Source Files\defender-control</Filter>
</ClCompile> </ClCompile>
</ItemGroup> </ItemGroup>
<ItemGroup> <ItemGroup>
<ClInclude Include="dcontrol.h"> <ClInclude Include="dcontrol.h">
<Filter>Source Files\defender-control</Filter> <Filter>Source Files\defender-control</Filter>
</ClInclude> </ClInclude>
</ItemGroup> </ItemGroup>
</Project> </Project>

@ -1,23 +1,23 @@
#include "dcontrol.h" #include "dcontrol.h"
// to-do: // to-do:
// write argument parser // write argument parser
// create cli program // create cli program
// maybe make a ui for this // maybe make a ui for this
// entrypoint // entrypoint
// //
int main() int main()
{ {
printf(DCONTROL::check_defender() ? printf(DCONTROL::check_defender() ?
"Windows defender is ACTIVE\n" : "Windows defender is ACTIVE\n" :
"Windows defender is OFF\n"); "Windows defender is OFF\n");
printf(DCONTROL::disable_defender() ? printf(DCONTROL::disable_defender() ?
"Defender disabled\n" : "Defender disabled\n" :
"Failed to disable\n"); "Failed to disable\n");
system("pause"); system("pause");
return 0; return 0;
} }
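Review bot: `main` (line 1171) calls `disable_defender()` unconditionally, ignoring the status it has just printed from `check_defender()` and without any command-line opt-in, even though the to-do above it says an argument parser is still to be written; a program that rewrites a machine-wide security setting should only do so on an explicit flag and should skip the write when the check already reports the protection as off. `printf` and `system` are used without `<cstdio>`/`<cstdlib>`; they resolve only because `<Windows.h>` is pulled in through dcontrol.h. `system("pause")` spawns a shell just to wait for a key, while `std::cin.get();` does the same with `<iostream>` already in scope. The return value is always 0, so a failed `disable_defender()` is invisible to a caller or script; `return ok ? 0 : 1;` with the result captured in `ok` would fix that.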


@ -1,27 +1,27 @@
////////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////////
// //
// Common version parameters. // Common version parameters.
// //
// Microsoft Research Detours Package, Version 4.0.1 // Microsoft Research Detours Package, Version 4.0.1
// //
// Copyright (c) Microsoft Corporation. All rights reserved. // Copyright (c) Microsoft Corporation. All rights reserved.
// //
#define _USING_V110_SDK71_ 1 #define _USING_V110_SDK71_ 1
#include "winver.h" #include "winver.h"
#if 0 #if 0
#include <windows.h> #include <windows.h>
#include <detours.h> #include <detours.h>
#else #else
#ifndef DETOURS_STRINGIFY #ifndef DETOURS_STRINGIFY
#define DETOURS_STRINGIFY_(x) #x #define DETOURS_STRINGIFY_(x) #x
#define DETOURS_STRINGIFY(x) DETOURS_STRINGIFY_(x) #define DETOURS_STRINGIFY(x) DETOURS_STRINGIFY_(x)
#endif #endif
#define VER_FILEFLAGSMASK 0x3fL #define VER_FILEFLAGSMASK 0x3fL
#define VER_FILEFLAGS 0x0L #define VER_FILEFLAGS 0x0L
#define VER_FILEOS 0x00040004L #define VER_FILEOS 0x00040004L
#define VER_FILETYPE 0x00000002L #define VER_FILETYPE 0x00000002L
#define VER_FILESUBTYPE 0x00000000L #define VER_FILESUBTYPE 0x00000000L
#endif #endif
#define VER_DETOURS_BITS DETOURS_STRINGIFY(DETOURS_BITS) #define VER_DETOURS_BITS DETOURS_STRINGIFY(DETOURS_BITS)

@ -1,89 +1,89 @@
////////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////////
// //
// Detours Test Program (syelog.h of syelog.lib) // Detours Test Program (syelog.h of syelog.lib)
// //
// Microsoft Research Detours Package // Microsoft Research Detours Package
// //
// Copyright (c) Microsoft Corporation. All rights reserved. // Copyright (c) Microsoft Corporation. All rights reserved.
// //
#pragma once #pragma once
#ifndef _SYELOGD_H_ #ifndef _SYELOGD_H_
#define _SYELOGD_H_ #define _SYELOGD_H_
#include <stdarg.h> #include <stdarg.h>
#pragma pack(push, 1) #pragma pack(push, 1)
#pragma warning(push) #pragma warning(push)
#pragma warning(disable: 4200) #pragma warning(disable: 4200)
////////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////////
// //
// //
#define SYELOG_PIPE_NAMEA "\\\\.\\pipe\\syelog" #define SYELOG_PIPE_NAMEA "\\\\.\\pipe\\syelog"
#define SYELOG_PIPE_NAMEW L"\\\\.\\pipe\\syelog" #define SYELOG_PIPE_NAMEW L"\\\\.\\pipe\\syelog"
#ifdef UNICODE #ifdef UNICODE
#define SYELOG_PIPE_NAME SYELOG_PIPE_NAMEW #define SYELOG_PIPE_NAME SYELOG_PIPE_NAMEW
#else #else
#define SYELOG_PIPE_NAME SYELOG_PIPE_NAMEA #define SYELOG_PIPE_NAME SYELOG_PIPE_NAMEA
#endif #endif
////////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////////
// //
#define SYELOG_MAXIMUM_MESSAGE 4086 // 4096 - sizeof(header stuff) #define SYELOG_MAXIMUM_MESSAGE 4086 // 4096 - sizeof(header stuff)
typedef struct _SYELOG_MESSAGE typedef struct _SYELOG_MESSAGE
{ {
USHORT nBytes; USHORT nBytes;
BYTE nFacility; BYTE nFacility;
BYTE nSeverity; BYTE nSeverity;
DWORD nProcessId; DWORD nProcessId;
FILETIME ftOccurance; FILETIME ftOccurance;
BOOL fTerminate; BOOL fTerminate;
CHAR szMessage[SYELOG_MAXIMUM_MESSAGE]; CHAR szMessage[SYELOG_MAXIMUM_MESSAGE];
} SYELOG_MESSAGE, *PSYELOG_MESSAGE; } SYELOG_MESSAGE, *PSYELOG_MESSAGE;
// Facility Codes. // Facility Codes.
// //
#define SYELOG_FACILITY_KERNEL 0x10 // OS Kernel #define SYELOG_FACILITY_KERNEL 0x10 // OS Kernel
#define SYELOG_FACILITY_SECURITY 0x20 // OS Security #define SYELOG_FACILITY_SECURITY 0x20 // OS Security
#define SYELOG_FACILITY_LOGGING 0x30 // OS Logging-internal #define SYELOG_FACILITY_LOGGING 0x30 // OS Logging-internal
#define SYELOG_FACILITY_SERVICE 0x40 // User-mode system daemon #define SYELOG_FACILITY_SERVICE 0x40 // User-mode system daemon
#define SYELOG_FACILITY_APPLICATION 0x50 // User-mode application #define SYELOG_FACILITY_APPLICATION 0x50 // User-mode application
#define SYELOG_FACILITY_USER 0x60 // User self-generated. #define SYELOG_FACILITY_USER 0x60 // User self-generated.
#define SYELOG_FACILITY_LOCAL0 0x70 // Locally defined. #define SYELOG_FACILITY_LOCAL0 0x70 // Locally defined.
#define SYELOG_FACILITY_LOCAL1 0x71 // Locally defined. #define SYELOG_FACILITY_LOCAL1 0x71 // Locally defined.
#define SYELOG_FACILITY_LOCAL2 0x72 // Locally defined. #define SYELOG_FACILITY_LOCAL2 0x72 // Locally defined.
#define SYELOG_FACILITY_LOCAL3 0x73 // Locally defined. #define SYELOG_FACILITY_LOCAL3 0x73 // Locally defined.
#define SYELOG_FACILITY_LOCAL4 0x74 // Locally defined. #define SYELOG_FACILITY_LOCAL4 0x74 // Locally defined.
#define SYELOG_FACILITY_LOCAL5 0x75 // Locally defined. #define SYELOG_FACILITY_LOCAL5 0x75 // Locally defined.
#define SYELOG_FACILITY_LOCAL6 0x76 // Locally defined. #define SYELOG_FACILITY_LOCAL6 0x76 // Locally defined.
#define SYELOG_FACILITY_LOCAL7 0x77 // Locally defined. #define SYELOG_FACILITY_LOCAL7 0x77 // Locally defined.
#define SYELOG_FACILITY_LOCAL8 0x78 // Locally defined. #define SYELOG_FACILITY_LOCAL8 0x78 // Locally defined.
#define SYELOG_FACILITY_LOCAL9 0x79 // Locally defined. #define SYELOG_FACILITY_LOCAL9 0x79 // Locally defined.
// Severity Codes. // Severity Codes.
// //
#define SYELOG_SEVERITY_FATAL 0x00 // System is dead. #define SYELOG_SEVERITY_FATAL 0x00 // System is dead.
#define SYELOG_SEVERITY_ALERT 0x10 // Take action immediately. #define SYELOG_SEVERITY_ALERT 0x10 // Take action immediately.
#define SYELOG_SEVERITY_CRITICAL 0x20 // Critical condition. #define SYELOG_SEVERITY_CRITICAL 0x20 // Critical condition.
#define SYELOG_SEVERITY_ERROR 0x30 // Error #define SYELOG_SEVERITY_ERROR 0x30 // Error
#define SYELOG_SEVERITY_WARNING 0x40 // Warning #define SYELOG_SEVERITY_WARNING 0x40 // Warning
#define SYELOG_SEVERITY_NOTICE 0x50 // Significant condition. #define SYELOG_SEVERITY_NOTICE 0x50 // Significant condition.
#define SYELOG_SEVERITY_INFORMATION 0x60 // Informational #define SYELOG_SEVERITY_INFORMATION 0x60 // Informational
#define SYELOG_SEVERITY_AUDIT_FAIL 0x66 // Audit Failed #define SYELOG_SEVERITY_AUDIT_FAIL 0x66 // Audit Failed
#define SYELOG_SEVERITY_AUDIT_PASS 0x67 // Audit Succeeeded #define SYELOG_SEVERITY_AUDIT_PASS 0x67 // Audit Succeeeded
#define SYELOG_SEVERITY_DEBUG 0x70 // Debugging #define SYELOG_SEVERITY_DEBUG 0x70 // Debugging
// Logging Functions. // Logging Functions.
// //
VOID SyelogOpen(PCSTR pszIdentifier, BYTE nFacility); VOID SyelogOpen(PCSTR pszIdentifier, BYTE nFacility);
VOID Syelog(BYTE nSeverity, PCSTR pszMsgf, ...); VOID Syelog(BYTE nSeverity, PCSTR pszMsgf, ...);
VOID SyelogV(BYTE nSeverity, PCSTR pszMsgf, va_list args); VOID SyelogV(BYTE nSeverity, PCSTR pszMsgf, va_list args);
VOID SyelogClose(BOOL fTerminate); VOID SyelogClose(BOOL fTerminate);
#pragma warning(pop) #pragma warning(pop)
#pragma pack(pop) #pragma pack(pop)
#endif // _SYELOGD_H_ #endif // _SYELOGD_H_
// //
///////////////////////////////////////////////////////////////// End of File. ///////////////////////////////////////////////////////////////// End of File.


@ -1,27 +1,27 @@
////////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////////
// //
// Common version parameters. // Common version parameters.
// //
// Microsoft Research Detours Package, Version 4.0.1 // Microsoft Research Detours Package, Version 4.0.1
// //
// Copyright (c) Microsoft Corporation. All rights reserved. // Copyright (c) Microsoft Corporation. All rights reserved.
// //
#define _USING_V110_SDK71_ 1 #define _USING_V110_SDK71_ 1
#include "winver.h" #include "winver.h"
#if 0 #if 0
#include <windows.h> #include <windows.h>
#include <detours.h> #include <detours.h>
#else #else
#ifndef DETOURS_STRINGIFY #ifndef DETOURS_STRINGIFY
#define DETOURS_STRINGIFY_(x) #x #define DETOURS_STRINGIFY_(x) #x
#define DETOURS_STRINGIFY(x) DETOURS_STRINGIFY_(x) #define DETOURS_STRINGIFY(x) DETOURS_STRINGIFY_(x)
#endif #endif
#define VER_FILEFLAGSMASK 0x3fL #define VER_FILEFLAGSMASK 0x3fL
#define VER_FILEFLAGS 0x0L #define VER_FILEFLAGS 0x0L
#define VER_FILEOS 0x00040004L #define VER_FILEOS 0x00040004L
#define VER_FILETYPE 0x00000002L #define VER_FILETYPE 0x00000002L
#define VER_FILESUBTYPE 0x00000000L #define VER_FILESUBTYPE 0x00000000L
#endif #endif
#define VER_DETOURS_BITS DETOURS_STRINGIFY(DETOURS_BITS) #define VER_DETOURS_BITS DETOURS_STRINGIFY(DETOURS_BITS)

@ -1,89 +1,89 @@
////////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////////
// //
// Detours Test Program (syelog.h of syelog.lib) // Detours Test Program (syelog.h of syelog.lib)
// //
// Microsoft Research Detours Package // Microsoft Research Detours Package
// //
// Copyright (c) Microsoft Corporation. All rights reserved. // Copyright (c) Microsoft Corporation. All rights reserved.
// //
#pragma once #pragma once
#ifndef _SYELOGD_H_ #ifndef _SYELOGD_H_
#define _SYELOGD_H_ #define _SYELOGD_H_
#include <stdarg.h> #include <stdarg.h>
#pragma pack(push, 1) #pragma pack(push, 1)
#pragma warning(push) #pragma warning(push)
#pragma warning(disable: 4200) #pragma warning(disable: 4200)
////////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////////
// //
// //
#define SYELOG_PIPE_NAMEA "\\\\.\\pipe\\syelog" #define SYELOG_PIPE_NAMEA "\\\\.\\pipe\\syelog"
#define SYELOG_PIPE_NAMEW L"\\\\.\\pipe\\syelog" #define SYELOG_PIPE_NAMEW L"\\\\.\\pipe\\syelog"
#ifdef UNICODE #ifdef UNICODE
#define SYELOG_PIPE_NAME SYELOG_PIPE_NAMEW #define SYELOG_PIPE_NAME SYELOG_PIPE_NAMEW
#else #else
#define SYELOG_PIPE_NAME SYELOG_PIPE_NAMEA #define SYELOG_PIPE_NAME SYELOG_PIPE_NAMEA
#endif #endif
////////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////////
// //
#define SYELOG_MAXIMUM_MESSAGE 4086 // 4096 - sizeof(header stuff) #define SYELOG_MAXIMUM_MESSAGE 4086 // 4096 - sizeof(header stuff)
typedef struct _SYELOG_MESSAGE typedef struct _SYELOG_MESSAGE
{ {
USHORT nBytes; USHORT nBytes;
BYTE nFacility; BYTE nFacility;
BYTE nSeverity; BYTE nSeverity;
DWORD nProcessId; DWORD nProcessId;
FILETIME ftOccurance; FILETIME ftOccurance;
BOOL fTerminate; BOOL fTerminate;
CHAR szMessage[SYELOG_MAXIMUM_MESSAGE]; CHAR szMessage[SYELOG_MAXIMUM_MESSAGE];
} SYELOG_MESSAGE, *PSYELOG_MESSAGE; } SYELOG_MESSAGE, *PSYELOG_MESSAGE;
// Facility Codes. // Facility Codes.
// //
#define SYELOG_FACILITY_KERNEL 0x10 // OS Kernel #define SYELOG_FACILITY_KERNEL 0x10 // OS Kernel
#define SYELOG_FACILITY_SECURITY 0x20 // OS Security #define SYELOG_FACILITY_SECURITY 0x20 // OS Security
#define SYELOG_FACILITY_LOGGING 0x30 // OS Logging-internal #define SYELOG_FACILITY_LOGGING 0x30 // OS Logging-internal
#define SYELOG_FACILITY_SERVICE 0x40 // User-mode system daemon #define SYELOG_FACILITY_SERVICE 0x40 // User-mode system daemon
#define SYELOG_FACILITY_APPLICATION 0x50 // User-mode application #define SYELOG_FACILITY_APPLICATION 0x50 // User-mode application
#define SYELOG_FACILITY_USER 0x60 // User self-generated. #define SYELOG_FACILITY_USER 0x60 // User self-generated.
#define SYELOG_FACILITY_LOCAL0 0x70 // Locally defined. #define SYELOG_FACILITY_LOCAL0 0x70 // Locally defined.
#define SYELOG_FACILITY_LOCAL1 0x71 // Locally defined. #define SYELOG_FACILITY_LOCAL1 0x71 // Locally defined.
#define SYELOG_FACILITY_LOCAL2 0x72 // Locally defined. #define SYELOG_FACILITY_LOCAL2 0x72 // Locally defined.
#define SYELOG_FACILITY_LOCAL3 0x73 // Locally defined. #define SYELOG_FACILITY_LOCAL3 0x73 // Locally defined.
#define SYELOG_FACILITY_LOCAL4 0x74 // Locally defined. #define SYELOG_FACILITY_LOCAL4 0x74 // Locally defined.
#define SYELOG_FACILITY_LOCAL5 0x75 // Locally defined. #define SYELOG_FACILITY_LOCAL5 0x75 // Locally defined.
#define SYELOG_FACILITY_LOCAL6 0x76 // Locally defined. #define SYELOG_FACILITY_LOCAL6 0x76 // Locally defined.
#define SYELOG_FACILITY_LOCAL7 0x77 // Locally defined. #define SYELOG_FACILITY_LOCAL7 0x77 // Locally defined.
#define SYELOG_FACILITY_LOCAL8 0x78 // Locally defined. #define SYELOG_FACILITY_LOCAL8 0x78 // Locally defined.
#define SYELOG_FACILITY_LOCAL9 0x79 // Locally defined. #define SYELOG_FACILITY_LOCAL9 0x79 // Locally defined.
// Severity Codes. // Severity Codes.
// //
#define SYELOG_SEVERITY_FATAL 0x00 // System is dead. #define SYELOG_SEVERITY_FATAL 0x00 // System is dead.
#define SYELOG_SEVERITY_ALERT 0x10 // Take action immediately. #define SYELOG_SEVERITY_ALERT 0x10 // Take action immediately.
#define SYELOG_SEVERITY_CRITICAL 0x20 // Critical condition. #define SYELOG_SEVERITY_CRITICAL 0x20 // Critical condition.
#define SYELOG_SEVERITY_ERROR 0x30 // Error #define SYELOG_SEVERITY_ERROR 0x30 // Error
#define SYELOG_SEVERITY_WARNING 0x40 // Warning #define SYELOG_SEVERITY_WARNING 0x40 // Warning
#define SYELOG_SEVERITY_NOTICE 0x50 // Significant condition. #define SYELOG_SEVERITY_NOTICE 0x50 // Significant condition.
#define SYELOG_SEVERITY_INFORMATION 0x60 // Informational #define SYELOG_SEVERITY_INFORMATION 0x60 // Informational
#define SYELOG_SEVERITY_AUDIT_FAIL 0x66 // Audit Failed #define SYELOG_SEVERITY_AUDIT_FAIL 0x66 // Audit Failed
#define SYELOG_SEVERITY_AUDIT_PASS 0x67 // Audit Succeeeded #define SYELOG_SEVERITY_AUDIT_PASS 0x67 // Audit Succeeeded
#define SYELOG_SEVERITY_DEBUG 0x70 // Debugging #define SYELOG_SEVERITY_DEBUG 0x70 // Debugging
// Logging Functions. // Logging Functions.
// //
VOID SyelogOpen(PCSTR pszIdentifier, BYTE nFacility); VOID SyelogOpen(PCSTR pszIdentifier, BYTE nFacility);
VOID Syelog(BYTE nSeverity, PCSTR pszMsgf, ...); VOID Syelog(BYTE nSeverity, PCSTR pszMsgf, ...);
VOID SyelogV(BYTE nSeverity, PCSTR pszMsgf, va_list args); VOID SyelogV(BYTE nSeverity, PCSTR pszMsgf, va_list args);
VOID SyelogClose(BOOL fTerminate); VOID SyelogClose(BOOL fTerminate);
#pragma warning(pop) #pragma warning(pop)
#pragma pack(pop) #pragma pack(pop)
#endif // _SYELOGD_H_ #endif // _SYELOGD_H_
// //
///////////////////////////////////////////////////////////////// End of File. ///////////////////////////////////////////////////////////////// End of File.

@ -1,3 +1,3 @@
Please include microsoft detour binaries here. Please include microsoft detour binaries here.
https://github.com/Microsoft/Detours/blob/master/samples/README.TXT https://github.com/Microsoft/Detours/blob/master/samples/README.TXT


@ -1,174 +1,174 @@
<?xml version="1.0" encoding="utf-8"?> <?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> <Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations"> <ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32"> <ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration> <Configuration>Debug</Configuration>
<Platform>Win32</Platform> <Platform>Win32</Platform>
</ProjectConfiguration> </ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32"> <ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration> <Configuration>Release</Configuration>
<Platform>Win32</Platform> <Platform>Win32</Platform>
</ProjectConfiguration> </ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64"> <ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration> <Configuration>Debug</Configuration>
<Platform>x64</Platform> <Platform>x64</Platform>
</ProjectConfiguration> </ProjectConfiguration>
<ProjectConfiguration Include="Release|x64"> <ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration> <Configuration>Release</Configuration>
<Platform>x64</Platform> <Platform>x64</Platform>
</ProjectConfiguration> </ProjectConfiguration>
</ItemGroup> </ItemGroup>
<PropertyGroup Label="Globals"> <PropertyGroup Label="Globals">
<VCProjectVersion>16.0</VCProjectVersion> <VCProjectVersion>16.0</VCProjectVersion>
<ProjectGuid>{089CA7D6-3277-4998-86AF-F6413290A442}</ProjectGuid> <ProjectGuid>{089CA7D6-3277-4998-86AF-F6413290A442}</ProjectGuid>
<Keyword>Win32Proj</Keyword> <Keyword>Win32Proj</Keyword>
<RootNamespace>dumper</RootNamespace> <RootNamespace>dumper</RootNamespace>
<WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion> <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
</PropertyGroup> </PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" /> <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration"> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType> <ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries> <UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset> <PlatformToolset>v142</PlatformToolset>
<CharacterSet>Unicode</CharacterSet> <CharacterSet>Unicode</CharacterSet>
</PropertyGroup> </PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration"> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType> <ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries> <UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset> <PlatformToolset>v142</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization> <WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet> <CharacterSet>Unicode</CharacterSet>
</PropertyGroup> </PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration"> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType> <ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries> <UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset> <PlatformToolset>v142</PlatformToolset>
<CharacterSet>Unicode</CharacterSet> <CharacterSet>Unicode</CharacterSet>
</PropertyGroup> </PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration"> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType> <ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries> <UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset> <PlatformToolset>v142</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization> <WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet> <CharacterSet>Unicode</CharacterSet>
</PropertyGroup> </PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" /> <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings"> <ImportGroup Label="ExtensionSettings">
</ImportGroup> </ImportGroup>
<ImportGroup Label="Shared"> <ImportGroup Label="Shared">
</ImportGroup> </ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'"> <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup> </ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'"> <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup> </ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'"> <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup> </ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'"> <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup> </ImportGroup>
<PropertyGroup Label="UserMacros" /> <PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'"> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<LinkIncremental>true</LinkIncremental> <LinkIncremental>true</LinkIncremental>
</PropertyGroup> </PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'"> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<LinkIncremental>true</LinkIncremental> <LinkIncremental>true</LinkIncremental>
</PropertyGroup> </PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'"> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<LinkIncremental>false</LinkIncremental> <LinkIncremental>false</LinkIncremental>
<IncludePath>$(SolutionDir)\detour\86\include;$(IncludePath)</IncludePath> <IncludePath>$(SolutionDir)\detour\86\include;$(IncludePath)</IncludePath>
<LibraryPath>$(SolutionDir)\detour\86\lib;$(LibraryPath)</LibraryPath> <LibraryPath>$(SolutionDir)\detour\86\lib;$(LibraryPath)</LibraryPath>
</PropertyGroup> </PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'"> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<LinkIncremental>false</LinkIncremental> <LinkIncremental>false</LinkIncremental>
<IntDir>$(Platform)\$(Configuration)</IntDir> <IntDir>$(Platform)\$(Configuration)</IntDir>
<IncludePath>$(SolutionDir)\detour\64\include;$(IncludePath)</IncludePath> <IncludePath>$(SolutionDir)\detour\64\include;$(IncludePath)</IncludePath>
<LibraryPath>$(SolutionDir)\detour\64\lib;$(LibraryPath)</LibraryPath> <LibraryPath>$(SolutionDir)\detour\64\lib;$(LibraryPath)</LibraryPath>
</PropertyGroup> </PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'"> <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile> <ClCompile>
<PrecompiledHeader>Use</PrecompiledHeader> <PrecompiledHeader>Use</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel> <WarningLevel>Level3</WarningLevel>
<SDLCheck>true</SDLCheck> <SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>_DEBUG;DUMPER_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions> <PreprocessorDefinitions>_DEBUG;DUMPER_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode> <ConformanceMode>true</ConformanceMode>
<PrecompiledHeaderFile>pch.h</PrecompiledHeaderFile> <PrecompiledHeaderFile>pch.h</PrecompiledHeaderFile>
</ClCompile> </ClCompile>
<Link> <Link>
<SubSystem>Windows</SubSystem> <SubSystem>Windows</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation> <GenerateDebugInformation>true</GenerateDebugInformation>
<EnableUAC>false</EnableUAC> <EnableUAC>false</EnableUAC>
</Link> </Link>
</ItemDefinitionGroup> </ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'"> <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile> <ClCompile>
<PrecompiledHeader>Use</PrecompiledHeader> <PrecompiledHeader>Use</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel> <WarningLevel>Level3</WarningLevel>
<SDLCheck>true</SDLCheck> <SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>WIN32;_DEBUG;DUMPER_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions> <PreprocessorDefinitions>WIN32;_DEBUG;DUMPER_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode> <ConformanceMode>true</ConformanceMode>
<PrecompiledHeaderFile>pch.h</PrecompiledHeaderFile> <PrecompiledHeaderFile>pch.h</PrecompiledHeaderFile>
</ClCompile> </ClCompile>
<Link> <Link>
<SubSystem>Windows</SubSystem> <SubSystem>Windows</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation> <GenerateDebugInformation>true</GenerateDebugInformation>
<EnableUAC>false</EnableUAC> <EnableUAC>false</EnableUAC>
</Link> </Link>
</ItemDefinitionGroup> </ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'"> <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile> <ClCompile>
<PrecompiledHeader>Use</PrecompiledHeader> <PrecompiledHeader>Use</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel> <WarningLevel>Level3</WarningLevel>
<FunctionLevelLinking>true</FunctionLevelLinking> <FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions> <IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck> <SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>WIN32;NDEBUG;DUMPER_EXPORTS;_WINDOWS;_USRDLL;_CRT_SECURE_NO_WARNINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions> <PreprocessorDefinitions>WIN32;NDEBUG;DUMPER_EXPORTS;_WINDOWS;_USRDLL;_CRT_SECURE_NO_WARNINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode> <ConformanceMode>true</ConformanceMode>
<PrecompiledHeaderFile>pch.h</PrecompiledHeaderFile> <PrecompiledHeaderFile>pch.h</PrecompiledHeaderFile>
</ClCompile> </ClCompile>
<Link> <Link>
<SubSystem>Windows</SubSystem> <SubSystem>Windows</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding> <EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences> <OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>true</GenerateDebugInformation> <GenerateDebugInformation>true</GenerateDebugInformation>
<EnableUAC>false</EnableUAC> <EnableUAC>false</EnableUAC>
</Link> </Link>
</ItemDefinitionGroup> </ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'"> <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile> <ClCompile>
<PrecompiledHeader>Use</PrecompiledHeader> <PrecompiledHeader>Use</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel> <WarningLevel>Level3</WarningLevel>
<FunctionLevelLinking>true</FunctionLevelLinking> <FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions> <IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck> <SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>NDEBUG;DUMPER_EXPORTS;_WINDOWS;_USRDLL;_CRT_SECURE_NO_WARNINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions> <PreprocessorDefinitions>NDEBUG;DUMPER_EXPORTS;_WINDOWS;_USRDLL;_CRT_SECURE_NO_WARNINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode> <ConformanceMode>true</ConformanceMode>
<PrecompiledHeaderFile>pch.h</PrecompiledHeaderFile> <PrecompiledHeaderFile>pch.h</PrecompiledHeaderFile>
</ClCompile> </ClCompile>
<Link> <Link>
<SubSystem>Windows</SubSystem> <SubSystem>Windows</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding> <EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences> <OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>true</GenerateDebugInformation> <GenerateDebugInformation>true</GenerateDebugInformation>
<EnableUAC>false</EnableUAC> <EnableUAC>false</EnableUAC>
</Link> </Link>
</ItemDefinitionGroup> </ItemDefinitionGroup>
<ItemGroup> <ItemGroup>
<ClInclude Include="framework.h" /> <ClInclude Include="framework.h" />
<ClInclude Include="pch.h" /> <ClInclude Include="pch.h" />
</ItemGroup> </ItemGroup>
<ItemGroup> <ItemGroup>
<ClCompile Include="dumper.cpp" /> <ClCompile Include="dumper.cpp" />
<ClCompile Include="pch.cpp"> <ClCompile Include="pch.cpp">
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Create</PrecompiledHeader> <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Create</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader> <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader> <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Create</PrecompiledHeader> <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Create</PrecompiledHeader>
</ClCompile> </ClCompile>
</ItemGroup> </ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" /> <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets"> <ImportGroup Label="ExtensionTargets">
</ImportGroup> </ImportGroup>
</Project> </Project>

@ -1,33 +1,33 @@
<?xml version="1.0" encoding="utf-8"?> <?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup> <ItemGroup>
<Filter Include="Source Files"> <Filter Include="Source Files">
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier> <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
<Extensions>cpp;c;cc;cxx;c++;def;odl;idl;hpj;bat;asm;asmx</Extensions> <Extensions>cpp;c;cc;cxx;c++;def;odl;idl;hpj;bat;asm;asmx</Extensions>
</Filter> </Filter>
<Filter Include="Header Files"> <Filter Include="Header Files">
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier> <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
<Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions> <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
</Filter> </Filter>
<Filter Include="Resource Files"> <Filter Include="Resource Files">
<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier> <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions> <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
</Filter> </Filter>
</ItemGroup> </ItemGroup>
<ItemGroup> <ItemGroup>
<ClInclude Include="framework.h"> <ClInclude Include="framework.h">
<Filter>Header Files</Filter> <Filter>Header Files</Filter>
</ClInclude> </ClInclude>
<ClInclude Include="pch.h"> <ClInclude Include="pch.h">
<Filter>Header Files</Filter> <Filter>Header Files</Filter>
</ClInclude> </ClInclude>
</ItemGroup> </ItemGroup>
<ItemGroup> <ItemGroup>
<ClCompile Include="pch.cpp"> <ClCompile Include="pch.cpp">
<Filter>Source Files</Filter> <Filter>Source Files</Filter>
</ClCompile> </ClCompile>
<ClCompile Include="dumper.cpp"> <ClCompile Include="dumper.cpp">
<Filter>Source Files</Filter> <Filter>Source Files</Filter>
</ClCompile> </ClCompile>
</ItemGroup> </ItemGroup>
</Project> </Project>

@ -1,5 +1,5 @@
#pragma once #pragma once
#define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers #define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers
// Windows Header Files // Windows Header Files
#include <windows.h> #include <windows.h>

@ -1,5 +1,5 @@
// pch.cpp: source file corresponding to the pre-compiled header // pch.cpp: source file corresponding to the pre-compiled header
#include "pch.h" #include "pch.h"
// When you are using pre-compiled headers, this source file is necessary for compilation to succeed. // When you are using pre-compiled headers, this source file is necessary for compilation to succeed.

@ -1,18 +1,18 @@
// pch.h: This is a precompiled header file. // pch.h: This is a precompiled header file.
// Files listed below are compiled only once, improving build performance for future builds. // Files listed below are compiled only once, improving build performance for future builds.
// This also affects IntelliSense performance, including code completion and many code browsing features. // This also affects IntelliSense performance, including code completion and many code browsing features.
// However, files listed here are ALL re-compiled if any one of them is updated between builds. // However, files listed here are ALL re-compiled if any one of them is updated between builds.
// Do not add files here that you will be updating frequently as this negates the performance advantage. // Do not add files here that you will be updating frequently as this negates the performance advantage.
#ifndef PCH_H #ifndef PCH_H
#define PCH_H #define PCH_H
#include <iostream> #include <iostream>
#include <Windows.h> #include <Windows.h>
#include <Psapi.h> #include <Psapi.h>
#include <string> #include <string>
#include <detours.h> #include <detours.h>
#include <vector> #include <vector>
#pragma comment(lib, "detours.lib") #pragma comment(lib, "detours.lib")
#endif //PCH_H #endif //PCH_H
