registry edits done

3 years ago · 9a09527155
parent 4688174100
commit 9a09527155
4 changed files with 129 additions and 11 deletions
--- a/src/defender-control/dcontrol.cpp
+++ b/src/defender-control/dcontrol.cpp
@ -53,11 +53,10 @@ namespace REG
    return result;
  }

-  // creates a registry
+  // creates a registry in HKEY_LOCAL_MACHINE with KEY_ALL_ACCESS permissions
  //
-  bool create_registry(const wchar_t* root_name)
+  bool create_registry(const wchar_t* root_name, HKEY& hkey)
  {
-    HKEY hkey;
    LSTATUS status;

    status = RegOpenKeyExW(
@ -68,21 +67,55 @@ namespace REG
      &hkey
    );

+    if (!status)
+      return true;
+
+    status = RegCreateKeyExW(
+      HKEY_LOCAL_MACHINE,
+      root_name,
+      0, 0,
+      REG_OPTION_NON_VOLATILE,
+      KEY_ALL_ACCESS, 0,
+      &hkey,
+      0
+    );
+
    if (status)
    {
-      std::cout << "Error creating registry " << root_name << std::endl;
+      std::cout << "could not find or create " << root_name << std::endl;
      return false;
    }

    return true;
  }
+
+  bool set_keyval(HKEY& hkey, const wchar_t* value_name, DWORD value)
+  {
+    if (RegSetValueExW(hkey, value_name, 0, REG_DWORD,
+      reinterpret_cast<LPBYTE>(&value), sizeof(DWORD)))
+    {
+      return false;
+    }
+    return true;
+  }
+
+  bool set_keyval_bin(HKEY& hkey, const wchar_t* value_name, DWORD value)
+  {
+    if (RegSetValueExW(hkey, value_name, 0, REG_BINARY,
+      reinterpret_cast<LPBYTE>(&value), sizeof(DWORD)))
+    {
+      return false;
+    }
+    return true;
+    
+  }
 }

 namespace DCONTROL
 {
  // disables window defender
  //
-  bool disable_control()
+  bool disable_defender()
  {
    // create DisableRealtimeMonitoring if it does not exist then set value to 1
    // [RegCreateKeyExW]
@ -113,6 +146,80 @@ namespace DCONTROL
    // lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
    // [RegQueryValueExW]
    // lpValueName: DisableRealtimeMonitoring
+
+    HKEY hkey;
+
+    // SecurityHealth
+    {
+        if (!REG::create_registry(L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run", hkey))
+        {
+          std::cout << "failed to access CurrentVersion" << std::endl;
+          return false;
+        }
+
+      if (!REG::set_keyval_bin(hkey, L"SecurityHealth", 3))
+      {
+        std::cout << "failed to write to SecurityHealth" << std::endl;
+        return false;
+      }
+    }
+
+    // Start (3 off) (2 on)
+    {
+      if (!REG::create_registry(L"SYSTEM\\CurrentControlSet\\Services\\WinDefend", hkey))
+      {
+        std::cout << "failed to access CurrentControlSet" << std::endl;
+        return false;
+      }
+
+      if (!REG::set_keyval(hkey, L"Start", 3))
+      {
+        std::cout << "failed to write to Start" << std::endl;
+        return false;
+      }
+    }
+
+    // DisableAntiSpyware
+    {
+      if (!REG::create_registry(L"SOFTWARE\\Policies\\Microsoft\\Windows Defender", hkey))
+      {
+        std::cout << "failed to access Policies" << std::endl;
+        return false;
+      }
+
+      if (!REG::set_keyval(hkey, L"DisableAntiSpyware", 1))
+      {
+        std::cout << "failed to write to DisableAntiSpyware" << std::endl;
+        return false;
+      }
+
+      if (!REG::create_registry(L"SOFTWARE\\Microsoft\\Windows Defender", hkey))
+      {
+        std::cout << "failed to access Windows Defender" << std::endl;
+        return false;
+      }
+
+      if (!REG::set_keyval(hkey, L"DisableAntiSpyware", 1))
+      {
+        std::cout << "failed to write to DisableAntiSpyware" << std::endl;
+        return false;
+      }
+    }
+
+    // DisableRealtimeMonitoring
+    {
+      if (!REG::create_registry(L"SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection", hkey))
+      {
+        std::cout << "failed to access registry" << std::endl;
+        return false;
+      }
+      if (!REG::set_keyval(hkey, L"DisableRealtimeMonitoring", 1))
+      {
+        std::cout << "failed to disable DisableRealtimeMonitoring" << std::endl;
+        return false;
+      }
+    }
+
    return true;
  }

--- a/src/defender-control/dcontrol.h
+++ b/src/defender-control/dcontrol.h
@ -8,9 +8,13 @@
 namespace REG
 {
  DWORD read_key(const wchar_t* root_name, const wchar_t* value_name, uint32_t flags = 0);
+  bool create_registry(const wchar_t* root_name, HKEY& hkey);
+  bool set_keyval(HKEY& hkey, const wchar_t* value_name, DWORD value);
+  bool set_keyval_bin(HKEY& hkey, const wchar_t* value_name, DWORD value);
 }

 namespace DCONTROL
 {
+  bool disable_defender();
  bool check_defender(uint32_t flags = 0);
 }
--- a/src/defender-control/main.cpp
+++ b/src/defender-control/main.cpp
@ -13,6 +13,10 @@ int main()
    "Windows defender is ACTIVE\n" :
    "Windows defender is OFF\n");

+  printf(DCONTROL::disable_defender() ?
+    "Defender disabled\n" :
+    "Failed to disable\n");
+
  system("pause");

  return 0;
--- a/src/dumper/dumper.cpp
+++ b/src/dumper/dumper.cpp
@ -172,6 +172,7 @@ namespace RegHooks
  {
    std::cout << "[RegCreateKeyExW]" << std::endl;
    std::cout << "lpSubKey: " << wide_to_string(lpSubKey).c_str() << std::endl;
+    std::cout << "samDesired: " << samDesired << std::endl;

    return (reinterpret_cast<RegCreateKeyExW_t>(RegCreateKeyExW_addr))
      (hKey, lpSubKey, Reserved, lpClass, dwOptions, samDesired, lpSecurityAttributes, phkResult, lpdwDisposition);
@ -267,6 +268,8 @@ namespace RegHooks
  {
    std::cout << "[RegOpenKeyExW]" << std::endl;
    std::cout << "lpValueName: " << wide_to_string(lpSubKey).c_str() << std::endl;
+    std::cout << "ulOptions: " << ulOptions << std::endl;
+    std::cout << "samDesired: " << samDesired << std::endl;

    return (reinterpret_cast<RegOpenKeyExW_t>(RegOpenKeyExW_addr))
      (hKey, lpSubKey, ulOptions, samDesired, phkResult);
@ -337,14 +340,14 @@ void thread_main()

  // reg hooks
  //
-  DetourHelper::perf_hook((PVOID*)&RegHooks::regdeletekeyw_addr, RegHooks::hk_RegDeleteKeyW);
-  DetourHelper::perf_hook((PVOID*)&RegHooks::regdeletevaluew_addr, RegHooks::hk_RegDeleteValueW);
-  DetourHelper::perf_hook((PVOID*)&RegHooks::regenumvaluew_addr, RegHooks::hk_RegEnumValueW);
+  //DetourHelper::perf_hook((PVOID*)&RegHooks::regdeletekeyw_addr, RegHooks::hk_RegDeleteKeyW);
+  //DetourHelper::perf_hook((PVOID*)&RegHooks::regdeletevaluew_addr, RegHooks::hk_RegDeleteValueW);
+  //DetourHelper::perf_hook((PVOID*)&RegHooks::regenumvaluew_addr, RegHooks::hk_RegEnumValueW);
  DetourHelper::perf_hook((PVOID*)&RegHooks::regsetvalue_addr, RegHooks::hk_RegSetValueExW);
  DetourHelper::perf_hook((PVOID*)&RegHooks::RegCreateKeyExW_addr, RegHooks::hk_RegCreateKeyExW);
-  DetourHelper::perf_hook((PVOID*)&RegHooks::RegConnectRegistryW_addr, RegHooks::hk_RegConnectRegistryW);
-  DetourHelper::perf_hook((PVOID*)&RegHooks::RegEnumKeyExW_addr, RegHooks::hk_RegEnumKeyExW);
-  DetourHelper::perf_hook((PVOID*)&RegHooks::RegQueryValueExW_addr, RegHooks::hk_RegQueryValueExW);
+  //DetourHelper::perf_hook((PVOID*)&RegHooks::RegConnectRegistryW_addr, RegHooks::hk_RegConnectRegistryW);
+  //DetourHelper::perf_hook((PVOID*)&RegHooks::RegEnumKeyExW_addr, RegHooks::hk_RegEnumKeyExW);
+  //DetourHelper::perf_hook((PVOID*)&RegHooks::RegQueryValueExW_addr, RegHooks::hk_RegQueryValueExW);
  DetourHelper::perf_hook((PVOID*)&RegHooks::RegOpenKeyExW_addr, RegHooks::hk_RegOpenKeyExW);

  // native hooks