implemented defender check

3 years ago · a29d2d6aec
parent 5c81c88432
commit a29d2d6aec
4 changed files with 63 additions and 9 deletions
--- a/src/defender-control/dcontrol.cpp
+++ b/src/defender-control/dcontrol.cpp
@ -2,17 +2,65 @@

 namespace DCONTROL
 {
+  // forget about this for now
+  //
  bool enable_control()
  {
-
    return true;
  }

-
+  // write a working poc
+  //
  bool disable_control()
  {

-
    return true;
  }
+
+  // Checks whether Real-Time Protection is activated on windows
+  //
+  bool check_defender()
+  {
+    LSTATUS status;
+    HKEY hkey;
+    DWORD result{};
+    DWORD buff_sz = sizeof(DWORD);
+
+    // https://docs.microsoft.com/en-us/windows/win32/winprog64/accessing-an-alternate-registry-view
+    // KEY_WOW64_64KEY if we are in an x86 environment
+    // KEY_ALL_ACCESS to access
+    // but we only need to read for this call
+
+    status = RegOpenKeyExW(
+      HKEY_LOCAL_MACHINE,
+      L"SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection",
+      0,
+      KEY_READ | KEY_WOW64_64KEY,
+      &hkey
+    );
+
+    // running by default if we can't identify it
+    //
+    if (status)
+    {
+      std::cout << "Error opening Real-Time Protection key" << std::endl;
+      return true;
+    }
+
+    status = RegQueryValueExW(
+      hkey,
+      L"DisableRealtimeMonitoring",
+      0, NULL,
+      reinterpret_cast<LPBYTE>(&result),
+      &buff_sz
+    );
+
+    if (status)
+    {
+      std::cout << "Failed to read DisableRealtimeMonitoring" << std::endl;
+      return true;
+    }
+
+    return result == 0;
+  }
 }
--- a/src/defender-control/dcontrol.h
+++ b/src/defender-control/dcontrol.h
@ -1,8 +1,9 @@
 #pragma once

 #include <Windows.h>
+#include <iostream>

 namespace DCONTROL
 {
-
+  bool is_av_running();
 }
--- a/src/defender-control/defender-control.vcxproj
+++ b/src/defender-control/defender-control.vcxproj
@ -109,6 +109,7 @@
      <EnableCOMDATFolding>true</EnableCOMDATFolding>
      <OptimizeReferences>true</OptimizeReferences>
      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <UACExecutionLevel>RequireAdministrator</UACExecutionLevel>
    </Link>
  </ItemDefinitionGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
--- a/src/defender-control/main.cpp
+++ b/src/defender-control/main.cpp
@ -1,20 +1,24 @@
 #include "dcontrol.h"

-// We are going to reverse engineer the d-control from sordum
-// and build an open source safe version since i struggle trust
-// defender control cause of the virus total false positivies
 // to-do:
-// finish dumper
-// write poc
 // write argument parser
 // create cli program
 // maybe make a ui for this

+
+
 // entrypoint
 //
 int main()
 {
+  if (DCONTROL::is_av_running()) {
+    printf("running...\n");
+  }
+  else {
+    printf("not running...\n");
+  }

+  system("pause");

  return 0;
 }