From e7862bf25321f49fe0af97f529ff80d1cadd6e10 Mon Sep 17 00:00:00 2001 From: qtkite Date: Sun, 15 Aug 2021 15:38:45 +1000 Subject: [PATCH] updated codestyle --- src/defender-control/dcontrol.cpp | 27 +++------------------------ src/defender-control/main.cpp | 3 --- 2 files changed, 3 insertions(+), 27 deletions(-) diff --git a/src/defender-control/dcontrol.cpp b/src/defender-control/dcontrol.cpp index 43ae899..80495eb 100644 --- a/src/defender-control/dcontrol.cpp +++ b/src/defender-control/dcontrol.cpp @@ -35,7 +35,7 @@ namespace dcontrol // The state of global data maintained by dynamic-link libraries // (DLLs) may be compromised if TerminateProcess is used rather than ExitProcess. // e.g. Injecting code to execute ExitProcess - // + TerminateProcess(proc, 0); if (proc) @@ -66,11 +66,10 @@ namespace dcontrol // TODO: Add a better implementation // https://docs.microsoft.com/en-us/windows/win32/services/starting-a-service - // + if (enable) { // Change to auto-start - // if (!ChangeServiceConfigA( service, SERVICE_NO_CHANGE, @@ -84,7 +83,6 @@ namespace dcontrol } // Start the service - // if (!StartServiceA(service, 0, NULL)) { throw std::runtime_error("Failed to start service"); @@ -94,7 +92,6 @@ namespace dcontrol else { // Stop the service - // SERVICE_STATUS scStatus; if (!ControlService(service, SERVICE_CONTROL_STOP, &scStatus)) { @@ -110,7 +107,6 @@ namespace dcontrol } // Change to DEMAND - // if (!ChangeServiceConfigA( service, SERVICE_NO_CHANGE, @@ -128,7 +124,6 @@ namespace dcontrol // Allow time for service to stop // TODO: Handle this automatically - // Sleep(3000); } @@ -154,7 +149,6 @@ namespace dcontrol printf("Failed to access Policies\n"); // SecurityHealth - // if (reg::create_registry( L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run", hkey)) 
@@ -166,7 +160,6 @@ namespace dcontrol printf("Failed to access CurrentVersion\n"); // Protected by anti-tamper - // if (reg::create_registry(L"SOFTWARE\\Microsoft\\Windows Defender", hkey)) { if (!reg::set_keyval(hkey, L"DisableAntiSpyware", 1)) @@ -177,7 +170,6 @@ namespace dcontrol // Protected by anti-tamper // Start (3 off) (2 on) - // if (reg::create_registry(L"SYSTEM\\CurrentControlSet\\Services\\WinDefend", hkey)) { if (!reg::set_keyval(hkey, L"Start", 3)) @@ -187,7 +179,6 @@ namespace dcontrol printf("Failed to access CurrentControlSet\n"); // Protected by anti-tamper - // if (reg::create_registry(L"SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection", hkey)) { if (!reg::set_keyval(hkey, L"DisableRealtimeMonitoring", 1)) @@ -209,12 +200,10 @@ namespace dcontrol } // string types - // helper->execute("EnableControlledFolderAccess", "Disabled"); helper->execute("PUAProtection", "disable"); // bool types - // helper->execute("DisableRealtimeMonitoring", wmic::variant_type::t_bool, TRUE); helper->execute("DisableBehaviorMonitoring", wmic::variant_type::t_bool, TRUE); helper->execute("DisableBlockAtFirstSeen", wmic::variant_type::t_bool, TRUE); @@ -228,7 +217,6 @@ namespace dcontrol helper->execute("DisableAntiVirus", wmic::variant_type::t_bool, TRUE); // values - // helper->execute("SubmitSamplesConsent", wmic::variant_type::t_uint8, 2); helper->execute("MAPSReporting", wmic::variant_type::t_uint8, 0); helper->execute("HighThreatDefaultAction", wmic::variant_type::t_uint8, 6); @@ -243,13 +231,11 @@ namespace dcontrol } // Enables defender, assumes we have TrustedInstaller permissions - // bool enable_defender() { HKEY hkey; // DisableAntiSpyware - // if (reg::create_registry(L"SOFTWARE\\Policies\\Microsoft\\Windows Defender", hkey)) { if (!reg::set_keyval(hkey, L"DisableAntiSpyware", 0)) 
@@ -259,7 +245,6 @@ namespace dcontrol printf("Failed to access Policies\n"); // SecurityHealth - // if (reg::create_registry( L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run", hkey)) @@ -271,7 +256,6 @@ namespace dcontrol printf("Failed to access CurrentVersion\n"); // Protected by anti-tamper - // if (reg::create_registry(L"SOFTWARE\\Microsoft\\Windows Defender", hkey)) { if (!reg::set_keyval(hkey, L"DisableAntiSpyware", 0)) @@ -282,7 +266,6 @@ namespace dcontrol // Protected by anti-tamper // Start (3 off) (2 on) - // if (reg::create_registry(L"SYSTEM\\CurrentControlSet\\Services\\WinDefend", hkey)) { if (!reg::set_keyval(hkey, L"Start", 2)) @@ -292,7 +275,6 @@ namespace dcontrol printf("Failed to access CurrentControlSet\n"); // Protected by anti-tamper - // if (reg::create_registry(L"SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection", hkey)) { if (!reg::set_keyval(hkey, L"DisableRealtimeMonitoring", 0)) @@ -314,7 +296,6 @@ namespace dcontrol } // BSTR types - // helper->execute("EnableControlledFolderAccess", "Enabled"); helper->execute("PUAProtection", "enable"); @@ -323,7 +304,6 @@ namespace dcontrol }; // BOOL types - // helper_disable(helper, "DisableRealtimeMonitoring"); helper_disable(helper, "DisableBehaviorMonitoring"); helper_disable(helper, "DisableBlockAtFirstSeen"); @@ -337,7 +317,6 @@ namespace dcontrol helper_disable(helper, "DisableAntiVirus"); // Cleanup - // delete helper; manage_windefend(true); @@ -349,6 +328,7 @@ namespace dcontrol // bool check_defender(uint32_t flags) { + // Unreliable method if anti-tamper is enabled. //return REG::read_key( // L"SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection", // L"DisableRealtimeMonitoring") == 0; @@ -362,7 +342,6 @@ namespace dcontrol if (auto error = helper->get_last_error()) { // Throw error instead - // printf("Error has occured: %d\n", error); delete helper; return true; 
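Review bot: The empty `//` line that survives as context directly above `bool check_defender(uint32_t flags)` in the `@@ -349,6 +328,7 @@` hunk appears to be the same pattern this patch removes everywhere else (for example the one above `enable_defender` in the `@@ -243,13 +231,11 @@` hunk), so it looks like a miss in the cleanup. The added `// Unreliable method if anti-tamper is enabled.` sits above a commented-out `REG::read_key` call whose namespace spelling also differs from the `reg::` the live code uses, so that dead block would presumably not compile if anyone re-enabled it; either delete it or make the comment say it is reference only, e.g. `// Registry read kept for reference only; unreliable if anti-tamper is enabled, so the helper-based check below is used instead.`. The body of `check_defender` continues outside the hunk.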
diff --git a/src/defender-control/main.cpp b/src/defender-control/main.cpp index 02d53ed..bfaa3d3 100644 --- a/src/defender-control/main.cpp +++ b/src/defender-control/main.cpp @@ -16,7 +16,6 @@ int main(int argc, char** argv) // Because we are a primary token, we can't swap ourselves with an impersonation token. // There will always be a need to re-create the process with the token as primary. - // if (!trusted::is_system_group() && argc == 1) { printf("Restarting with privileges\n"); @@ -26,8 +25,6 @@ int main(int argc, char** argv) try { - // Disable smart screen, defender & tamper protection - // dcontrol::kill_smartscreen(); dcontrol::manage_windefend(false); dcontrol::toggle_tamper(false);
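Review bot: The `@@ -26,8 +25,6 @@` hunk drops `// Disable smart screen, defender & tamper protection` together with the empty `//` beneath it, and that line was the only description of what the three `dcontrol::` calls inside the `try` block do. A codestyle pass should remove the blank comment line but keep the descriptive one; suggest restoring `// Disable smart screen, defender & tamper protection` above `dcontrol::kill_smartscreen();`. The body of `main` starts and continues outside the hunk.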