demo

src/defender-control/dcontrol.cpp

@@ -1,16 +1,13 @@
 #include "dcontrol.hpp"
 
-namespace DCONTROL
+namespace dcontrol
 {
   // disables window defender
   //
   bool disable_defender()
   {
     if (!util::sub_43604B())
-    {
-      std::cout << "permission error" << std::endl;
       return false;
-    }
 
     util::set_privilege(SE_DEBUG_NAME, TRUE);
 
@@ -19,87 +16,161 @@ namespace DCONTROL
     // DisableAntiSpyware
     {
       if (!REG::create_registry(L"SOFTWARE\\Policies\\Microsoft\\Windows Defender", hkey))
-      {
         std::cout << "failed to access Policies" << std::endl;
-        return false;
-      }
 
       if (!REG::set_keyval(hkey, L"DisableAntiSpyware", 1))
-      {
         std::cout << "failed to write to DisableAntiSpyware" << std::endl;
-        return false;
-      }
 
 #if 0
       if (!REG::create_registry(L"SOFTWARE\\Microsoft\\Windows Defender", hkey))
       {
         std::cout << "failed to access Windows Defender" << std::endl;
-        return false;
       }
 
       if (!REG::set_keyval(hkey, L"DisableAntiSpyware", 1))
       {
         std::cout << "failed to write to DisableAntiSpyware" << std::endl;
-        return false;
       }
 #endif
     }
 
+#if 0
     // Start (3 off) (2 on)
     {
       if (!REG::create_registry(L"SYSTEM\\CurrentControlSet\\Services\\WinDefend", hkey))
       {
         std::cout << "failed to access CurrentControlSet" << std::endl;
-        return false;
       }
 
       if (!REG::set_keyval(hkey, L"Start", 3))
       {
         std::cout << "failed to write to Start" << std::endl;
-        return false;
       }
     }
-
-    std::cout << "Wrote to Start" << std::endl;
-
-
+#endif
     // SecurityHealth
     {
       if (!REG::create_registry(L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run", hkey))
-      {
         std::cout << "failed to access CurrentVersion" << std::endl;
-        return false;
-      }
 
       if (!REG::set_keyval_bin(hkey, L"SecurityHealth", 3))
-      {
         std::cout << "failed to write to SecurityHealth" << std::endl;
-        return false;
-      }
     }
 
-    std::cout << "Wrote to SecurityHealth" << std::endl;
-
-
 #if 0
     // DisableRealtimeMonitoring
     {
       if (!REG::create_registry(L"SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection", hkey))
       {
         std::cout << "failed to access registry" << std::endl;
-        return false;
       }
       if (!REG::set_keyval(hkey, L"DisableRealtimeMonitoring", 1))
       {
         std::cout << "failed to disable DisableRealtimeMonitoring" << std::endl;
-        return false;
-  }
-}
+      }
+    }
 #endif
 
+
+    auto helper = new wmic::helper(
+      "Root\\Microsoft\\Windows\\Defender",
+      "MSFT_MpPreference",
+      "Set"
+    );
+
+    if (auto error = helper->get_last_error())
+    {
+      printf("Error has occured: %d", error);
+      return false;
+    }
+
+    // string types
+    //
+    helper->execute("EnableControlledFolderAccess", "Disabled");
+    helper->execute("PUAProtection", "disable");
+
+    // bool types
+    //
+    helper->execute<BOOL>("DisableRealtimeMonitoring", wmic::variant_type::t_bool, TRUE);
+    helper->execute<BOOL>("DisableBehaviorMonitoring", wmic::variant_type::t_bool, TRUE);
+    helper->execute<BOOL>("DisableBlockAtFirstSeen", wmic::variant_type::t_bool, TRUE);
+    helper->execute<BOOL>("DisableIOAVProtection", wmic::variant_type::t_bool, TRUE);
+    helper->execute<BOOL>("DisablePrivacyMode", wmic::variant_type::t_bool, TRUE);
+    helper->execute<BOOL>("SignatureDisableUpdateOnStartupWithoutEngine", wmic::variant_type::t_bool, TRUE);
+    helper->execute<BOOL>("DisableArchiveScanning", wmic::variant_type::t_bool, TRUE);
+    helper->execute<BOOL>("DisableIntrusionPreventionSystem", wmic::variant_type::t_bool, TRUE);
+    helper->execute<BOOL>("DisableScriptScanning", wmic::variant_type::t_bool, TRUE);
+    helper->execute<BOOL>("DisableAntiSpyware", wmic::variant_type::t_bool, TRUE);
+    helper->execute<BOOL>("DisableAntiVirus", wmic::variant_type::t_bool, TRUE);
+
+    // values
+    //
+    helper->execute<uint8_t>("SubmitSamplesConsent", wmic::variant_type::t_uint8, 2);
+    helper->execute<uint8_t>("MAPSReporting", wmic::variant_type::t_uint8, 0);
+    helper->execute<uint8_t>("HighThreatDefaultAction", wmic::variant_type::t_uint8, 6);
+    helper->execute<uint8_t>("ModerateThreatDefaultAction", wmic::variant_type::t_uint8, 6);
+    helper->execute<uint8_t>("LowThreatDefaultAction", wmic::variant_type::t_uint8, 6);
+    helper->execute<uint8_t>("SevereThreatDefaultAction", wmic::variant_type::t_uint8, 6);
+    helper->execute<uint8_t>("ScanScheduleDay", wmic::variant_type::t_uint8, 8);
+
     return true;
   }
 
+  bool enable_defender()
+  {
+
+    if (!util::sub_43604B())
+      return false;
+
+    util::set_privilege(SE_DEBUG_NAME, TRUE);
+
+    HKEY hkey;
+
+    if (!REG::create_registry(L"SOFTWARE\\Policies\\Microsoft\\Windows Defender", hkey))
+      std::cout << "failed to access Policies" << std::endl;
+
+    if (!REG::set_keyval(hkey, L"DisableAntiSpyware", 0))
+      std::cout << "failed to write to DisableAntiSpyware" << std::endl;
+
+    if (!REG::create_registry(L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run", hkey))
+      std::cout << "failed to access CurrentVersion" << std::endl;
+
+    if (!REG::set_keyval_bin(hkey, L"SecurityHealth", 2))
+      std::cout << "failed to write to SecurityHealth" << std::endl;
+
+    auto helper = new wmic::helper(
+      "Root\\Microsoft\\Windows\\Defender",
+      "MSFT_MpPreference",
+      "Set"
+    );
+
+    if (auto error = helper->get_last_error())
+    {
+      printf("Error has occured: %d", error);
+      return false;
+    }
+
+    // string types
+    //
+    helper->execute("EnableControlledFolderAccess", "Enabled");
+    helper->execute("PUAProtection", "enable");
+
+    // bool types
+    //
+    helper->execute<BOOL>("DisableRealtimeMonitoring", wmic::variant_type::t_bool, FALSE);
+    helper->execute<BOOL>("DisableBehaviorMonitoring", wmic::variant_type::t_bool, FALSE);
+    helper->execute<BOOL>("DisableBlockAtFirstSeen", wmic::variant_type::t_bool, FALSE);
+    helper->execute<BOOL>("DisableIOAVProtection", wmic::variant_type::t_bool, FALSE);
+    helper->execute<BOOL>("DisablePrivacyMode", wmic::variant_type::t_bool, FALSE);
+    helper->execute<BOOL>("SignatureDisableUpdateOnStartupWithoutEngine", wmic::variant_type::t_bool, FALSE);
+    helper->execute<BOOL>("DisableArchiveScanning", wmic::variant_type::t_bool, FALSE);
+    helper->execute<BOOL>("DisableIntrusionPreventionSystem", wmic::variant_type::t_bool, FALSE);
+    helper->execute<BOOL>("DisableScriptScanning", wmic::variant_type::t_bool, FALSE);
+    helper->execute<BOOL>("DisableAntiSpyware", wmic::variant_type::t_bool, FALSE);
+    helper->execute<BOOL>("DisableAntiVirus", wmic::variant_type::t_bool, FALSE);
+
+  }
+
   // Checks whether Real-Time Protection is activated on windows
   //
   bool check_defender(uint32_t flags)

src/defender-control/dcontrol.hpp

@@ -6,9 +6,11 @@
 #include "settings.hpp"
 #include "reg.hpp"
 #include "util.hpp"
+#include "wmic.hpp"
 
-namespace DCONTROL
+namespace dcontrol
 {
   bool disable_defender();
+  bool enable_defender();
   bool check_defender(uint32_t flags = 0);
 }

src/defender-control/defender-control.vcxproj

@@ -93,6 +93,7 @@
     <Link>
       <SubSystem>Console</SubSystem>
       <GenerateDebugInformation>true</GenerateDebugInformation>
+      <UACExecutionLevel>RequireAdministrator</UACExecutionLevel>
     </Link>
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
@@ -122,6 +123,7 @@
     <Link>
       <SubSystem>Console</SubSystem>
       <GenerateDebugInformation>true</GenerateDebugInformation>
+      <UACExecutionLevel>RequireAdministrator</UACExecutionLevel>
     </Link>
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
@@ -138,6 +140,7 @@
       <EnableCOMDATFolding>true</EnableCOMDATFolding>
       <OptimizeReferences>true</OptimizeReferences>
       <GenerateDebugInformation>true</GenerateDebugInformation>
+      <UACExecutionLevel>RequireAdministrator</UACExecutionLevel>
     </Link>
   </ItemDefinitionGroup>
   <ItemGroup>

src/defender-control/main.cpp

@@ -8,27 +8,20 @@
 
 int main()
 {
-  printf(DCONTROL::check_defender() ?
-    "Windows defender is ACTIVE turning off..\n" :
-    "Windows defender is OFF turning on...\n");
+  printf(dcontrol::check_defender() ?
+    "Windows defender is ACTIVE\n" :
+    "Windows defender is OFF\n");
 
-  auto helper = new wmic::helper(
-    "Root\\Microsoft\\Windows\\Defender",
-    "MSFT_MpPreference",
-    "Set"
-  );
-
-  if (auto error = helper->get_last_error())
+  if (dcontrol::check_defender())
   {
-    printf("Error has occured: %d", error);
-    system("pause");
-    return 1;
+    if (dcontrol::disable_defender())
+      printf("Disabled windows defender!\n");
+  }
+  else
+  {
+    if (dcontrol::enable_defender())
+      printf("Enabled windows defender!\n");
   }
-
-  if (DCONTROL::check_defender())
-    helper->execute_cmd<BOOL>("DisableRealtimeMonitoring", wmic::variant_type::t_bool, TRUE);
-  else 
-    helper->execute_cmd<BOOL>("DisableRealtimeMonitoring", wmic::variant_type::t_bool, FALSE);
 
   system("pause");
   return 0;

src/defender-control/util.cpp

@@ -27,7 +27,7 @@ namespace util
     HANDLE token = nullptr;
     LUID luid = { 0,0 };
 
-    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &token)) 
+    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &token))
     {
       if (token)
         CloseHandle(token);
@@ -35,7 +35,7 @@ namespace util
       return false;
     }
 
-    if (!LookupPrivilegeValueA(nullptr, SE_DEBUG_NAME, &luid)) 
+    if (!LookupPrivilegeValueA(nullptr, SE_DEBUG_NAME, &luid))
     {
       if (token)
         CloseHandle(token);

src/defender-control/wmic.hpp

@@ -43,10 +43,42 @@ namespace wmic
     //
     int get_last_error();
 
+
+    void execute(std::string variable, std::string value)
+    {
+      VARIANT var_cmd;
+      var_cmd.vt = VT_BSTR;
+      var_cmd.bstrVal = _bstr_t(util::string_to_wide(value).c_str());
+
+      // Store the value for the parameters
+      //
+      hres = class_inst_ptr->Put(util::string_to_wide(variable).c_str(), 0, &var_cmd, 0);
+
+      // Execute 
+      //
+      IWbemClassObject* pOutParams = nullptr;
+      hres = service_ptr->ExecMethod(class_name, method_name, 0,
+        0, class_inst_ptr, &pOutParams, 0);
+
+      if (FAILED(hres))
+      {
+        last_error = 7;
+        std::cout << "error executing" << std::endl;
+      }
+
+      // Cleanup
+      //
+      VariantClear(&var_cmd);
+
+      if (pOutParams)
+        pOutParams->Release();
+    }
+
+
     // Execute WMI set function
     //
     template<typename T>
-    void execute_cmd(std::string variable, variant_type type, T value)
+    void execute(std::string variable, variant_type type, T value)
     {
       // Create values for in parameter
       //
@@ -54,11 +86,6 @@ namespace wmic
 
       switch (type)
       {
-      case variant_type::t_bstr:
-        var_cmd.vt = VT_BSTR;
-        var_cmd.bstrVal = _bstr_t(value);
-        break;
-
       case variant_type::t_bool:
         var_cmd.vt = VT_BOOL;
         var_cmd.boolVal = value;
@@ -88,6 +115,12 @@ namespace wmic
       hres = service_ptr->ExecMethod(class_name, method_name, 0,
         0, class_inst_ptr, &pOutParams, 0);
 
+      if (FAILED(hres))
+      {
+        last_error = 7;
+        std::cout << "error executing" << std::endl;
+      }
+
       // Cleanup
       //
       VariantClear(&var_cmd);