Archives
/
defender-control
mirror of https://github.com/qtkite/defender-control
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
main
gui
1.0.0
v1.0
v1.0.0
v1.1
v1.2
v1.3
v1.4
v1.5
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'main'
${ noResults }
defender-control/research.md

27 KiB
Raw Permalink Blame History

Reversal

I reversed parts of the freeware with some hooks & x64 debugger, read a bunch of security papers & here are some of my findings!

x64 Debug

disabling defender

008CE9E8  043DCA88  L"HKLM64"
...
008CEA08  043DCBC0  L"SOFTWARE\\Policies\\Microsoft\\Windows Defender"

008CE8F0  043DCFE8  L"HKLM64"
...
008CE910  043DD120  L"SYSTEM\\CurrentControlSet\\Services\\WinDefend"

76122F7F | 397D 0C                  | cmp dword ptr ss:[ebp+C],edi            | [ebp+C]:L"Start"`

https://answers.microsoft.com/en-us/protect/forum/protect_defender-protect_start-windows_10/how-to-disable-windows-defender-in-windows-10/b834d36e-6da8-42a8-85f6-da9a520f05f2

76122FF0 | 8945 CC                  | mov dword ptr ss:[ebp-34],eax           | [ebp-34]:L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run"
76122FF3 | 66:8B01                  | mov ax,word ptr ds:[ecx]                | ecx:&L"SecurityHealth"

EDX : 043DCD78     L"SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection"
EIP : 7591E420     <advapi32.RegCreateKeyExW>

We have 2 flags set:
DisableRealtimeMonitoring as a REG_DWORD set to 0x01
DpaDisabled as REG_DWORD set to 0x0

008CEFF8  043EB4C8  L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run"

enabling defender

there seems to be a reference with "Policy Manager" using RegEnumKeyExW

It seems to call RegDeleteValueW on security health (see above)

reversing w hooks

We are going to write a simple dll to inject into defender control to dump out the parameters of the functions we are interested in.

Here are the logs:

obtained RegDeleteKeyW from 75A60000
obtained RegDeleteValueW from 75A60000
obtained RegEnumValueW from 75A60000
obtained RegSetValueExW from 75A60000
obtained RegCreateKeyExW from 75A60000
obtained RegConnectRegistryW from 75A60000
obtained RegEnumKeyExW from 75A60000
obtained RegQueryValueExW from 75A60000
obtained RegOpenKeyExW from 75A60000
imports resolved
preparing to hook

Registry Routine to check if defender activated:

[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
[RegQueryValueExW]
lpValueName: DisableRealtimeMonitoring
[RegQueryValueExW]
lpValueName: DisableRealtimeMonitoring
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
[RegQueryValueExW]
lpValueName: C:\Program Files (x86)\DefenderControl\dControl.exe

Routine to disable defender

[RegCreateKeyExW]
lpSubKey: SOFTWARE\Policies\Microsoft\Windows Defender
[RegSetValueExW]
lpValueName: DisableAntiSpyware
[RegCreateKeyExW]
lpSubKey: SOFTWARE\Microsoft\Windows Defender
[RegCreateKeyExW]
lpSubKey: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender
[RegQueryValueExW]
lpValueName: DisableAntiSpyware
[RegQueryValueExW]
lpValueName: DisableAntiSpyware
[RegCreateKeyExW]
lpSubKey: SYSTEM\CurrentControlSet\Services\WinDefend
[RegSetValueExW]
lpValueName: Start
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[RegQueryValueExW]
lpValueName: SecurityHealth
[RegQueryValueExW]
lpValueName: SecurityHealth
[RegCreateKeyExW]
lpSubKey: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run
[RegSetValueExW]
lpValueName: SecurityHealth
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[RegEnumValueW]
lpValueName: SecurityHealth
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
[RegQueryValueExW]
lpValueName: DisableRealtimeMonitoring
[RegQueryValueExW]
lpValueName: DisableRealtimeMonitoring
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
[RegQueryValueExW]
lpValueName: C:\Program Files (x86)\DefenderControl\dControl.exe

Routine to enable defender

[RegOpenKeyExW]
lpValueName: SOFTWARE\Policies\Microsoft\Windows Defender
[RegOpenKeyExW]
lpValueName: Policy Manager
[RegOpenKeyExW]
lpValueName: SOFTWARE\Policies\Microsoft\Windows Defender
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender
[RegQueryValueExW]
lpValueName: DisableAntiSpyware
[RegQueryValueExW]
lpValueName: DisableAntiSpyware
[RegOpenKeyExW]
lpValueName: SOFTWARE\Policies\Microsoft\Windows Defender
[RegOpenKeyExW]
lpValueName: SOFTWARE\Policies\Microsoft\Windows Defender
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender
[RegQueryValueExW]
lpValueName: DisableAntiSpyware
[RegQueryValueExW]
lpValueName: DisableAntiSpyware
[RegOpenKeyExW]
lpValueName: SYSTEM\CurrentControlSet\Services\SecLogon
[RegQueryValueExW]
lpValueName: Start
[RegQueryValueExW]
lpValueName: Start
[RegOpenKeyExW]
lpValueName: SOFTWARE\Policies\Microsoft\Windows Defender
[RegOpenKeyExW]
lpValueName: Policy Manager
[RegOpenKeyExW]
lpValueName: SOFTWARE\Policies\Microsoft\Windows Defender
[RegOpenKeyExW]
lpValueName: Policy Manager
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender
[RegQueryValueExW]
lpValueName: DisableAntiSpyware
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
[RegQueryValueExW]
lpValueName: DisableRealtimeMonitoring
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[RegEnumValueW]
lpValueName: SecurityHealth
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[RegQueryValueExW]
lpValueName: SecurityHealth
[RegQueryValueExW]
lpValueName: SecurityHealth
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run
[RegDeleteValueW]
lpValueNameSecurityHealth
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[RegEnumValueW]
lpValueName: SecurityHealth
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[RegQueryValueExW]
lpValueName: WindowsDefender
[RegQueryValueExW]
lpValueName: WindowsDefender
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[RegEnumValueW]
lpValueName: WindowsDefender
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
[RegQueryValueExW]
lpValueName: DisableRealtimeMonitoring
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
[RegQueryValueExW]
lpValueName: C:\Program Files (x86)\DefenderControl\dControl.exe
<also redacted a bunch of stuff from policy manager stuff>
-----
SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
DisableRealtimeMonitoring

When it disables the AV it modifies these registries:

[RegCreateKeyExW]
lpSubKey: SOFTWARE\Policies\Microsoft\Windows Defender
[RegSetValueExW]
lpValueName: DisableAntiSpyware
[RegCreateKeyExW]
lpSubKey: SOFTWARE\Microsoft\Windows Defender
[RegCreateKeyExW]
lpSubKey: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
[RegCreateKeyExW]
lpSubKey: SYSTEM\CurrentControlSet\Services\WinDefend
[RegSetValueExW]
lpValueName: Start
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[RegQueryValueExW]
lpValueName: SecurityHealth
[RegCreateKeyExW]
lpSubKey: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run
[RegSetValueExW]
lpValueName: SecurityHealth
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[RegEnumValueW]
lpValueName: SecurityHealth
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
[RegQueryValueExW]
lpValueName: DisableRealtimeMonitoring

Dumping VTable Calls

[Control Table] 0x495b78
[Control Table] 0x493658
[Control Table] 0x4932f8
[Control Table] 0x494e1c
[Control Table] 0x4949e4
[Control Table] 0x4965e0
[Control Table] 0x496088
[Control Table] 0x4951c4
[Control Table] 0x4960d0
[Control Table] 0x49463c
[Control Table] 0x493808
[Control Table] 0x493850
[Control Table] 0x494ed0
[Control Table] 0x49382c
[Control Table] 0x49532c
[Control Table] 0x493874
[Control Table] 0x493898
[Control Table] 0x4931fc
[Control Table] 0x4931b4
[Control Table] 0x495500
[Control Table] 0x495cbc
[Control Table] 0x495ce0
[Control Table] 0x4958cc
[Control Table] 0x494a74
[Control Table] 0x495c08
[Control Table] 0x494cfc
[Control Table] 0x493c40
[Control Table] 0x493e5c
[Control Table] 0x493ea4
[Control Table] 0x493b8c
[Control Table] 0x495b0c
[Control Table] 0x495c2c
[Control Table] 0x493f7c
[Control Table] 0x4930dc
[Control Table] 0x493fe8
[Control Table] 0x494c00
[Control Table] 0x495644
[Control Table] 0x495428
[Control Table] 0x496430
[Control Table] 0x4963e8
[Control Table] 0x4954b8
[Control Table] 0x4945d0
[Control Table] 0x496040
[Control Table] 0x4960ac
[Control Table] 0x494a50
[Control Table] 0x495be4

Upon starting the AV, the program calls CreateProcessW on C:\Windows\System32\SecurityHealthSystray.exe

Windows File Protection

But theres, a catch. In a newer recent windows update - you can no longer disable the defender via registries without elevated permissions.
Well, our program runs completely in usermode, so there must be another way its making these registry changes - most likely through the powershell command Set-MpPreference if we do some research into changing the registry. So we will need to take a peek into the wmic api it accesses.

Luckily for us, all this stuff is documented. Check out these two links:

I first wanted to see how powershell called the command, so i looked through the powershell github since its open sourced and found that the command was in a cmdlet that was not documented in the repository. So after reading up on some powershell commands I dumped the powershell informating using this:

Get-Command Set-MpPreference | fl

If we wanted to read the MSFT_MpPreference class, it is documented here: https://docs.microsoft.com/en-us/previous-versions/windows/desktop/legacy/dn455323(v=vs.85)#requirements
We can access via powershell like so:

Get-WmiObject -ClassName MSFT_MpPreference -Namespace root/microsoft/windows/defender

If we look further we can write to this using the WMI - it is documented here: https://docs.microsoft.com/en-us/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal

We can find the specific wmi com classes if we do the following command:

MpPreference |fl *

We get an output and we are intrested in this:

CimClass                                      : root/Microsoft/Windows/Defender:MSFT_MpPreference
CimInstanceProperties                         : {AllowDatagramProcessingOnWinServer, AllowNetworkProtectionDownLevel,
                                                AllowNetworkProtectionOnWinServer,
                                                AttackSurfaceReductionOnlyExclusions...}
CimSystemProperties                           : Microsoft.Management.Infrastructure.CimSystemProperties

We can find the class here: https://docs.microsoft.com/en-us/dotnet/api/microsoft.management.infrastructure.cimsystemproperties?view=powershellsdk-7.0.0

It is also located in windows binaries in the following path: C:\Program Files (x86)\Reference Assemblies\Microsoft\WMI\v1.0

Here is an intersting article that got me started in understanding the WMI: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf

Gaining permission

Remeber when I said you need more permissions to edit certain registries and edit services?
Well there is! You can read more about it here: https://0x00-0x00.github.io/research/2018/10/17/Windows-API-and-Impersonation-Part1.html

We adapt it into C++ code which can be found in trusted. Then using an elevated process, we can now edit those registries we can't before!.

Windows Tamper Protection

Well. We can once we disable tamper protection... But to do that without going through the security menu - we need to first kill the windefend service. Luckily now that we have TrustedInstaller privillege we can directly do that using winapi.

Windows 11

New dump:

obtained RegDeleteKeyW from 75DD0000
obtained RegDeleteValueW from 75DD0000
obtained RegEnumValueW from 75DD0000
obtained RegSetValueExW from 75DD0000
obtained RegCreateKeyExW from 75DD0000
obtained RegConnectRegistryW from 75DD0000
obtained RegEnumKeyExW from 75DD0000
obtained RegQueryValueExW from 75DD0000
obtained RegOpenKeyExW from 75DD0000
obtained CreateProcessW from 76000000
obtained ShellExecuteExW from 76DE0000
imports resolved
preparing to hook

IDLE:


[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
ulOptions: 0
samDesired: 131353
[RegQueryValueExW]
lpValueName: DisableRealtimeMonitoring
[RegQueryValueExW]
lpValueName: DisableRealtimeMonitoring
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
ulOptions: 0
samDesired: 131353
[RegQueryValueExW]
lpValueName: C:\Program Files (x86)\DefenderControl\dControl.exe



---


[RegQueryValueExW]
lpValueName: C:\Program Files (x86)\DefenderControl\dControl.exe
[RegCreateKeyExW]
hKey: 80000002
lpSubKey: SYSTEM\CurrentControlSet\Services\WdFilter
lpClass:
samDesired: 131334
Reserved: 0
lpSecurityAttributes: 00000000
dwOptions: 0
lpdwDisposition: 008CE434
Ret: 0
[RegSetValueExW]
lpValueName: Start
Reserved: 0
dwType: 4
cbData: 4
Ret: 0
[RegCreateKeyExW]
hKey: 80000002
lpSubKey: SYSTEM\CurrentControlSet\Services\WdNisDrv
lpClass:
samDesired: 131334
Reserved: 0
lpSecurityAttributes: 00000000
dwOptions: 0
lpdwDisposition: 008CE434
Ret: 0
[RegSetValueExW]
lpValueName: Start
Reserved: 0
dwType: 4
cbData: 4
Ret: 0
[RegCreateKeyExW]
hKey: 80000002
lpSubKey: SYSTEM\CurrentControlSet\Services\WdNisSvc
lpClass:
samDesired: 131334
Reserved: 0
lpSecurityAttributes: 00000000
dwOptions: 0
lpdwDisposition: 008CE434
Ret: 0
[RegSetValueExW]
lpValueName: Start
Reserved: 0
dwType: 4
cbData: 4
Ret: 0
[RegCreateKeyExW]
hKey: 80000002
lpSubKey: SOFTWARE\Policies\Microsoft\Windows Defender
lpClass:
samDesired: 131334
Reserved: 0
lpSecurityAttributes: 00000000
dwOptions: 0
lpdwDisposition: 008CE754
Ret: 0
[RegSetValueExW]
lpValueName: DisableAntiSpyware
Reserved: 0
dwType: 4
cbData: 4
Ret: 0
[RegCreateKeyExW]
hKey: 80000002
lpSubKey: SOFTWARE\Policies\Microsoft\Windows Defender
lpClass:
samDesired: 131334
Reserved: 0
lpSecurityAttributes: 00000000
dwOptions: 0
lpdwDisposition: 008CE754
Ret: 0
[RegSetValueExW]
lpValueName: DisableAntiVirus
Reserved: 0
dwType: 4
cbData: 4
Ret: 0
[RegCreateKeyExW]
hKey: 80000002
lpSubKey: SOFTWARE\Microsoft\Windows Defender
lpClass:
samDesired: 131334
Reserved: 0
lpSecurityAttributes: 00000000
dwOptions: 0
lpdwDisposition: 008CE664
Ret: 0
[RegSetValueExW]
lpValueName: DisableAntiSpyware
Reserved: 0
dwType: 4
cbData: 4
Ret: 0
[RegCreateKeyExW]
hKey: 80000002
lpSubKey: SOFTWARE\Microsoft\Windows Defender
lpClass:
samDesired: 131334
Reserved: 0
lpSecurityAttributes: 00000000
dwOptions: 0
lpdwDisposition: 008CEB54
Ret: 0
[RegSetValueExW]
lpValueName: DisableAntiVirus
Reserved: 0
dwType: 4
cbData: 4
Ret: 0
[RegCreateKeyExW]
hKey: 80000002
lpSubKey: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
lpClass:
samDesired: 131334
Reserved: 0
lpSecurityAttributes: 00000000
dwOptions: 0
lpdwDisposition: 008CE754
Ret: 0
[RegSetValueExW]
lpValueName: DisableRealtimeMonitoring
Reserved: 0
dwType: 4
cbData: 4
Ret: 0
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender
ulOptions: 0
samDesired: 131353
[RegQueryValueExW]
lpValueName: DisableAntiSpyware
[RegQueryValueExW]
lpValueName: DisableAntiSpyware
[RegCreateKeyExW]
hKey: 80000002
lpSubKey: SYSTEM\CurrentControlSet\Services\WinDefend
lpClass:
samDesired: 131334
Reserved: 0
lpSecurityAttributes: 00000000
dwOptions: 0
lpdwDisposition: 008CEA94
Ret: 0
[RegSetValueExW]
lpValueName: Start
Reserved: 0
dwType: 4
cbData: 4
Ret: 0
[RegCreateKeyExW]
hKey: 80000002
lpSubKey: SYSTEM\CurrentControlSet\Services\WdFilter
lpClass:
samDesired: 131334
Reserved: 0
lpSecurityAttributes: 00000000
dwOptions: 0
lpdwDisposition: 008CE434
Ret: 0
[RegSetValueExW]
lpValueName: Start
Reserved: 0
dwType: 4
cbData: 4
Ret: 0
[RegCreateKeyExW]
hKey: 80000002
lpSubKey: SYSTEM\CurrentControlSet\Services\WdNisDrv
lpClass:
samDesired: 131334
Reserved: 0
lpSecurityAttributes: 00000000
dwOptions: 0
lpdwDisposition: 008CE434
Ret: 0
[RegSetValueExW]
lpValueName: Start
Reserved: 0
dwType: 4
cbData: 4
Ret: 0
[RegCreateKeyExW]
hKey: 80000002
lpSubKey: SYSTEM\CurrentControlSet\Services\WdNisSvc
lpClass:
samDesired: 131334
Reserved: 0
lpSecurityAttributes: 00000000
dwOptions: 0
lpdwDisposition: 008CE434
Ret: 0
[RegSetValueExW]
lpValueName: Start
Reserved: 0
dwType: 4
cbData: 4
Ret: 0
[RegCreateKeyExW]
hKey: 80000002
lpSubKey: SYSTEM\CurrentControlSet\Services\WinDefend
lpClass:
samDesired: 131334
Reserved: 0
lpSecurityAttributes: 00000000
dwOptions: 0
lpdwDisposition: 008CE834
Ret: 0
[RegSetValueExW]
lpValueName: Start
Reserved: 0
dwType: 4
cbData: 4
Ret: 0
[RegCreateKeyExW]
hKey: 80000002
lpSubKey: SOFTWARE\Policies\Microsoft\Windows Defender
lpClass:
samDesired: 131334
Reserved: 0
lpSecurityAttributes: 00000000
dwOptions: 0
lpdwDisposition: 008CE8E4
Ret: 0
[RegSetValueExW]
lpValueName: DisableAntiSpyware
Reserved: 0
dwType: 4
cbData: 4
Ret: 0
[RegCreateKeyExW]
hKey: 80000002
lpSubKey: SOFTWARE\Policies\Microsoft\Windows Defender
lpClass:
samDesired: 131334
Reserved: 0
lpSecurityAttributes: 00000000
dwOptions: 0
lpdwDisposition: 008CE8E4
Ret: 0
[RegSetValueExW]
lpValueName: DisableAntiVirus
Reserved: 0
dwType: 4
cbData: 4
Ret: 0
[RegCreateKeyExW]
hKey: 80000002
lpSubKey: SOFTWARE\Microsoft\Windows Defender
lpClass:
samDesired: 131334
Reserved: 0
lpSecurityAttributes: 00000000
dwOptions: 0
lpdwDisposition: 008CE7F4
Ret: 0
[RegSetValueExW]
lpValueName: DisableAntiSpyware
Reserved: 0
dwType: 4
cbData: 4
Ret: 0
[RegCreateKeyExW]
hKey: 80000002
lpSubKey: SOFTWARE\Microsoft\Windows Defender
lpClass:
samDesired: 131334
Reserved: 0
lpSecurityAttributes: 00000000
dwOptions: 0
lpdwDisposition: 008CECE4
Ret: 0
[RegSetValueExW]
lpValueName: DisableAntiVirus
Reserved: 0
dwType: 4
cbData: 4
Ret: 0
[RegCreateKeyExW]
hKey: 80000002
lpSubKey: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
lpClass:
samDesired: 131334
Reserved: 0
lpSecurityAttributes: 00000000
dwOptions: 0
lpdwDisposition: 008CE8E4
Ret: 0
[RegSetValueExW]
lpValueName: DisableRealtimeMonitoring
Reserved: 0
dwType: 4
cbData: 4
Ret: 0
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender
ulOptions: 0
samDesired: 131353
[RegQueryValueExW]
lpValueName: DisableAntiSpyware
[RegQueryValueExW]
lpValueName: DisableAntiSpyware
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ulOptions: 0
samDesired: 131353
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ulOptions: 0
samDesired: 131353
[RegQueryValueExW]
lpValueName: SecurityHealth
[RegQueryValueExW]
lpValueName: SecurityHealth
[RegCreateKeyExW]
hKey: 80000002
lpSubKey: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run
lpClass:
samDesired: 131334
Reserved: 0
lpSecurityAttributes: 00000000
dwOptions: 0
lpdwDisposition: 008CEDD4
Ret: 0
[RegSetValueExW]
lpValueName: SecurityHealth
Reserved: 0
dwType: 3
cbData: 12
Ret: 0
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ulOptions: 0
samDesired: 131353
[RegEnumValueW]
lpValueName:→0‼rityHealth
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ulOptions: 0
samDesired: 131353
[RegQueryValueExW]
lpValueName: Riot Vanguard
[RegQueryValueExW]
lpValueName: Riot Vanguard
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ulOptions: 0
samDesired: 131353
[RegEnumValueW]
lpValueName:→0‼ Vanguard
[RegCreateKeyExW]
hKey: 80000002
lpSubKey: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpcmdrun.exe
lpClass:
samDesired: 131334
Reserved: 0
lpSecurityAttributes: 00000000
dwOptions: 0
lpdwDisposition: 008CE8CC
Ret: 0
[RegSetValueExW]
lpValueName: Debugger
Reserved: 0
dwType: 1
cbData: 64
Ret: 0
[RegCreateKeyExW]
hKey: 80000002
lpSubKey: SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpcmdrun.exe
lpClass:
samDesired: 131334
Reserved: 0
lpSecurityAttributes: 00000000
dwOptions: 0
lpdwDisposition: 008CE7C4
Ret: 0
[RegSetValueExW]
lpValueName: Debugger
Reserved: 0
dwType: 1
cbData: 64
Ret: 0
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpcmdrun.exe
ulOptions: 0
samDesired: 131353
[RegQueryValueExW]
lpValueName: Debugger
[RegQueryValueExW]
lpValueName: Debugger
[RegCreateKeyExW]
hKey: 80000002
lpSubKey: SYSTEM\CurrentControlSet\Services\WinDefend
lpClass:
samDesired: 131334
Reserved: 0
lpSecurityAttributes: 00000000
dwOptions: 0
lpdwDisposition: 008CE834
Ret: 0
[RegSetValueExW]
lpValueName: Start
Reserved: 0
dwType: 4
cbData: 4
Ret: 0


---

ENABLE:

[RegCreateKeyExW]
hKey: 80000002
lpSubKey: SYSTEM\CurrentControlSet\Services\WdFilter
lpClass:
samDesired: 131334
Reserved: 0
lpSecurityAttributes: 00000000
dwOptions: 0
lpdwDisposition: 008CE434
Ret: 0
[RegSetValueExW]
lpValueName: Start
Reserved: 0
dwType: 4
cbData: 4
Ret: 0
[RegCreateKeyExW]
hKey: 80000002
lpSubKey: SYSTEM\CurrentControlSet\Services\WdNisDrv
lpClass:
samDesired: 131334
Reserved: 0
lpSecurityAttributes: 00000000
dwOptions: 0
lpdwDisposition: 008CE434
Ret: 0
[RegSetValueExW]
lpValueName: Start
Reserved: 0
dwType: 4
cbData: 4
Ret: 0
[RegCreateKeyExW]
hKey: 80000002
lpSubKey: SYSTEM\CurrentControlSet\Services\WdNisSvc
lpClass:
samDesired: 131334
Reserved: 0
lpSecurityAttributes: 00000000
dwOptions: 0
lpdwDisposition: 008CE434
Ret: 0
[RegSetValueExW]
lpValueName: Start
Reserved: 0
dwType: 4
cbData: 4
Ret: 0
[RegOpenKeyExW]
lpValueName: SOFTWARE\Policies\Microsoft\Windows Defender
ulOptions: 0
samDesired: 131103
[RegEnumKeyExW]
lpName: ì☻♦
[RegOpenKeyExW]
lpValueName: Policy Manager
ulOptions: 0
samDesired: 131097
[RegEnumKeyExW]
lpName: ═☻♦
[RegEnumKeyExW]
lpName: Policy Manager
[RegOpenKeyExW]
lpValueName: SOFTWARE\Policies\Microsoft\Windows Defender
ulOptions: 0
samDesired: 131359
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender
ulOptions: 0
samDesired: 131359
[RegDeleteValueW]
lpValueNameDisableAntiSpyware
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender
ulOptions: 0
samDesired: 131359
[RegDeleteValueW]
lpValueNameDisableAntiVirus
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
ulOptions: 0
samDesired: 131359
[RegDeleteValueW]
lpValueNameDisableRealtimeMonitoring
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
ulOptions: 0
samDesired: 131359
[RegDeleteValueW]
lpValueNameDisableAntiSpywareRealtimeProtection
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender
ulOptions: 0
samDesired: 131353
[RegQueryValueExW]
lpValueName: DisableAntiSpyware
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
ulOptions: 0
samDesired: 131353
[RegQueryValueExW]
lpValueName: DisableRealtimeMonitoring
[RegCreateKeyExW]
hKey: 80000002
lpSubKey: SYSTEM\CurrentControlSet\Services\WinDefend
lpClass:
samDesired: 131334
Reserved: 0
lpSecurityAttributes: 00000000
dwOptions: 0
lpdwDisposition: 008CE834
Ret: 0
[RegSetValueExW]
lpValueName: Start
Reserved: 0
dwType: 4
cbData: 4
Ret: 0
[RegCreateKeyExW]
hKey: 80000002
lpSubKey: SYSTEM\CurrentControlSet\Services\WdFilter
lpClass:
samDesired: 131334
Reserved: 0
lpSecurityAttributes: 00000000
dwOptions: 0
lpdwDisposition: 008CE434
Ret: 0
[RegSetValueExW]
lpValueName: Start
Reserved: 0
dwType: 4
cbData: 4
Ret: 0
[RegCreateKeyExW]
hKey: 80000002
lpSubKey: SYSTEM\CurrentControlSet\Services\WdNisDrv
lpClass:
samDesired: 131334
Reserved: 0
lpSecurityAttributes: 00000000
dwOptions: 0
lpdwDisposition: 008CE434
Ret: 0
[RegSetValueExW]
lpValueName: Start
Reserved: 0
dwType: 4
cbData: 4
Ret: 5
[RegCreateKeyExW]
hKey: 80000002
lpSubKey: SYSTEM\CurrentControlSet\Services\WdNisSvc
lpClass:
samDesired: 131334
Reserved: 0
lpSecurityAttributes: 00000000
dwOptions: 0
lpdwDisposition: 008CE434
Ret: 0
[RegSetValueExW]
lpValueName: Start
Reserved: 0
dwType: 4
cbData: 4
Ret: 5
[RegCreateKeyExW]
hKey: 80000002
lpSubKey: SYSTEM\CurrentControlSet\Services\WinDefend
lpClass:
samDesired: 131334
Reserved: 0
lpSecurityAttributes: 00000000
dwOptions: 0
lpdwDisposition: 008CE834
Ret: 0
[RegSetValueExW]
lpValueName: Start
Reserved: 0
dwType: 4
cbData: 4
Ret: 5
[RegOpenKeyExW]
lpValueName: SOFTWARE\Policies\Microsoft\Windows Defender
ulOptions: 0
samDesired: 131103
[RegEnumKeyExW]
lpName: ]☻♦
lpValueName: DisableAntiSpyware
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
ulOptions: 0
samDesired: 131353
[RegQueryValueExW]
lpValueName: DisableRealtimeMonitoring
[CreateProcessW]
lpCommandLine: "C:\j\bin\dControl\w11 fix\dfControl.exe" /EXP |6324|
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ulOptions: 0
samDesired: 131353
[RegEnumValueW]
lpValueName: h.°$
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ulOptions: 0
samDesired: 131353
[RegQueryValueExW]
lpValueName: SecurityHealth
[RegQueryValueExW]
lpValueName: SecurityHealth
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run
ulOptions: 0
samDesired: 131359
[RegDeleteValueW]
lpValueNameSecurityHealth
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ulOptions: 0
samDesired: 131353
[RegEnumValueW]
lpValueName: h.°$rityHealth
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ulOptions: 0
samDesired: 131353
[RegQueryValueExW]
lpValueName: Riot Vanguard
[RegQueryValueExW]
lpValueName: Riot Vanguard
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ulOptions: 0
samDesired: 131353
[RegEnumValueW]
lpValueName: h.°$ Vanguard
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpcmdrun.exe
ulOptions: 0
samDesired: 131359
[RegEnumKeyExW]
lpName: ♣☻♦
[RegOpenKeyExW]
lpValueName: SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpcmdrun.exe
ulOptions: 0
samDesired: 131359
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpcmdrun.exe
ulOptions: 0
samDesired: 131353
[CreateProcessW]
lpCommandLine: C:\Program Files\Windows Defender\mpcmdrun.exe -wdenable
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
ulOptions: 0
samDesired: 131353

Conclusion

Well thats all there is to disabling defender... TLDR: We gain TrustedInstaller permission, disable the windefend service and modify the registries & make calls to the wmi to our hearts content.

Relevant links: