# defender-control

currently a work in progress - feel free to come back to check on any updates

## what is this project?

We all know that disabling Windows Defender by hand is a pain, going through countless registry keys.

The next easiest solution is to use freeware, and currently the most popular one is by sordum. (I won't link it here - you can find it as the first Google result.)

However, I was initially wary of this program and its VirusTotal detections, although they are claimed to be false positives.

But I know that this program has worked well for me and friends in the past.

So for those who prefer open source, I took this program apart and did the research to disable Windows Defender in an easy, open-source manner without having to worry about running malware.

## reversal

Our tools of choice for this task are IDA and x64dbg.

First we inspect the strings and look for anything interesting.

Strings seem to be hidden in this one, so I will use two different approaches.

The first is to hook the registry functions and log their arguments, since I know for a fact after looking at the imports that this program works by writing to the relevant registry keys.

The second method is to set a breakpoint on each registry function in x64dbg and look at the strings at runtime.

I did eventually come up with a third method, which is to let Procmon record everything while you debug the program - but I'll leave that as an exercise for another day.

## x64 Debug

### disabling defender

If we break on RegSetKeyValue, the program writes to "DisableAntiSpyware", a value we can look up on the internet.

The registry path "Software\\Policies\\Microsoft\\Windows Defender" shows up many times.

It is found under the parent key HKLM64, i.e. the 64-bit view of HKEY_LOCAL_MACHINE.

```text
008CE9E8 043DCA88 L"HKLM64"
...
008CEA08 043DCBC0 L"SOFTWARE\\Policies\\Microsoft\\Windows Defender"
```

The second breakpoint leads us here:

```text
008CE8F0 043DCFE8 L"HKLM64"
...
008CE910 043DD120 L"SYSTEM\\CurrentControlSet\\Services\\WinDefend"
```

So, taking a look at the registry key SYSTEM\\CurrentControlSet\\Services\\WinDefend and cross-referencing back to x64dbg, we notice this:

`76122F7F | 397D 0C | cmp dword ptr ss:[ebp+C],edi | [ebp+C]:L"Start"`

It appears that writing 0x03 to the Start value disables Windows Defender, while 0x02 enables it.

A quick Google search brings us here: https://answers.microsoft.com/en-us/protect/forum/protect_defender-protect_start-windows_10/how-to-disable-windows-defender-in-windows-10/b834d36e-6da8-42a8-85f6-da9a520f05f2

The next one is also in HKLM:

```asm
76122FF0 | 8945 CC | mov dword ptr ss:[ebp-34],eax | [ebp-34]:L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run"
76122FF3 | 66:8B01 | mov ax,word ptr ds:[ecx] | ecx:&L"SecurityHealth"
```

The SecurityHealth entry seems to be set to 3, i.e. off.

Now we will look at RegCreateKey.

There seems to be a registry key opened at:

```text
EDX : 043DCD78 L"SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection"
EIP : 7591E420 <advapi32.RegCreateKeyExW>
```

However, no further functions hit a breakpoint, so let's inspect the key directly.

We have two values set:

- DisableRealtimeMonitoring as a REG_DWORD set to 0x01
- DpaDisabled as a REG_DWORD set to 0x0

Another key is opened here:

```text
008CEFF8 043EB4C8 L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run"
```
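
From the defender's side, the same four locations are what you would audit on a host to see whether this kind of tool has been run. The following is an added Python audit script (my own, not the tool's code) that reads the values named in this section from the 64-bit view of HKLM and reports which ones are in the "off" state; the check names, the use of winreg, and treating Start = 4 (SERVICE_DISABLED) the same as the 3 observed above are my assumptions.

```python
"""Audit the registry locations identified above and flag the values
that indicate Defender was switched off. Added example, not part of
the tool: winreg is used only on Windows; assess() is pure and runs
anywhere, so it can be tested against captured values."""
try:
    import winreg                      # Windows only
except ImportError:                    # keep the module importable elsewhere
    winreg = None

# (subkey under HKLM, value name) pairs taken from the analysis above.
CHECKS = {
    "policy_disable": (r"SOFTWARE\Policies\Microsoft\Windows Defender", "DisableAntiSpyware"),
    "service_start": (r"SYSTEM\CurrentControlSet\Services\WinDefend", "Start"),
    "rtp_disable": (r"SOFTWARE\Microsoft\Windows Defender\Real-Time Protection", "DisableRealtimeMonitoring"),
    "tray_startup": (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run", "SecurityHealth"),
}

def read_values():
    """Read each value from the 64-bit view of HKLM (HKLM64 in the dumps above);
    a missing key or value is reported as None."""
    if winreg is None:
        raise RuntimeError("winreg unavailable: not running on Windows")
    found = {}
    for name, (path, value) in CHECKS.items():
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path, 0,
                                winreg.KEY_READ | winreg.KEY_WOW64_64KEY) as key:
                found[name] = winreg.QueryValueEx(key, value)[0]
        except OSError:
            found[name] = None
    return found

def assess(values):
    """Return the check names whose value is in the 'Defender off' state."""
    findings = []
    if values.get("policy_disable") == 1:       # DisableAntiSpyware = 1
        findings.append("policy_disable")
    if values.get("service_start") in (3, 4):   # 3 seen above; 4 = SERVICE_DISABLED
        findings.append("service_start")
    if values.get("rtp_disable") == 1:          # DisableRealtimeMonitoring = 1
        findings.append("rtp_disable")
    tray = values.get("tray_startup")           # REG_BINARY, first byte 03 = off
    if isinstance(tray, (bytes, bytearray)) and tray[:1] == b"\x03":
        findings.append("tray_startup")
    return findings

if __name__ == "__main__":
    print(assess(read_values()) if winreg else "not on Windows: nothing to read")
```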

### enabling defender

There seems to be a reference to "Policy Manager" via RegEnumKeyExW.

It also appears to call RegDeleteValueW on the SecurityHealth value (see above).

## reversing w hooks

We are going to write a simple DLL to inject into Defender Control that dumps the parameters of the registry functions we are interested in.

Here are the logs:

```text
obtained RegDeleteKeyW from 75A60000
obtained RegDeleteValueW from 75A60000
obtained RegEnumValueW from 75A60000
obtained RegSetValueExW from 75A60000
obtained RegCreateKeyExW from 75A60000
obtained RegConnectRegistryW from 75A60000
obtained RegEnumKeyExW from 75A60000
obtained RegQueryValueExW from 75A60000
obtained RegOpenKeyExW from 75A60000
imports resolved
preparing to hook

Registry Routine to check if defender activated:

[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
[RegQueryValueExW]
lpValueName: DisableRealtimeMonitoring
[RegQueryValueExW]
lpValueName: DisableRealtimeMonitoring
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
[RegQueryValueExW]
lpValueName: C:\Program Files (x86)\DefenderControl\dControl.exe

Routine to disable defender

[RegCreateKeyExW]
lpSubKey: SOFTWARE\Policies\Microsoft\Windows Defender
[RegSetValueExW]
lpValueName: DisableAntiSpyware
[RegCreateKeyExW]
lpSubKey: SOFTWARE\Microsoft\Windows Defender
[RegCreateKeyExW]
lpSubKey: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender
[RegQueryValueExW]
lpValueName: DisableAntiSpyware
[RegQueryValueExW]
lpValueName: DisableAntiSpyware
[RegCreateKeyExW]
lpSubKey: SYSTEM\CurrentControlSet\Services\WinDefend
[RegSetValueExW]
lpValueName: Start
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[RegQueryValueExW]
lpValueName: SecurityHealth
[RegQueryValueExW]
lpValueName: SecurityHealth
[RegCreateKeyExW]
lpSubKey: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run
[RegSetValueExW]
lpValueName: SecurityHealth
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[RegEnumValueW]
lpValueName: SecurityHealth
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
[RegQueryValueExW]
lpValueName: DisableRealtimeMonitoring
[RegQueryValueExW]
lpValueName: DisableRealtimeMonitoring
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
[RegQueryValueExW]
lpValueName: C:\Program Files (x86)\DefenderControl\dControl.exe

Routine to enable defender

[RegOpenKeyExW]
lpValueName: SOFTWARE\Policies\Microsoft\Windows Defender
[RegOpenKeyExW]
lpValueName: Policy Manager
[RegOpenKeyExW]
lpValueName: SOFTWARE\Policies\Microsoft\Windows Defender
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender
[RegQueryValueExW]
lpValueName: DisableAntiSpyware
[RegQueryValueExW]
lpValueName: DisableAntiSpyware
[RegOpenKeyExW]
lpValueName: SOFTWARE\Policies\Microsoft\Windows Defender
[RegOpenKeyExW]
lpValueName: SOFTWARE\Policies\Microsoft\Windows Defender
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender
[RegQueryValueExW]
lpValueName: DisableAntiSpyware
[RegQueryValueExW]
lpValueName: DisableAntiSpyware
[RegOpenKeyExW]
lpValueName: SYSTEM\CurrentControlSet\Services\SecLogon
[RegQueryValueExW]
lpValueName: Start
[RegQueryValueExW]
lpValueName: Start
[RegOpenKeyExW]
lpValueName: SOFTWARE\Policies\Microsoft\Windows Defender
[RegOpenKeyExW]
lpValueName: Policy Manager
[RegOpenKeyExW]
lpValueName: SOFTWARE\Policies\Microsoft\Windows Defender
[RegOpenKeyExW]
lpValueName: Policy Manager
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender
[RegQueryValueExW]
lpValueName: DisableAntiSpyware
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
[RegQueryValueExW]
lpValueName: DisableRealtimeMonitoring
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[RegEnumValueW]
lpValueName: SecurityHealth
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[RegQueryValueExW]
lpValueName: SecurityHealth
[RegQueryValueExW]
lpValueName: SecurityHealth
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run
[RegDeleteValueW]
lpValueNameSecurityHealth
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[RegEnumValueW]
lpValueName: SecurityHealth
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[RegQueryValueExW]
lpValueName: WindowsDefender
[RegQueryValueExW]
lpValueName: WindowsDefender
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[RegEnumValueW]
lpValueName: WindowsDefender
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
[RegQueryValueExW]
lpValueName: DisableRealtimeMonitoring
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
[RegQueryValueExW]
lpValueName: C:\Program Files (x86)\DefenderControl\dControl.exe
<also redacted a bunch of stuff from policy manager stuff>
```

So by analyzing these logs, it seems that the program checks whether Defender is enabled by reading this key and value:

```text
SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
DisableRealtimeMonitoring
```

When it disables the AV it modifies these registry keys:

```text
[RegCreateKeyExW]
lpSubKey: SOFTWARE\Policies\Microsoft\Windows Defender
[RegSetValueExW]
lpValueName: DisableAntiSpyware
[RegCreateKeyExW]
lpSubKey: SOFTWARE\Microsoft\Windows Defender
[RegCreateKeyExW]
lpSubKey: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
[RegCreateKeyExW]
lpSubKey: SYSTEM\CurrentControlSet\Services\WinDefend
[RegSetValueExW]
lpValueName: Start
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[RegQueryValueExW]
lpValueName: SecurityHealth
[RegCreateKeyExW]
lpSubKey: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run
[RegSetValueExW]
lpValueName: SecurityHealth
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[RegEnumValueW]
lpValueName: SecurityHealth
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
[RegQueryValueExW]
lpValueName: DisableRealtimeMonitoring
```
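
The reduction above (which keys are written versus merely read) can be done mechanically. Here is an added Python helper, not part of the project, that parses the hook log format shown in this section and attributes every Set/Query/Delete to the key most recently opened or created; that attribution is an assumption, since the hook does not log handles. The sample log is a constructed excerpt that also reproduces the log's one malformed `lpValueNameSecurityHealth` line.

```python
import re
from collections import defaultdict

# Constructed excerpt of the hook log above; the last line reproduces its malformed entry.
SAMPLE_LOG = r"""
[RegCreateKeyExW]
lpSubKey: SOFTWARE\Policies\Microsoft\Windows Defender
[RegSetValueExW]
lpValueName: DisableAntiSpyware
[RegCreateKeyExW]
lpSubKey: SYSTEM\CurrentControlSet\Services\WinDefend
[RegSetValueExW]
lpValueName: Start
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
[RegQueryValueExW]
lpValueName: DisableRealtimeMonitoring
[RegOpenKeyExW]
lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run
[RegDeleteValueW]
lpValueNameSecurityHealth
"""
KEY_OPENERS = {"RegCreateKeyExW", "RegOpenKeyExW"}
WRITERS = {"RegSetValueExW", "RegDeleteValueW", "RegDeleteKeyW"}
READERS = {"RegQueryValueExW", "RegEnumValueW", "RegEnumKeyExW"}
API_LINE = re.compile(r"\[(\w+)\]")
ARG_LINE = re.compile(r"(lpSubKey|lpValueName):?\s*(.*)")  # tolerates the missing ':'

def parse_events(log):
    """Yield (api, argument) pairs from '[Api]' lines followed by 'lpXxx: value' lines."""
    api = None
    for line in log.splitlines():
        if m := API_LINE.fullmatch(line.strip()):
            api = m.group(1)
        elif (m := ARG_LINE.fullmatch(line.strip())) and api:
            yield api, m.group(2)
            api = None

def summarize(log):
    """Group value names under the key most recently opened/created
    (assumption: the hook logs no handles, so the last path seen is used)."""
    current_key = None
    summary = {"writes": defaultdict(set), "reads": defaultdict(set)}
    for api, arg in parse_events(log):
        if api in KEY_OPENERS:
            current_key = arg
        elif api in WRITERS and current_key:
            summary["writes"][current_key].add(arg)
        elif api in READERS and current_key:
            summary["reads"][current_key].add(arg)
    return {kind: dict(keys) for kind, keys in summary.items()}
```

Running `summarize` over the full log above yields the same write set the text lists by hand, plus the read-only keys (Exclusions\Paths, CurrentVersion\Run) that the tool only inspects.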

### Dumping VTable Calls


To enable the AV, we just do the opposite of what we did to disable it.

Upon re-enabling the AV, the program also calls CreateProcessW on C:\Windows\System32\SecurityHealthSystray.exe

## Windows Tamper Protection

But there's a catch. Since a recent Windows update you can no longer disable Defender through the registry alone. Our program runs completely in user mode, so there must be another way it is making these changes - most likely the same path the PowerShell cmdlet Set-MpPreference takes, if we do some research into how that cmdlet changes the configuration. So we will need to take a peek at the WMI API it accesses.

Luckily for us, all of this is documented. Check out these two links:

- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2019-ps
- https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-c---application-examples

So, since it is kind of difficult to debug the values DefenderControl accesses and this stuff is pretty well documented, we are going to base our work on research.

I first wanted to see how PowerShell implements the command, so I looked through the PowerShell GitHub repository (since it is open source) and found that the cmdlet is not defined in that repository. So after reading up on some PowerShell commands I dumped the cmdlet information using this:

```powershell
Get-Command Set-MpPreference | fl
```

If we want to read the MSFT_MpPreference class, it is documented here:

https://docs.microsoft.com/en-us/previous-versions/windows/desktop/legacy/dn455323(v=vs.85)#requirements

We can access it via PowerShell like so (Get-CimInstance is the cmdlet that takes -ClassName and returns the CimClass properties shown further down; Get-WmiObject takes -Class instead):

```powershell
Get-CimInstance -ClassName MSFT_MpPreference -Namespace root/microsoft/windows/defender
```

If we look further, we can write to this class through WMI as I suspected; it is documented here:

https://docs.microsoft.com/en-us/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal

We can find the specific WMI/CIM class behind the cmdlet with the following command:

```powershell
Get-MpPreference | fl *
```

We get an output, and the part we are interested in is this:

```text
CimClass              : root/Microsoft/Windows/Defender:MSFT_MpPreference
CimInstanceProperties : {AllowDatagramProcessingOnWinServer, AllowNetworkProtectionDownLevel,
                        AllowNetworkProtectionOnWinServer,
                        AttackSurfaceReductionOnlyExclusions...}
CimSystemProperties   : Microsoft.Management.Infrastructure.CimSystemProperties
```

The CimSystemProperties class is documented here: https://docs.microsoft.com/en-us/dotnet/api/microsoft.management.infrastructure.cimsystemproperties?view=powershellsdk-7.0.0

The corresponding reference assembly is also shipped with Windows under the following path: C:\Program Files (x86)\Reference Assemblies\Microsoft\WMI\v1.0