An open-source windows defender manager. Now you can disable windows defender permanently.

defender-control

An open-source windows defender manager

what is this project?

We all know that disabling Windows Defender is a pain, going through countless registry keys.
The next easiest solution is to use freeware, and currently the most popular one is by Sordum (I won't link it here; you can find it in the first Google result). However, I was initially wary of this program and its VirusTotal detections, although they are claimed to be false positives. But I know that this program has worked well for me and friends in the past.

My second suspicion about this program was the fact that it connected to the internet using a few of the imported functions. However, after some debugging it seemed to be safe.

But for those who like open source, I took apart this program to put together a PoC to disable Windows Defender without having to worry about installing malware.

reversal

Our tools of choice for this task are IDA and x64dbg.
First we inspect the strings and look for anything interesting.
The strings seem to be hidden in this one, so I will use two different approaches.
The first is to hook the registry functions and log their arguments: after looking at the imports, I know
for a fact that this program works by writing to the relevant registry keys.

The second method is to set a breakpoint on each registry function in x64dbg and look at the strings at runtime.

disabling defender

x64dbg

If we break on RegSetKeyValue, the program writes "DisableAntiSpyware", a value name we can research on the internet.
It shows up many times together with the following registry key: "Software\Policies\Microsoft\Windows Defender".
It is found under the parent key HKLM64, which appears to be the program's own name for the 64-bit view of HKEY_LOCAL_MACHINE.

008CE9E8  043DCA88  L"HKLM64"
008CE9EC  00000006  
008CE9F0  00000008  
008CE9F4  043DCAB0  
008CE9F8  043DCA60  
008CE9FC  00000000  
008CEA00  00000008  
008CEA04  043DC950  
008CEA08  043DCBC0  L"SOFTWARE\\Policies\\Microsoft\\Windows Defender"

The second breakpoint leads us here:

008CE8F0  043DCFE8  L"HKLM64"
008CE8F4  00000006  
008CE8F8  00000008  
008CE8FC  043DD010  
008CE900  043DCFC0  
008CE904  00000000  
008CE908  00000008  
008CE90C  043DCEB0  
008CE910  043DD120  L"SYSTEM\\CurrentControlSet\\Services\\WinDefend"

So, looking at the registry key SYSTEM\CurrentControlSet\Services\WinDefend
and cross-referencing back to x64dbg, we notice this:

76122F7F | 397D 0C | cmp dword ptr ss:[ebp+C],edi | [ebp+C]:L"Start"

The value being written is the service's Start type. It appears that 0x03 disables Windows Defender, while 0x02 enables it: 0x03 is SERVICE_DEMAND_START (manual start), so the WinDefend service is no longer started at boot, 0x02 is SERVICE_AUTO_START, and 0x04 would be SERVICE_DISABLED. A quick Google search brings us here: https://answers.microsoft.com/en-us/protect/forum/protect_defender-protect_start-windows_10/how-to-disable-windows-defender-in-windows-10/b834d36e-6da8-42a8-85f6-da9a520f05f2

The next one is also in HKLM:

76122FF0 | 8945 CC                  | mov dword ptr ss:[ebp-34],eax           | [ebp-34]:L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run"
76122FF3 | 66:8B01                  | mov ax,word ptr ds:[ecx]                | ecx:&L"SecurityHealth"

The SecurityHealth value (the startup entry for the Windows Security tray app) seems to be set to 3, i.e. off: in StartupApproved\Run the first byte of the binary value is the flag, 0x02 meaning the startup entry is enabled and 0x03 meaning it is disabled.

Now we look at RegCreateKey.
A registry key is opened at:

EDX : 043DCD78     L"SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection"
EIP : 7591E420     <advapi32.RegCreateKeyExW>

However, no further functions hit their breakpoints, so let's inspect the key directly.

We find two values set here: DisableRealtimeMonitoring as a REG_DWORD set to 0x01, and DpaDisabled as a REG_DWORD set to 0x0.

Another key is opened here:

008CEFF8  043EB4C8  L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run"

enabling defender

There seems to be a reference to "Policy Manager" using RegEnumKeyExW.

It seems to call RegDeleteValueW on SecurityHealth (see above), removing the startup override that was set in the disabling path.
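Pulling the "disabling defender" and "enabling defender" findings above together, here is an added PowerShell example (not code from this repository or from the reversed program) that audits a host for the exact registry state the tool was observed writing and, optionally, reverts it. The function names, the $Indicators table and the choice to treat SERVICE_DEMAND_START (3) as the "disabled" Start value are this example's own assumptions; the keys, value names and values are the ones listed in this README. Run it from an elevated PowerShell.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the defender-control repository.
# Audits (and optionally reverts) the registry writes this README observed the
# reversed tool making. $Indicators and the function names are this example's own.

# Each entry: key, value name, and the value the tool writes to turn Defender off.
$Indicators = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';                 Name = 'DisableAntiSpyware';         Disabled = 1 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend';                  Name = 'Start';                      Disabled = 3 } # 2 = SERVICE_AUTO_START
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection';      Name = 'DisableRealtimeMonitoring';  Disabled = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run'; Name = 'SecurityHealth'; Disabled = 3 } # first byte of the REG_BINARY
)

function Get-DefenderTamperState {
    # Read-only: reports each indicator's current value and whether it matches the "disabled" state.
    foreach ($i in $Indicators) {
        $current = $null
        $item = Get-ItemProperty -Path $i.Path -Name $i.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $raw = $item.($i.Name)
            # StartupApproved\Run holds a REG_BINARY whose first byte is the flag (0x02 on, 0x03 off);
            # the other three are plain REG_DWORDs.
            $current = if ($raw -is [byte[]]) { [int]$raw[0] } else { [int]$raw }
        }
        [pscustomobject]@{
            Key      = $i.Path
            Name     = $i.Name
            Current  = $current
            Tampered = ($null -ne $current -and $current -eq $i.Disabled)
        }
    }
}

function Restore-DefenderState {
    # Reverses the observed writes: drop the policy value, set the service back to
    # auto-start, re-enable real-time monitoring, and delete the SecurityHealth
    # override (the README notes the tool's own enable path calls RegDeleteValueW on it).
    Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name 'DisableAntiSpyware' -ErrorAction SilentlyContinue
    Set-ItemProperty    -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend' -Name 'Start' -Value 2 -Type DWord
    Set-ItemProperty    -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection' -Name 'DisableRealtimeMonitoring' -Value 0 -Type DWord
    Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run' -Name 'SecurityHealth' -ErrorAction SilentlyContinue
}

# Usage: audit first; call Restore-DefenderState only if you want the "enable" path applied.
Get-DefenderTamperState | Format-Table -AutoSize
```

The audit reads the 64-bit registry view, which is what the HKLM64 strings above refer to. One caveat for anyone trying this today: on current Windows 10 and 11 builds, Defender's Tamper Protection ignores DisableAntiSpyware and resets the Real-Time Protection values, and the WinDefend service key is normally not writable even by an elevated administrator, so Restore-DefenderState can fail on those values there; the read-only audit still works and is the useful part for a defender looking for this kind of tampering.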