Skip to content

APTortellini/DefenderSwitch

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

11 Commits
DefenderSwitch
DefenderSwitch
 
 
.gitattributes
.gitattributes
 
 
.gitignore
.gitignore
 
 
DefenderSwitch.sln
DefenderSwitch.sln
 
 
README.md
README.md
 
 
defsw.gif
defsw.gif
 
 

Repository files navigation

DefenderSwitch

Stop Windows Defender using the Win32 API

defender switch gif

TL;DR

Even though Defender has a lot of fancy defensive features such as tamper protection, it can still be disabled with the following chain of actions:

  1. enable SeDebugPrivilege;
  2. start the TrustedInstaller service and TrustedInstaller process;
  3. impersonate TrustedInstaller;
  4. open the WinDefend service and stop it;

DefenderSwitch does exactly that through the use of the Win32 API.

DefenderSwitch uses the standard Windows.h header and the WIL library. To install WIL use vcpkg:

C:\vcpkg> .\vcpkg.exe install wil:x86-windows
C:\vcpkg> .\vcpkg.exe install wil:x64-windows

Usage

Spawn a cmd.exe as administrator, then:

C:\Users\last> .\DefenderSwitch.exe -off
C:\Users\last> .\DefenderSwitch.exe -on

Opsec considerations

This tool as it is written is definetely not OPSEC safe. Making it so is left as an exercise to the user :)

About

Stop Windows Defender using the Win32 API

Resources

Readme
Activity
Custom properties

Stars

182 stars

Watchers

2 watching

Forks

40 forks
Report repository

Releases 2

Release x64 - v1.1.0 Latest
Feb 2, 2022
+ 1 release

Packages

 
 
 

Languages