

Rebuild of setup
Can't seem to get a handle on `HKLM\SOFTWARE\Microsoft\Windows Defender\Spynet`, which I would imagine is a defensive feature to prevent disabling of Defender's configurations.
matterpreter committed Apr 12, 2019
1 parent 4dd0e3e commit a164a27
Showing 1 changed file with 13 additions and 52 deletions.
65 changes: 13 additions & 52 deletions DefenderCheck/DefenderCheck/Program.cs
Expand Up @@ -3,7 +3,6 @@
using System.ComponentModel;
using System.Diagnostics;
using System.IO;
using System.Security.Principal;
using System.Text;

namespace DefenderCheck
Expand All @@ -12,7 +11,7 @@ class Program
{
static void Main(string[] args)
{
//Setup();
Setup();
bool debug = false;
if (args.Length == 2 && args[1].Equals("--debug"))
{
Expand All @@ -23,14 +22,11 @@ static void Main(string[] args)
string originalFileDetectionStatus = Scan(targetfile).ToString();
if (originalFileDetectionStatus.Equals("NoThreatFound"))
{
if (debug) { Console.WriteLine("Scanning the whole file first"); }
Console.WriteLine("[+] No threat found in submitted file!");
Environment.Exit(0);
}

if (!Directory.Exists(@"C:\temp"))
{
Console.WriteLine(@"[-] C:\Temp\ doesn't exist. Creating it.");
Directory.CreateDirectory(@"C:\Temp");
}
string testfilepath = @"C:\Temp\testfile.exe";
byte[] originalfilecontents = File.ReadAllBytes(targetfile);
int originalfilesize = originalfilecontents.Length;
Expand Down Expand Up @@ -64,58 +60,23 @@ static void Main(string[] args)
}
}

public static void Setup() //Not implementing this as the registry read function is broken
public static void Setup()
{
object autoSampleSubmitOrigValue;
object realtimeProtectionOrigValue;

RegistryKey autoSampleSubmit = Registry.LocalMachine.OpenSubKey(@"SOFTWARE\Microsoft\Windows Defender\Spynet", true);
autoSampleSubmitOrigValue = autoSampleSubmit.GetValue("SubmitSamplesConsent");
if (autoSampleSubmitOrigValue.Equals(1))
RegistryKey defenderService = Registry.LocalMachine.OpenSubKey(@"SOFTWARE\Policies\Microsoft\Windows Defender");
object defenderServiceValue = defenderService.GetValue("DisableAntiSpyware");
if (!defenderServiceValue.Equals(0)) //This is the case in situations like Commando
{
if (!IsAdmin())
{
Console.WriteLine("[-] Automatic sample submission is enabled. Either run this program as an admin or disable it manually.");
Environment.Exit(1);
}
else
{
Console.WriteLine("[-] Automatic sample submission is enabled. Disabling via the registry...");
autoSampleSubmit.SetValue("SubmitSampleConstent", 0);
}
Console.WriteLine("[-] The defender antispyware service is not enabled, so MpCmdRun will fail. Exiting...");
Environment.Exit(1);
}
autoSampleSubmit.Close();
defenderService.Close();

RegistryKey realtimeProtection = Registry.LocalMachine.OpenSubKey(@"SOFTWARE\Microsoft\Windows Defender\Real-Time Protection", true);
realtimeProtectionOrigValue = realtimeProtection.GetValue("DisableRealtimeMonitoring");
if (realtimeProtectionOrigValue.Equals(0))
if (!Directory.Exists(@"C:\temp"))
{
if (!IsAdmin())
{
Console.WriteLine("[-] Real-time protection is enabled. Either run this program as an admin or disable it manually.");
Environment.Exit(1);
}
else
{
Console.WriteLine("[-] Real-time protection is enabled. Disabling via the registry...");
realtimeProtection.SetValue("DisableRealtimeMonitoring", 1);
}
Console.WriteLine(@"[-] C:\Temp\ doesn't exist. Creating it.");
Directory.CreateDirectory(@"C:\Temp");
}
realtimeProtection.Close();
}

public static bool IsAdmin()
{
WindowsIdentity identity = WindowsIdentity.GetCurrent();
WindowsPrincipal principal = new WindowsPrincipal(identity);
if (principal.IsInRole(WindowsBuiltInRole.Administrator))
{
return true;
}
else
{
return false;
}
}

public static byte[] HalfSplitter(byte[] originalarray, int lastgood) //Will round down to nearest int
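Review bot: The rebuilt Setup() dereferences `defenderService` and `defenderServiceValue` without a null check, but `OpenSubKey` returns null when `SOFTWARE\Policies\Microsoft\Windows Defender` does not exist and `GetValue` returns null when `DisableAntiSpyware` is not set — and an absent policy is the ordinary state in which Defender is enabled and the tool should proceed, so on such a machine `defenderServiceValue.Equals(0)` throws a NullReferenceException before any scan runs. Treat a missing key or value as "not disabled" and exit only when a non-zero DWORD is actually present; a `using` block also disposes the key on every path instead of relying on the trailing `Close()`. The sketch below assumes the project compiles with C# 7 pattern matching; on an older language level replace `is int disabled` with a null test followed by a cast. The `Setup()` call added in Main also now runs before the `args` length check, which is fine for this key-read but worth noting since Main continues outside the hunk.
```csharp
public static void Setup()
{
    // A missing policy key or value means the policy is not applied, i.e. the service is enabled.
    using (RegistryKey defenderService = Registry.LocalMachine.OpenSubKey(@"SOFTWARE\Policies\Microsoft\Windows Defender"))
    {
        object defenderServiceValue = defenderService?.GetValue("DisableAntiSpyware");
        if (defenderServiceValue is int disabled && disabled != 0) //This is the case in situations like Commando
        {
            Console.WriteLine("[-] The defender antispyware service is not enabled, so MpCmdRun will fail. Exiting...");
            Environment.Exit(1);
        }
    }
    // … unchanged: C:\Temp directory creation …
}
```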

