Full Disclosure mailing list archives

Re: [Wired Security/EOF] Disable Windows Defender(Vista) PoC code

From: "Fredrick Diggle" <fdiggle () gmail com>
Date: Sat, 17 May 2008 02:31:50 +1000

Fredrick Diggle's code was signed by Fredrick Diggle himself. How much
more credibility do you want?

On Fri, May 16, 2008 at 7:33 AM,  <skyout.fd () wired-security net> wrote:




On Wed, 14 May 2008 13:49:35 -0700, "Peter Ferrie" <peter.ferrie () gmail com>
wrote:

my friend Izee from the EOF-Project(.net) team has coded a
simple PoC code, that demonstrates how to disable the Windows
Defender on Vista (tested with and without SPs on x86/x64)
using its own API made for it.


Does he realise that he must be Admin first?
Then he he can just disable the service, or delete the files, or

whatever.

Using the API doesn't gain much here.


the thing is, that microsoft says, that ONLY SIGNED processes can do this,
this
is a lie, nothing more and in my oppinion this opens an attack vector and
provides
common insecurity...

cheers,
skyout

ps: http://msdn.microsoft.com/en-us/library/bb762466(VS.85).aspx | read
remarks

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

[Wired Security/EOF] Disable Windows Defender (Vista) PoC code skyout.fd (May 14)
- Re: [Wired Security/EOF] Disable Windows Defender (Vista) PoC code Peter Ferrie (May 14)
  - Re: [Wired Security/EOF] Disable Windows Defender (Vista) PoC code Fredrick Diggle (May 14)
  - Re: [Wired Security/EOF] Disable Windows Defender(Vista) PoC code skyout.fd (May 15)
    - Re: [Wired Security/EOF] Disable Windows Defender(Vista) PoC code Fredrick Diggle (May 16)