Windows Defender… There is so much pain in that word. Most likely, if you were even remotely connected with the spread of VPO – this antivirus has already managed to cause you a lot of inconvenience. Having the most extensive cloud base in the world, AV could not remain without the attention of cryptographers and malware, in the interests of each of whom it was in the interests to bypass it. The most primitive idea that came to everyone was to try to take down the antivirus at the root. However, the system itself prevents this, it won’t work that easily. They made it clear that this is possible through the use of “Set-Preference”. Unfortunately, due to the widespread use of the script, it is impossible to pull off this trick in the realities of proactive protection. … and actually, that’s it. This ends all the superficial information about how to disable the Defender.
In this article, I would like to talk about a method that is already known to many users, but has not been widely publicized to this day. We will talk about Privilege Tokens and manipulating them in order to disable Windows Defender.
CHAPTER 1: PREPARATION
Let’s start, as expected, with a tedious theory. Unfortunately, without it, the essence of what is happening in the future will not be clear, so I will try to tell you as briefly as possible and in an understandable language.
Privilege tokens are permissions given by the system to a process. For example, if a process has a “SeShutdownPrivilege” token, then it has the right to turn off your computer. If your program does not have this token, it will not be able to perform this action.
Windows Defender uses its privileges to check files. For example, “SeRestorePlivilege”. From this, we conclude that if you deprive the antivirus process of permission to check files, it will become useless and will not be able to perform this very check. Any explanation will become clearer if you translate it from dry text into visualization. Actually, for this reason, I suggest you download Process Hacker and look with your own eyes at the tokens available to a particular process.
Windows Defender is responsible for the process MsMpEng.exe we need to find it in the list and open the Tokens tab Here we notice that the process has many different privileges that are of key importance to it.
As you understand, we will deal with disabling these privileges. This concludes the theoretical part, and we begin to implement the POC.
At the very start, we are already plagued by two problems.
The process MsMpEng.exe it is run on behalf of System. To edit its tokens, we need to have an “NT AUTHORITY\SYSTEM” user
To get a SYSTEM, we will need to upgrade, which in turn occurs only from the administrator level.
The solution is the following scheme :
Yes, yes, we will have to restart the process as many as 2 times to get all the necessary rights.
We get administrator rights using UAC Bypass.
And then we get the SYSTEM level by stealing the token and starting our process with the stolen token.
Well, let’s start creating it.
CHAPTER 2: RAISING THE RIGHTS
There are a lot of UAC bypass implementations, you can choose any one that suits you. In this article, I will use the most common method through editing the registry.
Its essence is that the system application computerdefaults.exe , at startup, accesses regedit , in the path “Software\Classes\ms-settings\shell\open\command”. Our task is to edit this item on your application. Now at startup computerdefaults.exe our application opens, but with administrator rights. Edit the registry and add the application launch via cmd.
```
string execPath = Assembly.GetEntryAssembly().Location;
Registry.CurrentUser.CreateSubKey("Software\\Classes\\ms-settings\\shell\\open\\command");
Registry.CurrentUser.CreateSubKey("Software\\Classes\\ms-settings\\shell\\open\\command").SetValue("", execPath, RegistryValueKind.String);
Registry.CurrentUser.CreateSubKey("Software\\Classes\\ms-settings\\shell\\open\\command").SetValue("DelegateExecute", 0, RegistryValueKind.DWord);
Registry.CurrentUser.Close();
Process process = new System.Diagnostics.Process();
ProcessStartInfo startInfo = new System.Diagnostics.ProcessStartInfo();
startInfo.WindowStyle = System.Diagnostics.ProcessWindowStyle.Hidden;
startInfo.FileName = "cmd.exe";
startInfo.Arguments = @"/C computerdefaults.exe";
process.StartInfo = startInfo;
process.Start();```Actually, at this stage we have already launched our process as administrator, without any warnings or icons on the icon.
CHAPTER 2.1: I AM THE SYSTEM!
As already mentioned, the Windows Defender process is running on behalf of NT AUTHORITY\SYSTEM.
Being a normal process, we cannot edit a process running on behalf of the system.
To explain what happened in a nutshell: Windows has a process like winlogon, it runs with the system and is responsible for user authorization. We will duplicate the token of this process and run our own program with the stolen token.
OpenProcessToken() — Open the process token with the TOKEN_DUPLICATE access level (we get the token handle at the output)
STARTUPINFO — Set the parameters for starting the process
DuplicateTokenEx() — Duplicate the token with winlogon and write it down
CreateProcessWithTokenW() — Starting our process .exe with a token stolen from winlogon
Congratulations, you are great
Let’s make an interim result:
We forced our program to run as SYSTEM, while bypassing UAC.
Then, a UAC bypass is applied and a second process with elevated rights is opened
The second process, in turn, launches the last .exe, which has both administrator rights and is run on behalf of the system.
At this point, we have fulfilled all the conditions for editing the privileges of the system process and are ready to implement disabling Windows Defender.
CHAPTER 3: DISABLE ANTI-VIRUS
Let’s go back to the theoretical chapter of the article for a second and remember why we actually made all these upgrades. Our task is to deprive the antivirus process of privileges, thanks to which it can check files for malware.
There are two ways to solve this problem: Remove the entire list of privileges manually. Or set the Integrity Level to “Untrusted”.
During the tests, it was found that both of these solutions are interchangeable and will lead to the same result.
Therefore” we will take the path of less resistance and set the Integrity Level “Untrusted”.
Like you in the previous steps, we will use the diagram to explain the next steps.
Actually, the algorithm of actions is as follows :
OpenProcess() – get the handle of the process with access to “QueryLimitedInformation”
OpenProcessToken() – Open the process token with the access level
TOKEN_ALL_ACCESS TOKEN_MANDATORY_LABEL – fill in the structure that we will install in the process token
ConvertStringSidToSid() – get the SID of the “ML_UNTRUSTED” parameter
StructureToPtr() – we bring the structure into the format necessary for work
SetTokenInformation() – Setting the “Untrusted” trust level on our process.
The SID value of ”ML_UNTRUSTED” can be found in the Microsoft documentation, at the link. https://docs.microsoft.com/en-us/op…/ms-dtyp/81d92bba-d22b-4a8c-908a-554ab29148ab
Actually, this is the end of all the actions that we needed to do to remove privileges from the process.
So, let’s ask ourselves the rhetorical question “Why did I do this?”
The method of deleting WD via a script is dead. The method I presented in this article can currently be implemented without defects (!!!)
This method does not cut the Antivirus from the system, it simply prohibits it from performing its functions. The user will not be suspicious of a sudden notification from the system about a disabled antivirus. The user will not see any icons on the panel. There will be no changes for him, he will not even suspect the fact that his system has been left unprotected.
A similar trick can be tried with other Antiviruses, in the article Defender is taken as the most common.
The disadvantages of this idea:
We need Administrator rights (as well as for other methods, but come on). If the user has them, we work around this problem through the UAC Bypass
Privilege tokens are re-issued to the process after the system is restarted. Therefore, if your virus remains in the system for a long time, add disabling WD to the startup
After carefully rereading the entire list of pros and cons, I come to the conclusion that this method has every chance of being used in combat.
Its main advantage is that the method is not burned by the Defender itself and will not be demolished when it hits the system.
Disable WD.zip archive with C sources#
Silent.a ZIP archive containing a pre-compiled .exe file that you can download along with the virus. It is completely invisible, runs without a console and disappears from the task manager.
