Stop Windows Defender programmatically

Comments
  • Operation did not complete successfully because the file contains a virus or potentially unwanted software.

    Compiling and running with VS 2019 displays this? Maybe it's because of the version change?

    ENV:

    • Visual Studio 2019
    • Microsoft Windows NT 10.0.19044.0 (Win10 21H2)
    • .NET 6.0.8
    • DPI 144dpi (150% scaling)
    opened by XMuli 3
  • WinDefend Service: OpenService failed (5)

    Hi there,

    I was trying to execute the StopDefender today and I realized it gets "Access Denied" (5) error when it tries to open WinDefend service. I think Microsoft updated something in Feb '22 because I was able to execute it in the same machine in January. I will write some more details if I can debug the issue. Here is the command output:

    [+] TrustedInstaller already running
    [+] TrustedInstaller Service Started!
    [+] Current user is: x
    [+] Winlogon process found!
    [+] TrustedInstaller process found!
    [+] WINLOGON OpenProcess() success!
    [+] WINLOGON OpenProcessToken() success!
    [+] WINLOGON ImpersonatedLoggedOnUser() success!
    [+] WINLOGON Current user is: SYSTEM
    [+] TRUSTEDINSTALLER OpenProcess() success!
    [+] TRUSTEDINSTALLER OpenProcessToken() success!
    [+] TRUSTEDINSTALLER ImpersonatedLoggedOnUser() success!
    [+] Current user is: SYSTEM
    [+] OpenSCManager success!
    [-] OpenService failed (5)
    [-] TRUSTEDINSTALLER StopDefenderService() Error: 5
    opened by OccamsXor 2
  • StartService failed (1056)

    PS C:\Windows\system32> C:\Users\dev\Desktop\StopDefender.exe
    [+] SeDebugPrivilege enabled!
    [+] OpenSCManager success!
    [-] StartService failed (1056)
    PS C:\Windows\system32> C:\Users\dev\Desktop\StopDefender.exe
    [+] SeDebugPrivilege enabled!
    [+] OpenSCManager success!
    [-] StartService failed (1056)

    windows 10 1909 x64

    opened by wgetnz 2
  • Stop attempt failed ( Error 1052)

    Some test results for everyone's reference

    When "tamper protection" is enabled by default

    OS: Microsoft Windows 10 Enterprise 10.0.19044.2311 21H2

    OS: Microsoft Windows 11 Enterprise 10.0.22000 Build 22000.1281 21H2

    opened by xirotech 1
  • Create LICENSE

    @lab52io Publishing without a license means YOU ARE ONLY SHOWING YOUR CODE, YOU ARE NOT SHARING IT. Open-source is not open-source without a license, so GitHub recommends that a license is added.

    opened by Tyler887 0
Releases (Version 1.1.0)
Owner
lab52.io
Lab52 is the threat intelligence division of S2 Grupo, an international cybersecurity company that offers its services around the world.
Play Doh Windows ACL Tools

PDAcl is a command-line tool that supports setting Windows Active Directory extended permissions, Windows Active Directory standard permissions, and Windows service permissions.

倾旋 61 Oct 30, 2022
This project aims to facilitate debugging a kernel driver in windows by adding support for a code change on the fly without reboot/unload, and more!

BSOD Survivor Tired of always telling yourself when you got a BSOD that what if I could just return to the caller function which caused the BSOD, and

Ido Westler 159 Dec 21, 2022
Exploit for the RpcEptMapper registry key permissions vulnerability (Windows 7 / 2008R2 / 8 / 2012)

Perfusion On Windows 7, Windows Server 2008R2, Windows 8, and Windows Server 2012, the registry key of the RpcEptMapper and DnsCache (7/2008R2 only) s

Clément Labro 397 Jan 3, 2023
CVE-2021-1732 Microsoft Windows 10 local privilege escalation vulnerability research and PoC/Exploit development

CVE-2021-1732 Microsoft Windows 10 local privilege escalation vulnerability research and PoC/Exploit development. Affected systems and application versions: Windows Server, version 20H2 (Server Core Installation), Windows 10

null 74 Nov 9, 2022
Windows user-land hooks manipulation tool.

MineSweeper Windows user-land hooks manipulation tool. Highlights Supports any x64/x86 Windows DLL (actually, any x64/x86 Windows PE for that matter)

Arsenii Pustovit 130 Dec 9, 2022
Orbit, the Open Runtime Binary Instrumentation Tool, is a standalone C/C++ profiler for Windows and Linux

Orbit, the Open Runtime Binary Instrumentation Tool, is a standalone C/C++ profiler for Windows and Linux. Its main purpose is to help developers visualize the execution flow of a complex application.

Google 3k Dec 30, 2022
Windows x64 rootkit

P4tch3r Windows x64 rootkit (tested on Windows 7) It's PoC of patching NtTerminateProcess function by just overwriting instructions catching arguments

null 7 Jul 22, 2022
AlleyWind is an advanced Win32-based and open-sourced utility that helps you to manage system's windows

AlleyWind AlleyWind is an advanced Win32-based and open-sourced utility that helps you to manage system's windows. AlleyWind could: Displays a graphic

KNSoft 22 Oct 20, 2022
WinMerge is an Open Source differencing and merging tool for Windows.

WinMerge is an Open Source differencing and merging tool for Windows. WinMerge can compare both folders and files, presenting differences in a visual text format that is easy to understand and handle.

null 3.7k Jan 1, 2023
x64 Windows PatchGuard bypass, register process-creation callbacks from unsigned code

NoPatchGuardCallback x64 Windows PatchGuard bypass, register process-creation callbacks from unsigned code Read: https://www.godeye.club/2021/05/22/00

Kento Oki 139 Dec 26, 2022
An asynchronous directory file change watcher module for Windows, macOS and Linux wrapped for V

A V module for asynchronously watching for file changes in a directory. The module is essentially a wrapper for septag/dmon. It works for Windows, macOS and Linux.

null 18 Dec 14, 2022
WhyNotWin11 - Detection Script to help identify why your PC isn't Windows 11 ready

Detection Script to help identify why your PC isn't Windows 11 ready

Robert C. Maehl 5.9k Dec 28, 2022
C/C++ Windows Process Injector for Educational Purposes.

ProcessInjector C/C++ Windows Process Injector for Educational Purposes. What does this software do? This is a simple process injector that uses the C

Berat Çağrı Eroğlu 8 May 3, 2022
Find patterns of vulnerabilities on Windows in order to find 0-day and write exploits of 1-days. We use Microsoft security updates in order to find the patterns.

Back 2 the Future Find patterns of vulnerabilities on Windows in order to find 0-day and write exploits of 1-days. We use Microsoft security updates i

SafeBreach Labs 118 Dec 30, 2022
Windows kernel hacking framework, driver template, hypervisor and API written in C++

Windows kernel hacking framework, driver template, hypervisor and API written in C++

Александр 1.3k Jan 4, 2023
simple and efficient screen recording utility for Windows

wcap Simple and efficient screen recording utility for Windows. Get the latest binary here: wcap.exe. Press Ctrl + PrintScreen to start recording the monitor (

Mārtiņš Možeiko 483 Dec 31, 2022
A proof of concept demonstrating instrumentation callbacks on Windows 10 21h1 with a TLS variable to ensure all syscalls are caught.

Instrumentation callbacks are quite a fun undocumented part of Windows. All the code in this repository is released under the MIT license. This repository uses google style C++.

Deputation 60 Dec 26, 2022
minimal msvc-windows exclusive lazy importer for C++

Lazy-Importer minimalistic msvc-windows exclusive lazy importer for C++20 (c++2a) Credits 0x90 (@AmJayden) @gogo9211 What is this? This lazy importer

Jayden 14 Nov 10, 2022
A simple Windows kernel rootkit.

Venom RootKit A simple Windows rootkit that I have written, in order to explore a bit about the world of rootkits and the Windows kernel in general. The Ven

Amit Schendel 64 Oct 9, 2022