defendercheck's People

Contributors

matterpreter avatar

defendercheck's Issues

Unhandled exception

Hello,
any idea about the cause of this error:
PS C:> .\DefenderCheck.exe C:\Temp\mimikatz.exe
Target file size: 1234696 bytes
Analyzing...

[!] Identified end of bad bytes at offset 0x2 in the original file

Unhandled Exception: System.ArgumentException: Offset and length were out of bounds for the array or count is greater than the number of elements from index to the end of the source collection.
at System.Buffer.BlockCopy(Array src, Int32 srcOffset, Array dst, Int32 dstOffset, Int32 count)
at DefenderCheck.Program.HalfSplitter(Byte[] originalarray, Int32 lastgood)
at DefenderCheck.Program.Main(String[] args)

RottenPotato Failed to be detected

So I used your tool to check RottenPotato, and it said the binary looks good to go, but when I scanned it with Windows Defender it detected it...

Unhandled Exception error

Thanks for this excellent tool. This is such a great idea! I'm having issues using it though.
When running this against any files I get the following error:

Unhandled Exception: System.IO.DirectoryNotFoundException: Could not find a part of the path 'C:\Temp\testfile.exe'.
at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
at System.IO.File.InternalWriteAllBytes(String path, Byte[] bytes, Boolean checkHost)
at System.IO.File.WriteAllBytes(String path, Byte[] bytes)
at DefenderCheck.Program.Main(String[] args)

I am running it against payloads in the same folder as the DefenderCheck.exe file; and I have used the following in user and admin priv powershell windows:

.\DefenderCheck.exe binary.exe
.\DefenderCheck.exe c:\gull\path\to\binary.exe

I get the same error no matter what file I run it against and no matter the privileges the PowerShell terminal is opened under. Thanks for your help with this!

Unhandled Exception

Thanks for this amazing tool. I tested it yesterday. Thank you for your help.

C:\Users\DefenderCheck\DefenderCheck\DefenderCheck\bin\Release>DefenderCheck.exe
Unhandled Exception: System.NullReferenceException: The object reference was not set to an instance of the object.
    In the DefenderCheck.Program.Setup() location C:\Users\DefenderCheck\DefenderCheck\DefenderCheck\Program.cs: line number 65
    In the DefenderCheck.Program.Main(String[] args) location C:\Users\DefenderCheck\DefenderCheck\DefenderCheck\Program.cs: line number 14

windows:1809
vs:2015
.net:4.7.2

File splitting misses final bytes of file resulting in false negatives

The file split method appears to miss the final bytes of the file resulting in false negatives.

Scanning the original file from the command line gives the following output:

"c:\Program Files\Windows Defender\MpCmdRun.exe" -scan -scantype 3 -file "c:\users\test\desktop\file.exe" -DisableRemediation
Scan starting...
Scan finished.
Scanning c:\users\test\desktop\file.exe found 1 threats.

<===========================LIST OF DETECTED THREATS==========================>
----------------------------- Threat information ------------------------------
Threat                  : EUS:Win32/CustomEnterpriseBlock
Resources               : 1 total
    file                : c:\users\test\desktop\file.exe
-------------------------------------------------------------------------------

Using DefenderCheck the output is as follows:


C:\Users\test\Desktop>DefenderCheck.exe file.exe
Target file size: 271872 bytes
Analyzing...

Exhausted the search. The binary looks good to go!

However, the testfile.exe in c:\temp\ and the original file are different sizes (testfile.exe is two bytes shorter).

C:\Users\test\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 22ED-CC37

 Directory of C:\Users\test\Desktop

12/23/2021  10:15 AM    <DIR>          .
12/23/2021  10:15 AM    <DIR>          ..
12/22/2021  03:50 PM           271,872 file.exe

Directory of c:\temp

12/23/2021  10:07 AM    <DIR>          .
12/23/2021  10:07 AM    <DIR>          ..
12/23/2021  10:26 AM           271,870 testfile.exe
               1 File(s)        271,870 bytes
               2 Dir(s)  40,053,174,272 bytes free

Manually scanning the file in the temp directory gives a clean result:

"c:\Program Files\Windows Defender\MpCmdRun.exe" -scan -scantype 3 -file "c:\temp\testfile.exe" -DisableRemediation
Scan starting...
Scan finished.
Scanning c:\temp\testfile.exe found no threats.

Edit to add:

Possibly just a clarification in the 'Good to go' output? Show the initial detection and why analysis started?
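One way to confirm that a "good to go" verdict actually covered the whole file, as an added example (Python, not part of the DefenderCheck project): compare the tool's test file with the original and check that it is a complete copy rather than a truncated prefix. The byte strings and sizes below are constructed to mirror the report (271,872 vs 271,870 bytes); they are not real executables.

```python
import hashlib


def split_integrity(original: bytes, candidate: bytes) -> dict:
    """Compare a tool-produced test file against the original it was cut from.

    A clean verdict only covers the bytes that were actually scanned, so the
    final candidate must be the complete original, not a strict prefix of it.
    """
    is_prefix = len(candidate) <= len(original) and original.startswith(candidate)
    missing = len(original) - len(candidate) if is_prefix else None
    return {
        "original_size": len(original),
        "candidate_size": len(candidate),
        "original_sha256": hashlib.sha256(original).hexdigest(),
        "candidate_sha256": hashlib.sha256(candidate).hexdigest(),
        "is_prefix": is_prefix,
        "missing_tail_bytes": missing,
        # Only trust the verdict when every byte of the original was scanned.
        "full_file_scanned": is_prefix and missing == 0,
    }


# Constructed sample data (not real binaries) matching the sizes in the report.
ORIGINAL = bytes(i % 251 for i in range(271_872))
# What a splitter that drops the final two bytes hands to the scanner.
TRUNCATED = ORIGINAL[:-2]

if __name__ == "__main__":
    for name, cand in (("testfile.exe", TRUNCATED), ("file.exe", ORIGINAL)):
        r = split_integrity(ORIGINAL, cand)
        status = ("complete" if r["full_file_scanned"]
                  else f"missing {r['missing_tail_bytes']} tail byte(s)")
        print(f"{name}: {r['candidate_size']} of {r['original_size']} bytes, {status}")
```

To run it against real files, replace the constructed byte strings with `open(path, "rb").read()` for the original and the tool's output file.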

The program is not working properly

I used this program on my VM (Win11, updated Windows Defender) and tried to scan my payload. It said it was undetected, but when my friend tried to download the payload it got detected at scan time. The payload was downloaded in the VM with upload.ee, and DefenderCheck too. What did I do wrong?

Implement setup checks

Setup method to check Defender configurations exists, just need to implement it in Main.

Unhandled Exception

Hey @matterpreter, thanks for the amazing tool. I tested it yesterday and the updated version today and get the following error. Appreciate your help with this.

C:\Users\st33l\Desktop>DefenderCheck.exe mimikatz.exe
Target file size: 1064448 bytes
Analyzing...

[!] Identified end of bad bytes at offset 0x2 in the original file

Unhandled Exception: System.ArgumentOutOfRangeException: Non-negative number required.
Parameter name: srcOffset
at System.Buffer.BlockCopy(Array src, Int32 srcOffset, Array dst, Int32 dstOffset, Int32 count)
at DefenderCheck.Program.HalfSplitter(Byte[] originalarray, Int32 lastgood)
at DefenderCheck.Program.Main(String[] args)

Unhandled exception

I know this looks like the same issue as #14 but that somewhat got derailed with build questions.

I just downloaded from master and build on Visual Studio 2019 on Windows Server 2019.

> .\DefenderCheck-master\DefenderCheck-master\DefenderCheck\DefenderCheck\bin\Debug\DefenderCheck.exe .\path\k.exe
Target file size: 1524224 bytes
Analyzing...

[!] Identified end of bad bytes at offset 0x2 in the original file

Unhandled Exception: System.ArgumentException: Offset and length were out of bounds for the array or count is greater than the number of elements from index to the end of the source collection.
   at System.Buffer.BlockCopy(Array src, Int32 srcOffset, Array dst, Int32 dstOffset, Int32 count)
   at DefenderCheck.Program.HalfSplitter(Byte[] originalarray, Int32 lastgood) in C:\Users\Administrator\Downloads\DefenderCheck-master\DefenderCheck-master\DefenderCheck\DefenderCheck\Program.cs:line 106
   at DefenderCheck.Program.Main(String[] args) in C:\Users\Administrator\Downloads\DefenderCheck-master\DefenderCheck-master\DefenderCheck\DefenderCheck\Program.cs:line 60

I've replicated this using clean executables (according to Defender) so I don't expect it's a Defender configuration issue.

binary release

Please, could you compile x86 and x86-64 release versions? Thank you.

cannot compile?

I have this error: System.IndexOutOfRangeException: 'Index was outside the bounds of the array.'

Question

To confirm: in order for the tool to work as expected, I read you say that 'realtime protection' should be disabled. How about 'cloud-delivered protection'?
