matterpreter / DefenderCheck
Identifies the bytes that Microsoft Defender flags on.
License: BSD 3-Clause "New" or "Revised" License
Need to automatically create c:\temp
if it doesn't exist.
Sorry for the stupid question, I am not too familiar with C#.
Hello,
any idea about the cause of this error:
PS C:> .\DefenderCheck.exe C:\Temp\mimikatz.exe
Target file size: 1234696 bytes
Analyzing...
[!] Identified end of bad bytes at offset 0x2 in the original file
Unhandled Exception: System.ArgumentException: Offset and length were out of bounds for the array or count is greater than the number of elements from index to the end of the source collection.
at System.Buffer.BlockCopy(Array src, Int32 srcOffset, Array dst, Int32 dstOffset, Int32 count)
at DefenderCheck.Program.HalfSplitter(Byte[] originalarray, Int32 lastgood)
at DefenderCheck.Program.Main(String[] args)
When I run ./Defendercheck.exe, I got
System.NullReferenceException: Object reference not set to an instance of an object.
in DefenderCheck.Program.Setup()
in DefenderCheck.Program.Main(String[] args)
So I used your tool to check rottenpotato, and it said the binary looks good to go, but when I scanned it with Windows Defender it detected it...
Thanks for this excellent tool. This is such a great idea! I'm having issues using it though.
When running this against any files I get the following error:
Unhandled Exception: System.IO.DirectoryNotFoundException: Could not find a part of the path 'C:\Temp\testfile.exe'.
at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
at System.IO.File.InternalWriteAllBytes(String path, Byte[] bytes, Boolean checkHost)
at System.IO.File.WriteAllBytes(String path, Byte[] bytes)
at DefenderCheck.Program.Main(String[] args)
I am running it against payloads in the same folder as the DefenderCheck.exe file, and I have used the following in user- and admin-privileged PowerShell windows:
.\DefenderCheck.exe binary.exe
.\DefenderCheck.exe c:\gull\path\to\binary.exe
I get the same error no matter what file I run it against and no matter the privileges the PowerShell terminal is opened under. Thanks for your help with this!
Thanks for this amazing tool. I tested it yesterday. Thank you for your help.
C:\Users\DefenderCheck\DefenderCheck\DefenderCheck\bin\Release>DefenderCheck.exe
Unhandled Exception: System.NullReferenceException: The object reference was not set to an instance of the object.
In the DefenderCheck.Program.Setup() location C:\Users\DefenderCheck\DefenderCheck\DefenderCheck\Program.cs: line number 65
In the DefenderCheck.Program.Main(String[] args) location C:\Users\DefenderCheck\DefenderCheck\DefenderCheck\Program.cs: line number 14
windows:1809
vs:2015
.net:4.7.2
The file split method appears to miss the final bytes of the file resulting in false negatives.
Scanning the original file from the command line gives the following output:
"c:\Program Files\Windows Defender\MpCmdRun.exe" -scan -scantype 3 -file "c:\users\test\desktop\file.exe" -DisableRemediation
Scan starting...
Scan finished.
Scanning c:\users\test\desktop\file.exe found 1 threats.
<===========================LIST OF DETECTED THREATS==========================>
----------------------------- Threat information ------------------------------
Threat : EUS:Win32/CustomEnterpriseBlock
Resources : 1 total
file : c:\users\test\desktop\file.exe
-------------------------------------------------------------------------------
Using DefenderCheck the output is as follows:
C:\Users\test\Desktop>DefenderCheck.exe file.exe
Target file size: 271872 bytes
Analyzing...
Exhausted the search. The binary looks good to go!
However, the testfile.exe in c:\temp\ and the original file are different sizes (testfile.exe is two bytes shorter).
C:\Users\test\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is 22ED-CC37
Directory of C:\Users\test\Desktop
12/23/2021 10:15 AM <DIR> .
12/23/2021 10:15 AM <DIR> ..
12/22/2021 03:50 PM 271,872 file.exe
Directory of c:\temp
12/23/2021 10:07 AM <DIR> .
12/23/2021 10:07 AM <DIR> ..
12/23/2021 10:26 AM 271,870 testfile.exe
1 File(s) 271,870 bytes
2 Dir(s) 40,053,174,272 bytes free
Manually scanning the file in the temp directory gives a clean result
"c:\Program Files\Windows Defender\MpCmdRun.exe" -scan -scantype 3 -file "c:\temp\testfile.exe" -DisableRemediation
Scan starting...
Scan finished.
Scanning c:\temp\testfile.exe found no threats.
Edit to add:
Possibly just a clarification in the 'Good to go' output? Show the initial detection and why analysis started?
I used this program on my VM (Win11, updated Windows Defender) and tried to scan my payload. It said it was undetected, but when my friend tried to download the payload it got detected at scan time. The payload was downloaded in the VM with upload.ee, and DefenderCheck too. What did I do wrong?
Setup method to check Defender configurations exists; just need to implement it in Main.
Hey @matterpreter, thanks for the amazing tool. I tested it yesterday and the updated version today and get the following error. Appreciate your help with this.
C:\Users\st33l\Desktop>DefenderCheck.exe mimikatz.exe
Target file size: 1064448 bytes
Analyzing...
[!] Identified end of bad bytes at offset 0x2 in the original file
Unhandled Exception: System.ArgumentOutOfRangeException: Non-negative number required.
Parameter name: srcOffset
at System.Buffer.BlockCopy(Array src, Int32 srcOffset, Array dst, Int32 dstOffset, Int32 count)
at DefenderCheck.Program.HalfSplitter(Byte[] originalarray, Int32 lastgood)
at DefenderCheck.Program.Main(String[] args)
There is a bug where if the executable is flagged in the first 256 bytes, the dump of the bytes will break due to some math on the backend. Need to implement a check where if the original buffer size is <= 256 bytes, that it will just print out what's available.
(side-channel report by l0gan)
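An added example in Python, not code from the DefenderCheck project, showing the bounds handling the issue above calls for: a hex dump of the bytes around a flagged offset that clamps its window to the buffer, so a hit at offset 0x2, or a buffer shorter than 256 bytes, renders whatever is available instead of computing a negative source offset. The function names, the 256-byte window and the sample buffer are assumptions constructed for this example.

```python
"""Bounded hex dump around a flagged offset (added example, not DefenderCheck code).

The issue above describes a crash when the flagged offset lies within the
first 256 bytes: subtracting the window size from a small offset yields a
negative source offset for the copy. The fix is to clamp the window to the
buffer. The names and the 256-byte window are assumptions for this example.
"""


def window_bounds(buf_len: int, offset: int, before: int = 256, after: int = 256) -> tuple[int, int]:
    """Return the [start, end) window around `offset`, clamped to [0, buf_len)."""
    if buf_len <= 0:
        raise ValueError("cannot dump a window of an empty buffer")
    if not 0 <= offset < buf_len:
        raise ValueError(f"offset {offset:#x} outside buffer of {buf_len} bytes")
    start = max(0, offset - before)   # never negative, even for offset 0x2
    end = min(buf_len, offset + after)  # never past the end of a short buffer
    return start, end


def dump_window(buf: bytes, offset: int, before: int = 256, after: int = 256, width: int = 16) -> list[str]:
    """Render the clamped window as hex-dump rows with absolute file offsets.

    Rows are returned rather than printed so callers can log or assert on them.
    The row containing `offset` is marked with '<--'.
    """
    start, end = window_bounds(len(buf), offset, before, after)
    rows = []
    for row in range(start, end, width):
        chunk = buf[row:min(row + width, end)]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asciipart = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        marker = "<--" if row <= offset < row + len(chunk) else "   "
        rows.append(f"{row:08x}  {hexpart:<{width * 3 - 1}}  |{asciipart}| {marker}")
    return rows


if __name__ == "__main__":
    # Constructed sample: an "MZ" stub followed by padding; not a real executable.
    sample = b"MZ\x90\x00" + bytes(range(256)) * 3
    # A hit at offset 0x2 is the case that crashed the original split logic.
    for line in dump_window(sample, 0x2):
        print(line)
```

The two clamps in `window_bounds` are the whole fix: the start is floored at zero and the end is capped at the buffer length, so the copy length is always derived from real bounds rather than from the requested window size.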
I know this looks like the same issue as #14 but that somewhat got derailed with build questions.
I just downloaded from master and build on Visual Studio 2019 on Windows Server 2019.
> .\DefenderCheck-master\DefenderCheck-master\DefenderCheck\DefenderCheck\bin\Debug\DefenderCheck.exe .\path\k.exe
Target file size: 1524224 bytes
Analyzing...
[!] Identified end of bad bytes at offset 0x2 in the original file
Unhandled Exception: System.ArgumentException: Offset and length were out of bounds for the array or count is greater than the number of elements from index to the end of the source collection.
at System.Buffer.BlockCopy(Array src, Int32 srcOffset, Array dst, Int32 dstOffset, Int32 count)
at DefenderCheck.Program.HalfSplitter(Byte[] originalarray, Int32 lastgood) in C:\Users\Administrator\Downloads\DefenderCheck-master\DefenderCheck-master\DefenderCheck\DefenderCheck\Program.cs:line 106
at DefenderCheck.Program.Main(String[] args) in C:\Users\Administrator\Downloads\DefenderCheck-master\DefenderCheck-master\DefenderCheck\DefenderCheck\Program.cs:line 60
I've replicated this using clean executables (according to Defender) so I don't expect it's a Defender configuration issue.
Please, could you compile x86 and x86-64 release versions? Thank you.
Will defendercheck work fine for Windows 11?
I have this error: System.IndexOutOfRangeException: 'Index was outside the bounds of the array.'
To confirm: in order for the tool to work as expected, I read you say that 'real-time protection' should be disabled; how about 'cloud-delivered protection'?