Comments (9)
Anytime!! Thanks for the awesome tool. It's made life much easier. :)
Hey @jasc22, thanks for the report! I was actually just notified about this on the side by another person and have been looking at it.
The function to print the hexdump prints 256 bytes working backwards from the detection point. The problem is that if there are fewer than 256 bytes available, such as in the case where the detection happens below that number, the BufferCopy will error out. I need to add a safety check to say "if the test buffer length is less than 256 bytes, just print the test buffer", which I will have some time to do tonight.
As for the detection on the first 2 bytes (likely just MZ), I am not sure where that is coming from but the other reporter had the same issue. Let's fix up this first issue to see if it provides any new information and then maybe we'll have to move that to its own issue.
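The clamp described in this comment, as an added Python example that is not DefenderCheck's own (C#) code; the function name hexdump_before, the row format and the constructed sample bytes are my own assumptions:

```python
# Added example (not DefenderCheck's code): a bounds-safe "show the bytes
# leading up to the detection point" hexdump. When fewer than 256 bytes
# precede the detection offset, the window is clamped to the start of the
# buffer instead of copying from a negative index.
from typing import List

WINDOW = 256  # bytes to show before the detection point
ROW = 16      # bytes per hexdump row


def hexdump_before(buf: bytes, detect_off: int, window: int = WINDOW) -> List[str]:
    """Return hexdump rows for buf[start:detect_off], where start is
    max(0, detect_off - window). Row offsets are relative to the window,
    as in the tool output quoted later in this thread (first row 00000000)."""
    if not 0 <= detect_off <= len(buf):
        raise ValueError("detection offset outside the buffer")
    start = max(0, detect_off - window)  # the safety check: never go below 0
    chunk = buf[start:detect_off]
    rows = []
    for i in range(0, len(chunk), ROW):
        seg = chunk[i:i + ROW]
        hexpart = " ".join(f"{b:02X}" for b in seg).ljust(ROW * 3 - 1)
        ascii_part = "".join(chr(b) if 0x20 <= b < 0x7F else "\u00b7" for b in seg)
        rows.append(f"{i:08X} {hexpart} {ascii_part}")
    return rows


if __name__ == "__main__":
    # Constructed sample: a UTF-16LE string like the strings in the quoted
    # dump, with the "detection" at byte 40, i.e. fewer than 256 available.
    sample = "ERROR mimikatz_doLocal".encode("utf-16-le")
    for line in hexdump_before(sample, detect_off=40):
        print(line)
```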
Thanks, @matterpreter! Appreciate it! :)
Okay, just pushed up some changes that should make this easier to pin down. Here's what would help:
- Pull the new version, recompile, and run again. Paste the output here.
- Run the following command against the file you are working with, and paste the output here:
  "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File <path to your file> -DisableRemediation -Trace
I have a suspicion about what it could be, but that output will help me verify.
Added in some functionality to scan the whole file first to determine if any portion of it will be sig'd by Defender. I think what may have happened is that the file you're testing already slips by Defender and I wasn't factoring that use case in.
Let me know if you have a chance to give the latest version a go!
hey @matterpreter, got a chance to test the update. Please see output below.
MpCmdRun: Command Line: "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File mimikatz.exe -DisableRemediation -Trace
Start Time: Fri Apr 12 2019 07:07:58
MpEnsureProcessMitigationPolicy: hr = 0x1
Starting RunCommandScan.
INFO: ScheduleJob is not set. Skipping signature update.
Scanning path as file: mimikatz.exe.
Start: MpScan(MP_FEATURE_SUPPORTED, dwOptions=33558577, path mimikatz.exe, DisableRemediation = 1, BootSectorScan = 0, Timeout in days = 1)
ERROR: MpScanStart(dwOptions=33558577) Failed 800106BA
MpCmdRun: End Time: Fri Apr 12 2019 07:07:58
Hey @jasc22,
That's an "application failed to initialize" error in Defender itself. Try this:
- Change HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware to 0, which should reenable the service
- Restart Defender through the security center
- Rerun the command
I was testing this within Commando VM and did not check to see if Defender was on. I tested it on a different VM with an up to date Defender and it worked with no issues. I really apologize for the inconvenience and appreciate you looking into this.
C:\Users\st33l\Desktop>DefenderCheck.exe C:\Temp\mimikatz.exe
Target file size: 1064448 bytes
Analyzing...
[!] Identified end of bad bytes at offset 0xC1C8A in the original file
File matched signature: "HackTool:Win64/Mikatz!dha"
00000000 7A 00 5F 00 64 00 6F 00 4C 00 6F 00 63 00 61 00 z··d·o·L·o·c·a·
00000010 6C 00 20 00 3B 00 20 00 22 00 25 00 73 00 22 00 l· ·;· ·"·%·s·"·
00000020 20 00 6D 00 6F 00 64 00 75 00 6C 00 65 00 20 00 ·m·o·d·u·l·e· ·
00000030 6E 00 6F 00 74 00 20 00 66 00 6F 00 75 00 6E 00 n·o·t· ·f·o·u·n·
00000040 64 00 20 00 21 00 0A 00 00 00 00 00 00 00 0A 00 d· ·!···········
00000050 25 00 31 00 36 00 73 00 00 00 00 00 00 00 20 00 %·1·6·s······· ·
00000060 20 00 2D 00 20 00 20 00 25 00 73 00 00 00 20 00 ·-· · ·%·s··· ·
00000070 20 00 5B 00 25 00 73 00 5D 00 00 00 00 00 00 00 ·[·%·s·]·······
00000080 00 00 00 00 00 00 45 00 52 00 52 00 4F 00 52 00 ······E·R·R·O·R·
00000090 20 00 6D 00 69 00 6D 00 69 00 6B 00 61 00 74 00 ·m·i·m·i·k·a·t·
000000A0 7A 00 5F 00 64 00 6F 00 4C 00 6F 00 63 00 61 00 z··d·o·L·o·c·a·
000000B0 6C 00 20 00 3B 00 20 00 22 00 25 00 73 00 22 00 l· ·;· ·"·%·s·"·
000000C0 20 00 63 00 6F 00 6D 00 6D 00 61 00 6E 00 64 00 ·c·o·m·m·a·n·d·
000000D0 20 00 6F 00 66 00 20 00 22 00 25 00 73 00 22 00 ·o·f· ·"·%·s·"·
000000E0 20 00 6D 00 6F 00 64 00 75 00 6C 00 65 00 20 00 ·m·o·d·u·l·e· ·
000000F0 6E 00 6F 00 74 00 20 00 66 00 6F 00 75 00 6E 00 n·o·t· ·f·o·u·n·
No problem at all! I got to learn a few things about Defender under the hood debugging it and I can push that fix so that others won't have to worry about it. I appreciate the report 👍