
Comments (9)

jasc22 avatar jasc22 commented on July 4, 2024 1

Anytime!! Thanks for the awesome tool. It's made life much easier. :)

from defendercheck.

matterpreter avatar matterpreter commented on July 4, 2024

Hey @jasc22, thanks for the report! I was actually just notified about this on the side by another person and have been looking at it.

The function to print the hexdump prints 256 bytes working backwards from the detection point. The problem is that if there is less than 256 bytes available, such as in the case where the detection happens below that number, the BufferCopy will error out. I need to add a safety check to say "if the test buffer length is less than 256 bytes, just print the test buffer" which I will have some time to do tonight.

As for the detection on the first 2 bytes (likely just MZ), I am not sure where that is coming from but the other reporter had the same issue. Let's fix up this first issue to see if it provides any new information and then maybe we'll have to move that to its own issue.


jasc22 avatar jasc22 commented on July 4, 2024

Thanks, @matterpreter! Appreciate it! :)


matterpreter avatar matterpreter commented on July 4, 2024

Okay, just pushed up some changes that should make this easier to pin down. Here's what would help:

  1. Pull the new version, recompile, and run again. Paste the output here.
  2. Run the following command against the file you are working with: "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File <path to your file> -DisableRemediation -Trace. Paste the output here.

I have a suspicion about what it could be, but that output will help me verify.


matterpreter avatar matterpreter commented on July 4, 2024

Added in some functionality to scan the whole file first to determine if any portion of it will be sig'd by Defender. I think what may have happened is that the file you're testing already slips by Defender and I wasn't factoring that use case in.

Let me know if you have a chance to give the latest version a go!

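The two fixes discussed in this thread, the bounds check on the 256-byte backward hexdump and the whole-file pre-scan before bisecting, are small enough to show together. The following is an added Python sketch written for this page; it is not DefenderCheck's own C# code. The scanner is replaced by a constructed `is_flagged` stub that "detects" a made-up marker string, so the logic runs offline; function names, the marker and the sample inputs are all assumptions made for the example.

```python
"""Added example: whole-file pre-check, prefix bisection, and a clamped hexdump.

Not DefenderCheck's code. `is_flagged` stands in for the real scanner and
simply looks for a constructed marker, so everything here runs offline.
"""
from typing import Callable, Optional, Tuple

HEXDUMP_WINDOW = 256                    # bytes shown before the detection point
CONSTRUCTED_MARKER = b"BAD-SIGNATURE"  # constructed stand-in for a real signature


def is_flagged(buf: bytes) -> bool:
    """Stand-in for the AV scan: 'detected' if the constructed marker is present.
    Containment is monotonic over prefixes, which is what the bisection relies on."""
    return CONSTRUCTED_MARKER in buf


def hexdump(buf: bytes, base: int = 0) -> str:
    """16 bytes per row: offset, hex column, printable-ASCII column."""
    rows = []
    for i in range(0, len(buf), 16):
        chunk = buf[i:i + 16]
        hexpart = " ".join(f"{b:02X}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "\u00b7" for b in chunk)
        rows.append(f"{base + i:08X} {hexpart:<47} {asc}")
    return "\n".join(rows)


def window_before(data: bytes, end: int, size: int = HEXDUMP_WINDOW) -> Tuple[int, bytes]:
    """Return (start, bytes) for the `size` bytes ending at `end`.

    The start is clamped at 0: when the detection point sits below `size`,
    the unclamped start would be negative and the copy would fail, which is
    the BufferCopy error described in the thread. In that case the whole
    prefix is returned instead.
    """
    start = max(0, end - size)
    return start, data[start:end]


def find_end_of_bad_bytes(data: bytes, scan: Callable[[bytes], bool]) -> Optional[int]:
    """Return the length of the shortest flagged prefix, or None.

    The whole file is scanned first: if it already passes, there is nothing
    to bisect and None is returned (the use case the thread's fix added).
    """
    if not scan(data):
        return None
    lo, hi = 0, len(data)            # invariant: data[:hi] is flagged
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if scan(data[:mid]):
            hi = mid
        else:
            lo = mid
    return hi


def report(data: bytes, scan: Callable[[bytes], bool] = is_flagged) -> str:
    """Produce a tool-style report for a buffer; safe for small detection offsets."""
    end = find_end_of_bad_bytes(data, scan)
    if end is None:
        return "[+] File is not flagged by the scanner; nothing to isolate."
    start, window = window_before(data, end)
    return (f"[!] Identified end of bad bytes at offset 0x{end:X} in the original file\n"
            + hexdump(window, base=start))


if __name__ == "__main__":
    # Constructed inputs: a detection point below 256 bytes, and one well above it.
    small = b"A" * 100 + CONSTRUCTED_MARKER + b"B" * 50
    large = b"A" * 1000 + CONSTRUCTED_MARKER
    print(report(small))
    print(report(large))
    print(report(b"A" * 50))
```

`report(small)` exercises the clamp: the detection point is at 113, so the hexdump starts at offset 0 and shows only 113 bytes rather than attempting a 256-byte copy from a negative start. `report(large)` shows the normal 256-byte window ending at the detection point, and the clean buffer takes the whole-file shortcut.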

jasc22 avatar jasc22 commented on July 4, 2024

hey @matterpreter, got a chance to test the update. Please see output below.


MpCmdRun: Command Line: "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File mimikatz.exe -DisableRemediation -Trace
Start Time: Fri Apr 12 2019 07:07:58

MpEnsureProcessMitigationPolicy: hr = 0x1
Starting RunCommandScan.
INFO: ScheduleJob is not set. Skipping signature update.
Scanning path as file: mimikatz.exe.
Start: MpScan(MP_FEATURE_SUPPORTED, dwOptions=33558577, path mimikatz.exe, DisableRemediation = 1, BootSectorScan = 0, Timeout in days = 1)
ERROR: MpScanStart(dwOptions=33558577) Failed 800106BA
MpCmdRun: End Time: Fri Apr 12 2019 07:07:58


matterpreter avatar matterpreter commented on July 4, 2024

Hey @jasc22,

That's an "application failed to initialize" error in Defender itself. Try this:

  1. Change HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware to 0, which should re-enable the service
  2. Restart Defender through the security center
  3. Rerun the command


jasc22 avatar jasc22 commented on July 4, 2024

I was testing this within Commando VM and did not check to see if Defender was on. I tested it on a different VM with an up to date Defender and it worked with no issues. I really apologize for the inconvenience and appreciate you looking into this.

C:\Users\st33l\Desktop>DefenderCheck.exe C:\Temp\mimikatz.exe
Target file size: 1064448 bytes
Analyzing...
[!] Identified end of bad bytes at offset 0xC1C8A in the original file
File matched signature: "HackTool:Win64/Mikatz!dha"
00000000 7A 00 5F 00 64 00 6F 00 4C 00 6F 00 63 00 61 00 z··d·o·L·o·c·a·
00000010 6C 00 20 00 3B 00 20 00 22 00 25 00 73 00 22 00 l· ·;· ·"·%·s·"·
00000020 20 00 6D 00 6F 00 64 00 75 00 6C 00 65 00 20 00 ·m·o·d·u·l·e· ·
00000030 6E 00 6F 00 74 00 20 00 66 00 6F 00 75 00 6E 00 n·o·t· ·f·o·u·n·
00000040 64 00 20 00 21 00 0A 00 00 00 00 00 00 00 0A 00 d· ·!···········
00000050 25 00 31 00 36 00 73 00 00 00 00 00 00 00 20 00 %·1·6·s······· ·
00000060 20 00 2D 00 20 00 20 00 25 00 73 00 00 00 20 00 ·-· · ·%·s··· ·
00000070 20 00 5B 00 25 00 73 00 5D 00 00 00 00 00 00 00 ·[·%·s·]·······
00000080 00 00 00 00 00 00 45 00 52 00 52 00 4F 00 52 00 ······E·R·R·O·R·
00000090 20 00 6D 00 69 00 6D 00 69 00 6B 00 61 00 74 00 ·m·i·m·i·k·a·t·
000000A0 7A 00 5F 00 64 00 6F 00 4C 00 6F 00 63 00 61 00 z··d·o·L·o·c·a·
000000B0 6C 00 20 00 3B 00 20 00 22 00 25 00 73 00 22 00 l· ·;· ·"·%·s·"·
000000C0 20 00 63 00 6F 00 6D 00 6D 00 61 00 6E 00 64 00 ·c·o·m·m·a·n·d·
000000D0 20 00 6F 00 66 00 20 00 22 00 25 00 73 00 22 00 ·o·f· ·"·%·s·"·
000000E0 20 00 6D 00 6F 00 64 00 75 00 6C 00 65 00 20 00 ·m·o·d·u·l·e· ·
000000F0 6E 00 6F 00 74 00 20 00 66 00 6F 00 75 00 6E 00 n·o·t· ·f·o·u·n·


matterpreter avatar matterpreter commented on July 4, 2024

No problem at all! I got to learn a few things about Defender under the hood debugging it and I can push that fix so that others won't have to worry about it. I appreciate the report 👍

