  • Stars: 182
  • Rank: 211,154 (Top 5%)
  • Language: C++
  • Created: almost 3 years ago
  • Updated: almost 3 years ago

Repository Details

Stop Windows Defender using the Win32 API

DefenderSwitch

(Animated GIF showing DefenderSwitch turning Defender off and on.)

TL;DR

Even though Defender ships with defensive features such as tamper protection, it can still be disabled with the following chain of actions:

  1. enable SeDebugPrivilege;
  2. start the TrustedInstaller service and the TrustedInstaller process;
  3. impersonate TrustedInstaller;
  4. open the WinDefend service and stop it.

DefenderSwitch does exactly that through the use of the Win32 API.
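As an added detection example (written for this page, not part of DefenderSwitch), the following PowerShell script reads the Service Control Manager's event 7036 state-change records from the System log and flags a WinDefend stop that follows a TrustedInstaller start within a few minutes, which is the trace the chain above leaves behind. The 24-hour lookback, the 5-minute window and an English-language system (so the state reads "running"/"stopped") are assumptions.

```powershell
# Added example, not part of DefenderSwitch: a defender-side check for the
# service-state sequence described above. The Service Control Manager logs
# System event 7036 ("The <service> service entered the <state> state") with
# Properties[0] = service display name and Properties[1] = state.
$lookback = (Get-Date).AddHours(-24)   # assumption: scan the last 24 hours
$window   = 5                          # assumption: minutes between TI start and WinDefend stop

# Display names as they appear in the 7036 message. Older builds use
# "Windows Defender Antivirus Service", newer ones "Microsoft Defender Antivirus Service".
$defenderNames = @('Windows Defender Antivirus Service', 'Microsoft Defender Antivirus Service')
$tiName        = 'Windows Modules Installer'   # display name of the TrustedInstaller service

$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7036
    StartTime    = $lookback
} -ErrorAction SilentlyContinue | Sort-Object TimeCreated

$tiStarts = @()
foreach ($e in $events) {
    $svc   = [string]$e.Properties[0].Value
    $state = [string]$e.Properties[1].Value   # assumption: English locale ("running"/"stopped")

    if ($svc -eq $tiName -and $state -eq 'running') {
        $tiStarts += $e.TimeCreated
    }
    elseif ($defenderNames -contains $svc -and $state -eq 'stopped') {
        # WinDefend normally never stops on its own; a stop shortly after
        # TrustedInstaller came up matches the TL;DR chain.
        $recent = @($tiStarts | Where-Object { ($e.TimeCreated - $_).TotalMinutes -le $window })
        if ($recent.Count -gt 0) {
            $delta = [int]($e.TimeCreated - $recent[-1]).TotalSeconds
            Write-Warning ("WinDefend stopped at {0}, {1}s after TrustedInstaller started" -f $e.TimeCreated, $delta)
        }
        else {
            Write-Output ("WinDefend stopped at {0} with no recent TrustedInstaller start" -f $e.TimeCreated)
        }
    }
}

# Current state, so an operator also sees whether Defender is down right now.
Get-Service -Name WinDefend, TrustedInstaller | Select-Object Name, Status
```

Run it from an elevated PowerShell so the System log is readable in full; Defender's own operational log (Microsoft-Windows-Windows Defender/Operational) is a second source worth correlating with these events.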

DefenderSwitch uses the standard Windows.h header and the WIL library. To install WIL, use vcpkg:

C:\vcpkg> .\vcpkg.exe install wil:x86-windows
C:\vcpkg> .\vcpkg.exe install wil:x64-windows

Usage

Spawn a cmd.exe as administrator, then:

C:\Users\last> .\DefenderSwitch.exe -off
C:\Users\last> .\DefenderSwitch.exe -on

Opsec considerations

This tool as it is written is definitely not OPSEC safe. Making it so is left as an exercise for the user :)