In this post I will briefly describe the journey I went through while implementing defendnot.

Even though this is most likely not what you expected to see here, but rather than going into full technical details on how everything works, I will describe what rabbitholes I went through and how painful everything was due to my ✨special✨ environment.

Beware, most likely this post will be too informal unlike the previous posts of mine, I am pretty sure that all the other posts with irl tag will be written in a style like this. If you are looking for a more detailed technical description of how everything works, a writeup like this will be released a bit later by someone else and I will link it here.

A one-year step back

Almost exactly one year ago I released a tool no-defender, a project that was disabling windows defender using the special windows api made for antiviruses to let the system know that there is an another antivirus so there is no need to run defender scans.

The part of the system that manages all this mess is called Windows Security Center – WSC for short. The way how my project worked is that it was using a thirdparty code from some already existing antivirus and forced that av to register the antivirus in WSC.

Then, after a few weeks after the release, the project blew up quite a bit and gained ~1.5k stars, after that the developers of the antivirus I was using filled a DMCA takedown request and I didn’t really want to do anything with that so just erased everything and called it a day.

How it started

Currently, even while writing this article, I am sitting in an airbnb we rented in Seoul. After numerous trips to other parts of the planet for CTFs and stuff, me and a friend of mine decided that we want to visit Seoul and arrived a few months after that.

My current main machine for non-ctf things is an M4Pro MacBook, and usually, when I am going for a CTF I bring an another x86 laptop with me to do some extensive reverse engineering/pwn stuff as it is usually built for the x86 cpus. Emulation would kind of work for this task but it is pretty painful so I just use an another laptop for all the x86 stuff.

And, as you might have guessed, for this trip I did not bring that x86 laptop with me, but I did bring my macbook with me to do some other development stuff in my free-free time. So, I did not have any x86 machine with me to do the x86 reversing.

And, on May 4th, after a few days spent in South Korea meeting my favorite South Korean CTF friends and drinking alcohol with them, I received a message from MrBruh where they said that they were looking at no-defender and were looking into whether it would be possible to create a “clean” implementation of my project without using any AVs.

Initial research (Day 1)

I am having some troubles with my sleep schedule and I woke up a bit earlier than my friends so I decided to take a look at this while I am waiting for my friends to wake up.

MrBruh provided me the latest binaries of wsc because I was too lazy to spin up my parallels vm to get the binaries and I started looking into what we got.

As a reference implementation, I took the WSC registration implementation made by the same AV I was using a year ago. I was somewhat familiar with the internals of their thing and it was a great call.

Essentially, WSC has a COM API that all antiviruses are using, so I quickly rebuilt everything that AV was doing with it in ~1hr, booted an arm64 windows in parallels and tested the thing. I was greeted with an access denied error.

But from my last year’s courtesy I knew that WSC was somehow validating the process that calls these APIs, my guess was that they are validating the signatures, which was indeed a correct guess but I didn’t know that for sure yet.

My move then was to inject my code into the same process that is doing all the WSC stuff for that AV and register my AV from there, when I did that this is what come out:

Then, I recreated an another COM call to update the status of my fresh-new antivirus I registered and everything worked like a charm as well!

As you might have guessed, this is exactly the image I posted on twitter to let my beloved followers know that I might have something cooking:

Trying to get rid of the AVs binary (Day 1)

After my initial research, I spent many hours actually enjoying life and arrived back to airbnb late at night and started tinkering with this again.

My first idea was to create a legit-signed process, inject my module in it, and execute my shenanigans from there, the exact same thing I was doing except I would use system-provided binaries and not AV’s ones (because I didn’t want my new project to be removed from github by that AV).

As a first victim process I chose cmd.exe for no particular reason, just the first thing that came to my mind. However, to my surprise the api rejected my calls and I had to actually dig into the implementation to find out what was causing it.

After a quick look at wscsvc.dll, I found out that the binary was doing some calls to check the caller process for PPL, but, the binary I was running was created using just simple CreateProcessA call, there is no way it was PPL protected (and it indeed was not).

It was already pretty late in the morning so I went to sleep.

Setting up environment (Day 2)

When I woke up, I tried a bunch of other system processes, but nothing really worked, so I decid