Malware that Disables Windows Defender (Patreon)
Content
Windows Defender is the bane of most commodity malware. In this video we look at a piece of malware that attempts to elevate its privileges and then disable Windows Defender. This kind of operation is incredibly useful to understand, as it touches on the fundamentals of Windows processes and how Windows Defender's privileges work.

During our analysis of the binary we see that it is written in .NET. The malware begins by checking the permissions of the running process: it calls Windows APIs to determine the process owner, then checks whether the owner name contains "NT". The highest-privileged processes on a Windows system run as "NT-SYSTEM", and this level of privilege is necessary for the malware to attempt to disable Windows Defender. The malware checks whether it is already running at this level and, if not, attempts to elevate itself before disabling Defender.

To accomplish this, the malware uses a technique that duplicates the token of winlogon. Winlogon is a high-privilege process that runs at the "NT-SYSTEM" level. The malware calls OpenProcessToken to obtain this process's token, sets up the startup info for a new process, and calls DuplicateTokenEx to duplicate winlogon's token. Once that is done, it gets the path of its own executable and creates a new instance of itself using the high-privilege token taken from winlogon.
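A defender-side companion to the chain above: an added example, not code from the video or from the malware, that flags the two observable traces of this token theft in Sysmon-style telemetry (an untrusted image opening winlogon with token-query rights, and a SYSTEM process whose parent lives in a user-writable path). The sample records, the key=value line format and the trusted-directory list are assumptions; the field names follow Sysmon Event 10 (ProcessAccess) and Event 1 (ProcessCreate).

```python
# Access rights OpenProcessToken needs on the target process (winapi constants).
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
WINLOGON = "c:\\windows\\system32\\winlogon.exe"
# Assumed allow-list of directories where SYSTEM-spawning parents are expected.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\program files\\")

def parse_kv(line):
    """Parse a constructed 'Key=Value|Key=Value' record into a dict."""
    return dict(part.split("=", 1) for part in line.rstrip().split("|"))

def in_trusted_dir(image):
    return image.lower().startswith(TRUSTED_DIRS)

def flag_token_access(ev):
    """Event 10: an image outside the allow-list opened winlogon with query rights."""
    if ev.get("EventID") != "10" or ev["TargetImage"].lower() != WINLOGON:
        return None
    granted = int(ev["GrantedAccess"], 16)   # Sysmon logs this as hex, e.g. 0x1400
    if not granted & (PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION):
        return None
    if in_trusted_dir(ev["SourceImage"]):
        return None
    return f"winlogon handle with 0x{granted:x} from {ev['SourceImage']}"

def flag_system_child(ev):
    """Event 1: a SYSTEM process whose parent runs from an untrusted path."""
    if ev.get("EventID") != "1" or ev["User"].upper() != "NT AUTHORITY\\SYSTEM":
        return None
    if in_trusted_dir(ev["ParentImage"]):
        return None
    return f"SYSTEM child {ev['Image']} spawned by {ev['ParentImage']}"

def scan(lines):
    """Run both rules over every record and return the alert strings."""
    alerts = []
    for line in lines:
        ev = parse_kv(line)
        for rule in (flag_token_access, flag_system_child):
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts

# Constructed sample telemetry: lines 1 and 4 are the token-theft chain, the rest is benign noise.
SAMPLE_LOG = [
    "EventID=10|SourceImage=C:\\Users\\bob\\AppData\\Local\\Temp\\updater.exe|TargetImage=C:\\Windows\\System32\\winlogon.exe|GrantedAccess=0x1400",
    "EventID=10|SourceImage=C:\\Windows\\System32\\csrss.exe|TargetImage=C:\\Windows\\System32\\winlogon.exe|GrantedAccess=0x1fffff",
    "EventID=10|SourceImage=C:\\Users\\bob\\AppData\\Local\\Temp\\updater.exe|TargetImage=C:\\Windows\\System32\\svchost.exe|GrantedAccess=0x1400",
    "EventID=1|Image=C:\\Users\\bob\\AppData\\Local\\Temp\\updater.exe|ParentImage=C:\\Users\\bob\\AppData\\Local\\Temp\\updater.exe|User=NT AUTHORITY\\SYSTEM",
    "EventID=1|Image=C:\\Windows\\System32\\conhost.exe|ParentImage=C:\\Windows\\System32\\services.exe|User=NT AUTHORITY\\SYSTEM",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Legitimate SYSTEM services and security tools also open winlogon, so the allow-list is what keeps the first rule quiet; tune it to the host's installed software before relying on it.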