
Windows version

PACEJJ27 opened this issue 3 years ago • 9 comments

Tested on Windows 10 20H2, it doesn't work. [image]

PACEJJ27, Feb 22 '22 08:02

Were you System when you ran it?

Octoberfest7, Feb 22 '22 16:02

I have the same problem here.

tarekxxx, Mar 09 '22 14:03

> I have the same problem here.

Try out my version (the same one in the pull request here). I modified it to elevate to SYSTEM, which I found necessary to make it work.

https://github.com/Octoberfest7/KillDefender

Octoberfest7, Mar 09 '22 16:03

> > I have the same problem here.
>
> Try out my version (the same one in the pull request here). I modified it to elevate to SYSTEM, which I found necessary to make it work.
>
> https://github.com/Octoberfest7/KillDefender

Oh, thanks, this is useful.

tarekxxx, Mar 09 '22 19:03

> Tested on Windows 10 20H2, it doesn't work. [image]

Update: Windows 10 v21H2 is now completely patched; you will not get any token access from a process handle with "Query Limited Information".

GetRektBoy724, Jun 28 '22 08:06

> > Tested on Windows 10 20H2, it doesn't work. [image]
>
> Update: Windows 10 v21H2 is now completely patched; you will not get any token access from a process handle with "Query Limited Information".

Can confirm, tested on the latest patch of Win11. The same code can still be used to access other PPL-protected process tokens (smss, csrss, etc.) but doesn't work for MsMpEng.exe.

Octoberfest7, Jun 28 '22 15:06

> > > Tested on Windows 10 20H2, it doesn't work. [image]
> >
> > Update: Windows 10 v21H2 is now completely patched; you will not get any token access from a process handle with "Query Limited Information".
>
> Can confirm, tested on the latest patch of Win11. The same code can still be used to access other PPL-protected process tokens (smss, csrss, etc.) but doesn't work for MsMpEng.exe.

Wait, really? From my experience, you can't get any token access from a "Query limited information" process handle, regardless of the process. Can you show me a proof or something? Thanks.

GetRektBoy724, Jun 29 '22 10:06

https://github.com/Octoberfest7/KillDefender/blob/main/killdefender.cpp

If you use my code here you can do it. Just change line 136 to smss.exe or csrss.exe and then check it out in Process Explorer; you'll be able to see that the code sets the token integrity to untrusted and strips all privileges, like it did for MsMpEng.exe. Obviously do it in a VM.

Octoberfest7, Jun 29 '22 13:06

> https://github.com/Octoberfest7/KillDefender/blob/main/killdefender.cpp
>
> If you use my code here you can do it. Just change line 136 to smss.exe or csrss.exe and then check it out in Process Explorer; you'll be able to see that the code sets the token integrity to untrusted and strips all privileges, like it did for MsMpEng.exe. Obviously do it in a VM.

Oh wait, you're right. Tested csrss.exe, and it works.

GetRektBoy724, Jun 29 '22 14:06