// MpQueryFileTrustByHandle example by @dez_ and @GabrielLandau | |
#include <windows.h> | |
#include <stdio.h> | |
// Function-pointer type for the MpClient.dll export "MpQueryFileTrustByHandle",
// resolved with GetProcAddress in main. As used here only the first two arguments
// carry data (the file HANDLE and a params_t*); the last two are passed as 0 and
// the int return is treated as "0 == query succeeded". The prototype is the
// example authors' working assumption, not a published signature — confirm before
// relying on the argument count, calling convention or return semantics.
// NOTE(review): a leading underscore followed by an uppercase letter is a reserved
// identifier in C; the name is kept because main refers to it.
typedef int (*_MpQueryFileTrustByHandle)(HANDLE, void*, void*, void*);
// In/out parameter block passed to MpQueryFileTrustByHandle. The field roles below
// are taken from how main uses them, not from a documented layout.
typedef struct
{
int first;   // written by main (16) before the call; presumably a size/version field — confirm
int second;  // written by the call; printed as "Trust": 0 trusted, -1 unknown, -2 malicious
int third;   // written by the call; printed as "Flags"
} params_t;
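// Prints the human-readable verdict for the trust value that
// MpQueryFileTrustByHandle stored in params_t.second. The three known values are
// the ones the original example distinguished; anything else is reported rather
// than silently ignored.
static void print_trust_verdict(int trust)
{
    switch (trust) {
    case 0:
        printf("Result: file trusted\n");
        break;
    case -1:
        printf("Result: file unknown\n");
        break;
    case -2:
        printf("Result: file malicious\n");
        break;
    default:
        printf("Result: unrecognized trust value %d\n", trust);
        break;
    }
}

// Queries Windows Defender's file trust verdict for argv[1] through the
// MpClient.dll export MpQueryFileTrustByHandle and prints the result.
//
// argv[1]: path of the file to query (opened read-only, share-read).
// Returns 0 when the query ran, 1 on a usage error or when loading the DLL,
// resolving the export, opening the file or the query itself fails. Every
// failure path releases the file handle and the module before returning.
//
// The DLL is loaded from its absolute install path on purpose: a bare
// "MpClient.dll" would be resolved through the DLL search order.
int main(int argc, char **argv)
{
    int rc = 1;
    HANDLE hFile = INVALID_HANDLE_VALUE;

    if (argc != 2) {
        printf("Usage: %s <path>\n", argv[0]);
        return rc;
    }

    // LoadLibraryW is named explicitly so the wide literal compiles whether or
    // not UNICODE is defined. LoadLibrary reports failure with NULL only, so the
    // INVALID_HANDLE_VALUE comparison from the original is not needed.
    HMODULE hDefender = LoadLibraryW(L"C:\\program files\\Windows Defender\\MpClient.dll");
    if (hDefender == NULL) {
        printf("Error loading mpclient (error %lu)\n", GetLastError());
        return rc;
    }
    printf("MpClient loaded at %p\n", (void *)hDefender);

    _MpQueryFileTrustByHandle MpQueryFileTrustByHandle =
        (_MpQueryFileTrustByHandle)GetProcAddress(hDefender, "MpQueryFileTrustByHandle");
    if (MpQueryFileTrustByHandle == NULL) {
        printf("GetProcAddress failed for MpQueryFileTrustByHandle (error %lu)\n", GetLastError());
        goto out_free_lib;
    }
    printf("MpQueryFileTrustByHandle at %p\n", (void *)MpQueryFileTrustByHandle);

    // Zero the whole block so .second/.third hold a known value even if the call
    // leaves them untouched. .first = 16 is what the original example passes;
    // its meaning (presumably a size/version field) is not established here.
    params_t params = { .first = 16 };

    printf("Checking rep for: %s\n", argv[1]);
    hFile = CreateFileA(argv[1], GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
    if (hFile == INVALID_HANDLE_VALUE) {
        // The original passed an invalid handle straight into the query.
        printf("CreateFileA failed for %s (error %lu)\n", argv[1], GetLastError());
        goto out_free_lib;
    }
    printf("File handle: %p\n", hFile);

    int retVal = MpQueryFileTrustByHandle(hFile, &params, NULL, NULL);
    // %x expects unsigned; cast so the format matches the argument type.
    printf("Ret: %x, Trust: %d, Flags: %x\n", (unsigned)retVal, params.second, (unsigned)params.third);
    if (retVal != 0) {
        goto out_close;
    }

    print_trust_verdict(params.second);
    rc = 0;

out_close:
    CloseHandle(hFile);
out_free_lib:
    FreeLibrary(hDefender);
    return rc;
}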