// MpQueryFileTrustByHandle example by @dez_ and @GabrielLandau
#include <windows.h>
#include <stdio.h>
/*
 * Function-pointer type for the MpClient.dll export MpQueryFileTrustByHandle,
 * which is resolved with GetProcAddress because it has no public header or
 * import library. Arguments as this example uses them: an open file handle,
 * a pointer to a params_t block, and two further pointers that the example
 * always passes as 0.
 *
 * NOTE(review): no calling convention is given, so the compiler default
 * (__cdecl) is assumed. That is harmless on x64 but would corrupt the stack
 * on an x86 build if the export is actually __stdcall -- confirm before
 * building 32-bit.
 */
typedef int (*_MpQueryFileTrustByHandle)(HANDLE hFile,
                                         void *pParams,
                                         void *pArg3,
                                         void *pArg4);
/*
 * Argument block passed by pointer to MpQueryFileTrustByHandle.
 * Layout copied from the original example: three consecutive ints.
 *
 *   first  - filled in by the caller before the call; the example stores 16.
 *            Its meaning is not publicly documented (it is not sizeof this
 *            struct, so it is not simply a size tag).
 *   second - read by the caller after the call and interpreted as the trust
 *            verdict (0 / -1 / -2), so presumably written by MpClient.
 *   third  - read by the caller after the call and printed as "Flags";
 *            presumably written by MpClient as well.
 */
typedef struct params_t_
{
    int first;   /* caller-supplied; 16 in this example */
    int second;  /* trust verdict as reported back */
    int third;   /* flags as reported back */
} params_t;
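/*
 * Entry point: ask Windows Defender's client library (MpClient.dll) for its
 * trust verdict on the single file named on the command line and print it.
 *
 * Usage: <exe> <path>
 *
 * Returns 0 when a verdict was obtained and printed, 1 on any failure
 * (bad arguments, MpClient.dll not loadable, export missing, file not
 * openable, or a non-zero status from MpQueryFileTrustByHandle).
 *
 * Fixes relative to the original gist:
 *  - int main: "void main" is not standard C, and the exit status is now
 *    usable from scripts.
 *  - LoadLibraryW is called explicitly. The path is an L"..." wide string,
 *    so the LoadLibrary macro only matched it when UNICODE happened to be
 *    defined; with a narrow build it silently passed the wrong pointer type.
 *  - The INVALID_HANDLE_VALUE test on the HMODULE is dropped: LoadLibrary
 *    reports failure with NULL only.
 *  - CreateFileA's result is checked before the handle is handed to
 *    MpClient; previously INVALID_HANDLE_VALUE was passed straight through.
 *  - params is zero-initialised, so the printf after the call never reads
 *    uninitialised 'second'/'third' when the query fails.
 *  - The file handle and the module are released on every exit path, and
 *    an unrecognised verdict value is reported instead of silently ignored.
 *
 * NOTE(review): the verdict is whatever MpClient reports at query time;
 * nothing here verifies the file's own signature, so "trusted" should not be
 * treated as an allow-list decision on its own.
 */
int main(int argc, char **argv)
{
    int exit_code = 1;
    int retVal = 0;
    HMODULE hDefender = NULL;
    HANDLE hFile = INVALID_HANDLE_VALUE;
    /* Zero first so every field has a defined value even if the call fails.
     * 'first' = 16 is carried over from the original example; its meaning is
     * not publicly documented, so leave it unless verified against MpClient. */
    params_t params = {0};
    _MpQueryFileTrustByHandle MpQueryFileTrustByHandle = NULL;

    if (argc != 2) {
        printf("Usage: %s <path>\n", argv[0]);
        return 1;
    }

    /* Absolute path on purpose: loading "MpClient.dll" by bare name would go
     * through the DLL search order and could pick up a planted copy. */
    hDefender = LoadLibraryW(L"C:\\program files\\Windows Defender\\MpClient.dll");
    if (hDefender == NULL) {
        printf("Error loading mpclient (GetLastError=%lu)\n",
               (unsigned long)GetLastError());
        return 1;
    }
    printf("MpClient loaded at %p\n", (void *)hDefender);

    /* Undocumented export: there is no header or import library, so it has
     * to be resolved by name at runtime. */
    MpQueryFileTrustByHandle =
        (_MpQueryFileTrustByHandle)GetProcAddress(hDefender, "MpQueryFileTrustByHandle");
    if (MpQueryFileTrustByHandle == NULL) {
        printf("GetProcAddress failed for MpQueryFileTrustByHandle\n");
        goto cleanup;
    }
    printf("MpQueryFileTrustByHandle at %p\n", (void *)MpQueryFileTrustByHandle);

    printf("Checking rep for: %s\n", argv[1]);
    hFile = CreateFileA(argv[1], GENERIC_READ, FILE_SHARE_READ, NULL,
                        OPEN_EXISTING, 0, NULL);
    if (hFile == INVALID_HANDLE_VALUE) {
        printf("CreateFileA failed for %s (GetLastError=%lu)\n",
               argv[1], (unsigned long)GetLastError());
        goto cleanup;
    }
    printf("File handle: %p\n", hFile);

    params.first = 16;
    retVal = MpQueryFileTrustByHandle(hFile, &params, NULL, NULL);
    /* %x wants an unsigned argument; cast so the format matches. */
    printf("Ret: %x, Trust: %d, Flags: %x\n",
           (unsigned)retVal, params.second, (unsigned)params.third);
    if (retVal != 0) {
        goto cleanup;
    }

    /* Verdict codes as interpreted by the original authors of this example
     * (the API is undocumented): 0 = trusted, -1 = unknown, -2 = malicious.
     * Anything else is reported rather than dropped on the floor. */
    switch (params.second) {
    case 0:
        printf("Result: file trusted\n");
        break;
    case -1:
        printf("Result: file unknown\n");
        break;
    case -2:
        printf("Result: file malicious\n");
        break;
    default:
        printf("Result: unrecognised trust value %d\n", params.second);
        break;
    }
    exit_code = 0;

cleanup:
    if (hFile != INVALID_HANDLE_VALUE) {
        CloseHandle(hFile);
    }
    FreeLibrary(hDefender);
    return exit_code;
}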