I’ve spent a while researching malware detection, and today I found a Windows Defender loader (an old project by Tavis Ormandy for Black Hat USA). Project URL:
Testing.
I. Installation
- Install git to clone the project:
sudo apt install git
- Install the 32-bit libraries needed to build the project:
sudo apt install libc6-dev:i386 gcc-multilib libreadline-dev:i386
- Install cabextract to unpack the latest engine, which is downloaded from Microsoft’s site:
sudo apt install cabextract
II. Build project
- Clone:
git clone https://github.com/taviso/loadlibrary && cd loadlibrary
- Compile the source code:
make
- Open a browser and download the file https://go.microsoft.com/fwlink/?LinkID=121721&arch=x86. The file name is mpam-fe.exe.
- Copy the downloaded file into the project’s engine folder:
loadlibrary/engine
- Extract the files:
cd engine && cabextract mpam-fe.exe
III. Test scanner
- Create a Meterpreter payload with msfvenom:
msfvenom -p windows/x64/meterpreter_reverse_tcp lhost=127.0.0.1 lport=8888 -f exe -o meter.exe
- Scan the binary:
./mpclient <path to binary>
Extra test with Mirai samples.
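Scanning one file at a time with ./mpclient gets tedious once you have a folder of Meterpreter builds or Mirai samples, so here is a small batch wrapper. This is an added example, not part of the original post or of the loadlibrary project. It assumes ./mpclient has been built in the loadlibrary checkout with the engine extracted under engine/, and it assumes mpclient reports hits on a line of the form "EngineScanCallback(): Threat <name> identified." (the format shown in the project README; treat the regex as an assumption and adjust it if your build prints something different). Each scan is bounded with timeout as a precaution so one misbehaving sample cannot stall the whole batch.

```shell
#!/bin/sh
# Added example: batch-scan a directory with mpclient and summarise verdicts.
# Assumes ./mpclient exists in the loadlibrary checkout (override with MPCLIENT=...).
MPCLIENT=${MPCLIENT:-./mpclient}
SCAN_TIMEOUT=${SCAN_TIMEOUT:-120}

# threat_name: read mpclient output on stdin and print the first reported threat
# name, or nothing if no "Threat ... identified." line is present.
# The line format is an assumption based on mpclient's EngineScanCallback() output.
threat_name() {
    sed -n 's/^EngineScanCallback(): Threat \(.*\) identified\.$/\1/p' | head -n 1
}

# scan_file <path>: run mpclient on one file and print "<path><TAB><verdict>".
scan_file() {
    f=$1
    name=$(timeout "$SCAN_TIMEOUT" "$MPCLIENT" "$f" 2>&1 | threat_name)
    if [ -n "$name" ]; then
        printf '%s\t%s\n' "$f" "DETECTED: $name"
    else
        printf '%s\t%s\n' "$f" "clean"
    fi
}

# scan_dir <dir>: scan every regular file in <dir> and print a summary line.
scan_dir() {
    total=0
    hits=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        total=$((total + 1))
        line=$(scan_file "$f")
        case $line in
            *DETECTED:*) hits=$((hits + 1)) ;;
        esac
        echo "$line"
    done
    echo "scanned $total files, $hits detected"
}

# Usage: ./scan_dir.sh <directory-of-samples>
if [ $# -gt 0 ]; then
    scan_dir "$1"
fi
```

Run it as ./scan_dir.sh samples/ from the loadlibrary directory. Because the verdict is taken only from the Threat line, a sample the engine fails to open is reported as clean, so compare the "scanned N files" count against the number of files you expected when reading the summary.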
IV. Real world?
- This should be used for research purposes only; a real-world product built on it could be illegal.
Windows Defender sucks, why da fuxx you test it?
No, it isn’t bad anymore.