Skip to content

rbmm/DisableSvc

Repository files navigation

DisableSvc

for disable service - we need call ChangeServiceConfigW with SERVICE_DISABLED and for this we need open service with SERVICE_CHANGE_CONFIG (0x0002) access right (in worst case we can direct change value in registry and reboot)

for stop service we need call ControlService with SERVICE_CONTROL_STOP and for this we need open service with SERVICE_STOP (0x0020) access right

are we can open service with such rights, depend from service security descriptor and our token but for some services system do additional checks, as described here - https://www.alex-ionescu.com/?paged=2&cat=2 this done inside function ScCheckServiceProtectedProcess the system check are TrustedInstaller service SID exist in caller token ( create this sid via RtlInitUnicodeString + RtlCreateServiceSid and check via CheckTokenMembership ) and if not - RtlTestProtectedAccess will be called, where we fail

(for more details look tvi files (https://github.com/rbmm/DisableSvc/tree/main/TVI) with https://github.com/rbmm/TVI/tree/main/X64 and https://github.com/rbmm/DisableSvc/tree/main/IMG)

so we need have TrustedInstaller SID in token.

early SD for WinDefend look like

D:(A;;CCLCSWRPLOCRRC;;;BU)(A;;CCLCSWRPLOCRRC;;;SY)(A;;CCLCSWRPLOCRRC;;;BA)(A;;CCLCSWRPLOCRRC;;;IU)(A;;CCLCSWRPLOCRRC;;;SU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

DACL: T FL AcessMsK Sid A 00 0002019D [S-1-5-32-545] 'BUILTIN\Users' [Alias] A 00 0002019D [S-1-5-18] 'NT AUTHORITY\SYSTEM' [WellKnownGroup] A 00 0002019D [S-1-5-32-544] 'BUILTIN\Administrators' [Alias] A 00 0002019D [S-1-5-4] 'NT AUTHORITY\INTERACTIVE' [WellKnownGroup] A 00 0002019D [S-1-5-6] 'NT AUTHORITY\SERVICE' [WellKnownGroup] A 00 000F01FF [S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464] 'NT SERVICE\TrustedInstaller' [WellKnownGroup] A 00 000F01FF [S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736] 'NT SERVICE\WinDefend' [WellKnownGroup] SACL: T FL AcessMsK Sid U 80 000F01FF [S-1-1-0] '\Everyone' [WellKnownGroup]

(we can get string sid from sc sdshow windefend and convert it to more redable form with for instance such tool - https://github.com/rbmm/SDDL/blob/master/SDDL.exe)

visible that 'NT SERVICE\TrustedInstaller' have full ( 000F01FF ) access to service, which included SERVICE_CHANGE_CONFIG|SERVICE_STOP (0x0022) access right

but than service SD is changed to

D:(A;;CCLCSWRPLOCRRC;;;BU)(A;;CCLCSWRPLOCRRC;;;SY)(A;;CCLCSWRPLOCRRC;;;BA)(A;;CCLCSWRPLOCRRC;;;IU)(A;;CCLCSWRPLOCRRC;;;SU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

DACL: T FL AcessMsK Sid A 00 0002019D [S-1-5-32-545] 'BUILTIN\Users' [Alias] A 00 0002019D [S-1-5-18] 'NT AUTHORITY\SYSTEM' [WellKnownGroup] A 00 0002019D [S-1-5-32-544] 'BUILTIN\Administrators' [Alias] A 00 0002019D [S-1-5-4] 'NT AUTHORITY\INTERACTIVE' [WellKnownGroup] A 00 0002019D [S-1-5-6] 'NT AUTHORITY\SERVICE' [WellKnownGroup] A 00 000F01FF [S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736] 'NT SERVICE\WinDefend' [WellKnownGroup] SACL: T FL AcessMsK Sid U 80 000F01FF [S-1-1-0] '\Everyone' [WellKnownGroup]

so now - TrustedInstaller no more any access to windefend - and we must have 'NT SERVICE\WinDefend' sid in token. but still need have 'NT SERVICE\TrustedInstaller' too, for not fail in ScCheckServiceProtectedProcess

so main task in got such token. if we have debug privilege it token, this is not hard task really. we not need start TrustedInstaller and got it token. we simply need found process with token where, exist SE_CREATE_TOKEN_PRIVILEGE and impersonate with it. after this we can create by self any token. token with 'NT SERVICE\TrustedInstaller' as well also not heed hardcode any process name (lsass.exe) simply need open processes tokens and check - are token have required for us privilege set or/and another properties ( tcb, system luid, etc)

and for stop/disable services which not let 'NT SERVICE\TrustedInstaller' do this by self SD - we have 2 ways - of create and set token with required SID or change service SD better first try set SID in self token (create new token and impersonate with it) than try change something in registry however change SD in registry also must work

possible run https://github.com/rbmm/DisableSvc/tree/main/x64 app without params, in this case it try stop and disable next services:

			static const PCWSTR lpAVServices[] = {
				L"wscsvc", // Windows Security Center
				L"WinDefend", // Microsoft Defender Antivirus Service
				L"Sense", // Windows Defender Advanced Threat Protection Service
				L"WdNisSvc", // Microsoft Defender Antivirus Network Inspection Service
      				L"WdNisDrv", // Microsoft Defender Antivirus Network Inspection System Driver
			        L"WdBoot", // Microsoft Defender Antivirus Boot Driver
      				L"WdFilter", // Microsoft Defender Antivirus Mini-Filter Driver
				L"mpssvc", // Windows Defender Firewall
				L"BFE", // Base Filtering Engine
				0
			};

			static const PCWSTR lpUpdateServices[] = {
				L"wuauserv", // Windows Update
				L"UsoSvc", // Update Orchestrator Service
				L"DoSvc", // Delivery Optimization
                                    L"WaaSMedicSvc", // 
				L"edgeupdate", // Microsoft Edge Update Service (edgeupdate)
				0
			};

or use cmd line for direct set what to disable:

btsp *flags[*srv1[*svc2...]

flags:

1 - disable AV related services 2 - disable update related services 4 - different aux services

About

No description, website, or topics provided.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published