Note: First of all, the tool I use below is blocked by Defender. To bring this tool onto Windows, you have to obfuscate the relevant code or get it marked as allowed through social engineering.
Prerequisites
- Blackout Tool
- Visual Studio IDE
- Process Explorer
In this article, I will explain how to bypass (disable) Microsoft Defender. First of all, if we try to kill Microsoft Defender under normal conditions, we will see that it cannot be killed.
To perform these actions, I am going to use the Sysinternals tool, Process Explorer, instead of Task Manager. You can easily access this tool from live.sysinternals.com.
Microsoft Defender’s process name is “MsMpEng”. Let’s make a note of Defender’s Process ID here. Then let’s start an elevated command prompt and try to kill the MsMpEng.exe process.
As we can see, we cannot kill Defender with a privileged account under normal conditions.
Now let’s download the Blackout Tool from GitHub. We can download the Blackout tool by clicking Code > Download ZIP in the web interface or by using this command:
git clone https://github.com/ZeroMemoryEx/Blackout
The contents of the downloaded file are as follows.
We will compile the blackout.sln file and get an .exe file with the same name. I am going to use Visual Studio Community, the free edition of Visual Studio, for the compilation. After opening the solution in VS, we click the green build button.
After the build completes, when we look at the contents of the folder, we see that a new directory named x64 has been added and a PE named blackout.exe has been created in it.
Afterwards, the Blackout.sys driver file from the Driver folder and the Blackout.exe PE must be placed in the same directory.
Then all we have to do is run this .exe from CMD, passing it the process ID of MsMpEng.exe, that is, Defender.
As you can see, the text “Defender Terminated” appeared. When we check again in Process Explorer, we see that the Defender process has been killed.
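From the defender’s side, the walkthrough above leaves a few host artifacts worth checking: a kernel driver service backed by Blackout.sys, a missing MsMpEng.exe process, and a service-installation event for the driver. The following triage script is an added example, not code from the original post or from the Blackout project; because the post does not give the driver’s service name, it matches on the file name Blackout.sys instead.

```powershell
# Added example (not from the original post): host triage for the Blackout
# driver technique described above. Run from an elevated PowerShell session.
# Assumption: the kernel service name is unknown, so we match on the image
# name "Blackout.sys" that the post says must sit next to blackout.exe.

$driverName = 'Blackout.sys'

# 1. Is a kernel driver service referencing Blackout.sys registered or running?
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -like "*$driverName*" }
if ($drivers) {
    foreach ($d in $drivers) {
        Write-Warning ("Driver service '{0}' ({1}) state={2} path={3}" -f `
            $d.Name, $d.DisplayName, $d.State, $d.PathName)
    }
} else {
    Write-Host "No kernel driver referencing $driverName is registered."
}

# 2. Is the Defender engine process still alive?
$engine = Get-Process -Name MsMpEng -ErrorAction SilentlyContinue
if ($engine) {
    Write-Host ("MsMpEng.exe is running (PID {0})." -f $engine.Id)
} else {
    Write-Warning 'MsMpEng.exe is not running; Defender may have been terminated.'
}

# 3. Defender's own view of its health (needs the Defender PowerShell module).
$status = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($status) {
    Write-Host ("AMServiceEnabled={0} RealTimeProtectionEnabled={1}" -f `
        $status.AMServiceEnabled, $status.RealTimeProtectionEnabled)
}

# 4. Service-installation events (System log, Event ID 7045) from the last
#    7 days that mention the driver: loading a .sys file as a kernel service
#    creates a new service, which the Service Control Manager logs here.
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } `
    -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Blackout' } |
    ForEach-Object {
        Write-Warning ("{0}: {1}" -f $_.TimeCreated, ($_.Message -replace "`r?`n", ' '))
    }
```

A driver service that survives a reboot will also reappear under step 1 after restart, so the check is worth repeating after remediation.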