mpenum's Introduction

MpEnum

Enumerate Windows Defender threat families and dump their names according category.

System Requirements

x86/x64 Windows 8/8.1/10;
R/W access to the current directory to be able save results;
Windows Defender Client.

Usage

No specific usage required. Just run compiled executable (in command prompt for better experience).

Dump

Included dump of following versions:

AV Signatures: 1.273.443.0 / 1.273.1601.0 / 1.281.53.0 / 1.293.2098.0
AS Signatures: 1.273.443.0 / 1.273.1601.0 / 1.281.53.0 / 1.293.2098.0
NIS Signatures: 1.273.443.0 / 1.273.1601.0 / 1.281.53.0 / 1.293.2098.0

Note

Several categories are declared obsolete by MS and families moved to other categories (e.g Nuker category) or messed up with different categories for example TrojanDownloader:Win32/Delf, TrojanDownloader:Win32/Admedia and Trojan:Win32/NewCell in PUA category despite they have Trojan/TrojanDownloader family in their names.

Build

MpEnum comes with full source code written in C. Please note that included MpClient.h is build on official available Microsoft documentation with fixes and updates that actually make it work. It maybe different from MS private version. In order to build from source you need Microsoft Visual Studio 2015 and later versions.

Instructions

Select Platform ToolSet first for project in solution you want to build (Project->Properties->General):
- v120 for Visual Studio 2013;
- v140 for Visual Studio 2015;
- v141 for Visual Studio 2017.
For v140 and above set Target Platform Version (Project->Properties->General):
- If v140 then select 8.1 (Note that Windows 8.1 SDK must be installed);
- If v141 then select 10.0.17134.0 (Note that Windows 10.0.17134 SDK must be installed).

Authors

mpenum's People

Contributors

Stargazers

Watchers

mpenum's Issues

What - exactly - is the purpose of this text file?

Thanks!

How can i remove threat using Windows Defender Functions?

Hello!

I am using your code to scan folder.

First I opened windows defender manager using MpManagerOpen. Next I started scanning using MpScanStart function. And then, I enumerated all threats using MpThreatOpen function.

My goal is how to remove these threats using Windows Defender Function.

At MSDN and MPClient.h, there is no threat remove function.

After googling i found MpCleanStart function but i don't know how to use.

Please help me.

Thank you for you help.

This is my code.

    MPHANDLE        w_handle = NULL;
    MPHANDLE        w_scan_handle = NULL;
    MPHANDLE        w_threat_handle = NULL;
    HRESULT         w_result = S_OK;    
    MPSCAN_TYPE     w_type = MPSCAN_TYPE_RESOURCE;
    MPSCAN_RESOURCES w_scan_resource = {0};
    MPRESOURCE_INFO w_resource_info[1] = {0};
    LPWSTR          w_err_msg = NULL;
    MPCALLBACK_DATA w_callback_data;
    PMPTHREAT_INFO  w_threat_info_list = NULL;

    // Open
    w_result = MpManagerOpen(0, &w_handle);
    if (w_result != S_OK)
    {
        goto L_EXIT;
    }

    // Scan
    w_resource_info[0].Path = L"N:\\";
    w_resource_info[0].Scheme = L"folder";
    w_resource_info[0].Class = 0;

    w_scan_resource.dwResourceCount = 1;
    w_scan_resource.pResourceList = w_resource_info;    
    
    w_result = MpScanStart(w_handle, w_type, 0, (PMPSCAN_RESOURCES)&w_scan_resource, NULL, &w_scan_handle);
    if (w_result != S_OK)
    {
        MpErrorMessageFormat(w_handle, w_result, &w_err_msg);
        goto L_EXIT;
    }
    
    // Threat Open
    w_result = MpThreatOpen(w_scan_handle, MPTHREAT_SOURCE_SCAN, MPTHREAT_TYPE_KNOWNBAD, &w_threat_handle);
    if (w_result != S_OK)
    {
        MpErrorMessageFormat(w_handle, w_result, &w_err_msg);
        goto L_EXIT;
    }

    // Threat Enum
    while (TRUE)
    {
        w_result = MpThreatEnumerate(w_threat_handle, &w_threat_info_list);
        if (w_result != S_OK)
        {
            break;
        }
    }
    

    // Remove Threat


L_EXIT:
    if (w_handle)
    {
        MpHandleClose(w_handle);
    }

    if (w_scan_handle)
    {
        MpHandleClose(w_scan_handle);
    }

    if (w_err_msg)
    {
        MpFreeMemory(w_err_msg);
    }
    return w_result;

Recommend Projects

hfiref0x / mpenum Goto Github PK