 

      (  ),    .
    :
* : Windows 10   
* : Windows Defender (  10-).    !
*   -  ,      .       -.
*   -  ,      ,      .


  

1.    
2.            
3.      
4.   
5.       ()
6.    
7.       
8.      
9.       (     %dir%):
    %appdata%\vcmsd\
    default user\%appdata%\vcmcsd
    (.  8     -     )
10.  client ID   %dir%\FAQ
11.   
12.     
13.      client ID
         :
13.1.      client ID  
      (    API ,      
      2018-08-30 10:45:58.323278 1 3 online 
      )
13.2.      system info (    API   
      2018-08-30 10:47:59.642231 systeminfo start 0 63
      )
13.3.      injectDll (    API   
      injectDll 2018-08-30 11:20:26.490341 start Success
      )
14.     

      .       SKIPPED.
SKIPPED    ,     ,     .
        ( ,    ).




    ,       TRUE/FALSE    .

    :
1. archive_static_detect      -       3
2. unarchived_static_detect   -       5
3. proactive_detect           -       7
4. client_installed           -    ( 10)
5. client_knocked             -      ( 13.1)
6. client_sysinfo_loaded      -       13.2
7. client_inject_loaded       -       13.3
8. client_modules_detect      -       14


 

    Powershell   v2.0.    ,  v2.0       Windows 7.

     API (   ).      API
   .


API 

https://185.64.105.33/du8ASnIODJjksdb89fsibndg7s6giosulDSGsdgsyb78s87dgdsgszklj8zgh8dsgisgsdg/clientID_suffix
 clientID_suffix -      FAQ  .
,    C:/users/user/AppData/Roaming/vsmcd/FAQ   DESKTOP-4KGAGIP_W10014393.701EBF802F2CB023A6C24D34D9F31071
 clientID_suffix -   701EBF802F2CB023A6C24D34D9F31071
    HTTP POST

     :
- pass: .    -  f779f60d4868063d462c3f99656a8a6d
- timeout:    ,  .  ,      - 15 .
    ,  "" - "   ".

-     13:02
- ...
-  13:07    ,   timeout,     : 13:07-13:02 == 5.
   ,    (  )
-  13:08     ,   timeout,     : 13:08-13:02 == 6.
   ,    (  )
-  13:09     ,   timeout,     : 13:09-13:02 == 7.
    ,   ,   .      "".

  timeout  ,            ( 15-20 ).
          clientID.      ,    
      ( ,   20      ,     
     --  ;    -      ).


API 

  API   :

1.               %MACHINE%

HTTP POST /some-random-and-long-api-prefix/getfile

:

pass:   -    API. .
machine:   . .         .

: json  :
{
"file_id": 32,				//    
"file": "TVqQAAMAAAAEAAAA//8AA"		//     base64
}

    ,         .
           --
         .

2.       %MACHINE%

HTTP POST /some-random-and-long-api-prefix/setresult

:

pass:   -    API. .
machine:   . .
status: 0|1. .     -  "ok"  "failed" .    .
log:  .   ( ,  64,       )   base64.
file_id: .  ,    .

 ,      ,     .
      ,       ( 24 ),    
 .


 

     ,   PowerShell.     
     (   -        ):
1.  URL    
2.   
3.   
4.  URL 
5.   
6.   
7.     ,   (sleep_every)
8.        
     URL  ,    
9.            1 ( ) (1 )
10.          2 ( )          (1 )
11.          ( )              (5 )
12.            ( )  (5 )
13.            ( )           (15 )
    (    ,   - 13.1, 13.2  -   )
     sysInfo   - 10 
     injectDll - 5 
14.       ,     ( 13-14) ( ) (2 )
   --   ,       - .        ()
 ,       .
        ,       .


    (C-style ):

bool result = false;
time_t started = time(NULL);

while(time(NULL) - started < test_timeout) {
    if(test condition) {
        result = true;
        break;
    }
    sleep(sleep_every);
}

time_t end = time(NULL);

, ,    ,   sleep_every ,      (, ,  ).
  test_timeout   ,       .
 ,  
 true    (  :-(
 false    (  )

 Windows Defender      Event Viewer\Applications and Services Logs\Microsoft\Windows\Windows Defender
    (. https://letitknow.wordpress.com/2012/09/02/powershell-and-the-applications-and-services-logs/):

Get-WinEvent "Microsoft-Windows-Windows Defender/Operational"



 

1.            :

2018-08-14 00:01:02 archive_static_detect started
2018-08-14 00:01:12 archive_static_detect: OK
2018-08-14 00:01:22 unarchived_static_detect started
2018-08-14 00:01:32 unarchived_static_detect: OK
2018-08-14 00:01:42 proactive_detect started
2018-08-14 00:01:52 proactive_detect: FAILED!
2018-08-14 00:02:02 client_installed started
2018-08-14 00:01:12 client_installed: SKIPPED
2018-08-14 00:01:22 client_knocked started
2018-08-14 00:01:32 client_knocked: SKIPPED
2018-08-14 00:01:32 client_sysinfo_loaded started
2018-08-14 00:01:32 client_sysinfo_loaded: SKIPPED
2018-08-14 00:01:32 client_inject_loaded started
2018-08-14 00:01:32 client_inject_loaded: SKIPPED
2018-08-14 00:01:32 client_modules_detect started
2018-08-14 00:01:32 client_modules_detect: SKIPPED

2.      ,    .
3.        (     /)


 

           .

     :
-  Windows    (        ,    )
-   .    , ..      .

      API GitLab.
   2 HTTP :
-    GitLab
-   .

    Unix shell  :
https://stackoverflow.com/questions/47948887/login-to-gitlab-using-curl


,       :
- URL web- GitLab
-   GitLab
- URI     GitLab.

