8yteWizard/DefenderCheck

⚠️ Based on the original DefenderCheck project by matterpreter: https://github.com/matterpreter/DefenderCheck

DefenderCheck (Delphi 12 Edition)

Native binary signature isolation tool using Microsoft Defender.

This is a native Delphi 12 console implementation of a binary bisection technique designed to identify the exact byte region that triggers Microsoft Defender detection.


Overview

DefenderCheck automates binary search against MpCmdRun.exe (Microsoft Defender CLI scanner).

If a file is detected as malicious, the tool:

  1. Loads the file into memory
  2. Uses a binary search algorithm to isolate the offending byte
  3. Scans temporary file segments to determine if they are clean or dirty
  4. Identifies the precise offset where detection occurs
  5. Zeros the 256-byte context (to prevent re-detection)
  6. Outputs a hex dump and signature name
  7. (Optional) Continues scanning the remainder of the file for additional threats

This allows rapid detection analysis and signature research in controlled environments.


Features

  • Native Delphi 12 Implementation: No external DLLs or frameworks required.
  • Binary Search Algorithm: O(log N) scanner invocations for rapid isolation of the bad byte.
  • 256-Byte Zeroing: Neutralizes the byte context to prevent re-detection during analysis.
  • JSON Output: Generates a results.json file containing all detected offsets and signatures.
  • -all Mode: Continuously scans the remaining file after finding the first signature.
  • -debug Mode: Verbose output to trace the binary search process.
  • Stdout Capture: Uses CreateProcessW and pipe redirection to capture Defender output.
  • Automatic Temp Management: Creates files in C:\Temp and cleans them up automatically.

Requirements

  • Microsoft Defender installed (fully removing it via registry keys will cause false negatives)
  • All protection settings can be disabled (real-time protection, cloud submission, etc. can AND SHOULD all be disabled)
  • MpCmdRun.exe available at: C:\Program Files\Windows Defender\MpCmdRun.exe
  • Delphi 12 (or compatible FPC/Lazarus setup) to compile the source.

Example Usage

DefenderCheck.exe payload.exe
DefenderCheck.exe payload.exe -all
DefenderCheck.exe payload.exe debug

Example Output

Target file size: 18432 bytes
Analyzing...

[!] Identified bad byte at offset 0x4A3F
File matched signature: "Backdoor:MSIL/XenoRat.BSA!MTB"

00004930   90 90 90 E8 34 12 00 00 48 65 6C 6C 6F 20 41 56   ....4...Hello AV
00004940   21 21 21 00 00 00 00 00                        !!!.....

[*] Neutralizing detected byte and rescanning...

[!] Identified bad byte at offset 0xAB19
File matched signature: "Backdoor:MSIL/XenoRat.BSA!MTB"

00004930   65 2B 3C 43 6F 6E 6E 65 63 74 53 75 62 53 6F 63   e+<ConnectSubSoc
...

How It Works

The detection logic relies on MpCmdRun.exe exit codes:

Exit Code   Meaning
0           No threat found
2           Threat found
-1          Timeout

The algorithm performs a controlled binary search:

1. Initial Scan: Verify the entire file is dirty.
2. Split: Divide the file size in half (Low vs High).
3. Test: Write the [Low..Mid] segment to disk and scan it.
4. Decision:
   - If Dirty (Exit Code 2): The bad byte is in the left half. Set High = Mid.
   - If Clean (Exit Code 0): The bad byte is in the right half. Set Low = Mid + 1.
5. Repeat: Continue until Low == High (exact byte found).

When the exact byte is found:

  • The tool extracts the 256 bytes preceding the offset.
  • The byte and its context are zeroed (NeutralizeByte).
  • The result is added to a list and (if -all is used) the scan continues on the remaining file.
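The prefix bisection and zeroing steps above, as an added example that is not the DefenderCheck source. It replaces MpCmdRun.exe with a constructed substring-matching stand-in (fake_scan and FAKE_SIGNATURES are assumptions) so the search semantics can be seen offline: because each probe scans the prefix [0..Mid], the offset returned is the last byte the scanner needs, which is why the 256 bytes preceding it are what get zeroed.

```python
"""Added example (not the DefenderCheck source): the prefix bisection the
README describes, run against a simulated scanner instead of MpCmdRun.exe."""
from typing import Callable, List

CLEAN, DIRTY = 0, 2            # MpCmdRun.exe exit codes listed in the README
CONTEXT = 256                  # bytes zeroed before each located offset

# Constructed stand-in for Defender: the "file" is dirty whenever any of these
# byte patterns occurs in it. Real signatures are not this simple.
FAKE_SIGNATURES = [b"Hello AV!!!", b"ConnectSubSoc"]


def fake_scan(data: bytes) -> int:
    """Simulated scanner returning the same exit codes the tool checks."""
    return DIRTY if any(sig in data for sig in FAKE_SIGNATURES) else CLEAN


def find_bad_byte(data: bytes, scan: Callable[[bytes], int]) -> int:
    """Binary search over prefix lengths: the smallest Mid such that
    data[:Mid+1] still scans dirty. Returns -1 when the whole file is clean."""
    if scan(data) != DIRTY:            # step 1: verify the whole file is dirty
        return -1
    low, high = 0, len(data) - 1
    while low < high:                  # step 5: stop when Low == High
        mid = (low + high) // 2        # step 2: split
        if scan(data[:mid + 1]) == DIRTY:   # step 3/4: [Low..Mid] dirty
            high = mid                      # bad byte is in the left half
        else:
            low = mid + 1                   # prefix clean: it is to the right
    return low


def neutralize(data: bytearray, offset: int) -> None:
    """Zero the located byte and the 256 bytes preceding it (NeutralizeByte)."""
    start = max(0, offset - CONTEXT)
    data[start:offset + 1] = bytes(offset + 1 - start)


def find_all(data: bytes, scan: Callable[[bytes], int] = fake_scan) -> List[int]:
    """-all mode: keep bisecting and zeroing until the buffer scans clean."""
    buf = bytearray(data)
    hits: List[int] = []
    while (off := find_bad_byte(bytes(buf), scan)) != -1:
        hits.append(off)
        neutralize(buf, off)
    return hits
```

The search assumes a prefix that still contains the flagged bytes scans dirty; a scanner that keys on whole-file structure rather than byte content can break that assumption, which is one reason results from truncated segments should be confirmed against the full file.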

Project Structure

Core components of the Delphi 12 implementation:

  • RunProcessCapture — Creates a child process, redirects stdout to a pipe, and waits for exit.
  • Scan — Invokes MpCmdRun.exe with specific flags and parses the output for threat signatures.
  • GetHexDumpString — Formats raw bytes into a readable hex + ASCII string.
  • NeutralizeByte — Overwrites a specific index in a TBytes array with 0 (or 255).
  • FindBadBytes — Implements the binary search algorithm and manages the zeroing logic.
  • SafeWriteBytes — Writes temporary byte arrays to C:\Temp with error handling.

Intended Use

  • Detection research
  • AV behavior analysis
  • Binary testing and mutation analysis
  • Lab environments

This tool is intended for defensive research and controlled environments only.


Limitations

  • Disk-based scanning: Writes temporary files to C:\Temp.
  • File Size: Not optimized for very large files (>100MB) due to memory and temp file overhead.
  • Dependent on Defender: Relies on the availability and configuration of Windows Defender CLI.

⚠️ This readme (documentation) was generated with the assistance of AI.

⚠️ All code is human written.

About

Identifies the bytes that Microsoft Defender flags as a threat. Delphi Version
