Skip to content

Instantly share code, notes, and snippets.

@WKL-Sec
Created February 9, 2024 13:47
Show Gist options
  • Save WKL-Sec/a309b10a489c51deefc128adab13eee7 to your computer and use it in GitHub Desktop.
Save WKL-Sec/a309b10a489c51deefc128adab13eee7 to your computer and use it in GitHub Desktop.
This C++ code snippet demonstrates how to verify if an executable is launched by explorer.exe to enhance security during red team operations.
# White Knight Labs - Offensive Development
# Guardrails - Parent Process Check
#include <windows.h>
#include <tlhelp32.h>
#include <psapi.h>
#include <tchar.h>
#include <iostream>
// Function to get the ID of the parent process
DWORD GetParentProcessID() {
HANDLE hSnapshot;
PROCESSENTRY32 pe32;
DWORD ppid = 0, pid = GetCurrentProcessId();
hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hSnapshot == INVALID_HANDLE_VALUE) return 0;
pe32.dwSize = sizeof(PROCESSENTRY32);
if (Process32First(hSnapshot, &pe32)) {
do {
if (pe32.th32ProcessID == pid) {
ppid = pe32.th32ParentProcessID;
break;
}
} while (Process32Next(hSnapshot, &pe32));
}
CloseHandle(hSnapshot);
return ppid;
}
// Function to check if the parent process is explorer.exe
bool IsParentExplorer() {
DWORD parentPID = GetParentProcessID();
TCHAR szProcessName[MAX_PATH] = TEXT("<unknown>");
bool isExplorer = false;
HANDLE hParentProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, parentPID);
if (hParentProcess) {
HMODULE hMod;
DWORD cbNeeded;
if (EnumProcessModules(hParentProcess, &hMod, sizeof(hMod), &cbNeeded)) {
GetModuleBaseName(hParentProcess, hMod, szProcessName, sizeof(szProcessName) / sizeof(TCHAR));
// Check if the parent process name is explorer.exe
isExplorer = (_tcsicmp(szProcessName, TEXT("explorer.exe")) == 0);
}
CloseHandle(hParentProcess);
}
return isExplorer;
}
int main() {
if (!IsParentExplorer()) {
std::cout << "This program must be run from explorer.exe. Exiting..." << std::endl;
return 1; // Exit the program
}
std::cout << "Program started successfully from explorer.exe." << std::endl;
// Add your program logic here...
return 0;
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment