C++ execution guardrail process name
// quick and dirty C++ execution guardrail on executing process file name, inspired by @0xHop av evasion post | |
// https://0xhop.github.io/evasion/2021/04/19/evasion-pt1/ | |
#include <Windows.h> | |
#include <string> | |
#define MAX_PATH 512 | |
// check if our program has been renamed, if so may be in a sandbox or being analyzed | |
// from https://0xpat.github.io/Malware_development_part_2/ | |
// Self-check that the running executable still carries the expected file name.
// Returns true when exeName occurs in the module's file name, false otherwise;
// main() treats false as "renamed, possibly under analysis" and exits.
// Detection note: this renamed-binary heuristic is a documented sandbox-evasion
// check; analysis environments defeat it simply by keeping the original file name.
// NOTE(review): the defects below are documented inline rather than fixed.
// NOTE(review): assumes UNICODE is defined so LPCTSTR is const wchar_t* — otherwise
// the L"" argument in main() and the wcsstr() call below do not type-check.
bool isNamedRight (LPCTSTR exeName)
{
// NOTE(review): MAX_PATH is #defined to 512 after <Windows.h>, which already defines
// it (260); expect a macro-redefinition warning and an unexpected buffer size.
wchar_t currentProcessPath[MAX_PATH];
wchar_t* tempName;
// https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-getmodulefilenamew
// NOTE(review): the size argument is MAX_PATH + 1 but the buffer has MAX_PATH elements,
// so a sufficiently long module path can be written one element past the end.
// The return value (0 on failure, nSize on truncation) is not checked.
GetModuleFileNameW (NULL, currentProcessPath, MAX_PATH + 1);
//CharUpperW (currentProcessPath);   // left disabled, so the comparison below is case-sensitive
// Point tempName at the character after the last backslash, i.e. the bare file name.
// NOTE(review): wcsrchr() returns NULL when no backslash is present; NULL + 1 and the
// later dereference in wcsstr() are undefined behaviour. Check the result before adding 1.
tempName = wcsrchr (currentProcessPath, L'\\') + 1;
// NOTE(review): wprintf() needs <stdio.h>/<cstdio>; only <string> is included here,
// so this relies on a transitive include — confirm.
wprintf (L"Expected exe name is: %ws\n", exeName);
//if (!wcsstr(currentProcessPath, L"C:\\USERS\\PUBLIC\\")) return false;
// NOTE(review): an automatic array can never compare equal to NULL, so this branch is
// always taken. If it were not, the function would fall off the end without returning
// a value, which is undefined behaviour for a non-void function.
if ( !(currentProcessPath == NULL) ) {
// wcsstr() is a substring test, not an equality test: any file name that merely
// contains exeName (e.g. a longer name with a prefix) is also accepted.
if ( !wcsstr (tempName, exeName) )
{
wprintf (L"FALSE - does not match our expect exe name of: %ws\n", exeName);
// the file name does not contain the expected name: report failure
return FALSE;
}
wprintf (L"TRUE - Exe name is: %ws\n", exeName);
// the file name contains the expected name: report success
// NOTE(review): TRUE/FALSE are int macros returned from a bool function; fine
// since they are 1/0, but true/false would match the declared return type.
return TRUE;
}
}
// Entry point: runs the file-name self-check and exits with status 1 when it fails.
int main () {
bool exeStatus;
// The expected name is hard-coded and matched as a substring of the running
// module's file name (see isNamedRight).
exeStatus = isNamedRight (L"isNamedRight.exe");
// NOTE(review): FALSE is an int macro from <Windows.h> compared against a bool;
// this works because FALSE is 0, but `if (!exeStatus)` is the idiomatic form.
if ( exeStatus == FALSE ) {
// name check failed: stop here with a non-zero exit code
wprintf (L"Bail out!");
return 1;
}
else {
wprintf (L"We are named correctly!");
}
// do something evil
return 0;
}