C++ execution guardrail keyed on the running process's executable file name
// quick and dirty C++ execution guardrail on executing process file name, inspired by @0xHop av evasion post
// https://0xhop.github.io/evasion/2021/04/19/evasion-pt1/
#include <Windows.h>
#include <cstdio>
#include <cwchar>
#include <cwctype>
#include <string>
#define MAX_PATH 512
// check whether our program has been renamed; if so it may be running in a sandbox or under analysis
// from https://0xpat.github.io/Malware_development_part_2/
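// Case-insensitive equality of two wide strings, folding each code unit with towlower().
// Windows file names are case-insensitive, so "FOO.EXE" and "foo.exe" launch the same
// binary; a plain wcscmp would make the guardrail bail on a legitimately started process.
// NOTE(review): towlower() is not NTFS's upcase table - adequate for ASCII exe names,
// confirm if non-ASCII names are ever expected.
static bool equalsIgnoreCase (const wchar_t* a, const wchar_t* b)
{
    for (;; ++a, ++b) {
        if (towlower ((wint_t)*a) != towlower ((wint_t)*b)) return false;
        if (*a == L'\0') return true;   // both ended together
    }
}

// File-name component of a full path (text after the last backslash), or the whole
// string when there is no backslash. Never returns NULL, unlike wcsrchr()+1 on a miss.
static const wchar_t* baseName (const wchar_t* fullPath)
{
    const wchar_t* slash = wcsrchr (fullPath, L'\\');
    return slash ? slash + 1 : fullPath;
}

// Execution guardrail on the running executable's file name.
//
// Returns true only when the basename of the current module path (GetModuleFileNameW
// with hModule NULL) equals exeName, ignoring case. Returns false when the name differs,
// when exeName is NULL, when the path cannot be retrieved, or when the path was
// truncated - a truncated path has no trustworthy basename, so it is treated as a miss.
//
// Parameter is LPCWSTR rather than LPCTSTR: the body is wide-only (wide literals,
// GetModuleFileNameW), so the non-UNICODE expansion of LPCTSTR never compiled anyway;
// under UNICODE the two types are identical.
//
// Fixes vs. the original: the buffer size passed to GetModuleFileNameW was MAX_PATH + 1
// for a MAX_PATH-sized array (one-element overflow on a long path); the return value was
// never checked; wcsrchr()+1 was dereferenced without a NULL check; and wcsstr() did a
// substring match, accepting e.g. "notisNamedRight.exe" or "isNamedRight.exe.tmp".
//
// This remains a weak guardrail: an analyst who renames the sample back, or patches the
// compare, bypasses it. Treat it as one layer, not a defence.
bool isNamedRight (LPCWSTR exeName)
{
    if (exeName == NULL) return false;

    wchar_t currentProcessPath[MAX_PATH] = { 0 };
    // Real element count of the array, so the API can never write past its end.
    const DWORD capacity = (DWORD)(sizeof currentProcessPath / sizeof currentProcessPath[0]);
    // https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-getmodulefilenamew
    const DWORD length = GetModuleFileNameW (NULL, currentProcessPath, capacity);

    wprintf (L"Expected exe name is: %ws\n", exeName);

    // 0 => the call failed; length == capacity => the path was truncated
    // (ERROR_INSUFFICIENT_BUFFER). Either way the buffer is not a complete path.
    if (length == 0 || length >= capacity) {
        wprintf (L"FALSE - could not read the current process path\n");
        return false;
    }

    const wchar_t* tempName = baseName (currentProcessPath);
    if ( !equalsIgnoreCase (tempName, exeName) )
    {
        wprintf (L"FALSE - does not match our expect exe name of: %ws\n", exeName);
        // our current exe name DOES NOT match, bail out!
        return false;
    }
    wprintf (L"TRUE - Exe name is: %ws\n", exeName);
    // our current exe name matches what we expected, keep going!
    return true;
}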
// Entry point: run the guardrail and exit with status 1 when the executable has been
// renamed away from "isNamedRight.exe"; otherwise fall through to the payload.
int main () {
    if ( !isNamedRight (L"isNamedRight.exe") ) {
        // bail out!
        wprintf (L"Bail out!");
        return 1;
    }
    wprintf (L"We are named correctly!");
    // do something evil
    return 0;
}