
BOOL IsParentExplorer()
{
if (HWND hwnd = GetShellWindow())
{
ULONG dwProcessId;
if (GetWindowThreadProcessId(hwnd, &dwProcessId))
{
PROCESS_BASIC_INFORMATION pbi;
if (0 <= NtQueryInformationProcess(NtCurrentProcess(), ProcessBasicInformation, &pbi, sizeof(pbi), 0))
{
WKL-Sec / ParentProcessValidator.cpp
Created February 9, 2024 13:47
This C++ code snippet demonstrates how to verify whether an executable was launched by explorer.exe, as a guardrail to enhance security during red team operations.
# White Knight Labs - Offensive Development
# Guardrails - Parent Process Check
#include <windows.h>
#include <tlhelp32.h>
#include <psapi.h>
#include <tchar.h>
#include <iostream>
// Function to get the ID of the parent process