Skip to content

Instantly share code, notes, and snippets.

@WKL-Sec
WKL-Sec / get_current_process_image_filename_peb.cpp
Created May 6, 2024 16:51
Retrieve the current process's image file name using the Process Environment Block (PEB) in C++.
// White Knight Labs
// By Stigs
// Offensive Development Course - Filename Check with PEB
#include <iostream>
#include <Windows.h>
#include <winternl.h>
// Function to get the current process image file name using PEB
std::wstring GetCurrentProcessImageFileName()
@WKL-Sec
WKL-Sec / Obfuscation_Stub.cpp
Created April 24, 2024 15:48
Example C++ shellcode decoder stub using XOR, NOT, ADD operations to obfuscate and encode a calculator payload.
# White Knight Labs
# Offensive Development Course - Shellcode Decoder Stub
# Author: Stigs
#include <iostream>
#include <vector>
#include <iomanip>
#include <random>
// Modified function to apply obfuscation on shellcode using a dynamic XOR value
@WKL-Sec
WKL-Sec / DeobfuscateByteArrayInlineAsm.cpp
Last active March 15, 2024 09:02
This C++ code snippet demonstrates a method for deobfuscating a byte array using inline assembly. It intricately applies a series of bitwise NOT, decrement, and XOR operations on each byte of the array.
// White Knight Labs - Offensive Development Course
// String Deobfuscation with Inline-Assembly
// Based on - https://gist.github.com/WKL-Sec/e24830ebfafabc283bd9329e79f71164
#include <iostream>
#include <string>
#include <sstream>
#include <vector>
@WKL-Sec
WKL-Sec / StringObfuscationTechnique.cpp
Created March 7, 2024 15:49
This code snippet demonstrates a simple yet effective string obfuscation technique using a combination of XOR, NOT, and ADD operations.
// White Knight Labs - Offensive Development Course
// String Obfuscation
#include <iostream>
#include <string>
// Function to apply XOR, then NOT, and finally ADD 1 for obfuscation
std::string obfuscateString(const std::string& input) {
std::string output = input;
@WKL-Sec
WKL-Sec / FuncAddrResolver.cpp
Created March 6, 2024 13:00
Dynamically retrieves the OpenProcess function address by parsing the kernel32.dll export table using Inline Assembly.
// White Knight Labs - Offensive Development
// Inline Assembly - Get Function Address
#include <iostream>
#include <windows.h>
// Function definition
void* GetFunctionAddress(const char* functionName) {
void* getFunctionAddr = nullptr;
@WKL-Sec
WKL-Sec / GetProcAddressAlternative.cpp
Created February 28, 2024 18:22
Efficiently locates API addresses within modules without relying on GetProcAddress, enhancing stealth in payload deployment.
// White Knight Labs - Offensive Development Course
// GetProcAddress Replacement
#include <windows.h>
#include <iostream>
typedef FARPROC (*pAPIFinder)(IN HMODULE modHandle, IN LPCSTR apiName);
FARPROC APIFinder(IN HMODULE modHandle, IN LPCSTR apiName) {
PBYTE baseAddr = (PBYTE)modHandle;
@WKL-Sec
WKL-Sec / DynamicAPIResolver.cpp
Created February 28, 2024 17:56
Demonstrates dynamic resolution of OpenProcess API to bypass IAT, suitable for advanced payload development.
// White Knight Labs - Offensive Development Course
// IAT Table Bypass - GetProcAddress
#include <windows.h>
#include <iostream>
// Typedef for the OpenProcess function
typedef HANDLE (WINAPI *pOpenProcess)(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId);
int main() {
@WKL-Sec
WKL-Sec / Kernel32BaseAddrRetrieval.cpp
Created February 27, 2024 20:22
Retrieves the base address of kernel32.dll using x64 assembly in C++
#include <iostream>
#include <windows.h>
void* GetBaseAddressOfKernel32() {
void* kernel32BaseAddress = nullptr;
__asm {
mov rdi, 0xFFFFFFFFFFFFFFFF // Set RDI to -1
inc rdi // Increment RDI to 0
mov rax, 0 // Zero out RAX
@WKL-Sec
WKL-Sec / IndirectSyscall.c
Created February 27, 2024 17:24
Indirect Syscall implementation in C to execute our shellcode.
#include <Windows.h>
#include "winternl.h"
#pragma comment(lib, "ntdll")
UINT_PTR sysAddrNtAllocateVirtualMemory;
UINT_PTR sysAddrNtWriteVirtualMemory;
UINT_PTR sysAddrNtCreateThreadEx;
UINT_PTR sysAddrNtWaitForSingleObject;
@WKL-Sec
WKL-Sec / DoubleXOREncryption.cpp
Created February 26, 2024 19:30
Simple C++ implementation of double XOR encryption for string obfuscation, showcasing encryption and decryption with two keys.
// White Knight Labs - Offensive Development Course
// String Enbcryption- Double XOR
#include <iostream>
#include <string>
// Function to apply XOR operation between the message and a key
std::string xorEncryptDecrypt(const std::string& text, const std::string& key) {
std::string result = text; // Start with the original text