WKL-Sec · May 6, 2024 16:51
diff --git a/get_current_process_image_filename_peb.cpp b/get_current_process_image_filename_peb.cpp
 // White Knight Labs
 // By Stigs
 // Offensive Development Course - Filename Check with PEB

 #include <iostream>
 #include <Windows.h>
 #include <winternl.h>

 // Function to get the current process image file name using PEB
 std::wstring GetCurrentProcessImageFileName()
 {
    // Get a handle to the current process
    HANDLE hProcess = GetCurrentProcess();

    // Get PEB address using GS segment register
    PPEB pebAddress = nullptr;
    __asm {
        mov rax, qword ptr gs:[0x60]  // Offset 0x60 is the PEB address for x64 processes
        mov pebAddress, rax
    }

    // Check if PEB address is valid
    if (pebAddress != nullptr)
    {
        // Read the ProcessParameters field from the PEB
        RTL_USER_PROCESS_PARAMETERS* params = nullptr;
        if (ReadProcessMemory(hProcess, &pebAddress->ProcessParameters, &params, sizeof(params), nullptr))
        {
            // Read the ImagePathName field from the ProcessParameters
            WCHAR imagePathName[MAX_PATH];
            if (ReadProcessMemory(hProcess, params->ImagePathName.Buffer, imagePathName, MAX_PATH * sizeof(WCHAR), nullptr))
            {
                return std::wstring(imagePathName);
            }
        }
    }

    // Return an empty string if we couldn't retrieve the image file name
    return L"";
 }

 int main()
 {
    // Get the current process image file name
    std::wstring currentProcessImageFileName = GetCurrentProcessImageFileName();

    // Check if the process image file name is "test.exe"
    if (currentProcessImageFileName.find(L"test.exe") == std::wstring::npos)
    {
        std::wcerr << L"Invalid process image file name. Exiting." << std::endl;
        return 1; // Exit with an error code
    }

    // Proceed with the execution of the main function

    // Print out the image file name
    std::wcout << L"Current process image file name: " << currentProcessImageFileName << std::endl;

    return 0;
 }
	// White Knight Labs
	// By Stigs
	// Offensive Development Course - Filename Check with PEB

	#include <iostream>
	#include <Windows.h>
	#include <winternl.h>

	// Function to get the current process image file name using PEB
	std::wstring GetCurrentProcessImageFileName()
	{
	// Get a handle to the current process
	HANDLE hProcess = GetCurrentProcess();

	// Get PEB address using GS segment register
	PPEB pebAddress = nullptr;
	__asm {
	mov rax, qword ptr gs:[0x60] // Offset 0x60 is the PEB address for x64 processes
	mov pebAddress, rax
	}

	// Check if PEB address is valid
	if (pebAddress != nullptr)
	{
	// Read the ProcessParameters field from the PEB
	RTL_USER_PROCESS_PARAMETERS* params = nullptr;
	if (ReadProcessMemory(hProcess, &pebAddress->ProcessParameters, &params, sizeof(params), nullptr))
	{
	// Read the ImagePathName field from the ProcessParameters
	WCHAR imagePathName[MAX_PATH];
	if (ReadProcessMemory(hProcess, params->ImagePathName.Buffer, imagePathName, MAX_PATH * sizeof(WCHAR), nullptr))
	{
	return std::wstring(imagePathName);
	}
	}
	}

	// Return an empty string if we couldn't retrieve the image file name
	return L"";
	}

	int main()
	{
	// Get the current process image file name
	std::wstring currentProcessImageFileName = GetCurrentProcessImageFileName();

	// Check if the process image file name is "test.exe"
	if (currentProcessImageFileName.find(L"test.exe") == std::wstring::npos)
	{
	std::wcerr << L"Invalid process image file name. Exiting." << std::endl;
	return 1; // Exit with an error code
	}

	// Proceed with the execution of the main function

	// Print out the image file name
	std::wcout << L"Current process image file name: " << currentProcessImageFileName << std::endl;

	return 0;
	}