WKL-Sec · February 9, 2024 13:47
diff --git a/ParentProcessValidator.cpp b/ParentProcessValidator.cpp
 # White Knight Labs - Offensive Development
 # Guardrails - Parent Process Check

 #include <windows.h>
 #include <tlhelp32.h>
 #include <psapi.h>
 #include <tchar.h>
 #include <iostream>

 // Function to get the ID of the parent process
 DWORD GetParentProcessID() {
    HANDLE hSnapshot;
    PROCESSENTRY32 pe32;
    DWORD ppid = 0, pid = GetCurrentProcessId();

    hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE) return 0;

    pe32.dwSize = sizeof(PROCESSENTRY32);
    if (Process32First(hSnapshot, &pe32)) {
        do {
            if (pe32.th32ProcessID == pid) {
                ppid = pe32.th32ParentProcessID;
                break;
            }
        } while (Process32Next(hSnapshot, &pe32));
    }

    CloseHandle(hSnapshot);
    return ppid;
 }

 // Function to check if the parent process is explorer.exe
 bool IsParentExplorer() {
    DWORD parentPID = GetParentProcessID();
    TCHAR szProcessName[MAX_PATH] = TEXT("<unknown>");
    bool isExplorer = false;

    HANDLE hParentProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, parentPID);
    if (hParentProcess) {
        HMODULE hMod;
        DWORD cbNeeded;
        if (EnumProcessModules(hParentProcess, &hMod, sizeof(hMod), &cbNeeded)) {
            GetModuleBaseName(hParentProcess, hMod, szProcessName, sizeof(szProcessName) / sizeof(TCHAR));
            // Check if the parent process name is explorer.exe
            isExplorer = (_tcsicmp(szProcessName, TEXT("explorer.exe")) == 0);
        }
        CloseHandle(hParentProcess);
    }

    return isExplorer;
 }

 int main() {
    if (!IsParentExplorer()) {
        std::cout << "This program must be run from explorer.exe. Exiting..." << std::endl;
        return 1; // Exit the program
    }

    std::cout << "Program started successfully from explorer.exe." << std::endl;
    // Add your program logic here...

    return 0;
 }
	# White Knight Labs - Offensive Development
	# Guardrails - Parent Process Check

	#include <windows.h>
	#include <tlhelp32.h>
	#include <psapi.h>
	#include <tchar.h>
	#include <iostream>

	// Function to get the ID of the parent process
	DWORD GetParentProcessID() {
	HANDLE hSnapshot;
	PROCESSENTRY32 pe32;
	DWORD ppid = 0, pid = GetCurrentProcessId();

	hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
	if (hSnapshot == INVALID_HANDLE_VALUE) return 0;

	pe32.dwSize = sizeof(PROCESSENTRY32);
	if (Process32First(hSnapshot, &pe32)) {
	do {
	if (pe32.th32ProcessID == pid) {
	ppid = pe32.th32ParentProcessID;
	break;
	}
	} while (Process32Next(hSnapshot, &pe32));
	}

	CloseHandle(hSnapshot);
	return ppid;
	}

	// Function to check if the parent process is explorer.exe
	bool IsParentExplorer() {
	DWORD parentPID = GetParentProcessID();
	TCHAR szProcessName[MAX_PATH] = TEXT("<unknown>");
	bool isExplorer = false;

	HANDLE hParentProcess = OpenProcess(PROCESS_QUERY_INFORMATION \| PROCESS_VM_READ, FALSE, parentPID);
	if (hParentProcess) {
	HMODULE hMod;
	DWORD cbNeeded;
	if (EnumProcessModules(hParentProcess, &hMod, sizeof(hMod), &cbNeeded)) {
	GetModuleBaseName(hParentProcess, hMod, szProcessName, sizeof(szProcessName) / sizeof(TCHAR));
	// Check if the parent process name is explorer.exe
	isExplorer = (_tcsicmp(szProcessName, TEXT("explorer.exe")) == 0);
	}
	CloseHandle(hParentProcess);
	}

	return isExplorer;
	}

	int main() {
	if (!IsParentExplorer()) {
	std::cout << "This program must be run from explorer.exe. Exiting..." << std::endl;
	return 1; // Exit the program
	}

	std::cout << "Program started successfully from explorer.exe." << std::endl;
	// Add your program logic here...

	return 0;
	}