White Knight Labs WKL-Sec
WKL-Sec
/ DLL_Sideloading_Protection_Example.cpp
Created
January 17, 2024 17:00
This C++ code example is part of the White Knight Labs Offensive Development Course materials. A straightforward C++ code snippet demonstrating how to prevent DLL sideloading by validating the calling executable. It uses a whitelist approach to ensure only specified executables can load the DLL.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <windows.h> | |
| #include <string> | |
| #include <vector> | |
| #include <algorithm> | |
| // White Knight Labs - Offensive Development Course | |
| // DLL Guardrails Example | |
| // This function extracts the file name from a given path | |
| // It is used later to determine the executable name loading the DLL. |
WKL-Sec
/ KillDateProtect.cpp
Created
January 24, 2024 16:14
Example of DLL code designed for protecting C2 payloads by disabling them after a predefined 'kill date', ensuring secure and time-controlled operations.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <windows.h> | |
| #include <iostream> | |
| #include <chrono> | |
| #include <ctime> | |
| #include <sstream> | |
| // White Knight Labs - Offensive Development Course | |
| // DLL Kill Date Example | |
| bool parseDate(const std::string& dateStr, std::tm& date) { |
WKL-Sec
/ FolderPathVerificationSample.cpp
Created
February 5, 2024 15:33
Folder Path Verification C++ Sample: A concise C++ example demonstrating how to verify an application's execution path against a specified directory.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # White Knight Labs - Offensive Development Course | |
| # Guardrails - Folder Check | |
| #include <windows.h> // Include Windows-specific headers for system calls | |
| #include <iostream> // Include for input and output stream operations | |
| #include <string> // Include for using string class | |
| #include <algorithm> // Include for standard algorithms, e.g., std::transform | |
| #include <cctype> // Include for character handling functions, e.g., std::tolower | |
| // Function to check if the path of the current executable is under a specified path |
WKL-Sec
/ PEB_Debugger_Detection.cpp
Created
February 7, 2024 12:46
Debugger Detection with PEB Inspection - White Knight Labs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # White Knight Labs - Offensive Development | |
| # Debugger Check - PEB | |
| #include <windows.h> | |
| #include <iostream> | |
| void TriggerBreakpoint() { | |
| __asm { | |
| int 3 // Software Breakpoint | |
| } |
WKL-Sec
/ ParentProcessValidator.cpp
Created
February 9, 2024 13:47
This C++ code snippet demonstrates how to verify if an executable is launched by explorer.exe to enhance security during red team operations.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # White Knight Labs - Offensive Development | |
| # Guardrails - Parent Process Check | |
| #include <windows.h> | |
| #include <tlhelp32.h> | |
| #include <psapi.h> | |
| #include <tchar.h> | |
| #include <iostream> | |
| // Function to get the ID of the parent process |
WKL-Sec
/ AccessViolationHandlerPayloadExecution.cpp
Created
February 12, 2024 17:45
White Knight Labs - Offensive Development Course - Demo of using Exception Filter Function in C++ to catch Access Violations for payload execution and anti-debugging.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // White Knight Labs - Offensive Development Course | |
| // Guardrails - Control Flow & Anti-Debugging | |
| #include <windows.h> | |
| #include <iostream> | |
| // Test function to be called when an access violation occurs | |
| void TestFunction() { | |
| std::cout << "Test function executed after catching access violation." << std::endl; | |
| } |
WKL-Sec
/ IsDebuggerPresentModification.cpp
Created
February 14, 2024 18:47
This C++ code performs an integrity check on the `IsDebuggerPresent` API function in `KERNELBASE.dll` to detect any unauthorized modifications, a technique useful for evading debugging and analysis in cybersecurity operations.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // White Knight Labs - Offensive Development Course | |
| // Anti-Debug Patch Check - KERNELBASE!IsDebuggerPresent function | |
| #include <iostream> | |
| #include <Windows.h> | |
| // Define the expected bytes of the KERNELBASE!IsDebuggerPresent function. | |
| // This array represents the specific sequence of bytes we expect to find at the | |
| // beginning of the IsDebuggerPresent function in a non-modified state. | |
| const unsigned char expectedBytes[] = {0x65, 0x48, 0x8B, 0x04, 0x25, 0x60, 0x00, 0x00, 0x00, 0x0F, 0xB6, 0x40, 0x02, 0xC3}; |
WKL-Sec
/ SystemUserVerification.cpp
Created
February 19, 2024 19:28
This C++ code verifies if a process is running under the SYSTEM account and exits if not.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <windows.h> | |
| #include <sddl.h> | |
| #include <tchar.h> | |
| #include <iostream> | |
| #include <algorithm> | |
| #include <cctype> | |
| // Link with the Advapi32.lib to use Windows Security functions | |
| #pragma comment(lib, "advapi32.lib") |
WKL-Sec
/ DoubleXOREncryption.cpp
Created
February 26, 2024 19:30
Simple C++ implementation of double XOR encryption for string obfuscation, showcasing encryption and decryption with two keys.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // White Knight Labs - Offensive Development Course | |
| // String Enbcryption- Double XOR | |
| #include <iostream> | |
| #include <string> | |
| // Function to apply XOR operation between the message and a key | |
| std::string xorEncryptDecrypt(const std::string& text, const std::string& key) { | |
| std::string result = text; // Start with the original text | |
WKL-Sec
/ IndirectSyscall.c
Created
February 27, 2024 17:24
Indirect Syscall implementation in C to execute our shellcode.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <Windows.h> | |
| #include "winternl.h" | |
| #pragma comment(lib, "ntdll") | |
| UINT_PTR sysAddrNtAllocateVirtualMemory; | |
| UINT_PTR sysAddrNtWriteVirtualMemory; | |
| UINT_PTR sysAddrNtCreateThreadEx; | |
| UINT_PTR sysAddrNtWaitForSingleObject; | |
OlderNewer