White Knight Labs WKL-Sec
WKL-Sec
/ get_current_process_image_filename_peb.cpp
Created
May 6, 2024 16:51
Retrieve the current process's image file name using the Process Environment Block (PEB) in C++.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // White Knight Labs | |
| // By Stigs | |
| // Offensive Development Course - Filename Check with PEB | |
| #include <iostream> | |
| #include <Windows.h> | |
| #include <winternl.h> | |
| // Function to get the current process image file name using PEB | |
| std::wstring GetCurrentProcessImageFileName() |
WKL-Sec
/ Obfuscation_Stub.cpp
Created
April 24, 2024 15:48
Example C++ shellcode decoder stub using XOR, NOT, ADD operations to obfuscate and encode a calculator payload.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # White Knight Labs | |
| # Offensive Development Course - Shellcode Decoder Stub | |
| # Author: Stigs | |
| #include <iostream> | |
| #include <vector> | |
| #include <iomanip> | |
| #include <random> | |
| // Modified function to apply obfuscation on shellcode using a dynamic XOR value |
WKL-Sec
/ DeobfuscateByteArrayInlineAsm.cpp
Last active
March 15, 2024 09:02
This C++ code snippet demonstrates a method for deobfuscating a byte array using inline assembly. It intricately applies a series of bitwise NOT, decrement, and XOR operations on each byte of the array.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // White Knight Labs - Offensive Development Course | |
| // String Deobfuscation with Inline-Assembly | |
| // Based on - https://gist.github.com/WKL-Sec/e24830ebfafabc283bd9329e79f71164 | |
| #include <iostream> | |
| #include <string> | |
| #include <sstream> | |
| #include <vector> |
WKL-Sec
/ StringObfuscationTechnique.cpp
Created
March 7, 2024 15:49
This code snippet demonstrates a simple yet effective string obfuscation technique using a combination of XOR, NOT, and ADD operations.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // White Knight Labs - Offensive Development Course | |
| // String Obfuscation | |
| #include <iostream> | |
| #include <string> | |
| // Function to apply XOR, then NOT, and finally ADD 1 for obfuscation | |
| std::string obfuscateString(const std::string& input) { | |
| std::string output = input; |
WKL-Sec
/ FuncAddrResolver.cpp
Created
March 6, 2024 13:00
Dynamically retrieves the OpenProcess function address by parsing the kernel32.dll export table using Inline Assembly.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // White Knight Labs - Offensive Development | |
| // Inline Assembly - Get Function Address | |
| #include <iostream> | |
| #include <windows.h> | |
| // Function definition | |
| void* GetFunctionAddress(const char* functionName) { | |
| void* getFunctionAddr = nullptr; |
WKL-Sec
/ GetProcAddressAlternative.cpp
Created
February 28, 2024 18:22
Efficiently locates API addresses within modules without relying on GetProcAddress, enhancing stealth in payload deployment.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // White Knight Labs - Offensive Development Course | |
| // GetProcAddress Replacement | |
| #include <windows.h> | |
| #include <iostream> | |
| typedef FARPROC (*pAPIFinder)(IN HMODULE modHandle, IN LPCSTR apiName); | |
| FARPROC APIFinder(IN HMODULE modHandle, IN LPCSTR apiName) { | |
| PBYTE baseAddr = (PBYTE)modHandle; |
WKL-Sec
/ DynamicAPIResolver.cpp
Created
February 28, 2024 17:56
Demonstrates dynamic resolution of OpenProcess API to bypass IAT, suitable for advanced payload development.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // White Knight Labs - Offensive Development Course | |
| // IAT Table Bypass - GetProcAddress | |
| #include <windows.h> | |
| #include <iostream> | |
| // Typedef for the OpenProcess function | |
| typedef HANDLE (WINAPI *pOpenProcess)(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId); | |
| int main() { |
WKL-Sec
/ Kernel32BaseAddrRetrieval.cpp
Created
February 27, 2024 20:22
Retrieves the base address of kernel32.dll using x64 assembly in C++
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <iostream> | |
| #include <windows.h> | |
| void* GetBaseAddressOfKernel32() { | |
| void* kernel32BaseAddress = nullptr; | |
| __asm { | |
| mov rdi, 0xFFFFFFFFFFFFFFFF // Set RDI to -1 | |
| inc rdi // Increment RDI to 0 | |
| mov rax, 0 // Zero out RAX |
WKL-Sec
/ IndirectSyscall.c
Created
February 27, 2024 17:24
Indirect Syscall implementation in C to execute our shellcode.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <Windows.h> | |
| #include "winternl.h" | |
| #pragma comment(lib, "ntdll") | |
| UINT_PTR sysAddrNtAllocateVirtualMemory; | |
| UINT_PTR sysAddrNtWriteVirtualMemory; | |
| UINT_PTR sysAddrNtCreateThreadEx; | |
| UINT_PTR sysAddrNtWaitForSingleObject; | |
WKL-Sec
/ DoubleXOREncryption.cpp
Created
February 26, 2024 19:30
Simple C++ implementation of double XOR encryption for string obfuscation, showcasing encryption and decryption with two keys.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // White Knight Labs - Offensive Development Course | |
| // String Enbcryption- Double XOR | |
| #include <iostream> | |
| #include <string> | |
| // Function to apply XOR operation between the message and a key | |
| std::string xorEncryptDecrypt(const std::string& text, const std::string& key) { | |
| std::string result = text; // Start with the original text | |
NewerOlder