@@ -14,6 +14,10 @@ using namespace KeyAuth;
1414
1515namespace {
1616
17+ constexpr WinSecRuntime::Mode kSecurityMode = WinSecRuntime::Mode::Paranoid;
18+ constexpr bool kRunPeriodicChecks = true ;
19+ constexpr DWORD kPeriodicCheckMs = 15000 ;
20+
1721std::string tm_to_readable_time (std::tm ctx);
1822std::string remaining_until (const std::string& timestamp);
1923
@@ -39,9 +43,7 @@ std::string nc(const char* literal, std::string_view aad) {
3943 return nigel_string (literal, aad);
4044}
4145
42- bool run_runtime_security () {
43- WinSecRuntime::Policy policy{};
44- policy.mode = WinSecRuntime::Mode::Aggressive;
46+ secure::runtime::Config build_security_config () {
4547 secure::runtime::Config cfg{};
4648
4749 cfg.expected_parent_pid = 0 ;
@@ -50,13 +52,13 @@ bool run_runtime_security() {
5052 cfg.expected_integrity_rid = 0 ;
5153 cfg.cmdline_hash_baseline = 0 ;
5254 cfg.cwd_hash_baseline = 0 ;
53- cfg.disallow_unc = false ;
54- cfg.disallow_motw = false ;
55+ cfg.disallow_unc = true ;
56+ cfg.disallow_motw = true ;
5557 cfg.cwd_allowlist_hashes = nullptr ;
5658 cfg.cwd_allowlist_count = 0 ;
5759 cfg.image_path_allowlist_hashes = nullptr ;
5860 cfg.image_path_allowlist_count = 0 ;
59- cfg.enforce_safe_dll_search = false ;
61+ cfg.enforce_safe_dll_search = true ;
6062 cfg.known_dll_hashes = nullptr ;
6163 cfg.known_dll_count = 0 ;
6264
@@ -87,23 +89,23 @@ bool run_runtime_security() {
8789
8890 cfg.vm_vendor_hashes = nullptr ;
8991 cfg.vm_vendor_hash_count = 0 ;
90- cfg.vm_min_cores = 0 ;
91- cfg.vm_min_ram_gb = 0 ;
92+ cfg.vm_min_cores = 2 ;
93+ cfg.vm_min_ram_gb = 2 ;
9294
9395 cfg.iat_baseline = 0 ;
9496 cfg.import_name_hash_baseline = 0 ;
9597 cfg.import_module_hash_baseline = 0 ;
9698 cfg.import_module_count_baseline = 0 ;
9799 cfg.import_func_count_baseline = 0 ;
98100
99- cfg.iat_write_protect = false ;
100- cfg.iat_writable_check = false ;
101+ cfg.iat_write_protect = true ;
102+ cfg.iat_writable_check = true ;
101103 cfg.iat_count_baseline = 0 ;
102104 cfg.iat_mirror = nullptr ;
103105 cfg.iat_mirror_count = 0 ;
104- cfg.iat_bounds_check = false ;
105- cfg.iat_require_executable = false ;
106- cfg.iat_disallow_self = false ;
106+ cfg.iat_bounds_check = true ;
107+ cfg.iat_require_executable = true ;
108+ cfg.iat_disallow_self = true ;
107109
108110 cfg.text_sha256_baseline = {};
109111 cfg.text_rolling_crc_baseline = 0 ;
@@ -118,8 +120,8 @@ bool run_runtime_security() {
118120 cfg.text_chunk_count = 32 ;
119121 cfg.text_chunk_baseline = 0 ;
120122
121- cfg.nop_sled_threshold = 0 ;
122- cfg.int3_sled_threshold = 0 ;
123+ cfg.nop_sled_threshold = 8 ;
124+ cfg.int3_sled_threshold = 8 ;
123125
124126 cfg.delay_import_name_hash_baseline = 0 ;
125127
@@ -150,16 +152,38 @@ bool run_runtime_security() {
150152 cfg.prologue_guard_count = 0 ;
151153 cfg.prologue_jmp_forbidden = false ;
152154
153- policy.cfg = cfg;
155+ return cfg;
156+ }
157+
158+ bool run_runtime_security () {
159+ WinSecRuntime::Policy policy{};
160+ policy.mode = kSecurityMode ;
161+ policy.cfg = build_security_config ();
154162
155163 if (!WinSecRuntime::Initialize (policy.mode , policy.cfg ))
156164 return false ;
157165
158166 WinSecRuntime::StartIntegrityEngine (policy);
167+ WinSecRuntime::EnableAntiDebug (policy);
168+ WinSecRuntime::EnableHookGuard (policy);
159169 const auto report = WinSecRuntime::RunAll (policy);
160170 return report.ok ();
161171}
162172
173+ void start_periodic_security_checks () {
174+ if (!kRunPeriodicChecks )
175+ return ;
176+
177+ std::thread ([]() {
178+ while (true ) {
179+ Sleep (kPeriodicCheckMs );
180+ if (!run_runtime_security ()) {
181+ ExitProcess (0 );
182+ }
183+ }
184+ }).detach ();
185+ }
186+
163187bool read_int (int & out) {
164188 std::cin >> out;
165189 if (std::cin.fail ()) {
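Review bot: `ExitProcess(0)` on the failed-check path inside the detached thread in `start_periodic_security_checks` reports a success status for a security-triggered termination, so a launcher, crash reporter or log collector cannot tell it apart from a normal exit; use a non-zero code consistent with the failure return already used in `main`, `ExitProcess(1);`. The loop also calls `run_runtime_security()` every `kPeriodicCheckMs`, and that function re-runs `WinSecRuntime::Initialize`, `StartIntegrityEngine`, `EnableAntiDebug` and `EnableHookGuard` on each iteration; if those are one-shot set-up calls (their definitions are not in this view), the periodic path should build the policy once and evaluate only `WinSecRuntime::RunAll(policy).ok()`. The results of the new `EnableAntiDebug` and `EnableHookGuard` calls are discarded; if they return a status, a failure there should be handled like the `Initialize` failure two lines above rather than silently continuing. `std::thread` needs `<thread>`; the include block is outside this view, so confirm it is present.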
@@ -209,6 +233,7 @@ int main()
209233 Sleep (1500 );
210234 return 1 ;
211235 }
236+ start_periodic_security_checks ();
212237
213238 std::string name = nigel_string (" name" , " app:name" );
214239 std::string ownerid = nigel_string (" ownerid" , " app:ownerid" );