
Commit f4549a8

committed
secure example: full winsecruntime config + periodic checks
1 parent 035564a commit f4549a8

3 files changed

Lines changed: 87 additions & 32 deletions


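--- a/README.md
+++ b/README.md
@@ -38,6 +38,11 @@ By default the config values are set to the library defaults (all baselines `0`,
 
 Open `x64/main.cpp` (or `x86/main.cpp`) and edit the config block inside `run_runtime_security()`:
 
+- `kSecurityMode` controls global behavior (`Minimal`, `Moderate`, `Aggressive`, `Paranoid`)
+- `kRunPeriodicChecks` enables periodic `RunAll()` in a background thread
+- `kPeriodicCheckMs` controls the interval
+- `build_security_config()` is where all WinSecRuntime toggles and baselines live
+
 - `cfg.enforce_safe_dll_search = true;` enables safe DLL search enforcement
 - `cfg.disallow_unc = true;` blocks UNC execution
 - `cfg.disallow_motw = true;` blocks Mark‑of‑the‑Web files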

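--- a/x64/main.cpp
+++ b/x64/main.cpp
@@ -22,6 +22,10 @@ std::string remaining_until(const std::string& timestamp);
 
 namespace {
 
+constexpr WinSecRuntime::Mode kSecurityMode = WinSecRuntime::Mode::Paranoid;
+constexpr bool kRunPeriodicChecks = true;
+constexpr DWORD kPeriodicCheckMs = 15000;
+
 void wipe_string(std::string& value) {
 if (value.empty())
 return;
@@ -44,9 +48,7 @@ std::string nc(const char* literal, std::string_view aad) {
 return nigel_string(literal, aad);
 }
 
-bool run_runtime_security() {
-WinSecRuntime::Policy policy{};
-policy.mode = WinSecRuntime::Mode::Aggressive;
+secure::runtime::Config build_security_config() {
 secure::runtime::Config cfg{};
 
 cfg.expected_parent_pid = 0;
@@ -55,13 +57,13 @@ bool run_runtime_security() {
 cfg.expected_integrity_rid = 0;
 cfg.cmdline_hash_baseline = 0;
 cfg.cwd_hash_baseline = 0;
-cfg.disallow_unc = false;
-cfg.disallow_motw = false;
+cfg.disallow_unc = true;
+cfg.disallow_motw = true;
 cfg.cwd_allowlist_hashes = nullptr;
 cfg.cwd_allowlist_count = 0;
 cfg.image_path_allowlist_hashes = nullptr;
 cfg.image_path_allowlist_count = 0;
-cfg.enforce_safe_dll_search = false;
+cfg.enforce_safe_dll_search = true;
 cfg.known_dll_hashes = nullptr;
 cfg.known_dll_count = 0;
 
@@ -92,23 +94,23 @@ bool run_runtime_security() {
 
 cfg.vm_vendor_hashes = nullptr;
 cfg.vm_vendor_hash_count = 0;
-cfg.vm_min_cores = 0;
-cfg.vm_min_ram_gb = 0;
+cfg.vm_min_cores = 2;
+cfg.vm_min_ram_gb = 2;
 
 cfg.iat_baseline = 0;
 cfg.import_name_hash_baseline = 0;
 cfg.import_module_hash_baseline = 0;
 cfg.import_module_count_baseline = 0;
 cfg.import_func_count_baseline = 0;
 
-cfg.iat_write_protect = false;
-cfg.iat_writable_check = false;
+cfg.iat_write_protect = true;
+cfg.iat_writable_check = true;
 cfg.iat_count_baseline = 0;
 cfg.iat_mirror = nullptr;
 cfg.iat_mirror_count = 0;
-cfg.iat_bounds_check = false;
-cfg.iat_require_executable = false;
-cfg.iat_disallow_self = false;
+cfg.iat_bounds_check = true;
+cfg.iat_require_executable = true;
+cfg.iat_disallow_self = true;
 
 cfg.text_sha256_baseline = {};
 cfg.text_rolling_crc_baseline = 0;
@@ -123,8 +125,8 @@ bool run_runtime_security() {
 cfg.text_chunk_count = 32;
 cfg.text_chunk_baseline = 0;
 
-cfg.nop_sled_threshold = 0;
-cfg.int3_sled_threshold = 0;
+cfg.nop_sled_threshold = 8;
+cfg.int3_sled_threshold = 8;
 
 cfg.delay_import_name_hash_baseline = 0;
 
@@ -155,16 +157,38 @@ bool run_runtime_security() {
 cfg.prologue_guard_count = 0;
 cfg.prologue_jmp_forbidden = false;
 
-policy.cfg = cfg;
+return cfg;
+}
+
+bool run_runtime_security() {
+WinSecRuntime::Policy policy{};
+policy.mode = kSecurityMode;
+policy.cfg = build_security_config();
 
 if (!WinSecRuntime::Initialize(policy.mode, policy.cfg))
 return false;
 
 WinSecRuntime::StartIntegrityEngine(policy);
+WinSecRuntime::EnableAntiDebug(policy);
+WinSecRuntime::EnableHookGuard(policy);
 const auto report = WinSecRuntime::RunAll(policy);
 return report.ok();
 }
 
+void start_periodic_security_checks() {
+if (!kRunPeriodicChecks)
+return;
+
+std::thread([]() {
+while (true) {
+Sleep(kPeriodicCheckMs);
+if (!run_runtime_security()) {
+ExitProcess(0);
+}
+}
+}).detach();
+}
+
 
 
 bool read_int(int& out) {
@@ -266,6 +290,7 @@ int main()
 Sleep(1500);
 return 1;
 }
+start_periodic_security_checks();
 
 // copy and paste from https://keyauth.cc/app/ and replace these string variables
 // Please watch tutorial HERE https://www.youtube.com/watch?v=5x4YkTmFH-U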
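Review bot: The loop in start_periodic_security_checks calls run_runtime_security() every kPeriodicCheckMs, and that function re-runs WinSecRuntime::Initialize, StartIntegrityEngine, EnableAntiDebug and EnableHookGuard each time, whereas the README line added in this same commit says only `RunAll()` runs periodically; unless the library documents those four calls as idempotent, the periodic check should reuse a policy built once and call only `WinSecRuntime::RunAll`. A failed check then terminates with `ExitProcess(0)`, a success status, so nothing monitoring the process can distinguish a tamper-detected exit from a normal one; main's own failure path uses `return 1;`, so `ExitProcess(1)` would be the consistent choice. Both points apply verbatim to the matching hunk in x86/main.cpp. The sketch below keeps the policy at namespace scope so the background thread reads what run_runtime_security built (main appears to start the thread only after that call succeeded, judging by the `return 1;` just above the new call).

```cpp
// … unchanged: build_security_config …

// Built once by run_runtime_security(); read-only afterwards.
WinSecRuntime::Policy g_policy{};

bool run_runtime_security() {
g_policy.mode = kSecurityMode;
g_policy.cfg = build_security_config();
// … unchanged: Initialize / StartIntegrityEngine / EnableAntiDebug / EnableHookGuard on g_policy …
const auto report = WinSecRuntime::RunAll(g_policy);
return report.ok();
}

void start_periodic_security_checks() {
if (!kRunPeriodicChecks)
return;

std::thread([]() {
while (true) {
Sleep(kPeriodicCheckMs);
// Re-check only; initialization already happened in run_runtime_security().
if (!WinSecRuntime::RunAll(g_policy).ok()) {
ExitProcess(1); // non-zero so the failure is observable
}
}
}).detach();
}
```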

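--- a/x86/main.cpp
+++ b/x86/main.cpp
@@ -14,6 +14,10 @@ using namespace KeyAuth;
 
 namespace {
 
+constexpr WinSecRuntime::Mode kSecurityMode = WinSecRuntime::Mode::Paranoid;
+constexpr bool kRunPeriodicChecks = true;
+constexpr DWORD kPeriodicCheckMs = 15000;
+
 std::string tm_to_readable_time(std::tm ctx);
 std::string remaining_until(const std::string& timestamp);
 
@@ -39,9 +43,7 @@ std::string nc(const char* literal, std::string_view aad) {
 return nigel_string(literal, aad);
 }
 
-bool run_runtime_security() {
-WinSecRuntime::Policy policy{};
-policy.mode = WinSecRuntime::Mode::Aggressive;
+secure::runtime::Config build_security_config() {
 secure::runtime::Config cfg{};
 
 cfg.expected_parent_pid = 0;
@@ -50,13 +52,13 @@ bool run_runtime_security() {
 cfg.expected_integrity_rid = 0;
 cfg.cmdline_hash_baseline = 0;
 cfg.cwd_hash_baseline = 0;
-cfg.disallow_unc = false;
-cfg.disallow_motw = false;
+cfg.disallow_unc = true;
+cfg.disallow_motw = true;
 cfg.cwd_allowlist_hashes = nullptr;
 cfg.cwd_allowlist_count = 0;
 cfg.image_path_allowlist_hashes = nullptr;
 cfg.image_path_allowlist_count = 0;
-cfg.enforce_safe_dll_search = false;
+cfg.enforce_safe_dll_search = true;
 cfg.known_dll_hashes = nullptr;
 cfg.known_dll_count = 0;
 
@@ -87,23 +89,23 @@ bool run_runtime_security() {
 
 cfg.vm_vendor_hashes = nullptr;
 cfg.vm_vendor_hash_count = 0;
-cfg.vm_min_cores = 0;
-cfg.vm_min_ram_gb = 0;
+cfg.vm_min_cores = 2;
+cfg.vm_min_ram_gb = 2;
 
 cfg.iat_baseline = 0;
 cfg.import_name_hash_baseline = 0;
 cfg.import_module_hash_baseline = 0;
 cfg.import_module_count_baseline = 0;
 cfg.import_func_count_baseline = 0;
 
-cfg.iat_write_protect = false;
-cfg.iat_writable_check = false;
+cfg.iat_write_protect = true;
+cfg.iat_writable_check = true;
 cfg.iat_count_baseline = 0;
 cfg.iat_mirror = nullptr;
 cfg.iat_mirror_count = 0;
-cfg.iat_bounds_check = false;
-cfg.iat_require_executable = false;
-cfg.iat_disallow_self = false;
+cfg.iat_bounds_check = true;
+cfg.iat_require_executable = true;
+cfg.iat_disallow_self = true;
 
 cfg.text_sha256_baseline = {};
 cfg.text_rolling_crc_baseline = 0;
@@ -118,8 +120,8 @@ bool run_runtime_security() {
 cfg.text_chunk_count = 32;
 cfg.text_chunk_baseline = 0;
 
-cfg.nop_sled_threshold = 0;
-cfg.int3_sled_threshold = 0;
+cfg.nop_sled_threshold = 8;
+cfg.int3_sled_threshold = 8;
 
 cfg.delay_import_name_hash_baseline = 0;
 
@@ -150,16 +152,38 @@ bool run_runtime_security() {
 cfg.prologue_guard_count = 0;
 cfg.prologue_jmp_forbidden = false;
 
-policy.cfg = cfg;
+return cfg;
+}
+
+bool run_runtime_security() {
+WinSecRuntime::Policy policy{};
+policy.mode = kSecurityMode;
+policy.cfg = build_security_config();
 
 if (!WinSecRuntime::Initialize(policy.mode, policy.cfg))
 return false;
 
 WinSecRuntime::StartIntegrityEngine(policy);
+WinSecRuntime::EnableAntiDebug(policy);
+WinSecRuntime::EnableHookGuard(policy);
 const auto report = WinSecRuntime::RunAll(policy);
 return report.ok();
 }
 
+void start_periodic_security_checks() {
+if (!kRunPeriodicChecks)
+return;
+
+std::thread([]() {
+while (true) {
+Sleep(kPeriodicCheckMs);
+if (!run_runtime_security()) {
+ExitProcess(0);
+}
+}
+}).detach();
+}
+
 bool read_int(int& out) {
 std::cin >> out;
 if (std::cin.fail()) {
@@ -209,6 +233,7 @@ int main()
 Sleep(1500);
 return 1;
 }
+start_periodic_security_checks();
 
 std::string name = nigel_string("name", "app:name");
 std::string ownerid = nigel_string("ownerid", "app:ownerid");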
