This repository is a hardened KeyAuth C++ example that integrates WinSecRuntime and NigelCrypt for runtime security and sensitive string protection.
It is designed to be:
- easy to compile
- safe for legit users
- configurable for higher security without changing your API

- open x64/main.cpp (or x86/main.cpp)
- replace the app config strings: name, ownerid, version, url, path
- build the solution in Visual Studio (Release | x64 or Release | x86)
- x64/example.sln: build Release | x64.
- x86/example.sln: build Release | x86.
This example includes:
- WinSecRuntime runtime integrity checks
- NigelCrypt runtime string protection
- KeyAuth client validation + session guarding
WinSecRuntime is integrated in both x64/main.cpp and x86/main.cpp.
WinSecRuntime::Initialize(...)
WinSecRuntime::StartIntegrityEngine(...)
WinSecRuntime::EnableAntiDebug(...)
WinSecRuntime::EnableHookGuard(...)
WinSecRuntime::RunAll(...)
If checks fail, the program exits early.
These are defined near the top of each main.cpp:
constexpr WinSecRuntime::Mode kSecurityMode = WinSecRuntime::Mode::Aggressive;
constexpr bool kRunPeriodicChecks = true;
constexpr DWORD kPeriodicCheckMs = 20000;
constexpr bool kEnableSafeDllSearch = true;
constexpr bool kEnableDisallowUnc = true;
constexpr bool kEnableDisallowMotw = true;
constexpr bool kEnableIatWritableCheck = true;
constexpr bool kEnableIatBoundsCheck = true;
constexpr bool kEnableIatRequireExecutable = true;
constexpr bool kEnableIatDisallowSelf = true;
constexpr bool kEnableIatWriteProtect = false;
constexpr bool kEnableVmHeuristics = false;
constexpr int kVmMinCores = 0;
constexpr int kVmMinRamGb = 0;
constexpr uint32_t kNopSledThreshold = 0;
constexpr uint32_t kInt3SledThreshold = 0;
- Aggressive is balanced (good protection, low false positives).
- Paranoid can block legit users; use it only if you set baselines.
- IAT write‑protect is off by default to avoid linker/runtime conflicts.
- VM heuristics are off by default to avoid blocking dev VM users.
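What the four enabled kEnableIat* checks look for can be shown on a model of the import table. This is an added example, not code from this repository or from WinSecRuntime: the meaning of each check is inferred from its toggle name, and every type, function name, address and the memory map below are constructed for illustration.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Hypothetical model types for illustration; none of this is WinSecRuntime's API.
struct Region    { std::string owner; uint64_t base, size; bool exec, writable; };
struct IatEntry  { const char* symbol; uint64_t slot, target; };
struct IatPolicy { bool writableCheck, boundsCheck, requireExecutable, disallowSelf; };
enum class Verdict { Ok, SlotWritable, OutOfBounds, NotExecutable, PointsToSelf };

// Returns the mapped image region containing addr, or nullptr if none covers it.
const Region* find_region(const std::vector<Region>& map, uint64_t addr) {
    for (const auto& r : map)
        if (addr >= r.base && addr - r.base < r.size) return &r;
    return nullptr;
}

// Applies the enabled checks to one import slot; the first failing check wins.
Verdict check_entry(const std::vector<Region>& map, const std::string& self,
                    const IatEntry& e, const IatPolicy& p) {
    const Region* slot = find_region(map, e.slot);
    if (p.writableCheck && slot && slot->writable) return Verdict::SlotWritable;
    const Region* target = find_region(map, e.target);
    if (p.boundsCheck && !target) return Verdict::OutOfBounds;
    if (p.requireExecutable && target && !target->exec) return Verdict::NotExecutable;
    if (p.disallowSelf && target && target->owner == self) return Verdict::PointsToSelf;
    return Verdict::Ok;
}

// Constructed memory map: the application image plus one system DLL.
std::vector<Region> sample_map() {
    return {{"app.exe",      0x140001000ULL,    0x5000,  true,  false},   // .text
            {"app.exe",      0x140006000ULL,    0x1000,  false, false},   // .rdata holding the IAT
            {"kernel32.dll", 0x7FF800001000ULL, 0x80000, true,  false},   // .text
            {"kernel32.dll", 0x7FF800090000ULL, 0x4000,  false, true}};   // .data
}
// Constructed IAT: one clean slot followed by three redirected ones.
std::vector<IatEntry> sample_iat() {
    return {{"CreateFileW", 0x140006000ULL, 0x7FF800012340ULL},   // inside kernel32 .text
            {"ReadFile",    0x140006008ULL, 0x1A000000000ULL},    // private memory, no image
            {"WriteFile",   0x140006010ULL, 0x140002000ULL},      // back into app.exe
            {"CloseHandle", 0x140006018ULL, 0x7FF800090010ULL}};  // kernel32 .data
}

int main() {
    const IatPolicy policy{true, true, true, true};  // the four IAT checks enabled by default
    for (const auto& e : sample_iat())
        std::printf("%-12s verdict=%d\n", e.symbol, static_cast<int>(check_entry(sample_map(), "app.exe", e, policy)));
}
```

A real implementation would take the regions from the loader's module list and the page protections from the operating system instead of a fixed table.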
The full secure::runtime::Config is built in:
build_security_config()
This is where you can set:
- module hashes
- IAT baselines
- text section baselines
- parent/chain checks
- prologue/inline‑hook checks
If you want all checks enforced, keep this logic:
const auto report = WinSecRuntime::RunAll(policy);
return report.ok();
This example protects user‑visible strings and app config values using NigelCrypt.
std::string value = nc("text", "aad:label");
- NigelCrypt protects runtime storage, not compile‑time literals.
- If you need to remove plaintext literals from the binary, use the NigelCrypt packer and embed ciphertext.
Replace these values in x64/main.cpp / x86/main.cpp:
name
ownerid
version
url
path
KeyAuthApp.init()
KeyAuthApp.login()
KeyAuthApp.regstr()
KeyAuthApp.license()
KeyAuthApp.check()
This example runs:
- checkAuthenticated() in a background thread
- sessionStatus() periodic check
Do not remove those unless you fully replace them with your own protections.
Use this push command:
GIT_SSH_COMMAND='ssh -i /home/admin/.ssh/keyauth_cpp_secured_example -o IdentitiesOnly=yes -o StrictHostKeyChecking=accept-new' git push
Make sure you build the correct configuration:
- Release | x64 for x64/example.sln
- Release | x86 for x86/example.sln
Does this break API compatibility?
No. All changes are client‑side only.
Will this block legit users?
Balanced settings are chosen by default. If you enable strict checks (e.g., IAT write‑protect, VM heuristics) you may see false positives.
Can I turn off security?
Yes. Set kSecurityMode to Minimal and disable the toggles.
- KeyAuth App: https://keyauth.cc/app/
- C++ Example (base): https://github.com/KeyAuth/KeyAuth-CPP-Example
KeyAuth is licensed under Elastic License 2.0.
Do not remove or bypass license verification functionality.