Skip to content

Zibgame/PersistenceLib-Win64

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

10 Commits
build
build
Β 
Β 
include
include
Β 
Β 
src
src
Β 
Β 
Makefile
Makefile
Β 
Β 
README.md
README.md
Β 
Β 

Repository files navigation

♾️ PersistenceLib-Win64

A lightweight and modular C++ library for managing Windows persistence mechanisms through a clean and explicit API.

Designed for low-level developers, cybersecurity practitioners, and system programmers who need precise control over persistence techniques without unnecessary abstraction.

βš™οΈ Features

  • 🧩 Modular architecture
  • 🧠 Simple and explicit API
  • πŸ”„ Install / Detect / Remove workflow
  • πŸͺŸ Windows Registry persistence (Run key)
  • 🧬 WMI event-based persistence (Filter / Consumer / Binding)
  • πŸ“¦ Static library (.a) ready for integration

🧱 Project Structure

include/
    persistence.hpp

src/
    core/
        persistence.cpp
    registry/
        registry_install.cpp
        registry_detect.cpp
        registry_remove.cpp
    wmi/
        wmi_install.cpp
        wmi_detect.cpp
        wmi_remove.cpp
    utils/
        path.cpp
    examples/
        basic.cpp

build/
    libpersistence.a
    *.exe

πŸš€ Build

Using MinGW:

mingw32-make

Clean rebuild:

mingw32-make re

πŸ”— Linking the Library

Compile your program with:

g++ main.cpp -Iinclude -Lbuild -lpersistence -o app.exe

Explanation

  • -Iinclude β†’ include headers
  • -Lbuild β†’ locate the static library
  • -lpersistence β†’ link against libpersistence.a

🧠 API Overview

Enum

enum PersistType
{
    REGISTRY,
    WMI
};

Install Persistence

bool persist_install(PersistType type, const std::string& path);

➑️ Registers the given executable for persistence.

  • type β†’ persistence method
  • path β†’ absolute path to the executable

Detect Persistence

bool persist_detect(PersistType type);

➑️ Checks if persistence is currently active.

Returns:

  • true β†’ active
  • false β†’ not present

Remove Persistence

bool persist_remove(PersistType type);

➑️ Removes previously installed persistence.

πŸ§ͺ Example Usage

#include "persistence.hpp"

int main()
{
    std::string path = get_self_path();

    persist_install(REGISTRY, path);
    persist_install(WMI, path);

    if (persist_detect(REGISTRY))
        persist_remove(REGISTRY);

    if (persist_detect(WMI))
        persist_remove(WMI);

    return 0;
}

πŸͺŸ Registry Persistence

Uses the Windows Run key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • ⚑ No admin privileges required
  • 🧾 Stores executable path
  • πŸ” Executed at user logon

🧬 WMI Persistence

Implements event-based persistence using:

  • __EventFilter
  • CommandLineEventConsumer
  • __FilterToConsumerBinding

Trigger example:

SELECT * FROM Win32_LogonSession
  • 🧠 Event-driven execution
  • πŸ•΅οΈ More stealth than registry-based methods
  • ⚠️ May require elevated privileges depending on environment

πŸ“Œ Notes

  • Always use absolute paths
  • Ensure the binary exists at runtime
  • WMI persistence may be restricted by system policies or security tools
  • Designed for extensibility (startup folder, scheduled tasks, etc.)

🎯 Roadmap

  • πŸ“ Startup folder persistence
  • ⏱ Scheduled task persistence
  • 🧬 Multi-method orchestration
  • πŸ”’ Improved stealth execution (no PowerShell)

βš–οΈ Disclaimer

This project is intended for educational purposes, system programming practice, and security research.

πŸ‘€ Author

Zibgame

About

πŸ” C++ Windows library to easily set up, detect, and remove persistence mechanisms. βš™οΈ Provides simple APIs for registry, startup folder, and scheduled tasks. πŸ” Designed for security testing, automation, and controlled experimentation in a clean and structured way.

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

3 tags

Packages

 
 
 

Contributors

Languages