wire full winsecruntime config + document security

Author: ELF-Nigel

README.md

@@ -22,6 +22,58 @@ However, we do **NOT** provide support for adding KeyAuth to your project. If yo
 
 While our API ensures licenses validation, it's crucial to implement robust client-side protection like obfuscation and integrity checks to prevent software tampering, as vulnerabilities often stem from insufficient client security.
 
+## **Secured example security**
+
+This secured example ships with:
+- **WinSecRuntime**: runtime integrity checks and anti‑tamper signals
+- **NigelCrypt**: runtime string protection for sensitive literals
+
+### **WinSecRuntime setup**
+
+The example calls `run_runtime_security()` at startup (see `x64/main.cpp` and `x86/main.cpp`). It builds a `secure::runtime::Config cfg` and passes it into `WinSecRuntime::Initialize()` and `WinSecRuntime::RunAll()`.
+
+By default the config values are set to the library defaults (all baselines `0`, allowlists `nullptr`, toggles `false`). This makes the checks **available** but **not enforced** until you set baselines or enable flags.
+
+#### Enable or tune checks
+
+Open `x64/main.cpp` (or `x86/main.cpp`) and edit the config block inside `run_runtime_security()`:
+
+- `cfg.enforce_safe_dll_search = true;` enables safe DLL search enforcement
+- `cfg.disallow_unc = true;` blocks UNC execution
+- `cfg.disallow_motw = true;` blocks Mark‑of‑the‑Web files
+- `cfg.module_hashes` / `cfg.module_hash_count` lets you pin known module hashes
+- `cfg.iat_*` lets you harden the import table checks
+- `cfg.text_*` enables code section integrity checks (sha256/rolling crc/chunk)
+- `cfg.nop_sled_threshold` / `cfg.int3_sled_threshold` enables sled detection
+- `cfg.vm_min_cores` / `cfg.vm_min_ram_gb` can reduce VM abuse
+
+If you want the checks to **block on failure**, keep:
+```cpp
+const auto report = WinSecRuntime::RunAll(policy);
+return report.ok();
+```
+and return `false` on failure (the example exits early when `run_runtime_security()` fails).
+
+### **NigelCrypt string protection**
+
+The example replaces UI/status strings and app config strings with NigelCrypt.  
+See `nc()` and `nigel_string()` helpers in `x64/main.cpp` and `x86/main.cpp`.
+
+#### How to change or add protected strings
+
+```cpp
+std::string value = nc("My Text", "aad:label");
+```
+
+- the first argument is the plaintext string
+- the second argument is an AAD tag (any stable label you want)
+
+If you want to remove encryption for a string, replace `nc(...)` with a normal literal.
+
+#### Important note about literals
+
+NigelCrypt protects runtime storage. If you pass a literal directly, it still exists in the binary. For complete removal of plaintext literals, use the NigelCrypt packer to embed encrypted blobs.
+
 ## Copyright License
 
 KeyAuth is licensed under **Elastic License 2.0**

x64/main.cpp

@@ -4,7 +4,6 @@
 #include "auth_guard.hpp"
 #include "lib/WinSecRuntime/WinSecRuntime.h"
 #include "lib/nigelcrypt/nigelcrypt.hpp"
-#include "skStr.h"
 #include "storage.hpp"
 #include <chrono>
 #include <ctime>
@@ -41,9 +40,122 @@ std::string nigel_string(const char* literal, std::string_view aad) {
     }
 }
 
+std::string nc(const char* literal, std::string_view aad) {
+    return nigel_string(literal, aad);
+}
+
 bool run_runtime_security() {
     WinSecRuntime::Policy policy{};
     policy.mode = WinSecRuntime::Mode::Aggressive;
+    secure::runtime::Config cfg{};
+
+    cfg.expected_parent_pid = 0;
+    cfg.expected_image_path = L"...";
+    cfg.require_same_session = false;
+    cfg.expected_integrity_rid = 0;
+    cfg.cmdline_hash_baseline = 0;
+    cfg.cwd_hash_baseline = 0;
+    cfg.disallow_unc = false;
+    cfg.disallow_motw = false;
+    cfg.cwd_allowlist_hashes = nullptr;
+    cfg.cwd_allowlist_count = 0;
+    cfg.image_path_allowlist_hashes = nullptr;
+    cfg.image_path_allowlist_count = 0;
+    cfg.enforce_safe_dll_search = false;
+    cfg.known_dll_hashes = nullptr;
+    cfg.known_dll_count = 0;
+
+    cfg.parent_chain_hashes = nullptr;
+    cfg.parent_chain_hash_count = 0;
+    cfg.parent_chain_max_depth = 4;
+
+    cfg.module_hashes = nullptr;
+    cfg.module_hash_count = 0;
+
+    cfg.module_whitelist_hashes = nullptr;
+    cfg.module_whitelist_count = 0;
+
+    cfg.module_list_hash_baseline = 0;
+    cfg.module_count_baseline = 0;
+
+    cfg.driver_blacklist_hashes = nullptr;
+    cfg.driver_blacklist_count = 0;
+
+    cfg.exec_private_max_regions = 0;
+    cfg.enforce_module_path_policy = false;
+
+    cfg.process_hashes = nullptr;
+    cfg.process_hash_count = 0;
+
+    cfg.window_hashes = nullptr;
+    cfg.window_hash_count = 0;
+
+    cfg.vm_vendor_hashes = nullptr;
+    cfg.vm_vendor_hash_count = 0;
+    cfg.vm_min_cores = 0;
+    cfg.vm_min_ram_gb = 0;
+
+    cfg.iat_baseline = 0;
+    cfg.import_name_hash_baseline = 0;
+    cfg.import_module_hash_baseline = 0;
+    cfg.import_module_count_baseline = 0;
+    cfg.import_func_count_baseline = 0;
+
+    cfg.iat_write_protect = false;
+    cfg.iat_writable_check = false;
+    cfg.iat_count_baseline = 0;
+    cfg.iat_mirror = nullptr;
+    cfg.iat_mirror_count = 0;
+    cfg.iat_bounds_check = false;
+    cfg.iat_require_executable = false;
+    cfg.iat_disallow_self = false;
+
+    cfg.text_sha256_baseline = {};
+    cfg.text_rolling_crc_baseline = 0;
+    cfg.text_rolling_crc_window = 64;
+    cfg.text_rolling_crc_stride = 16;
+
+    cfg.text_entropy_min = 0.0;
+    cfg.text_entropy_max = 0.0;
+
+    cfg.text_chunk_seed = 0;
+    cfg.text_chunk_size = 64;
+    cfg.text_chunk_count = 32;
+    cfg.text_chunk_baseline = 0;
+
+    cfg.nop_sled_threshold = 0;
+    cfg.int3_sled_threshold = 0;
+
+    cfg.delay_import_name_hash_baseline = 0;
+
+    cfg.tls_callback_expected = 0;
+    cfg.tls_callback_hash_baseline = 0;
+
+    cfg.entry_prologue_size = 16;
+    cfg.entry_prologue_baseline = 0;
+
+    cfg.signature_required = false;
+
+    cfg.export_name_hash_baseline = 0;
+    cfg.export_rva_hash_baseline = 0;
+    cfg.export_name_table_hash_baseline = 0;
+    cfg.export_ordinal_table_hash_baseline = 0;
+    cfg.export_count_baseline = 0;
+
+    cfg.export_whitelist_hashes = nullptr;
+    cfg.export_whitelist_count = 0;
+
+    cfg.export_blacklist_hashes = nullptr;
+    cfg.export_blacklist_count = 0;
+
+    cfg.exec_private_whitelist = nullptr;
+    cfg.exec_private_whitelist_count = 0;
+
+    cfg.prologue_guards = nullptr;
+    cfg.prologue_guard_count = 0;
+    cfg.prologue_jmp_forbidden = false;
+
+    policy.cfg = cfg;
 
     if (!WinSecRuntime::Initialize(policy.mode, policy.cfg))
         return false;
@@ -115,28 +227,28 @@ void save_or_clear_creds(bool save, const std::string& username, const std::stri
 }
 
 void print_user_data(const api& app) {
-    std::cout << skCrypt("\n User data:");
-    std::cout << skCrypt("\n Username: ") << app.user_data.username;
-    std::cout << skCrypt("\n IP address: ") << app.user_data.ip;
-    std::cout << skCrypt("\n Hardware-Id: ") << app.user_data.hwid;
-    std::cout << skCrypt("\n Create date: ")
+    std::cout << nc("\n User data:", "ui:user_data");
+    std::cout << nc("\n Username: ", "ui:username") << app.user_data.username;
+    std::cout << nc("\n IP address: ", "ui:ip") << app.user_data.ip;
+    std::cout << nc("\n Hardware-Id: ", "ui:hwid") << app.user_data.hwid;
+    std::cout << nc("\n Create date: ", "ui:createdate")
               << tm_to_readable_time(utils::timet_to_tm(utils::string_to_timet(app.user_data.createdate)));
-    std::cout << skCrypt("\n Last login: ")
+    std::cout << nc("\n Last login: ", "ui:lastlogin")
               << tm_to_readable_time(utils::timet_to_tm(utils::string_to_timet(app.user_data.lastlogin)));
-    std::cout << skCrypt("\n Subscription(s): ");
+    std::cout << nc("\n Subscription(s): ", "ui:subs");
 
     for (size_t i = 0; i < app.user_data.subscriptions.size(); i++) {
         const auto& sub = app.user_data.subscriptions.at(i);
-        std::cout << skCrypt("\n name: ") << sub.name;
-        std::cout << skCrypt(" : expiry: ")
+        std::cout << nc("\n name: ", "ui:sub_name") << sub.name;
+        std::cout << nc(" : expiry: ", "ui:sub_expiry")
                   << tm_to_readable_time(utils::timet_to_tm(utils::string_to_timet(sub.expiry)));
-        std::cout << skCrypt(" (") << remaining_until(sub.expiry) << skCrypt(")");
+        std::cout << nc(" (", "ui:paren_open") << remaining_until(sub.expiry) << nc(")", "ui:paren_close");
     }
 }
 } // namespace
 
-const std::string compilation_date = (std::string)skCrypt(__DATE__);
-const std::string compilation_time = (std::string)skCrypt(__TIME__);
+const std::string compilation_date = nigel_string(__DATE__, "build:date");
+const std::string compilation_time = nigel_string(__TIME__, "build:time");
 void sessionStatus();
 
 static api* g_app = nullptr;
@@ -150,7 +262,7 @@ int main()
     nigelcrypt::set_strict_mode(strict);
 
     if (!run_runtime_security()) {
-        std::cout << skCrypt("\n\n Security checks failed.");
+        std::cout << nc("\n\n Security checks failed.", "ui:sec_fail");
         Sleep(1500);
         return 1;
     }
@@ -166,14 +278,14 @@ int main()
     api app_instance(name, ownerid, version, url, path);
     g_app = &app_instance;
 
-    std::string consoleTitle = skCrypt("Loader - Built at:  ").decrypt() + compilation_date + " " + compilation_time;
+    std::string consoleTitle = nc("Loader - Built at:  ", "ui:title") + compilation_date + " " + compilation_time;
     SetConsoleTitleA(consoleTitle.c_str());
-    std::cout << skCrypt("\n\n Connecting..");
+    std::cout << nc("\n\n Connecting..", "ui:connecting");
 
     app_instance.init();
     if (!app_instance.response.success)
     {
-        std::cout << skCrypt("\n Status: ") << app_instance.response.message;
+        std::cout << nc("\n Status: ", "ui:status") << app_instance.response.message;
         app_instance.init_fail_delay();
         exit(1);
     }
@@ -186,8 +298,8 @@ int main()
     wipe_string(path);
 
     if (api::lockout_active(login_guard)) {
-        std::cout << skCrypt("\n Status: Too many attempts. Try again in ")
-                  << api::lockout_remaining_ms(login_guard) << skCrypt(" ms.");
+        std::cout << nc("\n Status: Too many attempts. Try again in ", "ui:lockout")
+                  << api::lockout_remaining_ms(login_guard) << nc(" ms.", "ui:ms");
         app_instance.close_delay();
         return 0;
     }
@@ -201,48 +313,48 @@ int main()
 
     if (!used_saved_creds)
     {
-        std::cout << skCrypt("\n\n [1] Login\n [2] Register\n [3] Upgrade\n [4] License key only\n\n Choose option: ");
+        std::cout << nc("\n\n [1] Login\n [2] Register\n [3] Upgrade\n [4] License key only\n\n Choose option: ", "ui:menu");
 
         int option = 0;
         if (!read_int(option))
         {
-            std::cout << skCrypt("\n\n Status: Failure: Invalid Selection");
+            std::cout << nc("\n\n Status: Failure: Invalid Selection", "ui:bad_selection");
             app_instance.bad_input_delay();
             exit(1);
         }
 
         switch (option)
         {
         case 1:
-            std::cout << skCrypt("\n\n Enter username: ");
+            std::cout << nc("\n\n Enter username: ", "ui:enter_user");
             std::cin >> username;
-            std::cout << skCrypt("\n Enter password: ");
+            std::cout << nc("\n Enter password: ", "ui:enter_pass");
             std::cin >> password;
             app_instance.login(username, password, "");
             break;
         case 2:
-            std::cout << skCrypt("\n\n Enter username: ");
+            std::cout << nc("\n\n Enter username: ", "ui:enter_user");
             std::cin >> username;
-            std::cout << skCrypt("\n Enter password: ");
+            std::cout << nc("\n Enter password: ", "ui:enter_pass");
             std::cin >> password;
-            std::cout << skCrypt("\n Enter license: ");
+            std::cout << nc("\n Enter license: ", "ui:enter_license");
             std::cin >> key;
             app_instance.regstr(username, password, key);
             break;
         case 3:
-            std::cout << skCrypt("\n\n Enter username: ");
+            std::cout << nc("\n\n Enter username: ", "ui:enter_user");
             std::cin >> username;
-            std::cout << skCrypt("\n Enter license: ");
+            std::cout << nc("\n Enter license: ", "ui:enter_license");
             std::cin >> key;
             app_instance.upgrade(username, key);
             break;
         case 4:
-            std::cout << skCrypt("\n Enter license: ");
+            std::cout << nc("\n Enter license: ", "ui:enter_license");
             std::cin >> key;
             app_instance.license(key, "");
             break;
         default:
-            std::cout << skCrypt("\n\n Status: Failure: Invalid Selection");
+            std::cout << nc("\n\n Status: Failure: Invalid Selection", "ui:bad_selection");
             app_instance.bad_input_delay();
             exit(1);
         }
@@ -253,30 +365,31 @@ int main()
 
     if (!app_instance.response.success)
     {
-        if (app_instance.response.message == "2FA code required.") {
+        const std::string twofa_msg = nc("2FA code required.", "msg:2fa_required");
+        if (app_instance.response.message == twofa_msg) {
             if (username.empty() || password.empty()) {
-                std::cout << skCrypt("\n Your account has 2FA enabled, please enter 6-digit code:");
+                std::cout << nc("\n Your account has 2FA enabled, please enter 6-digit code:", "ui:2fa_prompt");
                 std::cin >> TfaCode;
                 app_instance.license(key, TfaCode);
             }
             else {
-                std::cout << skCrypt("\n Your account has 2FA enabled, please enter 6-digit code:");
+                std::cout << nc("\n Your account has 2FA enabled, please enter 6-digit code:", "ui:2fa_prompt");
                 std::cin >> TfaCode;
                 app_instance.login(username, password, TfaCode);
             }
 
             if (app_instance.response.message.empty())
                 exit(11);
             if (!app_instance.response.success) {
-                std::cout << skCrypt("\n Status: ") << app_instance.response.message;
+                std::cout << nc("\n Status: ", "ui:status") << app_instance.response.message;
                 std::remove(api::kSavePath);
                 api::record_login_fail(login_guard);
                 app_instance.init_fail_delay();
                 exit(1);
             }
         }
         else {
-            std::cout << skCrypt("\n Status: ") << app_instance.response.message;
+            std::cout << nc("\n Status: ", "ui:status") << app_instance.response.message;
             std::remove(api::kSavePath);
             api::record_login_fail(login_guard);
             app_instance.init_fail_delay();
@@ -285,12 +398,12 @@ int main()
     }
     api::reset_lockout(login_guard);
 
-    std::cout << skCrypt("\n\n Save credentials to disk for auto-login? [y/N]: ");
+    std::cout << nc("\n\n Save credentials to disk for auto-login? [y/N]: ", "ui:save_creds");
     const char save_choice = read_choice('n'); // read once to avoid double input. -nigel
     const bool save_creds = (save_choice == 'y' || save_choice == 'Y');
     save_or_clear_creds(save_creds, username, password, key);
     if (save_creds)
-        std::cout << skCrypt("Successfully Created File For Auto Login");
+        std::cout << nc("Successfully Created File For Auto Login", "ui:save_ok");
 
     /*
     * Do NOT remove this checkAuthenticated() function.
@@ -315,8 +428,8 @@ int main()
 
     print_user_data(app_instance);
 
-    std::cout << skCrypt("\n\n Status: ") << app_instance.response.message;
-    std::cout << skCrypt("\n\n Closing in five seconds...");
+    std::cout << nc("\n\n Status: ", "ui:status") << app_instance.response.message;
+    std::cout << nc("\n\n Closing in five seconds...", "ui:closing");
     app_instance.close_delay();
 
     return 0;