PPLBlade: Protected Process Dumper Tool

PPLBlade

Protected Process Dumper Tool that supports obfuscating memory dump and transferring it on remote workstations without dropping it onto the disk.

Key functionalities:

1. Bypassing PPL protection
2. Obfuscating memory dump files to evade Defender signature-based detection mechanisms
3. Uploading memory dump with RAW and SMB upload methods without dropping it onto the disk (fileless dump)

An overview of the techniques, used in this tool can be found here.

Note that PROCEXP15.SYS is listed in the source files for compiling purposes. It does not need to be transferred on the target machine alongside the PPLBlade.exe.

It’s already embedded into the PPLBlade.exe. The exploit is just a single executable.

Modes:

1. Dump – Dump process memory using PID or Process Name
2. Decrypt – Revert obfuscated(–obfuscate) dump file to its original state
3. Cleanup – Do cleanup manually, in case something goes wrong on execution (Note that the option values should be the same as for the execution, we’re trying to clean up)
4. DoThatLsassThing – Dump lsass.exe using Process Explorer driver (basic poc)

Handle Modes:

1. Direct – Opens PROCESS_ALL_ACCESS handle directly, using OpenProcess() function
2. Procexp – Uses PROCEXP152.sys to obtain a handle

Download