PPLdump: dumping the memory of any PPL
I wrote two blog posts about this tool. The first part is about Protected Processes concepts while the second one discusses the bypass technique itself.
- Blog post part #1: Do You Really Know About LSA Protection (RunAsPPL)?
- Blog post part #2: Bypassing LSA Protection in Userland
Does it work on all versions of Windows?
First of all, PPLs were introduced with Windows 8.1 so older versions of Windows are obviously not supported. This project mainly targets Windows 10 (and its server editions) but I also tested it on older versions. You will find a summary table of the tests I did in the eponymous section.
How is it different from other tools?
Other PPL bypass tools usually execute arbitrary code in the Kernel through a digitally signed driver. This one is different as it involves only userland tricks and is (almost) fileless.
“Userland”, you say?!
This tool leverages a very clever trick that was initially discussed by James Forshaw in 2018 (see Credits). It involves the use of the
DefineDosDevice API function to trick the system into creating an arbitrary Known DLL entry. Since PPLs do not check the digital signature of Known DLLs, this can be later used to perform a DLL hijacking attack and execute arbitrary code inside a PPL.
Is it really “fileless”?
Although this tool performs a DLL hijacking attack as a second stage, it does not create a new DLL file on disk. Instead, it makes use of an NTFS transaction to virtually replace the content of an existing one, a technique directly inspired by the work of @_ForrestOrr (see Credits).
Can this tool cause a DoS?
The short answer is “no”. First, it does not involve any direct Kernel access so there is no risk of causing a BSOD from this standpoint. In the worst-case scenario, the tool might fail to remove the created Known DLL entry but, this will not cause a Denial of Service. It will just stay there until the next machine reboot. As the created entry would just be a symbolic link pointing to a non-existent section, the system would eventually fall back to the default location (i.e. the
System32 folder) so it will not impact other programs running on the machine.
Copyright (c) 2021 Clément Labro (@itm4n)