Bypassing Protected Process Light for red team tradecraft
Learn about different ways to bypass Protected Process Light (PPL) during a red team engagement.
In the last post, I covered what Protected Processes (PP) and Protected Processes Light (PPL) are. Building on that understanding, this post walks through the various methods that can be leveraged to bypass the restrictions imposed by PPL.
If you recall, towards the end of the last post I mentioned that,
To alter a PPL service, it is important to remember that since non-protected processes cannot modify the configuration of a protected service, either the service must first mark itself as unprotected or it can be altered with the help of a driver. Once reconfigured to run as unprotected, the service can be altered or its memory can be dumped.
Another way to gain access to a process protected by PPL is to create a new process with the same or a higher signing level as the target process. So, this leaves us with the following methods to bypass PPL:
Create a new PPL process with the same or higher signing level and then use it to gain access to the target process. This is similar to you bringing in your grandparents to open the box of chocolates (to understand this analogy, please read my last post).
Load a driver to alter a process’s PPL protections. This works at the kernel level so it requires administrator privileges. This is the most common method used in the wild to bypass PPL. PPLKiller, developed by Red Cursor Security Consulting, is a tool that implements this technique.
One challenge in using this technique is that, by default, Windows does not allow unsigned drivers to be loaded. To get around this restriction, we’ll need to disable the Driver Signature Enforcement (DSE). DSE is part of the Code Integrity feature. It can be disabled by leveraging a vulnerable but legitimately signed driver. This approach is known as Bring Your Own Vulnerable Driver (BYOVD). A list of such drivers can be obtained from the LOLDrivers project. The flow of this method is as follows:
Load a known vulnerable driver.
Leverage this driver to disable DSE.
Once DSE is disabled, load the custom driver that will bypass PPL.
Re-enable DSE to prevent a blue screen of death.
Unload the driver.
Overall, this method is similar to bringing in specialized tools to break the lock and seal on the box of chocolates.
The last method is to exploit a vulnerability in the operating system that allows manipulating PPL. One such vulnerability is discussed in the post Windows Exploitation Tricks by James Forshaw of Google Project Zero. An exploit for this vulnerability was implemented in the tool PPLDump, developed by Clément Labro. Gabriel Landau released another tool, PPLFault, which exploits a TOCTOU vulnerability in Windows Code Integrity to achieve arbitrary code execution as WinTcb-Light and then dump a specified process.
So far, attacks of this nature have leveraged vulnerabilities in one of the following components / features to manipulate PPL:
Unfortunately, most of these vulnerabilities have been patched and tools leveraging them won’t work on more recent versions of Windows.
To conclude the box of chocolates analogy, this method is similar to finding faults in the way the lock and seal work (maybe the lock is of cheap quality and can be easily broken, or the seal might be loosely fixed) or in the constitution of the box (maybe the box has a weak base or has another way of opening).
Tools which enable PPL bypass
PPLDump - Works in User land. Does not work with Windows 10 21H2 10.0.19044.1826 (July 2022 update) and later.
PPLKiller - Works in Kernel land. Uses the second technique to bypass PPL. Can work with BYOVD approach.
PPLcontrol - Works in Kernel land. Uses the first technique to change a process’s protection level. Can work with a vulnerable legitimately signed driver.
PPLFault - Works in Kernel land. The underlying vulnerability was patched in 2024, so this tool no longer works with recent versions of Windows.
GodFault - Works in Kernel land. Leverages the same underlying vulnerability as PPLFault and chains it to another vulnerability to provide God mode access.
mimidrv - Works in Kernel land. Uses the second technique to bypass PPL. Can work with BYOVD approach.
PPEnum - This is not a tool to bypass PPL. It is a Beacon Object File (BOF) that helps in enumerating the protection level of a process.
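The enumeration PPEnum performs can also be done from the defender's side to verify that protection has not been stripped. The following is an added example (not PPEnum, nor any of the tools above): a PowerShell audit script that reads each process's PS_PROTECTION byte via NtQueryInformationProcess (ProcessProtectionInformation, class 61) and warns if LSASS no longer runs as Lsa-Light, which is what you would expect to see after a PPLKiller-style driver has run. The baseline table ($Expected) is an assumption for this example; it only covers LSASS with RunAsPPL enforced.

```powershell
# Added example: audit PS_PROTECTION of running processes from PowerShell.
# Assumes an elevated prompt. PROCESS_QUERY_LIMITED_INFORMATION is still granted
# against PPL processes, which is what makes this usable as a read-only check.
$sig = @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
[DllImport("kernel32.dll")]
public static extern bool CloseHandle(IntPtr h);
[DllImport("ntdll.dll")]
public static extern int NtQueryInformationProcess(IntPtr h, int cls, ref byte info, int len, out int ret);
'@
$Native = Add-Type -MemberDefinition $sig -Name Native -Namespace PplAudit -PassThru

# PS_PROTECTION is one byte: Type (bits 0-2), Audit (bit 3), Signer (bits 4-7).
$Types   = @{ 0 = 'None'; 1 = 'ProtectedLight'; 2 = 'Protected' }
$Signers = @{ 0 = 'None'; 1 = 'Authenticode'; 2 = 'CodeGen'; 3 = 'Antimalware';
              4 = 'Lsa'; 5 = 'Windows'; 6 = 'WinTcb'; 7 = 'WinSystem'; 8 = 'App' }

function Get-ProcessProtection {
    param([int]$ProcessId)
    $h = $Native::OpenProcess(0x1000, $false, $ProcessId)   # PROCESS_QUERY_LIMITED_INFORMATION
    if ($h -eq [IntPtr]::Zero) { return $null }
    try {
        [byte]$raw = 0; [int]$len = 0
        $status = $Native::NtQueryInformationProcess($h, 61, [ref]$raw, 1, [ref]$len)  # ProcessProtectionInformation
        if ($status -ne 0) { return $null }
        [pscustomobject]@{
            Type   = $Types[[int]($raw -band 0x7)]
            Audit  = [bool](($raw -shr 3) -band 0x1)
            Signer = $Signers[[int]($raw -shr 4)]
        }
    } finally { [void]$Native::CloseHandle($h) }
}

# Baseline (assumption for this example): how LSASS should look when RunAsPPL is enforced.
$Expected = @{ 'lsass' = @{ Type = 'ProtectedLight'; Signer = 'Lsa' } }

foreach ($p in Get-Process) {
    $prot = Get-ProcessProtection -ProcessId $p.Id
    if ($null -eq $prot) { continue }
    $line = '{0,-24} {1,6} {2,-15} {3}' -f $p.ProcessName, $p.Id, $prot.Type, $prot.Signer
    $want = $Expected[$p.ProcessName.ToLower()]
    if ($want -and ($prot.Type -ne $want.Type -or $prot.Signer -ne $want.Signer)) {
        Write-Warning "$line  <-- protection differs from baseline; investigate (unexpected driver load, tampering)"
    } elseif ($prot.Type -ne 'None') { Write-Output $line }
}
```

Processes that return no protection information (open failed or NTSTATUS non-zero) are skipped rather than reported, so run it elevated to get a complete picture.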
Red Team Notes
- Protected Process Light (PPL) protection can be bypassed via any of the following three methods:
- Using a new PPL process with the same or a higher signing level to access the target process.
- Kernel mode manipulations, by loading a custom driver, to remove PPL protections.
- Operating system vulnerabilities that enable manipulating PPL protections.