PPL Toggling
Who will protect you now?
Windows 8.1 introduced a new concept: Protected Process Light (PPL).
This technology was implemented in order to protect running processes from unwanted actions.
Most of the actions PPL blocks are the ones malware or a malicious user would attempt:
Prevent process termination
Prevent access to virtual memory (read/write, used for enumeration and injection)
Prevent a process from being debugged
Prevent copying (duplicating) handle descriptors
Prevent thread impersonation
Prevent querying information about a thread's state
Naturally, security vendors have rushed to adopt this technology in their products, in order to stop malicious actors from doing all of the above to the product itself, which would be an embarrassment for the vendor.
Another major use of this technology is the RunAsPPL registry key, which, when enabled, turns on the protection for the LSASS process in order to prevent credential dumps.
Fortunately for us, the PPL technology is nothing more than another member of the EPROCESS structure, which we are already familiar with.
The member Protection, of type _PS_PROTECTION, is another struct which we have already introduced earlier.
In order to toggle PPL on a process we will have to perform the following steps:
1. Obtain the EPROCESS address of our target process
2. Jump to the Protection member and read it
3. Cast the data read into a _PS_PROTECTION object
4. Change the Type and Signer members to the relevant values (for on / off)
5. Write the edited _PS_PROTECTION back to its address
The code will look like this:
Toggling PPL can assist an attacker in the following scenarios:
Prevent a user from terminating persistent malware
Turn off a security product
Dump LSASS when RunAsPPL is turned on
Debug a protected process for reverse engineering purposes
Inject into, or read memory from, a protected process.
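Because the toggle described above changes a single byte inside EPROCESS, the useful counterpart for a defender is a check that the protection LSASS is supposed to have is actually in effect, rather than trusting the RunAsPPL key alone. The PowerShell below is an added example, not code from the original page: it reads the same _PS_PROTECTION byte from user mode through NtQueryInformationProcess and compares it with the configured RunAsPPL value. The information class value 61 (ProcessProtectionInformation), the PROCESS_QUERY_LIMITED_INFORMATION access right, and the bit layout (Type in bits 0-2, Audit in bit 3, Signer in bits 4-7) are taken from public ntdll headers and are assumptions of this example, not something the page states. It must run from an elevated prompt.

```powershell
# Added example (not from the original page): audit LSASS PPL state from user mode.
# Assumptions, taken from public ntdll/phnt headers rather than from this page:
#   - ProcessProtectionInformation = 61 returns one PS_PROTECTION byte
#   - PS_PROTECTION layout: Type = bits 0-2, Audit = bit 3, Signer = bits 4-7
#   - PROCESS_QUERY_LIMITED_INFORMATION (0x1000) is enough to open a PPL process for this query
$signature = @'
using System;
using System.Runtime.InteropServices;
public static class PplQuery {
    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationProcess(IntPtr hProcess, int infoClass,
        ref byte info, int infoLength, out int returnLength);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll")]
    public static extern bool CloseHandle(IntPtr h);
}
'@
Add-Type -TypeDefinition $signature

# Names of the PS_PROTECTED_TYPE / PS_PROTECTED_SIGNER values (assumed from public headers)
$Types   = @{ 0 = 'None'; 1 = 'ProtectedLight'; 2 = 'Protected' }
$Signers = @{ 0 = 'None'; 1 = 'Authenticode'; 2 = 'CodeGen'; 3 = 'Antimalware';
              4 = 'Lsa'; 5 = 'Windows'; 6 = 'WinTcb'; 7 = 'WinSystem'; 8 = 'App' }

function Get-ProcessProtection {
    # Decode the _PS_PROTECTION byte of any process into its Type / Audit / Signer fields.
    param([Parameter(Mandatory)][int]$ProcessId)
    $PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
    $ProcessProtectionInformation = 61   # assumption: information class value from public headers
    $h = [PplQuery]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) {
        throw "OpenProcess($ProcessId) failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        [byte]$level = 0
        [int]$returned = 0
        $status = [PplQuery]::NtQueryInformationProcess($h, $ProcessProtectionInformation,
                                                         [ref]$level, 1, [ref]$returned)
        if ($status -ne 0) { throw ("NtQueryInformationProcess failed, NTSTATUS 0x{0:X8}" -f $status) }
        [pscustomobject]@{
            ProcessId = $ProcessId
            Raw       = $level
            Type      = $Types[[int]($level -band 0x7)]
            Audit     = [bool]($level -band 0x8)
            Signer    = $Signers[[int]($level -shr 4)]
        }
    } finally { [void][PplQuery]::CloseHandle($h) }
}

function Test-LsassProtection {
    # Compare what the RunAsPPL key asks for with what the running LSASS actually has.
    $lsass = Get-Process -Name lsass -ErrorAction Stop | Select-Object -First 1
    $prot  = Get-ProcessProtection -ProcessId $lsass.Id
    $cfg   = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name RunAsPPL `
              -ErrorAction SilentlyContinue).RunAsPPL
    $configured = ($null -ne $cfg -and $cfg -ne 0)     # 1 = enabled, 2 = enabled with UEFI lock
    $running    = ($prot.Type -ne 'None' -and $prot.Signer -eq 'Lsa')
    $finding = if ($configured -and -not $running) {
        'RunAsPPL is set but LSASS is not running protected: investigate (protection stripped, or key not applied until reboot)'
    } elseif (-not $configured) {
        'RunAsPPL is not configured; LSASS runs unprotected by design'
    } else { 'OK: LSASS is running as PPL with the Lsa signer' }
    [pscustomobject]@{
        RunAsPPLConfigured = $configured
        LsassProtected     = $running
        Protection         = $prot
        Finding            = $finding
    }
}

Test-LsassProtection | Format-List
```

The check is deliberately read-only: it opens LSASS with the limited query right that PPL still grants, so it works whether or not protection is in place, and a configured-but-unprotected result is the signal worth alerting on, since the kernel-mode write described on this page produces exactly that state without touching the registry.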