# PPL Toggling

Windows 8.1 introduced a new concept: Protected Process Light (PPL).

This technology was added to protect running processes from unwanted actions.

Most of the actions PPL blocks are ones that malware or a malicious user would want to perform:

* Terminating the process
* Accessing its virtual memory (read/write, for enumeration and injection)
* Debugging the process
* Duplicating its handles
* Impersonating its threads
* Querying information about a thread's state

Naturally, security vendors rushed to adopt this technology in their products, so that malicious actors cannot do any of the above to the security product itself, which would be embarrassing for the vendor.

Another major use of this technology is the RunAsPPL registry setting which, when enabled, turns on the protection for the LSASS process in order to prevent credential dumping.

Fortunately for us, the PPL technology is nothing more than another member of the EPROCESS structure, which we are already familiar with.

The Protection member, of type \_PS\_PROTECTION, is another struct that we introduced earlier.

In order to toggle PPL on a process we will have to perform the following steps:

1. Obtain the EPROCESS address of our target process

2. Jump to the Protection member and read it

3. Cast the data read into a \_PS\_PROTECTION object

4. Change the Type and Signer members to the relevant values (for on / off)

5. Write the edited \_PS\_PROTECTION back to its address

The code will look like this:

![Code implementing the steps above](/files/6fqnUUoFG91cxR4ubYdi)
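As an added example (not the code shown in the page's figure), here is a decoder for the one-byte \_PS\_PROTECTION value that steps 2 and 3 read, together with a defender-side check of the LSASS case discussed above. The constant names mirror the kernel's PS_PROTECTED_TYPE and PS_PROTECTED_SIGNER enums; the expectation that lsass.exe carries level 0x41 (ProtectedLight, signer Lsa) when RunAsPPL is enabled is an assumption stated in the code.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* _PS_PROTECTION is a single byte (EPROCESS.Protection.Level):
 *   bits 0-2  Type    (PS_PROTECTED_TYPE)
 *   bit  3    Audit
 *   bits 4-7  Signer  (PS_PROTECTED_SIGNER)
 */
typedef struct { uint8_t type; uint8_t audit; uint8_t signer; } ps_protection_t;

enum { PS_TYPE_NONE = 0, PS_TYPE_LIGHT = 1, PS_TYPE_FULL = 2 };
enum { PS_SIGNER_NONE = 0, PS_SIGNER_AUTHENTICODE = 1, PS_SIGNER_CODEGEN = 2,
       PS_SIGNER_ANTIMALWARE = 3, PS_SIGNER_LSA = 4, PS_SIGNER_WINDOWS = 5,
       PS_SIGNER_WINTCB = 6, PS_SIGNER_WINSYSTEM = 7, PS_SIGNER_APP = 8 };

/* Split the packed byte into its three fields. */
ps_protection_t ps_protection_decode(uint8_t level) {
    ps_protection_t p;
    p.type   = level & 0x07;
    p.audit  = (level >> 3) & 0x01;
    p.signer = (level >> 4) & 0x0F;
    return p;
}

const char *ps_type_name(uint8_t type) {
    static const char *names[] = { "None", "ProtectedLight", "Protected" };
    return type < 3 ? names[type] : "Unknown";
}

const char *ps_signer_name(uint8_t signer) {
    static const char *names[] = { "None", "Authenticode", "CodeGen", "Antimalware",
                                   "Lsa", "Windows", "WinTcb", "WinSystem", "App" };
    return signer < 9 ? names[signer] : "Unknown";
}

/* Assumption: with RunAsPPL enabled, lsass.exe runs as ProtectedLight signed by Lsa
 * (0x41). Any other level on such a host means Protection was cleared or changed. */
int lsass_protection_tampered(uint8_t observed_level) {
    ps_protection_t p = ps_protection_decode(observed_level);
    return !(p.type == PS_TYPE_LIGHT && p.signer == PS_SIGNER_LSA);
}

int main(void) {
    /* Constructed sample: levels a monitoring agent might record for lsass.exe
     * before and after the toggle described above. */
    const uint8_t samples[] = { 0x41, 0x00 };
    for (size_t i = 0; i < sizeof samples; i++) {
        ps_protection_t p = ps_protection_decode(samples[i]);
        printf("lsass.exe Protection=0x%02x Type=%s Signer=%s tampered=%d\n", samples[i],
               ps_type_name(p.type), ps_signer_name(p.signer), lsass_protection_tampered(samples[i]));
    }
    return 0;
}
```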

Toggling PPL can assist an attacker in the following scenarios:

* Preventing a user from shutting down persistent malware
* Turning off a security product
* Dumping LSASS when RunAsPPL is enabled
* Debugging a protected process for reverse engineering purposes
* Injecting into, or reading memory from, a protected process

