PPL Toggling

Who will protect you now?

Windows 8.1 introduced a new concept: Protected Process Light (PPL).

This technology has been implemented in order to protect running processes from unwanted actions.

Most of the actions PPL guards against are ones malware or a malicious user would attempt:

  • Prevent process termination

  • Prevent access to virtual memory (read/write for enumeration and injection)

  • Prevent a process from being debugged

  • Prevent handle duplication

  • Prevent thread impersonation

  • Prevent querying information about a thread's state

Naturally, security vendors have rushed to adopt this technology in their products, so that malicious actors cannot perform any of the above against the product itself, which would be embarrassing for the vendor.

Another major use of this technology is the RunAsPPL registry key, which, when enabled, turns on the protection for the LSASS process in order to prevent credential dumps.

Fortunately for us, the PPL technology is nothing more than another member of the EPROCESS structure, which we are already familiar with.

The Protection member, of type _PS_PROTECTION, is a struct we introduced earlier.

In order to toggle PPL on a process we will have to perform the following steps:

1. Obtain the EPROCESS address for our target process

2. Jump to the Protection member and read it

3. Cast the read information into a _PS_PROTECTION object

4. Change the Type and Signer members to the relevant values (for on / off)

5. Write the edited _PS_PROTECTION back to its address

The code will look like this:

Toggling PPL can assist an attacker in the following scenarios:

  • Prevent persistent malware from being terminated by a user

  • Turn off a security product

  • Dump LSASS when RunAsPPL is turned on

  • Debug a protected process for reverse engineering purposes

  • Inject into, or read memory from, a protected process
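As a defender's counterpart to the procedure and scenarios above (an added example, not code from the original page): a portable C decoder for the _PS_PROTECTION byte the steps read and write, plus a check that flags a process whose protection level has dropped relative to a baseline, which is the observable each of the listed scenarios leaves behind. The enum values and bit layout are those declared in the WDK's ntddk.h; the sample byte pairs are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Bit layout of the one-byte _PS_PROTECTION union (EPROCESS.Protection) as
 * declared in the WDK's ntddk.h: Type:3, Audit:1, Signer:4. */
enum ps_protected_type { PsProtectedTypeNone, PsProtectedTypeProtectedLight, PsProtectedTypeProtected };
enum ps_protected_signer {
    PsProtectedSignerNone, PsProtectedSignerAuthenticode, PsProtectedSignerCodeGen,
    PsProtectedSignerAntimalware, PsProtectedSignerLsa, PsProtectedSignerWindows,
    PsProtectedSignerWinTcb, PsProtectedSignerWinSystem, PsProtectedSignerApp
};
struct ps_protection { uint8_t type; bool audit; uint8_t signer; };

/* Unpack with shifts and masks rather than C bitfields, whose ordering is
 * compiler-defined; this keeps the decoder portable to any host. */
struct ps_protection ps_protection_decode(uint8_t raw)
{
    struct ps_protection p;
    p.type   = raw & 0x07;
    p.audit  = (raw >> 3) & 0x01;
    p.signer = (raw >> 4) & 0x0F;
    return p;
}

/* Detection rule: a process that carried protection in the boot-time baseline
 * (LSASS under RunAsPPL is Lsa/ProtectedLight, raw 0x41) and now reports a
 * lower Type or a different Signer has had its Protection member rewritten. */
bool ps_protection_downgraded(uint8_t baseline, uint8_t current)
{
    struct ps_protection b = ps_protection_decode(baseline);
    struct ps_protection c = ps_protection_decode(current);
    if (b.type == PsProtectedTypeNone)
        return false;               /* never protected: nothing to lose */
    return c.type < b.type || c.signer != b.signer;
}

int main(void)
{
    /* Constructed (baseline, current) pairs as a periodic monitor might collect them. */
    const uint8_t samples[][2] = { {0x41, 0x41}, {0x41, 0x00}, {0x31, 0x00}, {0x62, 0x61} };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct ps_protection c = ps_protection_decode(samples[i][1]);
        printf("baseline 0x%02x -> current 0x%02x (type %d, audit %d, signer %d): %s\n",
               samples[i][0], samples[i][1], c.type, c.audit, c.signer,
               ps_protection_downgraded(samples[i][0], samples[i][1]) ? "ALERT" : "ok");
    }
    return 0;
}
```

In a real monitor the baseline would be captured right after boot and the current value re-read periodically; any ALERT on LSASS or an antimalware service process is worth an immediate investigation.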
