PPLdump : Dump The Memory Of A PPL With A Userland Exploit

PPLdump implements a userland exploit that was initially discussed by James Forshaw (a.k.a. @tiraniddo) – in this blog post – for dumping the memory of any PPL as an administrator.

I wrote two blog posts about this tool. The first part is about Protected Processes concepts while the second one dicusses the bypass technique itself.

• Blog post part #1: Do You Really Know About LSA Protection (RunAsPPL)?
• Blog post part #2: Bypassing LSA Protection in Userland

Usage

Simply run the executable without any argument and you will get a detailed help/usage.

c:\Temp>PPLdump64.exe
_
| _ | _ | | | | _ _
| | | || . | | | | . | version 0.4 || || |||__|||| | by @itm4n
|_|
Description:
Dump the memory of a Protected Process Light (PPL) with a userland exploit
Usage:
PPLdump.exe [-v] [-d] [-f]
Arguments:
PROC_NAME The name of a Process to dump
PROC_ID The ID of a Process to dump
DUMP_FILE The path of the output dump file
Options:
-v (Verbose) Enable verbose mode
-d (Debug) Enable debug mode (implies verbose)
-f (Force) Bypass DefineDosDevice error check
Examples:
PPLdump.exe lsass.exe lsass.dmp
PPLdump.exe -v 720 out.dmp

Tests

Windows version	Build	Edition	Arch	Admin	SYSTEM
Windows 10 20H2	19042	Pro	x64	✔️	✔️
Windows 10 20H2	19042	Pro	x86	✔️	✔️
Windows 10 1909	18363	Pro	x64	✔️	✔️
Windows 10 1507	10240	Educational	x64	✔️	✔️
Windows 10 1507	10240	Home	x64	✔️	✔️
Windows 10 1507	10240	Pro	x64	✔️	✔️
Windows Server 2019	17763	Standard	x64	✔️	✔️
Windows Server 2019	17763	Essentials	x64	✔️	✔️
Windows 8.1	9600	Pro	x64	⚠️	⚠️
Windows Server 2012 R2	9600	Standard	x64	⚠️	⚠️

 The exploit fails on fully updated Windows 8.1 / Server 2012 R2 machines. I have yet to figure out which patch caused the error.

[-] DefineDosDevice failed with error code 6 – The handle is invalid.

On Windows 8.1 / Server 2012 R2, you might also have to compile the binary statically (see “Build instructions” below).

Build Instructions

This Visual Studio Solution comprises two projects (the executable and a payload DLL) that need to be compiled in a specific order. Everything is pre-configured, so you just have to follow these simple instructions. The compiled payload DLL is automatically embedded into the final executable.

• Open the Solution with Visual Studio 2019.
• Select Release / x64 or Release / x86 depending on the architecture of the target machine.
• Build > Build Solution.

On Windows 8.1 / Server 2012 R2, you might have to compile the binary statically.

• Right-click on the PPLdump project.
• Go to Configuration Properties > C/C++ > Code Generation.
• Select Multi-threaded (/MT) as the Runtime Library option.
• Build the Solution.