PPLdump implements a userland exploit that was initially discussed by James Forshaw (a.k.a. @tiraniddo) – in this blog post – for dumping the memory of any PPL as an administrator.
I wrote two blog posts about this tool. The first part is about Protected Processes concepts while the second one dicusses the bypass technique itself.
Usage
Simply run the executable without any argument and you will get a detailed help/usage.
c:\Temp>PPLdump64.exe
_
| _ | _ | | | | _ _
| | | || . | | | | . | version 0.4 || || |||__|||| | by @itm4n
|_|
Description:
Dump the memory of a Protected Process Light (PPL) with a userland exploit
Usage:
PPLdump.exe [-v] [-d] [-f]
Arguments:
PROC_NAME The name of a Process to dump
PROC_ID The ID of a Process to dump
DUMP_FILE The path of the output dump file
Options:
-v (Verbose) Enable verbose mode
-d (Debug) Enable debug mode (implies verbose)
-f (Force) Bypass DefineDosDevice error check
Examples:
PPLdump.exe lsass.exe lsass.dmp
PPLdump.exe -v 720 out.dmp
Tests
| Windows version | Build | Edition | Arch | Admin | SYSTEM |
|---|---|---|---|---|---|
| Windows 10 20H2 | 19042 | Pro | x64 | ✔️ | ✔️ |
| Windows 10 20H2 | 19042 | Pro | x86 | ✔️ | ✔️ |
| Windows 10 1909 | 18363 | Pro | x64 | ✔️ | ✔️ |
| Windows 10 1507 | 10240 | Educational | x64 | ✔️ | ✔️ |
| Windows 10 1507 | 10240 | Home | x64 | ✔️ | ✔️ |
| Windows 10 1507 | 10240 | Pro | x64 | ✔️ | ✔️ |
| Windows Server 2019 | 17763 | Standard | x64 | ✔️ | ✔️ |
| Windows Server 2019 | 17763 | Essentials | x64 | ✔️ | ✔️ |
| Windows 8.1 | 9600 | Pro | x64 | ⚠️ | ⚠️ |
| Windows Server 2012 R2 | 9600 | Standard | x64 | ⚠️ | ⚠️ |
The exploit fails on fully updated Windows 8.1 / Server 2012 R2 machines. I have yet to figure out which patch caused the error.
[-] DefineDosDevice failed with error code 6 – The handle is invalid.
On Windows 8.1 / Server 2012 R2, you might also have to compile the binary statically (see “Build instructions” below).
Build Instructions
This Visual Studio Solution comprises two projects (the executable and a payload DLL) that need to be compiled in a specific order. Everything is pre-configured, so you just have to follow these simple instructions. The compiled payload DLL is automatically embedded into the final executable.
Release / x64 or Release / x86 depending on the architecture of the target machine.Build > Build Solution.On Windows 8.1 / Server 2012 R2, you might have to compile the binary statically.
PPLdump project.Configuration Properties > C/C++ > Code Generation.Multi-threaded (/MT) as the Runtime Library option.Have you ever come across a picture on the internet and wondered where it came…
Overview WhatsMyName is a free, community-driven OSINT tool designed to identify where a username exists…
Managing disk usage is a crucial task for Linux users and administrators alike. Understanding which…
Efficient disk space management is vital in Linux, especially for system administrators who manage servers…
Knowing how to check directory sizes in Linux is essential for managing disk space and…
Managing user accounts is a core responsibility for any Linux administrator. Whether you’re securing a…