PPLdump implements a userland exploit that was initially discussed by James Forshaw (a.k.a. @tiraniddo) – in this blog post – for dumping the memory of any PPL as an administrator.
I wrote two blog posts about this tool. The first part is about Protected Processes concepts while the second one dicusses the bypass technique itself.
Usage
Simply run the executable without any argument and you will get a detailed help/usage.
c:\Temp>PPLdump64.exe
_
| _ | _ | | | | _ _
| | | || . | | | | . | version 0.4 || || |||__|||| | by @itm4n
|_|
Description:
Dump the memory of a Protected Process Light (PPL) with a userland exploit
Usage:
PPLdump.exe [-v] [-d] [-f]
Arguments:
PROC_NAME The name of a Process to dump
PROC_ID The ID of a Process to dump
DUMP_FILE The path of the output dump file
Options:
-v (Verbose) Enable verbose mode
-d (Debug) Enable debug mode (implies verbose)
-f (Force) Bypass DefineDosDevice error check
Examples:
PPLdump.exe lsass.exe lsass.dmp
PPLdump.exe -v 720 out.dmp
Tests
| Windows version | Build | Edition | Arch | Admin | SYSTEM |
|---|---|---|---|---|---|
| Windows 10 20H2 | 19042 | Pro | x64 | ✔️ | ✔️ |
| Windows 10 20H2 | 19042 | Pro | x86 | ✔️ | ✔️ |
| Windows 10 1909 | 18363 | Pro | x64 | ✔️ | ✔️ |
| Windows 10 1507 | 10240 | Educational | x64 | ✔️ | ✔️ |
| Windows 10 1507 | 10240 | Home | x64 | ✔️ | ✔️ |
| Windows 10 1507 | 10240 | Pro | x64 | ✔️ | ✔️ |
| Windows Server 2019 | 17763 | Standard | x64 | ✔️ | ✔️ |
| Windows Server 2019 | 17763 | Essentials | x64 | ✔️ | ✔️ |
| Windows 8.1 | 9600 | Pro | x64 | ⚠️ | ⚠️ |
| Windows Server 2012 R2 | 9600 | Standard | x64 | ⚠️ | ⚠️ |
The exploit fails on fully updated Windows 8.1 / Server 2012 R2 machines. I have yet to figure out which patch caused the error.
[-] DefineDosDevice failed with error code 6 – The handle is invalid.
On Windows 8.1 / Server 2012 R2, you might also have to compile the binary statically (see “Build instructions” below).
Build Instructions
This Visual Studio Solution comprises two projects (the executable and a payload DLL) that need to be compiled in a specific order. Everything is pre-configured, so you just have to follow these simple instructions. The compiled payload DLL is automatically embedded into the final executable.
Release / x64 or Release / x86 depending on the architecture of the target machine.Build > Build Solution.On Windows 8.1 / Server 2012 R2, you might have to compile the binary statically.
PPLdump project.Configuration Properties > C/C++ > Code Generation.Multi-threaded (/MT) as the Runtime Library option.Introduction Bash scripting is a powerful way to automate Linux tasks, but writing a script…
Introduction A self-signed SSL certificate is a certificate that is created and signed by the…
Introduction Debugging is an important part of Bash scripting. When a script does not work…
Introduction Cron jobs are used in Linux to run commands or Bash scripts automatically at…
Introduction Pipes are an important feature in Linux and Bash scripting. A pipe allows you…
Introduction The grep, awk, and sed commands are powerful text-processing tools in Linux. They are…