The protection applied to a process is specified in the _EPROCESS structure, which is an opaque kernel-side structure.ĭuring some years, the tool PPLDump could be used to bypass this protection, but in the last months, Microsoft patched the technique exploited by this vulnerability (discovered by Alex Ionescu and James Forshaw), and in up-to-date systems the era of PPLDump is over, if you want more details about that, you can go to the post i mentioned before (it’s a must read).
I won’t go into details about PPL and PP, because there are fantastic posts talking about this, here is a must read:įollowing there is a table with all the possible protections implemented with PP and PPL. PPL Processesīack in Windows Vista era, Microsoft introduced a protection for critical system processes called Protected Process (a.k.a PP), later in the Windows 8.1 era, Micro$oft introduced a new protection, very similar to PP, called Protected Process Light (a.k.a PPL), this last permits for example an antimalware service to protect itself, blocking termination attempts usually done by malicius software. Today we are going to talk a little bit about PPL and a possible bypass, that requires admin privileges, but not for that less interesting.Īlso we will be talking about a technique implemented to detect LSASS access in kernel side, and how process explorer can be used to bypass it. Hi everyone! After the receival of the AMSI article, i decided to come back with more. Bypass Protected Process Light / ObRegisterCallbacks using Process Explorer
0 kommentar(er)
