EspressoCake/Process_Protection_Level_BOF
Process Protection Level Enumerator BOF

What is this?

  • A Syscall-only BOF file intended to grab process protection attributes, limited to a handful that Red Team operators and pentesters would commonly be interested in.

What problem are you trying to solve?

  • There are great tools that exist in order to stealthily obtain access to and dump LSASS memory, thanks to some wonderful authors.
    • These (to my knowledge) do not currently prevent an operator from unintentionally using them to grab a valid handle to the LSASS process
    • Existing tooling (outside of references in blog posts from the always-helpful @itm4n) does not currently enumerate the protection level of a given process.
      • Obtaining a handle to a PPL-enabled process can lead to a very dead Beacon in very short order
      • This aims to fill that void: it lets an operator know exactly what the protection level of a desired process is (if any) before unintentionally shooting themselves in the foot, and helps them determine what their next step(s) should be, given the output

How do I build this?

```sh
git clone https://github.com/EspressoCake/Process_Protection_Level_BOF
cd Process_Protection_Level_BOF/src
make
```

How do I use this?

  • Load the Aggressor .cna file from the dist directory, after building
  • Determine whatever PID you wish to interrogate
  • From a given Beacon:

```
process_protection_enum PROCESS_ID_NUMBER
```

I tend to touch the stove carelessly, how are you taking care of the injury-prone?

  • Currently, the Aggressor script has safeguards
    • The current Beacon is checked to ensure that it is administrative, and an x64 process

What does the output look like?

Protected Process Output

Unprotected Process Output
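As an added example that is not part of this repository (the BOF itself is syscall-only C), the following Python decodes the same PS_PROTECTION byte that ProcessProtectionInformation returns and, on Windows, reads it through ntdll while opening the target with PROCESS_QUERY_LIMITED_INFORMATION only, which a PPL grants to unprotected callers. This is the check a defender would run to confirm that RunAsPPL is actually in effect for LSASS; the field layout and PROCESSINFOCLASS value 61 come from the public ntdll definitions, and the sample bytes in the docstring are constructed.

```python
import ctypes
import sys
from typing import NamedTuple

# PS_PROTECTION is one byte: bits 0-2 Type, bit 3 Audit, bits 4-7 Signer.
PROCESS_PROTECTION_INFORMATION = 61          # PROCESSINFOCLASS::ProcessProtectionInformation
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000   # enough to query a PPL; no full handle needed
PROTECTED_TYPES = {0: "None", 1: "ProtectedLight", 2: "Protected"}
PROTECTED_SIGNERS = {0: "None", 1: "Authenticode", 2: "CodeGen", 3: "Antimalware",
                     4: "Lsa", 5: "Windows", 6: "WinTcb", 7: "WinSystem", 8: "App"}

class ProcessProtection(NamedTuple):
    type_name: str
    signer_name: str
    audit: bool

def decode_ps_protection(level: int) -> ProcessProtection:
    """Split a PS_PROTECTION byte into its fields (e.g. 0x41 = Lsa signer, ProtectedLight)."""
    if not 0 <= level <= 0xFF:
        raise ValueError("PS_PROTECTION is a single byte")
    ptype, audit, signer = level & 0x7, bool(level & 0x8), level >> 4
    return ProcessProtection(PROTECTED_TYPES.get(ptype, f"Unknown({ptype})"),
                             PROTECTED_SIGNERS.get(signer, f"Unknown({signer})"), audit)

def query_process_protection(pid: int) -> ProcessProtection:
    """Windows only: read the PS_PROTECTION of `pid` via NtQueryInformationProcess."""
    if sys.platform != "win32":
        raise OSError("NtQueryInformationProcess is only available on Windows")
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    ntdll = ctypes.WinDLL("ntdll")
    kernel32.OpenProcess.restype = ctypes.c_void_p            # HANDLE is pointer-sized on x64
    kernel32.OpenProcess.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_uint32]
    kernel32.CloseHandle.argtypes = [ctypes.c_void_p]
    ntdll.NtQueryInformationProcess.restype = ctypes.c_int32  # NTSTATUS
    ntdll.NtQueryInformationProcess.argtypes = [ctypes.c_void_p, ctypes.c_int, ctypes.c_void_p,
                                                ctypes.c_uint32, ctypes.c_void_p]
    handle = kernel32.OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, False, pid)
    if not handle:
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        level, returned = ctypes.c_ubyte(0), ctypes.c_ulong(0)
        status = ntdll.NtQueryInformationProcess(handle, PROCESS_PROTECTION_INFORMATION,
                                                 ctypes.byref(level), ctypes.sizeof(level),
                                                 ctypes.byref(returned))
        if status != 0:
            raise OSError(f"NtQueryInformationProcess failed, NTSTATUS 0x{status & 0xFFFFFFFF:08X}")
        return decode_ps_protection(level.value)
    finally:
        kernel32.CloseHandle(handle)
```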
