The recent 'Redux' upgrade to PPLFault by Gabriel Landau of Elastic Security allows PPL injection into all Windows 10 versions (22H2+) and into Windows 11 up to 23H2:
https://www.elastic.co/security-labs/immutable-illusion
https://github.com/gabriellandau/Redux
Thank you to Gabriel Landau for this work, to James Forshaw (@tyranid) for the underlying techniques, and to @itm4n for the PPLdump code, which is extended here to create a fake KnownDlls directory object and thereby bypass DLL signature enforcement à la Forshaw.
This tool is derived from PPLdump by @itm4n (https://github.com/itm4n/PPLdump), described in two blog posts. The first part is about Protected Processes concepts while the second one discusses the bypass technique itself.
- Blog post part #1: Do You Really Know About LSA Protection (RunAsPPL)?
- Blog post part #2: Bypassing LSA Protection in Userland
PPLinject implements a userland exploit initially discussed by James Forshaw (a.k.a. @tiraniddo) in a 2018 blog post (see Credits) to inject an arbitrary unsigned DLL into a PPL as an administrator.
Simply run the executable without any argument and you will get a detailed help/usage.
```
c:\Temp>PPLinject64.exe

Description:
  Inject an unsigned DLL into a Protected Process Light (PPL) with a *userland* exploit

Usage:
  PPLinject.exe [-v] [-d] [-f] <PROC_ID> <DLL>

Arguments:
  PROC_ID  The ID of a Process to inject
  DLL      The path of the Dll to inject

Options:
  -v (Verbose)  Enable verbose mode
  -d (Debug)    Enable debug mode (implies verbose)
  -f (Force)    Bypass DefineDosDevice error check

Examples:
  PPLinject.exe -d 684 C:\Users\Rebecca\AppData\Local\Temp\capemon_x64.dll
```

First of all, PPLs were introduced with Windows 8.1, so older versions of Windows are obviously not supported. This project mainly targets Windows 10 (and its server editions), but I also tested it on older versions. You will find a summary table of the tests I did in the eponymous section.
Other PPL bypass tools usually execute arbitrary code in the Kernel through a digitally signed driver. This one is different as it involves only userland tricks and is (almost) fileless.
This tool leverages a very clever trick that was initially discussed by James Forshaw in 2018 (see Credits). It involves the use of the DefineDosDevice API function to trick the system into creating an arbitrary Known DLL entry. Since PPLs do not check the digital signature of Known DLLs, this can be later used to perform a DLL hijacking attack and execute arbitrary code inside a PPL.
Although this tool performs a DLL hijacking attack as a second stage, it does not create a new DLL file on disk. Instead, it makes use of an NTFS transaction to virtually replace the content of an existing one, a technique directly inspired by the work of @_ForrestOrr (see Credits).
Is there a risk of crashing the machine? The short answer is "no". First, the tool does not involve any direct kernel access, so there is no risk of causing a BSOD from that standpoint. In the worst case, the tool might fail to remove the Known DLL entry it created, but this will not cause a denial of service: the entry simply stays there until the next reboot. Since the created entry is just a symbolic link pointing to a non-existent section, the loader falls back to the default location (i.e. the System32 folder), so other programs running on the machine are not affected.
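One way to check for that leftover entry, as an added example that is not part of PPLinject or PPLdump: the PowerShell script below enumerates the `\KnownDlls` (and, on x64, `\KnownDlls32`) object directory through `NtOpenDirectoryObject`/`NtQueryDirectoryObject` and reports anything that is not a Section object. The one legitimate non-Section entry is `KnownDllPath`, a SymbolicLink holding the System32 path, so it is whitelisted; the `ObjDir` class name and the output format are this example's own choices. Run it from a 64-bit PowerShell; no elevation is needed because `\KnownDlls` is readable by everyone.

```powershell
# Added example (not PPLinject/PPLdump code): list \KnownDlls entries by object type
# and flag any SymbolicLink (or other non-Section) entry other than KnownDllPath.
$ntdllDef = @"
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;

public static class ObjDir
{
    [StructLayout(LayoutKind.Sequential)]
    public struct UNICODE_STRING { public ushort Length; public ushort MaximumLength; public IntPtr Buffer; }

    [StructLayout(LayoutKind.Sequential)]
    public struct OBJECT_ATTRIBUTES
    {
        public int Length; public IntPtr RootDirectory; public IntPtr ObjectName;
        public uint Attributes; public IntPtr SecurityDescriptor; public IntPtr SecurityQualityOfService;
    }

    // Layout returned by NtQueryDirectoryObject: object name followed by its type name.
    [StructLayout(LayoutKind.Sequential)]
    public struct OBJECT_DIRECTORY_INFORMATION { public UNICODE_STRING Name; public UNICODE_STRING TypeName; }

    [DllImport("ntdll.dll")]
    static extern int NtOpenDirectoryObject(out IntPtr DirectoryHandle, uint DesiredAccess, ref OBJECT_ATTRIBUTES ObjectAttributes);
    [DllImport("ntdll.dll")]
    static extern int NtQueryDirectoryObject(IntPtr DirectoryHandle, IntPtr Buffer, int Length,
        [MarshalAs(UnmanagedType.U1)] bool ReturnSingleEntry, [MarshalAs(UnmanagedType.U1)] bool RestartScan,
        ref uint Context, out uint ReturnLength);
    [DllImport("ntdll.dll")]
    static extern int NtClose(IntPtr Handle);

    const uint DIRECTORY_QUERY = 0x0001;
    const uint OBJ_CASE_INSENSITIVE = 0x40;
    const int STATUS_NO_MORE_ENTRIES = unchecked((int)0x8000001A);

    // Returns "name<TAB>type" for every entry of an NT object directory such as "\KnownDlls".
    public static List<string> List(string path)
    {
        var result = new List<string>();
        var name = new UNICODE_STRING();
        name.Length = (ushort)(path.Length * 2);
        name.MaximumLength = (ushort)(path.Length * 2 + 2);
        name.Buffer = Marshal.StringToHGlobalUni(path);
        IntPtr pName = Marshal.AllocHGlobal(Marshal.SizeOf(name));
        Marshal.StructureToPtr(name, pName, false);

        var oa = new OBJECT_ATTRIBUTES();
        oa.Length = Marshal.SizeOf(oa);
        oa.ObjectName = pName;
        oa.Attributes = OBJ_CASE_INSENSITIVE;

        IntPtr hDir;
        int status = NtOpenDirectoryObject(out hDir, DIRECTORY_QUERY, ref oa);
        Marshal.FreeHGlobal(pName);
        Marshal.FreeHGlobal(name.Buffer);
        if (status != 0) throw new Exception(String.Format("NtOpenDirectoryObject({0}) failed: 0x{1:X8}", path, status));

        const int bufSize = 4096;            // one entry plus both strings fits comfortably
        IntPtr buf = Marshal.AllocHGlobal(bufSize);
        uint ctx = 0, ret;
        bool restart = true;
        try
        {
            while (true)
            {
                // ReturnSingleEntry = true: one OBJECT_DIRECTORY_INFORMATION per call, Context tracks position.
                status = NtQueryDirectoryObject(hDir, buf, bufSize, true, restart, ref ctx, out ret);
                restart = false;
                if (status == STATUS_NO_MORE_ENTRIES) break;
                if (status != 0) throw new Exception(String.Format("NtQueryDirectoryObject failed: 0x{0:X8}", status));
                var info = (OBJECT_DIRECTORY_INFORMATION)Marshal.PtrToStructure(buf, typeof(OBJECT_DIRECTORY_INFORMATION));
                string n = Marshal.PtrToStringUni(info.Name.Buffer, info.Name.Length / 2);
                string t = Marshal.PtrToStringUni(info.TypeName.Buffer, info.TypeName.Length / 2);
                result.Add(n + "\t" + t);
            }
        }
        finally { Marshal.FreeHGlobal(buf); NtClose(hDir); }
        return result;
    }
}
"@
if (-not ('ObjDir' -as [type])) { Add-Type -TypeDefinition $ntdllDef }

foreach ($dir in @('\KnownDlls', '\KnownDlls32')) {
    try { $entries = [ObjDir]::List($dir) } catch { Write-Warning $_; continue }
    $bad = 0
    foreach ($e in $entries) {
        $name, $type = $e -split "`t", 2
        # KnownDllPath is always a SymbolicLink (it carries the System32 path); everything else must be a Section.
        if ($type -ne 'Section' -and $name -ne 'KnownDllPath') {
            Write-Output ('SUSPICIOUS  {0}\{1}  (type: {2})' -f $dir, $name, $type)
            $bad++
        }
    }
    Write-Output ('{0}: {1} entries, {2} suspicious' -f $dir, $entries.Count, $bad)
}
```

On a clean machine the only non-Section object reported is filtered out, so both directories end with `0 suspicious`; a SymbolicLink such as the one the tool leaves behind after a failed cleanup shows up as a `SUSPICIOUS` line until the next reboot removes it.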
| Windows version | Build | Edition | Arch | Admin | SYSTEM |
|---|---|---|---|---|---|
| Windows 10 20H2 | 19042 | Pro | x64 | ✔️ | ✔️ |
| Windows 10 20H2 | 19042 | Pro | x86 | ✔️ | ✔️ |
| Windows 10 1909 | 18363 | Pro | x64 | ✔️ | ✔️ |
| Windows 10 1507 | 10240 | Educational | x64 | ✔️ | ✔️ |
| Windows 10 1507 | 10240 | Home | x64 | ✔️ | ✔️ |
| Windows 10 1507 | 10240 | Pro | x64 | ✔️ | ✔️ |
| Windows Server 2019 | 17763 | Standard | x64 | ✔️ | ✔️ |
| Windows Server 2019 | 17763 | Essentials | x64 | ✔️ | ✔️ |
| Windows 8.1 | 9600 | Pro | x64 | | |
| Windows Server 2012 R2 | 9600 | Standard | x64 | | |
```
[-] DefineDosDevice failed with error code 6 - The handle is invalid.
```

This Visual Studio Solution comprises two projects (the executable and a payload DLL) that need to be compiled in a specific order. Everything is pre-configured, so you just have to follow these simple instructions. The compiled payload DLL is automatically embedded into the final executable.
- Open the Solution with Visual Studio 2017.
- Select `Release / x64` or `Release / x86` depending on the architecture of the target machine.
- Build > Build Solution.

On Windows 8.1 / Server 2012 R2, you might have to compile the binary statically:

- Right-click on the `PPLinject` project.
- Go to `Configuration Properties` > `C/C++` > `Code Generation`.
- Select `Multi-threaded (/MT)` as the `Runtime Library` option.
- Build the Solution.
- @gabriellandau (Elastic Security) - PPLFault & Redux
- @itm4n - Original PPLdump tool: https://github.com/itm4n/PPLdump
- @tiraniddo - Windows Exploitation Tricks: Exploiting Arbitrary Object Directory Creation for Local Elevation of Privilege: https://googleprojectzero.blogspot.com/2018/08/windows-exploitation-tricks-exploiting.html
- @_ForrestOrr - Masking Malicious Memory Artifacts – Part I: Phantom DLL Hollowing: https://www.forrest-orr.net/post/malicious-memory-artifacts-part-i-dll-hollowing
- @kevoreilly - This derivative tool