PPLcontrol - Controlling Windows PP(L)s
This tool allows you to list protected processes, get the protection level of a specific process, or set an arbitrary protection level. For more information, you can read this blog post: Debugging Protected Processes.
Usage
1. Download the MSI driver
You can get a copy of the MSI driver RTCore64.sys
here: PPLKiller/driver.
2. Install the MSI driver
Disclaimer: it goes without saying that you should never install this driver on your host machine. Use a VM!
sc.exe create RTCore64 type= kernel start= auto binPath= C:\PATH\TO\RTCore64.sys DisplayName= "Micro - Star MSI Afterburner"
net start RTCore64
3. Use PPLcontrol
List protected processes.
PPLcontrol.exe list
Get the protection level of a specific process.
PPLcontrol.exe get 1234
Set an arbitrary protection level.
PPLcontrol.exe set 1234 PPL WinTcb
Protect a non-protected process with an arbitrary protection level. This will also automatically adjust the signature levels accordingly.
PPLcontrol.exe protect 1234 PPL WinTcb
Unprotect a protected process. This will set the protection level to 0
(i.e. None
) and the EXE/DLL signature levels to 0
(i.e. Unchecked
).
PPLcontrol.exe unprotect 1234
4. Uninstall the driver
net stop RTCore64
sc.exe delete RTCore64
Use cases
Debugging a protected process with WinDbg
WinDbg just needs to open the target process, so you can use PPLcontrol to set an arbitrary protection level on your windbg.exe
process.
- Get the PID of the
windbg.exe
process. - Use PPLcontrol to set an arbitrary protection level.
C:\Temp>tasklist | findstr /i windbg
windbg.exe 1232 Console 1 24,840 K
C:\Temp>PPLcontrol.exe protect 1232 PPL WinTcb
[+] The Protection 'PPL-WinTcb' was set on the process with PID 1232, previous protection was: 'None-None'.
[+] The Signature level 'WindowsTcb' and the Section signature level 'Windows' were set on the process with PID 1232.
Inspecting a protected process with API Monitor
In addition to opening the target process, API monitor injects a DLL into it. Therefore, setting an arbitrary protection level on your apimonitor.exe
process won't suffice. Since the injected DLL is not properly signed for this purpose, the Section signature flag of the target process will likely prevent it from being loaded. However, you can temporarily disable the protection on the target process, start monitoring it, and restore the protection right after.
Failed to load module in target process - Error: 577, Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
- Get the PID of the target process.
- Use PPLcontrol to get the protection level of the target process.
- Unprotect the process.
- Start monitoring the process with API Monitor.
- Restore the protection of the target process.
C:\Temp>tasklist | findstr /i target
target.exe 1337 Services 1 14,160 K
C:\Temp>PPLcontrol.exe get 1337
[+] The process with PID 1337 is a PPL with the Signer type 'WinTcb' (6).
C:\Temp>PPLcontrol.exe unprotect 1337
[+] The process with PID 1337 is no longer a PP(L).
C:\Temp>PPLcontrol.exe protect 1337 PPL WinTcb
[+] The Protection 'PPL-WinTcb' was set on the process with PID 1337, previous protection was: 'None-None'.
[+] The Signature level 'WindowsTcb' and the Section signature level 'Windows' were set on the process with PID 1337.
Build
- Open the solution in Visual Studio.
- Select
Release/x64
(x86
is not supported and will probably never be). - Build solution
Credit
- @aceb0nd for the tool PPLKiller
- @aionescu for the article Protected Processes Part 3: Windows PKI Internals (Signing Levels, Scenarios, Root Keys, EKUs & Runtime Signers)