mattiwatti / pplkiller

Protected Processes Light Killer

License: GNU General Public License v3.0

Language: C++ (100%)
Topics: process protection kernel driver debugging csrss

pplkiller's Introduction

Overview

PPLKiller ('Protected Processes Light killer', not 'people killer') is a kernel mode driver that disables Protected Process Light protection on all running processes.

PPL is a mechanism introduced in Windows 8.1 that transfers many of the security restrictions enjoyed by the System process to user mode processes such as smss.exe and csrss.exe. For example, it is not possible to open a PPL process with PROCESS_VM_READ access, even when running as the Local System user and having debug privileges enabled.

For more info on PPL, read The Evolution of Protected Processes by Alex Ionescu.

While PPL was probably designed with good intentions (and there are uses for it, such as protecting the LSA process from tampering), I mostly find it to be a nuisance that gets in the way of debugging. That's why I wrote this driver that only does one thing: it finds all PPL processes and removes their protection. Non-'light' protected processes (i.e. the System process) remain protected.

PPLKiller works on Windows 8.1 and 10, and does not require disabling Kernel Patch Protection. Update: as of Windows 10.0.18362.0 this is no longer true; running PPLKiller will eventually trigger a PatchGuard bugcheck with the reason "modification of a protected process". Your options for dealing with this are:

  1. Use a kernel debugger (if you are not already using one) in combination with PPLKiller for your debugging work. This works because PatchGuard does not run when a kernel debugger is attached.
  2. Use a tool such as EfiGuard to disable PatchGuard.

Update regarding code signature enforcement

It has been brought to my attention that Windows 10 RS2 ('Redstone 2', 'Creators Update', Windows 1703, Windows 10.0.15063.0, and other possible names I'm not aware of) has added a new kernel mode verification of the 'binary signature policy' process mitigation type in the EPROCESS structure. This mitigation policy, while not new in itself (it has existed since Windows 8), was previously enforced only in user mode. The new update, however, makes it impossible to inject any code that is not signed by Microsoft into the same processes that were already 'light'-protected previously. Because this has equally disastrous effects for debugging as process protection, and is done for unjustifiable reasons (unlike other mitigation policies such as DEP, ASLR and CFG, which have a technical basis for their implementation rather than a political one), I have added functionality that will automatically disable this policy on Windows RS2 and later. Older Windows versions are currently passed over for this, unless Microsoft decides to retroactively add the check to older kernels.

Compiling

  1. Install the WDK.
  2. Open the solution file and compile.

Installation

  1. Make sure test signing is enabled (bcdedit /set testsigning on), or alternatively, that you are a millionaire and have a Windows EV signing certificate.
  2. Copy pplkiller.sys to %systemroot%\System32\drivers.
  3. Run sc create pplkiller binPath= System32\drivers\pplkiller.sys type= kernel to install the driver. (Mind the spaces.)

Operation

  1. Run sc start pplkiller to start the driver.
  2. Run sc stop pplkiller to stop the driver, since it doesn't actually do anything after starting.
  3. There should now be no more PPL protected processes. You can verify this by viewing csrss.exe in Process Explorer and checking the "Protected" field of the Security tab.
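As an added example (not part of PPLKiller or its README), the following PowerShell audits a host for the state the Installation and Operation steps above produce: whether test signing is enabled, whether a kernel driver service named pplkiller is registered and running, the Authenticode status of pplkiller.sys, and, as a programmatic version of step 3, whether csrss.exe can be opened with PROCESS_VM_READ. The service name, driver path and process name come from the README; the function names and the Win32 P/Invoke wrapper are assumptions of this example.

```powershell
# Added example, not part of PPLKiller. Audits the footprint that the README's
# Installation/Operation steps leave on a host. Run from an elevated PowerShell.
# Assumed: service name 'pplkiller', driver file pplkiller.sys under System32\drivers.

Add-Type -Namespace PplAudit -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

function Get-TestSigningState {
    # Installation step 1: 'bcdedit /set testsigning on'. bcdedit prints
    # 'testsigning   Yes' for the current boot entry once that is in effect.
    $out = & bcdedit.exe /enum '{current}' 2>$null
    if (-not $out) { return $null }            # bcdedit needs elevation; $null = unknown
    return [bool]($out -match '^\s*testsigning\s+Yes')
}

function Get-DriverServiceState {
    # Installation step 3: 'sc create pplkiller ... type= kernel' registers a kernel
    # driver service, which Win32_SystemDriver enumerates (Get-Service does not).
    param([string]$Name = 'pplkiller')
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$Name'" -ErrorAction SilentlyContinue
    if (-not $drv) { return $null }
    [pscustomobject]@{
        Name      = $drv.Name
        State     = $drv.State       # 'Running' after 'sc start', 'Stopped' after 'sc stop'
        StartMode = $drv.StartMode
        PathName  = $drv.PathName
    }
}

function Get-DriverSignatureState {
    # Installation step 2 copies pplkiller.sys here. A test-signed driver chains to a
    # self-signed WDK test certificate, so Status is normally not 'Valid'.
    param([string]$Path = (Join-Path $env:SystemRoot 'System32\drivers\pplkiller.sys'))
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    [pscustomobject]@{
        Path   = $Path
        Status = $sig.Status
        Signer = $signer
    }
}

function Test-VmReadAccess {
    # Programmatic version of Operation step 3. The README states that a PPL process
    # cannot be opened with PROCESS_VM_READ even by Local System with debug privilege,
    # so a successful open on csrss.exe means the protection is gone. A denial alone
    # is only conclusive when the caller holds SeDebugPrivilege; otherwise it may be
    # an ordinary DACL denial.
    param([string]$ProcessName = 'csrss')
    $PROCESS_VM_READ = [uint32]0x0010
    foreach ($p in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        $h   = [PplAudit.Native]::OpenProcess($PROCESS_VM_READ, $false, [uint32]$p.Id)
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        $opened = ($h -ne [IntPtr]::Zero)
        if ($opened) { [void][PplAudit.Native]::CloseHandle($h); $err = 0 }
        [pscustomobject]@{
            Pid          = $p.Id
            Name         = $p.ProcessName
            VmReadOpened = $opened     # $true = PROCESS_VM_READ granted = not PPL-protected
            Win32Error   = $err        # 5 = ERROR_ACCESS_DENIED
        }
    }
}

function Invoke-PplKillerAudit {
    [pscustomobject]@{
        TestSigningEnabled = Get-TestSigningState
        DriverService      = Get-DriverServiceState
        DriverSignature    = Get-DriverSignatureState
        CsrssVmRead        = @(Test-VmReadAccess)
    }
}

Invoke-PplKillerAudit | Format-List
```

On an untouched host the expected picture is TestSigningEnabled $false, no driver service, no driver file, and VmReadOpened $false for every csrss.exe instance; the combination of test signing on, a running pplkiller service and a successful PROCESS_VM_READ open on csrss.exe is the state the README's steps produce.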

Remarks

  • This driver relies heavily on undocumented kernel internals. Although it does not use version-specific code, future versions of Windows may still break it for any number of reasons. If this happens, please submit an issue with your exact kernel version number.
  • It is possible to unprotect the System process, but there is little use for this since all threads in the System process run in kernel mode. Because of this, there are additional checks besides process protection to prevent attaching a debugger to PID 4. If you want to debug the kernel, use a kernel debugger. If you want to view detailed information on the System process, such as kernel thread stacks, there are better alternatives such as Process Hacker that do not require removing process protection.

pplkiller's People

Contributors: gh-rake, mattiwatti, msmania

pplkiller's Issues

ERROR 1275

Hello,
I have followed the steps you indicate, and I find a problem.

When I try to start the service, I receive a 1275 error. I'm testing on Windows 10 x64 build 1607, and also on Windows 7 x64, and on both it is the same problem.

I'm in test mode.

Can you think of what it is due to? I have not modified anything; I have only compiled from Visual Studio 2015.

Thanks

Cannot Test Sign the Driver

I added /debug to command line of Driver Signing.

Here is what I get

1>------ Build started: Project: PPLKiller, Configuration: Debug x64 ------
1>Building 'PPLKiller' with toolset 'WindowsKernelModeDriver10.0' and the 'Desktop' target platform.
1>PPLKiller.vcxproj -> C:\Users\Igor\Tools\PPLKiller-master\bin\pplkiller.sys
1>
1>The following certificates were considered:
1>SIGNTASK : SignTool error : No certificates were found that met all the given criteria.
1>    Issued to: 83410C25-192B-4952-B63B-D89C5F2C6AD6
1>
1>    Issued by: Apple iPhone Device CA
1>
1>    Expires:   Thu Oct 26 04:38:38 2017
1>
1>    SHA1 hash: 9B1D9443CDEACADF3C2BAE1F9841AB4435298927
1>
1>
1>    Issued to: WDKTestCert Igor,131657141306330865
1>
1>    Issued by: WDKTestCert Igor,131657141306330865
1>
1>    Expires:   Wed Mar 15 20:00:00 2028
1>
1>    SHA1 hash: 1F326A338F1C73EFB0CBA345205044CAAD69931E
1>
1>
1>After EKU filter, 1 certs were left.
1>After expiry filter, 1 certs were left.
1>After Hash filter, 1 certs were left.
1>After Private Key filter, 0 certs were left.
1>Done building project "PPLKiller.vcxproj" -- FAILED.
========== Build: 0 succeeded, 1 failed, 0 up-to-date, 0 skipped ==========

I guess the error is from the Apple iPhone Device CA. I assume that comes from another tool which I used to jailbreak an Apple iPhone.

WDK and SDK mismatch

I downloaded and installed the VS 2019 preview and the WDK there after. I loaded the solution then ran into an error saying that the WDK version 10.0.17763.0 is not available.

The WDK version is in fact 10.0.17763.1 and the solution wants 10.0.17763.0 ... any idea of how to work around this problem? Any way to relax version requirements in the solution to handle this situation?

I can't compile

I installed the provided WDK alongside C++ in Visual Studio, but when I open the project it has 250+ errors and I can't compile.

  • help
  • thanks, help

undefined PROCESS_MITIGATION policies

I am getting

PROCESS_MITIGATION_SYSTEM_CALL_FILTER_POLICY SystemCallFilterPolicy;
PROCESS_MITIGATION_PAYLOAD_RESTRICTION_POLICY PayloadRestrictionPolicy;
PROCESS_MITIGATION_CHILD_PROCESS_POLICY ChildProcessPolicy;

these structs as undefined. Just wondered if it is safe to comment them out, as I got a BSOD after doing that, but I am not sure if that could have anything to do with it.

contact

Hi. Do you have an email address? Thank you.

error : Unable to read the project file "PPLKiller.vcxproj"

Win10 x64, Visual Studio 2017, latest WDK. Can't open the solution.

C:\Program Files (x86)\Windows Kits\10\build\WindowsDriver.KernelMode.Default.props(15,11): A numeric comparison was attempted on "$(_NT_TARGET_VERSION)" that evaluates to "" instead of a number, in condition "$(_NT_TARGET_VERSION) >= $(_NT_TARGET_VERSION_WIN10)".

help

could you add support to remove this please? I'm referring to Secure (IUM)


restoring ppl

Hi, very nice project. I'm wondering if, after killing PPL, it's possible to restore it? If yes, how can I do that?
Thanks

Windows cannot verify the digital signature for this file. (Fresh dev environment)

The certificate shows as valid, but I get this failure message: "[SC] StartService FAILED 577:"

Certificate was installed as Root level trust (Local Machine)
C++ Standard: Latest Preview
Toolset: WindowsKernelModeDriver10.0

Steps to reproduce:

  1. Setup clean environment on Hyper-V Windows 10 Enterprise, VS Community 2019
  2. Install WSDK and WDK
  3. Run "bcdedit /set testsigning on" as Admin (Success)
  4. Reboot
  5. Run "sc create pplkiller binPath= System32\drivers\pplkiller.sys type= kernel" (Success)
  6. Run "sc start pplkiller" (Error)

Question regarding PatchGuard check

Hi,

You mentioned that starting with 10.0.18362.0, PatchGuard will check protection level integrity on system processes. Can you give me a bit of insight on how the kernel does this? Does it have to do with PEAuth.sys? Some references to the code that causes the bugcheck would be very much appreciated!

Thank you in advance!

Hello

Just wondering where you are my friend :)

error 1168 on windows 1903

On Windows 1903 I encounter error 1168 when trying to load the driver.
Probably MSFT changed something again :'(

[SC] StartService ERROR 1168: Element not found.

I did everything listed here, but it tells me the service was not found when trying sc start pplkiller or net sc start.
The weird thing is that e.g. sc GetKeyName or other calls are working; I didn't change the name of the service or anything.
Trying to start the service with ProcessHacker gives me the same error.
