Friday, September 20, 2024

PPLcontrol – Controlling Windows PP(L)s

This tool allows you to list protected processes, get the protection level of a specific process, or set an arbitrary protection level. For more information, you can read this blog post: Debugging Protected Processes.

Usage

1. Download the MSI driver

You can get a copy of the MSI driver RTCore64.sys here: PPLKiller/driver.

2. Install the MSI driver

Disclaimer: it goes without saying that you should never install this driver on your host machine. Use a VM!

sc.exe create RTCore64 type= kernel start= auto binPath= C:\PATH\TO\RTCore64.sys DisplayName= "Micro - Star MSI Afterburner"
net start RTCore64

3. Use PPLcontrol

List protected processes.

Get the protection level of a specific process.

Set an arbitrary protection level.

PPLcontrol.exe set 1234 PPL WinTcb

Protect a non-protected process with an arbitrary protection level. This will also automatically adjust the signature levels accordingly.

PPLcontrol.exe protect 1234 PPL WinTcb

Unprotect a protected process. This will set the protection level to 0 (i.e. None) and the EXE/DLL signature levels to 0 (i.e. Unchecked).

PPLcontrol.exe unprotect 1234

4. Uninstall the driver

net stop RTCore64
sc.exe delete RTCore64
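From the defender's side, the install step above leaves two traces: a System log 7045 event (a service was installed) naming the kernel driver, and, with command-line auditing enabled, a Security log 4688 event for the sc.exe create / net start commands. The following is an added example (not part of PPLcontrol) that runs simple detection logic over constructed sample records; the field names are simplified stand-ins for the real event XML fields, and the indicators (driver file name, service name, DisplayName) are the ones the install commands above use.

```python
"""Detection of the RTCore64.sys install step from Windows event records.

Added example for this README (not part of PPLcontrol). The records below are
constructed for the demo and use simplified field names; real 7045 and 4688
events carry the same information under their own field names.
"""
import re

# Constructed sample records (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "RTCore64", "ServiceType": "kernel mode driver",
     "StartType": "auto start", "ImagePath": r"C:\Temp\RTCore64.sys"},
    {"EventID": 7045, "ServiceName": "Spooler", "ServiceType": "user mode service",
     "StartType": "auto start", "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\sc.exe",
     "CommandLine": 'sc.exe create RTCore64 type= kernel start= auto '
                    'binPath= C:\\Temp\\RTCore64.sys DisplayName= "Micro - Star MSI Afterburner"'},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\net.exe",
     "CommandLine": "net start RTCore64"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\sc.exe",
     "CommandLine": "sc.exe query Spooler"},
]

# Indicators taken from the README's install commands; extend with other drivers you track.
KNOWN_DRIVER_FILES = {"rtcore64.sys"}
KNOWN_SERVICE_NAMES = {"rtcore64"}
KNOWN_DISPLAY_NAMES = {"micro - star msi afterburner"}


def _basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of either slash style."""
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()


def _under_system_root(path: str, system_root: str = r"C:\Windows") -> bool:
    """True when the path lies below the Windows directory (case-insensitive)."""
    p = path.replace("/", "\\").lower()
    root = system_root.replace("/", "\\").lower().rstrip("\\") + "\\"
    return p.startswith(root)


def check_event(ev: dict) -> list:
    """Return the reasons an event is interesting (an empty list means benign)."""
    reasons = []
    if ev.get("EventID") == 7045:
        image = ev.get("ImagePath", "")
        if _basename(image) in KNOWN_DRIVER_FILES:
            reasons.append(f"known vulnerable driver installed: {image}")
        if ev.get("ServiceName", "").lower() in KNOWN_SERVICE_NAMES:
            reasons.append(f"known service name: {ev['ServiceName']}")
        if "kernel" in ev.get("ServiceType", "").lower() and not _under_system_root(image):
            reasons.append(f"kernel driver loaded from outside the Windows directory: {image}")
    elif ev.get("EventID") == 4688:
        cmd = ev.get("CommandLine", "")
        low = cmd.lower()
        if re.search(r"\bsc(?:\.exe)?\s+create\b", low):
            m = re.search(r"\bbinpath=\s*(\S+)", low)  # sc.exe syntax: "binPath= <path>"
            target = m.group(1) if m else ""
            if _basename(target) in KNOWN_DRIVER_FILES:
                reasons.append(f"sc create with known vulnerable driver: {cmd}")
            elif re.search(r"\btype=\s*kernel\b", low) and target and not _under_system_root(target):
                reasons.append(f"sc create of a kernel service outside the Windows directory: {cmd}")
            if any(name in low for name in KNOWN_DISPLAY_NAMES):
                reasons.append("DisplayName matches the one used in the README install command")
        m = re.search(r"\bnet(?:\.exe)?\s+start\s+(\S+)", low)
        if m and m.group(1) in KNOWN_SERVICE_NAMES:
            reasons.append(f"known service started: {cmd}")
    return reasons


def scan(events: list) -> list:
    """Run check_event over a list of records and keep only the hits as (EventID, reasons)."""
    return [(ev["EventID"], r) for ev in events if (r := check_event(ev))]


if __name__ == "__main__":
    for event_id, reasons in scan(SAMPLE_EVENTS):
        print(event_id, "; ".join(reasons))
```

The third 7045 check (a kernel-mode service whose image sits outside the Windows directory) is the generic version of the same idea and also catches drivers that are not on a name list yet; tune the system root for hosts where Windows is not installed on C:.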

Use cases

Debugging a protected process with WinDbg

WinDbg just needs to open the target process, so you can use PPLcontrol to set an arbitrary protection level on your windbg.exe process.

  1. Get the PID of the windbg.exe process.
  2. Use PPLcontrol to set an arbitrary protection level.

C:\Temp>tasklist | findstr /i windbg
windbg.exe 1232 Console 1 24,840 K
C:\Temp>PPLcontrol.exe protect 1232 PPL WinTcb
[+] The Protection 'PPL-WinTcb' was set on the process with PID 1232, previous protection was: 'None-None'.
[+] The Signature level 'WindowsTcb' and the Section signature level 'Windows' were set on the process with PID 1232.

Inspecting a protected process with API Monitor

In addition to opening the target process, API Monitor injects a DLL into it. Therefore, setting an arbitrary protection level on your apimonitor.exe process will not suffice. Since the injected DLL is not properly signed for this purpose, the Section signature flag of the target process will likely prevent it from being loaded. However, you can temporarily disable the protection on the target process, start monitoring it, and restore the protection right after.

Failed to load module in target process - Error: 577, Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
  1. Get the PID of the target process.
  2. Use PPLcontrol to get the protection level of the target process.
  3. Unprotect the process.
  4. Start monitoring the process with API Monitor.
  5. Restore the protection of the target process.
C:\Temp>tasklist | findstr /i target
target.exe 1337 Services 1 14,160 K
C:\Temp>PPLcontrol.exe get 1337
[+] The process with PID 1337 is a PPL with the Signer type 'WinTcb' (6).
C:\Temp>PPLcontrol.exe unprotect 1337
[+] The process with PID 1337 is no longer a PP(L).

C:\Temp>PPLcontrol.exe protect 1337 PPL WinTcb
[+] The Protection 'PPL-WinTcb' was set on the process with PID 1337, previous protection was: 'None-None'.
[+] The Signature level 'WindowsTcb' and the Section signature level 'Windows' were set on the process with PID 1337.
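Both use cases (WinDbg and API Monitor) leave a visible anomaly while they run: a process that is not a Windows binary carries a PPL-WinTcb protection, or a process that should be protected temporarily is not. The following added audit script is not part of PPLcontrol; it reads each process's protection level with the same PS_PROTECTION encoding the tool's output uses ('PPL-WinTcb', Signer 'WinTcb' (6)) and flags PP(L) processes whose image lives outside the Windows directory. Assumptions not taken from this README: ProcessProtectionInformation is NtQueryInformationProcess class 61 and returns one byte laid out as Type (bits 0-2), Audit (bit 3), Signer (bits 4-7), as described in Windows Internals; PROCESS_QUERY_LIMITED_INFORMATION is sufficient to open a protected process for this query. The decoding and the heuristic are pure Python; only audit_all() needs Windows.

```python
"""Audit the protection level of running processes (added example, not PPLcontrol's code).

Assumptions (not from the README): NtQueryInformationProcess class 61
(ProcessProtectionInformation) returns a single PS_PROTECTION byte:
Type in bits 0-2, Audit in bit 3, Signer in bits 4-7 (Windows Internals).
"""
import ctypes
import os
import sys

PROTECTION_TYPES = {0: "None", 1: "PPL", 2: "PP"}
SIGNERS = {0: "None", 1: "Authenticode", 2: "CodeGen", 3: "Antimalware",
           4: "Lsa", 5: "Windows", 6: "WinTcb", 7: "WinSystem", 8: "App"}
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000  # allowed on PP(L)s from an unprotected caller
PROCESS_PROTECTION_INFORMATION = 61       # assumed class number, see docstring


def decode_protection(level: int) -> tuple:
    """Split a PS_PROTECTION byte into (type name, signer name); 0x61 -> ('PPL', 'WinTcb')."""
    ptype = PROTECTION_TYPES.get(level & 0x7, f"Unknown({level & 0x7})")
    signer = SIGNERS.get(level >> 4, f"Unknown({level >> 4})")
    return ptype, signer


def _under_dir(path: str, directory: str) -> bool:
    """Case-insensitive 'path is below directory' check that works with either slash style."""
    p = path.replace("/", "\\").lower()
    d = directory.replace("/", "\\").lower().rstrip("\\") + "\\"
    return p.startswith(d)


def is_suspicious(level: int, image_path: str, system_root: str = r"C:\Windows") -> bool:
    """Heuristic: a PP(L) with a Windows/WinTcb/WinSystem signer whose image is not under the
    Windows directory. Third-party AV legitimately runs as PPL-Antimalware from Program Files,
    so that signer is deliberately not flagged."""
    ptype, signer = decode_protection(level)
    if ptype == "None" or signer not in ("Windows", "WinTcb", "WinSystem"):
        return False
    return not _under_dir(image_path, system_root)


def _windows_api():
    """Bind the few Win32/NT functions the audit needs (Windows only)."""
    import ctypes.wintypes as wt
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    ntdll = ctypes.WinDLL("ntdll")
    psapi = ctypes.WinDLL("psapi")
    k32.OpenProcess.restype = wt.HANDLE
    k32.OpenProcess.argtypes = [wt.DWORD, wt.BOOL, wt.DWORD]
    k32.CloseHandle.argtypes = [wt.HANDLE]
    k32.QueryFullProcessImageNameW.argtypes = [wt.HANDLE, wt.DWORD, wt.LPWSTR, ctypes.POINTER(wt.DWORD)]
    ntdll.NtQueryInformationProcess.restype = ctypes.c_long  # NTSTATUS
    ntdll.NtQueryInformationProcess.argtypes = [wt.HANDLE, ctypes.c_int, ctypes.c_void_p,
                                                wt.ULONG, ctypes.POINTER(wt.ULONG)]
    return k32, ntdll, psapi, wt


def query_process(pid: int):
    """Return (PS_PROTECTION byte, image path) for one PID, or None if it cannot be queried."""
    k32, ntdll, _, wt = _windows_api()
    handle = k32.OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, False, pid)
    if not handle:
        return None
    try:
        level = ctypes.c_ubyte(0)
        returned = wt.ULONG(0)
        status = ntdll.NtQueryInformationProcess(handle, PROCESS_PROTECTION_INFORMATION,
                                                 ctypes.byref(level), ctypes.sizeof(level),
                                                 ctypes.byref(returned))
        if status != 0:
            return None
        buf = ctypes.create_unicode_buffer(1024)
        size = wt.DWORD(len(buf))
        path = buf.value if k32.QueryFullProcessImageNameW(handle, 0, buf, ctypes.byref(size)) else ""
        return level.value, path
    finally:
        k32.CloseHandle(handle)


def audit_all():
    """Print every protected process and mark the ones the heuristic considers unexpected."""
    _, _, psapi, wt = _windows_api()
    pids = (wt.DWORD * 8192)()
    needed = wt.DWORD(0)
    psapi.EnumProcesses(pids, ctypes.sizeof(pids), ctypes.byref(needed))
    system_root = os.environ.get("SystemRoot", r"C:\Windows")
    for pid in pids[: needed.value // ctypes.sizeof(wt.DWORD)]:
        info = query_process(pid)
        if info is None or info[0] == 0:
            continue
        level, path = info
        ptype, signer = decode_protection(level)
        flag = "  <-- unexpected" if is_suspicious(level, path, system_root) else ""
        print(f"{pid:>6}  {ptype}-{signer:<12} {path}{flag}")


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("audit_all() needs Windows; decode_protection/is_suspicious work anywhere")
    audit_all()
```

Run it as an administrator in the VM before and after a PPLcontrol session: a windbg.exe or apimonitor.exe at PPL-WinTcb shows up as unexpected, and a target that was unprotected and not restored simply drops out of the list, which is the check to make after step 5 above.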

Build

  1. Open the solution in Visual Studio.
  2. Select Release/x64 (x86 is not supported and will probably never be).
  3. Build solution

Credits


