This tool allows you to list protected processes, get the protection level of a specific process, or set an arbitrary protection level. For more information, you can read this blog post: Debugging Protected Processes.
Usage
1. Download the MSI driver
You can get a copy of the MSI driver RTCore64.sys here: PPLKiller/driver.
2. Install the MSI driver
Disclaimer: it goes without saying that you should never install this driver on your host machine. Use a VM!
sc.exe create RTCore64 type= kernel start= auto binPath= C:\PATH\TO\RTCore64.sys DisplayName= "Micro - Star MSI Afterburner"
net start RTCore64
3. Use PPLcontrol
List protected processes.
Get the protection level of a specific process.
Set an arbitrary protection level.
PPLcontrol.exe set 1234 PPL WinTcb
Protect a non-protected process with an arbitrary protection level. This will also automatically adjust the signature levels accordingly.
PPLcontrol.exe protect 1234 PPL WinTcb
Unprotect a protected process. This will set the protection level to 0 (i.e. None) and the EXE/DLL signature levels to 0 (i.e. Unchecked).
PPLcontrol.exe unprotect 1234
4. Uninstall the driver
net stop RTCore64
sc.exe delete RTCore64
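The defensive counterpart to the four steps above, added here as an example that is not part of PPLcontrol: a small Python checker that runs over constructed, flattened Security 4697 / Sysmon 6 / Sysmon 1 log lines and flags each stage the procedure produces, namely a kernel service created for RTCore64.sys, the driver being loaded, and a PPLcontrol set/protect/unprotect command. The key=value flattening and the sample events are assumptions made for this example.

```python
import re

# Constructed sample events (not real telemetry). Each line flattens one Windows event into
# key=value pairs: Security 4697 (service installed), Sysmon 6 (driver loaded), Sysmon 1
# (process created). The field names mirror those event schemas; the flattening is assumed.
SAMPLE_EVENTS = [
    "EID=4697 ServiceName=RTCore64 ServiceFileName=C:\\Temp\\RTCore64.sys ServiceType=0x1 StartType=2",
    "EID=6 ImageLoaded=C:\\Temp\\RTCore64.sys Signature=Micro-Star International Co., Ltd. Signed=true",
    "EID=1 Image=C:\\Temp\\PPLcontrol.exe CommandLine=PPLcontrol.exe protect 1232 PPL WinTcb",
    "EID=1 Image=C:\\Windows\\System32\\notepad.exe CommandLine=notepad.exe C:\\Temp\\notes.txt",
    "EID=4697 ServiceName=Spooler ServiceFileName=C:\\Windows\\System32\\spoolsv.exe ServiceType=0x10 StartType=2",
]

# Values may contain spaces (CommandLine, Signature), so a value runs until the next " key=".
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
# The driver the README installs. Matching on the file name is a weak signal, since the file
# and the service can be renamed; a production rule should key on the driver's hash or signer.
DRIVER_RE = re.compile(r"rtcore64\.sys$", re.IGNORECASE)
# The PPLcontrol verbs from the README that change a process's protection level.
PPL_CMD_RE = re.compile(r"\bpplcontrol(?:\.exe)?\s+(?:set|protect|unprotect)\b", re.IGNORECASE)


def parse_event(line):
    """Turn one flattened event line into a dict of its fields."""
    return {key: value for key, value in FIELD_RE.findall(line)}


def classify(event):
    """Return a finding if the event matches one stage of the PPLcontrol workflow, else None."""
    eid = event.get("EID")
    # ServiceType 0x1 is SERVICE_KERNEL_DRIVER, i.e. the 'sc.exe create ... type= kernel' step.
    if (eid == "4697" and event.get("ServiceType") == "0x1"
            and DRIVER_RE.search(event.get("ServiceFileName", ""))):
        return "kernel service created for vulnerable MSI driver RTCore64.sys"
    if eid == "6" and DRIVER_RE.search(event.get("ImageLoaded", "")):
        return "vulnerable MSI driver RTCore64.sys loaded"
    if eid == "1" and PPL_CMD_RE.search(event.get("CommandLine", "")):
        return "PPLcontrol used to change a process protection level"
    return None


def detect(lines):
    """Return (line index, finding) for every event that matches a rule."""
    findings = []
    for index, line in enumerate(lines):
        finding = classify(parse_event(line))
        if finding:
            findings.append((index, finding))
    return findings


if __name__ == "__main__":
    for index, finding in detect(SAMPLE_EVENTS):
        print(f"line {index}: {finding}")
```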
Use cases
Debugging a protected process with WinDbg
WinDbg just needs to open the target process, so you can use PPLcontrol to set an arbitrary protection level on your windbg.exe process.
- Get the PID of the windbg.exe process.
- Use PPLcontrol to set an arbitrary protection level.
C:\Temp>tasklist | findstr /i windbg
windbg.exe 1232 Console 1 24,840 K
C:\Temp>PPLcontrol.exe protect 1232 PPL WinTcb
[+] The Protection 'PPL-WinTcb' was set on the process with PID 1232, previous protection was: 'None-None'.
[+] The Signature level 'WindowsTcb' and the Section signature level 'Windows' were set on the process with PID 1232.
Inspecting a protected process with API Monitor
In addition to opening the target process, API Monitor injects a DLL into it. Therefore, setting an arbitrary protection level on your apimonitor.exe process won't suffice. Since the injected DLL isn't properly signed for this purpose, the Section signature flag of the target process will likely prevent it from being loaded. However, you can temporarily disable the protection on the target process, start monitoring it, and restore the protection right after.
Failed to load module in target process - Error: 577, Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
- Get the PID of the target process.
- Use PPLcontrol to get the protection level of the target process.
- Unprotect the process.
- Start monitoring the process with API Monitor.
- Restore the protection of the target process.
C:\Temp>tasklist | findstr /i target
target.exe 1337 Services 1 14,160 K
C:\Temp>PPLcontrol.exe get 1337
[+] The process with PID 1337 is a PPL with the Signer type 'WinTcb' (6).
C:\Temp>PPLcontrol.exe unprotect 1337
[+] The process with PID 1337 is no longer a PP(L).
C:\Temp>PPLcontrol.exe protect 1337 PPL WinTcb
[+] The Protection 'PPL-WinTcb' was set on the process with PID 1337, previous protection was: 'None-None'.
[+] The Signature level 'WindowsTcb' and the Section signature level 'Windows' were set on the process with PID 1337.
Build
- Open the solution in Visual Studio.
- Select Release/x64 (x86 is not supported and will probably never be).
- Build the solution.
Credits