PPLGuard

By Gabriel Landau at Elastic Security.

Update 2023-07-29 Microsoft has since patched both of these vulnerabilities. You can read more about the LPE patch here and the token nerfing patch here.

Introduction

PPLGuard is a proof of concept tool that can mitigate two currently-unpatched Windows security flaws which pose threats to Protected Process Light (PPL) processes, such as AntiMalware services. To apply these mitigations, PPLGuard exploits an unpatched Windows local privilege escalation vulnerability to execute code with WinTcb Protected Process (PP) privileges.

Mitigating Admin->PP local privilege escalation

PPLGuard can close the same Admin -> PP privilege escalation vulnerability that it exploits. It does so by using the WinTcb privileges to apply a GENERIC_WRITE DENY ACL to \KnownDlls and \KnownDlls32, breaking a critical step in the exploit. You can think of it like sudo chmod 555 \KnownDlls, with an elaborate sudo.

See this article for more information about this attack and mitigation.
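The following PowerShell script is an added example and is not part of PPLGuard or PPLDump. It lets an administrator verify, from an elevated prompt, whether the KnownDlls hardening described above is currently in effect: it opens the \KnownDlls and \KnownDlls32 object-manager directories with READ_CONTROL, reads their DACLs, and reports any access-denied ACEs that cover write or create access. The P/Invoke declarations are the documented ntdll/advapi32 signatures; the one assumption is the mask check: the kernel may store a GENERIC_WRITE deny after mapping it to the directory-specific rights DIRECTORY_CREATE_OBJECT and DIRECTORY_CREATE_SUBDIRECTORY, so the script accepts either form.

```powershell
# Added example (not PPLGuard's code): report deny ACEs on the \KnownDlls directories.
# Requires Windows and an elevated prompt; reads only, changes nothing.

Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;

public static class ObjNative
{
    [StructLayout(LayoutKind.Sequential)]
    public struct UNICODE_STRING { public ushort Length; public ushort MaximumLength; public IntPtr Buffer; }

    [StructLayout(LayoutKind.Sequential)]
    public struct OBJECT_ATTRIBUTES
    {
        public int Length; public IntPtr RootDirectory; public IntPtr ObjectName;
        public uint Attributes; public IntPtr SecurityDescriptor; public IntPtr SecurityQualityOfService;
    }

    [DllImport("ntdll.dll")]
    public static extern int NtOpenDirectoryObject(out IntPtr DirectoryHandle, uint DesiredAccess, ref OBJECT_ATTRIBUTES ObjectAttributes);

    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool GetKernelObjectSecurity(IntPtr Handle, uint RequestedInformation, byte[] pSecurityDescriptor, uint nLength, out uint lpnLengthNeeded);

    [DllImport("kernel32.dll")]
    public static extern bool CloseHandle(IntPtr hObject);

    public const uint READ_CONTROL = 0x00020000;
    public const uint DACL_SECURITY_INFORMATION = 0x00000004;

    // Open an object-manager directory (e.g. "\KnownDlls") with READ_CONTROL only.
    public static IntPtr OpenDirectory(string ntPath)
    {
        UNICODE_STRING us = new UNICODE_STRING();
        us.Buffer = Marshal.StringToHGlobalUni(ntPath);
        us.Length = (ushort)(ntPath.Length * 2);
        us.MaximumLength = (ushort)(us.Length + 2);
        IntPtr pUs = Marshal.AllocHGlobal(Marshal.SizeOf(us));
        Marshal.StructureToPtr(us, pUs, false);

        OBJECT_ATTRIBUTES oa = new OBJECT_ATTRIBUTES();
        oa.Length = Marshal.SizeOf(oa);
        oa.ObjectName = pUs;
        oa.Attributes = 0x40; // OBJ_CASE_INSENSITIVE

        IntPtr h;
        int status = NtOpenDirectoryObject(out h, READ_CONTROL, ref oa);
        Marshal.FreeHGlobal(pUs);
        Marshal.FreeHGlobal(us.Buffer);
        if (status != 0)
            throw new Exception(String.Format("NtOpenDirectoryObject({0}) failed: 0x{1:X8}", ntPath, status));
        return h;
    }

    // Return the object's DACL as a self-relative security descriptor.
    public static byte[] GetDacl(IntPtr h)
    {
        uint needed;
        GetKernelObjectSecurity(h, DACL_SECURITY_INFORMATION, null, 0, out needed); // size query
        byte[] buf = new byte[needed];
        if (!GetKernelObjectSecurity(h, DACL_SECURITY_INFORMATION, buf, needed, out needed))
            throw new Exception("GetKernelObjectSecurity failed: " + Marshal.GetLastWin32Error());
        return buf;
    }
}
"@

# Assumption: a GENERIC_WRITE deny may be stored either as the generic bit or mapped to
# the directory-specific create rights, so both forms count as "write denied".
$GENERIC_WRITE                 = 0x40000000
$DIRECTORY_CREATE_OBJECT       = 0x00000004
$DIRECTORY_CREATE_SUBDIRECTORY = 0x00000008
$WriteMask = $GENERIC_WRITE -bor $DIRECTORY_CREATE_OBJECT -bor $DIRECTORY_CREATE_SUBDIRECTORY

function Test-KnownDllsHardened {
    param([Parameter(Mandatory)][string]$NtPath)

    $h = [ObjNative]::OpenDirectory($NtPath)
    try   { $sdBytes = [ObjNative]::GetDacl($h) }
    finally { [void][ObjNative]::CloseHandle($h) }

    # .NET parses the self-relative descriptor; walk its DACL for deny ACEs covering write.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sdBytes, 0)
    $denies = @(
        foreach ($ace in $sd.DiscretionaryAcl) {
            if ($ace -is [System.Security.AccessControl.CommonAce] -and
                $ace.AceType -eq [System.Security.AccessControl.AceType]::AccessDenied -and
                ($ace.AccessMask -band $WriteMask) -ne 0) { $ace }
        }
    )

    [pscustomobject]@{
        Path     = $NtPath
        Hardened = ($denies.Count -gt 0)
        DenyAces = @($denies | ForEach-Object { '{0} denied 0x{1:X8}' -f $_.SecurityIdentifier.Value, $_.AccessMask })
    }
}

'\KnownDlls', '\KnownDlls32' | ForEach-Object { Test-KnownDllsHardened $_ } | Format-List
```

Because the tool's own help text states that the mitigation holds only until reboot, this check is useful as a post-boot health check rather than a one-time confirmation; an unhardened result after a restart simply means PPLGuard has not been re-run yet.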

Protecting AntiMalware services against token nerfing attacks

PPLGuard can also harden AntiMalware PPL processes against token nerfing attacks by adding an AntiMalware trust label to their tokens. This trust label prevents modification of the token by non-PPL processes. Adding this trust label requires execution as PPL, so PPLGuard employs the aforementioned WinTcb exploit.

See this article for more information about this attack and mitigation.

This is a proof of concept. Use it at your own risk.

This project is based heavily on PPLDump, with permission from the author.

Usage

Compile the PPLGuard.sln with Visual Studio 2019 or download a precompiled release.

Run the executable with -h to get a detailed help/usage.

C:\git\PPLGuard\x64\Release>PPLGuard.exe -h
    ____  ____  __    ______                     __
   / __ \/ __ \/ /   / ____/_  ______ __________/ /
  / /_/ / /_/ / /   / / __/ / / / __ `/ ___/ __  /
 / ____/ ____/ /___/ /_/ / /_/ / /_/ / /  / /_/ /
/_/   /_/   /_____/\____/\__,_/\__,_/_/   \__,_/

version 0.2 by @gabriellandau
based on PPLDump by 0.4 by @itm4n

Description:
  Use a userland Admin -> PP exploit to mitigate itself until reboot.

Usage:
  PPLGuard.exe [-v] [-d] [-f] [-a]

Options:
  -v         (Verbose) Enable verbose mode
  -d         (Debug) Enable debug mode (implies verbose)
  -f         (Force) Bypass DefineDosDevice error check
  -a         (AntiMalware) Instead of hardening KnownDlls, harden the tokens of AntiMalware processes

Examples:
  PPLGuard.exe
  PPLGuard.exe -d

Running the tool disables the exploit, so running it twice results in an error. This means that if you intend to mitigate both of these vulnerabilities, you must apply the AntiMalware (-a) one first.

C:\git\PPLGuard\x64\Release>PPLGuard.exe
[+] Hardening operation successful! :)

C:\git\PPLGuard\x64\Release>PPLGuard.exe
[-] DefineDosDevice failed with error code 5 - Access is denied.

Credits
