PPLGuard

PPLGuard is a proof of concept tool that can mitigate two currently-unpatched Windows security flaws which pose threats to Protected Process Light (PPL) processes, such as AntiMalware services. To apply these mitigations, PPLGuard exploits an unpatched Windows local privilege escalation vulnerability to execute code with WinTcb Protected Process (PP) privileges.

Mitigating Admin->PP local privilege escalation

PPLGuard can close the same Admin -> PP privilege escalation vulnerability that it exploits. It does so by using the WinTcb privileges to apply a GENERIC_WRITE DENY ACL to \KnownDlls and \KnownDlls32, breaking a critical step in the exploit. You can think of it like sudo chmod 555 \KnownDlls, with an elaborate sudo.

See this article for more information about this attack and mitigation.

Protecting AntiMalware services against token nerfing attacks

PPLGuard can also harden AntiMalware PPL processes against token nerfing attacks by adding an AntiMalware trust label to their tokens. This trust label prevents modification of the token by non-PPL processes. Adding this trust label requires execution as PPL, so PPLGuard employs the aforementioned WinTcb exploit.

See this article for more information about this attack and mitigation.

This is a proof of concept. Use it at your own risk.

This project is based heavily on PPLDump, with permission from the author.

Usage

Compile the PPLGuard.sln with Visual Studio 2019 or download a precompiled release.

Run the executable with -h to get a detailed help/usage.

C:\git\PPLGuard\x64\Release>PPLGuard.exe -h
    ____  ____  __    ______                     __
   / __ \/ __ \/ /   / ____/_  ______ __________/ /
  / /_/ / /_/ / /   / / __/ / / / __ `/ ___/ __  /
 / ____/ ____/ /___/ /_/ / /_/ / /_/ / /  / /_/ /
/_/   /_/   /_____/\____/\__,_/\__,_/_/   \__,_/

version 0.2 by @gabriellandau
based on PPLDump by 0.4 by @itm4n

Description:
  Use a userland Admin -> PP exploit to mitigate itself until reboot.

Usage:
  PPLGuard.exe [-v] [-d] [-f] [-a]

Options:
  -v         (Verbose) Enable verbose mode
  -d         (Debug) Enable debug mode (implies verbose)
  -f         (Force) Bypass DefineDosDevice error check
  -a         (AntiMalware) Instead of hardening KnownDlls, harden the tokens of AntiMalware processes

Examples:
  PPLGuard.exe
  PPLGuard.exe -d

Running the tool disables the exploit, so running it twice results in an error. This means that if you intend to mitigate both of these vulnerabilities, you must apply the AntiMalware (-a) one first.

C:\git\PPLGuard\x64\Release>PPLGuard.exe
[+] Hardening operation successful! :)

C:\git\PPLGuard\x64\Release>PPLGuard.exe
[-] DefineDosDevice failed with error code 5 - Access is denied.
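To confirm that both mitigations described above (the deny ACL on \KnownDlls and \KnownDlls32, and the trust label on AntiMalware PPL tokens) are actually in place on a host, here is an added PowerShell check that is not part of PPLGuard or PPLDump. It assumes an elevated session and James Forshaw's third-party NtObjectManager module; the cmdlet and property names it uses (Get-NtDirectory, Get-NtAccessMask, NtToken.TrustLevel, PsProtection.Type/Signer) are assumptions about that module's current API.

```powershell
# Added verification helper, not part of PPLGuard. Assumes an elevated PowerShell
# session and the NtObjectManager module (Install-Module NtObjectManager).
Import-Module NtObjectManager

# Mitigation 1: does the \KnownDlls (or \KnownDlls32) object directory carry a deny ACE?
function Test-KnownDllsHardened {
    param([string]$Path = '\KnownDlls')
    # READ_CONTROL is enough to read the DACL; no write access is requested.
    $dir = Get-NtDirectory -Path $Path -Access ReadControl
    try {
        $deny = @($dir.SecurityDescriptor.Dacl | Where-Object { $_.Type -eq 'Denied' })
        foreach ($ace in $deny) {
            # Translate the raw mask into directory-object rights for display
            # (the kernel may store the generic-mapped form of GENERIC_WRITE).
            $rights = Get-NtAccessMask -AccessMask $ace.Mask -ToSpecificAccess Directory
            Write-Output ("{0}: DENY {1} to {2}" -f $Path, $rights, $ace.Sid.Name)
        }
        return $deny.Count -gt 0
    } finally { $dir.Dispose() }
}

# Mitigation 2: list AntiMalware PPL processes and the trust level SID on their tokens.
# A token with no trust level can still be modified by non-PPL callers (token nerfing).
function Get-AntiMalwareTokenTrust {
    Get-NtProcess -Access QueryLimitedInformation | Where-Object {
        $_.Protection.Type -eq 'ProtectedLight' -and $_.Protection.Signer -eq 'Antimalware'
    } | ForEach-Object {
        $tok = Get-NtToken -ProcessId $_.ProcessId -Access Query
        try {
            [pscustomobject]@{
                Pid        = $_.ProcessId
                Name       = $_.Name
                TrustLevel = if ($tok.TrustLevel) { $tok.TrustLevel.ToString() } else { '(none)' }
            }
        } finally { $tok.Dispose(); $_.Dispose() }
    }
}

# Run before and after PPLGuard: expect $false then $true from the directory checks,
# and a trust level SID (S-1-19-...) instead of "(none)" after PPLGuard.exe -a.
Test-KnownDllsHardened '\KnownDlls'
Test-KnownDllsHardened '\KnownDlls32'
Get-AntiMalwareTokenTrust | Format-Table -AutoSize
```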

Credits
