
Mattiwatti / Pplkiller

Licence: gpl-3.0
Protected Processes Light Killer

Projects that are alternatives of or similar to Pplkiller

  • KMAC (31 stars; labels: kernel, driver): Some useful info when reverse engineering Kernel Mode Anti-Cheat
  • pps-gen-gpio (25 stars; labels: kernel, driver): Linux kernel PPS generator using GPIO pins
  • Driver.NET (59 stars; labels: kernel, driver): Lightweight and flexible library to load and communicate with kernel drivers on Windows.
  • windbgtree (94 stars; labels: debugging, kernel): A command tree based on commands and extensions for Windows Kernel Debugging.
  • Winfsp (4,071 stars; labels: driver, kernel): Windows File System Proxy - FUSE for Windows
  • fix-linux-mouse (36 stars; labels: kernel, driver): Hints on how to fix USB mouse issues on Linux
  • pearlfan (20 stars; labels: kernel, driver): GNU/Linux kernel driver and libusb app for a Pearl's USB LED fan
  • Garhal csgo (179 stars; labels: driver, kernel): A project that demonstrates how to screw with CSGO from Kernel Space. (CSGO Kernel Cheat/Hack) All cleaned up, and with updated offsets.
  • Razer Laptop Control (268 stars; labels: driver, kernel): Project to create driver/software to control performance of Razer laptops
  • KDBG (28 stars; labels: kernel, driver): The Windows kernel debugger consists of two parts: KMOD, the kernel driver handling ring 3 requests, and KCLI, the command line interface for the driver. It originated due to insufficient usability of CheatEngine's DBVM driver while debugging games running under certain anti-cheat software.
  • Wmi Static Spoofer (199 stars; labels: driver, kernel): Spoofing the Windows 10 HDD/disk drive serial number from the kernel without hooking
  • Procfs (414 stars; labels: kernel, process): procfs provides functions to retrieve system, kernel and process metrics from the pseudo-filesystem proc.
  • Vulnerable Kext (188 stars; labels: driver, kernel): A WIP "Vulnerable by Design" kext for iOS/macOS to play & learn *OS kernel exploitation
  • w1-gpio-cl (17 stars; labels: kernel, driver): Command line configured kernel mode 1-wire bus master driver. w1-gpio standard Linux module enhancement/substitution.
  • Ksocket (183 stars; labels: driver, kernel): KSOCKET provides a very basic example of how to make network connections in a Windows driver using WSK
  • slabdbg (55 stars; labels: debugging, kernel): GDB plug-in that helps exploiting the Linux kernel's SLUB allocator
  • Pubg Pak Hacker (157 stars; labels: driver, kernel): Use Windows kernel driver hidden file and itself to bypass BE
  • Ioctlbf (170 stars; labels: driver, kernel): Windows Kernel Drivers fuzzer
  • Cat-Driver (41 stars; labels: kernel, driver): CatDriver - a kernel mode driver written in C++. It is a useful driver and has the highest privilege level on the Windows platform. It can be used for game hacking and other purposes.
  • Winspd (335 stars; labels: driver, kernel): Windows Storage Proxy Driver - User mode disk storage

Overview

PPLKiller ('Protected Processes Light killer', not 'people killer') is a kernel mode driver that disables Protected Process Light protection on all running processes.

PPL is a mechanism introduced in Windows 8.1 that transfers many of the security restrictions enjoyed by the System process to user mode processes such as smss.exe and csrss.exe. For example, it is not possible to open a PPL process with PROCESS_VM_READ access, even when running as the Local System user and having debug privileges enabled.

For more info on PPL, read The Evolution of Protected Processes by Alex Ionescu.

While PPL was probably designed with good intentions (and there are uses for it, such as protecting the LSA process from tampering), I mostly find it to be a nuisance that gets in the way of debugging. That's why I wrote this driver that only does one thing: it finds all PPL processes and removes their protection. Non-'light' protected processes (i.e. the System process) remain protected.

PPLKiller works on Windows 8.1 and 10, and does not require disabling Kernel Patch Protection. Update: as of Windows 10.0.18362.0 this is no longer true and running PPLKiller will eventually trigger a PatchGuard bugcheck with the reason "modification of a protected process". Your options for dealing with this are:

  1. Use a kernel debugger (if you are not already using one) in combination with PPLKiller for your debugging work. This works because PatchGuard does not run when a kernel debugger is attached.
  2. Use a tool such as EfiGuard to disable PatchGuard.

Update regarding code signature enforcement

It has been brought to my attention that Windows 10 RS2 ('Redstone 2', 'Creator's Update', Windows 1703, Windows 10.0.15063.0, and other possible names I'm not aware of) has added a new kernel mode verification of the 'binary signature policy' process mitigation type in the EPROCESS structure. This mitigation policy, while not new in itself (it has existed since Windows 8), was previously enforced only in user mode. The new update however makes it impossible to inject any code that is not signed by Microsoft into the same processes that were already 'light'-protected previously. Because this has equally disastrous effects for debugging as process protection, and is done for unjustifiable reasons (unlike other mitigation policies such as DEP, ASLR and CFG, which have a technical basis for their implementation rather than a political one), I have added functionality that will automatically disable this policy on Windows RS2 and later. Older Windows versions are currently passed over for this, unless Microsoft decides to retroactively add the check to older kernels.

Compiling

  1. Install the WDK.
  2. Open the solution file and compile.

Installation

  1. Make sure test signing is enabled (bcdedit /set testsigning on), or alternatively, that you are a millionaire and have a Windows EV signing certificate.
  2. Copy pplkiller.sys to %systemroot%\System32\drivers.
  3. Run sc create pplkiller binPath= System32\drivers\pplkiller.sys type= kernel to install the driver. (Mind the spaces.)

Operation

  1. Run sc start pplkiller to start the driver.
  2. Run sc stop pplkiller to stop the driver, since it doesn't actually do anything after starting.
  3. There should now be no more PPL protected processes. You can verify this by viewing csrss.exe in Process Explorer and checking the "Protected" field of the Security tab.
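To check the "Protected" state that step 3 describes without opening Process Explorer, here is an added audit script (it is not part of PPLKiller): it decodes the one-byte PS_PROTECTION value (Type in bits 0-2, Audit in bit 3, Signer in bits 4-7) into the label Process Explorer displays, and on Windows reads that byte for given PIDs through NtQueryInformationProcess. The PROCESSINFOCLASS value 61 for ProcessProtectionInformation and the field layout are assumed from public kernel research (the same query Process Hacker uses).

```python
import ctypes
import sys

# PS_PROTECTION is a single byte: Type in bits 0-2, Audit in bit 3, Signer in bits 4-7.
PROTECTED_TYPES = {0: "None", 1: "ProtectedLight", 2: "Protected"}
PROTECTED_SIGNERS = {0: "None", 1: "Authenticode", 2: "CodeGen", 3: "Antimalware",
                     4: "Lsa", 5: "Windows", 6: "WinTcb", 7: "WinSystem"}
PROCESS_PROTECTION_INFORMATION = 61      # PROCESSINFOCLASS (assumed; Process Hacker uses it)
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000


def decode_ps_protection(value):
    """Split a PS_PROTECTION byte into fields plus the label Process Explorer shows."""
    ptype, audit, signer = value & 0x7, (value >> 3) & 0x1, (value >> 4) & 0xF
    signer_name = PROTECTED_SIGNERS.get(signer, "Unknown%d" % signer)
    if ptype == 0:
        label = "None"
    else:
        label = "PsProtectedSigner%s-%s" % (signer_name, "Light" if ptype == 1 else "Full")
    return {"type": ptype, "type_name": PROTECTED_TYPES.get(ptype, "Unknown"),
            "audit": audit, "signer": signer, "signer_name": signer_name, "label": label}


def is_ppl(value):
    """True only for 'light' protection, the level PPLKiller strips; full protection is kept."""
    return decode_ps_protection(value)["type"] == 1


def query_process_protection(pid):
    """Windows only: read the raw PS_PROTECTION byte of one PID (limited query rights suffice)."""
    k32, ntdll = ctypes.windll.kernel32, ctypes.windll.ntdll
    handle = k32.OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, False, pid)
    if not handle:
        raise OSError("OpenProcess(%d) failed, error %d" % (pid, k32.GetLastError()))
    try:
        prot = ctypes.c_ubyte(0)
        status = ntdll.NtQueryInformationProcess(handle, PROCESS_PROTECTION_INFORMATION,
                                                 ctypes.byref(prot), ctypes.sizeof(prot), None)
        if status != 0:
            raise OSError("NtQueryInformationProcess failed: NTSTATUS 0x%08X" % (status & 0xFFFFFFFF))
        return prot.value
    finally:
        k32.CloseHandle(handle)


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("Run on Windows and pass the PIDs to audit (e.g. csrss.exe, lsass.exe).")
    for pid in sys.argv[1:]:
        print(pid, decode_ps_protection(query_process_protection(int(pid)))["label"])
```

After PPLKiller has run, csrss.exe should report "None" instead of "PsProtectedSignerWinTcb-Light", while the System process (PID 4) keeps its full protection.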

Remarks

  • This driver relies heavily on undocumented kernel internals. Although it does not use version-specific code, future versions of Windows may still break it for any number of reasons. If this happens, please submit an issue with your exact kernel version number.
  • It is possible to unprotect the System process, but there is little use for this since all threads in the System process run in kernel mode. Because of this, there are additional checks besides process protection to prevent attaching a debugger to PID 4. If you want to debug the kernel, use a kernel debugger. If you want to view detailed information on the System process, such as kernel thread stacks, there are better alternatives such as Process Hacker that do not require removing process protection.