PPLdump Is Dead. Long Live PPLdump!

Conference:  Black Hat Asia 2023


Authors:   Gabriel Landau


The Windows Protected Process Light (PPL) mechanism hardens anti-malware and critical Windows services against tampering, even by administrators. This special status is guarded by the Windows Code Integrity (CI) subsystem which ensures that PPL processes will only run code with special signatures from Microsoft or trusted vendors.PPL has a history of bypasses. The most notorious is PPLdump, a turnkey user mode tool that exploits a Windows vulnerability to achieve arbitrary PPL code execution and dump any PPL process. This can be used to dump the Windows credential store, LSASS, enabling lateral movement. PPLdump is open source, making it easy to alter the payload to perform other privileged actions such as disabling security software.PPL bypasses are particularly interesting because Microsoft considers PPL a defense-in-depth measure, not a formal security boundary, so these bugs do not qualify for patches. This can result in long-lived vulnerabilities with real-world impact and no patch in sight. The vulnerability underlying and predating PPLdump was publicly disclosed in 2018, but Microsoft didn't patch it until 2022, over a year after PPLdump's 2021 release.In this talk, we'll review PPL's design, as well as some historical exploits and their mitigations. Next, we'll describe a few new attacks against PPL, including a design flaw in CI that enables unsigned fully-privileged PPL code execution without kernel exploitation. We will demonstrate this flaw and release two tools that exploit it. The first is a pure-usermode PPL process dumper, similar to PPLdump. The second tool demonstrates how this vulnerability effectively grants full read-write access to physical memory. Finally, we will release code that anti-malware vendors can employ to mitigate this type of attack and discuss a few changes to Windows that could stop it entirely.