Home

Awesome

PPLRunner

This project is to enable running 'arbitrary*' process as an Anti Malware Protected-Process-Light (PPL), for research purposes. (* See the Restrictions section for more details)

See this blog I wrote for more details and the reasoning behind this project.

Overview

System protected process is a security model in Windows designed to protect system and anti-virus processes from tampering or introspection, even by Administrators/SYSTEM.

Processes started as an Anti Malware 'Protected Process-Light' (PPL) are restricted in what they can do, can only load signed code, but cannot be debugged, inspected, or stopped by non-Protected Processes. Additionally, they can get access to special data, such as the Microsoft-Windows-Threat-Intelligence ETW Provider.

This project creates an Early-Launch Anti Malware (ELAM) driver and usermode service. The service will launch a configurable child process when it starts which will also be marked as PPL.

The child binary must be signed with the same certificate as the service, along with some other restrictions, but can otherwise be any binary and commandline arguments you chose.

Honestly I'm not doing a good job of explaining what ELAM and PPL are, instead I recommend starting here:

Pre-Built/Easy mode

You can grab a pre-built and signed version of the PPLRunner service and kernel module from Releases. The release also has the autogenerated certificate and private key in a .pfx file, which is password-protected with the password password. I did say this is for research-purposes only right?

Manual

To generate and build your own project:

Setup

Make sure you have Windows SDKs installed.

Open generate_cert.ps1 and sign_file.ps1, and change the $password variable to something else (they must match each other).

Run generate_cert.ps1. This will generate a ppl_runner.pfx with a new private and public certificate. This will be used to sign all binaries used by PPLRunner.

Build

Build ppl_runner.sln. This will produce 3 binaries:

elam_driver.sys

The ELAM Kernel Driver that has the certificate information in it. The driver doesn't actually do anything, and won't actually be loaded, it is just used as a vessel for the signing certificate.

ppl_runner.exe

The Service installer and binary. As a PPL service, when started it will launch a child process, also as PPL, then stop and exit.

child_example.exe

An example executable that will be signed with the correct certificate by Visual Studio at build time. PPLRunner can run almost any binary, this is just an example that will be automatically signed.

Install

NOTE Only install on a testing machine, not production/your home PC.

  1. Once built, copy elam_driver.sys and ppl_runner.exe to a folder on the target machine.

  2. Enable test signing by running this from an elevated prompt, then reboot:

bcdedit /set testsigning on
  1. From an elevated command prompt, browse to the folder containing the copied executables and run:
ppl_runner.exe install

This should install a service named ppl_runner.

Configure

To sign a binary to run, sign it with the ppl_runner.pfx cert, using either the sign_file.ps1 script, or just running signtool.exe yourself. If you don't have signtool.exe, it is in the Windows SDKs.

Create the registry key HKLM\SOFTWARE\PPL_RUNNER. Set the default/empty key to be a REG_SZ, containing the full path to the binary to execute, and any commandline argument. e.g. from the commandline:

REG.exe ADD HKLM\SOFTWARE\PPL_RUNNER /ve /t REG_SZ /d "C:\path\to\binay --argument 1"

Run

To make the service launch the executable, just run from an elevated prompt:

net start ppl_runner

As a PPL service, when started ppl_runner will read the registry key, launch the child process, also as PPL, then stop and exit. A successful launch will still say the service failed to run, but if you check the return code with sc query ppl_runner, it should be 0, i.e. ERROR_SUCCESS.

The Child process will not be visible, however if you can use Debug Outputs and DBGView.exe to get some form of output (see the child_example code).

Cleanup/Removal

As the service is also Anti Malware PPL, it can only be stopped and deleted by a similarly high-level process. However, we can use PPLRunner to remove itself, simply set the command in the registry key to be:

C:\path\to\ppl_runner.exe remove

And run the Service. i.e. run:

REG.exe ADD HKLM\SOFTWARE\PPL_RUNNER /ve /t REG_SZ /d "C:\path\to\ppl_runner.exe remove"
net start ppl_runner

Restrictions

Debugging

Run Sysinternal's DBGView and log Win32 Global, filtering on *[PPL_RUNNER]*. This will show all logs from the service and installer.

Example uses

TBD - Sealighter blog

Similar Projects

James Forshaw created an awesome project to inject code into existing PPL processes.

Futher Reading and Thanks

Following Alex Ionescu is probably the best way to learn more about ELAM and PPL. Possibly start with this: https://www.crowdstrike.com/blog/protected-processes-part-3-windows-pki-internals-signing-levels-scenarios-signers-root-keys/

Following Matt Graeber and James Forshaw is another great way.

Massive thanks to Matt for the powershell script to get the 'To-Be-Signed' hash from a certificate.

James has written a lot about PPL and its flaws.