├── CreateProcessAsPPL.vcxproj.filters
├── README.md
├── CreateProcessAsPPL.sln
├── .gitattributes
├── CreateProcessAsPPL.vcxproj
├── .gitignore
└── CreateProcessAsPPL.cpp


/CreateProcessAsPPL.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Resource Files">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |   </ItemGroup>
17 |   <ItemGroup>
18 |     <ClCompile Include="CreateProcessAsPPL.cpp">
19 |       <Filter>Source Files</Filter>
20 |     </ClCompile>
21 |   </ItemGroup>
22 | </Project>


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | ### CreateProcessAsPPL
 2 | 
 3 | If you want to run a program with PPL protection enabled, then this tool will help you do that.
 4 | 
 5 | ### Command Line Syntax
 6 | 
 7 | **CreateProcessAsPPL.exe Mode:0-4 path_to_exe arg0 arg1 ...**
 8 | 
 9 | **Mode:**
10 | 
11 | * PROTECTION_LEVEL_WINTCB_LIGHT       0
12 | * PROTECTION_LEVEL_WINDOWS            1
13 | * PROTECTION_LEVEL_WINDOWS_LIGHT      2
14 | * PROTECTION_LEVEL_ANTIMALWARE_LIGHT  3
15 | * PROTECTION_LEVEL_LSA_LIGHT          4
16 | 
17 | ## Links
18 | 
19 | [An article about exploiting the PPL program to destroy Windows Defender](https://www.zerosalarium.com/2025/08/countering-edrs-with-backing-of-ppl-protection.html)
20 | 
21 | [WSASS - Tool to dump the LSASS process on modern Windows 11](https://github.com/TwoSevenOneT/WSASS)
22 | 
23 | [An article about exploiting WerFaultSecure.exe to dump LSASS](https://www.zerosalarium.com/2025/09/Dumping-LSASS-With-WER-On-Modern-Windows-11.html)
24 | 
25 | ## ☕ Like what I do? You can fuel my creativity with a coffee!
26 | 
27 | [![Buy Me A Coffee](https://www.buymeacoffee.com/assets/img/custom_images/orange_img.png)](https://buymeacoffee.com/twosevenonethree)
28 | 
29 | ## Tools For Security Researcher and Hacker
30 | 
31 | Essential tools that every security researcher and hacker should have in their toolkit:
32 | 
33 | [Essential Tools For Security Researcher and Hacker](https://www.zerosalarium.com/p/essential-tools-for-security-researcher.html)
34 | 
35 | ## READING
36 | 
37 | Some books you should read to sharpen your cybersecurity skills, especially in offensive security:
38 | 
39 | [Books on Programming and Cybersecurity recommended by Zero Salarium Researchers](https://www.zerosalarium.com/2025/10/books-on-programming-and-cybersecurity-recommended.html)
40 | 
41 | ## Author:
42 | 
43 | [Two Seven One Three](https://x.com/TwoSevenOneT)
44 | 


--------------------------------------------------------------------------------
/CreateProcessAsPPL.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio Version 17
 4 | VisualStudioVersion = 17.13.35825.156 d17.13
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CreateProcessAsPPL", "CreateProcessAsPPL.vcxproj", "{4E850EA4-209F-44A7-9104-E4A34A00CB83}"
 7 | EndProject
 8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "PPLSupportCheck", "..\PPLSupportCheck\PPLSupportCheck.vcxproj", "{62DB1282-7224-41F9-A328-5F52241D8E0D}"
 9 | EndProject
10 | Global
11 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
12 | 		Debug|x64 = Debug|x64
13 | 		Debug|x86 = Debug|x86
14 | 		Release|x64 = Release|x64
15 | 		Release|x86 = Release|x86
16 | 	EndGlobalSection
17 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
18 | 		{4E850EA4-209F-44A7-9104-E4A34A00CB83}.Debug|x64.ActiveCfg = Debug|x64
19 | 		{4E850EA4-209F-44A7-9104-E4A34A00CB83}.Debug|x64.Build.0 = Debug|x64
20 | 		{4E850EA4-209F-44A7-9104-E4A34A00CB83}.Debug|x86.ActiveCfg = Debug|Win32
21 | 		{4E850EA4-209F-44A7-9104-E4A34A00CB83}.Debug|x86.Build.0 = Debug|Win32
22 | 		{4E850EA4-209F-44A7-9104-E4A34A00CB83}.Release|x64.ActiveCfg = Release|x64
23 | 		{4E850EA4-209F-44A7-9104-E4A34A00CB83}.Release|x64.Build.0 = Release|x64
24 | 		{4E850EA4-209F-44A7-9104-E4A34A00CB83}.Release|x86.ActiveCfg = Release|Win32
25 | 		{4E850EA4-209F-44A7-9104-E4A34A00CB83}.Release|x86.Build.0 = Release|Win32
26 | 		{62DB1282-7224-41F9-A328-5F52241D8E0D}.Debug|x64.ActiveCfg = Debug|x64
27 | 		{62DB1282-7224-41F9-A328-5F52241D8E0D}.Debug|x64.Build.0 = Debug|x64
28 | 		{62DB1282-7224-41F9-A328-5F52241D8E0D}.Debug|x86.ActiveCfg = Debug|Win32
29 | 		{62DB1282-7224-41F9-A328-5F52241D8E0D}.Debug|x86.Build.0 = Debug|Win32
30 | 		{62DB1282-7224-41F9-A328-5F52241D8E0D}.Release|x64.ActiveCfg = Release|x64
31 | 		{62DB1282-7224-41F9-A328-5F52241D8E0D}.Release|x64.Build.0 = Release|x64
32 | 		{62DB1282-7224-41F9-A328-5F52241D8E0D}.Release|x86.ActiveCfg = Release|Win32
33 | 		{62DB1282-7224-41F9-A328-5F52241D8E0D}.Release|x86.Build.0 = Release|Win32
34 | 	EndGlobalSection
35 | 	GlobalSection(SolutionProperties) = preSolution
36 | 		HideSolutionNode = FALSE
37 | 	EndGlobalSection
38 | 	GlobalSection(ExtensibilityGlobals) = postSolution
39 | 		SolutionGuid = {DA304F95-660D-4540-A20E-2244CD10F7F0}
40 | 	EndGlobalSection
41 | EndGlobal
42 | 


--------------------------------------------------------------------------------
/.gitattributes:
--------------------------------------------------------------------------------
 1 | ###############################################################################
 2 | # Set default behavior to automatically normalize line endings.
 3 | ###############################################################################
 4 | * text=auto
 5 | 
 6 | ###############################################################################
 7 | # Set default behavior for command prompt diff.
 8 | #
 9 | # This is need for earlier builds of msysgit that does not have it on by
10 | # default for csharp files.
11 | # Note: This is only used by command line
12 | ###############################################################################
13 | #*.cs     diff=csharp
14 | 
15 | ###############################################################################
16 | # Set the merge driver for project and solution files
17 | #
18 | # Merging from the command prompt will add diff markers to the files if there
19 | # are conflicts (Merging from VS is not affected by the settings below, in VS
20 | # the diff markers are never inserted). Diff markers may cause the following 
21 | # file extensions to fail to load in VS. An alternative would be to treat
22 | # these files as binary and thus will always conflict and require user
23 | # intervention with every merge. To do so, just uncomment the entries below
24 | ###############################################################################
25 | #*.sln       merge=binary
26 | #*.csproj    merge=binary
27 | #*.vbproj    merge=binary
28 | #*.vcxproj   merge=binary
29 | #*.vcproj    merge=binary
30 | #*.dbproj    merge=binary
31 | #*.fsproj    merge=binary
32 | #*.lsproj    merge=binary
33 | #*.wixproj   merge=binary
34 | #*.modelproj merge=binary
35 | #*.sqlproj   merge=binary
36 | #*.wwaproj   merge=binary
37 | 
38 | ###############################################################################
39 | # behavior for image files
40 | #
41 | # image files are treated as binary by default.
42 | ###############################################################################
43 | #*.jpg   binary
44 | #*.png   binary
45 | #*.gif   binary
46 | 
47 | ###############################################################################
48 | # diff behavior for common document formats
49 | # 
50 | # Convert binary document formats to text before diffing them. This feature
51 | # is only available from the command line. Turn it on by uncommenting the 
52 | # entries below.
53 | ###############################################################################
54 | #*.doc   diff=astextplain
55 | #*.DOC   diff=astextplain
56 | #*.docx  diff=astextplain
57 | #*.DOCX  diff=astextplain
58 | #*.dot   diff=astextplain
59 | #*.DOT   diff=astextplain
60 | #*.pdf   diff=astextplain
61 | #*.PDF   diff=astextplain
62 | #*.rtf   diff=astextplain
63 | #*.RTF   diff=astextplain
64 | 


--------------------------------------------------------------------------------
/CreateProcessAsPPL.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Release|Win32">
  9 |       <Configuration>Release</Configuration>
 10 |       <Platform>Win32</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|x64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>x64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |   </ItemGroup>
 21 |   <PropertyGroup Label="Globals">
 22 |     <VCProjectVersion>17.0</VCProjectVersion>
 23 |     <Keyword>Win32Proj</Keyword>
 24 |     <ProjectGuid>{4e850ea4-209f-44a7-9104-e4a34a00cb83}</ProjectGuid>
 25 |     <RootNamespace>CreateProcessAsPPL</RootNamespace>
 26 |     <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
 27 |   </PropertyGroup>
 28 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 29 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 30 |     <ConfigurationType>Application</ConfigurationType>
 31 |     <UseDebugLibraries>true</UseDebugLibraries>
 32 |     <PlatformToolset>v143</PlatformToolset>
 33 |     <CharacterSet>Unicode</CharacterSet>
 34 |   </PropertyGroup>
 35 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 36 |     <ConfigurationType>Application</ConfigurationType>
 37 |     <UseDebugLibraries>false</UseDebugLibraries>
 38 |     <PlatformToolset>v143</PlatformToolset>
 39 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 40 |     <CharacterSet>Unicode</CharacterSet>
 41 |   </PropertyGroup>
 42 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 43 |     <ConfigurationType>Application</ConfigurationType>
 44 |     <UseDebugLibraries>true</UseDebugLibraries>
 45 |     <PlatformToolset>v143</PlatformToolset>
 46 |     <CharacterSet>Unicode</CharacterSet>
 47 |   </PropertyGroup>
 48 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 49 |     <ConfigurationType>Application</ConfigurationType>
 50 |     <UseDebugLibraries>false</UseDebugLibraries>
 51 |     <PlatformToolset>v143</PlatformToolset>
 52 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 53 |     <CharacterSet>Unicode</CharacterSet>
 54 |   </PropertyGroup>
 55 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
 56 |   <ImportGroup Label="ExtensionSettings">
 57 |   </ImportGroup>
 58 |   <ImportGroup Label="Shared">
 59 |   </ImportGroup>
 60 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 61 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 62 |   </ImportGroup>
 63 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 64 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 65 |   </ImportGroup>
 66 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 67 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 68 |   </ImportGroup>
 69 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 70 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 71 |   </ImportGroup>
 72 |   <PropertyGroup Label="UserMacros" />
 73 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 74 |     <ClCompile>
 75 |       <WarningLevel>Level3</WarningLevel>
 76 |       <SDLCheck>true</SDLCheck>
 77 |       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 78 |       <ConformanceMode>true</ConformanceMode>
 79 |     </ClCompile>
 80 |     <Link>
 81 |       <SubSystem>Console</SubSystem>
 82 |       <GenerateDebugInformation>true</GenerateDebugInformation>
 83 |     </Link>
 84 |   </ItemDefinitionGroup>
 85 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 86 |     <ClCompile>
 87 |       <WarningLevel>Level3</WarningLevel>
 88 |       <FunctionLevelLinking>true</FunctionLevelLinking>
 89 |       <IntrinsicFunctions>true</IntrinsicFunctions>
 90 |       <SDLCheck>true</SDLCheck>
 91 |       <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 92 |       <ConformanceMode>true</ConformanceMode>
 93 |     </ClCompile>
 94 |     <Link>
 95 |       <SubSystem>Console</SubSystem>
 96 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
 97 |       <OptimizeReferences>true</OptimizeReferences>
 98 |       <GenerateDebugInformation>true</GenerateDebugInformation>
 99 |     </Link>
100 |   </ItemDefinitionGroup>
101 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
102 |     <ClCompile>
103 |       <WarningLevel>Level3</WarningLevel>
104 |       <SDLCheck>true</SDLCheck>
105 |       <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
106 |       <ConformanceMode>true</ConformanceMode>
107 |     </ClCompile>
108 |     <Link>
109 |       <SubSystem>Console</SubSystem>
110 |       <GenerateDebugInformation>true</GenerateDebugInformation>
111 |     </Link>
112 |   </ItemDefinitionGroup>
113 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
114 |     <ClCompile>
115 |       <WarningLevel>Level3</WarningLevel>
116 |       <FunctionLevelLinking>true</FunctionLevelLinking>
117 |       <IntrinsicFunctions>true</IntrinsicFunctions>
118 |       <SDLCheck>true</SDLCheck>
119 |       <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
120 |       <ConformanceMode>true</ConformanceMode>
121 |       <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
122 |     </ClCompile>
123 |     <Link>
124 |       <SubSystem>Console</SubSystem>
125 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
126 |       <OptimizeReferences>true</OptimizeReferences>
127 |       <GenerateDebugInformation>true</GenerateDebugInformation>
128 |     </Link>
129 |   </ItemDefinitionGroup>
130 |   <ItemGroup>
131 |     <ClCompile Include="CreateProcessAsPPL.cpp" />
132 |   </ItemGroup>
133 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
134 |   <ImportGroup Label="ExtensionTargets">
135 |   </ImportGroup>
136 | </Project>


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
  1 | ## Ignore Visual Studio temporary files, build results, and
  2 | ## files generated by popular Visual Studio add-ons.
  3 | ##
  4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
  5 | 
  6 | # User-specific files
  7 | *.rsuser
  8 | *.suo
  9 | *.user
 10 | *.userosscache
 11 | *.sln.docstates
 12 | 
 13 | # User-specific files (MonoDevelop/Xamarin Studio)
 14 | *.userprefs
 15 | 
 16 | # Mono auto generated files
 17 | mono_crash.*
 18 | 
 19 | # Build results
 20 | [Dd]ebug/
 21 | [Dd]ebugPublic/
 22 | [Rr]elease/
 23 | [Rr]eleases/
 24 | x64/
 25 | x86/
 26 | [Ww][Ii][Nn]32/
 27 | [Aa][Rr][Mm]/
 28 | [Aa][Rr][Mm]64/
 29 | bld/
 30 | [Bb]in/
 31 | [Oo]bj/
 32 | [Oo]ut/
 33 | [Ll]og/
 34 | [Ll]ogs/
 35 | 
 36 | # Visual Studio 2015/2017 cache/options directory
 37 | .vs/
 38 | # Uncomment if you have tasks that create the project's static files in wwwroot
 39 | #wwwroot/
 40 | 
 41 | # Visual Studio 2017 auto generated files
 42 | Generated\ Files/
 43 | 
 44 | # MSTest test Results
 45 | [Tt]est[Rr]esult*/
 46 | [Bb]uild[Ll]og.*
 47 | 
 48 | # NUnit
 49 | *.VisualState.xml
 50 | TestResult.xml
 51 | nunit-*.xml
 52 | 
 53 | # Build Results of an ATL Project
 54 | [Dd]ebugPS/
 55 | [Rr]eleasePS/
 56 | dlldata.c
 57 | 
 58 | # Benchmark Results
 59 | BenchmarkDotNet.Artifacts/
 60 | 
 61 | # .NET Core
 62 | project.lock.json
 63 | project.fragment.lock.json
 64 | artifacts/
 65 | 
 66 | # ASP.NET Scaffolding
 67 | ScaffoldingReadMe.txt
 68 | 
 69 | # StyleCop
 70 | StyleCopReport.xml
 71 | 
 72 | # Files built by Visual Studio
 73 | *_i.c
 74 | *_p.c
 75 | *_h.h
 76 | *.ilk
 77 | *.meta
 78 | *.obj
 79 | *.iobj
 80 | *.pch
 81 | *.pdb
 82 | *.ipdb
 83 | *.pgc
 84 | *.pgd
 85 | *.rsp
 86 | *.sbr
 87 | *.tlb
 88 | *.tli
 89 | *.tlh
 90 | *.tmp
 91 | *.tmp_proj
 92 | *_wpftmp.csproj
 93 | *.log
 94 | *.vspscc
 95 | *.vssscc
 96 | .builds
 97 | *.pidb
 98 | *.svclog
 99 | *.scc
100 | 
101 | # Chutzpah Test files
102 | _Chutzpah*
103 | 
104 | # Visual C++ cache files
105 | ipch/
106 | *.aps
107 | *.ncb
108 | *.opendb
109 | *.opensdf
110 | *.sdf
111 | *.cachefile
112 | *.VC.db
113 | *.VC.VC.opendb
114 | 
115 | # Visual Studio profiler
116 | *.psess
117 | *.vsp
118 | *.vspx
119 | *.sap
120 | 
121 | # Visual Studio Trace Files
122 | *.e2e
123 | 
124 | # TFS 2012 Local Workspace
125 | $tf/
126 | 
127 | # Guidance Automation Toolkit
128 | *.gpState
129 | 
130 | # ReSharper is a .NET coding add-in
131 | _ReSharper*/
132 | *.[Rr]e[Ss]harper
133 | *.DotSettings.user
134 | 
135 | # TeamCity is a build add-in
136 | _TeamCity*
137 | 
138 | # DotCover is a Code Coverage Tool
139 | *.dotCover
140 | 
141 | # AxoCover is a Code Coverage Tool
142 | .axoCover/*
143 | !.axoCover/settings.json
144 | 
145 | # Coverlet is a free, cross platform Code Coverage Tool
146 | coverage*.json
147 | coverage*.xml
148 | coverage*.info
149 | 
150 | # Visual Studio code coverage results
151 | *.coverage
152 | *.coveragexml
153 | 
154 | # NCrunch
155 | _NCrunch_*
156 | .*crunch*.local.xml
157 | nCrunchTemp_*
158 | 
159 | # MightyMoose
160 | *.mm.*
161 | AutoTest.Net/
162 | 
163 | # Web workbench (sass)
164 | .sass-cache/
165 | 
166 | # Installshield output folder
167 | [Ee]xpress/
168 | 
169 | # DocProject is a documentation generator add-in
170 | DocProject/buildhelp/
171 | DocProject/Help/*.HxT
172 | DocProject/Help/*.HxC
173 | DocProject/Help/*.hhc
174 | DocProject/Help/*.hhk
175 | DocProject/Help/*.hhp
176 | DocProject/Help/Html2
177 | DocProject/Help/html
178 | 
179 | # Click-Once directory
180 | publish/
181 | 
182 | # Publish Web Output
183 | *.[Pp]ublish.xml
184 | *.azurePubxml
185 | # Note: Comment the next line if you want to checkin your web deploy settings,
186 | # but database connection strings (with potential passwords) will be unencrypted
187 | *.pubxml
188 | *.publishproj
189 | 
190 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
191 | # checkin your Azure Web App publish settings, but sensitive information contained
192 | # in these scripts will be unencrypted
193 | PublishScripts/
194 | 
195 | # NuGet Packages
196 | *.nupkg
197 | # NuGet Symbol Packages
198 | *.snupkg
199 | # The packages folder can be ignored because of Package Restore
200 | **/[Pp]ackages/*
201 | # except build/, which is used as an MSBuild target.
202 | !**/[Pp]ackages/build/
203 | # Uncomment if necessary however generally it will be regenerated when needed
204 | #!**/[Pp]ackages/repositories.config
205 | # NuGet v3's project.json files produces more ignorable files
206 | *.nuget.props
207 | *.nuget.targets
208 | 
209 | # Microsoft Azure Build Output
210 | csx/
211 | *.build.csdef
212 | 
213 | # Microsoft Azure Emulator
214 | ecf/
215 | rcf/
216 | 
217 | # Windows Store app package directories and files
218 | AppPackages/
219 | BundleArtifacts/
220 | Package.StoreAssociation.xml
221 | _pkginfo.txt
222 | *.appx
223 | *.appxbundle
224 | *.appxupload
225 | 
226 | # Visual Studio cache files
227 | # files ending in .cache can be ignored
228 | *.[Cc]ache
229 | # but keep track of directories ending in .cache
230 | !?*.[Cc]ache/
231 | 
232 | # Others
233 | ClientBin/
234 | ~$*
235 | *~
236 | *.dbmdl
237 | *.dbproj.schemaview
238 | *.jfm
239 | *.pfx
240 | *.publishsettings
241 | orleans.codegen.cs
242 | 
243 | # Including strong name files can present a security risk
244 | # (https://github.com/github/gitignore/pull/2483#issue-259490424)
245 | #*.snk
246 | 
247 | # Since there are multiple workflows, uncomment next line to ignore bower_components
248 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
249 | #bower_components/
250 | 
251 | # RIA/Silverlight projects
252 | Generated_Code/
253 | 
254 | # Backup & report files from converting an old project file
255 | # to a newer Visual Studio version. Backup files are not needed,
256 | # because we have git ;-)
257 | _UpgradeReport_Files/
258 | Backup*/
259 | UpgradeLog*.XML
260 | UpgradeLog*.htm
261 | ServiceFabricBackup/
262 | *.rptproj.bak
263 | 
264 | # SQL Server files
265 | *.mdf
266 | *.ldf
267 | *.ndf
268 | 
269 | # Business Intelligence projects
270 | *.rdl.data
271 | *.bim.layout
272 | *.bim_*.settings
273 | *.rptproj.rsuser
274 | *- [Bb]ackup.rdl
275 | *- [Bb]ackup ([0-9]).rdl
276 | *- [Bb]ackup ([0-9][0-9]).rdl
277 | 
278 | # Microsoft Fakes
279 | FakesAssemblies/
280 | 
281 | # GhostDoc plugin setting file
282 | *.GhostDoc.xml
283 | 
284 | # Node.js Tools for Visual Studio
285 | .ntvs_analysis.dat
286 | node_modules/
287 | 
288 | # Visual Studio 6 build log
289 | *.plg
290 | 
291 | # Visual Studio 6 workspace options file
292 | *.opt
293 | 
294 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
295 | *.vbw
296 | 
297 | # Visual Studio LightSwitch build output
298 | **/*.HTMLClient/GeneratedArtifacts
299 | **/*.DesktopClient/GeneratedArtifacts
300 | **/*.DesktopClient/ModelManifest.xml
301 | **/*.Server/GeneratedArtifacts
302 | **/*.Server/ModelManifest.xml
303 | _Pvt_Extensions
304 | 
305 | # Paket dependency manager
306 | .paket/paket.exe
307 | paket-files/
308 | 
309 | # FAKE - F# Make
310 | .fake/
311 | 
312 | # CodeRush personal settings
313 | .cr/personal
314 | 
315 | # Python Tools for Visual Studio (PTVS)
316 | __pycache__/
317 | *.pyc
318 | 
319 | # Cake - Uncomment if you are using it
320 | # tools/**
321 | # !tools/packages.config
322 | 
323 | # Tabs Studio
324 | *.tss
325 | 
326 | # Telerik's JustMock configuration file
327 | *.jmconfig
328 | 
329 | # BizTalk build output
330 | *.btp.cs
331 | *.btm.cs
332 | *.odx.cs
333 | *.xsd.cs
334 | 
335 | # OpenCover UI analysis results
336 | OpenCover/
337 | 
338 | # Azure Stream Analytics local run output
339 | ASALocalRun/
340 | 
341 | # MSBuild Binary and Structured Log
342 | *.binlog
343 | 
344 | # NVidia Nsight GPU debugger configuration file
345 | *.nvuser
346 | 
347 | # MFractors (Xamarin productivity tool) working folder
348 | .mfractor/
349 | 
350 | # Local History for Visual Studio
351 | .localhistory/
352 | 
353 | # BeatPulse healthcheck temp database
354 | healthchecksdb
355 | 
356 | # Backup folder for Package Reference Convert tool in Visual Studio 2017
357 | MigrationBackup/
358 | 
359 | # Ionide (cross platform F# VS Code tools) working folder
360 | .ionide/
361 | 
362 | # Fody - auto-generated XML schema
363 | FodyWeavers.xsd


--------------------------------------------------------------------------------
/CreateProcessAsPPL.cpp:
--------------------------------------------------------------------------------
  1 | #include <windows.h>
  2 | #include <iostream>
  3 | #include <string>
  4 | #include <vector>
  5 | #include <cstdlib>
  6 | 
  7 | #pragma comment(lib, "advapi32.lib")
  8 | 
  9 | class PPLProcessCreator
 10 | {
 11 | private:
 12 |     HANDLE m_hProcess;
 13 |     HANDLE m_hThread;
 14 | 
 15 | public:
 16 |     PPLProcessCreator() : m_hProcess(nullptr), m_hThread(nullptr) {}
 17 |     ~PPLProcessCreator()
 18 |     {
 19 |         if (m_hProcess) CloseHandle(m_hProcess);
 20 |         if (m_hThread) CloseHandle(m_hThread);
 21 |     }
 22 | 
 23 |     DWORD GetPPLProtectionLevel(DWORD processId)
 24 |     {
 25 |         DWORD protectionLevel = 0;
 26 |         HANDLE hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, processId);
 27 | 
 28 |         if (hProcess)
 29 |         {
 30 |             PROCESS_PROTECTION_LEVEL_INFORMATION protectionInfo;
 31 |             DWORD returnLength = 0;
 32 | 
 33 |             if (GetProcessInformation(hProcess, ProcessProtectionLevelInfo,
 34 |                 &protectionInfo, sizeof(protectionInfo)))
 35 |             {
 36 |                 protectionLevel = protectionInfo.ProtectionLevel;
 37 |             }
 38 | 
 39 |             CloseHandle(hProcess);
 40 |         }
 41 | 
 42 |         return protectionLevel;
 43 |     }
 44 |     std::wstring GetPPLProtectionLevelName(DWORD protectionLevel)
 45 |     {
 46 |         switch (protectionLevel)
 47 |         {
 48 |         case PROTECTION_LEVEL_WINTCB_LIGHT:
 49 |             return L"PROTECTION_LEVEL_WINTCB_LIGHT";
 50 |         case PROTECTION_LEVEL_WINDOWS:
 51 |             return L"PROTECTION_LEVEL_WINDOWS";
 52 |         case PROTECTION_LEVEL_WINDOWS_LIGHT:
 53 |             return L"PROTECTION_LEVEL_WINDOWS_LIGHT";
 54 |         case PROTECTION_LEVEL_ANTIMALWARE_LIGHT:
 55 |             return L"PROTECTION_LEVEL_ANTIMALWARE_LIGHT";
 56 |         case PROTECTION_LEVEL_LSA_LIGHT:
 57 |             return L"PROTECTION_LEVEL_LSA_LIGHT";
 58 |         default:
 59 |             return L"Unknown protection level";
 60 |         }
 61 |     }
 62 |     bool CreatePPLProcess(DWORD protectionLevel, const std::wstring& executablePath, const std::wstring& commandLine = L"")
 63 |     {
 64 |         SIZE_T size = 0;
 65 |         STARTUPINFOEXW siex = { 0 };
 66 |         siex.StartupInfo.cb = sizeof(siex);
 67 |         PROCESS_INFORMATION pi = { 0 };
 68 |         LPPROC_THREAD_ATTRIBUTE_LIST ptal = nullptr;
 69 | 
 70 |         // Initialize attribute list size
 71 |         if (!InitializeProcThreadAttributeList(nullptr, 1, 0, &size) && GetLastError() != ERROR_INSUFFICIENT_BUFFER)
 72 |         {
 73 |             std::wcerr << L"InitializeProcThreadAttributeList failed: " << GetLastError() << std::endl;
 74 |             return false;
 75 |         }
 76 | 
 77 |         // Allocate attribute list
 78 |         ptal = reinterpret_cast<LPPROC_THREAD_ATTRIBUTE_LIST>(HeapAlloc(GetProcessHeap(), 0, size));
 79 |         if (!ptal)
 80 |         {
 81 |             std::wcerr << L"HeapAlloc failed: " << GetLastError() << std::endl;
 82 |             return false;
 83 |         }
 84 | 
 85 |         // Initialize attribute list
 86 |         if (!InitializeProcThreadAttributeList(ptal, 1, 0, &size))
 87 |         {
 88 |             std::wcerr << L"InitializeProcThreadAttributeList failed: " << GetLastError() << std::endl;
 89 |             HeapFree(GetProcessHeap(), 0, ptal);
 90 |             return false;
 91 |         }
 92 | 
 93 |         // Set protection level
 94 |         //DWORD protectionLevel = PROTECTION_LEVEL_ANTIMALWARE_LIGHT;
 95 |         if (!UpdateProcThreadAttribute(ptal, 0, PROC_THREAD_ATTRIBUTE_PROTECTION_LEVEL, &protectionLevel, sizeof(protectionLevel), nullptr, nullptr))
 96 |         {
 97 |             std::wcerr << L"UpdateProcThreadAttribute failed: " << GetLastError() << std::endl;
 98 |             DeleteProcThreadAttributeList(ptal);
 99 |             HeapFree(GetProcessHeap(), 0, ptal);
100 |             return false;
101 |         }
102 | 
103 |         siex.lpAttributeList = ptal;
104 | 
105 |         // Prepare command line (CreateProcessW requires modifiable string)
106 |         std::wstring fullCommandLine = L"\"" + executablePath + L"\"";
107 |         if (!commandLine.empty()) {
108 |             fullCommandLine += L" " + commandLine;
109 |         }
110 | 
111 |         std::vector<wchar_t> cmdLineBuffer(fullCommandLine.begin(), fullCommandLine.end());
112 |         cmdLineBuffer.push_back(L'\0');
113 | 
114 |         // Create process with PPL protection
115 |         if (!CreateProcessW(
116 |             executablePath.c_str(),    // Application name
117 |             cmdLineBuffer.data(),      // Command line
118 |             nullptr,                   // Process security attributes
119 |             nullptr,                   // Thread security attributes
120 |             FALSE,                     // Inherit handles
121 |             EXTENDED_STARTUPINFO_PRESENT | CREATE_PROTECTED_PROCESS,
122 |             nullptr,                   // Environment
123 |             nullptr,                   // Current directory
124 |             &siex.StartupInfo,         // Startup info
125 |             &pi))                       // Process information
126 |         {
127 |             std::wcerr << L"CreateProcessW failed: " << GetLastError() << std::endl;
128 |             DeleteProcThreadAttributeList(ptal);
129 |             HeapFree(GetProcessHeap(), 0, ptal);
130 |             return false;
131 |         }
132 | 
133 |         // Clean up attribute list
134 |         DeleteProcThreadAttributeList(ptal);
135 |         HeapFree(GetProcessHeap(), 0, ptal);
136 | 
137 |         m_hProcess = pi.hProcess;
138 |         m_hThread = pi.hThread;
139 | 
140 |         std::wcout << L"Successfully created PPL process with PID: " << pi.dwProcessId << std::endl;
141 |         std::wcerr << L"Protection level: " << GetPPLProtectionLevelName(GetPPLProtectionLevel(pi.dwProcessId)) << std::endl;
142 |         return true;
143 |     }
144 | 
145 |     bool WaitForProcess(DWORD timeout = INFINITE)
146 |     {
147 |         if (!m_hProcess) return false;
148 | 
149 |         DWORD result = WaitForSingleObject(m_hProcess, timeout);
150 |         if (result == WAIT_OBJECT_0) {
151 |             DWORD exitCode;
152 |             if (GetExitCodeProcess(m_hProcess, &exitCode)) {
153 |                 std::wcout << L"Process exited with code: " << exitCode << std::endl;
154 |             }
155 |             return true;
156 |         }
157 | 
158 |         return false;
159 |     }
160 | 
161 |     HANDLE GetProcessHandle() const { return m_hProcess; }
162 |     HANDLE GetThreadHandle() const { return m_hThread; }
163 | };
164 | 
165 | // Function to check if we have sufficient privileges
166 | bool CheckPrivileges()
167 | {
168 |     HANDLE hToken;
169 |     if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken))
170 |     {
171 |         return false;
172 |     }
173 | 
174 |     TOKEN_ELEVATION elevation;
175 |     DWORD dwSize;
176 |     bool isElevated = false;
177 | 
178 |     if (GetTokenInformation(hToken, TokenElevation, &elevation, sizeof(elevation), &dwSize))
179 |     {
180 |         isElevated = elevation.TokenIsElevated;
181 |     }
182 | 
183 |     CloseHandle(hToken);
184 |     return isElevated;
185 | }
186 | 
187 | int wmain(int argc, wchar_t* argv[])
188 | {
189 |     std::wcout << L"\nPPL Process Creator" << std::endl;
190 |     std::wcout << L"Two Seven One Three: x.com/TwoSevenOneT" << std::endl;
191 |     std::wcout << L"==================================================" << std::endl << std::endl;
192 |     //
193 | 
194 |     // Check if running with sufficient privileges
195 |     if (!CheckPrivileges())
196 |     {
197 |         std::wcerr << L"Error: This program requires elevated privileges (Run as Administrator)" << std::endl;
198 |         return 1;
199 |     }
200 | 
201 |     if (argc < 3)
202 |     {
203 |         std::wcout << L"Usage: " << argv[0] << L"[mode:0-4] <executable_path> [command_line_args]" << std::endl << std::endl;
204 |         std::wcout << L"Example: " << argv[0] << L" 1 \"C:\\Windows\\System32\\PPL.exe\"" << std::endl << std::endl;
205 |         std::wcout << L"MODE: " << std::endl;
206 |         std::wcout << L"PROTECTION_LEVEL_WINTCB_LIGHT       00000000" << std::endl;
207 |         std::wcout << L"PROTECTION_LEVEL_WINDOWS            00000001" << std::endl;
208 |         std::wcout << L"PROTECTION_LEVEL_WINDOWS_LIGHT      00000002" << std::endl;
209 |         std::wcout << L"PROTECTION_LEVEL_ANTIMALWARE_LIGHT  00000003" << std::endl;
210 |         std::wcout << L"PROTECTION_LEVEL_LSA_LIGHT          00000004" << std::endl;
211 |         return 1;
212 |     }
213 |     //#define PROTECTION_LEVEL_WINTCB_LIGHT       0x00000000
214 |     //#define PROTECTION_LEVEL_WINDOWS            0x00000001
215 |     //#define PROTECTION_LEVEL_WINDOWS_LIGHT      0x00000002
216 |     //#define PROTECTION_LEVEL_ANTIMALWARE_LIGHT  0x00000003
217 |     //#define PROTECTION_LEVEL_LSA_LIGHT          0x00000004
218 |     wchar_t* end;
219 |     long value = wcstol(argv[1], &end, 10);
220 |     DWORD protectionLevel = PROTECTION_LEVEL_ANTIMALWARE_LIGHT;
221 |     switch (value)
222 |     {
223 |     case 0:
224 |     {
225 |         protectionLevel = PROTECTION_LEVEL_WINTCB_LIGHT;
226 |         break;
227 |     }
228 |     case 1:
229 |     {
230 |         protectionLevel = PROTECTION_LEVEL_WINDOWS;
231 |         break;
232 |     }
233 |     case 2:
234 |     {
235 |         protectionLevel = PROTECTION_LEVEL_WINDOWS_LIGHT;
236 |         break;
237 |     }
238 |     case 4:
239 |     {
240 |         protectionLevel = PROTECTION_LEVEL_LSA_LIGHT;
241 |         break;
242 |     }
243 |     default:
244 |         break;
245 |     }
246 | 
247 |     PPLProcessCreator creator;
248 |     std::wstring executablePath = argv[2];
249 |     std::wstring commandLine;
250 | 
251 |     // Build command line from remaining arguments
252 |     for (int i = 3; i < argc; ++i)
253 |     {
254 |         if (!commandLine.empty())
255 |         {
256 |             commandLine += L" ";
257 |         }
258 |         commandLine += argv[i];
259 |     }
260 | 
261 |     // Create the PPL process
262 |     if (creator.CreatePPLProcess(protectionLevel, executablePath, commandLine))
263 |     {
264 |         std::wcout << L"Process created successfully. Waiting for completion..." << std::endl;
265 |         creator.WaitForProcess();
266 |         return 0;
267 |     }
268 |     else
269 |     {
270 |         std::wcerr << L"Failed to create PPL process." << std::endl;
271 |         return 1;
272 |     }
273 | }
274 | 


--------------------------------------------------------------------------------