mattiwatti / pplkiller Goto Github PK

it does not seam to find the offsets on windows 10 2004

The certificate shows as valid, but I get this failure message: "[SC] StartService FAILED 577:"

Certificate was installed as Root level trust (Local Machine)
C++ Standard: Latest Preview
Toolset: WindowsKernelModeDriver10.0

Steps to reproduce:

1. Setup clean environment on Hyper-V Windows 10 Enterprise, VS Community 2019
2. Install WSDK and WDK
3. Run "bcdedit /set testsigning on" as Admin (Success)
4. Reboot
5. Run "sc create pplkiller binPath= System32\drivers\pplkiller.sys type= kernel" (Success)
6. Run "sc start pplkiller" (Error)

I did everything listed here but it tells me the service was not found when trying sc start pplkiller or net sc start.
The weird thing is, that eg. sc GetKeyName or other calls are working, i didnt change the name of the service or anything.
Trying to start the service with ProcessHacker gives me the same error.

I added /debug to command line of Driver Signing.

Here is what I get

1>------ Build started: Project: PPLKiller, Configuration: Debug x64 ------
1>Building 'PPLKiller' with toolset 'WindowsKernelModeDriver10.0' and the 'Desktop' target platform.
1>PPLKiller.vcxproj -> C:\Users\Igor\Tools\PPLKiller-master\bin\pplkiller.sys
1>
1>The following certificates were considered:
1>SIGNTASK : SignTool error : No certificates were found that met all the given criteria.
1>    Issued to: 83410C25-192B-4952-B63B-D89C5F2C6AD6
1>
1>    Issued by: Apple iPhone Device CA
1>
1>    Expires:   Thu Oct 26 04:38:38 2017
1>
1>    SHA1 hash: 9B1D9443CDEACADF3C2BAE1F9841AB4435298927
1>
1>
1>    Issued to: WDKTestCert Igor,131657141306330865
1>
1>    Issued by: WDKTestCert Igor,131657141306330865
1>
1>    Expires:   Wed Mar 15 20:00:00 2028
1>
1>    SHA1 hash: 1F326A338F1C73EFB0CBA345205044CAAD69931E
1>
1>
1>After EKU filter, 1 certs were left.
1>After expiry filter, 1 certs were left.
1>After Hash filter, 1 certs were left.
1>After Private Key filter, 0 certs were left.
1>Done building project "PPLKiller.vcxproj" -- FAILED.
========== Build: 0 succeeded, 1 failed, 0 up-to-date, 0 skipped ==========

I guess the error is from the Apple iPhone Device CA I assume that comes from another tool which I used to jailbreak apple iphone.

Hello,
I have followed the steps you indicate, and I find a problem.

When I try to start the service, receive an 1275 error. I'm testing on windows 10 x64 1607 build, and also on windows 7 x64, and on both is the same problem.

I'm in test mode.

Can you think of what is due? I have not modified anything, I have only compiled from visual studio 2015

Thanks

I'm testing PLLKiller on a fully patched and updated Windows 7 and Windows 10 x64 VMs. Did Microsoft updates break your work-around for the MS signed driver requirement?

Just wondering where you are my friend :)

Win10 64, Visual Studio 2017, latest WDK. Cant open the solution

C:\Program Files (x86)\Windows Kits\10\build\WindowsDriver.KernelMode.Default.props(15,11): A numeric comparison was attempted on "$(_NT_TARGET_VERSION)" that evaluates to "" instead of a number, in condition "$(_NT_TARGET_VERSION) >= $(_NT_TARGET_VERSION_WIN10)".

PPLKiller works on Windows 8.1 and 10.

Will it work on Windows 2012 and Windows 2016?

could you add support to remove this please? I'm referring to Secure (IUM)

On windows 1903 i encounter the error 1168 when trying to load the driver.
Probably msft changed soemthign again :'(

hi. do you have an email address? thankyou.

hi very nice project, i'm wondering if after killing PPL if it's possible to restore it? if yes how can i do that?
thanks

Hello,

I've been trying to give Full protection to some processes instead of removing them, but i fail to print the Results (of a existing full-protected process) on WinDbg so I can know what flags i should apply for that.

If I understand correctly, i have to change those 2 variables, https://github.com/Mattiwatti/PPLKiller/blob/master/PPLKiller/main.cpp#L544

but what's the value for Full Protection (WinTcb) ?

I downloaded and installed the VS 2019 preview and the WDK there after. I loaded the solution then ran into an error saying that the WDK version 10.0.17763.0 is not available.

The WDK version is in fact 10.0.17763.1 and the solution wants 10.0.17763.0 ... any idea of how to work around this problem? Any way to relax version requirements in the solution to handle this situation?

I am getting

PROCESS_MITIGATION_SYSTEM_CALL_FILTER_POLICY SystemCallFilterPolicy; PROCESS_MITIGATION_PAYLOAD_RESTRICTION_POLICY PayloadRestrictionPolicy; PROCESS_MITIGATION_CHILD_PROCESS_POLICY ChildProcessPolicy;

these structs as undefined. Just wondered if it is safe to comment them out as I got bsod after doing that but I am not sure if that could have anything to do with it.

....

i would like to ask if its possible to bypass protected in kernel

win7 x64

Hi,

You mentioned that starting with 10.0.18362.0, PatchGuard will check protection level integrity on system processes. Can you give me a bit of insight on how the kernel does this? Does it have to do with PEAuth.sys? Some references to the code that causes the bugcheck would be very much appreciated!

Thank you in advance!