This project is to enable running 'arbitrary*' process as an Anti Malware Protected-Process-Light (PPL), for research purposes. (* See the Restrictions section for more details)
See this blog I wrote for more details and the reasoning behind this project.
System protected process is a security model in Windows designed to protect system and anti-virus processes from tampering or introspection, even by Administrators/SYSTEM.
Processes started as an Anti Malware 'Protected Process-Light' (PPL) are restricted in what they can do, can only load signed code, but cannot be debugged, inspected, or stopped by non-Protected Processes. Additionally, they can
get access to special data, such as the Microsoft-Windows-Threat-Intelligence ETW Provider.
This project creates an Early-Launch Anti Malware (ELAM) driver and usermode service. The service will launch a configurable child process when it starts which will also be marked as PPL.
The child binary must be signed with the same certificate as the service, along with some other restrictions, but can otherwise be any binary and commandline arguments you chose.
Honestly I'm not doing a good job of explaining what ELAM and PPL are, instead I recommend starting here:
- Chapter 3, Windows Internals Part 1 (#1 resource for anything Windows honestly)
- https://docs.microsoft.com/en-us/windows/win32/services/protecting-anti-malware-services-
- https://www.crowdstrike.com/blog/protected-processes-part-3-windows-pki-internals-signing-levels-scenarios-signers-root-keys/
- https://googleprojectzero.blogspot.com/2018/10/injecting-code-into-windows-protected.html
You can grab a pre-built and signed version of the PPLRunner service and kernel module from Releases. The release also has the autogenerated certificate and private key in a .pfx
file, which is password-protected with the password password. I did say this is for research-purposes only right?
To generate and build your own project:
Make sure you have Windows SDKs installed.
Open generate_cert.ps1 and sign_file.ps1, and change the $password variable to something else (they must match each other).
Run generate_cert.ps1. This will generate a ppl_runner.pfx with a new private and public certificate.
This will be used to sign all binaries used by PPLRunner.
Build ppl_runner.sln. This will produce 3 binaries:
The ELAM Kernel Driver that has the certificate information in it. The driver doesn't actually do anything, and won't actually be loaded, it is just used as a vessel for the signing certificate.
The Service installer and binary. As a PPL service, when started it will launch a child process, also as PPL, then stop and exit.
An example executable that will be signed with the correct certificate by Visual Studio at build time. PPLRunner can run almost any binary, this is just an example that will be automatically signed.
NOTE Only install on a testing machine, not production/your home PC.
-
Once built, copy
elam_driver.sysandppl_runner.exeto a folder on the target machine. -
Enable test signing by running this from an elevated prompt, then reboot:
bcdedit /set testsigning on- From an elevated command prompt, browse to the folder containing the copied executables and run:
ppl_runner.exe installThis should install a service named ppl_runner.
To sign a binary to run, sign it with the ppl_runner.pfx cert, using either the sign_file.ps1 script,
or just running signtool.exe yourself. If you don't have signtool.exe, it is in the Windows SDKs.
Create the registry key HKLM\SOFTWARE\PPL_RUNNER.
Set the default/empty key to be a REG_SZ, containing the full path to the binary to execute,
and any commandline argument. e.g. from the commandline:
REG.exe ADD HKLM\SOFTWARE\PPL_RUNNER /ve /t REG_SZ /d "C:\path\to\binay --argument 1"To make the service launch the executable, just run from an elevated prompt:
net start ppl_runnerAs a PPL service, when started ppl_runner will read the registry key, launch the child process,
also as PPL, then stop and exit. A successful launch will still say the service failed to run,
but if you check the return code with sc query ppl_runner, it should be 0, i.e. ERROR_SUCCESS.
The Child process will not be visible, however if you can use Debug Outputs and DBGView.exe to get
some form of output (see the child_example code).
As the service is also Anti Malware PPL, it can only be stopped and deleted by a similarly high-level process. However, we can use PPLRunner to remove itself, simply set the command in the registry key to be:
C:\path\to\ppl_runner.exe removeAnd run the Service. i.e. run:
REG.exe ADD HKLM\SOFTWARE\PPL_RUNNER /ve /t REG_SZ /d "C:\path\to\ppl_runner.exe remove"
net start ppl_runner- This project only works in
testsigningmode. ppl_runner.exe installmust be re-run after every reboot- The child binary must be signed with the same certificate as the service
- Any DLLs the binary loads must also be signed
Run Sysinternal's DBGView and log Win32 Global, filtering on *[PPL_RUNNER]*.
This will show all logs from the service and installer.
TBD - Sealighter blog
James Forshaw created an awesome project to inject code into existing PPL processes.
Following Alex Ionescu is probably the best way to learn more about ELAM and PPL. Possibly start with this: https://www.crowdstrike.com/blog/protected-processes-part-3-windows-pki-internals-signing-levels-scenarios-signers-root-keys/
Following Matt Graeber and James Forshaw is another great way.
Massive thanks to Matt for the powershell script to get the 'To-Be-Signed' hash from a certificate.
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent