
pplrunner's Issues

Is this still working?

I was able to install the service successfully, and when I try to start Sealighter (via the PPLRunner registry key) to log the Threat Intelligence ETW, nothing happens:

C:\WINDOWS\system32>cd C:\Users\William\Desktop

C:\Users\William\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 1C25-AC41

 Directory of C:\Users\William\Desktop

04/16/2021  07:29 AM    <DIR>          .
04/16/2021  07:29 AM    <DIR>          ..
03/31/2021  08:00 AM             2,099 Developer Command Prompt for VS 2019.lnk
04/15/2021  02:24 PM    <DIR>          EDR
04/15/2021  04:12 PM            10,488 elam_driver.sys
04/15/2021  04:12 PM           141,616 ppl_runner.exe
04/15/2021  04:12 PM             2,606 ppl_runner.pfx
04/15/2021  04:13 PM           799,232 sealighter.exe
               5 File(s)        956,041 bytes
               3 Dir(s)  15,246,749,696 bytes free

C:\Users\William\Desktop>ppl_runner.exe install
[PPL_RUNNER] main: Start
[PPL_RUNNER] setting up ELAM stuff...
[PPL_RUNNER] install_elam_cert: Opening driver file: elam_driver.sys
[PPL_RUNNER] install_elam_cert: Installed ELAM driver cert
[PPL_RUNNER] Installing Service...
[PPL_RUNNER] install_service: install_service: Created Service: C:\Users\William\Desktop\ppl_runner.exe service
[PPL_RUNNER] install_service: Run 'net start ppl_runner' to start the service

C:\Users\William\Desktop>"C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x64\signtool.exe" sign /fd SHA256 /a /v /ph /f "C:\Users\William\Desktop\ppl_runner.pfx" /p password C:\Users\William\Desktop\sealighter.exe
The following certificate was selected:
    Issued to: ppl_runner
    Issued by: ppl_runner
    Expires:   Thu Dec 16 10:19:29 2021
    SHA1 hash: A1ACEFDA23A0874A61A72D68F21CF1F3BE159F82

Done Adding Additional Store
Successfully signed: C:\Users\William\Desktop\sealighter.exe

Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0

C:\Users\William\Desktop>REG.exe ADD HKLM\SOFTWARE\PPL_RUNNER /ve /t REG_SZ /d "C:\Users\William\Desktop\sealighter.exe C:\Users\William\Desktop\sealighter.conf"
The operation completed successfully.

C:\Users\William\Desktop>net start ppl_runner
The ppl_runner service is starting.
The ppl_runner service could not be started.

The service did not report an error.

More help is available by typing NET HELPMSG 3534.


C:\Users\William\Desktop>sc query ppl_runner

SERVICE_NAME: ppl_runner
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

This is what I can see in dbgview:

[5948] [PPL_RUNNER] main: Start
[5948] [PPL_RUNNER] Starting as a service...
[5948] [PPL_RUNNER] ServiceMain: Starting
[5948] [PPL_RUNNER] start_child_process: Starting
[5948] [PPL_RUNNER] start_child_process: Looking for command in RegKey: HKLM\SOFTWARE\PPL_RUNNER
[5948] [PPL_RUNNER] start_child_process: Creating Process: 'C:\Users\William\Desktop\sealighter.exe C:\Users\William\Desktop\sealighter.conf'
[5948] [PPL_RUNNER] start_child_process finished
[5948] [PPL_RUNNER] ServiceMain: Finished

This is the sealighter configuration I am using:

{
    "session_properties": {
        "session_name": "Sealighter-Trace",
        "output_format": "file",
        "output_filename": "output.json"
    },
    "user_traces": [
        {
            "trace_name": "TI-Trace",
            "provider_name": "Microsoft-Windows-Threat-Intelligence"
        }
    ]
}

I can see that Sealighter was started but stopped abruptly:

7:42:19.1794340 AM	ppl_runner.exe	6892	Process Start		SUCCESS	Parent PID: 648, Command line: C:\Users\William\Desktop\ppl_runner.exe service, Current directory: C:\WINDOWS\system32\, Environment: 
	ALLUSERSPROFILE=C:\ProgramData
	APPDATA=C:\WINDOWS\system32\config\systemprofile\AppData\Roaming
	ChocolateyInstall=C:\ProgramData\chocolatey
	CommonProgramFiles=C:\Program Files\Common Files
	CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files
	CommonProgramW6432=C:\Program Files\Common Files
	COMPUTERNAME=DESKTOP-44DELBI
	ComSpec=C:\WINDOWS\system32\cmd.exe
	DriverData=C:\Windows\System32\Drivers\DriverData
	LOCALAPPDATA=C:\WINDOWS\system32\config\systemprofile\AppData\Local
	NUMBER_OF_PROCESSORS=2
	OS=Windows_NT
	Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\WINDOWS\System32\OpenSSH\;C:\Program Files\Microsoft SQL Server\110\Tools\Binn\;C:\Program Files (x86)\Microsoft SDKs\TypeScript\1.0\;C:\Program Files\Microsoft SQL Server\120\Tools\Binn\;C:\Program Files\Git\cmd;C:\RE\openjdk-11.0.2_windows-x64_bin\jdk-11.0.2\bin;C:\Program Files (x86)\LLVM\bin;C:\ProgramData\chocolatey\bin;C:\WINDOWS\system32\config\systemprofile\AppData\Local\Microsoft\WindowsApps
	PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
	PROCESSOR_ARCHITECTURE=AMD64
	PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 142 Stepping 10, GenuineIntel
	PROCESSOR_LEVEL=6
	PROCESSOR_REVISION=8e0a
	ProgramData=C:\ProgramData
	ProgramFiles=C:\Program Files
	ProgramFiles(x86)=C:\Program Files (x86)
	ProgramW6432=C:\Program Files
	PSModulePath=C:\Program Files\WindowsPowerShell\Modules;C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules
	PUBLIC=C:\Users\Public
	SystemDrive=C:
	SystemRoot=C:\WINDOWS
	TEMP=C:\WINDOWS\TEMP
	TMP=C:\WINDOWS\TEMP
	USERDOMAIN=WORKGROUP
	USERNAME=DESKTOP-44DELBI$
	USERPROFILE=C:\WINDOWS\system32\config\systemprofile
	VS120COMNTOOLS=C:\Program Files (x86)\Microsoft Visual Studio 12.0\Common7\Tools\
	windir=C:\WINDOWS
7:42:19.1794412 AM	ppl_runner.exe	6892	Thread Create		SUCCESS	Thread ID: 6700
7:42:19.1827563 AM	ppl_runner.exe	6892	Load Image	C:\Users\William\Desktop\ppl_runner.exe	SUCCESS	Image Base: 0x7ff6e4ea0000, Image Size: 0x27000
7:42:19.1828115 AM	ppl_runner.exe	6892	Load Image	C:\Windows\System32\ntdll.dll	SUCCESS	Image Base: 0x7ffc9df80000, Image Size: 0x1f0000
7:42:19.1835440 AM	ppl_runner.exe	6892	Load Image	C:\Windows\System32\kernel32.dll	SUCCESS	Image Base: 0x7ffc9d190000, Image Size: 0xb2000
7:42:19.1836497 AM	ppl_runner.exe	6892	Load Image	C:\Windows\System32\KernelBase.dll	SUCCESS	Image Base: 0x7ffc9b120000, Image Size: 0x2a5000
7:42:19.1845719 AM	ppl_runner.exe	6892	Load Image	C:\Windows\System32\advapi32.dll	SUCCESS	Image Base: 0x7ffc9d8f0000, Image Size: 0xa3000
7:42:19.1846624 AM	ppl_runner.exe	6892	Load Image	C:\Windows\System32\msvcrt.dll	SUCCESS	Image Base: 0x7ffc9dd00000, Image Size: 0x9e000
7:42:19.1847417 AM	ppl_runner.exe	6892	Thread Create		SUCCESS	Thread ID: 2312
7:42:19.1847964 AM	ppl_runner.exe	6892	Load Image	C:\Windows\System32\sechost.dll	SUCCESS	Image Base: 0x7ffc9c980000, Image Size: 0x97000
7:42:19.1848796 AM	ppl_runner.exe	6892	Load Image	C:\Windows\System32\rpcrt4.dll	SUCCESS	Image Base: 0x7ffc9de20000, Image Size: 0x11f000
7:42:19.1872683 AM	ppl_runner.exe	6892	Thread Create		SUCCESS	Thread ID: 8156
7:42:19.1919210 AM	ppl_runner.exe	6892	Thread Create		SUCCESS	Thread ID: 8180
7:42:19.2889720 AM	ppl_runner.exe	6892	Process Create	C:\Users\William\Desktop\sealighter.exe	SUCCESS	PID: 4164, Command line: C:\Users\William\Desktop\sealighter.exe
7:42:19.2889786 AM	sealighter.exe	4164	Process Start		SUCCESS	Parent PID: 6892, Command line: C:\Users\William\Desktop\sealighter.exe, Current directory: C:\WINDOWS\system32\, Environment: 
	ALLUSERSPROFILE=C:\ProgramData
	APPDATA=C:\WINDOWS\system32\config\systemprofile\AppData\Roaming
	ChocolateyInstall=C:\ProgramData\chocolatey
	CommonProgramFiles=C:\Program Files\Common Files
	CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files
	CommonProgramW6432=C:\Program Files\Common Files
	COMPUTERNAME=DESKTOP-44DELBI
	ComSpec=C:\WINDOWS\system32\cmd.exe
	DriverData=C:\Windows\System32\Drivers\DriverData
	LOCALAPPDATA=C:\WINDOWS\system32\config\systemprofile\AppData\Local
	NUMBER_OF_PROCESSORS=2
	OS=Windows_NT
	Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\WINDOWS\System32\OpenSSH\;C:\Program Files\Microsoft SQL Server\110\Tools\Binn\;C:\Program Files (x86)\Microsoft SDKs\TypeScript\1.0\;C:\Program Files\Microsoft SQL Server\120\Tools\Binn\;C:\Program Files\Git\cmd;C:\RE\openjdk-11.0.2_windows-x64_bin\jdk-11.0.2\bin;C:\Program Files (x86)\LLVM\bin;C:\ProgramData\chocolatey\bin;C:\WINDOWS\system32\config\systemprofile\AppData\Local\Microsoft\WindowsApps
	PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
	PROCESSOR_ARCHITECTURE=AMD64
	PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 142 Stepping 10, GenuineIntel
	PROCESSOR_LEVEL=6
	PROCESSOR_REVISION=8e0a
	ProgramData=C:\ProgramData
	ProgramFiles=C:\Program Files
	ProgramFiles(x86)=C:\Program Files (x86)
	ProgramW6432=C:\Program Files
	PSModulePath=C:\Program Files\WindowsPowerShell\Modules;C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules
	PUBLIC=C:\Users\Public
	SystemDrive=C:
	SystemRoot=C:\WINDOWS
	TEMP=C:\WINDOWS\TEMP
	TMP=C:\WINDOWS\TEMP
	USERDOMAIN=WORKGROUP
	USERNAME=DESKTOP-44DELBI$
	USERPROFILE=C:\WINDOWS\system32\config\systemprofile
	VS120COMNTOOLS=C:\Program Files (x86)\Microsoft Visual Studio 12.0\Common7\Tools\
	windir=C:\WINDOWS
7:42:19.2889849 AM	sealighter.exe	4164	Thread Create		SUCCESS	Thread ID: 6104
7:42:19.2943972 AM	ppl_runner.exe	6892	Thread Exit		SUCCESS	Thread ID: 8156, User Time: 0.0000000, Kernel Time: 0.0000000
7:42:19.2944938 AM	sealighter.exe	4164	Load Image	C:\Users\William\Desktop\sealighter.exe	SUCCESS	Image Base: 0x7ff6a75f0000, Image Size: 0xc9000
7:42:19.2945379 AM	sealighter.exe	4164	Load Image	C:\Windows\System32\ntdll.dll	SUCCESS	Image Base: 0x7ffc9df80000, Image Size: 0x1f0000
7:42:19.2954528 AM	sealighter.exe	4164	Load Image	C:\Windows\System32\kernel32.dll	SUCCESS	Image Base: 0x7ffc9d190000, Image Size: 0xb2000
7:42:19.2955677 AM	sealighter.exe	4164	Load Image	C:\Windows\System32\KernelBase.dll	SUCCESS	Image Base: 0x7ffc9b120000, Image Size: 0x2a5000
7:42:19.2993516 AM	sealighter.exe	4164	Process Create	C:\WINDOWS\system32\conhost.exe	SUCCESS	PID: 3996, Command line: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
7:42:19.3019438 AM	ppl_runner.exe	6892	Load Image	C:\Windows\System32\kernel.appcore.dll	SUCCESS	Image Base: 0x7ffc9ae60000, Image Size: 0x11000
7:42:19.3021754 AM	ppl_runner.exe	6892	Thread Exit		SUCCESS	Thread ID: 6700, User Time: 0.0000000, Kernel Time: 0.0000000
7:42:19.3118863 AM	ppl_runner.exe	6892	Thread Exit		SUCCESS	Thread ID: 8180, User Time: 0.0000000, Kernel Time: 0.0000000
7:42:19.3119109 AM	ppl_runner.exe	6892	Thread Exit		SUCCESS	Thread ID: 2312, User Time: 0.0000000, Kernel Time: 0.0000000
7:42:19.3149935 AM	ppl_runner.exe	6892	Process Exit		SUCCESS	Exit Status: 0, User Time: 0.0000000 seconds, Kernel Time: 0.0156250 seconds, Private Bytes: 749,568, Peak Private Bytes: 749,568, Working Set: 3,485,696, Peak Working Set: 3,489,792
7:42:19.4263398 AM	sealighter.exe	4164	Load Image	C:\Windows\System32\advapi32.dll	SUCCESS	Image Base: 0x7ffc9d8f0000, Image Size: 0xa3000
7:42:19.4264514 AM	sealighter.exe	4164	Load Image	C:\Windows\System32\msvcrt.dll	SUCCESS	Image Base: 0x7ffc9dd00000, Image Size: 0x9e000
7:42:19.4265357 AM	sealighter.exe	4164	Thread Create		SUCCESS	Thread ID: 2256
7:42:19.4265971 AM	sealighter.exe	4164	Load Image	C:\Windows\System32\sechost.dll	SUCCESS	Image Base: 0x7ffc9c980000, Image Size: 0x97000
7:42:19.4275787 AM	sealighter.exe	4164	Load Image	C:\Windows\System32\rpcrt4.dll	SUCCESS	Image Base: 0x7ffc9de20000, Image Size: 0x11f000
7:42:19.4286444 AM	sealighter.exe	4164	Thread Create		SUCCESS	Thread ID: 4524
7:42:19.4289258 AM	sealighter.exe	4164	Load Image	C:\Windows\System32\ole32.dll	SUCCESS	Image Base: 0x7ffc9d6c0000, Image Size: 0x157000
7:42:19.4290147 AM	sealighter.exe	4164	Load Image	C:\Windows\System32\combase.dll	SUCCESS	Image Base: 0x7ffc9ce50000, Image Size: 0x336000
7:42:19.4290995 AM	sealighter.exe	4164	Load Image	C:\Windows\System32\ucrtbase.dll	SUCCESS	Image Base: 0x7ffc9b530000, Image Size: 0xfa000
7:42:19.4292078 AM	sealighter.exe	4164	Load Image	C:\Windows\System32\bcryptprimitives.dll	SUCCESS	Image Base: 0x7ffc9bf50000, Image Size: 0x81000
7:42:19.4296578 AM	sealighter.exe	4164	Load Image	C:\Windows\System32\gdi32.dll	SUCCESS	Image Base: 0x7ffc9dc20000, Image Size: 0x26000
7:42:19.4297420 AM	sealighter.exe	4164	Load Image	C:\Windows\System32\win32u.dll	SUCCESS	Image Base: 0x7ffc9b090000, Image Size: 0x21000
7:42:19.4298248 AM	sealighter.exe	4164	Load Image	C:\Windows\System32\gdi32full.dll	SUCCESS	Image Base: 0x7ffc9aef0000, Image Size: 0x198000
7:42:19.4299073 AM	sealighter.exe	4164	Load Image	C:\Windows\System32\msvcp_win.dll	SUCCESS	Image Base: 0x7ffc9b680000, Image Size: 0x9e000
7:42:19.4300223 AM	sealighter.exe	4164	Load Image	C:\Windows\System32\user32.dll	SUCCESS	Image Base: 0x7ffc9ca20000, Image Size: 0x194000
7:42:19.4301406 AM	sealighter.exe	4164	Load Image	C:\Windows\System32\oleaut32.dll	SUCCESS	Image Base: 0x7ffc9d820000, Image Size: 0xc5000
7:42:19.4354924 AM	sealighter.exe	4164	Load Image	C:\Windows\System32\tdh.dll	SUCCESS	Image Base: 0x7ffc99bf0000, Image Size: 0xc4000
7:42:19.4367883 AM	sealighter.exe	4164	Load Image	C:\Windows\System32\mintdh.dll	SUCCESS	Image Base: 0x7ffc99a90000, Image Size: 0x6a000
7:42:19.4454161 AM	sealighter.exe	4164	Load Image	C:\Windows\System32\kernel.appcore.dll	SUCCESS	Image Base: 0x7ffc9ae60000, Image Size: 0x11000
7:42:19.4458773 AM	sealighter.exe	4164	Thread Exit		SUCCESS	Thread ID: 6104, User Time: 0.0000000, Kernel Time: 0.0000000
7:42:19.4472737 AM	sealighter.exe	4164	Thread Exit		SUCCESS	Thread ID: 4524, User Time: 0.0000000, Kernel Time: 0.0000000
7:42:19.4489688 AM	sealighter.exe	4164	Thread Exit		SUCCESS	Thread ID: 2256, User Time: 0.0000000, Kernel Time: 0.0000000
7:42:19.4517161 AM	sealighter.exe	4164	Process Exit		SUCCESS	Exit Status: 1, User Time: 0.0000000 seconds, Kernel Time: 0.0000000 seconds, Private Bytes: 1,294,336, Peak Private Bytes: 1,294,336, Working Set: 5,406,720, Peak Working Set: 5,410,816

PS: Thanks for sharing this!!!

Signature Error

Hey! Thanks for the awesome project. I am utilizing the binaries within "Releases" and am getting the following:

PS C:\Tools\Random> .\ppl_runner.exe install
[PPL_RUNNER] main: Start
[PPL_RUNNER] setting up ELAM stuff...
[PPL_RUNNER] install_elam_cert: Opening driver file: elam_driver.sys
[PPL_RUNNER] install_elam_cert: Installed ELAM driver cert
[PPL_RUNNER] Installing Service...
[PPL_RUNNER] install_service: install_service: Created Service: C:\Tools\Random\ppl_runner.exe service
[PPL_RUNNER] install_service: Run 'net start ppl_runner' to start the service
PS C:\Tools\Random> net start ppl_runner
System error 577 has occurred.

Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source

Generated a new cert via the .ps1 and signed sealighter.exe, ppl_runner.exe and elam_driver.sys.

Test Signing is turned on.

Thanks in advance!

Error setting element data (bcdedit)

When I execute bcdedit /set testsigning on, I get this message:

Error setting element data.
The value is protected by the Secure Boot policy and cannot be changed or deleted.

net start ppl_runner failed with error code 577

Done:
Turned off Secure Boot.
bcdedit /set testsigning on and rebooted; test mode successful.

1. ppl_runner install successful
2. REG.exe ADD HKLM\SOFTWARE\PPL_RUNNER /ve /t REG_SZ /d "c:\test.exe" successful
3. net start ppl_runner failed
4. sc query ppl_runner
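Added example, not code from the PPLRunner project or from any of the posters above: a PowerShell pre-flight script that checks the conditions behind the "Signature Error" and "bcdedit" issues (Secure Boot state, test signing, the Authenticode status of the three files) and the registry command line from the first issue. It assumes the file names and the HKLM\SOFTWARE\PPL_RUNNER key shown in the posts; the function name Test-PplRunnerPrereqs and the -Dir parameter are my own.

```powershell
# Added example (not PPLRunner's own code). Assumes the layout shown in the posts:
# ppl_runner.exe, elam_driver.sys and the child binary in one folder, and the
# child command line stored as the default value of HKLM\SOFTWARE\PPL_RUNNER.
# Run from an elevated PowerShell prompt; bcdedit and Secure Boot queries need it.
param([string]$Dir = $PWD.Path)

function Test-PplRunnerPrereqs {
    param([string]$Dir)
    $findings = @()

    # Issue 3: bcdedit refuses "testsigning on" while Secure Boot is enabled,
    # and without test signing the self-signed ELAM driver is rejected (577).
    try {
        if (Confirm-SecureBootUEFI) {
            $findings += 'Secure Boot is ON; disable it in firmware before bcdedit /set testsigning on.'
        }
    } catch { $findings += 'Secure Boot state unavailable (legacy BIOS or not elevated).' }
    $bcd = (bcdedit /enum '{current}') -join "`n"
    if ($bcd -notmatch 'testsigning\s+Yes') { $findings += 'testsigning is not enabled for the current boot entry.' }

    # Issue 2: error 577 is ERROR_INVALID_IMAGE_HASH, i.e. the loader rejected a
    # signature. A self-signed test cert shows as UnknownError (untrusted root),
    # which is expected here; NotSigned or HashMismatch is the real problem.
    $thumbs = @{}
    foreach ($f in 'ppl_runner.exe', 'elam_driver.sys', 'sealighter.exe') {
        $p = Join-Path $Dir $f
        if (-not (Test-Path $p)) { $findings += "$f is missing from $Dir"; continue }
        $sig = Get-AuthenticodeSignature -FilePath $p
        if ($sig.Status -in @('NotSigned', 'HashMismatch')) { $findings += "$f signature status: $($sig.Status)" }
        elseif ($sig.SignerCertificate) { $thumbs[$f] = $sig.SignerCertificate.Thumbprint }
    }
    if (@($thumbs.Values | Select-Object -Unique).Count -gt 1) {
        $pairs = ($thumbs.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ', '
        $findings += "Files are signed with different certificates: $pairs"
    }

    # Issue 1: the child exited immediately. Make sure the registry command line
    # names an existing executable and that every path-like argument (such as
    # the sealighter.conf path in the first post) exists on disk as well.
    $cmd = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\PPL_RUNNER' -ErrorAction SilentlyContinue).'(default)'
    if (-not $cmd) { $findings += 'HKLM\SOFTWARE\PPL_RUNNER default value is not set.' }
    else {
        $tokens = [regex]::Matches($cmd, '"([^"]+)"|(\S+)') |
            ForEach-Object { if ($_.Groups[1].Success) { $_.Groups[1].Value } else { $_.Groups[2].Value } }
        foreach ($t in $tokens) {
            if ($t -match '^[A-Za-z]:\\' -and -not (Test-Path -LiteralPath $t)) { $findings += "Path in the PPL_RUNNER command line does not exist: $t" }
        }
    }
    return $findings
}

$result = @(Test-PplRunnerPrereqs -Dir $Dir)
if ($result.Count -eq 0) { 'All pre-flight checks passed.' } else { $result | ForEach-Object { "FAIL: $_" } }
```

Run it from the folder holding the three files (or pass -Dir) before `net start ppl_runner`; each FAIL line maps to one of the issues above.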

Avoid closing a GUI desktop application

I have a desktop application, is it possible to run this application with ppl_runner? I want to prevent users from closing the application from the task manager.

This is the path of application:

C:\Users\Sistemas\AppData\Local\Programs\Cattr\Cattr.exe
