GitHub - TH3P1T/PPL-0day: Demoting PPL anti-malware services to less than a guest user

Wrote this a while back. Micro$uck never responded to my email, consider this repsonsible.

Can disable any antivirus at boot. Works with any system protected process but is most applicable to AVs.

A race condition allows us to start an anti-malware service and replace it's access token with one corresponding to a supremely deprivileged security context.

Creates WMI filter/consumer to start on boot before svchost.exe: https://github.com/pulpocaminante/PPL-0day/blob/main/AntiAV.hpp

This results in our payload being executed as the SYSTEM user, which then has full privileges to modify the security context of a paused protected child process.

PoC for starting the process paused, replacing the token and resuming it: https://github.com/pulpocaminante/PPL-0day/blob/main/PPL_Start.hpp

The rest of the files are just dependencies.

Requires phnt headers: https://github.com/winsiderss/phnt

For more info on PPLs:

https://learn.microsoft.com/en-us/windows/win32/services/protecting-anti-malware-services-

Name		Name	Last commit message	Last commit date
Latest commit History 27 Commits
AntiAV.hpp		AntiAV.hpp
BindingInterface.hpp		BindingInterface.hpp
Cipher.hpp		Cipher.hpp
ClassFactory.hpp		ClassFactory.hpp
ComWrapper.hpp		ComWrapper.hpp
ExportInterface.hpp		ExportInterface.hpp
PPL_Start.hpp		PPL_Start.hpp
README.md		README.md
RegInterface.hpp		RegInterface.hpp
WMIConnection.hpp		WMIConnection.hpp
WMIFSInterface.hpp		WMIFSInterface.hpp
Win32Interface.hpp		Win32Interface.hpp
config.h		config.h
kernel_defs.h		kernel_defs.h
util.h		util.h
wmi.h		wmi.h
wmi_defs.h		wmi_defs.h
wmicfg.hpp		wmicfg.hpp

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

About

Releases

Packages

Languages

TH3P1T/PPL-0day

Folders and files

Latest commit

History

Repository files navigation

About

Resources

Stars

Watchers

Forks

Releases

Packages 0

Languages

Packages