Combining Sealighter with unpatched exploits and PPLDump to run the
Microsoft-Windows-Threat-Intelligence ETW Provider without a signed driver.
The Problem - PPL and Anti-Malware
The Microsoft-Windows-Threat-Intelligence ETW provider is an excellent source for detecting process injection and similar attacks. Unlike usermode hooks or ETW providers that emit from inside the monitored process, the Threat-Intelligence provider is very difficult to evade or tamper with, because its events are generated by the kernel rather than by code running in the attacker's process.
However, subscribing to this provider requires a process with very special privileges: it must run as a Protected Process Light (PPL) at the 'Anti-Malware' level or higher. To run a program at this level legitimately you must submit an Early Launch Anti-Malware (ELAM) driver to Microsoft to be co-signed by them, something not everyone has the inclination or reputation to do.
I originally created a research project named PPLRunner, which lets you create PPL processes in a test environment; however, it requires Windows to be put into debug or 'test signing' mode. In theory this can also alter the behaviour of the malware or program you are analysing, which may act differently if it believes it is not on a 'real' machine.
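To see what the 'Anti-Malware or higher' requirement means on a live machine, the following PowerShell lists the protection level of every process it can open. It is an added example, not part of SealighterTI or PPLRunner. It calls NtQueryInformationProcess with the ProcessProtectionInformation class (61), which returns the one-byte PS_PROTECTION value (Type in bits 0-2, Audit in bit 3, Signer in bits 4-7), and opens each process with PROCESS_QUERY_LIMITED_INFORMATION, the one access right a non-protected caller is granted against a PPL. The process list, name lookups and output formatting are this example's own choices.

```powershell
# Added example, not part of SealighterTI: list the PPL protection level of
# every process we can open, to check which ones run as 'Anti-Malware' or higher.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr h);
[DllImport("ntdll.dll")]
public static extern int NtQueryInformationProcess(IntPtr h, int infoClass, ref byte info, int len, out int retLen);
'@

# PS_PROTECTION layout: bits 0-2 Type, bit 3 Audit, bits 4-7 Signer
$ProcessProtectionInformation = 61
$ProtectionTypes = @{ 0 = 'None'; 1 = 'ProtectedLight'; 2 = 'Protected' }
$Signers = @{ 0 = 'None'; 1 = 'Authenticode'; 2 = 'CodeGen'; 3 = 'Antimalware';
              4 = 'Lsa'; 5 = 'Windows'; 6 = 'WinTcb'; 7 = 'WinSystem'; 8 = 'App' }
# The only process access right a non-protected caller is granted on a PPL
$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

function Get-ProcessProtection {
    param([int]$ProcessId, [string]$Name)
    $h = [Win32.Native]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, [uint32]$ProcessId)
    if ($h -eq [IntPtr]::Zero) { return $null }   # pid 0, exited, or access denied
    try {
        [byte]$prot = 0
        [int]$retLen = 0
        $status = [Win32.Native]::NtQueryInformationProcess($h, $ProcessProtectionInformation, [ref]$prot, 1, [ref]$retLen)
        if ($status -ne 0) { return $null }       # NTSTATUS other than STATUS_SUCCESS
        [pscustomobject]@{
            Pid    = $ProcessId
            Name   = $Name
            Type   = $ProtectionTypes[[int]($prot -band 0x7)]
            Signer = $Signers[[int]($prot -shr 4)]
        }
    } finally {
        [void][Win32.Native]::CloseHandle($h)
    }
}

# Only protected processes are interesting here (csrss, services, and lsass when
# RunAsPPL is on); an unprotected process has Type 'None' and is filtered out.
Get-Process | ForEach-Object { Get-ProcessProtection -ProcessId $_.Id -Name $_.ProcessName } |
    Where-Object { $_ -and $_.Type -ne 'None' } |
    Sort-Object Signer, Name | Format-Table -AutoSize
```

Run it while a SealighterTI trace is active: the SealighterTI.exe entry should report Type ProtectedLight with a Signer at the Antimalware level or above, which is exactly the level the Threat-Intelligence provider demands. An ordinary console started from the same desktop does not appear at all, because its Type is None.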
The Solution - Exploit to success
Back in 2018 Alex Ionescu and James Forshaw presented a series of talks and blog posts covering many ways to trick Windows into illegitimately running arbitrary code at the PPL level. A number of these techniques remain unpatched to this day.
The Glue - SealighterTI
PPLDump, by Clément Labro, uses one of these unpatched techniques to gain PPL-level execution and then uses that access to dump the memory of lsass.exe. I've taken Clément's awesome code and instead combined it with my ETW logging tool Sealighter, so you can get events from the Microsoft-Windows-Threat-Intelligence provider logged to the Windows Event Log. This works on a 'production' machine, without a signed driver and without putting the machine into 'test signing' mode.
To use pre-built binaries, download SealighterTI.exe and sealigher_provider.man from the Releases page.
To build manually, first check out the source code, making sure to clone recursively so the submodules are fetched:
git clone --recursive https://github.com/pathtofile/SealighterTI.git
In most circumstances only the 'Release' build will actually inject successfully, so build and use that in 99% of cases.
First, open sealigher_provider.man in a text editor and replace every occurrence of !!SEALIGHTER_LOCATION!! with the full path to the SealighterTI.exe binary. Then, from an elevated command prompt, run:
wevtutil im path/to/sealigher_provider.man
Then just run SealighterTI.exe. For the first run, I recommend running with the debug flag:
For the first run I also recommend having a copy of Sysinternals' DebugView (DbgView) open with the "Capture Global Win32" option set, so you can also see the debug logs from the DLL/PPL process. If run correctly it should look like this:
To stop the trace, press 'ctrl+c' in the
See this blog for the technical details about how everything works.
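The whole install-and-run procedure above, as an added PowerShell example that is not SealighterTI's own code. It assumes the release files were extracted to C:\Tools\SealighterTI and that the manifest registers an event log channel named Sealighter/Operational; both are assumptions, so check the channel name in sealigher_provider.man before running. It also adds the two checks the steps above rely on: that the prompt is elevated, and that the placeholder really was replaced with a full path before wevtutil imports the manifest.

```powershell
# Added example, not SealighterTI's own code. Assumptions: release files are
# extracted to $Root, and the manifest registers the channel named in $Channel.
$Root     = 'C:\Tools\SealighterTI'
$Exe      = Join-Path $Root 'SealighterTI.exe'
$Manifest = Join-Path $Root 'sealigher_provider.man'
$Channel  = 'Sealighter/Operational'   # assumed; confirm against the <channel> element in the .man file

# Both 'wevtutil im' and the PPL trace need an elevated prompt
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell prompt.'
}
if (-not (Test-Path $Exe)) { throw "SealighterTI.exe not found at $Exe" }

# Step 1: point the manifest at the binary. The path must be absolute because the
# Event Log service, not this shell, is what resolves the message/resource file later.
(Get-Content -Path $Manifest -Raw).Replace('!!SEALIGHTER_LOCATION!!', $Exe) |
    Set-Content -Path $Manifest -Encoding UTF8
if (Select-String -Path $Manifest -Pattern '!!SEALIGHTER_LOCATION!!' -Quiet) {
    throw 'Placeholder still present in the manifest'
}

# Step 2: (re)register the manifest. 'um' first so a stale registration pointing
# at an old path does not linger; it is harmless if nothing was registered yet.
wevtutil um $Manifest 2>$null
wevtutil im $Manifest
if ($LASTEXITCODE -ne 0) { throw "wevtutil im failed with exit code $LASTEXITCODE" }

# Step 3: run the trace in its own console so ctrl+c there stops it without
# killing this script.
Start-Process -FilePath $Exe -WorkingDirectory $Root

# Step 4: once events are flowing, read the newest ones back from the channel.
# Get-WinEvent errors if the channel is still empty, so give the trace a moment.
Start-Sleep -Seconds 10
Get-WinEvent -LogName $Channel -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName, Message |
    Format-List
```

If the import succeeds but Get-WinEvent finds no channel, the name in $Channel does not match the manifest; open the .man file and use the channel name declared there. To remove the registration later, run wevtutil um with the same manifest path.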
The code has lots of 'PPLDump' files and functions?
Yep, I chose to fork PPLDump and alter only the parts I needed to get the ETW trace working. This both makes clear that the exploit parts of the code are courtesy of Clément Labro, and makes it easy to pull any PPLDump bug fixes into SealighterTI.
This has only been tested on Windows 10 x64.