Expanding PPLKiller's features
Closed this issue · 2 comments
Hello,
I've been trying to give full protection to some processes instead of removing them, but I fail to print the results (of an existing fully protected process) in WinDbg so I can know what flags I should apply for that.
If I understand correctly, I have to change those two variables, https://github.com/Mattiwatti/PPLKiller/blob/master/PPLKiller/main.cpp#L544, but what's the value for full protection (WinTcb)?
I doubt you want to change the image and section signature levels of a process to WinTcb, unless you have the private key for a Microsoft TCB certificate of course. But in that case your time would be better spent on becoming a millionaire by selling to government agencies and many other possible evil endeavours.
You are probably looking for the PS_PROTECTION field. The PS_PROTECTED_TYPE Type determines the actual protection level; this is PsProtectedTypeProtected for the highest level. Set Audit to 0.
You can set Signer to any value you want since, as far as I'm aware, this is only used at process creation time to verify whether a protected process is allowed to create another protected process. But I may be wrong there, as I've never tried this. For the sake of completeness, this value is always PsProtectedSignerWinSystem for System and system-like processes like Memory Compression and Registry, and PsProtectedSignerWindows for licensing-related stuff (sppsvc.exe, GenValObj.exe).
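To make the reply above concrete, here is an added example (not PPLKiller's code and not part of the original thread) that encodes and decodes the PS_PROTECTION byte. The enum names and values and the Type/Audit/Signer bit layout are the ones published in the Windows DDK headers; the sample bytes in main() are constructed for illustration, not read from a live system. The point it shows is the one the maintainer makes: "WinTcb" is a Signer value, while whether a process is PP or PPL is decided by the Type field, so "full protection" means Type = PsProtectedTypeProtected regardless of the signer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * PS_PROTECTION is the single byte stored in EPROCESS.Protection. Its layout,
 * as published in the Windows DDK headers, is:
 *   bits 0-2  Type   (PS_PROTECTED_TYPE)
 *   bit  3    Audit
 *   bits 4-7  Signer (PS_PROTECTED_SIGNER)
 * Shifts and masks are used instead of C bit-fields so the result does not
 * depend on the compiler's bit-field ordering.
 */
typedef enum {
    PsProtectedTypeNone           = 0,
    PsProtectedTypeProtectedLight = 1,   /* PPL */
    PsProtectedTypeProtected      = 2,   /* full PP, the highest level */
    PsProtectedTypeMax            = 3
} PS_PROTECTED_TYPE;

typedef enum {
    PsProtectedSignerNone         = 0,
    PsProtectedSignerAuthenticode = 1,
    PsProtectedSignerCodeGen      = 2,
    PsProtectedSignerAntimalware  = 3,
    PsProtectedSignerLsa          = 4,
    PsProtectedSignerWindows      = 5,
    PsProtectedSignerWinTcb       = 6,
    PsProtectedSignerWinSystem    = 7,
    PsProtectedSignerApp          = 8,
    PsProtectedSignerMax          = 9
} PS_PROTECTED_SIGNER;

typedef struct {
    uint8_t Type;
    uint8_t Audit;
    uint8_t Signer;
} PS_PROTECTION_FIELDS;

static const char *const TypeNames[PsProtectedTypeMax] = {
    "PsProtectedTypeNone", "PsProtectedTypeProtectedLight", "PsProtectedTypeProtected"
};
static const char *const SignerNames[PsProtectedSignerMax] = {
    "PsProtectedSignerNone", "PsProtectedSignerAuthenticode", "PsProtectedSignerCodeGen",
    "PsProtectedSignerAntimalware", "PsProtectedSignerLsa", "PsProtectedSignerWindows",
    "PsProtectedSignerWinTcb", "PsProtectedSignerWinSystem", "PsProtectedSignerApp"
};

const char *ps_type_name(uint8_t type) {
    return type < PsProtectedTypeMax ? TypeNames[type] : "<undefined type>";
}

const char *ps_signer_name(uint8_t signer) {
    return signer < PsProtectedSignerMax ? SignerNames[signer] : "<undefined signer>";
}

/* Build the byte for a given Type and Signer with Audit cleared (0). */
uint8_t ps_protection_encode(PS_PROTECTED_TYPE type, PS_PROTECTED_SIGNER signer) {
    return (uint8_t)(((signer & 0x0F) << 4) | (type & 0x07));
}

/* Split a raw byte back into its three fields. */
PS_PROTECTION_FIELDS ps_protection_decode(uint8_t level) {
    PS_PROTECTION_FIELDS f;
    f.Type   = (uint8_t)(level & 0x07);
    f.Audit  = (uint8_t)((level >> 3) & 0x01);
    f.Signer = (uint8_t)((level >> 4) & 0x0F);
    return f;
}

/* 1 if Type and Signer are both inside the published enum ranges, else 0. */
int ps_protection_is_valid(uint8_t level) {
    PS_PROTECTION_FIELDS f = ps_protection_decode(level);
    return f.Type < PsProtectedTypeMax && f.Signer < PsProtectedSignerMax;
}

/* Human-readable rendering, e.g. "0x62 = PsProtectedTypeProtected / PsProtectedSignerWinTcb". */
int ps_protection_describe(uint8_t level, char *buf, size_t n) {
    PS_PROTECTION_FIELDS f = ps_protection_decode(level);
    return snprintf(buf, n, "0x%02X = %s / %s%s", level,
                    ps_type_name(f.Type), ps_signer_name(f.Signer),
                    f.Audit ? " (Audit)" : "");
}

int main(void) {
    /* Constructed sample bytes for illustration; the last two are deliberately malformed. */
    const uint8_t samples[] = { 0x00, 0x41, 0x61, 0x62, 0x72, 0x7B, 0x93 };
    char line[96];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        ps_protection_describe(samples[i], line, sizeof line);
        printf("%s%s\n", line, ps_protection_is_valid(samples[i]) ? "" : "  [undefined encoding]");
    }
    return 0;
}
```

When reading a Protection byte out of EPROCESS in WinDbg, feed it to ps_protection_decode and look at Type first: PsProtectedTypeProtectedLight is PPL, PsProtectedTypeProtected is full PP. Writing a byte back should use ps_protection_encode so that Audit stays 0 and the reserved bits are never set.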
It works! Thanks a lot for the tips!