Mattiwatti/PPLKiller

Expanding PPLKiller's features

Closed this issue · 2 comments

Hello,

I've been trying to give Full protection to some processes instead of removing it, but I fail to print the results (of an existing fully protected process) in WinDbg so I can know what flags I should apply for that.

If I understand correctly, I have to change these two variables: https://github.com/Mattiwatti/PPLKiller/blob/master/PPLKiller/main.cpp#L544

But what's the value for Full Protection (WinTcb)?

I doubt you want to change the image and section signature levels of a process to WinTcb, unless you have the private key for a Microsoft TCB certificate of course. But in that case your time would be better spent on becoming a millionaire by selling to government agencies and many other possible evil endeavours.

You are probably looking for the PS_PROTECTION field. PS_PROTECTED_TYPE Type determines the actual protection level. This is PsProtectedTypeProtected for the highest level.

Set Audit to 0.

You can set Signer to any value you want, since as far as I'm aware this is only used at process creation time to verify whether a protected process is allowed to create another protected process. But I may be wrong there, as I've never tried this. For the sake of completeness, this value is always PsProtectedSignerWinSystem for System and system-like processes like Memory Compression and Registry, and PsProtectedSignerWindows for licensing-related stuff (sppsvc.exe, GenValObj.exe).
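To make the Type/Audit/Signer layout concrete, here is an added example (not part of this issue thread or of PPLKiller's code) that decodes a raw PS_PROTECTION byte, as read from EPROCESS with `dt nt!_PS_PROTECTION` in WinDbg, into its three fields. The enum values are the public ones from the WDK's ntddk.h; the sample bytes in main are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* PS_PROTECTION is the single byte shown by "dt nt!_PS_PROTECTION" in WinDbg:
 *   bits 0-2 Type (PS_PROTECTED_TYPE), bit 3 Audit, bits 4-7 Signer (PS_PROTECTED_SIGNER).
 * Enum values match the public WDK definitions in ntddk.h. */
typedef enum { PsProtectedTypeNone = 0, PsProtectedTypeProtectedLight = 1,
               PsProtectedTypeProtected = 2 } PS_PROTECTED_TYPE;

typedef enum { PsProtectedSignerNone = 0, PsProtectedSignerAuthenticode = 1,
               PsProtectedSignerCodeGen = 2, PsProtectedSignerAntimalware = 3,
               PsProtectedSignerLsa = 4, PsProtectedSignerWindows = 5,
               PsProtectedSignerWinTcb = 6, PsProtectedSignerWinSystem = 7,
               PsProtectedSignerApp = 8 } PS_PROTECTED_SIGNER;

typedef struct { PS_PROTECTED_TYPE type; unsigned audit; PS_PROTECTED_SIGNER signer; } protection_fields;

/* Split the raw byte with explicit masks rather than a C bitfield, so the
 * result does not depend on the compiler's bitfield layout. */
protection_fields decode_protection(uint8_t level) {
    protection_fields f;
    f.type   = (PS_PROTECTED_TYPE)(level & 0x07);
    f.audit  = (level >> 3) & 0x01;
    f.signer = (PS_PROTECTED_SIGNER)((level >> 4) & 0x0F);
    return f;
}

/* Inverse: pack the three fields back into the byte stored in EPROCESS. */
uint8_t encode_protection(PS_PROTECTED_TYPE type, unsigned audit, PS_PROTECTED_SIGNER signer) {
    return (uint8_t)((type & 0x07) | ((audit & 0x01) << 3) | ((signer & 0x0F) << 4));
}

static const char *const type_names[]   = { "None", "ProtectedLight", "Protected" };
static const char *const signer_names[] = { "None", "Authenticode", "CodeGen", "Antimalware",
                                            "Lsa", "Windows", "WinTcb", "WinSystem", "App" };

const char *type_name(PS_PROTECTED_TYPE t)     { return t <= PsProtectedTypeProtected ? type_names[t] : "Unknown"; }
const char *signer_name(PS_PROTECTED_SIGNER s) { return s <= PsProtectedSignerApp ? signer_names[s] : "Unknown"; }

int main(void) {
    /* Constructed sample values of the kind seen on real processes. */
    const uint8_t samples[] = { 0x00, 0x31, 0x41, 0x62, 0x72 };
    for (size_t i = 0; i < sizeof samples; i++) {
        protection_fields f = decode_protection(samples[i]);
        printf("0x%02x -> Type=%s Audit=%u Signer=%s\n", samples[i],
               type_name(f.type), f.audit, signer_name(f.signer));
    }
    return 0;
}
```

Running it prints one line per sample, e.g. `0x62 -> Type=Protected Audit=0 Signer=WinTcb`, which is the combination the question above is asking about.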

It works! Thanks a lot for the tips!