The Evolution of Protected Processes Part 2: Exploit/Jailbreak Mitigations, Unkillable Processes and Protected Services

December 11, 2013

| | Counter Adversary Operations
In this continuing series on the improvements of the protected process mechanism in Windows, we’ll move on past the single use case of

 

LSASS protection and pass-the-hash mitigation

 

through the Protected Process Light (PPL) feature, and into generalized system-wide use cases for PPLs.
In this part, we’ll see how Windows uses PPLs to guard critical system processes against modification and how this has prevented the Windows 8 RT jailbreak from working on 8.1. We’ll also take a look at how services can now be configured to run as a PPL (including service hosts), and how the PPL concept brings yet another twist to the unkillable process argument and semantics. System Protected Processes To start the analysis, let’s begin with a simple WinDBG script (you should collapse it into one line) to dump the current PID, name, and protection level of all running processes:
lkd> !for_each_process "
r? @$t0 = (nt!_EPROCESS*) @#Process;
.if @@(@$t0->Protection.Level) 
{
.printf /D "%08x <b>
Breaches Stop Here