The Evolution of Protected Processes Part 2: Exploit/Jailbreak Mitigations, Unkillable Processes and Protected Services

December 11, 2013

| | Counter Adversary Operations
In this continuing series on the improvements of the protected process mechanism in Windows, we’ll move on past the single use case of

 

LSASS protection and pass-the-hash mitigation

 

through the Protected Process Light (PPL) feature, and into generalized system-wide use cases for PPLs. In this part, we’ll see how Windows uses PPLs to guard critical system processes against modification and how this has prevented the Windows 8 RT jailbreak from working on 8.1. We’ll also take a look at how services can now be configured to run as a PPL (including service hosts), and how the PPL concept brings yet another twist to the unkillable process argument and semantics. System Protected Processes To start the analysis, let’s begin with a simple WinDBG script (you should collapse it into one line) to dump the current PID, name, and protection level of all running processes: 
lkd> !for_each_process "
r? @$t0 = (nt!_EPROCESS*) @#Process;
.if @@(@$t0->Protection.Level) 
{
.printf /D "%08x <b>
Breaches Stop Here
Related Content
U.S. Department of Justice Indicts Hacktivist Group Anonymous Sudan for Prominent DDoS Attacks in 2023 and 2024
U.S. Department of Justice Indicts Hacktivist Group Anonymous Sudan for Prominent DDoS Attacks in 2023 and 2024
International Authorities Indict, Sanction Additional INDRIK SPIDER Members and Detail Ties to BITWISE SPIDER and Russian State Activity
International Authorities Indict, Sanction Additional INDRIK SPIDER Members and Detail Ties to BITWISE SPIDER and Russian State Activity
How CrowdStrike Hunts, Identifies and Defeats Cloud-Focused Threats
How CrowdStrike Hunts, Identifies and Defeats Cloud-Focused Threats