In this continuing series on the improvements of the protected process mechanism in Windows, we’ll move on past the single use case of LSASS protection and pass-the-hash mitigation through the Protected Process Light (PPL) feature, and into generalized system-wide use cases for PPLs. In this part, we’ll see how Windows uses PPLs to guard critical system processes against modification and how this has prevented the Windows 8 RT jailbreak from working on 8.1. We’ll also take a look at how services can now be configured to run as a PPL (including service hosts), and how the PPL concept brings yet another twist to the unkillable process argument and semantics.

System Protected Processes

To start the analysis, let’s begin with a simple WinDBG script (you should collapse it into one line) to dump the current PID, name, and protection level of all running processes:
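As an added example (not code from the original post), the following Python snippet parses the kind of "pid [image] level: xx" lines such a dump produces and decodes the protection byte into its fields. The bit layout (Type in bits 0-2, Audit in bit 3, Signer in bits 4-7) is assumed from the Windows 8.1 `_PS_PROTECTION` kernel structure, and the sample dump lines are constructed, not captured from a real system.

```python
# Added example: decode the _PS_PROTECTION.Level byte that a WinDBG process dump
# prints as "level". Layout assumed from the Windows 8.1 kernel structure:
# bits 0-2 Type, bit 3 Audit, bits 4-7 Signer.
import re

PROTECTION_TYPES = {0: "None", 1: "ProtectedLight", 2: "Protected"}
PROTECTION_SIGNERS = {
    0: "None", 1: "Authenticode", 2: "CodeGen", 3: "Antimalware",
    4: "Lsa", 5: "Windows", 6: "WinTcb",
}

def decode_protection(level: int) -> dict:
    """Split a PS_PROTECTION.Level byte into its Type, Audit and Signer fields."""
    if not 0 <= level <= 0xFF:
        raise ValueError("protection level is a single byte")
    ptype = level & 0x7
    audit = (level >> 3) & 0x1
    signer = (level >> 4) & 0xF
    return {
        "type": PROTECTION_TYPES.get(ptype, f"Unknown({ptype})"),
        "audit": bool(audit),
        "signer": PROTECTION_SIGNERS.get(signer, f"Unknown({signer})"),
    }

# Constructed sample of "pid [image] level: xx" output; the values are
# illustrative only and were not captured from a real machine.
SAMPLE_DUMP = """\
00000004 [System] level: 62
000001f8 [\\Device\\HarddiskVolume2\\Windows\\System32\\smss.exe] level: 61
00000268 [\\Device\\HarddiskVolume2\\Windows\\System32\\csrss.exe] level: 61
000002a0 [\\Device\\HarddiskVolume2\\Windows\\System32\\lsass.exe] level: 41
"""
LINE_RE = re.compile(r"^([0-9a-f]{8}) \[(.*)\] level: ([0-9a-f]{2})$")

def parse_dump(text: str) -> list:
    """Parse dump lines into (pid, image, decoded protection) tuples."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((int(m.group(1), 16), m.group(2),
                         decode_protection(int(m.group(3), 16))))
    return rows

if __name__ == "__main__":
    for pid, image, prot in parse_dump(SAMPLE_DUMP):
        print(f"{pid:6d} {prot['type']:<15} {prot['signer']:<12} {image}")
```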