Process Protection Level Enumerator BOF
August 30, 2021
What is this?
- A Syscall-only BOF file intended to grab process protection attributes, limited to a handful that Red Team operators and pentesters would commonly be interested in.
What problem are you trying to solve?
- There are great tools that exist in order to stealthily obtain access to and dump LSASS memory, thanks to some wonderful authors.
- These (to my knowledge) do not currently preempt an operator from unintentionally using the aforementioned to grab a valid handle to the LSASS process.
- Existing tooling (outside of references in blog posts from the always-helpful @itm4n) does not currently enumerate the protection levels of a given process.
- Obtaining a handle to a PPL-enabled process can lead to a very dead Beacon in very short order.
- This aims to fill that void, allowing an operator to know exactly what the protection level of a desired process is (if any) before unintentionally shooting themselves in the foot, and/or to determine what their next step(s) would/should be, given the output.
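As an added example (not part of the BOF or its repository), the Python below decodes the PS_PROTECTION byte that Windows reports for a process into the protection type and signer this tool enumerates, and runs a defender-side check that LSASS is actually running as a PPL with the Lsa signer. The bit layout and enum values are those published in the Windows SDK (PS_PROTECTED_TYPE / PS_PROTECTED_SIGNER); the process snapshots are constructed sample data.

```python
# Added example: decode the PS_PROTECTION byte Windows reports per process.
# Field layout and enum values are those published in the Windows SDK
# (PS_PROTECTED_TYPE / PS_PROTECTED_SIGNER); the process tables are constructed.
PROTECTED_TYPES = {0: "None", 1: "ProtectedLight", 2: "Protected"}
PROTECTED_SIGNERS = {
    0: "None", 1: "Authenticode", 2: "CodeGen", 3: "Antimalware",
    4: "Lsa", 5: "Windows", 6: "WinTcb", 7: "WinSystem", 8: "App",
}

def decode_protection(level: int) -> dict:
    """Split PS_PROTECTION.Level into Type (bits 0-2), Audit (bit 3), Signer (bits 4-7)."""
    if not 0 <= level <= 0xFF:
        raise ValueError("PS_PROTECTION.Level is a single byte")
    ptype, audit, signer = level & 0x7, (level >> 3) & 0x1, (level >> 4) & 0xF
    return {
        "type": PROTECTED_TYPES.get(ptype, f"Unknown({ptype})"),
        "audit": bool(audit),
        "signer": PROTECTED_SIGNERS.get(signer, f"Unknown({signer})"),
        "protected": ptype != 0,
    }

def describe(level: int) -> str:
    """Human-readable form, e.g. 0x41 -> 'Lsa-Light' (LSASS with RunAsPPL enabled)."""
    p = decode_protection(level)
    if not p["protected"]:
        return "None"
    return f"{p['signer']}-{'Light' if p['type'] == 'ProtectedLight' else 'Full'}"

def audit_lsass(processes) -> list:
    """Defender check over (image, pid, level) tuples: flag lsass.exe not running as Lsa-Light."""
    findings = []
    for name, pid, level in processes:
        if name.lower() != "lsass.exe":
            continue
        p = decode_protection(level)
        if not p["protected"]:
            findings.append(f"{name} (pid {pid}): unprotected, RunAsPPL not in effect")
        elif p["signer"] != "Lsa" or p["type"] != "ProtectedLight":
            findings.append(f"{name} (pid {pid}): unexpected protection {describe(level)}")
    return findings

# Constructed sample snapshots (image, pid, PS_PROTECTION.Level), not real hosts.
HARDENED_HOST = [("lsass.exe", 712, 0x41), ("MsMpEng.exe", 2480, 0x31), ("notepad.exe", 5012, 0x00)]
DEFAULT_HOST = [("lsass.exe", 688, 0x00), ("notepad.exe", 4120, 0x00)]

if __name__ == "__main__":
    for name, pid, level in HARDENED_HOST:
        print(f"{name:<12} pid={pid:<5} level=0x{level:02x} -> {describe(level)}")
    print(audit_lsass(DEFAULT_HOST))
```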
How do I build this?
git clone https://github.com/EspressoCake/Process_Protection_Level_BOF
cd Process_Protection_Level_BOF/src
make
How do I use this?
- Load the Aggressor.cna file from the dist directory, after building
- Determine whatever PID you wish to interrogate
- From a given Beacon: process_protection_enum PROCESS_ID_NUMBER
I tend to touch the stove carelessly, how are you taking care of the injury-prone?
- Currently, the Aggressor script has safeguards
- The current Beacon is checked to ensure that it is administrative, and an x64 process
What does the output look like?
Protected Process Output (screenshot)
Unprotected Process Output (screenshot)