- Justin Lucas (@the_bit_diddler)
- Brad Campbell (@hackersoup)
Jokingly, an exercise in my own personal sanity maintenance. In reality, this is a faithful port of @itm4n's PPLDump project.
As one may imagine, this is a fully-fledged BOF to dump an arbitrary protected process.
The goal isn't the destination, but the journey. Or that's what I told myself to make the endless suffering of this endeavor a bit less acute. :)
- An administrative session of some kind
- Knowledge of the `PPL` process ID (PID) you wish to dump
- Currently residing in a 64-bit process
- Currently residing on a `Windows 10` or greater endpoint
This is a one-to-one dump of the original resource file created while building the PPLDump project DLL, and you're more than welcome and encouraged to fact-check this. Since the original resource file was embedded (and therefore not usable, as Beacon Object Files have no linking step), this was a way around that. In the future, I may implement the ability to bring them in arbitrarily, but use at your own risk.
- You MUST change the `wcPID` variable, found in `main.c`, to be the same as your desired process ID. Seriously.
- As a result, you MUST build this project from source per endpoint you wish to do this on. There's a `Makefile`, just run it.
- Optionally, you may change the location/name of the `dmp` file. This is `DEFAULT_DUMP_FILE` in `src/headers/exploit.h`.
- Build the project via the `Makefile` in the `src` directory, ensuring again that you have ABSOLUTELY changed the variable mentioned above.
- Load the `Aggressor` CNA file in the `dist` directory.
- Within your Beacon of choice (and one that meets the criteria):

```
ppldump YOUR_PROTECTED_PROCESS_PID
```
- Port more function calls to `syscalls`, but this is a very time-consuming process.
- Fix the unfortunate fail-pile of casting the desired process identifier to a `wchar_t*`. Nothing I tried worked.
- Add support for a user-supplied DLL for other shenanigans.