mattiwatti / pplkiller
Protected Processes Light Killer
License: GNU General Public License v3.0
Hello,
I've been trying to give full protection to some processes instead of removing it, but I fail to print the results (of an existing fully protected process) in WinDbg so I can know what flags I should apply for that.
If I understand correctly, I have to change those two variables, https://github.com/Mattiwatti/PPLKiller/blob/master/PPLKiller/main.cpp#L544
but what's the value for full protection (WinTcb)?
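The protection level the question is asking about is a single byte (nt!_PS_PROTECTION): three bits of Type, one Audit bit and four bits of Signer. The following is an added example, not code from the PPLKiller project, that packs and unpacks that byte using the public PS_PROTECTED_TYPE / PS_PROTECTED_SIGNER enum values; the per-process rows printed by main() (lsass with RunAsPPL, a Defender engine, csrss) are commonly observed values given for illustration and are an assumption about any particular machine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Layout of the one-byte level stored in EPROCESS.Protection
 * (nt!_PS_PROTECTION in the public symbols):
 *   bits 0..2  Type    (PS_PROTECTED_TYPE)
 *   bit  3     Audit
 *   bits 4..7  Signer  (PS_PROTECTED_SIGNER)
 * The enum values match the public SDK/WDK definitions.
 */
enum ps_protected_type {
    PsProtectedTypeNone           = 0,
    PsProtectedTypeProtectedLight = 1,   /* "PPL" */
    PsProtectedTypeProtected      = 2    /* "Full" */
};

enum ps_protected_signer {
    PsProtectedSignerNone         = 0,
    PsProtectedSignerAuthenticode = 1,
    PsProtectedSignerCodeGen      = 2,
    PsProtectedSignerAntimalware  = 3,
    PsProtectedSignerLsa          = 4,
    PsProtectedSignerWindows      = 5,
    PsProtectedSignerWinTcb       = 6,
    PsProtectedSignerWinSystem    = 7,
    PsProtectedSignerApp          = 8
};

typedef struct {
    uint8_t type;
    uint8_t audit;
    uint8_t signer;
} ps_protection_t;

/* Pack Type and Signer into the byte the kernel stores (Audit left clear). */
uint8_t ps_protection_encode(uint8_t type, uint8_t signer)
{
    return (uint8_t)((type & 0x7u) | ((signer & 0xFu) << 4));
}

/* Unpack a raw level byte, e.g. one read from EPROCESS in WinDbg. */
ps_protection_t ps_protection_decode(uint8_t level)
{
    ps_protection_t p;
    p.type   = (uint8_t)(level & 0x7u);
    p.audit  = (uint8_t)((level >> 3) & 0x1u);
    p.signer = (uint8_t)((level >> 4) & 0xFu);
    return p;
}

/* Well-formed only if Type and Signer are defined enum values. */
int ps_protection_is_valid(uint8_t level)
{
    ps_protection_t p = ps_protection_decode(level);
    return p.type <= PsProtectedTypeProtected && p.signer <= PsProtectedSignerApp;
}

const char *ps_type_name(uint8_t type)
{
    static const char *names[] = { "None", "Light", "Full" };
    return type < 3 ? names[type] : "?";
}

const char *ps_signer_name(uint8_t signer)
{
    static const char *names[] = { "None", "Authenticode", "CodeGen", "Antimalware",
                                   "Lsa", "Windows", "WinTcb", "WinSystem", "App" };
    return signer < 9 ? names[signer] : "?";
}

/* Human-readable "Signer (Type)" rendering of a level byte. */
int ps_protection_format(uint8_t level, char *buf, size_t n)
{
    ps_protection_t p = ps_protection_decode(level);
    if (!ps_protection_is_valid(level))
        return snprintf(buf, n, "invalid (0x%02X)", level);
    if (p.type == PsProtectedTypeNone)
        return snprintf(buf, n, "None");
    return snprintf(buf, n, "%s (%s)%s", ps_signer_name(p.signer),
                    ps_type_name(p.type), p.audit ? " [audit]" : "");
}

int main(void)
{
    /* Constructed sample: (level, what it is commonly seen on). */
    const struct { uint8_t level; const char *where; } rows[] = {
        { ps_protection_encode(PsProtectedTypeProtected,      PsProtectedSignerWinTcb),      "full WinTcb protection (asked above)" },
        { ps_protection_encode(PsProtectedTypeProtectedLight, PsProtectedSignerWinTcb),      "csrss.exe (WinTcb-Light, commonly observed)" },
        { ps_protection_encode(PsProtectedTypeProtectedLight, PsProtectedSignerLsa),         "lsass.exe with RunAsPPL" },
        { ps_protection_encode(PsProtectedTypeProtectedLight, PsProtectedSignerAntimalware), "antimalware service (e.g. MsMpEng.exe)" },
        { 0x00, "unprotected process" },
    };
    char buf[64];
    for (size_t i = 0; i < sizeof rows / sizeof rows[0]; i++) {
        ps_protection_format(rows[i].level, buf, sizeof buf);
        printf("0x%02X  %-22s %s\n", rows[i].level, buf, rows[i].where);
    }
    return 0;
}
```

Running it shows that "Full" WinTcb is 0x62 and WinTcb-Light is 0x61; the Signer nibble is what decides which protected processes may open a handle to the target, so the Type and Signer have to be chosen together rather than only bumping the Type.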
I downloaded and installed the VS 2019 preview and the WDK thereafter. I loaded the solution, then ran into an error saying that WDK version 10.0.17763.0 is not available.
The WDK version is in fact 10.0.17763.1 and the solution wants 10.0.17763.0 ... any idea of how to work around this problem? Any way to relax the version requirements in the solution to handle this situation?
Just wondering where you are my friend :)
I added /debug to the command line of Driver Signing.
Here is what I get:
1>------ Build started: Project: PPLKiller, Configuration: Debug x64 ------
1>Building 'PPLKiller' with toolset 'WindowsKernelModeDriver10.0' and the 'Desktop' target platform.
1>PPLKiller.vcxproj -> C:\Users\Igor\Tools\PPLKiller-master\bin\pplkiller.sys
1>
1>The following certificates were considered:
1>SIGNTASK : SignTool error : No certificates were found that met all the given criteria.
1> Issued to: 83410C25-192B-4952-B63B-D89C5F2C6AD6
1>
1> Issued by: Apple iPhone Device CA
1>
1> Expires: Thu Oct 26 04:38:38 2017
1>
1> SHA1 hash: 9B1D9443CDEACADF3C2BAE1F9841AB4435298927
1>
1>
1> Issued to: WDKTestCert Igor,131657141306330865
1>
1> Issued by: WDKTestCert Igor,131657141306330865
1>
1> Expires: Wed Mar 15 20:00:00 2028
1>
1> SHA1 hash: 1F326A338F1C73EFB0CBA345205044CAAD69931E
1>
1>
1>After EKU filter, 1 certs were left.
1>After expiry filter, 1 certs were left.
1>After Hash filter, 1 certs were left.
1>After Private Key filter, 0 certs were left.
1>Done building project "PPLKiller.vcxproj" -- FAILED.
========== Build: 0 succeeded, 1 failed, 0 up-to-date, 0 skipped ==========
I guess the error is from the Apple iPhone Device CA; I assume that comes from another tool which I used to jailbreak an Apple iPhone.
I did everything listed here, but it tells me the service was not found when trying sc start pplkiller or net start.
The weird thing is that e.g. sc GetKeyName or other calls are working; I didn't change the name of the service or anything.
Trying to start the service with Process Hacker gives me the same error.
Hi. Do you have an email address? Thank you.
The certificate shows as valid, but I get this failure message: "[SC] StartService FAILED 577:"
Certificate was installed as Root level trust (Local Machine)
C++ Standard: Latest Preview
Toolset: WindowsKernelModeDriver10.0
Steps to reproduce:
Hi, very nice project. I'm wondering if, after killing PPL, it's possible to restore it? If yes, how can I do that?
Thanks
It does not seem to find the offsets on Windows 10 2004.
PPLKiller works on Windows 8.1 and 10.
Will it work on Windows 2012 and Windows 2016?
Hello,
I have followed the steps you indicate, and I run into a problem.
When I try to start the service, I receive a 1275 error. I'm testing on a Windows 10 x64 1607 build, and also on Windows 7 x64, and on both the problem is the same.
I'm in test mode.
Can you think of what it is due to? I have not modified anything, I have only compiled from Visual Studio 2015.
Thanks
I installed the provided WDK alongside C++ in Visual Studio, but when I open the project it has 250+ errors and I can't compile.
Win10 64, Visual Studio 2017, latest WDK. Can't open the solution:
C:\Program Files (x86)\Windows Kits\10\build\WindowsDriver.KernelMode.Default.props(15,11): A numeric comparison was attempted on "$(_NT_TARGET_VERSION)" that evaluates to "" instead of a number, in condition "$(_NT_TARGET_VERSION) >= $(_NT_TARGET_VERSION_WIN10)".
I am getting
PROCESS_MITIGATION_SYSTEM_CALL_FILTER_POLICY SystemCallFilterPolicy;
PROCESS_MITIGATION_PAYLOAD_RESTRICTION_POLICY PayloadRestrictionPolicy;
PROCESS_MITIGATION_CHILD_PROCESS_POLICY ChildProcessPolicy;
these structs as undefined. I just wondered if it is safe to comment them out, as I got a BSOD after doing that, but I am not sure if that could have anything to do with it.
I'm testing PPLKiller on fully patched and updated Windows 7 and Windows 10 x64 VMs. Did Microsoft updates break your work-around for the MS-signed driver requirement?
Hi,
You mentioned that starting with 10.0.18362.0, PatchGuard will check protection level integrity on system processes. Can you give me a bit of insight on how the kernel does this? Does it have to do with PEAuth.sys? Some references to the code that causes the bugcheck would be very much appreciated!
Thank you in advance!
On Windows 1903 I encounter error 1168 when trying to load the driver.
Probably MSFT changed something again :'(