Serious Discussion: Inside Microsoft's plan to kill PPLFault

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,142

Inside Microsoft's plan to kill PPLFault (by Gabriel Landau)

On September 1, 2023, Microsoft released a new build of Windows Insider Canary, version 25941. Insider builds are pre-release versions of Windows that include experimental features that may or may not ever reach General Availability (GA). Build 25941 includes improvements to the Code Integrity (CI) subsystem that mitigate a long-standing issue that enables attackers to load unsigned code into Protected Process Light (PPL) processes.

The PPL mechanism was introduced in Windows 8.1, enabling specially-signed programs to run in such a way that they are protected from tampering and termination, even by administrative processes. The goal was to keep malware from running amok — tampering with critical system processes and terminating anti-malware applications. There is a hierarchy of PPL “levels,” with higher-privilege ones immune from tampering by lower-privilege ones, but not vice-versa. Most PPL processes are managed by Microsoft but members of the Microsoft Virus Initiative are allowed to run their products at the less-trusted Anti-Malware PPL level.


(...)

Exploitation

In September 2022, Gabriel Landau from Elastic Security filed VULN-074311 with MSRC, notifying them of two zero-day vulnerabilities in Windows: one admin-to-PPL and one PPL-to-kernel. Two exploits for these vulnerabilities were provided named PPLFault and GodFault, respectively, along with their source code. These exploits allow malware to bypass LSA protection, terminate or blind EDR software, and modify kernel memory to tamper with core OS behavior - all without the use of any vulnerable drivers. See this article for more details on their impact.

The admin-to-PPL exploit PPLFault leverages the fact that page hashes are not validated for PPL and employs the Cloud Filter API to violate immutability assumptions of files backing SEC_IMAGE sections. PPLFault uses paging to inject code into a DLL loaded within a PPL process running as WinTcb-Light, the most privileged form of PPL. The PPL-to-kernel exploit GodFault first uses PPLFault to get WinTcb-Light code execution, then exploits the kernel’s trust of WinTcb-Light processes to modify kernel memory, granting itself full read-write access to physical memory.

Though MSRC declined to take any action on these vulnerabilities, the Windows Defender team has shown interest. PPLFault and GodFault were released at Black Hat Asia in May 2023 alongside a mitigation to stop these exploits called NoFault.

Mitigation

On September 1, 2023, Microsoft released build 25941 of Windows Insider Canary. This build adds a new check to the memory manager function MiValidateSectionCreate which enables page hashes for all images that reside on remote devices.
 
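The mitigation quoted above enforces page hashes specifically for images mapped from remote devices. A defender-side check that follows from this, added here as an example and not taken from the article, the thread, or any Microsoft tooling: enumerate the modules of running processes, flag any image loaded from a UNC or mapped network path, and report its Authenticode status with the built-in Get-AuthenticodeSignature cmdlet. Protected processes (for example lsass with RunAsPPL) deny module enumeration even to an administrator, so the function reports that rather than failing. The function name and its parameter are assumptions of this example.

```powershell
# Added example, not from the quoted article or the forum thread.
# Lists process modules mapped from remote storage (UNC paths or mapped
# network drives) and their Authenticode signature status. Protected
# processes refuse module enumeration; they are reported, not probed.
function Get-RemoteImageModules {
    [CmdletBinding()]
    param(
        # Process name filter (wildcards allowed); '*' inspects every process.
        [string[]]$ProcessName = '*'
    )

    # DriveType 4 = network drive. Mapped letters are per-session, so this
    # only sees drives mapped for the user running the check.
    $mappedDrives = @(Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 4' |
        ForEach-Object { $_.DeviceID })

    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        try {
            $modules = $proc.Modules
        } catch {
            # Expected for PPL processes: the handle lacks PROCESS_VM_READ /
            # PROCESS_QUERY_INFORMATION, so report and move on.
            [pscustomobject]@{
                Process   = $proc.ProcessName
                PID       = $proc.Id
                Module    = $null
                Remote    = $null
                Signature = "module enumeration denied: $($_.Exception.Message)"
            }
            continue
        }

        foreach ($m in $modules) {
            $path = $m.FileName
            if ([string]::IsNullOrEmpty($path) -or $path.Length -lt 2) { continue }

            # Remote = UNC path, or a drive letter that is a network mapping.
            $isRemote = $path.StartsWith('\\') -or ($mappedDrives -contains $path.Substring(0, 2))
            if (-not $isRemote) { continue }

            $sig = Get-AuthenticodeSignature -FilePath $path
            [pscustomobject]@{
                Process   = $proc.ProcessName
                PID       = $proc.Id
                Module    = $path
                Remote    = $true
                Signature = $sig.Status   # Valid, NotSigned, HashMismatch, ...
            }
        }
    }
}

# Usage: run from an elevated PowerShell to see as many processes as possible.
Get-RemoteImageModules | Format-Table -AutoSize
```

Get-AuthenticodeSignature reports whether the file's signature verifies, not whether the signature embeds page hashes; the page-hash requirement introduced in build 25941 is enforced by the kernel at section creation, so a remote image listed here as Valid can still be refused by the memory manager if its signature lacks page hashes.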

Bot

AI-powered Bot
Verified
Apr 21, 2016
3,460
According to the article, Microsoft has released a new build of Windows Insider Canary that includes improvements to the Code Integrity subsystem to mitigate vulnerabilities in Protected Process Light (PPL) processes. The vulnerabilities, known as PPLFault and GodFault, allow attackers to bypass LSA protection, terminate or blind EDR software, and modify kernel memory without the use of vulnerable drivers. Although the vulnerabilities were initially declined by MSRC, the Windows Defender team has shown interest. The article also mentions a mitigation called NoFault, which was released at Black Hat Asia. Finally, Microsoft's new build adds a check to the memory manager function to enable page hashes for all images on remote devices.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,142
They want to kill people now? ;):D
Only faulty ones. :alien:
But seriously, the last few years are not good for the security of the Windows kernel. That is why Microsoft forces solutions based on Virtualization Based Security (VBS).
It is possible that after 10 years, we will have to use UVBS = Under VBS (to protect VBS). :confused:
 

SpyNetGirl

Level 3
Well-known
Jan 30, 2023
113
I can't even begin to explain how deceptive and misleading these articles released by 3rd party companies are.

"Admin is all you need", yes, always has been. What's the next news? The sky is blue?

Honestly just read Microsoft Security Servicing Criteria for Windows

Or better yet, read my article here: Harden-Windows-Security/Rationale.md at main · HotCakeX/Harden-Windows-Security

Don't let these companies mislead you by their clickbait posts. They only have 1 mission, to say Microsoft is bad, we are good, so buy our products.

If you already have Admin access, you can disable any protection you want. You don't need any exploits. You have Admin access? You can nicely just turn off any EDR using their dashboard.
 

SpyNetGirl

Level 3
Well-known
Jan 30, 2023
113
It is interesting how differently people can see the same article. :)
I had several thoughts after reading that article, but nothing similar to the @SpyNetGirl post.

I only care about the facts. I talked to the people who wrote that article and have seen so many other similar articles from other rival companies.

They all have 1 mission: sh*t on Microsoft, sell their own products. It's an easily recognizable trend and I'm not the only one who is seeing this trend. What matters is clicks, attention and views, nothing else.

Next time I'm gonna make a video of myself turning off Defender or adding the entire C folder to exclusion list and then will be like: Oh here is a bypass, forget about exploits, all you need is admin. lol
 

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,662
I only care about the facts. I talked to the people who wrote that article and have seen so many other similar articles from other rival companies.

They all have 1 mission: sh*t on Microsoft, sell their own products. It's an easily recognizable trend and I'm not the only one who is seeing this trend. What matters is clicks, attention and views, nothing else.

Next time I'm gonna make a video of myself turning off Defender or adding the entire C folder to exclusion list and then will be like: Oh here is a bypass, forget about exploits, all you need is admin. lol
I only care about facts as well. Here are five.

First, most of the third party cybersecurity companies existed long before Microsoft decided to get serious about malware. Many of these third party companies developed tech that Microsoft utilizes in their own cybersecurity products today. Do you want all third party cybersecurity companies to step aside, and simply shut down their business because Microsoft “has everything under control”?

Second, there are hundreds or thousands of cybersecurity features and tech that third party products offer, that no one else can. These features increase efficacy bigtime.

Third, have you ever heard the phrase “security through obscurity”? Microsoft is by far the biggest target for malware authors, and this will only worsen over time.

Fourth, WDAC and SAC are not nearly as great or effective as you suggest. In short, WDAC is inflexible and SAC is not zero-trust. A kernel mode driver, written mainly by Microsoft, and supplied by a third party has tons of advantages over WDAC and SAC, not just in efficacy, but in usability as well. There is absolutely no comparison.

Fifth, your product is third party as well. Just because it is a script, and not a pre-compiled binary, does not exclude it from third party status. If Microsoft did not write it, then it is third party.
 

SpyNetGirl

Level 3
Well-known
Jan 30, 2023
113
I only care about facts as well. Here are five.

First, most of the third party cybersecurity companies existed long before Microsoft decided to get serious about malware. Many of these third party companies developed tech that Microsoft utilizes in their own cybersecurity products today. Do you want all third party cybersecurity companies to step aside, and simply shut down their business because Microsoft “has everything under control”?

Second, there are hundreds or thousands of cybersecurity features and tech that third party products offer, that no one else can. These features increase efficacy bigtime.

Third, have you ever heard the phrase “security through obscurity”? Microsoft is by far the biggest target for malware authors, and this will only worsen over time.

Fourth, WDAC and SAC are not nearly as great or effective as you suggest. In short, WDAC is inflexible and SAC is not zero-trust. A kernel mode driver, written mainly by Microsoft, and supplied by a third party has tons of advantages over WDAC and SAC, not just in efficacy, but in usability as well. There is absolutely no comparison.

Fifth, your product is third party as well. Just because it is a script, and not a pre-compiled binary, does not exclude it from third party status. If Microsoft did not write it, then it is third party.

Well, you're from voodooshield company and have to sell your product too and make a living, nobody is against that of course, so I understand the sentiment and where you're coming from.

No, I don't say 3rd party companies should shut down, but they do need to stop with fake articles and attention seeking posts.

Yes, Microsoft is a big target because they have a large user base. Just like Wordpress, Android etc. that are used by billions of people. However, what Microsoft is doing is fundamental changes. They have full control over their environment.
Google for example can't make any changes they want to Android, they are limited by the Linux community and their support. This article is a good read

You're completely wrong about WDAC and SAC stuff though, off topic to go into details about them in here, but if you're interested, I suggest reading my articles and then ask specific questions about them on GitHub and I can explain further.

I never said my content is 1st party.
 

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,662
Well, you're from voodooshield company and have to sell your product too and make a living, nobody is against that of course, so I understand the sentiment and where you're coming from.

No, I don't say 3rd party companies should shut down, but they do need to stop with fake articles and attention seeking posts.

Yes, Microsoft is a big target because they have a large user base. Just like Wordpress, Android etc. that are used by billions of people. However, what Microsoft is doing is fundamental changes. They have full control over their environment.
Google for example can't make any changes they want to Android, they are limited by the Linux community and their support. This article is a good read

You're completely wrong about WDAC and SAC stuff though, off topic to go into details about them in here, but if you're interested, I suggest reading my articles and then ask specific questions about them on GitHub and I can explain further.

I never said my content is 1st party.
I certainly appreciate your enthusiasm for cybersecurity, and I think you have done an amazing job describing several aspects of Windows Security that many people do not spend the time or effort to understand. I also agree with you on the marketing aspect, but please keep in mind that when other people read your verbiage (as well as CyberLocks), they have the same reaction. You and I use particular verbiage because we believe it to be true, but other people might not see it that way.

A kernel mode driver will provide a developer all the access they need to properly protect a computer. Even MD uses a kernel mode driver. I think what you are trying to exemplify is that, for example, many users have requested a version of VS / CL for Android and Apple. But since we do not have access to the kernel, we are not able to build a version of our software for their platform.

I have read through your material several times, and I could be wrong about WDAC, so I created a new thread so we can intelligently and civilly discuss this further...


As far as SAC is concerned, here is Microsoft's description...


How does Smart App Control work?


When you try to run an app on Windows, Smart App Control will check to see if our intelligent cloud-powered security service can make a confident prediction about its safety. If the service believes the app to be safe, Smart App Control will let it run. If the app is believed to be malicious or potentially unwanted, then Smart App Control will block it.


If the security service is unable to make a confident prediction about the app, then Smart App Control checks to see if the app has a valid signature. If the app has a valid signature, Smart App Control will let it run. If the app is unsigned, or the signature is invalid, Smart App Control will consider it untrusted and block it for your protection.
I am sorry, but that is not deny-by-default / zero-trust. Auto allowing by digital signature alone is dangerous and lazy.

As far as WDAC is concerned...

WDAC without ISG is unusable. WDAC with ISG is not true deny-by-default / zero-trust.

Edit: I forgot to mention that I have a list of 19,000+ files / hashes from the WhitelistCloud database that are likely malware and will likely bypass SmartScreen, SAC and ISG.
 

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,662
How did you check it?
How many of them could compromise the combo MS Defender (paid or tweaked) + SmartScreen?

Post edited.
The file is executed and a lot of data is extracted and evaluated. I hope to be able to do this with ISG as well soon, and then compare the SmartScreen results.

MS Defender is disabled during the tests (as it is in almost all malware tests), so I have no idea if MD would have blocked the malware or not, since that was not the focus of the analysis.

My only point is that a lot of people consider WDAC + ISG to be deny-by-default / zero-trust, when it actually is not. In other words, one cannot cobble together 3-4 relatively effective security layers, and honestly claim that it is true zero-trust. In order to be true zero-trust, there needs to be a single monolithic blocking mechanism that blocks everything that needs to be blocked. It is nice to have extra layers as an added precaution, but the main blocking mechanism should not be easily bypassable for the same attack vector if the samples change slightly.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,142
...
My only point is that a lot of people consider WDAC + ISG to be deny-by-default / zero-trust, when it actually is not.

WDAC + ISG is smart deny-by-default in a similar meaning to CyberLock. It is not zero-trust, but it can be a part of Zero Trust Model in the meaning promoted by Microsoft:
 
