Bypassing Windows Defender and PPL Protection with PPLBlade to dump LSASS without Detection | 2 September 2023

Being an offensive security operator, it's crucial to evade the protective measures in place on Windows systems and successfully extract secure processes from memory, such as LSASS.exe. The defensive tools integrated into Windows and those provided by security product vendors continually improve. Consequently, red team professionals must develop new tools or heavily modify existing ones to counter these evolving defense tooling and techniques.

There is a new tool named PPLBlade which is a process memory dumper tool to bypass PPL and avoid detections, developed by pepperoni in the following Github repository:
This is simply a Protected Process Dumper Tool which supports the obfuscation of memory dumps such as LSASS process dumps and facilitates dump file transfer to remote machines without the need to save them onto the disk.

I was interested in experimenting with this program to gauge its effectiveness in extracting credentials from a secured LSASS process, evading Windows Defender.

Capabilities of PPLBlade as mentioned by the author:
1. Bypassing Windows PPL protection
2. Obfuscating memory dump files to evade Defender signature-based detection mechanisms
3. Uploading memory dump file with RAW and SMB upload methods without writing it onto the disk

What is Windows PPL protection?

Quoting the following article:
In Windows 8.1, a new concept of protected service has been introduced to allow anti-malware user-mode services to be launched as a protected service. After the service is launched as protected, Windows uses code integrity to only allow trusted code to load into the protected service. Windows also protects these processes from code injection and other attacks from admin processes. Protected Process Light (PPL) technology is used for controlling and protecting running processes and protecting them from infection by malicious code and the potentially harmful effects of other processes.

How PPLBlade bypasses Windows Protected Process Light (PPL):

PPLBlade abuses PROCEXP152.sys to bypass PPL and obtain a PROCESS_ALL_ACCESS handle to a process protected by PPL. Activities such as process termination, dumping memory etc. are possible after obtaining the PROCESS_ALL_ACCESS handle to a protected process.

Bypassing Defender signature detection for LSASS dump files:

PPLBlade uses a custom callback function based on MiniDumpWriteDump that will receive the bytes of a process dump, and store the bytes in the memory, instead of touching the disk.
The data stored in the memory can be obfuscated/XOR-ed and dropped on the disk. These steps help us to successfully evade the Defender signature-based detection for the dump files.

PPLBlade in Action!

Here is a short video made during the experiments with PPLBlade, just to showcase the basic functionality to bypass PPL and signature detections.

Basic usage as shown in the above video, which uses PROCEXP152.sys to dump LSASS.exe and obfuscate the file before touching the disk:
PPLBlade.exe --mode dothatlsassthing --obfuscate

Deobfuscate memory dump: [It was not shown in the video.]
PPLBlade.exe --mode descrypt --dumpname PPLBlade.dmp --key PPLBlade


PPLBlade GitHub Repository:
Detailed technical blog post by pepperoni:

Last updated on 02 Sep 2023

Go back to Adversary Tactics