int3hh/ppldump

forked from topotam/ppldump

BYOD (Bring Your Own Driver) Approach to Dumping PPL Procs (Shellcode Injection lol)
Credit

Original credit goes to @Dark_Puzzle, who disclosed the privileged registration here. I only expanded upon this to use an additional IOCTL to open a thread (it calls ZwOpenThread()).

Build

You can build the shellcode / executable using mingw-w64. To do so, just run the following from a Unix / macOS X installation: `x86_64-w64-mingw32-gcc *.c -o ppldump.exe`. Currently only x64 is supported, as I have not been able to obtain a 32-bit version of the zam.sys driver.

Written by Austin Hudson of GuidePoint Security

Usage

Languages

  • C 94.7%
  • Makefile 3.0%
  • Python 1.4%
  • Assembly 0.9%