Explore the intricacies of Windows Protected Process Light (PPL) mechanism and its vulnerabilities in this 30-minute Black Hat conference talk. Delve into the history of PPL bypasses, focusing on the notorious PPLdump tool and its implications for Windows security. Learn about the design of PPL, its role in hardening anti-malware and critical Windows services, and the Windows Code Integrity subsystem. Examine the long-lived vulnerabilities in PPL, their real-world impact, and Microsoft's approach to patching these issues. Gain insights into historical exploits, their mitigations, and the ongoing challenges in securing Windows systems against PPL bypasses.
Overview
Syllabus
PPLdump Is Dead. Long Live PPLdump!
Taught by
Black Hat
Related Courses
-
How to Bypass AM-PPL & Disable EDRs - A Red Teamer's Story
-
A New CVE-2015-0057 Exploit Technology
-
Black Box is Dead - Long Live Black Box!
-
Back to the Epilogue - How to Evade Windows' Control Flow Guard with Less than 16 Bytes
-
Digging for IE11 Sandbox Escapes Part 1
-
Analysis of the Attack Surface of Windows 10 Virtualization-Based Security
