"Bypassing PPL in Userland (again)"

Over the past 6 months, I worked on a new Userland exploit for injecting unsigned code into a PPL. In this new blog post, I discuss my methodology and all the issues I had to solve to achieve this result.

https://blog.scrt.ch/2023/03/17/bypassing-ppl-in-userland-again/


@itm4n omfg, fantastic work man!
@itm4n This is excellent work. Great research.
That typelib issue is a difficult one to mitigate. :)
In the upcoming Win11, we have a very tactical mitigation to make abuse of LdrpKnownDllDirectoryHandle more difficult. We may consider backporting it.
Naturally, a fully controlled write in a target PPL could make direct arbitrary code exec possible, but at least a limited write targeting the DLL directory handle should be mitigated.