last-byte/RIPPL last-byte/RIPPL

  • Stars
    star
    6
  • Rank 2,539,965 (Top 51 %)
  • Language
    C
  • License
    MIT License
  • Created over 2 years ago
  • Updated over 2 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
last-byte/RIPPL
github

last-byte

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

RIPPL is a tool that abuses a usermode only exploit to manipulate PPL processes on Windows

RIPPL

Manipulating PPL protected processes without using a driver

defender funny

This tool implements a userland exploit to manipulate Windows PPL protected processes. The technique was initially discussed by James Forshaw (a.k.a. @tiraniddo) and Clément Labro (a.k.a. @itm4n) in the following blogposts.

Usage

Warning: the safe version of the binary NEVER outputs anything, as all the strings and print function are stripped away using conditional compilation macros.

Simply run the executable without any argument and you will get a detailed help/usage (only valid for binaries compiled without defining the OPSEC macro)

c:\Temp>.\rippl.exe
  _____  _____ _____  _____  _
 |  __ \|_   _|  __ \|  __ \| |
 | |__) | | | | |__) | |__) | |      version 0.1
 |  _  /  | | |  ___/|  ___/| |      by @last0x00
 | | \ \ _| |_| |    | |    | |____  forked by itm4n's PPLDump
 |_|  \_\_____|_|    |_|    |______|

Description:
  Manipulate Protected Process Light (PPL) processes with a *userland* exploit

Usage:
  rippl.exe (-D|-K|-S|-R|-L|-X|-W|-Z|-T|-U) [-v] [-d] [-f] (PROC_NAME|PID) [DUMP_FILE|DRIVER_NAME]
  () -> mandatory arguments
  [] -> optional arguments

Operation modes (choose ONLY one):
  -D -> Dump the given process
  -K -> Kill the given process
  -S -> Suspend the given process
  -R -> Resume the previously suspended process
  -L -> Leak a PROCESS_ALL_ACCESS handle to the given process (not yet implemented)
  -X -> Kill the given process by assigning it to a job object and terminating the object
  -W -> Freeze the process by assigning it to a job object and severely constraining its CPU resources
  -Z -> Kill the given process by injecting a thread into it which calls exit(0)
  -T -> Sandbox the process by disabling all of its token's privileges and lowering integrity to untrusted
  -U -> Unload the provided driver

Arguments:
  PROC_NAME   -> The name of the process to interact with
  PID         -> The ID of the process to interact with
  DUMP_FILE   -> The path of the output dump file - valid ONLY with the -D option
  DRIVER_NAME -> The name of the driver to unload - valid ONLY with the -U option

Options:
  -d -> (Debug) Enable debug mode
  -f -> (Force) Bypass DefineDosDevice error check

Examples:
  rippl.exe -K MsMpEng.exe
  rippl.exe -S MsMpEng.exe
  rippl.exe -R MsMpEng.exe
  rippl.exe -D -f lsass.exe lsass.dmp
  rippl.exe -D -d -f 720 out.dmp
  rippl.exe -U Wdfilter

More Repositories

1

PersistenceSniper

Powershell module that can be used by Blue Teams, Incident Responders and System Administrators to hunt persistences implanted in Windows machines. Official Twitter/X account @PersistSniper. Made with ❤️ by @last0x00 and @dottor_morte
PowerShell
1,895
star
2

unDefender

Killing your preferred antimalware by abusing native symbolic links and NT paths.
C++
168
star
3

HppDLL

Source code for HppDLL - local password dumping using MsvpPasswordValidate hooks
C++
76
star
4

DefenderSwitch

Stop Windows Defender using the Win32 API
C++
28
star
5

hybris

Tool to spawn processes as SYSTEM by stealing tokens
C++
21
star
6

Slides

Repository containing slides and talks material
4
star
7

RAII-types

Code to handle certain Windows types using the RAII paradigm
C++
4
star
8

GRIP

Golang RIP Injection Program
Go
2
star