pplfault's Issues

GodFault destroyed OS

I compiled the x64-release build and then ran PPLFault.exe -v 1548 lsass.dmp, which was successful.

I tried GodFault.exe -v and in its latest steps Windows crashed with BSOD:
[Screenshot attached: Screenshot_20231119-150549481]

It was stuck at 100% for an hour and then I force-shut down the laptop.
I tried all Windows recovery options, but they didn't help.
The Windows version was Win11 22H2.

Can you point to what GodFault tried to modify, so I can restore it via cmd in the Recovery environment?

OpenPhysicalMemoryDevice fails to close handle to the system process, resulting in a handle leak.

This is a low-sev bug in what seems to be test code, but noting it for completeness. E.g. it may be called only via wmain, where all handles will be closed at process exit anyway. It is also possible that, in testing with this code path, the programmer wants the system process handle in a local variable to assist with debugging.

    
    // Open the System process (PID 4) for full access (PROCESS_ALL_ACCESS)
    {
!        hSystemProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, 4);   <<< hSystemProcess handle acquired
        if (NULL == hSystemProcess)
        {
            Log(Error, "Failed to open PROCESS_ALL_ACCESS to System process with GLE 0x%08x", GetLastError());
            goto Cleanup;
        }
        Log(Info, "Opened System process as PROCESS_ALL_ACCESS.  Handle is 0x%x", HandleToULong(hSystemProcess));
    }

    //__debugbreak();
    Log(Info, "Press any key to continue...");
    _getch();

Cleanup:
+      if (NULL != hSystemProcess)
+        {
+                CloseHandle( hSystemProcess );
+        }
    return hSection;
}

https://github.com/gabriellandau/PPLFault/blob/ba4798aa86ecfe81d1c763445712db72eb43984a/GodFault/GodFault.cpp#LL371C1-L381C6

GetSystem() leaks token handle to CSRSS' token.

GetSystem leaks a token handle to CSRSS's token. The code should add a CloseHandle(hToken) before returning.

// Impersonate CSRSS, which runs as SYSTEM
bool GetSystem()
{
    HANDLE hToken = NULL;
    HMODULE hNtdll = GetModuleHandleW(L"ntdll.dll");
    CsrGetProcessId_t pCsrGetProcessId = (CsrGetProcessId_t)GetProcAddress(hNtdll, "CsrGetProcessId");
    HANDLE hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, pCsrGetProcessId());
    
!    if (OpenProcessToken(hProcess, TOKEN_QUERY | TOKEN_DUPLICATE, &hToken))  <<< acquiring hToken
    {
        CloseHandle(hProcess);
!        return ImpersonateLoggedOnUser(hToken); <<< return path fails to close hToken 
    }

    Log(Error, "Failed to open CSRSS's token");
    
    CloseHandle(hProcess);
    return false;
}

Not working

[?] Server does not appear to be running. Attempting to install it...
[+] GetShellcode: 2304 bytes of shellcode written over DLL entrypoint
[+] CSRSS PID is 780
[+] Benign: C:\Windows\System32\EventAggregation.dll.bak
[+] Payload: C:\GodFaultTemp\GodFaultPayload.dll
[+] Placeholder: C:\GodFaultTemp\EventAggregationPH.dll
[+] Acquired exclusive oplock to file: C:\Windows\System32\devobj.dll
[+] Testing initial ability to acquire PROCESS_ALL_ACCESS to System: Failure
[+] Ready. Spawning WinTcb.
[+] SpawnPPL: Waiting for child process to finish.
[!] SpawnPPL: WaitForSingleObject returned 258. Expected WAIT_OBJECT_0. GLE: 5
[!] Server does not appear to be running.
[+] No cleanup necessary. Backup does not exist.

The spawned services.exe does not use any CPU; maybe it's my PC.