gabriellandau / pplfault
License: Other
I compiled the x64-release build and then ran PPLFault.exe -v 1548 lsass.dmp, which was successful.
I tried GodFault.exe -v, and in its last steps Windows crashed with a BSOD:
It was stuck at 100% for an hour, and then I force-shut down the laptop.
I tried all Windows recovery options, but they didn't help.
Windows version was Win11 22H2.
Can you point out what GodFault tried to modify, so I can restore it via cmd in the Recovery Environment?
OpenPhysicalMemoryDevice fails to close the handle to the System process, resulting in a handle leak.
This is a low-severity bug in what seems to be test code, but I'm noting it for completeness. E.g. it may be called only via wmain, where all handles will be closed at process exit anyway. It is also possible that when testing this code path, the programmer wants the System process handle in a local variable to assist with debugging.
// Open the System process (PID 4) for full access (PROCESS_ALL_ACCESS)
{
!   hSystemProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, 4);   <<< hSystemProcess handle acquired
    if (NULL == hSystemProcess)
    {
        Log(Error, "Failed to open PROCESS_ALL_ACCESS to System process with GLE 0x%08x", GetLastError());
        goto Cleanup;
    }
    Log(Info, "Opened System process as PROCESS_ALL_ACCESS. Handle is 0x%x", HandleToULong(hSystemProcess));
}
//__debugbreak();
Log(Info, "Press any key to continue...");
_getch();
Cleanup:
+   if (NULL != hSystemProcess)
+   {
+       CloseHandle(hSystemProcess);
+   }
    return hSection;
}
I was unable to compile the project successfully
GetSystem leaks a handle to CSRSS's token. The code should add a CloseHandle(hToken) before returning.
// Impersonate CSRSS, which runs as SYSTEM
bool GetSystem()
{
    HANDLE hToken = NULL;
    HMODULE hNtdll = GetModuleHandleW(L"ntdll.dll");
    CsrGetProcessId_t pCsrGetProcessId = (CsrGetProcessId_t)GetProcAddress(hNtdll, "CsrGetProcessId");
    HANDLE hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, pCsrGetProcessId());
!   if (OpenProcessToken(hProcess, TOKEN_QUERY | TOKEN_DUPLICATE, &hToken))   <<< acquiring hToken
    {
        CloseHandle(hProcess);
!       return ImpersonateLoggedOnUser(hToken);   <<< return path fails to close hToken
    }
    Log(Error, "Failed to open CSRSS's token");
    CloseHandle(hProcess);
    return false;
}
Line 75 in ba4798a
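Both leak reports above (the System process handle in OpenPhysicalMemoryDevice and the CSRSS token in GetSystem) have the same root cause: a return path that skips CloseHandle. The following is an added example, not code from the pplfault repository, showing how an RAII guard closes every handle on every path of a GetSystem-style routine; the `os_handle`, `HandleGuard`, `GetSystemLeakFree` and `fake_*` names are this example's own, and the portable branch uses a counting closer so the accounting can be checked off Windows.

```cpp
#ifdef _WIN32
#include <windows.h>
typedef HANDLE os_handle;
static void os_close(os_handle h) { CloseHandle(h); }
#define NULL_HANDLE NULL
#else
typedef int os_handle;           // stand-in handle type for the portable build
static int g_open = 0;           // live-handle counter (constructed test harness)
static void os_close(os_handle) { --g_open; }
#define NULL_HANDLE 0
#endif
class HandleGuard {              // owns one handle and closes it on scope exit
public:
    explicit HandleGuard(os_handle h = NULL_HANDLE) : h_(h) {}
    ~HandleGuard() { if (h_ != NULL_HANDLE) os_close(h_); }
    HandleGuard(const HandleGuard&) = delete;
    HandleGuard& operator=(const HandleGuard&) = delete;
    os_handle get() const { return h_; }
    os_handle* out() { return &h_; }   // for APIs that write the handle (OpenProcessToken)
    explicit operator bool() const { return h_ != NULL_HANDLE; }
private:
    os_handle h_;
};
// Same control flow as the reported GetSystem (early return from the success branch),
// but hProcess and hToken are closed on every path. The callables stand in for
// OpenProcess(..., CsrGetProcessId()), OpenProcessToken and ImpersonateLoggedOnUser.
template <class OpenProc, class OpenTok, class Impersonate>
bool GetSystemLeakFree(OpenProc open_process, OpenTok open_token, Impersonate impersonate) {
    HandleGuard hProcess(open_process());
    if (!hProcess) return false;                 // the original did not check this
    HandleGuard hToken;
    if (open_token(hProcess.get(), hToken.out())) {
        return impersonate(hToken.get());        // hToken closed by the guard on return
    }
    return false;                                // hProcess closed by the guard on return
}
#ifndef _WIN32
// Constructed fake API for the portable build: each successful open bumps g_open.
static os_handle fake_open_process() { ++g_open; return 1; }
static bool fake_open_token_ok(os_handle, os_handle* out) { ++g_open; *out = 2; return true; }
static bool fake_open_token_fail(os_handle, os_handle*) { return false; }
static bool fake_impersonate(os_handle) { return true; }
// Runs one scenario; returns how many handles stayed open afterwards (0 = no leak).
int leaked_after(bool token_ok) {
    g_open = 0;
    if (token_ok) GetSystemLeakFree(fake_open_process, fake_open_token_ok, fake_impersonate);
    else GetSystemLeakFree(fake_open_process, fake_open_token_fail, fake_impersonate);
    return g_open;
}
#endif
```

On Windows the same guard wraps HANDLE/CloseHandle directly, so the `+ CloseHandle(hSystemProcess)` block proposed for OpenPhysicalMemoryDevice becomes unnecessary once hSystemProcess is a HandleGuard.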
[?] Server does not appear to be running. Attempting to install it...
[+] GetShellcode: 2304 bytes of shellcode written over DLL entrypoint
[+] CSRSS PID is 780
[+] Benign: C:\Windows\System32\EventAggregation.dll.bak
[+] Payload: C:\GodFaultTemp\GodFaultPayload.dll
[+] Placeholder: C:\GodFaultTemp\EventAggregationPH.dll
[+] Acquired exclusive oplock to file: C:\Windows\System32\devobj.dll
[+] Testing initial ability to acquire PROCESS_ALL_ACCESS to System: Failure
[+] Ready. Spawning WinTcb.
[+] SpawnPPL: Waiting for child process to finish.
[!] SpawnPPL: WaitForSingleObject returned 258. Expected WAIT_OBJECT_0. GLE: 5
[!] Server does not appear to be running.
[+] No cleanup necessary. Backup does not exist.
The spawned services.exe does not use any CPU; maybe it's my PC.