Bypass LSA protection using the BYODLL technique

Focus17 · 22.09.2024

This is a proof-of-concept that shows how a technique such as Bring Your Own Vulnerable DLL (BYODLL) could be used to bypass LSA Protection, or more generally execute arbitrary code within Protected Processes on Windows.

For more information, please check out my blog post series entitled "Ghost in the PPL".

GitHub - itm4n/PPLrevenant: Bypass LSA protection using the BYODLL technique

Bypass LSA protection using the BYODLL technique. Contribute to itm4n/PPLrevenant development by creating an account on GitHub.

github.com

Sec13B · 25.09.2024

to Bypass LSA protection with BYODLL technique, you need follow all step`s from the series entitled blog "Ghost in the PPL".

shrekushka · 18.03.2025

The technique is almost always:
1. Use OS intrnl structs to identify a rarely used codepath that runs inside the target PPL proc or in an equally privileged PPL.
2. Force or entice that codepath to load your (catalog signed) DLL / to open a handle on your behalf.
3. Profit.

Bypass LSA protection using the BYODLL technique

Focus17

(L2) cache

GitHub - itm4n/PPLrevenant: Bypass LSA protection using the BYODLL technique

Sec13B

(L3) cache

shrekushka

(L1) cache