Study how Windows Protected Process Light (PPL) protections work at the kernel level.
List all protected processes on a test system along with their protection and signer type.
Test whether PPL protections on an authorized system can be bypassed or removed.
Research BYOVD (Bring Your Own Vulnerable Driver) techniques for defensive security work.
| redteamfortress/pplshade | alphapixel/eric-graham-1987-juggler-raytracer-1.0 | maftymanicemu/dukex | |
|---|---|---|---|
| Stars | 54 | 54 | 52 |
| Language | C | C | C |
| Setup difficulty | hard | hard | hard |
| Complexity | 5/5 | 2/5 | 5/5 |
| Audience | researcher | general | developer |
Figures from each repo's GitHub metadata at analysis time.
Requires Visual Studio 2022 with C++ latest standard and a vulnerable signed kernel driver to load.
PPLShade is a Windows security research tool written in C that manipulates Protected Process Light (PPL) protections at the kernel level. PPL is a Windows feature that restricts which software can interact with sensitive system processes, including antivirus and endpoint detection tools. The project is aimed at security researchers and red teamers who study how these protections work or test whether they can be bypassed on systems they are authorized to test. The tool uses a technique called BYOVD, short for Bring Your Own Vulnerable Driver. This involves loading a legitimate but known-vulnerable kernel driver and using its memory access capabilities to read and write data inside the Windows kernel. Three specific drivers are included as supported options, each identified by its cryptographic hash. Once a driver is loaded, PPLShade can list all protected processes on the system along with their protection level and signer type, query the protection attributes of a specific process by its ID, change or remove those attributes, or terminate a protected process by first stripping its protection. Protection levels in Windows include PP (fully protected) and PPL (Protected Process Light), and each carries a signer type such as WinTcb, Lsa, or Antimalware that determines what can access it. PPLShade resolves kernel structure offsets dynamically at runtime rather than using hardcoded values, which helps it work across different builds of Windows 10 and 11. Building the project requires Visual Studio 2022 and the C++ latest language standard, because the memory address translation layer uses a modern C++ feature called std::expected. The resulting binary is a single standalone executable with no external library dependencies. A disclaimer in the README states the tool is intended for educational and authorized security research only, and that using it against systems you do not own or have explicit written permission to test is illegal.
A Windows security research tool that uses a vulnerable driver to inspect and strip Protected Process Light protections.
Mainly C. The stack also includes C, Windows Kernel, BYOVD.
The README does not state a license, so usage rights beyond the stated research disclaimer are unclear.
Setup difficulty is rated hard, with roughly 1h+ to a first successful run.
Mainly researcher.
This repo across BitVibe Labs
Verify against the repo before relying on details.