whatisgithub

What is pplshade?

redteamfortress/pplshade — explained in plain English

Analysis updated 2026-05-18

54CAudience · researcherComplexity · 5/5Setup · hard

In one sentence

A Windows security research tool that uses a vulnerable driver to inspect and strip Protected Process Light protections.

Mindmap

mindmap
  root((repo))
    What it does
      Manipulates PPL protections
      Uses vulnerable driver
      Lists protected processes
    Tech stack
      C
      Windows kernel
      Visual Studio 2022
    Use cases
      Security research
      Test PPL bypass
      Study BYOVD
    Audience
      Security researchers
      Red teamers

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Study how Windows Protected Process Light (PPL) protections work at the kernel level.

USE CASE 2

List all protected processes on a test system along with their protection and signer type.

USE CASE 3

Test whether PPL protections on an authorized system can be bypassed or removed.

USE CASE 4

Research BYOVD (Bring Your Own Vulnerable Driver) techniques for defensive security work.

What is it built with?

CWindows KernelBYOVDVisual Studio 2022

How does it compare?

redteamfortress/pplshadealphapixel/eric-graham-1987-juggler-raytracer-1.0maftymanicemu/dukex
Stars545452
LanguageCCC
Setup difficultyhardhardhard
Complexity5/52/55/5
Audienceresearchergeneraldeveloper

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · hard Time to first run · 1h+

Requires Visual Studio 2022 with C++ latest standard and a vulnerable signed kernel driver to load.

The README does not state a license, so usage rights beyond the stated research disclaimer are unclear.

So what is it?

PPLShade is a Windows security research tool written in C that manipulates Protected Process Light (PPL) protections at the kernel level. PPL is a Windows feature that restricts which software can interact with sensitive system processes, including antivirus and endpoint detection tools. The project is aimed at security researchers and red teamers who study how these protections work or test whether they can be bypassed on systems they are authorized to test. The tool uses a technique called BYOVD, short for Bring Your Own Vulnerable Driver. This involves loading a legitimate but known-vulnerable kernel driver and using its memory access capabilities to read and write data inside the Windows kernel. Three specific drivers are included as supported options, each identified by its cryptographic hash. Once a driver is loaded, PPLShade can list all protected processes on the system along with their protection level and signer type, query the protection attributes of a specific process by its ID, change or remove those attributes, or terminate a protected process by first stripping its protection. Protection levels in Windows include PP (fully protected) and PPL (Protected Process Light), and each carries a signer type such as WinTcb, Lsa, or Antimalware that determines what can access it. PPLShade resolves kernel structure offsets dynamically at runtime rather than using hardcoded values, which helps it work across different builds of Windows 10 and 11. Building the project requires Visual Studio 2022 and the C++ latest language standard, because the memory address translation layer uses a modern C++ feature called std::expected. The resulting binary is a single standalone executable with no external library dependencies. A disclaimer in the README states the tool is intended for educational and authorized security research only, and that using it against systems you do not own or have explicit written permission to test is illegal.

Copy-paste prompts

Prompt 1
Explain how Protected Process Light works in Windows and why PPLShade needs a vulnerable driver.
Prompt 2
Walk me through what BYOVD means and how this repo uses it to access kernel memory.
Prompt 3
What protection levels and signer types does this README describe, and what do they control?
Prompt 4
Summarize the disclaimer in this README about authorized use of PPLShade.

Frequently asked questions

What is pplshade?

A Windows security research tool that uses a vulnerable driver to inspect and strip Protected Process Light protections.

What language is pplshade written in?

Mainly C. The stack also includes C, Windows Kernel, BYOVD.

What license does pplshade use?

The README does not state a license, so usage rights beyond the stated research disclaimer are unclear.

How hard is pplshade to set up?

Setup difficulty is rated hard, with roughly 1h+ to a first successful run.

Who is pplshade for?

Mainly researcher.

Open on GitHub → Ask about another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.