This tool allows you to list protected processes, get the protection level of a specific process, or set an arbitrary protection level. For more information, you can read this blog post: Debugging Protected Processes.
1. Download the MSI driver
You can get a copy of the MSI driver RTCore64.sys here: PPLKiller/driver.
2. Install the MSI driver
Disclaimer: it goes without saying that you should never install this driver on your host machine. Use a VM!
sc.exe create RTCore64 type= kernel start= auto binPath= C:\PATH\TO\RTCore64.sys DisplayName= "Micro - Star MSI Afterburner"
net start RTCore64
3. Use PPLcontrol
List protected processes.
Get the protection level of a specific process.
Set an arbitrary protection level.
PPLcontrol.exe set 1234 PPL WinTcb
Protect a non-protected process with an arbitrary protection level. This will also automatically adjust the signature levels accordingly.
PPLcontrol.exe protect 1234 PPL WinTcb
Unprotect a protected process. This will set the protection level to None and reset the EXE/DLL signature levels accordingly.
PPLcontrol.exe unprotect 1234
4. Uninstall the driver
net stop RTCore64
sc.exe delete RTCore64
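The driver installation in steps 1 and 2 leaves a trace that defenders can look for: the `sc.exe create ... type= kernel` command is recorded in the Windows System log as Event ID 7045 ("A service was installed in the system"). The following is an added example, not part of PPLcontrol, that classifies such records; the sample records are constructed to mirror the 7045 fields (ServiceName, ImagePath, ServiceType), and the RTCore64 names come from the steps above.

```python
"""Flag kernel-driver service installs that look like the RTCore64 driver being loaded."""
import re
from pathlib import PureWindowsPath

# Names taken from the install steps above (service name and driver file).
KNOWN_BAD_DRIVER_FILES = {"rtcore64.sys"}
KNOWN_BAD_SERVICE_NAMES = {"rtcore64"}
# Kernel drivers normally live in System32\drivers; anything else is worth a look.
EXPECTED_DRIVER_DIR = re.compile(
    r"^(\\\?\?\\)?(?:[a-z]:\\windows\\|\\systemroot\\)?system32\\drivers\\", re.I)

# Constructed sample records modelled on Event ID 7045 (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "RTCore64", "ServiceType": "kernel mode driver",
     "ImagePath": r"C:\Temp\RTCore64.sys"},                       # as installed above
    {"EventID": 7045, "ServiceName": "AfterburnerSvc", "ServiceType": "kernel mode driver",
     "ImagePath": r"C:\Users\Public\rt.sys"},                     # renamed copy: only the path heuristic fires
    {"EventID": 7045, "ServiceName": "mssmbios", "ServiceType": "kernel mode driver",
     "ImagePath": r"\SystemRoot\System32\drivers\mssmbios.sys"},  # ordinary inbox driver
    {"EventID": 7045, "ServiceName": "MyAppSvc", "ServiceType": "user mode service",
     "ImagePath": r"C:\Program Files\MyApp\svc.exe"},             # user-mode service, out of scope
    {"EventID": 7036, "ServiceName": "RTCore64", "ServiceType": "", "ImagePath": ""},  # state change, not an install
]


def classify_service_install(event):
    """Return the reasons a 7045 record looks like a vulnerable driver install ([] if none)."""
    if event.get("EventID") != 7045 or "kernel" not in event.get("ServiceType", "").lower():
        return []
    reasons = []
    image = event.get("ImagePath", "").strip('"')
    file_name = PureWindowsPath(image).name.lower()
    if file_name in KNOWN_BAD_DRIVER_FILES:
        reasons.append(f"known vulnerable driver file {file_name}")
    if event.get("ServiceName", "").lower() in KNOWN_BAD_SERVICE_NAMES:
        reasons.append("service name matches RTCore64")
    if image and not EXPECTED_DRIVER_DIR.match(image):
        reasons.append(f"kernel driver registered from unusual path {image}")
    return reasons


def find_suspicious_driver_installs(events):
    """Pair each flagged service name with its reasons; name-based rules are brittle,
    so the path heuristic (and, in production, a driver hash blocklist) carries the weight."""
    return [(e["ServiceName"], r) for e in events if (r := classify_service_install(e))]


if __name__ == "__main__":
    for name, reasons in find_suspicious_driver_installs(SAMPLE_EVENTS):
        print(f"[!] {name}: " + "; ".join(reasons))
```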
Debugging a protected process with WinDbg
WinDbg just needs to open the target process, so you can use PPLcontrol to set an arbitrary protection level on your windbg.exe process.
- Get the PID of the windbg.exe process.
- Use PPLcontrol to set an arbitrary protection level.
C:\Temp>tasklist | findstr /i windbg
windbg.exe 1232 Console 1 24,840 K
C:\Temp>PPLcontrol.exe protect 1232 PPL WinTcb
[+] The Protection 'PPL-WinTcb' was set on the process with PID 1232, previous protection was: 'None-None'.
[+] The Signature level 'WindowsTcb' and the Section signature level 'Windows' were set on the process with PID 1232.
Inspecting a protected process with API Monitor
In addition to opening the target process, API Monitor injects a DLL into it. Therefore, setting an arbitrary protection level on your apimonitor.exe process won't suffice. Since the injected DLL is not properly signed for this purpose, the Section signature flag of the target process will likely prevent it from being loaded. However, you can temporarily disable the protection on the target process, start monitoring it, and restore the protection right after.
- Get the PID of the target process.
- Use PPLcontrol to get the protection level of the target process.
- Unprotect the process.
- Start monitoring the process with API Monitor.
- Restore the protection of the target process.
Build
- Open the solution in Visual Studio.
- Select an x64 build configuration (x86 is not supported and will probably never be).
- Build the solution.