SkillAgentSearch skills...

KPPL

Kill Protected Process Light Process (include av)

GenerateConvertImprove

Install / Use

/learn @BeneficialCode/KPPL
About this skill

Quality Score

0/100

Supported Platforms

Universal

README

KPPL

Kill Protected Process Light Process (include av)

Some antimalware process has some object callbacks by using ObRegisterCallbacks to avoid extern killing.

Somtimes, we have got the process handle right. We can do other thing. For example, we can dump the lsass.exe.

0: kd> dt nt!_object_type ffffe78f`93ca8d20
   +0x000 TypeList         : _LIST_ENTRY [ 0xffffe78f`93ca8d20 - 0xffffe78f`93ca8d20 ]
   +0x010 Name             : _UNICODE_STRING "Process"
   +0x020 DefaultObject    : (null) 
   +0x028 Index            : 0x7 ''
   +0x02c TotalNumberOfObjects : 0x1f8
   +0x030 TotalNumberOfHandles : 0x728
   +0x034 HighWaterNumberOfObjects : 0x1f8
   +0x038 HighWaterNumberOfHandles : 0x881
   +0x040 TypeInfo         : _OBJECT_TYPE_INITIALIZER
   +0x0b8 TypeLock         : _EX_PUSH_LOCK
   +0x0c0 Key              : 0x636f7250
   +0x0c8 CallbackList     : _LIST_ENTRY [ 0xffffd105`77373e40 - 0xffffd105`77373e40 ]

0: kd> dx -id 0,0,ffffe78f93c5d080 -r1 (*((ntkrnlmp!_OBJECT_TYPE_INITIALIZER *)0xffffe78f93ca8d60))
(*((ntkrnlmp!_OBJECT_TYPE_INITIALIZER *)0xffffe78f93ca8d60))                 [Type: _OBJECT_TYPE_INITIALIZER]
    [+0x000] Length           : 0x78 [Type: unsigned short]
    [+0x002] ObjectTypeFlags  : 0xca [Type: unsigned short]
    [+0x002 ( 0: 0)] CaseInsensitive  : 0x0 [Type: unsigned char]
    [+0x002 ( 1: 1)] UnnamedObjectsOnly : 0x1 [Type: unsigned char]
    [+0x002 ( 2: 2)] UseDefaultObject : 0x0 [Type: unsigned char]
    [+0x002 ( 3: 3)] SecurityRequired : 0x1 [Type: unsigned char]
    [+0x002 ( 4: 4)] MaintainHandleCount : 0x0 [Type: unsigned char]
    [+0x002 ( 5: 5)] MaintainTypeList : 0x0 [Type: unsigned char]
    [+0x002 ( 6: 6)] SupportsObjectCallbacks : 0x1 [Type: unsigned char] \\ This flag effect the callback function
    [+0x002 ( 7: 7)] CacheAligned     : 0x1 [Type: unsigned char]
    [+0x003 ( 0: 0)] UseExtendedParameters : 0x0 [Type: unsigned char]
    [+0x003 ( 7: 1)] Reserved         : 0x0 [Type: unsigned char]
    ......

ObDuplicateObject
ObpFilterOperation
ObpCallPreOperationCallbacks
ObpCallPostOperationCallbacks
ObpCreateHandle

return (a1->TypeInfo.ObjectTypeFlags & 0x40) != 0 && a1->CallbackList.Flink != &a1->CallbackList;

BeneficialCode

View profile

View on GitHub
GitHub Stars57
CategoryDevelopment
Updated1mo ago
Forks24
BeneficialCode/KPPL

Languages

C++

Security Score

95/100

Audited on Mar 1, 2026

No findings