Protected Process Bypass (DKOM)

Interactive simulation of a Direct Kernel Object Manipulation (DKOM) attack against Windows Protected Processes (PPL). Steps through loading a driver, locating the EPROCESS structure, and patching the protection bit.

By 0xHabib, December 20, 2025
#windows-internals
#kernel
#rootkit
#red-teaming

This visualization demonstrates the specific kernel memory manipulation required to strip "Protected Process Light" (PPL) protection from a target process such as LSASS (lsass.exe started with RunAsPPL). The point of the simulation is that PPL is not a privilege check: a user-mode caller holding SeDebugPrivilege is still denied, and the only way to get the handle without a signed PPL of your own is to change what the kernel believes about the target, which means writing to its EPROCESS from Ring 0.

Attack Phases

  1. Driver Load: Gaining Ring 0 execution is the prerequisite. Driver Signature Enforcement means the write has to come from a signed driver, so in practice this is either a driver the operator controls the signing of or a known-vulnerable signed driver abused for an arbitrary kernel write (BYOVD). The Microsoft vulnerable driver blocklist is the main control here; Kernel Patch Protection does not validate per-process EPROCESS fields, which is why the patch itself goes unnoticed by the kernel.
  2. Object Lookup: PsLookupProcessByProcessId takes the target PID and returns a referenced EPROCESS pointer; the driver must ObDereferenceObject it when done.
  3. Patching: Overwriting the PS_PROTECTION byte (Type in bits 0-2, Audit in bit 3, Signer in bits 4-7) at its EPROCESS offset. The offset is build-specific (e.g., 0x87a on several Windows 10 and Windows 11 builds), so a real driver resolves it per build, for instance from the symbol shown by `dt nt!_EPROCESS Protection` in WinDbg; a stale offset corrupts an unrelated field. Tools commonly also zero the adjacent SignatureLevel and SectionSignatureLevel bytes.
  4. Access Check: Before the patch the protected-process check in the open path (the simulation places it in ObOpenObjectByPointer) denies the requested access mask with STATUS_ACCESS_DENIED, SeDebugPrivilege or not. Once the byte is zero the kernel no longer treats the target as protected and the same user-mode open succeeds.
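The four phases as a runnable user-mode model, added here as an example rather than taken from the page or the simulation's source. It loads no driver and touches no real EPROCESS: a byte array stands in for the kernel object, the Protection offset is the page's 0x87a, the two signature-level offsets (0x878, 0x879) are assumed to sit just before it as on the same builds, and the access check is a deliberate simplification of the page's pseudocode (the real kernel uses a signer-dominance table, not a numeric comparison). What it does show exactly is the PS_PROTECTION bit layout, how level bytes such as 0x41 (PPL-Lsa) and 0x62 (PP-WinTcb) decode, and why the check flips once the byte is zeroed.

```c
/*
 * Added example, not the page's own code: a user-mode model of the kernel
 * structures the four phases touch. No driver, no real EPROCESS.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PS_PROTECTED_TYPE and PS_PROTECTED_SIGNER values (ntddk / Windows Internals). */
enum { PsProtectedTypeNone = 0, PsProtectedTypeProtectedLight = 1, PsProtectedTypeProtected = 2 };
enum { PsProtectedSignerNone = 0, PsProtectedSignerAuthenticode = 1, PsProtectedSignerCodeGen = 2,
       PsProtectedSignerAntimalware = 3, PsProtectedSignerLsa = 4, PsProtectedSignerWindows = 5,
       PsProtectedSignerWinTcb = 6, PsProtectedSignerWinSystem = 7, PsProtectedSignerApp = 8 };

/* PS_PROTECTION is one byte: Type (bits 0-2), Audit (bit 3), Signer (bits 4-7). */
static uint8_t  ps_pack(unsigned type, unsigned signer) { return (uint8_t)((type & 0x7) | ((signer & 0xF) << 4)); }
static unsigned ps_type(uint8_t p)   { return p & 0x7; }
static unsigned ps_signer(uint8_t p) { return p >> 4; }

/* Render a protection byte the way debugger output is usually read, e.g. 0x41 -> "PPL-Lsa". */
static const char *ps_describe(uint8_t p, char *buf, size_t len) {
    static const char *types[]   = { "None", "PPL", "PP" };
    static const char *signers[] = { "None", "Authenticode", "CodeGen", "Antimalware", "Lsa",
                                     "Windows", "WinTcb", "WinSystem", "App" };
    unsigned t = ps_type(p), s = ps_signer(p);
    if (t == PsProtectedTypeNone) { snprintf(buf, len, "%s", "None"); return buf; }
    snprintf(buf, len, "%s-%s", t < 3 ? types[t] : "?", s < 9 ? signers[s] : "?");
    return buf;
}

/* Toy EPROCESS. 0x87a is the page's example offset; 0x878/0x879 are assumed for
 * the toy. All three are build-specific and a real driver must resolve them
 * from symbols or a per-build table, never hard-code them. */
#define EPROCESS_SIZE               0xA00
#define OFF_SIGNATURE_LEVEL         0x878
#define OFF_SECTION_SIGNATURE_LEVEL 0x879
#define OFF_PROTECTION              0x87a

typedef struct { uint8_t raw[EPROCESS_SIZE]; } FakeEprocess;

static void fake_process_init(FakeEprocess *p, uint8_t protection) {
    memset(p->raw, 0, sizeof p->raw);
    p->raw[OFF_PROTECTION] = protection;
    /* Constructed non-zero placeholders so the patch visibly clears them. */
    p->raw[OFF_SIGNATURE_LEVEL]         = protection ? 0x3c : 0;
    p->raw[OFF_SECTION_SIGNATURE_LEVEL] = protection ? 0x3c : 0;
}

/* Phase 4 in the page's simplified spirit. The real kernel check uses a
 * signer-dominance table rather than "greater than"; this model only requires
 * the caller to match or exceed the target on both type and signer. */
static int ppl_access_allowed(const FakeEprocess *caller, const FakeEprocess *target) {
    uint8_t c = caller->raw[OFF_PROTECTION], t = target->raw[OFF_PROTECTION];
    if (ps_type(t) == PsProtectedTypeNone) return 1;   /* unprotected target: normal ACL applies */
    if (ps_type(c) < ps_type(t)) return 0;             /* e.g. PPL caller cannot open a PP target */
    return ps_signer(c) >= ps_signer(t);               /* simplified dominance */
}

/* Phase 3: the DKOM write. In a driver, p would be the pointer returned by
 * PsLookupProcessByProcessId. The two signature-level bytes are cleared as
 * well, as tools commonly do. */
static void dkom_strip_protection(FakeEprocess *p) {
    p->raw[OFF_PROTECTION]              = 0;
    p->raw[OFF_SIGNATURE_LEVEL]         = 0;
    p->raw[OFF_SECTION_SIGNATURE_LEVEL] = 0;
}

typedef struct { uint8_t before, after; int allowed_before, allowed_after; } DemoResult;

/* The page's scenario: an unprotected user-mode process (mimikatz.exe) tries to
 * open lsass.exe, which RunAsPPL runs as PPL with the Lsa signer (0x41). */
static DemoResult run_demo(void) {
    FakeEprocess lsass, mimikatz;
    DemoResult r;
    fake_process_init(&lsass,    ps_pack(PsProtectedTypeProtectedLight, PsProtectedSignerLsa));
    fake_process_init(&mimikatz, ps_pack(PsProtectedTypeNone, PsProtectedSignerNone));
    r.before         = lsass.raw[OFF_PROTECTION];
    r.allowed_before = ppl_access_allowed(&mimikatz, &lsass);  /* 0: STATUS_ACCESS_DENIED */
    dkom_strip_protection(&lsass);
    r.after          = lsass.raw[OFF_PROTECTION];
    r.allowed_after  = ppl_access_allowed(&mimikatz, &lsass);  /* 1: open succeeds */
    return r;
}

int main(void) {
    char buf[32];
    DemoResult r = run_demo();
    printf("before: Protection=0x%02x (%s) -> %s\n", r.before, ps_describe(r.before, buf, sizeof buf),
           r.allowed_before ? "granted" : "STATUS_ACCESS_DENIED");
    printf("after:  Protection=0x%02x (%s) -> %s\n", r.after, ps_describe(r.after, buf, sizeof buf),
           r.allowed_after ? "granted" : "STATUS_ACCESS_DENIED");
    return 0;
}
```

The useful part for a defender is ps_describe: the same byte decoding applied to a memory dump or a kernel debugger session tells you whether a process that should be PPL still is, which is how this patch is caught after the fact.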
Protected Process Bypass Simulation (interactive widget; its initial state is reproduced here as text)

Visualizing Direct Kernel Object Manipulation (DKOM) against PPL.

User Mode: Mimikatz.exe, PID 666, SeDebugPrivilege: ON, access request to lsass.exe: BLOCKED.

Kernel Mode (Ring 0), the simulation's simplified check inside ObOpenObjectByPointer:

    if (Target.PPL > Caller.PPL)
        return STATUS_ACCESS_DENIED;

Target Process: lsass.exe, PID 442. EPROCESS Protection: PPL with the Lsa signer (0x41), which is what RunAsPPL gives lsass.exe; the real kernel check compares type and signer through a dominance table rather than one numeric level, so the one-line comparison above is the simulation's simplification.

root@kernel:~$ Initial State: LSASS is running as PPL. The kernel (ObOpenObjectByPointer) blocks access from user mode, even though the caller holds SeDebugPrivilege.