Process Protection
Apply or remove Protected Process Light (PPL) protection by directly modifying the EPROCESS structure.
Overview
Windows Protected Process Light (PPL) prevents unauthorized access to protected processes. DioProcess can manipulate these protection flags directly in kernel memory.
🛡️ Protect Process
Apply WinTcb-Light protection (highest PPL level) to any process
🔓 Unprotect Process
Remove PPL protection from protected processes (lsass.exe, AV, etc.)
Protection Levels
| Level | Value | Description |
|---|---|---|
| PS_PROTECTED_WINTCB_LIGHT | 0x61 | WinTcb + Light (default for protect) |
| PS_PROTECTED_WINDOWS_LIGHT | 0x51 | Windows + Light |
| PS_PROTECTED_LSA_LIGHT | 0x41 | LSA + Light (lsass.exe) |
| PS_PROTECTED_ANTIMALWARE_LIGHT | 0x31 | Antimalware + Light (AV processes) |
Algorithm
Protect Process
- Call `GetWindowsVersion()` to detect the current Windows build
- Call `PsLookupProcessByProcessId()` to get the EPROCESS pointer
- Calculate the protection address: `EPROCESS + PROCESS_PROTECTION_OFFSET[version]`
- Write the protection values:
  - `SignatureLevel = 0x3E` (SE_SIGNING_LEVEL_WINDOWS_TCB)
  - `SectionSignatureLevel = 0x3C` (SE_SIGNING_LEVEL_WINDOWS)
  - `Protection.Type = 2` (PsProtectedTypeProtectedLight)
  - `Protection.Signer = 6` (PsProtectedSignerWinTcb)
- Call `ObDereferenceObject(eProcess)` to release the reference taken by the lookup
Unprotect Process
Same algorithm, but zero out all protection fields instead of setting them.
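The protection byte that the protect and unprotect paths above write is a packed PS_PROTECTION value, and the numbers in the Protection Levels table decode with that layout: the low three bits are the type, bit 3 is the audit flag, and the high nibble is the signer. The following Python is an added example, not DioProcess code, that decodes such bytes using the public PS_PROTECTED_TYPE and PS_PROTECTED_SIGNER enumerations from the Windows SDK and then audits a process snapshot for the two states this page produces: a normally protected image whose protection has been zeroed, and an image outside the allowlist that suddenly carries WinTcb-level protection. The snapshot line format (`pid name protection_byte`) and the `EXPECTED_MIN_SIGNER` allowlist are constructed for the example; a real baseline would be collected from a known-good host.

```python
"""Decode PS_PROTECTION bytes and flag processes whose PPL state looks tampered.

Added example for this page, not DioProcess code. Bit layout and enum values
follow the public PS_PROTECTION, PS_PROTECTED_TYPE and PS_PROTECTED_SIGNER
definitions in winnt.h; the snapshot format and the allowlist are constructed.
"""
from dataclasses import dataclass

# PS_PROTECTION is one byte: Type (bits 0-2), Audit (bit 3), Signer (bits 4-7).
PS_PROTECTED_TYPE = {0: "None", 1: "ProtectedLight", 2: "Protected"}
PS_PROTECTED_SIGNER = {
    0: "None", 1: "Authenticode", 2: "CodeGen", 3: "Antimalware",
    4: "Lsa", 5: "Windows", 6: "WinTcb", 7: "WinSystem", 8: "App",
}


@dataclass(frozen=True)
class Protection:
    type: int
    audit: bool
    signer: int

    @classmethod
    def from_byte(cls, value: int) -> "Protection":
        """Unpack a raw EPROCESS.Protection byte (e.g. 0x61 -> WinTcb, Light)."""
        if not 0 <= value <= 0xFF:
            raise ValueError(f"PS_PROTECTION is a single byte, got {value:#x}")
        return cls(type=value & 0x7, audit=bool(value & 0x8), signer=value >> 4)

    def describe(self) -> str:
        if self.type == 0 and self.signer == 0:
            return "unprotected"
        signer = PS_PROTECTED_SIGNER.get(self.signer, f"Signer{self.signer}")
        ptype = PS_PROTECTED_TYPE.get(self.type, f"Type{self.type}")
        return f"{signer}-{ptype}"


# Constructed allowlist: minimum signer expected for well-known protected images.
# Anything below it (including 0x00, the "unprotect" result) is a finding.
EXPECTED_MIN_SIGNER = {
    "lsass.exe": 4,     # Lsa   (0x41 when RunAsPPL is enabled)
    "csrss.exe": 6,     # WinTcb
    "smss.exe": 6,      # WinTcb
    "msmpeng.exe": 3,   # Antimalware
}

# Constructed snapshot in the assumed "pid name protection_byte" format.
SNAPSHOT = [
    "512 csrss.exe 0x61",
    "708 lsass.exe 0x00",       # PPL fields zeroed, as the unprotect path does
    "2868 MsMpEng.exe 0x31",
    "4120 notepad.exe 0x61",    # WinTcb-Light applied to an ordinary app
]


def audit_snapshot(lines):
    """Return (pid, name, finding, protection) tuples for suspicious entries.

    Two patterns are flagged: an allowlisted image running with a lower signer
    than its baseline ("protection-stripped"), and any image outside the
    allowlist carrying a WinTcb or WinSystem signer, which only the OS's own
    TCB binaries should have ("unexpected-tcb-protection").
    """
    findings = []
    for line in lines:
        pid, name, raw = line.split()
        prot = Protection.from_byte(int(raw, 16))
        key = name.lower()
        if key in EXPECTED_MIN_SIGNER:
            if prot.signer < EXPECTED_MIN_SIGNER[key]:
                findings.append((int(pid), name, "protection-stripped", prot.describe()))
        elif prot.signer >= 6:
            findings.append((int(pid), name, "unexpected-tcb-protection", prot.describe()))
    return findings


if __name__ == "__main__":
    for pid, name, finding, prot in audit_snapshot(SNAPSHOT):
        print(f"pid {pid:>6} {name:<14} {finding:<28} {prot}")
```

On a live host the same `audit_snapshot` can be fed protection bytes obtained through `GetProcessInformation` with `ProcessProtectionLevelInfo`, or from a kernel debugger reading `EPROCESS.Protection`; the allowlist should be generated from a machine you trust rather than hand-written as here, since a number of Windows service hosts legitimately run as WinTcb-Light.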
Structure Offsets
The PROCESS_PROTECTION_OFFSET varies by Windows version:
```
// PROCESS_PROTECTION_OFFSET array (indexed by WINDOWS_VERSION)
Win 10 1809 (17763): 0x6ca
Win 10 2004 (19041): 0x87a
Win 11 21H2 (22000): 0x87a
Win 11 22H2 (22621): 0x87a
Win 11 23H2 (22631): 0x87a
Win 11 24H2 (26100): 0x87a
```
Usage
- Ensure the kernel driver is loaded
- Right-click on a process in the Process tab
- Navigate to Miscellaneous
- Select 🛡️ Protect Process or 🔓 Unprotect Process
Note
These options are grayed out when the driver is not loaded.
Use Cases
- Protect benign processes — Prevent termination or injection
- Unprotect lsass.exe — Enable credential dumping for research
- Unprotect AV processes — Analyze security product behavior
- Test PPL bypass techniques — Security research and red teaming
Implementation
| Item | Location |
|---|---|
| Rust binding | crates/callback/src/driver.rs |
| Kernel code | kernelmode/.../DioProcessDriver.cpp |
| IOCTL (Protect) | IOCTL_DIOPROCESS_PROTECT_PROCESS (0x805) |
| IOCTL (Unprotect) | IOCTL_DIOPROCESS_UNPROTECT_PROCESS (0x806) |