PPL service

My current understanding is that in order to make a service PPL one needs to have an ELAM driver in the system. If someone has a need to have a protected service, and doesn’t want to write the ELAM component, is there a way to still do it? Does Windows perhaps have an ELAM driver which this service can use as its ELAM store?

As I understand it, and this blog goes into in very nice detail [ https://blog.tofile.dev/2020/12/16/elam.html ] you will need an ELAM driver associated with the service; this fits into the “chain of trust” model that Windows uses (essentially, each link in the chain verifies the next link) … so the UEFI BIOS verifies the OS bootloader, the OS bootloader verifies the OS image, the OS image verifies the ELAM driver and the (existence of) the ELAM driver verifies the PPL associated with that ELAM driver … chain of trust …

The whole point of having a PPL is making it inaccessible to other processes; if I were able to make a PPL without associating it with a “trusted” driver I would simply gen up a Malware service, mark it as PPL and merrily avoid any annoying antivirus programs …

The PPL is a good way to make processes secure. Inside core Windows, does no service take advantage of PPL? There are so many core services which are attacked, injected into, etc. Or does Microsoft perhaps have an all-purpose ELAM for their own internal usage?

@craig_howard said:
As I understand it, and this blog goes into in very nice detail [ https://blog.tofile.dev/2020/12/16/elam.html ] you will need an ELAM driver associated with the service; this fits into the “chain of trust” model that Windows uses (essentially, each link in the chain verifies the next link) … so the UEFI BIOS verifies the OS bootloader, the OS bootloader verifies the OS image, the OS image verifies the ELAM driver and the (existence of) the ELAM driver verifies the PPL associated with that ELAM driver … chain of trust …

The whole point of having a PPL is making it inaccessible to other processes; if I were able to make a PPL without associating it with a “trusted” driver I would simply gen up a Malware service, mark it as PPL and merrily avoid any annoying antivirus programs …

From the blog it appears that MS is moving to a different mechanism than PPL in the future … regardless, that’s a MS question. MS already has mechanisms in place to prevent core services being compromised, PPL appears to be simply there to allow malware ELAM services to get stuff done in usermode rather than in kernelmode …
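Two things in this thread are easy to verify on a real machine rather than argue about: which services are configured to launch protected (the `LaunchProtected` value the SCM stores when a service opts in via `ChangeServiceConfig2` with `SERVICE_CONFIG_LAUNCH_PROTECTED`, answering the "does no core service use PPL?" question above), and what protection level and signer each running process actually has (the `PS_PROTECTION` byte returned by `NtQueryInformationProcess` with `ProcessProtectionInformation`, which is where the ELAM-backed "Antimalware" signer from the chain-of-trust reply shows up). The PowerShell below is an added inventory script written for this answer, not code from the thread or from the linked blog. It assumes Windows 8.1 or later and that `NtQueryInformationProcess` accepts `PROCESS_QUERY_LIMITED_INFORMATION` handles for this class, which protected processes still permit from an unprivileged caller; the class number 61 and the bit layout of `PS_PROTECTION` are taken from public documentation of the structure, not from the page.

```powershell
# Added example: inventory PPL configuration (services) and runtime protection (processes).
# Not from the original thread. Assumes Windows 8.1+; run from any PowerShell session
# (elevation is not required to query protection levels with limited access rights).

Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class PsProt {
    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationProcess(IntPtr h, int cls, ref byte info, int len, out int ret);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll")]
    public static extern bool CloseHandle(IntPtr h);
}
"@

# SERVICE_LAUNCH_PROTECTED_* values as stored in HKLM\SYSTEM\CurrentControlSet\Services\<svc>\LaunchProtected
$launchProtected = @{ 0 = 'None'; 1 = 'Windows'; 2 = 'WindowsLight'; 3 = 'AntimalwareLight' }
# PS_PROTECTION: bits 0-2 = Type, bit 3 = Audit, bits 4-7 = Signer
$protType   = @{ 0 = 'None'; 1 = 'ProtectedLight (PPL)'; 2 = 'Protected (PP)' }
$protSigner = @{ 0 = 'None'; 1 = 'Authenticode'; 2 = 'CodeGen'; 3 = 'Antimalware'; 4 = 'Lsa';
                 5 = 'Windows'; 6 = 'WinTcb'; 7 = 'WinSystem'; 8 = 'App' }
$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
$ProcessProtectionInformation = 61

function Get-ProtectedServiceConfig {
    # Lists every service whose registry key carries a non-zero LaunchProtected value,
    # i.e. the SCM will start it as PP/PPL (and, for AntimalwareLight, require an ELAM-backed signer).
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        $lp = $props.LaunchProtected
        if ($null -ne $lp -and $lp -ne 0) {
            [pscustomobject]@{
                Service         = $_.PSChildName
                LaunchProtected = $launchProtected[[int]$lp]
                ImagePath       = $props.ImagePath
            }
        }
    }
}

function Get-ProcessProtection {
    # Queries the live protection byte for each process; only protected ones are emitted.
    foreach ($p in Get-Process) {
        $h = [PsProt]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $p.Id)
        if ($h -eq [IntPtr]::Zero) { continue }   # e.g. System/Idle, or access denied
        try {
            [byte]$info = 0; $ret = 0
            $status = [PsProt]::NtQueryInformationProcess($h, $ProcessProtectionInformation, [ref]$info, 1, [ref]$ret)
            if ($status -ne 0) { continue }       # NTSTATUS failure: skip this process
            $type   = $info -band 0x7
            $signer = ($info -shr 4) -band 0xF
            if ($type -ne 0) {
                [pscustomobject]@{
                    Pid    = $p.Id
                    Name   = $p.ProcessName
                    Type   = $protType[[int]$type]
                    Signer = $protSigner[[int]$signer]
                }
            }
        } finally {
            [void][PsProt]::CloseHandle($h)
        }
    }
}

"== Services configured to launch protected =="
Get-ProtectedServiceConfig | Sort-Object LaunchProtected, Service | Format-Table -AutoSize

"== Running protected processes =="
Get-ProcessProtection | Sort-Object Signer, Name | Format-Table -AutoSize
```

On a stock install the second table shows the built-in PPL users the follow-up question asks about (for example processes with the `Windows` and `WinTcb` signers, and `Lsa` when LSA protection is enabled), and an `Antimalware`-signed entry only appears when an ELAM-registered antimalware service is installed. If a third-party service appears in the first table with `AntimalwareLight` but never appears in the second, that is the chain of trust from the earlier reply at work: the SCM refused to start it protected because no matching ELAM certificate information was registered.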
