This is a proof-of-concept that shows how a technique such as Bring Your Own Vulnerable DLL (BYODLL) could be used to bypass LSA Protection, or more generally execute arbitrary code within Protected Processes on Windows.

For more information, please check out my blog post series entitled "Ghost in the PPL".

• Ghost in the PPL Part 1: BYOVDLL
• Ghost in the PPL Part 2: From BYOVDLL to Arbitrary Code Execution in LSASS
• Ghost in the PPL Part 3: LSASS Memory Dump

• @GabrielLandau - Post about the BYOVDLL technique on Twitter/X
• @KeyZ3r0 (a.k.a. k0shl) - Isolate me from sandbox - Explore elevation of privilege of CNG Key Isolation
• @cplearns2h4ck (a.k.a. chiefpie) - PoC for CVE-2023-28229