PPL-related control attributes

0: kd> vertarget
Windows 10 Kernel Version 18362 MP (2 procs) Free x64
Built by: 18362.1.amd64fre.19h1_release.190318-1202
Machine Name:
Kernel base = 0xfffff801`11400000 PsLoadedModuleList = 0xfffff801`11848190
Debug session time: Mon Mar  2 16:11:36.908 2020 (UTC + 8:00)
System Uptime: 0 days 0:00:27.667

0: kd> !process 0 0 services.exe
PROCESS ffffc98f29730100
    SessionId: 0  Cid: 0250    Peb: 726339d000  ParentCid: 01ec
    DirBase: 0ef75002  ObjectTable: ffff8001401d76c0  HandleCount:  34.
    Image: services.exe

0: kd> dt nt!_EPROCESS ffffc98f29730100
   +0x000 Pcb              : _KPROCESS
   +0x2e0 ProcessLock      : _EX_PUSH_LOCK
   +0x2e8 UniqueProcessId  : 0x00000000`00000250 Void
   +0x2f0 ActiveProcessLinks : _LIST_ENTRY [ 0xfffff801`11838b40 - 0xffffc98f`2973f430 ]
   +0x300 RundownProtect   : _EX_RUNDOWN_REF
   +0x308 Flags2           : 0xd000
   ......
   +0x6f8 SignatureLevel   : 0x38 '8'			// Defines the signing requirement of the main module.
   +0x6f9 SectionSignatureLevel : 0x8 ''		// Defines the minimum signature level required of DLLs loaded into the process.
   +0x6fa Protection       : _PS_PROTECTION		// Indicates the protection state of the process.
   ......
1: kd> dt _PS_PROTECTION
ntdll!_PS_PROTECTION
   +0x000 Level            : UChar
   +0x000 Type             : Pos 0, 3 Bits
   +0x000 Audit            : Pos 3, 1 Bit
   +0x000 Signer           : Pos 4, 4 Bits
0: kd> dx -id 0,0,ffffc98f29730100 -r1 (*((ntkrnlmp!_PS_PROTECTION *)0xffffc98f297307fa))
(*((ntkrnlmp!_PS_PROTECTION *)0xffffc98f297307fa))                 [Type: _PS_PROTECTION]
    [+0x000] Level            : 0x61 [Type: unsigned char]
    [+0x000 ( 2: 0)] Type             : 0x1 [Type: unsigned char]
    [+0x000 ( 3: 3)] Audit            : 0x0 [Type: unsigned char]
    [+0x000 ( 7: 4)] Signer           : 0x6 [Type: unsigned char]
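To read a Level byte from a dump without a live debugger, here is an added C example (not code from the original post) that splits a _PS_PROTECTION value into Type, Audit and Signer using the bit positions shown in the dt output above, and names the fields with the values of the public PS_PROTECTED_TYPE / PS_PROTECTED_SIGNER enums; the enum names are assumed from ntddk.h, and 0x61 is the value dumped above for services.exe.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Field layout of nt!_PS_PROTECTION as shown by "dt _PS_PROTECTION":
 * Type = bits 0-2, Audit = bit 3, Signer = bits 4-7, all in one UChar. */
typedef struct {
    uint8_t type;
    uint8_t audit;
    uint8_t signer;
} ps_protection_t;

ps_protection_t ps_protection_decode(uint8_t level) {
    ps_protection_t p;
    p.type   = level & 0x07;        /* bits 2:0 */
    p.audit  = (level >> 3) & 0x01; /* bit  3   */
    p.signer = (level >> 4) & 0x0F; /* bits 7:4 */
    return p;
}

/* Inverse: build the Level byte from its fields (inputs are masked to width). */
uint8_t ps_protection_encode(uint8_t type, uint8_t audit, uint8_t signer) {
    return (uint8_t)((type & 0x07) | ((audit & 0x01) << 3) | ((signer & 0x0F) << 4));
}

/* Names follow PS_PROTECTED_TYPE and PS_PROTECTED_SIGNER in ntddk.h
 * (assumed from that header; values outside the tables print "Unknown"). */
const char *ps_protected_type_name(uint8_t type) {
    static const char *names[] = { "None", "ProtectedLight", "Protected" };
    return type < 3 ? names[type] : "Unknown";
}

const char *ps_protected_signer_name(uint8_t signer) {
    static const char *names[] = { "None", "Authenticode", "CodeGen", "Antimalware",
                                   "Lsa", "Windows", "WinTcb", "WinSystem", "App" };
    return signer < 9 ? names[signer] : "Unknown";
}

int main(void) {
    /* 0x61 is the Level value dumped above for services.exe. */
    uint8_t level = 0x61;
    ps_protection_t p = ps_protection_decode(level);
    /* prints: Level 0x61: Type=1 (ProtectedLight) Audit=0 Signer=6 (WinTcb) */
    printf("Level 0x%02x: Type=%u (%s) Audit=%u Signer=%u (%s)\n",
           level, p.type, ps_protected_type_name(p.type),
           p.audit, p.signer, ps_protected_signer_name(p.signer));
    return 0;
}
```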

Reposted from blog.csdn.net/songbei6/article/details/105234241