Tool to bypass LSA Protection (aka Protected Process Light / PPL)
- Writes the RTCore64.sys kernel driver to disk (byte array embedded via
#loadat compile time — no base64 decoding needed) - Enables
SeLoadDriverPrivilegeviaAdjustTokenPrivileges - Installs and starts the RTCore64 kernel service
- Opens
\\.\RTCore64device and usesDeviceIoControlto read/write physical memory - Walks the kernel
EPROCESSlinked list, findslsass.exe, and zeroes itsSignatureLevel→ disables PPL - Cleans up: stops the service, deletes the driver file
No flags/parameters needed — runs fully automated.
Requires Odin (https://odin-lang.org) and Administrator privileges at runtime.
odin build pplkiller.odin -file -out:PPLKiller_Odin.exe
If the RTCore64.sys driver file is not present during compilation, place it at C:\Users\Public\Documents\RTCore64.sys first — the #load directive embeds it into the binary.
PPLKiller_Odin.exe
The PowerShell script embeds PPLKiller_Odin.exe (GZip-compressed + Base64) and runs it entirely from memory.
EPROCESS offsets are resolved at runtime via the CurrentBuild registry key (fallback: ReleaseId).
| Build Range | Windows Version |
|---|---|
| 14393 | Windows 10 1607 / Server 2016 |
| 15063 | Windows 10 1703 |
| 16299 | Windows 10 1709 |
| 17134 | Windows 10 1803 |
| 17763 | Windows 10 1809 / Server 2019 |
| 18362–18363 | Windows 10 1903–1909 |
| 19041–19045 | Windows 10 2004–22H2 |
| 20348–21999 | Windows Server 2022 |
| 22000+ | Windows 11 21H2–24H2 / Server 2025 |
| File | Description |
|---|---|
pplkiller.odin |
Odin source — full PPLKiller rewrite |
PPLKiller_Odin.exe |
Compiled x64 binary |
README.md |
This file |
- Requires Administrator privileges (driver loading)
- On systems with HVCI / Memory Integrity or Secure Boot, the unsigned driver may be blocked
- The driver binary (
RTCore64.sys) is embedded at compile time via Odin's#loaddirective — no external files needed at runtime - After execution, the driver service and file are automatically cleaned up