BOOL ProcessIsAMPPL()

in PPLGuardDll/dllexploit.cpp [450:468]


// Reports whether the process referred to by hProcess is an antimalware
// protected process light (AM-PPL).
//
// The protection level is read with NtQueryInformationProcess
// (ProcessProtectionInformation) and both fields must match: Signer equal to
// PsProtectedSignerAntimalware and Type equal to PsProtectedTypeProtectedLight.
//
// Parameters:
//   hProcess - handle to the process to inspect; it is passed unchanged to
//              NtQueryInformationProcess and is not closed here.
//
// Returns:
//   A non-zero value when the process is AM-PPL, FALSE otherwise.
//
// NOTE(review): FALSE is also returned when the query itself fails, so a
// caller cannot tell "not AM-PPL" apart from "protection level could not be
// read" (for example a handle without sufficient access). Code that makes a
// trust decision on this result should treat FALSE as "unknown", not as proof
// that the process is unprotected.
BOOL ProcessIsAMPPL(HANDLE hProcess)
{
    PS_PROTECTION psProtection = { 0, };
    ULONG cbReturned = 0;

    const NTSTATUS queryStatus = NtQueryInformationProcess(
        hProcess,
        ProcessProtectionInformation,
        &psProtection,
        sizeof(psProtection),
        &cbReturned);

    // Query failure is folded into the negative answer (see NOTE above).
    if (!NT_SUCCESS(queryStatus))
    {
        return FALSE;
    }

    // Signer and type are checked separately: a different signer, or a full
    // (non-light) protected process, does not count as AM-PPL.
    if (PsProtectedSignerAntimalware != psProtection.Signer)
    {
        return FALSE;
    }

    return PsProtectedTypeProtectedLight == psProtection.Type;
}