# Windows PE (DLL / PPL)

The Windows PE (DLL / PPL) agent is a native Windows implant in Control Pack designed to operate as a DLL-based payload instead of a standalone executable.

<figure><img src="/files/HDa7ZY7RuBAAYwARk5Vi" alt=""><figcaption></figcaption></figure>

It provides two operational modes:

* **DLL + PPL bypass implant**
* **DLL library implant**

Both options focus on executing code from inside an existing process context, rather than launching a separate EXE, helping reduce visibility and improve operational flexibility.

An optional UnHooker binary can also be included to reduce interference from user-mode monitoring.

***

### Agent Types

When generating this agent, Control Pack provides two options under *Agent type*:

#### DLL library implant

This option generates a standard DLL-based implant that can be loaded into a process and executed as a library payload.

This mode is more suitable when:

* A DLL-based implant is required
* PPL-specific behavior is not necessary
* A simpler in-process execution method is sufficient

It still avoids the need to run a visible standalone executable.

#### DLL + PPL bypass implant

This option generates a DLL implant designed to execute in a trusted process context and includes techniques intended to operate in environments where additional protections may be present (such as PPL-related constraints).

This mode is intended for scenarios where:

* Higher trust execution context is desired
* Additional protection mechanisms are expected
* Stealth and stability are more important than simplicity

It is typically used in more advanced scenarios.

***

### Optional UnHooker Binary

When enabled, the generated implant includes an additional component designed to remove user-mode API hooks that may be introduced by:

* Security monitoring tools
* Endpoint protection software
* Instrumentation frameworks

This helps:

* Reduce interference during execution
* Improve stability
* Avoid unexpected behavior caused by hooked APIs

The UnHooker is optional and can be enabled only when needed.

***

### Execution Model

Both implant types follow the same general model:

* The payload is delivered as a **DLL**, not an EXE
* Execution occurs inside an existing process context
* No standalone process needs to be created
* Disk presence and visible artifacts are reduced compared to traditional executables

This makes these implants useful in environments where launching new binaries is undesirable.

###


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://exploit-pack.gitbook.io/exploit-pack-manual-pages/control-pack/windows-pe-dll-ppl.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.