
ALPC events

Status: Open. rabbitstack opened this issue 5 years ago • 0 comments

Description

ALPC is the Windows internal messaging system. ALPC is frequently utilized by malware actors to inject shellcode into benign processes. If we could get visibility into the ALPC message flow, that would allow surfacing ALPC indicators of compromise. The NT Kernel Logger ETW provider permits gathering the ALPC events; however, the event parameters are vague and not really useful. For example, we can't get the content of the ALPC message, just its identifier. The following ALPC events are produced by the NT Kernel Logger:

  • Send Message
  • Receive Message
  • Wait For Reply
  • Wait For New Message
  • Unwait

We could probably have the following ALPC events in Fibratus:

  • AlpcSend with message_id parameter. I'm not sure if we could get anything meaningful from this parameter without peeking into kernel space. ALPC port name?
  • AlpcRecv with message_id and source_pid parameters. Anything else that we could dig out?

Prior art

rabbitstack, Dec 03 '20 14:12
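As an added example (not Fibratus code, and not from the issue author), here is one way the proposed AlpcSend/AlpcRecv parameters could be consumed once emitted: a Go correlator that pairs sends with receives by message_id and surfaces flows that cross a process boundary, plus receives with no matching send. The struct shape, the sample events and the use of 0 for an absent source_pid are assumptions made for this example.

```go
package main

import "fmt"

// AlpcEvent models the two event types proposed in the issue. The event
// names and the message_id / source_pid parameters follow the proposal;
// this Go shape is an assumption for the example, not a Fibratus type.
type AlpcEvent struct {
	Kind      string // "AlpcSend" or "AlpcRecv"
	PID       uint32 // process that emitted the event
	MessageID uint32 // message_id parameter
	SourcePID uint32 // AlpcRecv only: source_pid parameter (0 = not reported)
}

// Flow is a send/receive pair correlated by message_id.
type Flow struct {
	SenderPID, ReceiverPID, MessageID uint32
}

// CorrelateFlows pairs each AlpcSend with the next AlpcRecv carrying the
// same message_id. It returns the pairs whose sender and receiver differ
// (the cross-process flows worth surfacing) and the receives for which no
// send was observed (a gap in visibility rather than an indicator by itself).
func CorrelateFlows(events []AlpcEvent) (cross []Flow, orphans []AlpcEvent) {
	pending := map[uint32]AlpcEvent{} // message_id -> unmatched send
	for _, ev := range events {
		switch ev.Kind {
		case "AlpcSend":
			pending[ev.MessageID] = ev
		case "AlpcRecv":
			send, ok := pending[ev.MessageID]
			if !ok {
				orphans = append(orphans, ev)
				continue
			}
			delete(pending, ev.MessageID)
			if send.PID != ev.PID {
				cross = append(cross, Flow{send.PID, ev.PID, ev.MessageID})
			}
		}
	}
	return cross, orphans
}

// SampleEvents is a constructed event stream: one cross-process exchange,
// one exchange inside a single process, and one receive with no send.
func SampleEvents() []AlpcEvent {
	return []AlpcEvent{
		{Kind: "AlpcSend", PID: 1234, MessageID: 7},
		{Kind: "AlpcRecv", PID: 5678, MessageID: 7, SourcePID: 1234},
		{Kind: "AlpcSend", PID: 4321, MessageID: 8},
		{Kind: "AlpcRecv", PID: 4321, MessageID: 8, SourcePID: 4321},
		{Kind: "AlpcRecv", PID: 777, MessageID: 99},
	}
}

func main() {
	cross, orphans := CorrelateFlows(SampleEvents())
	fmt.Printf("cross-process flows: %+v\norphan receives: %+v\n", cross, orphans)
}
```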