Join GitHub today
GitHub is home to over 50 million developers working together to host and review code, manage projects, and build software together.
Sign upGitHub is where the world builds software
Millions of developers and companies build, ship, and maintain their software on GitHub — the largest and most advanced development platform in the world.
Description
ALPC is the Windows internal messaging system. ALPC is frequently utilized by malware actors to inject shellcode into benign processes. If we could get the visibility into ALPC message flow, that would allow surfacing the ALPC indicators of compromise. The NT Kernel Logger ETW provider permits gathering the ALPC events, however, the event parameters are vague and not really useful. For example, we can't get the content of the ALPC message, just its identifier. The following APC events are produced by the NT Kernel Logger:
We could probably have the following ALPC events in Fibratus:
AlpcSendwithmessage_idparameter. I'm not sure if we could get anything meaningful from this parameter without peeking into kernel space. ALPC port name?AlpcRecvwithmessage_idandsource_pidparameters. Anything else that we could dig?Prior art