Why should I care?
ALPC is a replacement LPC subsystem on Windows since around Vista. RPC, DCOM, a whole lot of custom ‘raw’ endpoints and even things like DHCP and DNS resolution run on top of it. Every single Windows process talks ALPC. Although ALPC connections can be secured by access control lists, this is rarely done in practice. So, long story short, if you control ANY process you can connect and send messages to at least one SYSTEM privileged target, bypassing any RPC bind/accept.
What do I get?
A programmer’s tour of the undocumented ntdll API, and then a whole bunch of tools:
– Basic ALPC client / server echo ( good learning source )
– Send / Recv to any open ALPC port using JSONRPC ( language agnostic )
– Monitor messages received by any process
– Map all ALPC connections on your system with pretty graphs
– Dump the destination ports of a process by PID and UID ( great for targeting )
– MitM fuzz any ALPC connection
Who should attend?
Programmers.
