COMMSEC: ALPChecker – Detecting Spoofing and Blinding Attacks

Date

August 24, 2023

Time

12:30

Track

CommSec Track

In recent years, there has been a significant increase in the number of attacks on the Windows operating system carried out using kernel drivers. A current trend is attacks targeting AV/EDR systems. One vector of such attacks targets the Asynchronous Local Procedure Call (ALPC) technology. The Windows client-server ALPC mechanism is not protected from this type of attack.

ALPC is a fast, powerful inter-process communication facility that is used very extensively within the Windows operating system. To date, there are no security instruments to protect the ALPC mechanism and control the integrity of ALPC structures.

At the LABScon 2022 and Ekoparty 2022 conferences, Binarly Team researchers demonstrated attacks on the ALPC connection that led to termination of the ALPC connection without triggering a security alert. As a result, Windows management and security tools were blinded and stopped receiving information about system events.

In this research we have demonstrated that an ALPC connection can be attacked using kernel drivers without closing the connection, unnoticed by programs and the operating system. Three new spoofing and blinding kernel attacks on ALPC were carried out. The presented attacks were based on patching ALPC port structures in kernel memory. These attacks result in spoofing and blinding the corresponding ALPC connections without triggering any security reaction, such as a BSOD from PatchGuard. Although the attacked ALPC connection is not closed, input-output data cannot be transferred through it.

We propose a new security tool named ALPChecker. ALPChecker is designed to detect kernel mode attacks on the ALPC interaction. ALPChecker is written in Python and uses livekd with the livekdd.sys driver in order to run in user mode while collecting and analyzing kernel mode information. The detection technique for suspicious ALPC connections is based on comparing the client-side and server-side ALPC information of the same connection in the system. If the ALPC connection is intact, the client and server will hold the same information about the ALPC port structures; a mismatch indicates that the port structures have been tampered with. ALPChecker successfully detected all three attacks and showed a security warning. The tool will help to eliminate the possibility of bypassing and disabling Windows protection tools through attacks on ALPC and prevent a violation of the information security of the system.

Bachelor Student

Department of Cryptology and Cybersecurity, MEPhI

I am a MEPhI bachelor student in the Department of Cryptology and Cybersecurity. I study Windows interprocess communication security, in particular the ALPC mechanism. I am engaged in the development of new security solutions for Linux and Windows operating systems.

Independent Security Researcher

Independent

Igor Korkin, Ph.D. is a security researcher from Moscow, Russia. He has been in cybersecurity for about 10 years, working on various areas related to rootkit detection, memory forensics, and Windows OS kernel security. He enjoys applying both academic knowledge and practical expertise to make computer systems secure and reliable. In his thesis, he carried out cross-disciplinary research to detect hidden hardware-based hypervisors. He is keen on responding to real-world challenges. His research results were presented at EKOPARTY 2022 (Argentina), ROOTCON 2022 (Philippines), LABScon 2022 (USA), BlackHat 2022 (USA), BlackHat 2021 (UK), Texas Cyber Summit 2021 (USA), IEEE SP SADFE 2021 (USA), HITB 2020 (Singapore), BlackHat 2018 (UK), REcon 2016 (Canada), seven ADFSL conferences 2014-2022 (USA), and RusCrypto 2011 (Russia).