Date

March 16, 2024

Time

10:38

Track

Track 1

ALPChecker – Detecting Spoofing and Blinding Attacks

Founder

Flysmart Digi

Independent Security Researcher

In recent years there has been a significant increase in the number of attacks on the Windows operating system carried out with kernel drivers, and a growing share of them target AV/EDR systems. One such vector targets Asynchronous Local Procedure Call (ALPC), the client-server inter-process communication mechanism of Windows, which has no protection against this type of attack.

ALPC is a fast and powerful inter-process communication facility that is used very extensively within the Windows operating system. To date there are no security instruments that protect the ALPC mechanism or control the integrity of ALPC structures.

At the LABScon 2022 and Ekoparty 2022 conferences, researchers from the Binarly team demonstrated attacks on ALPC connections that terminated the connection without triggering a security alert. As a result, Windows management and security tools were blinded and stopped receiving information about system events.

In this research we demonstrate that an ALPC connection can be attacked from a kernel driver without closing it, unnoticed by both the communicating programs and the operating system. Three new spoofing and blinding kernel attacks on ALPC were carried out; all of them are based on patching ALPC port structures in kernel memory. They spoof or blind the corresponding ALPC connection without triggering any security reaction, such as a PatchGuard BSOD. Although the attacked connection is not closed, no input or output data can be transferred through it.

We propose a new security tool named ALPChecker, designed to detect kernel-mode attacks on ALPC interaction. ALPChecker is written in Python and uses LiveKd with its livekdd.sys driver, so that it runs in user mode but collects and analyzes kernel-mode information. Suspicious connections are detected by comparing the client-side and server-side ALPC information of the same connection: if the connection is intact, the client and the server hold the same information about the ALPC port structures. ALPChecker successfully detected all three attacks and raised a security warning. The tool helps eliminate the possibility of bypassing or disabling Windows protection tools through attacks on ALPC, and so prevents a compromise of the system's information security.
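As an added illustration of the cross-check described above (example code written for this page, not ALPChecker's own source): the snippet models the two communication ports of one ALPC connection and the CommunicationInfo block they share, then verifies from each end that the peer names it back and that the connection port belongs to the server's process. The field names follow the public kernel symbols nt!_ALPC_PORT and nt!_ALPC_COMMUNICATION_INFO; the simplified layout (one shared block per connection, connection ports carrying none), the addresses and pids, and the two tampered snapshots are constructed assumptions and do not reproduce the three attacks from the talk. Reading the live structures through LiveKd is left out.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class CommunicationInfo:
    """Subset of nt!_ALPC_COMMUNICATION_INFO (field names from the public symbols)."""
    connection_port: int            # ConnectionPort
    server_communication_port: int  # ServerCommunicationPort
    client_communication_port: int  # ClientCommunicationPort


@dataclass(frozen=True)
class AlpcPort:
    """Subset of nt!_ALPC_PORT: address, owning process and CommunicationInfo pointer."""
    address: int
    owner_pid: int
    communication_info: int  # 0 marks a connection port in this simplified model (assumption)


def check_port(port: AlpcPort, ports: dict[int, AlpcPort],
               infos: dict[int, CommunicationInfo]) -> list[str]:
    """Compare what this port says about its peer with what the peer says about it."""
    findings: list[str] = []
    ci = infos.get(port.communication_info)
    if ci is None:
        return [f"{port.address:#x}: CommunicationInfo {port.communication_info:#x} does not resolve"]
    # Work out which end of the connection this port is, from the shared block's own pointers.
    if port.address == ci.server_communication_port:
        role, peer_addr = "server", ci.client_communication_port
    elif port.address == ci.client_communication_port:
        role, peer_addr = "client", ci.server_communication_port
    else:
        return [f"{port.address:#x}: its CommunicationInfo names neither end as this port"]
    # The peer must exist and must point at the very same CommunicationInfo block.
    peer = ports.get(peer_addr)
    if peer is None:
        findings.append(f"{port.address:#x} ({role}): peer {peer_addr:#x} is not a known port")
    elif peer.communication_info != port.communication_info:
        findings.append(f"{port.address:#x} ({role}): peer {peer_addr:#x} uses a different "
                        f"CommunicationInfo ({peer.communication_info:#x})")
    # The connection port the pair hangs off must exist and be owned by the server's process.
    conn = ports.get(ci.connection_port)
    if conn is None:
        findings.append(f"{port.address:#x} ({role}): connection port {ci.connection_port:#x} is unknown")
    elif role == "server" and conn.owner_pid != port.owner_pid:
        findings.append(f"{port.address:#x} (server): connection port owned by pid {conn.owner_pid}, "
                        f"server port by pid {port.owner_pid}")
    return findings


def check_snapshot(ports: dict[int, AlpcPort], infos: dict[int, CommunicationInfo]) -> list[str]:
    """Run the cross-check over every communication port in a memory snapshot; [] means all agree."""
    findings: list[str] = []
    for port in ports.values():
        if port.communication_info:  # connection ports are skipped (model simplification)
            findings.extend(check_port(port, ports, infos))
    return findings


# Constructed sample addresses and pids; not taken from a real system.
CONN, SRV, CLI = 0xFFFF8000_0001_0000, 0xFFFF8000_0002_0000, 0xFFFF8000_0003_0000
CI = 0xFFFF8000_0000_0100
SVC_PID, CLIENT_PID, ROGUE_PID = 1234, 5678, 9999


def healthy_snapshot():
    """Intact connection: both communication ports point to one block that names them both."""
    infos = {CI: CommunicationInfo(CONN, SRV, CLI)}
    ports = {CONN: AlpcPort(CONN, SVC_PID, 0),
             SRV: AlpcPort(SRV, SVC_PID, CI),
             CLI: AlpcPort(CLI, CLIENT_PID, CI)}
    return ports, infos


def spoofed_snapshot():
    """Constructed tampering: the client's CommunicationInfo pointer is swung to a block whose
    server port belongs to another process; the real server still believes it is connected."""
    ports, infos = healthy_snapshot()
    rogue_ci, rogue_srv = 0xFFFF8000_0000_0200, 0xFFFF8000_0004_0000
    infos[rogue_ci] = CommunicationInfo(CONN, rogue_srv, CLI)
    ports[rogue_srv] = AlpcPort(rogue_srv, ROGUE_PID, rogue_ci)
    ports[CLI] = AlpcPort(CLI, CLIENT_PID, rogue_ci)
    return ports, infos


def blinded_snapshot():
    """Constructed tampering: ClientCommunicationPort in the shared block is zeroed, so the
    server no longer knows where to deliver and the client is named by nobody."""
    ports, infos = healthy_snapshot()
    infos[CI] = CommunicationInfo(CONN, SRV, 0)
    return ports, infos


if __name__ == "__main__":
    for name, snap in (("healthy", healthy_snapshot()),
                       ("spoofed", spoofed_snapshot()),
                       ("blinded", blinded_snapshot())):
        print(name, check_snapshot(*snap) or ["OK: client and server agree"])
```

In a real run the snapshot would be filled from the output of `dt nt!_ALPC_PORT <addr>` and `dt nt!_ALPC_COMMUNICATION_INFO <addr>` under LiveKd. The point of walking the check from both ends is that a pointer patched on one side of the connection still shows up as a disagreement when viewed from the other side, which is exactly the client-versus-server comparison the abstract relies on.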