In recent years, Windows OS has faced a surge in attacks exploiting kernel drivers, notably targeting AV and EDR systems. The vulnerable Asynchronous Local Procedure Call (ALPC) technology, vital for client-server interactions, lacks essential safeguards, as demonstrated in successful attacks at LABScon 2022 and Ekoparty 2022.
To address ALPC vulnerabilities, we propose ALPChecker, a proactive security tool detecting kernel mode attacks by checking client and server ALPC ports. It plays a critical role in preventing bypassing and disabling of Windows protection tools, ensuring the ongoing integrity of ALPC connections in the Windows operating environment.
The details are here:
- slides: slides.pdf
- github: AnastasiKro/ALPChecker
Kropova, A., Korkin, I. (2023, May 24-27). ALPChecker – Detecting Spoofing and Blinding Attacks. In Proceedings of the Hack In The Box Security Conference (HITBSecConf2023), CommSec Track, Phuket, Thailand, August 21-25, 2023, Retrieved from https://conference.hitb.org/hitbsecconf2023hkt/session/commsec-alpchecker-detecting-spoofing-and-blinding-attacks/
|