Title: ALPC Is In Danger: ALPChecker Detects Spoofing and Blinding
Authors: Anastasiia Kropova, Igor Korkin
Journal: arXiv - CS - Operating Systems, volume 87 1
Publication date: 2023-12-30
DOI: arxiv-2401.01376 (https://doi.org/arxiv-2401.01376)
Citation count: 0
Abstract
The purpose of this study is to evaluate the possibility of attacking an ALPC connection in the Windows operating system through the kernel, covertly with respect to programs and the operating system and without closing the connection, and to propose a method of protection against this type of attack. Asynchronous Local Procedure Call (ALPC) technology is used in various Windows information protection systems, including antivirus (AV) and Endpoint Detection and Response (EDR) systems. To conceal malicious software, attackers need to disrupt the operation of AV and EDR tools, which in turn can be achieved by a destructive impact on the components of the ALPC technology. Examples of such attacks already exist and are covered in this paper. To counteract such new threats, information security systems must be improved, and ALPC security research was conducted for that purpose. The most difficult case, an attack by a Windows kernel driver, was considered. Three attacks on the ALPC connection were carried out, based on modifying the ALPC structures in kernel memory, which led to the creation of illegitimate connections in the system and the disruption of correct connections. The ALPChecker protection tool has been developed. The tool was successfully tested on the three demonstrated attacks.