ALPC Is In Danger: ALPChecker Detects Spoofing and Blinding

Anastasiia Kropova, Igor Korkin
{"title":"ALPC Is In Danger: ALPChecker Detects Spoofing and Blinding","authors":"Anastasiia Kropova, Igor Korkin","doi":"arxiv-2401.01376","DOIUrl":null,"url":null,"abstract":"The purpose of this study is to evaluate the possibility of implementing an\nattack on ALPC connection in the Windows operating system through the kernel\nwithout closing the connection covertly from programs and the operating system\nand to propose a method of protection against this type of attacks.\nAsynchronous Local Procedure Call technology (ALPC) is used in various Windows\ninformation protection systems, including antivirus systems (AV) and Endpoint\nDetection and Response systems (EDR). To ensure the concealment of malicious\nsoftware, attackers need to disrupt the operation of AV, EDR tools, which in\nturn can be achieved by destructive impact on the components of the ALPC\ntechnology. Examples of such attacks already exist and are covered in this\npaper. To counteract such new threats, it is necessary to advance the\nimprovement of information security systems and the ALPC security research was\nconducted. The most difficult case, Windows kernel driver attack, was\nconsidered. Three attacks on the ALPC connection were carried out, based on\nchanging the ALPC structures in the kernel memory, which led to creation of\nillegitimate connections in the system and the disruption of correct\nconnections. ALPChecker protection tool has been developed. The tool was\nsuccessfully tested on three demonstrated attacks.","PeriodicalId":501333,"journal":{"name":"arXiv - CS - Operating Systems","volume":"87 1","pages":""},"PeriodicalIF":0.0000,"publicationDate":"2023-12-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"arXiv - CS - Operating Systems","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/arxiv-2401.01376","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 0

Abstract

The purpose of this study is to evaluate the possibility of implementing an attack on ALPC connection in the Windows operating system through the kernel without closing the connection covertly from programs and the operating system and to propose a method of protection against this type of attacks. Asynchronous Local Procedure Call technology (ALPC) is used in various Windows information protection systems, including antivirus systems (AV) and Endpoint Detection and Response systems (EDR). To ensure the concealment of malicious software, attackers need to disrupt the operation of AV, EDR tools, which in turn can be achieved by destructive impact on the components of the ALPC technology. Examples of such attacks already exist and are covered in this paper. To counteract such new threats, it is necessary to advance the improvement of information security systems and the ALPC security research was conducted. The most difficult case, Windows kernel driver attack, was considered. Three attacks on the ALPC connection were carried out, based on changing the ALPC structures in the kernel memory, which led to creation of illegitimate connections in the system and the disruption of correct connections. ALPChecker protection tool has been developed. The tool was successfully tested on three demonstrated attacks.
ALPC 处于危险之中ALPChecker 检测欺骗和欺骗行为
本研究的目的是评估通过内核对 Windows 操作系统中的 ALPC 连接实施攻击的可能性,而不从程序和操作系统隐蔽地关闭连接,并提出一种防范此类攻击的方法。异步本地过程调用技术(ALPC)用于各种 Windows 信息保护系统,包括防病毒系统(AV)和端点检测与响应系统(EDR)。为确保隐藏恶意软件,攻击者需要破坏 AV 和 EDR 工具的运行,而这可以通过对 ALPC 技术组件的破坏性影响来实现。此类攻击的例子已经存在,本文将对此进行介绍。为了应对此类新威胁,有必要推进信息安全系统的改进,因此开展了 ALPC 安全研究。研究考虑了最困难的情况,即 Windows 内核驱动程序攻击。通过改变内核内存中的 ALPC 结构,对 ALPC 连接进行了三次攻击,从而在系统中创建了非法连接并破坏了正确的连接。ALPChecker 保护工具已经开发出来。该工具在三次演示攻击中进行了成功测试。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 求助全文
来源期刊
自引率
0.00%
发文量
0
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
确定
请完成安全验证×
copy
已复制链接
快去分享给好友吧!
我知道了
右上角分享
点击右上角分享
0
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术官方微信