{"id":6790,"date":"2019-09-21T23:07:50","date_gmt":"2019-09-21T23:07:50","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=6790"},"modified":"2019-09-21T23:56:00","modified_gmt":"2019-09-21T23:56:00","slug":"alpc-ports","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2019\/09\/21\/alpc-ports\/","title":{"rendered":"ALPC Ports"},"content":{"rendered":"\n<p>In my <a href=\"https:\/\/www.hexacorn.com\/blog\/2019\/09\/19\/silentprocessexit-quick-look-under-the-hood\/\">post<\/a> about SilentProcessExit I mentioned an ALPC interface. Programs (clients) using this mechanism usually connect to a specific port (addressed via a unique object-manager name), and then exchange messages with the server that created it.<\/p>\n\n\n\n<p>I was curious what other native ALPC ports exist out there apart from <em>WindowsErrorReportingServicePort<\/em>, and this post is an attempt to list as many of them as possible&#8230;<\/p>\n\n\n\n<p>After looking at executables and libraries that reference the <em>ZwAlpcConnectPort<\/em> and <em>NtAlpcConnectPort<\/em> functions, I came up with this list (port name, followed by the files that reference it):<\/p>\n\n\n\n<ul><li><strong>\\WindowsErrorReportingServicePort<\/strong> <ul><li>Faultrep.dll<\/li><li>PsmServiceExtHost.dll<\/li><li>WerFault.exe<\/li><li>audiodg.exe<\/li><li>audiosrv.dll<\/li><li>daxexec.dll<\/li><li>dwmghost.dll<\/li><li>modernexecserver.dll<\/li><li>ntdll.dll<\/li><li>psmsrv.dll<\/li><li>wermgr.exe<\/li><li>werui.dll<\/li><li>win32kfull.sys<\/li><li>winsrvext.dll<\/li><\/ul><\/li><li><strong>\\PdcPort<\/strong> 
<ul><li>AzureSettingSyncProvider.dll<\/li><li>DeviceDirectoryClient.dll<\/li><li>DeviceEnroller.exe<\/li><li>InstallService.dll<\/li><li>LocationFramework.dll<\/li><li>LockController.dll<\/li><li>LockHostingFramework.dll<\/li><li>MusNotification.exe<\/li><li>NcaSvc.dll<\/li><li>NetEvtFwdr.exe<\/li><li>OneDriveSettingSyncProvider.dll<\/li><li>PsmServiceExtHost.dll<\/li><li>SensorService.dll<\/li><li>SettingSyncCore.dll<\/li><li>SettingSyncHost.exe<\/li><li>TpmCoreProvisioning.dll<\/li><li>WPTaskScheduler.dll<\/li><li>Windows.Cortana.OneCore.dll<\/li><li>Windows.Devices.Haptics.dll<\/li><li>Windows.System.SystemManagement.dll<\/li><li>audiosrv.dll<\/li><li>bisrv.dll<\/li><li>cdp.dll<\/li><li>dhcpcore.dll<\/li><li>dhcpcore6.dll<\/li><li>diagtrack.dll<\/li><li>dmcertinst.exe<\/li><li>gpsvc.dll<\/li><li>modernexecserver.dll<\/li><li>moshostcore.dll<\/li><li>ncsi.dll<\/li><li>networkhelper.dll<\/li><li>ngcrecovery.dll<\/li><li>omadmclient.exe<\/li><li>powrprof.dll<\/li><li>qmgr.dll<\/li><li>rdbui.dll<\/li><li>sysmain.dll<\/li><li>termsrv.dll<\/li><li>tetheringservice.dll<\/li><li>twinui.pcshell.dll<\/li><li>ubpm.dll<\/li><li>umpo.dll<\/li><li>updatehandlers.dll<\/li><li>usocore.dll<\/li><li>wbiosrvc.dll<\/li><li>wcmsvc.dll<\/li><li>wer.dll<\/li><li>wifinetworkmanager.dll<\/li><li>wifitask.exe<\/li><li>wpncore.dll<\/li><li>wpnprv.dll<\/li><li>wuaueng.dll<\/li><li>wwansvc.dll<\/li><\/ul><\/li><li><strong>\\BaseNamedObjects\\FontCachePort <\/strong><ul><li>DWrite.dll<\/li><\/ul><\/li><li><strong>\\RPC 
Control\\AutoRotationApiPort<\/strong><ul><li>RotMgr.dll<\/li><\/ul><\/li><li><strong>\\ConsoleInputServerPort<\/strong><ul><li>conhost.exe<\/li><\/ul><\/li><li><strong>\\BaseNamedObjects\\msctf.server<\/strong><ul><li>msctf.dll<\/li><\/ul><\/li><li><strong>\\SmApiPort<\/strong><ul><li>ntdll.dll<\/li><\/ul><\/li><li><strong>\\PowerPort<\/strong><ul><li>umpo.dll<\/li><\/ul><\/li><li><strong>\\SmSsWinStationApiPort<\/strong><ul><li>winsrvext.dll<\/li><\/ul><\/li><\/ul>\n\n\n\n<p>I know there are possibly a few more, but static analysis was not worth the effort for names that are passed through complex sets of arguments\/structures and nested functions. We will eventually figure them out anyway.<\/p>\n\n\n\n<p>There is an interesting bit I came across with regard to the WER port (\\<em>WindowsErrorReportingServicePort<\/em>). It would seem that its name is configurable and is specified by this Registry entry:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote\"><p>HKLM\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ErrorPort=&lt;Port name><\/p><\/blockquote>\n\n\n\n<p>The catch is that some Windows components retrieve that name from the Registry dynamically, while others rely on a hard-coded name. Changing the value therefore only redirects the clients that read it; the rest keep connecting to the hard-coded port&#8230;<\/p>\n\n\n\n<p>Another ALPC server whose port name is configured via the Registry is the WDI ALPC server:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote\"><p>HKLM\\SYSTEM\\CurrentControlSet\\Control\\WDI\\Config<br>ServerName=&lt;Port name><\/p><\/blockquote>\n\n\n\n<p>And that&#8217;s it&#8230; If anything, at least you can use these names in your further research. It is possible that some of these servers don&#8217;t validate the data in the messages they receive, which could lead to new vulnerabilities being discovered. And if not, it&#8217;s always a good thing to know which strings we come across are actually OS-native. 
I think ALPC needs a lot more research and we will hear about more of its issues in the future.<\/p>\n\n\n\n<p>Adding some bits here after posting the main post:<\/p>\n\n\n\n<p>The \\PdcPort is very interesting as many components &#8216;talk to it&#8217;; a quick check confirms that the port is created by the kernel driver pdc.sys.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In my post about SilentProcessExit I mentioned an ALPC interface. Programs (clients) using this mechanism usually connect to a specific port (addressed via a unique name), and then exchange messages with a server. I was curious what other native ALPC &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2019\/09\/21\/alpc-ports\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[67],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/6790"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=6790"}],"version-history":[{"count":6,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/6790\/revisions"}],"predecessor-version":[{"id":6796,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/6790\/revisions\/6796"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=6790"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=6790"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-
json\/wp\/v2\/tags?post=6790"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
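Two things the post above leaves the reader to do by hand: repeat the static pass (find images that name ZwAlpcConnectPort/NtAlpcConnectPort and pair them with the port names they embed, which is how the port-to-files table was built) and check the two Registry-configurable port names (WER ErrorPort, WDI ServerName) against what the binaries hard-code. The script below is an added example, not code from the original post or from Microsoft, and does both. Its assumptions: port-name constants are stored as UTF-16LE object-manager paths whose leaf ends in "Port" or "server" (a heuristic that also catches the post's msctf.server); the connect API name appears as NUL-terminated ASCII (import hint/name table or a GetProcAddress argument); and the set of object directories in which unprivileged users can create named objects (\BaseNamedObjects, \Sessions\..., \RPC Control) is this example's own squatting heuristic. SAMPLE_IMAGES are constructed stand-ins, not real file contents; pass C:\Windows\System32 as the first argument for a real scan.

```python
"""Inventory ALPC port names the way the post does, then audit the two
registry-configured ones.  Offline demo runs on constructed sample images."""
import os
import re
import sys
from collections import defaultdict

# The connect APIs are NUL-terminated ASCII in the import hint/name table
# (or a GetProcAddress argument), so a byte search finds likely ALPC clients.
ALPC_CONNECT_API = re.compile(rb"(?:Nt|Zw)AlpcConnectPort(?:Ex)?\x00")

# UTF-16LE object path: "\component" pieces, each ASCII code unit followed by
# \x00.  '?' and ':' are excluded so "\??\C:\..." file paths drop out.
UTF16_OBJECT_PATH = re.compile(rb"(?:\\\x00(?:[A-Za-z0-9_. ]\x00){1,64})+")
# Heuristic: a port name's leaf ends in "Port" or "server" (e.g. msctf.server).
PORT_LEAF = re.compile(r"(?i)(?:port|server)$")

# Registry values from the post: label -> (HKLM subkey, value name).
REGISTRY_PORT_NAMES = {
    "WER ErrorPort": (r"SOFTWARE\Microsoft\Windows\Windows Error Reporting", "ErrorPort"),
    "WDI ServerName": (r"SYSTEM\CurrentControlSet\Control\WDI\Config", "ServerName"),
}
# Object directories an unprivileged process can create named objects in
# (assumed squatting risk for this example; the root directory "\" is not one).
LOW_PRIV_DIRS = ("\\basenamedobjects\\", "\\sessions\\", "\\rpc control\\")


def references_alpc_connect(data: bytes) -> bool:
    """True if the image names NtAlpcConnectPort / ZwAlpcConnectPort(Ex)."""
    return ALPC_CONNECT_API.search(data) is not None


def find_port_names(data: bytes) -> set:
    """UTF-16LE object paths in `data` whose leaf looks like a port name."""
    names = set()
    for m in UTF16_OBJECT_PATH.finditer(data):
        path = m.group(0).decode("utf-16-le").rstrip()
        if PORT_LEAF.search(path.rsplit("\\", 1)[-1]):
            names.add(path)
    return names


def attribute_ports(images: dict) -> dict:
    """{image: bytes} -> {port name: sorted images}, the shape of the post's table."""
    hits = defaultdict(set)
    for image, data in images.items():
        if references_alpc_connect(data):
            for port in find_port_names(data):
                hits[port].add(image)
    return {port: sorted(files) for port, files in sorted(hits.items())}


def scan_directory(root: str, exts=(".exe", ".dll", ".sys")) -> dict:
    """Read every PE under `root` (e.g. C:\\Windows\\System32) and attribute ports."""
    images = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(exts):
                try:
                    with open(os.path.join(dirpath, fn), "rb") as f:
                        images[fn] = f.read()
                except OSError:
                    pass  # locked or unreadable image: skip it, keep scanning
    return attribute_ports(images)


def audit_configured_port(label: str, observed, hardcoded: dict) -> list:
    """Findings for one registry-configured name.  `observed` is the registry
    string (None if unset); `hardcoded` is attribute_ports() output."""
    if observed is None:
        return [f"{label}: value not set"]
    findings = []
    if not observed.startswith("\\"):
        findings.append(f"{label}: {observed!r} is not an absolute object-manager path")
    if observed not in hardcoded:
        findings.append(f"{label}: {observed!r} matches no name hard-coded in a scanned "
                        "image; only clients that read the registry would follow it")
    if any(observed.lower().startswith(d) for d in LOW_PRIV_DIRS):
        findings.append(f"{label}: {observed!r} is under a directory unprivileged "
                        "users can create objects in (name squatting risk)")
    return findings


def read_registry_string(subkey: str, value: str):
    """HKLM string value, or None if the key/value is absent.  Windows only."""
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
            data, kind = winreg.QueryValueEx(key, value)
    except FileNotFoundError:
        return None
    return str(data) if kind in (winreg.REG_SZ, winreg.REG_EXPAND_SZ) else None


def u16(s: str) -> bytes:
    """UTF-16LE plus terminator, as a compiler stores a wide-string constant."""
    return s.encode("utf-16-le") + b"\x00\x00"


# Constructed stand-ins for real images (not actual file contents).
SAMPLE_IMAGES = {
    "werfault.exe": b"NtAlpcConnectPort\x00" + u16("\\WindowsErrorReportingServicePort")
                    + u16("\\??\\C:\\Windows\\System32\\portcls.sys"),  # a file path, not a port
    "rotmgr.dll": b"ZwAlpcConnectPortEx\x00" + u16("\\RPC Control\\AutoRotationApiPort"),
    "bystander.dll": u16("\\PdcPort"),  # embeds a name but never names the connect API
}

if __name__ == "__main__":
    table = scan_directory(sys.argv[1]) if len(sys.argv) > 1 else attribute_ports(SAMPLE_IMAGES)
    for port, files in table.items():
        print(port, "<-", ", ".join(files))
    if os.name == "nt":  # the registry audit only makes sense on the host being scanned
        for label, (subkey, value) in REGISTRY_PORT_NAMES.items():
            for line in audit_configured_port(label, read_registry_string(subkey, value), table):
                print(line)
```

Names that are built at runtime or passed through structures are missed, exactly the gap the post mentions, so an empty entry is not proof that no client connects to a port. The registry audit only reports discrepancies: an ErrorPort value that no scanned image hard-codes means the registry-reading WER clients and the hard-coded ones are talking to different ports, and a value under a user-creatable directory is worth investigating as a squatting target.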