ALPC Logger is an open-source security tool developed by Windows internals expert Pavel Yosifovich (zodiacon) that tracks Advanced Local Procedure Call (ALPC) activity across the Windows operating system.
ALPC is the fast, undocumented internal communication system that powers standard Windows mechanisms like RPC, COM, and WMI. Because malware frequently abuses ALPC to inject code or escalate privileges, security analysts use ALPC Logger to uncover hidden indicators of compromise and trace exactly which process triggered a specific local call.

How ALPC Logger Works Under the Hood
The tool uses Event Tracing for Windows (ETW) to capture ALPC events natively from the kernel. It asks the operating system to start a kernel trace session with the EVENT_TRACE_FLAG_ALPC enable flag set, which makes the kernel emit an event for each ALPC send, receive and wait operation. Because it consumes the kernel's own event stream, it observes these high-speed messages without installing API hooks or modifying any running system files.

Steps to Use ALPC Logger
Because starting a kernel-level trace session is a privileged operation, you must run the tool from an elevated (administrator) context. The source is published in the zodiacon/ALPCLogger repository on GitHub.
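As an added example, not code from the ALPC Logger project, the following PowerShell script reproduces the tool's data source with the inbox logman and tracerpt utilities: it checks for the elevation the kernel logger requires, starts the NT Kernel Logger with the alpc keyword (logman's name for EVENT_TRACE_FLAG_ALPC) on the Windows Kernel Trace provider, records for a few seconds, stops the session and summarises the captured ALPC event types. The output file names and the 10-second duration are assumptions.

```powershell
# Added example (not ALPC Logger's own code): reproduce the tool's data source from an
# elevated PowerShell session by starting the NT Kernel Logger with the ALPC and process
# keywords enabled, recording briefly, then summarising what was captured.
# Assumes Windows 10/11 with the inbox logman.exe and tracerpt.exe tools.

$ErrorActionPreference = 'Stop'

# Kernel trace sessions are privileged; fail early with a clear message instead of an
# access-denied error from logman.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]::new($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Start this script from an elevated (Run as administrator) PowerShell session.'
}

# Assumed values: recording length and output paths.
$seconds = 10
$etl     = Join-Path $env:TEMP 'alpc-trace.etl'
$xml     = Join-Path $env:TEMP 'alpc-trace.xml'
$summary = Join-Path $env:TEMP 'alpc-summary.txt'

# Only one "NT Kernel Logger" session may exist at a time; stop a stale one if present.
logman query 'NT Kernel Logger' -ets *> $null
if ($LASTEXITCODE -eq 0) { logman stop 'NT Kernel Logger' -ets *> $null }

# 'alpc' is the logman keyword for EVENT_TRACE_FLAG_ALPC (0x100000) on the
# "Windows Kernel Trace" provider; 'process' is added so PIDs in the trace can be
# mapped to image names. The parentheses are quoted so PowerShell passes them literally.
logman start 'NT Kernel Logger' -p 'Windows Kernel Trace' '(alpc,process)' -o $etl -ets *> $null
if ($LASTEXITCODE -ne 0) { throw "logman failed to start the kernel logger (exit $LASTEXITCODE)." }

try {
    Write-Host "Recording ALPC activity for $seconds seconds..."
    Start-Sleep -Seconds $seconds
}
finally {
    # Always stop the session, otherwise it keeps logging after the script exits.
    logman stop 'NT Kernel Logger' -ets *> $null
}

# tracerpt decodes the binary .etl and writes a per-event-type count to the summary file.
tracerpt $etl -o $xml -of XML -summary $summary -y *> $null

# Show just the ALPC rows of the summary (send, receive, wait-for-reply, ...).
Write-Host "Trace written to $etl; ALPC event counts:"
Select-String -Path $summary -Pattern 'ALPC' | ForEach-Object { $_.Line }
```

ALPC Logger does the same work in-process: it starts the session itself and consumes the events live rather than writing an .etl file. The recorded file produced here is the form you would keep for later triage, and the XML written alongside it contains the per-event process and thread identifiers that let you attribute a specific ALPC call to the process that issued it.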