CCS2025

Needle in a Haystack: Automated and Scalable Vulnerability Hunting in the Windows ALPC Sea

Haoyi Liu, Feng Dong, Yunpeng Tian, Mu Zhang, Xuefeng Li, Fangming Gu, Zhiniang Peng, Haoyu Wang

Abstract

Windows services that expose Remote Procedure Call (RPC) and Component Object Model (COM) interfaces over the underlying Advanced Local Procedure Call (ALPC) transport present a significant attack surface. Previous research, however, has largely focused on known vulnerability patterns or required time-consuming manual reverse engineering, which hinders scalable vulnerability discovery. We developed a tool that automates and scales the fuzzing of ALPC communications. It uses a record-and-replay strategy: it captures live, system-wide ALPC traffic and replays mutated payloads directly at the ALPC layer, removing the per-interface manual harness preparation that limits conventional fuzzers. It further integrates dedicated detection techniques for information-leakage vulnerabilities, which crash-centric fuzzers often miss. Evaluating the tool across several Windows versions, we discovered 12 vulnerabilities confirmed by Microsoft, 10 of which have already been assigned CVE numbers.
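The abstract names the two ingredients of the approach, replaying mutated captured messages and a non-crash signal for information leaks, without showing either. The following is an added illustration written for this page, not the paper's tool and not real ALPC code: the message layout, the simulated service, the mutator and the leak heuristic (a deterministic handler must answer identical replays identically, so reply bytes that vary between replays are candidate uninitialised-memory disclosures) are all assumptions made here for demonstration.

```python
"""
Added illustration of record-and-replay fuzzing with a differential
information-leak check.  Everything is constructed: the 'captured' request,
the message layout, the simulated service and the leak heuristic.  None of
it is the paper's implementation or the real ALPC PORT_MESSAGE format.
"""
import random
import struct

# Assumed stand-in layout for a captured request: data_len, total_len, message_id.
HEADER = struct.Struct("<HHI")


def build_request(message_id: int, payload: bytes) -> bytes:
    return HEADER.pack(len(payload), HEADER.size + len(payload), message_id) + payload


# Constructed 'recorded' seed message, standing in for one live ALPC capture.
CAPTURED_REQUEST = build_request(0x1001, b"\x01\x00\x00\x00" + b"A" * 12)


def mutate(msg: bytes, rng: random.Random) -> bytes:
    """Byte-level mutation of the payload; the header is rebuilt so length
    fields stay consistent and the message still reaches the handler."""
    header, payload = msg[:HEADER.size], bytearray(msg[HEADER.size:])
    msg_id = HEADER.unpack(header)[2]
    strategy = rng.choice(["flip", "insert", "truncate"])
    if strategy == "flip" and payload:
        i = rng.randrange(len(payload))
        payload[i] ^= 1 << rng.randrange(8)
    elif strategy == "insert":
        i = rng.randrange(len(payload) + 1)
        payload[i:i] = bytes([rng.randrange(256)])
    else:
        payload = payload[: rng.randrange(len(payload) + 1)]
    return HEADER.pack(len(payload), HEADER.size + len(payload), msg_id) + bytes(payload)


_alloc_counter = 0  # models changing stale heap contents between allocations


def simulated_service(request: bytes) -> bytes:
    """Constructed target: returns a 16-byte reply whose last 4 bytes are
    never initialised, like a struct copied to the client with stale padding."""
    global _alloc_counter
    _alloc_counter += 1
    msg_id = HEADER.unpack_from(request)[2]
    reply = bytearray(16)
    struct.pack_into("<I", reply, 0, msg_id)
    struct.pack_into("<I", reply, 4, len(request))
    reply[8:12] = b"\x00" * 4
    # Stand-in for stale memory: differs on every allocation.
    reply[12:16] = bytes((_alloc_counter * k) & 0xFF for k in (1, 3, 5, 7))
    return bytes(reply)


def find_leaky_offsets(service, request: bytes, replays: int = 8) -> set:
    """Replay one identical request several times and report reply byte
    offsets whose value changes.  A deterministic handler should answer the
    same request identically, so varying bytes are candidate leaks."""
    replies = [service(request) for _ in range(replays)]
    width = min(len(r) for r in replies)
    return {i for i in range(width) if len({r[i] for r in replies}) > 1}


def fuzz(service, seed_request: bytes, iterations: int = 200, seed: int = 1) -> dict:
    """Record-and-replay loop: mutate the captured seed, replay it, and keep
    both crash findings and leak findings."""
    rng = random.Random(seed)
    findings = {}
    for _ in range(iterations):
        case = mutate(seed_request, rng)
        try:
            leaky = find_leaky_offsets(service, case)
        except Exception as exc:  # an exception in the handler is a crash finding
            findings.setdefault("crash", []).append((case, repr(exc)))
            continue
        if leaky:
            findings.setdefault("leak", []).append((case, sorted(leaky)))
    return findings


if __name__ == "__main__":
    print("leaky offsets in seed reply:", sorted(find_leaky_offsets(simulated_service, CAPTURED_REQUEST)))
    print("findings:", {k: len(v) for k, v in fuzz(simulated_service, CAPTURED_REQUEST, 50).items()})
```

Against a real service the same heuristic needs a mask for fields that legitimately vary between calls (timestamps, handle values, sequence numbers), otherwise every reply looks leaky; the practical check is whether the varying bytes sit in padding or in a region the handler never wrote, which is what a crash-only oracle cannot see.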