(Inter-Process Communication)
Search ASCII (WinDbg)
s -a 0 L?ffffffff "TARGET"    (search from address 0 across the full 32-bit range for the ASCII string "TARGET"; the L? prefix lifts the usual range-size limit)
da <ADDRESS>                  (dump the ASCII string at a hit address returned by the search)
Common IPC channels in Windows malware
| IPC Type | Example | Malware Usage | Detection |
|---|---|---|---|
| Named Pipes | \\.\pipe\abc | token theft, beacon child comms, potato exploits | \\.\pipe\, CreateNamedPipe, ConnectNamedPipe |
| Shared Memory | CreateFileMapping, MapViewOfFile | shellcode exchange, injected buffers, config sharing | CreateFileMapping, MapViewOfFile, OpenFileMapping |
| Mutex | Global\abc | single instance control, infection guard | Global\, CreateMutex, OpenMutex |
| Events | CreateEvent, SetEvent | thread/process signaling | CreateEvent, OpenEvent, SetEvent |
| COM | COM CLSIDs / COM objects | stealth execution, lateral COM abuse | CoCreateInstance, CLSID strings, IUnknown |
| RPC | RPC endpoint binding | service interaction, remote control | RpcBinding, RpcStringBinding |
| ALPC | native Windows IPC | advanced native malware | NtAlpc, ZwAlpc |
| Localhost Sockets | 127.0.0.1:xxxx | local proxying, staged loaders | 127.0.0.1, localhost, bind, connect |
| Clipboard / Temp Files | temp file exchange | crude staging | %TEMP%, .tmp, repeated file writes |
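As an added example (not part of these notes), the script below automates the two steps the notes combine: it pulls printable ASCII and UTF-16LE strings out of a file or memory dump, much like the WinDbg `s -a` search, and then matches every string against the Detection column of the table above, reporting which IPC channels a sample appears to use. The `IPC_INDICATORS` table is transcribed from the page; the GUID-shaped pattern used for "CLSID strings", the `SAMPLE` byte blob, and the pipe and mutex names inside it are constructed for the demo. "repeated file writes" is a behavioural indicator with no string form and is left out.

```python
"""IPC indicator triage over strings extracted from a Windows sample.

Added example (not from the original notes). Mirrors the WinDbg `s -a`
ASCII search by extracting printable strings from a byte blob, then
matches them against the IPC indicator table from the notes.
"""
import re
from typing import Dict, List

# Indicator strings transcribed from the table, expressed as regexes.
# The GUID-shaped pattern standing in for "CLSID strings" is my own
# assumption; "repeated file writes" has no string form and is omitted.
IPC_INDICATORS: Dict[str, List[str]] = {
    "Named Pipes": [r"\\\\\.\\pipe\\", r"CreateNamedPipe", r"ConnectNamedPipe"],
    "Shared Memory": [r"CreateFileMapping", r"MapViewOfFile", r"OpenFileMapping"],
    "Mutex": [r"Global\\", r"CreateMutex", r"OpenMutex"],
    "Events": [r"CreateEvent", r"OpenEvent", r"SetEvent"],
    "COM": [r"CoCreateInstance", r"IUnknown",
            r"\{[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\}"],
    "RPC": [r"RpcBinding", r"RpcStringBinding"],
    "ALPC": [r"NtAlpc", r"ZwAlpc"],
    # bind/connect are weak on their own; \b keeps them from firing on
    # names such as ConnectNamedPipe, which already belong to another row.
    "Localhost Sockets": [r"127\.0\.0\.1", r"localhost", r"\bbind\b", r"\bconnect\b"],
    "Clipboard / Temp Files": [r"%TEMP%", r"\.tmp\b"],
}

COMPILED = {
    ipc: [re.compile(p, re.IGNORECASE) for p in pats]
    for ipc, pats in IPC_INDICATORS.items()
}

# Runs of at least four printable characters, narrow (ASCII) and wide (UTF-16LE).
ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def extract_strings(data: bytes) -> List[str]:
    """Return printable ASCII strings followed by UTF-16LE strings found in data."""
    found = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in WIDE_RE.finditer(data)]
    return found


def classify_ipc(strings: List[str]) -> Dict[str, List[str]]:
    """Map each IPC type from the table to the extracted strings hitting its indicators."""
    report: Dict[str, set] = {}
    for s in strings:
        for ipc, pats in COMPILED.items():
            if any(p.search(s) for p in pats):
                report.setdefault(ipc, set()).add(s)
    # Sorted lists make the output stable for diffing between samples.
    return {ipc: sorted(hits) for ipc, hits in report.items()}


def triage(data: bytes) -> Dict[str, List[str]]:
    """Full pipeline: raw bytes -> strings -> per-IPC-type hit lists."""
    return classify_ipc(extract_strings(data))


# Constructed sample: not a real binary, only a byte blob carrying the kind
# of import names and IPC object names a loader leaves behind in memory.
# The wide string is padded with two NULs on each side so the UTF-16 scan
# does not glue the trailing byte of the previous ASCII string onto it.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"CreateNamedPipeA\x00ConnectNamedPipe\x00"
    + b"\\\\.\\pipe\\example_ipc\x00"
    + b"CreateMutexW\x00\x00"
    + "Global\\ExampleGuard".encode("utf-16-le") + b"\x00\x00"
    + b"CreateFileMappingW\x00MapViewOfFile\x00"
    + b"127.0.0.1\x00"
    + b"GetProcAddress\x00LoadLibraryA\x00"  # noise, not IPC indicators
)

if __name__ == "__main__":
    for ipc, hits in triage(SAMPLE).items():
        print(f"{ipc}: {', '.join(hits)}")
```

To use it on real input, read the dump or file with `open(path, "rb").read()` and pass the bytes to `triage()`. Treat the Localhost Sockets row as a hint rather than a verdict, since `bind` and `connect` also appear in benign networking code; the named pipe, mutex and mapping rows are the ones worth pivoting on in the debugger with `da` at the matching address.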