Question

I am trying to figure out the messages being used on a specific ALPC port in Windows 7, and since it doesn't seem like there is any place where the ports' messages are documented, only the actual ports themselves, I would like to listen in on certain ports and view the messages being sent to the port.

Does anyone have any idea how this can be done?

Solution

ALPC calls are intended to be fast, so there aren't a lot of interception points. Your best bets are:

  1. Enable ETW kernel logging and monitor the message flows with the ALPC class (strongly recommended)
  2. Hack around with the Detours library. I don't recommend this, as it's a global solution, and doesn't let you look at specific ports. If you need to deploy the solution, it's even worse.
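
The ETW route from option 1, as an added example that is not part of the original answer: it starts the NT Kernel Logger with only the ALPC keyword enabled, decodes the trace with the in-box tracerpt tool, and filters the decoded events for a port name. Run it from an elevated prompt. The output paths, the 10-second capture window and the `$portFilter` substring are assumptions for illustration; the only facts it relies on are that logman exposes the kernel ALPC flag as the `alpc` keyword of the "Windows Kernel Trace" provider (on Windows 7 and later) and that tracerpt can render an .etl as CSV. Note the caveat that matters for the question: the documented ALPC event classes carry identifiers (message ID, port name, process and thread) rather than the message body, so this tells you who talks to the port and how often, not what they say.

```powershell
# Added example: capture and filter ALPC kernel ETW events with logman/tracerpt.
# Not code from the original answer. Requires an elevated (Administrator) prompt.
# Assumptions: file locations, capture length, and the port-name substring below.
$etlPath    = Join-Path $env:TEMP 'alpc.etl'
$csvPath    = Join-Path $env:TEMP 'alpc.csv'
$portFilter = '\RPC Control\'      # assumed: substring of the ALPC port name you care about

# 1. Start the kernel logger with only the ALPC class enabled (keyword 'alpc').
#    '(alpc)' is quoted so PowerShell does not treat it as a subexpression.
logman.exe start 'NT Kernel Logger' -p 'Windows Kernel Trace' '(alpc)' -o $etlPath -ets
if ($LASTEXITCODE -ne 0) { throw "logman could not start the NT Kernel Logger (exit $LASTEXITCODE)" }

try {
    # 2. Exercise the client that talks to the port while the logger runs.
    #    Replace the sleep with a launch of the program under study if you have one.
    Start-Sleep -Seconds 10
}
finally {
    # 3. Always stop the session, otherwise the kernel logger keeps running.
    logman.exe stop 'NT Kernel Logger' -ets | Out-Null
}

# 4. Decode the binary trace with the kernel's own MOF schema into CSV (-y overwrites).
tracerpt.exe $etlPath -o $csvPath -of CSV -y | Out-Null
if (-not (Test-Path $csvPath)) { throw "tracerpt produced no output at $csvPath" }

# 5. Keep only ALPC events; the 'Type' column is the operation (SendMessage,
#    ReceiveMessage, WaitForReply, WaitForNewMessage, Unwait) and 'User Data'
#    holds the decoded fields such as the message ID or port name.
$alpcEvents = Import-Csv $csvPath | Where-Object { $_.'Event Name' -like 'ALPC*' }

# 6. Narrow to events whose decoded fields mention the port of interest.
$hits = $alpcEvents | Where-Object { $_.'User Data' -match [regex]::Escape($portFilter) }

"ALPC events captured: $($alpcEvents.Count); mentioning '$portFilter': $($hits.Count)"
$hits | Format-Table 'Clock-Time', 'PID', 'TID', 'Type', 'User Data' -AutoSize -Wrap
```

Only the WaitForNewMessage-style events name the port, so to follow the actual send/receive traffic, read the port name from those events first, then pivot on the PID and TID that appear in the neighbouring SendMessage and ReceiveMessage rows. If you have the Windows Performance Toolkit installed, `xperf -on ALPC` followed by `xperf -d trace.etl` records the same kernel class and can replace steps 1 and 3.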
Licensed under: CC-BY-SA with attribution