Sysinternals tool-pipelist Analysis

During this time, the pipelist tool in sysinternalssuite was used to view what namedpipe was used. After using the pipelist tool, I wanted to know how it worked, so I did a disassembly, but I did not expect it to be unexpectedly simple.

The following is the pseudo code decompiled up.

int __cdecl main(int argc, const char **argv, const char **envp){  int result; // eax@2  HMODULE v4; // eax@3  HMODULE v5; // eax@6  HANDLE hHandle; // ebp@9  DWORD v7; // eax@10  FILE_DIRECTORY_INFORMATION *FileInformation; // edi@11  int v9; // eax@12  FILE_DIRECTORY_INFORMATION *i; // esi@13  int v11; // [sp+34h] [bp-94Ch]@12  int IoStatusBlock; // [sp+38h] [bp-948h]@12  char v13; // [sp+40h] [bp-940h]@14  char v14; // [sp+E0h] [bp-8A0h]@14  __int16 v15[1024]; // [sp+180h] [bp-800h]@14  LOBYTE(v11) = 1;  printf("\nPipeList v1.01\n");  printf("by Mark Russinovich\n");  printf("http://www.sysinternals.com\n\n");  if ( EulaAccept((LPARAM)"PipeList") )  {    v4 = GetModuleHandleA("ntdll.dll");    pfnNtQueryDirectoryFile = (int (__stdcall *)(_DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD))GetProcAddress(v4, "NtQueryDirectoryFile");    if ( !pfnNtQueryDirectoryFile )    {      printf("\nCould not find NtQueryDirectoryFile entry point in NTDLL.DLL\n");      exit(1);    }    v5 = GetModuleHandleA("ntdll.dll");    pfnRtlNtStatusToDosError = (int)GetProcAddress(v5, "RtlNtStatusToDosError");    if ( !pfnRtlNtStatusToDosError )    {      printf("\nCould not find RtlNtStatusToDosError entry point in NTDLL.DLL\n");      exit(1);    }    hHandle = CreateFileA("\\\\.\\Pipe\\", 0x80000000u, 7u, 0, 3u, 0, 0);    if ( hHandle == (HANDLE)-1 )    {      v7 = GetLastError();      sub_401050((int)"Pipe error", v7);      result = 0;    }    else    {      printf("%-40s%14s%20s\n", "Pipe Name", "Instances", "Max Instances");      printf("%-40s%14s%20s\n", "---------", "---------", "-------------");      FileInformation = (FILE_DIRECTORY_INFORMATION *)malloc(0x1000u);      while ( 1 )      {        v9 = pfnNtQueryDirectoryFile(hHandle, 0, 0, 0, &IoStatusBlock, FileInformation, 4096, 1, 0, 0, v11);        if ( v9 < 0 )          break;        for ( i = FileInformation; ; i = (FILE_DIRECTORY_INFORMATION *)((char *)i + i->NextEntryOffset) )        {          swprintf((wchar_t *)&v14, (size_t)L"%d   ", (const wchar_t *)i->EndOfFile.LowPart);          swprintf((wchar_t *)&v13, (size_t)L"%d      ", (const wchar_t *)i->AllocationSize.LowPart);          wcsncpy((wchar_t *)v15, i->FileName, i->FileNameLength >> 1);          v15[i->FileNameLength >> 1] = 0;          wprintf(L"%-40s%14s%20s\n", v15, &v14, &v13);          if ( !i->NextEntryOffset )            break;        }        LOBYTE(v11) = 0;      }      if ( v9 != -2147483642 )        sub_401000((int)"Error querying pipe directory:", v9);      free(FileInformation);      CloseHandle(hHandle);      result = 0;    }  }  else  {    result = 1;  }  return result;}

Named Pipes is a simple mechanism for inter-process communication (IPC. Supports reliable, one-way or two-way data communication between different processes of the same computer or between different processes of different computers across a network. Named Pipe is a mechanism designed around the Windows File System. It uses the named pipe File System (npfs) interface, client and server applications can use standard Win32 File System related API functions.

Naming pipeline IDs are named in UNC format:

\ Server \ PIPE \ [path] Name

 

From the decompiling code above, we can see that ntquerydirectoryfile is used to query file information under \. \ PIPE. View the declaration of ntquerydirectoryfile (which can be found in window nt 2000 native API, called zwquerydirectoryfile)

ZwQueryDirectoryFile retrieves information about the contents of a directory.NTSYSAPINTSTATUSNTAPIZwQueryDirectoryFile(IN HANDLE FileHandle,IN HANDLE Event OPTIONAL,IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,IN PVOID ApcContext OPTIONAL,OUT PIO_STATUS_BLOCK IoStatusBlock,OUT PVOID FileInformation,IN ULONG FileInformationLength,IN FILE_INFORMATION_CLASS FileInformationClass,IN BOOLEAN ReturnSingleEntry,IN PUNICODE_STRING FileName OPTIONAL,IN BOOLEAN RestartScan);

 

The key to this function is:

1. createfilea ("\\\\\\\ pipe \\", generic_read, file_pai_read | file_pai_write | file_pai_delete, 0, open_existing, 0, 0 );

2. ntquerydirectoryfile (hhandle, 0, 0, 0, & iostatusblock, fileinformation, 4096, filedirectoryinformation/* = 1 */, 0, 0, V11 );

Of course, in addition to enumerating the named pipes of the local computer, you can also enumerate other machines, as long as the corresponding server name is added to the path, for example, \ m y s e r v e r \ PIPE \. In this way, the named pipes of the server \ m y s e r v e r can be cited. Of course, you must have the permission.