Sysinternals Tool Analysis: PipeList

Source: Internet
Author: User

Recently I used the pipelist tool from the Sysinternals Suite to see which named pipes were in use. After using it, I wanted to know how it worked, so I disassembled it; it turned out to be unexpectedly simple.

The following is the decompiled pseudocode.

int __cdecl main(int argc, const char **argv, const char **envp)
{
  int result; // eax@2
  HMODULE v4; // eax@3
  HMODULE v5; // eax@6
  HANDLE hHandle; // ebp@9
  DWORD v7; // eax@10
  FILE_DIRECTORY_INFORMATION *FileInformation; // edi@11
  int v9; // eax@12
  FILE_DIRECTORY_INFORMATION *i; // esi@13
  int v11; // [sp+34h] [bp-94Ch]@12  (RestartScan flag for NtQueryDirectoryFile)
  int IoStatusBlock; // [sp+38h] [bp-948h]@12
  char v13; // [sp+40h] [bp-940h]@14
  char v14; // [sp+E0h] [bp-8A0h]@14
  __int16 v15[1024]; // [sp+180h] [bp-800h]@14

  LOBYTE(v11) = 1;
  printf("\nPipeList v1.01\n");
  printf("by Mark Russinovich\n");
  printf("http://www.sysinternals.com\n\n");
  if ( EulaAccept((LPARAM)"PipeList") )
  {
    // Both native functions are resolved from ntdll.dll at run time
    v4 = GetModuleHandleA("ntdll.dll");
    pfnNtQueryDirectoryFile = (int (__stdcall *)(_DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD))GetProcAddress(v4, "NtQueryDirectoryFile");
    if ( !pfnNtQueryDirectoryFile )
    {
      printf("\nCould not find NtQueryDirectoryFile entry point in NTDLL.DLL\n");
      exit(1);
    }
    v5 = GetModuleHandleA("ntdll.dll");
    pfnRtlNtStatusToDosError = (int)GetProcAddress(v5, "RtlNtStatusToDosError");
    if ( !pfnRtlNtStatusToDosError )
    {
      printf("\nCould not find RtlNtStatusToDosError entry point in NTDLL.DLL\n");
      exit(1);
    }
    // 0x80000000 = GENERIC_READ, 7 = FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, 3 = OPEN_EXISTING
    hHandle = CreateFileA("\\\\.\\Pipe\\", 0x80000000u, 7u, 0, 3u, 0, 0);
    if ( hHandle == (HANDLE)-1 )
    {
      v7 = GetLastError();
      sub_401050((int)"Pipe error", v7);
      result = 0;
    }
    else
    {
      printf("%-40s%14s%20s\n", "Pipe Name", "Instances", "Max Instances");
      printf("%-40s%14s%20s\n", "---------", "---------", "-------------");
      FileInformation = (FILE_DIRECTORY_INFORMATION *)malloc(0x1000u);
      while ( 1 )
      {
        // FileInformationClass 1 = FileDirectoryInformation; v11 = RestartScan
        v9 = pfnNtQueryDirectoryFile(hHandle, 0, 0, 0, &IoStatusBlock, FileInformation, 4096, 1, 0, 0, v11);
        if ( v9 < 0 )
          break;
        // Entries are chained by NextEntryOffset; the last one has NextEntryOffset == 0
        for ( i = FileInformation; ; i = (FILE_DIRECTORY_INFORMATION *)((char *)i + i->NextEntryOffset) )
        {
          // For NPFS, EndOfFile holds the current instance count and AllocationSize the maximum
          swprintf((wchar_t *)&v14, (size_t)L"%d   ", (const wchar_t *)i->EndOfFile.LowPart);
          swprintf((wchar_t *)&v13, (size_t)L"%d      ", (const wchar_t *)i->AllocationSize.LowPart);
          // FileNameLength is in bytes, so >> 1 gives the number of WCHARs
          wcsncpy((wchar_t *)v15, i->FileName, i->FileNameLength >> 1);
          v15[i->FileNameLength >> 1] = 0;
          wprintf(L"%-40s%14s%20s\n", v15, &v14, &v13);
          if ( !i->NextEntryOffset )
            break;
        }
        LOBYTE(v11) = 0;
      }
      // -2147483642 = 0x80000006 = STATUS_NO_MORE_FILES, the normal end of the scan
      if ( v9 != -2147483642 )
        sub_401000((int)"Error querying pipe directory:", v9);
      free(FileInformation);
      CloseHandle(hHandle);
      result = 0;
    }
  }
  else
  {
    result = 1;
  }
  return result;
}

Named pipes are a simple inter-process communication (IPC) mechanism. They support reliable one-way or two-way data communication between processes on the same computer or between processes on different computers across a network. A named pipe is a mechanism designed around the Windows file system: it is exposed through the Named Pipe File System (NPFS) interface, so client and server applications can use the standard Win32 file system API functions.

Named pipe names use the UNC format:

\\Server\PIPE\[path]Name

From the decompiled code above we can see that NtQueryDirectoryFile is used to query file information under \\.\PIPE\. Here is the declaration of NtQueryDirectoryFile (found in the Windows NT/2000 Native API reference, where it is called ZwQueryDirectoryFile):

ZwQueryDirectoryFile retrieves information about the contents of a directory.

NTSYSAPI
NTSTATUS
NTAPI
ZwQueryDirectoryFile(
    IN HANDLE FileHandle,
    IN HANDLE Event OPTIONAL,
    IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
    IN PVOID ApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    OUT PVOID FileInformation,
    IN ULONG FileInformationLength,
    IN FILE_INFORMATION_CLASS FileInformationClass,
    IN BOOLEAN ReturnSingleEntry,
    IN PUNICODE_STRING FileName OPTIONAL,
    IN BOOLEAN RestartScan
    );

The key calls in this function are:

1. CreateFileA("\\\\.\\Pipe\\", GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, 0, OPEN_EXISTING, 0, 0);

2. NtQueryDirectoryFile(hHandle, 0, 0, 0, &IoStatusBlock, FileInformation, 4096, FileDirectoryInformation /* = 1 */, 0, 0, v11 /* RestartScan */);
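The entry walk from the decompiled loop and the two key calls above, as an added example that is not pipelist's own code: the FILE_DIRECTORY_INFORMATION header is declared locally (DIR_HDR), every offset is checked against the buffer length before it is dereferenced, and build_entry constructs sample entries in the same layout so the walker can run offline without calling NtQueryDirectoryFile. DIR_HDR, PipeRec, walk_pipe_entries and build_entry are names chosen here.

```c
#include <stdint.h>
#include <string.h>

/* FILE_DIRECTORY_INFORMATION (ntifs.h) minus its trailing name, declared locally so this
 * builds without the DDK. For \\.\Pipe\ NPFS reports the current instance count in
 * EndOfFile and the maximum instance count in AllocationSize. */
typedef struct {
    uint32_t NextEntryOffset, FileIndex;
    int64_t  CreationTime, LastAccessTime, LastWriteTime, ChangeTime, EndOfFile, AllocationSize;
    uint32_t FileAttributes, FileNameLength;  /* FileNameLength is in BYTES, not WCHARs */
} DIR_HDR;                                    /* the UTF-16 name (no NUL) follows at +64 */
typedef struct { char name[256]; uint32_t instances, max_instances; } PipeRec;

/* Walk one NtQueryDirectoryFile result buffer (8-byte aligned, as the kernel fills it).
 * Every offset is checked against len before use; the decompiled loop trusts them. */
size_t walk_pipe_entries(const uint8_t *buf, size_t len, PipeRec *out, size_t cap) {
    size_t n = 0, off = 0;
    while (n < cap && off + sizeof(DIR_HDR) <= len) {
        const DIR_HDR *e = (const DIR_HDR *)(buf + off);
        const uint16_t *nm = (const uint16_t *)(buf + off + sizeof(DIR_HDR));
        size_t chars = e->FileNameLength / 2, i;
        if (off + sizeof(DIR_HDR) + e->FileNameLength > len) break;   /* name past end */
        if (chars >= sizeof out->name) chars = sizeof out->name - 1;  /* unlike v15[1024] */
        for (i = 0; i < chars; i++) out[n].name[i] = nm[i] < 0x80 ? (char)nm[i] : '?';
        out[n].name[chars] = '\0';
        out[n].instances = (uint32_t)e->EndOfFile;
        out[n].max_instances = (uint32_t)e->AllocationSize;  /* pipelist prints this with %d */
        n++;
        /* NextEntryOffset == 0 marks the last entry; reject a step that is unaligned or leaves the buffer */
        if (e->NextEntryOffset == 0 || e->NextEntryOffset % 8 || e->NextEntryOffset > len - off) break;
        off += e->NextEntryOffset;
    }
    return n;
}

/* Construct one entry in the same layout (sample data for offline use, not kernel output).
 * Returns the 8-byte-rounded size so entries can be chained; last == 1 ends the chain. */
size_t build_entry(uint8_t *dst, const char *name, uint32_t inst, uint32_t max, int last) {
    DIR_HDR *e = (DIR_HDR *)dst;
    uint16_t *nm = (uint16_t *)(dst + sizeof(DIR_HDR));
    size_t i, len = strlen(name), total = (sizeof(DIR_HDR) + 2 * len + 7) & ~(size_t)7;
    memset(dst, 0, total);
    for (i = 0; i < len; i++) nm[i] = (uint8_t)name[i];   /* ASCII -> UTF-16LE */
    e->FileNameLength = (uint32_t)(2 * len);
    e->EndOfFile = inst; e->AllocationSize = max;
    e->NextEntryOffset = last ? 0 : (uint32_t)total;
    return total;
}
```

On Windows, pass walk_pipe_entries the buffer filled by the NtQueryDirectoryFile call above (FileDirectoryInformation, RestartScan set only on the first call) and repeat until the call returns STATUS_NO_MORE_FILES (0x80000006, the -2147483642 compared in the decompiled code).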

Of course, besides enumerating the named pipes of the local computer, you can also enumerate those of other machines, as long as the corresponding server name is added to the path, for example \\myserver\PIPE\. In this way the named pipes of the server \\myserver can be listed. Of course, you must have the required permission.
