这段时间用到了SysinternalsSuite中的pipelist工具来查看使用的NamedPipe是什么,用过之后就想自己了解下它是怎样工作,于是就反汇编一下,没想到却意外的简单。
下面是反汇编出的伪代码
int __cdecl main(int argc, const char **argv, const char **envp) { int result; // eax@2 HMODULE v4; // eax@3 HMODULE v5; // eax@6 HANDLE hHandle; // ebp@9 DWORD v7; // eax@10 FILE_DIRECTORY_INFORMATION *FileInformation; // edi@11 int v9; // eax@12 FILE_DIRECTORY_INFORMATION *i; // esi@13 int v11; // [sp+34h] [bp-94Ch]@12 int IoStatusBlock; // [sp+38h] [bp-948h]@12 char v13; // [sp+40h] [bp-940h]@14 char v14; // [sp+E0h] [bp-8A0h]@14 __int16 v15[1024]; // [sp+180h] [bp-800h]@14 LOBYTE(v11) = 1; printf("\nPipeList v1.01\n"); printf("by Mark Russinovich\n"); printf("http://www.sysinternals.com\n\n"); if ( EulaAccept((LPARAM)"PipeList") ) { v4 = GetModuleHandleA("ntdll.dll"); pfnNtQueryDirectoryFile = (int (__stdcall *)(_DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD))GetProcAddress(v4, "NtQueryDirectoryFile"); if ( !pfnNtQueryDirectoryFile ) { printf("\nCould not find NtQueryDirectoryFile entry point in NTDLL.DLL\n"); exit(1); } v5 = GetModuleHandleA("ntdll.dll"); pfnRtlNtStatusToDosError = (int)GetProcAddress(v5, "RtlNtStatusToDosError"); if ( !pfnRtlNtStatusToDosError ) { printf("\nCould not find RtlNtStatusToDosError entry point in NTDLL.DLL\n"); exit(1); } hHandle = CreateFileA("\\\\.\\Pipe\\", 0x80000000u, 7u, 0, 3u, 0, 0); if ( hHandle == (HANDLE)-1 ) { v7 = GetLastError(); sub_401050((int)"Pipe error", v7); result = 0; } else { printf("%-40s%14s%20s\n", "Pipe Name", "Instances", "Max Instances"); printf("%-40s%14s%20s\n", "---------", "---------", "-------------"); FileInformation = (FILE_DIRECTORY_INFORMATION *)malloc(0x1000u); while ( 1 ) { v9 = pfnNtQueryDirectoryFile(hHandle, 0, 0, 0, &IoStatusBlock, FileInformation, 4096, 1, 0, 0, v11); if ( v9 < 0 ) break; for ( i = FileInformation; ; i = (FILE_DIRECTORY_INFORMATION *)((char *)i + i->NextEntryOffset) ) { swprintf((wchar_t *)&v14, (size_t)L"%d ", (const wchar_t *)i->EndOfFile.LowPart); swprintf((wchar_t *)&v13, (size_t)L"%d ", (const wchar_t *)i->AllocationSize.LowPart); wcsncpy((wchar_t *)v15, i->FileName, i->FileNameLength >> 1); v15[i->FileNameLength >> 1] = 0; wprintf(L"%-40s%14s%20s\n", v15, &v14, &v13); if ( !i->NextEntryOffset ) break; } LOBYTE(v11) = 0; } if ( v9 != -2147483642 ) sub_401000((int)"Error querying pipe directory:", v9); free(FileInformation); CloseHandle(hHandle); result = 0; } } else { result = 1; } return result; }
Named Pipes是一种简单的进程间通信(IPC)机制。可在同一台计算机的不同进程之间,或在跨越一个网络的不同计算机的不同进程之间,支持可靠的、单向或双向的数据通信。命名管道是围绕Windows文件系统设计的一种机制,采用“命名管道文件系统”(Named Pipe File System,NPFS)接口,客户机和服务器应用可利用标准的Win32文件系统相关API函数。
命名管道的标识采用UNC格式的进行命名的:
从上面反汇编出代码可以看出,它是使用NtQueryDirectoryFile来查询\\.\pipe\下的File Information。查看NtQueryDirectoryFile的声明(在Window NT 2000 Native API这文档中可以找到,叫做ZwQueryDirectoryFile)
ZwQueryDirectoryFile retrieves information about the contents of a directory. NTSYSAPI NTSTATUS NTAPI ZwQueryDirectoryFile( IN HANDLE FileHandle, IN HANDLE Event OPTIONAL, IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, IN PVOID ApcContext OPTIONAL, OUT PIO_STATUS_BLOCK IoStatusBlock, OUT PVOID FileInformation, IN ULONG FileInformationLength, IN FILE_INFORMATION_CLASS FileInformationClass, IN BOOLEAN ReturnSingleEntry, IN PUNICODE_STRING FileName OPTIONAL, IN BOOLEAN RestartScan );
这个功能的关键在于:
1、CreateFileA("\\\\.\\Pipe\\", GENERIC_READ, FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE, 0, OPEN_EXISTING, 0, 0);
2、NtQueryDirectoryFile(hHandle, 0, 0, 0, &IoStatusBlock, FileInformation, 4096, FileDirectoryInformation /*=1*/, 0, 0, v11);
当然除了枚举本地计算机的Named Pipes,也可以枚举其他机器的,只要把对应的服务器名加到路径中,如\ \ m y s e r v e r \ pipe \ ,这样可枚举出服务器\ \ m y s e r v e r 的Named Pipes,当然要有权限才行。