Merge pull request #118 from GhostPack/namedpipe_changes
Namedpipe session ID
HarmJ0y authored Jan 5, 2024
2 parents af5af1d + 29965eb commit 5c7c42b
Showing 3 changed files with 81 additions and 74 deletions.
147 changes: 76 additions & 71 deletions Seatbelt/Commands/Windows/NamedPipesCommand.cs
@@ -5,7 +5,8 @@
using System.Security.AccessControl;
using static Seatbelt.Interop.Kernel32;
using System.IO;

using Seatbelt.Interop;
using System;

namespace Seatbelt.Commands.Windows
{
@@ -40,101 +41,99 @@ public NamedPipesCommand(Runtime runtime) : base(runtime)

foreach (var namedPipe in namedPipes)
{
FileSecurity security;
var sddl = "";
int iProcessId = 0;
string svProcessName = "";
string svProcessPath = "";
System.IntPtr hPipe = System.IntPtr.Zero;
bool bvRet = false;
string? svProcessPath = null;
int? svProcessId = null;
string? svProcessName = null;
int? svSessionId = null;
IntPtr hPipe = IntPtr.Zero;

// Try to identify ProcessID and ProcessName
try
{
//Get a handle to the pipe
hPipe = CreateFile(
System.String.Format("\\\\.\\pipe\\{0}", namedPipe), // The name of the file or device to be created or opened.
FileAccess.Read, // The requested access to the file or device.
FileShare.None, // The requested sharing mode of the file or device.
System.IntPtr.Zero, // Optional. A pointer to a SECURITY_ATTRIBUTES structure.
FileMode.Open, // An action to take on a file or device that exists or does not exist.
FileAttributes.Normal, // The file or device attributes and flags.
System.IntPtr.Zero); // Optional. A valid handle to a template file with the GENERIC_READ access right.

$"\\\\.\\pipe\\{namedPipe}",
FileAccess.Read,
FileShare.None,
IntPtr.Zero,
FileMode.Open,
FileAttributes.Normal,
IntPtr.Zero);

if (hPipe.ToInt64() != -1) //verify CreateFile did not return "INVALID_HANDLE_VALUE"
{

//Retrieve the ProcessID registered for the pipe.
bvRet = GetNamedPipeServerProcessId(
hPipe, // A handle to an instance of a named pipe.
out iProcessId); // The process identifier.
if (hPipe.ToInt64() != Win32Error.InvalidHandle)
{
bool bvRet = GetNamedPipeServerProcessId(
hPipe,
out int pipeServerPid);

//If GetNamedPipeServerProcessId was successful, get the process name for the returned ProcessID
if (bvRet)
{
var svProcess = System.Diagnostics.Process.GetProcessById(iProcessId);
var svProcess = System.Diagnostics.Process.GetProcessById(pipeServerPid);

svProcessId = pipeServerPid;
svProcessName = svProcess.ProcessName;
svProcessPath = svProcess.MainModule.FileName;
}
else

bvRet = GetNamedPipeServerSessionId(
hPipe,
out int pipeServerSessionId);

if (bvRet)
{
//GetNamedPipeServerProcessId was unsuccessful
svProcessName = "Unk";
svSessionId = pipeServerSessionId;
}

//Close the pipe handle
CloseHandle(hPipe);
}
else
{
//CreateFile returned "INVALID_HANDLE_VALUE" or 0xffffffff.
svProcessName = "Unk";
}
}
catch
{
//Catch the exception. ProcessName is set to Unk.
svProcessName = "Unk";
}

try
{
security = File.GetAccessControl(System.String.Format("\\\\.\\pipe\\{0}", namedPipe));
sddl = security.GetSecurityDescriptorSddlForm(AccessControlSections.All);
}
catch
finally
{
sddl = "ERROR";
if (hPipe != IntPtr.Zero && hPipe.ToInt64() != Win32Error.InvalidHandle)
{
CloseHandle(hPipe);
}
}

string? sddl = GetSddl("\\\\.\\pipe\\{0}");


yield return new NamedPipesDTO()
{
Name = namedPipe,
Sddl = sddl,
//SecurityDescriptor = null

ServerProcessName = svProcessName,
ServerProcessPID = iProcessId,
ServerProcessPath = svProcessPath
ServerProcessPID = svProcessId,
ServerProcessPath = svProcessPath,
ServerSessionId = svSessionId,
};
}
}

private string? GetSddl(string namedPipe)
{
try
{
var security = File.GetAccessControl($"\\\\.\\pipe\\{namedPipe}");
var sddl = security.GetSecurityDescriptorSddlForm(AccessControlSections.All);
return sddl;
}
catch
{
return null;
}
}
}

internal class NamedPipesDTO : CommandDTOBase
{
public string Name { get; set; }

public string Sddl { get; set; }

public string ServerProcessName { get; set; }

public int ServerProcessPID { get; set; }

public string ServerProcessPath { get; set; }

// public RawSecurityDescriptor SecurityDescriptor { get; set; }
public string? Sddl { get; set; }
public string? ServerProcessName { get; set; }
public int? ServerProcessPID { get; set; }
public string? ServerProcessPath { get; set; }
public int? ServerSessionId { get; internal set; }
}

[CommandOutputType(typeof(NamedPipesDTO))]
@@ -149,24 +148,30 @@ public override void FormatResult(CommandBase? command, CommandDTOBase result, b
var dto = (NamedPipesDTO)result;

WriteLine("\n{0}", dto.Name);
WriteLine(" Server Process Id : {0}", dto.ServerProcessPID.ToString());

if (dto.ServerProcessPID != null)
{
WriteLine($" Server Process Id : '{dto.ServerProcessPID}'");
}

if (!string.IsNullOrEmpty(dto.ServerProcessPath))
{
WriteLine(" Server Process Name : {0}", dto.ServerProcessName);
WriteLine($" Server Process Name : {dto.ServerProcessName}");
}

if (!string.IsNullOrEmpty(dto.ServerProcessPath))
{
WriteLine(" Server Process Path : {0}", dto.ServerProcessPath);
WriteLine($" Server Process Path : {dto.ServerProcessPath}");
}
if (!dto.Sddl.Equals("ERROR"))

if (!string.IsNullOrEmpty(dto.Sddl))
{
WriteLine($" Pipe SDDL : {dto.Sddl}");
}

if (dto.ServerSessionId != null)
{
//WriteLine(" Owner : {0}", dto.SecurityDescriptor.Owner);
//foreach (CommonAce rule in dto.SecurityDescriptor.DiscretionaryAcl)
//{
// WriteLine(" {0} :", rule.SecurityIdentifier);
// WriteLine(" {0} : {1}", rule.AceType, (GenericAceMask)rule.AccessMask);
//}
WriteLine(" Pipe SDDL : {0}", dto.Sddl);
WriteLine($" Server Session Id : {dto.ServerSessionId}");
}
}
}
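Review bot: The call `GetSddl("\\\\.\\pipe\\{0}")` in the enumeration loop passes the literal, never-formatted template instead of the pipe name, and `GetSddl` then prepends `\\.\pipe\` a second time, so `File.GetAccessControl` is asked about a path that is not the pipe being inspected. Because `GetSddl` swallows every exception and returns null, and `FormatResult` skips an empty SDDL, the pipe's security descriptor would silently drop out of the output for every pipe; the line should read `string? sddl = GetSddl(namedPipe);`. In the same loop, `svProcess.MainModule.FileName` can throw for a server process the caller cannot open, and since it sits in the same `try` as the later `GetNamedPipeServerSessionId` call, the session ID is then lost for exactly those pipes; wrapping the process lookup in its own `try` would keep the two results independent. The "Server Process Name" line in `FormatResult` is still guarded by `ServerProcessPath` rather than `ServerProcessName`, so the name is hidden whenever the path is unavailable. The method containing the loop begins outside the visible hunk.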
7 changes: 4 additions & 3 deletions Seatbelt/Interop/Kernel32.cs
@@ -69,9 +69,10 @@ public static extern IntPtr CreateFile(
IntPtr templateFile);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetNamedPipeServerProcessId(
IntPtr hPipe,
out int ClientProcessId);
public static extern bool GetNamedPipeServerProcessId(IntPtr hPipe, out int ProcessId);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetNamedPipeServerSessionId(IntPtr hPipe, out int ProcessId);

[Flags]
public enum ProcessAccess
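Review bot: The `out` parameter of the new `GetNamedPipeServerSessionId` import is named `ProcessId`, apparently carried over from the declaration above it, although the value written there is a session ID; `public static extern bool GetNamedPipeServerSessionId(IntPtr hPipe, out int SessionId);` would keep a caller from treating it as a PID. The native parameter is an unsigned long, so `out uint` would mirror it more exactly, though `int` is adequate for realistic session numbers. Both imports set `SetLastError = true`, yet the caller in NamedPipesCommand only tests the boolean; a short `///` summary on each stating that false means failure and that the reason is available through `Marshal.GetLastWin32Error()` would document that contract.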
1 change: 1 addition & 0 deletions Seatbelt/Interop/Win32Error.cs
@@ -4,6 +4,7 @@
// Only list error codes that are actually used in our code
internal class Win32Error
{
public const int InvalidHandle = -1;
public const int Success = 0;
public const int NERR_Success = 0;
public const int AccessDenied = 0x0000005;
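Review bot: `InvalidHandle = -1` is placed in a class whose own comment says it lists error codes, but -1 is the INVALID_HANDLE_VALUE sentinel that CreateFile returns, not a Win32 error; the similarly named error code, ERROR_INVALID_HANDLE, is 6. A later comparison of a last-error value against `Win32Error.InvalidHandle` would compile and never match. Consider keeping the sentinel beside the CreateFile import instead, for example `public static readonly IntPtr InvalidHandleValue = new IntPtr(-1);`, or at minimum add `// INVALID_HANDLE_VALUE sentinel returned by CreateFile, not ERROR_INVALID_HANDLE (6)` above the constant. The class body continues outside the visible hunk.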
