googleprojectzero / sandbox-attacksurface-analysis-tools

Set of tools to analyze Windows sandboxes for exposed attack surface.
Apache License 2.0

How to Get-NtNamedPipeFile programmatically? #64

Closed g3rzi closed 1 year ago

g3rzi commented 1 year ago

Hi,

With PowerShell we can run:

PS C:\WINDOWS\system32> Get-NtNamedPipeFile("\Device\NamedPipe\initShutdown")

Handle Name         NtTypeName Inherit ProtectFromClose
------ ----         ---------- ------- ----------------
2988   InitShutdown File       False   False

I want to do it programmatically with C#. I found how it is being called with C#:
https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/blob/c02ed8ba04324e54a0a188ab9877ee6aa372dfac/NtObjectManager/Cmdlets/Object/GetNtNamedPipeFileCmdlet.cs#L41-L63

I made the function below, but I don't know how to initialize the NtObject root:

FileShareMode ShareMode = FileShareMode.Read | FileShareMode.Write;
FileOpenOptions Options = FileOpenOptions.SynchronousIoNonAlert;
FileAccessRights Access = FileAccessRights.GenericRead | FileAccessRights.GenericWrite | FileAccessRights.Synchronize;

using (ObjectAttributes obj_attributes = new ObjectAttributes(i_NamedPipe, AttributeFlags.CaseInsensitive, root))
{
    var a = NtFile.CreateNamedPipe(obj_attributes, Access, ShareMode, Options, FileDisposition.Open, NamedPipeType.Bytestream,
                NamedPipeReadMode.ByteStream, NamedPipeCompletionMode.CompleteOperation, 0, 0, 0, NtWaitTimeout.FromMilliseconds(0));
}
g3rzi commented 1 year ago

I found the NtObject constructors: https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/blob/6f6a8510db51415e563cb605c3688d27a6f92339/NtApiDotNet/NtObject.cs#L95-L104

Now I need to find how to get SafeKernelObjectHandle handle.

g3rzi commented 1 year ago

OK, I found how to do it:

string i_NamedPipe = @"\Device\NamedPipe\initShutdown";
FileShareMode ShareMode = FileShareMode.Read | FileShareMode.Write;
FileOpenOptions Options = FileOpenOptions.SynchronousIoNonAlert;
FileAccessRights Access = FileAccessRights.GenericRead | FileAccessRights.GenericWrite | FileAccessRights.Synchronize;
// Absolute NT path, so no root object is needed (root is null).
using (ObjectAttributes obj_attributes = new ObjectAttributes(i_NamedPipe, AttributeFlags.CaseInsensitive))
{
    var a = NtFile.CreateNamedPipe(obj_attributes, Access, ShareMode, Options, FileDisposition.Open, NamedPipeType.Bytestream,
                NamedPipeReadMode.ByteStream, NamedPipeCompletionMode.CompleteOperation, 0, 0, 0, NtWaitTimeout.FromMilliseconds(0));
}

I need to use the name: \Device\NamedPipe\initShutdown.
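The approach worked out in this thread, written up as a complete added example (not code from the issue or from the project itself): it opens a server-side instance of an existing pipe the same way Get-NtNamedPipeFile does, disposes the handle, and reports the NTSTATUS when the call is refused. It assumes NtApiDotNet is referenced and that the two-argument ObjectAttributes constructor (name plus flags, root left null) is available; NamedPipeProbe and OpenNamedPipeInstance are names chosen here.

```csharp
// Added example, not part of the issue or the NtApiDotNet project.
// Assumes a reference to NtApiDotNet.dll.
using System;
using NtApiDotNet;

static class NamedPipeProbe
{
    // Open a server-side instance of an existing named pipe, mirroring
    // the Get-NtNamedPipeFile cmdlet. Caller disposes the returned NtFile.
    // Throws NtException (e.g. STATUS_ACCESS_DENIED) if the pipe's
    // security descriptor or instance limit refuses the caller.
    public static NtFile OpenNamedPipeInstance(string pipePath)
    {
        // pipePath is an absolute NT path (\Device\NamedPipe\...), so no
        // root object is required; this is the "root == null" case.
        using (var objAttr = new ObjectAttributes(pipePath, AttributeFlags.CaseInsensitive))
        {
            return NtFile.CreateNamedPipe(objAttr,
                FileAccessRights.GenericRead | FileAccessRights.GenericWrite | FileAccessRights.Synchronize,
                FileShareMode.Read | FileShareMode.Write,
                FileOpenOptions.SynchronousIoNonAlert,
                FileDisposition.Open,                 // attach to an existing pipe name
                NamedPipeType.Bytestream,
                NamedPipeReadMode.ByteStream,
                NamedPipeCompletionMode.CompleteOperation,
                0, 0, 0,                              // max instances, in/out quotas
                NtWaitTimeout.FromMilliseconds(0));
        }
    }

    static void Main(string[] args)
    {
        // Constructed default: the pipe used in the issue.
        string path = args.Length > 0 ? args[0] : @"\Device\NamedPipe\initShutdown";
        try
        {
            using (NtFile pipe = OpenNamedPipeInstance(path))
            {
                Console.WriteLine($"Opened {pipe.FullPath} (handle 0x{pipe.Handle.DangerousGetHandle().ToInt64():X})");
            }
        }
        catch (NtException ex)
        {
            // A refusal here is the useful result for attack-surface review:
            // the current token cannot create a server end of this pipe.
            Console.WriteLine($"Could not open {path}: {ex.Status}");
        }
    }
}
```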