synacktiv/thats_no_pipe

Thats no pipe

Frida-based project to intercept Windows named pipe communication

Objectives

This project aims to intercept IPC communications by hooking specific WinAPI functions and forwarding the intercepted data to an HTTP proxy over a websocket.

Architecture

Reads from and writes to a named pipe can happen through several different WinAPI functions. In this section, WriteFile stands for any write to a named pipe and ReadFile for any read from a named pipe.

When intercepted, data to be written follows this path:

WriteFile --> frida hook --> python process --> websocket client --> HTTP Proxy --> websocket server --> python process --> frida hook --> WriteFile

In the other direction, data to be read by the process follows this path:

ReadFile --> frida hook --> python process --> websocket server --> HTTP Proxy --> websocket client --> python process --> frida hook --> ReadFile

The HTTP proxy receives a message "to the server" when the action is a write to a named pipe, and a message "to the client" when the action is a read from a named pipe.

Setup

Using Burp as an HTTP Proxy

Add a proxy listener on port 8090, listening on all interfaces.

Build the project

Build the frida agent script with make build; the agent will be in agent/dist/.

Windows setup

  1. Copy backend/*.py and backend/requirements.txt (backend) and agent/dist/agent.js (agent) to the Windows host
  2. py -m pip install -r requirements.txt
  3. py .\main.py <pid_of_target> .\agent.js --ws-port 9090 --ws-host <ip_of_windows> --http-proxy-port 8090 --http-proxy-host <ip_of_burp> --handle-regexes '.*' --log-level INFO

Disclaimer

Data sent to the HTTP proxy follows a specific format defined in docs/format.md; tools to manipulate this custom format are provided in tools/. Modifying the metadata can leave the project unable to recognize the message and route it back to the correct named pipe.

The frida script waits indefinitely for a response, so the process can hang indefinitely if you decide to drop the message.

Injecting new messages is currently not supported by the project.
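The following is an added example, not code from this repository, that models the relay behaviour described in the Architecture and Disclaimer sections: a hook hands an intercepted buffer to a python process, the message goes through the proxy, and the (possibly edited) reply is routed back to the hook that is blocking on it. The message schema, the Relay class, the hook_write function and the three sample proxy behaviours are all constructed for this example; the real wire format lives in docs/format.md and is not reproduced. The example bounds the wait with a timeout only so that a dropped message can be observed; the real script waits forever.

```python
import queue
import re
import threading
from dataclasses import dataclass, replace


@dataclass
class Message:
    """Constructed message schema for this example (the project's own
    format is defined in docs/format.md and is not reproduced here)."""
    msg_id: int        # routing key: ties a proxy reply to the waiting hook
    pipe_name: str     # e.g. \\.\pipe\demo_svc
    handle: int        # the HANDLE value the hook saw
    direction: str     # "write" (to server) or "read" (to client)
    data: bytes        # the intercepted buffer


class Relay:
    """Models the python process sitting between the frida hook and the proxy."""

    def __init__(self, handle_regexes, timeout=0.2):
        # Equivalent of --handle-regexes: only pipes whose name matches are intercepted.
        self._patterns = [re.compile(r) for r in handle_regexes]
        self._timeout = timeout          # the real hook waits forever; we bound it
        self._pending = {}               # msg_id -> (original Message, reply queue)
        self._next_id = 0
        self._lock = threading.Lock()

    def intercepts(self, pipe_name):
        return any(p.search(pipe_name) for p in self._patterns)

    def register(self, pipe_name, handle, direction, data):
        """Hook side: record a message and the queue its hook will block on."""
        with self._lock:
            msg = Message(self._next_id, pipe_name, handle, direction, data)
            self._next_id += 1
            self._pending[msg.msg_id] = (msg, queue.Queue())
        return msg

    def deliver(self, reply):
        """Proxy side: route a (possibly edited) reply back to its hook.
        Routing depends on msg_id and handle being left untouched."""
        entry = self._pending.get(reply.msg_id)
        if entry is None or entry[0].handle != reply.handle:
            raise LookupError("metadata modified: cannot route reply to a pipe")
        entry[1].put(reply)

    def wait(self, msg):
        """Hook side: block until the reply arrives, then return its bytes."""
        _, q = self._pending[msg.msg_id]
        try:
            return q.get(timeout=self._timeout).data
        except queue.Empty:
            raise TimeoutError("proxy dropped the message; the real hook would hang")
        finally:
            self._pending.pop(msg.msg_id, None)


def hook_write(relay, pipe_name, handle, data, proxy):
    """Models the WriteFile hook: forward the buffer through the proxy and block
    until the (possibly edited) bytes come back; those are what gets written."""
    if not relay.intercepts(pipe_name):
        return data                      # handle not selected: pass through untouched
    msg = relay.register(pipe_name, handle, "write", data)
    reply = proxy(msg)                   # the websocket round trip, modelled as a call
    if reply is not None:                # None models the proxy dropping the message
        relay.deliver(reply)
    return relay.wait(msg)


# Three constructed stand-ins for what an operator might do in the proxy.
def forward_uppercased(msg):
    return replace(msg, data=msg.data.upper())   # edit payload, keep metadata


def drop(msg):
    return None                                  # never forward the message


def tamper_metadata(msg):
    return replace(msg, msg_id=msg.msg_id + 1000)  # break the routing key


if __name__ == "__main__":
    relay = Relay([r"pipe\\demo"])
    print(hook_write(relay, r"\\.\pipe\demo_svc", 0x1C4, b"hello", forward_uppercased))
```

Editing only the payload comes back cleanly, a non-matching pipe name is never sent to the proxy, a dropped message surfaces as a timeout (a hang in the real tool), and altering the routing metadata leaves the relay unable to find the waiting hook.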

Development

LSP

Frida provides TypeScript bindings for developing the agent. Once the devDependencies have been installed, VSCode should recognize the types automagically.

A Makefile target, make dev-env, is provided to easily set up a development environment.

About

Windows named pipe hooking toolkit
