Handling CreatePipe function

Hi everybody,

I must hook the ‘CreatePipe’ function from a kernel mode driver (Windows 9x
and NT).
I must do this to disable this inter-process communication method.

Do you know how I can do this?

Thanks in advance.
-Abel.


You are currently subscribed to ntdev as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntdev-$subst(‘Recip.MemberIDChar’)@lists.osr.com

I do not think that there will be a documented way of doing this.
But all of the fun stuff involves hacking anyway. I once “hooked”
TerminateProcess in Win9x by getting the entry point of the function (in
Kernel32.dll), overwriting the entry point with a jmp instruction to my own
system DLL (system DLLs are loaded in kernel space), and performing my own
logic to see if I wanted to allow this call to continue. If I wanted to
fail the call I just cleaned up the stack and failed it. If I wanted to
allow it to continue I executed the instructions I overwrote with the jmp
(previously saved) and returned to the point in TerminateProcess just beyond
the jmp. This all had to be performed on the in-memory images to make it at
least partially immune to service packs. Note that this approach probably
would never work under NT.

Sean O’Connor
Spectra Logic
Boulder, CO

-----Original Message-----
From: Abel Muñoz Alcaraz [mailto:xxxxx@trymedia.com]
Sent: Friday, January 26, 2001 4:49 AM
To: NT Developers Interest List
Subject: [ntdev] Handling CreatePipe function


Thanks Sean,
I will use it.

-Abel.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Sean O’Connor
Sent: viernes, 26 de enero de 2001 17:26
To: NT Developers Interest List
Subject: [ntdev] RE: Handling CreatePipe function


On NT you can hook Native API calls by modifying the system services table.
You can find a really good example by looking at the source code of the
registry monitor downloadable from www.sysinternals.com

By replacing one or more Native API functions with your code, you can decide
to execute the code and call the real Native API or just fail. In the
registry monitor they replaced some registry related functions with their
own version.

Matteo

----- Original Message -----
From: “Abel Muñoz Alcaraz”
To: “NT Developers Interest List”
Sent: Friday, January 26, 2001 12:48 PM
Subject: [ntdev] Handling CreatePipe function


On NT/2000 you have to use a cleaner method.
You have to filter the Named Pipe File System (NPFS) driver.
But there are some minor problems which should be solved.

  1. Attaching to this driver
     - probably something like cyclic checking for the existence
       of \Device\NamedPipe and then attaching your filter device
       to it.

  2. Special file types for IoCreateFile (CreateFileType is
     CreateFileTypeNamedPipe or CreateFileTypeMailslot)
     take another argument, ExtraCreateParameters, which
     is a pointer to a structure built either by NtCreateNamedPipeFile
     or NtCreateMailslotFile. This structure is undocumented,
     so you must find it out yourself.

  3. IoCreateFile builds not IRP_MJ_CREATE but
     IRP_MJ_CREATE_NAMED_PIPE when creating or opening a
     named pipe.

Hope this helps
Paul

PS: Here is also the prototype for an important undocumented routine

NTSYSAPI
NTSTATUS
NTAPI
NtCreateNamedPipeFile (
    OUT PHANDLE FileHandle,            // receives the handle to the new pipe instance
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN ULONG ShareAccess,
    IN ULONG Disposition,
    IN ULONG CreateOptions,
    IN ULONG NamedPipeType,
    IN ULONG ReadMode,
    IN ULONG CompletionMode,
    IN ULONG MaximumInstances,
    IN ULONG InputBufferSize,
    IN ULONG OutputBufferSize,
    IN PLARGE_INTEGER DefaultTimeout OPTIONAL
    );

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Abel Muñoz Alcaraz
Sent: Friday, January 26, 2001 6:27 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Handling CreatePipe function


I was probably wrong… Pipe creation functions aren’t in the Native API system table? Can’t they be hooked there? (In fact they don’t seem to be exported by ntoskrnl.exe)

Thanks
Matteo
----- Original Message -----
From: Hrdina Pavel
To: NT Developers Interest List
Sent: Friday, January 26, 2001 7:47 PM
Subject: [ntdev] RE: Handling CreatePipe function


Now I also have the exact structure.
A pointer to it is in the IRP stack location, ->Parameters.Create.EaLength.

typedef struct _NAMED_PIPE_CREATE_PARAMETERS {
    ULONG NamedPipeType;
    ULONG ReadMode;
    ULONG CompletionMode;
    ULONG MaximumInstances;
    ULONG InboundQuota;
    ULONG OutboundQuota;
    LARGE_INTEGER DefaultTimeout;
    BOOLEAN TimeoutSpecified;
} NAMED_PIPE_CREATE_PARAMETERS, *PNAMED_PIPE_CREATE_PARAMETERS;

Paul
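As an added example (not code from the thread or from any of its posters), here is the allow/deny decision such an NPFS filter would make in its IRP_MJ_CREATE_NAMED_PIPE dispatch routine, modelled in user-mode C so it can be compiled and run anywhere. The PIPE_REQUEST stand-in, the NpfsFilterDecide function and the allow-list names are assumptions made for this example; the structure layout is the one Paul posted above, and the major function codes are the WDK values.

```c
/* Added example, not from the thread: a user-mode model of the allow/deny
 * decision an NPFS filter makes on IRP_MJ_CREATE_NAMED_PIPE (server-side pipe
 * creation, where CreatePipe/CreateNamedPipe end up) versus IRP_MJ_CREATE
 * (a client opening an existing pipe). Kernel types are minimal stand-ins. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <wchar.h>
#include <wctype.h>

typedef uint32_t ULONG;
typedef unsigned char BOOLEAN;
typedef union { int64_t QuadPart; } LARGE_INTEGER;

/* Layout of the undocumented structure, as posted by Paul */
typedef struct _NAMED_PIPE_CREATE_PARAMETERS {
    ULONG NamedPipeType, ReadMode, CompletionMode, MaximumInstances;
    ULONG InboundQuota, OutboundQuota;
    LARGE_INTEGER DefaultTimeout;
    BOOLEAN TimeoutSpecified;
} NAMED_PIPE_CREATE_PARAMETERS;

#define IRP_MJ_CREATE            0x00   /* same values as the WDK defines */
#define IRP_MJ_CREATE_NAMED_PIPE 0x01

/* Constructed stand-in for what the filter reads from the IO_STACK_LOCATION
 * and FILE_OBJECT; FileName is relative to \Device\NamedPipe. */
typedef struct {
    unsigned char MajorFunction;
    const wchar_t *FileName;
    const NAMED_PIPE_CREATE_PARAMETERS *PipeParams; /* create-pipe IRPs only */
} PIPE_REQUEST;

typedef enum { VERDICT_PASS_DOWN = 0, VERDICT_DENY = 1 } FILTER_VERDICT;

/* NPFS names are case-insensitive, so the allow-list prefix is compared that way */
static int name_has_prefix(const wchar_t *name, const wchar_t *prefix)
{
    for (; *prefix; ++name, ++prefix)
        if (*name == L'\0' || towlower((wint_t)*name) != towlower((wint_t)*prefix))
            return 0;
    return 1;
}

/* Deny creation of new pipe instances unless the name is on the allow-list;
 * pass everything else (including client opens) down to NPFS unchanged.
 * reason receives a one-line log string explaining the verdict. */
FILTER_VERDICT NpfsFilterDecide(const PIPE_REQUEST *req, const wchar_t *const *allow,
                                size_t allow_count, char *reason, size_t reason_len)
{
    if (req->MajorFunction != IRP_MJ_CREATE_NAMED_PIPE) {
        snprintf(reason, reason_len, "major 0x%02x: not a pipe creation, pass down",
                 req->MajorFunction);
        return VERDICT_PASS_DOWN;
    }
    if (req->PipeParams == NULL) {  /* malformed for this major code: fail closed */
        snprintf(reason, reason_len, "create-pipe without parameters, deny");
        return VERDICT_DENY;
    }
    for (size_t i = 0; i < allow_count; ++i) {
        if (name_has_prefix(req->FileName, allow[i])) {
            snprintf(reason, reason_len, "pipe %ls allowed (type %lu, max %lu instances)",
                     req->FileName, (unsigned long)req->PipeParams->NamedPipeType,
                     (unsigned long)req->PipeParams->MaximumInstances);
            return VERDICT_PASS_DOWN;
        }
    }
    snprintf(reason, reason_len, "pipe %ls denied", req->FileName);
    return VERDICT_DENY;
}
```

A real filter would call this from its IRP_MJ_CREATE_NAMED_PIPE dispatch routine, completing the IRP with STATUS_ACCESS_DENIED on VERDICT_DENY and otherwise passing it on with IoCallDriver to the NPFS device it attached to.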


The pointer to NtCreateNamedPipeFile physically resides in the service
table.
But there is no ZwCreateNamedPipeFile routine exported by ntoskrnl.exe,
so you can’t simply obtain the service index. The only method is to obtain
this index from ntdll.dll, but the code to do this is too complicated. You
have to open the dll, map it into the address space, call your own
LdrGetProcedureAddress routine to obtain a pointer to ZwCreateNamedPipeFile,
then obtain the index, unmap and close the dll. Too complicated and too
dirty - filtering npfs is much simpler and cleaner.

Paul

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Matteo Pelati
Sent: Friday, January 26, 2001 9:18 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Handling CreatePipe function


Really, hooking in this case is very simple, and filtering is certainly a
much more complex but cleaner method.
Try http://www.pedestalsoftware.com/download/ipd.zip as example.

Andrey.
