I would like to inspect Named Pipe communications between two different machines and I noticed that FileMon already gives me a pretty good picture of what is happening during communications.
But what I do not see is the client trying to connect to the server. In other words, I am trying to know when the client from the remote machine tries to connect to the server, and I am only looking at the server on my local machine.
I can set a breakpoint on ConnectNamedPipe() in my server program, but I would like to know how Windows directs the client connection request to the server.
I assumed that the Server FSD in the kernel connects the client to the server, but I could not quite find where and how that happens.
After some research, it seems to me that if I implement a mini-filter driver, I might be able to inspect these connection requests, but that is just my guess.
Please give me some advice and let me know if I am in the right direction or what I need to look at for the things that I want to do. Thank you.
Thank you for your reply.
I noticed that there is no system service for ConnectNamedPipe even though there is NtCreateNamedPipe/NtCreateFile.
I guess that something somewhere in the kernel does the connection job for the server.
My understanding is that Named Pipes rely on SMB for networking and SMB in turn relies on TCP/IP. Therefore, I could effectively put myself in as a TDI transport driver to inspect all the packets, but that seems to be very heavy and undesirable. So I assumed that these packets will be directed to the Server FSD, which talks to the Local FSD (NTFS, FAT).
So I am assuming that if I can somehow put myself between the Server FSD and the Local FSD, I might be able to inspect connect calls, but that is purely my guess, so if anyone could give me some feedback, I would really appreciate it. Thank you.
This issue is rather interesting.
As I told you, I don’t have any expertise in this area, but I’ve found this namespace: \FileSystem\NpFs.
You can get extra DEVICE_OBJECT or DRIVER_OBJECT info by typing !devobj or !drvobj in the debugger with the respective pointers.
It is rather sad because I found this on MS: http://msdn.microsoft.com/en-us/library/aa940098.aspx
But there is some good news too, because the dev team at ReactOS has this, which might interest you: http://www.reactos.org/generated/doxygen/db/d50/drivers_2filesystems_2np_2create_8c-source.html
As I can see from those implemented sources, they just invoke the file system to implement these. So just do the initializing in the create as you’d do it in the connect, or do it on your first read/write. And on cleanup, reverse the process.
Good luck
Named pipes between remote machines are transported through the SMB/CIFS protocol. The CIFS server runs as a user mode service, so I think you should be able to monitor calls. There is no magic in kernel mode. ConnectNamedPipe is implemented through an IOCTL. Try also FileSpy (www.zezula.net). The CIFS protocol is quite well documented on the MSDN site.
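As an added example (not code from any poster in this thread), the script below is a minimal PowerShell named-pipe server that logs each client connection as it is accepted; WaitForConnection() is the .NET wrapper around the ConnectNamedPipe() call discussed above. The pipe name is an assumption, and any remote client reaches it over SMB as \\<server>\pipe\InspectDemoPipe.

```powershell
# Assumption: any pipe name works; remote clients open \\<server>\pipe\InspectDemoPipe over SMB.
$pipeName = 'InspectDemoPipe'

# Loop so that every connection attempt is logged, not only the first one.
while ($true) {
    $server = New-Object System.IO.Pipes.NamedPipeServerStream(
        $pipeName,
        [System.IO.Pipes.PipeDirection]::InOut,
        [System.IO.Pipes.NamedPipeServerStream]::MaxAllowedServerInstances,
        [System.IO.Pipes.PipeTransmissionMode]::Message)

    # Blocks until a client connects; this is where a breakpoint on
    # ConnectNamedPipe() in a native server would fire.
    $server.WaitForConnection()
    $stamp = (Get-Date).ToString('o')
    Write-Host "$stamp client connected to \\.\pipe\$pipeName"

    # Read the client's first message before querying its identity, since
    # the client's security context is only guaranteed after it has written.
    $reader = New-Object System.IO.StreamReader($server)
    $line = $reader.ReadLine()
    Write-Host "$stamp first message: $line"

    # The pipe exposes the caller's identity, not the transport endpoint:
    # nothing here tells you which local IP address an SMB client targeted.
    $user = $server.GetImpersonationUserName()
    Write-Host "$stamp caller identity: $user"

    $server.Disconnect()
    $server.Dispose()
}
```

On Vista and later the Win32 call GetNamedPipeClientComputerName() additionally returns the remote client's computer name, but the destination IP address the client used is still not surfaced at the pipe level.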
Thank you for all the input. FileSpy is great because it shows all the transactions that are made to the named pipe instances that I wanted to see.
Yet, there is one point on which I am still not clear, and in fact I do not know if it is possible to achieve. Let me try to explain what I want to achieve in the end and ask a question accordingly.
I am using IP Helper to assign multiple IP addresses to my machine, and I am running a named pipe server on the same machine. I want to be able to filter connection requests by looking at which IP address the client uses to connect to this machine. Please note that I am not looking for the source IP address but the destination IP address.
Because this machine has multiple IP addresses, I want to process differently depending on which IP address the client uses to connect to my named pipe server.
So my question is: where/how can I obtain this information? I looked at LSPs, minifilters, CIFS and a few other things, but it is still not clear to me whether that information is available in any of the approaches that I looked at. Thank you again, and any comment will be very much appreciated.