NamedPipeMaster: A tool used to analyze and monitor in named pipes

by ddos ·

NamedPipeMaster

NamedPipeMaster is a versatile tool for analyzing and monitoring in named pipes. It includes Ring3NamedPipeConsumer for direct server interaction, Ring3NamedPipeMonitor for DLL-based API hooking and data collection, and Ring0NamedPipeFilter for comprehensive system-wide monitoring. The tool supports proactive and passive interactions, collects detailed communication data, and features a filter for specific event searches.

monitor named pipes

Feature

  • Named Pipe Interaction:
    • Proactive Interaction: Actively interact with a named pipe server.
    • Passive Connection: Be passively connected by a named pipe client.
    • Proxy Interaction: Inject a DLL into a process to serve as a proxy for interacting with a named pipe server.
  • Information Collection via DLL Injection (Ring3 Hook):
    • Monitors and collects information on named pipe communication by hooking relevant APIs.
    • Dumps the call stack in detoured functions and checks the process’s impersonation capability.
    • Specific API hooks include:
      • NtCreateNamedPipeFile: Named pipe creation.
      • NtCreateFile: Named pipe connection.
      • NtFsControlFile: Named pipe connection completion.
      • NtReadFile: Reading data from a named pipe.
      • NtWriteFile: Writing data to a named pipe.
  • System-Wide Monitoring with Minifilter Driver:
    • Captures system-wide named pipe activities by monitoring key IRPs (I/O Request Packets):
      • IRP_MJ_CREATE_NAMED_PIPE: Named pipe creation.
      • IRP_MJ_CREATE: Named pipe connection.
      • IRP_MJ_FILE_SYSTEM_CONTROL: Named pipe connection completion.
      • IRP_MJ_READ: Reading data from a named pipe.
      • IRP_MJ_WRITE: Writing data to a named pipe.

Download & Use

Tags: monitor named pipes