NamedPipeMaster: A tool used to analyze and monitor in named pipes

NamedPipeMaster

NamedPipeMaster is a versatile tool for analyzing and monitoring in named pipes. It includes Ring3NamedPipeConsumer for direct server interaction, Ring3NamedPipeMonitor for DLL-based API hooking and data collection, and Ring0NamedPipeFilter for comprehensive system-wide monitoring. The tool supports proactive and passive interactions, collects detailed communication data, and features a filter for specific event searches.

Feature

• Named Pipe Interaction:
  • Proactive Interaction: Actively interact with a named pipe server.
  • Passive Connection: Be passively connected by a named pipe client.
  • Proxy Interaction: Inject a DLL into a process to serve as a proxy for interacting with a named pipe server.
• Information Collection via DLL Injection (Ring3 Hook):
  • Monitors and collects information on named pipe communication by hooking relevant APIs.
  • Dumps the call stack in detoured functions and checks the process’s impersonation capability.
  • Specific API hooks include:
    • NtCreateNamedPipeFile: Named pipe creation.
    • NtCreateFile: Named pipe connection.
    • NtFsControlFile: Named pipe connection completion.
    • NtReadFile: Reading data from a named pipe.
    • NtWriteFile: Writing data to a named pipe.
• System-Wide Monitoring with Minifilter Driver:
  • Captures system-wide named pipe activities by monitoring key IRPs (I/O Request Packets):
    • IRP_MJ_CREATE_NAMED_PIPE: Named pipe creation.
    • IRP_MJ_CREATE: Named pipe connection.
    • IRP_MJ_FILE_SYSTEM_CONTROL: Named pipe connection completion.
    • IRP_MJ_READ: Reading data from a named pipe.
    • IRP_MJ_WRITE: Writing data to a named pipe.

Download & Use