vatyx / namedpipecapture Goto Github PK

It is unknown whether or not this will cause a problem in a running process or not, as it is difficult to determine whether or not handling from GetQueuedCompletionportStatus is handled properly in a given process. Priming GetQueuedCompletionportStatus with PostCompletionportStatus may result in unknown behaviour.

Multiple named pipe connections should be tracked as separate trackable connections within WireShark

In my case, InitializeProcess API call returns -1. Sadly I can't find more detailed information about this error.

The DLL gets attached to the target (verified with Process Explorer), the input pipe is there in the system, the output pipe does not get created - verified with PowerShell [System.IO.Directory]::GetFiles("\\.\\pipe\\")

Process ID refers to a normal user process, started by the same user trying the hook.

This is Microsoft Windows [Version 10.0.19045.3570]

C:\Programs\myhome>.\NamedPipeLauncher.exe --input \\.\pipe\Input_Pipe --output \\.\pipe\traffic --processid 14484  --load
orig fcn ptr = 00007FF6C9B01440
fcnptr = 0000000000000000
InitializeProcess returned 4294967295
Warning: Make certain the DLL is unloaded when the test is done.
If it is not unloaded, the DLL will remain within the process for the life
of the process.
Input pipe: \\.\pipe\Input_Pipe
Output pipe: \\.\pipe\traffic
Process ID: 14484
Client port: 0
Server port: 0

Add a disconnection sequence into the stream when a named pipe handle is closed.

Add a Syn,Syn+ACK, ACK sequence into the stream to track the start of a given named pipe connection.