Hooking Windows Named Pipes #2154
Open
carlospolop wants to merge 1 commit into master from
🔗 Additional Context
Original Blog Post: https://www.synacktiv.com/en/publications/hooking-windows-named-pipes.html
Content Categories: Based on the analysis, this content was categorized under "Windows Hardening -> Windows Local Privilege Escalation (or a new subsection/page) -> Named Pipes (IPC) MITM, First-Instance Race (FILE_FLAG_FIRST_PIPE_INSTANCE), and Frida-based interception/hooking of NtReadFile/NtWriteFile/IOCP/APC".
Repository Maintenance:
Review Notes:
Bot Version: HackTricks News Bot v1.0
🤖 Automated Content Update
This PR was automatically generated by the HackTricks News Bot based on a technical blog post.
📝 Source Information
🎯 Content Summary
Title / context
Synacktiv explains how Windows Named Pipes work at the Windows API + syscall level, why they frequently become a privilege-boundary attack surface (low-privileged user-session processes talking to SYSTEM services), and presents a Frida-based interception tool (`thats_no_pipe`) to sniff/modify/inject named-pipe traffic by hooking low-level I/O primitives and forwarding messages to an HTTP-proxy-like workflow over W...
🔧 Technical Details
Named-pipe MITM via instances + permissions: if a target pipe's DACL grants `FILE_GENERIC_WRITE`/`GENERIC_WRITE`, an attacker can call `CreateNamedPipe` to create an extra server instance of the same pipe name. Because clients bind to server instances in FIFO order, attacker-created instances can be interleaved with legitimate ones, enabling interception, modification, and relaying of protocol messages (MITM) when a legitimate client connects to the attacker's instance.
First-instance security-descriptor race: because `lpSecurityAttributes` are only applied when the first instance of a named pipe name is created, an attacker can pre-create the pipe name with a permissive DACL before a privileged service starts. The service's later `CreateNamedPipe` calls then inherit attacker-defined security. Mitigate by using `FILE_FLAG_FIRST_PIPE_INSTANCE` in `CreateNamedPipe` so creation fails if the name a...
🤖 Agent Actions
I’m mapping the Windows and IPC-related sections first, then I’ll read the most relevant existing pages before deciding whether this belongs in an existing privilege-escalation page or needs a new one.
The repo already has a dedicated named-pipe privesc page and an IPC abuse page. I’m reading those plus adjacent Windows LPE material now to avoid duplicating what HackTricks already covers and to match the local style.
The dedicated page already covers client impersonation and a lighter proxying workflow, but it does not document the first-instance race, instance/FIFO MITM mechanics, or the lower-level async/completion-port/APC interception pivots from the Synacktiv post. I’m pulling Microsoft docs now to anchor those additions precisely.
I've got enough context to edit now. The best fit is the existing `named-pipe-client-impersonation.md` page, extending its IPC abuse section instead of creating a second named-pipe page.
I'm replacing the current short IPC abuse subsection with a tighter, more technical version that adds the missing attack classes from the Synacktiv post while preserving the existing proxy/tooling angle already present in HackTricks.
Updated named-pipe-client-impersonation.md to add the missing technical content from the Synacktiv post in the existing Windows LPE named-pipe page.
The new material covers permissive-DACL instance MITM, the first-instance security-descriptor race and `FILE_FLAG_FIRST_PIPE_INSTANCE`, why PID/signature checks are only hardening, and Frida-style interception pivots for synchronous, overlapped, IOCP, and APC/completion-routine models. I also updated the file's single `## References` section with the Synacktiv article, `thats_no_pipe`, and relevant Microsoft docs.
Verification: reviewed the final diff and file tail; only this one existing file was changed, and the banner/footer plus end-of-file references structure remain intact.
This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
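The two attack classes summarized under "Technical Details" above (extra-instance MITM via a permissive DACL, and the first-instance security-descriptor race) both hinge on one fact: the DACL of the first instance of a pipe name becomes the pipe's DACL, and `lpSecurityAttributes` on any later instance is ignored. The script below is an added example written for this review; it is not code from the Synacktiv post, from `thats_no_pipe`, or from HackTricks. It assumes Windows PowerShell 5.1 (.NET Framework, whose `NamedPipeServerStream` constructor accepts a `PipeSecurity`; PowerShell 7 needs `NamedPipeServerStreamAcl` instead), a hypothetical service pipe name `DemoSvcPipe`, and an `Everyone:FullControl` DACL chosen to make the squat obvious. Both roles run as the same user in one process, which is enough to show the API behaviour. Two caveats worth keeping in mind when reading it: the right that lets an attacker add an instance to an existing pipe is `FILE_CREATE_PIPE_INSTANCE` (0x4, the same bit as `FILE_APPEND_DATA` and therefore included in `FILE_GENERIC_WRITE`), and a service that passes `FILE_FLAG_FIRST_PIPE_INSTANCE` gets `ERROR_ACCESS_DENIED` (5) when an instance already exists, which it must treat as "do not serve on this name" rather than retry.

```powershell
# Added example (not from the Synacktiv post, thats_no_pipe, or HackTricks):
# first-instance security-descriptor race and the FILE_FLAG_FIRST_PIPE_INSTANCE
# check, from Windows PowerShell 5.1 (.NET Framework). Pipe name and the
# Everyone:FullControl DACL are assumptions for the demo; attacker and service
# roles both run in this one process so the calls can be seen side by side.

$PipeName = 'DemoSvcPipe'   # hypothetical service pipe name

# Raw CreateNamedPipeW so the service side can pass dwOpenMode flags directly.
Add-Type -Namespace Win32 -Name Pipe -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr CreateNamedPipeW(
    string lpName, uint dwOpenMode, uint dwPipeMode, uint nMaxInstances,
    uint nOutBufferSize, uint nInBufferSize, uint nDefaultTimeOut,
    IntPtr lpSecurityAttributes);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

$PIPE_ACCESS_DUPLEX            = 0x00000003
$FILE_FLAG_FIRST_PIPE_INSTANCE = 0x00080000
$PIPE_TYPE_MESSAGE             = 0x00000004
$PIPE_READMODE_MESSAGE         = 0x00000002
$PIPE_UNLIMITED_INSTANCES      = 255   # what .NET's MaxAllowedServerInstances maps to
$ERROR_ACCESS_DENIED           = 5

function New-SquattedPipeInstance {
    # Attacker: create the *first* instance of the name with a permissive DACL.
    # That DACL becomes the pipe's DACL; instances the real service creates later
    # inherit it and their own lpSecurityAttributes is ignored. Against an existing
    # pipe whose DACL already grants FILE_CREATE_PIPE_INSTANCE, this same call is the
    # "extra server instance" step of the FIFO-interleaving MITM.
    param([string]$Name)
    $acl = [System.IO.Pipes.PipeSecurity]::new()
    $acl.AddAccessRule([System.IO.Pipes.PipeAccessRule]::new(
        'Everyone', [System.IO.Pipes.PipeAccessRights]::FullControl,
        [System.Security.AccessControl.AccessControlType]::Allow))
    # MaxAllowedServerInstances: the service must still be able to add instances,
    # otherwise its CreateNamedPipe fails with ERROR_PIPE_BUSY and the squat is noticed.
    [System.IO.Pipes.NamedPipeServerStream]::new(
        $Name, [System.IO.Pipes.PipeDirection]::InOut,
        [System.IO.Pipes.NamedPipeServerStream]::MaxAllowedServerInstances,
        [System.IO.Pipes.PipeTransmissionMode]::Message,
        [System.IO.Pipes.PipeOptions]::None, 4096, 4096, $acl)
}

function New-ServicePipeInstance {
    # Service: create its instance, optionally insisting on being the first one.
    param([string]$Name, [switch]$FirstInstanceOnly)
    $openMode = $PIPE_ACCESS_DUPLEX
    if ($FirstInstanceOnly) { $openMode = $openMode -bor $FILE_FLAG_FIRST_PIPE_INSTANCE }
    # lpSecurityAttributes = NULL (caller's default DACL); only honoured on a first instance.
    $h = [Win32.Pipe]::CreateNamedPipeW("\\.\pipe\$Name", $openMode,
        ($PIPE_TYPE_MESSAGE -bor $PIPE_READMODE_MESSAGE), $PIPE_UNLIMITED_INSTANCES,
        4096, 4096, 0, [IntPtr]::Zero)
    if ($h.ToInt64() -eq -1) {   # INVALID_HANDLE_VALUE
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        return [pscustomobject]@{ Created = $false; Win32Error = $err; Handle = $null }
    }
    [pscustomobject]@{ Created = $true; Win32Error = 0; Handle = $h }
}

# 1. Attacker wins the race: the name exists before the service starts.
$squat = New-SquattedPipeInstance -Name $PipeName

# 2. Service without the flag: creation succeeds and the new instance sits under the
#    attacker's Everyone:FullControl DACL; nothing tells the service this happened.
$weak = New-ServicePipeInstance -Name $PipeName
"Without FILE_FLAG_FIRST_PIPE_INSTANCE: Created=$($weak.Created)"
if ($weak.Created) { [void][Win32.Pipe]::CloseHandle($weak.Handle) }

# 3. Service with the flag: CreateNamedPipe fails with ERROR_ACCESS_DENIED because an
#    instance already exists, so the service can refuse to start instead of being hijacked.
$hard = New-ServicePipeInstance -Name $PipeName -FirstInstanceOnly
"With FILE_FLAG_FIRST_PIPE_INSTANCE: Created=$($hard.Created) Win32Error=$($hard.Win32Error)"
if (-not $hard.Created -and $hard.Win32Error -eq $ERROR_ACCESS_DENIED) {
    'Squatted pipe name detected; do not serve on it.'
}

$squat.Dispose()
```

Run it as any unprivileged user. Step 2 is the behaviour the PR summary describes as the race: the service's call returns a valid handle and it carries on, now reachable under a DACL it never chose. Step 3 is the mitigation; note that the flag only makes the squat visible, so the service still has to fail closed on `ERROR_ACCESS_DENIED` rather than fall back to an unflagged retry, and it does nothing for pipes whose intended DACL already grants `FILE_CREATE_PIPE_INSTANCE` to untrusted users, which is the extra-instance MITM case and is fixed by tightening the DACL itself.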