[Ntdebugging]Named Pipe 의 서버 Process 찾기

  • Article

How to Find the Owner of a Named Pipe

https://blogs.msdn.com/ntdebugging/archive/2008/03/18/how-to-find-the-owner-of-a-named-pipe.aspx

 

위의 포스트에서는 NamedPipe 의 서버 프로세스를 찾는 방법에 대해서 설명하고 있습니다.

NamedPipe 의 FileObject 의 FsContext는 CCB 를 가리키고 있고 FsContext2는 NonPaged_CCB를 가리키고 있습니다.

ReadFile 의 첫번째 파라미터인 Handle 에서 FileObject를 얻어내고 FsContext2의 값을 pool 에서 확인해 보면 어떤 프로세스인지 확인할 수 있습니다.

 

THREAD 81e70858  Cid 06bc.06c0  Teb: 7ffdf000 Win32Thread: 00000000 WAIT: (Executive) UserMode Non-Alertable

    81baaf7c  NotificationEvent

Not impersonating

DeviceMap                 e25176b8

Owning Process            81b3a020       Image:         client.exe

Attached Process          N/A            Image:         N/A

Wait Start TickCount      73194          Ticks: 1599 (0:00:00:24.984)

Context Switch Count      21            

UserTime                  00:00:00.000

KernelTime                00:00:00.000

Win32 Start Address client (0x00401376)

Start Address kernel32!BaseProcessStartThunk (0x77e617f8)

Stack Init f7450000 Current f744fc04 Base f7450000 Limit f744d000 Call 0

Priority 10 BasePriority 8 PriorityDecrement 2

ChildEBP RetAddr  Args to Child             

f744fc1c 808202b6 81e70858 81e70900 00000700 nt!KiSwapContext+0x25 (FPO: [Uses EBP] [0,0,4])

f744fc34 8081fb6e 8207dac0 00000000 81baaf20 nt!KiSwapThread+0x83 (FPO: [Non-Fpo])

f744fc78 8092deb3 81baaf7c 00000000 81f93601 nt!KeWaitForSingleObject+0x2e0 (FPO: [Non-Fpo])

f744fca0 80924ca9 81f936e0 00000103 81baaf20 nt!IopSynchronousServiceTail+0x180 (FPO: [Non-Fpo])

f744fd38 8082350b 00000024 00000000 00000000 nt!NtReadFile+0x5d5 (FPO: [Non-Fpo])

f744fd38 7c8285ec 00000024 00000000 00000000 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ f744fd64)

0012eed4 7c82776b 77e418b2 00000024 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])

0012eed8 77e418b2 00000024 00000000 00000000 ntdll!NtReadFile+0xc (FPO: [9,0,0])

0012ef40 004010ab 00000024 0012ef60 00001000 kernel32!ReadFile+0x16c (FPO: [Non-Fpo])

0012ff78 0040131f 00000001 00323038 00323078 client+0x10ab

0012ffc0 77e6f23b 00000000 00000000 7ffd8000 client+0x131f

0012fff0 00000000 00401376 00000000 78746341 kernel32!BaseProcessStart+0x23 (FPO: [Non-Fpo])

 

kd> !handle 00000024 f 81b3a020

processor number 0, process 81b3a020

PROCESS 81b3a020  SessionId: 0  Cid: 06bc    Peb: 7ffd8000  ParentCid: 0f2c

    DirBase: 1d486000  ObjectTable: e252bbc8  HandleCount:  10.

    Image: client.exe

Handle table at e2845000 with 10 Entries in use

0024: Object: 81baaf20  GrantedAccess: 0012019f Entry: e2845048

Object: 81baaf20  Type: (823ceca0) File

    ObjectHeader: 81baaf08 (old version)

        HandleCount: 1  PointerCount: 3

        Directory Object: 00000000  Name: \mynamedpipe {NamedPipe}

 

kd> dt nt!_FILE_OBJECT 81baaf20 FsContext2

   +0x010 FsContext2       : 0x81b5cc90

The FsContext2 field points to an NPFS CCB structure. The importance of this structure is that it is charged to the server process which created it. The !pool extension can be used to display information about the ownership of the memory the file object is stored in.

kd> !pool 0x81b5cc90  2

Pool page 81b5cc90 region is Nonpaged pool

*81b5cc88 size:   50 previous size:  140  (Allocated) *NpFc Process: 81be0d88

              Pooltag NpFc : CCB, client control block, Binary : npfs.sys

PROCESS 81be0d88  SessionId: 0  Cid: 07b4    Peb: 7ffd4000  ParentCid: 0160

    DirBase: 02b6f000  ObjectTable: e234a530  HandleCount:  10.

    Image: server.exe

 

감사합니다.