Non-Admin user calling CreateNamedPipe

Started by AgentSmithers, March 12, 2014, 09:27:59 AM


AgentSmithers


.386
.model flat,stdcall
option casemap:none


Include c:\masm32\include\windows.inc
Include c:\masm32\include\kernel32.inc
Include c:\masm32\include\user32.inc
Include c:\masm32\include\advapi32.inc
include \masm32\include\masm32.inc
include \masm32\include\wtsapi32.inc
include \masm32\include\userenv.inc

IncludeLib c:\masm32\lib\kernel32.lib
IncludeLib c:\masm32\lib\user32.lib
IncludeLib c:\masm32\lib\advapi32.lib
includelib \masm32\lib\masm32.lib
includelib \masm32\lib\wtsapi32.lib
includelib \masm32\lib\userenv.lib

Include c:\masm32\include\Ws2_32.inc
IncludeLib c:\masm32\lib\Ws2_32.lib
.data
NamedPipeIn db "\\.\pipe\MyPipeIn", 0
NamedPipeOut db "\\.\pipe\MyPipeOut", 0

sd SECURITY_DESCRIPTOR <>
sa SECURITY_ATTRIBUTES <>   ; attributes block passed to CreateNamedPipe

.Data?
;CUSTOM .DATA?
hPipeIn dd ?
hPipeOut dd ?
hPipeCreateFile dd ?
OpenMode dd ?
PipeMode dd ?

.code

main:


mov OpenMode, PIPE_ACCESS_INBOUND + FILE_FLAG_WRITE_THROUGH

mov PipeMode, PIPE_WAIT
or PipeMode, PIPE_TYPE_BYTE
or PipeMode, PIPE_READMODE_BYTE

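; A NULL DACL (bDaclPresent = TRUE, pDacl = NULL) grants all access to everyone
invoke InitializeSecurityDescriptor, ADDR sd, SECURITY_DESCRIPTOR_REVISION
invoke SetSecurityDescriptorDacl, ADDR sd, TRUE, NULL, FALSE

mov sa.nLength, sizeof SECURITY_ATTRIBUTES
lea eax, sd
mov sa.lpSecurityDescriptor, 0;eax  ; 0 here: sd is not attached, so the pipe gets the default security descriptor
mov sa.bInheritHandle, TRUE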

;Issue with CreateNamedPipe as nonAdmin

invoke CreateNamedPipe, ADDR NamedPipeIn, OpenMode, PipeMode, PIPE_UNLIMITED_INSTANCES, 8192, 8192, 0, addr sa
mov hPipeIn, eax

;invoke CreateNamedPipe, ADDR NamedPipeImpersonation, OpenMode, PipeMode, PIPE_UNLIMITED_INSTANCES, 8192, 8192, 0, addr sa
;mov hPipeImpersonation, eax

mov OpenMode, PIPE_ACCESS_OUTBOUND + FILE_FLAG_WRITE_THROUGH

invoke CreateNamedPipe, ADDR NamedPipeOut, OpenMode, PipeMode, PIPE_UNLIMITED_INSTANCES, 8192, 8192, 0, addr sa
mov hPipeOut, eax

; Block until a client opens each pipe
invoke ConnectNamedPipe, hPipeIn, 0
invoke ConnectNamedPipe, hPipeOut, 0

invoke ExitProcess, 0
end main

Hi Everyone!
    Currently this is known as working code in the Administrator world. But when I try to use CreateNamedPipe as a "built-in\user" account it fails to create. Anyone have any input on the proper security descriptor so that a normal user account can listen for incoming data from a client connection using named pipes?
Thank you!

hutch--

You would need to check the Microsoft documentation on the API call to see if they have a reason to restrict non-administrator profiles from accessing this capacity. With each successive OS version more restrictions are applied for security reasons, so you may find that it changes from XP to Vista to Win7 and then Win8.
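
An added example, not code from either poster: one way to attach an explicit DACL to the pipe from the first post instead of a NULL DACL, and to surface the Win32 error code when CreateNamedPipe fails. The SDDL policy and the names PipeName, Sddl, pSD and hPipe are constructed for illustration, and the code assumes the installed advapi32.inc and advapi32.lib provide ConvertStringSecurityDescriptorToSecurityDescriptorA.

```masm
.386
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\advapi32.inc   ; assumed to declare the SDDL conversion API
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\advapi32.lib

.data
PipeName db "\\.\pipe\MyPipeIn", 0
; Constructed policy (assumption, adjust to your trust boundary):
; SYSTEM and Administrators get full access, interactively logged-on
; users get read/write. GW maps to FILE_GENERIC_WRITE, which also
; carries FILE_CREATE_PIPE_INSTANCE.
Sddl db "D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW;;;IU)", 0
sa   SECURITY_ATTRIBUTES <>

.data?
pSD   dd ?
hPipe dd ?

.code
main:
    ; Build a security descriptor from the SDDL string (1 = SDDL_REVISION_1)
    invoke ConvertStringSecurityDescriptorToSecurityDescriptorA, ADDR Sddl, 1, ADDR pSD, NULL
    test eax, eax
    jz failed

    mov sa.nLength, sizeof SECURITY_ATTRIBUTES
    mov eax, pSD
    mov sa.lpSecurityDescriptor, eax    ; attach the descriptor to the attributes
    mov sa.bInheritHandle, FALSE        ; keep the handle out of child processes

    invoke CreateNamedPipe, ADDR PipeName, PIPE_ACCESS_INBOUND or FILE_FLAG_WRITE_THROUGH, PIPE_TYPE_BYTE or PIPE_READMODE_BYTE or PIPE_WAIT, PIPE_UNLIMITED_INSTANCES, 8192, 8192, 0, ADDR sa
    mov hPipe, eax
    cmp eax, INVALID_HANDLE_VALUE       ; CreateNamedPipe signals failure with -1, not 0
    je failed

    invoke LocalFree, pSD               ; the descriptor buffer is no longer needed
    invoke ConnectNamedPipe, hPipe, NULL ; blocks until a client opens the pipe
    invoke CloseHandle, hPipe
    invoke ExitProcess, 0

failed:
    invoke GetLastError                 ; read the error before any other API call
    invoke ExitProcess, eax             ; exit code = Win32 error, e.g. 5 for ERROR_ACCESS_DENIED
end main
```

Running this as the non-admin account and checking the process exit code shows which Win32 error the failing call returned.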