Use named pipes, anonymous pipes are somehow broken

CERT-Polska · Aug 9, 2024 · a8dc1e5 · a8dc1e5
1 parent a344cc6
commit a8dc1e5
Show file tree

Hide file tree

Showing 3 changed files with 102 additions and 13 deletions.
diff --git a/drakshell/guest/drakshell.c b/drakshell/guest/drakshell.c
@@ -122,30 +122,99 @@ static bool init_std_handles(PSTD_HANDLES handles) {
     handles->hStderrRead = INVALID_HANDLE_VALUE;
     handles->hStderrWrite = INVALID_HANDLE_VALUE;
 
-    if(!CreatePipe(&(handles->hStdinRead), &(handles->hStdinWrite), &saInheritHandle, 0)) {
-        OutputDebugStringW(L"init_std_handles: CreatePipe failed for stdin");
+    handles->hStdinRead = CreateNamedPipe(
+        L"\\\\.\\pipe\\drakshell-stdin",
+        PIPE_ACCESS_INBOUND | FILE_FLAG_OVERLAPPED,
+        0, // byte & wait mode
+        1,
+        4096,
+        4096,
+        0,
+        &saInheritHandle
+    );
+
+    if(handles->hStdinRead == INVALID_HANDLE_VALUE) {
+        OutputDebugStringW(L"init_std_handles: CreateNamedPipe failed for stdin");
         return false;
     }
-    if(!SetHandleInformation(handles->hStdinWrite, HANDLE_FLAG_INHERIT, 0)) {
-        OutputDebugStringW(L"init_std_handles: SetHandleInformation failed for stdin");
+
+    handles->hStdinWrite = CreateFileW(
+        L"\\\\.\\pipe\\drakshell-stdin",
+        GENERIC_WRITE,
+        0,
+        NULL,
+        OPEN_EXISTING,
+        FILE_FLAG_OVERLAPPED,
+        NULL
+    );
+
+    if(handles->hStdinWrite == INVALID_HANDLE_VALUE) {
+        OutputDebugStringW(L"init_std_handles: CreateFileW failed for stdin");
         return false;
     }
-    if(!CreatePipe(&(handles->hStdoutRead), &(handles->hStdoutWrite), &saInheritHandle, 0)) {
-        OutputDebugStringW(L"init_std_handles: CreatePipe failed for stdout");
+
+    handles->hStdoutWrite = CreateNamedPipe(
+        L"\\\\.\\pipe\\drakshell-stdout",
+        PIPE_ACCESS_OUTBOUND | FILE_FLAG_OVERLAPPED,
+        0, // byte & wait mode
+        1,
+        4096,
+        4096,
+        0,
+        &saInheritHandle
+    );
+
+    if(handles->hStdoutWrite == INVALID_HANDLE_VALUE) {
+        OutputDebugStringW(L"init_std_handles: CreateNamedPipe failed for stdout");
         return false;
     }
-    if(!SetHandleInformation(handles->hStdoutWrite, HANDLE_FLAG_INHERIT, 0)) {
-        OutputDebugStringW(L"init_std_handles: SetHandleInformation failed for stdout");
+
+    handles->hStdoutRead = CreateFileW(
+        L"\\\\.\\pipe\\drakshell-stdout",
+        GENERIC_READ,
+        0,
+        NULL,
+        OPEN_EXISTING,
+        FILE_FLAG_OVERLAPPED,
+        NULL
+    );
+
+    if(handles->hStdoutRead == INVALID_HANDLE_VALUE) {
+        OutputDebugStringW(L"init_std_handles: CreateFileW failed for stdout");
         return false;
     }
-    if(!CreatePipe(&(handles->hStderrRead), &(handles->hStderrWrite), &saInheritHandle, 0)) {
-        OutputDebugStringW(L"init_std_handles: CreatePipe failed for stderr");
+
+    handles->hStderrWrite = CreateNamedPipe(
+        L"\\\\.\\pipe\\drakshell-stderr",
+        PIPE_ACCESS_OUTBOUND | FILE_FLAG_OVERLAPPED,
+        0, // byte & wait mode
+        1,
+        4096,
+        4096,
+        0,
+        &saInheritHandle
+    );
+
+    if(handles->hStderrWrite == INVALID_HANDLE_VALUE) {
+        OutputDebugStringW(L"init_std_handles: CreateNamedPipe failed for stderr");
         return false;
     }
-    if(!SetHandleInformation(handles->hStderrWrite, HANDLE_FLAG_INHERIT, 0)) {
-        OutputDebugStringW(L"init_std_handles: SetHandleInformation failed for stderr");
+
+    handles->hStderrRead = CreateFileW(
+        L"\\\\.\\pipe\\drakshell-stderr",
+        GENERIC_READ,
+        0,
+        NULL,
+        OPEN_EXISTING,
+        FILE_FLAG_OVERLAPPED,
+        NULL
+    );
+
+    if(handles->hStderrRead == INVALID_HANDLE_VALUE) {
+        OutputDebugStringW(L"init_std_handles: CreateFileW failed for stderr");
         return false;
     }
+
     return true;
 }
 
@@ -545,7 +614,7 @@ void __attribute__((noinline)) __attribute__((force_align_arg_pointer)) drakshel
         0,
         NULL,
         OPEN_EXISTING,
-        0,
+        FILE_FLAG_OVERLAPPED,
         NULL
     );
     if(hComm == INVALID_HANDLE_VALUE)

diff --git a/drakshell/guest/include/nt_loader.h b/drakshell/guest/include/nt_loader.h
@@ -17,6 +17,11 @@
 #define STARTF_USESTDHANDLES 0x00000100
 #define ERROR_IO_PENDING 0x000003e5
 #define ERROR_BROKEN_PIPE 0x0000006d
+#define PIPE_ACCESS_DUPLEX 0x00000003
+#define PIPE_ACCESS_OUTBOUND 0x00000002
+#define PIPE_ACCESS_INBOUND 0x00000001
+#define FILE_FLAG_OVERLAPPED 0x40000000
+#define FILE_FLAG_FIRST_PIPE_INSTANCE 0x00080000
 
 typedef uint8_t BYTE;
 typedef uint16_t WORD;
@@ -311,5 +316,18 @@ typedef BOOL (WINAPI* PTerminateProcess)(
 extern PTerminateProcess pTerminateProcess;
 #define TerminateProcess (*pTerminateProcess)
 
+typedef HANDLE (WINAPI* PCreateNamedPipeW)(
+    LPCWSTR lpName,
+    DWORD dwOpenMode,
+    DWORD dwPipeMode,
+    DWORD nMaxInstances,
+    DWORD nOutBufferSize,
+    DWORD nInBufferSize,
+    DWORD nDefaultTimeOut,
+    LPSECURITY_ATTRIBUTES lpSecurityAttributes
+);
+extern PCreateNamedPipeW pCreateNamedPipeW;
+#define CreateNamedPipe (*pCreateNamedPipeW)
+
 extern void* get_func_from_peb(const wchar_t* libraryName, const char* procName);
 extern bool load_winapi();
diff --git a/drakshell/guest/nt_loader.c b/drakshell/guest/nt_loader.c
@@ -228,6 +228,7 @@ PGetOverlappedResult pGetOverlappedResult;
 PCancelIo pCancelIo;
 PGetExitCodeProcess pGetExitCodeProcess;
 PTerminateProcess pTerminateProcess;
+PCreateNamedPipeW pCreateNamedPipeW;
 
 bool load_winapi() {
     HANDLE hKernel32, hUser32;
@@ -264,6 +265,7 @@ bool load_winapi() {
     pCancelIo = GetProcAddress(hKernel32, "CancelIo");
     pGetExitCodeProcess = GetProcAddress(hKernel32, "GetExitCodeProcess");
     pTerminateProcess = GetProcAddress(hKernel32, "TerminateProcess");
+    pCreateNamedPipeW = GetProcAddress(hKernel32, "CreateNamedPipeW");
 
     return true;
 }