RPC to Go v.3 – Named Pipes

? ?????? Named Pipe? ????, Named Pipe ??? ??? ????? ??? ??? ???? ? ????? ? ??? ???? ????? ???. ???? ?? RPC to Go v.1? v.2? ?? ???? ???. ? ???? ?????? ??? ? ? ???. ? ??? ??? ??? ??? ?? ?? ??? ?????. ? “????”?? ???? ?? ??? ?? RPC? ??? ?? ???? ???? ???? ????? ??? ??? ? ????.

? ??? ??? ? ???? ??? ?????. ? ??? ??? ???? ??? ?? ???? ?? ?????. ?? ??? ??? ????. ??? ??? Process Monitor? handle leak? ?? ?????. (Process Monitor? www.sysinternals.com?? ???? ?? ? ????) ?? ??? ???? ??? ??? ?? ??? ? ? ?? ??????.

? ??? ??? ????? ???(XP SP2), ? ??(Windows Server 2003 with IIS) ??? ?????? ??(Windows Server 2003 with SQL 2005)? ???? ????. ????? ? ??? ???? ??? ?? ? ??? ??????? ?????. ?? ???? ??? ??? ?? ???. ???? ??? ??? ???? ?? ??(?? ?????) ?? ??? ?? ?? ?? ?? ?????.

??? ??? ??? ?? ??? ?? ??? ???? ????? ?????. ?? ??? ?? ??? ?? ?????: process explorer(?? ?? ???), ?? ??? ?? ?? ??(???? “netstat -ano”? ??) ??? network capture. ???? ?? ??? ??? ?? ????? ?????? ?? ??? ???? ??? ? ?????. ??? process explorer? ???????. System ???? ?????? ???? ???? ???????. SQL server??? ???????.

Network capture?? ?(TCP port 80)? SQL (TCP port 1433) ???? ??? ?????. ? connection?? open?? close???? ??? ?????. ?? ??? ?? ??? ??? ?? ?????. ? ? ??? ??? 445 ?? ??? ???? SQL server??? ???? ?? ?????. SQL server? ??? ??? STATUS_PIPE_DISCONNECTED ??? ??? ?????. ??? ??? ?????? ???? SQL query procedure? ?? “call socket” ??? Named Pipe? ???? SQL server? ????? ?? ?????. ??? SQL server? Named Pipe? ??? Listen??? ????? ??? ?? ?????.

NAMED PIPE? ?????

Named Pipe?, RPC? ??, inter-process communication(IPC)???. MSDN? ??? named pipe? ?? ???? ??, ?? ???? process?? data? ???? ?? ?????. inter-process communication ???? ?? ???? ?? ???? socket connection? ????? ??? ? ? ????. ?? ???? ?? ???? ?? link? ?????.

https://msdn.microsoft.com/en-us/library/aa365574(VS.85).aspx#base.using_pipes_for_ipc

Named Pipe connection establish? ??? ???? ?????. RPC?? ??? Named Pipe?? end point mapper(EPM) ??? ????. ?? ?? host?? Inter-process communication?? ??? ???? ?? ??? ????.

  • ??? ?? ??? ??? ?? ??? ???.
  • ?? ??? ????? ?? ?? ?? ???.
  • ?? ????? ??? ? ??? ???(?? listening ??? ???? ????)
    • RPC? ???? ??? ?? Universally Unique Identifier(UUID)? ?????.
    • Named Pipe? \\MachineName\IPC$? ?? ???.

? ???? ???? ??? Named Pipe? Microsoft? ??? CIFS – Server Message Block ????, ?? SMB (?? ?? ??? blog? ??? ?????. ??? ?? link? ?? ?? ?????: https://msdn.microsoft.com/en-us/library/aa365233.aspx)? ?????.

IPC$ ??? ???? ?? ?? ??? RPC bind? call? SMB? ??? ?? ????? ?? TCP port 139? 445? ?? ?? ???. ??? process? ??? ? ? SMB NT Create AndX Request? ?????. ??? ?????? request? \\machinename\IPC$\ServiceName???. ?? ??, “wkssvc,”? workstation service???.

RPC ???? ???? RPC ??? ???? ????. UUID? transfer syntax ??? OpNum? ?????. ??? ‘AssociationGroupID’? ????. ?? ??? ?? ????? ??? ??? ? ???? ??? ???? ???.

??? ?? ???

  • ???? ????? ?????? ??? ???:
    • ?? ??? ???? ?????.
    • ??? IP address? ?? ??(route)? ??? ?????.
  • ????? ????? ?? ???? ??? ??? ???:
    • ?? ???? 139 ?? 445 ??? listening?? ??? ?????. Server ???? ????? ???.
    • ?????, ?? ??? ?? ??? ??? ??? ??? ?????.
  • ??? ??? ??? SMB ???? reset ???:
    • ??? ???? ?? ???? IPC$ ??? ??? ??? ?????.
    • ?? ??? ?????. ?? ???? DC? ??? Kerberos ??? ?? ??(route)? ??? ??? ???.
  • SMB? ?? ????? RPC call? BIND_NAK ??? ????:
    • remote ???? ????? ?????. (???? RPC ???? UUID? ?????) ? ? ?? ????? ??? ??? ?? “RPC to Go” ??? ?????.
  • network trace? ????? IPC$?? error ???? ??? ? ????. ??? ??? ???? ?? ???? ?? ????. ?? ???? ??? ???? ??? ???? ?????.

NETWORK CAPTURES

??? remote registry? ???? Fabfile-1 ??? Named Pipe? ???? ?????. IPC$? ?? SMB tree ??, remote procedure? ?? ??? ??? RPC ??? ?? ?? ????.

1. Tree Connect Request?? ?? ??? ?????:

65 08:43:34.724815 192.168.3.100 192.168.3.5 SMB Tree Connect AndX Request, Path: \\FABFILE-1\IPC$

2. NT Create AndX Request??, WinReg? file ???? IPC$ ??? ???? ?? ?????.

67 08:43:34.725799 192.168.3.100         192.168.3.5           SMB      NT Create AndX Request, FID: 0x4000, Path: \winreg
SMB (Server Message Block Protocol)
    SMB Header
        Server Component: SMB
        [Response in: 68]
        SMB Command: NT Create AndX (0xa2)
        NT Status: STATUS_SUCCESS (0x00000000)
        Flags: 0x18
        Flags2: 0xc807
        Process ID High: 0
        Signature: 0000000000000000
        Reserved: 0000
        Tree ID: 2048 (\\FABFILE-1\IPC$)
        Process ID: 792
        User ID: 2048
        Multiplex ID: 192
    NT Create AndX Request (0xa2)
        [FID: 0x4000 (\winreg)]

3. ???? RPC bind?? WINREG? ?? UUID? ???? ‘x86’ transfer syntax? ?????. ??? ??? procedure call? ???? ? remote procedure? ?????.

Ctx Item[1]: ID:0
        Context ID: 0
        Num Trans Items: 1
        Abstract Syntax: WINREG V1.0
            Interface: WINREG UUID: 338cd001-2244-31f1-aaaa-900038001003
            Interface Ver: 1
            Interface Ver Minor: 0
        Transfer Syntax[1]: 8a885d04-1ceb-11c9-9fe8-08002b104860 V2
            Transfer Syntax: 8a885d04-1ceb-11c9-9fe8-08002b104860  ver: 2
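The three-step sequence above (Tree Connect to IPC$, NT Create of the pipe, RPC bind over that FID) can be checked mechanically from a capture summary. The Python below is an added example and is not code from the original post: it parses constructed Wireshark-style summary lines modelled on the capture above (frame numbers, addresses, FIDs, the second and third pipe names and the one-line `DCERPC Bind`/`Bind_ack`/`Bind_nak` layout are assumptions) and reports, per pipe handle, whether the open succeeded, which interface the client asked for, and whether the bind was acknowledged or refused with BIND_NAK.

```python
import re

# Constructed capture summary modelled on the page's trace; frame numbers, addresses, FIDs
# and the DCERPC one-line layout are made up for illustration (not from a real capture).
SAMPLE_LINES = r"""
65 192.168.3.100 192.168.3.5 SMB Tree Connect AndX Request, Path: \\FABFILE-1\IPC$
67 192.168.3.100 192.168.3.5 SMB NT Create AndX Request, FID: 0x4000, Path: \winreg
68 192.168.3.5 192.168.3.100 SMB NT Create AndX Response, FID: 0x4000
69 192.168.3.100 192.168.3.5 DCERPC Bind: call_id: 1, WINREG V1.0, FID: 0x4000
70 192.168.3.5 192.168.3.100 DCERPC Bind_ack: call_id: 1, FID: 0x4000
71 192.168.3.100 192.168.3.5 SMB NT Create AndX Request, FID: 0x4001, Path: \wkssvc
72 192.168.3.5 192.168.3.100 SMB NT Create AndX Response, FID: 0x4001
73 192.168.3.100 192.168.3.5 DCERPC Bind: call_id: 2, WKSSVC V1.0, FID: 0x4001
74 192.168.3.5 192.168.3.100 DCERPC Bind_nak: call_id: 2, FID: 0x4001
75 192.168.3.100 192.168.3.5 SMB NT Create AndX Request, FID: 0x4002, Path: \sql\query
76 192.168.3.5 192.168.3.100 SMB NT Create AndX Response, Error: STATUS_PIPE_DISCONNECTED
"""

TREE_RE = re.compile(r"Tree Connect AndX Request, Path: (\\\\\S+\\IPC\$)")
OPEN_RE = re.compile(r"NT Create AndX Request, FID: (0x[0-9a-f]+), Path: \\(\S+)")
ERR_RE = re.compile(r"NT Create AndX Response, Error: (\S+)")
BIND_RE = re.compile(r"DCERPC (Bind_ack|Bind_nak|Bind): call_id: \d+(?:, (\S+) V[\d.]+)?, FID: (0x[0-9a-f]+)")

def analyse_pipe_sessions(text):
    """Map each pipe FID opened under IPC$ to its share, pipe name, RPC interface and outcome."""
    sessions, share, pending = {}, None, None
    for line in text.splitlines():
        if m := TREE_RE.search(line):            # step 1: tree connect to \\host\IPC$
            share = m.group(1)
        elif m := OPEN_RE.search(line):          # step 2: open the pipe as a file on IPC$
            pending = m.group(1)
            sessions[pending] = {"share": share, "pipe": m.group(2),
                                 "interface": None, "outcome": "opened, no bind seen"}
        elif (m := ERR_RE.search(line)) and pending in sessions:
            sessions[pending]["outcome"] = "open failed: " + m.group(1)
        elif (m := BIND_RE.search(line)) and m.group(3) in sessions:
            s, kind = sessions[m.group(3)], m.group(1)   # step 3: RPC bind over the pipe
            if kind == "Bind":
                s["interface"], s["outcome"] = m.group(2), "bind sent, no ack seen"
            elif kind == "Bind_ack":
                s["outcome"] = "bound"
            else:   # BIND_NAK: the server has no endpoint registered for that interface UUID
                s["outcome"] = "BIND_NAK: interface " + str(s["interface"]) + " not registered"
    return sessions

if __name__ == "__main__":
    for fid, s in analyse_pipe_sessions(SAMPLE_LINES).items():
        print(fid, s["share"], s["pipe"], s["interface"], "->", s["outcome"])
```

A pipe whose open fails (here the constructed STATUS_PIPE_DISCONNECTED case) never reaches the bind, which is the symptom to distinguish from a BIND_NAK, where the open succeeded but the interface was not registered.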

? ???? Named Pipe? connection establishment ??? ???? ??? ?? ? ??? ??? ???? ??? ???? ???. ?? “RPC to Go” ???? ??? support call? ???? ??? ???? ????.

- Rich Chambers