进程间通信之alpc

已于 2024-01-05 17:23:36 修改
阅读量630 收藏 9
点赞数 6
分类专栏: windows inners 文章标签: windows ipc alpc
于 2024-01-05 17:18:00 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/pureman_mega/article/details/135414119
版权

参考:

1,Offensive Windows IPC Internals 3: ALPC · csandker.io

2,GitHub - csandker/InterProcessCommunication-Samples: Some Code Samples for Windows based Inter-Process-Communication (IPC)

***

下面出现的代码都来自参考链接中,非本人编写

***

常见的进程间通信有管道,共享内存等。下面代码演示一种交少见的机制,alpc (advanced local procedure call) 。

文件ALPC.h

#pragma once

#include <Windows.h>
#include <winternl.h>


//
// CONSTANTS
//


// PORT ATTRIBUTE FLAGS
#define ALPC_PORTFLG_NONE 0x0
#define ALPC_PORTFLG_LPCPORT 0x1000 // Only usable in kernel
#define ALPC_PORTFLG_ALLOWIMPERSONATION 0x10000 // Can be set by client to allow server to impersonation this client
#define ALPC_PORTFLG_ALLOW_LPC_REQUESTS 0x20000
#define ALPC_PORTFLG_WAITABLE_PORT 0x40000	// Allow port to be used with synchronization mechanisms like Semaphores
#define ALPC_PORTFLG_SYSTEM_PROCESS 0x100000 // Only usable in kernel
#define ALPC_PORTFLG_ALLOW_DUP_OBJECT 0x80000
#define ALPC_PORTFLG_LRPC_WAKE_POLICY1 0x200000
#define ALPC_PORTFLG_LRPC_WAKE_POLICY2 0x400000
#define ALPC_PORTFLG_LRPC_WAKE_POLICY3 0x800000
#define ALPC_PORTFLG_DIRECT_MESSAGE 0x1000000	// There are 5 queues, Main queue, Direct message queue, Large message queue, Pending queue, Canceled queue... guess this attribute specifies to use the direct message queue instead of main queue

// Uncertain
//#define ALPC_PORTFLG_ACCEPT_INDIRECT_HANDLES (from https://github.com/microsoft/terminal/blob/059f2031583fd22fb7b5f498e4a30196cf3150d4/src/interactivity/onecore/ConIoSrvComm.cpp)
//#define ALPC_PORTFLG_ALLOW_MULTI_HANDLE_ATTRIBUTE 0x2000000


// ERROS
/// just the ones i need to integrate into my code flow
const NTSTATUS STATUS_BUFFER_TOO_SMALL = 0xC0000023;
const NTSTATUS STATUS_PORT_CONNECTION_REFUSED = 0xC0000041;
const NTSTATUS STATUS_ACCESS_DENIED = 0xC0000022;
const NTSTATUS STATUS_SERVER_SID_MISMATCH = 0xC00002A0;

// ALPC Message Attributes
#define ALPC_MESSAGE_SECURITY_ATTRIBUTE 0x80000000
#define ALPC_MESSAGE_VIEW_ATTRIBUTE 0x40000000
#define ALPC_MESSAGE_CONTEXT_ATTRIBUTE 0x20000000
#define ALPC_MESSAGE_HANDLE_ATTRIBUTE 0x10000000
#define ALPC_MESSAGE_TOKEN_ATTRIBUTE 0x8000000
#define ALPC_MESSAGE_DIRECT_ATTRIBUTE 0x4000000
#define ALPC_MESSAGE_WORK_ON_BEHALF_ATTRIBUTE 0x2000000
#define ALPC_MESSAGE_ATTRIBUTE_ALL ALPC_MESSAGE_SECURITY_ATTRIBUTE | ALPC_MESSAGE_VIEW_ATTRIBUTE | ALPC_MESSAGE_CONTEXT_ATTRIBUTE | ALPC_MESSAGE_HANDLE_ATTRIBUTE | ALPC_MESSAGE_TOKEN_ATTRIBUTE | ALPC_MESSAGE_DIRECT_ATTRIBUTE | ALPC_MESSAGE_WORK_ON_BEHALF_ATTRIBUTE

// ALPC Message Flags
#define ALPC_MSGFLG_NONE 0x0
#define ALPC_MSGFLG_REPLY_MESSAGE 0x1
#define ALPC_MSGFLG_LPC_MODE 0x2
#define ALPC_MSGFLG_RELEASE_MESSAGE 0x10000
#define ALPC_MSGFLG_SYNC_REQUEST 0x20000		// synchronous message, needs a receive buffer or else error 0xC0000705 is returned
#define ALPC_MSGFLG_WAIT_USER_MODE 0x100000
#define ALPC_MSGFLG_WAIT_ALERTABLE 0x200000
#define ALPC_MSGFLG_WOW64_CALL 0x80000000

// ALPC Connection FLAGS
/// From: https://recon.cx/2008/a/thomas_garnier/LPC-ALPC-paper.pdf
#define ALPC_SYNC_CONNECTION 0x20000 // Synchronous connection request
#define ALPC_USER_WAIT_MODE 0x100000 // Wait in user mode
#define ALPC_WAIT_IS_ALERTABLE 0x200000 // Wait in alertable mode

// 0xc0020000 connection flag causing SF flag to be "1" in nt!AlpcpExposeViewAttribute and therefore calling nt!AlpcpExposeViewAttribute


//
// STRUCTS
//


// Based on https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/blob/main/NtApiDotNet/NtAlpcNative.cs#L82-L97
enum ALPC_MESSAGE_TYPE
{
	None = 0,
	Request = 1,
	Reply = 2,
	Datagram = 3,
	LostReply = 4,
	PortClosed = 5,
	ClientDied = 6,
	Exception = 7,
	DebugEvent = 8,
	ErrorEvent = 9,
	ConnectionRequest = 10,
	ConnectionReply = 11,
	UNKNOWN12 = 12,	// Seems to be something like an empty reply, PID and TID pointing to own thread
	PortDisconnected = 13 // Used by the kernel when disconnecting an exception port.
};
// End Based  ON

typedef struct _ALPC_PORT_ATTRIBUTES
{
    unsigned long Flags;
    SECURITY_QUALITY_OF_SERVICE SecurityQos;
    unsigned __int64 MaxMessageLength;
    unsigned __int64 MemoryBandwidth;
    unsigned __int64 MaxPoolUsage;
    unsigned __int64 MaxSectionSize;
    unsigned __int64 MaxViewSize;
    unsigned __int64 MaxTotalSectionSize;
	ULONG DupObjectTypes;
#ifdef _WIN64
	ULONG Reserved;
#endif
} ALPC_PORT_ATTRIBUTES, * PALPC_PORT_ATTRIBUTES;

typedef struct _ALPC_MESSAGE_ATTRIBUTES
{
	ULONG AllocatedAttributes;
	ULONG ValidAttributes;
} ALPC_MESSAGE_ATTRIBUTES, * PALPC_MESSAGE_ATTRIBUTES;

typedef struct _PORT_MESSAGE
{
	union
	{
		struct
		{
			USHORT DataLength;
			USHORT TotalLength;
		} s1;
		ULONG Length;
	} u1;
	union
	{
		struct
		{
			USHORT Type;
			USHORT DataInfoOffset;
		} s2;
		ULONG ZeroInit;
	} u2;
	union
	{
		CLIENT_ID ClientId;
		double DoNotUseThisField;
	};
	ULONG MessageId;
	union
	{
		SIZE_T ClientViewSize; // only valid for LPC_CONNECTION_REQUEST messages
		ULONG CallbackId; // only valid for LPC_REQUEST messages
	};
} PORT_MESSAGE, * PPORT_MESSAGE;


// FROM https://docs.rs/ntapi/0.3.6/ntapi/ntlpcapi/struct.ALPC_HANDLE_ATTR.html
typedef struct _ALPC_DATA_VIEW_ATTR {
	ULONG Flags;
	HANDLE SectionHandle;
	PVOID ViewBase;
	SIZE_T ViewSize;
} ALPC_DATA_VIEW_ATTR, * PALPC_DATA_VIEW_ATTR;

typedef struct _ALPC_TOKEN_ATTR
{
	ULONGLONG TokenId;
	ULONGLONG AuthenticationId;
	ULONGLONG ModifiedId;
} ALPC_TOKEN_ATTR, * PALPC_TOKEN_ATTR;

typedef struct _AlpcPortContext {
	HANDLE Handle;
} AlpcPortContext, * PAlpcPortContext;

typedef struct _ALPC_CONTEXT_ATTR {
	PVOID PortContext;
	PVOID MessageContext;
	ULONG Sequence;
	ULONG MessageId;
	ULONG CallbackId;
} ALPC_CONTEXT_ATTR, * PALPC_CONTEXT_ATTR;

typedef struct _ALPC_SECURITY_ATTR {
	ULONG Flags;
	PSECURITY_QUALITY_OF_SERVICE pQOS;
	HANDLE ContextHandle;
} ALPC_SECURITY_ATTR, * PALPC_SECURITY_ATTR;


typedef struct _SECURITY_CLIENT_CONTEXT
{
	SECURITY_QUALITY_OF_SERVICE SecurityQos;	//_KALPC_SECURITY_DATA
	LPVOID ClientToken;
	UCHAR DirectlyAccessClientToken;
	UCHAR DirectAccessEffectiveOnly;
	UCHAR ServerIsRemote;
	_TOKEN_CONTROL ClientTokenControl;
} SECURITY_CLIENT_CONTEXT, * PSECURITY_CLIENT_CONTEXT;

// From https://github.com/hakril/PythonForWindows/blob/3149961634cda0029a288e6ffa7779e4492adb13/ctypes_generation/definitions/structures/alpc.txt
typedef struct _ALPC_DIRECT_ATTR
{
	HANDLE Event;
} ALPC_DIRECT_ATTR, * PALPC_DIRECT_ATTR;

typedef struct _ALPC_WORK_ON_BEHALF_ATTR
{
	ULONGLONG Ticket;
} ALPC_WORK_ON_BEHALF_ATTR, * PALPC_WORK_ON_BEHALF_ATTR;

typedef struct _ALPC_HANDLE_ATTR
{
	ULONG Flags;
	HANDLE Handle;
	ULONG ObjectType;
	ACCESS_MASK DesiredAccess;
} ALPC_HANDLE_ATTR, * PALPC_HANDLE_ATTR;

typedef struct _ALPC_HANDLE_ENTRY {
	LPVOID Object;
};

typedef struct _PORT_VIEW
{
	ULONG Length;
	HANDLE SectionHandle;
	ULONG SectionOffset;
	SIZE_T ViewSize;
	PVOID ViewBase;
	PVOID ViewRemoteBase;
} PORT_VIEW, * PPORT_VIEW;

typedef enum _ALPC_PORT_INFORMATION_CLASS
{
	AlpcBasicInformation, // q: out ALPC_BASIC_INFORMATION
	AlpcPortInformation, // s: in ALPC_PORT_ATTRIBUTES
	AlpcAssociateCompletionPortInformation, // s: in ALPC_PORT_ASSOCIATE_COMPLETION_PORT
	AlpcConnectedSIDInformation, // q: in SID
	AlpcServerInformation, // q: inout ALPC_SERVER_INFORMATION
	AlpcMessageZoneInformation, // s: in ALPC_PORT_MESSAGE_ZONE_INFORMATION
	AlpcRegisterCompletionListInformation, // s: in ALPC_PORT_COMPLETION_LIST_INFORMATION
	AlpcUnregisterCompletionListInformation, // s: VOID
	AlpcAdjustCompletionListConcurrencyCountInformation, // s: in ULONG
	AlpcRegisterCallbackInformation, // kernel-mode only
	AlpcCompletionListRundownInformation, // s: VOID
	AlpcWaitForPortReferences
} ALPC_PORT_INFORMATION_CLASS;

typedef struct _ALPC_SERVER_INFORMATION
{
	union
	{
		struct
		{
			HANDLE ThreadHandle;
		} In;
		struct
		{
			BOOLEAN ThreadBlocked;
			HANDLE ConnectedProcessId;
			UNICODE_STRING ConnectionPortName;
		} Out;
	};
} ALPC_SERVER_INFORMATION, * PALPC_SERVER_INFORMATION;

typedef struct _ALPC_BASIC_INFORMATION
{
	ULONG Flags;
	ULONG SequenceNo;
	PVOID PortContext;
} ALPC_BASIC_INFORMATION, * PALPC_BASIC_INFORMATION;

typedef enum _ALPC_MESSAGE_INFORMATION_CLASS {
	AlpcMessageSidInformation, // out PSID
	AlpcMessageTokenModifiedIdInformation,  // q: out LUID
	AlpcMessageDirectStatusInformation,
	AlpcMessageHandleInformation, // ALPC_MESSAGE_HANDLE_INFORMATION
	MaxAlpcMessageInfoClass
} ALPC_MESSAGE_INFORMATION_CLASS, * PALPC_MESSAGE_INFORMATION_CLASS;

typedef struct _ALPC_MESSAGE_HANDLE_INFORMATION {
	ULONG Index;
	ULONG Flags;
	ULONG Handle;
	ULONG ObjectType;
	ACCESS_MASK GrantedAccess;
} ALPC_MESSAGE_HANDLE_INFORMATION, * PALPC_MESSAGE_HANDLE_INFORMATION;


//
// FUNCTIONS
//


EXTERN_C
LPVOID NTAPI AlpcGetMessageAttribute(
	_In_ PALPC_MESSAGE_ATTRIBUTES Buffer,
	_In_ ULONG AttributeFlag
);

EXTERN_C
NTSTATUS NTAPI AlpcInitializeMessageAttribute(
	_In_ ULONG AttributeFlags,
	_Out_opt_ PALPC_MESSAGE_ATTRIBUTES Buffer,
	_In_ SIZE_T BufferSize,
	_Out_ PSIZE_T RequiredBufferSize
);

EXTERN_C
NTSTATUS NTAPI NtAlpcCreatePort(
	_Out_ PHANDLE PortHandle,
	_In_ POBJECT_ATTRIBUTES ObjectAttributes,
	_In_opt_ PALPC_PORT_ATTRIBUTES PortAttributes
);

EXTERN_C
NTSTATUS NTAPI NtAlpcConnectPort(
	_Out_ PHANDLE PortHandle,
	_In_ PUNICODE_STRING PortName,
	_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
	_In_opt_ PALPC_PORT_ATTRIBUTES PortAttributes,
	_In_ DWORD ConnectionFlags,
	_In_opt_ PSID RequiredServerSid,
	_In_opt_ PPORT_MESSAGE ConnectionMessage,
	_Inout_opt_ PSIZE_T ConnectMessageSize,
	_In_opt_ PALPC_MESSAGE_ATTRIBUTES OutMessageAttributes,
	_In_opt_ PALPC_MESSAGE_ATTRIBUTES InMessageAttributes,
	_In_opt_ PLARGE_INTEGER Timeout
);

EXTERN_C
NTSTATUS NTAPI NtAlpcSendWaitReceivePort(
    _In_ HANDLE PortHandle,
    _In_ DWORD Flags,
    _In_opt_ PPORT_MESSAGE SendMessage_,
    _In_opt_ PALPC_MESSAGE_ATTRIBUTES SendMessageAttributes,
    _Inout_opt_ PPORT_MESSAGE ReceiveMessage,
    _Inout_opt_ PSIZE_T BufferLength,
    _Inout_opt_ PALPC_MESSAGE_ATTRIBUTES ReceiveMessageAttributes,
    _In_opt_ PLARGE_INTEGER Timeout
);

EXTERN_C
NTSTATUS NTAPI NtAlpcAcceptConnectPort(
	_Out_ PHANDLE PortHandle,
	_In_ HANDLE ConnectionPortHandle,
	_In_ DWORD Flags,
	_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
	_In_opt_ PALPC_PORT_ATTRIBUTES PortAttributes,
	_In_opt_ PVOID PortContext,
	_In_ PPORT_MESSAGE ConnectionRequest,
	_Inout_opt_ PALPC_MESSAGE_ATTRIBUTES ConnectionMessageAttributes,
	_In_ BOOLEAN AcceptConnection
);

EXTERN_C
SIZE_T NTAPI AlpcGetHeaderSize(
	ULONG TypeFlag
);

EXTERN_C
NTSTATUS NTAPI NtAlpcImpersonateClientOfPort(
	_In_ HANDLE         PortHandle,
	_In_ PPORT_MESSAGE  PortMessage,
	_Reserved_ PVOID    Reserved
);

EXTERN_C
NTSTATUS NTAPI NtAlpcImpersonateClientContainerOfPort(
	_In_ HANDLE PortHandle,
	_In_ PPORT_MESSAGE Message,
	_In_ ULONG Flags
);

EXTERN_C
NTSTATUS NTAPI NtAlpcDisconnectPort(
	_In_ HANDLE PortHandle,
	_In_ ULONG Flags
);

EXTERN_C
NTSTATUS NTAPI NtAlpcCreatePortSection(
	_In_ HANDLE PortHandle,
	_In_ ULONG Flags,
	_In_opt_ HANDLE SectionHandle,
	_In_ SIZE_T SectionSize,
	_Out_ PHANDLE AlpcSectionHandle,
	_Out_ PSIZE_T ActualSectionSize
);
EXTERN_C
NTSTATUS NTAPI NtAlpcCreateSectionView(
	_In_ HANDLE PortHandle,
	_Reserved_ ULONG Flags,
	_Inout_ PALPC_DATA_VIEW_ATTR ViewAttributes
);
EXTERN_C
ULONG NTAPI AlpcMaxAllowedMessageLength();

EXTERN_C
NTSTATUS NTAPI NtAlpcQueryInformationMessage(
	_In_ HANDLE PortHandle,
	_In_ PPORT_MESSAGE PortMessage,
	_In_ ALPC_MESSAGE_INFORMATION_CLASS MessageInformationClass,
	__out_bcount(Length) PVOID MessageInformation,
	_In_ SIZE_T Length,
	_Out_opt_ PSIZE_T ReturnLength
);

// From https://processhacker.sourceforge.io/doc/ntlpcapi_8h.html#a1c4ea76677db393f9bb13baabdcb242a
EXTERN_C
NTSTATUS NTAPI NtAlpcCreateSecurityContext(
	_In_ HANDLE  	PortHandle,
	_Reserved_ ULONG  	Flags,
	_Inout_ PALPC_SECURITY_ATTR  	SecurityAttribute
);

//EXTERN_C
//NTSTATUS NTAPI NtAlpcOpenSenderThread(
//	_Out_ PHANDLE ThreadHandle,
//	_In_ HANDLE PortHandle,
//	_In_ PPORT_MESSAGE PortMessage,
//	_In_ ULONG Flags,
//	_In_ ACCESS_MASK DesiredAccess,
//	_In_ POBJECT_ATTRIBUTES ObjectAttributes
//);


//
// CUSTOM Additions for my specific ALPC serer
//


typedef struct _CS_PORT_CONTEXT {
	ULONG PID;
	ULONG TID;
	ULONG ID;
} CS_PORT_CONTEXT, * PCS_PORT_CONTEXT;


typedef struct _ALPC_MESSAGE {
	PORT_MESSAGE PortHeader;
	BYTE PortMessage[1000]; // Hard limit for this is 65488. An Error is thrown if AlpcMaxAllowedMessageLength() is exceeded
} ALPC_MESSAGE, * PALPC_MESSAGE;


//
// OTHER Stuff
//


//typedef struct _PH_TOKEN_ATTRIBUTES
//{
//	HANDLE TokenHandle;
//	struct
//	{
//		ULONG Elevated : 1;
//		ULONG ElevationType : 2;
//		ULONG ReservedBits : 29;
//	};
//	ULONG Reserved;
//	PSID TokenSid;
//} PH_TOKEN_ATTRIBUTES, * PPH_TOKEN_ATTRIBUTES;


//0x4 bytes (sizeof)
struct _EX_PUSH_LOCK
{
	union
	{
		struct
		{
			ULONG Locked : 1;                                                 //0x0
			ULONG Waiting : 1;                                                //0x0
			ULONG Waking : 1;                                                 //0x0
			ULONG MultipleShared : 1;                                         //0x0
			ULONG Shared : 28;                                                //0x0
		};
		ULONG Value;                                                        //0x0
		PVOID Ptr;                                                          //0x0
	};
};

typedef struct _ALPC_HANDLE_TABLE{
	_ALPC_HANDLE_ENTRY Handles;
	UINT TotalHandles;
	UINT Flags;
	_EX_PUSH_LOCK Lock;
} ALPC_HANDLE_TABLE, * PALPC_HANDLE_TABLE;


//typedef struct _EPROCESS* PEPROCESS;
typedef struct _KALPC_SECURITY_DATA
{
	PALPC_HANDLE_TABLE HandleTable;	//_KALPC_SECURITY_DATA
	LPVOID ContextHandle;
	LPVOID OwningProcess;
	LPVOID OwnerPort;
	_SECURITY_CLIENT_CONTEXT DynamicSecurity;
} KALPC_SECURITY_DATA, * PKALPC_SECURITY_DATA;

文件CommandALPC.cpp

//#include<iostream>
#include<stdio.h>
#include<windows.h>
#include <sddl.h>

#include <AclAPI.h>

#include"ALPC.h"

// This could also be defined in the project properties, but i wanted to ensure everyone spots that you need to link against those libs
#pragma comment( lib, "ntdll" )
#pragma comment( lib, "User32" )

typedef struct _csTOKEN {
	LPWSTR pwsUSERSID;
	TOKEN_TYPE TokenType;
	LPWSTR pwsTokenType;
	LPWSTR pwsTokenImpersonationLevel;
} CSTOKEN, * PCSTOKEN;

BOOL EnablePriv(HANDLE hToken, LPCTSTR priv)
{
	TOKEN_PRIVILEGES tp;
	LUID luid;

	if (!LookupPrivilegeValue(NULL, priv, &luid))
	{
		printf("Priv Lookup FALSE\n");
		return FALSE;
	}

	tp.PrivilegeCount = 1;
	tp.Privileges[0].Luid = luid;
	tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
	if (!AdjustTokenPrivileges(
		hToken,
		FALSE,
		&tp,
		sizeof(TOKEN_PRIVILEGES),
		(PTOKEN_PRIVILEGES)NULL,
		(PDWORD)NULL))
	{
		printf("Priv Adjust FALSE\n");
		return FALSE;
	}

	return TRUE;
}

BOOL printTokenType(HANDLE hToken, PCSTOKEN pCSToken) {
	PTOKEN_TYPE ptt = NULL;
	DWORD dwSize = 0;
	pCSToken->pwsTokenType = (LPWSTR)L"";
	if (!GetTokenInformation(hToken, TokenType, NULL, 0, &dwSize)
		&& ERROR_INSUFFICIENT_BUFFER != GetLastError())
	{
		return FALSE;
	}
	if (NULL != (ptt = (PTOKEN_TYPE)LocalAlloc(LPTR, dwSize)))
	{
		if (!GetTokenInformation(hToken, TokenType, ptt, dwSize, &dwSize))
		{
			LocalFree((HLOCAL)ptt);
			return FALSE;
		}
		pCSToken->TokenType = (TOKEN_TYPE)*ptt;
		switch (pCSToken->TokenType)
		{
		case TokenImpersonation:
			pCSToken->pwsTokenType = (LPWSTR)L"ImpersonationToken";
			return TRUE;
		case TokenPrimary:
			pCSToken->pwsTokenType = (LPWSTR)L"PrimaryToken";
			return TRUE;
		default:
			wprintf(L"[-] Undefined Token Type. \n");
			return FALSE;
		}

		LocalFree((HLOCAL)ptt);
	}
	return FALSE;
}

BOOL printTokenImpersonationLeven(HANDLE hToken, PCSTOKEN pCSToken) {
	PSECURITY_IMPERSONATION_LEVEL psil = NULL;
	DWORD dwSize = 0;
	pCSToken->pwsTokenImpersonationLevel = (LPWSTR)L"";
	if (!GetTokenInformation(hToken, TokenImpersonationLevel, NULL, 0, &dwSize)
		&& ERROR_INSUFFICIENT_BUFFER != GetLastError())
	{
		return FALSE;
	}
	if (NULL != (psil = (PSECURITY_IMPERSONATION_LEVEL)LocalAlloc(LPTR, dwSize)))
	{
		if (!GetTokenInformation(hToken, TokenImpersonationLevel, psil, dwSize, &dwSize))
		{
			LocalFree((HLOCAL)psil);
			return FALSE;
		}
		switch (*psil)
		{
		case SecurityAnonymous:
			pCSToken->pwsTokenImpersonationLevel = (LPWSTR)L"SecurityAnonymous";
			return TRUE;
		case SecurityIdentification:
			pCSToken->pwsTokenImpersonationLevel = (LPWSTR)L"SecurityIdentification";
			return TRUE;
		case SecurityImpersonation:
			pCSToken->pwsTokenImpersonationLevel = (LPWSTR)L"SecurityImpersonation";
			return TRUE;
		case SecurityDelegation:
			pCSToken->pwsTokenImpersonationLevel = (LPWSTR)L"SecurityDelegation";
			return TRUE;
		default:
			wprintf(L"[-] Undefined Impersonation Level. \n");
			return FALSE;
		}
		LocalFree((HLOCAL)psil);
	}
	return FALSE;
}

BOOL printTokenUserSid(HANDLE hToken, PCSTOKEN pCSToken)
{
	PTOKEN_USER ptu = NULL;
	DWORD dwSize = 0;
	pCSToken->pwsUSERSID = (LPWSTR)L"";
	if (!GetTokenInformation(hToken, TokenUser, NULL, 0, &dwSize)
		&& ERROR_INSUFFICIENT_BUFFER != GetLastError())
	{
		return FALSE;
	}
	if (NULL != (ptu = (PTOKEN_USER)LocalAlloc(LPTR, dwSize)))
	{
		LPWSTR StringSid = NULL;
		if (!GetTokenInformation(hToken, TokenUser, ptu, dwSize, &dwSize))
		{
			LocalFree((HLOCAL)ptu);
			return FALSE;
		}
		if (ConvertSidToStringSidW(ptu->User.Sid, &StringSid))
		{
			pCSToken->pwsUSERSID = StringSid;

			//LocalFree((HLOCAL)StringSid);
			LocalFree((HLOCAL)ptu);
			return TRUE;
		}
		else {
			wprintf(L"[-] Failed to resolve SID to string.\n");
			return FALSE;
		}
		LocalFree((HLOCAL)ptu);
	}
	return FALSE;
}


void ExtractTokenInformation(HANDLE hToken) {
	BOOL result;
	PCSTOKEN pCSToken = new CSTOKEN;
	// Get UserSID
	result = printTokenUserSid(hToken, pCSToken);
	if (!result) wprintf(L" [-]... failed to get Token SID\n");
	else wprintf(L" [+] UserSID: %s\n", pCSToken->pwsUSERSID);
	// GET TokenType
	result = printTokenType(hToken, pCSToken);
	if (!result) wprintf(L" [-]... failed to get Token Type\n");
	else wprintf(L" [+] TokenType: %s\n", pCSToken->pwsTokenType);
	if (pCSToken->TokenType == TokenImpersonation) {
		// GET TokenImpersonationLevel
		result = printTokenImpersonationLeven(hToken, pCSToken);
		if (!result) wprintf(L" [-]... failed to get Token Type\n");
		else wprintf(L" [+] ImpersonationLevel: %s\n", pCSToken->pwsTokenImpersonationLevel);
	}

	if (pCSToken->pwsUSERSID)
	{
		LocalFree((HLOCAL)pCSToken->pwsUSERSID);
	}
}

void setWindowAccess() {
	DWORD error;
	wprintf(L"[*] Gettinng current process Window...");
	HWINSTA hWinSta = GetProcessWindowStation();
	if (hWinSta) {
		wprintf(L"Success.\n");
		wprintf(L"[*] Setting Security of current Proccess Window...");
		error = SetSecurityInfo(hWinSta,
			SE_WINDOW_OBJECT,
			DACL_SECURITY_INFORMATION,
			NULL,	// don't set the ownerSID
			NULL,	// don't set the primary GROUP
			NULL,	// DACL pointer, NULL=> full access to everyone
			NULL	// no setting SACL
		);
		if (error == ERROR_SUCCESS) wprintf(L"Success.\n");
		else wprintf(L"Error: %d.\n", error);
	}
	else wprintf(L"Error: %d.\n", GetLastError());
}

void setDesktopAccess() {
	DWORD error;
	wprintf(L"[*] Getting current Desktop..");
	HDESK hDesk = GetThreadDesktop(GetCurrentThreadId());
	if (hDesk) {
		wprintf(L"Success\n");
		wprintf(L"[*] Setting Security of current Desktop...");
		error = SetSecurityInfo(
			hDesk,
			SE_WINDOW_OBJECT,
			DACL_SECURITY_INFORMATION,
			NULL,	// don't set the ownerSID
			NULL,	// don't set the primary GROUP
			NULL,	// DACL pointer, NULL=> full access to everyone
			NULL	// no setting SACL
		);
		if (error == ERROR_SUCCESS) wprintf(L"Success\n");
		else wprintf(L"Error: %d\n", error);
	}
	else wprintf(L"Error: %d\n", GetLastError());
}

BOOL execCommand(HANDLE hDuppedToken, LPCWSTR command) {
	// -- Execute Process
	BOOL bSuccess;
	PROCESS_INFORMATION pi;
	STARTUPINFOW si;
	//SECURITY_ATTRIBUTES sa;
	ZeroMemory(&si, sizeof(STARTUPINFO));
	ZeroMemory(&pi, sizeof(PROCESS_INFORMATION));
	//memset(&pi, 0x00, sizeof(PROCESS_INFORMATION));
	si.cb = sizeof(STARTUPINFO);
	wprintf(L"[*] Trying to launch '%s' with CreateProcessWithTokenW ... ", command);
	/*
	创建新进程及其主线程。 新进程在指定令牌的安全上下文中运行。 它可以选择性地加载指定用户的用户配置文件。

    调用 CreateProcessWithTokenW 的进程必须具有SE_IMPERSONATE_NAME特权。
	如果此函数失败并出现 ERROR_PRIVILEGE_NOT_HELD (1314) ,请改用 CreateProcessAsUser 或 CreateProcessWithLogonW 函数。
	通常,调用的进程CreateProcessAsUser 必须具有SE_INCREASE_QUOTA_NAME特权,并且如果令牌不可分配,
	则可能需要SE_ASSIGNPRIMARYTOKEN_NAME特权。 CreateProcessWithLogonW 不需要特殊权限,但必须允许指定的用户帐户以交互方式登录。 
	通常,最好使用 CreateProcessWithLogonW 创建具有备用凭据的进程。
	*/
	bSuccess = CreateProcessWithTokenW(
		hDuppedToken,
		0,
		command,
		NULL,
		CREATE_NEW_CONSOLE,
		NULL,
		NULL,
		&si,
		&pi
	);
	if (!bSuccess) {
		wprintf(L"failed (Error: %d).\n", GetLastError());
	}
	else wprintf(L"Success.\n");
	return bSuccess;
}

BOOL execImpersonatedWindowCommand(HANDLE hPort, ALPC_MESSAGE pmReceived, LPCWSTR command) {
	BOOL bSuccess;
	HANDLE hToken, hDuppedToken;
	//HANDLE hDuppedToken = INVALID_HANDLE_VALUE;

	wprintf(L"[*] Trying to impersonate client...");
	NTSTATUS lSuccess = NtAlpcImpersonateClientOfPort(
		hPort, // client connection port
		(PPORT_MESSAGE)&pmReceived,//&PortMessage,	// the port messages
		NULL			// reserved
	);
	if (NT_SUCCESS(lSuccess)) {
		wprintf(L"Success.\n");
		wprintf(L"[*] Trying to open Thread token...");
		bSuccess = OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, FALSE, &hToken);
		if (bSuccess) {
			wprintf(L"Success.\n");
			ExtractTokenInformation(hToken);

			// Duplicate Token
			wprintf(L"[*] Trying to duplicate impersonated token...");
			bSuccess = DuplicateTokenEx(hToken,
				TOKEN_ALL_ACCESS,
				NULL,
				SecurityImpersonation,
				TokenPrimary,
				&hDuppedToken);
			if (bSuccess) wprintf(L"Success!\n");
			else wprintf(L"Error: %d.\n", GetLastError());
			ExtractTokenInformation(hDuppedToken);

			// -- Revert back to original thread identity 
			wprintf(L"Reverting back to self...");
			bSuccess = RevertToSelf();
			if (!bSuccess)
			{
				wprintf(L"Failed to revert back from RPC client impersonation to server identity. Error 0x%x.\n", GetLastError());
			}
			else printf("Success.\n");

			bSuccess = execCommand(hDuppedToken, command);
			// Close Handles
			CloseHandle(hToken);
			CloseHandle(hDuppedToken);
		}
		else {
			wprintf(L"Error: %d\n", GetLastError());
			bSuccess = false;
		}
	}
	else if (lSuccess == STATUS_ACCESS_DENIED) {
		wprintf(L"Access Denied! (Error: 0x%X) Maybe the ALPC_PORTFLG_AllowImpersonation was not set?\n", lSuccess);
		bSuccess = false;
	}
	else {
		wprintf(L"Error: 0x%X\n", lSuccess);
		bSuccess = false;
	}
	return bSuccess;
}
//++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

ALPC_MESSAGE_TYPE get_message_type(ULONG ulType) {
	ULONG ulConverted = ulType & 0xFF;
	return ALPC_MESSAGE_TYPE(ulConverted);
}

LPCWSTR message_type_to_sz(ULONG ulType) {
	ALPC_MESSAGE_TYPE mType = get_message_type(ulType);
	switch (mType)
	{
	case None:   return L"None";
	case Request:   return L"Request";
	case Reply: return L"Reply";
	case Datagram: return L"Datagram";
	case LostReply: return L"LostReply";
	case PortClosed: return L"PortClosed";
	case ClientDied: return L"ClientDied";
	case Exception: return L"Exception";
	case DebugEvent: return L"DebugEvent";
	case ErrorEvent: return L"ErrorEvent";
	case ConnectionRequest: return L"ConnectionRequest";
	case ConnectionReply: return L"ConnectionReply";
	case UNKNOWN12: return L"UNKNOWN12";
	case PortDisconnected: return L"PortDisconnected";
	default:      return L"Unknown";
	}
}

VOID print_port_message(ALPC_MESSAGE portMessage) {
	for (int i = 0; i <= portMessage.PortHeader.u1.s1.DataLength; i++) {
		BYTE* pbyReadPointer = (BYTE*)portMessage.PortMessage + i;
		BYTE byRead = *pbyReadPointer;
		printf("%c", byRead);
	}
	wprintf(L"\n");
}

VOID print_clientSID_from_alpc_message(HANDLE hConnectionPort, PPORT_MESSAGE pPortMessage) {
	NTSTATUS lSuccess;
	LPVOID pAlloced;
	SIZE_T ulRequiredSize;
	SIZE_T ulAllocedSize = 0x1c;
	// Allow memory for SID
	pAlloced = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, ulAllocedSize);

	lSuccess = NtAlpcQueryInformationMessage(
		hConnectionPort,
		pPortMessage,
		ALPC_MESSAGE_INFORMATION_CLASS::AlpcMessageSidInformation,
		pAlloced,
		ulAllocedSize,
		&ulRequiredSize
	);
	if (NT_SUCCESS(lSuccess)) {
		PSID pSID = (PSID)pAlloced;
		LPWSTR szSID;
		ConvertSidToStringSidW(
			pSID,
			&szSID
		);
		wprintf(L"%s\n", szSID);
	}
}

NTSTATUS impersonate_client(HANDLE hPort, ALPC_MESSAGE pmReceived) {
	BOOL bSuccess;

	// usually not needed for local impersonation
	/*setWindowAccess();
	setDesktopAccess();*/

	wchar_t command[] = L"C:\\Windows\\System32\\cmd.exe";
	bSuccess = execImpersonatedWindowCommand(hPort, pmReceived, command);
	return bSuccess;
}

VOID add_request_message(PALPC_MESSAGE pMessage, LPCSTR messageContent) {
	 Add a message
	//LPVOID lpPortMessage = &(pMessage.PortMessage);
	int lMsgLen = wcslen(messageContent);
	//char msg[100] = "Hello Client";
	//int lMsgLen = strlen(msg);

	//memmove(lpPortMessage, msg, lMsgLen);
	//pMessage.PortHeader.u1.s1.DataLength = lMsgLen;
	//pMessage.PortHeader.u1.s1.TotalLength = sizeof(PORT_MESSAGE) + lMsgLen;
	pMessage.PortHeader.u1.s1.TotalLength = sizeof(pMessage);


	LPVOID lpPortMessage = pMessage->PortMessage;
	//char msg[100] = "Hello Client";
	//int lMsgLen = strlen(msg);
	int lMsgLen = strlen(messageContent);
	memmove(lpPortMessage, messageContent, lMsgLen);
	pMessage->PortHeader.u1.s1.DataLength = lMsgLen;
	pMessage->PortHeader.u1.s1.TotalLength = sizeof(PORT_MESSAGE) + lMsgLen;
}

VOID print_received_alpc_message(ALPC_MESSAGE pmReceived, HANDLE hAlpcPort, BOOL printRequestingSID) {
	TCHAR szProcessName[MAX_PATH] = TEXT("<unknown>");
	HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, (DWORD)pmReceived.PortHeader.ClientId.UniqueProcess);

	//GetProcessImageFileName(hProcess, szProcessName, MAX_PATH);

	// PROCESS CONNECTION
	wprintf(L"[+] Received data!\n\tFom Process PID: %d (Thead TID: %d) [Process: %s]\n\tType: %s\n\tConnectionMessage Length: %d\n",
		pmReceived.PortHeader.ClientId.UniqueProcess,
		pmReceived.PortHeader.ClientId.UniqueThread,
		szProcessName,
		message_type_to_sz(pmReceived.PortHeader.u2.s2.Type),
		pmReceived.PortHeader.u1.s1.DataLength
	);
	if (pmReceived.PortHeader.u1.s1.DataLength > 0) {
		wprintf(L"\tConnecting Message: ");
		print_port_message(pmReceived);
	}
	else { wprintf(L"\n"); }
	if (printRequestingSID) {
		wprintf(L"\tClient SID: ");
		print_clientSID_from_alpc_message(hAlpcPort, (PPORT_MESSAGE)&pmReceived);
	}
}


typedef enum _POOL_TYPE
{
	NonPagedPool,
	PagedPool,
	NonPagedPoolMustSucceed,
	DontUseThisType,
	NonPagedPoolCacheAligned,
	PagedPoolCacheAligned,
	NonPagedPoolCacheAlignedMustS
} POOL_TYPE, * PPOOL_TYPE;

typedef struct _OBJECT_TYPE_INFORMATION
{
	UNICODE_STRING Name;
	ULONG TotalNumberOfObjects;
	ULONG TotalNumberOfHandles;
	ULONG TotalPagedPoolUsage;
	ULONG TotalNonPagedPoolUsage;
	ULONG TotalNamePoolUsage;
	ULONG TotalHandleTableUsage;
	ULONG HighWaterNumberOfObjects;
	ULONG HighWaterNumberOfHandles;
	ULONG HighWaterPagedPoolUsage;
	ULONG HighWaterNonPagedPoolUsage;
	ULONG HighWaterNamePoolUsage;
	ULONG HighWaterHandleTableUsage;
	ULONG InvalidAttributes;
	GENERIC_MAPPING GenericMapping;
	ULONG ValidAccess;
	BOOLEAN SecurityRequired;
	BOOLEAN MaintainHandleCount;
	USHORT MaintainTypeList;
	POOL_TYPE PoolType;
	ULONG PagedPoolUsage;
	ULONG NonPagedPoolUsage;
} OBJECT_TYPE_INFORMATION, * POBJECT_TYPE_INFORMATION;

typedef struct _SYSTEM_HANDLE
{
	ULONG ProcessId;
	BYTE ObjectTypeNumber;
	BYTE Flags;
	USHORT Handle;
	PVOID Object;
	ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE, * PSYSTEM_HANDLE;


typedef struct _SYSTEM_HANDLE_INFORMATION
{
	ULONG HandleCount;
	SYSTEM_HANDLE Handles[1];
} SYSTEM_HANDLE_INFORMATION, * PSYSTEM_HANDLE_INFORMATION;

VOID print_valid_message_attribues(PALPC_MESSAGE_ATTRIBUTES pMsgAttr, BOOL bIsServer = FALSE) {
	int iFoundFlags = 0;
	wprintf(L"[*] Valid Message Attributes:\n");
	if (pMsgAttr->ValidAttributes & ALPC_MESSAGE_TOKEN_ATTRIBUTE) {
		wprintf(L"\tALPC_MESSAGE_TOKEN_ATTRIBUTE\n");
		ALPC_TOKEN_ATTR tokenAttr = *(PALPC_TOKEN_ATTR)AlpcGetMessageAttribute(pMsgAttr, ALPC_MESSAGE_TOKEN_ATTRIBUTE);
		wprintf(L"\t  TokenId: %lu -- AuthenticationId: %lu -- ModifiedId: %lu \n", tokenAttr.TokenId, tokenAttr.AuthenticationId, tokenAttr.ModifiedId);
		iFoundFlags += ALPC_MESSAGE_TOKEN_ATTRIBUTE;
	}
	if (pMsgAttr->ValidAttributes & ALPC_MESSAGE_SECURITY_ATTRIBUTE) {
		wprintf(L"\tALPC_MESSAGE_SECURITY_ATTRIBUTE\n");
		ALPC_SECURITY_ATTR securitAttr = *(PALPC_SECURITY_ATTR)AlpcGetMessageAttribute(pMsgAttr, ALPC_MESSAGE_SECURITY_ATTRIBUTE);
		iFoundFlags += ALPC_MESSAGE_SECURITY_ATTRIBUTE;
	}
	if (pMsgAttr->ValidAttributes & ALPC_MESSAGE_CONTEXT_ATTRIBUTE) {
		wprintf(L"\tALPC_MESSAGE_CONTEXT_ATTRIBUTE\n");
		if(  bIsServer ){
			ALPC_CONTEXT_ATTR contextAttr = *(PALPC_CONTEXT_ATTR)AlpcGetMessageAttribute(pMsgAttr, ALPC_MESSAGE_CONTEXT_ATTRIBUTE);
			CS_PORT_CONTEXT csPortContext = *(PCS_PORT_CONTEXT)contextAttr.PortContext;
			wprintf(L"\t  Caller ID: %d\n", csPortContext.ID);
		}
		iFoundFlags += ALPC_MESSAGE_CONTEXT_ATTRIBUTE;
	}
	if (pMsgAttr->ValidAttributes & ALPC_MESSAGE_VIEW_ATTRIBUTE) {
		wprintf(L"\tALPC_MESSAGE_VIEW_ATTRIBUTE\n");
		ALPC_DATA_VIEW_ATTR viewAttr = *(PALPC_DATA_VIEW_ATTR)AlpcGetMessageAttribute(pMsgAttr, ALPC_MESSAGE_VIEW_ATTRIBUTE);
		wprintf(L"\t ViewSize: %d\n", viewAttr.ViewSize);
		iFoundFlags += ALPC_MESSAGE_VIEW_ATTRIBUTE;
	}
	if (pMsgAttr->ValidAttributes & ALPC_MESSAGE_HANDLE_ATTRIBUTE) {
		wprintf(L"\tALPC_MESSAGE_HANDLE_ATTRIBUTE\n");
		ALPC_HANDLE_ATTR handleAttr = *(PALPC_HANDLE_ATTR)AlpcGetMessageAttribute(pMsgAttr, ALPC_MESSAGE_HANDLE_ATTRIBUTE);
		// We could Query the object type like this, code snippet taken from: https://github.com/SinaKarvandi/Process-Magics/blob/master/EnumAllHandles/EnumAllHandles/EnumAllHandles.cpp
		//POBJECT_TYPE_INFORMATION OBJECT_TYPE;
		//ULONG GuessSize = 256;
		//ULONG ulRequiredSize;
		 Allocate Memory
		//OBJECT_TYPE = (POBJECT_TYPE_INFORMATION)VirtualAlloc(NULL, (SIZE_T)GuessSize, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
		//NTSTATUS lSuccess = NtQueryObject(handleAttr.Handle, ObjectTypeInformation, OBJECT_TYPE, GuessSize, &ulRequiredSize);
		// We could read the file like this
		//LPVOID lpAllocTest = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, 100);
		//BOOL success = ReadFile(handleAttr.Handle, lpAllocTest, 10, NULL, NULL);
		
		iFoundFlags += ALPC_MESSAGE_HANDLE_ATTRIBUTE;
	}
	if (pMsgAttr->ValidAttributes & ALPC_MESSAGE_DIRECT_ATTRIBUTE) {
		wprintf(L"\tALPC_MESSAGE_DIRECT_ATTRIBUTE\n");
		iFoundFlags += ALPC_MESSAGE_DIRECT_ATTRIBUTE;
	}
	if (pMsgAttr->ValidAttributes & ALPC_MESSAGE_WORK_ON_BEHALF_ATTRIBUTE) {
		wprintf(L"\tALPC_MESSAGE_WORK_ON_BEHALF_ATTRIBUTE\n");
		iFoundFlags += ALPC_MESSAGE_WORK_ON_BEHALF_ATTRIBUTE;
	}
	if (iFoundFlags != pMsgAttr->ValidAttributes) {
		wprintf(L"\t 0x%X Unkwon Message Attribute(s)\n", pMsgAttr->ValidAttributes - iFoundFlags);
	}
}

VOID print_port_flags(ULONG ulPortAttributeFlags) {
	int iFoundFlags = 0;
	wprintf(L"[*] Valid Message Attributes: ");
	if (ALPC_PORTFLG_LPCPORT & ulPortAttributeFlags) {
		wprintf(L"ALPC_PORTFLG_LPCPORT  | ");
		iFoundFlags += ALPC_PORTFLG_LPCPORT;
	}
	if (ALPC_PORTFLG_ALLOWIMPERSONATION & ulPortAttributeFlags) {
		wprintf(L"ALPC_PORTFLG_ALLOWIMPERSONATION | ");
		iFoundFlags += ALPC_PORTFLG_ALLOWIMPERSONATION;
	}
	if (ALPC_PORTFLG_ALLOW_LPC_REQUESTS & ulPortAttributeFlags) {
		wprintf(L"ALPC_PORTFLG_ALLOW_LPC_REQUESTS | ");
		iFoundFlags += ALPC_PORTFLG_ALLOW_LPC_REQUESTS;
	}
	if (ALPC_PORTFLG_WAITABLE_PORT & ulPortAttributeFlags) {
		wprintf(L"ALPC_PORTFLG_WAITABLE_PORT | ");
		iFoundFlags += ALPC_PORTFLG_WAITABLE_PORT;
	}
	if (ALPC_PORTFLG_SYSTEM_PROCESS & ulPortAttributeFlags) {
		wprintf(L"ALPC_PORTFLG_SYSTEM_PROCESS | ");
		iFoundFlags += ALPC_PORTFLG_SYSTEM_PROCESS;
	}
	if (ALPC_PORTFLG_ALLOW_DUP_OBJECT & ulPortAttributeFlags) {
		wprintf(L"ALPC_PORTFLG_ALLOW_DUP_OBJECT | ");
		iFoundFlags += ALPC_PORTFLG_ALLOW_DUP_OBJECT;
	}
	if (ALPC_PORTFLG_LRPC_WAKE_POLICY1 & ulPortAttributeFlags) {
		wprintf(L"ALPC_PORTFLG_LRPC_WAKE_POLICY1 | ");
		iFoundFlags += ALPC_PORTFLG_LRPC_WAKE_POLICY1;
	}
	if (ALPC_PORTFLG_LRPC_WAKE_POLICY2 & ulPortAttributeFlags) {
		wprintf(L"ALPC_PORTFLG_LRPC_WAKE_POLICY2 | ");
		iFoundFlags += ALPC_PORTFLG_LRPC_WAKE_POLICY2;
	}
	if (ALPC_PORTFLG_LRPC_WAKE_POLICY3 & ulPortAttributeFlags) {
		wprintf(L"ALPC_PORTFLG_LRPC_WAKE_POLICY3 | ");
		iFoundFlags += ALPC_PORTFLG_LRPC_WAKE_POLICY3;
	}
	if (ALPC_PORTFLG_DIRECT_MESSAGE & ulPortAttributeFlags) {
		wprintf(L"ALPC_PORTFLG_DIRECT_MESSAGE | ");
		iFoundFlags += ALPC_PORTFLG_DIRECT_MESSAGE;
	}
	
	if (iFoundFlags != ulPortAttributeFlags) {
		wprintf(L"\n[!]\t 0x%X unkwon Port Flag(s)\n", ulPortAttributeFlags - iFoundFlags);
	}
	else {
		wprintf(L"\n");
	}
}

BOOL accept_connection_request() {
	//
	// ACCEPT OR DENY DECISION
	//
	NTSTATUS lSuccess;
	BOOL bAutoAcceptConnection = TRUE;
	BOOL bAcceptConnection;

	if (!bAutoAcceptConnection) {
		wprintf(L"[.] Do you want to accept the connection? [Y]: ");
		WCHAR wcAcceptConnection[2];

		//std::wcin.getline(wcAcceptConnection, 2);

		if (wcscmp(wcAcceptConnection, L"Y") == 0 || wcscmp(wcAcceptConnection, L"y") == 0) {
			bAcceptConnection = TRUE;
		}
		else {
			bAcceptConnection = FALSE;
		};
	}
	else { bAcceptConnection = TRUE; }

	return bAcceptConnection;
}

PSECURITY_DESCRIPTOR create_sd_from_string(LPCWSTR szDACL) {
	PSECURITY_DESCRIPTOR pSD;
	ULONG ulSDSize = 0;
	BOOL success = ConvertStringSecurityDescriptorToSecurityDescriptorW(
		szDACL,
		SDDL_REVISION_1,
		&pSD,
		&ulSDSize
	);
	return pSD;
}

PALPC_MESSAGE_ATTRIBUTES alloc_message_attribute(ULONG ulAttributeFlags) {
	NTSTATUS lSuccess;
	PALPC_MESSAGE_ATTRIBUTES pAttributeBuffer;
	LPVOID lpBuffer;
	SIZE_T lpReqBufSize;
	SIZE_T ulAllocBufSize;

	ulAllocBufSize = AlpcGetHeaderSize(ulAttributeFlags); // this calculates: sizeof(ALPC_MESSAGE_ATTRIBUTES) + size of attribute structures
	lpBuffer = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, ulAllocBufSize);
	if (GetLastError() != 0) {
		wprintf(L"[-] Failed to allocate memory for ALPC Message attributes.\n");
		return NULL;
	}
	pAttributeBuffer = (PALPC_MESSAGE_ATTRIBUTES)lpBuffer;
	//wprintf(L"[*] Initializing ReceiveMessage Attributes (0x%X)...", ulAttributeFlags);
	lSuccess = AlpcInitializeMessageAttribute(
		ulAttributeFlags,	// attributes
		pAttributeBuffer,	// pointer to attributes structure
		ulAllocBufSize,	// buffer size
		&lpReqBufSize
	);
	if (!NT_SUCCESS(lSuccess)) {
		//wprintf(L"Error: 0x%X\n", lSuccess);
		//pAttributeBuffer->ValidAttributes = ulAttributeFlags;
		return NULL;
	}
	else {
		//wprintf(L"Success.\n");
		return pAttributeBuffer;
	}
}

PALPC_MESSAGE_ATTRIBUTES setup_sample_message_attributes(HANDLE hAlpcPort, HANDLE hSection, ULONG ulMessageAttributes) {
	NTSTATUS lSuccess;
	INT iNextMsgAttrBufferOffset;
	SIZE_T ulReqBufSize;
	SIZE_T ulMessageAttributeBufSize = AlpcGetHeaderSize(ulMessageAttributes);
	LPVOID lpAllocTest = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, ulMessageAttributeBufSize); // NOTE: This buffer is never freed... for this sample i just don't care for this
	PALPC_MESSAGE_ATTRIBUTES pMsgAttrSend = (PALPC_MESSAGE_ATTRIBUTES)lpAllocTest;

	lSuccess = AlpcInitializeMessageAttribute(
		ulMessageAttributes,			// the MessageAttribute 
		pMsgAttrSend,				// pointer to allocated buffer that is used to holf attributes structures
		ulMessageAttributeBufSize,	// buffer that has been allocated
		&ulReqBufSize				// the size that would be needed (in case of the buffer allocated was too small)
	);
	if (!NT_SUCCESS(lSuccess)) {
		wprintf(L"Error calling AlpcInitializeMessageAttribute: 0x%X\n", lSuccess);
	}
	iNextMsgAttrBufferOffset = 8; // 4 bytes allocated attributes + 4 bytes valid attributes
	
	if (ulMessageAttributes & ALPC_MESSAGE_SECURITY_ATTRIBUTE) {
		// ALPC_MESSAGE_SECURITY_ATTRIBUTE
		SECURITY_QUALITY_OF_SERVICE SecurityQos;
		ALPC_SECURITY_ATTR securityAttr;
		RtlZeroMemory(&securityAttr, sizeof(securityAttr));
		SecurityQos.ImpersonationLevel = SecurityImpersonation; // SecurityIdentification;
		SecurityQos.ContextTrackingMode = SECURITY_STATIC_TRACKING;
		SecurityQos.EffectiveOnly = 0;
		SecurityQos.Length = sizeof(SecurityQos);
		securityAttr.pQOS = &SecurityQos;
		securityAttr.Flags = 0; // 0x10000;
		lSuccess = NtAlpcCreateSecurityContext(hAlpcPort, 0, &securityAttr);
		if (!NT_SUCCESS(lSuccess)) {
			wprintf(L"[-] Error creating security context: 0x%X\n", lSuccess);
		}
		else {
			memmove((PBYTE)pMsgAttrSend + iNextMsgAttrBufferOffset, &securityAttr, sizeof(securityAttr));
			iNextMsgAttrBufferOffset += sizeof(securityAttr);
		}
		//RtlSecureZeroMemory(&securityAttr, sizeof(securityAttr));
		/*securityAttr.ContextHandle = &securityContext;
		securityAttr.Flags = 0;
		securityAttr.pQOS = &SecurityQos;*/
	}
	if (ulMessageAttributes & ALPC_MESSAGE_VIEW_ATTRIBUTE) {
		// ALPC_MESSAGE_VIEW_ATTRIBUTE
		ALPC_DATA_VIEW_ATTR viewAttr;
		viewAttr.Flags = 0;	//unknown
		viewAttr.SectionHandle = hSection;
		viewAttr.ViewBase = 0;
		viewAttr.ViewSize = 20*1024;//50;//sizeof(PORT_VIEW);
		lSuccess = NtAlpcCreateSectionView(
			hAlpcPort, //_In_ HANDLE PortHandle,
			0, // _Reserved_ ULONG Flags,
			&viewAttr //_Inout_ PALPC_DATA_VIEW_ATTR ViewAttributes
		);
		if (!NT_SUCCESS(lSuccess)) {
			wprintf(L"[-] Error creating SectionView: 0x%X\n", lSuccess);
		}
		else {
			// Fill section with some sample junk
			RtlFillMemory(viewAttr.ViewBase, 0x41, 50);
			// place ALPC_MESSAGE_VIEW_ATTRIBUTE structure
			memmove((PBYTE)pMsgAttrSend + iNextMsgAttrBufferOffset, &viewAttr, sizeof(viewAttr));
		};
		iNextMsgAttrBufferOffset += sizeof(viewAttr);
	}
	
	if (ulMessageAttributes & ALPC_MESSAGE_HANDLE_ATTRIBUTE) {
		// ALPC_MESSAGE_HANDLE_ATTRIBUTE
		HANDLE hFile = CreateFileW(L"C:\\Users\\Public\\testfile.txt", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
		ALPC_HANDLE_ATTR handleAttr;
		handleAttr.Handle = hFile;
		handleAttr.ObjectType = 0;
		handleAttr.Flags = 0;
		handleAttr.DesiredAccess = GENERIC_READ;
		memmove((PBYTE)pMsgAttrSend + iNextMsgAttrBufferOffset, &handleAttr, sizeof(handleAttr));
		iNextMsgAttrBufferOffset += sizeof(handleAttr);
	}
	
	if (ulMessageAttributes & ALPC_MESSAGE_HANDLE_ATTRIBUTE) {
		// ALPC_MESSAGE_DIRECT_ATTRIBUTE
		/// not yet implemented
	}

	if (ulMessageAttributes & ALPC_MESSAGE_WORK_ON_BEHALF_ATTRIBUTE) {
		//ALPC_MESSAGE_WORK_ON_BEHALF_ATTRIBUTE
		/// not yet implemented
	}

	return pMsgAttrSend;
}

文件CPP-ALPC-Basic-Client.cpp

//#include <winnt.h>
//#include <sddl.h>

#include "..\ALPC-Utils\ALPC.h"
#include "..\ALPC-Utils\CommonALPC.cpp"

const long MAX_MESSAGE_SIZE = 0x100;

int main() {
	HANDLE hSrvCommPort;
	NTSTATUS lSuccess;
	CLIENT_ID clientID;
	ALPC_MESSAGE pmReceived;
	ALPC_MESSAGE pmSend;
	SIZE_T ulSendSize;
	SIZE_T ulReceivedSize;
	SECURITY_QUALITY_OF_SERVICE SecurityQos;
	ALPC_PORT_ATTRIBUTES PortAttributes;
	PALPC_MESSAGE_ATTRIBUTES pMsgAttrSend;
	PALPC_MESSAGE_ATTRIBUTES pMsgAttrReceived;
	ALPC_MESSAGE_ATTRIBUTES inMsgAttr;
	UNICODE_STRING usPortName;
	LPCWSTR pwsPortName = L"\\RPC Control\\CSALPCPort"; // the name of the ALPC port we're attempting to connect to 
	PSID pSID = NULL;
	BOOL bVerifyServerSID = FALSE;

	//
	// INITIALIZAITONS
	//
	DWORD dwPID = GetCurrentProcessId();
	DWORD dwTID = GetCurrentThreadId();
	clientID.UniqueProcess = &dwPID;
	clientID.UniqueThread = &dwTID;
	// Received Message attributes.. I'm fine with getting all of them
	pMsgAttrReceived = alloc_message_attribute(ALPC_MESSAGE_ATTRIBUTE_ALL);

	// QOS
	SecurityQos.ImpersonationLevel = SecurityImpersonation; // SecurityIdentification; // ;
	SecurityQos.ContextTrackingMode = SECURITY_STATIC_TRACKING;
	SecurityQos.EffectiveOnly = 0;
	SecurityQos.Length = sizeof(SecurityQos);
	// ALPC Port Attributs
	PortAttributes.Flags = ALPC_PORTFLG_ALLOW_DUP_OBJECT | ALPC_PORTFLG_ALLOWIMPERSONATION | ALPC_PORTFLG_LRPC_WAKE_POLICY1 | ALPC_PORTFLG_LRPC_WAKE_POLICY2 | ALPC_PORTFLG_LRPC_WAKE_POLICY3; // | ALPC_PORTFLG_DIRECT_MESSAGE;
	PortAttributes.MaxMessageLength = sizeof(ALPC_MESSAGE); // technically the hard limit for this is 65535, if no constrains you can use AlpcMaxAllowedMessageLength() to set this limit
	PortAttributes.MemoryBandwidth = 512;
	PortAttributes.MaxSectionSize = 0xffffffff; // 20000; 
	PortAttributes.MaxViewSize = 0xffffffff; // 20000; // sizeof(PORT_VIEW); 
	PortAttributes.MaxTotalSectionSize = 0xffffffff;// 20000;
	PortAttributes.DupObjectTypes = 0xffffffff;
	PortAttributes.MaxPoolUsage = 0xffffffff; // 0x4000;
	PortAttributes.SecurityQos = SecurityQos;

	wprintf(L"[*] Starting Client. PID: %d | TID: %d\n", dwPID, dwTID);

	RtlInitUnicodeString(&usPortName, pwsPortName);	// Initialize Unicode String
	//
	// CONNECT TO SERVER PORT
	//
	RtlSecureZeroMemory(&pmSend, sizeof(pmSend));
	add_request_message(&pmSend, "Hello Server");
	ulSendSize = sizeof(pmSend);
	// OPTIONALLY: Verify SID 
	if (bVerifyServerSID) {
		ConvertStringSidToSid(L"S-1-5-21-258271829-1673813934-3670761721-1000", &pSID);
	}
	wprintf(L"[*] Connecting to port '%s'...", pwsPortName);
	
	/*LARGE_INTEGER timeout;
	timeout.QuadPart = 10000000;*/
	lSuccess = NtAlpcConnectPort(
		&hSrvCommPort,				// REQUIRED: empty Communication port handle, fill be set by kernel
		&usPortName,				// REQUIRED: Server Connect port name to connect to
		NULL,						// OPTIONAL: Object Attributes, none in this case
		&PortAttributes,			// OPTIONAL: PortAtrributes, used to set various port connection attributes, most imporatnly port flags
		ALPC_SYNC_CONNECTION,		// OPTOONAL: Message Flags, no Flags
		pSID,						// OPTIONAL: Server SID
		(PPORT_MESSAGE)&pmSend,		// connection message
		&ulSendSize,				// connection message size
		NULL,//pMsgAttrSend,		// out messages attribtus
		pMsgAttrReceived,			// in message attributes
		0 //&timeout				// OPTIONAL: Timeout, none in this case
	);
	if (lSuccess == STATUS_PORT_CONNECTION_REFUSED) {
		wprintf(L"\n[*] The Server denied the connection request.\n");
		return 0;
	}
	else if (lSuccess == STATUS_SERVER_SID_MISMATCH) {
		wprintf(L"\n[*] The specified Server SID does not match with the Server. Connected to the wrong server?.\n");
		return 0;
	}
	else if (!NT_SUCCESS(lSuccess)) {
		wprintf(L"Error: 0x%X\n", lSuccess);
		return 1;
	}
	else wprintf(L"Success.\n");
	print_received_alpc_message(pmSend, NULL, false);
	print_valid_message_attribues(pMsgAttrReceived);

	// Impersonation Attempt
	/*lSuccess = impersonate_client(hSrvCommPort, pmSend);
	if (!NT_SUCCESS(lSuccess)) {
		wprintf(L"[-] Failed to impersonate: 0x%X\n", lSuccess);
	};*/

	//
	// Send Message To Server
	//
	RtlSecureZeroMemory(&pmReceived, sizeof(pmReceived));
	RtlSecureZeroMemory(&pmSend, sizeof(pmSend));
	add_request_message(&pmSend, "Whatzzzzzuuuuuup");

	HANDLE hServerSection;
	SIZE_T nServerSectionSize;
	wprintf(L"[*] Creating Port Section...");
	lSuccess = NtAlpcCreatePortSection(
		hSrvCommPort,		// _In_ HANDLE PortHandle,
		0,					// _In_ flags	// 0x40000 found in rpcrt4.dll
		NULL,				// OPTIONAL SectionHandle,
		1024,				// SectionSize,
		&hServerSection,	// _Out_ HANDLE AlpcSectionHandle,
		&nServerSectionSize // _Out_ ActualSectionSize
	);
	if (!NT_SUCCESS(lSuccess)) {
		wprintf(L"Error: 0x%X\n", lSuccess);
		return 1;
	}
	else wprintf(L"Success, Section created. Size: %d\n", nServerSectionSize);
	pMsgAttrSend = setup_sample_message_attributes(hSrvCommPort, hServerSection, ALPC_MESSAGE_VIEW_ATTRIBUTE); //ALPC_MESSAGE_SECURITY_ATTRIBUTE

	wprintf(L"[*] [PID: %d; TID: %d] Sending Message (len: %d) to Port ....", GetCurrentProcessId(), GetCurrentThreadId(), pmSend.PortHeader.u1.s1.DataLength);
	pMsgAttrSend->ValidAttributes |= ALPC_MESSAGE_VIEW_ATTRIBUTE;  // Mark an attribute as valid
	lSuccess = NtAlpcSendWaitReceivePort(
		hSrvCommPort,				// our port handle
		ALPC_MSGFLG_SYNC_REQUEST,		// message Flags
		(PPORT_MESSAGE)&pmSend,		// sending message
		pMsgAttrSend,				// sending attributes
		(PPORT_MESSAGE)&pmReceived,		// receiving message
		&ulReceivedSize,						// receiving message length
		pMsgAttrReceived,			// receive message attributes
		0							// no timeout
	);
	if (!NT_SUCCESS(lSuccess)) {
		wprintf(L"Error: 0x%X\n", lSuccess);
		return 1;
	}
	else wprintf(L"Success.\n");
	print_received_alpc_message(pmReceived, NULL, false);
	print_valid_message_attribues(pMsgAttrReceived);
			
	//
	// CLOSING Port
	//
	wprintf(L"[*] Closing Port connection...");
	NtAlpcDisconnectPort(hSrvCommPort, 0);
	if (!NT_SUCCESS(lSuccess)) {
		wprintf(L"Error: 0x%X\n", lSuccess);
		return 1;
	}
	else wprintf(L"Success.\n");
	CloseHandle(hSrvCommPort);

	getchar();
	// Finish
	return 0;
}

 文件CPP-ALPC-Basic-Server.cpp

#include<stdio.h>

#include "..\ALPC-Utils\ALPC.h"
#include "..\ALPC-Utils\CommonALPC.cpp"

#pragma comment( lib, "ntdll" )
#pragma comment( lib, "User32" )

int main(){
	//
	// DEFINITIONS
	//
	NTSTATUS lSuccess;
	HANDLE hConnectionPort;
	HANDLE hCommunicationPort;
	UNICODE_STRING usAlpcPortName;
	OBJECT_ATTRIBUTES objAttributes;
	ALPC_PORT_ATTRIBUTES PortAttributes;
	SECURITY_QUALITY_OF_SERVICE SecurityQos;
	ALPC_MESSAGE pmReceived;
	ALPC_MESSAGE pmRequest;
	SIZE_T ulReceivedSize;
	PALPC_MESSAGE_ATTRIBUTES pMsgAttrSend;
	PALPC_MESSAGE_ATTRIBUTES pMsgAttrReceived;
	LPCWSTR pwsPortName = L"\\RPC Control\\CSALPCPort"; // the name of the ALPC port we're creating
	CS_PORT_CONTEXT portContext;
	UUID uuid;
	BOOL bAttemptImpersonation = TRUE;
	//
	// INITIALIZAITONS
	//
	DWORD dwPID = GetCurrentProcessId();
	DWORD dwTID = GetCurrentThreadId();
	// QOS
	//RtlZeroMemory(&SecurityQos, sizeof(SECURITY_QUALITY_OF_SERVICE));
	SecurityQos.ImpersonationLevel = SecurityIdentification; // SecurityImpersonation; // ; // ; // ;// ;
	SecurityQos.ContextTrackingMode = SECURITY_STATIC_TRACKING;
	SecurityQos.EffectiveOnly = 0;
	SecurityQos.Length = sizeof(SecurityQos);
	// ALPC Port Attributs
	PortAttributes.Flags = ALPC_PORTFLG_ALLOW_DUP_OBJECT | ALPC_PORTFLG_ALLOWIMPERSONATION | ALPC_PORTFLG_LRPC_WAKE_POLICY1 | ALPC_PORTFLG_LRPC_WAKE_POLICY2 | ALPC_PORTFLG_LRPC_WAKE_POLICY3; //0xb84a3f0;// ALPC_PORTFLG_ALLOW_DUP_OBJECT | ALPC_PORTFLG_AllowImpersonation | ALPC_PORTFLG_LRPC_WAKE_POLICY1 | ALPC_PORTFLG_LRPC_WAKE_POLICY2 | ALPC_PORTFLG_LRPC_WAKE_POLICY3; // ; //0x8080000;// ALPC_PORFLG_ALLOW_LPC_REQUESTS;// ALPC_PORFLG_ALLOW_LPC_REQUESTS;// | ALPC_PORFLG_SYSTEM_PROCESS;//0x010000 | 0x020000;	// Found '0x3080000' in rpcrt4.dll
	PortAttributes.MaxMessageLength = sizeof(ALPC_MESSAGE); // technically the hard limit for this is 65535, if no constrains you can use AlpcMaxAllowedMessageLength() to set this limit
	PortAttributes.MemoryBandwidth = 512;
	PortAttributes.MaxPoolUsage = 0xffffffff;
	PortAttributes.MaxSectionSize = 0xffffffff; // 20000;  
	PortAttributes.MaxViewSize = 0xffffffff; // 20000; // sizeof(PORT_VIEW); 
	PortAttributes.MaxTotalSectionSize = 0xffffffff; // 20000;
	PortAttributes.DupObjectTypes = 0xffffffff;
	RtlSecureZeroMemory(&SecurityQos, sizeof(SecurityQos));
	PortAttributes.SecurityQos = SecurityQos;
	// Security Descriptopr
	LPCWSTR szDACL = L"D:(A;OICI;GAGW;;;AU)";// Allow full control to authenticated users
	PSECURITY_DESCRIPTOR pSD = create_sd_from_string(szDACL);
	
	// Received Message attributes.. I'm fine with getting all of them
	pMsgAttrReceived = alloc_message_attribute(ALPC_MESSAGE_ATTRIBUTE_ALL);

	wprintf(L"[*] Starting Server. PID: %d | TID: %d\n", dwPID, dwTID);
	
	// 
	// CREATE PORT
	//
	RtlInitUnicodeString(&usAlpcPortName, pwsPortName);	// Initialize Unicode String
	InitializeObjectAttributes(						// set up OBJECT_ATTRIBUTES structure
		&objAttributes,		// the pointer to the OBJECT_ATTRIBUTES structure
		&usAlpcPortName,	// the name the object we want to obtain a handle for
		0,					// no flags, ref.: https://docs.microsoft.com/en-us/windows/win32/api/ntdef/nf-ntdef-initializeobjectattributes
		NULL,				// no root directry handle as our port name is a full qualified path
		NULL//pSD				// security descriptor
	);
	wprintf(L"[*] Creating ALPC Port '%s'...", pwsPortName);
	lSuccess = NtAlpcCreatePort(
		&hConnectionPort,			// the handle to our port name
		&objAttributes,		// the OBJECT_ATTRIBUTES structure we just initialized
		&PortAttributes //0 				// additional port attributes
	);
	if (!NT_SUCCESS(lSuccess)) {
		wprintf(L"Error: 0x%X\n", lSuccess);
		return 1;
	}
	else wprintf(L"Success.\n");
	print_port_flags(PortAttributes.Flags);

	//
	// Create Section - just to play around with sections, not necessarily needed
	//
	HANDLE hServerSection;
	SIZE_T nServerSectionSize;
	wprintf(L"[*] Creating Port Section...");
	lSuccess = NtAlpcCreatePortSection(
		hConnectionPort, //_In_ HANDLE PortHandle,
		0, //_In_ ULONG Flags,	// 0x40000 found in rpcrt4.dll
		NULL, //_In_opt_ HANDLE SectionHandle,
		1000, // _In_ SIZE_T SectionSize,
		&hServerSection, //_Out_ HANDLE AlpcSectionHandle,
		&nServerSectionSize //_Out_ PSIZE_T ActualSectionSize
	);
	if (!NT_SUCCESS(lSuccess)) {
		wprintf(L"Error: 0x%X\n", lSuccess);
		return 1;
	}
	else wprintf(L"Success, Section created. Size: %d\n", nServerSectionSize);
	
	//
	// Setup Message attributes
	//	--> We set these up once, and reuse the buffer while specifing different valid attributes for different messages
	//
	pMsgAttrSend = setup_sample_message_attributes(hConnectionPort, hServerSection, ALPC_MESSAGE_SECURITY_ATTRIBUTE | ALPC_MESSAGE_VIEW_ATTRIBUTE | ALPC_MESSAGE_HANDLE_ATTRIBUTE);
	
	//
	// WAIT FOR INITIAL CONNECTION
	//
	wprintf(L"[*] Wait for incoming connections...");
	RtlSecureZeroMemory(&pmReceived, sizeof(pmReceived));
	lSuccess = NtAlpcSendWaitReceivePort(
		hConnectionPort,
		ALPC_MSGFLG_NONE,			// no flags
		NULL,		// SendMessage_
		NULL,		// SendMessageAttributes
		(PPORT_MESSAGE)&pmReceived,	// ReceiveBuffer
		&ulReceivedSize,		// BufferLength
		pMsgAttrReceived,//&test,		// ReceiveMessageAttributes
		0				// no timeout
	);
	if (!NT_SUCCESS(lSuccess)) {
		wprintf(L"Error: 0x%X.\n", lSuccess);
		return 1;
	}
	else {
		wprintf(L"Success.\n");
	}
	print_received_alpc_message(pmReceived, NULL, false);
	print_valid_message_attribues(pMsgAttrReceived, TRUE);

	
	//
	// ACCEPT OR REJECT MESSAGE
	//
	BOOL bAcceptConnection = accept_connection_request();
	RtlSecureZeroMemory(&pmRequest, sizeof(pmRequest));
	pmRequest.PortHeader.MessageId = pmReceived.PortHeader.MessageId; // Set the messageID from the received client connection to send the message back to the same client
	
	// Create client context so I can identify the client in every call
	portContext.PID = (ULONG)pmReceived.PortHeader.ClientId.UniqueProcess;
	portContext.TID = (ULONG)pmReceived.PortHeader.ClientId.UniqueThread;
	portContext.ID = portContext.PID + portContext.TID; // not a good UUID for production purposes...just as an example, could be anything
	
	pMsgAttrSend->ValidAttributes |= ALPC_MESSAGE_SECURITY_ATTRIBUTE; // ALPC_MESSAGE_HANDLE_ATTRIBUTE; // Mark the an attribute as valid
	if (bAcceptConnection) { 
		wprintf(L"[*] Accepting Incoming Connection...");
		add_request_message(&pmRequest, "I'll accept your connection...");
	}
	else {
		wprintf(L"[*] Denying Incoming Connection...");
		add_request_message(&pmRequest, "Nope, you're not allowed to connect...");
	}
	lSuccess = NtAlpcAcceptConnectPort(
		&hCommunicationPort,		// Communication port handle
		hConnectionPort,			// Connection port handle
		ALPC_SYNC_CONNECTION,		// connection flags
		NULL,						// no object attributs
		&PortAttributes, //0,		// port attributes
		&portContext,				// port context
		(PPORT_MESSAGE)&pmRequest,	// connection request
		pMsgAttrSend,				// connection message attributes
		bAcceptConnection			// accepting the connection
	);
	if (!NT_SUCCESS(lSuccess)) {
		wprintf(L"Error: 0x%X\n", lSuccess);
		return 1;
	}
	else wprintf(L"Done\n");

	//
	// WAIT FOR INCOMING DATA
	//
	RtlSecureZeroMemory(&pmReceived, sizeof(pmReceived));
	RtlSecureZeroMemory(&pmRequest, sizeof(pmRequest));
	wprintf(L"[*] Waiting for incoming data...");
	lSuccess = NtAlpcSendWaitReceivePort(
		hConnectionPort,					// we need to use the connection port
		ALPC_MSGFLG_LPC_MODE,				// message flags
		NULL,//(PPORT_MESSAGE)&pmRequest,	//Sending message
		NULL, //pMsgAttrSend,				// SendMessageAttributes
		(PPORT_MESSAGE)&pmReceived,			// ReceivingMessage
		&ulReceivedSize,					// Receive BufferLength
		pMsgAttrReceived,					// ReceiveMessageAttributes
		0									// no timeout
	);
	if (!NT_SUCCESS(lSuccess)) {
		wprintf(L"[-] Error: 0x%X\n", lSuccess);
		return 1;
	}
	else wprintf(L"Success.\n");
	print_received_alpc_message(pmReceived, hConnectionPort, true);
	print_valid_message_attribues(pMsgAttrReceived, TRUE);

	//
	// ATTEMPT IMPERSONATION 
	//
	if (bAttemptImpersonation) {
		wprintf(L"[*] Trying to impersonate client...\n");
		lSuccess = impersonate_client(hCommunicationPort, pmReceived);
		if (!NT_SUCCESS(lSuccess)) {
			wprintf(L"[-] Error: 0x%X\n", lSuccess);
		}
		else wprintf(L"Done.\n");
	}

	//
	// REPLY TO client 
	//	-- note this could as well have been included in the previous NtAlpcSendWaitReceivePort call, this is just to show case that you could also do something with the message before responding
	//
	add_request_message(&pmRequest, "Data received!");
	pmRequest.PortHeader.MessageId = pmReceived.PortHeader.MessageId;
	pMsgAttrSend->ValidAttributes |= ALPC_MESSAGE_VIEW_ATTRIBUTE; // ALPC_MESSAGE_SECURITY_ATTRIBUTE; // Mark the an attribute as valid
	wprintf(L"[*] Sending data to port");
	lSuccess = NtAlpcSendWaitReceivePort(
		hConnectionPort,		// we need to use the connection port
		ALPC_MSGFLG_REPLY_MESSAGE,			// no flags
		(PPORT_MESSAGE)&pmRequest, //		// SendMessage_
		pMsgAttrSend,		// SendMessageAttributes
		NULL, //(PPORT_MESSAGE)&pmReceived,//ReceiveMessage,  // ReceiveBuffer
		NULL, //&pmReceivedSize,		// Receive BufferLength
		NULL, // pMsgAttrReceived,		// ReceiveMessageAttributes
		0		// no timeout
	);
	if (!NT_SUCCESS(lSuccess)) {
		wprintf(L"[-] Error: 0x%X\n", lSuccess);
		return 1;
	}
	else wprintf(L"Success.\n");

	// We could wait for new data, but this is just a PoC...
	//wprintf(L"Sleeping for 1 seconds..");
	//Sleep(1000);
	//while (TRUE) {

	//	wprintf(L"[*] Wait for incoming connections...");
	//	RtlSecureZeroMemory(&pmReceived, sizeof(pmReceived));
	//	lSuccess = NtAlpcSendWaitReceivePort(
	//		hConnectionPort,
	//		ALPC_MSGFLG_LPC_MODE,			// no flags
	//		NULL,		// SendMessage_
	//		NULL,		// SendMessageAttributes
	//		(PPORT_MESSAGE)&pmReceived,	// ReceiveBuffer
	//		&ulReceivedSize,		// BufferLength
	//		pMsgAttrReceived,//&test,		// ReceiveMessageAttributes
	//		0				// no timeout
	//	);
	//	if (!NT_SUCCESS(lSuccess)) {
	//		wprintf(L"Error: 0x%X.\n", lSuccess);
	//		return 1;
	//	}
	//	else {
	//		wprintf(L"Success.\n");
	//	}
	//	print_received_alpc_message(pmReceived, hConnectionPort, FALSE);
	//	print_valid_message_attribues(pMsgAttrReceived, TRUE);
	//}

	//
	// CLOSING Port
	//
	wprintf(L"[*] Closing Port connection...");
	NtAlpcDisconnectPort(hCommunicationPort, 0);
	NtAlpcDisconnectPort(hConnectionPort, 0);
	if (!NT_SUCCESS(lSuccess)) {
		wprintf(L"Error: 0x%X\n", lSuccess);
	}
	else wprintf(L"Success.\n");
	CloseHandle(hConnectionPort);
	CloseHandle(hCommunicationPort);

	getchar();

	// Finish
	return 0;
}

 

编译运行结果如下图:

pureman_mega
关注
  • 6
    点赞
  • 9
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
windows ALPC简单研究
weixin_43787608的博客
11-26 9086
0x00 本文是对ALPC的简单研究,由于时间有限,还有很多细节没有搞清楚,还有很多疏漏。希望能起到抛砖引玉的作用,能找到高手讨论学习。 ALPC(Advanced/Asynchronous Local Procedure Call),是微软发展出来替代LPC,用于本机RPC的一种C/S模型技术。但是对用户来说,能看到只有RPC概念,很少能看到ALPC。 我们看一个典型的ALPC同步调用堆栈: ...
systeminfo卡死一例分析
u010607621的博客
06-07 1296
Win7 64位OS。设备与打印机窗口的进度条持续不能走完,此时打开设备管理器也依然卡住,systeminfo.exe程序也会卡住。此故障现象偶现难以复现。鉴于另外两个进程的线程太多了,就优先从systeminfo进程入手研究。 给systeminfo进程下dmp,用windbg打开dmp,先查看每个线程的栈回溯: 姑且猜测是0号线程,在等待应答,进而整个进程卡住。0号线程最后调用的是NtAlpcSendWaitReceivePort。这个api类似于网络socket的send和recv一体。它的声明如下:
Windows ALPC漏洞复现
skyh的博客
06-10 2182
ALPC 漏洞复现
Windows核心编程》读书笔记二十五章 未处理异常,向量化异常处理与C++异常
sesiria的博客
12-25 1256
第二十五章  未处理异常,向量化异常处理与C++异常 本章内容 25.1 UnhandledExceptionFilter函数详解 25.2 即时调试 25.3 电子表格示例程序 25.4 向量化异常和继续处理程序 25.5 C++异常与结构化异常的比较 25.6 异常与调试器 前一章讨论的异常过滤函数返回EXCEPTION_CONTINUE_SEARCH会继续向外
通信协议——Http、TCP、UDP
06-29
通信协议——Http、TCP、UDP
理解Windows内核模式与用户模式
热门推荐
06-19 1万+
1、基础 运行 Windows 的计算机中的处理器有两个不同模式:“用户模式”和“内核模式”。根据处理器上运行的代码的类型,处理器在两个模式之间切换。应用程序在用户模式下运行,核心操作系统组件在内核模式下运行。多个驱动程序在内核模式下运行,但某些驱动程序在用户模式下运行。 当启动用户模式的应用程序时,Windows 会为该应用程序创建“进程”。进程为应用程序提供专用的“虚拟地址空间
进程间通信IPC
weixin_44421186的博客
07-16 275
一个进程需要将它的数据发送给另一个进程,发送的数据量在一个字节到几兆字节之间。多个进程想要操作共享数据,一个进程对共享数据的修改,别的进程应该立刻看到。一个进程需要向另一个或一组进程发送消息,通知它(它们)发生了某种事件(如进程终止时要通知父进程)。多个进程之间共享同样的资源。为了作到这一点,需要内核提供锁和同步机制。有些进程希望完全控制另一个进程的执行(如Debug进程),此时控制进程希望能够拦截另一个进程的所有陷入和异常,并能够及时知道它的状态改变。所以使用进程间通信可以根据上面几种情况进行判断。...
进程间通信
pmt123456的博客
02-22 766
参考资料:               http://blog.csdn.net/alexlee1986/article/details/21227417               http://blog.csdn.net/alexlee1986/article/details/21227417                   《UNIX网络编程》卷1、2 进程间通信
alpc-1.0.jar
10-09
该行显示生成的文档是一个版本为1.0的文件,在lpc中,摘要保存在lpc对象中,当文档关闭时已经写入lpc中了,因此,没有关于为什么不能修改库来满足任何时候添加或更改摘要的技术原因
alpc48模板_ACM代码模板.pdf
09-17
"alpc48模板_ACM代码模板.pdf"正是为参赛者提供的一份宝贵的资源,它涵盖了ACM比赛常用的各种算法模板,旨在帮助参赛者更高效地解决问题。 ACM Fighting!这份文档不仅是参赛者的技术指南,也是学习计算几何和算法...
alpc:航空语言语音转换器,用Rust编写
03-06
ALPC从stdin读取数据,因此您可以将文本通过管道传输到APLC echo "hello 123" | alpc 另外,运行alpc将提供输入提示。 特征 转换A..Z为ALPHA..ZULU 将0..9转换为0..NINER 去做 仅将大写字母转换为语音字母。 (要...
C语言实现TCP/IP协议通信和UDP协议通信(代码+报告)
07-27
在IT领域,网络通信是至关重要的组成部分,而C语言因其高效和灵活性,常被用于实现底层的网络协议通信。...在实践中,还可以进一步探索多线程、多进程、异步I/O等高级主题,以适应更复杂的网络应用场景。
谷歌浏览器调用本地dll_如何在Windows ALPC中找到本地提权漏洞(CVE-2018-8440分析)...
weixin_39861627的博客
12-14 690
调试环境: Windows10 + rpc viewer + IDA pro什么是ALPC?ALPC(高级本地过程调用)是一种内部的,未记录的进程间通信工具,由Microsoft Windows NT内核提供,用于在同一台计算机上的进程之间进行轻量级的通信。Windows会在以下情况调用ALPC:1.使用Microsoft RPC API在本地进行通信时,即在同一台机器上的进程之间进行通信2.使用...
所有com结构体大全
如鹿渴慕泉水的专栏
05-05 7361
enum tagTYPEFLAGS { TYPEFLAG_FAPPOBJECT = 1, TYPEFLAG_FCANCREATE = 2, TYPEFLAG_FLICENSED = 4, TYPEFLAG_FPREDECLID = 8, TYPEFLAG_FHIDDEN = 16, TYPEFLAG_FCONTROL = 32, TYPEFLAG_FDUAL = 64, TYPEF...
redistemplate注入为null_Windows不太常见的进程注入学习小记(二)
weixin_39875941的博客
11-25 402
0x00 前前言这个只是我学习的笔记,真正的代码实现都是网上有人已经公开了的,给了参考链接了,这不是我发现的也不是我研究的,这只是我学习的。利用ALPC来实现进程注入0x01前言本地过程调用(LPC,Local Procedure Call,通常也被称为轻量过程调用或者本地进程间通信是一种由Windows NT内核提供的内部进程间通信方式。通过这一方式,同一计算机上的进程可以进行轻量的通...
驱动加载监控
kernweak的博客
05-31 1516
Hook_ZwLoadDriver和HOOK_ZwSetSystemInformation(xp) Hook_ZwLoadDriver( IN PUNICODE_STRING DriverServiceName )//服务名,在注册表 所以要在注册表改驱动ImagePath看驱动路径。 注意通过instrDrv加载驱动不一定看到的是原本加载驱动的文件,是通信方式加载驱动,在ZwLoadD...
KeWaitForSingleObject简析
pureman_mega的博客
12-29 5384
这个函数在进行同步操作时经常会用到,它内部的工作流程是什么样的呢?让我来试着分析分析吧. (以反编译的汇编代码片段为材料)NTSTATUS KeWaitForSingleObject( IN PVOID Object,//分发器对象(dispatcher object),像(event,mutex,semaphore,thread or timer) IN KWAIT_REASON
RPC、COM、ALPC
最新发布
04-16
这些都是不同的进程间通信技术。RPC(Remote Procedure Call)是一种用于分布式计算的通信协议,它允许在不同进程间的数据传输和函数调用。COM(Component Object Model)是一种用于Windows软件开发的技术,它提供了一种标准的、可重用的组件模型,以方便程序员进行开发。ALPC(Advanced Local Procedure Call)是Windows操作系统提供的一种高级进程间通信机制,它提供了更高级别的API,可以支持更丰富的交互方式。
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值