Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

pipetap is a Windows named pipe proxy and analysis tool aimed at reverse engineering and exploiting named-pipe–based IPC, especially where a privileged service exposes a pipe to less‑privileged clients. It focuses on live interception, inspection, and modification of named pipe traffic, and on working around pipe hardening mechanisms such as PID-based client validation.


Architecture & Hooking Model
At its core, pipetap is a proxy that operat...

🔧 Technical Details

API Hooking to Intercept and Modify Named Pipe IPC
Inject a DLL into a Windows process that uses named pipes and hook low-level I/O APIs such as ReadFile and WriteFile (and variants) for pipe handles, using an inline hooking framework like Microsoft Detours. For each call, copy the buffer and metadata, send them to a controller (e.g., via a control pipe), optionally modify them, then invoke the original API. This turns arbitrary named-pipe traffic into an inspectable and editable stream, enabling protocol reverse engineering, triggering edge cases, and exploring attack surfaces such as unsafe deserialization or command injection in privileged services.


Bypassing PID-Based Named Pipe Client Validation via Remote Client Execution
When a named pipe server validates clients by querying the connecting process’s PID and inspecting attributes (code signature, image path, etc.), an external tool’s direct conn...

🤖 Agent Actions

Summary:

  • Expanded windows-local-privilege-escalation/named-pipe-client-impersonation.md with a new “Named Pipe IPC Abuse & MITM (DLL Injection, API Hooking, PID Validation Bypass)” section that distills the pipetap workflow. The section covers inline Detours-based hooking of ReadFile/WriteFile, operating the control channel to edit/drop payloads, leveraging remote client mode to bypass PID-based validation, systematic enumeration/probing via pipelist and the message composer, and the TCP→pipe bridge plus Python SDK for automation/fuzzing.
  • Added operational considerations (latency/deadlocks, partial async support, non-stealthy injection) so readers understand practical limits.
  • Updated the References block to use markdown hyperlinks and include the pipetap blog URL as the new source.

Tests: Not run (documentation-only changes).


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
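The summary above notes that pipetap's remote client mode defeats servers that authorize a client by looking up the connecting PID and inspecting that process. The following is an added example, written for this page and not code from pipetap, SensePost, or the HackTricks repository, showing the server-side design that does not have that weakness: the pipe is created with an explicit DACL so that only an allowed SID can open it, and the client is identified from its impersonation token rather than from a PID. The pipe name, the allowed group (BUILTIN\Administrators) and the one-message echo loop are assumptions chosen for the example; it assumes Windows PowerShell 5.1 on the .NET Framework, where the `NamedPipeServerStream` constructor that accepts a `PipeSecurity` is available (on .NET Core/5+ the equivalent is `NamedPipeServerStreamAcl.Create`).

```powershell
# Added example (not pipetap's or the repository's code).
# Hardened named pipe server: authorization by DACL on the pipe object,
# client identity taken from the impersonation token, never from a PID.
# Assumes Windows PowerShell 5.1 / .NET Framework.

$pipeName     = 'ExampleHardenedPipe'                                       # constructed name
$allowedSid   = [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid  # assumed policy

function New-RestrictedPipeSecurity {
    param([System.Security.Principal.WellKnownSidType]$AllowedSidType)

    $sec = New-Object System.IO.Pipes.PipeSecurity

    # Explicit DACL replaces the default one, so principals without an
    # Allow entry cannot open the pipe at all; no PID lookup is needed.
    $allowed = New-Object System.Security.Principal.SecurityIdentifier($AllowedSidType, $null)
    $sec.AddAccessRule((New-Object System.IO.Pipes.PipeAccessRule(
        $allowed,
        [System.IO.Pipes.PipeAccessRights]::ReadWrite,
        [System.Security.AccessControl.AccessControlType]::Allow)))

    # The account running the server keeps full control of its own object.
    $owner = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    $sec.AddAccessRule((New-Object System.IO.Pipes.PipeAccessRule(
        $owner,
        [System.IO.Pipes.PipeAccessRights]::FullControl,
        [System.Security.AccessControl.AccessControlType]::Allow)))

    return $sec
}

function Start-HardenedPipeServer {
    param(
        [string]$Name,
        [System.IO.Pipes.PipeSecurity]$Security
    )

    $server = New-Object System.IO.Pipes.NamedPipeServerStream(
        $Name,
        [System.IO.Pipes.PipeDirection]::InOut,
        1,                                             # single instance
        [System.IO.Pipes.PipeTransmissionMode]::Message,
        [System.IO.Pipes.PipeOptions]::None,
        4096, 4096,
        $Security)

    try {
        Write-Host "Listening on \\.\pipe\$Name (DACL-restricted)"
        $server.WaitForConnection()

        # Identity comes from the client's token. A PID check would see only
        # the relaying process, which is exactly what the remote-client mode
        # described on this page exploits; the token of a relayed client is
        # still the caller's own.
        $clientUser = $server.GetImpersonationUserName()
        Write-Host "Authorized client (token identity): $clientUser"

        # Minimal request/response so the pipe is exercised end to end.
        $reader = New-Object System.IO.StreamReader($server)
        $writer = New-Object System.IO.StreamWriter($server)
        $writer.AutoFlush = $true
        $request = $reader.ReadLine()
        $writer.WriteLine("ack from server for '$request'")
    }
    finally {
        $server.Dispose()
    }
}

Start-HardenedPipeServer -Name $pipeName -Security (New-RestrictedPipeSecurity -AllowedSidType $allowedSid)
```

Run it from an elevated prompt and connect with any client running as a member of the allowed group; a client in a non-allowed context receives access denied at `CreateFile` time, before any message is parsed, regardless of which process it relays through. The identity string returned by `GetImpersonationUserName` is the right input for an allow-list or for audit logging, since it is derived from the client's token rather than from process attributes that a relaying client can borrow.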

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://sensepost.com/blog/2025/pipetap-a-windows-named-pipe-proxy-tool/

Content Categories: Based on the analysis, this content was categorized under "🪟 Windows Hardening -> Windows Local Privilege Escalation (add a subsection such as "Named Pipe IPC Abuse & MITM (DLL Injection, API Hooking, PID Validation Bypass)")".

Repository Maintenance:

  • MD Files Formatting: 914 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
