GetLsaPidFromNamedPipe

/* Function-pointer types for the three ntdll exports this file resolves at
 * run time with GetProcAddress instead of linking against them. The parameter
 * lists mirror the DDK prototypes of NtOpenFile, NtFsControlFile and NtClose;
 * any mismatch here would silently corrupt the call, so keep them in sync. */
typedef NTSTATUS(NTAPI* NTOPENFILE)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, PIO_STATUS_BLOCK, ULONG, ULONG);
typedef NTSTATUS(NTAPI* NTFSCONTROLFILE)(HANDLE, HANDLE, PIO_APC_ROUTINE, PVOID, PIO_STATUS_BLOCK, ULONG, PVOID, ULONG, PVOID, ULONG);
typedef NTSTATUS(NTAPI* NTCLOSE)(HANDLE);

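/*
 * MpfGetLsaPidFromNamedPipe - resolve the process id of the server side of
 * the \Device\NamedPipe\lsass pipe (normally lsass.exe) without enumerating
 * processes.
 *
 * The pipe is opened with FILE_READ_ATTRIBUTES only and queried with
 * FSCTL_PIPE_GET_PIPE_ATTRIBUTE for the "ServerProcessId" attribute, which
 * the named-pipe file system answers with the server's process id. The NT
 * native calls are resolved from the already-mapped ntdll.dll, so the
 * function has no import-table entry for them.
 *
 * Returns the server's process id, or 0 on any failure: ntdll exports not
 * found, NtOpenFile/NtFsControlFile returned an error, or the FSCTL did not
 * fill the whole output DWORD. Process id 0 can never be the pipe server, so
 * it is a safe out-of-band failure value. (The previous revision returned
 * (DWORD)-1 for lookup failures but 0 for NT failures, so callers could not
 * test for failure with a single comparison.)
 *
 * Defender's note: the observable footprint of this technique is a handle
 * open on \Device\NamedPipe\lsass followed by this FSCTL from a process that
 * is not an LSA client; object-access auditing or kernel handle callbacks on
 * that pipe object will see it.
 */
DWORD MpfGetLsaPidFromNamedPipe(VOID)
{
	/* NUL-terminated attribute name; sizeof includes the terminator, which
	 * is the length NPFS expects for this FSCTL's input buffer. */
	static const char AttributeName[] = "ServerProcessId";
	UNICODE_STRING Pipe = { 0 };
	OBJECT_ATTRIBUTES Attributes = { 0 };
	IO_STATUS_BLOCK IoBlock = { 0 };
	NTOPENFILE NtOpenFile = NULL;
	NTFSCONTROLFILE NtfsControlFile = NULL;
	NTCLOSE NtClose = NULL;
	HMODULE hModule = NULL;
	/* NULL rather than INVALID_HANDLE_VALUE: NtOpenFile writes the handle
	 * only on success, and (HANDLE)-1 is the current-process pseudo handle,
	 * which the old cleanup path would have passed to NtClose on failure. */
	HANDLE hHandle = NULL;
	DWORD ProcessId = 0;
	DWORD Result = 0;
	NTSTATUS Status = STATUS_SUCCESS;

	/* ntdll is mapped into every user-mode process, so no LoadLibrary. */
	hModule = GetModuleHandleW(L"ntdll.dll");
	if (hModule == NULL)
		return 0;

	NtOpenFile = (NTOPENFILE)GetProcAddress(hModule, "NtOpenFile");
	NtfsControlFile = (NTFSCONTROLFILE)GetProcAddress(hModule, "NtFsControlFile");
	NtClose = (NTCLOSE)GetProcAddress(hModule, "NtClose");
	if (!NtOpenFile || !NtfsControlFile || !NtClose)
		return 0;

	RtlInitUnicodeString(&Pipe, L"\\Device\\NamedPipe\\lsass");
	InitializeObjectAttributes(&Attributes, &Pipe, OBJ_CASE_INSENSITIVE, NULL, NULL);

	/* Least access needed for the attribute query: no data read/write on
	 * the pipe. OpenOptions is a ULONG, so pass 0 rather than NULL. */
	Status = NtOpenFile(&hHandle, FILE_READ_ATTRIBUTES, &Attributes, &IoBlock, FILE_SHARE_READ, 0);
	if (!NT_SUCCESS(Status))
		goto EXIT_ROUTINE;

	Status = NtfsControlFile(hHandle, NULL, NULL, NULL, &IoBlock,
	                         FSCTL_PIPE_GET_PIPE_ATTRIBUTE,
	                         (PVOID)AttributeName, (ULONG)sizeof(AttributeName),
	                         &ProcessId, sizeof(ProcessId));
	if (!NT_SUCCESS(Status))
		goto EXIT_ROUTINE;

	/* IoBlock.Information is the byte count written to the output buffer;
	 * only trust ProcessId if the driver filled the whole DWORD. */
	if (IoBlock.Information < sizeof(ProcessId))
		goto EXIT_ROUTINE;

	Result = ProcessId;

EXIT_ROUTINE:
	if (hHandle != NULL)
		NtClose(hHandle);

	return Result;
}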
