Explaining the Usages of Pipes in Virus coding
by berniee
                            ...::Explaining the Usages::...
                            ....of Pipes in Virus coding....
				....by  berniee/[Xero].....

I am bored,listing to avril lavign instead of Oomph!,then I remembered an article
I dunno where it was ;but it was about how to connect your process to a console process,
and read the output of it by your process,this method called piping;I heard it is one of 
microsoft's ripped off ideas from linux..
So away from that article which I lost ,I decided After tiny googling and having quick peek at M$ sdk ,I found pretty 
beautiful explanation,especially from Iczelion's .
Now how could we create pipes and implementt it in viruses.thats what I am going to explain in this article
 by describing how to create pipes(Anonymous types only,see next).

-What is pipes?
As Iczelion in his tutorial 21 said :"Pipe is a communication conduit or pathway with two ends. 
You can use pipe to exchange the data between two different processes, or within the same process. 
It's like a walkie-talkie. You give the other party one set and he can use it to communicate with you."
Beautiful Quote :),and by this we give each of the both processes a walkie-talkie.
Pipes is categorized into Anonymous and Named pipes;anonymous from the name mean
you create the pipe but you won't know the name inorder to handle it,while named pipes you will need
to know their names to get them work(duh!)..

-How to create a pipe?
let's see the following function
BOOL CreatePipe(
  PHANDLE hReadPipe,
  PHANDLE hWritePipe,
  DWORD nSize

so the CreatePipe api takes four parameters;note that this function creates anonymous pipes; 
the parameters will be explained as follows:

1-hReadPipe this will be pointer to handle(DWORD)of the pipe read end.
2-hWritePipe this will be the pointer to the handle of the pipe write end
*pipes have read and write ends to communicate* 
3-lpPipeAttributes pointer to security descriptor structure that we should fill,it is as
typedef struct _SECURITY_ATTRIBUTES 
  DWORD nLength; 
  LPVOID lpSecurityDescriptor;
  BOOL bInheritHandle;

where nLenght will point to the security descriptor struct size,lpSecurityDescriptor will
be left zeroed :),and the bInheritableHandle should be true so as the pipe will be inheritable.
4-nSize is "Size of the buffer for the pipe, in bytes. The size is only a suggestion;
 the system uses the value to calculate an appropriate buffering mechanism. If this parameter is zero,
 the system uses the default buffer size"taken from m$ SDK.

now lets put all of the above in a code
;--------------------cut from here
.model flat,stdcall
option casemap:none

include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc

includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib

db "piping is fun!!",0
run_ db "cmd.exe /c dir",0 ;our test command

pipe_read dd ?
pipe_write dd ?

bwr dd ?

security_attrib  SECURITY_ATTRIBUTES
buffer db 1024 dup(?)


mov security_attrib.lpSecurityDescriptor,0
mov security_attrib.bInheritHandle,TRUE
mov security_attrib.nLength,sizeof SECURITY_ATTRIBUTES

invoke CreatePipe,offset pipe_read,offset pipe_write,offset security_attrib,0 
or eax,eax
jz exit

;------------------stop cutting!!

-how to get the pipe working?
till now we created a pipe with specific securtiy attributes ,then what next...
here is the next,we will create child process and inforce it to send its output
through the pipe_read handle,so going to create a process first, we should
fill STARTUPINFO structure,we should call GetStartupInfo to fill our strucure first inorder to make things work 
in both win9x and NT as Iczelion says.
Then we change certain values in the STARTUPINFO struct which are :
hStdOutput and change it to our pipe_write handle,this where we redirect the child process
to pipe write end instead of its default StdOutput, also set hStdError as we did to hStdOutPut,
and dwFlags to "STARTF_USESHOWWINDOW , STARTF_USESTDHANDLES" indicating that hStdOutput, hStdError and wShowWindow members 
are valid and must be used ;lastly we
set wShowWindow component to SW_HIDE.
then we create the child process ;followed by closing the handle of the pipe_write
"If we don't close the write handle from our end, there will be two write ends"Iczellions'

Now see the following code:

;---------------------cut'paste below the above cut code

mov stinfo.cb,sizeof STARTUPINFO
mov eax, pipe_write
mov stinfo.hStdOutput,eax 
mov stinfo.hStdError,eax 
mov stinfo.wShowWindow,SW_HIDE 

invoke CreateProcess,0,offset run_,0,0,TRUE,0,0,0,offset stinfo,offset pinfo
or eax,eax
jz exit
invoke CloseHandle,pipe_write

;-----------------End of cut

-Retrieving What?
Now,we will enter into an infinite loop trying to read from the read end of our
created file which was pipe_read  [since we launched our child process ,
it will send us the data through the pipe write end] in this loop we use ReadFile function inorder to read 
data output from the child process we have created.
the code :

;---------------------cut'paste below the above cut code
invoke ReadFile,pipe_read,offset buffer,1024,offset bwr,0
or eax,eax
jz found_
jmp loop_
invoke MessageBox,0,offset buffer,0,0
invoke ExitProcess,0
end start
;-----------------End of cut

I found this quite attractive to me when I wanted to look for some help;that could be
taken from some windows console appilcation..for e.g.
  e.g.1 Imagine you want to get Mail Exchanger servers list from DNS;
	 you can change the above run_ variable to 
	"nslookup -type=mx google.com" and here you will have the list,ofcourse
	after some string fixation,inorder to get it ptoperly.

 e.g.2	Imagine you want to use batch files but without its annoying console;and you
	want them to work by sending data to your running process,you also do that
	make you own batch and run it  the same way above

 and the examples continue..there are alot of implementaions to the piping,just use your brain.

-Final Words:
I hope the reader got the idea of this subject;and I would like to thank
Iczelion for his magnificant work in win32asm ;and thank my friend mh for downloading
m$ SDK for me[dude your hacked wireless is better than my paid one :( ]
and yes I hope you have enjoyed reading this article/tutorial/crap...and for any
thoughts e-mail me at:fakedminded@zeysan.every1.net

(C)fakedminded 2006