A forum for reverse engineering, OS internals and malware analysis 

#25898 by InvokeStatic, Mon May 18, 2015 4:28 pm
Hi,

I'm trying to understand how a kernel-mode driver talks to its usermode component.

I attempted to do this by hooking DeviceIOControl on the target usermode process but the usermode process does not actually make that request (it works the other way) but I did find out that it uses the named pipe \NamedPipe\Battleye. Static analysis is not possible.

Additionally, the communication is very time-sensitive so using WinDbg to breakpoint Read/Write is simply not feasible.

How would I go about sniffing this pipe? As I've stated, packets are sent to ring3 from ring0, so hooking the API functions doesn't really work.


Thanks.
#25902 by EP_X0FF, Tue May 19, 2015 4:42 am
Then hook the read/write API in user mode and inspect the in/out buffers. There are no magic monitors or magic APIs that will do that simply or in a different way.
#25904 by Vrtule, Tue May 19, 2015 8:17 am
If you need to inspect the application on relatively new versions of Windows only, you can write a minifilter driver to do this. When registering the minifilter, you can specify that you wish to filter named pipes (FLTFL_REGISTRATION_SUPPORT_NPFS_MSFS).

AFAIK named pipes are implemented as a file system driver, so it would theoretically be possible to attach a device onto this FS and monitor (or filter) requests of your interest.