yevheniiy81221888
Known Participant
March 10, 2020
Question

Creating Named Pipe in protected mode.

Hello, I have an issue with creating COM objects in protected mode. As far as I know this type of action is forbidden in protected mode, so I found this link. It says that I am able to create a named pipe if I specify something in the NAMEDPIPES_ALLOW_ANY section. I tried different naming and formats without result.
To be more clear, I have a host application where the named pipe is created (C# application) and I want to connect to it from an Adobe plug-in.

Also I looked at the broker process but didn't find any information about the possibility of creating COM objects if I implement a custom broker.

So my question is: what name format should be in NAMEDPIPES_ALLOW_ANY to allow me to create a named pipe?


Legend
March 11, 2020

I’ve never worked with this but perhaps we can check your work. Please describe all the steps in detail that you have used to set the policy to enable named pipes. 

yevheniiy81221888
Known Participant
March 11, 2020

Thanks for your help.
1. I have a host application where I created a named pipe like this:

using System.IO;
using System.IO.Pipes;
using System.Threading.Tasks;

// Server side: create the pipe "\\.\pipe\foo" and keep writing lines to the
// first client that connects.
Task.Factory.StartNew(() =>
{
    var server = new NamedPipeServerStream("foo");
    server.WaitForConnection();
    StreamWriter writer = new StreamWriter(server);

    // Writes forever; an IOException is thrown here once the client disconnects.
    while (true)
    {
        writer.WriteLine("hello");
        writer.Flush();
    }
});

2. In the Adobe plug-in (ACCB1 ASBool ACCB2 PluginInit(void) function) I tried to connect to it:

#include <windows.h>
#include <stdio.h>

HANDLE hPipe;

/* Client side: a named pipe is opened like a file, so the sandbox sees an
 * NtCreateFile on \??\pipe\foo. */
hPipe = CreateFile(TEXT("\\\\.\\pipe\\foo"),
    GENERIC_READ | GENERIC_WRITE,
    0,              /* no sharing */
    NULL,           /* default security attributes */
    OPEN_EXISTING,  /* the pipe must already exist */
    0,
    NULL);

if (hPipe != INVALID_HANDLE_VALUE)
{
    // do stuff
    CloseHandle(hPipe);
}
else
{
    /* ERROR_ACCESS_DENIED (5) here corresponds to STATUS_ACCESS_DENIED in the broker log. */
    printf("CreateFile failed: %lu\n", GetLastError());
}

And I always get INVALID_HANDLE_VALUE as the result.

I added a setting in the registry (HKLM_Software/Policies/Adobe/Acrobat Reader/DC/FeatureLockDown/bUseWhitelistConfigFile = 1).
In the ProtectedModeWhitelistConfig.txt file, which is placed in the C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader folder, I added these lines:

FILES_ALLOW_ANY = pipe\*
NAMEDPIPES_ALLOW_ANY = \.\pipe\foo

I tried different string patterns in the NAMEDPIPES_ALLOW_ANY section:

\\\\.\\pipe\\foo.*
\\\\.\\pipe\\foo
pipe\foo.*
pipe\foo
pipe\*
\\\\.\\pipe\\*
\.\pipe\*

I also tried putting only the pipe name.
As well as in the FILES_ALLOW_ANY section.
Also I enabled logs:

Go to HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\(version)\Privileged.
Right click and choose New > REG_SZ Value.
Create tBrokerLogfilePath.
Right click on tBrokerLogfilePath and choose Modify.
Set the value. For example: C:\DOCUME~1\<username>\LOCALS~1\Temp\BrL4FBA.tmp.

Log:

[03:10/16:53:53] NtCreateFile: STATUS_ACCESS_DENIED
[03:10/16:53:53] real path: \??\pipe\foo
[03:10/16:53:53] Consider modifying policy using these policy rules: FILES_ALLOW_ANY or FILES_ALLOW_DIR_ANY

I got this message every time, with every string pattern.

Legend
March 11, 2020

Thank you for the detail.

I would expect the pipe name to be either

\.\pipe\name

or

\servername\pipe\name

However, I speculate we need to be led by the message, which tells you to use FILES_ALLOW_ANY or FILES_ALLOW_DIR_ANY. I think this is because, as a client, you are using CreateFile. The sandbox does not need to know this is a named pipe. I look at the message. It mentions \??\pipe\foo. Is that ?? actually your redacted server name?

Whatever text is used, I would suggest using

FILES_ALLOW_ANY \??\pipe\foo

where ?? is as per the message.


The other thing would be to double check that the registry key HKLM/Software/Policies/Adobe/Acrobat Reader/DC/FeatureLockDown/bUseWhitelistConfigFile is a DWORD, not a string; I have made this sort of mistake before.
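As an added example (not code from the thread or from Adobe), the following PowerShell script checks the three settings discussed above in one place: that bUseWhitelistConfigFile is a REG_DWORD and not a REG_SZ (the point of the last reply), which rules the whitelist file actually contains, and that the broker log path from the poster's step list is set, after which it pairs each STATUS_ACCESS_DENIED line in that log with the "real path" line the policy rule has to match. $ReaderVersion (the "(version)" key under HKCU) and $LogPath are assumptions to adjust for the install.

```powershell
# Added example, not from the thread. Registry paths, value names and the
# whitelist file location are the ones quoted above; $ReaderVersion (the
# "(version)" key) and $LogPath are assumptions to adjust for your install.
param(
    [string]$ReaderVersion = 'DC',
    [string]$LogPath = "$env:TEMP\AcrobatBrokerLog.txt"
)

$lockdown  = 'HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown'
$whitelist = 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ProtectedModeWhitelistConfig.txt'
$privKey   = "HKCU:\Software\Adobe\Acrobat Reader\$ReaderVersion\Privileged"

# 1. bUseWhitelistConfigFile: the last reply's point is that it must be a
#    REG_DWORD, not a REG_SZ, so check the value kind and not just the value.
$key = Get-Item -Path $lockdown -ErrorAction Stop
try   { $kind = $key.GetValueKind('bUseWhitelistConfigFile') }
catch { $kind = 'missing' }
$val = $key.GetValue('bUseWhitelistConfigFile')
if ($kind -ne 'DWord' -or $val -ne 1) {
    Write-Warning "bUseWhitelistConfigFile is $kind = '$val'; expected DWord = 1. Resetting."
    Remove-ItemProperty -Path $lockdown -Name 'bUseWhitelistConfigFile' -ErrorAction SilentlyContinue
    New-ItemProperty -Path $lockdown -Name 'bUseWhitelistConfigFile' -Value 1 -PropertyType DWord | Out-Null
}

# 2. Whitelist file: list the rules Reader will load; one rule per line,
#    as in the thread ("FILES_ALLOW_ANY = ...", "NAMEDPIPES_ALLOW_ANY = ...").
if (-not (Test-Path $whitelist)) {
    Write-Warning "Whitelist file not found: $whitelist"
} else {
    Get-Content $whitelist | Where-Object { $_ -match '^\s*(FILES|NAMEDPIPES)_ALLOW' } |
        ForEach-Object { "rule: $_" }
}

# 3. Broker log: tBrokerLogfilePath is a REG_SZ under the per-user Privileged
#    key (the step list above); Reader writes the STATUS_ACCESS_DENIED lines there.
if (-not (Test-Path $privKey)) { New-Item -Path $privKey -Force | Out-Null }
Set-ItemProperty -Path $privKey -Name 'tBrokerLogfilePath' -Value $LogPath -Type String

# After reproducing the failure, pair each denial with the "real path" line that
# follows it; that path is what the whitelist rule has to match.
if (Test-Path $LogPath) {
    $lines = Get-Content $LogPath
    for ($i = 0; $i -lt $lines.Count - 1; $i++) {
        if ($lines[$i] -match 'STATUS_ACCESS_DENIED' -and $lines[$i+1] -match 'real path: (.+)$') {
            "denied: $($Matches[1])"
        }
    }
}
```

Run it from an elevated PowerShell, since the FeatureLockDown key lives under HKLM, and restart Reader between changing the whitelist and reading the log.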