yevheniiy81221888
Known Participant
March 10, 2020
Question

Creating Named Pipe in protected mode.

Hello, I have an issue with creating COM objects in protected mode. As far as I know this type of action is forbidden in protected mode, so I found this link. It says that I am able to create a named pipe if I specify something in the NAMEDPIPES_ALLOW_ANY section. I tried different naming and formats without result.
To be more clear, I have a host application where the named pipe is created (a C# application) and I want to connect to it from an Adobe plug-in.

I also looked at the broker process but didn't find any information about the possibility of creating COM objects if I implement a custom broker.

So my question is: what name format should be used in NAMEDPIPES_ALLOW_ANY to allow me to create a named pipe?

1 reply

Legend
March 11, 2020

I’ve never worked with this but perhaps we can check your work. Please describe all the steps in detail that you have used to set the policy to enable named pipes. 

yevheniiy81221888
Known Participant
March 11, 2020

Thx for your help.
1. I have a host application where I created the named pipe like this:

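using System.IO;
using System.IO.Pipes;
using System.Threading.Tasks;

Task.Factory.StartNew(() =>
{
    // Server end of the pipe; clients open it as \\.\pipe\foo
    var server = new NamedPipeServerStream("foo");
    server.WaitForConnection();
    StreamWriter writer = new StreamWriter(server);

    // Keep sending a test line to the connected client
    while (true)
    {
        writer.WriteLine("hello");
        writer.Flush();
    }
});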

2. In the Adobe plug-in (ACCB1 ASBool ACCB2 PluginInit(void) function) I tried to connect to it:

#include <windows.h>

HANDLE hPipe;

// Open the client end of the pipe created by the host application
hPipe = CreateFile(TEXT("\\\\.\\pipe\\foo"),
    GENERIC_READ | GENERIC_WRITE,
    0,
    NULL,
    OPEN_EXISTING,
    0,
    NULL);

if (hPipe != INVALID_HANDLE_VALUE)
{
    // do stuff
}

And I always get an INVALID_HANDLE_VALUE result.

Added a setting in the registry (HKLM_Software/Policies/Adobe/Acrobat Reader/DC/FeatureLockDown/bUseWhitelistConfigFile = 1).
In the ProtectedModeWhitelistConfig.txt file, which is placed in the C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader folder, I added these lines:

FILES_ALLOW_ANY = pipe\*
NAMEDPIPES_ALLOW_ANY = \.\pipe\foo

I tried different string patterns in the NAMEDPIPES_ALLOW_ANY section:
\\\\.\\pipe\\foo.*
\\\\.\\pipe\\foo
pipe\foo.*
pipe\foo
pipe\*
\\\\.\\pipe\\*
\.\pipe\*

I tried putting only the pipe name, and did the same in the FILES_ALLOW_ANY section.
I also enabled logs:

Go to HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\(version)\Privileged.
Right click and choose New > REG_SZ Value.
Create tBrokerLogfilePath.
Right click on tBrokerLogfilePath and choose Modify.
Set the value. For example: C:\DOCUME~1\<username>\LOCALS~1\Temp\BrL4FBA.tmp.

Log:

[03:10/16:53:53] NtCreateFile: STATUS_ACCESS_DENIED
[03:10/16:53:53] real path: \??\pipe\foo
[03:10/16:53:53] Consider modifying policy using these policy rules: FILES_ALLOW_ANY or FILES_ALLOW_DIR_ANY

I got this message every time, with different string patterns.
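
The broker log quoted in the post above can be summarized per denied path, which shows what the broker reports as the real path and which rule names it suggests. This is an added example, not part of the original thread; it assumes every record has the three-line shape quoted in the post, and the function names and the second sample record are constructed.

```python
import re
from collections import defaultdict

# Constructed sample: the record quoted in the post, plus a repeat with a made-up timestamp.
SAMPLE_LOG = r"""[03:10/16:53:53] NtCreateFile: STATUS_ACCESS_DENIED
[03:10/16:53:53] real path: \??\pipe\foo
[03:10/16:53:53] Consider modifying policy using these policy rules: FILES_ALLOW_ANY or FILES_ALLOW_DIR_ANY
[03:10/16:54:10] NtCreateFile: STATUS_ACCESS_DENIED
[03:10/16:54:10] real path: \??\pipe\foo
[03:10/16:54:10] Consider modifying policy using these policy rules: FILES_ALLOW_ANY or FILES_ALLOW_DIR_ANY
"""

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<body>.*)$")
CALL = re.compile(r"^(?P<api>\w+): (?P<status>STATUS_\w+)$")
PATH_PREFIX = "real path: "
HINT_PREFIX = "Consider modifying policy using these policy rules: "

def parse_denials(text):
    """Return one dict per logged call: ts, api, status, path, rules."""
    records, current = [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # ignore lines without a [timestamp] prefix
        body = m.group("body")
        call = CALL.match(body)
        if call:  # first line of a record: "<api>: <status>"
            current = {"ts": m.group("ts"), "api": call.group("api"),
                       "status": call.group("status"), "path": None, "rules": []}
            records.append(current)
        elif current and body.startswith(PATH_PREFIX):
            current["path"] = body[len(PATH_PREFIX):]
        elif current and body.startswith(HINT_PREFIX):
            current["rules"] = re.findall(r"[A-Z]+(?:_[A-Z]+)+", body[len(HINT_PREFIX):])
    return records

def summarize(records):
    """Group access-denied records by (api, path): count plus suggested rule names."""
    out = defaultdict(lambda: {"count": 0, "rules": set()})
    for r in records:
        if r["status"] == "STATUS_ACCESS_DENIED":
            entry = out[(r["api"], r["path"])]
            entry["count"] += 1
            entry["rules"].update(r["rules"])
    return dict(out)

if __name__ == "__main__":
    for (api, path), info in summarize(parse_denials(SAMPLE_LOG)).items():
        print(f"{info['count']}x {api} denied on {path}; suggested: {sorted(info['rules'])}")
```

Run against the file set in tBrokerLogfilePath, the summary makes it easy to compare the path the broker actually evaluated with the patterns written in the policy file.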

Legend
March 11, 2020

Ok... that seems to have reached the limit of my knowledge. Someone else may visit the forum and have an idea.


Well, only one thought. I assume you have tested the client pipe creation in a standalone app (not the same app as the server end) and it works OK? A C app, I mean, using CreateFile. I have not seen anything about how to map pipe namespaces between .Net and C.