`ProcessClientThread` opens a named pipe handle, `hPipe`, but never closes it, resulting in a handle leak.
if (success)
{
responseMsg = $"[*] Impersonating token {capturedSession.Value.TokenHandle} for LUID {capturedSession.Value.Luid} to {pipeName}";
// 0x80000000 | 0x40000000 -> GENERIC_READ | GENERIC_WRITE
// 3 -> OPEN_EXISTING
Thread.Sleep(1000);
IntPtr hPipe = Interop.CreateFile($"{pipeName}", 0x80000000 | 0x40000000, 0, 0, 3, 0, 0);
if (hPipe.ToInt64() == -1)
{
var ex = new Win32Exception(Marshal.GetLastWin32Error());
Console.WriteLine($" [X] Error conecting to {pipeName} : {ex.Message} ({ex.ErrorCode})");
}
else
{
// write a single byte out so we can fulfil the ReadFile() requirement on the other side of the pipe
byte[] bytes = new byte[1];
uint written = 0;
Interop.WriteFile(hPipe, bytes, (uint)bytes.Length, out written, IntPtr.Zero);
Thread.Sleep(500);
+ CloseHandle(hPipe); <<< need to close this handle before the variable goes out of scope
}
Interop.RevertToSelf();
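Review bot: The proposed `CloseHandle(hPipe);` is unqualified, while every other native call in this excerpt goes through `Interop.`, so it presumably needs to be `Interop.CloseHandle(hPipe);` backed by a `kernel32.dll` P/Invoke declaration that is not visible here. The close also sits at the end of the `else` branch, so it is skipped if anything between `CreateFile` and that line throws (for example `Thread.Sleep` being interrupted); wrapping the write in `try { ... } finally { Interop.CloseHandle(hPipe); }` makes the release unconditional. The handle is opened while the thread is impersonating and stays usable after `Interop.RevertToSelf()`, which is a further reason to close it deterministically. The return value of `Interop.WriteFile` is ignored, so a failed write goes unreported. The enclosing `if (success)` block continues outside this excerpt.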
Koh/Koh/Pipe.cs
Line 289 in 0283d9f