Overview
WinIPCScout is a Windows security triage tool for local named-pipe IPC surfaces. It inventories pipes, gathers access and ownership evidence where the OS allows it, enriches results with process and service context, and ranks endpoints so a human tester knows what to review first.
The tool is built for authorized red team, penetration testing, and defensive assessment work. It does not include exploitation modules, protocol payloads, or remote enumeration.
What It Does
- Enumerates local named pipes under \\.\pipe\.
- Inspects one pipe directly by name.
- Collects current token context, including groups, privileges, integrity, elevation, session, and logon LUID.
- Reads security descriptors and SDDL where accessible.
- Performs zero-payload probes (the endpoint is opened, but no data is written to it) with a configurable timeout.
- Resolves server process and service context.
- Adds signer and Microsoft/third-party classification where available.
- Checks service binary path writability.
- Produces console, JSON, and Markdown reports.
Technical Shape
The project is implemented in modern C++ with CMake and the Windows API. The scanner separates collection, enrichment, scoring, and reporting so each phase can be tested and reasoned about independently.
The scoring model is intentionally a prioritization signal, not a vulnerability verdict. A high score means “look here first” based on access, privilege context, ownership, service relationship, DACL breadth, naming signals, signer information, and binary path writability.
Why It Matters
Named pipes are common in Windows services and security products, but reviewing them manually can be noisy. WinIPCScout turns that noisy local surface into structured evidence and a ranked report. That makes it useful as a focused assessment companion rather than a broad exploitation framework.
For portfolio review, it demonstrates Windows internals, API-heavy C++ work, defensive boundaries, schema-backed reporting, and the ability to design security tooling with clear limits.
Scope
In scope: local named-pipe enumeration, safe probing, process/service/token enrichment, scoring, and report generation.
Out of scope: exploitation, fuzzing, payload delivery, remote scanning, ALPC, RPC endpoint parsing, COM, WCF, and ETW-assisted correlation.
Lessons Learned
The main engineering challenge is that Windows security evidence is partial by nature: access to a pipe may be denied, a pipe may disappear between enumeration and inspection, a security descriptor may be unreadable, and a server process may not map cleanly to a service. The tool handles that by preserving the status of each piece of evidence (gathered, denied, unavailable) instead of pretending every field is always available.
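As an added illustration of the scoring model described under Technical Shape and of the evidence-status approach described here (this is example code written for this page, not WinIPCScout's own implementation): a portable C++17 sketch that parses the DACL portion of an SDDL string into ACEs, counts allow grants to broad principals, and folds that signal together with service and binary-path evidence into a prioritization score. The trustee list, weights, naming keywords and sample descriptors are assumptions chosen for illustration; evidence that could not be gathered is carried as std::nullopt and reported as an unknown rather than silently scored as zero.

```cpp
// Added illustration, not WinIPCScout's own code: turn an SDDL string into a
// "DACL breadth" signal and fold it into a prioritization score that records
// missing evidence instead of guessing. Trustee list, weights, naming keywords
// and the sample descriptors below are assumptions made for this example.
#include <algorithm>
#include <cctype>
#include <cstddef>
#include <iostream>
#include <optional>
#include <string>
#include <vector>

// SDDL aliases / SIDs treated as "broad" (reachable by ordinary users). Assumed list.
static const std::vector<std::string> kBroadTrustees = {
    "WD", "AU", "BU", "IU", "AN",   // Everyone, Authenticated Users, Users, Interactive, Anonymous
    "S-1-1-0", "S-1-5-11", "S-1-5-32-545", "S-1-5-4", "S-1-5-7"};

// Name fragments that earn a small "look here" bump. Assumed list.
static const char* const kNameKeywords[] = {"svc", "service", "agent", "update", "elev", "admin"};

struct Ace { std::string type, flags, rights, trustee; };

// Parse the plain (non-conditional) ACE list after "D:" in an SDDL string such as
// "O:SYG:SYD:P(A;;GA;;;SY)(A;;GRGW;;;AU)". Returns nullopt when the DACL is absent or
// malformed so the caller records "unparsed" instead of scoring it as an empty DACL.
std::optional<std::vector<Ace>> parseDacl(const std::string& sddl) {
    std::size_t pos = sddl.find("D:");
    if (pos == std::string::npos) return std::nullopt;
    std::vector<Ace> aces;
    for (pos += 2; pos < sddl.size() && sddl.compare(pos, 2, "S:") != 0;) {   // stop at SACL
        if (sddl[pos] != '(') { ++pos; continue; }          // DACL control flags (P, AI, AR)
        std::size_t end = sddl.find(')', pos);
        if (end == std::string::npos) return std::nullopt;  // unterminated ACE
        std::string body = sddl.substr(pos + 1, end - pos - 1);
        std::vector<std::string> f;                         // type;flags;rights;objguid;inhguid;sid
        for (std::size_t start = 0, i = 0; i <= body.size(); ++i)
            if (i == body.size() || body[i] == ';') { f.push_back(body.substr(start, i - start)); start = i + 1; }
        if (f.size() != 6) return std::nullopt;
        aces.push_back({f[0], f[1], f[2], f[5]});
        pos = end + 1;
    }
    return aces;
}

// Allow ACEs whose trustee is a broad principal; deny ACEs never widen the surface.
std::vector<Ace> broadGrants(const std::vector<Ace>& aces) {
    std::vector<Ace> out;
    for (const Ace& a : aces)
        if (a.type == "A" && std::find(kBroadTrustees.begin(), kBroadTrustees.end(), a.trustee) != kBroadTrustees.end())
            out.push_back(a);
    return out;
}

// One pipe's collected evidence. nullopt means "could not be gathered", which is a
// normal outcome (access denied, pipe vanished, server PID or service unresolved).
struct PipeFinding {
    std::string name;
    std::optional<std::string> sddl;
    std::optional<bool> serverIsService;
    std::optional<bool> binaryPathWritable;
};

struct Score {
    int value = 0;
    std::vector<std::string> reasons;   // why the score rose
    std::vector<std::string> unknowns;  // evidence that was unavailable, kept explicit
};

static bool hasNamingSignal(std::string name) {
    std::transform(name.begin(), name.end(), name.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    for (const char* kw : kNameKeywords)
        if (name.find(kw) != std::string::npos) return true;
    return false;
}

// Prioritization, not a verdict: a higher value only means "review this first".
Score prioritize(const PipeFinding& f) {
    Score s;
    if (!f.sddl) {
        s.unknowns.push_back("sddl");
    } else if (auto aces = parseDacl(*f.sddl)) {
        for (const Ace& a : broadGrants(*aces)) {
            s.value += 10;                                   // any broad allow grant
            if (a.rights.find("GA") != std::string::npos || a.rights.find("GW") != std::string::npos)
                s.value += 5;                                // generic all / generic write
            s.reasons.push_back("broad grant " + a.rights + " to " + a.trustee);
        }
    } else {
        s.unknowns.push_back("sddl_unparsed");
    }
    if (!f.serverIsService) s.unknowns.push_back("server_context");
    else if (*f.serverIsService) { s.value += 15; s.reasons.push_back("served by a service"); }
    if (!f.binaryPathWritable) s.unknowns.push_back("binary_path_writability");
    else if (*f.binaryPathWritable) { s.value += 25; s.reasons.push_back("service binary path writable"); }
    if (hasNamingSignal(f.name)) { s.value += 5; s.reasons.push_back("naming signal"); }
    return s;
}

// Constructed sample findings; the SDDL strings are hand-written, not captured from a host.
std::vector<PipeFinding> sampleFindings() {
    return {
        {"UpdateAgentSvc", std::string("D:(A;;GA;;;WD)"), true, false},
        {"hardened", std::string("O:SYG:SYD:P(A;;GA;;;SY)(A;;GA;;;BA)"), std::nullopt, std::nullopt},
        {"transient", std::nullopt, false, std::nullopt},
    };
}

int main() {
    for (const PipeFinding& f : sampleFindings()) {
        Score s = prioritize(f);
        std::cout << f.name << " score=" << s.value;
        for (const auto& r : s.reasons) std::cout << " [" << r << "]";
        for (const auto& u : s.unknowns) std::cout << " ?" << u;
        std::cout << '\n';
    }
}
```

Build with any C++17 compiler (for example g++ -std=c++17); main prints one line per sample finding with its reasons and its unknowns, so a reviewer can see at a glance whether a low score means "hardened" or "not enough evidence". In a real collector the PipeFinding fields would be populated from the security-descriptor and process/service lookups, which this example deliberately leaves out.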