update
vp777 committed Aug 15, 2021
1 parent b986a1f commit e4e6ad5
Showing 1 changed file with 3 additions and 3 deletions.
6 changes: 3 additions & 3 deletions readme.md
@@ -54,7 +54,7 @@ Note: this is an undocumented structure, some information was obtained through [

An overview of the fields above and some of the mechanisms implemented by npfs:

**NextEntry**: used to create a circular linked list with all the queued data entries. Entries are primarily related to read and write operations. One way of creating write operation entries is through the WriteFile API call and those entries are removed from the list when all of their data are read by a client (e.g. using the ReadFile). The list includes a sentinel node, which is stored within the CCB of the named pipe.
**NextEntry**: used to create a doubly linked list with all the queued data entries. Entries are primarily related to read and write operations. One way of creating write operation entries is through the WriteFile API call and those entries are removed from the list when all of their data are read by a client (e.g. using the ReadFile). The list includes a sentinel node, which is stored within the CCB of the named pipe.

<p align="center">
<img src="././images/linkedlist.svg" />
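Review bot: replacing "circular" with "doubly" in the NextEntry sentence (the `-`/`+` pair of this hunk) swaps one property for another when the list has both: a list with a sentinel node stored in the CCB, as the paragraph's last sentence describes, is the usual kernel LIST_ENTRY arrangement, which is circular and doubly linked, so the two adjectives are not alternatives. Suggest "used to create a circular doubly linked list with all the queued data entries", so the sentinel sentence and the `linkedlist.svg` figure below still match the first sentence. Minor wording in the same line: "e.g. using the ReadFile" reads better as "e.g. using ReadFile".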
@@ -115,7 +115,7 @@ This is the length of the user data associated with the current DATA_QUEUE_ENTRY
**x**: this field is uninitialized in the entry creation, probably used for padding

**Quota management mechanism**: allows the server-end of the communication channel to specify the maximum size of data the queues can hold. When that limit is exceeded:
1) In blocking mode (PIPE_WAIT) the entry is created with QuotaInEntry set to the number of bytes available in the current queue. Then, after every read (not peek) operation on a buffered entry, the read size gets added to the QuotaInEntry of the stalled write. When the QuotaInEntry becomes equal to the DataSize, that signals that there is enough space to hold that entry in the pipe's quota and its associated irp gets completed.
1) In blocking mode (PIPE_WAIT) the entry is created with QuotaInEntry set to the number of bytes available in the current queue. Then, after every read (not peek) operation on a buffered entry, the read size gets added to the QuotaInEntry of the stalled write. When the QuotaInEntry becomes equal to the DataSize, that signals that there is enough space to hold that entry in the pipe's quota and its associated irp gets completed and removed from the current data entry.
2) In non-blocking mode (PIPE_NOWAIT), the operation will fail. (the number of written bytes will be equal to 0)

# Exploitation
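Review bot: the clause added at the end of item 1) in the `+` line, "gets completed and removed from the current data entry", is ambiguous about what is removed from what: read literally it says the IRP is detached from the DATA_QUEUE_ENTRY, but it can equally be read as the entry being removed from the queue, which would contradict the NextEntry paragraph where entries leave the list only once all their data has been read. Suggest stating the intended behaviour explicitly, e.g. "its associated IRP gets completed and detached from the data entry, which stays queued until its data is read", if that is what happens. Style: write "IRP" in capitals in both the old and new wording, consistent with PIPE_WAIT, QuotaInEntry and DATA_QUEUE_ENTRY in the surrounding lines.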
@@ -403,7 +403,7 @@ Potential use-cases:
# Future work
1. Find a way to identify corrupted pipes in PIPE_TYPE_BYTE mode (should be a difficult task) or try to have Microsoft fix this important bug! (probably even more difficult task). This would allow us to earn the final ✔ for the category "No Data Control && No Size Control".
1. Find a way to identify corrupted pipes in PIPE_TYPE_BYTE mode (should be a difficult task) or try to have Microsoft fix the important bug mentioned in "Identifying Corrupted Pipes"! (probably even more difficult task). This would allow us to earn the final ✔ for the category "No Data Control && No Size Control".
2. It should be interesting to escalate privileges through the SECURITY_CLIENT_CONTEXT approach. (challenging but should be feasible)
# References
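Review bot: the `+` line points the reader at the section "Identifying Corrupted Pipes" with plain quotes only; since the purpose of this change is that cross-reference, make it a markdown link to the heading anchor, e.g. `[Identifying Corrupted Pipes](#identifying-corrupted-pipes)` (assuming that is the exact heading text), so it stays navigable and a renamed heading is noticed. Grammar in the same line, present before and after the change: "(probably even more difficult task)" is missing an article and should read "(probably an even more difficult task)".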
