Question on Pipes & Threads


Progenitus
April 17th, 2015, 09:58
First post, long time lurker. Threading is something I feel was lacking from my Comp Sci education and I never really learned pipes/named pipes, peeking at pipes, and how that all relates to threads. I realize it's a method of communication, and you can do things like binding a pipe to socket.send() and then just push data to the pipe and send it over the network. I primarily do malware analysis and would love a basic explanation of how to analyze these and correctly interpret their use. Especially what I should know when looking at a particular thread in its execution.

Here are a couple of snippets from the malware I'm currently looking at; I'm sure it's stuff you guys have seen a million times. I'll happily post more context if you would like.

1. What are these going to be used for?
[attachment 3002: disassembly snippet]

2. What does this do?
[attachment 3003: disassembly snippet]

3. Why is CreatePipe called twice? Once each for read/write? If so, how is the read pipe accessed?
[attachment 3004: disassembly snippet]

g0dmoney
April 17th, 2015, 11:41
You probably would need to add a little more context to #1 imo, it's hard to follow as-is. #2 & #3: in general, PeekNamedPipe will be called on a pipe to see if there's data there; if so, read it, or whatever is done at the branch. And yes, you could be correct about creating two pipes; often you'll see one pipe for stdin and another for stdout. If you search for "createthread", "createpipe" and "peeknamedpipe" you'll probably return lots of hits with C code doing at least something similar to what you're looking at. Have you looked at the start address to see what the thread does?

Progenitus
April 17th, 2015, 13:09
Thanks, I'm starting to piece this together now. So the "push offset hReadPipe" before CreateThread is the only variable passed to the function at startAddress (which I looked into earlier: it copies a file, creates a process of it, waits for the process to exit, and then deletes the file). Arg0 for the function at startAddress is a pointer to hReadPipe, which we can see below:
[attachment 3006: disassembly snippet]

It gets set to the stdout and stderr. So whenever PeekNamedPipe(hReadPipe, x, x, ...) gets called it will return the output from that thread; however, PeekNamedPipe is never called with that in the program... programmer error maybe? hWritePipe isn't used anywhere else other than in the pipe creation as well...

PeekNamedPipe is only called once in the entire program and it's just used when reading a file. I went and looked up cross references to hFile; that's just used for generic file read/writes as a file handle.
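The pattern g0dmoney and Progenitus describe above (a single CreatePipe, the child's stdout and stderr pointed at the write end, a worker thread probing the read end with PeekNamedPipe and draining it with ReadFile) written out as a small C program, added here as an example; it is not code from the thread or from the sample being analyzed. The names run_and_capture and reader_thread and the benign command line are chosen for this example.

```c
/* Added example (not from the thread). Windows-only: compiled out elsewhere.
 * One CreatePipe: parent keeps the read end, child inherits the write end as
 * stdout/stderr; a thread polls the read end with PeekNamedPipe + ReadFile. */
#ifdef _WIN32
#include <windows.h>
struct capture { HANDLE hReadPipe; char *out; DWORD cap, len; };
/* Thread routine; arg is a pointer to hReadPipe's holder, like the
 * "push offset hReadPipe" before CreateThread in the disassembly. */
static DWORD WINAPI reader_thread(LPVOID param)
{
    struct capture *c = param;
    DWORD avail = 0, got = 0;
    for (;;) {
        /* Non-blocking probe: anything to read yet? Fails once the child
         * has exited and every write end is closed. */
        if (!PeekNamedPipe(c->hReadPipe, NULL, 0, NULL, &avail, NULL)) break;
        if (avail == 0) { Sleep(50); continue; }
        if (!ReadFile(c->hReadPipe, c->out + c->len, c->cap - 1 - c->len,
                      &got, NULL) || got == 0) break;
        c->len += got;
        c->out[c->len] = '\0';
    }
    return 0;
}
/* Runs cmd with stdout+stderr piped back; returns bytes captured into out
 * (NUL-terminated) or -1 on failure. cmd must be writable (CreateProcess). */
int run_and_capture(char *cmd, char *out, DWORD cap)
{
    SECURITY_ATTRIBUTES sa = { sizeof sa, NULL, TRUE };   /* inheritable */
    struct capture c = { NULL, out, cap, 0 };
    HANDLE hWritePipe, th;
    STARTUPINFOA si = { sizeof si };
    PROCESS_INFORMATION pi;
    if (!CreatePipe(&c.hReadPipe, &hWritePipe, &sa, 0)) return -1;
    /* Child may inherit only the write end; keep the read end private. */
    SetHandleInformation(c.hReadPipe, HANDLE_FLAG_INHERIT, 0);
    si.dwFlags = STARTF_USESTDHANDLES;
    si.hStdOutput = si.hStdError = hWritePipe;  /* both streams, one pipe */
    si.hStdInput = GetStdHandle(STD_INPUT_HANDLE);
    if (!CreateProcessA(NULL, cmd, NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi))
        return -1;
    CloseHandle(hWritePipe);   /* drop the parent's copy or EOF never comes */
    th = CreateThread(NULL, 0, reader_thread, &c, 0, NULL);
    WaitForSingleObject(pi.hProcess, INFINITE);
    WaitForSingleObject(th, INFINITE);
    CloseHandle(th); CloseHandle(pi.hThread); CloseHandle(pi.hProcess);
    CloseHandle(c.hReadPipe);
    return (int)c.len;
}
#endif
```

When reading a sample, the tell-tale sequence is CreatePipe, SetHandleInformation or a second CreatePipe for the other direction, STARTF_USESTDHANDLES with the pipe handle in hStdOutput/hStdError, CreateProcess, then a thread or loop around PeekNamedPipe/ReadFile; a write end that is never read from (as in the post above) means the child's output is simply discarded.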

owl
May 6th, 2015, 15:01
Referring to threads, knowing this little trick does make life easy: the famous EBFE trick.
http://paulslaboratory.blogspot.com/2014/04/ebfe-debugging-remote-thread.html