下面示例仅支持x64

common.h

#include <windows.h>
#include <NTSecAPI.h>
using namespace std;

#define MAX_LPC_DATA		0x148
#define LPC_MESSAGE_LENGTH  48
#define MAX_COMMUN_NUMBER	10
#define LARGE_MESSAGE_SIZE	0x10000
typedef struct _CLIENT_ID
{
	HANDLE UniqueProcess;
	HANDLE UniqueThread;
} CLIENT_ID, * PCLIENT_ID;

typedef struct _PORT_MESSAGE
{
	union
	{
		struct
		{
			USHORT DataLength;          // Length of data following the header (bytes)
			USHORT TotalLength;         // Length of data + sizeof(PORT_MESSAGE)
		} s1;
		ULONG Length;
	} u1;

	union
	{
		struct
		{
			USHORT Type;
			USHORT DataInfoOffset;
		} s2;
		ULONG ZeroInit;
	} u2;

	union
	{
		CLIENT_ID ClientId;
		double   DoNotUseThisField;     // Force quadword alignment
	};

	ULONG  MessageId;                   // Identifier of the particular message instance

	union
	{
		ULONG_PTR ClientViewSize;       // Size of section created by the sender (in bytes)
		ULONG  CallbackId;              // 
	};

} PORT_MESSAGE, * PPORT_MESSAGE;

typedef struct _TRANSFERED_MESSAGE
{
	PORT_MESSAGE Header;
	ULONG   Command;
	WCHAR   MessageText[48];

} TRANSFERED_MESSAGE, * PTRANSFERED_MESSAGE;

//
// Define structure for initializing shared memory on the caller's side of the port
//

typedef struct _PORT_VIEW {

	ULONG  Length;                      // Size of this structure
	HANDLE SectionHandle;               // Handle to section object with
										// SECTION_MAP_WRITE and SECTION_MAP_READ
	ULONG  SectionOffset;               // The offset in the section to map a view for
										// the port data area. The offset must be aligned 
										// with the allocation granularity of the system.
	SIZE_T ViewSize;                    // The size of the view (in bytes)
	PVOID  ViewBase;                    // The base address of the view in the creator
										// 
	PVOID  ViewRemoteBase;              // The base address of the view in the process
										// connected to the port.
} PORT_VIEW, * PPORT_VIEW;

//
// 定义来自远程端口的共享内存
//

typedef struct _REMOTE_PORT_VIEW {

	ULONG  Length;                      // 结构体大小
	SIZE_T ViewSize;                    // view大小
	PVOID  ViewBase;                    // view 基地址

} REMOTE_PORT_VIEW, * PREMOTE_PORT_VIEW;
typedef struct _COMMUNICATE_
{
	PORT_VIEW			ServerView;
	REMOTE_PORT_VIEW	ClientView;
	HANDLE				hCommunicateHandle;
	HANDLE				hSectionHandle;
}COMMUNICATE, * PCOMMUNICATE;
#define InitializeMessageHeader(ph, l, t)                              \
{                                                                      \
	(ph)->u1.s1.TotalLength      = (USHORT)(l);                        \
	(ph)->u1.s1.DataLength       = (USHORT)(l - sizeof(PORT_MESSAGE)); \
	(ph)->u2.s2.Type             = (USHORT)(t);                        \
	(ph)->u2.s2.DataInfoOffset   = 0;                                  \
	(ph)->ClientId.UniqueProcess = NULL;                               \
	(ph)->ClientId.UniqueThread  = NULL;                               \
	(ph)->MessageId              = 0;                                  \
	(ph)->ClientViewSize         = 0;                                  \
}

#define InitializeObjectAttributes( p, n, a, r, s ) {   \
	(p)->Length = sizeof( LSA_OBJECT_ATTRIBUTES );      \
	(p)->RootDirectory = r;                             \
	(p)->Attributes = a;                                \
	(p)->ObjectName = n;                                \
	(p)->SecurityDescriptor = s;                        \
	(p)->SecurityQualityOfService = NULL;               \
}

enum LPC_MSG_TYPE
{
	LPC_COMMAND_REQUEST_NOREPLY,
	LPC_COMMAND_REQUEST_REPLY,
	LPC_COMMAND_STOP
};
NTSTATUS(NTAPI* NtCreatePort)(PHANDLE PortHandle, PLSA_OBJECT_ATTRIBUTES ObjectAttributes, ULONG MaxConnectionInfoLength, ULONG MaxMessageLength, PULONG MaxPoolUsage);
NTSTATUS(NTAPI* NtAcceptConnectPort)(PHANDLE PortHandle, PVOID PortContext, PPORT_MESSAGE ConnectionRequest, BOOL AcceptConnection, PVOID ServerView, PVOID ClientView);
NTSTATUS(NTAPI* NtCompleteConnectPort)(HANDLE PortHandle);
NTSTATUS(NTAPI* NtReplyWaitReceivePort)(HANDLE PortHandle, PVOID* PortContext, PPORT_MESSAGE ReplyMessage, PPORT_MESSAGE ReceiveMessage);
NTSTATUS(NTAPI* NtRequestWaitReplyPort)(HANDLE PortHandle, PPORT_MESSAGE RequestMessage, PPORT_MESSAGE ReplyMessage);
NTSTATUS(NTAPI* RtlInitUnicodeString)(PUNICODE_STRING DestinationString, PCWSTR SourceString);
NTSTATUS(NTAPI* NtListenPort)(HANDLE PortHandle, PPORT_MESSAGE ConnectionRequest);
NTSTATUS(NTAPI* NtReplyPort)(HANDLE PortHandle, PPORT_MESSAGE ReplyMessage);
NTSTATUS(NTAPI* NtClose)(HANDLE Handle);
NTSTATUS(NTAPI* NtConnectPort)(PHANDLE PortHandle, PUNICODE_STRING PortName, PSECURITY_QUALITY_OF_SERVICE SecurityQos, PVOID ClientView, PVOID ServerView, PULONG MaxMessageLength, PVOID ConnectionInformation, PULONG ConnectionInformationLength);
NTSTATUS(NTAPI* NtRequestPort)(HANDLE PortHandle, PPORT_MESSAGE RequestMessage);

NTSTATUS(NTAPI* NtCreateSection)(
	OUT PHANDLE SectionHandle,
	IN  ACCESS_MASK DesiredAccess,
	IN  PLSA_OBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
	IN  PLARGE_INTEGER MaximumSize OPTIONAL,
	IN  ULONG SectionPageProtection,
	IN  ULONG AllocationAttributes,
	IN  HANDLE FileHandle OPTIONAL
	);
void InitLpc()
{
	HMODULE NtdllModule = GetModuleHandleW(L"ntdll.dll");
	if (NtdllModule == NULL)
	{
		return;
	}
	(FARPROC&)NtCreatePort = GetProcAddress(NtdllModule, "NtCreatePort");
	(FARPROC&)NtAcceptConnectPort = GetProcAddress(NtdllModule, "NtAcceptConnectPort");
	(FARPROC&)NtCompleteConnectPort = GetProcAddress(NtdllModule, "NtCompleteConnectPort");
	(FARPROC&)NtReplyWaitReceivePort = GetProcAddress(NtdllModule, "NtReplyWaitReceivePort");
	(FARPROC&)NtRequestWaitReplyPort = GetProcAddress(NtdllModule, "NtRequestWaitReplyPort");
	(FARPROC&)RtlInitUnicodeString = GetProcAddress(NtdllModule, "RtlInitUnicodeString");
	(FARPROC&)NtListenPort = GetProcAddress(NtdllModule, "NtListenPort");
	(FARPROC&)NtReplyPort = GetProcAddress(NtdllModule, "NtReplyPort");
	(FARPROC&)NtClose = GetProcAddress(NtdllModule, "NtClose");
	(FARPROC&)NtConnectPort = GetProcAddress(NtdllModule, "NtConnectPort");
	(FARPROC&)NtRequestPort = GetProcAddress(NtdllModule, "NtRequestPort");
	(FARPROC&)NtCreateSection = GetProcAddress(NtdllModule, "NtCreateSection");
}
#define SERVER_PORT_NAME	L"\\ServerPortName"

server.cpp

#include "..//..//Common//Common.h"
#include <stdio.h>
BOOL g_Stop = FALSE;
volatile LONG	g_dwCurrentClient = 0;
DWORD WINAPI CommunicationThread(LPVOID lParam)
{
	NTSTATUS	NtStatus = 0;
	PCOMMUNICATE		pCommunicate = (PCOMMUNICATE)lParam;
	PORT_MESSAGE		RecvMsg;
	PORT_MESSAGE		SendMsg;
	InterlockedAdd(&g_dwCurrentClient, 1);
	while (!g_Stop)
	{
		InitializeMessageHeader(&SendMsg, sizeof(PORT_MESSAGE), 0);
		ZeroMemory(&RecvMsg, sizeof(PORT_MESSAGE));
		NtStatus = NtRequestWaitReplyPort(pCommunicate->hCommunicateHandle,
			&SendMsg,
			&RecvMsg);
		if (NtStatus != 0)
		{
			CloseHandle(pCommunicate->hSectionHandle);
			NtClose(pCommunicate->hCommunicateHandle);
			printf("NtReplyWaitReceivePort:%d\r\n", GetLastError());
			break;
		}
		printf("MessageType:%d\r\nClientID<%d,%d>\r\nToTalLength:%d\r\nMessage:%ws\r\n",
			RecvMsg.u2.s2.Type,
			RecvMsg.ClientId.UniqueProcess,
			RecvMsg.ClientId.UniqueThread,
			RecvMsg.u1.s1.TotalLength,
			pCommunicate->ClientView.ViewBase);
	}
	InterlockedExchange(&g_dwCurrentClient, g_dwCurrentClient - 1);

	return 0;
}

void StartServer(const WCHAR* szServerPortName)
{
	NTSTATUS	 Status = 0;
	PORT_MESSAGE LpcMessage;
	LSA_OBJECT_ATTRIBUTES	ObjAttr;
	UNICODE_STRING		PortName;
	HANDLE				hSectionHandle;
	HANDLE				hServerConnectionHandle;
	SECURITY_DESCRIPTOR		SecurityDesc = { 0 };

	LARGE_INTEGER SectionSize = { LARGE_MESSAGE_SIZE };
	g_Stop = FALSE;
	while (!g_Stop)
	{
		if (!InitializeSecurityDescriptor(&SecurityDesc, SECURITY_DESCRIPTOR_REVISION))
		{
			printf("InitializeSecurityDescriptor:%d\r\n", GetLastError());
			break;
		}

		if (!SetSecurityDescriptorDacl(&SecurityDesc, TRUE, NULL, FALSE))
		{
			printf("SetSecurityDescriptorDacl:%d\r\n", GetLastError());
			break;
		}

		RtlInitUnicodeString(&PortName, SERVER_PORT_NAME);
		InitializeObjectAttributes(&ObjAttr, &PortName, 0, NULL, &SecurityDesc);
		Status = NtCreatePort(&hServerConnectionHandle,
			&ObjAttr,
			NULL,
			sizeof(PORT_MESSAGE),
			0
		);

		if (Status != 0)
		{
			printf("NtCreatePort:%d\r\n", GetLastError());
			break;
		}

		while (!g_Stop)
		{
			HANDLE		hServerCommunicateHandle;
			Status = NtListenPort(hServerConnectionHandle, &LpcMessage);

			if (Status != 0)
			{
				printf("NtListenPort:%d\r\n", GetLastError());
				g_Stop = TRUE;
				break;
			}
			if (g_dwCurrentClient < MAX_COMMUN_NUMBER)
			{
				PCOMMUNICATE pThreadPara = new COMMUNICATE;

				Status = NtCreateSection(&pThreadPara->hSectionHandle,
					SECTION_MAP_READ | SECTION_MAP_WRITE,
					NULL,// 使用页文件,而不是文件映射
					&SectionSize,
					PAGE_READWRITE,
					SEC_COMMIT,
					NULL);
				if (Status != 0)
				{
					printf("NtCreateSection:%d\r\n", GetLastError());
					break;
				}

				//
				// 接受端口的连接
				//
				pThreadPara->ServerView.Length = sizeof(PORT_VIEW);
				pThreadPara->ServerView.SectionHandle = pThreadPara->hSectionHandle;
				pThreadPara->ServerView.SectionOffset = 0;
				pThreadPara->ServerView.ViewSize = LARGE_MESSAGE_SIZE;
				pThreadPara->ClientView.Length = sizeof(REMOTE_PORT_VIEW);


				Status = NtAcceptConnectPort(&pThreadPara->hCommunicateHandle,
					NULL,
					&LpcMessage,
					TRUE,
					&pThreadPara->ServerView,
					&pThreadPara->ClientView);
				if (Status != 0)
				{
					printf("NtAcceptConnectPort:%d\r\n", GetLastError());
					g_Stop = TRUE;
					CloseHandle(pThreadPara->hSectionHandle);
					break;
				}
				//
				// 完成连接请求Complete the connection
				//

				Status = NtCompleteConnectPort(pThreadPara->hCommunicateHandle);
				if (Status != 0)
				{
					printf("NtCompleteConnectPort:%d\r\n", GetLastError());
					g_Stop = TRUE;
					CloseHandle(pThreadPara->hSectionHandle);
					break;
				}
				printf("MessageType:%d\r\nClientID<%d,%d>\r\nToTalLength:%d\r\nServerBase:%p\tServerSize:%x\r\nClientBase:%p\tClientSize:%x\r\n",
					LpcMessage.u2.s2.Type,
					LpcMessage.ClientId.UniqueProcess,
					LpcMessage.ClientId.UniqueThread,
					LpcMessage.u1.s1.TotalLength,
					pThreadPara->ServerView.ViewBase, pThreadPara->ServerView.ViewSize,
					pThreadPara->ClientView.ViewBase, pThreadPara->ClientView.ViewSize);

				CreateThread(NULL, 0, CommunicationThread, pThreadPara, 0, NULL);
			}
			else
			{
				NtAcceptConnectPort(&hServerCommunicateHandle, NULL,
					&LpcMessage,
					FALSE,
					NULL, NULL);
			}
		}
	}
}
int main()
{
	InitLpc();
	StartServer(SERVER_PORT_NAME);

	return 0;
}

  client.cpp

#include "..//..//Common//Common.h"
#include <stdio.h>
#include <iostream>


BOOL ConnectServer(const WCHAR* szServerPortName, COMMUNICATE& ClientCommunicate)
{
	SECURITY_QUALITY_OF_SERVICE SecurityQos;
	UNICODE_STRING	PortName;
	PORT_MESSAGE	LpcMessage;
	PORT_MESSAGE	LpcReply;


	NTSTATUS Status = 0;


	LARGE_INTEGER	SectionSize = { LARGE_MESSAGE_SIZE };
	__try
	{
		Status = NtCreateSection(&ClientCommunicate.hSectionHandle,
			SECTION_MAP_READ | SECTION_MAP_WRITE,
			NULL,
			&SectionSize,
			PAGE_READWRITE,
			SEC_COMMIT,
			NULL);
		if (Status != 0)
		{
			printf("NtReplyWaitReceivePort:%d\r\n", GetLastError());
			__leave;
		}
		RtlInitUnicodeString(&PortName, szServerPortName);
		SecurityQos.Length = sizeof(SECURITY_QUALITY_OF_SERVICE);
		SecurityQos.ImpersonationLevel = SecurityImpersonation;
		SecurityQos.EffectiveOnly = FALSE;
		SecurityQos.ContextTrackingMode = SECURITY_DYNAMIC_TRACKING;


		ClientCommunicate.ServerView.Length = sizeof(PORT_VIEW);
		ClientCommunicate.ServerView.SectionHandle = ClientCommunicate.hSectionHandle;
		ClientCommunicate.ServerView.SectionOffset = 0;
		ClientCommunicate.ServerView.ViewSize = LARGE_MESSAGE_SIZE;
		ClientCommunicate.ClientView.Length = sizeof(REMOTE_PORT_VIEW);


		Status = NtConnectPort(&ClientCommunicate.hCommunicateHandle,
			&PortName,
			&SecurityQos,
			&ClientCommunicate.ServerView,
			&ClientCommunicate.ClientView,
			0,
			NULL,
			NULL);




		if (Status != 0)
		{
			DWORD err = GetLastError();

			std::cout << "NtConnectPort Status " << Status << " error " << err << "\n";
			CloseHandle(ClientCommunicate.hSectionHandle);
			printf("NtConnectPort:%d\r\n", GetLastError());
			__leave;
		}
	}
	__finally
	{
		if (Status != 0)
		{
			return FALSE;
		}
	}
	printf("NtConnectPort Success\r\n");
	return TRUE;
}
void CommunicateWithServer(COMMUNICATE& ClientCommunicate)
{
	PORT_MESSAGE	LpcSndMsg = { 0 };
	PORT_MESSAGE	LpcRecvMsg = { 0 };
	InitializeMessageHeader(&LpcRecvMsg, sizeof(TRANSFERED_MESSAGE), 0);
	NTSTATUS NtStatus = 0;
	NtStatus = NtReplyWaitReceivePort(ClientCommunicate.hCommunicateHandle, NULL, NULL, &LpcRecvMsg);


	while (NtStatus == 0)
	{
		LpcSndMsg = LpcRecvMsg;


		scanf_s("%ws", ClientCommunicate.ServerView.ViewBase, 0x1000);
		NtStatus = NtReplyWaitReceivePort(ClientCommunicate.hCommunicateHandle, NULL, &LpcSndMsg, &LpcRecvMsg);
		if (NtStatus != 0)
		{
			NtClose(ClientCommunicate.hCommunicateHandle);
			CloseHandle(ClientCommunicate.hSectionHandle);
			printf("GetLastError:%d\r\n", GetLastError());
			break;
		}
	}
}
int main()
{
	InitLpc();
	COMMUNICATE	ClientCommunicate = { 0 };
	if (ConnectServer(SERVER_PORT_NAME, ClientCommunicate) == TRUE)
	{
		CommunicateWithServer(ClientCommunicate);
	}


	return 0;
}