{"id":18894191,"url":"https://github.com/trailofbits/rpcinvestigator","last_synced_at":"2025-04-06T10:13:58.427Z","repository":{"id":65395436,"uuid":"547544593","full_name":"trailofbits/RpcInvestigator","owner":"trailofbits","description":"Exploring RPC interfaces on Windows","archived":false,"fork":false,"pushed_at":"2024-01-30T21:44:48.000Z","size":863,"stargazers_count":320,"open_issues_count":19,"forks_count":28,"subscribers_count":8,"default_branch":"master","last_synced_at":"2025-03-30T09:07:59.306Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/trailofbits.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-10-07T21:40:29.000Z","updated_at":"2025-03-18T10:48:07.000Z","dependencies_parsed_at":"2024-02-06T04:45:17.650Z","dependency_job_id":null,"html_url":"https://github.com/trailofbits/RpcInvestigator","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":"trailofbits/dylint-template","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trailofbits%2FRpcInvestigator","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trailofbits%2FRpcInvestigator/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trailofbits%2FRpcInvestigator/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trailofbits%2FRpcInvestigator/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/trai
lofbits","download_url":"https://codeload.github.com/trailofbits/RpcInvestigator/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247464225,"owners_count":20942970,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-08T08:19:43.487Z","updated_at":"2025-04-06T10:13:58.405Z","avatar_url":"https://github.com/trailofbits.png","language":"C#","funding_links":[],"categories":[],"sub_categories":[],"readme":"# RPC Investigator\n\nPlease read our [blog post announcement](https://blog.trailofbits.com/2023/01/17/rpc-investigator-microsoft-windows-remote-procedure-call/).\n\nRPC Investigator (RPCI) is a .NET/C# Windows Forms UI application that provides an advanced discovery and analysis interface to Windows RPC endpoints. The tool provides a visual interface around the existing core RPC capabilities of the [NtApiDotNet](https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/tree/main/NtApiDotNet) platform, including:\n\n* Enumerating all active ALPC RPC servers\n* Parsing RPC servers from any PE file\n* Parsing RPC servers from processes and their loaded modules, including services\n* Pulling symbol information from a Symbol Server\n* Exporting RPC server definitions as serialized .NET objects for your own scripting\n\nBeyond these core features, RPCI provides additional capabilities:\n\n* The Client Workbench allows you to create and execute an RPC client binary on-the-fly by right-clicking on an RPC server of interest. 
The workbench has a C# code editor pane that allows you to edit the client in real time and observe results from RPC procedures executed in your code.\n* Discovered RPC servers are organized into a searchable library, allowing you to pivot RPC server data in useful ways, such as searching all RPC procedures for all servers for interesting routines through a customizable search interface.\n* The RPC Sniffer tool adds visibility into RPC-related ETW data to provide a near real-time view of active RPC calls. By combining ETW data with RPC server data from NtApiDotNet, we can build a more complete picture of ongoing RPC activity.\n\n## Common Workflows\n\nThere are several workflows that the RPC Investigator supports:\n\n- **Auditing**\n  - Enumerating all active ALPC RPC servers across all processes that are communicating with an ALPC endpoint\n  - Enumerating all RPC servers running in a Windows service\n  - Loading offline RPC servers defined in a PE file (such as an EXE or DLL)\n- **Interactive**\n  - Client Workbench: Automatically generate RPC client code that can be customized and used to call into any RPC service.\n  - RPC Sniffer: Real-time monitor of RPC-related Event Tracing for Windows (ETW) data.\n\n## Example Workflow: Analyzing the Task Scheduler RPC\n\nIn this example, we'll be inspecting the Windows Task Scheduler RPC service, which is used to manage and execute scheduled tasks. We'll find the service, generate client code, and then customize the client to interact with one of the exposed procedures.\n\nFirst, load the Windows services list by clicking **File -\u003e Load From Service**. This opens a new service list window:\n\n![](docs/img/ServiceListWindow.png)\n\nFind the **Schedule** service, which is the Windows Task Scheduler, select it, and click **Go**.\n\n![](docs/img/ScheduleService.png)\n\nRPCI will prompt you before loading all associated RPC DLLs. Click **Yes** to continue. 
Once loaded, you will see a list of all RPC servers discovered across all modules loaded in the service process. The Windows Task Scheduler RPC server has an Interface ID of [`86D35949-83C9-4044-B424-DB363231FD0C`](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/fbab083e-f79f-4216-af4c-d5104a913d40). Find the row within the list that has this Interface ID, which should have a running service named **Task Scheduler**, right-click on the row and select **New Client**.\n\n![](docs/img/TaskSchedulerClient.png)\n\nThe left portion of the client window shows RPC server metadata and command line output from the client code. The right side shows two tabs:\n\n- **Client Code** - Auto generated C# client code that can be customized to interact with one or more procedures. \n- **Procedures** - List of exposed RPC procedures.\n\nIn this example we'll be calling the [`SchRpcHighestVersion`](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/b266c231-52db-4244-88da-725cf2a9557a) procedure. This method accepts a single argument, `out int version`, which, after calling the procedure, will contain the highest Task Scheduler protocol version supported by the RPC interface. The high 16-bits are the major version and the low 16-bits are the minor version.\n\nTo call this procedure:\n\n1. In the **Client Code** window, find the **`Run`** method, which is the main entry point for the RPC client.\n2. 
Edit the **`Run`** method body to call the procedure:\n   ```cs\n   public async Task\u003cbool\u003e Run()\n   {\n       int version;\n       int status = SchRpcHighestVersion(out version);\n       if (status == 0) {\n           // High 16 bits hold the major version, low 16 bits the minor version.\n           long major = (version \u0026 0xffff0000) \u003e\u003e 16;\n           long minor = version \u0026 0x0000ffff;\n           Console.WriteLine(\"highest supported RPC version: {0}.{1}\", major, minor);\n       } else {\n           Console.WriteLine(\"call to SchRpcHighestVersion failed with error: {0:X}\", status);\n       }\n       return true;\n   }\n   ```\n\n3. After adding this code, run the client by clicking the **Run** button. This will compile the C# code and then execute the **`Run`** method.\n   - You will see a popup box with any compilation errors if the client code could not be compiled.\n\nIf compilation is successful, you will see something similar to the following in the **Output** box:\n\n```\n\u003e Run() output:\nhighest supported RPC version: 1.6\n```\n\n![](docs/img/TaskSchedulerClient-Version.png)\n\n### Configuration\n\nRPC Investigator has several configuration settings.\n\n| Setting | Description | Default |\n|---------|-------------|---------|\n| dbghelp.dll | File location of the `dbghelp.dll` module | Latest version found within the installed Windows Kits. |\n| Symbol Path | Path to Windows symbols, which can be a symbol server or local directory | Public Microsoft symbol server: `srv*c:\\symbols*https://msdl.microsoft.com/download/symbols` |\n| Trace Level | The logging trace level | `info` |\n\nThe configuration settings can be modified within the application through the **Edit -\u003e Settings** menu.\n\n## Troubleshooting\n\nAfter its initial release, RPC Investigator was converted from a .NET Framework application to a .NET 7 application. If you run into build issues, make sure Visual Studio is up-to-date. 
Wiping all build output folders prior to building from the .NET Framework version is a good idea.\n\nAlso, due to the move from the insecure BinaryFormatter class to protobuf-net, RPC libraries generated with the .NET Framework version are incompatible with the .NET 7 version.\n\nIf you're experiencing random crashes in RPC Investigator, you might find a solution in asking your administrator to tweak your EDR. We have found that some EDRs do not behave sanely with JIT'ed languages.\n\nIn some cases RPC Investigator is detected as malicious by EDRs, including some false positives on VirusTotal. This is a known issue. That's because RPC Investigator contains NtObjectManager - a package created by James Forshaw that's known to be detected (false positive) by a lot of EDRs, including Windows Defender.\n\n## Development Environment\n\n1. Install [Visual Studio Community 2022](https://visualstudio.microsoft.com/vs/community/), making sure to select the **.NET Desktop Development** workload.\n2. Download and install the latest [Windows 10 SDK](https://developer.microsoft.com/en-us/windows/downloads/windows-sdk/). Perform a full installation so that .NET 4.8.1 and Debugging Tools are installed.\n3. Open the Solution and verify that the projects loaded correctly. If there is an error about a missing .NET 4.8.1 Targeting Pack, download and install the [.NET Framework 4.8.1 Developer Pack](https://dotnet.microsoft.com/en-us/download/dotnet-framework/net481) and then restart Visual Studio.\n\n## Further Reading\n\nBecause Windows RPC has been a popular research topic for well over a decade, there are too many related resources and research efforts to name here. 
We've listed a few below that we encountered while building this tool:\n\n* https://clearbluejar.github.io/posts/surveying-windows-rpc-discovery-tools/\n* https://www.powerofcommunity.net/poc2019/James.pdf\n* https://www.tiraniddo.dev/2022/06/finding-running-rpc-server-information.html\n* https://clearbluejar.github.io/posts/from-ntobjectmanager-to-petitpotam/\n* https://itm4n.github.io/from-rpcview-to-petitpotam/\n* https://learn.microsoft.com/en-us/windows/win32/rpc/rpc-security-essentials\n* https://www.cyberark.com/resources/threat-research-blog/understanding-windows-containers-communication\n* https://github.com/silverf0x/RpcView\n* https://github.com/xpn/RpcEnum\n* https://github.com/cyberark/RPCMon\n* https://github.com/tyranid/WindowsRpcClients\n\nIf you're unfamiliar with RPC internals or need a technical refresher, we would recommend one of the authoritative sources on the topic - Alex Ionescu's 2014 SyScan talk in Singapore, [All about the RPC, LRPC, ALPC, and LPC in your PC](https://www.youtube.com/watch?v=UNpL5csYC1E).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftrailofbits%2Frpcinvestigator","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftrailofbits%2Frpcinvestigator","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftrailofbits%2Frpcinvestigator/lists"}