Target Specific - General: Identifying MSRPC interfaces and its idl information when mida and !getrpc fails

Topic created on: October 26, 2008 06:24 CDT by nickycoder .

Hi,

This is a query regarding MSRPC interfaces and identifying its idl information when mida and !getrpc fails.

I would like to ask the forum about the available options if I fail to identify the function pointers and IDL info using mIDA in IDA and the !getrpc module in Immunity Debugger (when RPC interfaces and their opnums are present).

I hit such a challenge while reversing netapi32.dll recently. I was able to get the RPC interfaces using mIDA but not the opnums or function pointers (so no IDL info). Then I tried it in Immunity Debugger and found that it didn't give me any information. So I checked the "getrpc script" itself and found that the offsets it was trying to fetch (which is the transfer syntax) had no information other than the RPC interface address [no dispatch table info or "Interpreter Info"]. So that's why getrpc failed to give any valuable information. [more details attached below]


1. Is there any other way to find the RPC info from a DLL or EXE, and also its function pointers and IDL information?
2. Is the logic of finding an RPC interface the same as !getrpc, where it tries to find "\x04\x5d\x88\x8a" [transfer syntax] in the module, with the offset set to "-18" from the current location of "\x04\x5d\x88\x8a"?

------------------
[Details of rpc in raw format]
[offset + codeaddr is 0x5b8642f8, codeaddr is the module base; copied from getrpc script; Thanks to jms]

(offset + codeaddr      => "Length")
(offset + codeaddr+4    => "Interface UUID" (uuid, major, minor))
(offset + codeaddr+0x18 => "Transfer syntax")
(offset + codeaddr+0x2c => "Dispatch Table")
(offset + codeaddr+0x30 => "RpcProtseqEndpointCount")
(offset + codeaddr+0x34 => "RpcProtseqEndpoint")
(offset + codeaddr+0x38 => "Default Manager")
(offset + codeaddr+0x3c => "Interpreter Info")
(offset + codeaddr+0x40 => "Flags")

.text:5B8642F0  00 00 00 00 00 00 00 00  44 00 00 00 C8 4F 32 4B
.text:5B864300  70 16 D3 01 12 78 5A 47  BF 6E E1 88 03 00 00 00
.text:5B864310  04 5D 88 8A EB 1C C9 11  9F E8 08 00 2B 10 48 60
.text:5B864320  02 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
.text:5B864330  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00



Any ideas or information regarding this would be very much appreciated!!!

  anonymouse     October 27, 2008 09:45.22 CDT
RPC_SERVER_INTERFACE is

typedef struct _RPC_SERVER_INTERFACE
{
    unsigned int Length;
    RPC_SYNTAX_IDENTIFIER InterfaceId;
    RPC_SYNTAX_IDENTIFIER TransferSyntax;
    PRPC_DISPATCH_TABLE DispatchTable;
    unsigned int RpcProtseqEndpointCount;
    PRPC_PROTSEQ_ENDPOINT RpcProtseqEndpoint;
    RPC_MGR_EPV __RPC_FAR *DefaultManagerEpv;
    void const __RPC_FAR *InterpreterInfo;
    unsigned int Flags ;
} RPC_SERVER_INTERFACE, __RPC_FAR * PRPC_SERVER_INTERFACE;


RPC_SYNTAX_IDENTIFIER is

typedef struct _RPC_SYNTAX_IDENTIFIER {
    GUID SyntaxGUID;
    RPC_VERSION SyntaxVersion;
} RPC_SYNTAX_IDENTIFIER, __RPC_FAR * PRPC_SYNTAX_IDENTIFIER;


RPC_VERSION is

typedef struct _RPC_VERSION {
    unsigned short MajorVersion;
    unsigned short MinorVersion;
} RPC_VERSION;

GUID is

#ifndef GUID_DEFINED
#define GUID_DEFINED
#if defined(__midl)
typedef struct {
    unsigned long  Data1;
    unsigned short Data2;
    unsigned short Data3;
    byte           Data4[ 8 ];
} GUID;
#else
typedef struct _GUID {
    unsigned long  Data1;
    unsigned short Data2;
    unsigned short Data3;
    unsigned char  Data4[ 8 ];
} GUID;

#endif
#endif


This GUID (the NDR transfer syntax) is defined in the MS-RPCE document:

2.2.4.10   NDR Transfer Syntax Identifier
[C706-AppendixIProtocolID] Appendix I, Protocol Identifiers, specifies the NDR transfer syntax
identifier. These extensions augment the version number of the same NDR transfer syntax UUID to
be 2.0, as specified in the following table.  
UUID                                   Version   Comments
8a885d04-1ceb-11c9-9fe8-08002b104860   02        Version 2.0 data representation protocol


So, putting netapi32 in WinDbg and searching for that UUID,
I can find the following instances of RPC_SERVER_INTERFACE:




0:002> .foreach  /ps 5 /pS 0 ( place {s -d  5b860000 L?(5b8b4000-5b860000) 0x8a885d04 } ) {dt ntdll!_guid place; .echo place}
{8a885d04-1ceb-11c9-9fe8-08002b104860}
   +0x000 Data1            : 0x8a885d04
   +0x004 Data2            : 0x1ceb
   +0x006 Data3            : 0x11c9
   +0x008 Data4            : [8]  "???"
5b863d28
{8a885d04-1ceb-11c9-9fe8-08002b104860}
   +0x000 Data1            : 0x8a885d04
   +0x004 Data2            : 0x1ceb
   +0x006 Data3            : 0x11c9
   +0x008 Data4            : [8]  "???"
5b863e58
{8a885d04-1ceb-11c9-9fe8-08002b104860}
   +0x000 Data1            : 0x8a885d04
   +0x004 Data2            : 0x1ceb
   +0x006 Data3            : 0x11c9
   +0x008 Data4            : [8]  "???"
5b864150
{8a885d04-1ceb-11c9-9fe8-08002b104860}
   +0x000 Data1            : 0x8a885d04
   +0x004 Data2            : 0x1ceb
   +0x006 Data3            : 0x11c9
   +0x008 Data4            : [8]  "???"
5b864310
{8a885d04-1ceb-11c9-9fe8-08002b104860}
   +0x000 Data1            : 0x8a885d04
   +0x004 Data2            : 0x1ceb
   +0x006 Data3            : 0x11c9
   +0x008 Data4            : [8]  "???"
5b8652f0
{8a885d04-1ceb-11c9-9fe8-08002b104860}
   +0x000 Data1            : 0x8a885d04
   +0x004 Data2            : 0x1ceb
   +0x006 Data3            : 0x11c9
   +0x008 Data4            : [8]  "???"
5b865aa8
{8a885d04-1ceb-11c9-9fe8-08002b104860}
   +0x000 Data1            : 0x8a885d04
   +0x004 Data2            : 0x1ceb
   +0x006 Data3            : 0x11c9
   +0x008 Data4            : [8]  "???"
5b867368
{8a885d04-1ceb-11c9-9fe8-08002b104860}
   +0x000 Data1            : 0x8a885d04
   +0x004 Data2            : 0x1ceb
   +0x006 Data3            : 0x11c9
   +0x008 Data4            : [8]  "???"
5b867858


So if !getrpc is looking for those hardcoded bytes, then it seems to be the logical way.

These are in the .data (?) section, so they are probably filled in with InterpreterInfo etc. just before they are called.
Try breaking on one call which utilises these fields, and you might find the filled-in structures.
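Decoding the bytes from the original post against the structs quoted above, as an added example (this is not code from the thread, from mIDA, or from the getrpc script; the function names are my own). It performs the same search !getrpc does, i.e. find the little-endian bytes of the NDR transfer-syntax GUID and step back 0x18 to the start of the RPC_SERVER_INTERFACE, then decodes every field and checks the Length sanity value. The input bytes are copied from the .text:5B8642F0 dump in the question.

```python
import struct
import uuid

# Constructed input: the hex dump of netapi32.dll at .text:5B8642F0 quoted in the thread.
DUMP_BASE = 0x5B8642F0
DUMP_HEX = """
00 00 00 00 00 00 00 00 44 00 00 00 C8 4F 32 4B
70 16 D3 01 12 78 5A 47 BF 6E E1 88 03 00 00 00
04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60
02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
"""
DUMP = bytes.fromhex(DUMP_HEX)

# NDR transfer syntax from MS-RPCE 2.2.4.10; its Data1 stored little-endian
# is the "\x04\x5d\x88\x8a" pattern !getrpc scans for.
NDR_TRANSFER_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")
NDR_SIGNATURE = b"\x04\x5d\x88\x8a"
TRANSFER_SYNTAX_OFFSET = 0x18          # TransferSyntax field offset in RPC_SERVER_INTERFACE
RPC_SERVER_INTERFACE_SIZE = 0x44       # sizeof(RPC_SERVER_INTERFACE) on 32-bit, stored in Length


def parse_syntax_id(buf, off):
    """RPC_SYNTAX_IDENTIFIER: a GUID (Data1..Data3 little-endian, Data4 raw) + RPC_VERSION."""
    d1, d2, d3 = struct.unpack_from("<IHH", buf, off)
    d4 = buf[off + 8:off + 16]
    guid = uuid.UUID(fields=(d1, d2, d3, d4[0], d4[1], int.from_bytes(d4[2:], "big")))
    major, minor = struct.unpack_from("<HH", buf, off + 16)
    return guid, major, minor


def parse_server_interface(buf, off):
    """Decode one RPC_SERVER_INTERFACE starting at buf[off] into a dict of fields."""
    fields = {}
    (fields["Length"],) = struct.unpack_from("<I", buf, off)
    fields["InterfaceId"] = parse_syntax_id(buf, off + 4)
    fields["TransferSyntax"] = parse_syntax_id(buf, off + TRANSFER_SYNTAX_OFFSET)
    (fields["DispatchTable"], fields["RpcProtseqEndpointCount"],
     fields["RpcProtseqEndpoint"], fields["DefaultManagerEpv"],
     fields["InterpreterInfo"], fields["Flags"]) = struct.unpack_from("<6I", buf, off + 0x2C)
    return fields


def find_interfaces(buf, base):
    """Mirror the !getrpc approach: locate the NDR signature, step back 0x18, validate."""
    found = []
    pos = buf.find(NDR_SIGNATURE)
    while pos >= 0:
        off = pos - TRANSFER_SYNTAX_OFFSET
        if 0 <= off and off + RPC_SERVER_INTERFACE_SIZE <= len(buf):
            iface = parse_server_interface(buf, off)
            # Reject stray matches: Length must be sizeof(RPC_SERVER_INTERFACE) and the
            # full transfer-syntax GUID (not just its first four bytes) must match.
            if (iface["Length"] == RPC_SERVER_INTERFACE_SIZE
                    and iface["TransferSyntax"][0] == NDR_TRANSFER_SYNTAX):
                found.append((base + off, iface))
        pos = buf.find(NDR_SIGNATURE, pos + 1)
    return found


def has_stub_info(iface):
    """True only if there is a dispatch table or interpreter info to follow for opnums/IDL."""
    return iface["DispatchTable"] != 0 or iface["InterpreterInfo"] != 0


if __name__ == "__main__":
    for addr, iface in find_interfaces(DUMP, DUMP_BASE):
        guid, major, minor = iface["InterfaceId"]
        print("RPC_SERVER_INTERFACE at 0x%08X: %s v%d.%d" % (addr, guid, major, minor))
        print("  DispatchTable=0x%08X InterpreterInfo=0x%08X stub info present: %s"
              % (iface["DispatchTable"], iface["InterpreterInfo"], has_stub_info(iface)))
```

On the dump from the question this recovers exactly one structure, at 0x5B8642F8 with Length 0x44, interface 4b324fc8-1670-01d3-1278-5a47bf6ee188 version 3.0 and transfer syntax 8a885d04-... version 2.0, with DispatchTable, RpcProtseqEndpoint, DefaultManagerEpv and InterpreterInfo all zero, which is why !getrpc had nothing beyond the interface address to report. Checking the full 16-byte GUID and the Length field, rather than only the four-byte signature, is what keeps a raw byte scan from reporting false positives.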
