Rpcview
Author: m | 2025-04-23
RpcView is a free tool to explore and decompile Microsoft RPC interfaces (GitHub: silverf0x/RpcView).
RpcView is an open-source tool to explore and decompile all RPC functionalities present on a Microsoft system. You can download the latest automatically built release.

Warning: you have to install "Microsoft Visual C++ 2019 Redistributable" to use RpcView.

How to add a new RPC runtime

Basically you have two possibilities to support a new RPC runtime (rpcrt4.dll) version:

- The easy way: just edit the RpcInternals.h file in the corresponding RpcCore directories (32- and 64-bit versions) to add your runtime version to the RPC_CORE_RUNTIME_VERSION table. This only works when the new runtime keeps the same internal structure layouts as the RpcCore you add it to; if the layouts changed, the tool will read garbage and you need the next option.
- The best way: reverse rpcrt4.dll to define the required structures used by RpcView, e.g. RPC_SERVER, RPC_INTERFACE and RPC_ADDRESS.

Currently, the supported versions are organized as follows:

- RpcCore1 for Windows XP
- RpcCore2 for Windows 7
- RpcCore3 for Windows 8
- RpcCore4 for Windows 8.1 and 10

Compilation

Required elements to compile the project:

- Visual Studio (currently Visual Studio 2019 Community)
- CMake (currently 3.13.2)
- Qt5 (currently 5.15.2)

Before running CMake you have to set the CMAKE_PREFIX_PATH environment variable to the full Qt path, for instance (x64):

    set CMAKE_PREFIX_PATH=C:\Qt\5.15.2\msvc2019_64\

Before running CMake to produce the project solution you have to create the build directories:

- RpcView/Build/x64 for 64-bit targets
- RpcView/Build/x86 for 32-bit targets

Here is an example to generate the x64 solution with Visual Studio 2019 from the RpcView/Build/x64 directory:

    cmake ../../ -A x64
    -- Building for: Visual Studio 16 2019
    -- Selecting Windows SDK version 10.0.17763.0 to target Windows 10.0.19041.
    -- The C compiler identification is MSVC 19.28.29334.0
    -- The CXX compiler identification is MSVC 19.28.29334.0
    -- Check for working C compiler: C:/Program Files (x86)/Microsoft Visual Studio/2019/Community/VC/Tools/MSVC/14.28.29333/bin/Hostx64/x64/cl.exe
    -- Check for working C compiler: C:/Program Files (x86)/Microsoft Visual Studio/2019/Community/VC/Tools/MSVC/14.28.29333/bin/Hostx64/x64/cl.exe -- works
    -- Detecting C compiler ABI info
    -- Detecting C compiler ABI info - done
    -- Detecting C compile features
    -- Detecting C compile features - done
    -- Check for working CXX compiler: C:/Program Files (x86)/Microsoft Visual Studio/2019/Community/VC/Tools/MSVC/14.28.29333/bin/Hostx64/x64/cl.exe
    -- Check for working CXX compiler: C:/Program Files (x86)/Microsoft Visual Studio/2019/Community/VC/Tools/MSVC/14.28.29333/bin/Hostx64/x64/cl.exe -- works
    -- Detecting CXX compiler ABI info
    -- Detecting CXX compiler ABI info - done
    -- Detecting CXX compile features
    -- Detecting CXX compile features - done
    [RpcView]
    [RpcDecompiler]
    [RpcCore1_32bits]
    [RpcCore2_32bits]
    [RpcCore2_64bits]
    [RpcCore3_32bits]
    [RpcCore3_64bits]
    [RpcCore4_32bits]
    [RpcCore4_64bits]
    -- Configuring done
    -- Generating done
    -- Build files have been written to: C:/Dev/RpcView/Build/x64

To produce the Win32 solution:

    set CMAKE_PREFIX_PATH=C:\Qt\5.15.2\msvc2019

Then from the RpcView/Build/x86 directory:

    cmake ../../ -A win32
    -- Building for: Visual Studio 16 2019
    -- Selecting Windows SDK version 10.0.17763.0 to target Windows 10.0.19041.
    -- The C compiler identification is MSVC 19.28.29334.0
    -- The CXX compiler identification is MSVC 19.28.29334.0
    -- Check for working C compiler: C:/Program Files (x86)/Microsoft Visual Studio/2019/Community/VC/Tools/MSVC/14.28.29333/bin/Hostx64/x86/cl.exe
    -- Check for working C compiler: C:/Program Files (x86)/Microsoft Visual Studio/2019/Community/VC/Tools/MSVC/14.28.29333/bin/Hostx64/x86/cl.exe -- works
    -- Detecting C compiler ABI info
    -- Detecting C compiler ABI info - done
    -- Detecting C compile features
    -- Detecting C compile features - done
    -- Check for working CXX compiler: C:/Program Files (x86)/Microsoft Visual Studio/2019/Community/VC/Tools/MSVC/14.28.29333/bin/Hostx64/x86/cl.exe
    -- Check for working CXX compiler: C:/Program Files (x86)/Microsoft Visual Studio/2019/Community/VC/Tools/MSVC/14.28.29333/bin/Hostx64/x86/cl.exe -- works
    -- Detecting CXX compiler ABI info
    -- Detecting CXX compiler ABI info - done
    -- Detecting CXX compile features
    -- Detecting CXX compile features - done
    [RpcView]
    [RpcDecompiler]
    [RpcCore1_32bits]
    [RpcCore2_32bits]
    [RpcCore3_32bits]
    [RpcCore4_32bits]
    -- Configuring done
    -- Generating done
    -- Build files have been written to: C:/Dev/RpcView/Build/x86

Now you can compile the solution with Visual Studio or with CMake:

    cmake --build . --config Release

RpcView32 binaries are produced in the RpcView/Build/bin/x86 directory and RpcView64 ones in RpcView/Build/bin/x64.

Acknowledgements

Jeremy, Julien, Yoanne, Bruno.

From scratch. Fortunately, Microsoft RPC is a well-known protocol and has been well reverse-engineered by researchers over the past couple of decades. As a result, researchers have open-sourced a tool named RpcView, which is very handy for identifying the RPC services running on the Windows operating system. This is definitely one of my favourite RPC tools, with many useful features such as searching by RPC interface Universally Unique Identifier (UUID), by RPC interface name, and so on.

However, it does not serve our purpose here, which is to decompile and export all the RPC information into a text file. Fortunately, upon reading the source code we found that the authors had already included the functionality we need, but it is not enabled by default and can only be triggered in debug mode with a specific command-line parameter. Because of this limitation, we enabled and adapted the existing DecompileAllInterfaces function and exposed it in the RpcView GUI. If you are interested in using this feature, our custom RpcView tool is available on our GitHub repository. We discuss the benefit of the "Decompile All Interfaces" feature in the next section.

Figure 1: RpcView Decompile All Interfaces feature

When analysing the behaviour of an RPC server, we always call the APIs exposed via its RPC interface. Such interaction with an RPC server of interest can be achieved by sending an RPC request from an RPC client to the server and then observing the server's behaviour with the Process Monitor tool from Sysinternals. In my opinion, the most convenient way to do this is by scripting rather than writing a C/C++ RPC client, which requires compilation and is time consuming.

Instead, we are going to use PythonForWindows. It provides abstractions around some Windows features in a pythonic way and relies heavily on Python's ctypes. It also includes an RPC library with convenient wrapper functions that save time when writing an RPC client. For example, a typical RPC client binary needs an interface definition language (IDL) file, and you have to implement the binding yourself, which usually involves some C++ code. See Listing 1 and Listing
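As an added example (not code from the blog post, and not PythonForWindows' own code), here is what the scripted client looks like in practice. The parameter marshalling is done by hand in pure Python so that the NDR layout a wrapper normally hides is visible: an [in] long is four little-endian bytes, an [in, string] wchar_t* is a conformant varying array with a three-word header, and every item is padded to its NDR alignment. The actual call goes through PythonForWindows' ALPC client; the calls find_alpc_endpoint_and_connect, bind and call are used as that project documents them and only work on Windows. The interface UUID, version, opnum and parameter list are placeholders that you take from the RpcView decompilation of your target.

```python
import struct

# NDR (DCE 1.1 transfer syntax) encoders for the two parameter kinds the
# post cares about: [in] long and [in, string] wchar_t*.  Every item is
# aligned to its natural size relative to the start of the stub data;
# pack_params() inserts the padding.


def ndr_long(value):
    """[in] long -> 4 bytes, little endian."""
    return struct.pack("<i", value)


def ndr_wstring(text):
    """[in, string] wchar_t* (top-level ref pointer, so no referent id).
    Conformant varying array: MaxCount, Offset, ActualCount as u32
    (counts include the terminating NUL), then UTF-16LE characters."""
    data = (text + "\x00").encode("utf-16-le")
    count = len(data) // 2
    return struct.pack("<III", count, 0, count) + data


def ndr_unique_wstring(text):
    """[in, unique, string] wchar_t*: a unique pointer is preceded by a
    4-byte referent id; 0 means NULL, any non-zero value means "present"
    (0x20000 is what MIDL-generated stubs usually emit)."""
    if text is None:
        return struct.pack("<I", 0)
    return struct.pack("<I", 0x20000) + ndr_wstring(text)


# kind -> (alignment, encoder).  The u32 header/referent decides the
# alignment of both string forms.
ENCODERS = {
    "long": (4, ndr_long),
    "wstring": (4, ndr_wstring),
    "unique_wstring": (4, ndr_unique_wstring),
}


def pack_params(params):
    """params: list of (kind, value) in the order of the IDL prototype.
    Returns the NDR stub data of one request PDU."""
    out = b""
    for kind, value in params:
        align, encode = ENCODERS[kind]
        out += b"\x00" * (-len(out) % align)  # NDR alignment padding
        out += encode(value)
    return out


def send_request(iid, version, opnum, params):
    """Bind to a local RPC interface over ALPC and call one opnum.
    Windows only: needs PythonForWindows (pip install PythonForWindows).
    Returns the raw NDR response data."""
    import windows.rpc  # imported lazily so pack_params() runs anywhere
    client = windows.rpc.find_alpc_endpoint_and_connect(iid, version=version)
    binding = client.bind(iid, version=version)
    return client.call(binding, opnum, pack_params(params))


if __name__ == "__main__":
    # Placeholder interface: substitute the UUID, version, opnum and
    # parameter list shown by RpcView for the server under analysis.
    TARGET_IID = "00000000-0000-0000-0000-000000000000"
    req = [("long", 1), ("wstring", r"C:\Users\Public\probe.txt")]
    print(pack_params(req).hex())
    # send_request(TARGET_IID, (1, 0), 0, req)  # with Procmon capturing
```

Run it with Process Monitor filtering on the server's process while the call is in flight; the file operations triggered by the wide-string argument are what the next part of the analysis looks at. If the server does not accept the request, check the pointer kind first: RpcView prints [unique] on parameters that need the referent id, and top-level pointers without it are ref pointers.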
2025-04-14
2025-03-25

Be able to spot the potential symbolic link attack patterns using the Process Monitor output alone. This is why static analysis with a disassembler comes into play to help us discover race condition issues, which will be discussed in the second part of this blog series.

Microsoft Universal Telemetry Client (UTC) Case Study

Have you ever heard that Microsoft is collecting customer information, data, and file starting details on Windows 10 and above? Have you ever wondered how this works? If you are interested, you can read about it in this excellent article about the mechanism behind UTC.

To start the next phase of our analysis, we first exported all the RPC interfaces from the RpcView GUI to text files. The resulting text files contained all the RPC APIs callable on the RPC servers. From those output files we then looked for the RPC APIs that accept a wide string as input, until we encountered one of the more interesting RPC interfaces, from diagtrack.dll. Later, we confirmed that this DLL is responsible for implementing the UTC functionality, judging in particular from its description, Microsoft Windows Diagnostic Tracking, shown in the RpcView GUI.

Figure 3: RpcView reveals UTC's DLL component, and one of its RPC interfaces accepts a wide string as input

Keep in mind that our goal here is to find an API that accepts an input file path which could eventually lead to privilege escalation, as demonstrated by the Windows Task Scheduler bug. But that requirement alone leaves us with 16 candidate APIs, as shown in Figure 3. Obviously, we need to filter out the APIs that are of no interest to us, so we used IDA Pro and started with static analysis to find out which API to dive into.

I normally first locate the RPC function RpcServerRegisterIf, which is typically used to register an interface specification with the RPC server (its siblings RpcServerRegisterIfEx, RpcServerRegisterIf2 and RpcServerRegisterIf3 take the same interface specification as their first parameter, so search for all of them). The interface specification contains the definition of the RPC interface hosted by a particular RPC server. According to the MSDN documentation, the interface specification is passed in the function's first parameter, which is
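The filtering step described above (export every interface to text with the "Decompile All Interfaces" feature, then keep only the procedures that take a wide string as an [in] parameter) is easy to script, and scripting it pays off once the export covers hundreds of interfaces rather than the 16 APIs of one DLL. The block below is an added example, not code from the blog post or from RpcView; the sample input is constructed to approximate the IDL-style text RpcView emits, with a made-up UUID and procedure names, so adjust PROC_RE if your export differs in layout.

```python
import re
import sys

# Constructed sample in the IDL-like style of an RpcView export.  The UUID
# and the procedure names are made up; the attribute syntax is MIDL's.
SAMPLE_EXPORT = """\
[
uuid(00000000-0000-0000-0000-000000000000),
version(1.0),
]
interface DefaultIfName
{
long Proc0_Open(
    [in][string] wchar_t* arg_0,
    [out] long* arg_1);

long Proc1_Close(
    [in] long arg_0);

long Proc2_Submit(
    [in] long arg_0,
    [in][unique][string] wchar_t* arg_1,
    [in][size_is(arg_3)] byte* arg_2,
    [in] long arg_3);
}
"""

# return type, procedure name, then the parameter list up to ");"
PROC_RE = re.compile(r"^\s*(\w+)\s+(\w+)\s*\((.*?)\)\s*;", re.S | re.M)
ATTR_RE = re.compile(r"\[([^\]]+)\]")


def split_params(raw):
    """Split a parameter list on commas that are not nested inside [] or ()
    (size_is(a, b)-style attributes carry commas of their own)."""
    parts, depth, cur = [], 0, []
    for ch in raw:
        if ch in "[(":
            depth += 1
        elif ch in "])":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [" ".join(p.split()) for p in parts if p.strip()]


def parse_procedures(text):
    """[{'name', 'ret', 'params': [{'attrs': [...], 'decl': 'type name'}]}]
    for every procedure prototype in an exported interface."""
    procs = []
    for ret, name, raw in PROC_RE.findall(text):
        params = []
        for p in split_params(raw):
            attrs = [a.strip() for a in ATTR_RE.findall(p)]
            decl = " ".join(ATTR_RE.sub("", p).split())
            params.append({"attrs": attrs, "decl": decl})
        procs.append({"name": name, "ret": ret, "params": params})
    return procs


def wide_string_inputs(procs):
    """(procedure, declaration) for every [in] wchar_t* parameter: the
    candidates that may take an attacker-controlled path."""
    hits = []
    for proc in procs:
        for p in proc["params"]:
            if "in" in p["attrs"] and "wchar_t" in p["decl"]:
                hits.append((proc["name"], p["decl"]))
    return hits


if __name__ == "__main__":
    # Usage: python find_wstring_apis.py <exported_interface.txt>
    # (falls back to the constructed sample when no file is given)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    for name, decl in wide_string_inputs(parse_procedures(text)):
        print(f"{name}: {decl}")
```

The filter deliberately keys on the [in] attribute rather than on the type alone: an [out] wchar_t* is a buffer the server fills, not a path it opens, and including it would only inflate the candidate list you then have to walk through in IDA.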
2025-04-13