четверг, 2 ноября 2017 г.

how to find rpcrt4!GlobalRpcServer

I looked through sources of rpcview and found that they used some kind of brute-force in file RpcCore.c in function GetRpcServerAddressInProcess. It looks very strange and slow - they already has some code for pdb reading, so why not just ask address of ?GlobalRpcServer@@3PEAVRPC_SERVER@@EA ?

Anyway there is better way. Lets run my exref.pl in IDA Pro on rpcrt4.dll from windows 10 build 16278:
_I_RpcServerUseProtseq2W@20: 4EFACEB0 addr 4EFACEED
_RpcServerInqBindings@4: 4EFADA90 addr 4EFADAAC
_RpcServerRegisterIfEx@24: 4EFADCB0 addr 4EFADCCC
_RpcMgmtIsServerListening@4: 4EFAE470 addr 4EFAE48D
_RpcServerInterfaceGroupActivate@4: 4EFAE5B0 addr 4EFAE5C2
_RpcServerInterfaceGroupDeactivate@8: 4EFAE5E0 addr 4EFAE5F2
_I_RpcServerUseProtseqEp2W@24: 4EFB33E0 addr 4EFB33FF
_RpcServerUnregisterIf@12: 4EFB50B0 addr 4EFB50C5
_RpcServerRegisterIf3@32: 4EFB51F0 addr 4EFB5222
_RpcServerRegisterIf2@28: 4EFDFF40 addr 4EFDFF5C
_RpcServerInqBindingsEx@8: 4EFE0080 addr 4EFE0098
_RpcServerRegisterIf@12: 4EFE02E0 addr 4EFE02F5
_I_RpcServerRegisterForwardFunction@4: 4EFE03E0 addr 4EFE03F2
_RpcServerInterfaceGroupInqBindings@8: 4F0070D0 addr 4F0070E7
_RpcServerUseAllProtseqsEx@12: 4F007150 addr 4F00722C


wow, it seems that this will be easy
Lets look at exported function I_RpcServerRegisterForwardFunction:

_I_RpcServerRegisterForwardFunction@4 proc near

pForwardFunction= dword ptr  8

                mov     edi, edi
                push    ebp
                mov     ebp, esp
                cmp     ?RpcHasBeenInitialized@@3HA, 0 ; int RpcHasBeenInitialized
                jz      loc_4F002811

loc_4EFE03F2:                         
                mov     eax, ?GlobalRpcServer@@3PAVRPC_SERVER@@A ; RPC_SERVER * GlobalRpcServer
                mov     ecx, [ebp+pForwardFunction]
                mov     [eax+0F4h], ecx
                xor     eax, eax

loc_4EFE0402:                           ; CODE XREF: I_RpcServerRegisterForwardFunction(x)+22438 j
                pop     ebp
                retn    4


With simple disasm of this function you can get GlobalRpcServer, flag RpcHasBeenInitialized and offset to RPC_SERVER_T.pRpcForwardFunction

Комментариев нет:

Отправить комментарий