RPC Investigator: advanced discovery and analysis interface to Windows RPC endpoints

RPC Investigator

RPC Investigator (RPCI) is a .NET/C# Windows Forms UI application that provides an advanced discovery and analysis interface to Windows RPC endpoints. The tool provides a visual interface around the existing core RPC capabilities of the NtApiDotNet platform, including:

  • Enumerating all active ALPC RPC servers
  • Parsing RPC servers from any PE file
  • Parsing RPC servers from processes and their loaded modules, including services
  • Pulling symbol information from a Symbol Server
  • Exporting RPC server definitions as serialized .NET objects for your own scripting

Beyond these core features, RPCI provides additional capabilities:

  • The Client Workbench allows you to create and execute an RPC client binary on-the-fly by right-clicking on an RPC server of interest. The workbench has a C# code editor pane that allows you to edit the client in real time and observe results from RPC procedures executed in your code.
  • Discovered RPC servers are organized into a searchable library, allowing you to pivot RPC server data in useful ways, such as searching all RPC procedures for all servers for interesting routines through a customizable search interface.
  • The RPC Sniffer tool adds visibility into RPC-related ETW data to provide a near real-time view of active RPC calls. By combining ETW data with RPC server data from NtApiDotNet, we can build a more complete picture of ongoing RPC activity.

Common Workflows

There are several workflows that the RPC Investigator supports:

  • Auditing
    • Enumerating all active ALPC RPC servers across all processes that are communicating with an ALPC endpoint
    • Enumerating all RPC servers running in a Windows service
    • Loading offline RPC servers defined in a PE file (such as an EXE or DLL)
  • Interactive
    • Client Workbench: Automatically generate RPC client code that can be customized and used to call into any RPC service.
    • RPC Sniffer: Real-time monitor of RPC-related Event Tracing for Windows (ETW) data.
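As an added illustration of the auditing workflow above (not code from RPC Investigator or from NtApiDotNet's own samples), the following C# program uses NtApiDotNet to list the RPC interfaces and procedures compiled into a PE file and to emit the generated client source that the Client Workbench would otherwise produce for the first server found. The `ParsePeFile` and `RpcClientBuilder.BuildSource` signatures are quoted from memory of the NtApiDotNet API, and the symbol-path arguments are assumed to accept `null` for library defaults; the sample target path is a placeholder.

```csharp
using System;
using System.Linq;
using NtApiDotNet.Win32;      // RpcServer, NdrProcedureDefinition
using NtApiDotNet.Win32.Rpc;  // RpcClientBuilder

// Added example, not part of RPC Investigator. Audits the RPC attack surface
// exposed by a DLL/EXE by enumerating every interface it registers.
class RpcSurfaceAudit
{
    static void Main(string[] args)
    {
        // Placeholder sample target; pass any PE file as the first argument.
        string path = args.Length > 0 ? args[0] : @"C:\Windows\System32\PLACEHOLDER.dll";

        // Assumption: null dbghelp/symbol paths fall back to NtApiDotNet defaults.
        // Without symbols, procedure names come out as Proc0, Proc1, ... but the
        // interface IDs, versions and parameter shapes are still recovered.
        var servers = RpcServer.ParsePeFile(path, null, null).ToList();
        Console.WriteLine($"{servers.Count} RPC server(s) found in {path}");

        foreach (RpcServer server in servers)
        {
            Console.WriteLine(
                $"\n{server.InterfaceId} v{server.InterfaceVersion} " +
                $"at offset 0x{server.Offset:X} with {server.Procedures.Count()} procedure(s)");

            // Each procedure is a remotely reachable entry point; list its arity so a
            // reviewer can prioritise routines that take complex or string inputs.
            foreach (NdrProcedureDefinition proc in server.Procedures)
                Console.WriteLine($"  [{proc.ProcNum,3}] {proc.Name} ({proc.Params.Count} param(s))");
        }

        if (servers.Count > 0)
        {
            // Same generation step the Client Workbench performs: produce a C# client
            // class for the interface, which can be reviewed or compiled separately.
            string source = RpcClientBuilder.BuildSource(servers[0]);
            Console.WriteLine("\n--- generated client source ---");
            Console.WriteLine(source);
        }
    }
}
```

Run on a machine with NtApiDotNet referenced; point the symbol-path arguments at a local DbgHelp and symbol server to recover real procedure names instead of placeholders.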

Please read our blog post announcement.

Install & Use

Copyright (C) 2023 trailofbits
