RPC Investigator: advanced discovery and analysis interface to Windows RPC endpoints

RPC Investigator

RPC Investigator (RPCI) is a .NET/C# Windows Forms UI application that provides an advanced discovery and analysis interface to Windows RPC endpoints. The tool provides a visual interface around the existing core RPC capabilities of the NtApiDotNet platform, including:

• Enumerating all active ALPC RPC servers
• Parsing RPC servers from any PE file
• Parsing RPC servers from processes and their loaded modules, including services
• Pulling symbol information from a Symbol Server
• Exporting RPC server definitions as serialized .NET objects for your own scripting

Beyond these core features, RPCI provides additional capabilities:

• The Client Workbench allows you to create and execute an RPC client binary on-the-fly by right-clicking on an RPC server of interest. The workbench has a C# code editor pane that allows you to edit the client in real time and observe results from RPC procedures executed in your code.
• Discovered RPC servers are organized into a searchable library, allowing you to pivot RPC server data in useful ways, such as searching all RPC procedures for all servers for interesting routines through a customizable search interface.
• The RPC Sniffer tool adds visibility into RPC-related ETW data to provide a near real-time view of active RPC calls. By combining ETW data with RPC server data from NtApiDotNet, we can build a more complete picture of ongoing RPC activity.

Common Workflows

There are several workflows that the RPC Investigator supports:

• Auditing
  • Enumerating all active ALPC RPC servers across all processes that are communicating with an ALPC endpoint
  • Enumerating all RPC servers running in a Windows service
  • Loading offline RPC servers defined in a PE file (such as an EXE or DLL)
• Interactive
  • Client Workbench: Automatically generate RPC client code that can be customized and used to call into any RPC service.
  • RPC Sniffer: Realtime monitor of RPC-related Event Tracing for Windows (ETW) data.

Please read our blog post announcement.

Install & Use

Copyright (C) 2023 trailofbits