RPCMon v1.2 releases: RPC Monitor tool based on Event Tracing for Windows

by do son · Published August 15, 2022 · Updated February 10, 2023

RPCMon

A GUI tool for scanning RPC communication through Event Tracing for Windows (ETW). The tool was published as part of research on RPC communication between the host and a Windows container.

Overview

RPCMon can help researchers to get a high-level view over an RPC communication between processes. It was built like Procmon for easy usage, and uses James Forshaw .NET library for RPC. RPCMon can show you the RPC functions being called, the process who called them, and other relevant information.
RPCMon uses a hardcoded RPC dictionary for fast RPC information processing which contains information about RPC modules. It also has an option to build an RPC database so it will be updated from your computer in case some details are missing in the hardcoded RPC dictionary.

Features

A detailed overview of RPC functions activity.
Build an RPC database to parse RPC modules or use a hardcoded database.
Filter\highlight rows based on cells.
Bold specific rows.

Usage

Double click the EXE binary and you will get the GUI Windows.
RPCMon needs a DB to be able to get the details on the RPC functions, without a DB you will have missing information.
To load the DB, press on DB -> Load DB… and choose your DB. You can a DB we added to this project: /DB/RPC_UUID_Map_Windows10_1909_18363.1977.rpcdb.json.

Changelog v1.2

Fix bug in searching, filtering, and highlighting, and added auto-scroll (#3)
Fixing the filter and highlight algorithm (#5)
Fixing Column Selection window, doesn’t save selected checkboxes (#6)
Adding import and export from/to JSON, Drag&Drop, case sensitive to search\filter\highlight and change About button (#7)
Adding a wrapper function for export and changing a variable name (#8)
Adding TimeStamp column (#9 and #10)
Supporting RpcServerStart, RpcServerStop and RpcClientStart events (#11)