Skip to content

Latest commit

 

History

History
139 lines (102 loc) · 5.05 KB

README.md

File metadata and controls

139 lines (102 loc) · 5.05 KB

rpv is a v library for analyzing RPC servers and interfaces on the Windows operating system. It is inspired by RpcView and uses similar ideas for finding and investigating RPC servers. rpv does not provide a graphical user interface or a command line interface itself. The examples folder contains some examples how rpv can be used within your own projects. Moreover, the rpv-web project provides a browser based graphical user interface.

Installation


rpv is available on vpm. Assuming that v is installed, installing rpv can be done using the following command:

[user@host ~]$ v install qtc-de.rpv

After installation, rpv can be used to analyze RPC servers and interfaces in x64 processes. If you need to investigate x86 instead, you need to replace the file rpv/internals/rpc-internal-structs.v within your v modules folder (usually at ~/.vmodules) with the appropriate file from the alternate folder.

In future, this will hopefully no longer be necessary when toplevel compile time statements are added to v.

As it is already implemented by RpcView, the alternate folder may also contain different struct definitions for different versions of Windows in future. Currently, only the struct definitions for the most recent Windows releases were ported from RpcView to v.

Qickstart


The following listing shows an example on how the library can be used to enumerate RPC servers and interfaces. More examples can be found within examples folder.

import qtc_de.rpv

fn main()
{
    infos := rpv.get_rpv_process_infos() or { panic(err) }

    for info in infos
    {
        if info.rpc_info.rpc_type in [.no_rpc, .wrong_arch]
        {
            continue
        }

        println('[+]')
        println('[+] Process Name: ${info.name}')
        println('[+] PID         : ${info.pid}')
        println('[+] User        : ${info.user}')
        println('[+] Path        : ${info.path}')
        println('[+] RPC Endpoints:')

        for endpoint in info.rpc_info.server_info.endpoints
        {
            println('[+]\t ${endpoint.protocol} - ${endpoint.name}')
        }

        println('[+] RPC Interfaces:')

        for intf in info.rpc_info.interface_infos
        {
            println('[+]\t ${intf.id} (${intf.methods.len} methods)')
        }
    }
}

Documentation


Detailed documentation for the defined methods and structures can be found within the auto generated html docs. A more usage oriented documentation does not exist at the time of writing. It is recommended to look at the examples folder or the rpv-web project to learn how the library can be used.

Future Work


In future, rpv will probably extended to also work for analyzing RPC servers and interfaces from files without running processes.

Disclaimer


rpv should not be used to create applications that are accessible by untrusted clients. The library contains several unsafe code blocks, that bypass the memory safety features of v. This is required, to get the C interop working, but may introduce well known memory corruption bugs. Therefore, the library should only be used for local research projects and should not be used for applications that are exposed to untrusted clients.

Acknowledgments


Writing rpv would not have been possible without the excellent work by silverf0x (RpcView), James Forshaw (sandbox-attacksurface-analysis-tools), Nicolas Pouvesle (mIDA) and all the others that contributed to these projects. They did the real work by figuring out the different data formats used by the RPC runtime. My part was only to use this knowledge and to write a v wrapper around it :)