hartl3y94 / rpcsniffer

This project is a fork of adiko/rpcsniffer.

RPCSniffer sniffs Windows RPC messages in a given RPC server process.

RPCSniffer

RPCSniffer sniffs RPC messages in a given RPC server process.

(Screenshot in the original README: sniffing example in the spoolsv process.)

General Information

With RPCSniffer you can explore the RPC messages that an RPC server process on a Microsoft Windows system receives and sends. The data given for each RPC message contains the following details:

  • Type (Async/Sync, Request/Response)
  • Process number
  • Thread number
  • Procedure number
  • Transfer Info
    • GUID
    • RPC minor version
    • RPC major version
  • Interface Info
    • GUID
    • Dispatch table pointer
    • Dispatch table size
    • Dispatch table function pointer
  • MIDL Info
    • Dispatch pointer
    • Server function address
  • RPC Flags
  • RPC Data
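The fields above come from walking the RPC_MESSAGE that the server-side runtime hands to the stub: the message carries ProcNum plus pointers to the transfer syntax and to the RPC_SERVER_INTERFACE, whose RPC_DISPATCH_TABLE and MIDL_SERVER_INFO are both indexed by ProcNum. The Python below is an added example written for this page, not rpcsniffer's own code. It packs a constructed 64-bit RPC_MESSAGE, RPC_SERVER_INTERFACE, dispatch table and MIDL_SERVER_INFO into a fake memory buffer (layouts from the public rpcdce.h and rpcndr.h definitions with x64 alignment) and resolves each listed field from the message pointer, checking ProcNum against the dispatch table size. The interface GUID, the addresses and the request bytes are made-up constants; the NDR transfer-syntax GUID is the real one.

```python
"""Walk a 64-bit Windows RPC_MESSAGE the way an in-process sniffer would.

Added example, not rpcsniffer's code. Process memory is a flat bytearray
constructed below; the real tool reads the debuggee with WinAppDbg.
Runs on Python 3 and 2.7.
"""
import struct
import uuid

# x64 layouts, little-endian, 8-byte pointers; "4x" is compiler padding
# after a 4-byte field that precedes a pointer.
RPC_MESSAGE_FMT = "<QL4xQIIQQQQQL4x"           # rpcdce.h RPC_MESSAGE, 80 bytes
SYNTAX_ID_FMT = "<16sHH"                       # GUID + major/minor version, 20 bytes
SERVER_INTERFACE_FMT = "<I4x20s20sQI4xQQQI4x"  # RPC_SERVER_INTERFACE, 96 bytes
DISPATCH_TABLE_FMT = "<I4xQq"                  # DispatchTableCount, DispatchTable*, Reserved
MIDL_SERVER_INFO_HEAD_FMT = "<QQ"              # pStubDesc, DispatchTable (first two fields)
RPC_BUFFER_ASYNC = 0x8000                      # RpcFlags bit set on async calls (rpcdce.h)
NDR_TRANSFER_SYNTAX = "8a885d04-1ceb-11c9-9fe8-08002b104860"  # standard NDR, v2.0


class FakeMemory(object):
    """Flat address space standing in for the debuggee (constructed)."""

    def __init__(self, size):
        self.buf = bytearray(size)

    def write(self, addr, data):
        self.buf[addr:addr + len(data)] = data

    def read(self, addr, size):
        if addr + size > len(self.buf):   # a debugger read of an unmapped page fails too
            raise ValueError("read outside mapped memory at 0x%x" % addr)
        return bytes(self.buf[addr:addr + size])


def pack_syntax_id(guid_text, major, minor):
    return struct.pack(SYNTAX_ID_FMT, uuid.UUID(guid_text).bytes_le, major, minor)


def parse_syntax_id(raw):
    guid_le, major, minor = struct.unpack(SYNTAX_ID_FMT, raw)
    return {"guid": str(uuid.UUID(bytes_le=guid_le)), "major": major, "minor": minor}


def walk_rpc_message(mem, msg_addr):
    """Resolve the fields the sniffer reports from one RPC_MESSAGE pointer."""
    (_handle, _data_rep, buf, buf_len, proc_num, xfer_ptr, iface_ptr,
     _reserved, _mgr_epv, _import_ctx, flags) = struct.unpack(
        RPC_MESSAGE_FMT, mem.read(msg_addr, struct.calcsize(RPC_MESSAGE_FMT)))
    transfer = parse_syntax_id(mem.read(xfer_ptr, struct.calcsize(SYNTAX_ID_FMT)))

    (length, iface_id_raw, _xfer_raw, dispatch_ptr, _ep_count, _ep_ptr,
     _default_epv, interp_info, _iface_flags) = struct.unpack(
        SERVER_INTERFACE_FMT, mem.read(iface_ptr, struct.calcsize(SERVER_INTERFACE_FMT)))
    if length != struct.calcsize(SERVER_INTERFACE_FMT):
        raise ValueError("RPC_SERVER_INTERFACE.Length %d is not the x64 size" % length)

    count, stub_table, _ = struct.unpack(
        DISPATCH_TABLE_FMT, mem.read(dispatch_ptr, struct.calcsize(DISPATCH_TABLE_FMT)))
    if proc_num >= count:
        raise ValueError("ProcNum %d outside dispatch table of %d entries" % (proc_num, count))
    # The dispatch table entry is the runtime stub (typically NdrServerCall2 for
    # MIDL interfaces); the real routine is MIDL_SERVER_INFO.DispatchTable[ProcNum].
    stub_fn = struct.unpack("<Q", mem.read(stub_table + 8 * proc_num, 8))[0]
    _stub_desc, midl_table = struct.unpack(MIDL_SERVER_INFO_HEAD_FMT, mem.read(interp_info, 16))
    server_fn = struct.unpack("<Q", mem.read(midl_table + 8 * proc_num, 8))[0]

    return {"is_async": bool(flags & RPC_BUFFER_ASYNC), "proc_num": proc_num,
            "transfer": transfer, "interface": parse_syntax_id(iface_id_raw),
            "dispatch_table": dispatch_ptr, "dispatch_table_size": count,
            "dispatch_function": stub_fn, "midl_dispatch": midl_table,
            "server_function": server_fn, "flags": flags, "data": mem.read(buf, buf_len)}


# Constructed sample: one sync request for ProcNum 2 of a made-up interface.
DEMO_INTERFACE = "12345678-1234-abcd-ef00-0123456789ab"   # assumption, not a real interface
MSG, XFER, IFACE, DISP, STUBS, MIDL, ROUTINES, BUF = (
    0x1000, 0x2000, 0x3000, 0x4000, 0x4100, 0x5000, 0x5100, 0x7000)


def build_demo_memory():
    mem = FakeMemory(0x8000)
    payload = b"\x05\x00\x00\x00\x00\x00\x00\x00"           # constructed request body
    mem.write(BUF, payload)
    mem.write(XFER, pack_syntax_id(NDR_TRANSFER_SYNTAX, 2, 0))
    mem.write(STUBS, struct.pack("<3Q", 0x7FF000001000, 0x7FF000001000, 0x7FF000001000))
    mem.write(DISP, struct.pack(DISPATCH_TABLE_FMT, 3, STUBS, 0))
    mem.write(ROUTINES, struct.pack("<3Q", 0x7FF000002000, 0x7FF000002100, 0x7FF000002200))
    mem.write(MIDL, struct.pack(MIDL_SERVER_INFO_HEAD_FMT, 0, ROUTINES))
    mem.write(IFACE, struct.pack(SERVER_INTERFACE_FMT, 96,
                                 pack_syntax_id(DEMO_INTERFACE, 1, 0),
                                 pack_syntax_id(NDR_TRANSFER_SYNTAX, 2, 0),
                                 DISP, 0, 0, 0, MIDL, 0))
    mem.write(MSG, struct.pack(RPC_MESSAGE_FMT, 0xDEADBEEF, 0x10, BUF, len(payload), 2,
                               XFER, IFACE, 0, 0, 0, 0x1000))   # 0x1000 = RPC_BUFFER_COMPLETE
    return mem, MSG


if __name__ == "__main__":
    memory, msg = build_demo_memory()
    for key, value in sorted(walk_rpc_message(memory, msg).items()):
        print("%-20s %r" % (key, value))
```

The ProcNum bound check matters in practice: a sniffer that indexes the dispatch table with an unchecked ProcNum reads past the table on a malformed or fuzzed request, and the Length check guards against applying the x64 layout to a 32-bit server.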

Install steps

  1. Install Python 2.7 (64-bit, so that WinAppDbg can attach to 64-bit server processes such as spoolsv.exe on x64 Windows)

  2. Install the latest WinAppDbg Python package

  3. Install Wireshark

  4. Install the latest Pyreshark Python module for Wireshark

  5. Copy the file "pyreshark_rpc_dissector/rpc_protocol.py" to "C:\Program Files\Wireshark\python\protocols"

Run

  1. Start Wireshark from cmd and point it at rpcsniffer's named pipe as the capture interface
	"C:\Program Files\Wireshark\Wireshark.exe" -i \\.\pipe\RPCSniffer
  2. Run python main.py with the server process to listen to, given either by PID or by process name
    python main.py --help
    usage: main.py [-h] (-p PID | -n PROCNAME)
    main.py: error: one of the arguments -p/--pid -n/--procname is required
  3. Go back to Wireshark and click "Start"
  4. From now on you'll get all RPC messages in Wireshark

Implementation

Check the wiki for more info.

TODO

This project is a PoC for now, but you can help me add some stunning features that will allow us to really understand RPC internals.

  • Dissect the RPC raw data (maybe by using the RPCView decompiler and finding a MIDL dissector?)
  • Integrate it with the Wireshark MIDL dissector itself
  • Retrieve more data from the RPC message (I used ReactOS to parse the RPC_MESSAGE). Can you find more useful data in this Windows struct?
  • ALPC sniffing
  • Record all RPC messages for fun and fuzzing

Anyway, I'd be more than happy to receive bug reports, suggestions and anything else.

Some Comments

  • It's very useful to use the powerful and free tool called RPCView for finding interesting RPC server processes, decompiling their interfaces and more. Take a look at http://rpcview.org/index.html

Contributors

  • adiko
