Overview: the ALPC call process
While studying the RPC call process I came across this article by csandker; these are my notes on it, for anyone who finds them useful: Offensive Windows IPC Internals 3: ALPC · csandker.io
Here is a diagram drawn by the article's author showing how an ALPC client and server are created and how they interact.
Also added here is the call stack seen while an RPC call is being served. The client invokes INetworkListManager::get_IsConnectedToInternet; the stack below is the server side at the moment its implementation, CImplINetworkListManager::IsConnectedToInternet, is reached. Each line is one frame: frame index, module!symbol+offset, child SP, return address. Read it from the bottom up: an ntdll thread-pool worker picks up the ALPC completion (TppAlpcpExecuteCallback), hands it to the RPC runtime's local transport over ALPC (LrpcIoComplete, LRPC_ADDRESS, LRPC_SCALL), which dispatches through RPC_INTERFACE to the COM stub and NDR unmarshalling layers before landing in the server method. One caveat: the combase frames with large offsets (for example RoGetAgileReference+0x7313) are only the nearest public symbols; the code actually belongs to private functions that public symbols do not name, so those frame names should not be taken literally.
```
[0x0] netprofmsvc!CImplINetworkListManager::IsConnectedToInternet 0xa4edffe048 0x7ffc5c7fa2d3
[0x1] RPCRT4!Invoke+0x73 0xa4edffe050 0x7ffc5c85beeb
[0x2] RPCRT4!Ndr64StubWorker+0xb0b 0xa4edffe0a0 0x7ffc5c7919e9
[0x3] RPCRT4!NdrStubCall3+0xc9 0xa4edffe760 0x7ffc5df9c490
[0x4] combase!CStdStubBuffer_Invoke+0x60 0xa4edffe7c0 0x7ffc5c7dd17b
[0x5] RPCRT4!CStdStubBuffer_Invoke+0x3b 0xa4edffe800 0x7ffc5df469c3
[0x6] combase!RoGetAgileReference+0x7313 0xa4edffe830 0x7ffc5df4674e
[0x7] combase!RoGetAgileReference+0x709e 0xa4edffe890 0x7ffc5df9efb6
[0x8] combase!HSTRING_UserSize+0x116 0xa4edffe9f0 0x7ffc5df270b3
[0x9] combase!DllGetClassObject+0x683 0xa4edffea30 0x7ffc5df98d5d
[0xa] combase!CoGetApartmentType+0x1cd 0xa4edffed80 0x7ffc5df0eb26
[0xb] combase!RoGetActivatableClassRegistration+0x87f6 0xa4edffedd0 0x7ffc5dfdc0c8
[0xc] combase!InternalDoATClassCreate+0x9c98 0xa4edfff190 0x7ffc5df10ae9
[0xd] combase!RoGetActivatableClassRegistration+0xa7b9 0xa4edfff4b0 0x7ffc5c7db128
[0xe] RPCRT4!DispatchToStubInCNoAvrf+0x18 0xa4edfff4e0 0x7ffc5c7b8146
[0xf] RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0x1a6 0xa4edfff530 0x7ffc5c7b7d76
[0x10] RPCRT4!RPC_INTERFACE::DispatchToStubWithObject+0x186 0xa4edfff610 0x7ffc5c7c4eff
[0x11] RPCRT4!LRPC_SCALL::DispatchRequest+0x16f 0xa4edfff6b0 0x7ffc5c7c44b8
[0x12] RPCRT4!LRPC_SCALL::HandleRequest+0x7f8 0xa4edfff780 0x7ffc5c7c3aa1
[0x13] RPCRT4!LRPC_ADDRESS::HandleRequest+0x341 0xa4edfff890 0x7ffc5c7c350e
[0x14] RPCRT4!LRPC_ADDRESS::ProcessIO+0x89e 0xa4edfff930 0x7ffc5c7c7b62
[0x15] RPCRT4!LrpcIoComplete+0xc2 0xa4edfffa70 0x7ffc5e710330
[0x16] ntdll!TppAlpcpExecuteCallback+0x260 0xa4edfffb10 0x7ffc5e73d566
[0x17] ntdll!TppWorkerThread+0x456 0xa4edfffb90 0x7ffc5dd17374
[0x18] KERNEL32!BaseThreadInitThunk+0x14 0xa4edfffe90 0x7ffc5e73cc91
[0x19] ntdll!RtlUserThreadStart+0x21 0xa4edfffec0 0x0
```
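As an added example (my own script, not code from csandker's article or from Microsoft), the Python below parses the stack above into frames, labels each frame with the dispatch layer it belongs to, and flags frames whose large offset from a public symbol means the printed name is only the nearest export. The layer names, the grouping rules and the 0x1000 offset threshold are my own choices; the stack text itself is the one shown above.

```python
import re
from dataclasses import dataclass

# The server-side stack from this page (netprofmsvc serving IsConnectedToInternet),
# one frame per line: [index] module!symbol(+offset) child-SP return-address.
STACK_TEXT = """
[0x0] netprofmsvc!CImplINetworkListManager::IsConnectedToInternet 0xa4edffe048 0x7ffc5c7fa2d3
[0x1] RPCRT4!Invoke+0x73 0xa4edffe050 0x7ffc5c85beeb
[0x2] RPCRT4!Ndr64StubWorker+0xb0b 0xa4edffe0a0 0x7ffc5c7919e9
[0x3] RPCRT4!NdrStubCall3+0xc9 0xa4edffe760 0x7ffc5df9c490
[0x4] combase!CStdStubBuffer_Invoke+0x60 0xa4edffe7c0 0x7ffc5c7dd17b
[0x5] RPCRT4!CStdStubBuffer_Invoke+0x3b 0xa4edffe800 0x7ffc5df469c3
[0x6] combase!RoGetAgileReference+0x7313 0xa4edffe830 0x7ffc5df4674e
[0x7] combase!RoGetAgileReference+0x709e 0xa4edffe890 0x7ffc5df9efb6
[0x8] combase!HSTRING_UserSize+0x116 0xa4edffe9f0 0x7ffc5df270b3
[0x9] combase!DllGetClassObject+0x683 0xa4edffea30 0x7ffc5df98d5d
[0xa] combase!CoGetApartmentType+0x1cd 0xa4edffed80 0x7ffc5df0eb26
[0xb] combase!RoGetActivatableClassRegistration+0x87f6 0xa4edffedd0 0x7ffc5dfdc0c8
[0xc] combase!InternalDoATClassCreate+0x9c98 0xa4edfff190 0x7ffc5df10ae9
[0xd] combase!RoGetActivatableClassRegistration+0xa7b9 0xa4edfff4b0 0x7ffc5c7db128
[0xe] RPCRT4!DispatchToStubInCNoAvrf+0x18 0xa4edfff4e0 0x7ffc5c7b8146
[0xf] RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0x1a6 0xa4edfff530 0x7ffc5c7b7d76
[0x10] RPCRT4!RPC_INTERFACE::DispatchToStubWithObject+0x186 0xa4edfff610 0x7ffc5c7c4eff
[0x11] RPCRT4!LRPC_SCALL::DispatchRequest+0x16f 0xa4edfff6b0 0x7ffc5c7c44b8
[0x12] RPCRT4!LRPC_SCALL::HandleRequest+0x7f8 0xa4edfff780 0x7ffc5c7c3aa1
[0x13] RPCRT4!LRPC_ADDRESS::HandleRequest+0x341 0xa4edfff890 0x7ffc5c7c350e
[0x14] RPCRT4!LRPC_ADDRESS::ProcessIO+0x89e 0xa4edfff930 0x7ffc5c7c7b62
[0x15] RPCRT4!LrpcIoComplete+0xc2 0xa4edfffa70 0x7ffc5e710330
[0x16] ntdll!TppAlpcpExecuteCallback+0x260 0xa4edfffb10 0x7ffc5e73d566
[0x17] ntdll!TppWorkerThread+0x456 0xa4edfffb90 0x7ffc5dd17374
[0x18] KERNEL32!BaseThreadInitThunk+0x14 0xa4edfffe90 0x7ffc5e73cc91
[0x19] ntdll!RtlUserThreadStart+0x21 0xa4edfffec0 0x0
"""

FRAME_RE = re.compile(
    r"\[0x(?P<idx>[0-9a-f]+)\]\s+(?P<module>[^!\s]+)!(?P<symbol>[^\s+]+)"
    r"(?:\+0x(?P<off>[0-9a-f]+))?\s+0x[0-9a-f]+\s+0x[0-9a-f]+$")

# Ordered rules mapping module!symbol to a dispatch layer; first match wins.
# The grouping and labels are my own (assumption), chosen to mirror the path above.
LAYER_RULES = [
    (re.compile(r"ntdll!Tpp\w*Alpc"), "thread pool ALPC completion"),
    (re.compile(r"ntdll!(Tpp|RtlUserThreadStart)|KERNEL32!"), "thread pool worker / thread start"),
    (re.compile(r"RPCRT4!(LrpcIoComplete|LRPC_)"), "LRPC transport (RPC over ALPC)"),
    (re.compile(r"RPCRT4!(RPC_INTERFACE::|DispatchToStub)"), "RPC interface dispatch"),
    (re.compile(r"(RPCRT4|combase)!CStdStubBuffer_Invoke"), "COM stub invoke"),
    (re.compile(r"RPCRT4!(Ndr|Invoke)"), "NDR stub unmarshalling"),
    (re.compile(r"combase!"), "COM (combase) object resolution"),
]
# An offset this far past a public symbol normally means the code belongs to a private
# function and the debugger printed the nearest export. Threshold is my rule of thumb.
SUSPICIOUS_OFFSET = 0x1000


@dataclass
class Frame:
    index: int
    module: str
    symbol: str
    offset: int

    @property
    def name(self) -> str:
        return f"{self.module}!{self.symbol}"

    @property
    def layer(self) -> str:
        for pattern, label in LAYER_RULES:
            if pattern.match(self.name):
                return label
        return "server implementation"  # not in any known runtime module

    @property
    def symbol_is_approximate(self) -> bool:
        return self.offset >= SUSPICIOUS_OFFSET


def parse_stack(text: str) -> list[Frame]:
    """Turn debugger text into Frame objects; reject any line that is not a frame."""
    frames = []
    for line in text.strip().splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised frame line: {line!r}")
        frames.append(Frame(int(m["idx"], 16), m["module"], m["symbol"], int(m["off"] or "0", 16)))
    return frames


def dispatch_path(frames: list[Frame]) -> list[str]:
    """Layers crossed from thread start (deepest frame) up to the server method."""
    path: list[str] = []
    for f in sorted(frames, key=lambda f: f.index, reverse=True):
        if not path or path[-1] != f.layer:
            path.append(f.layer)
    return path


if __name__ == "__main__":
    frames = parse_stack(STACK_TEXT)
    for f in frames:
        note = "  (nearest public symbol only)" if f.symbol_is_approximate else ""
        print(f"[{f.index:#04x}] {f.layer:<34} {f.name}+{f.offset:#x}{note}")
    print("dispatch path:", " -> ".join(dispatch_path(frames)))
```

Running it prints the eight-layer path from the thread-pool worker through the ALPC completion callback, the LRPC transport, RPC interface dispatch, combase, the COM stub and NDR layers to the server method, and marks frames 0x6, 0x7, 0xb, 0xc and 0xd as names not to be trusted. The same parser works on any stack copied from a WinDbg stack window in this format, which is handy when comparing the server-side path of different ALPC-backed RPC interfaces.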