⚠ Switch to EXCALIDRAW VIEW in the MORE OPTIONS menu of this document. ⚠ You can decompress Drawing data with the command palette: ‘Decompress current Excalidraw file’. For more info check in plugin settings under ‘Saving’

RPC_SERVER_INTERFACE

// Server-side interface descriptor of the Windows RPC runtime; the combase.dll
// dump further down this page is read directly against this layout. In that
// dump Length (+0x00) is 0x60, the DispatchTable pointer sits at +0x30 and the
// InterpreterInfo pointer at +0x50, i.e. the pointer members are 8-byte aligned.
typedef struct _RPC_SERVER_INTERFACE
{
    unsigned int Length;                        // size of this structure in bytes (0x60 in the dump on this page)
    RPC_SYNTAX_IDENTIFIER InterfaceId;          // interface GUID + version
    RPC_SYNTAX_IDENTIFIER TransferSyntax;       // in the dump this decodes to the DCE NDR GUID listed under "Transfer Syntax"
    PRPC_DISPATCH_TABLE DispatchTable;          // RPC_DISPATCH_TABLE: entry count + table of dispatch routines
    unsigned int RpcProtseqEndpointCount;       // 0 in the dump on this page
    PRPC_PROTSEQ_ENDPOINT RpcProtseqEndpoint;   // NULL in the dump on this page
    RPC_MGR_EPV __RPC_FAR *DefaultManagerEpv;   // NULL in the dump on this page
    void const __RPC_FAR *InterpreterInfo;      // _MIDL_SERVER_INFO_: stub descriptor, ProcString, FmtStringOffset
    // NOTE(review): as written this layout totals 0x58 bytes on x64, yet the dump's
    // Length is 0x60 and 8 more bytes follow InterpreterInfo; the SDK definition ends
    // with a 4-byte Flags member — confirm against rpcdcep.h before sizing by hand.
} RPC_SERVER_INTERFACE, __RPC_FAR * PRPC_SERVER_INTERFACE;

ShellCode

如下所示为 combase.dll 中 [[【调试技术】RPC|RPC]]_SERVER_INTERFACE 的内容:

60 00 00 00 70 07 F7 18  64 8E CF 11 9A F1 00 20
AF 6E 72 F4 00 00 00 00  04 5D 88 8A EB 1C C9 11
9F E8 08 00 2B 10 48 60  02 00 00 00 00 00 00 00
C0 4C 25 80 01 00 00 00  00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
80 4C 25 80 01 00 00 00  00 00 00 04 00 00 00 00

上述内容可以直接用 RPC_SERVER_INTERFACE 解析,结构体是对齐的。

NDR_PROC_DESC

// "Oi2" procedure header inside the server NDR format string (ProcString).
// Per the note on this page it begins at ProcString+0x0E when the flag byte
// is 0x32 and at ProcString+0x10 otherwise; the two hex views on this page
// differ only in that byte (0x32 vs 0x33), which is what moves the header.
typedef struct _NDR_PROC_DESC
{
    unsigned short              ClientBufferSize;    // The Oi2 header: client-side buffer size
    unsigned short              ServerBufferSize;    // server-side buffer size
    INTERPRETER_OPT_FLAGS       Oi2Flags;            // Oi2 interpreter option flags
    unsigned char               NumberParams;        // presumably the count of parameter descriptors that follow — verify
    NDR_PROC_HEADER_EXTS        NdrExts;             // header extensions
} NDR_PROC_DESC, * PNDR_PROC_DESC;

RPC_DISPATCH_TABLE

// Dispatch table pointed to by RPC_SERVER_INTERFACE.DispatchTable:
// DispatchTableCount entries of RPC_DISPATCH_FUNCTION. A caller must keep
// any procedure index below DispatchTableCount before indexing DispatchTable.
typedef struct {
    unsigned int DispatchTableCount;                 // number of entries in DispatchTable
    RPC_DISPATCH_FUNCTION __RPC_FAR * DispatchTable; // array of dispatch routines
    int Reserved;                                    // unused here; expected to be zero — verify
} RPC_DISPATCH_TABLE, __RPC_FAR * PRPC_DISPATCH_TABLE;

MIDL_SERVER_INFO

// Interpreter information referenced by RPC_SERVER_INTERFACE.InterpreterInfo.
// ProcString is the NDR format string whose bytes the hex views on this page
// decode (NDR_PROC_DESC lives inside it at +0x0E or +0x10, see the note above).
typedef struct  _MIDL_SERVER_INFO_ 
{
    PMIDL_STUB_DESC             pStubDesc;          // stub descriptor
    const SERVER_ROUTINE *      DispatchTable;      // server routines; presumably indexed by procedure number — verify
    PFORMAT_STRING              ProcString;         // NDR procedure format string (see hex views on this page)
    const unsigned short *      FmtStringOffset;    // presumably per-procedure offsets into ProcString — verify
    const STUB_THUNK *          ThunkTable;         // stub thunks
    // NOTE(review): the SDK definition in rpcndr.h carries further members after
    // ThunkTable; only the leading members used on this page are listed here, so
    // do not derive the structure size from this listing.
} MIDL_SERVER_INFO, *PMIDL_SERVER_INFO;

Excalidraw Data

Text Elements

RPC Interface GUID and Version

Transfer Syntax DCE: 8A885D04-1CEB-11C9-9FE8-08002B104860 NDR64: 71710533-BEBA-4937-8319-B5DBEF9CCC36

Server NDR Format String

RPC 提供的接口 Interface

📌这里主要看这个标志位的值,如果值为 0x32,则 NDR_PROC_DESC 位于偏移 0x0E 处,否则就位于偏移 0x10 处。 (byte*)ProcString == 0x32

00000000 00 68 00 00 00 00 00 00 38 00 32 00 00 00 06 00 .h…8.2… 00000010 24 00 47 06 0A 03 01 00 00 00 00 00 00 00 48 00 $.G…H. 00000020 08 00 06 00 0B 00 10 00 02 00 50 21 18 00 08 00 …P!… 00000030 13 20 20 00 0A 00 13 20 28 00 0A 00 70 00 30 00 . … (…p.0. 00000040 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …

Hex View 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

PNDR_PROC_DESC = (byte*)ProcString[0x10] ^fKmQGb3e

PNDR_PROC_DESC = (byte*)ProcString[0xE]

00000000 00 68 00 00 00 00 00 00 38 00 33 00 00 00 06 00 .h…8.2… 00000010 24 00 47 06 0A 03 01 00 00 00 00 00 00 00 48 00 $.G…H. 00000020 08 00 06 00 0B 00 10 00 02 00 50 21 18 00 08 00 …P!… 00000030 13 20 20 00 0A 00 13 20 28 00 0A 00 70 00 30 00 . … (…p.0. 00000040 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …

Hex View 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

RPC_SERVER_INTERFACE 结构体解析

Embedded Files

5b8ca2125ef7c9178081a30f3e08d0d67bcf9a22: IMG-20250117161744626.png 8915f9b3cd45d3fd830480932a1c8e669d791c44: IMG-20250117161745026.png 998ce1ac314968207548444ffc273f3ac72a730a: IMG-20250117161745107.png e79b56e48909168c5647181ebaa3a75f01ae383c: IMG-20250117161745270.png