silverf0x / rpcview
RpcView is a free tool to explore and decompile Microsoft RPC interfaces
License: GNU General Public License v3.0
RpcView hangs when it tries to read the LsaIso process because the return value of EnumProcessModulesEx is not checked (it fails on the trustlet and sets the last error to ERROR_NOACCESS); moreover, cbSize is not initialized to 0 (it may be large, causing a hang during the loop).
Lines 210 to 227 in 7302b61
Tested Fix:
L226 if(!EnumProcessModulesEx(hProcess, NULL, 0, &cbSize, LIST_MODULES_ALL))
L227 goto End;
In order to facilitate compilation, please support compiling the project from GitHub Actions, which is very important to me. Thank you, author.
There is a buffer overrun in the GetUserAndDomainName function.
RpcCommon/Misc.c
Line 379 in c108da2
where UserName is an array of 260 elements, 520 bytes in total
Line 364 in c108da2
and dwSize is set to 520
Line 378 in c108da2
however, LookupAccountSidW takes its third parameter cchName as a number of TCHARs.
https://docs.microsoft.com/en-us/windows/desktop/api/winbase/nf-winbase-lookupaccountsidw
So the writable size is 520 bytes but 1040 bytes might be written.
Perhaps you meant _countof instead of sizeof.
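An added example, not code from RpcView, that shows the unit mix-up this report describes: lookupName is a constructed stand-in for the LookupAccountSidW contract (capacity in characters, required length reported on failure), char16_t stands in for the 2-byte Windows WCHAR so the byte counts match the report, and buggyOverrunBytes and fixedLookup are names chosen here.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>

typedef char16_t WCHAR;                     // 2 bytes, like the Windows WCHAR
typedef std::char_traits<WCHAR> Traits;
#define COUNTOF(a) (sizeof(a) / sizeof((a)[0]))   // same idea as the CRT _countof

// Constructed stand-in for a LookupAccountSidW-style API: cchName is the
// capacity of name in characters, not bytes; on return it holds the length
// the name needs, terminator included.
static bool lookupName(WCHAR* name, unsigned* cchName, const WCHAR* found) {
    size_t needed = Traits::length(found) + 1;
    if (needed > *cchName) { *cchName = (unsigned)needed; return false; }
    Traits::copy(name, found, needed);      // may write up to *cchName characters
    *cchName = (unsigned)needed;
    return true;
}

// The bug in GetUserAndDomainName: dwSize = sizeof(UserName) is 520 bytes,
// but it is passed where a character count is expected, so the API is
// allowed to write 520 characters = 1040 bytes into a 520-byte array.
// Returns how many bytes could land past the end of UserName.
static size_t buggyOverrunBytes() {
    WCHAR UserName[260];
    unsigned dwSize = (unsigned)sizeof(UserName);   // 520: bytes, not characters
    (void)UserName;
    return (size_t)dwSize * sizeof(WCHAR) - sizeof(UserName);   // 520
}

// Fixed call: pass the element count. A name that does not fit is refused
// instead of overflowing, and *cchOut then reports the length required.
static bool fixedLookup(const WCHAR* found, unsigned* cchOut) {
    WCHAR UserName[260];
    unsigned cchName = (unsigned)COUNTOF(UserName);   // 260 characters
    bool ok = lookupName(UserName, &cchName, found);
    *cchOut = cchName;
    return ok;
}

int main() {
    unsigned cch = 0;
    std::printf("possible overrun with sizeof(): %zu bytes\n", buggyOverrunBytes());
    bool ok = fixedLookup(u"DOMAIN\\user", &cch);   // constructed sample name
    std::printf("fixed lookup ok=%d, characters needed=%u\n", (int)ok, cch);
    return 0;
}
```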
If no pdb is found use the .ini file to get the procedure names
Hey there,
I'm too lazy to make a pull request. In order to make this work with VS2019, the following should be added to CMakeLists.txt in ./RpcCore:
RpcView/RpcCore/CMakeLists.txt
Line 26 in 60569c6
if(${CMAKE_GENERATOR} MATCHES "Win64")
AddRpcCore(${Dir})
elseif(${CMAKE_GENERATOR_PLATFORM} MATCHES "x64")
AddRpcCore(${Dir})
Edit:
The following line should be used when building the project:
cmake -G"Visual Studio 16 2019" -A x64 ../../
This is all because they introduced new semantics in CMake for VS2019.
Cheers
Dude, what happened? I downloaded RpcView as packaged by AppVeyor, and this is the kind of look I get at launch:
Nostalgic for the NT 4.0 days, is that it? It's 2018, it has to be bling if you want any hope of moving your wares.
OK, I'm just teasing you; it's actually the fault of the folks at Qt: default widget style is not flat anymore. Since Qt 5.10 you also have to package the styles folder (as with the platform folder) to get the Windows-specific styles.
Don't worry, your buddy Lolo put in the work and found you the solution: windeployqt is an exe that takes care of deploying the Qt dependencies automatically, so you no longer have to figure out which DLLs to copy:
cd C:\projects\RpcView
mkdir Build\x64
cd C:\projects\RpcView\Build\x64
set CMAKE_PREFIX_PATH=C:\Qt\5.10.0\msvc2015_64
cmake ..\.. -G"Visual Studio 14 2015 Win64" -T"v140_xp"
cmake --build . --config release
cd C:\projects\RpcView\Build\x64\bin\Release
mkdir RpcView64
copy *.dll RpcView64\
copy *.exe RpcView64\
C:\Qt\5.10.0\msvc2015_64\bin\windeployqt.exe --release RpcView64\
7z a RpcView64.7z RpcView64
cd C:\projects\RpcView
mkdir Build\x86
cd C:\projects\RpcView\Build\x86
set CMAKE_PREFIX_PATH=C:\Qt\5.10.0\msvc2015
cmake ..\.. -G"Visual Studio 14 2015" -T"v140_xp"
cmake --build . --config release
cd C:\projects\RpcView\Build\x86\bin\Release
mkdir RpcView32
copy *.exe RpcView32\
copy *.dll RpcView32\
C:\Qt\5.10.0\msvc2015\bin\windeployqt.exe --release RpcView32\
7z a RpcView32.7z RpcView32
It does look a lot better with the correct style, though:
You can test my artifacts here: https://ci.appveyor.com/project/1orenz0/rpcview/build/1.0.23
QDS,
The Emperor of Filth.
There is an always-false expression in the RpcDecompiler/RpcDecompiler.cpp RpcDecompilerPrintHiddenFUProcedure function.
The following expression is always false
RpcView/RpcDecompiler/RpcDecompiler.cpp
Line 496 in c108da2
because bResult was already checked against FALSE at line
RpcView/RpcDecompiler/RpcDecompiler.cpp
Line 489 in c108da2
and bResult wasn't changed before second check.
Perhaps there is a misprint here or some other variable should be used.
Hi! Please support runtime version 10.0.17763.1697 (0xA0000456306A1LL). I've added pull request #49.
OS version: Win10 18363.657 (1909)
This unsupported message pops up, and this repo has not been updated for 3 years. Can anyone help check it?
Thanks.
Howdy RpcView team,
I wanted to download the automatic build of RpcView but the artifacts seem to expire and disappear after some time:
https://ci.appveyor.com/project/silverf0x/rpcview/build/artifacts
Can you recompile the latest version and/or make them not expire?
Merci beaucoup!
How can I see IP information for a process that is running RPC?
I did a build of RpcView on Windows 10.0.19041.546, but I do not see any process; also, when I click on File, "Show Detail of All Processes" is grayed out.
There is an always-true expression in the RpcDecompiler/InternalComplexTypesArrays.cpp processComplexArray function.
There is a callbacksCalled array, declared as UINT16
and initialized as
which results in initialization with 0xffff values, because callbacksCalled is an array of unsigned short values.
Next, the following comparison is made
Because it is always true and this code has no other references, the compiler will optimize out this expression, resulting in
will always be executed. I assume this wasn't caught because making this piece of code work requires rare conditions to be met, as the "i" iterator was always 0 for me.
if(callbacksCalled[j] != (UINT16)-1)
or equivalent type cast must be used to make this line actually work.
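An added example, not code from RpcView, showing why the comparison is always true and that the (UINT16)-1 cast fixes it; fillUnset, slotIsCalledBuggy, slotIsCalledFixed and countCalled are names chosen for this example, and the 0xffff marker is assumed to mean "not yet called".

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>

typedef uint16_t UINT16;

// Mirrors the callbacksCalled initialization from the issue: memset to 0xff,
// so every UINT16 element holds 0xffff (assumed here to mean "not called").
static void fillUnset(UINT16* callbacksCalled, size_t n) {
    std::memset(callbacksCalled, 0xff, n * sizeof(UINT16));
}

// The marker as the original code spells it: the int -1. Kept in a variable
// only so the compiler cannot fold the comparison away in this demo.
static int unsetMarker = -1;

// Buggy predicate: under the usual arithmetic conversions the UINT16 value
// is promoted to int 65535 and compared with int -1, which never matches,
// so every slot looks "called" no matter what it holds.
static bool slotIsCalledBuggy(UINT16 slot) { return slot != unsetMarker; }

// Fixed predicate from the issue: cast the marker to UINT16 first, so the
// comparison is 0xffff against 0xffff and the marker is recognized.
static bool slotIsCalledFixed(UINT16 slot) { return slot != (UINT16)-1; }

// Number of slots a predicate reports as called.
static size_t countCalled(const UINT16* a, size_t n, bool (*isCalled)(UINT16)) {
    size_t count = 0;
    for (size_t j = 0; j < n; ++j)
        if (isCalled(a[j])) ++count;
    return count;
}

int main() {
    UINT16 callbacksCalled[4];
    fillUnset(callbacksCalled, 4);
    std::printf("buggy sees %zu called, fixed sees %zu called\n",
                countCalled(callbacksCalled, 4, slotIsCalledBuggy),   // 4
                countCalled(callbacksCalled, 4, slotIsCalledFixed));  // 0
    callbacksCalled[2] = 7;                                           // one slot really called
    std::printf("fixed after marking one: %zu\n",
                countCalled(callbacksCalled, 4, slotIsCalledFixed));  // 1
    return 0;
}
```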
RpcDecompiler/internalComplexTypesArrays.cpp
There is a twice-assigned value in the switch. See arraySize.
case FC_LGFARRAY:
case FC_LGVARRAY:
RPC_GET_PROCESS_DATA(pType, &longArray, sizeof(LGFixedSizedArrayHeader_t));
arraySize = longArray.totalSize;
default:
arraySize = POINTER_SIZE;
break;
Split from #17
In InterfacesWidget_C::InterfaceSelected, the QByteArray object returned by QString::toLatin1() is released immediately after the QByteArray::data() call (it goes out of scope, https://doc.qt.io/qt-5/qbytearray.html#data), causing a Use-After-Free in UuidFromStringA when accessing pUuidStringA.
RpcView/RpcView/InterfacesWidget.cpp
Lines 47 to 55 in c108da2
This issue can cause RpcCoreGetInterfaceInfo to fail to retrieve the interface information (a race condition overwriting the UUID, resulting in an empty window for the interface properties and procedure list).
Repro: Enable page heap, select one interface -> access violation
Tested Fix:
L51 QByteArray UuidStringARef;
L52 RPC_IF_ID RpcIfId;
L53 UCHAR* pUuidStringA;
L54
L55 QString PidString = pProxyModel->data( pProxyModel->index(Index.row(), Column_Pid) ).toString();
L56 UuidStringARef = pProxyModel->data( pProxyModel->index(Index.row(), Column_Uuid) ).toString().toLatin1();
L57 pUuidStringA = (UCHAR*)UuidStringARef.data();
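An added example, not RpcView or Qt code, that reproduces the temporary-lifetime problem with a constructed ByteArray stand-in for QByteArray (it counts live owners instead of reading through a pointer into freed memory); the toLatin1, ownersAliveBuggy and ownersAliveFixed names are chosen here and the UUID string is a constructed sample.

```cpp
#include <cstdio>
#include <cstring>
#include <string>

// Constructed stand-in for QByteArray: owns a heap buffer and counts live
// instances, so we can see whether the object behind data() still exists.
class ByteArray {
public:
    static int live;
    explicit ByteArray(const char* s) : buf_(copyOf(s)) { ++live; }
    ByteArray(const ByteArray& o) : buf_(copyOf(o.buf_)) { ++live; }
    ~ByteArray() { delete[] buf_; --live; }
    char* data() { return buf_; }
private:
    static char* copyOf(const char* s) {
        char* p = new char[std::strlen(s) + 1];
        std::strcpy(p, s);
        return p;
    }
    char* buf_;
};
int ByteArray::live = 0;
// Stand-in for QString::toLatin1(): the result is returned by value, i.e. as
// a temporary that is destroyed at the end of the full expression.
static ByteArray toLatin1(const std::string& s) { return ByteArray(s.c_str()); }
// Buggy pattern from InterfaceSelected: data() is taken from the temporary,
// which is gone before the pointer is used. Returns how many owners of the
// bytes are alive at the point where UuidFromStringA would read them.
static int ownersAliveBuggy(const std::string& uuid) {
    unsigned char* pUuidStringA = (unsigned char*)toLatin1(uuid).data();
    (void)pUuidStringA;        // reading through it here is a use-after-free
    return ByteArray::live;    // 0: nobody owns the buffer any more
}
// Fixed pattern from the issue: keep the QByteArray in a named variable so
// it outlives every use of the pointer taken from data().
static int ownersAliveFixed(const std::string& uuid, std::string* out) {
    ByteArray UuidStringARef = toLatin1(uuid);
    unsigned char* pUuidStringA = (unsigned char*)UuidStringARef.data();
    *out = (const char*)pUuidStringA;   // safe while UuidStringARef lives
    return ByteArray::live;             // 1
}

int main() {
    std::string uuid = "12345678-1234-1234-1234-123456789abc", seen;   // constructed sample
    std::printf("owners alive, buggy: %d\n", ownersAliveBuggy(uuid));
    int fixed = ownersAliveFixed(uuid, &seen);
    std::printf("owners alive, fixed: %d (%s)\n", fixed, seen.c_str());
    return 0;
}
```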
Hello
Please add 0xA00004A610276LL for build 10.0.19041.630.
There is a potential null pointer dereference in RpcCore/RpcCore.c GetRpcServerAddressInProcess function.
The result of malloc call is not validated.
Line 228 in c108da2
In the MS runtime, malloc returns NULL if the call was unsuccessful (https://docs.microsoft.com/en-us/cpp/c-runtime-library/reference/malloc?view=vs-2017).
In case of failure, the null pointer will be dereferenced next.
I've checked all malloc calls in this project and they check the return value about 50/50.
An identical issue is located in RpcView/RpcView.cpp wWinMain.
The argv variable is not checked to see if it was allocated before it is dereferenced, and then argv[i] is not checked to see if it was allocated before it is dereferenced.
While memory allocation failure could be a super extra rare case and probably most of the other code will fail to run in that case too, I think it is still good to have things handled.
There is a logical error in conditional statement in processCorrelationDescriptorNaked function.
The condition is an if(condition1) else if(condition2) else if(condition3).
It starts with
next "else if"
next "else if"
The last one is always false and probably a copy-paste misprint, judging from the comment. The condition should be FC_TOP_LEVEL_MULTID_CONFORMANCE, not FC_POINTER_CONFORMANCE, as that was checked before.
There is a potential memory access outside an array in RpcCoreInit function.
Line 292 in c108da2
while "i" is supposedly the array element iterator, the iteration count is set to
sizeof(RPC_CORE_RUNTIME_VERSION)
where RPC_CORE_RUNTIME_VERSION is an array of UINT64 type.
With sizeof(RPC_CORE_RUNTIME_VERSION) the number of iterations could be 320 (as per the 54b08a8 commit) while the actual array contains only 40 elements.
Hi,
My RPCRT4.dll version is 10.0.18362.1237, 0xA000047BA04D5LL.
Added it myself and re-compiled but it seems to crash. Not sure what's causing it (my compiling or the rpc runtime version).
Hello,
thanks for this useful tool. I compiled it with Visual Studio 2017.
So here is my bug report and maybe a suggestion also.
The compilation note in the readme doesn't explicitly state that you need to put your exact path to the Qt runtime. This was my first confusion when I tried to build the project files with cmake.
set CMAKE_PREFIX_PATH=C:\Qt\Qt5.9.1\5.9.1\msvc2015_64
My Qt is installed in C:\Qt\5.9.1...
So perhaps some sort of clarification is needed.
Next, the readme doesn't state that you need to create the Build\x64 or Build\x86 directories in RpcView.
These are really small issues, but solving them can save some time if someone is trying to build your tool and following your instructions step by step.
RpcCommon\Misc.c
memcpy(pLocationInfo->Location, pUnloadEventTrace->ImageName, sizeof(pLocationInfo->Location));
where
destination = pLocationInfo->Location is WCHAR Location[MAX_PATH];
source = pUnloadEventTrace->ImageName is WCHAR ImageName[32];
num = sizeof(pLocationInfo->Location) is 520 bytes.
If the string is zero-terminated this code will work okay. However, 520 bytes copied from the source may lead to a crash if the memory beyond this array is not available.
So perhaps you meant
memcpy(pLocationInfo->Location, pUnloadEventTrace->ImageName, sizeof(pUnloadEventTrace->ImageName));
instead?
I'm looking further (I want to get it to actually work on my Windows 10 LTSB), so if I find anything else I will report it.
internalComplexTypesArrays.cpp
UINT __fastcall getArrayMemorySize(
_In_ VOID* pContext,
_In_ RVA_T pType)
There is a twice-assigned value in the switch. See arraySize. Perhaps you missed a break? If it is intended, then I don't understand this code tbh.
case FC_LGFARRAY:
case FC_LGVARRAY:
RPC_GET_PROCESS_DATA(pType, &longArray, sizeof(LGFixedSizedArrayHeader_t));
arraySize = longArray.totalSize;
default:
arraySize = POINTER_SIZE;
break;
Thanks.
The last release is uploaded in 2017, can you upload a new one?
RpcCommon\Misc.c
Line 222 in c108da2
where
memcpy destination
Line 27 in c108da2
memcpy source
Line 178 in c108da2
memcpy number of bytes to copy = sizeof(pLocationInfo->Location) is 520 bytes.
The 520 bytes copied from source may lead to crash if memory beyond this array is not available.
Split from #17
Edit:
By the way, I can't find where this routine is used.
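An added example, not RpcView code, for the memcpy size in this report and in the earlier one above: the structs use the field sizes given (WCHAR ImageName[32], WCHAR Location[MAX_PATH]) with constructed struct names, char16_t stands in for the 2-byte Windows WCHAR so the byte counts match, and copyImageName, makeTrace and copiedLength are names chosen here.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <string>
typedef char16_t WCHAR;                    // 2 bytes, like the Windows WCHAR
typedef std::char_traits<WCHAR> Traits;
#define MAX_PATH 260
#define COUNTOF(a) (sizeof(a) / sizeof((a)[0]))
// Field shapes from the issue; the struct names and the rest of the layout
// are constructed for this example.
struct UnloadEventTrace { WCHAR ImageName[32]; };
struct LocationInfo     { WCHAR Location[MAX_PATH]; };
// The numbers behind the bug: memcpy is told sizeof(destination), so it
// reads 520 bytes out of a source field that is only 64 bytes long.
static size_t buggyBytesRead()   { return sizeof(LocationInfo::Location); }      // 520
static size_t sourceFieldBytes() { return sizeof(UnloadEventTrace::ImageName); } // 64
// Fixed copy: never read past the source field, and always leave a
// terminator, because a 32-character ImageName need not contain one.
static void copyImageName(LocationInfo* dst, const UnloadEventTrace* src) {
    size_t n = COUNTOF(src->ImageName);                            // 32 characters
    if (n > COUNTOF(dst->Location) - 1) n = COUNTOF(dst->Location) - 1;
    std::memcpy(dst->Location, src->ImageName, n * sizeof(WCHAR)); // exactly the source
    dst->Location[n] = u'\0';
}
// Builds a trace record whose ImageName is filled up to 32 characters with
// no terminator guaranteed, the case the fixed copy has to survive.
static UnloadEventTrace makeTrace(const WCHAR* name) {
    UnloadEventTrace t;
    std::memset(&t, 0, sizeof(t));
    size_t n = Traits::length(name);
    if (n > COUNTOF(t.ImageName)) n = COUNTOF(t.ImageName);
    Traits::copy(t.ImageName, name, n);
    return t;
}
// Length of the name that reaches Location after the fixed copy.
static size_t copiedLength(const WCHAR* name) {
    UnloadEventTrace t = makeTrace(name);
    LocationInfo info;
    copyImageName(&info, &t);
    return Traits::length(info.Location);
}

int main() {
    std::printf("buggy memcpy reads %zu bytes from a %zu-byte field; copied %zu chars\n",
                buggyBytesRead(), sourceFieldBytes(), copiedLength(u"lsass.exe")); // constructed sample
    return 0;
}
```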
Very good tool, but I've had a lot of trouble building it from sources. Future researchers should use exactly the Qt 5.15.1 msvc_2015_64 compiler. It has the Qt5WidgetsConfig.cmake file and does not raise Qt compilation errors.
set CMAKE_PREFIX_PATH=C:\Qt\5.15.1\msvc2015_64\
I followed the build instructions to the letter and have all prerequisites installed. After building, when I run RpcView.exe I get this error:
"The application failed to start because no Qt platform plugin could be initialized"
The O.S. is Windows 10 Pro 21H2 19044.2006.
The following knowledge is just my own understanding and may be wrong.
In the simple Oi style parameter descriptor, FC_IGNORE is one of the type values used. Currently in RpcView, the decompiled human-readable string corresponding to this simple type is "void * /* FC_IGNORE */". As far as I know, FC_IGNORE should correspond to the MIDL predefined type handle_t. Although it is actually the same as the pointer type, it has more precise semantics.
@silverf0x Could you please confirm my opinion? Thanks a lot!
Could you please explain how you build it via AppVeyor? I wouldn't like to download the whole VS + Qt stack on my computer, and it'd be great if I could play around with my fork + AppVeyor :)
Thank you!
DLLs: rpcrt4-dlls.zip
Version 10.0.22000.434 found on Windows 11 in Q1 2022.
There is an incorrect check of a function return value in the EnumProcess function
Line 52 in c108da2
and then
Line 53 in c108da2
and in the end of function
Line 64 in c108da2
When CreateToolhelp32Snapshot fails it returns INVALID_HANDLE_VALUE (https://docs.microsoft.com/en-us/windows/desktop/api/tlhelp32/nf-tlhelp32-createtoolhelp32snapshot#return-value), which is not NULL. Thus a failed call to CreateToolhelp32Snapshot will lead to an invalid handle being passed to CloseHandle.
The CreateToolhelp32Snapshot return value must be checked against INVALID_HANDLE_VALUE.
Hi folks,
I have been playing around with RPC using RpcView and Process Hacker. Listing all open handles in Process Hacker for a service running as SYSTEM shows me that a handle to \NamedPipe\dbxsvc is opened and this named pipe is accessible by everyone.
On the other hand, using RpcView to view this named pipe just returns everything, and it doesn't even contain the application dbxsvc.exe in the interface list.
It seems to me that there is an issue with some sort of exception handling in RpcView where, if it encounters any error, it will list all RPC interfaces exposed on the system.
Let me know what you guys think of this
There is a potential null pointer dereference in RpcView/RpcCoreManager.c RpcCoreInit function.
The result of the OS_ALLOC call is not validated. OS_ALLOC is declared as a call to HeapAlloc(GetProcessHeap).
RpcView/RpcView/RpcCoreManager.c
Line 94 in c108da2
If HeapAlloc fails it returns NULL (https://docs.microsoft.com/en-us/windows/desktop/api/heapapi/nf-heapapi-heapalloc#return-value).
Thus in case of HeapAlloc failure the null pointer will be dereferenced next.
Hello,
The compilation note in the readme doesn't explicitly state that you need to put your exact path to the Qt runtime. This was my first confusion when I tried to build the project files with cmake.
set CMAKE_PREFIX_PATH=C:\Qt\Qt5.9.1\5.9.1\msvc2015_64
My Qt is installed in C:\Qt\5.9.1...
So perhaps some sort of clarification is needed.
Next, the readme doesn't state that you need to create the Build\x64 or Build\x86 directories in RpcView.
These are really small issues, but solving them can save some time if someone is trying to build your tool and following your instructions step by step.
Split from #17
Thanks.
According to the README, the only option to download a built release is through AppVeyor.
The problem is, in AppVeyor artifacts older than 1 month are automatically deleted.
So 1 month after a commit (right now, for example) it is not possible to download a built release.
Please add an option to download a built release from external storage or make the artifacts not expire.
Also, recompiling it would be helpful for now.