Have you ever tried to reverse a simple Win32 API? If not, let’s look at one together today! This article serves as a hand-holding walkthrough and documents in detail how I analyzed a simple Win32 API: LogonUserA.
This article provides a comprehensive overview of Windows Remote Procedure Call (RPC) and its use in reverse engineering. It begins by discussing the basics of RPC, including its purpose, how it works, and its components. It then explains how to use IDA Pro to reverse engineer RPC functions, and how to set up breakpoints and debug them. Additionally, the article covers some more advanced topics, such as how the WMI internals and the Fortinet blog post can be used to gain a better understanding of RPC.
The article then provides a detailed walkthrough of how to analyze a simple Win32 API, LogonUserA. It explains how to open Advapi32.dll in IDA and use the search function to find the LogonUserExExW function, and how to use the Visual Studio or Windows SDK header files to find the logonType and logonProvider values. It then explains how the LogonUserCommonA and LogonUserCommonW functions convert the ANSI-encoded string arguments into the UNICODE_STRING type, how LogonUserExExW is imported from SspiCli.dll, and how that function verifies the logonType and logonProvider arguments. It then explains how logOn32MsvAuthPkgID and LogOn32NegoAuthPkgId are initialized static variables and how the four zeros are arguments to LogonUserExExW, how L32GetDefaultDomainName calls LsaLookupGetDomainInfo to get the local computer name, and how L32pLogonUser allocates heap memory for the length of the buffer. Finally, it explains how the AuthInformation buffer contains the supplied username, password, and domain.
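The ANSI-to-UNICODE_STRING step mentioned above is where a reverser first meets the structure's two length fields, so here is an added example, written for this page and not taken from the article or from Windows: a portable C model of that conversion. The struct mirrors the documented UNICODE_STRING layout (Length and MaximumLength in bytes, Buffer not necessarily NUL-terminated); the conversion routine, the helper names and the 7-bit ASCII input assumption are this example's own, not the RTL helper that Advapi32 actually calls.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef uint16_t USHORT;
typedef uint16_t WCHAR;   /* one UTF-16 code unit, as on Windows */

/* Same layout as the Windows UNICODE_STRING: both lengths are in BYTES,
   and Buffer is not guaranteed to be NUL-terminated. */
typedef struct {
    USHORT Length;        /* bytes currently in use */
    USHORT MaximumLength; /* bytes allocated behind Buffer */
    WCHAR *Buffer;
} UNICODE_STRING;

/* Hypothetical stand-in for the widening step done in LogonUserCommonA.
   Input is assumed to be 7-bit ASCII so widening is a plain zero-extend.
   Returns 0 on success, -1 if allocation fails or if the widened string
   (plus a terminator) would not fit in the 16-bit length fields. */
int ansi_to_unicode_string(const char *src, UNICODE_STRING *dst)
{
    size_t chars = strlen(src);
    size_t bytes = chars * sizeof(WCHAR);
    if (bytes + sizeof(WCHAR) > 0xFFFF)   /* USHORT would wrap: reject */
        return -1;
    WCHAR *buf = malloc(bytes + sizeof(WCHAR));
    if (buf == NULL)
        return -1;
    for (size_t i = 0; i < chars; i++)
        buf[i] = (WCHAR)(unsigned char)src[i];
    buf[chars] = 0;                       /* terminator lives in the slack */
    dst->Length        = (USHORT)bytes;
    dst->MaximumLength = (USHORT)(bytes + sizeof(WCHAR));
    dst->Buffer        = buf;
    return 0;
}

void free_unicode_string(UNICODE_STRING *s)
{
    free(s->Buffer);
    s->Buffer = NULL;
    s->Length = s->MaximumLength = 0;
}

/* The character count a debugger view should show: bytes / 2. */
size_t unicode_string_chars(const UNICODE_STRING *s)
{
    return s->Length / sizeof(WCHAR);
}

/* Convert one literal and report Length in bytes (or -1 on failure). */
long widened_length_bytes(const char *src)
{
    UNICODE_STRING u;
    if (ansi_to_unicode_string(src, &u) != 0) return -1;
    long n = u.Length;
    free_unicode_string(&u);
    return n;
}

/* Convert a string of `count` copies of `c` and report Length in bytes
   (or -1), so the 16-bit limit can be exercised without a huge literal. */
long widened_length_bytes_repeat(char c, size_t count)
{
    char *tmp = malloc(count + 1);
    if (tmp == NULL) return -1;
    memset(tmp, (unsigned char)c, count);
    tmp[count] = '\0';
    long n = widened_length_bytes(tmp);
    free(tmp);
    return n;
}

int main(void)
{
    /* Constructed sample credentials, not real data. */
    const char *fields[] = { "Administrator", "Passw0rd!", "WORKGROUP" };
    for (size_t i = 0; i < 3; i++) {
        UNICODE_STRING u;
        if (ansi_to_unicode_string(fields[i], &u) != 0) return 1;
        printf("%-14s Length=%u bytes MaximumLength=%u bytes chars=%zu\n",
               fields[i], u.Length, u.MaximumLength, unicode_string_chars(&u));
        free_unicode_string(&u);
    }
    printf("32767 chars -> %ld (does not fit in a USHORT length)\n",
           widened_length_bytes_repeat('a', 32767));
    return 0;
}
```

Two things worth keeping in mind when you see this structure in a debugger: Length counts bytes, so the number of characters is half of it, and because the field is 16 bits any caller that builds the structure from untrusted input has to reject strings longer than 32766 characters rather than let the length wrap.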
The article then moves on to the RPC server side, where it explains how to use the first four bytes of the InterfaceId to search for the RPC interface in SspiSrv.dll. It then explains how to use IDA to find the function table for the interface and how to use the OpNum argument to determine which function the RPC client is trying to call. Finally, it explains how to use MIDL_SERVER_INFO.DispatchTable to find the 13th function in the function table, which is SspiLogonUser.
Overall, this article provides a comprehensive overview of Windows Remote Procedure Call (RPC) and its use in reverse engineering.
📓 Uncovering RPC Servers through Windows API Analysis
👉🏽 The main purpose of this text is to:
👉🏽 Explain the basics of RPC, including its purpose, functioning, and components.
👉🏽 Teach how to use IDA Pro for reverse engineering RPC functions.
👉🏽 Guide the reader through setting up breakpoints and debugging RPC functions.
👉🏽 Discuss advanced topics like using WMI internals and the Fortinet blog post for RPC understanding.
👉🏽 Walk through the analysis of the LogonUserA function and how to find it using IDA.
👉🏽 Explain the process of finding logonType and logonProvider values using Visual Studio or Windows SDK header files.
👉🏽 Describe how ANSI-encoded string arguments are converted into the UNICODE_STRING type.
👉🏽 Detail the steps by which the logonType and logonProvider arguments are verified by the LogonUserExExW function.
👉🏽 Discuss the initialization of static variables and the arguments used for the LogonUserExExW function.
👉🏽 Provide insights into the functions used for obtaining the local computer name and allocating memory.
#WindowsRPC #ReverseEngineering #IDAPro #Win32API #RPCClient