
rpcview's People

Contributors

agatignol, chitoge, danielhodson, flamencist, gentilkiwi, haroldm, hfiref0x, jimmers-info, jmpoep, jthuraisamy, lshagiev, m3ikshizuka, martingalloar, quelle-est-ton-irp-preferee, silverf0x, sndav, togdu


rpcview's Issues

RpcView doesn't detect named pipes

Hi folks,

I have been playing around with RPC using RpcView and Process Hacker. Listing all open handles in Process Hacker for a service running as SYSTEM shows me that a handle to \NamedPipe\dbxsvc is opened and this named pipe is accessible by everyone.


On the other hand, using RpcView to view this named pipe just returns everything, and it doesn't even contain the application dbxsvc.exe in the interface list.


It seems to me that there is an issue with some sort of exception handling in RpcView where, if it encounters any error, it will list all RPC interfaces exposed on the system.

Let me know what you guys think of this.

RpcDecompiler/RpcDecompiler.cpp RpcDecompilerPrintHiddenFUProcedure, expression is always false

There is an always false expression in RpcDecompiler/RpcDecompiler.cpp RpcDecompilerPrintHiddenFUProcedure function.

The following expression is always false:

if (bResult == FALSE) goto End;

because bResult was already checked against FALSE at the line

if (bResult == FALSE) goto End;

and bResult wasn't changed before the second check.

Perhaps there is a misprint here or some other variable should be used.

RpcDecompiler/InternalComplexTypesMisc.cpp processCorrelationDescriptorNaked, expression is always false

There is a logical error in a conditional statement in the processCorrelationDescriptorNaked function.

The condition is an if(condition1) else if(condition2) else if(condition3) chain.

It starts with

if(confDesc.corrDesc.correlation_type & FC_TOP_LEVEL_CONFORMANCE)

next "else if"

else if(confDesc.corrDesc.correlation_type & FC_POINTER_CONFORMANCE) // case of FC_POINTER_CONFORMANCE

next "else if"

else if(confDesc.corrDesc.correlation_type & FC_POINTER_CONFORMANCE) // case of FC_TOP_LEVEL_MULTID_CONFORMANCE

The last one is always false and is probably a copy-paste misprint, judging from the comment. The condition should be FC_TOP_LEVEL_MULTID_CONFORMANCE, not FC_POINTER_CONFORMANCE, as that was already checked before.

No option of downloading a built release

According to the README, the only option to download a built release is through AppVeyor.
The problem is, in AppVeyor, artifacts older than 1 month are automatically deleted.
So 1 month after a commit (right now, for example) it is not possible to download a built release.
Please add an option to download a built release from external storage, or make the artifacts not expire.

Also, recompiling it would be helpful for now.


UAF in InterfacesWidget_C::InterfaceSelected(const QModelIndex& Index) results in empty interface properties

In InterfacesWidget_C::InterfaceSelected, the QByteArray object returned by QString::toLatin1() is released immediately after the QByteArray::data() call (it goes out of scope: https://doc.qt.io/qt-5/qbytearray.html#data), causing a Use-After-Free in UuidFromStringA when accessing pUuidStringA.

void InterfacesWidget_C::InterfaceSelected(const QModelIndex& Index)
{
    QStringList PidStringList;
    QStringList VersionStringList;
    RPC_IF_ID   RpcIfId;
    UCHAR*      pUuidStringA;

    QString PidString = pProxyModel->data( pProxyModel->index(Index.row(), Column_Pid) ).toString();
    // The QByteArray returned by toLatin1() is a temporary: it is destroyed at the end of
    // this statement, so pUuidStringA points at freed memory from here on.
    pUuidStringA = (UCHAR*)pProxyModel->data( pProxyModel->index(Index.row(), Column_Uuid) ).toString().toLatin1().data();

This issue can cause RpcCoreGetInterfaceInfo to fail to retrieve the interface information (a race condition overwriting the UUID results in an empty window for the interface properties and procedure list).

Repro: enable page heap, select one interface -> access violation.
Tested fix:

QByteArray  UuidStringARef;
RPC_IF_ID   RpcIfId;
UCHAR*      pUuidStringA;

QString PidString = pProxyModel->data( pProxyModel->index(Index.row(), Column_Pid) ).toString();
// Keep the QByteArray in a named local so its buffer lives as long as pUuidStringA is used.
UuidStringARef = pProxyModel->data( pProxyModel->index(Index.row(), Column_Uuid) ).toString().toLatin1();
pUuidStringA = (UCHAR*)UuidStringARef.data();
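The lifetime problem in this report can be shown without Qt. The following is an added example, not RpcView's code: ByteArray and String are hypothetical stand-ins for QByteArray and QString::toLatin1() that record which buffer was last freed, so the dangling pointer can be detected by address comparison instead of by dereferencing freed memory. uuidPointerIsDangling() mirrors the original one-liner; uuidViaNamedByteArray() mirrors the tested fix.

```cpp
#include <cstring>
#include <string>
#include <utility>

// Address of the most recently freed ByteArray buffer. Only ever compared,
// never dereferenced.
static const char* g_lastFreedBuffer = nullptr;

// Hypothetical stand-in for QByteArray: owns a heap buffer, frees it in the
// destructor and records the freed address.
class ByteArray {
public:
    explicit ByteArray(const std::string& s) : buf_(new char[s.size() + 1]) {
        std::memcpy(buf_, s.c_str(), s.size() + 1);
        if (buf_ == g_lastFreedBuffer) g_lastFreedBuffer = nullptr;  // address is live again
    }
    ByteArray(ByteArray&& o) noexcept : buf_(o.buf_) { o.buf_ = nullptr; }
    ByteArray(const ByteArray&) = delete;
    ByteArray& operator=(const ByteArray&) = delete;
    ~ByteArray() {
        if (buf_) g_lastFreedBuffer = buf_;
        delete[] buf_;
    }
    char* data() { return buf_; }  // same contract as QByteArray::data(): valid while *this lives
private:
    char* buf_;
};

// Hypothetical stand-in for QString: toLatin1() returns the bytes by value.
class String {
public:
    explicit String(std::string s) : s_(std::move(s)) {}
    ByteArray toLatin1() const { return ByteArray(s_); }
private:
    std::string s_;
};

// Same shape as the original InterfaceSelected: data() is taken from the
// temporary ByteArray, which is destroyed at the end of the full expression.
// Returns true when the saved pointer is exactly the buffer that was just freed.
bool uuidPointerIsDangling(const String& uuidCell) {
    const char* pUuidStringA = uuidCell.toLatin1().data();
    return pUuidStringA == g_lastFreedBuffer;
}

// The tested fix from the issue: bind the ByteArray to a named local so its
// buffer outlives every use of the pointer. The copy below happens while it is alive.
std::string uuidViaNamedByteArray(const String& uuidCell) {
    ByteArray uuidStringARef = uuidCell.toLatin1();
    const char* pUuidStringA = uuidStringARef.data();
    if (pUuidStringA == g_lastFreedBuffer) return std::string();  // cannot happen here
    return std::string(pUuidStringA);  // in RpcView this is what UuidFromStringA parses
}
```

Running the same code under page heap or AddressSanitizer flags the first function as a use-after-free the moment the pointer is dereferenced; the address comparison here is just a portable way to make the defect observable.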

IP Information

How can I see IP information for a process that is running RPC?

RpcCommon/Misc.c EnumProcess, incorrect check of function return value

There is an incorrect check of a function return value in the EnumProcess function:

hSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);

and then

if (hSnapshot==NULL) goto End;

and at the end of the function

if (hSnapshot!=NULL) CloseHandle(hSnapshot);

When CreateToolhelp32Snapshot fails it returns INVALID_HANDLE_VALUE (https://docs.microsoft.com/en-us/windows/desktop/api/tlhelp32/nf-tlhelp32-createtoolhelp32snapshot#return-value), which is not NULL. Thus a failed call to CreateToolhelp32Snapshot will lead to an invalid handle being passed to CloseHandle.

The CreateToolhelp32Snapshot return value must be checked against INVALID_HANDLE_VALUE.

Can we use "handle_t" instead of "void *" when simple type is FC_IGNORE?

The following knowledge is just my own understanding and may be wrong.

In the simple Oi style parameter descriptor, FC_IGNORE is one of the type values used. Currently in RpcView, the decompiled human-readable string corresponding to this simple type is "void * /* FC_IGNORE */". As far as I know, FC_IGNORE should correspond to the MIDL predefined type handle_t. Although it is actually the same as the pointer type, it has more precise semantics.

@silverf0x Could you please confirm my opinion? Thanks a lot!

RpcCore/RpcCore.c GetRpcServerAddressInProcess, potential null pointer dereference

There is a potential null pointer dereference in the RpcCore/RpcCore.c GetRpcServerAddressInProcess function.

The result of the malloc call is not validated.

pHmodule = (HMODULE*)malloc(cbSize);

In the MS runtime, malloc returns NULL if the call was unsuccessful (https://docs.microsoft.com/en-us/cpp/c-runtime-library/reference/malloc?view=vs-2017).

In case of failure the null pointer will be dereferenced next.

I've checked all malloc calls in this project and they check the return value about 50/50.

An identical issue is located in RpcView/RpcView.cpp wWinMain.
The argv variable is not checked for whether it was allocated before being dereferenced, and then argv[i] is likewise not checked before being dereferenced.

While memory allocation failure could be a super extra rare case, and probably most other code will fail to run in that case too, I think it is still good to have things handled.

RpcDecompiler/internalComplexTypesArrays.cpp getArrayMemorySize, twice assigned value in the switch

RpcDecompiler/internalComplexTypesArrays.cpp

There is a twice-assigned value in the switch. See arraySize.

    case FC_LGFARRAY:
    case FC_LGVARRAY:

        RPC_GET_PROCESS_DATA(pType, &longArray, sizeof(LGFixedSizedArrayHeader_t));
        arraySize = longArray.totalSize;

    default:
        arraySize = POINTER_SIZE;
        break;

Split from #17
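The effect of the missing break in this switch (reported here and again in the "Bugreport" issue below) can be reproduced in isolation. This is an added example, not RpcView's code: the format-character values, the header layout and readHeader() (a stand-in for RPC_GET_PROCESS_DATA that copies from an in-memory blob instead of a remote process) are all constructed; it assumes a little-endian host.

```cpp
#include <cstdint>
#include <cstring>

// Illustrative format characters for the cases in getArrayMemorySize
// (assumed values, not taken from the real NDR tables).
enum : uint8_t { FC_SMFARRAY = 0x1B, FC_LGFARRAY = 0x1C, FC_LGVARRAY = 0x1E, FC_CARRAY = 0x1F };
constexpr uint32_t POINTER_SIZE = 8;

// Constructed layout of the large fixed-size array header the switch reads.
#pragma pack(push, 1)
struct LGFixedSizedArrayHeader_t {
    uint8_t  type;       // format character
    uint8_t  alignment;
    uint32_t totalSize;  // total byte size of the array
};
#pragma pack(pop)

// Stand-in for RPC_GET_PROCESS_DATA: copy the header out of a format-string blob.
static LGFixedSizedArrayHeader_t readHeader(const uint8_t* pType) {
    LGFixedSizedArrayHeader_t hdr;
    std::memcpy(&hdr, pType, sizeof(hdr));
    return hdr;
}

// Mirrors the defect: the FC_LGFARRAY/FC_LGVARRAY case assigns arraySize and
// then falls through into default, which overwrites it with POINTER_SIZE.
uint32_t getArrayMemorySizeBuggy(const uint8_t* pType) {
    uint32_t arraySize = 0;
    LGFixedSizedArrayHeader_t longArray;
    switch (pType[0]) {
    case FC_LGFARRAY:
    case FC_LGVARRAY:
        longArray = readHeader(pType);
        arraySize = longArray.totalSize;
        // no break here: execution continues into default
    default:
        arraySize = POINTER_SIZE;
        break;
    }
    return arraySize;
}

// Corrected form: the case ends with break, so the header's size is returned.
uint32_t getArrayMemorySizeFixed(const uint8_t* pType) {
    uint32_t arraySize = 0;
    LGFixedSizedArrayHeader_t longArray;
    switch (pType[0]) {
    case FC_LGFARRAY:
    case FC_LGVARRAY:
        longArray = readHeader(pType);
        arraySize = longArray.totalSize;
        break;
    default:
        arraySize = POINTER_SIZE;
        break;
    }
    return arraySize;
}

// Constructed samples: a large fixed array of 4096 bytes (0x00001000 little-endian),
// and a conformant array where only the type byte matters for this switch.
static const uint8_t kLargeFixedArray[] = { FC_LGFARRAY, 0x03, 0x00, 0x10, 0x00, 0x00 };
static const uint8_t kConformantArray[] = { FC_CARRAY,   0x03, 0x00, 0x00, 0x00, 0x00 };
```

Compiling with -Wimplicit-fallthrough (part of -Wextra in GCC and Clang) reports the first switch, which is the cheapest way to catch this class of mistake across the decompiler.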

Please support GitHub Actions

In order to facilitate compilation, please support compiling the project from GitHub Actions, which is very important to me. Thank you, author.

RpcDecompiler/InternalComplexTypesArrays.cpp processComplexArray, expression is always true

There is an always true expression in the RpcDecompiler/InternalComplexTypesArrays.cpp processComplexArray function.

There is a callbacksCalled array, declared as UINT16:

UINT16 callbacksCalled[15];

and initialized as:

memset(callbacksCalled, -1, sizeof(callbacksCalled));

which results in initialization with 0xffff values, because callbacksCalled is an array of unsigned short values.

Next, the following comparison is made:

if(callbacksCalled[j] != -1)

Because it is always true and this code has no other references, the compiler will optimize out this expression, resulting in

oss<<" callback_"<<std::dec<<callbacksCalled[j]<<" used, ";

always being executed. I assume this wasn't caught because making this piece of code work requires rare conditions to be met, as the "i" iterator was always 0 for me.

if(callbacksCalled[j] != (UINT16)-1) or an equivalent type cast must be used to make this line actually work.
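The integer promotion behind this report is easy to demonstrate. The following is an added example, not RpcView's code: CallbackTracker is a constructed stand-in for the callbacksCalled array in processComplexArray, and the two predicates are the original comparison and the cast suggested above, applied over the same 15 slots.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

constexpr size_t kCallbackSlots = 15;

// Constructed stand-in for the tracking array in processComplexArray.
struct CallbackTracker {
    uint16_t callbacksCalled[kCallbackSlots];
};

// Same initialization as the original: every byte becomes 0xFF, so every
// element reads as 0xFFFF (65535).
void resetTracker(CallbackTracker& t) {
    std::memset(t.callbacksCalled, -1, sizeof(t.callbacksCalled));
}

void markCallback(CallbackTracker& t, size_t slot, uint16_t callbackIndex) {
    t.callbacksCalled[slot] = callbackIndex;
}

// Buggy predicate: the uint16_t operand is promoted to int (0xFFFF -> 65535)
// while -1 stays -1, so "!= -1" holds for every possible element value.
bool slotUsedBuggy(const CallbackTracker& t, size_t j) {
    return t.callbacksCalled[j] != -1;
}

// Fixed predicate: compare against the sentinel expressed in the array's own type.
bool slotUsedFixed(const CallbackTracker& t, size_t j) {
    return t.callbacksCalled[j] != (uint16_t)-1;
}

// Counts the slots a predicate reports as used; this is the loop that emits
// the " callback_N used, " fragments in the decompiler output.
size_t countUsedSlots(const CallbackTracker& t,
                      bool (*used)(const CallbackTracker&, size_t)) {
    size_t n = 0;
    for (size_t j = 0; j < kCallbackSlots; ++j)
        if (used(t, j)) ++n;
    return n;
}

// One callback recorded in slot 3: the buggy predicate still reports all 15 slots.
size_t usedCountBuggy() {
    CallbackTracker t;
    resetTracker(t);
    markCallback(t, 3, 7);
    return countUsedSlots(t, slotUsedBuggy);
}

size_t usedCountFixed() {
    CallbackTracker t;
    resetTracker(t);
    markCallback(t, 3, 7);
    return countUsedSlots(t, slotUsedFixed);
}
```

std::numeric_limits<UINT16>::max() reads better than the cast if the sentinel is referenced in more than one place.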

Bugreport

Hello,

Thanks for this useful tool. I compiled it with Visual Studio 2017.
So here is my bug report and maybe a suggestion also.

The compilation note in the readme doesn't explicitly state that you need to put your exact path to the Qt runtime. This was my first confusion when I tried to build the project files with cmake.
set CMAKE_PREFIX_PATH=C:\Qt\Qt5.9.1\5.9.1\msvc2015_64, while my Qt is installed in C:\Qt\5.9.1...
So perhaps some sort of clarification is needed.

Next, the readme doesn't state that you need to create the Build\x64 or Build\x86 directories in RpcView.

These are really small issues, but solving them can save some time if someone is trying to build your tool and following your instructions step-by-step.

RpcCommon\Misc.c

memcpy(pLocationInfo->Location, pUnloadEventTrace->ImageName, sizeof(pLocationInfo->Location));

where
destination = pLocationInfo->Location is WCHAR Location[MAX_PATH];
source = pUnloadEventTrace->ImageName is WCHAR ImageName[32];
num = sizeof(pLocationInfo->Location) is 520 bytes.

If the string is zero-terminated this code will work okay. However, 520 bytes copied from the source may lead to a crash if memory beyond this array is not available.

So perhaps you meant
memcpy(pLocationInfo->Location, pUnloadEventTrace->ImageName, sizeof(pUnloadEventTrace->ImageName));

instead?

I'm looking further (I want to get it to actually work on my Windows 10 LTSB), so if I find anything else I will report it.

internalComplexTypesArrays.cpp

UINT __fastcall getArrayMemorySize(
	_In_	VOID* pContext,
	_In_	RVA_T pType)

There is a twice-assigned value in the switch. See arraySize. Perhaps you missed a break? If it is intended, then I don't understand this code tbh.

    case FC_LGFARRAY:
    case FC_LGVARRAY:

        RPC_GET_PROCESS_DATA(pType, &longArray, sizeof(LGFixedSizedArrayHeader_t));
        arraySize = longArray.totalSize;

    default:
        arraySize = POINTER_SIZE;
        break;

Thanks.

Building from sources

Very good tool, but I've had a lot of trouble building it from sources. Future researchers should use exactly the Qt 5.15.1 msvc_2015_64 compiler. It has the Qt5WidgetsConfig.cmake file and does not raise Qt compilation errors.

  1. Install the Qt installer
  2. Run C:\Qt\MaintenanceTool.exe
  3. On the Select Components stage you can choose only Qt->Qt 5.15.1->MSVC 2015 64-bit and install it
  4. Follow the original README instructions using set CMAKE_PREFIX_PATH=C:\Qt\5.15.1\msvc2015_64\

Publish Appveyor building script

Could you please share how you build it via Appveyor? I wouldn't like to download the whole VS + Qt stack onto my computer, and it'd be great if I could play around with my fork + Appveyor :)

Thank you!

RpcCommon/Misc.c GetUnloadedLocationInfo, out of range buffer access

RpcCommon\Misc.c

memcpy(pLocationInfo->Location, pUnloadEventTrace->ImageName, sizeof(pLocationInfo->Location));

where

memcpy destination

WCHAR Location[MAX_PATH];

memcpy source

WCHAR ImageName[32]; // Image name

memcpy number of bytes to copy = sizeof(pLocationInfo->Location), which is 520 bytes.

The 520 bytes copied from the source may lead to a crash if memory beyond this array is not available.

Split from #17

Edit:
By the way, I can't find where this routine is used.
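A corrected copy for the memcpy discussed here (and in the "Bugreport" issue above) has to bound the read by the source field and still terminate the destination, since a 32-character ImageName can be completely filled with no terminator. This is an added example, not RpcView's code: the two structs only reproduce the field shapes the report describes, char16_t stands in for WCHAR so that the byte counts (64 and 520) match Windows, and makeTrace() builds constructed input.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <string>

// Portable stand-ins (assumed): WCHAR is 16 bits on Windows, so char16_t keeps
// the byte arithmetic identical to the report.
using WCHAR_t = char16_t;
constexpr size_t MAX_PATH_ = 260;

struct UnloadEventTrace_t {   // source record, as far as the report describes it
    WCHAR_t ImageName[32];    // may be completely filled, with no terminator
};

struct LocationInfo_t {       // destination record
    WCHAR_t Location[MAX_PATH_];
};

// The numbers behind the report: the original passes sizeof(Location) as the
// copy length, which reads 456 bytes beyond the 64-byte source field.
constexpr size_t kBuggyCopyBytes  = sizeof(LocationInfo_t::Location);      // 520
constexpr size_t kSourceBytes     = sizeof(UnloadEventTrace_t::ImageName); // 64
constexpr size_t kBytesPastSource = kBuggyCopyBytes - kSourceBytes;        // 456

// Corrected copy: never read past ImageName, and always leave Location
// NUL-terminated. Returns the number of characters copied.
size_t copyImageName(LocationInfo_t* dst, const UnloadEventTrace_t* src) {
    constexpr size_t srcCount = sizeof(src->ImageName) / sizeof(src->ImageName[0]);
    constexpr size_t dstCount = sizeof(dst->Location) / sizeof(dst->Location[0]);
    static_assert(srcCount < dstCount, "destination must have room for the terminator");

    size_t n = 0;                                   // characters actually present
    while (n < srcCount && src->ImageName[n] != 0) ++n;

    std::memset(dst->Location, 0, sizeof(dst->Location));
    std::memcpy(dst->Location, src->ImageName, n * sizeof(WCHAR_t));
    dst->Location[n] = 0;
    return n;
}

// Builds a constructed source record, truncating to 32 characters without a
// terminator, which is exactly the case the naive copy mishandles.
UnloadEventTrace_t makeTrace(const std::u16string& name) {
    UnloadEventTrace_t t;
    std::memset(&t, 0, sizeof(t));
    size_t n = std::min(name.size(), sizeof(t.ImageName) / sizeof(t.ImageName[0]));
    std::memcpy(t.ImageName, name.data(), n * sizeof(WCHAR_t));
    return t;
}

// Convenience wrapper: run the corrected copy and return the resulting Location.
std::u16string locationOf(const std::u16string& name) {
    UnloadEventTrace_t src = makeTrace(name);
    LocationInfo_t dst;
    copyImageName(&dst, &src);
    return std::u16string(dst.Location);
}
```

The static_assert is what turns the sizeof(source) suggestion above into a checked invariant: if someone later shrinks Location below ImageName, the build fails instead of the copy overrunning.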

RpcView has that old-school look

Dude, what happened? I downloaded RpcView as packaged by Appveyor, and this is the look I get on launch:


Are you nostalgic for the NT 4.0 years or what? It's 2018, it has to bling if you hope to move your goods.

OK, I'm just teasing you; it's actually the fault of the folks at Qt: default widget style is not flat anymore. Since Qt 5.10 you also have to package the styles folder (like the platform folder) to get the Windows-specific styles.

Don't worry, your buddy Lolo did the grunt work and found the solution: windeployqt is an exe that takes care of deploying the Qt dependencies automatically, so you no longer have to figure out which DLLs to copy:

cd C:\projects\RpcView
mkdir Build\x64
cd C:\projects\RpcView\Build\x64
set CMAKE_PREFIX_PATH=C:\Qt\5.10.0\msvc2015_64
cmake ..\.. -G"Visual Studio 14 2015 Win64" -T"v140_xp"
cmake --build . --config release
cd C:\projects\RpcView\Build\x64\bin\Release
mkdir RpcView64
copy *.dll RpcView64\
copy *.exe RpcView64\
C:\Qt\5.10.0\msvc2015_64\bin\windeployqt.exe --release RpcView64\
7z a RpcView64.7z RpcView64
cd C:\projects\RpcView
mkdir Build\x86
cd C:\projects\RpcView\Build\x86
set CMAKE_PREFIX_PATH=C:\Qt\5.10.0\msvc2015
cmake ..\.. -G"Visual Studio 14 2015" -T"v140_xp"
cmake --build . --config release
cd C:\projects\RpcView\Build\x86\bin\Release
mkdir RpcView32
copy *.exe RpcView32\
copy *.dll RpcView32\
C:\Qt\5.10.0\msvc2015\bin\windeployqt.exe --release RpcView32\
7z a RpcView32.7z RpcView32

It does look a lot better with the correct style:


You can test my artifacts here: https://ci.appveyor.com/project/1orenz0/rpcview/build/1.0.23

QDS,

The Emperor of Filth.

Hang with VBS enabled due to EnumProcessModulesEx ignored return value

RpcView hangs when it tries to read the LsaIso process because the return value of EnumProcessModulesEx is not checked (it fails on the trustlet and sets the last error to ERROR_NOACCESS); moreover, cbSize is not initialized to 0 (it may be large -> hang during the loop).

RpcView/RpcCore/RpcCore.c

Lines 210 to 227 in 7302b61

BOOL WINAPI GetRpcServerAddressInProcess(DWORD Pid, RpcCoreInternalCtxt_T* pRpcCoreInternalCtxt)
{
    VOID PTR_T PTR_T pCandidate;
    VOID PTR_T pRpcServer;
    RPC_SERVER_T RpcServer;
    ModuleSectionInfo_T ModuleSectionInfo;
    HANDLE hProcess = NULL;
    GetRpcServerAddressCallbackCtxt_T GetRpcServerAddressCallbackCtxt;
    DWORD cbSize;                     // never initialized: holds garbage if the call below fails
    HMODULE* pHmodule = NULL;
    CHAR ModuleFileName[MAX_PATH];
    BOOL bResult = FALSE;
    hProcess = ProcexpOpenProcess(PROCESS_ALL_ACCESS, FALSE, Pid);
    if (hProcess == NULL) goto End;
    EnumProcessModulesEx(hProcess, NULL, 0, &cbSize, LIST_MODULES_ALL);   // return value ignored
    if (cbSize == 0) goto End;

Tested Fix:

// Bail out when the enumeration itself fails instead of trusting cbSize.
if (!EnumProcessModulesEx(hProcess, NULL, 0, &cbSize, LIST_MODULES_ALL))
    goto End;

RpcCore/RpcCore.c RpcCoreInit, out of bounds read

There is a potential memory access outside an array in the RpcCoreInit function.

for (i = 0; i < sizeof(RPC_CORE_RUNTIME_VERSION); i++)

while "i" is supposedly the array element iterator, the iteration count is set to

sizeof(RPC_CORE_RUNTIME_VERSION)

where RPC_CORE_RUNTIME_VERSION is an array of UINT64 type.

With sizeof(RPC_CORE_RUNTIME_VERSION) the number of iterations could be 320 (as per commit 54b08a8) while the actual array contains only 40 elements.

Add support for 10.0.18362.1237

Hi,

My RPCRT4.dll version is 10.0.18362.1237, 0xA000047BA04D5LL.

I added it myself and re-compiled, but it seems to crash. Not sure what's causing it (my compiling or the RPC runtime version).

RpcView/RpcCoreManager.c RpcCoreInit, potential null pointer dereference

There is a potential null pointer dereference in the RpcView/RpcCoreManager.c RpcCoreInit function.

The result of the OS_ALLOC call is not validated. OS_ALLOC is declared as a call to HeapAlloc(GetProcessHeap()).

pRpcCoreManager = (RpcCoreManager_T*)OS_ALLOC(sizeof(RpcCoreManager_T));

If HeapAlloc fails it returns NULL (https://docs.microsoft.com/en-us/windows/desktop/api/heapapi/nf-heapapi-heapalloc#return-value).

Thus in case of HeapAlloc failure a null pointer will be dereferenced next.

Fix CmakeLists.txt for VS 2019

Hey there,
I'm too lazy to make a pull request. In order to make this work with VS2019, the following in CMakeLists.txt in ./RpcCore should be changed from:

if(${CMAKE_GENERATOR} MATCHES "Win64")

to:

if(${CMAKE_GENERATOR} MATCHES "Win64")
    AddRpcCore(${Dir})
elseif(${CMAKE_GENERATOR_PLATFORM} MATCHES "x64")
    AddRpcCore(${Dir})

Edit:
The following line should be used when building the project:
cmake -G"Visual Studio 16 2019" -A x64 ../../

This is all because they introduced new semantics in CMake for VS2019.

Cheers

RpcCommon/Misc.c GetUserAndDomainName, buffer overrun

There is a buffer overrun in the GetUserAndDomainName function.

RpcCommon/Misc.c

if (!LookupAccountSidW(NULL,pTokenUser->User.Sid,UserName,&dwSize,DomainName,&dwSize,&SidType)) goto End;

where UserName is an array of 260 elements with a size of 520 bytes total

WCHAR UserName[RPC_MAX_LENGTH];

and dwSize is set to 520

dwSize=sizeof(UserName);

however, LookupAccountSidW takes its third parameter cchName as a number of TCHARs:
https://docs.microsoft.com/en-us/windows/desktop/api/winbase/nf-winbase-lookupaccountsidw

So the writable size is 520 bytes but 1040 bytes might be written.

Perhaps you meant _countof instead of sizeof.
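This report and the RpcCoreInit out-of-bounds read above are the same mistake: sizeof yields bytes, but a loop bound and the cchName parameter both want element counts. The following is an added example, not RpcView's code: countof() is a portable equivalent of _countof, the 40-entry version table is constructed (only the 10.0.18362.1237 value quoted elsewhere on this page is real), the name buffers mirror the RPC_MAX_LENGTH arrays with char16_t standing in for WCHAR, and writeAccountName() is a hypothetical cch-based writer that plays the role LookupAccountSidW plays in the report.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>

// Portable _countof: number of elements in a fixed-size array, not bytes.
template <typename T, size_t N>
constexpr size_t countof(const T (&)[N]) { return N; }

// Constructed 40-entry table of supported RPC runtime versions.
struct RuntimeVersionTable {
    uint64_t RPC_CORE_RUNTIME_VERSION[40];

    RuntimeVersionTable() {
        for (size_t i = 0; i < countof(RPC_CORE_RUNTIME_VERSION); ++i)
            RPC_CORE_RUNTIME_VERSION[i] = 0x0A00000000000000ULL + i;   // made-up values
        RPC_CORE_RUNTIME_VERSION[7] = 0xA000047BA04D5ULL;               // 10.0.18362.1237
    }
    // The bound the original loop uses: 40 * sizeof(uint64_t) = 320 iterations,
    // 280 of them reading past the end of the array.
    size_t buggyIterationCount() const { return sizeof(RPC_CORE_RUNTIME_VERSION); }
    // The bound it should use.
    size_t fixedIterationCount() const { return countof(RPC_CORE_RUNTIME_VERSION); }

    // Lookup bounded by the element count, so the read never leaves the array.
    bool supports(uint64_t version) const {
        for (size_t i = 0; i < countof(RPC_CORE_RUNTIME_VERSION); ++i)
            if (RPC_CORE_RUNTIME_VERSION[i] == version) return true;
        return false;
    }
};

// The GetUserAndDomainName buffers, with char16_t standing in for WCHAR.
constexpr size_t RPC_MAX_LENGTH = 260;
struct NameBuffers {
    char16_t UserName[RPC_MAX_LENGTH];
    char16_t DomainName[RPC_MAX_LENGTH];
};
constexpr uint32_t cchNameWrong = sizeof(NameBuffers::UserName);                    // 520 bytes passed as a character count
constexpr uint32_t cchNameRight = sizeof(NameBuffers::UserName) / sizeof(char16_t); // 260 characters

// What a caller should pass as cchName for a given buffer.
uint32_t cchForUserName(const NameBuffers& b) { return (uint32_t)countof(b.UserName); }

// Hypothetical cch-based writer: like LookupAccountSidW, it trusts cchName as the
// number of characters available (terminator included) and refuses longer values.
bool writeAccountName(char16_t* name, uint32_t cchName, const std::u16string& value) {
    if (value.size() + 1 > cchName) return false;   // the ERROR_INSUFFICIENT_BUFFER path
    for (size_t i = 0; i < value.size(); ++i) name[i] = value[i];
    name[value.size()] = 0;
    return true;
}

// The overrun in numbers: with 520 reported as cchName a 300-character name is
// accepted and 602 bytes are written into a 520-byte field; with 260 it is refused.
bool acceptsWithBytesAsCount(size_t nameLen) { return nameLen + 1 <= cchNameWrong; }
bool acceptsWithCharCount(size_t nameLen)    { return nameLen + 1 <= cchNameRight; }
```

Using countof (or _countof on MSVC) for both the loop bound and the cchName argument removes the unit confusion at the source; a reviewer can then grep for sizeof next to a WCHAR array as a quick audit.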

README.md - building instructions

Hello,

The compilation note in the readme doesn't explicitly state that you need to put your exact path to the Qt runtime. This was my first confusion when I tried to build the project files with cmake.
set CMAKE_PREFIX_PATH=C:\Qt\Qt5.9.1\5.9.1\msvc2015_64, while my Qt is installed in C:\Qt\5.9.1...
So perhaps some sort of clarification is needed.

Next, the readme doesn't state that you need to create the Build\x64 or Build\x86 directories in RpcView.

These are really small issues, but solving them can save some time if someone is trying to build your tool and following your instructions step-by-step.

Split from #17

Thanks.
