A GUI device for scanning RPC communication by way of Occasion Tracing for Home windows (ETW). The device was revealed as a part of a analysis on RPC communication between the host and a Home windows container.
Overview
RPCMon may help researchers to get a excessive degree view over an RPC communication between processes. It was constructed like Procmon for simple utilization, and makes use of James Forshaw .NET library for RPC. RPCMon can present you the RPC features being known as, the method who known as them, and different related data.
RPCMon makes use of a hardcoded RPC dictionary for quick RPC data processing which incorporates details about RPC modules. It additionally has an choice to construct an RPC database so it will likely be up to date out of your laptop in case some particulars are lacking within the hardcoded RPC dictionary.
Utilization
Double click on the EXE binary and you’ll get the GUI Home windows.
RPCMon wants a DB to have the ability to get the main points on the RPC features, with out a DB you’ll have lacking data.
To load the DB, press on DB -> Load DB... and select your DB. You’ll be able to a DB we added to this venture: /DB/RPC_UUID_Map_Windows10_1909_18363.1977.rpcdb.json.
Options
- An in depth overview of RPC features exercise.
- Construct an RPC database to parse RPC modules or use hardcoded database.
- Filterhighlight rows primarily based on cells.
- Daring particular rows.
Credit score
We wish to thank James Forshaw (@tyranid) for creating the open supply NtApiDotNet which allowed us to get the RPC features.
License
Copyright (c) 2022 CyberArk Software program Ltd. All rights reserved
This repository is licensed underneath Apache-2.0 License – see LICENSE for extra particulars.
References:
For extra feedback, ideas or questions, you possibly can contact Eviatar Gerzi (@g3rzi) and CyberArk Labs.
