Title: rpcexts.dll is dead on Win10
Created: 2021-11-15 20:36 Updated: Link: https://scz.617.cn/windows/202111152036.txt
windbg ships an extension called rpcexts.dll; search for "RPC Debugging" in the windbg help to see how it is used. Its original purpose was to assist RPC debugging, for example obtaining the RPC client's PID from inside the RPC server.
It must first be configured in Group Policy:

gpedit.msc
    Computer Configuration
        Administrative Templates
            System
                Remote Procedure Call
                    Maintain RPC Troubleshooting State Information
                        Enabled
                        Full
Reboot the OS for the setting to take effect. Everything that follows requires "Enabling RPC State Information".
!rpcexts.help

!IF - Dumps an RPC Interface
!addrvect - Dumps the address vector at the given location
!ama - Displays the ALPC message attributes
!asyncmsg - Dumps NDR_ASYNC_MESSAGE
!asyncrpc - Dumps RPC_ASYNC_STATE
!authinfo - Dumps CLIENT_AUTH_INFO
!copacket - Dumps CO packet
!dict - Dumps SDICT
!dict2 - Dumps SDICT2
!eeinfo - Prints the extended error info chain
!eerecord - Prints the extended error info record given
!error - Translates an error value into the error message
!fwscan - Searches for a string pattern in the RpcFw log
!getcallinfo - Searches the system for call info
!getclientcallinfo - Searches the system for client call info
!getdbgcell - Gets info for the specified cell
!getendpointinfo - Searches the system for endpoint info
!getthreadinfo - Searches the system for thread info
!getvalidateerror - Dumps error code for the failed VALIDATE
!help - Displays information on available extension commands
!listcalls - Dumps addresses, associations, and calls active within the RPC_SERVER at address
!lpcaddr - Dumps LRPC_ADDRESS
!lpcbh - Dumps LRPC_BINDING_HANDLE
!lpcca - Dumps LRPC_CASSOCIATION
!lpcccall - Dumps LRPC_CCALL
!lpcsa - Dumps LRPC_SASSOCIATION
!lpcscall - Dumps LRPC_SCALL
!mode - Switches the extensions to debug one of these 3 modes (rpcrt4, msrpc, rhttpaa). Default is rpcrt4
!obj - Dumps an RPC Object
!overlap - Dumps object associated with OVERLAPPED pointer
!pasync - Dumps RPC_ASYNC_STATE
!pipedesc - Dumps NDR_PIPE_DESC
!pipemsg - Dumps NDR_PIPE_MESSAGE
!pipestate - Dumps NDR_PIPE_STATE
!protocols - Dumps PnP protocols map & related objects
!queue - Dumps QUEUE
!rpcheap - Dumps rpc heap on checked builds
!rpcmsg - Dumps RPC_MESSAGE
!rpcreadstack - Reads an RPC client side stack and retrieves the call info
!rpcsvr - Dumps RPC_SERVER
!rpctime - Displays current system time
!rpcverbosestack - Toggles the state of the verbose spew when reading the stack
!rpcverifier - Dumps the RPC verifier settings
!scan - Dumps the event log
!secinfo - Dumps security provider/package info
!sizes - Prints sizes of the data structures
!stackmatch - Matches stack symbols and target addresses
!stubmsg - Dumps MIDL_STUB_MESSAGE
!thread - Dumps the RPCRT4 thread object
!traceasynccall - Traces an LRPC call chain starting with a given RPC_ASYNC_STATE object
!tracesynccall - Traces an LRPC call chain starting with a given thread
!trans - Dumps most NT RPC transport objects
!transinfo - Dumps TRANS_INFO
!version - Prints version information for the current rpc extension library
!help will give more information for a particular command

!rpcexts.help rpcmsg
!rpcmsg
    address - the address of the RPC_MESSAGE struct
    Dumps RPC_MESSAGE
The command list above looks tempting. According to chapter 8 of "Advanced Windows Debugging", however, the vast majority of these commands depend on private PDBs. We only have public PDBs, which support just a handful of commands, such as:

!getcallinfo - Searches the system for call info
!getclientcallinfo - Searches the system for client call info
!getdbgcell - Gets info for the specified cell
!getendpointinfo - Searches the system for endpoint info
!getthreadinfo - Searches the system for thread info
Unfortunately, even these few public-PDB-only extension commands barely work on Win10 anymore; only !getendpointinfo still produces useful output.
Why does rpcexts.dll no longer work on Win10?

There are two important boolean global variables:

RPCRT4!g_fClientSideDebugInfoEnabled
RPCRT4!g_fServerSideDebugInfoEnabled
In the XP source, LRPC_CCALL::SendReceive checks these two globals and, if they are true, calls CCALL::SetDebugClientCallInformation. Opening Win10's rpcrt4.dll in IDA and examining the cross-references to the two variables, one notices the function
RPCRT4!ReadPolicySettings
As the name suggests, it reads the setting from Group Policy, and this part matches earlier Windows. However, on Win10 only OSF_CCALL::FastSendReceive still calls CCALL::SetDebugClientCallInformation; none of the other _CCALL::SendReceive variants do. In other words, Win10 no longer records the RPC debugging information that rpcexts.dll consumes, so the Group Policy setting is effectively a no-op. Win10 has killed this technical approach at the root.
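As an added illustration (not part of the original note), the following WinDbg command sequence verifies the above on a live Win10 process that uses rpcrt4: it reads the two policy globals, lists the call sites in the two SendReceive paths, and breaks on the recorder to see which caller still reaches it. It assumes public symbols for rpcrt4.dll are available and uses only the symbol names quoted above.

```windbg
$$ Added example, not from the original note. Assumes public symbols for rpcrt4.dll.
.reload /f rpcrt4.dll

$$ 1. Did RPCRT4!ReadPolicySettings pick up the Group Policy setting?
$$    Expect 1 in both after "Maintain RPC Troubleshooting State Information" = Enabled/Full
$$    (the globals are assumed to be DWORD-sized BOOLs; use db if they turn out to be 1-byte bools).
dd RPCRT4!g_fClientSideDebugInfoEnabled L1
dd RPCRT4!g_fServerSideDebugInfoEnabled L1

$$ 2. Does the recorder still exist, and who calls it?
x RPCRT4!CCALL::SetDebugClientCallInformation
$$    /c lists only the call instructions inside each function.
$$    On Win10 the LRPC path shows no call to SetDebugClientCallInformation,
$$    while the OSF (connection-oriented) path still does.
uf /c RPCRT4!LRPC_CCALL::SendReceive
uf /c RPCRT4!OSF_CCALL::FastSendReceive

$$ 3. Dynamic confirmation: print three frames every time the recorder is hit, then continue.
$$    Exercise the process with local (ALPC) RPC calls; the breakpoint should only fire for
$$    OSF_CCALL::FastSendReceive callers, never from an LRPC_CCALL path.
bp RPCRT4!CCALL::SetDebugClientCallInformation "k 3; gc"
g
```

If step 1 shows both globals set to 1 while step 3 never fires during local RPC traffic, the policy is being read but no longer has any effect on the LRPC path, which is exactly why the rpcexts.dll commands come back empty.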