Features

Just a few reasons to use RpcView

Exploring the RPC landscape

Most existing RPC monitoring tools rely on the EndpointMapper system component to enumerate all registered interfaces. However, many applications use RPC with unregistered interfaces as an IPC mechanism, so querying the EndpointMapper is not a perfect method for enumerating local RPC interfaces. Because it is based on the RPC runtime internals, RpcView can not only analyse all interfaces present on a system but also decompile most of them.

The above screenshot gives an overview of the tool. RpcView is composed of several dock widgets, which are detailed below:
A view of all processes present on the system, whether they are RPC servers (highlighted) or not.

This is the main, minimal view provided by RpcView. To find RPC servers, just look for the highlighted processes. The information given is:
  • Name
  • Identifier (Pid)
  • Path
  • Description
  • Type of image
  • User
  • Command line
  • MaxCalls
A view of all interfaces present on the system, whether they are registered (highlighted) or not.

  • Pid
  • UUID
  • Version
  • Type
  • Number of procedures
  • Name
  • Type of stub
  • Security callback address
  • Procedures location
  • Flags
  • Module description
  • EpMapper
  • Annotation
  • Transfer Syntax
This widget presents all current system endpoints with the following information:
  • the Pid of the process hosting this endpoint;
  • the protocol used, the main ones being ncacn_ip_tcp, ncacn_np and ncalrpc;
  • the endpoint name, which depends on the underlying protocol:
    • port value for ncacn_ip_tcp or ncadg_ip_udp
    • pipe name prefixed by \pipe\ for ncacn_np
    • (A)LPC port name for ncalrpc
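
The protocol-dependent endpoint naming listed above can be checked mechanically when reviewing which processes expose RPC beyond the local machine. The following Python is an added example, not RpcView code: `classify`, `remote_surface` and the sample rows are hypothetical names and constructed data.

```python
from collections import defaultdict

# protocol -> (kind of endpoint name, reachable from another host?)
PROTSEQS = {
    "ncacn_ip_tcp": ("port", True),   # TCP port
    "ncadg_ip_udp": ("port", True),   # UDP port
    "ncacn_np": ("pipe", True),       # named pipe, carried over SMB
    "ncalrpc": ("alpc", False),       # (A)LPC port, local machine only
}
PIPE_PREFIX = "\\pipe\\"

def classify(protseq, name):
    """Check an endpoint name against its protocol; return (kind, value, remote)."""
    if protseq.lower() not in PROTSEQS:
        raise ValueError(f"unhandled protocol {protseq!r}")
    kind, remote = PROTSEQS[protseq.lower()]
    if kind == "port":
        if not (name.isascii() and name.isdigit() and 0 < int(name) <= 65535):
            raise ValueError(f"{protseq}: {name!r} is not a valid port")
        return kind, int(name), remote
    if kind == "pipe":
        if not name.lower().startswith(PIPE_PREFIX) or len(name) == len(PIPE_PREFIX):
            raise ValueError(f"{protseq}: {name!r} lacks the \\pipe\\ prefix")
        return kind, name[len(PIPE_PREFIX):], remote
    if not name:
        raise ValueError(f"{protseq}: empty port name")
    return kind, name, remote

def remote_surface(rows):
    """Group network-reachable endpoints by hosting Pid; collect rejected rows."""
    exposed, rejected = defaultdict(list), []
    for pid, protseq, name in rows:
        try:
            kind, value, remote = classify(protseq, name)
        except ValueError as exc:
            rejected.append((pid, str(exc)))
            continue
        if remote:
            exposed[pid].append((protseq.lower(), value))
    return dict(exposed), rejected

# Constructed sample rows (Pid, protocol, endpoint name), not from a real host.
SAMPLE = [
    (612, "ncacn_ip_tcp", "49664"),
    (612, "ncalrpc", "LRPC-constructed-0001"),
    (4, "ncacn_np", r"\pipe\constructed_svc"),
    (1200, "ncadg_ip_udp", "70000"),        # port out of range
    (1200, "ncacn_np", "constructed_svc"),  # \pipe\ prefix missing
]
```

Calling `remote_surface(SAMPLE)` returns the network-reachable endpoints grouped by Pid, plus the rows whose endpoint name does not match its protocol.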

When symbols are accessible on the system and correctly configured, RpcView can use PDB files to obtain procedure names. In addition, this widget presents the address and NDR format of each procedure.

Presents detailed information as illustrated in the following figures:

Decompilation

The Microsoft NDR specification allows the decompilation of the server stub in charge of the marshalling process. RpcView is able to reconstruct a MIDL-compatible IDL file describing an interface.