13. windows.rpc – ALPC-based Windows RPC — PythonForWindows 1.0.4 documentation

The windows.rpc allows to perform the basic for MS-RPC:

find interface endpoints

connect to it

bind to interfaces

perform call

Marshall/Unmarshall NDR

13.1. RPCClient¶

class windows.rpc.RPCClient(port)[source]¶

A client for RPC-over-ALPC able to bind to interface and perform calls using NDR32 marshalling

alpc_client¶: The windows.alpc.AlpcClient used to communicate with the server

bind(iid, version=(1, 0))[source]¶

Bind to the IID with the given version

Returns:: windows.generated_def.IID

call(IID, method_offset, params, ipid=None)[source]¶

Call method number method_offset of interface IID with mashalled params. Handle ORPC calls via the ipid parameter.

param IID IID:

An IID previously returned by bind()

param int method_offset:

param str params:

The mashalled parameters (NDR32)

param GUID ipid:

The IPID for ORPC calls

returns:

str

Note

Since 1.0.3 if the call is an ORPC call, the ORPCTHAT & LOCALTHAT present in the response are parsed and striped from the result.

forge_alpc_request(IID, method_offset, params, ipid=None)[source]¶: Craft an ALPC message containing an RPC request to call method_offset of interface IID` with ``params. Can be used to craft request without directly sending it

13.2. Epmapper¶

class windows.rpc.epmapper.UnpackTower(protseq, endpoint, address, object, syntax)¶

address¶: Alias for field number 2

endpoint¶: Alias for field number 1

object¶: Alias for field number 3

protseq¶: Alias for field number 0

syntax¶: Alias for field number 4

13.2.1. `find_alpc_endpoints()`¶

windows.rpc.find_alpc_endpoints(targetiid, version=(1, 0), nb_response=1, sid=_WELL_KNOWN_SID_TYPE.WinLocalSystemSid(0x16))[source]¶

Ask the EPMapper for ALPC endpoints of targetiid:version (maximum of nb_response)

Parameters:

targetiid (str) – The IID of the requested interface
version ((int,int)) – The version requested interface
nb_response (int) – The maximum number of response
sid (WELL_KNOWN_SID_TYPE) – The SID used to request the EPMapper

Returns:

[UnpackTower] – A list of UnpackTower

Example:

>>> import windows.rpc
>>> UAC_UIID = "201ef99a-7fa0-444c-9399-19ba84f12a1a"
>>> windows.rpc.find_alpc_endpoints(UAC_UIID)
[UnpackTower(protseq='ncalrpc',
                endpoint=bytearray(b'LRPC-c30c67fef2afa1612b'),
                address=None,
                object=<RPC_IF_ID "201EF99A-7FA0-444C-9399-19BA84F12A1A" (1, 0)>,
                syntax=<RPC_IF_ID "8A885D04-1CEB-11C9-9FE8-08002B104860" (2, 0)>)]

13.2.2. `find_alpc_endpoint_and_connect()`¶

windows.rpc.find_alpc_endpoint_and_connect(targetiid, version=(1, 0), sid=_WELL_KNOWN_SID_TYPE.WinLocalSystemSid(0x16))[source]¶

Ask the EPMapper for ALPC endpoints of targetiid:version and connect to one of them.

Parameters:

targetiid (str) – The IID of the requested interface
version ((int,int)) – The version requested interface
sid (WELL_KNOWN_SID_TYPE) – The SID used to request the EPMapper

Returns:

A connected RPCClient

Example:

>>> import windows.rpc
>>> UAC_UIID = "201ef99a-7fa0-444c-9399-19ba84f12a1a"
>>> client = windows.rpc.find_alpc_endpoint_and_connect(UAC_UIID)
>>> client
<windows.rpc.client.RPCClient object at 0x046A1470>
>>> client.alpc_client.port_name
'\\RPC Control\\LRPC-c30c67fef2afa1612b'
>>> iid = client.bind(UAC_UIID)
>>> iid
<IID "201EF99A-7FA0-444C-9399-19BA84F12A1A">

13.3. Ndr¶

The windows.rpc.ndr module offers some construction to help marshalling types and structures to NDR.

Note

The NDR supported for now is 8a885d04-1ceb-11c9-9fe8-08002b104860 version 2.0

Each NDR class has a function pack().

class windows.rpc.ndr.NdrSID[source]¶

classmethod pack(psid)[source]¶

Pack a PSID

Parameters:: psid (PSID)

classmethod unpack(stream)[source]¶: Unpack a PSID, partial implementation that returns a str and not a PSID

>>> import windows.generated_def as gdef
>>> sid = windows.utils.get_known_sid(gdef.WinLocalSystemSid)
>>> sid
c_void_p(78304040)
>>> psidstr = windows.rpc.ndr.NdrSID.pack(sid)
>>> psidstr
'\x01\x00\x00\x00\x01\x01\x00\x00\x00\x00\x00\x05\x12\x00\x00\x00'
>>> windows.rpc.ndr.NdrSID.unpack(windows.rpc.ndr.NdrStream(psidstr))
# Implementation is partial for now and does not return a PSID but a string
'\x01\x01\x00\x00\x00\x00\x00\x05\x12\x00\x00\x00'

class windows.rpc.ndr.NdrWString[source]¶

classmethod pack(data)[source]¶: Pack string data. append \x00 if not present at the end of the string

>>> from windows.rpc import ndr
>>> x = ndr.NdrWString.pack("Test-String\x00")
>>> x
'\x0c\x00\x00\x00\x00\x00\x00\x00\x0c\x00\x00\x00T\x00e\x00s\x00t\x00-\x00S\x00t\x00r\x00i\x00n\x00g\x00\x00\x00'
>>> ndr.NdrWString.unpack(ndr.NdrStream(x))
u'Test-String\x00'

class windows.rpc.ndr.NdrCString[source]¶

classmethod pack(data)[source]¶: Pack string data. append \x00 if not present at the end of the string

>>> from windows.rpc import ndr
>>> x = ndr.NdrCString.pack("Test-String\x00")
>>> x
'\x0c\x00\x00\x00\x00\x00\x00\x00\x0c\x00\x00\x00Test-String\x00'
# TODO: implem unpack

class windows.rpc.ndr.NdrLong[source]¶

>>> from windows.rpc import ndr
>>> x = ndr.NdrLong.pack(0x01020304)
>>> x
'\x04\x03\x02\x01'
>>> hex(ndr.NdrLong.unpack(ndr.NdrStream(x)))
'0x1020304'

class windows.rpc.ndr.NdrHyper[source]¶

>>> from windows.rpc import ndr
>>> x = ndr.NdrHyper.pack(0x0102030405060708)
>>> x
'\x08\x07\x06\x05\x04\x03\x02\x01'
>>> hex(ndr.NdrHyper.unpack(ndr.NdrStream(x)))
'0x102030405060708L'

class windows.rpc.ndr.NdrShort[source]¶

>>> from windows.rpc import ndr
>>> x = ndr.NdrShort.pack(0x0102)
>>> x
'\x02\x01'
>>> hex(ndr.NdrShort.unpack(ndr.NdrStream(x)))
'0x102'

class windows.rpc.ndr.NdrByte[source]¶

>>> from windows.rpc import ndr
>>> x = ndr.NdrByte.pack(0x42)
>>> x
'B'
>>> hex(ndr.NdrByte.unpack(ndr.NdrStream(x)))
'0x42'

class windows.rpc.ndr.NdrUniquePTR(subcls)[source]¶: Create a UNIQUE PTR around a given Ndr type

>>> from windows.rpc import ndr
>>> ndr.NdrLong.pack(0x11111111)
'\x11\x11\x11\x11'
>>> ndr.NdrUniquePTR(ndr.NdrLong).pack(0x11111111)
'\x02\x02\x02\x02\x11\x11\x11\x11'

class windows.rpc.ndr.NdrConformantArray[source]¶

class windows.rpc.ndr.NdrConformantVaryingArrays[source]¶

class windows.rpc.ndr.NdrLongConformantArray[source]¶

>>> windows.rpc.ndr.NdrLongConformantArray.pack([1,2,3,4])
'\x04\x00\x00\x00\x01\x00\x00\x00\x02\x00\x00\x00\x03\x00\x00\x00\x04\x00\x00\x00'

class windows.rpc.ndr.NdrByteConformantArray[source]¶

>>> windows.rpc.ndr.NdrByteConformantArray.pack([1,2,3,4])
'\x04\x00\x00\x00\x01\x02\x03\x04'

class windows.rpc.ndr.NdrStructure[source]¶

a NDR structure that tries to respect the rules of pointer packing, this class should be subclassed with an attribute MEMBERS describing the members of the class

classmethod pack(data)[source]¶: Pack data into the struct, data size must equals the number of members in the structure

classmethod unpack(stream)[source]¶: Unpack the structure from the stream

>>> from windows.rpc import ndr
>>> class NDRTest(ndr.NdrStructure):
...     MEMBERS = [ndr.NdrLong, ndr.NdrLong, ndr.NdrWString]
...
>>> x = NDRTest.pack([1, 2, "Test\x00"])
>>> x
'\x01\x00\x00\x00\x02\x00\x00\x00\x05\x00\x00\x00\x00\x00\x00\x00\x05\x00\x00\x00T\x00e\x00s\x00t\x00\x00\x00PP'
>>> NDRTest.unpack(ndr.NdrStream(x))
[1, 2, u'Test\x00']

class windows.rpc.ndr.NdrParameters[source]¶: a class to pack NDR parameters together to performs RPC call, this class should be subclassed with an attribute MEMBERS describing the members of the class

13.3.1. NDR STREAM¶

class windows.rpc.ndr.NdrStream(data, use_memoryview=False)[source]¶

A stream of bytes used for NDR unpacking

align(size)[source]¶: Discard some bytes to align the remaining stream on size

>>> from windows.rpc import ndr
>>> x = ndr.NdrStream("AAAABBBBCCCC")
>>> hex(ndr.NdrLong.unpack(x))
'0x41414141'
>>> x.data
'BBBBCCCC'
>>> hex(ndr.NdrShort.unpack(x))
'0x4242'
>>> x.data
'BBCCCC'
>>> x.align(4)
>>> x.data
'CCCC'
>>> hex(ndr.NdrLong.unpack(x))
'0x43434343'