{"id":179,"date":"2022-05-25T18:14:58","date_gmt":"2022-05-25T10:14:58","guid":{"rendered":"http:\/\/www.aqwu.net\/wp\/?p=179"},"modified":"2022-05-25T18:14:58","modified_gmt":"2022-05-25T10:14:58","slug":"offensive-windows-ipc-internals-2-rpc","status":"publish","type":"post","link":"https:\/\/www.aqwu.net\/wp\/?p=179","title":{"rendered":"Offensive Windows IPC Internals 2: RPC"},"content":{"rendered":"\n<p>Original article:<\/p>\n\n\n\n<p><a href=\"https:\/\/csandker.io\/2021\/02\/21\/Offensive-Windows-IPC-2-RPC.html\">https:\/\/csandker.io\/2021\/02\/21\/Offensive-Windows-IPC-2-RPC.html<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"the-series\">The Series<a href=\"https:\/\/csandker.io\/2021\/02\/21\/Offensive-Windows-IPC-2-RPC.html#the-series\"><\/a><\/h2>\n\n\n\n<p>This is part 2 of my series Offensive Windows IPC Internals.<br>If you missed part 1 and want to have a look, you can find it here: <a href=\"https:\/\/csandker.io\/2021\/01\/10\/Offensive-Windows-IPC-1-NamedPipes.html\">Offensive Windows IPC Internals 1: Named Pipes<\/a>.<br>Part 2 was originally planned to be about LPC and ALPC, but it turned out that digging up all the undocumented bits and tricks of those technologies is rather time-consuming. So I decided to first write up what I know about RPC and then turn my head towards ALPC.<\/p>\n\n\n\n<p>The reason I had planned to publish LPC and ALPC before RPC is that RPC uses ALPC under the hood when used locally, and even more than that: RPC is the intended solution for fast local inter-process communication, because RPC can be instructed to handle local communication via a special ALPC protocol sequence (you'll see how that works as you read on).<\/p>\n\n\n\n<p>Anyhow, the lesson here is (I guess) that sometimes it's best to pause on one thing, clear your head and make progress on something else before you get lost in a topic that isn't ready to reveal its secrets to you yet.<\/p>\n\n\n\n<p>Grab a coffee and a comfortable chair, buckle up and let's go RPC&#8230;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"introduction\">Introduction<a href=\"https:\/\/csandker.io\/2021\/02\/21\/Offensive-Windows-IPC-2-RPC.html#introduction\"><\/a><\/h2>\n\n\n\n<p><strong>R<\/strong>emote&nbsp;<strong>P<\/strong>rocedure&nbsp;<strong>C<\/strong>alls (RPC) is a technology for data communication between a client and a server across process and machine boundaries (network communication). RPC is therefore an inter-process communication (<strong>IPC<\/strong>) technology. Other technologies in this category are LPC, ALPC or <a href=\"https:\/\/csandker.io\/2021\/01\/10\/Offensive-Windows-IPC-1-NamedPipes.html\">Named Pipes<\/a>.<br>As the name implies, RPC is used to call a remote server to exchange or deliver data, or to trigger a remote routine. The term &#8220;remote&#8221; does not describe a requirement of the communication, though: the RPC server does not have to live on a remote machine, and in theory it doesn't even have to live in a different process (although that is what makes sense). Technically you could implement an RPC server and client in a DLL, load both into the same process and exchange messages, but you wouldn't gain much: the messages would still be routed through components outside your process (the kernel, for example, but more on that later), and you'd be using an &#8220;inter&#8221; process communication technique for &#8220;intra&#8221; process communication.<br>The point is that an RPC server does not need to sit on a remote computer; it can just as well be called by a local client.<\/p>\n\n\n\n<p>In this blog post you can discover with me the internals of RPC, how it works and operates, and how to implement and attack RPC clients and servers.<br>The post is written from an offensive perspective and tries to cover the aspects of the RPC attack surface that matter most from an attacker's point of view. A more defensive take on RPC can be found, for example, in <a href=\"https:\/\/twitter.com\/jsecurity101\">Jonathan John<\/a>son's <a href=\"https:\/\/ipc-research.readthedocs.io\/en\/latest\/subpages\/RPC.html\">https:\/\/ipc-research.readthedocs.io\/en\/latest\/subpages\/RPC.html<\/a>.<\/p>\n\n\n\n<p>The post below contains references to code from my sample implementation, all of which can be found here:<br><a href=\"https:\/\/github.com\/csandker\/InterProcessCommunication-Samples\/tree\/master\/RPC\/CPP-RPC-Client-Server\">https:\/\/github.com\/csandker\/InterProcessCommunication-Samples\/tree\/master\/RPC\/CPP-RPC-Client-Server<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"history\">History<a href=\"https:\/\/csandker.io\/2021\/02\/21\/Offensive-Windows-IPC-2-RPC.html#history\"><\/a><\/h2>\n\n\n\n<p>Microsoft's RPC implementation is based on the RPC implementation of the Distributed Computing Environment (DCE) standard developed by the Open Software Foundation (OSF) in 1993.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>&#8220;One of the key companies that contributed to the DCE implementation was Apollo Computer, which introduced NCA &#8211; &#8216;Network Computing Architecture&#8217;, which later became Network Computing System (NCS) and then a major part of DCE\/RPC itself&#8221;<br><em>Source: <a href=\"https:\/\/kganugapati.wordpress.com\/tag\/msrpc\/\">https:\/\/kganugapati.wordpress.com\/tag\/msrpc\/<\/a><\/em><\/p><\/blockquote>\n\n\n\n<p>Microsoft hired Paul Leach (in 1991), one of Apollo's founding engineers, which is <em>probably<\/em> how RPC found its way into Windows.<\/p>\n\n\n\n<p>Microsoft adjusted the DCE model to fit their programming scheme, <strong>based RPC communication on top of named pipes<\/strong>, and brought their implementation to daylight with Windows 95.<br>Looking back, you might wonder why they based the communication on named pipes, since Microsoft had just come up with a new technology called Local Procedure Calls (<strong>LPC<\/strong>) in 1994, and building a technology called Remote Procedure Calls on top of something called Local Procedure Calls sounds reasonable, right?&#8230; Well, yes, LPC would have been the logical choice (and I guess they did use LPC at first), but LPC has one key drawback: it did not (and still does not) support asynchronous calls (more on that when I finally finish my LPC\/ALPC post&#8230;), which is why Microsoft went with named pipes.<\/p>\n\n\n\n<p>As we'll see later (in the <a href=\"https:\/\/csandker.io\/2021\/02\/21\/Offensive-Windows-IPC-2-RPC.html#rpc-protocol-sequence\">RPC Protocol Sequence<\/a> section), when implementing a routine with RPC the developer has to tell the RPC library which &#8220;protocol&#8221; to use for transport. The original DCE\/RPC standard already defined &#8220;ncacn_ip_tcp&#8221; and &#8220;ncadg_ip_udp&#8221; for TCP and UDP connections. Microsoft added &#8220;ncacn_np&#8221; for its named-pipe-based implementation (transported over the SMB protocol).<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"rpc-messaging\">RPC Messaging<a href=\"https:\/\/csandker.io\/2021\/02\/21\/Offensive-Windows-IPC-2-RPC.html#rpc-messaging\"><\/a><\/h2>\n\n\n\n<p>RPC is a client-server technology with a messaging architecture similar to COM (Component Object Model), which at a high level consists of three components:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>A server and a client process, responsible for registering an RPC interface and the associated binding information (more on that later)<\/li><li>Server and client stubs, responsible for marshalling incoming and outgoing data<\/li><li>The RPC runtime library (rpcrt4.dll) on the server and the client, which takes the stub data and sends it over the network using the specified protocol (examples and details follow)<\/li><\/ul>\n\n\n\n<p>A visual overview of this messaging architecture can be found at&nbsp;<a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/rpc\/how-rpc-works\">https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/rpc\/how-rpc-works<\/a>&nbsp;and is shown below:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/csandker.io\/public\/img\/2021-02-21-Offensive-Windows-IPC-2-RPC\/RPC_Message_Flow.png\" alt=\"RPC Message Flow\"\/><\/figure>\n\n\n\n<p>Later on, in the <a href=\"https:\/\/csandker.io\/2021\/02\/21\/Offensive-Windows-IPC-2-RPC.html#rpc-communication-flow\">RPC Communication Flow<\/a> section, I'll outline the steps involved from creating an RPC server to sending a message, but before we dive into that we need to clarify a few bits of RPC terminology.<\/p>\n\n\n\n<p>Bear with me here while we dig into the internals of RPC. The following things are essential to get along with RPC.<br>If you get lost in new terms and API calls that you can't line up, feel free to jump ahead to the <a href=\"https:\/\/csandker.io\/2021\/02\/21\/Offensive-Windows-IPC-2-RPC.html#rpc-communication-flow\">RPC Communication Flow<\/a> section to see where these things sit in the communication chain.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"rpc-protocol-sequence\">RPC Protocol Sequence<a href=\"https:\/\/csandker.io\/2021\/02\/21\/Offensive-Windows-IPC-2-RPC.html#rpc-protocol-sequence\"><\/a><\/h3>\n\n\n\n<p>The <strong>RPC protocol sequence<\/strong> is a constant string that defines which protocol the RPC runtime should use to transport messages.<br>This string defines which RPC protocol, transport and network protocol should be used.<br>Microsoft supports the following three RPC protocols:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Network Computing Architecture connection-oriented protocol (NCACN)<\/li><li>Network Computing Architecture datagram protocol (NCADG)<\/li><li>Network Computing Architecture local remote procedure call (NCALRPC)<\/li><\/ul>\n\n\n\n<p>In most scenarios where a connection is made across system boundaries you'll find NCACN, whereas NCALRPC is the recommended choice for local RPC communication.<\/p>\n\n\n\n<p>The protocol sequence is a defined constant string assembled from the parts above, e.g. ncacn_ip_tcp for connection-oriented communication based on TCP packets.<br>The full list of RPC protocol sequence constants can be found here: <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/rpc\/protocol-sequence-constants\">https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/rpc\/protocol-sequence-constants<\/a>.<\/p>\n\n\n\n<p>The most relevant protocol sequences are listed below:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>Constant\/Value<\/th><th>Description<\/th><\/tr><\/thead><tbody><tr><td>ncacn_ip_tcp<\/td><td>Connection-oriented Transmission Control Protocol\/Internet Protocol (TCP\/IP)<\/td><\/tr><tr><td>ncacn_http<\/td><td>Connection-oriented TCP\/IP using Microsoft Internet Information Server as HTTP proxy<\/td><\/tr><tr><td>ncacn_np<\/td><td>Connection-oriented named pipes (over SMB)<\/td><\/tr><tr><td>ncadg_ip_udp<\/td><td>Datagram (connectionless) User Datagram Protocol\/Internet Protocol (UDP\/IP)<\/td><\/tr><tr><td>ncalrpc<\/td><td>Local procedure call (via ALPC since Windows Vista)<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"rpc-interfaces\">RPC Interfaces<a href=\"https:\/\/csandker.io\/2021\/02\/21\/Offensive-Windows-IPC-2-RPC.html#rpc-interfaces\"><\/a><\/h3>\n\n\n\n<p>To establish a communication channel, the RPC runtime needs to know which methods (aka &#8220;functions&#8221;) and parameters the server offers and which data the client is sending. This information is defined in a so-called &#8220;interface&#8221;.<br><em>Sidenote: If you're familiar with interfaces in COM, it's the same thing.<\/em><\/p>\n\n\n\n<p>To get an idea of how an interface is defined, let's take this example from my <a href=\"https:\/\/github.com\/csandker\/InterProcessCommunication-Samples\/blob\/master\/RPC\/CPP-RPC-Client-Server\/RPC-Interface1\/Interface1-Implicit.idl\">sample code<\/a>:<\/p>\n\n\n\n<p><strong>Interface1.idl<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;\n\t\/\/ UUID: A unique identifier that distinguishes this\n\t\/\/ interface from other interfaces.\n\tuuid(9510b60a-2eac-43fc-8077-aaefbdf3752b),\n\n\t\/\/ This is version 1.0 of this interface.\n\tversion(1.0),\n\n\t\n\t\/\/ Using an implicit handle here named hImplicitBinding:\n\timplicit_handle(handle_t hImplicitBinding)\n\t\n]\ninterface Example1 \/\/ The interface is named Example1\n{\n\t\/\/ A function that takes a zero-terminated string.\n\tint Output(\n\t\t&#91;in, string] const char* pszOutput);\n\n\tvoid Shutdown();\n}\n<\/code><\/pre>\n\n\n\n<p>The first thing to note is that the interface is defined in an Interface Definition Language (IDL) file, which is later compiled by the Microsoft IDL compiler (midl.exe) into header and source files for server and client. The <em>uuid<\/em> and <em>version<\/em> attributes together identify the interface: a client has to know them to bind to it, and MIDL also uses the interface name and version to name the generated interface specification (<em>Example1_v1_0_s_ifspec<\/em> for the server, <em>Example1_v1_0_c_ifspec<\/em> for the client), which is the identifier you'll see handed to <em>RpcServerRegisterIf2<\/em> further down.<br>The rest of the interface header is self-explanatory with the comments given &#8211; ignore the <em>implicit_handle<\/em> directive for now, we'll get to implicit and explicit handles shortly.<br>The body of the interface describes the methods this interface exposes, their return values and their parameters. The <code>[in, string]<\/code> attributes on the parameter of the <em>Output<\/em> function look like documentation, but <code>string<\/code> is what tells the stub to marshal the whole zero-terminated string instead of just the single character the pointer points at.<\/p>\n\n\n\n<p>Sidenote: You can also specify various interface attributes in an Application Configuration File (ACF). Some of them (such as the binding type, explicit vs. implicit) can be placed in the IDL file, but for more complex interfaces you may want to add an extra ACF file per interface.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"rpc-binding\">RPC Binding<a 
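As an added example (not code from the original post or its sample repository), here is a small Python parser for the IDL subset shown above. It pulls the uuid, version and binding type out of the attribute header, lists the methods with their parameters, and derives the names MIDL gives the generated interface specification (Example1_v1_0_s_ifspec for the server, Example1_v1_0_c_ifspec for the client), which is the identifier the server passes to RpcServerRegisterIf2 later in the post. The Example1 IDL embedded below is the one reproduced above; the explicit-handle variant is constructed here for illustration, since the post links its Interface1-Explicit.idl but does not show it.

```python
"""Minimal parser for the MIDL subset used by the Example1 interface: an attribute
header with uuid(), version() and an optional implicit_handle(), followed by a
flat list of method prototypes. Added example; it is not MIDL and emits no stubs."""
import re
from dataclasses import dataclass, field


@dataclass
class Param:
    attrs: list  # attributes such as ["in", "string"]
    ctype: str   # C type as written, e.g. "const char*"
    name: str


@dataclass
class Method:
    ret: str
    name: str
    params: list = field(default_factory=list)


@dataclass
class Interface:
    name: str
    uuid: str
    version: tuple        # (major, minor)
    binding: str          # "implicit", "explicit" or "auto"
    implicit_handle: str  # handle name from implicit_handle(), "" if absent
    methods: list = field(default_factory=list)

    def ifspec_names(self):
        """<name>_v<major>_<minor>_s_ifspec (server side, the value handed to
        RpcServerRegisterIf2) and the matching _c_ifspec for the client stub."""
        stem = f"{self.name}_v{self.version[0]}_{self.version[1]}"
        return stem + "_s_ifspec", stem + "_c_ifspec"


def _split_top(text, sep):
    """Split on sep, ignoring separators nested inside [] or ()."""
    parts, cur, depth = [], [], 0
    for ch in text:
        if ch in "[(":
            depth += 1
        elif ch in "])":
            depth -= 1
        if ch == sep and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def _parse_param(raw):
    attrs, m = [], re.match(r"\[(.*?)\]\s*(.*)", raw, re.S)
    if m:
        attrs, raw = [a.strip() for a in m.group(1).split(",")], m.group(2)
    # The trailing identifier is the parameter name; everything before it is the C type.
    m = re.match(r"(.*?)\s*\b(\w+)$", raw.strip(), re.S)
    return Param(attrs, " ".join(m.group(1).split()), m.group(2))


_IFACE_RE = re.compile(r"\[(.*?)\]\s*interface\s+(\w+)\s*\{(.*)\}", re.S)


def parse_idl(text):
    m = _IFACE_RE.search(re.sub(r"//[^\n]*", "", text))  # strip // comments first
    if not m:
        raise ValueError("no interface definition found")
    header, name, body = m.groups()
    uuid = re.search(r"uuid\(\s*([0-9a-fA-F-]{36})\s*\)", header).group(1).lower()
    ver = re.search(r"version\(\s*(\d+)\.(\d+)\s*\)", header)
    version = (int(ver.group(1)), int(ver.group(2))) if ver else (0, 0)  # MIDL default
    ih = re.search(r"implicit_handle\(\s*handle_t\s+(\w+)\s*\)", header)
    methods = []
    for proto in _split_top(body, ";"):
        ret, mname, plist = re.match(r"(.+?)\s*\b(\w+)\s*\((.*)\)$", proto, re.S).groups()
        methods.append(Method(" ".join(ret.split()), mname,
                              [_parse_param(p) for p in _split_top(plist, ",")]))
    # explicit: every method carries its own handle_t; auto_handle is MIDL's default otherwise
    explicit = bool(methods) and all(mt.params and mt.params[0].ctype == "handle_t" for mt in methods)
    binding = "implicit" if ih else "explicit" if explicit else "auto"
    return Interface(name, uuid, version, binding, ih.group(1) if ih else "", methods)


# The Example1 interface from the post (comments trimmed).
EXAMPLE1_IDL = r"""
[
    uuid(9510b60a-2eac-43fc-8077-aaefbdf3752b),
    version(1.0),
    implicit_handle(handle_t hImplicitBinding)
]
interface Example1 // The interface is named Example1
{
    // A function that takes a zero-terminated string.
    int Output(
        [in, string] const char* pszOutput);
    void Shutdown();
}
"""

# Constructed explicit-handle variant: each call carries the binding handle itself.
EXAMPLE1_EXPLICIT_IDL = r"""
[ uuid(9510b60a-2eac-43fc-8077-aaefbdf3752b), version(1.0) ]
interface Example1
{
    int Output([in] handle_t hBinding, [in, string] const char* pszOutput);
    void Shutdown([in] handle_t hBinding);
}
"""
```

Feed any IDL of this shape to parse_idl() and read the binding type, the method list and ifspec_names() off the returned Interface; for the implicit Example1 above that gives ("Example1_v1_0_s_ifspec", "Example1_v1_0_c_ifspec"), which is exactly the name used in the RpcServerRegisterIf2 calls below.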
href=\"https:\/\/csandker.io\/2021\/02\/21\/Offensive-Windows-IPC-2-RPC.html#rpc-binding\"><\/a><\/h3>\n\n\n\n<p>Once your client connects to an RPC server (we'll cover how that's done later), you create what Microsoft calls a &#8220;binding&#8221;. Or in <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/rpc\/binding-handles\">Microsoft's words<\/a>:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>Binding is the process of creating a logical connection between a client program and a server program. The information that composes the binding between client and server is represented by a structure called a binding handle.<\/p><\/blockquote>\n\n\n\n<p>The term <strong>binding handle<\/strong> becomes clearer once we add some context. Technically, there are three types of binding handles:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Implicit<\/li><li>Explicit<\/li><li>Automatic<\/li><\/ul>\n\n\n\n<p>Sidenote: You could implement custom binding handles, as described <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/rpc\/primitive-and-custom-binding-handles\">here<\/a>, but we'll ignore those in this post, since they're not commonly used and you should be fine with the default types.<\/p>\n\n\n\n<p><strong>Implicit binding handles<\/strong> allow the client to connect to and communicate with a specific RPC server (the interface identified by the UUID in the IDL file). The downside is that implicit bindings are not thread-safe, so multithreaded applications should use explicit bindings. Implicit binding handles are defined in the IDL file, as shown in the example IDL code above or in my <a href=\"https:\/\/github.com\/csandker\/InterProcessCommunication-Samples\/blob\/master\/RPC\/CPP-RPC-Client-Server\/RPC-Interface1\/Interface1-Implicit.idl\">sample implicit interface<\/a>.<br><strong>Explicit binding handles<\/strong> allow the client to connect to and communicate with multiple RPC servers. Explicit binding handles are the recommended choice, since they are thread-safe and allow multiple connections. An example of an explicit binding handle definition can be found in the code <a href=\"https:\/\/github.com\/csandker\/InterProcessCommunication-Samples\/blob\/master\/RPC\/CPP-RPC-Client-Server\/RPC-Interface1\/Interface1-Explicit.idl\">here<\/a>.<br><strong>Automatic binding<\/strong> is the solution in between for lazy developers who don't want to fiddle with binding handles and let the RPC runtime figure out what it needs. My recommendation is to use explicit handles, just so you know what you're doing.<\/p>\n\n\n\n<p>Why do I need a binding handle in the first place, you might ask.<br>Imagine the binding handle represents the communication channel between client and server, like the wire in a <a href=\"https:\/\/www.google.com\/search?q=tin+can+phone&amp;oq=tin+can+phone&amp;sclient=img\">tin can phone<\/a> (I wonder how many people know these &#8220;devices&#8221;&#8230;). Once you have a representation of a communication channel (the &#8220;wire&#8221;), you can add attributes to that channel, like painting your wire to make it more unique.<br>Likewise, binding handles allow you to protect the connection between client and server (because you now have something you can add security to), which results in what Microsoft terms <strong>&#8220;authenticated&#8221; bindings<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"anonymous--authenticated-bindings\">Anonymous &amp; Authenticated Bindings<a href=\"https:\/\/csandker.io\/2021\/02\/21\/Offensive-Windows-IPC-2-RPC.html#anonymous--authenticated-bindings\"><\/a><\/h3>\n\n\n\n<p>Let's say you're running a plain simple RPC server and now a client connects to it. If you don't specify any minimum expectations (which I'll list in a second), this connection between client and server is called an <strong>anonymous<\/strong> or <strong>unauthenticated<\/strong> binding, because your server doesn't know who is connecting to it.<br>To avoid just any client connecting and to strengthen the security of your server, there are three gears you can turn:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>You can set registration flags when registering your server interface; and\/or<\/li><li>You can set a security callback with a custom routine that checks whether a requesting client should be allowed or denied; and\/or<\/li><li>You can set authentication information associated with the binding handle to specify a security service provider and set an SPN to represent the RPC server.<\/li><\/ul>\n\n\n\n<p>Let's look at these three gears one at a time.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"registration-flags\">Registration Flags<a href=\"https:\/\/csandker.io\/2021\/02\/21\/Offensive-Windows-IPC-2-RPC.html#registration-flags\"><\/a><\/h4>\n\n\n\n<p>First, when you create the server you need to register the interface, e.g. by calling <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/api\/rpcdce\/nf-rpcdce-rpcserverregisterif2\">RpcServerRegisterIf2<\/a>&nbsp;&#8211; I'll show you what this call does in the <a href=\"https:\/\/csandker.io\/2021\/02\/21\/Offensive-Windows-IPC-2-RPC.html#rpc-communication-flow\">RPC Communication Flow<\/a> section. As the fourth parameter of&nbsp;<em>RpcServerRegisterIf2<\/em> you can specify <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/rpc\/interface-registration-flags\">interface registration flags<\/a>, e.g. RPC_IF_ALLOW_LOCAL_ONLY to only allow local connections.<br><em>Sidenote: Read this as RPC_<strong>I<\/strong>nter<strong>F<\/strong>ace_ALLOW_LOCAL_ONLY<\/em><\/p>\n\n\n\n<p>An example call could look like this:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>RPC_STATUS rpcStatus = RpcServerRegisterIf2(\n    Example1_v1_0_s_ifspec,         \/\/ Interface to register.\n    NULL,                           \/\/ NULL type UUID\n    NULL,                           \/\/ Use the MIDL generated entry-point vector.\n    RPC_IF_ALLOW_LOCAL_ONLY,        \/\/ Only allow local connections\n    RPC_C_LISTEN_MAX_CALLS_DEFAULT, \/\/ Use default number of concurrent calls.\n    (unsigned)-1,                   \/\/ Infinite max size of incoming data blocks.\n    NULL                            \/\/ No security callback.\n);\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"security-callbacks\">Security Callbacks<a href=\"https:\/\/csandker.io\/2021\/02\/21\/Offensive-Windows-IPC-2-RPC.html#security-callbacks\"><\/a><\/h4>\n\n\n\n<p>Next on the list is the security callback, which you can set as the last parameter of the call above. The RPC runtime invokes it with the interface handle and the client's binding handle before dispatching a client's call on the interface; returning RPC_S_OK admits the client, any other return value rejects the call. By default the verdict is cached per client, unless you also set the RPC_IF_SEC_NO_CACHE registration flag. A callback that always admits everyone could look like this:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/\/ Naive security callback.\nRPC_STATUS CALLBACK SecurityCallback(RPC_IF_HANDLE hInterface, void* pBindingHandle)\n{\n\treturn RPC_S_OK; \/\/ Always allow anyone.\n}\n<\/code><\/pre>\n\n\n\n<p>To include this security callback, simply set the last parameter of the&nbsp;<em>RpcServerRegisterIf2<\/em>&nbsp;function to the name of the callback function, which in this example is just called &#8220;SecurityCallback&#8221;, as shown below:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>RPC_STATUS rpcStatus = RpcServerRegisterIf2(\n    Example1_v1_0_s_ifspec,         \/\/ Interface to register.\n    NULL,                           \/\/ NULL type UUID\n    NULL,                           \/\/ Use the MIDL generated entry-point vector.\n    RPC_IF_ALLOW_LOCAL_ONLY,        \/\/ Only allow local connections\n    RPC_C_LISTEN_MAX_CALLS_DEFAULT, \/\/ Use default number of concurrent calls.\n    (unsigned)-1,                   \/\/ Infinite max size of incoming data blocks.\n    SecurityCallback                \/\/ Security callback defined above.\n);\n<\/code><\/pre>\n\n\n\n<p>This callback function can be implemented any way you like; for example, you could allow or deny connections based on the client's network address, which you can read from the client's string binding (RpcBindingServerFromClient followed by RpcBindingToStringBinding on the binding handle the callback receives), or based on the client's authentication level and principal (RpcBindingInqAuthClient).<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" 
id=\"authenticated-bindings\">Authenticated Bindings<a href=\"https:\/\/csandker.io\/2021\/02\/21\/Offensive-Windows-IPC-2-RPC.html#authenticated-bindings\"><\/a><\/h4>\n\n\n\n<p>Alright, we are getting closer to the end of the RPC terminology and background part... bear with me while we dig into the last concepts.<br>Since I can feel the pain of everyone following along with all this terminology, let's take a moment to recap:<\/p>\n\n\n\n<p>So far you should know that you can create implicit and explicit bindings and use a few Windows API calls to set up an RPC server. In the previous section I added that, while registering the server, you can set registration flags and (if needed) a callback function to protect the server and filter which clients may access it. The last piece of the puzzle is now an additional Windows API that lets server and client authenticate your binding (remember, one of the benefits of having a binding handle is that you can authenticate the binding, e.g. \u201cput some wire on your can phone\u201d).<br>...but why would/should you do that?<br><strong>Authenticated bindings, combined with the right registration flag 
(RPC_IF_ALLOW_SECURE_ONLY), enable an RPC server to ensure that only authenticated users can connect. And, if the client allows it, they enable the server to determine who connected to it by impersonating the client<\/strong>.<\/p>\n\n\n\n<p><em>To tie this back to what you learned before:<\/em> you could also use the SecurityCallback to deny any anonymous client from connecting, but you would have to implement the filtering mechanism yourself, based on attributes you control.<br>Example: you would not be able to determine whether a client is a valid domain user, because you have no access to that account information.<\/p>\n\n\n\n<p>Okay, so how do you specify an authenticated binding?<br>You can authenticate the binding on both the server and the client. On the server side you want to implement this to ensure secure connections, while on the client side you might have to implement it in order to connect to the server at all (as we will see later in the <a href=\"https:\/\/csandker.io\/2021\/02\/21\/Offensive-Windows-IPC-2-RPC.html#access-matrix\">Access Matrix<\/a>).<\/p>\n\n\n\n<p><strong>Authenticating the binding on the server side:<\/strong> [example code taken from <a 
href=\"https:\/\/github.com\/csandker\/InterProcessCommunication-Samples\/blob\/master\/RPC\/CPP-RPC-Client-Server\/RPC-Server1-Explicit-SecurityCallback-Auth\/RPC-Server-Explicit-SecurityCallback-Auth.cpp#L179\">here<\/a>]<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>RPC_STATUS rpcStatus = RpcServerRegisterAuthInfo(\n    pszSpn,             \/\/ Server principal name\n    RPC_C_AUTHN_WINNT,  \/\/ using NTLM as authentication service provider\n    NULL,               \/\/ Use default key function, which is ignored for NTLM SSP\n    NULL                \/\/ No arg for key function\n);\n<\/code><\/pre>\n\n\n\n<p><strong>Authenticating the binding on the client side:<\/strong> [example code taken from <a href=\"https:\/\/github.com\/csandker\/InterProcessCommunication-Samples\/blob\/master\/RPC\/CPP-RPC-Client-Server\/RPC-Client1-Explicit-Auth-QOS\/RPC-Client1-Explicit-Auth-QOS.cpp#L84\">here<\/a>]<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>RPC_STATUS status = RpcBindingSetAuthInfoEx(\n    hExplicitBinding,       \/\/ the client's binding handle\n    pszHostSPN,             \/\/ the server's service principal name (SPN)\n    RPC_C_AUTHN_LEVEL_PKT,  \/\/ authentication level PKT\n    RPC_C_AUTHN_WINNT,      \/\/ using NTLM as authentication service provider\n    NULL,                   \/\/ use current thread credentials\n    RPC_C_AUTHZ_NAME,       \/\/ authorization based on the provided SPN\n    &amp;secQos                \/\/ Quality of Service structure\n);\n<\/code><\/pre>\n\n\n\n<p>The interesting part on the client side is that with an authenticated binding handle you can set a <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/api\/winnt\/ns-winnt-security_quality_of_service\"><strong>Quality of Service 
(QOS)<\/strong><\/a>&nbsp;structure. This QOS structure can, for example, be used on the client side to specify the <strong>impersonation level<\/strong> (for background, see my <a href=\"https:\/\/csandker.io\/2021\/01\/10\/Offensive-Windows-IPC-1-NamedPipes.html#impersonation\">previous IPC post<\/a>), which we will cover later in the <a href=\"https:\/\/csandker.io\/2021\/02\/21\/Offensive-Windows-IPC-2-RPC.html#client-impersonation\">Client Impersonation<\/a> section.<\/p>\n\n\n\n<p><strong>Important note<\/strong>:<br><strong>Setting up an authenticated binding on the server side does not enforce authentication on the client side.<\/strong><br>For example, if no flags are set on the server side, or only <em>RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH<\/em> is set, unauthenticated clients can still connect to the RPC server.<br>Setting the <em>RPC_IF_ALLOW_SECURE_ONLY<\/em> flag, however, prevents unauthenticated clients from binding, because a client cannot set an authentication level (which is what this flag checks) without creating an authenticated binding.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"well-known-vs-dynamic-endpoints\">Well-Known vs. Dynamic Endpoints<a 
href=\"https:\/\/csandker.io\/2021\/02\/21\/Offensive-Windows-IPC-2-RPC.html#well-known-vs-dynamic-endpoints\"><\/a><\/h3>\n\n\n\n<p>Last but not least, we have to clarify one final important aspect of RPC communication: well-known vs. dynamic endpoints.<br>I will try to keep this short, as it is also easy to grasp...<\/p>\n\n\n\n<p>When you start an RPC server, the server registers an interface (as we saw in the <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/api\/rpcdce\/nf-rpcdce-rpcserverregisterif2\">RpcServerRegisterIf2<\/a> code example above) and it also has to define the protocol sequence(s) it wants to listen on (e.g. \u201cncacn_ip_tcp\u201d, \u201cncacn_np\u201d, etc.).<br>Now, the protocol sequence string you specify in the server is not enough to open an RPC port for connections. Imagine you specify \u201cncacn_ip_tcp\u201d as the protocol sequence; that means you instruct the server to open an RPC connection that accepts connections over TCP\/IP. But... on which TCP port should the server actually open the connection?<br>Just like <em>ncacn_ip_tcp<\/em>, the other protocol sequences also need more information about <em>where<\/em> to open the connection object:<\/p>\n\n\n\n<ul 
class=\"wp-block-list\"><li>ncacn_ip_tcp needs a TCP port number, e.g. 9999<\/li><li>ncacn_np needs a named pipe name, e.g. \u201c\\pipe\\FRPC-NP\u201d<\/li><li>ncalrpc needs an ALPC port name, e.g. \u201c\\RPC Control\\FRPC-LRPC\u201d<\/li><\/ul>\n\n\n\n<p>Let's assume you specify <em>ncacn_np<\/em> as the protocol sequence and choose \u201c\\pipe\\FRPC-NP\u201d as the named pipe name.<br>Your RPC server will happily start up and is now waiting for clients to connect. The client, on the other hand, needs to know where it should connect to. You tell the client the server's name, specify <em>ncacn_np<\/em> as the protocol sequence, and set the named pipe name to the same name you defined in the server (\u201c\\pipe\\FRPC-NP\u201d). The client connects successfully, just as if you had built the RPC client and server on a well-known endpoint... which in this case is \u201c\\pipe\\FRPC-NP\u201d.<br>Using a <strong>well-known<\/strong>&nbsp;RPC endpoint simply means that you know all the binding information (protocol sequence and endpoint address) up front and, if you want, can hard-code it in the client and the server. Using well-known endpoints is the easiest way to set up your first RPC 
client\/server connection.<\/p>\n\n\n\n<p>So what are <strong>dynamic endpoints<\/strong>, and why would you use them?<br>In the example above we chose <em>ncacn_np<\/em> and simply picked an arbitrary named pipe name to open our server on. That worked fine because we know (or at least hope) that a named pipe with this name does not yet exist on the server side, since we just made the name up. If we now chose <em>ncacn_ip_tcp<\/em> as the protocol sequence instead, how would we know which TCP port is still free? Well, we could specify that our program needs port 9999 to work and leave it to the administrator to make sure this port is unused, but we could also ask Windows to assign us a free port. That is what a <strong>dynamic endpoint<\/strong> is. Easy... case closed, let's go grab a beer.<br>Wait a second: if we get a port assigned dynamically, how does the client know where to connect to?!...<br>That is the other thing about dynamic endpoints: if you go with a dynamic endpoint, someone needs to tell your client which port you got, and that someone is the&nbsp;<strong>RPC Endpoint Mapper<\/strong> service (which is started and running by default on Windows systems). If a server uses a dynamic endpoint, it needs to call the RPC Endpoint Mapper to register its interface and functions (as specified in the IDL file) with it. Once a client tries to create a binding, it queries the server's RPC Endpoint Mapper for a matching interface, and the Endpoint Mapper fills in the missing information (such as the TCP port) to create the binding.<\/p>\n\n\n\n<p>The main advantage of <strong>dynamic endpoints<\/strong> is the automatic lookup of a free endpoint address when the endpoint address space is limited, as it is with TCP ports. Named pipe and ALPC 
based connections can safely be done with <strong>well-known<\/strong> endpoints, as the address space (aka the arbitrary pipe or port name you pick) is large enough to avoid collisions.<\/p>\n\n\n\n<p>We will wrap this up with code snippets from the server side to solidify our understanding of well-known and dynamic endpoints.<\/p>\n\n\n\n<p><strong>Well-known endpoint implementation<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>RPC_STATUS rpcStatus;\n\/\/ Create Binding Information\nrpcStatus = RpcServerUseProtseqEp(\n    (RPC_WSTR)L\"ncacn_np\",          \/\/ using Named Pipes here\n    RPC_C_PROTSEQ_MAX_REQS_DEFAULT, \/\/ Ignored for Named Pipes (only used for ncacn_ip_tcp, but set this anyway)\n    (RPC_WSTR)L\"\\\\pipe\\\\FRPC-NP\",   \/\/ example Named Pipe name\n    NULL                            \/\/ No Security Descriptor\n);\n\/\/ Register Interface\nrpcStatus = RpcServerRegisterIf2(...); \/\/ As shown in the examples above\n\/\/ OPTIONAL: Register Authentication Information\nrpcStatus = RpcServerRegisterAuthInfo(...); 
\/\/ As shown in the example above\n\/\/ Listen for incoming client connections\nrpcStatus = RpcServerListen(\n    1,                              \/\/ Recommended minimum number of threads.\n    RPC_C_LISTEN_MAX_CALLS_DEFAULT, \/\/ Recommended maximum number of threads.\n    FALSE                           \/\/ Start listening now.\n);\n<\/code><\/pre>\n\n\n\n<p><strong>Dynamic endpoint implementation<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>RPC_STATUS rpcStatus;\nRPC_BINDING_VECTOR* pbindingVector = 0;\n\/\/ Create Binding Information\nrpcStatus = RpcServerUseProtseq(\n    (RPC_WSTR)L\"ncacn_ip_tcp\",      \/\/ using TCP\/IP here; no endpoint is given, so the port is assigned dynamically\n    RPC_C_PROTSEQ_MAX_REQS_DEFAULT, \/\/ Backlog queue length for the ncacn_ip_tcp protocol sequence\n    NULL                            \/\/ No Security Descriptor\n);\n\/\/ Register Interface\nrpcStatus = RpcServerRegisterIf2(...); \/\/ As shown in the examples above\n\/\/ OPTIONAL: Register Authentication Information\nrpcStatus = RpcServerRegisterAuthInfo(...); 
\/\/ As shown in the example above\n\/\/ Get Binding vectors (dynamically assigned)\nrpcStatus = RpcServerInqBindings(&amp;pbindingVector);\n\/\/ Register with RPC Endpoint Mapper\nrpcStatus = RpcEpRegister(\n    Example1_v1_0_s_ifspec,              \/\/ your interface as defined via IDL\n    pbindingVector,                      \/\/ your dynamic binding vectors\n    0,                                   \/\/ We don't want to register the vectors with UUIDs\n    (RPC_WSTR)L\"MyDynamicEndpointServer\" \/\/ Annotation used for information purposes only, max 64 characters\n);\n\/\/ Listen for incoming client connections\nrpcStatus = RpcServerListen(\n    1,                              \/\/ Recommended minimum number of threads.\n    RPC_C_LISTEN_MAX_CALLS_DEFAULT, \/\/ Recommended maximum number of threads.\n    FALSE                           \/\/ Start listening now.\n);\n<\/code><\/pre>\n\n\n\n<p>Note: if you are using well-known endpoints, you can still register your RPC server with the local RPC Endpoint Mapper by calling&nbsp;<a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/api\/rpcdce\/nf-rpcdce-rpcserverinqbindings\">RpcServerInqBindings<\/a>&nbsp;&amp;&nbsp;<a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/api\/rpcdce\/nf-rpcdce-rpcepregister\">RpcEpRegister<\/a> (if you want to). You do not have to do this for your clients to be able to connect, but you can.<\/p>\n\n\n\n<p>If you want to read more about this, the Microsoft documentation on the topic can be found here:<br><a 
href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/rpc\/specifying-endpoints\">https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/rpc\/specifying-endpoints<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"rpc-communication-flow\">RPC Communication Flow<a href=\"https:\/\/csandker.io\/2021\/02\/21\/Offensive-Windows-IPC-2-RPC.html#rpc-communication-flow\"><\/a><\/h3>\n\n\n\n<p>Summing up all of the above, the communication flow can be described as follows:<\/p>\n\n\n\n<ol class=\"wp-block-list\"><li>The <strong>server<\/strong> registers an interface, e.g. using&nbsp;<a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/api\/rpcdce\/nf-rpcdce-rpcserverregisterif2\">RpcServerRegisterIf2<\/a><\/li><li>The <strong>server<\/strong> creates binding information using&nbsp;<a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/api\/rpcdce\/nf-rpcdce-rpcserveruseprotseq\">RpcServerUseProtseq<\/a>&nbsp;&amp;&nbsp;<a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/api\/rpcdce\/nf-rpcdce-rpcserverinqbindings\">RpcServerInqBindings<\/a>&nbsp;(<em>RpcServerInqBindings<\/em> is optional for <a href=\"https:\/\/csandker.io\/2021\/02\/21\/Offensive-Windows-IPC-2-RPC.html#well-known-vs-dynamic-endpoints\">well-known endpoints<\/a>)<\/li><li>The <strong>server<\/strong> registers the endpoint using&nbsp;<a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/api\/rpcdce\/nf-rpcdce-rpcepregister\">RpcEpRegister<\/a>&nbsp;(optional for <a href=\"https:\/\/csandker.io\/2021\/02\/21\/Offensive-Windows-IPC-2-RPC.html#well-known-vs-dynamic-endpoints\">well-known endpoints<\/a>)<\/li><li>The <strong>server<\/strong> can register authentication information using&nbsp;<a 
href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/api\/rpcdce\/nf-rpcdce-rpcserverregisterauthinfo\">RpcServerRegisterAuthInfo<\/a>&nbsp;(optional)<\/li><li>The <strong>server<\/strong> listens for client connections using&nbsp;<a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/api\/rpcdce\/nf-rpcdce-rpcserverlisten\">RpcServerListen<\/a><\/li><li>The <strong>client<\/strong> creates a binding handle using&nbsp;<a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/api\/rpcdce\/nf-rpcdce-rpcstringbindingcompose\">RpcStringBindingCompose<\/a>&nbsp;&amp;&nbsp;<a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/api\/rpcdce\/nf-rpcdce-rpcbindingfromstringbinding\">RpcBindingFromStringBinding<\/a><\/li><li>The <strong>client's<\/strong> RPC run-time library locates the server process by querying the Endpoint Mapper on the server's host system (only required for <a href=\"https:\/\/csandker.io\/2021\/02\/21\/Offensive-Windows-IPC-2-RPC.html#well-known-vs-dynamic-endpoints\">dynamic endpoints<\/a>)<\/li><li>The <strong>client<\/strong> can authenticate the binding handle using&nbsp;<a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/api\/rpcdce\/nf-rpcdce-rpcbindingsetauthinfo\">RpcBindingSetAuthInfo<\/a> (optional)<\/li><li>The <strong>client<\/strong> makes an RPC call by calling one of the functions defined in the interface it uses<\/li><li>The <strong>client's<\/strong> RPC run-time library, with the help of the NDR run-time, marshals the parameters in&nbsp;<a 
href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/rpc\/rpc-ndr-engine\">NDR<\/a>&nbsp;format and sends them to the server<\/li><li>The <strong>server's<\/strong>&nbsp;RPC run-time library hands the marshalled parameters to the stub, which unmarshals them and passes them on to the server routine.<\/li><li>When the&nbsp;<strong>server<\/strong>&nbsp;routine returns, the stub picks up the [out] and [in, out] parameters (defined in the interface's IDL file) and the return value, marshals them, and sends the marshalled data to the server's RPC run-time library, which transmits them back to the client.<\/li><\/ol>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/csandker.io\/public\/img\/2021-02-21-Offensive-Windows-IPC-2-RPC\/RPC_Communication_Flow.png\" alt=\"RPC Communication Flow\"\/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"sample-implementation\">Sample Implementation<a href=\"https:\/\/csandker.io\/2021\/02\/21\/Offensive-Windows-IPC-2-RPC.html#sample-implementation\"><\/a><\/h3>\n\n\n\n<p>As mentioned at the beginning, the examples above are taken from my sample implementations, which are publicly available at:<br><a href=\"https:\/\/github.com\/csandker\/InterProcessCommunication-Samples\/tree\/master\/RPC\/CPP-RPC-Client-Server\">https:\/\/github.com\/csandker\/InterProcessCommunication-Samples\/tree\/master\/RPC\/CPP-RPC-Client-Server<\/a>.<br>In this repository you will find the following sample implementations:<\/p>\n\n\n\n<ul 
class=\"wp-block-list\"><li>A basic unauthenticated server supporting unauthenticated implicit bindings<\/li><li>A basic unauthenticated client supporting unauthenticated implicit bindings<\/li><li>A basic server supporting unauthenticated explicit bindings<\/li><li>A basic server supporting authenticated explicit bindings<\/li><li>A basic client supporting unauthenticated explicit bindings, without QOS<\/li><li>A basic client supporting authenticated explicit bindings, with QOS<\/li><\/ul>\n\n\n\n<p>An example of what these PoCs look like can be seen below:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/csandker.io\/public\/img\/2021-02-21-Offensive-Windows-IPC-2-RPC\/RPC_ClientServer_Messages.png\" alt=\"RPC client-server messages\"\/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"access-matrix\">Access Matrix<a href=\"https:\/\/csandker.io\/2021\/02\/21\/Offensive-Windows-IPC-2-RPC.html#access-matrix\"><\/a><\/h2>\n\n\n\n<p>Alright, if you have followed all of the terminology above, here is the access matrix that visualizes which client can connect to which server.<br><em>Note: you can only connect implicit clients to implicit servers and explicit clients to explicit servers. Otherwise you will get error 
1717 (RPC_S_UNKNOWN_IF).<\/em><\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/csandker.io\/public\/img\/2021-02-21-Offensive-Windows-IPC-2-RPC\/RPC_AccessMatrix.png\" alt=\"RPC Access Matrix\"\/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"attack-surface\">Attack Surface<a href=\"https:\/\/csandker.io\/2021\/02\/21\/Offensive-Windows-IPC-2-RPC.html#attack-surface\"><\/a><\/h2>\n\n\n\n<p>Finally... after all this talk about RPC internals, let's talk about the attack surface of RPC.<br>Obviously, bugs and 0-days can be anywhere along the RPC communication chain, and it always comes down to a case-by-case analysis to understand their exploitation potential, but the general RPC design concepts also carry some exploitation potential, which I will highlight below.<br><em>Side note: if you know of interesting RPC CVEs, send me a mail \/ <a href=\"https:\/\/twitter.com\/0xcsandker\">0xcsandker<\/a><\/em><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"finding-interesting-targets\">Finding Interesting Targets<a href=\"https:\/\/csandker.io\/2021\/02\/21\/Offensive-Windows-IPC-2-RPC.html#finding-interesting-targets\"><\/a><\/h3>\n\n\n\n<p>Alright, before we think about what offensive games we could play with RPC, we first need to find suitable targets.<br>Let's dive into how to find RPC servers and clients on your system.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"rpc-servers\">RPC Servers<a 
href=\"https:\/\/csandker.io\/2021\/02\/21\/Offensive-Windows-IPC-2-RPC.html#rpc-servers\"><\/a><\/h4>\n\n\n\n<p>To recap, a server is built by specifying the required information (protocol sequence and endpoint address) and calling the Windows APIs that build the necessary internal objects and start the server. With that in mind, the easiest way to find RPC servers on a local system is to look for programs that import these RPC Windows APIs.<br>A simple way to do this is the <a href=\"https:\/\/docs.microsoft.com\/en-us\/cpp\/build\/reference\/dumpbin-reference?view=msvc-160\">DumpBin<\/a> utility, which now ships with Visual Studio.<\/p>\n\n\n\n<p>Below is a sample PowerShell snippet that searches <code>C:\\Windows\\System32\\<\/code> on a recent Windows 10:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Get-ChildItem -Path \"C:\\Windows\\System32\\\" -Filter \"*.exe\" -Recurse -ErrorAction SilentlyContinue | % { $out=$(C:\\\"Program Files (x86)\"\\\"Microsoft Visual Studio 14.0\"\\VC\\bin\\dumpbin.exe \/IMPORTS:rpcrt4.dll $_.VersionInfo.FileName); If($out -like \"*RpcServerListen*\"){ Write-Host \"&#91;+] Exe starting RPC Server: $($_.VersionInfo.FileName)\"; Write-Output \"&#91;+] $($_.VersionInfo.FileName)`n`n $($out|%{\"$_`n\"})\" | Out-File -FilePath EXEs_RpcServerListen.txt -Append } }\n<\/code><\/pre>\n\n\n\n<p>This snippet prints the name of the executable to the console and writes the full DumpBin 
output to the file <em>EXEs_RpcServerListen.txt<\/em> (so you can see what DumpBin actually gives you).<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/csandker.io\/public\/img\/2021-02-21-Offensive-Windows-IPC-2-RPC\/RPC_List_Servers_By_Export.png\" alt=\"RPC servers by export\"\/><\/figure>\n\n\n\n<p>Another way to find interesting RPC servers is to query the RPC Endpoint Mapper on the local or on any remote system.<br>Microsoft has a test utility called <a href=\"https:\/\/www.microsoft.com\/en-us\/download\/details.aspx?id=17148\">PortQry<\/a> to do this (a GUI version of the tool is also available), which you can use like this: <code>C:\\PortQryV2\\PortQry.exe -n &lt;HostName&gt; -e 135<\/code><\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/csandker.io\/public\/img\/2021-02-21-Offensive-Windows-IPC-2-RPC\/PortQryv2.png\" alt=\"PortQry v2\"\/><\/figure>\n\n\n\n<p>This tool gives you some information about the remote RPC interfaces the Endpoint Mapper knows about (remember that <a href=\"https:\/\/csandker.io\/2021\/02\/21\/Offensive-Windows-IPC-2-RPC.html#well-known-vs-dynamic-endpoints\">well-known endpoints<\/a> do not have to inform the Endpoint Mapper about their interfaces).<\/p>\n\n\n\n<p>Another option is to query the Endpoint Mapper directly by calling&nbsp;<a 
href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/api\/rpcdce\/nf-rpcdce-rpcmgmtepeltinqbegin\">RpcMgmtEpEltInqBegin<\/a>&nbsp;and iterating over the interfaces via&nbsp;<a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/api\/rpcdce\/nf-rpcdce-rpcmgmtepeltinqnext\">RpcMgmtEpEltInqNext<\/a>. A sample implementation of this approach, called <strong>RPCDump<\/strong>, is included in Chris McNab's fantastic book \u201c<em>Network Security Assessment<\/em>\u201d; O'Reilly published the tool, written in C, <a href=\"https:\/\/resources.oreilly.com\/examples\/9780596510305\/blob\/master\/tools\/rpctools\/rpcdump\/rpcdump.c\">here<\/a> (according to the comments in the code, the credit for it should go to Todd Sabin).<br>I have ported this cool tool to VC++ and made a few slight usability changes. I have published my fork at&nbsp;<a href=\"https:\/\/github.com\/csandker\/RPCDump\">https:\/\/github.com\/csandker\/RPCDump<\/a>.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/csandker.io\/public\/img\/2021-02-21-Offensive-Windows-IPC-2-RPC\/RPC_Dump.png\" alt=\"RPC Dump\"\/><\/figure>\n\n\n\n<p>As shown, this tool also lists the interfaces of the RPC endpoints it found, along with some other information. I will not go into all of these fields in detail, but if you are interested, have a look at the <a href=\"https:\/\/github.com\/csandker\/RPCDump\">code<\/a> and read the Windows 
API documentation. For example, statistics are retrieved by calling&nbsp;<a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/api\/rpcdce\/nf-rpcdce-rpcmgmtinqstats\">RpcMgmtInqStats<\/a>, whose returned values are referenced in the <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/api\/rpcdce\/nf-rpcdce-rpcmgmtinqstats#remarks\">\u201cRemarks\u201d<\/a> section.<\/p>\n\n\n\n<p>Again, keep in mind that only RPC interfaces registered with the target's Endpoint Mapper are listed.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"rpc-clients\">RPC Clients<a href=\"https:\/\/csandker.io\/2021\/02\/21\/Offensive-Windows-IPC-2-RPC.html#rpc-clients\"><\/a><\/h4>\n\n\n\n<p>Finding clients that connect to remote or local RPC servers can also be an interesting target.<br>There is no single authority that knows which RPC clients are currently running, so you have two options to find clients:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Look for executables\/processes that use client-side RPC APIs; or<\/li><li>Catch clients in the act<\/li><\/ul>\n\n\n\n<p>Finding local executables that import client-side RPC APIs works much like what we already did with&nbsp;<a href=\"https:\/\/docs.microsoft.com\/en-us\/cpp\/build\/reference\/dumpbin-reference?view=msvc-160\">DumpBin<\/a>&nbsp;to find servers. A good Windows API to look for is <a 
href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/api\/rpcdce\/nf-rpcdce-rpcstringbindingcompose\">RpcStringBindingCompose<\/a>\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Get-ChildItem -Path \"C:\\Windows\\System32\\\" -Filter \"*.exe\" -Recurse -ErrorAction SilentlyContinue | % { $out=$(C:\\\"Program Files (x86)\"\\\"Microsoft Visual Studio 14.0\"\\VC\\bin\\dumpbin.exe \/IMPORTS:rpcrt4.dll $_.VersionInfo.FileName); If($out -like \"*RpcStringBindingCompose*\"){ Write-Host \"&#91;+] Exe creates RPC Binding (potential RPC Client) : $($_.VersionInfo.FileName)\"; Write-Output \"&#91;+] $($_.VersionInfo.FileName)`n`n $($out|%{\"$_`n\"})\" | Out-File -FilePath EXEs_RpcClients.txt -Append } }\n<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/csandker.io\/public\/img\/2021-02-21-Offensive-Windows-IPC-2-RPC\/RPC_List_Clients_By_Export.png\" alt=\"\u6309\u5bfc\u51fa\u7684 RPC \u5ba2\u6237\u7aef\"\/><\/figure>\n\n\n\n<p>\u67e5\u627e RPC \u5ba2\u6237\u7aef\u7684\u53e6\u4e00\u4e2a\u9009\u9879\u662f\u5728\u5b83\u4eec\u8fde\u63a5\u5230\u76ee\u6807\u65f6\u53d1\u73b0\u5b83\u4eec\u3002\u5982\u4f55\u53d1\u73b0\u5ba2\u6237\u7aef\u7684\u4e00\u4e2a\u793a\u4f8b\u662f\u901a\u8fc7\u68c0\u67e5\u901a\u8fc7\u4e24\u4e2a\u7cfb\u7edf\u4e4b\u95f4\u7684\u7f51\u7edc\u53d1\u9001\u7684\u6d41\u91cf\u3002Wireshark\u6709\u4e00\u4e2a\u201cDCERPC\u201d\u6ee4\u6ce2\u5668\uff0c\u53ef\u7528\u4e8e\u53d1\u73b0\u8fde\u63a5\u3002<br>\u5ba2\u6237\u7aef\u8fde\u63a5\u5230\u670d\u52a1\u5668\u7684\u793a\u4f8b\u5982\u4e0b\u6240\u793a\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/csandker.io\/public\/img\/2021-02-21-Offensive-Windows-IPC-2-RPC\/RPC_Client_DCERPC_Connection.png\" alt=\"\u6309\u5bfc\u51fa\u7684 RPC 
\u5ba2\u6237\u7aef\"\/><\/figure>\n\n\n\n<p>\u7ed1\u5b9a\u8bf7\u6c42\u662f\u6211\u4eec\u53ef\u4ee5\u67e5\u627e\u4ee5\u6807\u8bc6\u5ba2\u6237\u7aef\u7684\u5185\u5bb9\u4e4b\u4e00\u3002\u5728\u9009\u62e9\u5305\u4e2d\uff0c\u6211\u4eec\u53ef\u4ee5\u770b\u5230\u4e00\u4e2a\u5ba2\u6237\u7aef\u5c1d\u8bd5\u7ed1\u5b9a\u5230UUID\u4e3a\u201cd6b1ad2b-b550-4729-b6c2-1651f58480c3\u201d\u7684\u670d\u52a1\u5668\u63a5\u53e3\u3002<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"unauthorized-access\">\u672a\u7ecf\u6388\u6743\u7684\u8bbf\u95ee<a href=\"https:\/\/csandker.io\/2021\/02\/21\/Offensive-Windows-IPC-2-RPC.html#unauthorized-access\"><\/a><\/h3>\n\n\n\n<p>\u4e00\u65e6\u60a8\u786e\u5b9a\u4e86\u4e00\u4e2a RPC \u670d\u52a1\u5668\uff0c\u8be5\u670d\u52a1\u5668\u516c\u5f00\u4e86\u53ef\u80fd\u5bf9\u60a8\u7684\u653b\u51fb\u94fe\u6709\u7528\u7684\u6709\u8da3\u529f\u80fd\uff0c\u90a3\u4e48\u6700\u660e\u663e\u7684\u68c0\u67e5\u5c31\u662f\u60a8\u662f\u5426\u53ef\u4ee5\u672a\u7ecf\u6388\u6743\u8bbf\u95ee\u8be5\u670d\u52a1\u5668\u3002<br>\u60a8\u53ef\u4ee5\u5b9e\u73b0\u81ea\u5df1\u7684\u5ba2\u6237\u7aef\uff0c\u4f8b\u5982\uff0c\u57fa\u4e8e\u6211\u7684<a href=\"https:\/\/csandker.io\/2021\/02\/21\/Offensive-Windows-IPC-2-RPC.html#sample-implementation\">\u793a\u4f8b\u5b9e\u73b0<\/a>\uff0c\u4e5f\u53ef\u4ee5\u53c2\u8003<a href=\"https:\/\/csandker.io\/2021\/02\/21\/Offensive-Windows-IPC-2-RPC.html#access-matrix\">\u8bbf\u95ee\u77e9\u9635<\/a>\u6765\u68c0\u67e5\u60a8\u7684\u5ba2\u6237\u7aef\u662f\u5426\u53ef\u4ee5\u8fde\u63a5\u5230\u670d\u52a1\u5668\u3002<\/p>\n\n\n\n<p>\u5982\u679c\u60a8\u5df2\u7ecf\u6df1\u5165\u7814\u7a76\u4e86 RPC \u670d\u52a1\u5668\u7684\u9006\u5411\u5de5\u7a0b\uff0c\u5e76\u53d1\u73b0\u670d\u52a1\u5668\u901a\u8fc7\u8c03\u7528&nbsp;<a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/api\/rpcdce\/nf-rpcdce-rpcserverregisterauthinfo\">RpcServerRegisterAuthInfo<\/a>&nbsp;\u53ca\u5176 SPN 
\u548c\u6307\u5b9a\u7684\u670d\u52a1\u63d0\u4f9b\u7a0b\u5e8f\u6765\u8bbe\u7f6e\u8eab\u4efd\u9a8c\u8bc1\u4fe1\u606f\uff0c\u8bf7\u6ce8\u610f\uff0c<strong>\u7ecf\u8fc7\u8eab\u4efd\u9a8c\u8bc1\u7684\u670d\u52a1\u5668\u7ed1\u5b9a\u4e0d\u4f1a\u5f3a\u5236\u5ba2\u6237\u7aef\u4f7f\u7528\u7ecf\u8fc7\u8eab\u4efd\u9a8c\u8bc1\u7684\u7ed1\u5b9a<\/strong>\u3002\u6362\u53e5\u8bdd\u8bf4\uff1a\u4ec5\u4ec5\u56e0\u4e3a\u670d\u52a1\u5668\u8bbe\u7f6e\u4e86\u8eab\u4efd\u9a8c\u8bc1\u4fe1\u606f\u5e76\u4e0d\u610f\u5473\u7740\u5ba2\u6237\u7aef\u9700\u8981\u901a\u8fc7\u7ecf\u8fc7\u8eab\u4efd\u9a8c\u8bc1\u7684\u7ed1\u5b9a\u8fdb\u884c\u8fde\u63a5\u3002\u6b64\u5916\uff0c\u5728\u8fde\u63a5\u5230\u8bbe\u7f6e\u8eab\u4efd\u9a8c\u8bc1\u4fe1\u606f\u7684\u670d\u52a1\u5668\u65f6\uff0c\u8bf7\u6ce8\u610f<strong>\u8fd0\u884c\u65f6\u5e93 \uff08rpcrt4.dll \u4e0d\u4f1a\u8c03\u5ea6\u5177\u6709\u65e0\u6548\u51ed\u636e\u7684\u5ba2\u6237\u7aef\u8c03\u7528\uff0c\u4f46\u662f\uff0c\u5c06\u8c03\u5ea6\u6ca1\u6709\u51ed\u636e\u7684\u5ba2\u6237\u7aef\u8c03\u7528<\/strong>\u3002\u6216\u8005\u7528\u5fae\u8f6f\u7684\u8bdd\u6765\u8bf4\uff1a<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>\u8bf7\u8bb0\u4f4f\uff0c\u9ed8\u8ba4\u60c5\u51b5\u4e0b\uff0c\u5b89\u5168\u6027\u662f\u53ef\u9009\u7684<br><em>\u6e90\uff1a<a 
href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/api\/rpcdce\/nf-rpcdce-rpcserverregisterifex\">https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/api\/rpcdce\/nf-rpcdce-rpcserverregisterifex<\/a><\/em><\/p><\/blockquote>\n\n\n\n<p>\u4e00\u65e6\u60a8\u8fde\u63a5\u5230\u670d\u52a1\u5668\uff0c\u5c31\u4f1a\u51fa\u73b0\u201c\u4e0b\u4e00\u6b65\u8be5\u505a\u4ec0\u4e48\u201d\u7684\u95ee\u9898&#8230;&#8230;<br>\u597d\u5427\uff0c\u7136\u540e\u60a8\u5c31\u53ef\u4ee5\u8c03\u7528\u63a5\u53e3\u51fd\u6570\uff0c\u574f\u6d88\u606f\u662f\uff1a\u60a8\u9700\u8981\u9996\u5148\u8bc6\u522b\u51fd\u6570\u540d\u79f0\u548c\u53c2\u6570\uff0c\u8fd9\u5f52\u7ed3\u4e3a\u5bf9\u76ee\u6807\u670d\u52a1\u5668\u8fdb\u884c\u9006\u5411\u5de5\u7a0b\u3002<br>\u5982\u679c\u4f60\u8fd0\u6c14\u597d\u7684\u8bdd\uff0c\u4f60\u770b\u5230\u7684\u4e0d\u662f\u7eaf\u7cb9\u7684RPC\u670d\u52a1\u5668\uff0c\u800c\u662fCOM\u670d\u52a1\u5668\uff08COM\uff0c\u7279\u522b\u662fDCOM\uff0c\u5728\u5f15\u64ce\u76d6\u4e0b\u4f7f\u7528RPC\uff09\uff0c\u90a3\u4e48\u670d\u52a1\u5668\u53ef\u80fd\u4f1a\u9644\u5e26\u4e00\u4e2a\u7c7b\u578b\u5e93\uff08.tlb\uff09\uff0c\u4f60\u53ef\u4ee5\u7528\u5b83\u6765\u67e5\u627e\u63a5\u53e3\u529f\u80fd\u3002<\/p>\n\n\n\n<p>\u6211\u4e0d\u4f1a\u5728\u8fd9\u91cc\u66f4\u6df1\u5165\u5730\u4ecb\u7ecd\u7c7b\u578b\u5e93\u6216\u5176\u4ed6\u4efb\u4f55\u5185\u5bb9\uff08\u535a\u5ba2\u6587\u7ae0\u5df2\u7ecf\u5f88\u957f\u4e86\uff09\uff0c\u4f46\u6211\u5bf9\u5728\u8fd9\u79cd\u60c5\u51b5\u4e0b\u7684\u4eba\u7684\u4e00\u822c\u5efa\u8bae\u662f\uff1a\u83b7\u53d6\u6211\u7684\u793a\u4f8bRPC\u5ba2\u6237\u7aef\u548c\u670d\u52a1\u5668\u4ee3\u7801\uff0c\u7f16\u8bd1\u5b83\u5e76\u4f7f\u7528\u60a8\u77e5\u9053\u7684\u793a\u4f8b\u4ee3\u7801\u5f00\u59cb\u60a8\u7684\u9006\u5411\u5de5\u7a0b\u4e4b\u65c5\u3002\u5728\u8fd9\u79cd\u7279\u5b9a\u60c5\u51b5\u4e0b\uff0c\u8ba9\u6211\u6dfb\u52a0\u53e6\u4e00\u4e2a\u7ebf\u7d22\uff1a\u6211\u7684\u793a\u4f8b\u63a5\u53e3\u5728IDL\u6587\u4ef6\u4e2d\u5b9a\u4e49\u4e86\u4e00\u4e2a\u201c\u8f93\u51f
a\u201d\u51fd\u6570\uff0c\u8fd9\u4e2a\u201c\u8f93\u51fa\u201d\u51fd\u6570\u4ee5print\u8bed\u53e5\u5f00\u5934\uff0c\u4f8b\u5982\uff0c\u60a8\u53ef\u4ee5\u901a\u8fc7\u641c\u7d22\u5b50\u5b57\u7b26\u4e32\u5f00\u59cb\uff0c\u4ee5\u786e\u5b9a\u6b64\u7279\u5b9a\u63a5\u53e3\u51fd\u6570\u7684\u4f4d\u7f6e\u3002<code>printf(\"[~] Client Message: %s\\n\", pszOutput);<\/code><code>[~] Client Message<\/code><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"client-impersonation\">\u5ba2\u6237\u7aef\u6a21\u62df<a href=\"https:\/\/csandker.io\/2021\/02\/21\/Offensive-Windows-IPC-2-RPC.html#client-impersonation\"><\/a><\/h3>\n\n\n\n<p>\u5ba2\u6237\u7aef\u6a21\u62df\u8fd8\u63d0\u4f9b\u4e86\u6709\u8da3\u7684\u653b\u51fb\u9762\u3002\u6211\u5df2\u7ecf\u5728\u672c\u7cfb\u5217\u7684\u6700\u540e\u4e00\u90e8\u5206\u5bf9\u4ec0\u4e48\u662f\u5192\u5145\u4ee5\u53ca\u5b83\u662f\u5982\u4f55\u5de5\u4f5c\u7684\u8fdb\u884c\u4e86\u4e00\u4e9b\u9610\u8ff0\uff0c\u5982\u679c\u60a8\u9519\u8fc7\u4e86\u8fd9\u4e00\u70b9\u5e76\u4e14\u9700\u8981\u5bf9\u5192\u5145\u8fdb\u884c\u91cd\u65b0\u4e86\u89e3\uff0c\u60a8\u4f1a\u53d1\u73b0<a href=\"https:\/\/csandker.io\/2021\/01\/10\/Offensive-Windows-IPC-1-NamedPipes.html#impersonation\">\u5728\u6211\u4e0a\u4e00\u7bc7\u6587\u7ae0\u7684\u6a21\u62df\u90e8\u5206\u4e2d<\/a>\u5bf9\u6b64\u8fdb\u884c\u4e86\u89e3\u91ca\u3002<\/p>\n\n\n\n<p>\u6a21\u62df\u5ba2\u6237\u7aef\u7684\u914d\u65b9\u5982\u4e0b\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>\u60a8\u9700\u8981\u4e00\u4e2a\u8fde\u63a5\u5230\u670d\u52a1\u5668\u7684 RPC 
\u5ba2\u6237\u7aef<\/li><li>\u5ba2\u6237\u7aef\u5fc5\u987b\u4f7f\u7528\u7ecf\u8fc7\u8eab\u4efd\u9a8c\u8bc1\u7684\u7ed1\u5b9a\uff08\u5426\u5219\uff0c\u60a8\u5c06\u6ca1\u6709\u53ef\u4ee5\u6a21\u62df\u7684\u5b89\u5168\u4fe1\u606f\uff09<\/li><li>\u5ba2\u6237\u7aef\u4e0d\u5f97\u5728\u201c\u5b89\u5168\u6a21\u62df\u201d\u4e0b\u8bbe\u7f6e\u201c\u6a21\u62df\u7ea7\u522b\u201d\u7ecf\u8fc7\u8eab\u4efd\u9a8c\u8bc1<em>\u201c<\/em>\u7ed1\u5b9a<\/li><li>&#8230;\u5c31\u662f\u8fd9\u6837<\/li><\/ul>\n\n\n\n<p>\u5192\u5145\u8fc7\u7a0b\u5c31\u50cf\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>\u4ece\u670d\u52a1\u5668\u63a5\u53e3\u51fd\u6570<br>\u4e2d\u8c03\u7528&nbsp;<a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/api\/rpcdce\/nf-rpcdce-rpcimpersonateclient\">RpcImpersonateClient<\/a>&nbsp;<em>\u8bf7\u6ce8\u610f\uff0c\u6b64\u51fd\u6570\u5c06\u7ed1\u5b9a\u53e5\u67c4\u4f5c\u4e3a\u8f93\u5165\uff0c\u56e0\u6b64\u60a8\u9700\u8981\u4e00\u4e2a\u663e\u5f0f\u7ed1\u5b9a\u670d\u52a1\u5668\u6765\u4f7f\u7528\u6a21\u62df\uff08\u8fd9\u6709\u610f\u4e49\uff09<\/em><\/li><li>\u5982\u679c\u8be5\u8c03\u7528\u6210\u529f\uff0c\u670d\u52a1\u5668\u7684\u7ebf\u7a0b\u4e0a\u4e0b\u6587\u5c06\u66f4\u6539\u4e3a\u5ba2\u6237\u7aef\u7684\u5b89\u5168\u4e0a\u4e0b\u6587\uff0c\u60a8\u53ef\u4ee5\u8c03\u7528&nbsp;<a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/api\/processthreadsapi\/nf-processthreadsapi-getcurrentthread\">GetCurrentThread<\/a>&nbsp;&amp;&nbsp;<a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/api\/processthreadsapi\/nf-processthreadsapi-openthreadtoken\">OpenThreadToken<\/a>&nbsp;\u6765\u63a5\u6536\u5ba2\u6237\u7aef\u7684\u6a21\u62df\u4ee4\u724c\u3002<br><em>\u5982\u679c\u60a8\u73b0\u5728\u559c\u6b22\u201cWTF\u5b89\u5168\u4e0a\u4e0b\u6587\u66f4\u6539\uff1f\uff01\u201d\uff0c\u5982\u679c\u60a8\u66f4\u559c\u6b22\u201cWTF\u6a21\u62df\u4ee4\u724c\uff1f\u201d\uff0c\u60a8\u5c06\u5728<a 
href=\"https:\/\/csandker.io\/2021\/01\/10\/Offensive-Windows-IPC-1-NamedPipes.html#impersonating-a-named-pipe-client\">IPC\u547d\u540d\u7ba1\u9053\u5e16\u5b50<\/a><\/em><br><em>\u4e2d\u627e\u5230\u7b54\u6848\uff1f\uff01\u201c\u60a8\u4f1a\u5728\u6211\u7684<a href=\"https:\/\/csandker.io\/2018\/06\/14\/AWindowsAuthorizationGuide.html#access-tokens\">Windows\u6388\u6743\u6307\u5357<\/a>\u4e2d\u627e\u5230\u7b54\u6848<\/em><\/li><li>\u8c03\u7528&nbsp;<a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/api\/securitybaseapi\/nf-securitybaseapi-duplicatetokenex\">DuplicateTokenEx<\/a>&nbsp;\u5c06\u6a21\u62df\u4ee4\u724c\u8f6c\u6362\u4e3a\u4e3b\u4ee4\u724c\u540e\uff0c\u60a8\u53ef\u4ee5\u901a\u8fc7\u8c03\u7528&nbsp;<a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/api\/rpcdce\/nf-rpcdce-rpcreverttoself\">RpcRevertToSelfEx<\/a>&nbsp;\u6109\u5feb\u5730\u8fd4\u56de\u5230\u539f\u59cb\u670d\u52a1\u5668\u7ebf\u7a0b\u4e0a\u4e0b\u6587<\/li><li>\u6700\u540e\uff0c\u60a8\u53ef\u4ee5\u8c03\u7528<a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/api\/winbase\/nf-winbase-createprocesswithtokenw\">CreateProcessWithTokenW<\/a>\u6765\u4f7f\u7528\u5ba2\u6237\u7aef\u7684\u4ee4\u724c\u521b\u5efa\u65b0\u8fdb\u7a0b\u3002<\/li><\/ul>\n\n\n\n<p>\u8bf7\u6ce8\u610f\uff0c\u8fd9\u53ea\u662f\u4f7f\u7528\u5ba2\u6237\u7aef\u4ee4\u724c\u521b\u5efa\u6d41\u7a0b\u7684\u4e00\u79cd\u65b9\u6cd5\uff0c\u4f46\u5728\u6211\u770b\u6765\uff0c\u5b83\u5f88\u597d\u5730\u63cf\u7ed8\u4e86\u6267\u884c\u8fd9\u4e9b\u4e8b\u60c5\u7684\u65b9\u5f0f\uff0c\u56e0\u6b64\u6211\u5728\u8fd9\u91cc\u4f7f\u7528\u8fd9\u79cd\u65b9\u6cd5\u3002\u53ef\u4ee5<a 
href=\"https:\/\/github.com\/csandker\/InterProcessCommunication-Samples\/blob\/master\/RPC\/CPP-RPC-Client-Server\/RPC-Util\/Command.cpp#L255\">\u5728\u6b64\u5904<\/a>\u627e\u5230\u6b64\u4ee3\u7801\u7684\u793a\u4f8b\u5b9e\u73b0\u3002<br>\u987a\u4fbf\u8bf4\u4e00\u53e5\uff0c\u8fd9\u4e0e\u6211\u5728\u4e0a\u4e00\u7bc7\u6587\u7ae0\u4e2d\u7528\u4e8e\u6a21\u62df\u547d\u540d\u7ba1\u9053\u5ba2\u6237\u7aef\u7684\u8fc7\u7a0b\u76f8\u540c\u3002<\/p>\n\n\n\n<p>\u5982\u4e0a\u9762\u7684\u914d\u65b9\u6b65\u9aa4\u4e2d\u6240\u8ff0\uff0c\u60a8\u53ea\u9700\u8981\u4e00\u4e2a\u8fde\u63a5\u5230\u670d\u52a1\u5668\u7684\u5ba2\u6237\u7aef\uff0c\u5e76\u4e14\u8be5\u5ba2\u6237\u7aef\u5fc5\u987b\u4f7f\u7528\u7ecf\u8fc7\u8eab\u4efd\u9a8c\u8bc1\u7684\u7ed1\u5b9a\u3002<br>\u5982\u679c\u5ba2\u6237\u7aef\u672a\u5bf9\u5176\u7ed1\u5b9a\u8fdb\u884c\u8eab\u4efd\u9a8c\u8bc1\uff0c\u5219\u5bf9&nbsp;<a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/api\/rpcdce\/nf-rpcdce-rpcimpersonateclient\">RpcImpersonateClient<\/a>&nbsp;\u7684\u8c03\u7528\u5c06\u5bfc\u81f4\u9519\u8bef 1764 \uff08RPC_S_BINDING_HAS_NO_AUTH\uff09\u3002<br>\u67e5\u627e\u53ef\u4ee5\u8fde\u63a5\u5230\u670d\u52a1\u5668\u7684\u5408\u9002\u5ba2\u6237\u7aef\u5f52\u7ed3\u4e3a\u67e5\u627e RPC \u5ba2\u6237\u7aef\uff08\u8bf7\u53c2\u9605<a href=\"https:\/\/csandker.io\/2021\/02\/21\/Offensive-Windows-IPC-2-RPC.html#rpc-clients\">\u67e5\u627e RPC 
\u5ba2\u6237\u7aef<\/a>\u4e00\u8282\uff09\u5e76\u627e\u5230\u53ef\u4ee5\u8fde\u63a5\u5230\u670d\u52a1\u5668\u7684\u5ba2\u6237\u7aef\u3002\u597d\u5427\uff0c\u540e\u8005\u53ef\u80fd\u662f\u8fd9\u4e2a\u6f0f\u6d1e\u5229\u7528\u94fe\u4e2d\u68d8\u624b\u7684\u90e8\u5206\uff0c\u6211\u4e0d\u80fd\u5728\u8fd9\u91cc\u7ed9\u51fa\u6709\u5173\u5982\u4f55\u627e\u5230\u8fd9\u4e9b\u8fde\u63a5\u7684\u4e00\u822c\u5efa\u8bae\u3002\u5176\u4e2d\u4e00\u4e2a\u539f\u56e0\u662f\u56e0\u4e3a\u5b83\u53d6\u51b3\u4e8e\u5ba2\u6237\u7aef\u4f7f\u7528\u7684\u534f\u8bae\u5e8f\u5217\uff0c\u5176\u4e2d\u672a\u5e94\u7b54\u7684TCP\u8c03\u7528\u5728\u7f51\u7edc\u4e0a\u55c5\u63a2\u65f6\u53ef\u80fd\u662f\u6700\u597d\u7684\u68c0\u6d4b\uff0c\u5176\u4e2d\u672a\u5e94\u7b54\u7684\u547d\u540d\u7ba1\u9053\u8fde\u63a5\u5c1d\u8bd5\u4e5f\u53ef\u80fd\u5728\u5ba2\u6237\u7aef\u6216\u670d\u52a1\u5668\u7684\u4e3b\u673a\u7cfb\u7edf\u4e0a\u88ab\u53d1\u73b0\u3002<\/p>\n\n\n\n<p>\u5728\u672c\u7cfb\u5217\u7684\u7b2c\u4e00\u90e8\u5206\uff08\u5173\u4e8e\u547d\u540d\u7ba1\u9053\uff09\u4e2d\uff0c\u6211\u5bf9\u5ba2\u6237\u5192\u5145\u8fdb\u884c\u4e86\u66f4\u5927\u7684\u5173\u6ce8\uff0c\u56e0\u6b64\u6211\u5c06\u5728\u8fd9\u91cc\u4fdd\u62a4\u81ea\u5df1\u51e0\u53e5\u8bdd\u3002\u4f46\u662f\uff0c\u5982\u679c\u60a8\u8fd8\u6ca1\u6709\u8fd9\u6837\u505a\uff0c\u6211\u5efa\u8bae\u60a8\u9605\u8bfb<a href=\"https:\/\/csandker.io\/2021\/01\/10\/Offensive-Windows-IPC-1-NamedPipes.html#instance-creation-race-condition\">\u5b9e\u4f8b\u521b\u5efa\u7ade\u4e89\u6761\u4ef6<\/a>\u4ee5\u53ca<a href=\"https:\/\/csandker.io\/2021\/01\/10\/Offensive-Windows-IPC-1-NamedPipes.html#instance-creation-special-flavors\">\u5b9e\u4f8b\u521b\u5efa\u7279\u6b8a\u7c7b\u578b<\/a>\u3002\u540c\u6837\u7684\u539f\u5219\u4e5f\u9002\u7528\u4e8e\u6b64\u3002<\/p>\n\n\n\n<p>\u66f4\u6709\u8da3\u7684\u65b9\u9762\u662f\u6211\u6545\u610f\u5728\u4e0a\u9762\u5199\u7684\uff1a\u201c\u5ba2\u6237\u7aef\u4e0d\u5f97\u5728SecurityImpersonation* 
\u4e0b\u9762\u8bbe\u7f6e\u6a21\u62df\u7ea7\u522b\u8eab\u4efd\u9a8c\u8bc1\u7ed1\u5b9a&#8230;&#8230;\u8fd9\u542c\u8d77\u6765\u6709\u70b9\u50cf\u9009\u62e9\u9000\u51fa\u7684\u8fc7\u7a0b\uff0c\u8fd9\u6b63\u662f\u5b83\u3002<br>\u8bf7\u8bb0\u4f4f\uff0c\u5728\u521b\u5efa\u7ecf\u8fc7\u8eab\u4efd\u9a8c\u8bc1\u7684\u7ed1\u5b9a\u65f6\uff0c\u53ef\u4ee5\u5728\u5ba2\u6237\u7aef\u8bbe\u7f6e<a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/api\/winnt\/ns-winnt-security_quality_of_service\">\u670d\u52a1\u8d28\u91cf \uff08QOS\uff09<\/a>&nbsp;\u7ed3\u6784\u5417\uff1f\u5982<a href=\"https:\/\/csandker.io\/2021\/02\/21\/Offensive-Windows-IPC-2-RPC.html#authenticated-bindings\">\u201c\u7ecf\u8fc7\u8eab\u4efd\u9a8c\u8bc1\u7684\u7ed1\u5b9a\u201d<\/a>\u4e00\u8282\u4e2d\u6240\u8ff0\uff0c\u5728\u8fde\u63a5\u5230\u670d\u52a1\u5668\u65f6\uff0c\u53ef\u4ee5\u4f7f\u7528\u8be5\u7ed3\u6784\u6765\u786e\u5b9a\u6a21\u62df\u7ea7\u522b\u3002<strong>\u6709\u8da3\u7684\u662f\uff0c\u5982\u679c\u60a8\u6ca1\u6709\u8bbe\u7f6e\u4efb\u4f55QOS\u7ed3\u6784\uff0c\u5219\u9ed8\u8ba4\u503c\u5c06\u662fSecurityImpersonation<\/strong>\uff0c\u53ea\u8981\u5ba2\u6237\u7aef\u6ca1\u6709\u5728<em>SecurityImpassion<\/em>\u4e0b\u663e\u5f0f\u8bbe\u7f6e\u6a21\u62df\u7ea7\u522b\uff0c\u5b83\u5c31\u5141\u8bb8\u4efb\u4f55\u670d\u52a1\u5668\u6a21\u62dfRPC\u5ba2\u6237\u7aef\u3002<\/p>\n\n\n\n<p>\u7136\u540e\uff0c\u6a21\u62df\u7684\u7ed3\u679c\u53ef\u80fd\u5982\u4e0b\u6240\u793a\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/csandker.io\/public\/img\/2021-02-21-Offensive-Windows-IPC-2-RPC\/RPC_Impersonating_Client.png\" alt=\"RPC \u6a21\u62df\"\/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"server-non-impersonation\">\u670d\u52a1\u5668\u975e\u6a21\u62df<a 
href=\"https:\/\/csandker.io\/2021\/02\/21\/Offensive-Windows-IPC-2-RPC.html#server-non-impersonation\"><\/a><\/h3>\n\n\n\n<p>\u5192\u5145\u7684\u53e6\u4e00\u9762\u7ecf\u5e38\u88ab\u9057\u6f0f\uff0c\u4f46\u4ece\u653b\u51fb\u8005\u7684\u89d2\u5ea6\u6765\u770b\uff0c\u8fd9\u540c\u6837\u6709\u8da3\u3002<br>\u5728\u672c<a href=\"https:\/\/csandker.io\/2021\/01\/10\/Offensive-Windows-IPC-1-NamedPipes.html#impersonating-a-named-pipe-client\">\u7cfb\u5217\u7684\u7b2c 1 \u90e8\u5206\u4e2d<\/a>\uff0c\u6211\u8be6\u7ec6\u4ecb\u7ecd\u4e86\u6a21\u62df\u5ba2\u6237\u7aef\u65f6\u6d89\u53ca\u7684\u6b65\u9aa4\uff0c\u8fd9\u4e9b\u6b65\u9aa4\u540c\u6837\u9002\u7528\u4e8e RPC \u6a21\u62df\uff08\u4ee5\u53ca\u6240\u6709\u5176\u4ed6\u7c7b\u4f3c\u6280\u672f\uff09\uff0c\u5176\u4e2d\u4ee5\u4e0b\u4e24\u4e2a\u6b65\u9aa4\u7279\u522b\u6709\u8da3\uff1a<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>&gt;&gt;\u6b65\u9aa4 8\uff1a\u7136\u540e\u5c06\u670d\u52a1\u5668\u7684\u7ebf\u7a0b\u4e0a\u4e0b\u6587\u66f4\u6539\u4e3a\u5ba2\u6237\u7aef\u7684\u5b89\u5168\u4e0a\u4e0b\u6587\u3002<br>&gt;&gt; \u6b65\u9aa4 9\uff1a\u670d\u52a1\u5668\u5728\u5ba2\u6237\u7aef\u7684\u5b89\u5168\u4e0a\u4e0b\u6587\u4e2d\u6267\u884c\u7684\u4efb\u4f55\u64cd\u4f5c\u548c\u670d\u52a1\u5668\u8c03\u7528\u7684\u4efb\u4f55\u529f\u80fd\u90fd\u662f\u4f7f\u7528\u5ba2\u6237\u7aef\u7684\u6807\u8bc6\u8fdb\u884c\u7684\uff0c\u4ece\u800c\u6a21\u62df\u5ba2\u6237\u7aef\u3002<br>\u6765\u6e90\uff1a&nbsp;<a href=\"https:\/\/csandker.io\/2021\/01\/10\/Offensive-Windows-IPC-1-NamedPipes.html#impersonating-a-named-pipe-client\">\u5192\u72af\u6027 Windows IPC \u5185\u90e8 1\uff1a 
\u547d\u540d\u7ba1\u9053<\/a><\/p><\/blockquote>\n\n\n\n<p>\u670d\u52a1\u5668\u7684\u7ebf\u7a0b\u4e0a\u4e0b\u6587\u88ab\u66f4\u6539\uff0c\u7136\u540e\u6267\u884c\u7684\u6240\u6709\u64cd\u4f5c\u90fd\u662f\u4f7f\u7528\u5ba2\u6237\u7aef\u7684\u5b89\u5168\u4e0a\u4e0b\u6587\u8fdb\u884c\u7684\u3002\u5728\u4e0a\u9762\u7684\u90e8\u5206\uff08\u4ee5\u53ca\u6211\u7684<a href=\"https:\/\/github.com\/csandker\/InterProcessCommunication-Samples\/blob\/master\/RPC\/CPP-RPC-Client-Server\/RPC-Util\/Command.cpp#L255\">\u793a\u4f8b\u4ee3\u7801<\/a>\u4e2d\uff09\uff0c\u6211\u7528\u5b83\u6765\u83b7\u53d6\u5f53\u524d\u7ebf\u7a0b\u4ee4\u724c\uff0c\u7136\u540e\u5b83\u662f\u5ba2\u6237\u7aef\u7684\u4ee4\u724c\uff0c\u5e76\u5c06\u5176\u8f6c\u6362\u4e3a\u4e3b\u4ee4\u724c\u4ee5\u4f7f\u7528\u8be5\u4ee4\u724c\u542f\u52a8\u65b0\u8fdb\u7a0b\u3002\u6211\u4e5f\u53ef\u4ee5\u76f4\u63a5\u8c03\u7528\u6211\u60f3\u6267\u884c\u7684\u4efb\u4f55\u64cd\u4f5c\uff0c\u56e0\u4e3a\u6211\u5df2\u51c6\u5907\u597d\u5728\u5ba2\u6237\u7aef\u7684\u5b89\u5168\u4e0a\u4e0b\u6587\u4e2d\u64cd\u4f5c\u3002\u6839\u636e\u7ae0\u8282\u6807\u9898\uff0c\u60a8\u73b0\u5728\u53ef\u80fd\u5df2\u7ecf\u731c\u5230\u4e86\u5b83\u7684\u53d1\u5c55\u65b9\u5411&#8230;&#8230;\u5982\u679c\u6a21\u62df\u5931\u8d25\u5e76\u4e14\u670d\u52a1\u5668\u672a\u68c0\u67e5\u8be5\u9519\u8bef\uff0c\u8be5\u600e\u4e48\u529e\uff1f<\/p>\n\n\n\n<p>\u5bf9&nbsp;<a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/api\/rpcdce\/nf-rpcdce-rpcimpersonateclient\">RpcImpersonateClient<\/a>\uff08\u4e3a\u60a8\u6267\u884c\u6240\u6709\u6a21\u62df\u9b54\u672f\u7684 API \u51fd\u6570\uff09\u7684\u8c03\u7528\u5c06\u8fd4\u56de\u6a21\u62df\u64cd\u4f5c\u7684\u72b6\u6001\uff0c\u670d\u52a1\u5668\u5fc5\u987b\u68c0\u67e5\u8fd9\u4e00\u70b9\u3002<br>\u5982\u679c\u6a21\u62df\u6210\u529f\uff0c\u5219\u4e4b\u540e\u60a8\u5c06\u5904\u4e8e\u5ba2\u6237\u7aef\u7684\u5b89\u5168\u4e0a\u4e0b\u6587\u4e2d\uff0c\u4f46\u5982\u679c\u5931\u8d25\uff0c\u5219\u60a8\u5904\u4e8e\u8c03\u7528&nbsp;<a 
href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/api\/rpcdce\/nf-rpcdce-rpcimpersonateclient\">RpcImpersonateClient<\/a>&nbsp;\u7684\u540c\u4e00\u65e7\u5b89\u5168\u4e0a\u4e0b\u6587\u4e2d\u3002<br>\u73b0\u5728\uff0cRPC \u670d\u52a1\u5668\u53ef\u80fd\u4ee5\u5176\u4ed6\u7528\u6237\u8eab\u4efd\u8fd0\u884c\uff08\u901a\u5e38\u4e5f\u5728\u5b89\u5168\u6027\u8f83\u9ad8\u7684\u4e0a\u4e0b\u6587\u4e2d\uff09\uff0c\u5728\u8fd9\u4e9b\u60c5\u51b5\u4e0b\uff0c\u5b83\u53ef\u80fd\u4f1a\u5c1d\u8bd5\u6a21\u62df\u5176\u5ba2\u6237\u7aef\u4ee5\u5728\u8f83\u4f4e\u4e14\u53ef\u80fd\u66f4\u5b89\u5168\u7684\u5ba2\u6237\u7aef\u5b89\u5168\u4e0a\u4e0b\u6587\u4e2d\u8fd0\u884c\u5ba2\u6237\u7aef\u64cd\u4f5c\u3002\u4f5c\u4e3a\u653b\u51fb\u8005\uff0c\u60a8\u53ef\u4ee5\u901a\u8fc7\u5728\u670d\u52a1\u5668\u7aef\u5f3a\u5236\u6267\u884c\u5931\u8d25\u7684\u6a21\u62df\u5c1d\u8bd5\uff0c\u4ece\u800c\u5bfc\u81f4\u670d\u52a1\u5668\u6267\u884c\u5728\u670d\u52a1\u5668\u5b89\u5168\u6027\u8f83\u9ad8\u7684\u4e0a\u4e0b\u6587\u4e2d\u64cd\u4f5c\u7684\u5ba2\u6237\u7aef\uff0c\u4ece\u800c\u5c06\u8fd9\u4e9b\u60c5\u51b5\u7528\u4e8e\u6743\u9650\u63d0\u5347\u653b\u51fb\u5a92\u4ecb\u3002<\/p>\n\n\n\n<p>\u6b64\u653b\u51fb\u573a\u666f\u7684\u914d\u65b9\u5f88\u7b80\u5355\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>\u60a8\u9700\u8981\u4e00\u4e2a\u670d\u52a1\u5668\u6765\u6a21\u62df\u5176\u5ba2\u6237\u7aef\uff0c\u5e76\u4e14\u5728\u6267\u884c\u8fdb\u4e00\u6b65\u64cd\u4f5c\u4e4b\u524d\u4e0d\u4f1a\u4ed4\u7ec6\u68c0\u67e5&nbsp;<a 
href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/api\/rpcdce\/nf-rpcdce-rpcimpersonateclient\">RpcImpersonateClient<\/a>&nbsp;\u7684\u8fd4\u56de\u72b6\u6001\u3002<\/li><li>\u4ece\u5ba2\u6237\u7aef\u7684\u89d2\u5ea6\u6765\u770b\uff0c\u670d\u52a1\u5668\u5728\u6a21\u62df\u5c1d\u8bd5\u540e\u6267\u884c\u7684\u64cd\u4f5c\u5fc5\u987b\u662f\u53ef\u5229\u7528\u7684\u3002<\/li><li>\u60a8\u9700\u8981\u5f3a\u5236\u6a21\u62df\u5c1d\u8bd5\u5931\u8d25\u3002<\/li><\/ul>\n\n\n\n<p>\u5982\u679c\u60a8\u9605\u8bfb\u524d\u9762\u7684\u90e8\u5206\u5e76\u8bb0\u4e0b\u5982\u4f55\u4f7f\u7528&nbsp;<a href=\"https:\/\/docs.microsoft.com\/en-us\/cpp\/build\/reference\/dumpbin-reference?view=msvc-160\">DumpBin<\/a>\uff0c\u5219\u67e5\u627e\u5c1d\u8bd5\u6a21\u62df\u5ba2\u6237\u7aef\u7684\u672c\u5730\u670d\u52a1\u5668\u662f\u4e00\u9879\u7b80\u5355\u7684\u4efb\u52a1\u3002<\/p>\n\n\n\n<p>\u627e\u5230\u4e00\u4e2a\u5728\u201c\u5047\u5b9a\u7684\u6a21\u62df\u201d\u4e0a\u4e0b\u6587\u4e2d\u8fd0\u884c\u64cd\u4f5c\u7684\u670d\u52a1\u5668\uff0c\u53ef\u4ee5\u4ece\u653b\u51fb\u8005\u7684\u89d2\u5ea6\u4f7f\u7528\uff0c\u8fd9\u51e0\u4e4e\u662f\u5bf9\u670d\u52a1\u5668\u529f\u80fd\u7684\u521b\u9020\u6027\u9010\u6848\u5206\u6790\u3002\u5206\u6790\u8fd9\u4e9b\u6848\u4f8b\u7684\u6700\u4f73\u5efa\u8bae\u662f\u8df3\u51fa\u6846\u6846\u601d\u8003\uff0c\u5e76\u53ef\u80fd\u51c6\u5907\u597d\u5c06\u591a\u4e2a\u4e8b\u4ef6\u548c\u64cd\u4f5c\u8054\u7cfb\u8d77\u6765\u3002\u4e00\u4e2a\u76f8\u5f53\u7b80\u5355\u4f46\u529f\u80fd\u5f3a\u5927\u7684\u793a\u4f8b\u53ef\u80fd\u662f\u670d\u52a1\u5668\u6267\u884c\u7684\u6587\u4ef6\u64cd\u4f5c;\u4e5f\u8bb8\u60a8\u53ef\u4ee5\u4f7f\u7528\u8054\u7ed3\u5728\u5199\u4fdd\u62a4\u7cfb\u7edf\u8def\u5f84\u4e2d\u521b\u5efa\u6587\u4ef6\uff0c\u6216\u8005\u60a8\u53ef\u4ee5\u4f7f\u670d\u52a1\u5668\u6253\u5f00\u547d\u540d\u7ba1\u9053\u800c\u4e0d\u662f\u6587\u4ef6\uff0c\u7136\u540e\u4f7f\u7528\u547d\u540d\u7ba1\u9053\u6a21\u62df\u6765\u6a21\u62df\u670d\u52a1\u5668&#8230;<\/p>\n\n\n\n<p>\u6e05\u5355\u
4e0a\u7684\u6700\u540e\u4e00\u4e2a\u662f\u5bfc\u81f4\u670d\u52a1\u5668\u7684\u6a21\u62df\u5c1d\u8bd5\u5931\u8d25\uff0c\u8fd9\u662f\u5de5\u4f5c\u4e2d\u6700\u7b80\u5355\u7684\u90e8\u5206\u3002\u6709\u4e24\u79cd\u65b9\u6cd5\u53ef\u4ee5\u5b9e\u73b0\u6b64\u76ee\u7684\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>\u60a8\u53ef\u4ee5\u4ece\u672a\u7ecf\u8eab\u4efd\u9a8c\u8bc1\u7684\u7ed1\u5b9a\u8fdb\u884c\u8fde\u63a5;\u6216<\/li><li>\u60a8\u53ef\u4ee5\u4ece\u7ecf\u8fc7\u8eab\u4efd\u9a8c\u8bc1\u7684\u7ed1\u5b9a\u8fdb\u884c\u8fde\u63a5\uff0c\u5e76\u5c06 QOS \u7ed3\u6784\u7684\u6a21\u62df\u7ea7\u522b\u8bbe\u7f6e\u4e3a<em>\u5b89\u5168\u533f\u540d<\/em><\/li><\/ul>\n\n\n\n<p>\u6b64\u64cd\u4f5c\u4e2d\u7684\u4efb\u4f55\u4e00\u4e2a\u90fd\u5c06\u5b89\u5168\u5730\u5bfc\u81f4\u6a21\u62df\u5c1d\u8bd5\u5931\u8d25\u3002<br>\u987a\u4fbf\u8bf4\u4e00\u53e5\uff0c\u8fd9\u79cd\u6280\u672f\u5e76\u4e0d\u662f\u4e00\u4ef6\u65b0\u9c9c\u4e8b\uff0c\u5b83\u5e7f\u4e3a\u4eba\u77e5&#8230;&#8230;\u53ea\u662f\u6709\u65f6\u88ab\u9057\u5fd8\u4e86\u3002\u4e5f\u8bb8\u8fd8\u6709\u4e00\u4e2a\u66f4\u82b1\u54e8\u7684\u540d\u5b57\u6765\u5f62\u5bb9\u8fd9\u79cd\u6280\u672f\uff0c\u6211\u8fd8\u6ca1\u6709\u9047\u5230\u8fc7\u3002Microsoft\u751a\u81f3\u5728<a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/api\/rpcdce\/nf-rpcdce-rpcimpersonateclient\">RpcImpersonateClient<\/a>\u51fd\u6570\u7684\u201c\u5907\u6ce8\u201d\u90e8\u5206\u7279\u522b\u63d0\u9192\u60a8\u8fd9\u4e00\u70b9\uff08\u4ed6\u4eec\u751a\u81f3\u7ed9\u4e86\u5b83\u4e00\u4e2a\u7279\u6b8a\u7684\u201cSecurtiy\u5907\u6ce8\u201d\u6807\u9898\uff09\uff1a<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>\u5982\u679c\u5bf9 RpcImpersonateClient 
\u7684\u8c03\u7528\u7531\u4e8e\u4efb\u4f55\u539f\u56e0\u800c\u5931\u8d25\uff0c\u5219\u4e0d\u4f1a\u6a21\u62df\u5ba2\u6237\u7aef\u8fde\u63a5\uff0c\u800c\u662f\u5728\u8fdb\u7a0b\u7684\u5b89\u5168\u4e0a\u4e0b\u6587\u4e2d\u53d1\u51fa\u5ba2\u6237\u7aef\u8bf7\u6c42\u3002\u5982\u679c\u8fdb\u7a0b\u4f5c\u4e3a\u9ad8\u7279\u6743\u5e10\u6237\uff08\u5982 LocalSystem\uff09\u6216\u7ba1\u7406\u7ec4\u7684\u6210\u5458\u8fd0\u884c\uff0c\u5219\u7528\u6237\u53ef\u80fd\u80fd\u591f\u6267\u884c\u5426\u5219\u5c06\u88ab\u7981\u6b62\u6267\u884c\u7684\u64cd\u4f5c\u3002\u56e0\u6b64\uff0c\u91cd\u8981\u7684\u662f\u8981\u59cb\u7ec8\u68c0\u67e5\u8c03\u7528\u7684\u8fd4\u56de\u503c\uff0c\u5982\u679c\u5931\u8d25\uff0c\u5219\u5f15\u53d1\u9519\u8bef;\u4e0d\u8981\u7ee7\u7eed\u6267\u884c\u5ba2\u6237\u7aef\u8bf7\u6c42\u3002<br>\u6765\u6e90\uff1a&nbsp;<a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/api\/rpcdce\/nf-rpcdce-rpcimpersonateclient#security-remarks\">RpcImpersonateClient\uff1a Security \u5907\u6ce8<\/a><\/p><\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"mitm-authenticated-ntlm-connections\">MITM \u8eab\u4efd\u9a8c\u8bc1\u7684 NTLM \u8fde\u63a5<a 
href=\"https:\/\/csandker.io\/2021\/02\/21\/Offensive-Windows-IPC-2-RPC.html#mitm-authenticated-ntlm-connections\"><\/a><\/h3>\n\n\n\n<p>\u6700\u540e\u4e24\u8282\u4ecb\u7ecd\u4e86\u8fd9\u6837\u4e00\u4e2a\u4e8b\u5b9e\uff0c\u5373RPC\u53ef\u4ee5\u7528\u4f5c\u8fdc\u7a0b\u7f51\u7edc\u901a\u4fe1\u6280\u672f\uff0c\u56e0\u6b64\u5728\u7f51\u7edc\u7aef\u4e5f\u5e26\u6709\u4e00\u4e2a\u6709\u8da3\u7684\u653b\u51fb\u9762\u3002<br>\u9644\u6ce8\uff1a\u6211\u6545\u610f\u8fd9\u6837\u8bf4;\u4f60\u6700\u521d\u53ef\u80fd\u662f\u201c\u54ce\u5440\uff0c\u4f60\u8fd8\u6253\u7b97\u4f7f\u7528\u4e00\u79cd\u53eb\u505a\u8fdc\u7a0b\u7a0b\u5e8f\u8c03\u7528\u7684\u6280\u672f\u5417\uff1f\uff01\u201d\u4f46\u4e8b\u5b9e\u4e0a\uff0cRPC\u4e5f\u975e\u5e38\u9002\u5408\u7eaf\u7cb9\u5728\u672c\u5730\u7528\u4f5cALPC\u7684\u5305\u88c5\u5668\uff08\u4e00\u65e6\u6211\u5f04\u6e05\u695a\u4e86ALPC\u7684\u6240\u6709\u5965\u79d8\uff0c\u6211\u5c31\u5728\u672c\u7cfb\u5217\u7684\u7b2c3\u90e8\u5206\u4e2d\u56de\u5230\u8fd9\u4e00\u70b9\uff09\u3002<\/p>\n\n\n\n<p>\u65e0\u8bba\u5982\u4f55\uff0c\u5982\u679c\u60a8\u901a\u8fc7\u7f51\u7edc\u4f7f\u7528 RPC\uff0c\u5e76\u4e14\u5e0c\u671b\u5bf9\u7ed1\u5b9a\u8fdb\u884c\u8eab\u4efd\u9a8c\u8bc1\uff0c\u5219\u9700\u8981\u4e00\u4e2a\u4e3a\u60a8\u8fdb\u884c\u8eab\u4efd\u9a8c\u8bc1\u7684\u7f51\u7edc\u534f\u8bae\u3002\u8fd9\u5c31\u662f\u4e3a\u4ec0\u4e48&nbsp;<a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/api\/rpcdce\/nf-rpcdce-rpcserverregisterauthinfo\">RpcServerRegisterAuthInfo<\/a>&nbsp;\u7684\u7b2c\u4e8c\u4e2a\u53c2\u6570 \uff08<em>AuthnSvc<\/em>\uff09\uff0c\u5b83\u662f\u60a8\u5728\u670d\u52a1\u5668\u7aef\u8c03\u7528\u4ee5\u521b\u5efa\u7ecf\u8fc7\u8eab\u4efd\u9a8c\u8bc1\u7684\u7ed1\u5b9a\u7684 API \u51fd\u6570\uff0c\u8ba9\u60a8\u5b9a\u4e49\u8981\u4f7f\u7528\u7684\u8eab\u4efd\u9a8c\u8bc1\u670d\u52a1\u3002\u4f8b\u5982\uff0c\u60a8\u53ef\u4ee5\u6307\u5b9a Kerberos 
\u7684\u5e38\u91cf\u503c&nbsp;<em>RPC_C_AUTHN_GSS_KERBEROS<\/em>\uff0c\u4e5f\u53ef\u4ee5\u6307\u5b9a<em>RPC_C_AUTHN_DEFAULT<\/em>\u4f7f\u7528\u9ed8\u8ba4\u8eab\u4efd\u9a8c\u8bc1\u670d\u52a1\uff0c\u6709\u8da3\u7684\u662f\uff0cNTLM \uff08<em>RPC_C_AUTHN_WINNT<\/em>\uff09\u3002<br>\u81ea Windows 2000 \u4ee5\u6765\uff0cKerberos \u88ab\u8bbe\u7f6e\u4e3a\u9ed8\u8ba4\u8eab\u4efd\u9a8c\u8bc1\u65b9\u6848\uff0c\u4f46 RPC \u4ecd\u9ed8\u8ba4\u4e3a NTLM\u3002<\/p>\n\n\n\n<p>\u56e0\u6b64\uff0c\u5982\u679c\u60a8\u5728\u7f51\u7edc\u4e0a\u5904\u4e8e\u5408\u9002\u7684\u4f4d\u7f6e\uff0c\u5e76\u4e14\u770b\u5230NTLM\u8fde\u63a5\u901a\u8fc7\uff0c\u5219\u53ef\u4ee5\u6267\u884c\u4e24\u4ef6\u6709\u8da3\u7684\u4e8b\u60c5\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>\u60a8\u53ef\u4ee5\u4ece\u7f51\u7edc\u4e0a\u83b7\u53d6NTLM\uff08v2\uff09\u8d28\u8be2\u54cd\u5e94\u54c8\u5e0c\u503c\uff0c\u7136\u540e\u79bb\u7ebf\u66b4\u529b\u7834\u89e3\u7528\u6237\u7684\u5bc6\u7801;\u548c\/\u6216<\/li><li>\u60a8\u53ef\u4ee5\u622a\u83b7\u5e76\u4e2d\u7ee7 NTLM \u8fde\u63a5\uff0c\u4ee5\u8bbf\u95ee\u53e6\u4e00\u4e2a\u7cfb\u7edf\u3002<\/li><\/ul>\n\n\n\n<p>\u6211\u4e0d\u60f3\u6df1\u5165\u63a2\u8ba8\u8fd9\u4e24\u4e2a\u4e3b\u9898\uff08\u5982\u679c\u4f60\u76f4\u5230\u8fd9\u91cc\uff0c\u4f60\u80af\u5b9a\u5df2\u7ecf\u8bfb\u591f\u4e86\uff09\uff0c\u6240\u4ee5\u6211\u5728\u8fd9\u91cc\u53ea\u8865\u5145\u4e24\u70b9\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>NTLM\uff08v2\uff09 \u6311\u6218\u66b4\u529b\u7834\u89e3\u662f\u4f17\u6240\u5468\u77e5\u7684\uff0c \u6240\u4ee5\u4f60\u4e0d\u5e94\u8be5\u6709\u9ebb\u70e6\u627e\u5230\u5982\u4f55\u505a\u5230\u8fd9\u4e00\u70b9\u3002\u4f8b\u5982\uff0c\u8bf7\u67e5\u770b&nbsp;<a href=\"https:\/\/hashcat.net\/wiki\/doku.php?id=example_hashes\">https:\/\/hashcat.net\/wiki\/doku.php?id=example_hashes<\/a>&nbsp;\u4e0a\u7684\u54c8\u5e0c\u732b\u6a21\u5f0f5600\u3002<\/li><li>NTLM Relay\u88ab\u4f1f\u5927\u7684<a href=\"https:\/\/twitter.com\/HackAndDo\">Pixis<\/a>\u5728&nbsp;<a 
href=\"https:\/\/en.hackndo.com\/ntlm-relay\/\">https:\/\/en.hackndo.com\/ntlm-relay\/<\/a>. Depending on the protocol in use there are a few things to watch out for, so be sure to check out that post if you are interested.<\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"mitm-authenticated-gss_negotiate-connections\">MITM authenticated GSS_NEGOTIATE connections<a href=\"https:\/\/csandker.io\/2021\/02\/21\/Offensive-Windows-IPC-2-RPC.html#mitm-authenticated-gss_negotiate-connections\"><\/a><\/h3>\n\n\n\n<p>Last but not least...<br>Besides the NTLM-based network authentication scheme, which you get if you choose <em>RPC_C_AUTHN_WINNT<\/em> or <em>RPC_C_AUTHN_DEFAULT<\/em> as the authentication service in your&nbsp;<a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/api\/rpcdce\/nf-rpcdce-rpcserverregisterauthinfo\">RpcServerRegisterAuthInfo<\/a>&nbsp;call, the frequently used <em>RPC_C_AUTHN_GSS_NEGOTIATE<\/em> constant is also an interesting target.<br>If <em>RPC_C_AUTHN_GSS_NEGOTIATE<\/em> is chosen,&nbsp;<a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/secauthn\/microsoft-negotiate\">Microsoft's Negotiate SSP<\/a>&nbsp;is used to instruct client and server to negotiate between themselves whether NTLM or Kerberos should be used to authenticate the user. By default, if client and server support this negotiation, it always results in 
Kerberos.<\/p>\n\n\n\n<p>This negotiation can be attacked from an intercepting network position to force the use of NTLM over Kerberos, effectively downgrading the authentication scheme. Note that this attack requires a suitable network position and the absence of signing. I will not go into this in depth at this point, mainly because I have already described the process and the attack in detail in an older post here: <a href=\"https:\/\/csandker.io\/2018\/04\/04\/SPNEGODown.html\">Downgrading SPNEGO authentication<\/a>.<\/p>\n\n\n\n<p>As a side note, the authentication service constants mentioned here can be found at: <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/rpc\/authentication-service-constants\">https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/rpc\/authentication-service-constants<\/a>.<\/p>\n\n\n\n<p>That's it... You made it!<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"references\">References<a href=\"https:\/\/csandker.io\/2021\/02\/21\/Offensive-Windows-IPC-2-RPC.html#references\"><\/a><\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li>Microsoft's RPC documentation: <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/rpc\/overviews\">https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/rpc\/overviews<\/a><\/li><li><a href=\"https:\/\/twitter.com\/jsecurity101\">Jonathan Johnson's<\/a> review of RPC: <a 
href=\"https:\/\/ipc-research.readthedocs.io\/en\/latest\/subpages\/RPC.html\">https:\/\/ipc-research.readthedocs.io\/en\/latest\/subpages\/RPC.html<\/a><\/li><li><a href=\"https:\/\/twitter.com\/_xpn_\">Adam Chester's<\/a> review of RPC: <a href=\"https:\/\/blog.xpnsec.com\/analysing-rpc-with-ghidra-neo4j\/\">https:\/\/blog.xpnsec.com\/analysing-rpc-with-ghidra-neo4j\/<\/a><\/li><li>A CodeProject article on how to get started with RPC programming: <a href=\"https:\/\/www.codeproject.com\/Articles\/4837\/Introduction-to-RPC-Part-1#Implicitandexplicithandles17\">https:\/\/www.codeproject.com\/Articles\/4837\/Introduction-to-RPC-Part-1#Implicitandexplicithandles17<\/a><\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Original article link: https:\/\/csandker.io\/2021\/02\/21\/Offensive-Windows- [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[43],"tags":[],"class_list":["post-179","post","type-post","status-publish","format-standard","hentry","category-infoarticle"],"views":2024,"jetpack_sharing_enabled":true,"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/www.aqwu.net\/wp\/index.php?rest_route=\/wp\/v2\/posts\/179","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.aqwu.net\/wp\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.aqwu.net\/wp\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.aqwu.net\/wp\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.aqwu.net\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=179"}],"version-history":[{"count":1,"href":"https:\/\/www.aqwu.net\/wp\/index.php?rest_route=\/wp\/v2\/posts\/179\/revisions"}],"predecessor-version":[{"id":180,"href":"https:\/\/www.aqwu.net\/wp\/index.php?rest_route=\/wp\/v2\/posts\/179\/revisions\/180"}],"wp:attachment":[{"href":"https:\/\/www.aqwu.net\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=179"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.aqwu.net\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=179"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.aqwu.net\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=179"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}