Added GetAlpcServer to query server from an ALPC port.

Author: tyranid

NtApiDotNet/Win32/Rpc/Transport/RpcAlpcClientTransport.cs

@@ -49,11 +49,11 @@ private static AlpcPortAttributes CreatePortAttributes(SecurityQualityOfService
             };
         }
 
-        private static NtAlpcClient ConnectPort(string path, SecurityQualityOfService sqos)
+        private static NtAlpcClient ConnectPort(string path, SecurityQualityOfService sqos, NtWaitTimeout timeout)
         {
             AlpcReceiveMessageAttributes in_attr = new AlpcReceiveMessageAttributes();
             return NtAlpcClient.Connect(path, null,
-                CreatePortAttributes(sqos), AlpcMessageFlags.SyncRequest, null, null, null, in_attr, NtWaitTimeout.FromSeconds(5));
+                CreatePortAttributes(sqos), AlpcMessageFlags.SyncRequest, null, null, null, in_attr, timeout);
         }
 
         private static void CheckForFault(SafeHGlobalBuffer buffer, LRPC_MESSAGE_TYPE message_type)
@@ -229,22 +229,39 @@ private RpcClientResponse SendAndReceiveImmediate(int proc_num, Guid objuuid, by
         /// </summary>
         /// <param name="path">The path to connect. The format depends on the transport.</param>
         /// <param name="security_quality_of_service">The security quality of service for the connection.</param>
-        public RpcAlpcClientTransport(string path, SecurityQualityOfService security_quality_of_service)
+        public RpcAlpcClientTransport(string path, SecurityQualityOfService security_quality_of_service) 
+            : this(path, security_quality_of_service, NtWaitTimeout.FromSeconds(5))
+        {
+        }
+
+        /// <summary>
+        /// Constructor.
+        /// </summary>
+        /// <param name="path">The path to connect. The format depends on the transport.</param>
+        /// <param name="security_quality_of_service">The security quality of service for the connection.</param>
+        /// <param name="timeout">Timeout for connection.</param>
+        public RpcAlpcClientTransport(string path, SecurityQualityOfService security_quality_of_service, NtWaitTimeout timeout)
         {
             if (string.IsNullOrEmpty(path))
             {
                 throw new ArgumentException("Must specify a path to connect to");
             }
 
+            if (timeout is null)
+            {
+                throw new ArgumentNullException(nameof(timeout));
+            }
+
             if (!path.StartsWith(@"\"))
             {
                 path = $@"\RPC Control\{path}";
             }
 
-            _client = ConnectPort(path, security_quality_of_service);
+            _client = ConnectPort(path, security_quality_of_service, timeout);
             _sqos = security_quality_of_service;
             Endpoint = path;
         }
+
         #endregion
 
         #region Public Methods

NtApiDotNet/Win32/RpcAlpcServer.cs

@@ -12,6 +12,7 @@
 //  See the License for the specific language governing permissions and
 //  limitations under the License.
 
+using NtApiDotNet.Win32.Rpc.Transport;
 using System;
 using System.Collections.Generic;
 using System.Linq;
@@ -34,7 +35,7 @@ public class RpcAlpcServer
         /// <summary>
         /// List of known endpoints potentially accessible via this RPC server.
         /// </summary>
-        public IEnumerable<RpcEndpoint> Endpoints { get; }
+        public IReadOnlyCollection<RpcEndpoint> Endpoints { get; }
         /// <summary>
         /// The number of endpoints.
         /// </summary>
@@ -48,65 +49,93 @@ public class RpcAlpcServer
         /// </summary>
         public SecurityDescriptor SecurityDescriptor { get; }
 
-        private RpcAlpcServer(NtHandle handle, List<RpcEndpoint> endpoints)
+        private RpcAlpcServer(int process_id, string name, SecurityDescriptor sd, string process_name, IEnumerable<RpcEndpoint> endpoints)
+        {
+            ProcessId = process_id;
+            ProcessName = process_name;
+            Name = name;
+            SecurityDescriptor = sd;
+            Endpoints = new List<RpcEndpoint>(endpoints).AsReadOnly();
+            EndpointCount = Endpoints.Count;
+        }
+
+        private RpcAlpcServer(NtHandle handle, string process_name, IEnumerable<RpcEndpoint> endpoints) 
+            : this(handle.ProcessId, handle.Name, handle.SecurityDescriptor, process_name, endpoints)
         {
-            ProcessId = handle.ProcessId;
-            using (var proc = NtProcess.Open(handle.ProcessId, ProcessAccessRights.QueryLimitedInformation, false))
-            {
-                if (proc.IsSuccess)
-                {
-                    ProcessName = proc.Result.Name;
-                }
-                else
-                {
-                    ProcessName = string.Empty;
-                }
-            }
-            Name = handle.Name;
-            SecurityDescriptor = handle.SecurityDescriptor;
-            Endpoints = endpoints.AsReadOnly();
-            EndpointCount = endpoints.Count;
         }
 
         /// <summary>
         /// Get RPC ALPC servers for a specific process.
         /// </summary>
         /// <param name="process_id">The ID of the process.</param>
         /// <returns>The list of RPC ALPC servers.</returns>
+        /// <remarks>If the process is suspended or frozen this call can hang.</remarks>
         public static IEnumerable<RpcAlpcServer> GetAlpcServers(int process_id)
         {
-            return GetAlpcServersInternal(NtSystemInfo.GetHandles(process_id, true)).ToCached();
+            using (var proc = NtProcess.Open(process_id, ProcessAccessRights.QueryInformation | ProcessAccessRights.DupHandle))
+            {
+                List<RpcAlpcServer> ret = new List<RpcAlpcServer>();
+                GetAlpcServersInternal(proc.Duplicate(), NtObjectUtils.IsWindows7OrLess ? NtSystemInfo.GetHandles(process_id, true) :
+                    proc.GetHandles(true), ret);
+                if (ret.Count == 0)
+                    Win32Error.RPC_S_SERVER_UNAVAILABLE.ToNtException();
+                return ret.AsReadOnly();
+            }
         }
 
         /// <summary>
         /// Get a list of all RPC ALPC servers.
         /// </summary>
-        /// <remarks>This works by discovering any server ALPC ports owned by the process and querying for interfaces.</remarks>
+        /// <remarks>This works by discovering any server ALPC ports owned by the process and querying for interfaces.
+        /// This will ignore any frozen processes (primarily UWP) as they can't respond to the endpoint enumeration.</remarks>
         /// <returns>The list of RPC ALPC servers.</returns>
         public static IEnumerable<RpcAlpcServer> GetAlpcServers()
         {
-            return GetAlpcServersInternal(NtSystemInfo.GetHandles()).ToCached();
+            List<RpcAlpcServer> ret = new List<RpcAlpcServer>();
+
+            foreach (var group in NtSystemInfo.GetHandles().GroupBy(h => h.ProcessId))
+            {
+                using (var proc = NtProcess.Open(group.Key,
+                    ProcessAccessRights.QueryLimitedInformation | ProcessAccessRights.DupHandle, false))
+                {
+                    if (!proc.IsSuccess)
+                        continue;
+                    if (proc.Result.Frozen)
+                        continue;
+                    GetAlpcServersInternal(proc.Result, group, ret);
+                }
+            }
+            return ret.AsReadOnly();
+        }
+
+        /// <summary>
+        /// Get the RPC ALPC server for an ALPC port object path.
+        /// </summary>
+        /// <param name="path">The object manager path to the ALPC port.</param>
+        /// <returns>The ALPC RPC server.</returns>
+        /// <remarks>Needs an API which is only available from Windows 10 19H1.</remarks>
+        [SupportedVersion(SupportedVersion.Windows10_19H1)]
+        public static RpcAlpcServer GetAlpcServer(string path)
+        {
+            using (var transport = new RpcAlpcClientTransport(path, null))
+            {
+                var server = transport.ServerProcess;
+                return new RpcAlpcServer(server.ProcessId, path, null, server.Name,
+                    RpcEndpointMapper.QueryEndpointsForAlpcPort(path));
+            }
         }
 
-        private static IEnumerable<RpcAlpcServer> GetAlpcServersInternal(IEnumerable<NtHandle> handles)
+        private static void GetAlpcServersInternal(NtProcess process, IEnumerable<NtHandle> handles, List<RpcAlpcServer> servers)
         {
             NtType alpc_type = NtType.GetTypeByType<NtAlpc>();
-            
+            string process_name = process.Name;
             foreach (var handle in handles.Where(h => h.NtType == alpc_type
-                && h.Name.StartsWith(@"\RPC Control\", StringComparison.OrdinalIgnoreCase)))
+                && h.Name.IndexOf(@"\RPC Control\", StringComparison.OrdinalIgnoreCase) >= 0))
             {
-                List<RpcEndpoint> endpoints = new List<RpcEndpoint>();
-                try
-                {
-                    endpoints.AddRange(RpcEndpointMapper.QueryEndpointsForAlpcPort(handle.Name));
-                }
-                catch (SafeWin32Exception)
-                {
-                }
-
-                if (endpoints.Count > 0)
+                var eps = RpcEndpointMapper.QueryEndpointsForAlpcPort(handle.Name, false);
+                if (eps.IsSuccess)
                 {
-                    yield return new RpcAlpcServer(handle, endpoints);
+                    servers.Add(new RpcAlpcServer(handle, process_name, eps.Result));
                 }
             }
         }

NtApiDotNet/Win32/RpcEndpointMapper.cs

@@ -118,24 +118,25 @@ private static RpcEndpoint CreateEndpoint(SafeRpcBindingHandle binding_handle, R
 
         private const string RPC_CONTROL_PATH = @"\RPC Control\";
 
-        private static IEnumerable<RpcEndpoint> QueryEndpointsForBinding(SafeRpcBindingHandle binding_handle)
+        private static NtResult<RpcEndpoint[]> QueryEndpointsForBinding(SafeRpcBindingHandle binding_handle, bool throw_on_error)
         {
             using (binding_handle)
             {
-                int status = Win32NativeMethods.RpcMgmtInqIfIds(binding_handle, out SafeRpcIfIdVectorHandle if_id_vector);
+                Win32Error status = Win32NativeMethods.RpcMgmtInqIfIds(binding_handle, out SafeRpcIfIdVectorHandle if_id_vector);
                 // If the RPC server doesn't exist return an empty list.
-                if (status == 1722)
+                if (status == Win32Error.RPC_S_SERVER_UNAVAILABLE)
                 {
-                    return new RpcEndpoint[0];
+                    return new RpcEndpoint[0].CreateResult();
                 }
-                if (status != 0)
+                if (status != Win32Error.SUCCESS)
                 {
-                    throw new SafeWin32Exception(status);
+                    return status.CreateResultFromDosError<RpcEndpoint[]>(throw_on_error);
                 }
 
                 using (if_id_vector)
                 {
-                    return if_id_vector.GetIfIds().Select(if_id => CreateEndpoint(binding_handle, if_id)).ToArray();
+                    return if_id_vector.GetIfIds().Select(if_id => 
+                        CreateEndpoint(binding_handle, if_id)).ToArray().CreateResult();
                 }
             }
         }
@@ -280,15 +281,38 @@ public static IEnumerable<RpcEndpoint> QueryAlpcEndpoints(NdrRpcServerInterface
         /// Query for endpoints for a RPC binding. 
         /// </summary>
         /// <param name="alpc_port">The ALPC port to query. Can be a full path as long as it contains \RPC Control\ somewhere.</param>
+        /// <param name="throw_on_error">True to throw on error.</param>
         /// <returns>The list of endpoints on the RPC binding.</returns>
-        public static IEnumerable<RpcEndpoint> QueryEndpointsForAlpcPort(string alpc_port)
+        public static NtResult<IEnumerable<RpcEndpoint>> QueryEndpointsForAlpcPort(string alpc_port, bool throw_on_error)
         {
             int index = alpc_port.IndexOf(@"\RPC Control\", StringComparison.OrdinalIgnoreCase);
             if (index >= 0)
             {
                 alpc_port = alpc_port.Substring(0, index) + RPC_CONTROL_PATH + alpc_port.Substring(index + RPC_CONTROL_PATH.Length);
             }
-            return QueryEndpointsForBinding(SafeRpcBindingHandle.Create(null, "ncalrpc", null, alpc_port, null));
+            return QueryEndpointsForBinding(SafeRpcBindingHandle.Create(null, "ncalrpc", 
+                null, alpc_port, null), throw_on_error).Cast<IEnumerable<RpcEndpoint>>();
+        }
+
+        /// <summary>
+        /// Query for endpoints for a RPC binding. 
+        /// </summary>
+        /// <param name="alpc_port">The ALPC port to query. Can be a full path as long as it contains \RPC Control\ somewhere.</param>
+        /// <returns>The list of endpoints on the RPC binding.</returns>
+        public static IEnumerable<RpcEndpoint> QueryEndpointsForAlpcPort(string alpc_port)
+        {
+            return QueryEndpointsForAlpcPort(alpc_port, true).Result;
+        }
+
+        /// <summary>
+        /// Query for endpoints for a RPC binding. 
+        /// </summary>
+        /// <param name="string_binding">The RPC binding to query, e.g. ncalrpc:[PORT]</param>
+        /// <param name="throw_on_error">True to throw on error.</param>
+        /// <returns>The list of endpoints on the RPC binding.</returns>
+        public static NtResult<IEnumerable<RpcEndpoint>> QueryEndpointsForBinding(string string_binding, bool throw_on_error)
+        {
+            return QueryEndpointsForBinding(SafeRpcBindingHandle.Create(string_binding), throw_on_error).Cast<IEnumerable<RpcEndpoint>>();
         }
 
         /// <summary>
@@ -298,7 +322,7 @@ public static IEnumerable<RpcEndpoint> QueryEndpointsForAlpcPort(string alpc_por
         /// <returns>The list of endpoints on the RPC binding.</returns>
         public static IEnumerable<RpcEndpoint> QueryEndpointsForBinding(string string_binding)
         {
-            return QueryEndpointsForBinding(SafeRpcBindingHandle.Create(string_binding));
+            return QueryEndpointsForBinding(string_binding, true).Result;
         }
 
         /// <summary>

NtApiDotNet/Win32/Win32NativeMethods.cs

@@ -623,7 +623,7 @@ ref IntPtr InquiryContext
         );
 
         [DllImport("rpcrt4.dll", CharSet = CharSet.Unicode)]
-        internal static extern int RpcMgmtInqIfIds(
+        internal static extern Win32Error RpcMgmtInqIfIds(
             SafeRpcBindingHandle Binding,
             out SafeRpcIfIdVectorHandle IfIdVector
         );

NtObjectManager/Formatters.ps1xml

@@ -5554,5 +5554,49 @@
         </TableRowEntries>
       </TableControl>
     </View>
+    <View>
+      <Name>RpcAlpcServer</Name>
+      <ViewSelectedBy>
+        <TypeName>NtApiDotNet.Win32.RpcAlpcServer</TypeName>
+      </ViewSelectedBy>
+      <TableControl>
+        <TableHeaders>
+          <TableColumnHeader>
+            <Label>PID</Label>
+            <Alignment>left</Alignment>
+          </TableColumnHeader>
+          <TableColumnHeader>
+            <Label>ProcessName</Label>
+            <Alignment>left</Alignment>
+          </TableColumnHeader>
+          <TableColumnHeader>
+            <Label>Endpoints</Label>
+            <Alignment>left</Alignment>
+          </TableColumnHeader>
+          <TableColumnHeader>
+            <Label>Name</Label>
+            <Alignment>left</Alignment>
+          </TableColumnHeader>
+        </TableHeaders>
+        <TableRowEntries>
+          <TableRowEntry>
+            <TableColumnItems>
+              <TableColumnItem>
+                <PropertyName>ProcessId</PropertyName>
+              </TableColumnItem>
+              <TableColumnItem>
+                <PropertyName>ProcessName</PropertyName>
+              </TableColumnItem>
+              <TableColumnItem>
+                <PropertyName>EndpointCount</PropertyName>
+              </TableColumnItem>
+              <TableColumnItem>
+                <PropertyName>Name</PropertyName>
+              </TableColumnItem>
+            </TableColumnItems>
+          </TableRowEntry>
+        </TableRowEntries>
+      </TableControl>
+    </View>
   </ViewDefinitions>
 </Configuration>

NtObjectManager/RpcFunctions.ps1

@@ -415,6 +415,8 @@ Gets a list of ALPC RPC servers.
 This cmdlet gets a list of ALPC RPC servers. This relies on being able to access the list of ALPC ports in side a process so might need elevated privileges.
 .PARAMETER ProcessId
 The ID of a process to query for ALPC servers.
+.PARAMETER AlpcPort
+The path to the ALPC port to query.
 .INPUTS
 None
 .OUTPUTS
@@ -425,12 +427,17 @@ Get all ALPC RPC servers.
 .EXAMPLE
 Get-RpcAlpcServer -ProcessId 1234
 Get all ALPC RPC servers in process ID 1234.
+.EXAMPLE
+Get-RpcAlpcServer -AlpcPort srvsvc
+Get the ALPC RPC servers for the srvsvc ALPC port. Needs Windows 10 19H1 and above to work.
 #>
 function Get-RpcAlpcServer {
     [CmdletBinding(DefaultParameterSetName = "All")]
     Param(
         [parameter(Mandatory, Position = 0, ParameterSetName = "FromProcessId")]
-        [int]$ProcessId
+        [int]$ProcessId,
+        [parameter(Mandatory, ParameterSetName = "FromAlpc")]
+        [string]$AlpcPort
     )
 
     Set-NtTokenPrivilege SeDebugPrivilege | Out-Null
@@ -441,6 +448,9 @@ function Get-RpcAlpcServer {
         "FromProcessId" {
             [NtApiDotNet.Win32.RpcAlpcServer]::GetAlpcServers($ProcessId)
         }
+        "FromAlpc" {
+            [NtApiDotNet.Win32.RpcAlpcServer]::GetAlpcServer($AlpcPort)
+        }
     }
 }