• How to find destination PID / TID for an rpc call with only user mo

    From xiaopotianhuang@gmail.com@21:1/5 to All on Thu Apr 11 19:38:58 2019
    Hello, this URL cannot be found. Can you tell me how to find the destination PID and TID? Thanks!

    "I found this blog which explained how to do this: http://blogs.technet.com/marcelofartura/archive/2007/07/13/how-to-identify-the-process-and-thread-being-called-in-a-com-call-from-a-thread-stack.aspx"

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From xiaopotianhuang@gmail.com@21:1/5 to All on Thu Apr 11 19:47:21 2019
    On Friday, April 12, 2019 at 10:38:59 AM UTC+8, xiaopot...@gmail.com wrote:
    Hello, this URL cannot be found. Can you tell me how to find the destination PID and TID? Thanks!

    "I found this blog which explained how to do this: http://blogs.technet.com/marcelofartura/archive/2007/07/13/how-to-identify-the-process-and-thread-being-called-in-a-com-call-from-a-thread-stack.aspx"

    Test: these are not the PID & TID:
    Evaluate expression: 298812044 = 11cf828c
    Evaluate expression: 298812044 = 11cf828c
    Evaluate expression: 298812044 = 11cf828c
    Evaluate expression: 0 = 00000000
    Evaluate expression: 0 = 00000000
    Evaluate expression: 1155524051 = 44dfe5d3
    Evaluate expression: 298899562 = 11d0d86a
    Evaluate expression: 298899562 = 11d0d86a
    Evaluate expression: 0 = 00000000
    Evaluate expression: 298812044 = 11cf828c
    Evaluate expression: 298812044 = 11cf828c
    Evaluate expression: 0 = 00000000

  • From xiaopotianhuang@gmail.com@21:1/5 to All on Thu Apr 11 20:16:42 2019
    On Friday, April 12, 2019 at 10:47:23 AM UTC+8, xiaopot...@gmail.com wrote:
    On Friday, April 12, 2019 at 10:38:59 AM UTC+8, xiaopot...@gmail.com wrote:
    Hello, this URL cannot be found. Can you tell me how to find the destination PID and TID? Thanks!

    "I found this blog which explained how to do this: http://blogs.technet.com/marcelofartura/archive/2007/07/13/how-to-identify-the-process-and-thread-being-called-in-a-com-call-from-a-thread-stack.aspx"

    Test: these are not the PID & TID:
    Evaluate expression: 298812044 = 11cf828c
    Evaluate expression: 298812044 = 11cf828c
    Evaluate expression: 298812044 = 11cf828c
    Evaluate expression: 0 = 00000000
    Evaluate expression: 0 = 00000000
    Evaluate expression: 1155524051 = 44dfe5d3
    Evaluate expression: 298899562 = 11d0d86a
    Evaluate expression: 298899562 = 11d0d86a
    Evaluate expression: 0 = 00000000
    Evaluate expression: 298812044 = 11cf828c
    Evaluate expression: 298812044 = 11cf828c
    Evaluate expression: 0 = 00000000
    --------------------------------------
    test:
    0:000> dt CRpcChannelBuffer 00568030
    ole32!CRpcChannelBuffer
    +0x000 lpVtbl : 0x76bd7c08 IRpcChannelBufferVtbl
    +0x004 lpVtbl : 0x76bb92c0 IRpcChannelBufferVtbl
    +0x008 _cRefs : 4
    +0x00c state : 2
    +0x010 _pRpcDefault : (null)
    +0x014 _pRpcCustom : 0x0054e810 CChannelHandle
    +0x018 _pOXIDEntry : 0x00559e68 OXIDEntry
    +0x01c _pIPIDEntry : 0x0055b0e8 tagIPIDEntry
    +0x020 _pInterfaceInfo : 0x00554780 Void
    +0x024 _pStdId : 0x00568590 CStdIdentity
    +0x028 _destObj : CDestObject
    0:000> dt OXIDEntry 0x00559e68
    ole32!OXIDEntry
    +0x000 _pNext : 0x76cc68f8 OXIDEntry
    +0x004 _pPrev : 0x00559de8 OXIDEntry
    +0x008 _dwPid : 0x3e0
    +0x00c _dwTid : 0
    +0x010 _moxid : _GUID {629ccdea-5f91-1bc2-1fd7-85b418005454}
    +0x020 _mid : 0x54540018`b485d71f
    +0x028 _ipidRundown : _GUID {0000d800-03e0-0000-8ea9-5038c3148d7c}
    +0x038 _dwFlags : 0x42
    +0x03c _hServerSTA : (null)
    +0x040 _pParentApt : (null)
    +0x044 _pRpc : 0x0054e630 CChannelHandle
    +0x048 _pAuthId : (null)
    +0x04c _pBinding : 0x00522998 tagDUALSTRINGARRAY
    +0x050 _dwAuthnHint : 4
    +0x054 _dwAuthnSvc : 0xffffffff
    +0x058 _pMIDEntry : 0x00559c40 MIDEntry
    +0x05c _pRUSTA : 0x00563dac IRemUnknown
    +0x060 _cRefs : 0n3
    +0x064 _hComplete : (null)
    +0x068 _cCalls : 0n0
    +0x06c _cResolverRef : 0n7
    +0x070 _dwExpiredTime : 0
    +0x074 _version : tagCOMVERSION
    +0x078 _ulMarshaledTargetInfoLength : 0
    +0x07c _pMarshaledTargetInfo : (null)
    =76cc7128 OXIDEntry::_palloc : CPageAllocator
    0:000> ? 0x3e0
    Evaluate expression: 992 = 000003e0
    0:000> dd esp
    002feb24 76bb9d01 00568030 002fec30 002fec18

    Now 992 ---> svchost /k netsvcs.exe

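    One way to automate what the dump above shows (reading _dwPid/_dwTid out of a `dt ole32!OXIDEntry` listing and turning 0x3e0 into 992), as an added Python example that is not code from the thread: it parses the WinDbg `dt` member lines, decodes the number formats WinDbg prints (0x hex with backtick-split 64-bit values, 0n decimal, bare small values, (null)), and cross-checks the result against the PID/TID words that the posted IPID carries in its second and third GUID groups. The sample text is the dump from the post, embedded inline so the script runs offline; the IPID layout used for the cross-check is an assumption that is consistent with that dump (03e0/0000 match _dwPid/_dwTid), not something the thread states.

```python
"""Pull the destination PID/TID out of a WinDbg `dt ole32!OXIDEntry` dump.

Added example (not code from the thread): the sample below is the
`dt OXIDEntry 0x00559e68` output posted above, embedded inline so the
script runs offline. Field names _dwPid/_dwTid/_ipidRundown are the ones
shown in that dump.
"""
import re

# Sample input, copied from the dump posted in the thread (constructed fixture).
SAMPLE_DT_OUTPUT = """\
0:000> dt OXIDEntry 0x00559e68
ole32!OXIDEntry
   +0x000 _pNext : 0x76cc68f8 OXIDEntry
   +0x004 _pPrev : 0x00559de8 OXIDEntry
   +0x008 _dwPid : 0x3e0
   +0x00c _dwTid : 0
   +0x010 _moxid : _GUID {629ccdea-5f91-1bc2-1fd7-85b418005454}
   +0x020 _mid : 0x54540018`b485d71f
   +0x028 _ipidRundown : _GUID {0000d800-03e0-0000-8ea9-5038c3148d7c}
   +0x038 _dwFlags : 0x42
   +0x03c _hServerSTA : (null)
   +0x060 _cRefs : 0n3
"""

# One `dt` member line: "+0xOFFSET name : value"
FIELD_RE = re.compile(r"^\s*\+0x([0-9a-fA-F]+)\s+(\w+)\s*:\s*(.*?)\s*$")
GUID_RE = re.compile(
    r"\{([0-9a-fA-F]{8})-([0-9a-fA-F]{4})-([0-9a-fA-F]{4})-"
    r"([0-9a-fA-F]{4})-([0-9a-fA-F]{12})\}"
)


def parse_dt(text):
    """Map each member name to (byte offset, raw value text)."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(2)] = (int(m.group(1), 16), m.group(3))
    return fields


def parse_windbg_number(raw):
    """Decode a scalar the way WinDbg prints it in `dt` output.

    0x...  hex (a backtick may split 64-bit values), 0n... decimal,
    (null) a null pointer, and a bare digit string is a small value
    printed without a prefix (the same in hex and decimal for 0-9).
    A trailing type name ("0x76cc68f8 OXIDEntry") is ignored.
    """
    token = raw.strip().split()[0] if raw.strip() else ""
    if token == "(null)":
        return 0
    if token.startswith("0n"):
        return int(token[2:], 10)
    if token.startswith("0x"):
        return int(token[2:].replace("`", ""), 16)
    return int(token, 16)


def ipid_pid_tid(raw_guid):
    """Read the PID/TID words embedded in an IPID.

    Assumption (consistent with the dump above, where 03e0/0000 match
    _dwPid/_dwTid): the IPID's second and third GUID groups hold the
    low 16 bits of the owning process id and apartment thread id.
    """
    m = GUID_RE.search(raw_guid)
    if not m:
        raise ValueError("not a GUID: %r" % raw_guid)
    return int(m.group(2), 16), int(m.group(3), 16)


def destination_pid_tid(dt_text):
    """Return (pid, tid, consistent) for one OXIDEntry dump.

    `consistent` is False when the IPID-embedded words disagree with
    _dwPid/_dwTid, a sign that the address given to dt was not really an
    OXIDEntry or that the ole32 symbols do not match the loaded binary.
    """
    fields = parse_dt(dt_text)
    pid = parse_windbg_number(fields["_dwPid"][1])
    tid = parse_windbg_number(fields["_dwTid"][1])
    consistent = True
    if "_ipidRundown" in fields:
        ipid_pid, ipid_tid = ipid_pid_tid(fields["_ipidRundown"][1])
        consistent = (ipid_pid == (pid & 0xFFFF)) and (ipid_tid == (tid & 0xFFFF))
    return pid, tid, consistent


if __name__ == "__main__":
    pid, tid, ok = destination_pid_tid(SAMPLE_DT_OUTPUT)
    print("destination PID %d (0x%x), TID %d, IPID cross-check %s"
          % (pid, pid, tid, "ok" if ok else "MISMATCH"))
```

    Paste the output of `dt OXIDEntry <address>` (the address is the `_pOXIDEntry` member from the `dt CRpcChannelBuffer` listing) into SAMPLE_DT_OUTPUT, or feed a saved WinDbg log through parse_dt; the decimal PID it prints is what to match against the process list, as the post does with 992.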
  • From Abdullah Mushtaq@21:1/5 to xiaopot...@gmail.com on Mon Aug 7 04:23:08 2023
    On Friday, April 12, 2019 at 8:16:43 AM UTC+5, xiaopot...@gmail.com wrote:
    On Friday, April 12, 2019 at 10:47:23 AM UTC+8, xiaopot...@gmail.com wrote:
    On Friday, April 12, 2019 at 10:38:59 AM UTC+8, xiaopot...@gmail.com wrote:
    Hello, this URL cannot be found. Can you tell me how to find the destination PID and TID? Thanks!

    "I found this blog which explained how to do this: http://blogs.technet.com/marcelofartura/archive/2007/07/13/how-to-identify-the-process-and-thread-being-called-in-a-com-call-from-a-thread-stack.aspx"

    Test: these are not the PID & TID:
    Evaluate expression: 298812044 = 11cf828c
    Evaluate expression: 298812044 = 11cf828c
    Evaluate expression: 298812044 = 11cf828c
    Evaluate expression: 0 = 00000000
    Evaluate expression: 0 = 00000000
    Evaluate expression: 1155524051 = 44dfe5d3
    Evaluate expression: 298899562 = 11d0d86a
    Evaluate expression: 298899562 = 11d0d86a
    Evaluate expression: 0 = 00000000
    Evaluate expression: 298812044 = 11cf828c
    Evaluate expression: 298812044 = 11cf828c
    Evaluate expression: 0 = 00000000
    --------------------------------------
    test:
    0:000> dt CRpcChannelBuffer 00568030
    ole32!CRpcChannelBuffer
    +0x000 lpVtbl : 0x76bd7c08 IRpcChannelBufferVtbl
    +0x004 lpVtbl : 0x76bb92c0 IRpcChannelBufferVtbl
    +0x008 _cRefs : 4
    +0x00c state : 2
    +0x010 _pRpcDefault : (null)
    +0x014 _pRpcCustom : 0x0054e810 CChannelHandle
    +0x018 _pOXIDEntry : 0x00559e68 OXIDEntry
    +0x01c _pIPIDEntry : 0x0055b0e8 tagIPIDEntry
    +0x020 _pInterfaceInfo : 0x00554780 Void
    +0x024 _pStdId : 0x00568590 CStdIdentity
    +0x028 _destObj : CDestObject
    0:000> dt OXIDEntry 0x00559e68
    ole32!OXIDEntry
    +0x000 _pNext : 0x76cc68f8 OXIDEntry
    +0x004 _pPrev : 0x00559de8 OXIDEntry
    +0x008 _dwPid : 0x3e0
    +0x00c _dwTid : 0
    +0x010 _moxid : _GUID {629ccdea-5f91-1bc2-1fd7-85b418005454}
    +0x020 _mid : 0x54540018`b485d71f
    +0x028 _ipidRundown : _GUID {0000d800-03e0-0000-8ea9-5038c3148d7c}
    +0x038 _dwFlags : 0x42
    +0x03c _hServerSTA : (null)
    +0x040 _pParentApt : (null)
    +0x044 _pRpc : 0x0054e630 CChannelHandle
    +0x048 _pAuthId : (null)
    +0x04c _pBinding : 0x00522998 tagDUALSTRINGARRAY
    +0x050 _dwAuthnHint : 4
    +0x054 _dwAuthnSvc : 0xffffffff
    +0x058 _pMIDEntry : 0x00559c40 MIDEntry
    +0x05c _pRUSTA : 0x00563dac IRemUnknown
    +0x060 _cRefs : 0n3
    +0x064 _hComplete : (null)
    +0x068 _cCalls : 0n0
    +0x06c _cResolverRef : 0n7
    +0x070 _dwExpiredTime : 0
    +0x074 _version : tagCOMVERSION
    +0x078 _ulMarshaledTargetInfoLength : 0
    +0x07c _pMarshaledTargetInfo : (null)
    =76cc7128 OXIDEntry::_palloc : CPageAllocator
    0:000> ? 0x3e0
    Evaluate expression: 992 = 000003e0
    0:000> dd esp
    002feb24 76bb9d01 00568030 002fec30 002fec18

    Now 992 ---> svchost /k netsvcs.exe
    If you're analyzing a user-mode memory dump and want to find the destination Process ID (PID) or Thread ID (TID) for an RPC (Remote Procedure Call) call, and you don't have access to the rpcexts.dll extension, you might need to use alternative debugging techniques and tools. Here's a general approach you can follow:

    Identify RPC Call Context: Review the memory dump to identify the context of the RPC call. Look for any relevant call stacks or threads that might be involved in the RPC communication. Tools like WinDbg (Windows Debugger) or other memory analysis tools can help you analyze the call stacks.

    Analyze Call Stacks: Use WinDbg or another debugging tool to analyze the call stacks of relevant threads. Look for any functions or modules that are indicative of RPC activity. This might involve functions related to networking, RPC runtime libraries, or other relevant APIs.

    Look for RPC Context Data: Once you've identified potential call stacks related to RPC, search for any data structures or variables that might contain information about the RPC call context. This could include information about the source and destination PIDs or TIDs, as well as other relevant details.

    Analyze Memory Content: If you suspect that the destination PID or TID is stored in memory, you can use the debugging tools to inspect the memory content at specific addresses. Look for any patterns or values that might correspond to PIDs or TIDs.

    Manual Inspection: In the absence of specific debugging extensions, you might need to manually inspect memory regions, disassemble code, and analyze data structures to extract the required information.

    Reverse Engineering: If necessary, you might need to reverse engineer the relevant portions of the application's code to understand how RPC calls are made and where the destination PID or TID is determined.

    Please note that this process can be quite complex and time-consuming, especially without access to specialized debugging extensions like rpcexts.dll. If possible, consider obtaining the necessary debugging tools or extensions to make the analysis more efficient and accurate. Additionally, consulting with experienced reverse engineers or debugging experts might help you navigate through the challenges of extracting RPC call context information from a user-mode memory dump.
