Windows network services internals 3

 http://forum.eviloctal.com/thread-2724-1-40.html

4.9 Windows services running RPC services over TCP/IP
4.9.1 Messenger service
The messenger service runs two RPC services, available on two endpoints:
msgsvc named pipe
a dynamic UDP port
Y:\>ifids -p ncacn_np -e \pipe\msgsvc \\.
Interfaces: 42

[...]

17fdd703-1827-4e34-79d4-24a55c53bb37 v1.0
5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0

Y:\>ifids -p ncadg_ip_udp -e 4870 127.0.0.1
Interfaces: 42

[...]

17fdd703-1827-4e34-79d4-24a55c53bb37 v1.0
5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0


The UDP transport of these services was recently abused to send advertisement messages in bulk; each message shows up on the target as a popup window [55].

The two RPC services run by the Messenger service have the following interface identifiers:
17fdd703-1827-4e34-79d4-24a55c53bb37 v1.0: msgsvc
5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0: msgsvcsend

The msgsvc RPC service supports 4 operations that manipulate NetBIOS names on a local or remote system:

--------------------------------------------------------------------------------

Interface Operation number Operation name
17fdd703-1827-4e34-79d4-24a55c53bb37 v1.0: msgsvc
0x00 NetrMessageNameAdd
0x01 NetrMessageNameEnum
0x02 NetrMessageNameGetInfo
0x03 NetrMessageNameDel


--------------------------------------------------------------------------------

The msgsvcsend RPC service supports one operation, to send a message to a registered NetBIOS name using MSRPC:

--------------------------------------------------------------------------------

Interface Operation number Operation name
5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0: msgsvcsend
0x00 NetrSendMessage


--------------------------------------------------------------------------------

The msgsvcsend interface has been used to send advertisement messages, using the NetrSendMessage operation.

A vulnerability affecting the msgsvcsend interface was recently published by the LSD research group [56]. The patch shipped with the Microsoft security bulletin MS03-043 [57] removes support for the msgsvcsend interface of the Messenger service entirely: both the server-side function in msgsvc.dll and the client-side function in wkssvc.dll are gone from the patched versions of these two DLLs.

Note: when the Messenger service receives a message over UDP, the process hosting it (services.exe) opens an additional dynamic UDP port. That port is used to send a conv_who_are_you request back to the client, which is needed when the request carrying the message was sent to UDP port 135 (the endpoint mapper) rather than to the dynamic UDP port opened by the RPC service itself.
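To make the msgsvcsend traffic described above concrete, here is an added example (not code from the original article) that builds a connectionless DCE/RPC request PDU for NetrSendMessage and dissects it again, classifying the interface UUID and operation number against the two Messenger tables above. It assumes the 80-byte connectionless header layout of the DCE 1.1 RPC specification, assumes the three [in, string] char* parameters of NetrSendMessage are marshalled as 4-byte aligned NDR conformant varying char arrays, and the sample message at the bottom is constructed for this example, not captured from a real client. The dissector is the part a detection engineer would reuse on port 135/UDP captures; nothing here sends a packet.

```python
"""Build and dissect DCE/RPC connectionless (ncadg_ip_udp) request PDUs for the
Messenger service interfaces.  Added example, not from the original article.

Assumptions: DCE 1.1 80-byte CL header; NetrSendMessage's three [in, string]
char* arguments as NDR conformant varying char arrays, 4-byte aligned; the
sample message in __main__ is constructed here.
"""
import struct
import uuid

# Interface UUIDs and operation names, as listed in the article's tables.
MSGSVC = uuid.UUID("17fdd703-1827-4e34-79d4-24a55c53bb37")
MSGSVCSEND = uuid.UUID("5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc")
INTERFACES = {
    MSGSVC: ("msgsvc", {0: "NetrMessageNameAdd", 1: "NetrMessageNameEnum",
                        2: "NetrMessageNameGetInfo", 3: "NetrMessageNameDel"}),
    MSGSVCSEND: ("msgsvcsend", {0: "NetrSendMessage"}),
}

PTYPE_REQUEST = 0
PF1_IDEMPOTENT = 0x20                  # flags1 bit: no at-most-once bookkeeping
DREP_LE_ASCII_IEEE = b"\x10\x00\x00"   # little-endian ints, ASCII chars, IEEE floats
# rpc_vers, ptype, flags1, flags2, drep, serial_hi, object, if_id, act_id,
# server_boot, if_vers, seqnum, opnum, ihint, ahint, len, fragnum, auth_proto, serial_lo
CL_HDR = "<BBBB3sB16s16s16sIIIHHHHHBB"
CL_HDR_LEN = struct.calcsize(CL_HDR)   # 80 bytes


def ndr_string(s):
    """[in, string] char*: conformant varying array (max, offset, actual, data), padded to 4."""
    data = s.encode("latin-1") + b"\x00"
    body = struct.pack("<III", len(data), 0, len(data)) + data
    return body + b"\x00" * (-len(body) % 4)


def build_send_message(sender, recipient, text, seqnum=0):
    """Request PDU for msgsvcsend opnum 0 (NetrSendMessage) as a UDP client would emit it."""
    stub = ndr_string(sender) + ndr_string(recipient) + ndr_string(text)
    hdr = struct.pack(
        CL_HDR, 4, PTYPE_REQUEST, PF1_IDEMPOTENT, 0, DREP_LE_ASCII_IEEE, 0,
        b"\x00" * 16,                 # object UUID: nil
        MSGSVCSEND.bytes_le,          # interface UUID in NDR (little-endian) byte order
        uuid.uuid4().bytes_le,        # activity UUID: one per client activity
        0,                            # server boot time: unknown to a fresh client
        1,                            # if_vers: major 1 in the low word, minor 0 in the high word
        seqnum, 0,                    # seqnum, opnum 0 = NetrSendMessage
        0xFFFF, 0xFFFF,               # ihint / ahint: "no hint"
        len(stub), 0, 0, 0)           # len, fragnum, auth_proto (none), serial_lo
    return hdr + stub


def parse_ndr_string(stub, off):
    """Decode one conformant varying char array at stub[off]; return (text, next offset)."""
    max_count, offset, actual = struct.unpack_from("<III", stub, off)
    off += 12
    if offset != 0 or actual > max_count or off + actual > len(stub):
        raise ValueError("malformed NDR string at offset %d" % (off - 12))
    data = stub[off:off + actual]
    off += actual
    off += -off % 4                   # the next conformant array is 4-byte aligned
    return data.split(b"\x00", 1)[0].decode("latin-1"), off


def dissect(pdu):
    """Classify a CL PDU against the Messenger interfaces and decode NetrSendMessage arguments."""
    if len(pdu) < CL_HDR_LEN:
        raise ValueError("short PDU")
    f = struct.unpack_from(CL_HDR, pdu, 0)
    if f[0] != 4:
        raise ValueError("not a DCE/RPC connectionless PDU (rpc_vers=%d)" % f[0])
    if (f[4][0] & 0xF0) != 0x10:
        raise ValueError("big-endian data representation not handled here")
    if_id = uuid.UUID(bytes_le=f[7])
    if_vers, opnum, length = f[10], f[12], f[15]
    name, ops = INTERFACES.get(if_id, (None, {}))
    result = {
        "ptype": f[1], "interface": name, "if_id": str(if_id),
        "version": (if_vers & 0xFFFF, if_vers >> 16),
        "opnum": opnum, "operation": ops.get(opnum), "args": None,
    }
    stub = pdu[CL_HDR_LEN:CL_HDR_LEN + length]
    if f[1] == PTYPE_REQUEST and if_id == MSGSVCSEND and opnum == 0:
        off, args = 0, []
        for _ in range(3):
            s, off = parse_ndr_string(stub, off)
            args.append(s)
        result["args"] = dict(zip(("from", "to", "text"), args))
    return result


if __name__ == "__main__":
    # Constructed sample: what a messenger-spam client puts on the wire.
    sample = build_send_message("ALERTER", "WORKSTATION", "constructed sample")
    print(dissect(sample))
```

The interesting fields for a detector are the interface UUID at offset 24 and the opnum at offset 60 of the datagram: a request for 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc with opnum 0 arriving from outside the network is the spam pattern the text describes, whatever the payload strings say.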


4.9.2 Scheduler service
The scheduler service runs RPC services allowing remote configuration of scheduled tasks. These RPC services are available on two endpoints:
atsvc named pipe
A dynamic TCP port
Before Windows XP, the Scheduler service ran in its own process, mstask.exe. Starting with Windows XP, it runs inside a svchost.exe instance (schedsvc.dll) and registers an additional RPC service (the third one in the list below).

The interfaces identifiers of these RPC services are:
X:\>ifids -p ncacn_np -e \pipe\atsvc \\.
Interfaces: 51

[...]

1ff70682-0a51-30e8-076d-740be8cee98b v1.0
378e52b0-c0a9-11cf-822d-00aa0051e40f v1.0
0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53 v1.0

X:\>ifids -p ncacn_ip_tcp -e 3136 127.0.0.1
Interfaces: 51

[...]

1ff70682-0a51-30e8-076d-740be8cee98b v1.0
378e52b0-c0a9-11cf-822d-00aa0051e40f v1.0
0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53 v1.0

X:\>



--------------------------------------------------------------------------------

Interface Operation number Operation name
1ff70682-0a51-30e8-076d-740be8cee98b v1.0: atsvc
0x00 NetrJobAdd
0x01 NetrJobDel
0x02 NetrJobEnum
0x03 NetrJobGetInfo


--------------------------------------------------------------------------------


--------------------------------------------------------------------------------

Interface Operation number Operation name
378e52b0-c0a9-11cf-822d-00aa0051e40f v1.0: sasec
0x00 SASetAccountInformation
0x01 SASetNSAccountInformation
0x02 SAGetNSAccountInformation
0x03 SAGetAccountInformation


--------------------------------------------------------------------------------

The following RPC service has been added in Windows XP:

--------------------------------------------------------------------------------

Interface Operation number Operation name
0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53 v1.0
0x00 ItSrvRegisterIdleTask
0x01 ItSrvUnregisterIdleTask
0x02 ItSrvProcessIdleTasks
0x03 ItSrvSetDetectionParameters


--------------------------------------------------------------------------------

4.9.3 WINS service
The WINS service (wins.exe process) runs two RPC services, available on two endpoints:
A dynamic TCP port
WinsPipe named pipe
The identifiers of the two RPC interfaces are:
45f52c28-7f9f-101a-b52b-08002b2efabe v1.0
811109bf-a4e1-11d1-ab54-00a0c91e9b45 v1.0


--------------------------------------------------------------------------------

Interface Operation number Operation name
45f52c28-7f9f-101a-b52b-08002b2efabe v1.0
0x00 R_WinsRecordAction
0x01 R_WinsStatus
0x02 R_WinsTrigger
0x03 R_WinsDoStaticInit
0x04 R_WinsDoScavenging
0x05 R_WinsGetDbRecs
0x06 R_WinsTerm
0x07 R_WinsBackup
0x08 R_WinsDelDbRecs
0x09 R_WinsPullRange
0x0a R_WinsSetPriorityClass
0x0b R_WinsResetCounters
0x0c R_WinsWorkerThdUpd
0x0d R_WinsGetNameAndAdd
0x0e R_WinsGetBrowserNames_Old
0x0f R_WinsDeleteWins
0x10 R_WinsSetFlags
0x11 R_WinsGetDbRecsByName
0x12 R_WinsStatusWHdl
0x13 R_WinsDoScavengingNew


--------------------------------------------------------------------------------

The WINS service also opens a dynamic UDP port, which does not seem to be used by a RPC service.


4.9.4 IIS 5 services
In Windows 2000, the IIS (Internet Information Services) 5 services (HTTP, SMTP, FTP, NNTP) all run in a single process, inetinfo.exe.

The inetinfo.exe (IIS 5) process runs RPC services on the following endpoints:
INETINFO_LPC LPC port
INETINFO named pipe
one dynamic TCP port and one dynamic UDP port
The following RPC service is registered by the IISAdmin service (infocomm.dll):
82ad4280-036b-11cf-972c-00aa006887b0 v2.0: inetinfo


--------------------------------------------------------------------------------

Interface Operation number Operation name
82ad4280-036b-11cf-972c-00aa006887b0 v2.0: inetinfo
0x00 _R_InetInfoGetVersion
0x01 _R_InetInfoGetAdminInformation
0x02 _R_InetInfoGetSites
0x03 _R_InetInfoSetAdminInformation
0x04 _R_InetInfoGetGlobalAdminInformation
0x05 _R_InetInfoSetGlobalAdminInformation
0x06 _R_InetInfoQueryStatistics
0x07 _R_InetInfoClearStatistics
0x08 _R_InetInfoFlushMemoryCache
0x09 _R_InetInfoGetServerCapabilities
0x0a _R_W3QueryStatistics2
0x0b _R_W3ClearStatistics2
0x0c _R_FtpQueryStatistics2
0x0d _R_FtpClearStatistics2
0x10 _R_IISEnumerateUsers
0x11 _R_IISDisconnectUser
0x12 _R_InitW3CounterStructure
0x13 _R_CollectW3PerfData


--------------------------------------------------------------------------------

The SMTP service (smtpsvc.dll) runs the following RPC service:
8cfb5d70-31a4-11cf-a7d8-00805f48a135 v3.0


--------------------------------------------------------------------------------

Interface Operation number Operation name
8cfb5d70-31a4-11cf-a7d8-00805f48a135 v3.0
0x00 SmtprGetAdminInformation
0x01 SmtprSetAdminInformation
0x02 SmtprQueryStatistics
0x03 SmtprClearStatistics
0x04 SmtprGetConnectedUserList
0x05 SmtprDisconnectUser
0x06 SmtprCreateUser
0x07 SmtprDeleteUser
0x08 SmtprGetUserProps
0x09 SmtprSetUserProps
0x0a SmtprCreateDistList
0x0b SmtprDeleteDistList
0x0c SmtprCreateDistListMember
0x0d SmtprDeleteDistListMember
0x0e SmtprGetNameList
0x0f SmtprGetNameListFromList
0x10 SmtprGetVRootSize
0x11 SmtprBackupRoutingTable


--------------------------------------------------------------------------------

The NNTP service (nntpsvc.dll) runs the following RPC service:
4f82f460-0e21-11cf-909e-00805f48a135 v4.0


--------------------------------------------------------------------------------

Interface Operation number Operation name
4f82f460-0e21-11cf-909e-00805f48a135 v4.0
0x00 NntprQueryStatistic
0x01 NntprClearStatistics
0x02 NntprEnumerateFeeds
0x03 NntprGetFeedInformation
0x04 NntprSetFeedInformation
0x05 NntprAddFeed
0x06 NntprDeleteFeed
0x07 NntprEnableFeed
0x08 NntprEnumerateSessions
0x09 NntprTerminateSession
0x0a NntprEnumerateExpires
0x0b NntprAddExpire
0x0c NntprDeleteExpire
0x0d NntprGetExpireInformation
0x0e NntprSetExpireInformation
0x0f NntprGetNewsgroup
0x10 NntprSetNewsgroup
0x11 NntprCreateNewsgroup
0x12 NntprDeleteNewsgroup
0x13 NntprFindNewsgroup
0x14 NntprGetAdminInformation
0x15 NntprSetAdminInformation
0x16 NntprStartRebuild
0x17 NntprGetBuildStatus
0x18 NntprCancelMessageID
0x19 NntprGetVRootWin32Error


--------------------------------------------------------------------------------

The IMAP4 service (imap4svc.dll), installed by Exchange, runs the following RPC service:
2465e9e0-a873-11d0-930b-00a0c90ab17c v3.0


--------------------------------------------------------------------------------

Interface Operation number Operation name
2465e9e0-a873-11d0-930b-00a0c90ab17c v3.0
0x00 ImaprQueryStatistics
0x01 ImaprClearStatistics
0x02 ImaprGetConnectedUserList
0x03 ImaprDisconnectUser


--------------------------------------------------------------------------------

The POP3 service (pop3svc.dll), installed by Exchange, runs the following RPC service:
1be617c0-31a5-11cf-a7d8-00805f48a135 v3.0


--------------------------------------------------------------------------------

Interface Operation number Operation name
1be617c0-31a5-11cf-a7d8-00805f48a135 v3.0
0x00 Pop3rQueryStatistics
0x01 Pop3rClearStatistics
0x02 Pop3rGetConnectedUserList
0x03 Pop3rDisconnectUser


--------------------------------------------------------------------------------

The following identifiers are not MSRPC interfaces but the IIDs of the COM interfaces activated (over DCOM) to handle IIS administration:
70b51430-b6ca-11d0-b9b9-00a0c922e750 v0.0: IMSAdminBaseW
a9e69612-b80d-11d0-b9b9-00a0c922e750 v0.0



4.9.5 Message Queuing and Distributed Transaction Coordinator services
The Message Queuing service (mqsvc.exe) runs RPC services listening on the ncacn_ip_tcp transport. On a Windows 2000 Server system, 4 TCP ports were opened by the mqsvc.exe process.

The mqqm.dll (Windows NT MQ Queue Manager) DLL, loaded in the mqsvc.exe process, contains the following RPC services:
fdb3a030-065f-11d1-bb9b-00a024ea5525 v1.0
76d12b80-3467-11d3-91ff-0090272f9ea3 v1.0
1088a980-eae5-11d0-8d9b-00a02453c337 v1.0
5b5b3580-b0e0-11d1-b92d-0060081e87f0 v1.0
41208ee0-e970-11d1-9b9e-00e02c064c39 v1.0


--------------------------------------------------------------------------------

Interface Operation number Operation name
fdb3a030-065f-11d1-bb9b-00a024ea5525 v1.0
0x00 QMOpenQueue
0x01 QMGetRemoteQueueName
0x02 QMOpenRemoteQueue
0x03 QMCloseRemoteQueueContext
0x04 QMCreateRemoteCursor
0x05 QMSendMessageInternal
0x06 QMCreateObjectInternal
0x07 QMSetObjectSecurityInternal
0x08 QMGetObjectSecurityInternal
0x09 QMDeleteObject
0x0a QMGetObjectProperties
0x0b QMSetObjectProperties
0x0c QMObjectPathToObjectFormat
0x0d QMAttachProcess
0x0e QMGetTmWhereabouts
0x0f QMEnlistTransation
0x10 QMEnlistInternalTransaction
0x11 QMCommitTransaction
0x12 QMAbortTransaction
0x13 QMOpenQueueInternal
0x14 ACCloseHandle
0x15 ACCreateCursor
0x16 ACCloseCursor
0x17 ACSetCursorProperties
0x18 ACSendMessage
0x19 ACReceiveMessage
0x1a ACHandleToFormatName
0x1b ACPurgeQueue
0x1c QMQueryQMRegistryInternal
0x1d QMListInternalQueues
0x1e QMCorrectOutSequence
0x1f QMGetRemoteQMServerPort
0x20 QMGetMsmqServiceName
0x21 QMCreateDSObjectInternal


--------------------------------------------------------------------------------


--------------------------------------------------------------------------------

Interface Operation number Operation name
76d12b80-3467-11d3-91ff-0090272f9ea3 v1.0
0x00 QMSendMessageInternalEx
0x01 ACSendMessageEx
0x02 ACReceiveMessageEx
0x03 ACCreateCursorEx


--------------------------------------------------------------------------------


--------------------------------------------------------------------------------

Interface Operation number Operation name
1088a980-eae5-11d0-8d9b-00a02453c337 v1.0
0x00 RemoteQMStartReceive
0x01 RemoteQMEndReceive
0x02 RemoteQMOpenQueue
0x03 RemoteQMCloseQueue
0x04 RemoteQMCloseCursor
0x05 RemoteQMCancelReceive
0x06 RemoteQMPurgeQueue
0x07 RemoteQMGetQMQMServerPort
0x08 RemoteQmGetVersion
0x09 RemoteQMStartReceive2
0x0a RemoteQMStartReceiveByLookupId


--------------------------------------------------------------------------------


--------------------------------------------------------------------------------

Interface Operation number Operation name
5b5b3580-b0e0-11d1-b92d-0060081e87f0 v1.0
0x00 QMSendReplMsg


--------------------------------------------------------------------------------


--------------------------------------------------------------------------------

Interface Operation number Operation name
41208ee0-e970-11d1-9b9e-00e02c064c39 v1.0
0x00 QMMgmtGetInfo
0x01 QMMgmtAction


--------------------------------------------------------------------------------

The msdtcprx.dll DLL (MS DTC OLE Transactions interface proxy), also loaded in the mqsvc.exe process, contains one RPC service:
906b0ce0-c70b-1067-b317-00dd010662da v1.0


--------------------------------------------------------------------------------

Interface Operation number Operation name
906b0ce0-c70b-1067-b317-00dd010662da v1.0
0x00 Poke
0x01 BuildContext
0x02 NegotiateResources
0x03 SendReceive
0x04 TearDownContext
0x05 BeginTearDown
0x06 PokeW
0x07 BuildContextW


--------------------------------------------------------------------------------

This RPC service also runs in the Distributed Transaction Coordinator service process (msdtc.exe), which opens a dynamic TCP port as well as TCP port 3372 (at least on Windows 2000).


4.9.6 Active Directory related RPC services
The first important RPC service of Active Directory is the drsuapi interface, identified as follows:
Active Directory replication interface: e3514235-4b06-11d1-ab04-00c04fc2dcd2 v4.0

It supports the following operations:

--------------------------------------------------------------------------------

Interface Operation number Operation name
e3514235-4b06-11d1-ab04-00c04fc2dcd2 v4.0: drsuapi
0x00 DRSBind
0x01 DRSUnbind
0x02 DRSReplicaSync
0x03 DRSGetNCChanges
0x04 DRSUpdateRefs
0x05 DRSReplicaAdd
0x06 DRSReplicaDel
0x07 DRSReplicaModify
0x08 DRSVerifyNames
0x09 DRSGetMemberships
0x0a DRSInterDomainMove
0x0b DRSGetNT4ChangeLog
0x0c DRSCrackNames
0x0d DRSWriteSPN
0x0e DRSRemoveDsServer
0x0f DRSRemoveDsDomain
0x10 DRSDomainControllerInfo
0x11 DRSAddEntry
0x12 DRSExecuteKCC
0x13 DRSGetReplInfo
0x14 DRSAddSidHistory
0x15 DRSGetMemberships2
0x16 DRSReplicaVerifyObjects
0x17 DRSGetObjectExistence
0x18 DRSQuerySitesByCost


--------------------------------------------------------------------------------

Ethereal has a dissector for this interface [58], but it currently only displays the operation names: drsuapi calls are made at the RPC packet-privacy authentication level, so the stub data of all these operations is encrypted on the wire.

The dssetup RPC interface, which contains only one operation, is used in Active Directory domains:

--------------------------------------------------------------------------------

Interface Operation number Operation name
3919286a-b10c-11d0-9ba8-00c04fd92ef5 v0.0: dssetup
0x00 DsRolerGetPrimaryDomainInformation


--------------------------------------------------------------------------------

The following RPC interfaces are supported on a Windows 2000 domain controller to handle backup and restore of Active Directory:
Active Directory backup interface: ecec0d70-a603-11d0-96b1-00a0c91ece30 v1.0
Active Directory restore interface: 16e0cf3a-a604-11d0-96b1-00a0c91ece30 v1.0


--------------------------------------------------------------------------------

Interface Operation number Operation name
ecec0d70-a603-11d0-96b1-00a0c91ece30 v1.0
0x00 HrRBackupPrepare
0x01 HrRBackupEnd
0x02 HrRBackupGetAttachmentInformation
0x03 HrRBackupOpenFile
0x04 HrRBackupRead
0x05 HrRBackupClose
0x06 HrRBackupGetBackupLogs
0x07 HrRBackupTruncateLogs
0x08 HrRBackupPing


--------------------------------------------------------------------------------


--------------------------------------------------------------------------------

Interface Operation number Operation name
16e0cf3a-a604-11d0-96b1-00a0c91ece30 v1.0
0x00 HrRIsNTDSOnline
0x01 HrRRestorePrepare
0x02 HrRRestoreRegister
0x03 HrRRestoreRegisterComplete
0x04 HrRRestoreGetDatabaseLocations
0x05 HrRRestoreEnd
0x06 HrRRestoreSetCurrentLogNumber
0x07 HrRRestoreCheckLogsForBackup


--------------------------------------------------------------------------------

By default, these RPC services are registered in the endpoint mapper database on a dynamic TCP port. It is possible, however, to set a registry value (the TCP/IP Port DWORD under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters) to make them listen on a fixed port [59]. Once that value is set, the endpoint mapper always returns this fixed port when asked for one of these interfaces, which is what allows the traffic to be filtered on a single port.
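What the endpoint mapper actually hands back for such a lookup is a protocol tower, so verifying the fixed-port setting from the network means reading the port out of that tower. The following added example (not code from the original article) encodes and decodes towers for ncacn_ip_tcp and ncadg_ip_udp bindings and checks whether an interface such as drsuapi is bound on the expected port. It assumes the five-floor tower layout of the DCE RPC specification (interface UUID, NDR transfer syntax, RPC protocol, TCP/UDP port in network byte order, IPv4 address); the sample tower at the bottom is constructed here for a DC configured with port 50000, not captured from a live endpoint mapper. A live ept_map query, for instance with a tool such as impacket's rpcdump.py, would supply the real tower bytes to parse_tower().

```python
"""Encode and decode endpoint-mapper protocol towers for IP bindings.
Added example, not from the original article.

Assumptions: DCE RPC tower layout, floors in the order interface UUID,
NDR transfer syntax, RPC protocol (ncacn/ncadg), DoD port, IPv4 address;
the sample tower in __main__ is constructed here.
"""
import socket
import struct
import uuid

NDR_XFER = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")   # NDR transfer syntax v2.0
DRSUAPI = uuid.UUID("e3514235-4b06-11d1-ab04-00c04fc2dcd2")    # from the article, v4.0

# Tower protocol identifiers (first byte of a floor's left-hand side).
PROTO_UUID, PROTO_NCACN, PROTO_NCADG = 0x0D, 0x0B, 0x0A
PROTO_TCP, PROTO_UDP, PROTO_IP = 0x07, 0x08, 0x09


def _floor(lhs, rhs):
    """One floor: u16 lhs length, lhs bytes, u16 rhs length, rhs bytes (lengths little-endian)."""
    return struct.pack("<H", len(lhs)) + lhs + struct.pack("<H", len(rhs)) + rhs


def build_ip_tower(if_uuid, major, minor, port, address, udp=False):
    """Tower for an IP binding of if_uuid, as an ept_map response carries it."""
    floors = [
        _floor(bytes([PROTO_UUID]) + if_uuid.bytes_le + struct.pack("<H", major),
               struct.pack("<H", minor)),
        _floor(bytes([PROTO_UUID]) + NDR_XFER.bytes_le + struct.pack("<H", 2),
               struct.pack("<H", 0)),
        _floor(bytes([PROTO_NCADG if udp else PROTO_NCACN]), struct.pack("<H", 0)),
        _floor(bytes([PROTO_UDP if udp else PROTO_TCP]), struct.pack(">H", port)),  # network order
        _floor(bytes([PROTO_IP]), socket.inet_aton(address)),
    ]
    return struct.pack("<H", len(floors)) + b"".join(floors)


def parse_tower(tower):
    """Return interface UUID, version, protocol sequence, port and address found in a tower."""
    (count,) = struct.unpack_from("<H", tower, 0)
    off = 2
    info = {"interface": None, "version": None, "protseq": None, "port": None, "address": None}
    rpc_kind = None
    for _ in range(count):
        (lhs_len,) = struct.unpack_from("<H", tower, off)
        off += 2
        lhs = tower[off:off + lhs_len]
        off += lhs_len
        (rhs_len,) = struct.unpack_from("<H", tower, off)
        off += 2
        rhs = tower[off:off + rhs_len]
        off += rhs_len
        if not lhs:
            raise ValueError("empty floor lhs")
        pid = lhs[0]
        if pid == PROTO_UUID:
            u = uuid.UUID(bytes_le=lhs[1:17])
            version = (struct.unpack("<H", lhs[17:19])[0], struct.unpack("<H", rhs)[0])
            if u != NDR_XFER:                      # skip the transfer-syntax floor
                info["interface"], info["version"] = u, version
        elif pid in (PROTO_NCACN, PROTO_NCADG):
            rpc_kind = "ncacn" if pid == PROTO_NCACN else "ncadg"
        elif pid in (PROTO_TCP, PROTO_UDP):
            info["port"] = struct.unpack(">H", rhs)[0]
            info["protseq"] = "%s_ip_%s" % (rpc_kind, "tcp" if pid == PROTO_TCP else "udp")
        elif pid == PROTO_IP:
            info["address"] = socket.inet_ntoa(rhs)
        else:
            raise ValueError("unhandled protocol identifier 0x%02x" % pid)
    if off != len(tower):
        raise ValueError("%d trailing bytes after last floor" % (len(tower) - off))
    return info


def check_fixed_port(tower, expected_port):
    """True if the tower binds ncacn_ip_tcp on the administratively fixed port."""
    info = parse_tower(tower)
    return info["protseq"] == "ncacn_ip_tcp" and info["port"] == expected_port


if __name__ == "__main__":
    # Constructed sample: what a DC with TCP/IP Port = 50000 would return for drsuapi.
    sample = build_ip_tower(DRSUAPI, 4, 0, 50000, "10.0.0.5")
    print(parse_tower(sample), check_fixed_port(sample, 50000))
```

Note the byte-order mix: floor lengths and interface version numbers are little-endian, while the port in the DoD floor is in network (big-endian) order, a detail that trips up hand-written checks.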

Windows Server 2003 supports the dsrole interface, available on the following endpoint:
dsrole LPC port
Y:\>ifids -p ncalrpc -e dsrole serveur
Interfaces: 18

[...]

1cbcad78-df0b-4934-b558-87839ea501c9 v0.0

[...]



--------------------------------------------------------------------------------

Interface Operation number Operation name
1cbcad78-df0b-4934-b558-87839ea501c9 v0.0: dsrole
0x00 DsRolerDnsNameToFlatName
0x01 DsRolerDcAsDc
0x02 DsRolerDcAsReplica
0x03 DsRolerDemoteDc
0x04 DsRolerGetDcOperationProgress
0x05 DsRolerGetDcOperationResults
0x06 DsRolerCancel
0x07 DsRolerIfmHandleFree
0x08 DsRolerServerSaveStateForUpgrade
0x09 DsRolerUpgradeDownlevelServer
0x0a DsRolerAbortDownlevelServerUpgrade
0x0b DsRolerGetDatabaseFacts


--------------------------------------------------------------------------------

This interface can only be used locally: it is registered with the RpcServerRegisterIfEx() API, specifying a security callback function that checks that the protocol sequence of the call is ncalrpc and that the LPC endpoint is the dsrole port.

Another interface in the ntdsa.dll DLL contains only two operations:

--------------------------------------------------------------------------------

Interface Operation number Operation name
7c44d7d4-31d5-424c-bd5e-2b3e1f323d22 v1.0
0x00 DSAPrepareScript
0x01 DSAExecuteScript

