From 8858cb7027546d5843b083970ec9425933debf50 Mon Sep 17 00:00:00 2001
From: James Forshaw
Date: Thu, 16 Dec 2021 14:20:48 +0000
Subject: [PATCH] Added ProcessId to Get-RpcEndpoint.
---
 NtObjectManager/RpcFunctions.ps1 | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/NtObjectManager/RpcFunctions.ps1 b/NtObjectManager/RpcFunctions.ps1
index 31f980b0..31cdd0a2 100644
--- a/NtObjectManager/RpcFunctions.ps1
+++ b/NtObjectManager/RpcFunctions.ps1
@@ -83,6 +83,8 @@ A RPC binding string to query all endpoints from.
 An ALPC port name. Can contain a full path as long as the string contains \RPC Control\ (case sensitive).
 .PARAMETER FindAlpcPort
 Use brute force to find a valid ALPC endpoint for the interface.
+.PARAMETER ProcessId
+Used to find all ALPC ports in a process and get the supported interfaces.
 .INPUTS
 None or NtApiDotNet.Ndr.NdrRpcServerInterface
 .OUTPUTS
@@ -108,6 +110,9 @@ Get RPC endpoints for exposed over ncalrpc with name RPC_PORT.
 .EXAMPLE
 Get-RpcEndpoint -AlpcPort "RPC_PORT"
 Get RPC endpoints for exposed over ALPC with name RPC_PORT.
+.EXAMPLE
+Get-RpcEndpoint -ProcessId 1234
+Get RPC endpoints for exposed over ALPC for the process 1234.
 #>
 function Get-RpcEndpoint {
 [CmdletBinding(DefaultParameterSetName = "All")]
@@ -123,6 +128,9 @@ function Get-RpcEndpoint {
 [string]$Binding,
 [parameter(Mandatory, ParameterSetName = "FromAlpc")]
 [string]$AlpcPort,
+ [parameter(Mandatory, ParameterSetName = "FromProcessId")]
+ [alias("pid")]
+ [int]$ProcessId,
 [parameter(ParameterSetName = "FromIdAndVersion")]
 [parameter(ParameterSetName = "FromServer")]
 [switch]$FindAlpcPort,
@@ -173,6 +181,9 @@ function Get-RpcEndpoint {
 "FromRpcClient" {
 [NtApiDotNet.Win32.RpcEndpointMapper]::QueryEndpoints($SearchBinding, $Client.InterfaceId, $Client.InterfaceVersion)
 }
+ "FromProcessId" {
+ (Get-RpcAlpcServer -ProcessId $ProcessId).Endpoints
+ }
 }
 if ($ProtocolSequence.Count -gt 0) {
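Review bot: In the new `"FromProcessId"` branch of the last hunk, `(Get-RpcAlpcServer -ProcessId $ProcessId).Endpoints` produces no output both when the process hosts no ALPC RPC servers and when the lookup returns nothing for another reason, such as insufficient access to the target process. The caller cannot tell these cases apart unless Get-RpcAlpcServer itself reports the failure, and that function is not visible here. An empty result from an endpoint enumeration is easily read as "this process exposes nothing", so consider assigning the result to a variable first and emitting something like `Write-Warning "No ALPC RPC servers returned for process $ProcessId; check access to the process."` when it is empty, before returning `.Endpoints`. The `.PARAMETER ProcessId` help text added in the first hunk could also say that results depend on the caller's access to the target process. The body of Get-RpcEndpoint starts and ends outside this hunk, so how the other parameter sets handle an empty result cannot be compared from here.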