From fc9bc6abe81bd28be0a46a1db88187e7a7595773 Mon Sep 17 00:00:00 2001
From: dekelpaz
Date: Mon, 16 Dec 2024 07:17:53 -0800
Subject: [PATCH] remove uuid prefix from protocol on anonymous binds
---
 rpcFirewall/dllmain.cpp | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/rpcFirewall/dllmain.cpp b/rpcFirewall/dllmain.cpp
index d3fe5f3..0598614 100644
--- a/rpcFirewall/dllmain.cpp
+++ b/rpcFirewall/dllmain.cpp
@@ -1411,6 +1411,7 @@ bool processRPCCallInternal(wchar_t* functionName, PRPC_MESSAGE pRpcMsg)
 WRITE_DEBUG_MSG_WITH_STATUS(_T("RpcBindingServerFromClient failed"), status);
 return true;
 }
+
 RpcStringWrapper szStringBinding;
 status = RpcBindingToStringBinding(serverBinding.binding, szStringBinding.getRpcPtr());
@@ -1472,7 +1473,16 @@ bool processRPCCallInternal(wchar_t* functionName, PRPC_MESSAGE pRpcMsg)
 dstPort = getAddressAndPortFromBuffer(dstAddrFromConnection, buffDst);
 }
- const RpcEventParameters eventParams = populateEventParameters(pRpcMsg, szStringBindingServer.str, szStringBinding.str, functionName, srcAddrFromConnection, srcPort, dstAddrFromConnection, dstPort);
+ // Remove uuid prefix from protocol in anonymous binds
+ std::wstring protocol = szStringBinding.str;
+
+ const size_t protocolDelimiterPosition = protocol.find('@');
+ if (protocolDelimiterPosition != std::wstring::npos)
+ {
+ protocol = protocol.substr(protocolDelimiterPosition + 1);
+ }
+
+ const RpcEventParameters eventParams = populateEventParameters(pRpcMsg, szStringBindingServer.str, &protocol[0], functionName, srcAddrFromConnection, srcPort, dstAddrFromConnection, dstPort);
 policy = getMatchingPolicy(eventParams);
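Review bot: The new `protocol.find('@')` in the second hunk strips everything up to the first `@` found anywhere in the string binding, without checking that the stripped prefix is actually an object UUID, and the result is what `populateEventParameters` passes on to `getMatchingPolicy`. If any other field of the binding (network address, endpoint) can carry an `@` — not visible from this hunk — a binding with no UUID prefix would be cut down to something other than its protocol sequence, and the firewall's policy decision would be made on the wrong value. Consider stripping only when the delimiter precedes the protocol separator, e.g. `if (protocolDelimiterPosition != std::wstring::npos && protocolDelimiterPosition < protocol.find(L':'))`, and constructing `protocol` only once `szStringBinding.str` is known to be non-null, since building a `std::wstring` from a null pointer is undefined behaviour. processRPCCallInternal's body starts and ends outside the hunk, so an earlier status check on `RpcBindingToStringBinding` may already cover the null case.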