Class: TurboRex::MSRPC::RPCFinder::ImageFinder::InterfaceModel

Inherits:

Object

• Object
• TurboRex::MSRPC::RPCFinder::ImageFinder::InterfaceModel

Defined in:

lib/turborex/msrpc/rpcfinder.rb

Instance Attribute Summary

• #dasm ⇒ Object

  Returns the value of attribute dasm.

• #decompiler ⇒ Object

  Returns the value of attribute decompiler.

• #endpoints ⇒ Object

  Returns the value of attribute endpoints.

• #finder ⇒ Object readonly

  Returns the value of attribute finder.

• #interface_id ⇒ Object readonly

  Returns the value of attribute interface_id.

• #interface_ver ⇒ Object readonly

  Returns the value of attribute interface_ver.

• #midl_switches ⇒ Object readonly

  Returns the value of attribute midl_switches.

• #offset_table ⇒ Object

  Returns the value of attribute offset_table.

• #pproc_fs ⇒ Object

  Returns the value of attribute pproc_fs.

• #protocol ⇒ Object

  Returns the value of attribute protocol.

• #ptype_fs ⇒ Object

  Returns the value of attribute ptype_fs.

• #routines ⇒ Object

  Returns the value of attribute routines.

• #struct ⇒ Object readonly

  Returns the value of attribute struct.

• #uuid ⇒ Object readonly

  Returns the value of attribute uuid.

• #xrefs_from ⇒ Object

  Returns the value of attribute xrefs_from.

• #xrefs_to ⇒ Object

  Returns the value of attribute xrefs_to.

Instance Method Summary

• #analysis_midl_switches ⇒ Object
• #client? ⇒ Boolean
• #decompile ⇒ Object
• #func_in_server_routines(addr) ⇒ Object
• #func_in_server_routines?(addr) ⇒ Boolean
• #initialize(struct, finder, dasm = nil) ⇒ InterfaceModel constructor

  A new instance of InterfaceModel.

• #method_missing(m, *args) ⇒ Object
• #server? ⇒ Boolean
• #set_fs ⇒ Object

Constructor Details

#initialize(struct, finder, dasm = nil) ⇒ InterfaceModel

Returns a new instance of InterfaceModel.

# File 'lib/turborex/msrpc/rpcfinder.rb', line 188

def initialize(struct, finder, dasm = nil)
  @struct = struct # RPC_SERVER_INTERFACE_Klass
  @protocol = get_protocol
  @interface_id = @uuid = TurboRex::MSRPC::Utils.raw_to_guid_str(struct.InterfaceId_Value)
  @interface_ver = get_interface_ver
  @transfer_syntax = TurboRex::MSRPC::Utils.raw_to_guid_str(struct.TransferSyntax_Value)
  @transfer_syntax_ver = get_trans_syntax_ver
  @midl_switches = RPCBase::MIDL_SWITCHES.new
  @dasm = dasm || finder.dasm
  @endpoints = []
  @finder = finder
  @routines = []
  @xrefs_to = []
  @xrefs_from = []
end

Dynamic Method Handling

This class handles dynamic methods through the method_missing method

#method_missing(m, *args) ⇒ Object

# File 'lib/turborex/msrpc/rpcfinder.rb', line 316

def method_missing(m, *args)
  if m.to_s.start_with?('raw_')
    camelcase_name = camelcase(m.to_s.sub('raw_', ''))
    if @struct.respond_to? camelcase_name
      @struct.public_send camelcase_name, *args
    end
  elsif @struct.respond_to? m
    @struct.public_send m, *args
  else
    begin
      @struct.public_send m, *args
    rescue StandardError
      super(m, *args)
    end
  end
end

Instance Attribute Details

#dasm ⇒ Object

Returns the value of attribute dasm.

# File 'lib/turborex/msrpc/rpcfinder.rb', line 168

def dasm
  @dasm
end

#decompiler ⇒ Object

Returns the value of attribute decompiler.

# File 'lib/turborex/msrpc/rpcfinder.rb', line 177

def decompiler
  @decompiler
end

#endpoints ⇒ Object

Returns the value of attribute endpoints.

# File 'lib/turborex/msrpc/rpcfinder.rb', line 181

def endpoints
  @endpoints
end

#finder ⇒ Object (readonly)

Returns the value of attribute finder.

# File 'lib/turborex/msrpc/rpcfinder.rb', line 175

def finder
  @finder
end

#interface_id ⇒ Object (readonly)

Returns the value of attribute interface_id.

# File 'lib/turborex/msrpc/rpcfinder.rb', line 171

def interface_id
  @interface_id
end

#interface_ver ⇒ Object (readonly)

Returns the value of attribute interface_ver.

# File 'lib/turborex/msrpc/rpcfinder.rb', line 173

def interface_ver
  @interface_ver
end

#midl_switches ⇒ Object (readonly)

Returns the value of attribute midl_switches.

# File 'lib/turborex/msrpc/rpcfinder.rb', line 174

def midl_switches
  @midl_switches
end

#offset_table ⇒ Object

Returns the value of attribute offset_table.

# File 'lib/turborex/msrpc/rpcfinder.rb', line 184

def offset_table
  @offset_table
end

#pproc_fs ⇒ Object

Returns the value of attribute pproc_fs.

# File 'lib/turborex/msrpc/rpcfinder.rb', line 183

def pproc_fs
  @pproc_fs
end

#protocol ⇒ Object

Returns the value of attribute protocol.

# File 'lib/turborex/msrpc/rpcfinder.rb', line 170

def protocol
  @protocol
end

#ptype_fs ⇒ Object

Returns the value of attribute ptype_fs.

# File 'lib/turborex/msrpc/rpcfinder.rb', line 185

def ptype_fs
  @ptype_fs
end

#routines ⇒ Object

Returns the value of attribute routines.

# File 'lib/turborex/msrpc/rpcfinder.rb', line 178

def routines
  @routines
end

#struct ⇒ Object (readonly)

Returns the value of attribute struct.

# File 'lib/turborex/msrpc/rpcfinder.rb', line 169

def struct
  @struct
end

#uuid ⇒ Object (readonly)

Returns the value of attribute uuid.

# File 'lib/turborex/msrpc/rpcfinder.rb', line 172

def uuid
  @uuid
end

#xrefs_from ⇒ Object

Returns the value of attribute xrefs_from.

# File 'lib/turborex/msrpc/rpcfinder.rb', line 180

def xrefs_from
  @xrefs_from
end

#xrefs_to ⇒ Object

Returns the value of attribute xrefs_to.

# File 'lib/turborex/msrpc/rpcfinder.rb', line 179

def xrefs_to
  @xrefs_to
end

Instance Method Details

#analysis_midl_switches ⇒ Object

# File 'lib/turborex/msrpc/rpcfinder.rb', line 256

def analysis_midl_switches
  # Don't analyze the client interfaces. It is performed when parsing the client dispatch functions.
  if server?
    dispatch_funcs = @struct.DispatchTable.DispatchTable

    # TODO: Refine the parse methods with format string
    # Oi/Oicf/ndr64
    unless dispatch_funcs.empty?
      begin
        @dasm.disassemble dispatch_funcs[0]
      rescue StandardError
        return false
      end

      label = @dasm.get_label_at dispatch_funcs[0]
      case label
      when /NdrServerCall2/i
        @midl_switches << %w[Oif Oicf]
      when /NdrServerCall/i
        @midl_switches << %w[Oi Oic]
      when /NdrServerCallNdr64/i
        if @struct.ndr64?
          @midl_switches << 'ndr64'
          @midl_switches << %w[win64 amd64 ia64]
        end
      end
    end

    if (@struct.Flags & 0x6000000) == 0x6000000 # test /Oicf /protocol all /win64(amd64/ia64)
      interpreter_info = @struct.InterpreterInfo
      unless interpreter_info == 0
        if interpreter_info.nCount >= 2 && interpreter_info.ProcString != 0
          begin
            interpreter_info.pSyntaxInfo.each do |syntax_info|
              disp_funcs = syntax_info.DispatchTable.DispatchFunctions
              @dasm.disassemble disp_funcs.first
              label = @dasm.get_label_at disp_funcs.first

              next unless label =~ /NdrServerCallAll/

              @midl_switches << 'all'
              @midl_switches << %w[win64 amd64 ia64]
              @protocol = :all
            end
          rescue StandardError
            # TODO: exception handle
          end
        end
      end
    end

    # Os is contradictory with '/protocol ndr64/all'
    unless @midl_switches.has_one_of_switches?(%w[Oi Oic Oif Oicf ndr64 all])
      if @struct.interpreter_info_nullptr? && @struct.Flags == 0
        @midl_switches << 'Os'
      end
    end
  end
end

#client? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/turborex/msrpc/rpcfinder.rb', line 208

def client?
  !server?
end

#decompile ⇒ Object

# File 'lib/turborex/msrpc/rpcfinder.rb', line 232

def decompile
  return false unless set_fs

  @finder.ndr_decompiler.decompile(self)
end

#func_in_server_routines(addr) ⇒ Object

# File 'lib/turborex/msrpc/rpcfinder.rb', line 242

def func_in_server_routines(addr)
  return false unless server?

  @finder.disassemble_executable_sections
  res = []

  routines = @routines
  routines.each do |r|
    res << r if @finder.has_path?(dasm, r.addr, addr)
  end

  res
end

#func_in_server_routines?(addr) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/turborex/msrpc/rpcfinder.rb', line 238

def func_in_server_routines?(addr)
  func_in_server_routines(addr).empty? ? false : true
end

#server? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/turborex/msrpc/rpcfinder.rb', line 204

def server?
  !@struct.dispatch_table_nullptr?
end

#set_fs ⇒ Object

# File 'lib/turborex/msrpc/rpcfinder.rb', line 212

def set_fs
  return false if client?
  analysis_midl_switches

  pe = finder.pe
  @poffset_table = pe.vma_to_file_offset(self.InterpreterInfo.FormatStringOffset_Value)
  @pproc_fs = pe.vma_to_file_offset(self.InterpreterInfo.ProcFormatString_Value)

  if @midl_switches.has_switch?('Oi')
    @ptype_fs = pe.vma_to_file_offset(self.InterpreterInfo.pStubDesc.pFormatTypes_Value)
    mode = :Oi
  elsif @midl_switches.has_switch?('all') && @midl_switches.arch_64?
    return false # TODO: Implement
  elsif @midl_switches.has_switch?('Oicf')
    @ptype_fs = pe.vma_to_file_offset(self.InterpreterInfo.pStubDesc.pFormatTypes_Value)
  end

  true
end