Reimplementing Local RPC in .Net

Offered By: Hack In The Box Security Conference via YouTube

Tags

Hack In The Box Security Conference Courses, C# Courses, PowerShell Courses, .NET Courses, Reverse Engineering Courses, Software Security Courses, Serialization Courses, Fuzzing Courses

Course Description

Overview

Explore the intricacies of reimplementing local RPC in .NET through this comprehensive conference talk from HITB CyberWeek. Delve into the challenges of finding privilege escalation in local Windows RPC servers and learn about the innovative approaches to implementing RPC clients in .NET languages like C# and PowerShell. Discover the process of reverse engineering APIs, implementing NDR parsing and serialization, and integrating with PowerShell. Gain insights into assessing implementation approaches, identifying the low-level ALPC implementation, and uncovering new bugs using custom tooling. Benefit from the speaker's expertise in computer hardware and software security, including their recognition as a top MSRC researcher and Pwn2Own winner. Follow along as the presentation covers topics such as Interface Definition Language, the MIDL Compiler, NDR Format Strings, structure marshalling, client implementation, and finding RPC server interfaces. Explore undocumented byte codes, standards, and techniques for dealing with arrays of structures with pointers. Learn about fuzzing and possible future work, and gain access to the tooling developed for this research.

Syllabus

Intro
Architectural Overview
Interface Definition Language (IDL)
MIDL Compiler
Auto-generated Server Definition Information
Example NDR Format String
Structure Marshalling
Client Implementation (32 bit)
Managed Implementation
Finding RPC Server Interfaces
Iterative Approach
Undocumented Byte Codes
Going to the Standards
Arrays of Structures with Pointers
A Simple Alex Ionescu Trick
Finding the ALPC Port
Mapping Types
Simple Example
Dealing with Out Parameters in PowerShell
Find New Windows RPC APIs
Fuzzing
Possible Future Work


Taught by

Hack In The Box Security Conference
