4.3. MSRPC transports

The RPC mechanism was designed to be transport-independent: different protocols can be used to transport remote procedure parameters and execution results.

In DCE-RPC (and thus MSRPC), transport protocols are identified by protocol sequence identifiers. Windows systems typically use the following protocol sequences:

An endpoint is the entity used at the transport level to remotely invoke an RPC service. The nature of an endpoint is specific to each protocol sequence:

Most LPC ports are MSRPC endpoints. Using the Winobj tool [36], you can see a list of LPC ports used as MSRPC endpoints on a running system, under the RPC Control subdirectory of the NT kernel Object Manager namespace.

However, not every TCP port, UDP port or named pipe is an MSRPC endpoint.

One way to determine whether a TCP port, UDP port or named pipe is an MSRPC endpoint is to try to bind to the RPC service presumed to be listening on it. If the bind operation fails or blocks, the tested endpoint is probably not an MSRPC endpoint.
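The bind test described above, for the TCP case only, as an added example that is not part of the original text or of any tool it cites. It builds a connection-oriented DCE-RPC bind PDU and classifies the first reply. The choice of the DCE management interface as the abstract syntax, the fragment sizes and all function names are assumptions of this example, and replies are parsed as little-endian, as Windows peers send them.

```python
import socket
import struct
import uuid

# Well-known DCE-RPC constants (not taken from the page).
MGMT_IF = uuid.UUID("afa8bd80-7d8a-11c9-bef4-08002b102989")  # management interface, v1.0
NDR = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")      # NDR transfer syntax, v2
BIND, BIND_ACK, BIND_NAK = 11, 12, 13                        # PDU types
HDR = "<BBBB4sHHI"  # vers, minor, ptype, flags, drep, frag_len, auth_len, call_id


def build_bind(call_id=1):
    """Connection-oriented bind PDU offering one presentation context."""
    body = struct.pack("<HHI", 4280, 4280, 0)            # max xmit/recv frag, assoc group
    body += struct.pack("<BBH", 1, 0, 0)                 # one context element
    body += struct.pack("<HBB", 0, 1, 0)                 # context id 0, one transfer syntax
    body += MGMT_IF.bytes_le + struct.pack("<HH", 1, 0)  # abstract syntax + version
    body += NDR.bytes_le + struct.pack("<I", 2)          # transfer syntax + version
    drep = b"\x10\x00\x00\x00"                           # little-endian, ASCII, IEEE
    return struct.pack(HDR, 5, 0, BIND, 0x03, drep, 16 + len(body), 0, call_id) + body


def classify_reply(data, call_id=1):
    """Return 'bind_ack', 'bind_nak' or 'not_rpc' for the first reply bytes."""
    if len(data) < 16:
        return "not_rpc"
    vers, minor, ptype, _, _, frag_len, _, cid = struct.unpack(HDR, data[:16])
    if vers != 5 or minor > 1 or frag_len < 16:
        return "not_rpc"
    if cid != call_id or ptype not in (BIND_ACK, BIND_NAK):
        return "not_rpc"
    return "bind_ack" if ptype == BIND_ACK else "bind_nak"


def probe_tcp(host, port, timeout=3.0):
    """Send the bind to a TCP port; refusal, timeout or a non-RPC answer gives 'not_rpc'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_bind())
            return classify_reply(s.recv(4096))
    except OSError:
        return "not_rpc"


if __name__ == "__main__":
    # Constructed sample replies, so the classifier runs offline.
    ack = struct.pack(HDR, 5, 0, BIND_ACK, 0x03, b"\x10\x00\x00\x00", 16, 0, 1)
    print(classify_reply(ack))                           # RPC runtime answered
    print(classify_reply(b"HTTP/1.1 400 Bad Request\r\n\r\n"))
```

Both `bind_ack` and `bind_nak` mean an RPC runtime answered on the port; only `not_rpc` matches the "fails or blocks" case in the text.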

The ifids tool, part of Todd Sabin's RPC Tools [37], can be used to identify RPC service endpoints. A demonstration of this tool is given in [41].