RPC static analysis script
- PowerShell
- IDA with IDAPython plugin
- Windows SDK (for dbghelp/debugging support)
- Visual Studio (if you want to build NtApiDotNet.dll yourself)
- Set the symbol path in the environment variable _NT_SYMBOL_PATH, or use symchk.exe to download symbols (in my script that step is commented out)
- Copy the IDA directory into my script directory and rename it to "IDA", or add the IDA path to the environment variables (PATH)
- Confirm that NtApiDotNet.dll and NtObjectManager.dll are in my script directory
- NtApiDotNet is an open source project developed by James Forshaw; you can build and customize it yourself (https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/tree/master/NtApiDotNet)
- Configure $DbgHelpPath and $SymbolPath
- Configure the sensitive functions in TargetList.txt; the function names must match exactly the names shown in IDA
- Configure the IDAPython script recursion depth in LogicAnalyze.py (defaults are 10 and 7)
- Run ksRPC_analysis_script.ps1 in PowerShell
You will get "RPC Servers idb\Server's RPC interfaces\sensitive function code path file" in Path\to\script\RPCServerDB[RPCServerName]; the sensitive function code paths are stored in SpecialFinals.txt
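Most failures of a pipeline like this are missing prerequisites rather than bugs in the analysis, so the following pre-flight check walks through the requirements listed above before the main script is started. It is an added example and not part of ksRPC_analysis_script.ps1; it assumes the current directory is the script directory, that IDA is either in .\IDA or reachable on PATH as ida64.exe, that TargetList.txt holds one IDA function name per line, and that dbghelp.dll sits in the default Windows SDK debugger location (all assumptions, adjust to your setup).

```powershell
# Added pre-flight check for the RPC analysis script's prerequisites.
# Assumptions (not from the original README): script directory = current
# directory, IDA in .\IDA or on PATH as ida64.exe, TargetList.txt has one
# function name per line, dbghelp.dll in the default SDK debugger folder.
$ScriptDir = (Get-Location).Path
$problems  = @()

# 1. Symbol path: _NT_SYMBOL_PATH must be set unless the symchk.exe step is enabled.
if (-not $env:_NT_SYMBOL_PATH) {
    $problems += "_NT_SYMBOL_PATH is not set; set it (e.g. srv*C:\Symbols*https://msdl.microsoft.com/download/symbols) or enable the symchk.exe step in the script."
}

# 2. IDA: a local .\IDA copy, or ida64.exe reachable via PATH.
$idaLocal = Join-Path $ScriptDir 'IDA\ida64.exe'
if (-not (Test-Path $idaLocal) -and -not (Get-Command ida64.exe -ErrorAction SilentlyContinue)) {
    $problems += "IDA not found: copy the IDA directory to .\IDA or add it to PATH."
}

# 3. James Forshaw's NtApiDotNet/NtObjectManager binaries must sit beside the script.
foreach ($dll in 'NtApiDotNet.dll', 'NtObjectManager.dll') {
    if (-not (Test-Path (Join-Path $ScriptDir $dll))) {
        $problems += "$dll is missing from $ScriptDir."
    }
}

# 4. TargetList.txt: one IDA-style function name per line, no blanks or stray whitespace.
$targets = Join-Path $ScriptDir 'TargetList.txt'
if (-not (Test-Path $targets)) {
    $problems += "TargetList.txt is missing."
} else {
    $names = @(Get-Content $targets | Where-Object { $_.Trim() -ne '' })
    if ($names.Count -eq 0) { $problems += "TargetList.txt contains no function names." }
    # A name that differs from IDA's only by whitespace is silently never matched.
    $names | Where-Object { $_ -ne $_.Trim() } | ForEach-Object {
        $problems += "TargetList.txt entry has leading/trailing whitespace: '$_'"
    }
}

# 5. dbghelp.dll from the Windows SDK (the value you put in the script's $DbgHelpPath).
$DbgHelpPath = 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\dbghelp.dll'  # assumed default location
if (-not (Test-Path $DbgHelpPath)) {
    $problems += "dbghelp.dll not found at $DbgHelpPath; adjust `$DbgHelpPath in the script."
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host "All prerequisites present; run .\ksRPC_analysis_script.ps1"
```

Run it from the script directory before the first analysis run; each warning maps to one of the requirement bullets above, and a clean pass means the remaining configuration is limited to $SymbolPath, the recursion depth in LogicAnalyze.py and the contents of TargetList.txt.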