Uncovering RPC Servers through Windows API Analysis
<p>Have you ever tried to reverse a simple Win32 API? If not, let’s look at one together today! This article serves as a hand-holding walkthrough and documents in detail how I analyzed a simple Win32 API: <code>LogonUserA</code>. Throughout the article, we’ll go over how to use some of IDA’s most common features and look for some “poorly-documented” Microsoft structures.</p>
<p>Are you ready? If so, then grab your IDA or Ghidra and a cup of coffee, and let’s get started!</p>
<p><img alt="" src="https://miro.medium.com/v2/resize:fit:700/1*vMRDSQehB3BOvgtPcvSyFg.png" style="height:393px; width:700px" /></p>
<h1><strong>Advapi32!LogonUser</strong></h1>
<p>Per the<a href="https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-logonusera" rel="noopener ugc nofollow" target="_blank"> official Microsoft documentation</a>, “the <strong>LogonUser</strong> function attempts to log a user on to the local computer and returns a handle to a token that represents the logged-on user.” The function declaration is (note the<a href="https://learn.microsoft.com/en-us/windows/win32/stg/coding-style-conventions" rel="noopener ugc nofollow" target="_blank"> Hungarian notation</a>):</p>
<pre>
BOOL LogonUserA(
  [in]           LPCSTR  lpszUsername,
  [in, optional] LPCSTR  lpszDomain,
  [in, optional] LPCSTR  lpszPassword,
  [in]           DWORD   dwLogonType,
  [in]           DWORD   dwLogonProvider,
  [out]          PHANDLE phToken
);</pre>
<p>From the parameters alone we can tell what the function does: given a valid username, domain and password, it returns a handle to a token for that user through <code>phToken</code>. That is the whole purpose of LogonUserA, and it is why red teamers like it: the token handle can be passed to functions such as <code>ImpersonateLoggedOnUser</code> or <code>CreateProcessAsUser</code> to act as the specified user. Two practical caveats: the call needs the plaintext password (it is a logon, not a token theft), and with <code>dwLogonType</code> set to <code>LOGON32_LOGON_NEW_CREDENTIALS</code> the credentials are not validated locally at all; the logon succeeds regardless and the supplied credentials are only used for outbound network authentication, so a successful return in that mode proves nothing about the password.</p>
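<p>As an added example (not code from the original post), the following PowerShell script calls <code>LogonUserA</code> through P/Invoke, impersonates the returned token on the current thread, reports which identity the thread now runs as, and then reverts and closes the handle. The <code>Invoke-LogonUserDemo</code> function name and the demo account name are assumptions for illustration; the constants are the documented <code>LOGON32_*</code> values from <code>winbase.h</code>.</p>

```powershell
# Added example, not from the original post: exercise Advapi32!LogonUserA from PowerShell.
# Demonstrates the full lifecycle: logon -> impersonate -> revert -> close handle.
$signature = @'
using System;
using System.Runtime.InteropServices;
public static class Advapi32Demo {
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Ansi)]
    public static extern bool LogonUserA(
        string lpszUsername, string lpszDomain, string lpszPassword,
        uint dwLogonType, uint dwLogonProvider, out IntPtr phToken);

    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool ImpersonateLoggedOnUser(IntPtr hToken);

    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool RevertToSelf();

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);
}
'@
Add-Type -TypeDefinition $signature

# Documented dwLogonType / dwLogonProvider values (winbase.h).
$LOGON32_LOGON_INTERACTIVE     = 2   # validates the password, creates an interactive logon session
$LOGON32_LOGON_NETWORK         = 3   # validates the password, cheaper impersonation-only token
$LOGON32_LOGON_NEW_CREDENTIALS = 9   # does NOT validate the password locally (see usage note)
$LOGON32_PROVIDER_DEFAULT      = 0

function Invoke-LogonUserDemo {
    # Hypothetical helper name chosen for this example.
    param(
        [Parameter(Mandatory)][string]$User,
        [string]$Domain = '.',            # '.' means the local machine's account database
        [Parameter(Mandatory)][string]$Password,
        [uint32]$LogonType = 2             # LOGON32_LOGON_INTERACTIVE
    )

    $token = [IntPtr]::Zero
    $ok = [Advapi32Demo]::LogonUserA($User, $Domain, $Password,
                                     $LogonType, $LOGON32_PROVIDER_DEFAULT, [ref]$token)
    if (-not $ok) {
        # Surface the real Win32 error (e.g. ERROR_LOGON_FAILURE = 1326) instead of a bare $false.
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        $msg = (New-Object ComponentModel.Win32Exception($err)).Message
        throw "LogonUserA failed (error $err): $msg"
    }

    try {
        if (-not [Advapi32Demo]::ImpersonateLoggedOnUser($token)) {
            throw "ImpersonateLoggedOnUser failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
        }
        # While impersonating, the calling thread's effective identity is the logged-on user.
        [Security.Principal.WindowsIdentity]::GetCurrent().Name
    }
    finally {
        # Always drop the impersonation and release the token, even on error.
        [void][Advapi32Demo]::RevertToSelf()
        [void][Advapi32Demo]::CloseHandle($token)
    }
}

# Example usage (assumed local account name; replace with a real one):
# Invoke-LogonUserDemo -User 'demoUser' -Domain '.' -Password 'P@ssw0rd!'
# With a wrong password and an interactive/network logon type this throws error 1326,
# while -LogonType 9 (NEW_CREDENTIALS) returns a token no matter what password is supplied.
```

<p>The <code>try/finally</code> matters: if <code>RevertToSelf</code> is skipped, everything the thread does afterwards runs as the impersonated user, which is both a correctness and a security problem. Note also that a successful <code>LogonUserA</code> call writes a logon event (4624 on success, 4625 on failure) on the local machine, so from a detection standpoint this is noisier than reusing an existing token.</p>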
<p><a href="https://posts.specterops.io/uncovering-rpc-servers-through-windows-api-analysis-5d23c0459db6"><strong>Website</strong></a></p>