Open bnagy opened 10 years ago
Hi Ben, Thanks! The main struct I used is called PRPC_MESSAGE and is actually an argument in all the hooks I put in rpcrt4.dll. Its undocumented header is found in the REACTOS project - http://doxygen.reactos.org/df/d91/structRPC__MESSAGE-members.html Also, you can see all actions of rpcrt4 on this struct in http://doxygen.reactos.org/dir_7991519ef5962ec29b6d50d5451e3f33.html
Your ALPC project sounds very interesting! It will be very nice if you could share this :)
On Mon, Sep 15, 2014 at 12:33 AM, Ben Nagy notifications@github.com wrote:
Great idea to push to wireshark via a named pipe!
I've written a few ALPC tools recently, including a basic monitor, and I'm trying to match your RPC layer with the contents of the ALPC messages and my LRPC reversing. If you could include the raw headers you used (the C struct definitions) that would be helpful for people that don't Python.
I'll be updating my ALPC repos leading up to / just after HITBKUL, so I can share more ALPC stuff with you then if you want to integrate ALPC sniffing (most of it's there and public).
I definitely hope you go ahead with the midl parsing and further breakdown. Nice project :)
— Reply to this email directly or view it on GitHub https://github.com/AdiKo/RPCSniffer/issues/1.