googleprojectzero / sandbox-attacksurface-analysis-tools

Set of tools to analyze Windows sandboxes for exposed attack surface.
Apache License 2.0

How to get RPC procedures from the Endpoints #47

Closed g3rzi closed 2 years ago

g3rzi commented 2 years ago

I am not sure if this is possible, but I have an svchost.exe process whose procedures I want to see.
I used the following commands to get all the servers:

$a = Get-RpcAlpcServer | where-object {$_.ProcessName -eq "svchost.exe"}

I see the endpoints of each process but is there a way to find what procedures it has?
For example, in RPCView, I can see svchost.exe with PID 2288, and it has two endpoints and two interfaces that show the procedures.

I tried to check if the Endpoints object has a way to get it, but didn't see anything.

tyranid commented 2 years ago

Hi. RpcView works by parsing the internals of the RPC runtime to extract the interfaces, this isn't something my code does at the moment mainly because it's not documented and I've not got around to it. However, you can do some mixing of commands to get more or less what you need:

Assuming you want to get the details of the servers in PID 1234, first get the ALPC servers.

$alpc = Get-RpcAlpcServer -ProcessId 1234

Then, as you mentioned in the last issue you closed, get the RPC servers in all modules in the process:

$rpc = (Get-Process -PID 1234).Modules | % { Get-RpcServer -Path $_.FileName }

Finally you can filter the RPC interfaces by the ones that were returned from Get-RpcAlpcServer.

$ifs = $alpc.InterfaceId
$rpc | ? { $_.InterfaceId -in $ifs }

That should give you a list of the RPC servers which are hosted in the service. I might look at making this simpler at some point. Hope that helps.
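The three steps from the reply above, combined into one function that also prints the procedures of each matching interface (which is what the question actually asked for). This is an added example, not code from the thread or from the sandbox-attacksurface-analysis-tools project. It assumes the NtObjectManager module is installed and the shell is elevated (reading the module list of a service process needs that); the interface IDs are read from each ALPC server's Endpoints collection, which is an assumption about the object shape (the reply reads them from the server object directly), and procedure names resolve to ProcN unless Get-RpcServer can find symbols.

```powershell
# Added example (not from the original thread or project): list the RPC
# interfaces and their procedures for the ALPC servers hosted in one process.
# Assumes the NtObjectManager module is installed and the shell is elevated.
Import-Module NtObjectManager

function Get-ProcessRpcProcedures {
    param(
        [Parameter(Mandatory)][int]$ProcessId
    )

    # Step 1: ALPC servers registered by the target process.
    $alpc = Get-RpcAlpcServer -ProcessId $ProcessId
    if (-not $alpc) {
        Write-Warning "No ALPC RPC servers found for PID $ProcessId (is the shell elevated?)"
        return
    }

    # Interface IDs exposed over those ALPC ports. Read via the Endpoints
    # collection (assumption about the object shape, see lead-in) and de-duplicated.
    $ifs = @($alpc.Endpoints.InterfaceId | Select-Object -Unique)

    # Step 2: parse every module loaded in the process for RPC server stubs.
    # Modules that contain no RPC servers simply contribute nothing.
    $modules = (Get-Process -Id $ProcessId).Modules
    $rpc = foreach ($m in $modules) {
        Get-RpcServer -Path $m.FileName -ErrorAction SilentlyContinue
    }

    # Step 3: keep only the parsed servers whose interface is actually
    # registered on an ALPC port in this process.
    $hosted = $rpc | Where-Object { $_.InterfaceId -in $ifs }

    foreach ($server in $hosted) {
        [PSCustomObject]@{
            InterfaceId    = $server.InterfaceId
            Version        = $server.InterfaceVersion
            Module         = $server.FilePath
            ProcedureCount = $server.ProcedureCount
            # ProcNum is the opnum a client sends; Name is ProcN without symbols.
            Procedures     = @($server.Procedures | ForEach-Object {
                "{0}: {1}" -f $_.ProcNum, $_.Name
            })
        }
    }
}

# Usage, with the PID from the reply above:
Get-ProcessRpcProcedures -ProcessId 1234 | Format-List
```

Matching on InterfaceId alone, as the reply does, can in principle conflate two versions of the same interface UUID hosted in different modules; if that matters, compare the endpoint's InterfaceVersion against the parsed server's InterfaceVersion as well.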

g3rzi commented 2 years ago

Yes, good enough, thank you James :)