I looked through the sources of rpcview and found that they use some kind of brute force in the file RpcCore.c, in the function GetRpcServerAddressInProcess. It looks very strange and slow - they already have some code for PDB reading, so why not just ask for the address of ?GlobalRpcServer@@3PEAVRPC_SERVER@@EA ?
Anyway, there is a better way. Let's run my exref.pl in IDA Pro on rpcrt4.dll from Windows 10 build 16278:
_I_RpcServerUseProtseq2W@20: 4EFACEB0 addr 4EFACEED
_RpcServerInqBindings@4: 4EFADA90 addr 4EFADAAC
_RpcServerRegisterIfEx@24: 4EFADCB0 addr 4EFADCCC
_RpcMgmtIsServerListening@4: 4EFAE470 addr 4EFAE48D
_RpcServerInterfaceGroupActivate@4: 4EFAE5B0 addr 4EFAE5C2
_RpcServerInterfaceGroupDeactivate@8: 4EFAE5E0 addr 4EFAE5F2
_I_RpcServerUseProtseqEp2W@24: 4EFB33E0 addr 4EFB33FF
_RpcServerUnregisterIf@12: 4EFB50B0 addr 4EFB50C5
_RpcServerRegisterIf3@32: 4EFB51F0 addr 4EFB5222
_RpcServerRegisterIf2@28: 4EFDFF40 addr 4EFDFF5C
_RpcServerInqBindingsEx@8: 4EFE0080 addr 4EFE0098
_RpcServerRegisterIf@12: 4EFE02E0 addr 4EFE02F5
_I_RpcServerRegisterForwardFunction@4: 4EFE03E0 addr 4EFE03F2
_RpcServerInterfaceGroupInqBindings@8: 4F0070D0 addr 4F0070E7
_RpcServerUseAllProtseqsEx@12: 4F007150 addr 4F00722C
Wow, it seems this will be easy.
Let's look at the exported function I_RpcServerRegisterForwardFunction:
_I_RpcServerRegisterForwardFunction@4 proc near
pForwardFunction= dword ptr  8
                mov     edi, edi
                push    ebp
                mov     ebp, esp
                cmp     ?RpcHasBeenInitialized@@3HA, 0 ; int RpcHasBeenInitialized
                jz      loc_4F002811
loc_4EFE03F2:
                mov     eax, ?GlobalRpcServer@@3PAVRPC_SERVER@@A ; RPC_SERVER * GlobalRpcServer
                mov     ecx, [ebp+pForwardFunction]
                mov     [eax+0F4h], ecx
                xor     eax, eax
loc_4EFE0402:                           ; CODE XREF: I_RpcServerRegisterForwardFunction(x)+22438 j
                pop     ebp
                retn    4
With a simple disassembly of this function you get GlobalRpcServer, the RpcHasBeenInitialized flag, and the offset of RPC_SERVER_T.pRpcForwardFunction (0F4h in this build).
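To show what that disassembly-driven lookup looks like without IDA, here is an added example (not rpcview's code and not the author's script) that pattern-scans the 32-bit x86 body of I_RpcServerRegisterForwardFunction and pulls out the same three values: the address of RpcHasBeenInitialized (from `cmp dword ptr [imm32], 0`), the address of GlobalRpcServer (from `mov eax, [imm32]`) and the pRpcForwardFunction offset (from `mov [eax+disp32], ecx`). The sample bytes are constructed from the listing above; the function VA, the loc_4F002811 branch target and the 0F4h offset come from the page, while the two global addresses are constructed placeholders, since the page does not give them.

```python
import struct

# Values taken from the listing above.
FUNC_VA = 0x4EFE03E0                 # I_RpcServerRegisterForwardFunction (exref.pl output)
NOT_INITIALIZED_STUB_VA = 0x4F002811 # loc_4F002811, the jz target
# Constructed placeholders: the real VAs of the two globals are not on the page.
RPC_HAS_BEEN_INITIALIZED_VA = 0x4F0C1000
GLOBAL_RPC_SERVER_VA = 0x4F0C1010


def _build_sample() -> bytes:
    """Encode the 32-bit function body exactly as the IDA listing shows it."""
    parts = [
        b"\x8B\xFF",                                                         # mov edi, edi
        b"\x55",                                                             # push ebp
        b"\x8B\xEC",                                                         # mov ebp, esp
        b"\x83\x3D" + struct.pack("<I", RPC_HAS_BEEN_INITIALIZED_VA) + b"\x00",  # cmp dword ptr [RpcHasBeenInitialized], 0
    ]
    # jz rel32 is relative to the next instruction, which is loc_4EFE03F2 (FUNC_VA + 18).
    jz_next = FUNC_VA + sum(len(p) for p in parts) + 6
    parts += [
        b"\x0F\x84" + struct.pack("<i", NOT_INITIALIZED_STUB_VA - jz_next),  # jz loc_4F002811
        b"\xA1" + struct.pack("<I", GLOBAL_RPC_SERVER_VA),                   # mov eax, [GlobalRpcServer]
        b"\x8B\x4D\x08",                                                     # mov ecx, [ebp+pForwardFunction]
        b"\x89\x88\xF4\x00\x00\x00",                                         # mov [eax+0F4h], ecx
        b"\x33\xC0",                                                         # xor eax, eax
        b"\x5D",                                                             # pop ebp
        b"\xC2\x04\x00",                                                     # retn 4
    ]
    return b"".join(parts)


SAMPLE_CODE = _build_sample()


def find_rpc_server_globals(code: bytes) -> dict:
    """Walk the 32-bit function body and return the two global VAs and the
    pRpcForwardFunction offset. Raises ValueError when the bytes do not have
    the expected shape, so a changed build is noticed instead of silently
    yielding a wrong address."""

    def need(pos: int, n: int) -> None:
        if pos + n > len(code):
            raise ValueError("function body truncated at offset 0x%X" % pos)

    # cmp dword ptr [imm32], 0  ->  83 3D <imm32> 00
    pos = code.find(b"\x83\x3D")
    if pos < 0:
        raise ValueError("no 'cmp dword ptr [imm32], 0' found")
    need(pos, 7)
    if code[pos + 6] != 0:
        raise ValueError("cmp immediate is not 0")
    has_been_initialized = struct.unpack_from("<I", code, pos + 2)[0]
    pos += 7

    # Branch to the 'not initialized' stub: jz rel32 (0F 84) or jz rel8 (74).
    need(pos, 2)
    if code[pos:pos + 2] == b"\x0F\x84":
        need(pos, 6)
        pos += 6
    elif code[pos] == 0x74:
        pos += 2
    else:
        raise ValueError("expected jz after the initialized check")

    # mov eax, [imm32]  ->  A1 <imm32>
    need(pos, 5)
    if code[pos] != 0xA1:
        raise ValueError("expected 'mov eax, [imm32]'")
    global_rpc_server = struct.unpack_from("<I", code, pos + 1)[0]
    pos += 5

    # mov ecx, [ebp+8] -> 8B 4D 08 ; mov [eax+disp32], ecx -> 89 88 <disp32>
    need(pos, 9)
    if code[pos:pos + 3] != b"\x8B\x4D\x08" or code[pos + 3:pos + 5] != b"\x89\x88":
        raise ValueError("expected the store of pForwardFunction into [eax+disp32]")
    forward_fn_offset = struct.unpack_from("<I", code, pos + 5)[0]
    pos += 9

    # Sanity check: one 4-byte stdcall argument means the function ends with 'retn 4'.
    if b"\xC2\x04\x00" not in code[pos:]:
        raise ValueError("no 'retn 4' after the store; function shape changed")

    return {
        "RpcHasBeenInitialized": has_been_initialized,
        "GlobalRpcServer": global_rpc_server,
        "pRpcForwardFunction_offset": forward_fn_offset,
    }


if __name__ == "__main__":
    for name, value in find_rpc_server_globals(SAMPLE_CODE).items():
        print("%-28s 0x%X" % (name, value))
```

Two things to keep in mind when adapting this: on x64 the same instructions are RIP-relative (`83 3D disp32 00` and `48 8B 05 disp32`), so the global's VA is the next instruction's VA plus the displacement rather than the immediate itself; and whenever a PDB is available the route from the first paragraph, resolving ?GlobalRpcServer@@3PEAVRPC_SERVER@@EA by name, is simpler and does not depend on the code shape staying the same across builds.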