Endpoint Mapper

Research

General/FreeDCE

EPM Server

Init

The endpoint mapper loads or creates a database (file). With the information it creates a in-memory structure. Then it starts a ping service to detect if an rpc service is alive. The ping services modifies the in-memory structure and the file database if one of the services died. The reason of this is that you can restart the daemon.

Insert and Delete

These function check if the entry handle is allowed to insert or delete a rpc service. Else it would be possible for unprivileged user to add or remove services.


http://www.opengroup.org/onlinepubs/9629399/apdxo.htm

Map and Lookup

RPC Server

The rpc services are using rpc_ep_register or rpc_ep_register_no_replace to tell the endpoint mapper that they are up an running now. On shutdown rpc_ep_unregister is called to remove the entry from the enpoint mapper.

http://www.opengroup.org/onlinepubs/9629399/rpc_ep_register.htm

rpc_ep_register is calling the rpc client function dceprc_epm_insert over ncalrpc (local interprocess communication).

Microsoft

This is a epmlookup for lsarpc against a win2k8 with ipv6:

12345778-1234-abcd-ef00-0123456789ac@ncacn_http:0.0.0.0[49157]:
12345778-1234-abcd-ef00-0123456789ac@ncacn_ip_tcp:0.0.0.0[49158]:
12345678-1234-abcd-ef00-01234567cffb@ncacn_np:\\WIN-80VUET7UE3R[\pipe\lsass]: