
System.AccessViolationException using RpcEndpointMapper against Windows Server 2022 Host

Open jameswestgate opened this issue 2 years ago • 1 comments

Code to Reproduce:

using System;
using NtApiDotNet.Win32;

// `computers` is the caller-supplied list of host names to query (not shown in the report).
foreach (var computer in computers)
{
    // Partial string binding: ask the endpoint mapper on `computer` for every ncacn_ip_tcp endpoint.
    var potentialString = $"ncacn_ip_tcp:{computer}";
    var results = RpcEndpointMapper.QueryEndpoints(potentialString);

    // QueryEndpoints is lazy; each native RpcMgmtEpEltInqNext call happens as the loop advances.
    foreach (var result in results)
    {
        if (result.ProtocolSequence == "ncacn_ip_tcp")
        {
            Console.WriteLine($"Got result: {result}");
        }
    }
}

Result:

Multiple results are returned, but it fails when P/Invoking RpcMgmtEpEltInqNext. authlogics02.authlogics.com is running Windows Server 2022; we don't see this behavior on other machines.

Got result: [50abc2a4-574d-40b3-9d66-ee4fd5fba076, 5.0] ncacn_ip_tcp:authlogics02.authlogics.com[58522]
Got result: [6bffd098-a112-3610-9833-46c3f874532d, 1.0] ncacn_ip_tcp:authlogics02.authlogics.com[58502]
Got result: [5b821720-f63b-11d0-aad2-00c04fc324db, 1.0] ncacn_ip_tcp:authlogics02.authlogics.com[58502]
Got result: [897e2e5f-93f3-4376-9c9c-fd2277495c27, 1.0] ncacn_ip_tcp:authlogics02.authlogics.com[58483]
Got result: [367abb81-9844-35f1-ad32-98f038001003, 2.0] ncacn_ip_tcp:authlogics02.authlogics.com[58464]
Got result: [12345678-1234-abcd-ef00-0123456789ab, 1.0] ncacn_ip_tcp:authlogics02.authlogics.com[49676]
Got result: [0b6edbfa-4a24-4fc6-8a23-942b1eca65d1, 1.0] ncacn_ip_tcp:authlogics02.authlogics.com[49676]
Got result: [ae33069b-a2a8-46ee-a235-ddfd339be281, 1.0] ncacn_ip_tcp:authlogics02.authlogics.com[49676]
Got result: [4a452661-8290-4b36-8fbe-7f4093a94978, 1.0] ncacn_ip_tcp:authlogics02.authlogics.com[49676]
Got result: [76f03f96-cdfd-44fc-a22c-64950a001209, 1.0] ncacn_ip_tcp:authlogics02.authlogics.com[49676]
Got result: [29770a8f-829b-4158-90a2-78cd488501f7, 1.0] ncacn_ip_tcp:authlogics02.authlogics.com[49671]
Got result: [86d35949-83c9-4044-b424-db363231fd0c, 1.0] ncacn_ip_tcp:authlogics02.authlogics.com[49668]
Got result: [3a9ef155-691d-4449-8d05-09ad57031823, 1.0] ncacn_ip_tcp:authlogics02.authlogics.com[49668]
Got result: [f6beaff7-1e19-4fbb-9f8f-b89e2018337c, 1.0] ncacn_ip_tcp:authlogics02.authlogics.com[49666]

Unhandled Exception: System.AccessViolationException: Attempted to read or write protected memory. This is often an indication that other memory is corrupt.
   at NtApiDotNet.Win32.Win32NativeMethods.RpcMgmtEpEltInqNext(SafeRpcInquiryHandle InquiryContext, RPC_IF_ID IfId, SafeRpcBindingHandle& Binding, UUID ObjectUuid, SafeRpcStringHandle& Annotation)
   at NtApiDotNet.Win32.RpcEndpointMapper.<QueryEndpoints>d__0.MoveNext() in D:\Github\sandbox-attacksurface-analysis-tools\NtApiDotNet\Win32\RpcEndpointMapper.cs:line 88

jameswestgate avatar Jun 08 '22 09:06 jameswestgate
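The stack trace above shows the fault surfacing from the iterator's MoveNext, i.e. inside the foreach in the reproduction, after several endpoints have already been yielded. An access violation is a corrupted-state exception, so an ordinary catch block never sees it and the whole analysis run dies with the first bad host. The example below is an added illustration, not code from the issue or from the NtApiDotNet project: it wraps the per-host query so that, on .NET Framework 4.x, the fault is observed, the endpoints collected before it are kept, and the survey moves on to the next host. It assumes the NtApiDotNet.Win32 namespace, that RpcEndpointMapper.QueryEndpoints returns RpcEndpoint objects with ProtocolSequence, InterfaceId, InterfaceVersion and Endpoint properties (names assumed from the library; the output format in the report matches that shape), and that the host names come from the command line.

```csharp
// Added example; not part of the issue or of NtApiDotNet.
// Assumptions: NtApiDotNet is referenced; RpcEndpoint exposes ProtocolSequence,
// InterfaceId, InterfaceVersion and Endpoint; host names are passed as arguments.
using System;
using System.Collections.Generic;
using System.Runtime.ExceptionServices;
using System.Security;
using NtApiDotNet.Win32;

static class EndpointSurvey
{
    // On .NET Framework 4.x, AccessViolationException is a corrupted-state exception:
    // without HandleProcessCorruptedStateExceptions the catch below is skipped and the
    // process terminates, which is the behaviour shown in the report. The attribute has
    // no effect on .NET Core / .NET 5+, where an access violation always ends the process;
    // there, per-host isolation must be done by running each query in a child process.
    [HandleProcessCorruptedStateExceptions, SecurityCritical]
    public static List<string> QueryHost(string computer)
    {
        var found = new List<string>();
        try
        {
            // QueryEndpoints is lazy: each RpcMgmtEpEltInqNext call runs as the loop advances,
            // so the try block must enclose the enumeration, not just the QueryEndpoints call.
            foreach (var ep in RpcEndpointMapper.QueryEndpoints($"ncacn_ip_tcp:{computer}"))
            {
                if (ep.ProtocolSequence == "ncacn_ip_tcp")
                {
                    found.Add($"{ep.InterfaceId} v{ep.InterfaceVersion} -> {ep.Endpoint}");
                }
            }
        }
        catch (AccessViolationException ex)
        {
            // Keep everything enumerated before the fault (the report shows results arriving
            // first) and record the host so it can be re-queried or investigated separately.
            Console.Error.WriteLine($"{computer}: native fault during endpoint enumeration ({ex.Message})");
        }
        return found;
    }

    static void Main(string[] args)
    {
        foreach (var computer in args)
        {
            Console.WriteLine($"== {computer} ==");
            foreach (var line in QueryHost(computer))
            {
                Console.WriteLine(line);
            }
        }
    }
}
```

Because the fault happens inside the native call, the partial list is the only reliable output for an affected host; the wrapper only contains the crash, it does not make the remaining entries from that host available, so a host that faults should be flagged as incompletely enumerated rather than treated as fully surveyed.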

I've had this happen sporadically as well (I have not been able to dive into the cause). In my experience, it's not limited to NtObjectManager either. Both Seatbelt's RPCMappedEndpoints and a trimmed down C application I wrote to isolate/test the issue were failing.

leechristensen avatar Jul 12 '22 22:07 leechristensen