A forum for reverse engineering, OS internals and malware analysis 

Discussion on reverse-engineering and debugging.
 #21832  by Stylo
 Wed Jan 01, 2014 1:57 pm
I came across a DLL file that has a .orpc section.
Could it be a packed DLL? If so, is anyone of you familiar with that type of packing, and can you tell me which packer was used to pack it?

 #21834  by Stylo
 Wed Jan 01, 2014 3:24 pm
I think I have found the answer here.

* Taken from here: http://www.opengroup.org/comsource/tech ... P19CHP.HTM
"The COM Library system DLLs have code in specially named segments (sections in COFF terminology) to aid debuggers. The remoting code in the COM interface proxy and interface stub DLLs and other appropriate parts of the runtime are put in segments whose name begins with '.orpc' [Footnote 70]. These segments are henceforth referred to as .orpc segments. A transition of the instruction pointer from a non .orpc segment to a .orpc segment indicates that the program control is entering the RPC layer. On the client side such a transition implies that a RPC call is about to happen. [Footnote 71] On the server side if a function is returning back to a .orpc segment it implies that the call is going to return back to the client side. Application writers who write their own remoting code can also avail of this feature by putting their remoting specific code in a .orpc segment.

Debuggers can use this naming convention regarding which code lies in COM RPC to aid in their user interface as to what code they choose to show the user and what code they do not. When the debugger reaches the code address after handling the DebugOrpcServerNotify exception it should check if it is still in a .orpc segment. This implies that the instruction pointer is still in code that to the programmer is part of the local-remote transparency magic provided by COM, and so should be skipped by the debugger.

Similar behavior on the client side after the DebugOrpcClientNotify exception is also desirable."
Correct me if I'm wrong.
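The quoted text describes two checks a debugger (or an analyst triaging a sample) would make: does the image carry a section whose name begins with .orpc, and does a given instruction-pointer move cross from a non-.orpc section into a .orpc one (entering the COM RPC layer) or back out of it. The following is an added example, not code from the thread or from the Open Group document: a minimal PE section-table parser that performs both checks. It builds its own constructed, PE-shaped byte buffer with a .text and a .orpc section instead of reading a real DLL, so it runs offline; the helper names (parse_sections, section_for_rva, classify_transition) are assumptions of this example. Section names are only a convention, so a .orpc section by itself says nothing about whether a file is packed; the usual indicators (section characteristics, entropy, imports) still apply.

```python
import struct
from collections import namedtuple

# COFF section header: Name(8), VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics  (40 bytes total)
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")

Section = namedtuple("Section", "name rva size characteristics")


def parse_sections(data):
    """Walk the DOS header, PE signature and COFF header to the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_opt  # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER.size
        if off + SECTION_HEADER.size > len(data):
            raise ValueError("truncated section table")
        name, vsize, va, rawsize, _, _, _, _, _, chars = SECTION_HEADER.unpack_from(data, off)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        # Some linkers leave VirtualSize zero; fall back to SizeOfRawData then.
        sections.append(Section(name, va, vsize or rawsize, chars))
    return sections


def is_orpc(name):
    """The spec keys on names that *begin* with .orpc, not an exact match."""
    return name is not None and name.startswith(".orpc")


def has_orpc_section(sections):
    return any(is_orpc(s.name) for s in sections)


def section_for_rva(sections, rva):
    """Name of the section containing rva, or None if it falls outside all of them."""
    for s in sections:
        if s.rva <= rva < s.rva + s.size:
            return s.name
    return None


def classify_transition(sections, from_rva, to_rva):
    """Apply the quoted rule to an instruction-pointer move."""
    src = is_orpc(section_for_rva(sections, from_rva))
    dst = is_orpc(section_for_rva(sections, to_rva))
    if not src and dst:
        return "entering RPC layer"
    if src and not dst:
        return "leaving RPC layer"
    return "no RPC boundary crossed"


def build_sample_image():
    """Constructed PE-shaped buffer for the demo (not a real DLL): .text and .orpc."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew -> PE signature right after DOS header
    size_opt = 224  # PE32 optional header size; zero-filled, the parser only skips it
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, size_opt, 0x2102)
    opt = bytes(size_opt)
    text = SECTION_HEADER.pack(b".text\0\0\0", 0x500, 0x1000, 0x600, 0x400, 0, 0, 0, 0, 0x60000020)
    orpc = SECTION_HEADER.pack(b".orpc\0\0\0", 0x300, 0x2000, 0x400, 0xA00, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + opt + text + orpc


if __name__ == "__main__":
    secs = parse_sections(build_sample_image())
    for s in secs:
        print(f"{s.name:<8} rva=0x{s.rva:x} size=0x{s.size:x}")
    print("has .orpc:", has_orpc_section(secs))
    print("0x1010 -> 0x2010:", classify_transition(secs, 0x1010, 0x2010))
```

To run it against a real file, replace build_sample_image() with the bytes of the DLL; the parser reads only the headers, so the section list and transition check work the same way.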
 #21849  by EP_X0FF
 Fri Jan 03, 2014 1:49 pm
Yes, .orpc stands for OLE RPC -> the name explains itself. You can find it, for example, in the win2k source code of urlmon if you wish.