search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
epan/dissectors/pidl/samr/samr.cnf cnf_dissect_lsa_BinaryString => lsarpc_dissect_str...
[wireshark-sm.git] / epan / dissectors / packet-windows-common.c
blobd198a98467d223ac0f79433aa09e1c37e8a50de5
1 /* packet-windows-common.c
2 * Routines for dissecting various Windows data types
3 *
4 * Wireshark - Network traffic analyzer
5 * By Gerald Combs <gerald@wireshark.org>
6 * Copyright 1998 Gerald Combs
7 *
8 * SPDX-License-Identifier: GPL-2.0-or-later
9 */
10
11 #include "config.h"
12
13
14 #include <epan/packet.h>
15 #include <epan/expert.h>
16 #include <epan/exceptions.h>
17 #include "packet-smb-sidsnooping.h"
18 #include "packet-windows-common.h"
19 #include <epan/tfs.h>
20 #include <wsutil/array.h>
21 #include "packet-smb.h" /* for "sid_name_snooping" */
22
23 /* The types used in [MS-DTYP] v20180912 should be interpreted as
24 * follows (all multi-byte integer types are little endian):
25 * typedef uint8_t MS_BYTE;
26 * typedef uint16_t MS_WORD;
27 * typedef uint32_t MS_DWORD;
28 * typedef uint64_t MS_QWORD;
29 * typedef uint64_t MS_ULONG64;
30 * typedef uint64_t MS_DWORD64;
31 * typedef int64_t MS_LONG64;
32 */
33
34 enum cond_ace_token {
35 #define DEF_COND_ACE_TOKEN(VAL, VAR, STR) COND_ACE_TOKEN_ ## VAR = VAL,
36 #define DEF_COND_ACE_TOKEN_WITH_DATA DEF_COND_ACE_TOKEN
37 #include "cond_ace_token_enum.h"
38 COND_ACE_TOKEN_UNKNOWN = -1
39 };
40
41 static const value_string ace_cond_token_vals[] = {
42 #define DEF_COND_ACE_TOKEN(VAL, VAR, STR) {VAL, STR},
43 #define DEF_COND_ACE_TOKEN_WITH_DATA DEF_COND_ACE_TOKEN
44 #include "cond_ace_token_enum.h"
45 { 0, NULL }
46 };
47
48 static bool
49 ace_cond_token_has_data(uint8_t token) {
50 switch (token) {
51 #define DEF_COND_ACE_TOKEN(VAL, VAR, STR)
52 #define DEF_COND_ACE_TOKEN_WITH_DATA(VAL, VAR, STR) case VAL:
53 #include "cond_ace_token_enum.h"
54 return true;
55 }
56 return false;
57 }
58
59 static const value_string ace_cond_base_vals[] = {
60 { 0x01, "OCT" },
61 { 0x02, "DEC" },
62 { 0x03, "HEX" },
63 { 0, NULL }
64 };
65
66 static const value_string ace_cond_sign_vals[] = {
67 { 0x01, "PLUS" },
68 { 0x02, "MINUS" },
69 { 0x03, "NONE" },
70 { 0, NULL }
71 };
72
73
74 #define CLAIM_SECURITY_ATTRIBUTE_TYPE_INT64 0x0001
75 #define CLAIM_SECURITY_ATTRIBUTE_TYPE_UINT64 0x0002
76 #define CLAIM_SECURITY_ATTRIBUTE_TYPE_STRING 0x0003
77 #define CLAIM_SECURITY_ATTRIBUTE_TYPE_SID 0x0005
78 #define CLAIM_SECURITY_ATTRIBUTE_TYPE_BOOLEAN 0x0006
79 #define CLAIM_SECURITY_ATTRIBUTE_TYPE_OCTET_STRING 0x0010
80
81 static const value_string ace_sra_type_vals[] = {
82 { CLAIM_SECURITY_ATTRIBUTE_TYPE_INT64, "INT64" },
83 { CLAIM_SECURITY_ATTRIBUTE_TYPE_UINT64, "UINT64" },
84 { CLAIM_SECURITY_ATTRIBUTE_TYPE_STRING, "STRING" },
85 { CLAIM_SECURITY_ATTRIBUTE_TYPE_SID, "SID"},
86 { CLAIM_SECURITY_ATTRIBUTE_TYPE_BOOLEAN, "BOOLEAN" },
87 { CLAIM_SECURITY_ATTRIBUTE_TYPE_OCTET_STRING, "OCTET_STRING" },
88 { 0, NULL }
89 };
90
91 static int hf_nt_sec_desc_revision;
92 static int hf_nt_sec_desc_type_owner_defaulted;
93 static int hf_nt_sec_desc_type_group_defaulted;
94 static int hf_nt_sec_desc_type_dacl_present;
95 static int hf_nt_sec_desc_type_dacl_defaulted;
96 static int hf_nt_sec_desc_type_sacl_present;
97 static int hf_nt_sec_desc_type_sacl_defaulted;
98 static int hf_nt_sec_desc_type_dacl_trusted;
99 static int hf_nt_sec_desc_type_server_security;
100 static int hf_nt_sec_desc_type_dacl_auto_inherit_req;
101 static int hf_nt_sec_desc_type_sacl_auto_inherit_req;
102 static int hf_nt_sec_desc_type_dacl_auto_inherited;
103 static int hf_nt_sec_desc_type_sacl_auto_inherited;
104 static int hf_nt_sec_desc_type_dacl_protected;
105 static int hf_nt_sec_desc_type_sacl_protected;
106 static int hf_nt_sec_desc_type_rm_control_valid;
107 static int hf_nt_sec_desc_type_self_relative;
108 static int hf_nt_sid;
109 static int hf_nt_sid_revision;
110 static int hf_nt_sid_num_auth;
111 static int hf_nt_sid_auth_dec;
112 static int hf_nt_sid_auth_hex;
113 static int hf_nt_sid_subauth;
114 static int hf_nt_sid_rid_dec;
115 static int hf_nt_sid_rid_hex;
116 static int hf_nt_sid_wkwn;
117 static int hf_nt_sid_domain;
118 static int hf_nt_acl_revision;
119 static int hf_nt_acl_size;
120 static int hf_nt_acl_num_aces;
121 static int hf_nt_ace_flags_object_inherit;
122 static int hf_nt_ace_flags_container_inherit;
123 static int hf_nt_ace_flags_non_propagate_inherit;
124 static int hf_nt_ace_flags_inherit_only;
125 static int hf_nt_ace_flags_inherited_ace;
126 static int hf_nt_ace_flags_successful_access;
127 static int hf_nt_ace_flags_failed_access;
128 static int hf_nt_ace_type;
129 static int hf_nt_ace_size;
130 static int hf_nt_ace_flags_object_type_present;
131 static int hf_nt_ace_flags_inherited_object_type_present;
132 static int hf_nt_ace_guid;
133 static int hf_nt_ace_inherited_guid;
134
135 /* Conditional ACE dissect */
136 static int hf_nt_ace_cond;
137 static int hf_nt_ace_cond_token;
138 static int hf_nt_ace_cond_sign;
139 static int hf_nt_ace_cond_base;
140 static int hf_nt_ace_cond_value_int8;
141 static int hf_nt_ace_cond_value_int16;
142 static int hf_nt_ace_cond_value_int32;
143 static int hf_nt_ace_cond_value_int64;
144 static int hf_nt_ace_cond_value_string;
145 static int hf_nt_ace_cond_value_octet_string;
146 static int hf_nt_ace_cond_local_attr;
147 static int hf_nt_ace_cond_user_attr;
148 static int hf_nt_ace_cond_resource_attr;
149 static int hf_nt_ace_cond_device_attr;
150
151 /* System Resource Attribute ACE dissect */
152 static int hf_nt_ace_sra;
153 static int hf_nt_ace_sra_name_offset;
154 static int hf_nt_ace_sra_name;
155 static int hf_nt_ace_sra_type;
156 static int hf_nt_ace_sra_reserved;
157 static int hf_nt_ace_sra_flags;
158 static int hf_nt_ace_sra_flags_manual;
159 static int hf_nt_ace_sra_flags_policy_derived;
160 static int hf_nt_ace_sra_flags_non_inheritable;
161 static int hf_nt_ace_sra_flags_case_sensitive;
162 static int hf_nt_ace_sra_flags_deny_only;
163 static int hf_nt_ace_sra_flags_disabled_by_default;
164 static int hf_nt_ace_sra_flags_disabled;
165 static int hf_nt_ace_sra_flags_mandatory;
166 static int hf_nt_ace_sra_value_count;
167 static int hf_nt_ace_sra_value_offset;
168 static int hf_nt_ace_sra_value_int64;
169 static int hf_nt_ace_sra_value_uint64;
170 static int hf_nt_ace_sra_value_string;
171 static int hf_nt_ace_sra_value_sid;
172 static int hf_nt_ace_sra_value_boolean;
173 static int hf_nt_ace_sra_value_octet_string;
174
175 static int hf_nt_security_information_sacl;
176 static int hf_nt_security_information_dacl;
177 static int hf_nt_security_information_group;
178 static int hf_nt_security_information_owner;
179
180 /* Generated from convert_proto_tree_add_text.pl */
181 static int hf_nt_security_information;
182 static int hf_nt_sec_desc_type;
183 static int hf_nt_offset_to_dacl;
184 static int hf_nt_offset_to_owner_sid;
185 static int hf_nt_ace_flags_object;
186 static int hf_nt_offset_to_group_sid;
187 static int hf_nt_ace_flags;
188 static int hf_nt_offset_to_sacl;
189
190 static int ett_nt_sec_desc;
191 static int ett_nt_sec_desc_type;
192 static int ett_nt_sid;
193 static int ett_nt_acl;
194 static int ett_nt_ace;
195 static int ett_nt_ace_flags;
196 static int ett_nt_ace_object;
197 static int ett_nt_ace_object_flags;
198 static int ett_nt_security_information;
199 static int ett_nt_ace_cond;
200 static int ett_nt_ace_cond_data;
201 static int ett_nt_ace_sra;
202 static int ett_nt_ace_sra_flags;
203 static int ett_nt_ace_sra_value_offsets;
204 static int ett_nt_ace_sra_values;
205
206 static expert_field ei_nt_owner_sid_beyond_data;
207 static expert_field ei_nt_owner_sid_beyond_reassembled_data;
208 static expert_field ei_nt_ace_extends_beyond_data;
209 static expert_field ei_nt_ace_extends_beyond_reassembled_data;
210 static expert_field ei_nt_group_sid_beyond_data;
211 static expert_field ei_nt_group_sid_beyond_reassembled_data;
212 static expert_field ei_nt_item_offs_out_of_range;
213
214
215 /* WERR error codes */
216
217 VALUE_STRING_ARRAY2(WERR_errors);
218 value_string_ext WERR_errors_ext = VALUE_STRING_EXT_INIT(WERR_errors);
219
220 /*
221 * HRES error codes.
222 */
223
224 VALUE_STRING_ARRAY2(HRES_errors);
225 value_string_ext HRES_errors_ext = VALUE_STRING_EXT_INIT(HRES_errors);
226
227
228 /*
229 * DOS error codes.
230 */
231
232 VALUE_STRING_ARRAY(DOS_errors);
233 value_string_ext DOS_errors_ext = VALUE_STRING_EXT_INIT(DOS_errors);
234
235 /*
236 * NT error codes.
237 *
238 * From
239 *
240 * https://web.archive.org/web/20100503121824/http://www.wildpackets.com/elements/misc/SMB_NT_Status_Codes.txt
241 *
242 * See also MS-ERREF section 2.3.1 "NTSTATUS Values":
243 *
244 * https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55
245 */
246 static const value_string NT_errors[] = {
247 { 0x00000000, "STATUS_SUCCESS" },
248 /*{ 0x00000000, "STATUS_WAIT_0" }, */
249 { 0x00000001, "STATUS_WAIT_1" },
250 { 0x00000002, "STATUS_WAIT_2" },
251 { 0x00000003, "STATUS_WAIT_3" },
252 { 0x0000003F, "STATUS_WAIT_63" },
253 { 0x00000080, "STATUS_ABANDONED" },
254 /*{ 0x00000080, "STATUS_ABANDONED_WAIT_0" },*/
255 { 0x000000BF, "STATUS_ABANDONED_WAIT_63" },
256 { 0x000000C0, "STATUS_USER_APC" },
257 { 0x00000100, "STATUS_KERNEL_APC" },
258 { 0x00000101, "STATUS_ALERTED" },
259 { 0x00000102, "STATUS_TIMEOUT" },
260 { 0x00000103, "STATUS_PENDING" },
261 { 0x00000104, "STATUS_REPARSE" },
262 { 0x00000105, "STATUS_MORE_ENTRIES" },
263 { 0x00000106, "STATUS_NOT_ALL_ASSIGNED" },
264 { 0x00000107, "STATUS_SOME_NOT_MAPPED" },
265 { 0x00000108, "STATUS_OPLOCK_BREAK_IN_PROGRESS" },
266 { 0x00000109, "STATUS_VOLUME_MOUNTED" },
267 { 0x0000010A, "STATUS_RXACT_COMMITTED" },
268 { 0x0000010B, "STATUS_NOTIFY_CLEANUP" },
269 { 0x0000010C, "STATUS_NOTIFY_ENUM_DIR" },
270 { 0x0000010D, "STATUS_NO_QUOTAS_FOR_ACCOUNT" },
271 { 0x0000010E, "STATUS_PRIMARY_TRANSPORT_CONNECT_FAILED" },
272 { 0x00000110, "STATUS_PAGE_FAULT_TRANSITION" },
273 { 0x00000111, "STATUS_PAGE_FAULT_DEMAND_ZERO" },
274 { 0x00000112, "STATUS_PAGE_FAULT_COPY_ON_WRITE" },
275 { 0x00000113, "STATUS_PAGE_FAULT_GUARD_PAGE" },
276 { 0x00000114, "STATUS_PAGE_FAULT_PAGING_FILE" },
277 { 0x00000115, "STATUS_CACHE_PAGE_LOCKED" },
278 { 0x00000116, "STATUS_CRASH_DUMP" },
279 { 0x00000117, "STATUS_BUFFER_ALL_ZEROS" },
280 { 0x00000118, "STATUS_REPARSE_OBJECT" },
281 { 0x0000045C, "STATUS_NO_SHUTDOWN_IN_PROGRESS" },
282 { 0x40000000, "STATUS_OBJECT_NAME_EXISTS" },
283 { 0x40000001, "STATUS_THREAD_WAS_SUSPENDED" },
284 { 0x40000002, "STATUS_WORKING_SET_LIMIT_RANGE" },
285 { 0x40000003, "STATUS_IMAGE_NOT_AT_BASE" },
286 { 0x40000004, "STATUS_RXACT_STATE_CREATED" },
287 { 0x40000005, "STATUS_SEGMENT_NOTIFICATION" },
288 { 0x40000006, "STATUS_LOCAL_USER_SESSION_KEY" },
289 { 0x40000007, "STATUS_BAD_CURRENT_DIRECTORY" },
290 { 0x40000008, "STATUS_SERIAL_MORE_WRITES" },
291 { 0x40000009, "STATUS_REGISTRY_RECOVERED" },
292 { 0x4000000A, "STATUS_FT_READ_RECOVERY_FROM_BACKUP" },
293 { 0x4000000B, "STATUS_FT_WRITE_RECOVERY" },
294 { 0x4000000C, "STATUS_SERIAL_COUNTER_TIMEOUT" },
295 { 0x4000000D, "STATUS_NULL_LM_PASSWORD" },
296 { 0x4000000E, "STATUS_IMAGE_MACHINE_TYPE_MISMATCH" },
297 { 0x4000000F, "STATUS_RECEIVE_PARTIAL" },
298 { 0x40000010, "STATUS_RECEIVE_EXPEDITED" },
299 { 0x40000011, "STATUS_RECEIVE_PARTIAL_EXPEDITED" },
300 { 0x40000012, "STATUS_EVENT_DONE" },
301 { 0x40000013, "STATUS_EVENT_PENDING" },
302 { 0x40000014, "STATUS_CHECKING_FILE_SYSTEM" },
303 { 0x40000015, "STATUS_FATAL_APP_EXIT" },
304 { 0x40000016, "STATUS_PREDEFINED_HANDLE" },
305 { 0x40000017, "STATUS_WAS_UNLOCKED" },
306 { 0x40000018, "STATUS_SERVICE_NOTIFICATION" },
307 { 0x40000019, "STATUS_WAS_LOCKED" },
308 { 0x4000001A, "STATUS_LOG_HARD_ERROR" },
309 { 0x4000001B, "STATUS_ALREADY_WIN32" },
310 { 0x4000001C, "STATUS_WX86_UNSIMULATE" },
311 { 0x4000001D, "STATUS_WX86_CONTINUE" },
312 { 0x4000001E, "STATUS_WX86_SINGLE_STEP" },
313 { 0x4000001F, "STATUS_WX86_BREAKPOINT" },
314 { 0x40000020, "STATUS_WX86_EXCEPTION_CONTINUE" },
315 { 0x40000021, "STATUS_WX86_EXCEPTION_LASTCHANCE" },
316 { 0x40000022, "STATUS_WX86_EXCEPTION_CHAIN" },
317 { 0x40000023, "STATUS_IMAGE_MACHINE_TYPE_MISMATCH_EXE" },
318 { 0x40000024, "STATUS_NO_YIELD_PERFORMED" },
319 { 0x40000025, "STATUS_TIMER_RESUME_IGNORED" },
320 { 0x40000294, "STATUS_WAKE_SYSTEM" },
321 { 0x40020056, "RPC_NT_UUID_LOCAL_ONLY" },
322 { 0x400200AF, "RPC_NT_SEND_INCOMPLETE" },
323 { 0x80000001, "STATUS_GUARD_PAGE_VIOLATION" },
324 { 0x80000002, "STATUS_DATATYPE_MISALIGNMENT" },
325 { 0x80000003, "STATUS_BREAKPOINT" },
326 { 0x80000004, "STATUS_SINGLE_STEP" },
327 { 0x80000005, "STATUS_BUFFER_OVERFLOW" },
328 { 0x80000006, "STATUS_NO_MORE_FILES" },
329 { 0x80000007, "STATUS_WAKE_SYSTEM_DEBUGGER" },
330 { 0x8000000A, "STATUS_HANDLES_CLOSED" },
331 { 0x8000000B, "STATUS_NO_INHERITANCE" },
332 { 0x8000000C, "STATUS_GUID_SUBSTITUTION_MADE" },
333 { 0x8000000D, "STATUS_PARTIAL_COPY" },
334 { 0x8000000E, "STATUS_DEVICE_PAPER_EMPTY" },
335 { 0x8000000F, "STATUS_DEVICE_POWERED_OFF" },
336 { 0x80000010, "STATUS_DEVICE_OFF_LINE" },
337 { 0x80000011, "STATUS_DEVICE_BUSY" },
338 { 0x80000012, "STATUS_NO_MORE_EAS" },
339 { 0x80000013, "STATUS_INVALID_EA_NAME" },
340 { 0x80000014, "STATUS_EA_LIST_INCONSISTENT" },
341 { 0x80000015, "STATUS_INVALID_EA_FLAG" },
342 { 0x80000016, "STATUS_VERIFY_REQUIRED" },
343 { 0x80000017, "STATUS_EXTRANEOUS_INFORMATION" },
344 { 0x80000018, "STATUS_RXACT_COMMIT_NECESSARY" },
345 { 0x8000001A, "STATUS_NO_MORE_ENTRIES" },
346 { 0x8000001B, "STATUS_FILEMARK_DETECTED" },
347 { 0x8000001C, "STATUS_MEDIA_CHANGED" },
348 { 0x8000001D, "STATUS_BUS_RESET" },
349 { 0x8000001E, "STATUS_END_OF_MEDIA" },
350 { 0x8000001F, "STATUS_BEGINNING_OF_MEDIA" },
351 { 0x80000020, "STATUS_MEDIA_CHECK" },
352 { 0x80000021, "STATUS_SETMARK_DETECTED" },
353 { 0x80000022, "STATUS_NO_DATA_DETECTED" },
354 { 0x80000023, "STATUS_REDIRECTOR_HAS_OPEN_HANDLES" },
355 { 0x80000024, "STATUS_SERVER_HAS_OPEN_HANDLES" },
356 { 0x80000025, "STATUS_ALREADY_DISCONNECTED" },
357 { 0x80000026, "STATUS_LONGJUMP" },
358 { 0x8000002D, "STATUS_STOPPED_ON_SYMLINK" },
359 { 0x80000288, "STATUS_DEVICE_REQUIRES_CLEANING" },
360 { 0x80000289, "STATUS_DEVICE_DOOR_OPEN" },
361 { 0x80040111, "MAPI_E_LOGON_FAILED" },
362 { 0x80090300, "SEC_E_INSUFFICIENT_MEMORY" },
363 { 0x80090301, "SEC_E_INVALID_HANDLE" },
364 { 0x80090302, "SEC_E_UNSUPPORTED_FUNCTION" },
365 { 0x8009030B, "SEC_E_NO_IMPERSONATION" },
366 { 0x8009030D, "SEC_E_UNKNOWN_CREDENTIALS" },
367 { 0x8009030E, "SEC_E_NO_CREDENTIALS" },
368 { 0x8009030F, "SEC_E_MESSAGE_ALTERED" },
369 { 0x80090310, "SEC_E_OUT_OF_SEQUENCE" },
370 { 0x80090311, "SEC_E_NO_AUTHENTICATING_AUTHORITY" },
371 { 0xC0000001, "STATUS_UNSUCCESSFUL" },
372 { 0xC0000002, "STATUS_NOT_IMPLEMENTED" },
373 { 0xC0000003, "STATUS_INVALID_INFO_CLASS" },
374 { 0xC0000004, "STATUS_INFO_LENGTH_MISMATCH" },
375 { 0xC0000005, "STATUS_ACCESS_VIOLATION" },
376 { 0xC0000006, "STATUS_IN_PAGE_ERROR" },
377 { 0xC0000007, "STATUS_PAGEFILE_QUOTA" },
378 { 0xC0000008, "STATUS_INVALID_HANDLE" },
379 { 0xC0000009, "STATUS_BAD_INITIAL_STACK" },
380 { 0xC000000A, "STATUS_BAD_INITIAL_PC" },
381 { 0xC000000B, "STATUS_INVALID_CID" },
382 { 0xC000000C, "STATUS_TIMER_NOT_CANCELED" },
383 { 0xC000000D, "STATUS_INVALID_PARAMETER" },
384 { 0xC000000E, "STATUS_NO_SUCH_DEVICE" },
385 { 0xC000000F, "STATUS_NO_SUCH_FILE" },
386 { 0xC0000010, "STATUS_INVALID_DEVICE_REQUEST" },
387 { 0xC0000011, "STATUS_END_OF_FILE" },
388 { 0xC0000012, "STATUS_WRONG_VOLUME" },
389 { 0xC0000013, "STATUS_NO_MEDIA_IN_DEVICE" },
390 { 0xC0000014, "STATUS_UNRECOGNIZED_MEDIA" },
391 { 0xC0000015, "STATUS_NONEXISTENT_SECTOR" },
392 { 0xC0000016, "STATUS_MORE_PROCESSING_REQUIRED" },
393 { 0xC0000017, "STATUS_NO_MEMORY" },
394 { 0xC0000018, "STATUS_CONFLICTING_ADDRESSES" },
395 { 0xC0000019, "STATUS_NOT_MAPPED_VIEW" },
396 { 0xC000001A, "STATUS_UNABLE_TO_FREE_VM" },
397 { 0xC000001B, "STATUS_UNABLE_TO_DELETE_SECTION" },
398 { 0xC000001C, "STATUS_INVALID_SYSTEM_SERVICE" },
399 { 0xC000001D, "STATUS_ILLEGAL_INSTRUCTION" },
400 { 0xC000001E, "STATUS_INVALID_LOCK_SEQUENCE" },
401 { 0xC000001F, "STATUS_INVALID_VIEW_SIZE" },
402 { 0xC0000020, "STATUS_INVALID_FILE_FOR_SECTION" },
403 { 0xC0000021, "STATUS_ALREADY_COMMITTED" },
404 { 0xC0000022, "STATUS_ACCESS_DENIED" },
405 { 0xC0000023, "STATUS_BUFFER_TOO_SMALL" },
406 { 0xC0000024, "STATUS_OBJECT_TYPE_MISMATCH" },
407 { 0xC0000025, "STATUS_NONCONTINUABLE_EXCEPTION" },
408 { 0xC0000026, "STATUS_INVALID_DISPOSITION" },
409 { 0xC0000027, "STATUS_UNWIND" },
410 { 0xC0000028, "STATUS_BAD_STACK" },
411 { 0xC0000029, "STATUS_INVALID_UNWIND_TARGET" },
412 { 0xC000002A, "STATUS_NOT_LOCKED" },
413 { 0xC000002B, "STATUS_PARITY_ERROR" },
414 { 0xC000002C, "STATUS_UNABLE_TO_DECOMMIT_VM" },
415 { 0xC000002D, "STATUS_NOT_COMMITTED" },
416 { 0xC000002E, "STATUS_INVALID_PORT_ATTRIBUTES" },
417 { 0xC000002F, "STATUS_PORT_MESSAGE_TOO_LONG" },
418 { 0xC0000030, "STATUS_INVALID_PARAMETER_MIX" },
419 { 0xC0000031, "STATUS_INVALID_QUOTA_LOWER" },
420 { 0xC0000032, "STATUS_DISK_CORRUPT_ERROR" },
421 { 0xC0000033, "STATUS_OBJECT_NAME_INVALID" },
422 { 0xC0000034, "STATUS_OBJECT_NAME_NOT_FOUND" },
423 { 0xC0000035, "STATUS_OBJECT_NAME_COLLISION" },
424 { 0xC0000037, "STATUS_PORT_DISCONNECTED" },
425 { 0xC0000038, "STATUS_DEVICE_ALREADY_ATTACHED" },
426 { 0xC0000039, "STATUS_OBJECT_PATH_INVALID" },
427 { 0xC000003A, "STATUS_OBJECT_PATH_NOT_FOUND" },
428 { 0xC000003B, "STATUS_OBJECT_PATH_SYNTAX_BAD" },
429 { 0xC000003C, "STATUS_DATA_OVERRUN" },
430 { 0xC000003D, "STATUS_DATA_LATE_ERROR" },
431 { 0xC000003E, "STATUS_DATA_ERROR" },
432 { 0xC000003F, "STATUS_CRC_ERROR" },
433 { 0xC0000040, "STATUS_SECTION_TOO_BIG" },
434 { 0xC0000041, "STATUS_PORT_CONNECTION_REFUSED" },
435 { 0xC0000042, "STATUS_INVALID_PORT_HANDLE" },
436 { 0xC0000043, "STATUS_SHARING_VIOLATION" },
437 { 0xC0000044, "STATUS_QUOTA_EXCEEDED" },
438 { 0xC0000045, "STATUS_INVALID_PAGE_PROTECTION" },
439 { 0xC0000046, "STATUS_MUTANT_NOT_OWNED" },
440 { 0xC0000047, "STATUS_SEMAPHORE_LIMIT_EXCEEDED" },
441 { 0xC0000048, "STATUS_PORT_ALREADY_SET" },
442 { 0xC0000049, "STATUS_SECTION_NOT_IMAGE" },
443 { 0xC000004A, "STATUS_SUSPEND_COUNT_EXCEEDED" },
444 { 0xC000004B, "STATUS_THREAD_IS_TERMINATING" },
445 { 0xC000004C, "STATUS_BAD_WORKING_SET_LIMIT" },
446 { 0xC000004D, "STATUS_INCOMPATIBLE_FILE_MAP" },
447 { 0xC000004E, "STATUS_SECTION_PROTECTION" },
448 { 0xC000004F, "STATUS_EAS_NOT_SUPPORTED" },
449 { 0xC0000050, "STATUS_EA_TOO_LARGE" },
450 { 0xC0000051, "STATUS_NONEXISTENT_EA_ENTRY" },
451 { 0xC0000052, "STATUS_NO_EAS_ON_FILE" },
452 { 0xC0000053, "STATUS_EA_CORRUPT_ERROR" },
453 { 0xC0000054, "STATUS_FILE_LOCK_CONFLICT" },
454 { 0xC0000055, "STATUS_LOCK_NOT_GRANTED" },
455 { 0xC0000056, "STATUS_DELETE_PENDING" },
456 { 0xC0000057, "STATUS_CTL_FILE_NOT_SUPPORTED" },
457 { 0xC0000058, "STATUS_UNKNOWN_REVISION" },
458 { 0xC0000059, "STATUS_REVISION_MISMATCH" },
459 { 0xC000005A, "STATUS_INVALID_OWNER" },
460 { 0xC000005B, "STATUS_INVALID_PRIMARY_GROUP" },
461 { 0xC000005C, "STATUS_NO_IMPERSONATION_TOKEN" },
462 { 0xC000005D, "STATUS_CANT_DISABLE_MANDATORY" },
463 { 0xC000005E, "STATUS_NO_LOGON_SERVERS" },
464 { 0xC000005F, "STATUS_NO_SUCH_LOGON_SESSION" },
465 { 0xC0000060, "STATUS_NO_SUCH_PRIVILEGE" },
466 { 0xC0000061, "STATUS_PRIVILEGE_NOT_HELD" },
467 { 0xC0000062, "STATUS_INVALID_ACCOUNT_NAME" },
468 { 0xC0000063, "STATUS_USER_EXISTS" },
469 { 0xC0000064, "STATUS_NO_SUCH_USER" },
470 { 0xC0000065, "STATUS_GROUP_EXISTS" },
471 { 0xC0000066, "STATUS_NO_SUCH_GROUP" },
472 { 0xC0000067, "STATUS_MEMBER_IN_GROUP" },
473 { 0xC0000068, "STATUS_MEMBER_NOT_IN_GROUP" },
474 { 0xC0000069, "STATUS_LAST_ADMIN" },
475 { 0xC000006A, "STATUS_WRONG_PASSWORD" },
476 { 0xC000006B, "STATUS_ILL_FORMED_PASSWORD" },
477 { 0xC000006C, "STATUS_PASSWORD_RESTRICTION" },
478 { 0xC000006D, "STATUS_LOGON_FAILURE" },
479 { 0xC000006E, "STATUS_ACCOUNT_RESTRICTION" },
480 { 0xC000006F, "STATUS_INVALID_LOGON_HOURS" },
481 { 0xC0000070, "STATUS_INVALID_WORKSTATION" },
482 { 0xC0000071, "STATUS_PASSWORD_EXPIRED" },
483 { 0xC0000072, "STATUS_ACCOUNT_DISABLED" },
484 { 0xC0000073, "STATUS_NONE_MAPPED" },
485 { 0xC0000074, "STATUS_TOO_MANY_LUIDS_REQUESTED" },
486 { 0xC0000075, "STATUS_LUIDS_EXHAUSTED" },
487 { 0xC0000076, "STATUS_INVALID_SUB_AUTHORITY" },
488 { 0xC0000077, "STATUS_INVALID_ACL" },
489 { 0xC0000078, "STATUS_INVALID_SID" },
490 { 0xC0000079, "STATUS_INVALID_SECURITY_DESCR" },
491 { 0xC000007A, "STATUS_PROCEDURE_NOT_FOUND" },
492 { 0xC000007B, "STATUS_INVALID_IMAGE_FORMAT" },
493 { 0xC000007C, "STATUS_NO_TOKEN" },
494 { 0xC000007D, "STATUS_BAD_INHERITANCE_ACL" },
495 { 0xC000007E, "STATUS_RANGE_NOT_LOCKED" },
496 { 0xC000007F, "STATUS_DISK_FULL" },
497 { 0xC0000080, "STATUS_SERVER_DISABLED" },
498 { 0xC0000081, "STATUS_SERVER_NOT_DISABLED" },
499 { 0xC0000082, "STATUS_TOO_MANY_GUIDS_REQUESTED" },
500 { 0xC0000083, "STATUS_GUIDS_EXHAUSTED" },
501 { 0xC0000084, "STATUS_INVALID_ID_AUTHORITY" },
502 { 0xC0000085, "STATUS_AGENTS_EXHAUSTED" },
503 { 0xC0000086, "STATUS_INVALID_VOLUME_LABEL" },
504 { 0xC0000087, "STATUS_SECTION_NOT_EXTENDED" },
505 { 0xC0000088, "STATUS_NOT_MAPPED_DATA" },
506 { 0xC0000089, "STATUS_RESOURCE_DATA_NOT_FOUND" },
507 { 0xC000008A, "STATUS_RESOURCE_TYPE_NOT_FOUND" },
508 { 0xC000008B, "STATUS_RESOURCE_NAME_NOT_FOUND" },
509 { 0xC000008C, "STATUS_ARRAY_BOUNDS_EXCEEDED" },
510 { 0xC000008D, "STATUS_FLOAT_DENORMAL_OPERAND" },
511 { 0xC000008E, "STATUS_FLOAT_DIVIDE_BY_ZERO" },
512 { 0xC000008F, "STATUS_FLOAT_INEXACT_RESULT" },
513 { 0xC0000090, "STATUS_FLOAT_INVALID_OPERATION" },
514 { 0xC0000091, "STATUS_FLOAT_OVERFLOW" },
515 { 0xC0000092, "STATUS_FLOAT_STACK_CHECK" },
516 { 0xC0000093, "STATUS_FLOAT_UNDERFLOW" },
517 { 0xC0000094, "STATUS_INTEGER_DIVIDE_BY_ZERO" },
518 { 0xC0000095, "STATUS_INTEGER_OVERFLOW" },
519 { 0xC0000096, "STATUS_PRIVILEGED_INSTRUCTION" },
520 { 0xC0000097, "STATUS_TOO_MANY_PAGING_FILES" },
521 { 0xC0000098, "STATUS_FILE_INVALID" },
522 { 0xC0000099, "STATUS_ALLOTTED_SPACE_EXCEEDED" },
523 { 0xC000009A, "STATUS_INSUFFICIENT_RESOURCES" },
524 { 0xC000009B, "STATUS_DFS_EXIT_PATH_FOUND" },
525 { 0xC000009C, "STATUS_DEVICE_DATA_ERROR" },
526 { 0xC000009D, "STATUS_DEVICE_NOT_CONNECTED" },
527 { 0xC000009E, "STATUS_DEVICE_POWER_FAILURE" },
528 { 0xC000009F, "STATUS_FREE_VM_NOT_AT_BASE" },
529 { 0xC00000A0, "STATUS_MEMORY_NOT_ALLOCATED" },
530 { 0xC00000A1, "STATUS_WORKING_SET_QUOTA" },
531 { 0xC00000A2, "STATUS_MEDIA_WRITE_PROTECTED" },
532 { 0xC00000A3, "STATUS_DEVICE_NOT_READY" },
533 { 0xC00000A4, "STATUS_INVALID_GROUP_ATTRIBUTES" },
534 { 0xC00000A5, "STATUS_BAD_IMPERSONATION_LEVEL" },
535 { 0xC00000A6, "STATUS_CANT_OPEN_ANONYMOUS" },
536 { 0xC00000A7, "STATUS_BAD_VALIDATION_CLASS" },
537 { 0xC00000A8, "STATUS_BAD_TOKEN_TYPE" },
538 { 0xC00000A9, "STATUS_BAD_MASTER_BOOT_RECORD" },
539 { 0xC00000AA, "STATUS_INSTRUCTION_MISALIGNMENT" },
540 { 0xC00000AB, "STATUS_INSTANCE_NOT_AVAILABLE" },
541 { 0xC00000AC, "STATUS_PIPE_NOT_AVAILABLE" },
542 { 0xC00000AD, "STATUS_INVALID_PIPE_STATE" },
543 { 0xC00000AE, "STATUS_PIPE_BUSY" },
544 { 0xC00000AF, "STATUS_ILLEGAL_FUNCTION" },
545 { 0xC00000B0, "STATUS_PIPE_DISCONNECTED" },
546 { 0xC00000B1, "STATUS_PIPE_CLOSING" },
547 { 0xC00000B2, "STATUS_PIPE_CONNECTED" },
548 { 0xC00000B3, "STATUS_PIPE_LISTENING" },
549 { 0xC00000B4, "STATUS_INVALID_READ_MODE" },
550 { 0xC00000B5, "STATUS_IO_TIMEOUT" },
551 { 0xC00000B6, "STATUS_FILE_FORCED_CLOSED" },
552 { 0xC00000B7, "STATUS_PROFILING_NOT_STARTED" },
553 { 0xC00000B8, "STATUS_PROFILING_NOT_STOPPED" },
554 { 0xC00000B9, "STATUS_COULD_NOT_INTERPRET" },
555 { 0xC00000BA, "STATUS_FILE_IS_A_DIRECTORY" },
556 { 0xC00000BB, "STATUS_NOT_SUPPORTED" },
557 { 0xC00000BC, "STATUS_REMOTE_NOT_LISTENING" },
558 { 0xC00000BD, "STATUS_DUPLICATE_NAME" },
559 { 0xC00000BE, "STATUS_BAD_NETWORK_PATH" },
560 { 0xC00000BF, "STATUS_NETWORK_BUSY" },
561 { 0xC00000C0, "STATUS_DEVICE_DOES_NOT_EXIST" },
562 { 0xC00000C1, "STATUS_TOO_MANY_COMMANDS" },
563 { 0xC00000C2, "STATUS_ADAPTER_HARDWARE_ERROR" },
564 { 0xC00000C3, "STATUS_INVALID_NETWORK_RESPONSE" },
565 { 0xC00000C4, "STATUS_UNEXPECTED_NETWORK_ERROR" },
566 { 0xC00000C5, "STATUS_BAD_REMOTE_ADAPTER" },
567 { 0xC00000C6, "STATUS_PRINT_QUEUE_FULL" },
568 { 0xC00000C7, "STATUS_NO_SPOOL_SPACE" },
569 { 0xC00000C8, "STATUS_PRINT_CANCELLED" },
570 { 0xC00000C9, "STATUS_NETWORK_NAME_DELETED" },
571 { 0xC00000CA, "STATUS_NETWORK_ACCESS_DENIED" },
572 { 0xC00000CB, "STATUS_BAD_DEVICE_TYPE" },
573 { 0xC00000CC, "STATUS_BAD_NETWORK_NAME" },
574 { 0xC00000CD, "STATUS_TOO_MANY_NAMES" },
575 { 0xC00000CE, "STATUS_TOO_MANY_SESSIONS" },
576 { 0xC00000CF, "STATUS_SHARING_PAUSED" },
577 { 0xC00000D0, "STATUS_REQUEST_NOT_ACCEPTED" },
578 { 0xC00000D1, "STATUS_REDIRECTOR_PAUSED" },
579 { 0xC00000D2, "STATUS_NET_WRITE_FAULT" },
580 { 0xC00000D3, "STATUS_PROFILING_AT_LIMIT" },
581 { 0xC00000D4, "STATUS_NOT_SAME_DEVICE" },
582 { 0xC00000D5, "STATUS_FILE_RENAMED" },
583 { 0xC00000D6, "STATUS_VIRTUAL_CIRCUIT_CLOSED" },
584 { 0xC00000D7, "STATUS_NO_SECURITY_ON_OBJECT" },
585 { 0xC00000D8, "STATUS_CANT_WAIT" },
586 { 0xC00000D9, "STATUS_PIPE_EMPTY" },
587 { 0xC00000DA, "STATUS_CANT_ACCESS_DOMAIN_INFO" },
588 { 0xC00000DB, "STATUS_CANT_TERMINATE_SELF" },
589 { 0xC00000DC, "STATUS_INVALID_SERVER_STATE" },
590 { 0xC00000DD, "STATUS_INVALID_DOMAIN_STATE" },
591 { 0xC00000DE, "STATUS_INVALID_DOMAIN_ROLE" },
592 { 0xC00000DF, "STATUS_NO_SUCH_DOMAIN" },
593 { 0xC00000E0, "STATUS_DOMAIN_EXISTS" },
594 { 0xC00000E1, "STATUS_DOMAIN_LIMIT_EXCEEDED" },
595 { 0xC00000E2, "STATUS_OPLOCK_NOT_GRANTED" },
596 { 0xC00000E3, "STATUS_INVALID_OPLOCK_PROTOCOL" },
597 { 0xC00000E4, "STATUS_INTERNAL_DB_CORRUPTION" },
598 { 0xC00000E5, "STATUS_INTERNAL_ERROR" },
599 { 0xC00000E6, "STATUS_GENERIC_NOT_MAPPED" },
600 { 0xC00000E7, "STATUS_BAD_DESCRIPTOR_FORMAT" },
601 { 0xC00000E8, "STATUS_INVALID_USER_BUFFER" },
602 { 0xC00000E9, "STATUS_UNEXPECTED_IO_ERROR" },
603 { 0xC00000EA, "STATUS_UNEXPECTED_MM_CREATE_ERR" },
604 { 0xC00000EB, "STATUS_UNEXPECTED_MM_MAP_ERROR" },
605 { 0xC00000EC, "STATUS_UNEXPECTED_MM_EXTEND_ERR" },
606 { 0xC00000ED, "STATUS_NOT_LOGON_PROCESS" },
607 { 0xC00000EE, "STATUS_LOGON_SESSION_EXISTS" },
608 { 0xC00000EF, "STATUS_INVALID_PARAMETER_1" },
609 { 0xC00000F0, "STATUS_INVALID_PARAMETER_2" },
610 { 0xC00000F1, "STATUS_INVALID_PARAMETER_3" },
611 { 0xC00000F2, "STATUS_INVALID_PARAMETER_4" },
612 { 0xC00000F3, "STATUS_INVALID_PARAMETER_5" },
613 { 0xC00000F4, "STATUS_INVALID_PARAMETER_6" },
614 { 0xC00000F5, "STATUS_INVALID_PARAMETER_7" },
615 { 0xC00000F6, "STATUS_INVALID_PARAMETER_8" },
616 { 0xC00000F7, "STATUS_INVALID_PARAMETER_9" },
617 { 0xC00000F8, "STATUS_INVALID_PARAMETER_10" },
618 { 0xC00000F9, "STATUS_INVALID_PARAMETER_11" },
619 { 0xC00000FA, "STATUS_INVALID_PARAMETER_12" },
620 { 0xC00000FB, "STATUS_REDIRECTOR_NOT_STARTED" },
621 { 0xC00000FC, "STATUS_REDIRECTOR_STARTED" },
622 { 0xC00000FD, "STATUS_STACK_OVERFLOW" },
623 { 0xC00000FE, "STATUS_NO_SUCH_PACKAGE" },
624 { 0xC00000FF, "STATUS_BAD_FUNCTION_TABLE" },
625 { 0xC0000100, "STATUS_VARIABLE_NOT_FOUND" },
626 { 0xC0000101, "STATUS_DIRECTORY_NOT_EMPTY" },
627 { 0xC0000102, "STATUS_FILE_CORRUPT_ERROR" },
628 { 0xC0000103, "STATUS_NOT_A_DIRECTORY" },
629 { 0xC0000104, "STATUS_BAD_LOGON_SESSION_STATE" },
630 { 0xC0000105, "STATUS_LOGON_SESSION_COLLISION" },
631 { 0xC0000106, "STATUS_NAME_TOO_LONG" },
632 { 0xC0000107, "STATUS_FILES_OPEN" },
633 { 0xC0000108, "STATUS_CONNECTION_IN_USE" },
634 { 0xC0000109, "STATUS_MESSAGE_NOT_FOUND" },
635 { 0xC000010A, "STATUS_PROCESS_IS_TERMINATING" },
636 { 0xC000010B, "STATUS_INVALID_LOGON_TYPE" },
637 { 0xC000010C, "STATUS_NO_GUID_TRANSLATION" },
638 { 0xC000010D, "STATUS_CANNOT_IMPERSONATE" },
639 { 0xC000010E, "STATUS_IMAGE_ALREADY_LOADED" },
640 { 0xC000010F, "STATUS_ABIOS_NOT_PRESENT" },
641 { 0xC0000110, "STATUS_ABIOS_LID_NOT_EXIST" },
642 { 0xC0000111, "STATUS_ABIOS_LID_ALREADY_OWNED" },
643 { 0xC0000112, "STATUS_ABIOS_NOT_LID_OWNER" },
644 { 0xC0000113, "STATUS_ABIOS_INVALID_COMMAND" },
645 { 0xC0000114, "STATUS_ABIOS_INVALID_LID" },
646 { 0xC0000115, "STATUS_ABIOS_SELECTOR_NOT_AVAILABLE" },
647 { 0xC0000116, "STATUS_ABIOS_INVALID_SELECTOR" },
648 { 0xC0000117, "STATUS_NO_LDT" },
649 { 0xC0000118, "STATUS_INVALID_LDT_SIZE" },
650 { 0xC0000119, "STATUS_INVALID_LDT_OFFSET" },
651 { 0xC000011A, "STATUS_INVALID_LDT_DESCRIPTOR" },
652 { 0xC000011B, "STATUS_INVALID_IMAGE_NE_FORMAT" },
653 { 0xC000011C, "STATUS_RXACT_INVALID_STATE" },
654 { 0xC000011D, "STATUS_RXACT_COMMIT_FAILURE" },
655 { 0xC000011E, "STATUS_MAPPED_FILE_SIZE_ZERO" },
656 { 0xC000011F, "STATUS_TOO_MANY_OPENED_FILES" },
657 { 0xC0000120, "STATUS_CANCELLED" },
658 { 0xC0000121, "STATUS_CANNOT_DELETE" },
659 { 0xC0000122, "STATUS_INVALID_COMPUTER_NAME" },
660 { 0xC0000123, "STATUS_FILE_DELETED" },
661 { 0xC0000124, "STATUS_SPECIAL_ACCOUNT" },
662 { 0xC0000125, "STATUS_SPECIAL_GROUP" },
663 { 0xC0000126, "STATUS_SPECIAL_USER" },
664 { 0xC0000127, "STATUS_MEMBERS_PRIMARY_GROUP" },
665 { 0xC0000128, "STATUS_FILE_CLOSED" },
666 { 0xC0000129, "STATUS_TOO_MANY_THREADS" },
667 { 0xC000012A, "STATUS_THREAD_NOT_IN_PROCESS" },
668 { 0xC000012B, "STATUS_TOKEN_ALREADY_IN_USE" },
669 { 0xC000012C, "STATUS_PAGEFILE_QUOTA_EXCEEDED" },
670 { 0xC000012D, "STATUS_COMMITMENT_LIMIT" },
671 { 0xC000012E, "STATUS_INVALID_IMAGE_LE_FORMAT" },
672 { 0xC000012F, "STATUS_INVALID_IMAGE_NOT_MZ" },
673 { 0xC0000130, "STATUS_INVALID_IMAGE_PROTECT" },
674 { 0xC0000131, "STATUS_INVALID_IMAGE_WIN_16" },
675 { 0xC0000132, "STATUS_LOGON_SERVER_CONFLICT" },
676 { 0xC0000133, "STATUS_TIME_DIFFERENCE_AT_DC" },
677 { 0xC0000134, "STATUS_SYNCHRONIZATION_REQUIRED" },
678 { 0xC0000135, "STATUS_DLL_NOT_FOUND" },
679 { 0xC0000136, "STATUS_OPEN_FAILED" },
680 { 0xC0000137, "STATUS_IO_PRIVILEGE_FAILED" },
681 { 0xC0000138, "STATUS_ORDINAL_NOT_FOUND" },
682 { 0xC0000139, "STATUS_ENTRYPOINT_NOT_FOUND" },
683 { 0xC000013A, "STATUS_CONTROL_C_EXIT" },
684 { 0xC000013B, "STATUS_LOCAL_DISCONNECT" },
685 { 0xC000013C, "STATUS_REMOTE_DISCONNECT" },
686 { 0xC000013D, "STATUS_REMOTE_RESOURCES" },
687 { 0xC000013E, "STATUS_LINK_FAILED" },
688 { 0xC000013F, "STATUS_LINK_TIMEOUT" },
689 { 0xC0000140, "STATUS_INVALID_CONNECTION" },
690 { 0xC0000141, "STATUS_INVALID_ADDRESS" },
691 { 0xC0000142, "STATUS_DLL_INIT_FAILED" },
692 { 0xC0000143, "STATUS_MISSING_SYSTEMFILE" },
693 { 0xC0000144, "STATUS_UNHANDLED_EXCEPTION" },
694 { 0xC0000145, "STATUS_APP_INIT_FAILURE" },
695 { 0xC0000146, "STATUS_PAGEFILE_CREATE_FAILED" },
696 { 0xC0000147, "STATUS_NO_PAGEFILE" },
697 { 0xC0000148, "STATUS_INVALID_LEVEL" },
698 { 0xC0000149, "STATUS_WRONG_PASSWORD_CORE" },
699 { 0xC000014A, "STATUS_ILLEGAL_FLOAT_CONTEXT" },
700 { 0xC000014B, "STATUS_PIPE_BROKEN" },
701 { 0xC000014C, "STATUS_REGISTRY_CORRUPT" },
702 { 0xC000014D, "STATUS_REGISTRY_IO_FAILED" },
703 { 0xC000014E, "STATUS_NO_EVENT_PAIR" },
704 { 0xC000014F, "STATUS_UNRECOGNIZED_VOLUME" },
705 { 0xC0000150, "STATUS_SERIAL_NO_DEVICE_INITED" },
706 { 0xC0000151, "STATUS_NO_SUCH_ALIAS" },
707 { 0xC0000152, "STATUS_MEMBER_NOT_IN_ALIAS" },
708 { 0xC0000153, "STATUS_MEMBER_IN_ALIAS" },
709 { 0xC0000154, "STATUS_ALIAS_EXISTS" },
710 { 0xC0000155, "STATUS_LOGON_NOT_GRANTED" },
711 { 0xC0000156, "STATUS_TOO_MANY_SECRETS" },
712 { 0xC0000157, "STATUS_SECRET_TOO_LONG" },
713 { 0xC0000158, "STATUS_INTERNAL_DB_ERROR" },
714 { 0xC0000159, "STATUS_FULLSCREEN_MODE" },
715 { 0xC000015A, "STATUS_TOO_MANY_CONTEXT_IDS" },
716 { 0xC000015B, "STATUS_LOGON_TYPE_NOT_GRANTED" },
717 { 0xC000015C, "STATUS_NOT_REGISTRY_FILE" },
718 { 0xC000015D, "STATUS_NT_CROSS_ENCRYPTION_REQUIRED" },
719 { 0xC000015E, "STATUS_DOMAIN_CTRLR_CONFIG_ERROR" },
720 { 0xC000015F, "STATUS_FT_MISSING_MEMBER" },
721 { 0xC0000160, "STATUS_ILL_FORMED_SERVICE_ENTRY" },
722 { 0xC0000161, "STATUS_ILLEGAL_CHARACTER" },
723 { 0xC0000162, "STATUS_UNMAPPABLE_CHARACTER" },
724 { 0xC0000163, "STATUS_UNDEFINED_CHARACTER" },
725 { 0xC0000164, "STATUS_FLOPPY_VOLUME" },
726 { 0xC0000165, "STATUS_FLOPPY_ID_MARK_NOT_FOUND" },
727 { 0xC0000166, "STATUS_FLOPPY_WRONG_CYLINDER" },
728 { 0xC0000167, "STATUS_FLOPPY_UNKNOWN_ERROR" },
729 { 0xC0000168, "STATUS_FLOPPY_BAD_REGISTERS" },
730 { 0xC0000169, "STATUS_DISK_RECALIBRATE_FAILED" },
731 { 0xC000016A, "STATUS_DISK_OPERATION_FAILED" },
732 { 0xC000016B, "STATUS_DISK_RESET_FAILED" },
733 { 0xC000016C, "STATUS_SHARED_IRQ_BUSY" },
734 { 0xC000016D, "STATUS_FT_ORPHANING" },
735 { 0xC000016E, "STATUS_BIOS_FAILED_TO_CONNECT_INTERRUPT" },
736 { 0xC0000172, "STATUS_PARTITION_FAILURE" },
737 { 0xC0000173, "STATUS_INVALID_BLOCK_LENGTH" },
738 { 0xC0000174, "STATUS_DEVICE_NOT_PARTITIONED" },
739 { 0xC0000175, "STATUS_UNABLE_TO_LOCK_MEDIA" },
740 { 0xC0000176, "STATUS_UNABLE_TO_UNLOAD_MEDIA" },
741 { 0xC0000177, "STATUS_EOM_OVERFLOW" },
742 { 0xC0000178, "STATUS_NO_MEDIA" },
743 { 0xC000017A, "STATUS_NO_SUCH_MEMBER" },
744 { 0xC000017B, "STATUS_INVALID_MEMBER" },
745 { 0xC000017C, "STATUS_KEY_DELETED" },
746 { 0xC000017D, "STATUS_NO_LOG_SPACE" },
747 { 0xC000017E, "STATUS_TOO_MANY_SIDS" },
748 { 0xC000017F, "STATUS_LM_CROSS_ENCRYPTION_REQUIRED" },
749 { 0xC0000180, "STATUS_KEY_HAS_CHILDREN" },
750 { 0xC0000181, "STATUS_CHILD_MUST_BE_VOLATILE" },
751 { 0xC0000182, "STATUS_DEVICE_CONFIGURATION_ERROR" },
752 { 0xC0000183, "STATUS_DRIVER_INTERNAL_ERROR" },
753 { 0xC0000184, "STATUS_INVALID_DEVICE_STATE" },
754 { 0xC0000185, "STATUS_IO_DEVICE_ERROR" },
755 { 0xC0000186, "STATUS_DEVICE_PROTOCOL_ERROR" },
756 { 0xC0000187, "STATUS_BACKUP_CONTROLLER" },
757 { 0xC0000188, "STATUS_LOG_FILE_FULL" },
758 { 0xC0000189, "STATUS_TOO_LATE" },
759 { 0xC000018A, "STATUS_NO_TRUST_LSA_SECRET" },
760 { 0xC000018B, "STATUS_NO_TRUST_SAM_ACCOUNT" },
761 { 0xC000018C, "STATUS_TRUSTED_DOMAIN_FAILURE" },
762 { 0xC000018D, "STATUS_TRUSTED_RELATIONSHIP_FAILURE" },
763 { 0xC000018E, "STATUS_EVENTLOG_FILE_CORRUPT" },
764 { 0xC000018F, "STATUS_EVENTLOG_CANT_START" },
765 { 0xC0000190, "STATUS_TRUST_FAILURE" },
766 { 0xC0000191, "STATUS_MUTANT_LIMIT_EXCEEDED" },
767 { 0xC0000192, "STATUS_NETLOGON_NOT_STARTED" },
768 { 0xC0000193, "STATUS_ACCOUNT_EXPIRED" },
769 { 0xC0000194, "STATUS_POSSIBLE_DEADLOCK" },
770 { 0xC0000195, "STATUS_NETWORK_CREDENTIAL_CONFLICT" },
771 { 0xC0000196, "STATUS_REMOTE_SESSION_LIMIT" },
772 { 0xC0000197, "STATUS_EVENTLOG_FILE_CHANGED" },
773 { 0xC0000198, "STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT" },
774 { 0xC0000199, "STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT" },
775 { 0xC000019A, "STATUS_NOLOGON_SERVER_TRUST_ACCOUNT" },
776 { 0xC000019B, "STATUS_DOMAIN_TRUST_INCONSISTENT" },
777 { 0xC000019C, "STATUS_FS_DRIVER_REQUIRED" },
778 { 0xC0000202, "STATUS_NO_USER_SESSION_KEY" },
779 { 0xC0000203, "STATUS_USER_SESSION_DELETED" },
780 { 0xC0000204, "STATUS_RESOURCE_LANG_NOT_FOUND" },
781 { 0xC0000205, "STATUS_INSUFF_SERVER_RESOURCES" },
782 { 0xC0000206, "STATUS_INVALID_BUFFER_SIZE" },
783 { 0xC0000207, "STATUS_INVALID_ADDRESS_COMPONENT" },
784 { 0xC0000208, "STATUS_INVALID_ADDRESS_WILDCARD" },
785 { 0xC0000209, "STATUS_TOO_MANY_ADDRESSES" },
786 { 0xC000020A, "STATUS_ADDRESS_ALREADY_EXISTS" },
787 { 0xC000020B, "STATUS_ADDRESS_CLOSED" },
788 { 0xC000020C, "STATUS_CONNECTION_DISCONNECTED" },
789 { 0xC000020D, "STATUS_CONNECTION_RESET" },
790 { 0xC000020E, "STATUS_TOO_MANY_NODES" },
791 { 0xC000020F, "STATUS_TRANSACTION_ABORTED" },
792 { 0xC0000210, "STATUS_TRANSACTION_TIMED_OUT" },
793 { 0xC0000211, "STATUS_TRANSACTION_NO_RELEASE" },
794 { 0xC0000212, "STATUS_TRANSACTION_NO_MATCH" },
795 { 0xC0000213, "STATUS_TRANSACTION_RESPONDED" },
796 { 0xC0000214, "STATUS_TRANSACTION_INVALID_ID" },
797 { 0xC0000215, "STATUS_TRANSACTION_INVALID_TYPE" },
798 { 0xC0000216, "STATUS_NOT_SERVER_SESSION" },
799 { 0xC0000217, "STATUS_NOT_CLIENT_SESSION" },
800 { 0xC0000218, "STATUS_CANNOT_LOAD_REGISTRY_FILE" },
801 { 0xC0000219, "STATUS_DEBUG_ATTACH_FAILED" },
802 { 0xC000021A, "STATUS_SYSTEM_PROCESS_TERMINATED" },
803 { 0xC000021B, "STATUS_DATA_NOT_ACCEPTED" },
804 { 0xC000021C, "STATUS_NO_BROWSER_SERVERS_FOUND" },
805 { 0xC000021D, "STATUS_VDM_HARD_ERROR" },
806 { 0xC000021E, "STATUS_DRIVER_CANCEL_TIMEOUT" },
807 { 0xC000021F, "STATUS_REPLY_MESSAGE_MISMATCH" },
808 { 0xC0000220, "STATUS_MAPPED_ALIGNMENT" },
809 { 0xC0000221, "STATUS_IMAGE_CHECKSUM_MISMATCH" },
810 { 0xC0000222, "STATUS_LOST_WRITEBEHIND_DATA" },
811 { 0xC0000223, "STATUS_CLIENT_SERVER_PARAMETERS_INVALID" },
812 { 0xC0000224, "STATUS_PASSWORD_MUST_CHANGE" },
813 { 0xC0000225, "STATUS_NOT_FOUND" },
814 { 0xC0000226, "STATUS_NOT_TINY_STREAM" },
815 { 0xC0000227, "STATUS_RECOVERY_FAILURE" },
816 { 0xC0000228, "STATUS_STACK_OVERFLOW_READ" },
817 { 0xC0000229, "STATUS_FAIL_CHECK" },
818 { 0xC000022A, "STATUS_DUPLICATE_OBJECTID" },
819 { 0xC000022B, "STATUS_OBJECTID_EXISTS" },
820 { 0xC000022C, "STATUS_CONVERT_TO_LARGE" },
821 { 0xC000022D, "STATUS_RETRY" },
822 { 0xC000022E, "STATUS_FOUND_OUT_OF_SCOPE" },
823 { 0xC000022F, "STATUS_ALLOCATE_BUCKET" },
824 { 0xC0000230, "STATUS_PROPSET_NOT_FOUND" },
825 { 0xC0000231, "STATUS_MARSHALL_OVERFLOW" },
826 { 0xC0000232, "STATUS_INVALID_VARIANT" },
827 { 0xC0000233, "STATUS_DOMAIN_CONTROLLER_NOT_FOUND" },
828 { 0xC0000234, "STATUS_ACCOUNT_LOCKED_OUT" },
829 { 0xC0000235, "STATUS_HANDLE_NOT_CLOSABLE" },
830 { 0xC0000236, "STATUS_CONNECTION_REFUSED" },
831 { 0xC0000237, "STATUS_GRACEFUL_DISCONNECT" },
832 { 0xC0000238, "STATUS_ADDRESS_ALREADY_ASSOCIATED" },
833 { 0xC0000239, "STATUS_ADDRESS_NOT_ASSOCIATED" },
834 { 0xC000023A, "STATUS_CONNECTION_INVALID" },
835 { 0xC000023B, "STATUS_CONNECTION_ACTIVE" },
836 { 0xC000023C, "STATUS_NETWORK_UNREACHABLE" },
837 { 0xC000023D, "STATUS_HOST_UNREACHABLE" },
838 { 0xC000023E, "STATUS_PROTOCOL_UNREACHABLE" },
839 { 0xC000023F, "STATUS_PORT_UNREACHABLE" },
840 { 0xC0000240, "STATUS_REQUEST_ABORTED" },
841 { 0xC0000241, "STATUS_CONNECTION_ABORTED" },
842 { 0xC0000242, "STATUS_BAD_COMPRESSION_BUFFER" },
843 { 0xC0000243, "STATUS_USER_MAPPED_FILE" },
844 { 0xC0000244, "STATUS_AUDIT_FAILED" },
845 { 0xC0000245, "STATUS_TIMER_RESOLUTION_NOT_SET" },
846 { 0xC0000246, "STATUS_CONNECTION_COUNT_LIMIT" },
847 { 0xC0000247, "STATUS_LOGIN_TIME_RESTRICTION" },
848 { 0xC0000248, "STATUS_LOGIN_WKSTA_RESTRICTION" },
849 { 0xC0000249, "STATUS_IMAGE_MP_UP_MISMATCH" },
850 { 0xC0000250, "STATUS_INSUFFICIENT_LOGON_INFO" },
851 { 0xC0000251, "STATUS_BAD_DLL_ENTRYPOINT" },
852 { 0xC0000252, "STATUS_BAD_SERVICE_ENTRYPOINT" },
853 { 0xC0000253, "STATUS_LPC_REPLY_LOST" },
854 { 0xC0000254, "STATUS_IP_ADDRESS_CONFLICT1" },
855 { 0xC0000255, "STATUS_IP_ADDRESS_CONFLICT2" },
856 { 0xC0000256, "STATUS_REGISTRY_QUOTA_LIMIT" },
857 { 0xC0000257, "STATUS_PATH_NOT_COVERED" },
858 { 0xC0000258, "STATUS_NO_CALLBACK_ACTIVE" },
859 { 0xC0000259, "STATUS_LICENSE_QUOTA_EXCEEDED" },
860 { 0xC000025A, "STATUS_PWD_TOO_SHORT" },
861 { 0xC000025B, "STATUS_PWD_TOO_RECENT" },
862 { 0xC000025C, "STATUS_PWD_HISTORY_CONFLICT" },
863 { 0xC000025E, "STATUS_PLUGPLAY_NO_DEVICE" },
864 { 0xC000025F, "STATUS_UNSUPPORTED_COMPRESSION" },
865 { 0xC0000260, "STATUS_INVALID_HW_PROFILE" },
866 { 0xC0000261, "STATUS_INVALID_PLUGPLAY_DEVICE_PATH" },
867 { 0xC0000262, "STATUS_DRIVER_ORDINAL_NOT_FOUND" },
868 { 0xC0000263, "STATUS_DRIVER_ENTRYPOINT_NOT_FOUND" },
869 { 0xC0000264, "STATUS_RESOURCE_NOT_OWNED" },
870 { 0xC0000265, "STATUS_TOO_MANY_LINKS" },
871 { 0xC0000266, "STATUS_QUOTA_LIST_INCONSISTENT" },
872 { 0xC0000267, "STATUS_FILE_IS_OFFLINE" },
873 { 0xC0000268, "STATUS_EVALUATION_EXPIRATION" },
874 { 0xC0000269, "STATUS_ILLEGAL_DLL_RELOCATION" },
875 { 0xC000026A, "STATUS_LICENSE_VIOLATION" },
876 { 0xC000026B, "STATUS_DLL_INIT_FAILED_LOGOFF" },
877 { 0xC000026C, "STATUS_DRIVER_UNABLE_TO_LOAD" },
878 { 0xC000026D, "STATUS_DFS_UNAVAILABLE" },
879 { 0xC000026E, "STATUS_VOLUME_DISMOUNTED" },
880 { 0xC000026F, "STATUS_WX86_INTERNAL_ERROR" },
881 { 0xC0000270, "STATUS_WX86_FLOAT_STACK_CHECK" },
882 { 0xC0000271, "STATUS_VALIDATE_CONTINUE" },
883 { 0xC0000272, "STATUS_NO_MATCH" },
884 { 0xC0000273, "STATUS_NO_MORE_MATCHES" },
885 { 0xC0000275, "STATUS_NOT_A_REPARSE_POINT" },
886 { 0xC0000276, "STATUS_IO_REPARSE_TAG_INVALID" },
887 { 0xC0000277, "STATUS_IO_REPARSE_TAG_MISMATCH" },
888 { 0xC0000278, "STATUS_IO_REPARSE_DATA_INVALID" },
889 { 0xC0000279, "STATUS_IO_REPARSE_TAG_NOT_HANDLED" },
890 { 0xC0000280, "STATUS_REPARSE_POINT_NOT_RESOLVED" },
891 { 0xC0000281, "STATUS_DIRECTORY_IS_A_REPARSE_POINT" },
892 { 0xC0000282, "STATUS_RANGE_LIST_CONFLICT" },
893 { 0xC0000283, "STATUS_SOURCE_ELEMENT_EMPTY" },
894 { 0xC0000284, "STATUS_DESTINATION_ELEMENT_FULL" },
895 { 0xC0000285, "STATUS_ILLEGAL_ELEMENT_ADDRESS" },
896 { 0xC0000286, "STATUS_MAGAZINE_NOT_PRESENT" },
897 { 0xC0000287, "STATUS_REINITIALIZATION_NEEDED" },
898 { 0xC000028A, "STATUS_ENCRYPTION_FAILED" },
899 { 0xC000028B, "STATUS_DECRYPTION_FAILED" },
900 { 0xC000028C, "STATUS_RANGE_NOT_FOUND" },
901 { 0xC000028D, "STATUS_NO_RECOVERY_POLICY" },
902 { 0xC000028E, "STATUS_NO_EFS" },
903 { 0xC000028F, "STATUS_WRONG_EFS" },
904 { 0xC0000290, "STATUS_NO_USER_KEYS" },
905 { 0xC0000291, "STATUS_FILE_NOT_ENCRYPTED" },
906 { 0xC0000292, "STATUS_NOT_EXPORT_FORMAT" },
907 { 0xC0000293, "STATUS_FILE_ENCRYPTED" },
908 { 0xC0000295, "STATUS_WMI_GUID_NOT_FOUND" },
909 { 0xC0000296, "STATUS_WMI_INSTANCE_NOT_FOUND" },
910 { 0xC0000297, "STATUS_WMI_ITEMID_NOT_FOUND" },
911 { 0xC0000298, "STATUS_WMI_TRY_AGAIN" },
912 { 0xC0000299, "STATUS_SHARED_POLICY" },
913 { 0xC000029A, "STATUS_POLICY_OBJECT_NOT_FOUND" },
914 { 0xC000029B, "STATUS_POLICY_ONLY_IN_DS" },
915 { 0xC000029C, "STATUS_VOLUME_NOT_UPGRADED" },
916 { 0xC000029D, "STATUS_REMOTE_STORAGE_NOT_ACTIVE" },
917 { 0xC000029E, "STATUS_REMOTE_STORAGE_MEDIA_ERROR" },
918 { 0xC000029F, "STATUS_NO_TRACKING_SERVICE" },
919 { 0xC00002A0, "STATUS_SERVER_SID_MISMATCH" },
920 { 0xC00002A1, "STATUS_DS_NO_ATTRIBUTE_OR_VALUE" },
921 { 0xC00002A2, "STATUS_DS_INVALID_ATTRIBUTE_SYNTAX" },
922 { 0xC00002A3, "STATUS_DS_ATTRIBUTE_TYPE_UNDEFINED" },
923 { 0xC00002A4, "STATUS_DS_ATTRIBUTE_OR_VALUE_EXISTS" },
924 { 0xC00002A5, "STATUS_DS_BUSY" },
925 { 0xC00002A6, "STATUS_DS_UNAVAILABLE" },
926 { 0xC00002A7, "STATUS_DS_NO_RIDS_ALLOCATED" },
927 { 0xC00002A8, "STATUS_DS_NO_MORE_RIDS" },
928 { 0xC00002A9, "STATUS_DS_INCORRECT_ROLE_OWNER" },
929 { 0xC00002AA, "STATUS_DS_RIDMGR_INIT_ERROR" },
930 { 0xC00002AB, "STATUS_DS_OBJ_CLASS_VIOLATION" },
931 { 0xC00002AC, "STATUS_DS_CANT_ON_NON_LEAF" },
932 { 0xC00002AD, "STATUS_DS_CANT_ON_RDN" },
933 { 0xC00002AE, "STATUS_DS_CANT_MOD_OBJ_CLASS" },
934 { 0xC00002AF, "STATUS_DS_CROSS_DOM_MOVE_FAILED" },
935 { 0xC00002B0, "STATUS_DS_GC_NOT_AVAILABLE" },
936 { 0xC00002B1, "STATUS_DIRECTORY_SERVICE_REQUIRED" },
937 { 0xC00002B2, "STATUS_REPARSE_ATTRIBUTE_CONFLICT" },
938 { 0xC00002B3, "STATUS_CANT_ENABLE_DENY_ONLY" },
939 { 0xC00002B4, "STATUS_FLOAT_MULTIPLE_FAULTS" },
940 { 0xC00002B5, "STATUS_FLOAT_MULTIPLE_TRAPS" },
941 { 0xC00002B6, "STATUS_DEVICE_REMOVED" },
942 { 0xC00002B7, "STATUS_JOURNAL_DELETE_IN_PROGRESS" },
943 { 0xC00002B8, "STATUS_JOURNAL_NOT_ACTIVE" },
944 { 0xC00002B9, "STATUS_NOINTERFACE" },
945 { 0xC00002C1, "STATUS_DS_ADMIN_LIMIT_EXCEEDED" },
946 { 0xC00002C2, "STATUS_DRIVER_FAILED_SLEEP" },
947 { 0xC00002C3, "STATUS_MUTUAL_AUTHENTICATION_FAILED" },
948 { 0xC00002C4, "STATUS_CORRUPT_SYSTEM_FILE" },
949 { 0xC00002C5, "STATUS_DATATYPE_MISALIGNMENT_ERROR" },
950 { 0xC00002C6, "STATUS_WMI_READ_ONLY" },
951 { 0xC00002C7, "STATUS_WMI_SET_FAILURE" },
952 { 0xC00002C8, "STATUS_COMMITMENT_MINIMUM" },
953 { 0xC00002C9, "STATUS_REG_NAT_CONSUMPTION" },
954 { 0xC00002CA, "STATUS_TRANSPORT_FULL" },
955 { 0xC00002CB, "STATUS_DS_SAM_INIT_FAILURE" },
956 { 0xC00002CC, "STATUS_ONLY_IF_CONNECTED" },
957 { 0xC00002CD, "STATUS_DS_SENSITIVE_GROUP_VIOLATION" },
958 { 0xC00002CE, "STATUS_PNP_RESTART_ENUMERATION" },
959 { 0xC00002CF, "STATUS_JOURNAL_ENTRY_DELETED" },
960 { 0xC00002D0, "STATUS_DS_CANT_MOD_PRIMARYGROUPID" },
961 { 0xC00002D1, "STATUS_SYSTEM_IMAGE_BAD_SIGNATURE" },
962 { 0xC00002D2, "STATUS_PNP_REBOOT_REQUIRED" },
963 { 0xC00002D3, "STATUS_POWER_STATE_INVALID" },
964 { 0xC00002D4, "STATUS_DS_INVALID_GROUP_TYPE" },
965 { 0xC00002D5, "STATUS_DS_NO_NEST_GLOBALGROUP_IN_MIXEDDOMAIN" },
966 { 0xC00002D6, "STATUS_DS_NO_NEST_LOCALGROUP_IN_MIXEDDOMAIN" },
967 { 0xC00002D7, "STATUS_DS_GLOBAL_CANT_HAVE_LOCAL_MEMBER" },
968 { 0xC00002D8, "STATUS_DS_GLOBAL_CANT_HAVE_UNIVERSAL_MEMBER" },
969 { 0xC00002D9, "STATUS_DS_UNIVERSAL_CANT_HAVE_LOCAL_MEMBER" },
970 { 0xC00002DA, "STATUS_DS_GLOBAL_CANT_HAVE_CROSSDOMAIN_MEMBER" },
971 { 0xC00002DB, "STATUS_DS_LOCAL_CANT_HAVE_CROSSDOMAIN_LOCAL_MEMBER" },
972 { 0xC00002DC, "STATUS_DS_HAVE_PRIMARY_MEMBERS" },
973 { 0xC00002DD, "STATUS_WMI_NOT_SUPPORTED" },
974 { 0xC00002DE, "STATUS_INSUFFICIENT_POWER" },
975 { 0xC00002DF, "STATUS_SAM_NEED_BOOTKEY_PASSWORD" },
976 { 0xC00002E0, "STATUS_SAM_NEED_BOOTKEY_FLOPPY" },
977 { 0xC00002E1, "STATUS_DS_CANT_START" },
978 { 0xC00002E2, "STATUS_DS_INIT_FAILURE" },
979 { 0xC00002E3, "STATUS_SAM_INIT_FAILURE" },
980 { 0xC00002E4, "STATUS_DS_GC_REQUIRED" },
981 { 0xC00002E5, "STATUS_DS_LOCAL_MEMBER_OF_LOCAL_ONLY" },
982 { 0xC00002E6, "STATUS_DS_NO_FPO_IN_UNIVERSAL_GROUPS" },
983 { 0xC00002E7, "STATUS_DS_MACHINE_ACCOUNT_QUOTA_EXCEEDED" },
984 { 0xC00002E8, "STATUS_MULTIPLE_FAULT_VIOLATION" },
985 { 0xC0000300, "STATUS_NOT_SUPPORTED_ON_SBS" },
986 { 0xC000035C, "STATUS_NETWORK_SESSION_EXPIRED" },
987 { 0xC0000463, "STATUS_DEVICE_FEATURE_NOT_SUPPORTED" },
988 { 0xC0000464, "STATUS_DEVICE_UNREACHABLE" },
989 { 0xC0000465, "STATUS_INVALID_TOKEN" },
990 { 0xC0009898, "STATUS_WOW_ASSERTION" },
991 { 0xC0020001, "RPC_NT_INVALID_STRING_BINDING" },
992 { 0xC0020002, "RPC_NT_WRONG_KIND_OF_BINDING" },
993 { 0xC0020003, "RPC_NT_INVALID_BINDING" },
994 { 0xC0020004, "RPC_NT_PROTSEQ_NOT_SUPPORTED" },
995 { 0xC0020005, "RPC_NT_INVALID_RPC_PROTSEQ" },
996 { 0xC0020006, "RPC_NT_INVALID_STRING_UUID" },
997 { 0xC0020007, "RPC_NT_INVALID_ENDPOINT_FORMAT" },
998 { 0xC0020008, "RPC_NT_INVALID_NET_ADDR" },
999 { 0xC0020009, "RPC_NT_NO_ENDPOINT_FOUND" },
1000 { 0xC002000A, "RPC_NT_INVALID_TIMEOUT" },
1001 { 0xC002000B, "RPC_NT_OBJECT_NOT_FOUND" },
1002 { 0xC002000C, "RPC_NT_ALREADY_REGISTERED" },
1003 { 0xC002000D, "RPC_NT_TYPE_ALREADY_REGISTERED" },
1004 { 0xC002000E, "RPC_NT_ALREADY_LISTENING" },
1005 { 0xC002000F, "RPC_NT_NO_PROTSEQS_REGISTERED" },
1006 { 0xC0020010, "RPC_NT_NOT_LISTENING" },
1007 { 0xC0020011, "RPC_NT_UNKNOWN_MGR_TYPE" },
1008 { 0xC0020012, "RPC_NT_UNKNOWN_IF" },
1009 { 0xC0020013, "RPC_NT_NO_BINDINGS" },
1010 { 0xC0020014, "RPC_NT_NO_PROTSEQS" },
1011 { 0xC0020015, "RPC_NT_CANT_CREATE_ENDPOINT" },
1012 { 0xC0020016, "RPC_NT_OUT_OF_RESOURCES" },
1013 { 0xC0020017, "RPC_NT_SERVER_UNAVAILABLE" },
1014 { 0xC0020018, "RPC_NT_SERVER_TOO_BUSY" },
1015 { 0xC0020019, "RPC_NT_INVALID_NETWORK_OPTIONS" },
1016 { 0xC002001A, "RPC_NT_NO_CALL_ACTIVE" },
1017 { 0xC002001B, "RPC_NT_CALL_FAILED" },
1018 { 0xC002001C, "RPC_NT_CALL_FAILED_DNE" },
1019 { 0xC002001D, "RPC_NT_PROTOCOL_ERROR" },
1020 { 0xC002001F, "RPC_NT_UNSUPPORTED_TRANS_SYN" },
1021 { 0xC0020021, "RPC_NT_UNSUPPORTED_TYPE" },
1022 { 0xC0020022, "RPC_NT_INVALID_TAG" },
1023 { 0xC0020023, "RPC_NT_INVALID_BOUND" },
1024 { 0xC0020024, "RPC_NT_NO_ENTRY_NAME" },
1025 { 0xC0020025, "RPC_NT_INVALID_NAME_SYNTAX" },
1026 { 0xC0020026, "RPC_NT_UNSUPPORTED_NAME_SYNTAX" },
1027 { 0xC0020028, "RPC_NT_UUID_NO_ADDRESS" },
1028 { 0xC0020029, "RPC_NT_DUPLICATE_ENDPOINT" },
1029 { 0xC002002A, "RPC_NT_UNKNOWN_AUTHN_TYPE" },
1030 { 0xC002002B, "RPC_NT_MAX_CALLS_TOO_SMALL" },
1031 { 0xC002002C, "RPC_NT_STRING_TOO_LONG" },
1032 { 0xC002002D, "RPC_NT_PROTSEQ_NOT_FOUND" },
1033 { 0xC002002E, "RPC_NT_PROCNUM_OUT_OF_RANGE" },
1034 { 0xC002002F, "RPC_NT_BINDING_HAS_NO_AUTH" },
1035 { 0xC0020030, "RPC_NT_UNKNOWN_AUTHN_SERVICE" },
1036 { 0xC0020031, "RPC_NT_UNKNOWN_AUTHN_LEVEL" },
1037 { 0xC0020032, "RPC_NT_INVALID_AUTH_IDENTITY" },
1038 { 0xC0020033, "RPC_NT_UNKNOWN_AUTHZ_SERVICE" },
1039 { 0xC0020034, "EPT_NT_INVALID_ENTRY" },
1040 { 0xC0020035, "EPT_NT_CANT_PERFORM_OP" },
1041 { 0xC0020036, "EPT_NT_NOT_REGISTERED" },
1042 { 0xC0020037, "RPC_NT_NOTHING_TO_EXPORT" },
1043 { 0xC0020038, "RPC_NT_INCOMPLETE_NAME" },
1044 { 0xC0020039, "RPC_NT_INVALID_VERS_OPTION" },
1045 { 0xC002003A, "RPC_NT_NO_MORE_MEMBERS" },
1046 { 0xC002003B, "RPC_NT_NOT_ALL_OBJS_UNEXPORTED" },
1047 { 0xC002003C, "RPC_NT_INTERFACE_NOT_FOUND" },
1048 { 0xC002003D, "RPC_NT_ENTRY_ALREADY_EXISTS" },
1049 { 0xC002003E, "RPC_NT_ENTRY_NOT_FOUND" },
1050 { 0xC002003F, "RPC_NT_NAME_SERVICE_UNAVAILABLE" },
1051 { 0xC0020040, "RPC_NT_INVALID_NAF_ID" },
1052 { 0xC0020041, "RPC_NT_CANNOT_SUPPORT" },
1053 { 0xC0020042, "RPC_NT_NO_CONTEXT_AVAILABLE" },
1054 { 0xC0020043, "RPC_NT_INTERNAL_ERROR" },
1055 { 0xC0020044, "RPC_NT_ZERO_DIVIDE" },
1056 { 0xC0020045, "RPC_NT_ADDRESS_ERROR" },
1057 { 0xC0020046, "RPC_NT_FP_DIV_ZERO" },
1058 { 0xC0020047, "RPC_NT_FP_UNDERFLOW" },
1059 { 0xC0020048, "RPC_NT_FP_OVERFLOW" },
1060 { 0xC0020049, "RPC_NT_CALL_IN_PROGRESS" },
1061 { 0xC002004A, "RPC_NT_NO_MORE_BINDINGS" },
1062 { 0xC002004B, "RPC_NT_GROUP_MEMBER_NOT_FOUND" },
1063 { 0xC002004C, "EPT_NT_CANT_CREATE" },
1064 { 0xC002004D, "RPC_NT_INVALID_OBJECT" },
1065 { 0xC002004F, "RPC_NT_NO_INTERFACES" },
1066 { 0xC0020050, "RPC_NT_CALL_CANCELLED" },
1067 { 0xC0020051, "RPC_NT_BINDING_INCOMPLETE" },
1068 { 0xC0020052, "RPC_NT_COMM_FAILURE" },
1069 { 0xC0020053, "RPC_NT_UNSUPPORTED_AUTHN_LEVEL" },
1070 { 0xC0020054, "RPC_NT_NO_PRINC_NAME" },
1071 { 0xC0020055, "RPC_NT_NOT_RPC_ERROR" },
1072 { 0xC0020057, "RPC_NT_SEC_PKG_ERROR" },
1073 { 0xC0020058, "RPC_NT_NOT_CANCELLED" },
1074 { 0xC0021007, "RPC_P_RECEIVE_ALERTED" },
1075 { 0xC0021008, "RPC_P_CONNECTION_CLOSED" },
1076 { 0xC0021009, "RPC_P_RECEIVE_FAILED" },
1077 { 0xC002100A, "RPC_P_SEND_FAILED" },
1078 { 0xC002100B, "RPC_P_TIMEOUT" },
1079 { 0xC002100C, "RPC_P_SERVER_TRANSPORT_ERROR" },
1080 { 0xC002100E, "RPC_P_EXCEPTION_OCCURRED" },
1081 { 0xC0021012, "RPC_P_CONNECTION_SHUTDOWN" },
1082 { 0xC0021015, "RPC_P_THREAD_LISTENING" },
1083 { 0xC0030001, "RPC_NT_NO_MORE_ENTRIES" },
1084 { 0xC0030002, "RPC_NT_SS_CHAR_TRANS_OPEN_FAIL" },
1085 { 0xC0030003, "RPC_NT_SS_CHAR_TRANS_SHORT_FILE" },
1086 { 0xC0030004, "RPC_NT_SS_IN_NULL_CONTEXT" },
1087 { 0xC0030005, "RPC_NT_SS_CONTEXT_MISMATCH" },
1088 { 0xC0030006, "RPC_NT_SS_CONTEXT_DAMAGED" },
1089 { 0xC0030007, "RPC_NT_SS_HANDLES_MISMATCH" },
1090 { 0xC0030008, "RPC_NT_SS_CANNOT_GET_CALL_HANDLE" },
1091 { 0xC0030009, "RPC_NT_NULL_REF_POINTER" },
1092 { 0xC003000A, "RPC_NT_ENUM_VALUE_OUT_OF_RANGE" },
1093 { 0xC003000B, "RPC_NT_BYTE_COUNT_TOO_SMALL" },
1094 { 0xC003000C, "RPC_NT_BAD_STUB_DATA" },
1095 { 0xC0030059, "RPC_NT_INVALID_ES_ACTION" },
1096 { 0xC003005A, "RPC_NT_WRONG_ES_VERSION" },
1097 { 0xC003005B, "RPC_NT_WRONG_STUB_VERSION" },
1098 { 0xC003005C, "RPC_NT_INVALID_PIPE_OBJECT" },
1099 { 0xC003005D, "RPC_NT_INVALID_PIPE_OPERATION" },
1100 { 0xC003005E, "RPC_NT_WRONG_PIPE_VERSION" },
1101 { 0xC05C0000, "STATUS_SVHDX_ERROR_STORED" },
1102 { 0xC05CFF00, "STATUS_SVHDX_ERROR_NOT_AVAILABLE" },
1103 { 0xC05CFF01, "STATUS_SVHDX_UNIT_ATTENTION_AVAILABLE" },
1104 { 0xC05CFF02, "STATUS_SVHDX_UNIT_ATTENTION_CAPACITY_DATA_CHANGED" },
1105 { 0xC05CFF03, "STATUS_SVHDX_UNIT_ATTENTION_RESERVATIONS_PREEMPTED" },
1106 { 0xC05CFF04, "STATUS_SVHDX_UNIT_ATTENTION_RESERVATIONS_RELEASED" },
1107 { 0xC05CFF05, "STATUS_SVHDX_UNIT_ATTENTION_REGISTRATIONS_PREEMPTED" },
1108 { 0xC05CFF06, "STATUS_SVHDX_UNIT_ATTENTION_OPERATING_DEFINITION_CHANGED" },
1109 { 0xC05CFF07, "STATUS_SVHDX_RESERVATION_CONFLICT" },
1110 { 0xC05CFF08, "STATUS_SVHDX_WRONG_FILE_TYPE" },
1111 { 0xC05CFF09, "STATUS_SVHDX_VERSION_MISMATCH" },
1112 { 0xC05CFF0A, "STATUS_VHD_SHARED" },
1113 { 0xC05D0000, "STATUS_SMB_NO_PREAUTH_INTEGRITY_HASH_OVERLAP" },
1114 { 0xC05D0001, "STATUS_SMB_BAD_CLUSTER_DIALECT" },
1115 { 0, NULL }
1116 };
1117 value_string_ext NT_errors_ext = VALUE_STRING_EXT_INIT(NT_errors);
1118
1119 /* These are the MS country codes from
1120
1121 https://web.archive.org/web/20081224015707/http://www.unicode.org/unicode/onlinedat/countries.html
1122
1123 For countries that share the same number, I choose to use only the
1124 name of the largest country. Apologies for this. If this offends you,
1125 here is the table to change that.
1126
1127 This also includes the code of 0 for "Default", which isn't in
1128 that list, but is in Microsoft's SDKs and the Cygnus "winnls.h"
1129 header file. Presumably it means "don't override the setting
1130 on the user's machine".
1131
1132 Future versions of Microsoft's "winnls.h" header file might include
1133 additional codes; the current version matches the Unicode Consortium's
1134 table.
1135 */
1136 static const value_string ms_country_codes[] = {
1137 { 0, "Default"},
1138 { 1, "USA"},
1139 { 2, "Canada"},
1140 { 7, "Russia"},
1141 { 20, "Egypt"},
1142 { 27, "South Africa"},
1143 { 30, "Greece"},
1144 { 31, "Netherlands"},
1145 { 32, "Belgium"},
1146 { 33, "France"},
1147 { 34, "Spain"},
1148 { 36, "Hungary"},
1149 { 39, "Italy"},
1150 { 40, "Romania"},
1151 { 41, "Switzerland"},
1152 { 43, "Austria"},
1153 { 44, "United Kingdom"},
1154 { 45, "Denmark"},
1155 { 46, "Sweden"},
1156 { 47, "Norway"},
1157 { 48, "Poland"},
1158 { 49, "Germany"},
1159 { 51, "Peru"},
1160 { 52, "Mexico"},
1161 { 54, "Argentina"},
1162 { 55, "Brazil"},
1163 { 56, "Chile"},
1164 { 57, "Colombia"},
1165 { 58, "Venezuela"},
1166 { 60, "Malaysia"},
1167 { 61, "Australia"},
1168 { 62, "Indonesia"},
1169 { 63, "Philippines"},
1170 { 64, "New Zealand"},
1171 { 65, "Singapore"},
1172 { 66, "Thailand"},
1173 { 81, "Japan"},
1174 { 82, "South Korea"},
1175 { 84, "Viet Nam"},
1176 { 86, "China"},
1177 { 90, "Turkey"},
1178 { 91, "India"},
1179 { 92, "Pakistan"},
1180 {212, "Morocco"},
1181 {213, "Algeria"},
1182 {216, "Tunisia"},
1183 {218, "Libya"},
1184 {254, "Kenya"},
1185 {263, "Zimbabwe"},
1186 {298, "Faroe Islands"},
1187 {351, "Portugal"},
1188 {352, "Luxembourg"},
1189 {353, "Ireland"},
1190 {354, "Iceland"},
1191 {355, "Albania"},
1192 {358, "Finland"},
1193 {359, "Bulgaria"},
1194 {370, "Lithuania"},
1195 {371, "Latvia"},
1196 {372, "Estonia"},
1197 {374, "Armenia"},
1198 {375, "Belarus"},
1199 {380, "Ukraine"},
1200 {381, "Serbia"},
1201 {385, "Croatia"},
1202 {386, "Slovenia"},
1203 {389, "Macedonia"},
1204 {420, "Czech Republic"},
1205 {421, "Slovak Republic"},
1206 {501, "Belize"},
1207 {502, "Guatemala"},
1208 {503, "El Salvador"},
1209 {504, "Honduras"},
1210 {505, "Nicaragua"},
1211 {506, "Costa Rica"},
1212 {507, "Panama"},
1213 {591, "Bolivia"},
1214 {593, "Ecuador"},
1215 {595, "Paraguay"},
1216 {598, "Uruguay"},
1217 {673, "Brunei Darussalam"},
1218 {852, "Hong Kong"},
1219 {853, "Macau"},
1220 {886, "Taiwan"},
1221 {960, "Maldives"},
1222 {961, "Lebanon"},
1223 {962, "Jordan"},
1224 {963, "Syria"},
1225 {964, "Iraq"},
1226 {965, "Kuwait"},
1227 {966, "Saudi Arabia"},
1228 {967, "Yemen"},
1229 {968, "Oman"},
1230 {971, "United Arab Emirates"},
1231 {972, "Israel"},
1232 {973, "Bahrain"},
1233 {974, "Qatar"},
1234 {976, "Mongolia"},
1235 {981, "Iran"},
1236 {994, "Azerbaijan"},
1237 {995, "Georgia"},
1238 {996, "Kyrgyzstan"},
1239
1240 {0, NULL}
1241 };
1242 value_string_ext ms_country_codes_ext = VALUE_STRING_EXT_INIT(ms_country_codes);
1243
1244 /*module_t* module;*/
1245 /*pref_t* sid_display_hex;*/
1246
1247 static proto_item *
1248 add_nttime(tvbuff_t *tvb, proto_tree *tree, int offset, int hf_date,
1249 uint64_t filetime)
1250 {
1251 proto_item *item;
1252 nstime_t ts;
1253
1254 if (filetime == 0) {
1255 ts.secs = 0;
1256 ts.nsecs = 0;
1257 item = proto_tree_add_time_format_value(tree, hf_date, tvb, offset, 8,
1258 &ts, "No time specified (0)");
1259 } else if (filetime == UINT64_C(0x8000000000000000)) {
1260 ts.secs = 0;
1261 ts.nsecs = 0x80000000;
1262 item = proto_tree_add_time_format_value(tree, hf_date, tvb, offset, 8,
1263 &ts, "Infinity (relative time)");
1264 } else if (filetime == UINT64_C(0x7fffffffffffffff)) {
1265 ts.secs = 0xffffffff;
1266 ts.nsecs = 0x7fffffff;
1267 item = proto_tree_add_time_format_value(tree, hf_date, tvb, offset, 8,
1268 &ts, "Infinity (absolute time)");
1269 } else {
1270 if (filetime_to_nstime(&ts, filetime)) {
1271 item = proto_tree_add_time(tree, hf_date, tvb,
1272 offset, 8, &ts);
1273 } else {
1274 item = proto_tree_add_time_format_value(tree, hf_date, tvb, offset, 8,
1275 &ts, "Time can't be converted");
1276 }
1277 }
1278 return item;
1279 }
1280
1281 proto_item *
1282 dissect_nttime(tvbuff_t *tvb, proto_tree *tree, int offset, int hf_date, const unsigned encoding)
1283 {
1284 if (tree) {
1285 uint32_t filetime_high, filetime_low;
1286 uint64_t filetime;
1287
1288 filetime_low = tvb_get_uint32(tvb, offset, encoding);
1289 filetime_high = tvb_get_uint32(tvb, offset + 4, encoding);
1290 filetime = ((uint64_t)filetime_high << 32) | filetime_low;
1291 return add_nttime(tvb, tree, offset, hf_date, filetime);
1292 }
1293 return NULL;
1294 }
1295
1296 proto_item *
1297 dissect_nttime_hyper(tvbuff_t *tvb, proto_tree *tree, int offset, int hf_date, const unsigned encoding)
1298 {
1299 if (tree) {
1300 uint64_t filetime;
1301
1302 filetime = tvb_get_uint64(tvb, offset, encoding);
1303 return add_nttime(tvb, tree, offset, hf_date, filetime);
1304 }
1305 return NULL;
1306 }
1307
1308 proto_item *
1309 dissect_nttime_hyper_1sec(tvbuff_t *tvb, proto_tree *tree, int offset, int hf_date, const unsigned encoding)
1310 {
1311 if (tree) {
1312 uint64_t ftsecs;
1313 nstime_t ts;
1314
1315 ftsecs = tvb_get_uint64(tvb, offset, encoding);
1316 if (filetime_1sec_to_nstime(&ts, ftsecs)) {
1317 return proto_tree_add_time(tree, hf_date, tvb,
1318 offset, 8, &ts);
1319 } else {
1320 ts.secs = ftsecs;
1321 ts.nsecs = 0;
1322 return proto_tree_add_time_format_value(tree, hf_date, tvb, offset, 8,
1323 &ts, "Time can't be converted");
1324 }
1325 }
1326 return NULL;
1327 }
1328
1329 /* Well-known SIDs defined in
1330
1331 https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems
1332 */
1333 static const sid_strings well_known_sids[] = {
1334 {"S-1-0", "Null Authority"},
1335 {"S-1-0-0", "Nobody"},
1336 {"S-1-1", "World Authority"},
1337 {"S-1-1-0", "Everyone"},
1338 {"S-1-2", "Local Authority"},
1339 {"S-1-2-0", "Local"},
1340 {"S-1-2-1", "Console Logon"},
1341 {"S-1-3", "Creator Authority"},
1342 {"S-1-3-0", "Creator Owner"},
1343 {"S-1-3-1", "Creator Group"},
1344 {"S-1-3-2", "Creator Owner Server"},
1345 {"S-1-3-3", "Creator Group Server"},
1346 {"S-1-3-4", "Owner Rights"},
1347 {"S-1-4", "Non-unique Authority"},
1348
1349 {"S-1-5", "NT Authority"},
1350 {"S-1-5-1", "Dialup"},
1351 {"S-1-5-2", "Network"},
1352 {"S-1-5-3", "Batch"},
1353 {"S-1-5-4", "Interactive"},
1354 {"S-1-5-5", "Logon Session"}, /* S-1-5-5-X-Y has 6 fields */
1355 {"S-1-5-6", "Service"},
1356 {"S-1-5-7", "Anonymous"},
1357 {"S-1-5-8", "Proxy"},
1358 {"S-1-5-9", "Enterprise Domain Controllers"},
1359 {"S-1-5-10", "Principal Self"},
1360 {"S-1-5-11", "Authenticated Users"},
1361 {"S-1-5-12", "Restricted Code"},
1362 {"S-1-5-13", "Terminal Server Users"},
1363 {"S-1-5-14", "Remote Interactive Logon"},
1364 {"S-1-5-15", "All users in this organization"},
1365 {"S-1-5-17", "Default IIS user account"},
1366 {"S-1-5-18", "Local System"},
1367 {"S-1-5-19", "Local Service"},
1368 {"S-1-5-20", "Network Service"},
1369
1370 {"S-1-5-21-0-0-0-496", "Compounded Authentication"},
1371 {"S-1-5-21-0-0-0-497", "Claims Valid"},
1372
1373 /*
1374 * S-1-5-21-<d1>-<d2>-<d3>-<RID> where "<d1>-<d2>-<d3>" is the NT domain
1375 * RIDs are defined in 'wkwn_S_1_5_21_rids' */
1376 {"S-1-5-21", "Domain SID"},
1377
1378 /* S-1-5-32-<RID>: Builtin local group SIDs */
1379 {"S-1-5-32", "Local Group"},
1380 {"S-1-5-32-544", "Administrators"},
1381 {"S-1-5-32-545", "Users"},
1382 {"S-1-5-32-546", "Guests"},
1383 {"S-1-5-32-547", "Power Users"},
1384 {"S-1-5-32-548", "Account Operators"},
1385 {"S-1-5-32-549", "Server Operators"},
1386 {"S-1-5-32-550", "Print Operators"},
1387 {"S-1-5-32-551", "Backup Operators"},
1388 {"S-1-5-32-552", "Replicators"},
1389 {"S-1-5-32-554", "Pre-Windows 2000 Compatible Access"},
1390 {"S-1-5-32-555", "Remote Desktop Users"},
1391 {"S-1-5-32-556", "Network Configuration Operators"},
1392 {"S-1-5-32-557", "Incoming Forest Trust Builders"},
1393 {"S-1-5-32-558", "Performance Monitor Users"},
1394 {"S-1-5-32-559", "Performance Log Users"},
1395 {"S-1-5-32-560", "Windows Authorization Access Group"},
1396 {"S-1-5-32-561", "Terminal Server License Servers"},
1397 {"S-1-5-32-562", "Distributed COM Users"},
1398 {"S-1-5-32-568", "IIS Users"},
1399 {"S-1-5-32-569", "Cryptographic Operators"},
1400 {"S-1-5-32-573", "Event Log Readers"},
1401 {"S-1-5-32-574", "Certificate Service DCOM Access"},
1402 {"S-1-5-32-575", "RDS Remote Access Servers"},
1403 {"S-1-5-32-576", "RDS Endpoint Servers"},
1404 {"S-1-5-32-577", "RDS Management Servers"},
1405 {"S-1-5-32-578", "Hyper-V Admins"},
1406 {"S-1-5-32-579", "Access Control Assistance Operators"},
1407 {"S-1-5-32-580", "Remote Management Users"},
1408
1409 {"S-1-5-33", "Write Restricted Code"},
1410
1411 {"S-1-5-64", "Authentication"},
1412 {"S-1-5-64-10", "NTLM"},
1413 {"S-1-5-64-14", "SChannel"},
1414 {"S-1-5-64-21", "Digest"},
1415
1416 {"S-1-5-80", "NT Service"},
1417
1418 {"S-1-5-84-0-0-0-0-0", "User Mode Drivers"},
1419
1420 {"S-1-5-113", "Local Account"},
1421 {"S-1-5-114", "Local Administrator Account"},
1422
1423 {"S-1-5-1000", "Other Organisation"},
1424
1425 {"S-1-15-2-1", "All App Packages"},
1426
1427 {"S-1-16", "Mandatory Level"},
1428 {"S-1-16-0", "Untrusted"},
1429 {"S-1-16-4096", "Low"},
1430 {"S-1-16-8192", "Medium"},
1431 {"S-1-16-8448", "Medium Plus"},
1432 {"S-1-16-12288", "High"},
1433 {"S-1-16-16384", "System"},
1434 {"S-1-16-20480", "Protected Process"},
1435 {"S-1-16-28672", "Secure Process"},
1436
1437 {"S-1-18-1", "Authentication Authority Asserted Identity"},
1438 {"S-1-18-2", "Service Asserted Identity"},
1439 {"S-1-18-3", "Fresh Public Key Identity"},
1440 {"S-1-18-4", "Key Trust Identity"},
1441 {"S-1-18-5", "Key Property Multifactor Authentication"},
1442 {"S-1-18-6", "Key Property Attestation"},
1443
1444 {NULL, NULL}
1445 };
1446
1447 static const char*
1448 match_wkwn_sids(const char* sid) {
1449 int i = 0;
1450 while (well_known_sids[i].name) {
1451 if (strcmp(well_known_sids[i].sid, sid)==0) {
1452 return well_known_sids[i].name;
1453 }
1454 i++;
1455 }
1456 return NULL;
1457 }
1458
1459 /* For SIDs in the form 'S-1-5-21-X-Y-Z-<RID>', '21-X-Y-Z' is referred to
1460 as the "domain SID" (NT domain) or "machine SID" (local machine).
1461 The following are well-known RIDs which are appended to domain/machine SIDs
1462 as defined in
1463
1464 https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems
1465 */
1466 static const value_string wkwn_S_1_5_21_rids[] = {
1467 {496, "Compounded Authentication"},
1468 {497, "Claims Valid"},
1469 {498, "Enterprise Read-only Domain Controllers"},
1470 {500, "Administrator"},
1471 {501, "Guest"},
1472 {502, "KRBTGT"},
1473 {512, "Domain Admins"},
1474 {513, "Domain Users"},
1475 {514, "Domain Guests"},
1476 {515, "Domain Computers"},
1477 {516, "Domain Controllers"},
1478 {517, "Cert Publishers"},
1479 {518, "Schema Administrators"},
1480 {519, "Enterprise Admins"},
1481 {520, "Group Policy Creator Owners"},
1482 {521, "Read-only Domain Controllers"},
1483 {522, "Cloneable Controllers"},
1484 {525, "Protected Users"},
1485 {526, "Key Admins"},
1486 {527, "Enterprise Key Admins"},
1487 {553, "RAS and IAS Servers"},
1488 {571, "Allowed RODC Password Replication Group"},
1489 {572, "Denied RODC Password Replication Group"},
1490 {0, NULL}
1491 };
1492 static value_string_ext wkwn_S_1_5_21_rids_ext = VALUE_STRING_EXT_INIT(wkwn_S_1_5_21_rids);
1493
1494 /* Dissect an NT SID. Label it with 'name' and return a string version
1495 * of the SID in the 'sid_str' parameter which has a packet lifetime
1496 * scope and should NOT be freed by the caller. hf_sid can be -1 if
1497 * the caller doesn't care what name is used and then "nt.sid" will be
1498 * the default instead. If the caller wants a more appropriate hf
1499 * field, it will just pass a FT_STRING hf field here
1500 */
1501 int
1502 dissect_nt_sid(tvbuff_t *tvb, int offset, proto_tree *parent_tree,
1503 const char *name, char **sid_str, int hf_sid)
1504 {
1505 int offset_sid_start = offset, sa_offset, rid_offset=0, wkwn_sid1_len=0,
1506 wkwn_sid2_len = 0, i;
1507 uint8_t revision, num_auth;
1508 uint32_t sa_field, rid=0;
1509 uint64_t authority=0;
1510 wmem_strbuf_t *sa_str = NULL, *sid_in_dec_str = NULL, *sid_in_hex_str = NULL, *label_str = NULL,
1511 *domain_str = NULL, *wkwn_sid1_str = NULL, *wkwn_sid2_str = NULL;
1512 const char *mapped_name = NULL, *mapped_rid = NULL;
1513 bool domain_sid = false, s_1_5_32 = false, s_1_5_64 = false, locally_defined = false,
1514 S_1_16 = false;
1515 proto_item *item = NULL, *hidden_item;
1516 proto_tree *subtree = NULL;
1517
1518 /* Revision of SID */
1519 revision = tvb_get_uint8(tvb, offset);
1520 offset++;
1521
1522 /* Number of subauthority fields */
1523 num_auth = tvb_get_uint8(tvb, offset);
1524 offset++;
1525
1526 if(sid_str)
1527 *sid_str=NULL;
1528
1529 if(hf_sid <= 0){
1530 /* if no tree, just return the offset of the end_of_SID+1 */
1531 if (!parent_tree)
1532 return offset+(6+(num_auth*4));
1533
1534 hf_sid=hf_nt_sid;
1535 }
1536
1537 /* Identifier Authority */
1538 for(i=0; i<6; i++){
1539 authority = (authority << 8) + tvb_get_uint8(tvb, offset);
1540 offset++;
1541 }
1542
1543 sid_in_dec_str = wmem_strbuf_create(wmem_packet_scope());
1544 wmem_strbuf_append_printf (sid_in_dec_str, "S-%u-%" PRIu64, revision, authority);
1545
1546 /* If sid_display_hex is set, sid_in_dec_str is still needed for
1547 looking up well-known SIDs*/
1548 if (sid_display_hex) {
1549 sid_in_hex_str = wmem_strbuf_create(wmem_packet_scope());
1550 wmem_strbuf_append_printf (sid_in_hex_str, "S-%x-%" PRIx64, revision, authority);
1551 }
1552
1553 wkwn_sid1_str = wmem_strbuf_create(wmem_packet_scope());
1554 label_str = wmem_strbuf_create(wmem_packet_scope());
1555
1556 if (strcmp(wmem_strbuf_get_str(sid_in_dec_str), "S-1-16")==0)
1557 S_1_16 = true;
1558
1559 /* Check for Scoped Policy ID (S-1-17-<subauth1>...) */
1560 if (authority == 17) {
1561 mapped_name = "Central Access Policy";
1562 }
1563
1564 /* Look for well-known SIDs in format 'S-1-<Identifier Authority>' (i.e., exactly 3 fields) */
1565 if (num_auth==0 || S_1_16 || mapped_name) {
1566 if (!mapped_name)
1567 mapped_name = match_wkwn_sids(wmem_strbuf_get_str(sid_in_dec_str));
1568
1569 if (mapped_name) {
1570 wmem_strbuf_append(label_str, mapped_name);
1571 wmem_strbuf_append(wkwn_sid1_str,
1572 (sid_display_hex ? wmem_strbuf_get_str(sid_in_hex_str) : wmem_strbuf_get_str(sid_in_dec_str)));
1573 wkwn_sid1_len = 8;
1574 }
1575 }
1576
1577
1578 sa_offset = offset;
1579 sa_str = wmem_strbuf_create(wmem_packet_scope());
1580 wkwn_sid2_str = wmem_strbuf_create(wmem_packet_scope());
1581 domain_str = wmem_strbuf_create(wmem_packet_scope());
1582
1583 /* Build the sub-authorities and full SID strings */
1584 for(i=1; i<num_auth+1; i++) {
1585 /*
1586 * XXX should not be letohl but native byteorder according to
1587 * Samba header files.
1588 *
1589 * However, considering that there were never any NT ports
1590 * to big-endian platforms (PowerPC and MIPS ran little-endian,
1591 * and IA-64 runs little-endian, as does x86-64), we can (?)
1592 * assume that non le byte encodings will be "uncommon"?
1593 */
1594 sa_field = tvb_get_letohl(tvb, offset);
1595 wmem_strbuf_append_printf(sid_in_dec_str, "-%u", sa_field);
1596 wmem_strbuf_append_printf(sa_str,
1597 (i==1 ? (sid_display_hex ? "%x" : "%u") : (sid_display_hex ? "-%x" : "-%u")),
1598 sa_field);
1599 if (sid_display_hex)
1600 wmem_strbuf_append_printf(sid_in_hex_str, "-%x", sa_field);
1601
1602 if (i==1) {
1603 /* Look for well-known SIDs at level one ("S-1-<authority>-<value>") */
1604 if (S_1_16) {
1605 /* Mandatory Level (S-1-16) */
1606 mapped_rid = match_wkwn_sids(wmem_strbuf_get_str(sid_in_dec_str));
1607 if (mapped_rid) {
1608 /* Get the RID */
1609 wmem_strbuf_append_printf(label_str, "%s-%s", mapped_name, mapped_rid);
1610 rid = sa_field;
1611 rid_offset = offset;
1612 wmem_strbuf_append(wkwn_sid2_str,
1613 (sid_display_hex ? wmem_strbuf_get_str(sid_in_hex_str) : wmem_strbuf_get_str(sid_in_dec_str)));
1614 wkwn_sid1_len=12; }
1615 } else {
1616 mapped_name = match_wkwn_sids(wmem_strbuf_get_str(sid_in_dec_str));
1617 if (mapped_name) {
1618 wmem_strbuf_append(label_str, mapped_name);
1619 wmem_strbuf_append(wkwn_sid1_str,
1620 (sid_display_hex ? wmem_strbuf_get_str(sid_in_hex_str) : wmem_strbuf_get_str(sid_in_dec_str)));
1621 wkwn_sid1_len = 12;
1622 }
1623 /* The following three SID types have (unique) RIDs */
1624 if (strcmp(wmem_strbuf_get_str(sid_in_dec_str), "S-1-5-21")==0) {
1625 /* Domain SID */
1626 domain_sid = true;
1627 } else if (strcmp(wmem_strbuf_get_str(sid_in_dec_str), "S-1-5-32")==0) {
1628 /* Local Group (S-1-5-32) SID */
1629 s_1_5_32 = true;
1630 } else if (strcmp(wmem_strbuf_get_str(sid_in_dec_str), "S-1-5-64")==0) {
1631 /* Authentication (S-1-5-64) SID */
1632 s_1_5_64 = true;
1633 }
1634 }
1635 } else if (i==2 && !domain_sid) {
1636 /* The only well-known SIDS with two subauthority fields ("level 2 SIDs") are
1637 Local Group (S-1-5-32), and Authentication (S-1-5-64). */
1638 if (s_1_5_32 || s_1_5_64) {
1639 mapped_rid = match_wkwn_sids(wmem_strbuf_get_str(sid_in_dec_str));
1640 if (mapped_rid) {
1641 /* Get the RID */
1642 wmem_strbuf_append_printf(label_str, "-%s", mapped_rid);
1643 rid = sa_field;
1644 rid_offset = offset;
1645 wmem_strbuf_append(wkwn_sid2_str,
1646 (sid_display_hex ? wmem_strbuf_get_str(sid_in_hex_str) : wmem_strbuf_get_str(sid_in_dec_str)));
1647 wkwn_sid2_len=16;
1648 } else {
1649 /* The RID not well-known. */
1650 locally_defined = true;
1651 }
1652 } else {
1653 if (mapped_name) {
1654 /* A level 1 well-known SID appended with locally defined value */
1655 locally_defined = true;
1656 }
1657 }
1658 } else {
1659 /* 3 or more sub-auth fields - NOTE: Except for domain SIDs, there are no wkwn SIDs with 3 or more
1660 sub-auth fields so we don't lookup SIDs here. Logon Session SIDs have 3 sub-auth fields but the
1661 last two are locally defined. */
1662 if (domain_sid) {
1663 if (num_auth >= 4) {
1664 if (i >= 2 && i <=4 ) {
1665 /* Add the field to the domain string (d1-d2-d3) */
1666 wmem_strbuf_append_printf(domain_str,
1667 (i==2 ? (sid_display_hex ? "%x" : "%u") : (sid_display_hex ? "-%x" : "-%u")), sa_field);
1668
1669 } else if (i==5) {
1670 rid = sa_field;
1671 rid_offset = offset;
1672 mapped_rid = val_to_str_ext_const(rid, &wkwn_S_1_5_21_rids_ext, "Domain RID");
1673 wmem_strbuf_append_printf(label_str, "-%s", mapped_rid);
1674
1675 } else {
1676 locally_defined = true;
1677 }
1678 } else {
1679 mapped_name = "Corrupt domain SID";
1680 }
1681 } else {
1682 if (mapped_name) {
1683 /* A locally defined value appended to a level 2 well-known SID*/
1684 locally_defined = true;
1685 }
1686 }
1687 }
1688 offset+=4;
1689 } /* End of for loop */
1690
1691 if ( !(mapped_name || domain_sid || s_1_5_32 || s_1_5_64) ) {
1692 /* If requested, try to map the NON-well-known SID to an object name discovered in this capture */
1693 if (sid_name_snooping) {
1694 mapped_name = find_sid_name(wmem_strbuf_get_str(sid_in_dec_str));
1695 } else {
1696 mapped_name = "<Unknown SID type>";
1697 }
1698 }
1699
1700 if (locally_defined) {
1701 wmem_strbuf_append_printf(label_str, "-<locally defined>");
1702 }
1703
1704 /* It's tree time
1705 Display the full SID string in hex or dec */
1706 item = proto_tree_add_string_format(
1707 parent_tree, hf_sid, tvb, offset_sid_start, (offset - offset_sid_start),
1708 (sid_display_hex ? wmem_strbuf_get_str(sid_in_hex_str) : wmem_strbuf_get_str(sid_in_dec_str)),
1709 "%s: %s", name, (sid_display_hex ? wmem_strbuf_get_str(sid_in_hex_str) : wmem_strbuf_get_str(sid_in_dec_str))
1710 );
1711
1712 if (wmem_strbuf_get_len(label_str) > 0) {
1713 proto_item_append_text(item, " (%s)", wmem_strbuf_get_str(label_str));
1714 }
1715
1716 subtree = proto_item_add_subtree(item, ett_nt_sid);
1717
1718 /* Add revision, num_auth, and authority */
1719 proto_tree_add_item(subtree, hf_nt_sid_revision, tvb, offset_sid_start, 1, ENC_LITTLE_ENDIAN);
1720 proto_tree_add_item(subtree, hf_nt_sid_num_auth, tvb, offset_sid_start+1, 1, ENC_LITTLE_ENDIAN);
1721 proto_tree_add_uint64(subtree,
1722 (sid_display_hex ? hf_nt_sid_auth_hex : hf_nt_sid_auth_dec),
1723 tvb, offset_sid_start+2, 6, authority);
1724
1725 /* Add subauthorities */
1726 proto_tree_add_string_format_value(subtree, hf_nt_sid_subauth, tvb, sa_offset,
1727 num_auth*4, wmem_strbuf_get_str(sa_str), "%s", wmem_strbuf_get_str(sa_str));
1728
1729 if (rid) {
1730 item = proto_tree_add_item (subtree,
1731 (sid_display_hex ? hf_nt_sid_rid_hex : hf_nt_sid_rid_dec), tvb, rid_offset, 4, ENC_LITTLE_ENDIAN);
1732
1733 if (mapped_rid)
1734 proto_item_append_text(item, " (%s)", mapped_rid);
1735 }
1736
1737 /* Add well-known SID and domain strings if present */
1738 if (wmem_strbuf_get_len(wkwn_sid1_str) > 0) {
1739 hidden_item = proto_tree_add_string_format_value(
1740 subtree, hf_nt_sid_wkwn, tvb, offset_sid_start, wkwn_sid1_len,
1741 wmem_strbuf_get_str(wkwn_sid1_str), "%s", wmem_strbuf_get_str(wkwn_sid1_str));
1742
1743 if (mapped_name) {
1744 proto_item_append_text(hidden_item, " (%s)", mapped_name);
1745 }
1746 proto_item_set_hidden(hidden_item);
1747 }
1748 if (wmem_strbuf_get_len(wkwn_sid2_str) > 0) {
1749 hidden_item = proto_tree_add_string_format_value(
1750 subtree, hf_nt_sid_wkwn, tvb, offset_sid_start, wkwn_sid2_len,
1751 wmem_strbuf_get_str(wkwn_sid2_str), "%s", wmem_strbuf_get_str(wkwn_sid2_str));
1752 if (wmem_strbuf_get_len(label_str) > 0) {
1753 proto_item_append_text(hidden_item, " (%s)", wmem_strbuf_get_str(label_str));
1754 }
1755 proto_item_set_hidden(hidden_item);
1756 }
1757 if (domain_sid && wmem_strbuf_get_len(domain_str) > 0) {
1758 hidden_item = proto_tree_add_string_format_value(
1759 subtree, hf_nt_sid_domain, tvb, offset_sid_start + 12, 12,
1760 wmem_strbuf_get_str(domain_str), "%s", wmem_strbuf_get_str(domain_str));
1761 proto_item_set_hidden(hidden_item);
1762 }
1763
1764 /* If requested, return SID string with mapped name */
1765 if(sid_str){
1766 if(wmem_strbuf_get_len(label_str) > 0){
1767 *sid_str = wmem_strdup_printf(wmem_packet_scope(), "%s (%s)",
1768 (sid_display_hex ? wmem_strbuf_get_str(sid_in_hex_str) : wmem_strbuf_get_str(sid_in_dec_str)), wmem_strbuf_get_str(label_str));
1769 } else {
1770 *sid_str = wmem_strdup(wmem_packet_scope(), sid_display_hex ? wmem_strbuf_get_str(sid_in_hex_str) : wmem_strbuf_get_str(sid_in_dec_str));
1771 }
1772 if(!(*sid_str)){
1773 *sid_str=wmem_strdup(wmem_packet_scope(), "corrupted SID");
1774 }
1775 }
1776 return offset;
1777 }
1778
1779 /* Dissect SYSTEM_RESOURCE_ATTRIBUTE_ACE Value, see [MS-DTYP] v20180912 section 2.4.4.15 */
1780 static int
1781 dissect_nt_ace_system_resource_attribute_value(tvbuff_t *tvb, int value_offset, proto_tree *tree,
1782 uint16_t value_type, proto_item *sra_item)
1783 {
1784 unsigned value_len;
1785 uint32_t blob_len;
1786 proto_item *value_item = NULL;
1787 char *value_str = NULL; /* packet scope, do not free */
1788 bool quote = false;
1789 switch (value_type) {
1790 case CLAIM_SECURITY_ATTRIBUTE_TYPE_INT64:
1791 value_len = sizeof(int64_t);
1792 value_item = proto_tree_add_item(tree, hf_nt_ace_sra_value_int64,
1793 tvb, value_offset, value_len,
1794 ENC_LITTLE_ENDIAN);
1795 value_offset += value_len;
1796 break;
1797
1798 case CLAIM_SECURITY_ATTRIBUTE_TYPE_UINT64:
1799 value_len = sizeof(uint64_t);
1800 value_item = proto_tree_add_item(tree, hf_nt_ace_sra_value_uint64,
1801 tvb, value_offset, value_len,
1802 ENC_LITTLE_ENDIAN);
1803 value_offset += value_len;
1804 break;
1805
1806 case CLAIM_SECURITY_ATTRIBUTE_TYPE_STRING:
1807 value_len = tvb_unicode_strsize(tvb, value_offset);
1808 value_item = proto_tree_add_item(tree, hf_nt_ace_sra_value_string,
1809 tvb, value_offset, value_len,
1810 ENC_UTF_16 | ENC_LITTLE_ENDIAN);
1811 quote = true;
1812 value_offset += value_len;
1813 break;
1814
1815 case CLAIM_SECURITY_ATTRIBUTE_TYPE_SID:
1816 value_offset = dissect_nt_sid(tvb, value_offset, tree,
1817 "SID", &value_str, hf_nt_ace_sra_value_sid);
1818 break;
1819
1820 case CLAIM_SECURITY_ATTRIBUTE_TYPE_BOOLEAN:
1821 value_len = sizeof(uint64_t);
1822 value_item = proto_tree_add_item(tree, hf_nt_ace_sra_value_boolean,
1823 tvb, value_offset, value_len,
1824 ENC_LITTLE_ENDIAN);
1825 value_offset += value_len;
1826 break;
1827
1828 case CLAIM_SECURITY_ATTRIBUTE_TYPE_OCTET_STRING:
1829 blob_len = tvb_get_letohl(tvb, value_offset);
1830 value_offset += sizeof(blob_len);
1831 value_item = proto_tree_add_item(tree, hf_nt_ace_sra_value_octet_string,
1832 tvb, value_offset, blob_len, ENC_NA);
1833 /* do not append binary to sra_item */
1834 value_str = "<bin>";
1835 value_offset += blob_len;
1836 break;
1837
1838 default:
1839 break;
1840 }
1841
1842 if (sra_item) {
1843 if ((value_str == NULL) && value_item) {
1844 value_str = proto_item_get_display_repr(wmem_packet_scope(), value_item);
1845 }
1846
1847 if (value_str == NULL) {
1848 /* missing system resource attribute value */
1849 value_str = "???";
1850 }
1851
1852 if (value_str) {
1853 proto_item_append_text(sra_item,
1854 (quote) ? "\"%s\"" : "%s",
1855 value_str);
1856 }
1857 }
1858
1859 return value_offset;
1860 }
1861
1862 /* Dissect SYSTEM_RESOURCE_ATTRIBUTE_ACE, see [MS-DTYP] v20180912 section 2.4.4.15 */
1863 static int
1864 dissect_nt_ace_system_resource_attribute(tvbuff_t *tvb, int offset, uint16_t size, proto_tree *parent_tree)
1865 {
1866 /* The caller has already dissected Header, Mask and Sid. Therefore
1867 this function only dissects Attribute Data. This data takes
1868 the form of a CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1. The
1869 following code dissects the structure piecemeal */
1870 int start_offset = offset;
1871 uint32_t name; /* offset, relative to start_offset */
1872 uint16_t value_type;
1873 uint32_t value_count;
1874
1875 /* Add a subtree to hold the system resource attribute details */
1876 proto_item *sra_item;
1877 proto_tree *sra_tree;
1878 sra_item = proto_tree_add_item(parent_tree, hf_nt_ace_sra, tvb, offset, size, ENC_NA);
1879 sra_tree = proto_item_add_subtree(sra_item, ett_nt_ace_sra);
1880
1881 /* Name offset */
1882 name = tvb_get_letohl(tvb, offset);
1883 proto_tree_add_uint(sra_tree, hf_nt_ace_sra_name_offset,
1884 tvb, offset, sizeof(name), name);
1885
1886 int name_offset = (start_offset + name);
1887 unsigned name_len = tvb_unicode_strsize(tvb, name_offset);
1888 proto_item *name_item;
1889 name_item = proto_tree_add_item(sra_tree, hf_nt_ace_sra_name,
1890 tvb, name_offset, name_len,
1891 ENC_UTF_16 | ENC_LITTLE_ENDIAN);
1892 proto_item_append_text(sra_item, ": %s=",
1893 proto_item_get_display_repr(wmem_packet_scope(), name_item));
1894 offset += sizeof(name);
1895
1896 /* ValueType */
1897 value_type = tvb_get_letohs(tvb, offset);
1898 proto_tree_add_uint(sra_tree, hf_nt_ace_sra_type,
1899 tvb, offset, sizeof(value_type), value_type);
1900 offset += sizeof(value_type);
1901
1902 /* Reserved */
1903 proto_tree_add_item(sra_tree, hf_nt_ace_sra_reserved,
1904 tvb, offset, sizeof(uint16_t),
1905 ENC_LITTLE_ENDIAN);
1906 offset += sizeof(uint16_t);
1907
1908 /* Flags */
1909 static int * const flags[] = {
1910 &hf_nt_ace_sra_flags_policy_derived,
1911 &hf_nt_ace_sra_flags_manual,
1912 &hf_nt_ace_sra_flags_mandatory,
1913 &hf_nt_ace_sra_flags_disabled,
1914 &hf_nt_ace_sra_flags_disabled_by_default,
1915 &hf_nt_ace_sra_flags_deny_only,
1916 &hf_nt_ace_sra_flags_case_sensitive,
1917 &hf_nt_ace_sra_flags_non_inheritable,
1918 NULL
1919 };
1920
1921 proto_tree_add_bitmask(sra_tree, tvb, offset, hf_nt_ace_sra_flags,
1922 ett_nt_ace_sra_flags, flags, ENC_LITTLE_ENDIAN);
1923 offset += sizeof(uint32_t);
1924
1925 /* ValueCount */
1926 value_count = tvb_get_letohl(tvb, offset);
1927 proto_tree_add_uint(sra_tree, hf_nt_ace_sra_value_count,
1928 tvb, offset, sizeof(value_count), value_count);
1929 offset += sizeof(value_count);
1930
1931 /* Value Offsets and Values */
1932 uint32_t value_offset;
1933 proto_tree *value_offset_tree = sra_tree;
1934 proto_tree *value_tree = sra_tree;
1935 if (value_count > 1) {
1936 /* Use independent value offset and value trees when
1937 there are multiple values. */
1938 int value_offset_tree_offset = offset;
1939 int value_offset_tree_len = value_count * sizeof(value_offset);
1940 value_offset_tree = proto_tree_add_subtree(sra_tree, tvb,
1941 value_offset_tree_offset,
1942 value_offset_tree_len,
1943 ett_nt_ace_sra_value_offsets,
1944 NULL, "Value Offsets");
1945
1946 /* The range associated with the value tree will
1947 include some non-value data (but that's fine as the
1948 value items it contains will have accurate ranges) */
1949 int value_tree_offset = value_offset_tree_offset + value_offset_tree_len;
1950 int value_tree_len = (start_offset + size) - value_tree_offset;
1951 value_tree = proto_tree_add_subtree(sra_tree, tvb,
1952 value_tree_offset,
1953 value_tree_len,
1954 ett_nt_ace_sra_values,
1955 NULL, "Values");
1956 }
1957
1958 proto_item_append_text(sra_item, "{");
1959 for (uint32_t i = 0; i < value_count; ++i) {
1960 if (i) {
1961 proto_item_append_text(sra_item, ", ");
1962 }
1963 value_offset = tvb_get_letohl(tvb, offset);
1964 proto_tree_add_uint(value_offset_tree, hf_nt_ace_sra_value_offset,
1965 tvb, offset, sizeof(value_offset), value_offset);
1966 dissect_nt_ace_system_resource_attribute_value(tvb, start_offset + value_offset,
1967 value_tree, value_type, sra_item);
1968 offset += sizeof(value_offset);
1969 }
1970 proto_item_append_text(sra_item, "}");
1971
1972 return start_offset + size;
1973 }
1974
1975 /* Dissect Condition ACE token, see [MS-DTYP] v20180912 section 2.4.4.17.4 */
1976 static int
1977 // NOLINTNEXTLINE(misc-no-recursion)
1978 dissect_nt_conditional_ace_token(tvbuff_t *tvb, packet_info *pinfo, int offset, uint16_t size, proto_tree *parent_tree)
1979 {
1980 int start_offset = offset;
1981 proto_tree *tree = parent_tree;
1982 proto_item *item = NULL;
1983 uint8_t token = tvb_get_uint8(tvb, offset);
1984 uint32_t len;
1985
1986 item = proto_tree_add_uint(tree, hf_nt_ace_cond_token,
1987 tvb, offset, sizeof(token), token);
1988
1989 if (ace_cond_token_has_data(token)) {
1990 tree = proto_item_add_subtree(item, ett_nt_ace_cond_data);
1991 }
1992 offset += sizeof(token);
1993
1994 switch (token) {
1995 case COND_ACE_TOKEN_INT8:
1996 proto_tree_add_item(tree, hf_nt_ace_cond_value_int8,
1997 tvb, offset, sizeof(uint64_t),
1998 ENC_LITTLE_ENDIAN);
1999 offset += sizeof(uint64_t);
2000
2001 proto_tree_add_item(tree, hf_nt_ace_cond_sign,
2002 tvb, offset, sizeof(uint8_t),
2003 ENC_LITTLE_ENDIAN);
2004 offset += sizeof(uint8_t);
2005
2006 proto_tree_add_item(tree, hf_nt_ace_cond_base,
2007 tvb, offset, sizeof(uint8_t),
2008 ENC_LITTLE_ENDIAN);
2009 offset += sizeof(uint8_t);
2010 break;
2011
2012 case COND_ACE_TOKEN_INT16:
2013 proto_tree_add_item(tree, hf_nt_ace_cond_value_int16,
2014 tvb, offset, sizeof(uint64_t),
2015 ENC_LITTLE_ENDIAN);
2016 offset += sizeof(uint64_t);
2017
2018 proto_tree_add_item(tree, hf_nt_ace_cond_sign,
2019 tvb, offset, sizeof(uint8_t),
2020 ENC_LITTLE_ENDIAN);
2021 offset += sizeof(uint8_t);
2022
2023 proto_tree_add_item(tree, hf_nt_ace_cond_base,
2024 tvb, offset, sizeof(uint8_t),
2025 ENC_LITTLE_ENDIAN);
2026 offset += sizeof(uint8_t);
2027 break;
2028
2029 case COND_ACE_TOKEN_INT32:
2030 proto_tree_add_item(tree, hf_nt_ace_cond_value_int32,
2031 tvb, offset, sizeof(uint64_t),
2032 ENC_LITTLE_ENDIAN);
2033 offset += sizeof(uint64_t);
2034
2035 proto_tree_add_item(tree, hf_nt_ace_cond_sign,
2036 tvb, offset, sizeof(uint8_t),
2037 ENC_LITTLE_ENDIAN);
2038 offset += sizeof(uint8_t);
2039
2040 proto_tree_add_item(tree, hf_nt_ace_cond_base,
2041 tvb, offset, sizeof(uint8_t),
2042 ENC_LITTLE_ENDIAN);
2043 offset += sizeof(uint8_t);
2044 break;
2045
2046 case COND_ACE_TOKEN_INT64:
2047 proto_tree_add_item(tree, hf_nt_ace_cond_value_int64,
2048 tvb, offset, sizeof(uint64_t),
2049 ENC_LITTLE_ENDIAN);
2050 offset += sizeof(uint64_t);
2051
2052 proto_tree_add_item(tree, hf_nt_ace_cond_sign,
2053 tvb, offset, sizeof(uint8_t),
2054 ENC_LITTLE_ENDIAN);
2055 offset += sizeof(uint8_t);
2056
2057 proto_tree_add_item(tree, hf_nt_ace_cond_base,
2058 tvb, offset, sizeof(uint8_t),
2059 ENC_LITTLE_ENDIAN);
2060 offset += sizeof(uint8_t);
2061 break;
2062
2063 case COND_ACE_TOKEN_UNICODE_STRING:
2064 len = tvb_get_letohl(tvb, offset); /* in bytes */
2065 offset += sizeof(len);
2066
2067 proto_tree_add_item(tree, hf_nt_ace_cond_value_string,
2068 tvb, offset, len,
2069 ENC_UTF_16 | ENC_LITTLE_ENDIAN);
2070 offset += len;
2071 break;
2072
2073 case COND_ACE_TOKEN_OCTET_STRING:
2074 len = tvb_get_letohl(tvb, offset); /* in bytes */
2075 offset += sizeof(len);
2076
2077 proto_tree_add_item(tree, hf_nt_ace_cond_value_octet_string,
2078 tvb, offset, len, ENC_NA);
2079 offset += len;
2080 break;
2081
2082 case COND_ACE_TOKEN_COMPOSITE:
2083 /* Create another tree for composite */
2084 len = tvb_get_letohl(tvb, offset); /* in bytes */
2085 offset += sizeof(len);
2086 if (len) {
2087 int remaining = size - (offset - start_offset);
2088 if (remaining >= (int)len) {
2089 int end_offset = offset + len;
2090 increment_dissection_depth(pinfo);
2091 while (offset < end_offset) {
2092 offset = dissect_nt_conditional_ace_token(tvb, pinfo, offset, remaining, tree);
2093 }
2094 decrement_dissection_depth(pinfo);
2095 } else {
2096 /* malformed: composite len is longer
2097 * than the remaining data in the ace
2098 */
2099 offset += remaining;
2100 }
2101 }
2102 break;
2103
2104 case COND_ACE_TOKEN_SID:
2105 offset += sizeof(len);
2106
2107 offset = dissect_nt_sid(tvb, offset, tree, "SID", NULL, -1);
2108 break;
2109
2110 case COND_ACE_TOKEN_LOCAL_ATTRIBUTE:
2111 len = tvb_get_letohl(tvb, offset); /* in bytes */
2112 offset += sizeof(len);
2113
2114 proto_tree_add_item(tree, hf_nt_ace_cond_local_attr,
2115 tvb, offset, len,
2116 ENC_UTF_16 | ENC_LITTLE_ENDIAN);
2117 offset += len;
2118 break;
2119
2120 case COND_ACE_TOKEN_USER_ATTRIBUTE:
2121 len = tvb_get_letohl(tvb, offset); /* in bytes */
2122 offset += sizeof(len);
2123
2124 proto_tree_add_item(tree, hf_nt_ace_cond_user_attr,
2125 tvb, offset, len,
2126 ENC_UTF_16 | ENC_LITTLE_ENDIAN);
2127 offset += len;
2128 break;
2129
2130 case COND_ACE_TOKEN_RESOURCE_ATTRIBUTE:
2131 len = tvb_get_letohl(tvb, offset); /* in bytes */
2132 offset += sizeof(len);
2133
2134 proto_tree_add_item(tree, hf_nt_ace_cond_resource_attr,
2135 tvb, offset, len,
2136 ENC_UTF_16 | ENC_LITTLE_ENDIAN);
2137 offset += len;
2138 break;
2139
2140 case COND_ACE_TOKEN_DEVICE_ATTRIBUTE:
2141 len = tvb_get_letohl(tvb, offset); /* in bytes */
2142 offset += sizeof(len);
2143
2144 proto_tree_add_item(tree, hf_nt_ace_cond_device_attr,
2145 tvb, offset, len,
2146 ENC_UTF_16 | ENC_LITTLE_ENDIAN);
2147 offset += len;
2148 break;
2149
2150 default:
2151 DISSECTOR_ASSERT(!ace_cond_token_has_data(token));
2152 break;
2153 }
2154
2155 proto_item_set_len(item, offset - start_offset);
2156 return offset;
2157 }
2158
2159
2160 /* Dissect Conditional ACE (if present), see [MS-DTYP] v20180912 section 2.4.4.17.4 */
2161 static int
2162 dissect_nt_conditional_ace(tvbuff_t *tvb, packet_info *pinfo, int offset, uint16_t size, proto_tree *parent_tree)
2163 {
2164 int start_offset = offset;
2165
2166 /* Conditional ACE Application Data starts with "artx" */
2167 if (size >= 4) {
2168 const uint32_t artx = 0x78747261; /* "xtra" (LE) */
2169 uint32_t prefix = tvb_get_letohl(tvb, offset);
2170 offset += sizeof(prefix);
2171
2172 if (prefix == artx) {
2173 /* Add a subtree to hold the condition expression tokens */
2174 proto_item *item = NULL;
2175 item = proto_tree_add_item(parent_tree, hf_nt_ace_cond, tvb, start_offset, size, ENC_NA);
2176 parent_tree = proto_item_add_subtree(item, ett_nt_ace_cond);
2177
2178 /* Add the tokens to the subtree */
2179 int remaining;
2180 while (true) {
2181 remaining = size - (offset - start_offset);
2182 if (remaining <= 0)
2183 break;
2184 offset = dissect_nt_conditional_ace_token(tvb, pinfo, offset, remaining, parent_tree);
2185 }
2186 }
2187 }
2188 return start_offset + size;
2189 }
2190
2191 /* Dissect an access mask. All this stuff is kind of explained at
2192
2193 https://docs.microsoft.com/en-us/windows/win32/secauthz/access-mask-format
2194
2195 */
2196 static int ett_nt_access_mask;
2197 static int ett_nt_access_mask_generic;
2198 static int ett_nt_access_mask_standard;
2199 static int ett_nt_access_mask_specific;
2200
2201 static int hf_access_sacl;
2202 static int hf_access_maximum_allowed;
2203 static int hf_access_generic_read;
2204 static int hf_access_generic_write;
2205 static int hf_access_generic_execute;
2206 static int hf_access_generic_all;
2207 static int hf_access_standard_delete;
2208 static int hf_access_standard_read_control;
2209 static int hf_access_standard_synchronise;
2210 static int hf_access_standard_write_dac;
2211 static int hf_access_standard_write_owner;
2212 static int hf_access_specific_15;
2213 static int hf_access_specific_14;
2214 static int hf_access_specific_13;
2215 static int hf_access_specific_12;
2216 static int hf_access_specific_11;
2217 static int hf_access_specific_10;
2218 static int hf_access_specific_9;
2219 static int hf_access_specific_8;
2220 static int hf_access_specific_7;
2221 static int hf_access_specific_6;
2222 static int hf_access_specific_5;
2223 static int hf_access_specific_4;
2224 static int hf_access_specific_3;
2225 static int hf_access_specific_2;
2226 static int hf_access_specific_1;
2227 static int hf_access_specific_0;
2228
2229 /* Map generic permissions to specific permissions */
2230
2231 static void map_generic_access(uint32_t *access_mask,
2232 struct generic_mapping *mapping)
2233 {
2234 if (*access_mask & GENERIC_READ_ACCESS) {
2235 *access_mask &= ~GENERIC_READ_ACCESS;
2236 *access_mask |= mapping->generic_read;
2237 }
2238
2239 if (*access_mask & GENERIC_WRITE_ACCESS) {
2240 *access_mask &= ~GENERIC_WRITE_ACCESS;
2241 *access_mask |= mapping->generic_write;
2242 }
2243
2244 if (*access_mask & GENERIC_EXECUTE_ACCESS) {
2245 *access_mask &= ~GENERIC_EXECUTE_ACCESS;
2246 *access_mask |= mapping->generic_execute;
2247 }
2248
2249 if (*access_mask & GENERIC_ALL_ACCESS) {
2250 *access_mask &= ~GENERIC_ALL_ACCESS;
2251 *access_mask |= mapping->generic_all;
2252 }
2253 }
2254
2255 /* Map standard permissions to specific permissions */
2256
2257 static void map_standard_access(uint32_t *access_mask,
2258 struct standard_mapping *mapping)
2259 {
2260 if (*access_mask & READ_CONTROL_ACCESS) {
2261 *access_mask &= ~READ_CONTROL_ACCESS;
2262 *access_mask |= mapping->std_read;
2263 }
2264
2265 if (*access_mask & (DELETE_ACCESS|WRITE_DAC_ACCESS|WRITE_OWNER_ACCESS|
2266 SYNCHRONIZE_ACCESS)) {
2267 *access_mask &= ~(DELETE_ACCESS|WRITE_DAC_ACCESS|
2268 WRITE_OWNER_ACCESS|SYNCHRONIZE_ACCESS);
2269 *access_mask |= mapping->std_all;
2270 }
2271
2272 }
2273
2274 int
2275 dissect_nt_access_mask(tvbuff_t *tvb, int offset, packet_info *pinfo,
2276 proto_tree *tree, dcerpc_info *di, uint8_t *drep, int hfindex,
2277 struct access_mask_info *ami, uint32_t *perms)
2278 {
2279 proto_item *item;
2280 proto_tree *subtree, *generic_tree, *standard_tree, *specific_tree;
2281 uint32_t access;
2282
2283 static int * const generic_access_flags[] = {
2284 &hf_access_generic_read,
2285 &hf_access_generic_write,
2286 &hf_access_generic_execute,
2287 &hf_access_generic_all,
2288 &hf_access_maximum_allowed,
2289 &hf_access_sacl,
2290 NULL
2291 };
2292
2293 static int * const standard_access_flags[] = {
2294 &hf_access_standard_synchronise,
2295 &hf_access_standard_write_owner,
2296 &hf_access_standard_write_dac,
2297 &hf_access_standard_read_control,
2298 &hf_access_standard_delete,
2299 NULL
2300 };
2301
2302 static int * const access_specific_flags[] = {
2303 &hf_access_specific_15,
2304 &hf_access_specific_14,
2305 &hf_access_specific_13,
2306 &hf_access_specific_12,
2307 &hf_access_specific_11,
2308 &hf_access_specific_10,
2309 &hf_access_specific_9,
2310 &hf_access_specific_8,
2311 &hf_access_specific_7,
2312 &hf_access_specific_6,
2313 &hf_access_specific_5,
2314 &hf_access_specific_4,
2315 &hf_access_specific_3,
2316 &hf_access_specific_2,
2317 &hf_access_specific_1,
2318 &hf_access_specific_0,
2319 NULL
2320 };
2321
2322 if (drep != NULL) {
2323 /*
2324 * Called from a DCE RPC protocol dissector, for a
2325 * protocol where a 32-bit NDR integer contains
2326 * an NT access mask; extract the access mask
2327 * with an NDR call.
2328 */
2329 offset = dissect_ndr_uint32(tvb, offset, pinfo, NULL, di, drep,
2330 hfindex, &access);
2331 } else {
2332 /*
2333 * Called from SMB, where the access mask is just a
2334 * 4-byte little-endian quantity with no special
2335 * NDR alignment requirement; extract it with
2336 * "tvb_get_letohl()".
2337 */
2338 access = tvb_get_letohl(tvb, offset);
2339 offset += 4;
2340 }
2341
2342 if (perms) {
2343 *perms = access;
2344 }
2345
2346 item = proto_tree_add_uint(tree, hfindex, tvb, offset - 4, 4, access);
2347
2348 subtree = proto_item_add_subtree(item, ett_nt_access_mask);
2349
2350 /* Generic access rights */
2351
2352 generic_tree = proto_tree_add_subtree_format(subtree, tvb, offset - 4, 4,
2353 ett_nt_access_mask_generic, NULL, "Generic rights: 0x%08x",
2354 access & GENERIC_RIGHTS_MASK);
2355
2356 proto_tree_add_bitmask_list_value(generic_tree, tvb, offset - 4, 4, generic_access_flags, access);
2357
2358 /* Standard access rights */
2359
2360 standard_tree = proto_tree_add_subtree_format(subtree, tvb, offset - 4, 4,
2361 ett_nt_access_mask_standard, NULL, "Standard rights: 0x%08x",
2362 access & STANDARD_RIGHTS_MASK);
2363
2364 proto_tree_add_bitmask_list_value(standard_tree, tvb, offset - 4, 4, standard_access_flags, access);
2365
2366 /* Specific access rights. Call the specific_rights_fn
2367 pointer if we have one, otherwise just display bits 0-15 in
2368 boring fashion. */
2369
2370 if (ami && ami->specific_rights_name)
2371 specific_tree = proto_tree_add_subtree_format(subtree, tvb, offset - 4, 4,
2372 ett_nt_access_mask_specific, &item, "%s specific rights: 0x%08x",
2373 ami->specific_rights_name,
2374 access & SPECIFIC_RIGHTS_MASK);
2375 else
2376 specific_tree = proto_tree_add_subtree_format(subtree, tvb, offset - 4, 4,
2377 ett_nt_access_mask_specific, &item, "Specific rights: 0x%08x",
2378 access & SPECIFIC_RIGHTS_MASK);
2379
2380 if (ami && ami->specific_rights_fn) {
2381 uint32_t mapped_access = access;
2382 proto_tree *specific_mapped;
2383
2384 specific_mapped = proto_item_add_subtree(
2385 item, ett_nt_access_mask_specific);
2386
2387 ami->specific_rights_fn(
2388 tvb, offset - 4, specific_tree, access);
2389
2390 if (ami->generic_mapping)
2391 map_generic_access(&access, ami->generic_mapping);
2392
2393 if (ami->standard_mapping)
2394 map_standard_access(&access, ami->standard_mapping);
2395
2396 if (access != mapped_access) {
2397 ami->specific_rights_fn(
2398 tvb, offset - 4, specific_mapped,
2399 mapped_access);
2400 }
2401
2402 return offset;
2403 }
2404
2405 proto_tree_add_bitmask_list_value(specific_tree, tvb, offset - 4, 4, access_specific_flags, access);
2406
2407 return offset;
2408 }
2409
2410 static int hf_nt_access_mask;
2411
2412 #define ACL_REVISION_NT4 2
2413 #define ACL_REVISION_ADS 4
2414 static const value_string acl_revision_vals[] = {
2415 { ACL_REVISION_NT4, "NT4"},
2416 { ACL_REVISION_ADS, "AD"},
2417 {0,NULL}
2418 };
2419
2420 #define ACE_TYPE_ACCESS_ALLOWED 0
2421 #define ACE_TYPE_ACCESS_DENIED 1
2422 #define ACE_TYPE_SYSTEM_AUDIT 2
2423 #define ACE_TYPE_SYSTEM_ALARM 3
2424 #define ACE_TYPE_ALLOWED_COMPOUND 4
2425 #define ACE_TYPE_ACCESS_ALLOWED_OBJECT 5
2426 #define ACE_TYPE_ACCESS_DENIED_OBJECT 6
2427 #define ACE_TYPE_SYSTEM_AUDIT_OBJECT 7
2428 #define ACE_TYPE_SYSTEM_ALARM_OBJECT 8
2429 #define ACE_TYPE_ACCESS_ALLOWED_CALLBACK 9
2430 #define ACE_TYPE_ACCESS_DENIED_CALLBACK 10
2431 #define ACE_TYPE_ACCESS_ALLOWED_CALLBACK_OBJECT 11
2432 #define ACE_TYPE_ACCESS_DENIED_CALLBACK_OBJECT 12
2433 #define ACE_TYPE_SYSTEM_AUDIT_CALLBACK 13
2434 #define ACE_TYPE_SYSTEM_ALARM_CALLBACK 14
2435 #define ACE_TYPE_SYSTEM_AUDIT_CALLBACK_OBJECT 15
2436 #define ACE_TYPE_SYSTEM_ALARM_CALLBACK_OBJECT 16
2437 #define ACE_TYPE_SYSTEM_MANDATORY_LABEL 17
2438 #define ACE_TYPE_SYSTEM_RESOURCE_ATTRIBUTE 18
2439 #define ACE_TYPE_SYSTEM_SCOPED_POLICY_ID 19
2440
2441 static const value_string ace_type_vals[] = {
2442 { ACE_TYPE_ACCESS_ALLOWED, "Access Allowed"},
2443 { ACE_TYPE_ACCESS_DENIED, "Access Denied"},
2444 { ACE_TYPE_SYSTEM_AUDIT, "System Audit"},
2445 { ACE_TYPE_SYSTEM_ALARM, "System Alarm"},
2446 { ACE_TYPE_ALLOWED_COMPOUND, "Allowed Compound"},
2447 { ACE_TYPE_ACCESS_ALLOWED_OBJECT, "Allowed Object"},
2448 { ACE_TYPE_ACCESS_DENIED_OBJECT, "Denied Object"},
2449 { ACE_TYPE_SYSTEM_AUDIT_OBJECT, "Audit Object"},
2450 { ACE_TYPE_SYSTEM_ALARM_OBJECT, "Alarm Object"},
2451 { ACE_TYPE_ACCESS_ALLOWED_CALLBACK, "Allowed Callback"},
2452 { ACE_TYPE_ACCESS_DENIED_CALLBACK, "Denied Callback"},
2453 { ACE_TYPE_ACCESS_ALLOWED_CALLBACK_OBJECT, "Allowed Callback Object"},
2454 { ACE_TYPE_ACCESS_DENIED_CALLBACK_OBJECT, "Denied Callback Object"},
2455 { ACE_TYPE_SYSTEM_AUDIT_CALLBACK, "Audit Callback"},
2456 { ACE_TYPE_SYSTEM_ALARM_CALLBACK, "Alarm Callback"},
2457 { ACE_TYPE_SYSTEM_AUDIT_CALLBACK_OBJECT, "Audit Callback Object"},
2458 { ACE_TYPE_SYSTEM_ALARM_CALLBACK_OBJECT, "Alarm Callback Object"},
2459 { ACE_TYPE_SYSTEM_MANDATORY_LABEL, "Mandatory label"},
2460 { ACE_TYPE_SYSTEM_RESOURCE_ATTRIBUTE, "Resource Attribute"},
2461 { ACE_TYPE_SYSTEM_SCOPED_POLICY_ID, "Scoped Policy ID" },
2462 { 0, NULL}
2463 };
2464 static const true_false_string tfs_ace_flags_object_inherit = {
2465 "Subordinate files will inherit this ACE",
2466 "Subordinate files will not inherit this ACE"
2467 };
2468 static const true_false_string tfs_ace_flags_container_inherit = {
2469 "Subordinate containers will inherit this ACE",
2470 "Subordinate containers will not inherit this ACE"
2471 };
2472 static const true_false_string tfs_ace_flags_non_propagate_inherit = {
2473 "Subordinate object will not propagate the inherited ACE further",
2474 "Subordinate object will propagate the inherited ACE further"
2475 };
2476 static const true_false_string tfs_ace_flags_inherit_only = {
2477 "This ACE does not apply to the current object",
2478 "This ACE applies to the current object"
2479 };
2480 static const true_false_string tfs_ace_flags_inherited_ace = {
2481 "This ACE was inherited from its parent object",
2482 "This ACE was not inherited from its parent object"
2483 };
2484 static const true_false_string tfs_ace_flags_successful_access = {
2485 "Successful accesses will be audited",
2486 "Successful accesses will not be audited"
2487 };
2488 static const true_false_string tfs_ace_flags_failed_access = {
2489 "Failed accesses will be audited",
2490 "Failed accesses will not be audited"
2491 };
2492
2493 static const true_false_string flags_sec_info_sacl = {
2494 "Request SACL",
2495 "Do NOT request SACL"
2496 };
2497 static const true_false_string flags_sec_info_dacl = {
2498 "Request DACL",
2499 "Do NOT request DACL"
2500 };
2501 static const true_false_string flags_sec_info_group = {
2502 "Request GROUP",
2503 "Do NOT request group"
2504 };
2505 static const true_false_string flags_sec_info_owner = {
2506 "Request OWNER",
2507 "Do NOT request owner"
2508 };
2509
2510 static const true_false_string flags_ace_sra_info_manual = {
2511 "Manually Assigned",
2512 "NOT Manually Assigned"
2513 };
2514
2515
2516 static const true_false_string flags_ace_sra_info_policy_derived = {
2517 "Policy Derived",
2518 "NOT Policy Derived"
2519 };
2520
2521 static const true_false_string flags_ace_sra_info_non_inheritable = {
2522 "Non-Inheritable",
2523 "Inheritable"
2524 };
2525
2526 static const true_false_string flags_ace_sra_info_case_sensitive = {
2527 "Case Sensitive",
2528 "NOT Case Sensitive"
2529 };
2530
2531 static const true_false_string flags_ace_sra_info_deny_only = {
2532 "Deny Only",
2533 "NOT Deny Only"
2534 };
2535
2536 static const true_false_string flags_ace_sra_info_disabled_by_default = {
2537 "Disabled By Default",
2538 "NOT Disabled By Default"
2539 };
2540
2541 static const true_false_string flags_ace_sra_info_disabled = {
2542 "Disabled",
2543 "NOT Disabled"
2544 };
2545
2546 static const true_false_string flags_ace_sra_info_mandatory = {
2547 "Mandatory",
2548 "NOT Mandatory"
2549 };
2550
2551 #define APPEND_ACE_TEXT(flag, item, string) \
2552 if(flag){ \
2553 if(item) \
2554 proto_item_append_text(item, string, sep); \
2555 sep = ", "; \
2556 }
2557
2558
2559 static int
2560 dissect_nt_ace_object(tvbuff_t *tvb, int offset, proto_tree *parent_tree)
2561 {
2562 proto_item *item;
2563 proto_tree *tree;
2564 proto_item *flags_item;
2565 uint32_t flags;
2566 int old_offset=offset;
2567 const char *sep = " ";
2568 static int * const ace_flags[] = {
2569 &hf_nt_ace_flags_object_type_present,
2570 &hf_nt_ace_flags_inherited_object_type_present,
2571 NULL
2572 };
2573
2574 tree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
2575 ett_nt_ace_object, &item, "ACE Object");
2576
2577 /* flags */
2578 flags=tvb_get_letohl(tvb, offset);
2579 flags_item = proto_tree_add_bitmask(tree, tvb, offset, hf_nt_ace_flags_object,
2580 ett_nt_ace_object_flags, ace_flags, ENC_LITTLE_ENDIAN);
2581
2582 APPEND_ACE_TEXT(flags&0x00000001, flags_item, "%sObject Type Present");
2583 APPEND_ACE_TEXT(flags&0x00000002, flags_item, "%sInherited Object Type Present");
2584 offset+=4;
2585
2586
2587 /* is there a GUID ? */
2588 if(flags&0x00000001){
2589 proto_tree_add_item(tree, hf_nt_ace_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
2590 offset+=16;
2591 }
2592
2593 /* is there an inherited GUID ? */
2594 if(flags&0x00000002){
2595 proto_tree_add_item(tree, hf_nt_ace_inherited_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
2596 offset+=16;
2597 }
2598
2599 proto_item_set_len(item, offset-old_offset);
2600 return offset;
2601 }
2602
2603 static int
2604 dissect_nt_v2_ace_flags(tvbuff_t *tvb, int offset, proto_tree *parent_tree,
2605 uint8_t *data)
2606 {
2607 proto_item *item = NULL;
2608 uint8_t mask;
2609 const char *sep = " ";
2610 static int * const ace_flags[] = {
2611 &hf_nt_ace_flags_failed_access,
2612 &hf_nt_ace_flags_successful_access,
2613 &hf_nt_ace_flags_inherited_ace,
2614 &hf_nt_ace_flags_inherit_only,
2615 &hf_nt_ace_flags_non_propagate_inherit,
2616 &hf_nt_ace_flags_container_inherit,
2617 &hf_nt_ace_flags_object_inherit,
2618 NULL
2619 };
2620
2621 mask = tvb_get_uint8(tvb, offset);
2622
2623 if (data)
2624 *data = mask;
2625
2626 item = proto_tree_add_bitmask(parent_tree, tvb, offset, hf_nt_ace_flags,
2627 ett_nt_ace_flags, ace_flags, ENC_NA);
2628
2629 APPEND_ACE_TEXT(mask&0x80, item, "%sFailed Access");
2630 APPEND_ACE_TEXT(mask&0x40, item, "%sSuccessful Access");
2631 APPEND_ACE_TEXT(mask&0x10, item, "%sInherited ACE");
2632 APPEND_ACE_TEXT(mask&0x08, item, "%sInherit Only");
2633 APPEND_ACE_TEXT(mask&0x04, item, "%sNo Propagate Inherit");
2634 APPEND_ACE_TEXT(mask&0x02, item, "%sContainer Inherit");
2635 APPEND_ACE_TEXT(mask&0x01, item, "%sObject Inherit");
2636
2637
2638 offset += 1;
2639 return offset;
2640 }
2641
2642 static int
2643 dissect_nt_v2_ace(tvbuff_t *tvb, int offset, packet_info *pinfo,
2644 proto_tree *parent_tree, uint8_t *drep,
2645 struct access_mask_info *ami)
2646 {
2647 proto_item *item;
2648 proto_tree *tree;
2649 int old_offset = offset;
2650 char *sid_str = NULL;
2651 uint16_t size;
2652 uint16_t data_size;
2653 uint8_t type;
2654 uint8_t flags;
2655 uint32_t perms = 0;
2656
2657 tree = proto_tree_add_subtree(parent_tree, tvb, offset, -1,
2658 ett_nt_ace, &item, "NT ACE: ");
2659
2660 /* type */
2661 type = tvb_get_uint8(tvb, offset);
2662 proto_tree_add_uint(tree, hf_nt_ace_type, tvb, offset, 1, type);
2663 offset += 1;
2664
2665 /* flags */
2666 offset = dissect_nt_v2_ace_flags(tvb, offset, tree, &flags);
2667
2668 /* size */
2669 size = tvb_get_letohs(tvb, offset);
2670 if (size < 4) {
2671 /*
2672 * BOGUS - the size includes the ACE header length,
2673 * which is 4.
2674 */
2675 proto_tree_add_uint_format_value(tree, hf_nt_ace_size, tvb, offset, 2,
2676 size, "%u (bogus, must be >= 4)", size);
2677 return old_offset; /* our caller quits in this case */
2678 }
2679 proto_tree_add_uint(tree, hf_nt_ace_size, tvb, offset, 2, size);
2680 offset += 2;
2681
2682 /* some ACE types we not yet handle store other things than access mask
2683 * and SID in here.
2684 * sometimes things that are not related at all to access control.
2685 * naughty naughty. -- ronnie
2686 */
2687 switch(type){
2688 case ACE_TYPE_ACCESS_ALLOWED:
2689 case ACE_TYPE_ACCESS_DENIED:
2690 case ACE_TYPE_SYSTEM_AUDIT:
2691 case ACE_TYPE_SYSTEM_ALARM:
2692 case ACE_TYPE_ALLOWED_COMPOUND:
2693 case ACE_TYPE_ACCESS_ALLOWED_OBJECT:
2694 case ACE_TYPE_ACCESS_DENIED_OBJECT:
2695 case ACE_TYPE_SYSTEM_AUDIT_OBJECT:
2696 case ACE_TYPE_SYSTEM_ALARM_OBJECT:
2697 case ACE_TYPE_ACCESS_ALLOWED_CALLBACK:
2698 case ACE_TYPE_ACCESS_DENIED_CALLBACK:
2699 case ACE_TYPE_ACCESS_ALLOWED_CALLBACK_OBJECT:
2700 case ACE_TYPE_ACCESS_DENIED_CALLBACK_OBJECT:
2701 case ACE_TYPE_SYSTEM_AUDIT_CALLBACK:
2702 case ACE_TYPE_SYSTEM_ALARM_CALLBACK:
2703 case ACE_TYPE_SYSTEM_AUDIT_CALLBACK_OBJECT:
2704 case ACE_TYPE_SYSTEM_ALARM_CALLBACK_OBJECT:
2705 case ACE_TYPE_SYSTEM_MANDATORY_LABEL:
2706 case ACE_TYPE_SYSTEM_RESOURCE_ATTRIBUTE:
2707 case ACE_TYPE_SYSTEM_SCOPED_POLICY_ID:
2708 /* access mask */
2709 offset = dissect_nt_access_mask(
2710 tvb, offset, pinfo, tree, NULL, drep,
2711 hf_nt_access_mask, ami, &perms);
2712
2713 /* these aces contain an extra object */
2714 switch(type){
2715 case ACE_TYPE_ACCESS_ALLOWED_OBJECT:
2716 case ACE_TYPE_ACCESS_DENIED_OBJECT:
2717 case ACE_TYPE_SYSTEM_AUDIT_OBJECT:
2718 case ACE_TYPE_SYSTEM_ALARM_OBJECT:
2719 case ACE_TYPE_ACCESS_ALLOWED_CALLBACK_OBJECT:
2720 case ACE_TYPE_ACCESS_DENIED_CALLBACK_OBJECT:
2721 case ACE_TYPE_SYSTEM_AUDIT_CALLBACK_OBJECT:
2722 case ACE_TYPE_SYSTEM_ALARM_CALLBACK_OBJECT:
2723 offset=dissect_nt_ace_object(tvb, offset, tree);
2724 }
2725
2726 /* SID */
2727 offset = dissect_nt_sid(tvb, offset, tree, "SID", &sid_str, -1);
2728
2729 if (item)
2730 proto_item_append_text(
2731 item, "%s, flags 0x%02x, %s, mask 0x%08x", sid_str, flags,
2732 val_to_str(type, ace_type_vals, "Unknown ACE type (0x%02x)"),
2733 perms);
2734
2735 data_size = size - (offset - old_offset);
2736
2737 /* Dissect Dynamic Access Control related ACE types
2738 (if present). That is, Conditional ACE and Resource
2739 Attributes. See [MS-DTYP] v20180912 section 2.4.4.17 */
2740 switch (type) {
2741 case ACE_TYPE_ACCESS_ALLOWED_CALLBACK:
2742 case ACE_TYPE_ACCESS_DENIED_CALLBACK:
2743 case ACE_TYPE_ACCESS_ALLOWED_CALLBACK_OBJECT:
2744 case ACE_TYPE_ACCESS_DENIED_CALLBACK_OBJECT:
2745 case ACE_TYPE_SYSTEM_AUDIT_CALLBACK:
2746 case ACE_TYPE_SYSTEM_AUDIT_CALLBACK_OBJECT:
2747 dissect_nt_conditional_ace(tvb, pinfo, offset, data_size, tree);
2748 break;
2749
2750 case ACE_TYPE_SYSTEM_RESOURCE_ATTRIBUTE:
2751 dissect_nt_ace_system_resource_attribute(tvb, offset, data_size, tree);
2752 break;
2753 }
2754 break;
2755 };
2756
2757 proto_item_set_len(item, offset-old_offset);
2758
2759 /* Sometimes there is some spare space at the end of the ACE so use
2760 the size field to work out where the end is. */
2761
2762 return old_offset + size;
2763 }
2764
2765 static int
2766 dissect_nt_acl(tvbuff_t *tvb, int offset_a, packet_info *pinfo,
2767 proto_tree *parent_tree, uint8_t *drep, const char *name,
2768 struct access_mask_info *ami)
2769 {
2770 proto_item *item;
2771 proto_tree *tree;
2772 int old_offset = offset_a;
2773 int pre_ace_offset;
2774 uint16_t revision;
2775 uint32_t num_aces;
2776 volatile int offset_v = offset_a;
2777 volatile bool missing_data = false;
2778 volatile bool bad_ace = false;
2779
2780 tree = proto_tree_add_subtree_format(parent_tree, tvb, offset_v, -1,
2781 ett_nt_acl, &item, "NT %s ACL", name);
2782
2783 /* revision */
2784 /*
2785 * XXX - is this *really* 2 bytes? The page at
2786 *
2787 * https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-_acl
2788 *
2789 * indicates that it's one byte of revision and one byte of
2790 * zero padding, which means the code that used to be here
2791 * was correct - and this code would give the same results
2792 * as long as the padding is zero, so if this dissects it
2793 * correctly when the padding is zero, and the padding is
2794 * always zero, the old code would dissect it correctly
2795 * also.
2796 */
2797 revision = tvb_get_letohs(tvb, offset_v);
2798 proto_tree_add_uint(tree, hf_nt_acl_revision,
2799 tvb, offset_v, 2, revision);
2800 offset_v += 2;
2801
2802 switch(revision){
2803 case ACL_REVISION_NT4:
2804 case ACL_REVISION_ADS:
2805 case 3: /* weirdo type */
2806 /* size */
2807 proto_tree_add_item(tree, hf_nt_acl_size, tvb, offset_v, 2, ENC_LITTLE_ENDIAN);
2808 offset_v += 2;
2809
2810 /* number of ace structures */
2811 /*
2812 * XXX - is this *really* 4 bytes? The page referred to above
2813 * says it's 2 bytes of count followed by two bytes of
2814 * zero padding.
2815 */
2816 num_aces = tvb_get_letohl(tvb, offset_v);
2817 proto_tree_add_uint(tree, hf_nt_acl_num_aces,
2818 tvb, offset_v, 4, num_aces);
2819 offset_v += 4;
2820
2821 while(num_aces-- && !missing_data && !bad_ace) {
2822 pre_ace_offset = offset_v;
2823
2824 /*
2825 * These are at an offset_v later in the packet; don't
2826 * fail if we can't fetch them, just note the problem
2827 * and dissect the stuff before it.
2828 */
2829 TRY {
2830 offset_v = dissect_nt_v2_ace(tvb, offset_v, pinfo, tree, drep, ami);
2831 if (pre_ace_offset == offset_v) {
2832 /*
2833 * Bogus ACE, with a length < 4.
2834 */
2835 bad_ace = true;
2836 }
2837 }
2838
2839 CATCH(ContainedBoundsError) {
2840 proto_tree_add_expert(tree, pinfo, &ei_nt_ace_extends_beyond_data, tvb, offset_v, 0);
2841 missing_data = true;
2842 }
2843
2844 CATCH(ReportedBoundsError) {
2845 proto_tree_add_expert(tree, pinfo, &ei_nt_ace_extends_beyond_reassembled_data, tvb, offset_v, 0);
2846 missing_data = true;
2847 }
2848
2849 ENDTRY;
2850 }
2851 }
2852
2853 proto_item_set_len(item, offset_v-old_offset);
2854 return offset_v;
2855 }
2856
2857 static const true_false_string tfs_sec_desc_type_owner_defaulted = {
2858 "OWNER is DEFAULTED",
2859 "Owner is NOT defaulted"
2860 };
2861 static const true_false_string tfs_sec_desc_type_group_defaulted = {
2862 "GROUP is DEFAULTED",
2863 "Group is NOT defaulted"
2864 };
2865 static const true_false_string tfs_sec_desc_type_dacl_present = {
2866 "DACL is PRESENT",
2867 "DACL is NOT present"
2868 };
2869 static const true_false_string tfs_sec_desc_type_dacl_defaulted = {
2870 "DACL is DEFAULTED",
2871 "DACL is NOT defaulted"
2872 };
2873 static const true_false_string tfs_sec_desc_type_sacl_present = {
2874 "SACL is PRESENT",
2875 "SACL is NOT present"
2876 };
2877 static const true_false_string tfs_sec_desc_type_sacl_defaulted = {
2878 "SACL is DEFAULTED",
2879 "SACL is NOT defaulted"
2880 };
2881 static const true_false_string tfs_sec_desc_type_dacl_trusted = {
2882 "DACL TRUSTED is TRUE",
2883 "Dacl trusted is FALSE"
2884 };
2885 static const true_false_string tfs_sec_desc_type_server_security = {
2886 "SERVER SECURITY is TRUE",
2887 "Server security is FALSE"
2888 };
2889 static const true_false_string tfs_sec_desc_type_dacl_auto_inherit_req = {
2890 "DACL has AUTO INHERIT REQUIRED",
2891 "DACL does NOT require auto inherit"
2892 };
2893 static const true_false_string tfs_sec_desc_type_sacl_auto_inherit_req = {
2894 "SACL has AUTO INHERIT REQUIRED",
2895 "SACL does NOT require auto inherit"
2896 };
2897 static const true_false_string tfs_sec_desc_type_dacl_auto_inherited = {
2898 "DACL is AUTO INHERITED",
2899 "DACL is NOT auto inherited"
2900 };
2901 static const true_false_string tfs_sec_desc_type_sacl_auto_inherited = {
2902 "SACL is AUTO INHERITED",
2903 "SACL is NOT auto inherited"
2904 };
2905 static const true_false_string tfs_sec_desc_type_dacl_protected = {
2906 "The DACL is PROTECTED",
2907 "The DACL is NOT protected"
2908 };
2909 static const true_false_string tfs_sec_desc_type_sacl_protected = {
2910 "The SACL is PROTECTED",
2911 "The SACL is NOT protected"
2912 };
2913 static const true_false_string tfs_sec_desc_type_rm_control_valid = {
2914 "Rm control valid is TRUE",
2915 "Rm control valid is FALSE"
2916 };
2917 static const true_false_string tfs_sec_desc_type_self_relative = {
2918 "This SecDesc is SELF RELATIVE",
2919 "This SecDesc is NOT self relative"
2920 };
2921
2922
2923 static int
2924 dissect_nt_sec_desc_type(tvbuff_t *tvb, int offset, proto_tree *parent_tree)
2925 {
2926 static int * const flags[] = {
2927 &hf_nt_sec_desc_type_self_relative,
2928 &hf_nt_sec_desc_type_rm_control_valid,
2929 &hf_nt_sec_desc_type_sacl_protected,
2930 &hf_nt_sec_desc_type_dacl_protected,
2931 &hf_nt_sec_desc_type_sacl_auto_inherited,
2932 &hf_nt_sec_desc_type_dacl_auto_inherited,
2933 &hf_nt_sec_desc_type_sacl_auto_inherit_req,
2934 &hf_nt_sec_desc_type_dacl_auto_inherit_req,
2935 &hf_nt_sec_desc_type_server_security,
2936 &hf_nt_sec_desc_type_dacl_trusted,
2937 &hf_nt_sec_desc_type_sacl_defaulted,
2938 &hf_nt_sec_desc_type_sacl_present,
2939 &hf_nt_sec_desc_type_dacl_defaulted,
2940 &hf_nt_sec_desc_type_dacl_present,
2941 &hf_nt_sec_desc_type_group_defaulted,
2942 &hf_nt_sec_desc_type_owner_defaulted,
2943 NULL
2944 };
2945
2946 proto_tree_add_bitmask(parent_tree, tvb, offset, hf_nt_sec_desc_type,
2947 ett_nt_sec_desc_type, flags, ENC_LITTLE_ENDIAN);
2948
2949 offset += 2;
2950 return offset;
2951 }
2952
2953 int
2954 dissect_nt_security_information(tvbuff_t *tvb, int offset, proto_tree *parent_tree)
2955 {
2956 proto_item *item = NULL;
2957 uint32_t mask;
2958 static int * const flags[] = {
2959 &hf_nt_security_information_sacl,
2960 &hf_nt_security_information_dacl,
2961 &hf_nt_security_information_group,
2962 &hf_nt_security_information_owner,
2963 NULL
2964 };
2965
2966 mask = tvb_get_letohl(tvb, offset);
2967 item = proto_tree_add_bitmask(parent_tree, tvb, offset, hf_nt_security_information,
2968 ett_nt_security_information, flags, ENC_LITTLE_ENDIAN);
2969
2970 if (mask & 0x00000008) {
2971 proto_item_append_text(item, " SACL");
2972 }
2973 if (mask & 0x00000004) {
2974 proto_item_append_text(item, " DACL");
2975 }
2976 if (mask & 0x00000002) {
2977 proto_item_append_text(item, " GROUP");
2978 }
2979 if (mask & 0x00000001) {
2980 proto_item_append_text(item, " OWNER");
2981 }
2982
2983 offset += 4;
2984
2985 return offset;
2986 }
2987
2988 int
2989 dissect_nt_sec_desc(tvbuff_t *tvb, int offset_a, packet_info *pinfo,
2990 proto_tree *parent_tree, uint8_t *drep,
2991 bool len_supplied _U_, int len,
2992 struct access_mask_info *ami)
2993 {
2994 proto_item *item = NULL;
2995 proto_tree * volatile tree = NULL;
2996 uint16_t revision;
2997 int start_offset = offset_a;
2998 volatile int offset_v=offset_a;
2999 volatile int end_offset;
3000 volatile int item_offset;
3001 uint32_t owner_sid_offset;
3002 proto_item *it_owner_sid_offs = NULL;
3003 volatile uint32_t group_sid_offset;
3004 proto_item * volatile it_gr_sid_offs = NULL;
3005 volatile uint32_t sacl_offset;
3006 proto_item * volatile it_sacl_offs = NULL;
3007 volatile uint32_t dacl_offset;
3008 proto_item * volatile it_dacl_offs = NULL;
3009
3010 tree = proto_tree_add_subtree(parent_tree, tvb, offset_v, -1,
3011 ett_nt_sec_desc, &item, "NT Security Descriptor");
3012
3013 /* revision */
3014 revision = tvb_get_letohs(tvb, offset_v);
3015 proto_tree_add_uint(tree, hf_nt_sec_desc_revision,
3016 tvb, offset_v, 2, revision);
3017 offset_v += 2;
3018
3019 switch(revision){
3020 case 1: /* only version we will ever see of this structure?*/
3021 /* type */
3022 offset_v = dissect_nt_sec_desc_type(tvb, offset_v, tree);
3023
3024 /* offset_v to owner sid */
3025 owner_sid_offset = tvb_get_letohl(tvb, offset_v);
3026 if(owner_sid_offset != 0 && owner_sid_offset < 20){
3027 /* Bogus value - points into fixed portion of descriptor */
3028 proto_tree_add_uint_format_value(tree, hf_nt_offset_to_owner_sid, tvb, offset_v, 4, owner_sid_offset, "%u (bogus, must be >= 20)", owner_sid_offset);
3029 owner_sid_offset = 0;
3030 } else
3031 it_owner_sid_offs = proto_tree_add_item(tree, hf_nt_offset_to_owner_sid, tvb, offset_v, 4, ENC_LITTLE_ENDIAN);
3032 offset_v += 4;
3033
3034 /* offset to group sid */
3035 group_sid_offset = tvb_get_letohl(tvb, offset_v);
3036 if(group_sid_offset != 0 && group_sid_offset < 20){
3037 /* Bogus value - points into fixed portion of descriptor */
3038 proto_tree_add_uint_format_value(tree, hf_nt_offset_to_group_sid, tvb, offset_v, 4, group_sid_offset, "%u (bogus, must be >= 20)", group_sid_offset);
3039 group_sid_offset = 0;
3040 } else
3041 it_gr_sid_offs = proto_tree_add_item(tree, hf_nt_offset_to_group_sid, tvb, offset_v, 4, ENC_LITTLE_ENDIAN);
3042 offset_v += 4;
3043
3044 /* offset to sacl */
3045 sacl_offset = tvb_get_letohl(tvb, offset_v);
3046 if(sacl_offset != 0 && sacl_offset < 20){
3047 /* Bogus value - points into fixed portion of descriptor */
3048 proto_tree_add_uint_format_value(tree, hf_nt_offset_to_sacl, tvb, offset_v, 4, sacl_offset, "%u (bogus, must be >= 20)", sacl_offset);
3049 sacl_offset = 0;
3050 } else
3051 it_sacl_offs = proto_tree_add_item(tree, hf_nt_offset_to_sacl, tvb, offset_v, 4, ENC_LITTLE_ENDIAN);
3052 offset_v += 4;
3053
3054 /* offset to dacl */
3055 dacl_offset = tvb_get_letohl(tvb, offset_v);
3056 if(dacl_offset != 0 && dacl_offset < 20){
3057 /* Bogus value - points into fixed portion of descriptor */
3058 proto_tree_add_uint_format_value(tree, hf_nt_offset_to_dacl, tvb, offset_v, 4, dacl_offset, "%u (bogus, must be >= 20)", dacl_offset);
3059 dacl_offset = 0;
3060 } else
3061 it_dacl_offs = proto_tree_add_item(tree, hf_nt_offset_to_dacl, tvb, offset_v, 4, ENC_LITTLE_ENDIAN);
3062 offset_v += 4;
3063
3064 end_offset = offset_v;
3065
3066 /*owner SID*/
3067 if(owner_sid_offset){
3068 item_offset = start_offset+owner_sid_offset;
3069 if (item_offset < start_offset) {
3070 expert_add_info(pinfo, it_owner_sid_offs,
3071 &ei_nt_item_offs_out_of_range);
3072 break;
3073 }
3074 TRY{
3075 offset_v = dissect_nt_sid(tvb, item_offset, tree, "Owner", NULL, -1);
3076 if (offset_v > end_offset)
3077 end_offset = offset_v;
3078 }
3079
3080 CATCH(ContainedBoundsError) {
3081 proto_tree_add_expert(tree, pinfo, &ei_nt_owner_sid_beyond_data, tvb, item_offset, 0);
3082 }
3083
3084 CATCH(ReportedBoundsError) {
3085 proto_tree_add_expert(tree, pinfo, &ei_nt_owner_sid_beyond_reassembled_data, tvb, item_offset, 0);
3086 }
3087
3088 ENDTRY;
3089 }
3090
3091 /*group SID*/
3092 if(group_sid_offset){
3093 item_offset = start_offset+group_sid_offset;
3094 if (item_offset < start_offset) {
3095 expert_add_info(pinfo, it_gr_sid_offs,
3096 &ei_nt_item_offs_out_of_range);
3097 break;
3098 }
3099 TRY {
3100 offset_v = dissect_nt_sid(tvb, item_offset, tree, "Group", NULL, -1);
3101 if (offset_v > end_offset)
3102 end_offset = offset_v;
3103 }
3104
3105 CATCH(ContainedBoundsError) {
3106 proto_tree_add_expert(tree, pinfo, &ei_nt_group_sid_beyond_data, tvb, item_offset, 0);
3107 }
3108
3109 CATCH(ReportedBoundsError) {
3110 proto_tree_add_expert(tree, pinfo, &ei_nt_group_sid_beyond_reassembled_data, tvb, item_offset, 0);
3111 }
3112
3113 ENDTRY;
3114 }
3115
3116 /* sacl */
3117 if(sacl_offset){
3118 item_offset = start_offset+sacl_offset;
3119 if (item_offset < start_offset) {
3120 expert_add_info(pinfo, it_sacl_offs,
3121 &ei_nt_item_offs_out_of_range);
3122 break;
3123 }
3124 offset_v = dissect_nt_acl(tvb, item_offset, pinfo, tree,
3125 drep, "System (SACL)", ami);
3126 if (offset_v > end_offset)
3127 end_offset = offset_v;
3128 }
3129
3130 /* dacl */
3131 if(dacl_offset){
3132 item_offset = start_offset+dacl_offset;
3133 if (item_offset < start_offset) {
3134 expert_add_info(pinfo, it_dacl_offs,
3135 &ei_nt_item_offs_out_of_range);
3136 break;
3137 }
3138 offset_v = dissect_nt_acl(tvb, item_offset, pinfo, tree,
3139 drep, "User (DACL)", ami);
3140 if (offset_v > end_offset)
3141 end_offset = offset_v;
3142 }
3143
3144 break;
3145
3146 default:
3147 end_offset = offset_v;
3148 break;
3149 }
3150
3151 len = end_offset - start_offset;
3152 proto_item_set_len(item, len);
3153
3154 return offset_v;
3155 }
3156
3157 /*
3158 * XXX - we should have a way to register fields not associated with a
3159 * protocol.
3160 *
3161 * XXX - make-reg-dotc.py doesn't check for an argument list of "(void)",
3162 * so we have to give this a name other than "proto_register_..." so that
3163 * it doesn't end up being called from "register.c".
3164 */
3165 void
3166 proto_do_register_windows_common(int proto_smb)
3167 {
3168 static hf_register_info hf[] = {
3169 /* Security descriptors */
3170
3171 { &hf_nt_sec_desc_revision,
3172 { "Revision", "nt.sec_desc.revision", FT_UINT16, BASE_DEC,
3173 NULL, 0, "Version of NT Security Descriptor structure", HFILL }},
3174
3175 { &hf_nt_sec_desc_type_owner_defaulted,
3176 { "Owner Defaulted", "nt.sec_desc.type.owner_defaulted", FT_BOOLEAN, 16,
3177 TFS(&tfs_sec_desc_type_owner_defaulted), 0x0001, "Is Owner Defaulted set?", HFILL }},
3178
3179 { &hf_nt_sec_desc_type_group_defaulted,
3180 { "Group Defaulted", "nt.sec_desc.type.group_defaulted", FT_BOOLEAN, 16,
3181 TFS(&tfs_sec_desc_type_group_defaulted), 0x0002, "Is Group Defaulted?", HFILL }},
3182
3183 { &hf_nt_sec_desc_type_dacl_present,
3184 { "DACL Present", "nt.sec_desc.type.dacl_present", FT_BOOLEAN, 16,
3185 TFS(&tfs_sec_desc_type_dacl_present), 0x0004, "Does this SecDesc have DACL present?", HFILL }},
3186
3187 { &hf_nt_sec_desc_type_dacl_defaulted,
3188 { "DACL Defaulted", "nt.sec_desc.type.dacl_defaulted", FT_BOOLEAN, 16,
3189 TFS(&tfs_sec_desc_type_dacl_defaulted), 0x0008, "Does this SecDesc have DACL Defaulted?", HFILL }},
3190
3191 { &hf_nt_sec_desc_type_sacl_present,
3192 { "SACL Present", "nt.sec_desc.type.sacl_present", FT_BOOLEAN, 16,
3193 TFS(&tfs_sec_desc_type_sacl_present), 0x0010, "Is the SACL present?", HFILL }},
3194
3195 { &hf_nt_sec_desc_type_sacl_defaulted,
3196 { "SACL Defaulted", "nt.sec_desc.type.sacl_defaulted", FT_BOOLEAN, 16,
3197 TFS(&tfs_sec_desc_type_sacl_defaulted), 0x0020, "Does this SecDesc have SACL Defaulted?", HFILL }},
3198
3199 { &hf_nt_sec_desc_type_dacl_auto_inherit_req,
3200 { "DACL Auto Inherit Required", "nt.sec_desc.type.dacl_auto_inherit_req", FT_BOOLEAN, 16,
3201 TFS(&tfs_sec_desc_type_dacl_auto_inherit_req), 0x0100, "Does this SecDesc have DACL Auto Inherit Required set?", HFILL }},
3202
3203 { &hf_nt_sec_desc_type_dacl_trusted,
3204 { "DACL Trusted", "nt.sec_desc.type.dacl_trusted", FT_BOOLEAN, 16,
3205 TFS(&tfs_sec_desc_type_dacl_trusted), 0x0040, "Does this SecDesc have DACL TRUSTED set?", HFILL }},
3206
3207 { &hf_nt_sec_desc_type_server_security,
3208 { "Server Security", "nt.sec_desc.type.server_security", FT_BOOLEAN, 16,
3209 TFS(&tfs_sec_desc_type_server_security), 0x0080, "Does this SecDesc have SERVER SECURITY set?", HFILL }},
3210
3211 { &hf_nt_sec_desc_type_sacl_auto_inherit_req,
3212 { "SACL Auto Inherit Required", "nt.sec_desc.type.sacl_auto_inherit_req", FT_BOOLEAN, 16,
3213 TFS(&tfs_sec_desc_type_sacl_auto_inherit_req), 0x0200, "Does this SecDesc have SACL Auto Inherit Required set?", HFILL }},
3214
3215 { &hf_nt_sec_desc_type_dacl_auto_inherited,
3216 { "DACL Auto Inherited", "nt.sec_desc.type.dacl_auto_inherited", FT_BOOLEAN, 16,
3217 TFS(&tfs_sec_desc_type_dacl_auto_inherited), 0x0400, "Is this DACL auto inherited", HFILL }},
3218
3219 { &hf_nt_sec_desc_type_sacl_auto_inherited,
3220 { "SACL Auto Inherited", "nt.sec_desc.type.sacl_auto_inherited", FT_BOOLEAN, 16,
3221 TFS(&tfs_sec_desc_type_sacl_auto_inherited), 0x0800, "Is this SACL auto inherited", HFILL }},
3222
3223 { &hf_nt_sec_desc_type_dacl_protected,
3224 { "DACL Protected", "nt.sec_desc.type.dacl_protected", FT_BOOLEAN, 16,
3225 TFS(&tfs_sec_desc_type_dacl_protected), 0x1000, "Is the DACL structure protected?", HFILL }},
3226
3227 { &hf_nt_sec_desc_type_sacl_protected,
3228 { "SACL Protected", "nt.sec_desc.type.sacl_protected", FT_BOOLEAN, 16,
3229 TFS(&tfs_sec_desc_type_sacl_protected), 0x2000, "Is the SACL structure protected?", HFILL }},
3230
3231 { &hf_nt_sec_desc_type_self_relative,
3232 { "Self Relative", "nt.sec_desc.type.self_relative", FT_BOOLEAN, 16,
3233 TFS(&tfs_sec_desc_type_self_relative), 0x8000, "Is this SecDesc self relative?", HFILL }},
3234
3235 { &hf_nt_sec_desc_type_rm_control_valid,
3236 { "RM Control Valid", "nt.sec_desc.type.rm_control_valid", FT_BOOLEAN, 16,
3237 TFS(&tfs_sec_desc_type_rm_control_valid), 0x4000, "Is RM Control Valid set?", HFILL }},
3238
3239 /* SIDs */
3240
3241 { &hf_nt_sid,
3242 { "SID", "nt.sid", FT_STRING, BASE_NONE,
3243 NULL, 0, "SID: Security Identifier", HFILL }},
3244
3245 { &hf_nt_sid_revision,
3246 { "Revision", "nt.sid.revision", FT_UINT8, BASE_DEC,
3247 NULL, 0, "Version of SID structure", HFILL }},
3248
3249 { &hf_nt_sid_num_auth,
3250 { "Num Auth", "nt.sid.num_auth", FT_UINT8, BASE_DEC,
3251 NULL, 0, "Number of authorities for this SID", HFILL }},
3252
3253 { &hf_nt_sid_auth_dec,
3254 { "Authority", "nt.sid.auth", FT_UINT64, BASE_DEC,
3255 NULL, 0, "Identifier Authority", HFILL }},
3256
3257 { &hf_nt_sid_auth_hex,
3258 { "Authority", "nt.sid.auth", FT_UINT64, BASE_HEX,
3259 NULL, 0, "Identifier Authority", HFILL }},
3260
3261 { &hf_nt_sid_subauth,
3262 { "Subauthorities", "nt.sid.subauth", FT_STRING, BASE_NONE,
3263 NULL, 0, "Subauthorities fields", HFILL }},
3264
3265 { &hf_nt_sid_rid_dec,
3266 { "RID", "nt.sid.rid", FT_UINT32, BASE_DEC,
3267 NULL, 0, "Relative IDentifier: identifies a user or group", HFILL }},
3268
3269 { &hf_nt_sid_rid_hex,
3270 { "RID", "nt.sid.rid", FT_UINT32, BASE_HEX,
3271 NULL, 0, "Relative IDentifier: identifies a user or group", HFILL }},
3272
3273 { &hf_nt_sid_wkwn,
3274 { "Well-known SID", "nt.sid.wkwn", FT_STRING, BASE_NONE,
3275 NULL, 0, NULL, HFILL }},
3276
3277 { &hf_nt_sid_domain,
3278 { "Domain", "nt.sid.domain", FT_STRING, BASE_NONE,
3279 NULL, 0, NULL, HFILL }},
3280
3281 /* ACLs */
3282
3283 { &hf_nt_acl_revision,
3284 { "Revision", "nt.acl.revision", FT_UINT16, BASE_DEC,
3285 VALS(acl_revision_vals), 0, "Version of NT ACL structure", HFILL }},
3286
3287 { &hf_nt_acl_size,
3288 { "Size", "nt.acl.size", FT_UINT16, BASE_DEC,
3289 NULL, 0, "Size of NT ACL structure", HFILL }},
3290
3291 { &hf_nt_acl_num_aces,
3292 { "Num ACEs", "nt.acl.num_aces", FT_UINT32, BASE_DEC,
3293 NULL, 0, "Number of ACE structures for this ACL", HFILL }},
3294
3295 /* ACEs */
3296
3297 { &hf_nt_ace_type,
3298 { "Type", "nt.ace.type",
3299 FT_UINT8, BASE_DEC, VALS(ace_type_vals), 0, "Type of ACE",
3300 HFILL }},
3301
3302 { &hf_nt_ace_size,
3303 { "Size", "nt.ace.size", FT_UINT16, BASE_DEC, NULL, 0,
3304 "Size of this ACE", HFILL }},
3305
3306 { &hf_nt_ace_flags_object_inherit,
3307 { "Object Inherit", "nt.ace.flags.object_inherit", FT_BOOLEAN, 8,
3308 TFS(&tfs_ace_flags_object_inherit), 0x01, "Will subordinate files inherit this ACE?", HFILL }},
3309
3310 { &hf_nt_ace_flags_container_inherit,
3311 { "Container Inherit", "nt.ace.flags.container_inherit", FT_BOOLEAN, 8,
3312 TFS(&tfs_ace_flags_container_inherit), 0x02, "Will subordinate containers inherit this ACE?", HFILL }},
3313
3314 { &hf_nt_ace_flags_non_propagate_inherit,
3315 { "Non-Propagate Inherit", "nt.ace.flags.non_propagate_inherit", FT_BOOLEAN, 8,
3316 TFS(&tfs_ace_flags_non_propagate_inherit), 0x04, "Will subordinate object propagate this ACE further?", HFILL }},
3317
3318 { &hf_nt_ace_flags_inherit_only,
3319 { "Inherit Only", "nt.ace.flags.inherit_only", FT_BOOLEAN, 8,
3320 TFS(&tfs_ace_flags_inherit_only), 0x08, "Does this ACE apply to the current object?", HFILL }},
3321
3322 { &hf_nt_ace_flags_inherited_ace,
3323 { "Inherited ACE", "nt.ace.flags.inherited_ace", FT_BOOLEAN, 8,
3324 TFS(&tfs_ace_flags_inherited_ace), 0x10, "Was this ACE inherited from its parent object?", HFILL }},
3325
3326 { &hf_nt_ace_flags_successful_access,
3327 { "Audit Successful Accesses", "nt.ace.flags.successful_access", FT_BOOLEAN, 8,
3328 TFS(&tfs_ace_flags_successful_access), 0x40, "Should successful accesses be audited?", HFILL }},
3329
3330 { &hf_nt_ace_flags_failed_access,
3331 { "Audit Failed Accesses", "nt.ace.flags.failed_access", FT_BOOLEAN, 8,
3332 TFS(&tfs_ace_flags_failed_access), 0x80, "Should failed accesses be audited?", HFILL }},
3333
3334 /* Access masks */
3335
3336 { &hf_nt_access_mask,
3337 { "Access required", "nt.access_mask",
3338 FT_UINT32, BASE_HEX, NULL, 0x0, "Access mask",
3339 HFILL }},
3340
3341 { &hf_access_generic_read,
3342 { "Generic read", "nt.access_mask.generic_read",
3343 FT_BOOLEAN, 32, TFS(&tfs_set_notset),
3344 GENERIC_READ_ACCESS, NULL, HFILL }},
3345
3346 { &hf_access_generic_write,
3347 { "Generic write", "nt.access_mask.generic_write",
3348 FT_BOOLEAN, 32, TFS(&tfs_set_notset),
3349 GENERIC_WRITE_ACCESS, NULL, HFILL }},
3350
3351 { &hf_access_generic_execute,
3352 { "Generic execute", "nt.access_mask.generic_execute",
3353 FT_BOOLEAN, 32, TFS(&tfs_set_notset),
3354 GENERIC_EXECUTE_ACCESS, NULL, HFILL }},
3355
3356 { &hf_access_generic_all,
3357 { "Generic all", "nt.access_mask.generic_all",
3358 FT_BOOLEAN, 32, TFS(&tfs_set_notset),
3359 GENERIC_ALL_ACCESS, NULL, HFILL }},
3360
3361 { &hf_access_maximum_allowed,
3362 { "Maximum allowed", "nt.access_mask.maximum_allowed",
3363 FT_BOOLEAN, 32, TFS(&tfs_set_notset),
3364 MAXIMUM_ALLOWED_ACCESS, NULL, HFILL }},
3365
3366 { &hf_access_sacl,
3367 { "Access SACL", "nt.access_mask.access_sacl",
3368 FT_BOOLEAN, 32, TFS(&tfs_set_notset),
3369 ACCESS_SACL_ACCESS, NULL, HFILL }},
3370
3371 { &hf_access_standard_read_control,
3372 { "Read control", "nt.access_mask.read_control",
3373 FT_BOOLEAN, 32, TFS(&tfs_set_notset),
3374 READ_CONTROL_ACCESS, NULL, HFILL }},
3375
3376 { &hf_access_standard_delete,
3377 { "Delete", "nt.access_mask.delete",
3378 FT_BOOLEAN, 32, TFS(&tfs_set_notset),
3379 DELETE_ACCESS, NULL, HFILL }},
3380
3381 { &hf_access_standard_synchronise,
3382 { "Synchronise", "nt.access_mask.synchronise",
3383 FT_BOOLEAN, 32, TFS(&tfs_set_notset),
3384 SYNCHRONIZE_ACCESS, NULL, HFILL }},
3385
3386 { &hf_access_standard_write_dac,
3387 { "Write DAC", "nt.access_mask.write_dac",
3388 FT_BOOLEAN, 32, TFS(&tfs_set_notset),
3389 WRITE_DAC_ACCESS, NULL, HFILL }},
3390
3391 { &hf_access_standard_write_owner,
3392 { "Write owner", "nt.access_mask.write_owner",
3393 FT_BOOLEAN, 32, TFS(&tfs_set_notset),
3394 WRITE_OWNER_ACCESS, NULL, HFILL }},
3395
3396 { &hf_access_specific_15,
3397 { "Specific access, bit 15", "nt.access_mask.specific_15",
3398 FT_BOOLEAN, 32, TFS(&tfs_set_notset),
3399 0x00008000, NULL, HFILL }},
3400
3401 { &hf_access_specific_14,
3402 { "Specific access, bit 14", "nt.access_mask.specific_14",
3403 FT_BOOLEAN, 32, TFS(&tfs_set_notset),
3404 0x00004000, NULL, HFILL }},
3405
3406 { &hf_access_specific_13,
3407 { "Specific access, bit 13", "nt.access_mask.specific_13",
3408 FT_BOOLEAN, 32, TFS(&tfs_set_notset),
3409 0x00002000, NULL, HFILL }},
3410
3411 { &hf_access_specific_12,
3412 { "Specific access, bit 12", "nt.access_mask.specific_12",
3413 FT_BOOLEAN, 32, TFS(&tfs_set_notset),
3414 0x00001000, NULL, HFILL }},
3415
3416 { &hf_access_specific_11,
3417 { "Specific access, bit 11", "nt.access_mask.specific_11",
3418 FT_BOOLEAN, 32, TFS(&tfs_set_notset),
3419 0x00000800, NULL, HFILL }},
3420
3421 { &hf_access_specific_10,
3422 { "Specific access, bit 10", "nt.access_mask.specific_10",
3423 FT_BOOLEAN, 32, TFS(&tfs_set_notset),
3424 0x00000400, NULL, HFILL }},
3425
3426 { &hf_access_specific_9,
3427 { "Specific access, bit 9", "nt.access_mask.specific_9",
3428 FT_BOOLEAN, 32, TFS(&tfs_set_notset),
3429 0x00000200, NULL, HFILL }},
3430
3431 { &hf_access_specific_8,
3432 { "Specific access, bit 8", "nt.access_mask.specific_8",
3433 FT_BOOLEAN, 32, TFS(&tfs_set_notset),
3434 0x00000100, NULL, HFILL }},
3435
3436 { &hf_access_specific_7,
3437 { "Specific access, bit 7", "nt.access_mask.specific_7",
3438 FT_BOOLEAN, 32, TFS(&tfs_set_notset),
3439 0x00000080, NULL, HFILL }},
3440
3441 { &hf_access_specific_6,
3442 { "Specific access, bit 6", "nt.access_mask.specific_6",
3443 FT_BOOLEAN, 32, TFS(&tfs_set_notset),
3444 0x00000040, NULL, HFILL }},
3445
3446 { &hf_access_specific_5,
3447 { "Specific access, bit 5", "nt.access_mask.specific_5",
3448 FT_BOOLEAN, 32, TFS(&tfs_set_notset),
3449 0x00000020, NULL, HFILL }},
3450
3451 { &hf_access_specific_4,
3452 { "Specific access, bit 4", "nt.access_mask.specific_4",
3453 FT_BOOLEAN, 32, TFS(&tfs_set_notset),
3454 0x00000010, NULL, HFILL }},
3455
3456 { &hf_access_specific_3,
3457 { "Specific access, bit 3", "nt.access_mask.specific_3",
3458 FT_BOOLEAN, 32, TFS(&tfs_set_notset),
3459 0x00000008, NULL, HFILL }},
3460
3461 { &hf_access_specific_2,
3462 { "Specific access, bit 2", "nt.access_mask.specific_2",
3463 FT_BOOLEAN, 32, TFS(&tfs_set_notset),
3464 0x00000004, NULL, HFILL }},
3465
3466 { &hf_access_specific_1,
3467 { "Specific access, bit 1", "nt.access_mask.specific_1",
3468 FT_BOOLEAN, 32, TFS(&tfs_set_notset),
3469 0x00000002, NULL, HFILL }},
3470
3471 { &hf_access_specific_0,
3472 { "Specific access, bit 0", "nt.access_mask.specific_0",
3473 FT_BOOLEAN, 32, TFS(&tfs_set_notset),
3474 0x00000001, NULL, HFILL }},
3475
3476 { &hf_nt_ace_flags_object_type_present,
3477 { "Object Type Present", "nt.ace.object.flags.object_type_present",
3478 FT_BOOLEAN, 32, TFS(&tfs_set_notset),
3479 0x00000001, NULL, HFILL }},
3480
3481 { &hf_nt_ace_flags_inherited_object_type_present,
3482 { "Inherited Object Type Present", "nt.ace.object.flags.inherited_object_type_present",
3483 FT_BOOLEAN, 32, TFS(&tfs_set_notset),
3484 0x00000002, NULL, HFILL }},
3485
3486 { &hf_nt_ace_guid,
3487 { "GUID", "nt.ace.object.guid", FT_GUID, BASE_NONE,
3488 NULL, 0, NULL, HFILL }},
3489
3490 { &hf_nt_ace_inherited_guid,
3491 { "Inherited GUID", "nt.ace.object.inherited_guid", FT_GUID, BASE_NONE,
3492 NULL, 0, NULL, HFILL }},
3493
3494 { &hf_nt_ace_cond,
3495 { "Conditional Expression", "nt.ace.cond", FT_NONE, BASE_NONE,
3496 NULL, 0, NULL, HFILL }},
3497
3498 { &hf_nt_ace_cond_token,
3499 { "Token", "nt.ace.cond.token",
3500 FT_UINT8, BASE_HEX, VALS(ace_cond_token_vals), 0, "Type of Token",
3501 HFILL }},
3502
3503 { &hf_nt_ace_cond_sign,
3504 { "SIGN", "nt.ace.cond.sign",
3505 FT_UINT8, BASE_HEX, VALS(ace_cond_sign_vals), 0,
3506 NULL, HFILL }},
3507
3508 { &hf_nt_ace_cond_base,
3509 { "BASE", "nt.ace.cond.base",
3510 FT_UINT8, BASE_HEX, VALS(ace_cond_base_vals), 0,
3511 NULL, HFILL }},
3512
3513 { &hf_nt_ace_cond_value_int8,
3514 { "INT8", "nt.ace.cond.value_int8", FT_INT8, BASE_DEC,
3515 NULL, 0, NULL, HFILL }},
3516
3517 { &hf_nt_ace_cond_value_int16,
3518 { "INT16", "nt.ace.cond.value_int16", FT_INT16, BASE_DEC,
3519 NULL, 0, NULL, HFILL }},
3520
3521 { &hf_nt_ace_cond_value_int32,
3522 { "INT32", "nt.ace.cond.value_int32", FT_INT32, BASE_DEC,
3523 NULL, 0, NULL, HFILL }},
3524
3525 { &hf_nt_ace_cond_value_int64,
3526 { "INT64", "nt.ace.cond.value_int64", FT_INT64, BASE_DEC,
3527 NULL, 0, NULL, HFILL }},
3528
3529 { &hf_nt_ace_cond_value_string,
3530 { "UNICODE_STRING", "nt.ace.cond.value_string", FT_STRING, BASE_NONE,
3531 NULL, 0, NULL, HFILL }},
3532
3533 { &hf_nt_ace_cond_value_octet_string,
3534 { "OCTET_STRING", "nt.ace.cond.value_octet_string", FT_BYTES, BASE_NONE,
3535 NULL, 0x0, NULL, HFILL }},
3536
3537 { &hf_nt_ace_cond_local_attr,
3538 { "LOCAL_ATTRIBUTE", "nt.ace.cond.local_attr", FT_STRING, BASE_NONE,
3539 NULL, 0, NULL, HFILL }},
3540
3541 { &hf_nt_ace_cond_user_attr,
3542 { "USER_ATTRIBUTE", "nt.ace.cond.user_attr", FT_STRING, BASE_NONE,
3543 NULL, 0, NULL, HFILL }},
3544
3545 { &hf_nt_ace_cond_resource_attr,
3546 { "RESOURCE_ATTRIBUTE", "nt.ace.cond.resource_attr", FT_STRING, BASE_NONE,
3547 NULL, 0, NULL, HFILL }},
3548
3549 { &hf_nt_ace_cond_device_attr,
3550 { "DEVICE_ATTRIBUTE", "nt.ace.cond.device_attr", FT_STRING, BASE_NONE,
3551 NULL, 0, NULL, HFILL }},
3552
3553 { &hf_nt_ace_sra,
3554 { "Resource Attribute", "nt.ace.sra", FT_NONE, BASE_NONE,
3555 NULL, 0, NULL, HFILL }},
3556
3557 { &hf_nt_ace_sra_name_offset,
3558 { "Name Offset", "nt.ace.sra.name_offset", FT_UINT32, BASE_DEC, NULL, 0,
3559 "Offset to Name of Resource Attribute", HFILL }},
3560
3561 { &hf_nt_ace_sra_name,
3562 { "Name", "nt.ace.sra.name", FT_STRING, BASE_NONE, NULL, 0,
3563 "Name of Resource Attribute", HFILL }},
3564
3565 { &hf_nt_ace_sra_type,
3566 { "Type", "nt.ace.sra.type",
3567 FT_UINT16, BASE_DEC, VALS(ace_sra_type_vals), 0,
3568 "Type of Resource Attribute", HFILL }},
3569
3570 { &hf_nt_ace_sra_reserved,
3571 { "Reserved", "nt.ace.sra.reserved", FT_UINT16, BASE_HEX, NULL, 0,
3572 "Reserved of Resource Attribute", HFILL }},
3573
3574 { &hf_nt_ace_sra_flags,
3575 { "Flags", "nt.ace.sra.flags", FT_UINT32, BASE_HEX, NULL, 0,
3576 "Flags of Resource Attribute", HFILL }},
3577
3578 { &hf_nt_ace_sra_flags_manual,
3579 { "Manual", "nt.ace.sra.flags.manual", FT_BOOLEAN, 32,
3580 TFS(&flags_ace_sra_info_manual), 0x00010000, NULL, HFILL }},
3581
3582 { &hf_nt_ace_sra_flags_policy_derived,
3583 { "Policy Derived", "nt.ace.sra.flags.policy_derived", FT_BOOLEAN, 32,
3584 TFS(&flags_ace_sra_info_policy_derived), 0x00020000, NULL, HFILL }},
3585
3586 { &hf_nt_ace_sra_flags_non_inheritable,
3587 { "Non-Inheritable", "nt.ace.sra.flags.non_inheritable", FT_BOOLEAN, 32,
3588 TFS(&flags_ace_sra_info_non_inheritable), 0x00000001, NULL, HFILL }},
3589
3590 { &hf_nt_ace_sra_flags_case_sensitive,
3591 { "Case Sensitive", "nt.ace.sra.flags.case_sensitive", FT_BOOLEAN, 32,
3592 TFS(&flags_ace_sra_info_case_sensitive), 0x00000002, NULL, HFILL }},
3593
3594 { &hf_nt_ace_sra_flags_deny_only,
3595 { "Deny Only", "nt.ace.sra.flags.deny_only", FT_BOOLEAN, 32,
3596 TFS(&flags_ace_sra_info_deny_only), 0x00000004, NULL, HFILL }},
3597
3598 { &hf_nt_ace_sra_flags_disabled_by_default,
3599 { "Disabled By Default", "nt.ace.sra.flags.disabled_by_default", FT_BOOLEAN, 32,
3600 TFS(&flags_ace_sra_info_disabled_by_default), 0x00000008, NULL, HFILL }},
3601
3602 { &hf_nt_ace_sra_flags_disabled,
3603 { "Disabled", "nt.ace.sra.flags.disabled", FT_BOOLEAN, 32,
3604 TFS(&flags_ace_sra_info_disabled), 0x00000010, NULL, HFILL }},
3605
3606 { &hf_nt_ace_sra_flags_mandatory,
3607 { "Mandatory", "nt.ace.sra.flags.mandatory", FT_BOOLEAN, 32,
3608 TFS(&flags_ace_sra_info_mandatory), 0x00000020, NULL, HFILL }},
3609
3610 { &hf_nt_ace_sra_value_count,
3611 { "Value Count", "nt.ace.sra.value_count", FT_UINT32, BASE_DEC, NULL, 0,
3612 "Value Count of Resource Attribute", HFILL }},
3613
3614 { &hf_nt_ace_sra_value_offset,
3615 { "Value Offset", "nt.ace.sra.name_offset", FT_UINT32, BASE_DEC, NULL, 0,
3616 "Offset to a Resource Attribute Value", HFILL }},
3617
3618 { &hf_nt_ace_sra_value_int64,
3619 { "INT64", "nt.ace.sra.value_int64", FT_INT64, BASE_DEC, NULL, 0,
3620 NULL, HFILL }},
3621
3622 { &hf_nt_ace_sra_value_uint64,
3623 { "UINT64", "nt.ace.sra.value_uint64", FT_UINT64, BASE_DEC, NULL, 0,
3624 NULL, HFILL }},
3625
3626 { &hf_nt_ace_sra_value_string,
3627 { "STRING", "nt.ace.sra.value_string", FT_STRING, BASE_NONE,
3628 NULL, 0, NULL, HFILL }},
3629
3630 { &hf_nt_ace_sra_value_sid,
3631 { "SID", "nt.ace.sra.value_sid", FT_STRING, BASE_NONE,
3632 NULL, 0, NULL, HFILL }},
3633
3634 { &hf_nt_ace_sra_value_boolean,
3635 { "BOOLEAN", "nt.ace.sra.value_boolean", FT_UINT64, BASE_DEC,
3636 NULL, 0, NULL, HFILL }},
3637
3638 { &hf_nt_ace_sra_value_octet_string,
3639 { "OCTET_STRING", "nt.ace.sra.value_octet_string", FT_BYTES, BASE_NONE,
3640 NULL, 0x0, NULL, HFILL }},
3641
3642 { &hf_nt_security_information_sacl,
3643 { "SACL", "nt.sec_info.sacl", FT_BOOLEAN, 32,
3644 TFS(&flags_sec_info_sacl), 0x00000008, NULL, HFILL }},
3645
3646 { &hf_nt_security_information_dacl,
3647 { "DACL", "nt.sec_info.dacl", FT_BOOLEAN, 32,
3648 TFS(&flags_sec_info_dacl), 0x00000004, NULL, HFILL }},
3649
3650 { &hf_nt_security_information_group,
3651 { "Group", "nt.sec_info.group", FT_BOOLEAN, 32,
3652 TFS(&flags_sec_info_group), 0x00000002, NULL, HFILL }},
3653
3654 { &hf_nt_security_information_owner,
3655 { "Owner", "nt.sec_info.owner", FT_BOOLEAN, 32,
3656 TFS(&flags_sec_info_owner), 0x00000001, NULL, HFILL }},
3657
3658 /* Generated from convert_proto_tree_add_text.pl */
3659 { &hf_nt_ace_flags_object, { "ACE Object Flags", "nt.ace.object.flags", FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL }},
3660 { &hf_nt_ace_flags, { "NT ACE Flags", "nt.ace.flags", FT_UINT8, BASE_HEX, NULL, 0x0, NULL, HFILL }},
3661 { &hf_nt_sec_desc_type, { "Type", "nt.sec_desc.type", FT_UINT16, BASE_HEX, NULL, 0x0, NULL, HFILL }},
3662 { &hf_nt_security_information, { "SEC INFO", "nt.sec_info", FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL }},
3663 { &hf_nt_offset_to_owner_sid, { "Offset to owner SID", "nt.offset_to_owner_sid", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
3664 { &hf_nt_offset_to_group_sid, { "Offset to group SID", "nt.offset_to_group_sid", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
3665 { &hf_nt_offset_to_sacl, { "Offset to SACL", "nt.offset_to_sacl", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
3666 { &hf_nt_offset_to_dacl, { "Offset to DACL", "nt.offset_to_dacl", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
3667 };
3668
3669 static int *ett[] = {
3670 &ett_nt_sec_desc,
3671 &ett_nt_sec_desc_type,
3672 &ett_nt_sid,
3673 &ett_nt_acl,
3674 &ett_nt_ace,
3675 &ett_nt_ace_flags,
3676 &ett_nt_ace_object,
3677 &ett_nt_ace_object_flags,
3678 &ett_nt_access_mask,
3679 &ett_nt_access_mask_generic,
3680 &ett_nt_access_mask_standard,
3681 &ett_nt_access_mask_specific,
3682 &ett_nt_security_information,
3683 &ett_nt_ace_cond,
3684 &ett_nt_ace_cond_data,
3685 &ett_nt_ace_sra,
3686 &ett_nt_ace_sra_flags,
3687 &ett_nt_ace_sra_value_offsets,
3688 &ett_nt_ace_sra_values,
3689 };
3690
3691 static ei_register_info ei[] = {
3692 { &ei_nt_ace_extends_beyond_data, { "nt.ace_extends_beyond_data", PI_MALFORMED, PI_ERROR, "ACE Extends beyond end of data", EXPFILL }},
3693 { &ei_nt_ace_extends_beyond_reassembled_data, { "nt.ace_extends_beyond_reassembled_data", PI_MALFORMED, PI_ERROR, "ACE Extends beyond end of reassembled data", EXPFILL }},
3694 { &ei_nt_owner_sid_beyond_data, { "nt.owner_sid.beyond_data", PI_MALFORMED, PI_ERROR, "Owner SID beyond end of data", EXPFILL }},
3695 { &ei_nt_owner_sid_beyond_reassembled_data, { "nt.owner_sid.beyond_reassembled_data", PI_MALFORMED, PI_ERROR, "Owner SID beyond end of reassembled data", EXPFILL }},
3696 { &ei_nt_group_sid_beyond_data, { "nt.group_sid.beyond_data", PI_MALFORMED, PI_ERROR, "Group SID beyond end of data", EXPFILL }},
3697 { &ei_nt_group_sid_beyond_reassembled_data, { "nt.group_sid.beyond_reassembled_data", PI_MALFORMED, PI_ERROR, "Group SID beyond end of reassembled data", EXPFILL }},
3698 { &ei_nt_item_offs_out_of_range, { "nt.item_offset.out_of_range", PI_MALFORMED, PI_ERROR, "Item offset is out of range", EXPFILL }},
3699 };
3700
3701 expert_module_t* expert_nt;
3702
3703 proto_register_subtree_array(ett, array_length(ett));
3704 proto_register_field_array(proto_smb, hf, array_length(hf));
3705 expert_nt = expert_register_protocol(proto_smb);
3706 expert_register_field_array(expert_nt, ei, array_length(ei));
3707 }
3708
3709 /*
3710 * Editor modelines - https://www.wireshark.org/tools/modelines.html
3711 *
3712 * Local variables:
3713 * c-basic-offset: 8
3714 * tab-width: 8
3715 * indent-tabs-mode: t
3716 * End:
3717 *
3718 * vi: set shiftwidth=8 tabstop=8 noexpandtab:
3719 * :indentSize=8:tabSize=8:noTabs=false:
3720 */
Metzes wireshark repo