epan/dissectors/packet-dcerpc-efs.c

   1 /* DO NOT EDIT
   2         This file was automatically generated by Pidl
   3         from efs.idl and efs.cnf.
   4
   5         Pidl is a perl based IDL compiler for DCE/RPC idl files.
   6         It is maintained by the Samba team, not the Wireshark team.
   7         Instructions on how to download and install Pidl can be
   8         found at https://wiki.wireshark.org/Pidl
   9 */
  10
  11
  12 #include "config.h"
  13 #include <string.h>
  14 #include <wsutil/array.h>
  15 #include <epan/packet.h>
  16 #include <epan/tfs.h>
  17
  18 #include "packet-dcerpc.h"
  19 #include "packet-dcerpc-nt.h"
  20 #include "packet-windows-common.h"
  21 #include "packet-dcerpc-efs.h"
  22 void proto_register_dcerpc_efs(void);
  23 void proto_reg_handoff_dcerpc_efs(void);
  24
  25 /* Ett declarations */
  26 static int ett_dcerpc_efs;
  27 static int ett_efs_EFS_HASH_BLOB;
  28 static int ett_efs_ENCRYPTION_CERTIFICATE_HASH;
  29 static int ett_efs_ENCRYPTION_CERTIFICATE_HASH_LIST;
  30 static int ett_efs_EFS_CERTIFICATE_BLOB;
  31 static int ett_efs_ENCRYPTION_CERTIFICATE;
  32
  33
  34 /* Header field declarations */
  35 static int hf_efs_EFS_CERTIFICATE_BLOB_cbData;
  36 static int hf_efs_EFS_CERTIFICATE_BLOB_dwCertEncodingType;
  37 static int hf_efs_EFS_CERTIFICATE_BLOB_pbData;
  38 static int hf_efs_EFS_HASH_BLOB_cbData;
  39 static int hf_efs_EFS_HASH_BLOB_pbData;
  40 static int hf_efs_ENCRYPTION_CERTIFICATE_HASH_LIST_nCert_Hash;
  41 static int hf_efs_ENCRYPTION_CERTIFICATE_HASH_LIST_pUsers;
  42 static int hf_efs_ENCRYPTION_CERTIFICATE_HASH_cbTotalLength;
  43 static int hf_efs_ENCRYPTION_CERTIFICATE_HASH_lpDisplayInformation;
  44 static int hf_efs_ENCRYPTION_CERTIFICATE_HASH_pHash;
  45 static int hf_efs_ENCRYPTION_CERTIFICATE_HASH_pUserSid;
  46 static int hf_efs_ENCRYPTION_CERTIFICATE_TotalLength;
  47 static int hf_efs_ENCRYPTION_CERTIFICATE_pCertBlob;
  48 static int hf_efs_ENCRYPTION_CERTIFICATE_pUserSid;
  49 static int hf_efs_EfsRpcAddUsersToFile_FileName;
  50 static int hf_efs_EfsRpcCloseRaw_pvContext;
  51 static int hf_efs_EfsRpcDecryptFileSrv_FileName;
  52 static int hf_efs_EfsRpcDecryptFileSrv_Reserved;
  53 static int hf_efs_EfsRpcEncryptFileSrv_Filename;
  54 static int hf_efs_EfsRpcOpenFileRaw_FileName;
  55 static int hf_efs_EfsRpcOpenFileRaw_Flags;
  56 static int hf_efs_EfsRpcOpenFileRaw_pvContext;
  57 static int hf_efs_EfsRpcQueryRecoveryAgents_FileName;
  58 static int hf_efs_EfsRpcQueryRecoveryAgents_pRecoveryAgents;
  59 static int hf_efs_EfsRpcQueryUsersOnFile_FileName;
  60 static int hf_efs_EfsRpcQueryUsersOnFile_pUsers;
  61 static int hf_efs_EfsRpcReadFileRaw_pvContext;
  62 static int hf_efs_EfsRpcRemoveUsersFromFile_FileName;
  63 static int hf_efs_EfsRpcSetFileEncryptionKey_pEncryptionCertificate;
  64 static int hf_efs_EfsRpcWriteFileRaw_pvContext;
  65 static int hf_efs_opnum;
  66 static int hf_efs_werror;
  67
  68 static int proto_dcerpc_efs;
  69 /* Version information */
  70
  71
  72 static e_guid_t uuid_dcerpc_efs = {
  73         0xc681d488, 0xd850, 0x11d0,
  74         { 0x8c, 0x52, 0x00, 0xc0, 0x4f, 0xd9, 0x0f, 0x7e }
  75 };
  76 static uint16_t ver_dcerpc_efs = 1;
  77
  78 static int efs_dissect_element_EFS_HASH_BLOB_cbData(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_);
  79 static int efs_dissect_element_EFS_HASH_BLOB_pbData(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_);
  80 static int efs_dissect_element_EFS_HASH_BLOB_pbData_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_);
  81 static int efs_dissect_element_EFS_HASH_BLOB_pbData__(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_);
  82 static int efs_dissect_element_ENCRYPTION_CERTIFICATE_HASH_cbTotalLength(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_);
  83 static int efs_dissect_element_ENCRYPTION_CERTIFICATE_HASH_pUserSid(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_);
  84 static int efs_dissect_element_ENCRYPTION_CERTIFICATE_HASH_pUserSid_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_);
  85 static int efs_dissect_element_ENCRYPTION_CERTIFICATE_HASH_pHash(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_);
  86 static int efs_dissect_element_ENCRYPTION_CERTIFICATE_HASH_pHash_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_);
  87 static int efs_dissect_element_ENCRYPTION_CERTIFICATE_HASH_lpDisplayInformation(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_);
  88 static int efs_dissect_element_ENCRYPTION_CERTIFICATE_HASH_lpDisplayInformation_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_);
  89 static int efs_dissect_element_ENCRYPTION_CERTIFICATE_HASH_LIST_nCert_Hash(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_);
  90 static int efs_dissect_element_ENCRYPTION_CERTIFICATE_HASH_LIST_pUsers(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_, struct ndr_generic_array *nga);
  91 static int efs_dissect_element_ENCRYPTION_CERTIFICATE_HASH_LIST_pUsers_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_);
  92 static int efs_dissect_element_ENCRYPTION_CERTIFICATE_HASH_LIST_pUsers__(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_);
  93 static int efs_dissect_conformant_ENCRYPTION_CERTIFICATE_HASH_LIST_pUsers(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_, struct ndr_generic_array *nga);
  94 static int efs_dissect_element_EFS_CERTIFICATE_BLOB_dwCertEncodingType(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_);
  95 static int efs_dissect_element_EFS_CERTIFICATE_BLOB_cbData(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_);
  96 static int efs_dissect_element_EFS_CERTIFICATE_BLOB_pbData(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_);
  97 static int efs_dissect_element_EFS_CERTIFICATE_BLOB_pbData_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_);
  98 static int efs_dissect_element_EFS_CERTIFICATE_BLOB_pbData__(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_);
  99 static int efs_dissect_element_ENCRYPTION_CERTIFICATE_TotalLength(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_);
 100 static int efs_dissect_element_ENCRYPTION_CERTIFICATE_pUserSid(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_);
 101 static int efs_dissect_element_ENCRYPTION_CERTIFICATE_pUserSid_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_);
 102 static int efs_dissect_element_ENCRYPTION_CERTIFICATE_pCertBlob(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_);
 103 static int efs_dissect_element_ENCRYPTION_CERTIFICATE_pCertBlob_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_);
 104 static int efs_dissect_element_EfsRpcOpenFileRaw_pvContext(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_);
 105 static int efs_dissect_element_EfsRpcOpenFileRaw_pvContext_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_);
 106 static int efs_dissect_element_EfsRpcOpenFileRaw_FileName(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_);
 107 static int efs_dissect_element_EfsRpcOpenFileRaw_Flags(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_);
 108 static int efs_dissect_element_EfsRpcReadFileRaw_pvContext(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_);
 109 static int efs_dissect_element_EfsRpcReadFileRaw_pvContext_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_);
 110 static int efs_dissect_element_EfsRpcWriteFileRaw_pvContext(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_);
 111 static int efs_dissect_element_EfsRpcWriteFileRaw_pvContext_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_);
 112 static int efs_dissect_element_EfsRpcCloseRaw_pvContext(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_);
 113 static int efs_dissect_element_EfsRpcCloseRaw_pvContext_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_);
 114 static int efs_dissect_element_EfsRpcEncryptFileSrv_Filename(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_);
 115 static int efs_dissect_element_EfsRpcDecryptFileSrv_FileName(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_);
 116 static int efs_dissect_element_EfsRpcDecryptFileSrv_Reserved(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_);
 117 static int efs_dissect_element_EfsRpcQueryUsersOnFile_FileName(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_);
 118 static int efs_dissect_element_EfsRpcQueryUsersOnFile_pUsers(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_);
 119 static int efs_dissect_element_EfsRpcQueryUsersOnFile_pUsers_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_);
 120 static int efs_dissect_element_EfsRpcQueryUsersOnFile_pUsers__(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_);
 121 static int efs_dissect_element_EfsRpcQueryRecoveryAgents_FileName(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_);
 122 static int efs_dissect_element_EfsRpcQueryRecoveryAgents_pRecoveryAgents(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_);
 123 static int efs_dissect_element_EfsRpcQueryRecoveryAgents_pRecoveryAgents_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_);
 124 static int efs_dissect_element_EfsRpcQueryRecoveryAgents_pRecoveryAgents__(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_);
 125 static int efs_dissect_element_EfsRpcRemoveUsersFromFile_FileName(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_);
 126 static int efs_dissect_element_EfsRpcAddUsersToFile_FileName(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_);
 127 static int efs_dissect_element_EfsRpcSetFileEncryptionKey_pEncryptionCertificate(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_);
 128 static int efs_dissect_element_EfsRpcSetFileEncryptionKey_pEncryptionCertificate_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_);
 129 static int
 130 efs_dissect_struct_dom_sid(tvbuff_t *tvb, int offset, packet_info *pinfo _U_, proto_tree *tree, dcerpc_info* di, uint8_t *drep _U_, int hf_index _U_, uint32_t param _U_)
 131 {
 132         if(di->conformant_run){
 133                 /* just a run to handle conformant arrays, no scalars to dissect */
 134                 return offset;
 135         }
 136         offset=dissect_nt_sid(tvb, offset, tree, "SID", NULL, -1);
 137         return offset;
 138 }
 139
 140
 141 /* IDL: struct { */
 142 /* IDL:         uint32 cbData; */
 143 /* IDL:         [size_is(cbData)] [unique(1)] uint8 *pbData; */
 144 /* IDL: } */
 145
 146 static int
 147 efs_dissect_element_EFS_HASH_BLOB_cbData(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
 148 {
 149         offset = PIDL_dissect_uint32(tvb, offset, pinfo, tree, di, drep, hf_efs_EFS_HASH_BLOB_cbData, 0);
 150
 151         return offset;
 152 }
 153
 154 static int
 155 efs_dissect_element_EFS_HASH_BLOB_pbData(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
 156 {
 157         offset = dissect_ndr_embedded_pointer(tvb, offset, pinfo, tree, di, drep, efs_dissect_element_EFS_HASH_BLOB_pbData_, NDR_POINTER_UNIQUE, "Pointer to PbData (uint8)",hf_efs_EFS_HASH_BLOB_pbData);
 158
 159         return offset;
 160 }
 161
 162 static int
 163 efs_dissect_element_EFS_HASH_BLOB_pbData_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
 164 {
 165         struct ndr_generic_array nga = { .is_conformant = false, };
 166
 167         offset = dissect_ndr_conformant_array_hdr(tvb, offset, pinfo, tree, di, drep, &nga);
 168
 169         offset = dissect_ndr_generic_array_bytes(tvb, offset, pinfo, tree, di, drep, &nga, efs_dissect_element_EFS_HASH_BLOB_pbData__);
 170
 171         return offset;
 172 }
 173
 174 static int
 175 efs_dissect_element_EFS_HASH_BLOB_pbData__(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
 176 {
 177         offset = PIDL_dissect_uint8(tvb, offset, pinfo, tree, di, drep, hf_efs_EFS_HASH_BLOB_pbData, 0);
 178
 179         return offset;
 180 }
 181
 182 int
 183 efs_dissect_struct_EFS_HASH_BLOB(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *parent_tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_, int hf_index _U_, uint32_t param _U_)
 184 {
 185         proto_item *item = NULL;
 186         proto_tree *tree = NULL;
 187         int old_offset;
 188
 189         ALIGN_TO_5_BYTES;
 190
 191         old_offset = offset;
 192
 193         if (parent_tree) {
 194                 item = proto_tree_add_item(parent_tree, hf_index, tvb, offset, -1, ENC_NA);
 195                 tree = proto_item_add_subtree(item, ett_efs_EFS_HASH_BLOB);
 196         }
 197
 198         offset = efs_dissect_element_EFS_HASH_BLOB_cbData(tvb, offset, pinfo, tree, di, drep);
 199
 200         offset = efs_dissect_element_EFS_HASH_BLOB_pbData(tvb, offset, pinfo, tree, di, drep);
 201
 202
 203         proto_item_set_len(item, offset-old_offset);
 204
 205
 206         if (di->call_data->flags & DCERPC_IS_NDR64) {
 207                 ALIGN_TO_5_BYTES;
 208         }
 209
 210         return offset;
 211 }
 212
 213
 214 /* IDL: struct { */
 215 /* IDL:         uint32 cbTotalLength; */
 216 /* IDL:         [unique(1)] dom_sid *pUserSid; */
 217 /* IDL:         [unique(1)] EFS_HASH_BLOB *pHash; */
 218 /* IDL:         [charset(UTF16)] [unique(1)] uint16 *lpDisplayInformation; */
 219 /* IDL: } */
 220
 221 static int
 222 efs_dissect_element_ENCRYPTION_CERTIFICATE_HASH_cbTotalLength(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
 223 {
 224         offset = PIDL_dissect_uint32(tvb, offset, pinfo, tree, di, drep, hf_efs_ENCRYPTION_CERTIFICATE_HASH_cbTotalLength, 0);
 225
 226         return offset;
 227 }
 228
 229 static int
 230 efs_dissect_element_ENCRYPTION_CERTIFICATE_HASH_pUserSid(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
 231 {
 232         offset = dissect_ndr_embedded_pointer(tvb, offset, pinfo, tree, di, drep, efs_dissect_element_ENCRYPTION_CERTIFICATE_HASH_pUserSid_, NDR_POINTER_UNIQUE, "Pointer to PUserSid (dom_sid)",hf_efs_ENCRYPTION_CERTIFICATE_HASH_pUserSid);
 233
 234         return offset;
 235 }
 236
 237 static int
 238 efs_dissect_element_ENCRYPTION_CERTIFICATE_HASH_pUserSid_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
 239 {
 240         offset = efs_dissect_struct_dom_sid(tvb,offset,pinfo,tree,di,drep,hf_efs_ENCRYPTION_CERTIFICATE_HASH_pUserSid,0);
 241
 242         return offset;
 243 }
 244
 245 static int
 246 efs_dissect_element_ENCRYPTION_CERTIFICATE_HASH_pHash(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
 247 {
 248         offset = dissect_ndr_embedded_pointer(tvb, offset, pinfo, tree, di, drep, efs_dissect_element_ENCRYPTION_CERTIFICATE_HASH_pHash_, NDR_POINTER_UNIQUE, "Pointer to PHash (EFS_HASH_BLOB)",hf_efs_ENCRYPTION_CERTIFICATE_HASH_pHash);
 249
 250         return offset;
 251 }
 252
 253 static int
 254 efs_dissect_element_ENCRYPTION_CERTIFICATE_HASH_pHash_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
 255 {
 256         offset = efs_dissect_struct_EFS_HASH_BLOB(tvb,offset,pinfo,tree,di,drep,hf_efs_ENCRYPTION_CERTIFICATE_HASH_pHash,0);
 257
 258         return offset;
 259 }
 260
 261 static int
 262 efs_dissect_element_ENCRYPTION_CERTIFICATE_HASH_lpDisplayInformation(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
 263 {
 264         offset = dissect_ndr_embedded_pointer(tvb, offset, pinfo, tree, di, drep, efs_dissect_element_ENCRYPTION_CERTIFICATE_HASH_lpDisplayInformation_, NDR_POINTER_UNIQUE, "Pointer to LpDisplayInformation (uint16)",hf_efs_ENCRYPTION_CERTIFICATE_HASH_lpDisplayInformation);
 265
 266         return offset;
 267 }
 268
 269 static int
 270 efs_dissect_element_ENCRYPTION_CERTIFICATE_HASH_lpDisplayInformation_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
 271 {
 272         char *data = NULL;
 273         struct ndr_generic_array nga = { .is_conformant = false, };
 274
 275         offset = dissect_ndr_conformant_array_hdr(tvb, offset, pinfo, tree, di, drep, &nga);
 276
 277         offset = dissect_ndr_varying_array_hdr(tvb, offset, pinfo, tree, di, drep, &nga);
 278         offset = dissect_ndr_generic_array_string(tvb, offset, pinfo, tree, di, drep, sizeof(uint16_t), hf_efs_ENCRYPTION_CERTIFICATE_HASH_lpDisplayInformation, false, &nga, &data);
 279         proto_item_append_text(tree, ": %s", data);
 280
 281         return offset;
 282 }
 283
 284 int
 285 efs_dissect_struct_ENCRYPTION_CERTIFICATE_HASH(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *parent_tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_, int hf_index _U_, uint32_t param _U_)
 286 {
 287         proto_item *item = NULL;
 288         proto_tree *tree = NULL;
 289         int old_offset;
 290
 291         ALIGN_TO_5_BYTES;
 292
 293         old_offset = offset;
 294
 295         if (parent_tree) {
 296                 item = proto_tree_add_item(parent_tree, hf_index, tvb, offset, -1, ENC_NA);
 297                 tree = proto_item_add_subtree(item, ett_efs_ENCRYPTION_CERTIFICATE_HASH);
 298         }
 299
 300         offset = efs_dissect_element_ENCRYPTION_CERTIFICATE_HASH_cbTotalLength(tvb, offset, pinfo, tree, di, drep);
 301
 302         offset = efs_dissect_element_ENCRYPTION_CERTIFICATE_HASH_pUserSid(tvb, offset, pinfo, tree, di, drep);
 303
 304         offset = efs_dissect_element_ENCRYPTION_CERTIFICATE_HASH_pHash(tvb, offset, pinfo, tree, di, drep);
 305
 306         offset = efs_dissect_element_ENCRYPTION_CERTIFICATE_HASH_lpDisplayInformation(tvb, offset, pinfo, tree, di, drep);
 307
 308
 309         proto_item_set_len(item, offset-old_offset);
 310
 311
 312         if (di->call_data->flags & DCERPC_IS_NDR64) {
 313                 ALIGN_TO_5_BYTES;
 314         }
 315
 316         return offset;
 317 }
 318
 319
 320 /* IDL: struct { */
 321 /* IDL:         uint32 nCert_Hash; */
 322 /* IDL:         [size_is(nCert_Hash)] [unique(1)] ENCRYPTION_CERTIFICATE_HASH *pUsers[*]; */
 323 /* IDL: } */
 324
 325 static int
 326 efs_dissect_element_ENCRYPTION_CERTIFICATE_HASH_LIST_nCert_Hash(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
 327 {
 328         offset = PIDL_dissect_uint32(tvb, offset, pinfo, tree, di, drep, hf_efs_ENCRYPTION_CERTIFICATE_HASH_LIST_nCert_Hash, 0);
 329
 330         return offset;
 331 }
 332
 333 static int
 334 efs_dissect_element_ENCRYPTION_CERTIFICATE_HASH_LIST_pUsers(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_, struct ndr_generic_array *nga)
 335 {
 336
 337         offset = dissect_ndr_generic_array_bytes(tvb, offset, pinfo, tree, di, drep, nga, efs_dissect_element_ENCRYPTION_CERTIFICATE_HASH_LIST_pUsers_);
 338
 339         return offset;
 340 }
 341
 342 static int
 343 efs_dissect_element_ENCRYPTION_CERTIFICATE_HASH_LIST_pUsers_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
 344 {
 345         offset = dissect_ndr_embedded_pointer(tvb, offset, pinfo, tree, di, drep, efs_dissect_element_ENCRYPTION_CERTIFICATE_HASH_LIST_pUsers__, NDR_POINTER_UNIQUE, "Pointer to PUsers (ENCRYPTION_CERTIFICATE_HASH)",hf_efs_ENCRYPTION_CERTIFICATE_HASH_LIST_pUsers);
 346
 347         return offset;
 348 }
 349
 350 static int
 351 efs_dissect_element_ENCRYPTION_CERTIFICATE_HASH_LIST_pUsers__(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
 352 {
 353         offset = efs_dissect_struct_ENCRYPTION_CERTIFICATE_HASH(tvb,offset,pinfo,tree,di,drep,hf_efs_ENCRYPTION_CERTIFICATE_HASH_LIST_pUsers,0);
 354
 355         return offset;
 356 }
 357
 358 static int
 359 efs_dissect_conformant_ENCRYPTION_CERTIFICATE_HASH_LIST_pUsers(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_, struct ndr_generic_array *nga)
 360 {
 361         offset = dissect_ndr_conformant_array_hdr(tvb, offset, pinfo, tree, di, drep, nga);
 362
 363         return offset;
 364 }
 365
 366 int
 367 efs_dissect_struct_ENCRYPTION_CERTIFICATE_HASH_LIST(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *parent_tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_, int hf_index _U_, uint32_t param _U_)
 368 {
 369         struct ndr_generic_array nga_pUsers = { .is_conformant = false, };
 370         proto_item *item = NULL;
 371         proto_tree *tree = NULL;
 372         int old_offset;
 373
 374         offset = efs_dissect_conformant_ENCRYPTION_CERTIFICATE_HASH_LIST_pUsers(tvb, offset, pinfo, parent_tree, di, drep, &nga_pUsers);
 375
 376         ALIGN_TO_5_BYTES;
 377
 378         old_offset = offset;
 379
 380         if (parent_tree) {
 381                 item = proto_tree_add_item(parent_tree, hf_index, tvb, offset, -1, ENC_NA);
 382                 tree = proto_item_add_subtree(item, ett_efs_ENCRYPTION_CERTIFICATE_HASH_LIST);
 383         }
 384
 385         offset = efs_dissect_element_ENCRYPTION_CERTIFICATE_HASH_LIST_nCert_Hash(tvb, offset, pinfo, tree, di, drep);
 386
 387         offset = efs_dissect_element_ENCRYPTION_CERTIFICATE_HASH_LIST_pUsers(tvb, offset, pinfo, tree, di, drep, &nga_pUsers);
 388
 389
 390         proto_item_set_len(item, offset-old_offset);
 391
 392
 393         return offset;
 394 }
 395
 396
 397 /* IDL: struct { */
 398 /* IDL:         uint32 dwCertEncodingType; */
 399 /* IDL:         uint32 cbData; */
 400 /* IDL:         [size_is(cbData)] [unique(1)] uint8 *pbData; */
 401 /* IDL: } */
 402
 403 static int
 404 efs_dissect_element_EFS_CERTIFICATE_BLOB_dwCertEncodingType(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
 405 {
 406         offset = PIDL_dissect_uint32(tvb, offset, pinfo, tree, di, drep, hf_efs_EFS_CERTIFICATE_BLOB_dwCertEncodingType, 0);
 407
 408         return offset;
 409 }
 410
 411 static int
 412 efs_dissect_element_EFS_CERTIFICATE_BLOB_cbData(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
 413 {
 414         offset = PIDL_dissect_uint32(tvb, offset, pinfo, tree, di, drep, hf_efs_EFS_CERTIFICATE_BLOB_cbData, 0);
 415
 416         return offset;
 417 }
 418
 419 static int
 420 efs_dissect_element_EFS_CERTIFICATE_BLOB_pbData(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
 421 {
 422         offset = dissect_ndr_embedded_pointer(tvb, offset, pinfo, tree, di, drep, efs_dissect_element_EFS_CERTIFICATE_BLOB_pbData_, NDR_POINTER_UNIQUE, "Pointer to PbData (uint8)",hf_efs_EFS_CERTIFICATE_BLOB_pbData);
 423
 424         return offset;
 425 }
 426
 427 static int
 428 efs_dissect_element_EFS_CERTIFICATE_BLOB_pbData_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
 429 {
 430         struct ndr_generic_array nga = { .is_conformant = false, };
 431
 432         offset = dissect_ndr_conformant_array_hdr(tvb, offset, pinfo, tree, di, drep, &nga);
 433
 434         offset = dissect_ndr_generic_array_bytes(tvb, offset, pinfo, tree, di, drep, &nga, efs_dissect_element_EFS_CERTIFICATE_BLOB_pbData__);
 435
 436         return offset;
 437 }
 438
 439 static int
 440 efs_dissect_element_EFS_CERTIFICATE_BLOB_pbData__(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
 441 {
 442         offset = PIDL_dissect_uint8(tvb, offset, pinfo, tree, di, drep, hf_efs_EFS_CERTIFICATE_BLOB_pbData, 0);
 443
 444         return offset;
 445 }
 446
 447 int
 448 efs_dissect_struct_EFS_CERTIFICATE_BLOB(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *parent_tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_, int hf_index _U_, uint32_t param _U_)
 449 {
 450         proto_item *item = NULL;
 451         proto_tree *tree = NULL;
 452         int old_offset;
 453
 454         ALIGN_TO_5_BYTES;
 455
 456         old_offset = offset;
 457
 458         if (parent_tree) {
 459                 item = proto_tree_add_item(parent_tree, hf_index, tvb, offset, -1, ENC_NA);
 460                 tree = proto_item_add_subtree(item, ett_efs_EFS_CERTIFICATE_BLOB);
 461         }
 462
 463         offset = efs_dissect_element_EFS_CERTIFICATE_BLOB_dwCertEncodingType(tvb, offset, pinfo, tree, di, drep);
 464
 465         offset = efs_dissect_element_EFS_CERTIFICATE_BLOB_cbData(tvb, offset, pinfo, tree, di, drep);
 466
 467         offset = efs_dissect_element_EFS_CERTIFICATE_BLOB_pbData(tvb, offset, pinfo, tree, di, drep);
 468
 469
 470         proto_item_set_len(item, offset-old_offset);
 471
 472
 473         if (di->call_data->flags & DCERPC_IS_NDR64) {
 474                 ALIGN_TO_5_BYTES;
 475         }
 476
 477         return offset;
 478 }
 479
 480
 481 /* IDL: struct { */
 482 /* IDL:         uint32 TotalLength; */
 483 /* IDL:         [unique(1)] dom_sid *pUserSid; */
 484 /* IDL:         [unique(1)] EFS_CERTIFICATE_BLOB *pCertBlob; */
 485 /* IDL: } */
 486
 487 static int
 488 efs_dissect_element_ENCRYPTION_CERTIFICATE_TotalLength(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
 489 {
 490         offset = PIDL_dissect_uint32(tvb, offset, pinfo, tree, di, drep, hf_efs_ENCRYPTION_CERTIFICATE_TotalLength, 0);
 491
 492         return offset;
 493 }
 494
 495 static int
 496 efs_dissect_element_ENCRYPTION_CERTIFICATE_pUserSid(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
 497 {
 498         offset = dissect_ndr_embedded_pointer(tvb, offset, pinfo, tree, di, drep, efs_dissect_element_ENCRYPTION_CERTIFICATE_pUserSid_, NDR_POINTER_UNIQUE, "Pointer to PUserSid (dom_sid)",hf_efs_ENCRYPTION_CERTIFICATE_pUserSid);
 499
 500         return offset;
 501 }
 502
 503 static int
 504 efs_dissect_element_ENCRYPTION_CERTIFICATE_pUserSid_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
 505 {
 506         offset = efs_dissect_struct_dom_sid(tvb,offset,pinfo,tree,di,drep,hf_efs_ENCRYPTION_CERTIFICATE_pUserSid,0);
 507
 508         return offset;
 509 }
 510
 511 static int
 512 efs_dissect_element_ENCRYPTION_CERTIFICATE_pCertBlob(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
 513 {
 514         offset = dissect_ndr_embedded_pointer(tvb, offset, pinfo, tree, di, drep, efs_dissect_element_ENCRYPTION_CERTIFICATE_pCertBlob_, NDR_POINTER_UNIQUE, "Pointer to PCertBlob (EFS_CERTIFICATE_BLOB)",hf_efs_ENCRYPTION_CERTIFICATE_pCertBlob);
 515
 516         return offset;
 517 }
 518
 519 static int
 520 efs_dissect_element_ENCRYPTION_CERTIFICATE_pCertBlob_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
 521 {
 522         offset = efs_dissect_struct_EFS_CERTIFICATE_BLOB(tvb,offset,pinfo,tree,di,drep,hf_efs_ENCRYPTION_CERTIFICATE_pCertBlob,0);
 523
 524         return offset;
 525 }
 526
 527 int
 528 efs_dissect_struct_ENCRYPTION_CERTIFICATE(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *parent_tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_, int hf_index _U_, uint32_t param _U_)
 529 {
 530         proto_item *item = NULL;
 531         proto_tree *tree = NULL;
 532         int old_offset;
 533
 534         ALIGN_TO_5_BYTES;
 535
 536         old_offset = offset;
 537
 538         if (parent_tree) {
 539                 item = proto_tree_add_item(parent_tree, hf_index, tvb, offset, -1, ENC_NA);
 540                 tree = proto_item_add_subtree(item, ett_efs_ENCRYPTION_CERTIFICATE);
 541         }
 542
 543         offset = efs_dissect_element_ENCRYPTION_CERTIFICATE_TotalLength(tvb, offset, pinfo, tree, di, drep);
 544
 545         offset = efs_dissect_element_ENCRYPTION_CERTIFICATE_pUserSid(tvb, offset, pinfo, tree, di, drep);
 546
 547         offset = efs_dissect_element_ENCRYPTION_CERTIFICATE_pCertBlob(tvb, offset, pinfo, tree, di, drep);
 548
 549
 550         proto_item_set_len(item, offset-old_offset);
 551
 552
 553         if (di->call_data->flags & DCERPC_IS_NDR64) {
 554                 ALIGN_TO_5_BYTES;
 555         }
 556
 557         return offset;
 558 }
 559
 560 static int
 561 efs_dissect_element_EfsRpcOpenFileRaw_pvContext(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
 562 {
 563         offset = dissect_ndr_toplevel_pointer(tvb, offset, pinfo, tree, di, drep, efs_dissect_element_EfsRpcOpenFileRaw_pvContext_, NDR_POINTER_REF, "Pointer to PvContext (policy_handle)",hf_efs_EfsRpcOpenFileRaw_pvContext);
 564
 565         return offset;
 566 }
 567
 568 static int
 569 efs_dissect_element_EfsRpcOpenFileRaw_pvContext_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
 570 {
 571         offset = PIDL_dissect_policy_hnd(tvb, offset, pinfo, tree, di, drep, hf_efs_EfsRpcOpenFileRaw_pvContext, PIDL_POLHND_OPEN);
 572
 573         return offset;
 574 }
 575
 576 static int
 577 efs_dissect_element_EfsRpcOpenFileRaw_FileName(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
 578 {
 579         char *data = NULL;
 580         struct ndr_generic_array nga = { .is_conformant = false, };
 581
 582         offset = dissect_ndr_conformant_array_hdr(tvb, offset, pinfo, tree, di, drep, &nga);
 583
 584         offset = dissect_ndr_varying_array_hdr(tvb, offset, pinfo, tree, di, drep, &nga);
 585         offset = dissect_ndr_generic_array_string(tvb, offset, pinfo, tree, di, drep, sizeof(uint16_t), hf_efs_EfsRpcOpenFileRaw_FileName, false, &nga, &data);
 586         proto_item_append_text(tree, ": %s", data);
 587
 588         return offset;
 589 }
 590
 591 static int
 592 efs_dissect_element_EfsRpcOpenFileRaw_Flags(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
 593 {
 594         offset = PIDL_dissect_uint32(tvb, offset, pinfo, tree, di, drep, hf_efs_EfsRpcOpenFileRaw_Flags, 0);
 595
 596         return offset;
 597 }
 598
 599 /* IDL: WERROR EfsRpcOpenFileRaw( */
 600 /* IDL: [out] [ref] policy_handle *pvContext, */
 601 /* IDL: [charset(UTF16)] [in] uint16 FileName[*], */
 602 /* IDL: [in] uint32 Flags */
 603 /* IDL: ); */
 604
 605 static int
 606 efs_dissect_EfsRpcOpenFileRaw_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
 607 {
 608         uint32_t status;
 609
 610         di->dcerpc_procedure_name="EfsRpcOpenFileRaw";
 611         offset = efs_dissect_element_EfsRpcOpenFileRaw_pvContext(tvb, offset, pinfo, tree, di, drep);
 612         offset = dissect_deferred_pointers(pinfo, tvb, offset, di, drep);
 613
 614         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep, hf_efs_werror, &status);
 615
 616         if (status != 0)
 617                 col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str_ext(status, &WERR_errors_ext, "Unknown DOS error 0x%08x"));
 618
 619         return offset;
 620 }
 621
 622 static int
 623 efs_dissect_EfsRpcOpenFileRaw_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
 624 {
 625         di->dcerpc_procedure_name="EfsRpcOpenFileRaw";
 626         offset = efs_dissect_element_EfsRpcOpenFileRaw_FileName(tvb, offset, pinfo, tree, di, drep);
 627         offset = dissect_deferred_pointers(pinfo, tvb, offset, di, drep);
 628         offset = efs_dissect_element_EfsRpcOpenFileRaw_Flags(tvb, offset, pinfo, tree, di, drep);
 629         offset = dissect_deferred_pointers(pinfo, tvb, offset, di, drep);
 630         return offset;
 631 }
 632
 633 static int
 634 efs_dissect_element_EfsRpcReadFileRaw_pvContext(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
 635 {
 636         offset = dissect_ndr_toplevel_pointer(tvb, offset, pinfo, tree, di, drep, efs_dissect_element_EfsRpcReadFileRaw_pvContext_, NDR_POINTER_REF, "Pointer to PvContext (policy_handle)",hf_efs_EfsRpcReadFileRaw_pvContext);
 637
 638         return offset;
 639 }
 640
 641 static int
 642 efs_dissect_element_EfsRpcReadFileRaw_pvContext_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
 643 {
 644         offset = PIDL_dissect_policy_hnd(tvb, offset, pinfo, tree, di, drep, hf_efs_EfsRpcReadFileRaw_pvContext, 0);
 645
 646         return offset;
 647 }
 648
 649 /* IDL: WERROR EfsRpcReadFileRaw( */
 650 /* IDL: [in] [ref] policy_handle *pvContext */
 651 /* IDL: ); */
 652
 653 static int
 654 efs_dissect_EfsRpcReadFileRaw_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
 655 {
 656         uint32_t status;
 657
 658         di->dcerpc_procedure_name="EfsRpcReadFileRaw";
 659         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep, hf_efs_werror, &status);
 660
 661         if (status != 0)
 662                 col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str_ext(status, &WERR_errors_ext, "Unknown DOS error 0x%08x"));
 663
 664         return offset;
 665 }
 666
 667 static int
 668 efs_dissect_EfsRpcReadFileRaw_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
 669 {
 670         di->dcerpc_procedure_name="EfsRpcReadFileRaw";
 671         offset = efs_dissect_element_EfsRpcReadFileRaw_pvContext(tvb, offset, pinfo, tree, di, drep);
 672         offset = dissect_deferred_pointers(pinfo, tvb, offset, di, drep);
 673         return offset;
 674 }
 675
 676 static int
 677 efs_dissect_element_EfsRpcWriteFileRaw_pvContext(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
 678 {
 679         offset = dissect_ndr_toplevel_pointer(tvb, offset, pinfo, tree, di, drep, efs_dissect_element_EfsRpcWriteFileRaw_pvContext_, NDR_POINTER_REF, "Pointer to PvContext (policy_handle)",hf_efs_EfsRpcWriteFileRaw_pvContext);
 680
 681         return offset;
 682 }
 683
 684 static int
 685 efs_dissect_element_EfsRpcWriteFileRaw_pvContext_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
 686 {
 687         offset = PIDL_dissect_policy_hnd(tvb, offset, pinfo, tree, di, drep, hf_efs_EfsRpcWriteFileRaw_pvContext, 0);
 688
 689         return offset;
 690 }
 691
 692 /* IDL: WERROR EfsRpcWriteFileRaw( */
 693 /* IDL: [in] [ref] policy_handle *pvContext */
 694 /* IDL: ); */
 695
 696 static int
 697 efs_dissect_EfsRpcWriteFileRaw_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
 698 {
 699         uint32_t status;
 700
 701         di->dcerpc_procedure_name="EfsRpcWriteFileRaw";
 702         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep, hf_efs_werror, &status);
 703
 704         if (status != 0)
 705                 col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str_ext(status, &WERR_errors_ext, "Unknown DOS error 0x%08x"));
 706
 707         return offset;
 708 }
 709
 710 static int
 711 efs_dissect_EfsRpcWriteFileRaw_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
 712 {
 713         di->dcerpc_procedure_name="EfsRpcWriteFileRaw";
 714         offset = efs_dissect_element_EfsRpcWriteFileRaw_pvContext(tvb, offset, pinfo, tree, di, drep);
 715         offset = dissect_deferred_pointers(pinfo, tvb, offset, di, drep);
 716         return offset;
 717 }
 718
 719 static int
 720 efs_dissect_element_EfsRpcCloseRaw_pvContext(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
 721 {
 722         offset = dissect_ndr_toplevel_pointer(tvb, offset, pinfo, tree, di, drep, efs_dissect_element_EfsRpcCloseRaw_pvContext_, NDR_POINTER_REF, "Pointer to PvContext (policy_handle)",hf_efs_EfsRpcCloseRaw_pvContext);
 723
 724         return offset;
 725 }
 726
 727 static int
 728 efs_dissect_element_EfsRpcCloseRaw_pvContext_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
 729 {
 730         offset = PIDL_dissect_policy_hnd(tvb, offset, pinfo, tree, di, drep, hf_efs_EfsRpcCloseRaw_pvContext, PIDL_POLHND_CLOSE);
 731
 732         return offset;
 733 }
 734
 735 /* IDL: void EfsRpcCloseRaw( */
 736 /* IDL: [in] [out] [ref] policy_handle *pvContext */
 737 /* IDL: ); */
 738
 739 static int
 740 efs_dissect_EfsRpcCloseRaw_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
 741 {
 742         di->dcerpc_procedure_name="EfsRpcCloseRaw";
 743         offset = efs_dissect_element_EfsRpcCloseRaw_pvContext(tvb, offset, pinfo, tree, di, drep);
 744         offset = dissect_deferred_pointers(pinfo, tvb, offset, di, drep);
 745
 746         return offset;
 747 }
 748
 749 static int
 750 efs_dissect_EfsRpcCloseRaw_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
 751 {
 752         di->dcerpc_procedure_name="EfsRpcCloseRaw";
 753         offset = efs_dissect_element_EfsRpcCloseRaw_pvContext(tvb, offset, pinfo, tree, di, drep);
 754         offset = dissect_deferred_pointers(pinfo, tvb, offset, di, drep);
 755         return offset;
 756 }
 757
 758 static int
 759 efs_dissect_element_EfsRpcEncryptFileSrv_Filename(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
 760 {
 761         char *data = NULL;
 762         struct ndr_generic_array nga = { .is_conformant = false, };
 763
 764         offset = dissect_ndr_conformant_array_hdr(tvb, offset, pinfo, tree, di, drep, &nga);
 765
 766         offset = dissect_ndr_varying_array_hdr(tvb, offset, pinfo, tree, di, drep, &nga);
 767         offset = dissect_ndr_generic_array_string(tvb, offset, pinfo, tree, di, drep, sizeof(uint16_t), hf_efs_EfsRpcEncryptFileSrv_Filename, false, &nga, &data);
 768         proto_item_append_text(tree, ": %s", data);
 769
 770         return offset;
 771 }
 772
 773 /* IDL: WERROR EfsRpcEncryptFileSrv( */
 774 /* IDL: [charset(UTF16)] [in] uint16 Filename[*] */
 775 /* IDL: ); */
 776
 777 static int
 778 efs_dissect_EfsRpcEncryptFileSrv_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
 779 {
 780         uint32_t status;
 781
 782         di->dcerpc_procedure_name="EfsRpcEncryptFileSrv";
 783         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep, hf_efs_werror, &status);
 784
 785         if (status != 0)
 786                 col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str_ext(status, &WERR_errors_ext, "Unknown DOS error 0x%08x"));
 787
 788         return offset;
 789 }
 790
 791 static int
 792 efs_dissect_EfsRpcEncryptFileSrv_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
 793 {
 794         di->dcerpc_procedure_name="EfsRpcEncryptFileSrv";
 795         offset = efs_dissect_element_EfsRpcEncryptFileSrv_Filename(tvb, offset, pinfo, tree, di, drep);
 796         offset = dissect_deferred_pointers(pinfo, tvb, offset, di, drep);
 797         return offset;
 798 }
 799
 800 static int
 801 efs_dissect_element_EfsRpcDecryptFileSrv_FileName(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
 802 {
 803         char *data = NULL;
 804         struct ndr_generic_array nga = { .is_conformant = false, };
 805
 806         offset = dissect_ndr_conformant_array_hdr(tvb, offset, pinfo, tree, di, drep, &nga);
 807
 808         offset = dissect_ndr_varying_array_hdr(tvb, offset, pinfo, tree, di, drep, &nga);
 809         offset = dissect_ndr_generic_array_string(tvb, offset, pinfo, tree, di, drep, sizeof(uint16_t), hf_efs_EfsRpcDecryptFileSrv_FileName, false, &nga, &data);
 810         proto_item_append_text(tree, ": %s", data);
 811
 812         return offset;
 813 }
 814
 815 static int
 816 efs_dissect_element_EfsRpcDecryptFileSrv_Reserved(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
 817 {
 818         offset = PIDL_dissect_uint32(tvb, offset, pinfo, tree, di, drep, hf_efs_EfsRpcDecryptFileSrv_Reserved, 0);
 819
 820         return offset;
 821 }
 822
 823 /* IDL: WERROR EfsRpcDecryptFileSrv( */
 824 /* IDL: [charset(UTF16)] [in] uint16 FileName[*], */
 825 /* IDL: [in] uint32 Reserved */
 826 /* IDL: ); */
 827
 828 static int
 829 efs_dissect_EfsRpcDecryptFileSrv_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
 830 {
 831         uint32_t status;
 832
 833         di->dcerpc_procedure_name="EfsRpcDecryptFileSrv";
 834         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep, hf_efs_werror, &status);
 835
 836         if (status != 0)
 837                 col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str_ext(status, &WERR_errors_ext, "Unknown DOS error 0x%08x"));
 838
 839         return offset;
 840 }
 841
 842 static int
 843 efs_dissect_EfsRpcDecryptFileSrv_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
 844 {
 845         di->dcerpc_procedure_name="EfsRpcDecryptFileSrv";
 846         offset = efs_dissect_element_EfsRpcDecryptFileSrv_FileName(tvb, offset, pinfo, tree, di, drep);
 847         offset = dissect_deferred_pointers(pinfo, tvb, offset, di, drep);
 848         offset = efs_dissect_element_EfsRpcDecryptFileSrv_Reserved(tvb, offset, pinfo, tree, di, drep);
 849         offset = dissect_deferred_pointers(pinfo, tvb, offset, di, drep);
 850         return offset;
 851 }
 852
 853 static int
 854 efs_dissect_element_EfsRpcQueryUsersOnFile_FileName(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
 855 {
 856         char *data = NULL;
 857         struct ndr_generic_array nga = { .is_conformant = false, };
 858
 859         offset = dissect_ndr_conformant_array_hdr(tvb, offset, pinfo, tree, di, drep, &nga);
 860
 861         offset = dissect_ndr_varying_array_hdr(tvb, offset, pinfo, tree, di, drep, &nga);
 862         offset = dissect_ndr_generic_array_string(tvb, offset, pinfo, tree, di, drep, sizeof(uint16_t), hf_efs_EfsRpcQueryUsersOnFile_FileName, false, &nga, &data);
 863         proto_item_append_text(tree, ": %s", data);
 864
 865         return offset;
 866 }
 867
 868 static int
 869 efs_dissect_element_EfsRpcQueryUsersOnFile_pUsers(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
 870 {
 871         offset = dissect_ndr_toplevel_pointer(tvb, offset, pinfo, tree, di, drep, efs_dissect_element_EfsRpcQueryUsersOnFile_pUsers_, NDR_POINTER_REF, "Pointer to PUsers (ENCRYPTION_CERTIFICATE_HASH_LIST)",hf_efs_EfsRpcQueryUsersOnFile_pUsers);
 872
 873         return offset;
 874 }
 875
 876 static int
 877 efs_dissect_element_EfsRpcQueryUsersOnFile_pUsers_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
 878 {
 879         offset = dissect_ndr_embedded_pointer(tvb, offset, pinfo, tree, di, drep, efs_dissect_element_EfsRpcQueryUsersOnFile_pUsers__, NDR_POINTER_UNIQUE, "Pointer to PUsers (ENCRYPTION_CERTIFICATE_HASH_LIST)",hf_efs_EfsRpcQueryUsersOnFile_pUsers);
 880
 881         return offset;
 882 }
 883
 884 static int
 885 efs_dissect_element_EfsRpcQueryUsersOnFile_pUsers__(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
 886 {
 887         offset = efs_dissect_struct_ENCRYPTION_CERTIFICATE_HASH_LIST(tvb,offset,pinfo,tree,di,drep,hf_efs_EfsRpcQueryUsersOnFile_pUsers,0);
 888
 889         return offset;
 890 }
 891
 892 /* IDL: WERROR EfsRpcQueryUsersOnFile( */
 893 /* IDL: [charset(UTF16)] [in] uint16 FileName[*], */
 894 /* IDL: [out] [ref] [unique(1)] ENCRYPTION_CERTIFICATE_HASH_LIST **pUsers */
 895 /* IDL: ); */
 896
 897 static int
 898 efs_dissect_EfsRpcQueryUsersOnFile_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
 899 {
 900         uint32_t status;
 901
 902         di->dcerpc_procedure_name="EfsRpcQueryUsersOnFile";
 903         offset = efs_dissect_element_EfsRpcQueryUsersOnFile_pUsers(tvb, offset, pinfo, tree, di, drep);
 904         offset = dissect_deferred_pointers(pinfo, tvb, offset, di, drep);
 905
 906         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep, hf_efs_werror, &status);
 907
 908         if (status != 0)
 909                 col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str_ext(status, &WERR_errors_ext, "Unknown DOS error 0x%08x"));
 910
 911         return offset;
 912 }
 913
 914 static int
 915 efs_dissect_EfsRpcQueryUsersOnFile_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
 916 {
 917         di->dcerpc_procedure_name="EfsRpcQueryUsersOnFile";
 918         offset = efs_dissect_element_EfsRpcQueryUsersOnFile_FileName(tvb, offset, pinfo, tree, di, drep);
 919         offset = dissect_deferred_pointers(pinfo, tvb, offset, di, drep);
 920         return offset;
 921 }
 922
 923 static int
 924 efs_dissect_element_EfsRpcQueryRecoveryAgents_FileName(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
 925 {
 926         char *data = NULL;
 927         struct ndr_generic_array nga = { .is_conformant = false, };
 928
 929         offset = dissect_ndr_conformant_array_hdr(tvb, offset, pinfo, tree, di, drep, &nga);
 930
 931         offset = dissect_ndr_varying_array_hdr(tvb, offset, pinfo, tree, di, drep, &nga);
 932         offset = dissect_ndr_generic_array_string(tvb, offset, pinfo, tree, di, drep, sizeof(uint16_t), hf_efs_EfsRpcQueryRecoveryAgents_FileName, false, &nga, &data);
 933         proto_item_append_text(tree, ": %s", data);
 934
 935         return offset;
 936 }
 937
 938 static int
 939 efs_dissect_element_EfsRpcQueryRecoveryAgents_pRecoveryAgents(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
 940 {
 941         offset = dissect_ndr_toplevel_pointer(tvb, offset, pinfo, tree, di, drep, efs_dissect_element_EfsRpcQueryRecoveryAgents_pRecoveryAgents_, NDR_POINTER_REF, "Pointer to PRecoveryAgents (ENCRYPTION_CERTIFICATE_HASH_LIST)",hf_efs_EfsRpcQueryRecoveryAgents_pRecoveryAgents);
 942
 943         return offset;
 944 }
 945
 946 static int
 947 efs_dissect_element_EfsRpcQueryRecoveryAgents_pRecoveryAgents_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
 948 {
 949         offset = dissect_ndr_embedded_pointer(tvb, offset, pinfo, tree, di, drep, efs_dissect_element_EfsRpcQueryRecoveryAgents_pRecoveryAgents__, NDR_POINTER_UNIQUE, "Pointer to PRecoveryAgents (ENCRYPTION_CERTIFICATE_HASH_LIST)",hf_efs_EfsRpcQueryRecoveryAgents_pRecoveryAgents);
 950
 951         return offset;
 952 }
 953
 954 static int
 955 efs_dissect_element_EfsRpcQueryRecoveryAgents_pRecoveryAgents__(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
 956 {
 957         offset = efs_dissect_struct_ENCRYPTION_CERTIFICATE_HASH_LIST(tvb,offset,pinfo,tree,di,drep,hf_efs_EfsRpcQueryRecoveryAgents_pRecoveryAgents,0);
 958
 959         return offset;
 960 }
 961
 962 /* IDL: WERROR EfsRpcQueryRecoveryAgents( */
 963 /* IDL: [charset(UTF16)] [in] uint16 FileName[*], */
 964 /* IDL: [out] [ref] [unique(1)] ENCRYPTION_CERTIFICATE_HASH_LIST **pRecoveryAgents */
 965 /* IDL: ); */
 966
 967 static int
 968 efs_dissect_EfsRpcQueryRecoveryAgents_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
 969 {
 970         uint32_t status;
 971
 972         di->dcerpc_procedure_name="EfsRpcQueryRecoveryAgents";
 973         offset = efs_dissect_element_EfsRpcQueryRecoveryAgents_pRecoveryAgents(tvb, offset, pinfo, tree, di, drep);
 974         offset = dissect_deferred_pointers(pinfo, tvb, offset, di, drep);
 975
 976         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep, hf_efs_werror, &status);
 977
 978         if (status != 0)
 979                 col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str_ext(status, &WERR_errors_ext, "Unknown DOS error 0x%08x"));
 980
 981         return offset;
 982 }
 983
 984 static int
 985 efs_dissect_EfsRpcQueryRecoveryAgents_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
 986 {
 987         di->dcerpc_procedure_name="EfsRpcQueryRecoveryAgents";
 988         offset = efs_dissect_element_EfsRpcQueryRecoveryAgents_FileName(tvb, offset, pinfo, tree, di, drep);
 989         offset = dissect_deferred_pointers(pinfo, tvb, offset, di, drep);
 990         return offset;
 991 }
 992
 993 static int
 994 efs_dissect_element_EfsRpcRemoveUsersFromFile_FileName(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
 995 {
 996         char *data = NULL;
 997         struct ndr_generic_array nga = { .is_conformant = false, };
 998
 999         offset = dissect_ndr_conformant_array_hdr(tvb, offset, pinfo, tree, di, drep, &nga);
1000
1001         offset = dissect_ndr_varying_array_hdr(tvb, offset, pinfo, tree, di, drep, &nga);
1002         offset = dissect_ndr_generic_array_string(tvb, offset, pinfo, tree, di, drep, sizeof(uint16_t), hf_efs_EfsRpcRemoveUsersFromFile_FileName, false, &nga, &data);
1003         proto_item_append_text(tree, ": %s", data);
1004
1005         return offset;
1006 }
1007
1008 /* IDL: WERROR EfsRpcRemoveUsersFromFile( */
1009 /* IDL: [charset(UTF16)] [in] uint16 FileName[*] */
1010 /* IDL: ); */
1011
1012 static int
1013 efs_dissect_EfsRpcRemoveUsersFromFile_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
1014 {
1015         uint32_t status;
1016
1017         di->dcerpc_procedure_name="EfsRpcRemoveUsersFromFile";
1018         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep, hf_efs_werror, &status);
1019
1020         if (status != 0)
1021                 col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str_ext(status, &WERR_errors_ext, "Unknown DOS error 0x%08x"));
1022
1023         return offset;
1024 }
1025
1026 static int
1027 efs_dissect_EfsRpcRemoveUsersFromFile_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
1028 {
1029         di->dcerpc_procedure_name="EfsRpcRemoveUsersFromFile";
1030         offset = efs_dissect_element_EfsRpcRemoveUsersFromFile_FileName(tvb, offset, pinfo, tree, di, drep);
1031         offset = dissect_deferred_pointers(pinfo, tvb, offset, di, drep);
1032         return offset;
1033 }
1034
1035 static int
1036 efs_dissect_element_EfsRpcAddUsersToFile_FileName(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
1037 {
1038         char *data = NULL;
1039         struct ndr_generic_array nga = { .is_conformant = false, };
1040
1041         offset = dissect_ndr_conformant_array_hdr(tvb, offset, pinfo, tree, di, drep, &nga);
1042
1043         offset = dissect_ndr_varying_array_hdr(tvb, offset, pinfo, tree, di, drep, &nga);
1044         offset = dissect_ndr_generic_array_string(tvb, offset, pinfo, tree, di, drep, sizeof(uint16_t), hf_efs_EfsRpcAddUsersToFile_FileName, false, &nga, &data);
1045         proto_item_append_text(tree, ": %s", data);
1046
1047         return offset;
1048 }
1049
1050 /* IDL: WERROR EfsRpcAddUsersToFile( */
1051 /* IDL: [charset(UTF16)] [in] uint16 FileName[*] */
1052 /* IDL: ); */
1053
1054 static int
1055 efs_dissect_EfsRpcAddUsersToFile_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
1056 {
1057         uint32_t status;
1058
1059         di->dcerpc_procedure_name="EfsRpcAddUsersToFile";
1060         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep, hf_efs_werror, &status);
1061
1062         if (status != 0)
1063                 col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str_ext(status, &WERR_errors_ext, "Unknown DOS error 0x%08x"));
1064
1065         return offset;
1066 }
1067
1068 static int
1069 efs_dissect_EfsRpcAddUsersToFile_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
1070 {
1071         di->dcerpc_procedure_name="EfsRpcAddUsersToFile";
1072         offset = efs_dissect_element_EfsRpcAddUsersToFile_FileName(tvb, offset, pinfo, tree, di, drep);
1073         offset = dissect_deferred_pointers(pinfo, tvb, offset, di, drep);
1074         return offset;
1075 }
1076
1077 static int
1078 efs_dissect_element_EfsRpcSetFileEncryptionKey_pEncryptionCertificate(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
1079 {
1080         offset = dissect_ndr_toplevel_pointer(tvb, offset, pinfo, tree, di, drep, efs_dissect_element_EfsRpcSetFileEncryptionKey_pEncryptionCertificate_, NDR_POINTER_UNIQUE, "Pointer to PEncryptionCertificate (ENCRYPTION_CERTIFICATE)",hf_efs_EfsRpcSetFileEncryptionKey_pEncryptionCertificate);
1081
1082         return offset;
1083 }
1084
1085 static int
1086 efs_dissect_element_EfsRpcSetFileEncryptionKey_pEncryptionCertificate_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
1087 {
1088         offset = efs_dissect_struct_ENCRYPTION_CERTIFICATE(tvb,offset,pinfo,tree,di,drep,hf_efs_EfsRpcSetFileEncryptionKey_pEncryptionCertificate,0);
1089
1090         return offset;
1091 }
1092
1093 /* IDL: WERROR EfsRpcSetFileEncryptionKey( */
1094 /* IDL: [in] [unique(1)] ENCRYPTION_CERTIFICATE *pEncryptionCertificate */
1095 /* IDL: ); */
1096
1097 static int
1098 efs_dissect_EfsRpcSetFileEncryptionKey_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
1099 {
1100         uint32_t status;
1101
1102         di->dcerpc_procedure_name="EfsRpcSetFileEncryptionKey";
1103         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep, hf_efs_werror, &status);
1104
1105         if (status != 0)
1106                 col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str_ext(status, &WERR_errors_ext, "Unknown DOS error 0x%08x"));
1107
1108         return offset;
1109 }
1110
1111 static int
1112 efs_dissect_EfsRpcSetFileEncryptionKey_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
1113 {
1114         di->dcerpc_procedure_name="EfsRpcSetFileEncryptionKey";
1115         offset = efs_dissect_element_EfsRpcSetFileEncryptionKey_pEncryptionCertificate(tvb, offset, pinfo, tree, di, drep);
1116         offset = dissect_deferred_pointers(pinfo, tvb, offset, di, drep);
1117         return offset;
1118 }
1119
1120 /* IDL: WERROR EfsRpcNotSupported( */
1121 /* IDL:  */
1122 /* IDL: ); */
1123
1124 static int
1125 efs_dissect_EfsRpcNotSupported_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
1126 {
1127         uint32_t status;
1128
1129         di->dcerpc_procedure_name="EfsRpcNotSupported";
1130         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep, hf_efs_werror, &status);
1131
1132         if (status != 0)
1133                 col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str_ext(status, &WERR_errors_ext, "Unknown DOS error 0x%08x"));
1134
1135         return offset;
1136 }
1137
1138 static int
1139 efs_dissect_EfsRpcNotSupported_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
1140 {
1141         di->dcerpc_procedure_name="EfsRpcNotSupported";
1142         return offset;
1143 }
1144
1145 /* IDL: WERROR EfsRpcFileKeyInfo( */
1146 /* IDL:  */
1147 /* IDL: ); */
1148
1149 static int
1150 efs_dissect_EfsRpcFileKeyInfo_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
1151 {
1152         uint32_t status;
1153
1154         di->dcerpc_procedure_name="EfsRpcFileKeyInfo";
1155         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep, hf_efs_werror, &status);
1156
1157         if (status != 0)
1158                 col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str_ext(status, &WERR_errors_ext, "Unknown DOS error 0x%08x"));
1159
1160         return offset;
1161 }
1162
1163 static int
1164 efs_dissect_EfsRpcFileKeyInfo_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
1165 {
1166         di->dcerpc_procedure_name="EfsRpcFileKeyInfo";
1167         return offset;
1168 }
1169
1170 /* IDL: WERROR EfsRpcDuplicateEncryptionInfoFile( */
1171 /* IDL:  */
1172 /* IDL: ); */
1173
1174 static int
1175 efs_dissect_EfsRpcDuplicateEncryptionInfoFile_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
1176 {
1177         uint32_t status;
1178
1179         di->dcerpc_procedure_name="EfsRpcDuplicateEncryptionInfoFile";
1180         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep, hf_efs_werror, &status);
1181
1182         if (status != 0)
1183                 col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str_ext(status, &WERR_errors_ext, "Unknown DOS error 0x%08x"));
1184
1185         return offset;
1186 }
1187
1188 static int
1189 efs_dissect_EfsRpcDuplicateEncryptionInfoFile_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
1190 {
1191         di->dcerpc_procedure_name="EfsRpcDuplicateEncryptionInfoFile";
1192         return offset;
1193 }
1194
1195
1196 static const dcerpc_sub_dissector efs_dissectors[] = {
1197         { 0, "EfsRpcOpenFileRaw",
1198            efs_dissect_EfsRpcOpenFileRaw_request, efs_dissect_EfsRpcOpenFileRaw_response},
1199         { 1, "EfsRpcReadFileRaw",
1200            efs_dissect_EfsRpcReadFileRaw_request, efs_dissect_EfsRpcReadFileRaw_response},
1201         { 2, "EfsRpcWriteFileRaw",
1202            efs_dissect_EfsRpcWriteFileRaw_request, efs_dissect_EfsRpcWriteFileRaw_response},
1203         { 3, "EfsRpcCloseRaw",
1204            efs_dissect_EfsRpcCloseRaw_request, efs_dissect_EfsRpcCloseRaw_response},
1205         { 4, "EfsRpcEncryptFileSrv",
1206            efs_dissect_EfsRpcEncryptFileSrv_request, efs_dissect_EfsRpcEncryptFileSrv_response},
1207         { 5, "EfsRpcDecryptFileSrv",
1208            efs_dissect_EfsRpcDecryptFileSrv_request, efs_dissect_EfsRpcDecryptFileSrv_response},
1209         { 6, "EfsRpcQueryUsersOnFile",
1210            efs_dissect_EfsRpcQueryUsersOnFile_request, efs_dissect_EfsRpcQueryUsersOnFile_response},
1211         { 7, "EfsRpcQueryRecoveryAgents",
1212            efs_dissect_EfsRpcQueryRecoveryAgents_request, efs_dissect_EfsRpcQueryRecoveryAgents_response},
1213         { 8, "EfsRpcRemoveUsersFromFile",
1214            efs_dissect_EfsRpcRemoveUsersFromFile_request, efs_dissect_EfsRpcRemoveUsersFromFile_response},
1215         { 9, "EfsRpcAddUsersToFile",
1216            efs_dissect_EfsRpcAddUsersToFile_request, efs_dissect_EfsRpcAddUsersToFile_response},
1217         { 10, "EfsRpcSetFileEncryptionKey",
1218            efs_dissect_EfsRpcSetFileEncryptionKey_request, efs_dissect_EfsRpcSetFileEncryptionKey_response},
1219         { 11, "EfsRpcNotSupported",
1220            efs_dissect_EfsRpcNotSupported_request, efs_dissect_EfsRpcNotSupported_response},
1221         { 12, "EfsRpcFileKeyInfo",
1222            efs_dissect_EfsRpcFileKeyInfo_request, efs_dissect_EfsRpcFileKeyInfo_response},
1223         { 13, "EfsRpcDuplicateEncryptionInfoFile",
1224            efs_dissect_EfsRpcDuplicateEncryptionInfoFile_request, efs_dissect_EfsRpcDuplicateEncryptionInfoFile_response},
1225         { 0, NULL, NULL, NULL }
1226 };
1227
1228 void proto_register_dcerpc_efs(void)
1229 {
1230         static hf_register_info hf[] = {
1231         { &hf_efs_EFS_CERTIFICATE_BLOB_cbData,
1232           { "CbData", "efs.EFS_CERTIFICATE_BLOB.cbData", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL }},
1233         { &hf_efs_EFS_CERTIFICATE_BLOB_dwCertEncodingType,
1234           { "DwCertEncodingType", "efs.EFS_CERTIFICATE_BLOB.dwCertEncodingType", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL }},
1235         { &hf_efs_EFS_CERTIFICATE_BLOB_pbData,
1236           { "PbData", "efs.EFS_CERTIFICATE_BLOB.pbData", FT_UINT8, BASE_DEC, NULL, 0, NULL, HFILL }},
1237         { &hf_efs_EFS_HASH_BLOB_cbData,
1238           { "CbData", "efs.EFS_HASH_BLOB.cbData", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL }},
1239         { &hf_efs_EFS_HASH_BLOB_pbData,
1240           { "PbData", "efs.EFS_HASH_BLOB.pbData", FT_UINT8, BASE_DEC, NULL, 0, NULL, HFILL }},
1241         { &hf_efs_ENCRYPTION_CERTIFICATE_HASH_LIST_nCert_Hash,
1242           { "NCert Hash", "efs.ENCRYPTION_CERTIFICATE_HASH_LIST.nCert_Hash", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL }},
1243         { &hf_efs_ENCRYPTION_CERTIFICATE_HASH_LIST_pUsers,
1244           { "PUsers", "efs.ENCRYPTION_CERTIFICATE_HASH_LIST.pUsers", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }},
1245         { &hf_efs_ENCRYPTION_CERTIFICATE_HASH_cbTotalLength,
1246           { "CbTotalLength", "efs.ENCRYPTION_CERTIFICATE_HASH.cbTotalLength", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL }},
1247         { &hf_efs_ENCRYPTION_CERTIFICATE_HASH_lpDisplayInformation,
1248           { "LpDisplayInformation", "efs.ENCRYPTION_CERTIFICATE_HASH.lpDisplayInformation", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL }},
1249         { &hf_efs_ENCRYPTION_CERTIFICATE_HASH_pHash,
1250           { "PHash", "efs.ENCRYPTION_CERTIFICATE_HASH.pHash", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }},
1251         { &hf_efs_ENCRYPTION_CERTIFICATE_HASH_pUserSid,
1252           { "PUserSid", "efs.ENCRYPTION_CERTIFICATE_HASH.pUserSid", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }},
1253         { &hf_efs_ENCRYPTION_CERTIFICATE_TotalLength,
1254           { "TotalLength", "efs.ENCRYPTION_CERTIFICATE.TotalLength", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL }},
1255         { &hf_efs_ENCRYPTION_CERTIFICATE_pCertBlob,
1256           { "PCertBlob", "efs.ENCRYPTION_CERTIFICATE.pCertBlob", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }},
1257         { &hf_efs_ENCRYPTION_CERTIFICATE_pUserSid,
1258           { "PUserSid", "efs.ENCRYPTION_CERTIFICATE.pUserSid", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }},
1259         { &hf_efs_EfsRpcAddUsersToFile_FileName,
1260           { "FileName", "efs.EfsRpcAddUsersToFile.FileName", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL }},
1261         { &hf_efs_EfsRpcCloseRaw_pvContext,
1262           { "PvContext", "efs.EfsRpcCloseRaw.pvContext", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL }},
1263         { &hf_efs_EfsRpcDecryptFileSrv_FileName,
1264           { "FileName", "efs.EfsRpcDecryptFileSrv.FileName", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL }},
1265         { &hf_efs_EfsRpcDecryptFileSrv_Reserved,
1266           { "Reserved", "efs.EfsRpcDecryptFileSrv.Reserved", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL }},
1267         { &hf_efs_EfsRpcEncryptFileSrv_Filename,
1268           { "Filename", "efs.EfsRpcEncryptFileSrv.Filename", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL }},
1269         { &hf_efs_EfsRpcOpenFileRaw_FileName,
1270           { "FileName", "efs.EfsRpcOpenFileRaw.FileName", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL }},
1271         { &hf_efs_EfsRpcOpenFileRaw_Flags,
1272           { "Flags", "efs.EfsRpcOpenFileRaw.Flags", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL }},
1273         { &hf_efs_EfsRpcOpenFileRaw_pvContext,
1274           { "PvContext", "efs.EfsRpcOpenFileRaw.pvContext", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL }},
1275         { &hf_efs_EfsRpcQueryRecoveryAgents_FileName,
1276           { "FileName", "efs.EfsRpcQueryRecoveryAgents.FileName", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL }},
1277         { &hf_efs_EfsRpcQueryRecoveryAgents_pRecoveryAgents,
1278           { "PRecoveryAgents", "efs.EfsRpcQueryRecoveryAgents.pRecoveryAgents", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }},
1279         { &hf_efs_EfsRpcQueryUsersOnFile_FileName,
1280           { "FileName", "efs.EfsRpcQueryUsersOnFile.FileName", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL }},
1281         { &hf_efs_EfsRpcQueryUsersOnFile_pUsers,
1282           { "PUsers", "efs.EfsRpcQueryUsersOnFile.pUsers", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }},
1283         { &hf_efs_EfsRpcReadFileRaw_pvContext,
1284           { "PvContext", "efs.EfsRpcReadFileRaw.pvContext", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL }},
1285         { &hf_efs_EfsRpcRemoveUsersFromFile_FileName,
1286           { "FileName", "efs.EfsRpcRemoveUsersFromFile.FileName", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL }},
1287         { &hf_efs_EfsRpcSetFileEncryptionKey_pEncryptionCertificate,
1288           { "PEncryptionCertificate", "efs.EfsRpcSetFileEncryptionKey.pEncryptionCertificate", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }},
1289         { &hf_efs_EfsRpcWriteFileRaw_pvContext,
1290           { "PvContext", "efs.EfsRpcWriteFileRaw.pvContext", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL }},
1291         { &hf_efs_opnum,
1292           { "Operation", "efs.opnum", FT_UINT16, BASE_DEC, NULL, 0, NULL, HFILL }},
1293         { &hf_efs_werror,
1294           { "Windows Error", "efs.werror", FT_UINT32, BASE_HEX|BASE_EXT_STRING, &WERR_errors_ext, 0, NULL, HFILL }},
1295         };
1296
1297
1298         static int *ett[] = {
1299                 &ett_dcerpc_efs,
1300                 &ett_efs_EFS_HASH_BLOB,
1301                 &ett_efs_ENCRYPTION_CERTIFICATE_HASH,
1302                 &ett_efs_ENCRYPTION_CERTIFICATE_HASH_LIST,
1303                 &ett_efs_EFS_CERTIFICATE_BLOB,
1304                 &ett_efs_ENCRYPTION_CERTIFICATE,
1305         };
1306
1307         proto_dcerpc_efs = proto_register_protocol("EFS (pidl)", "EFS", "efs");
1308         proto_register_field_array(proto_dcerpc_efs, hf, array_length (hf));
1309         proto_register_subtree_array(ett, array_length(ett));
1310 }
1311
1312 void proto_reg_handoff_dcerpc_efs(void)
1313 {
1314         dcerpc_init_uuid(proto_dcerpc_efs, ett_dcerpc_efs,
1315                 &uuid_dcerpc_efs, ver_dcerpc_efs,
1316                 efs_dissectors, hf_efs_opnum);
1317 }