epan/dissectors/packet-smb2.h

   1 /* packet-smb2.h
   2  * Defines for SMB2 packet dissection
   3  *
   4  * Wireshark - Network traffic analyzer
   5  * By Gerald Combs <gerald@wireshark.org>
   6  * Copyright 1998, 1999 Gerald Combs
   7  *
   8  * SPDX-License-Identifier: GPL-2.0-or-later
   9  */
  10
  11 #ifndef __PACKET_SMB2_H__
  12 #define __PACKET_SMB2_H__
  13
  14 #include "packet-dcerpc.h"
  15 #include "packet-smb.h"
  16 #include "packet-ntlmssp.h"
  17
  18 /* SMB2 command codes. With MSVC and a
  19  * libwireshark.dll, we need a special declaration.
  20  */
  21 WS_DLL_PUBLIC value_string_ext smb2_cmd_vals_ext;
  22
  23 /* Structure to keep track of information specific to a single
  24  * SMB2 transaction. Here we store things we need to remember between
  25  * a specific request and a specific response.
  26  *
  27  * There is no guarantee we will have this structure available for all
  28  * SMB2 packets so a dissector must check this pointer for NULL
  29  * before dereferencing it.
  30  *
  31  * private data is set to NULL when the structure is created.  It is used
  32  * for communications between the Request and the Response packets.
  33  */
  34
  35 /* extra info needed by export object smb */
  36 typedef struct _smb2_eo_file_info_t {
  37         uint32_t        attr_mask;
  38         int64_t         end_of_file;
  39 } smb2_eo_file_info_t;
  40
  41 typedef struct _smb2_fid_info_t {
  42         uint64_t fid_persistent;
  43         uint64_t fid_volatile;
  44         uint64_t sesid;         /* *host* byte order - not necessarily little-endian! */
  45         uint32_t tid;
  46         /* only used for key lookup in equal func, must be zero when inserting */
  47         uint32_t frame_key;
  48         /* first and last frame nums this FID is valid */
  49         uint32_t frame_beg;
  50         uint32_t frame_end;
  51         /* file name used to open this FID */
  52         char *name;
  53 } smb2_fid_info_t;
  54
  55 typedef enum {
  56         SMB2_EI_NONE,           /* Unassigned / NULL */
  57         SMB2_EI_TREENAME,       /* tid tracking  char * */
  58         SMB2_EI_FILENAME,       /* fid tracking  char * */
  59         SMB2_EI_FINDPATTERN     /* find tracking  char * */
  60 } smb2_extra_info_t;
  61 typedef struct _smb2_saved_info_t {
  62         uint8_t smb2_class;
  63         uint8_t infolevel;
  64         uint64_t msg_id;
  65         uint32_t frame_req, frame_res;
  66         nstime_t req_time;
  67         uint8_t *preauth_hash_req, *preauth_hash_res;
  68         smb2_fid_info_t *file;
  69         e_ctx_hnd policy_hnd;           /* for eo_smb tracking */
  70         smb_eo_t        *eo_info_t;     /* for storing eo_smb infos */
  71         uint64_t                file_offset;    /* needed file_offset for eo_smb */
  72         uint32_t                bytes_moved;    /* needed for eo_smb */
  73         void *extra_info;
  74         smb2_extra_info_t extra_info_type;
  75         uint32_t fid_hash;
  76         uint16_t num_matched;
  77 } smb2_saved_info_t;
  78
  79 typedef struct _smb2_tid_info_t {
  80         uint32_t tid;
  81         uint32_t connect_frame;
  82         uint32_t disconnect_frame;
  83         uint8_t share_type;
  84         char *name;
  85 } smb2_tid_info_t;
  86
  87 #define SMB2_PREAUTH_HASH_SIZE 64
  88 #define AES_KEY_SIZE 16
  89
  90 typedef struct _smb2_sesid_info_t {
  91         uint64_t sesid;         /* *host* byte order - not necessarily little-endian! */
  92         uint32_t auth_frame;
  93         char *acct_name;
  94         char *domain_name;
  95         char *host_name;
  96         uint16_t server_port;
  97         uint32_t session_key_frame;
  98         unsigned session_key_len;
  99         uint8_t session_key[NTLMSSP_KEY_LEN*2];
 100         uint8_t signing_key[NTLMSSP_KEY_LEN];
 101         uint8_t client_decryption_key16[AES_KEY_SIZE];
 102         uint8_t server_decryption_key16[AES_KEY_SIZE];
 103         uint8_t client_decryption_key32[AES_KEY_SIZE*2];
 104         uint8_t server_decryption_key32[AES_KEY_SIZE*2];
 105
 106         wmem_map_t *tids;
 107         wmem_map_t *fids;
 108         /* table to store some infos for smb export object */
 109         wmem_map_t *files;
 110
 111         uint8_t preauth_hash[SMB2_PREAUTH_HASH_SIZE];
 112 } smb2_sesid_info_t;
 113
 114 /* Structure to keep track of conversations and the hash tables.
 115  * There is one such structure for each conversation.
 116  */
 117 typedef struct _smb2_conv_info_t {
 118         /* these two tables are used to match requests with responses */
 119         GHashTable *unmatched;
 120         GHashTable *matched;
 121         uint16_t dialect;
 122         uint16_t sign_alg;
 123         uint16_t enc_alg;
 124
 125         /* preauth hash before session setup */
 126         uint8_t *preauth_hash_current;
 127         uint8_t preauth_hash_con[SMB2_PREAUTH_HASH_SIZE];
 128         uint8_t preauth_hash_ses[SMB2_PREAUTH_HASH_SIZE];
 129 } smb2_conv_info_t;
 130
 131
 132 /* This structure contains information from the SMB2 header
 133  * as well as pointers to the conversation and the transaction specific
 134  * structures.
 135  */
 136 #define SMB2_FLAGS_RESPONSE     0x00000001
 137 #define SMB2_FLAGS_ASYNC_CMD    0x00000002
 138 #define SMB2_FLAGS_CHAINED      0x00000004
 139 #define SMB2_FLAGS_SIGNATURE    0x00000008
 140 #define SMB2_FLAGS_PRIORITY_MASK        0x00000070
 141 #define SMB2_FLAGS_DFS_OP       0x10000000
 142 #define SMB2_FLAGS_REPLAY_OPERATION     0x20000000
 143
 144 #define SMB2_FLAGS_PRIORITY1    0x00000010
 145 #define SMB2_FLAGS_PRIORITY2    0x00000020
 146 #define SMB2_FLAGS_PRIORITY3    0x00000030
 147 #define SMB2_FLAGS_PRIORITY4    0x00000040
 148 #define SMB2_FLAGS_PRIORITY5    0x00000050
 149 #define SMB2_FLAGS_PRIORITY6    0x00000060
 150 #define SMB2_FLAGS_PRIORITY7    0x00000070
 151
 152 /* SMB2 FLAG MASKS */
 153 #define SMB2_FLAGS_ATTR_ENCRYPTED       0x00004000
 154 #define SMB2_FLAGS_ATTR_INDEXED         0x00002000
 155 #define SMB2_FLAGS_ATTR_OFFLINE         0x00001000
 156 #define SMB2_FLAGS_ATTR_COMPRESSED      0x00000800
 157 #define SMB2_FLAGS_ATTR_REPARSEPOINT    0x00000400
 158 #define SMB2_FLAGS_ATTR_SPARSE          0x00000200
 159 #define SMB2_FLAGS_ATTR_TEMPORARY       0x00000100
 160 #define SMB2_FLAGS_ATTR_NORMAL          0x00000080
 161 #define SMB2_FLAGS_ATTR_DEVICE          0x00000040
 162 #define SMB2_FLAGS_ATTR_ARCHIVE         0x00000020
 163 #define SMB2_FLAGS_ATTR_DIRECTORY       0x00000010
 164 #define SMB2_FLAGS_ATTR_VOLUMEID        0x00000008
 165 #define SMB2_FLAGS_ATTR_SYSTEM          0x00000004
 166 #define SMB2_FLAGS_ATTR_HIDDEN          0x00000002
 167 #define SMB2_FLAGS_ATTR_READONLY        0x00000001
 168
 169 /* SMB2 FILE TYPES ASSIGNED TO EXPORT OBJECTS */
 170 #define SMB2_FID_TYPE_UNKNOWN                   0
 171 #define SMB2_FID_TYPE_FILE                      1
 172 #define SMB2_FID_TYPE_DIR                       2
 173 #define SMB2_FID_TYPE_PIPE                      3
 174 #define SMB2_FID_TYPE_OTHER                     4
 175
 176 /* SMB2 COMMAND CODES */
 177 #define SMB2_COM_NEGOTIATE_PROTOCOL     0x00
 178 #define SMB2_COM_SESSION_SETUP          0x01
 179 #define SMB2_COM_SESSION_LOGOFF         0x02
 180 #define SMB2_COM_TREE_CONNECT           0x03
 181 #define SMB2_COM_TREE_DISCONNECT        0x04
 182 #define SMB2_COM_CREATE                 0x05
 183 #define SMB2_COM_CLOSE                  0x06
 184 #define SMB2_COM_FLUSH                  0x07
 185 #define SMB2_COM_READ                   0x08
 186 #define SMB2_COM_WRITE                  0x09
 187 #define SMB2_COM_LOCK                   0x0A
 188 #define SMB2_COM_IOCTL                  0x0B
 189 #define SMB2_COM_CANCEL                 0x0C
 190 #define SMB2_COM_KEEPALIVE              0x0D
 191 #define SMB2_COM_FIND                   0x0E
 192 #define SMB2_COM_NOTIFY                 0x0F
 193 #define SMB2_COM_GETINFO                0x10
 194 #define SMB2_COM_SETINFO                0x11
 195 #define SMB2_COM_BREAK                  0x12
 196
 197 typedef struct _smb2_info_t {
 198         uint16_t opcode;
 199         uint32_t ioctl_function;
 200         uint32_t status;
 201         uint32_t tid;
 202         uint64_t sesid;         /* *host* byte order - not necessarily little-endian! */
 203         uint64_t msg_id;
 204         uint32_t flags;
 205         smb2_eo_file_info_t     *eo_file_info; /* eo_smb extra info */
 206         smb2_conv_info_t        *conv;
 207         smb2_saved_info_t       *saved;
 208         smb2_tid_info_t         *tree;
 209         smb2_sesid_info_t       *session;
 210         smb2_fid_info_t         *file;
 211         proto_tree *top_tree;
 212 } smb2_info_t;
 213
 214 /* for transform content information */
 215
 216 typedef struct _smb2_transform_info_t {
 217         uint8_t nonce[16];
 218         uint32_t size;
 219         uint16_t flags;
 220         uint64_t sesid;         /* *host* byte order - not necessarily little-endian! */
 221         smb2_conv_info_t *conv;
 222         smb2_sesid_info_t *session;
 223 } smb2_transform_info_t;
 224
 225 typedef struct _smb2_comp_transform_info_t {
 226         unsigned orig_size;
 227         unsigned alg;
 228         unsigned comp_offset;
 229         smb2_conv_info_t *conv;
 230         smb2_sesid_info_t *session;
 231 } smb2_comp_transform_info_t;
 232
 233
 234 int dissect_smb2_FILE_OBJECTID_BUFFER(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset);
 235 int dissect_smb2_ioctl_function(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset, uint32_t *ioctl_function);
 236 void dissect_smb2_ioctl_data(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, proto_tree *top_tree, uint32_t ioctl_function, bool data_in, void *private_data);
 237
 238 #endif
 239
 240 /*
 241  * Editor modelines  -  https://www.wireshark.org/tools/modelines.html
 242  *
 243  * Local variables:
 244  * c-basic-offset: 8
 245  * tab-width: 8
 246  * indent-tabs-mode: t
 247  * End:
 248  *
 249  * vi: set shiftwidth=8 tabstop=8 noexpandtab:
 250  * :indentSize=8:tabSize=8:noTabs=false:
 251  */