| blob | 5f5e2a81f76d2fd80853306dfb301545028f1598 |
1 #
2 # policyhandle tracking
3 # This block is to specify where a policyhandle is opened and where it is
4 # closed so that policyhandles when dissected contain nice info such as
5 # [opened in xxx] [closed in yyy]
6 #
7 # Policyhandles are opened in these functions
8 PARAM_VALUE lsarpc_dissect_element_lsa_OpenPolicy_handle_ PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_LSA_POLICY
9 PARAM_VALUE lsarpc_dissect_element_lsa_OpenPolicy2_handle_ PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_LSA_POLICY
10 PARAM_VALUE lsarpc_dissect_element_lsa_CreateAccount_acct_handle_ PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_LSA_ACCOUNT
11 PARAM_VALUE lsarpc_dissect_element_lsa_OpenAccount_acct_handle_ PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_LSA_ACCOUNT
12 PARAM_VALUE lsarpc_dissect_element_lsa_CreateTrustedDomain_trustdom_handle_ PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_LSA_DOMAIN
13 PARAM_VALUE lsarpc_dissect_element_lsa_OpenTrustedDomain_trustdom_handle_ PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_LSA_DOMAIN
14 PARAM_VALUE lsarpc_dissect_element_lsa_OpenTrustedDomainByName_trustdom_handle_ PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_LSA_DOMAIN
15 PARAM_VALUE lsarpc_dissect_element_lsa_CreateSecret_sec_handle_ PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_LSA_SECRET
16 PARAM_VALUE lsarpc_dissect_element_lsa_OpenSecret_sec_handle_ PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_LSA_SECRET
17 # Policyhandles are closed in these functions
18 PARAM_VALUE lsarpc_dissect_element_lsa_Close_handle_ PIDL_POLHND_CLOSE
19 PARAM_VALUE lsarpc_dissect_element_lsa_Delete_handle_ PIDL_POLHND_CLOSE
20 PARAM_VALUE lsarpc_dissect_element_lsa_CloseTrustedDomainEx_handle_ PIDL_POLHND_CLOSE
24 TYPE hyper "offset=cnf_dissect_hyper(tvb, offset, pinfo, tree, di, drep, @PARAM@, @HF@);" FT_UINT64 BASE_DEC 0 NULL 8
26 TYPE sec_desc_buf "offset=cnf_dissect_sec_desc_buf(tvb, offset, pinfo, tree, di, drep);" FT_NONE BASE_NONE 0 NULL 4
27 HF_FIELD hf_lsarpc_sec_desc_buf_len "Sec Desc Buf Len" "lsarpc.sec_desc_buf_len" FT_UINT32 BASE_DEC NULL 0 "" "" ""
30 MANUAL lsarpc_dissect_bitmap_lsa_PolicyAccessMask
31 MANUAL lsarpc_dissect_bitmap_lsa_AccountAccessMask
32 MANUAL lsarpc_dissect_bitmap_lsa_SecretAccessMask
33 MANUAL lsarpc_dissect_bitmap_lsa_DomainAccessMask
34 HF_FIELD hf_lsarpc_policy_access_mask "Access Mask" "lsarpc.policy.access_mask" FT_UINT32 BASE_HEX NULL 0 "" "" ""
35 HF_FIELD hf_lsarpc_account_access_mask "Access Mask" "lsarpc.policy.access_mask" FT_UINT32 BASE_HEX NULL 0 "" "" ""
36 HF_FIELD hf_lsarpc_secret_access_mask "Access Mask" "lsarpc.policy.access_mask" FT_UINT32 BASE_HEX NULL 0 "" "" ""
37 HF_FIELD hf_lsarpc_domain_access_mask "Access Mask" "lsarpc.policy.access_mask" FT_UINT32 BASE_HEX NULL 0 "" "" ""
39 HF_FIELD hf_lsarpc_String_name "String" "lsarpc.lsa.string" FT_STRING BASE_NONE NULL 0 "" "" ""
41 MANUAL lsarpc_dissect_element_lsa_LookupNames_names
42 MANUAL lsarpc_dissect_element_lsa_LookupNames2_names
43 MANUAL lsarpc_dissect_element_lsa_LookupNames3_names
44 MANUAL lsarpc_dissect_element_lsa_LookupNames4_names
45 MANUAL lsarpc_dissect_element_lsa_String_string_
46 MANUAL lsarpc_dissect_element_lsa_StringLarge_string_
48 NOEMIT lsarpc_dissect_element_lsa_String_string__
49 NOEMIT lsarpc_dissect_element_lsa_StringLarge_string__
50 NOEMIT lsarpc_dissect_element_lsa_DomainInfoEfs_efs_blob__
51 NOEMIT lsarpc_dissect_element_lsa_LookupNames_names_
52 NOEMIT lsarpc_dissect_element_lsa_LookupNames2_names_
53 NOEMIT lsarpc_dissect_element_lsa_LookupNames4_names_
55 ETT_FIELD ett_lsarpc_names
56 HF_FIELD hf_lsarpc_names "Names" "lsarpc.lookup.names" FT_NONE BASE_NONE NULL 0 "" "" ""
59 MANUAL lsarpc_dissect_element_lsa_DomainInfoEfs_efs_blob_
60 HF_FIELD hf_lsarpc_efs_blob_len "EFS blob size" "lsarpc.efs.blob_size" FT_UINT32 BASE_DEC NULL 0 "" "" ""
62 CODE START
65 static void
66 lsarpc_policy_specific_rights(tvbuff_t *tvb, int offset, proto_tree *tree, uint32_t access)
67 {
68 static int* const access_flags[] = {
69 &hf_lsarpc_lsa_PolicyAccessMask_LSA_POLICY_NOTIFICATION,
70 &hf_lsarpc_lsa_PolicyAccessMask_LSA_POLICY_LOOKUP_NAMES,
71 &hf_lsarpc_lsa_PolicyAccessMask_LSA_POLICY_SERVER_ADMIN,
72 &hf_lsarpc_lsa_PolicyAccessMask_LSA_POLICY_AUDIT_LOG_ADMIN,
73 &hf_lsarpc_lsa_PolicyAccessMask_LSA_POLICY_SET_AUDIT_REQUIREMENTS,
74 &hf_lsarpc_lsa_PolicyAccessMask_LSA_POLICY_SET_DEFAULT_QUOTA_LIMITS,
75 &hf_lsarpc_lsa_PolicyAccessMask_LSA_POLICY_CREATE_PRIVILEGE,
76 &hf_lsarpc_lsa_PolicyAccessMask_LSA_POLICY_CREATE_SECRET,
77 &hf_lsarpc_lsa_PolicyAccessMask_LSA_POLICY_CREATE_ACCOUNT,
78 &hf_lsarpc_lsa_PolicyAccessMask_LSA_POLICY_TRUST_ADMIN,
79 &hf_lsarpc_lsa_PolicyAccessMask_LSA_POLICY_GET_PRIVATE_INFORMATION,
80 &hf_lsarpc_lsa_PolicyAccessMask_LSA_POLICY_VIEW_AUDIT_INFORMATION,
81 &hf_lsarpc_lsa_PolicyAccessMask_LSA_POLICY_VIEW_LOCAL_INFORMATION,
82 NULL
83 };
85 proto_tree_add_bitmask_list_value(tree, tvb, offset, 4, access_flags, access);
86 }
88 static void
89 lsarpc_account_specific_rights(tvbuff_t *tvb, int offset, proto_tree *tree, uint32_t access)
90 {
91 static int* const access_flags[] = {
92 &hf_lsarpc_lsa_AccountAccessMask_LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS,
93 &hf_lsarpc_lsa_AccountAccessMask_LSA_ACCOUNT_ADJUST_QUOTAS,
94 &hf_lsarpc_lsa_AccountAccessMask_LSA_ACCOUNT_ADJUST_PRIVILEGES,
95 &hf_lsarpc_lsa_AccountAccessMask_LSA_ACCOUNT_VIEW,
96 NULL
97 };
99 proto_tree_add_bitmask_list_value(tree, tvb, offset, 4, access_flags, access);
100 }
102 static void
103 lsarpc_secret_specific_rights(tvbuff_t *tvb, int offset, proto_tree *tree, uint32_t access)
104 {
105 static int* const access_flags[] = {
106 &hf_lsarpc_lsa_SecretAccessMask_LSA_SECRET_QUERY_VALUE,
107 &hf_lsarpc_lsa_SecretAccessMask_LSA_SECRET_SET_VALUE,
108 NULL
109 };
111 proto_tree_add_bitmask_list_value(tree, tvb, offset, 4, access_flags, access);
112 }
114 static void
115 lsarpc_domain_specific_rights(tvbuff_t *tvb, int offset, proto_tree *tree, uint32_t access)
116 {
117 static int* const access_flags[] = {
118 &hf_lsarpc_lsa_TrustedAccessMask_LSA_TRUSTED_QUERY_AUTH,
119 &hf_lsarpc_lsa_TrustedAccessMask_LSA_TRUSTED_SET_AUTH,
120 &hf_lsarpc_lsa_TrustedAccessMask_LSA_TRUSTED_SET_POSIX,
121 &hf_lsarpc_lsa_TrustedAccessMask_LSA_TRUSTED_QUERY_POSIX,
122 &hf_lsarpc_lsa_TrustedAccessMask_LSA_TRUSTED_SET_CONTROLLERS,
123 &hf_lsarpc_lsa_TrustedAccessMask_LSA_TRUSTED_QUERY_CONTROLLERS,
124 &hf_lsarpc_lsa_TrustedAccessMask_LSA_TRUSTED_QUERY_DOMAIN_NAME,
125 NULL
126 };
128 proto_tree_add_bitmask_list_value(tree, tvb, offset, 4, access_flags, access);
129 }
132 static struct access_mask_info lsarpc_policy_access_mask_info = {
133 "LSA Policy", /* Name of specific rights */
134 lsarpc_policy_specific_rights, /* Dissection function */
135 NULL, /* Generic mapping table */
136 NULL /* Standard mapping table */
137 };
139 static struct access_mask_info lsarpc_account_access_mask_info = {
140 "LSA Account", /* Name of specific rights */
141 lsarpc_account_specific_rights, /* Dissection function */
142 NULL, /* Generic mapping table */
143 NULL /* Standard mapping table */
144 };
146 static struct access_mask_info lsarpc_secret_access_mask_info = {
147 "LSA Secret", /* Name of specific rights */
148 lsarpc_secret_specific_rights, /* Dissection function */
149 NULL, /* Generic mapping table */
150 NULL /* Standard mapping table */
151 };
153 static struct access_mask_info lsarpc_domain_access_mask_info = {
154 "LSA Domain", /* Name of specific rights */
155 lsarpc_domain_specific_rights, /* Dissection function */
156 NULL, /* Generic mapping table */
157 NULL /* Standard mapping table */
158 };
160 int
161 lsarpc_dissect_bitmap_lsa_PolicyAccessMask(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info* di, uint8_t *drep, int hf_index _U_, uint32_t param _U_)
162 {
163 offset = dissect_nt_access_mask(
164 tvb, offset, pinfo, tree, di, drep, hf_lsarpc_policy_access_mask,
165 &lsarpc_policy_access_mask_info, NULL);
166 return offset;
167 }
169 int
170 lsarpc_dissect_bitmap_lsa_AccountAccessMask(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info* di, uint8_t *drep, int hf_index _U_, uint32_t param _U_)
171 {
172 offset = dissect_nt_access_mask(
173 tvb, offset, pinfo, tree, di, drep, hf_lsarpc_account_access_mask,
174 &lsarpc_account_access_mask_info, NULL);
175 return offset;
176 }
178 int
179 lsarpc_dissect_bitmap_lsa_SecretAccessMask(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info* di, uint8_t *drep, int hf_index _U_, uint32_t param _U_)
180 {
181 offset = dissect_nt_access_mask(
182 tvb, offset, pinfo, tree, di, drep, hf_lsarpc_secret_access_mask,
183 &lsarpc_secret_access_mask_info, NULL);
184 return offset;
185 }
187 /* TODO: not called... Delete? */
188 static int _U_
189 lsarpc_dissect_bitmap_lsa_DomainAccessMask(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info* di, uint8_t *drep, int hf_index _U_, uint32_t param _U_)
190 {
191 offset = dissect_nt_access_mask(
192 tvb, offset, pinfo, tree, di, drep, hf_lsarpc_domain_access_mask,
193 &lsarpc_domain_access_mask_info, NULL);
194 return offset;
195 }
197 static int
198 cnf_dissect_sec_desc_buf_(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info* di, uint8_t *drep)
199 {
200 uint32_t len;
201 e_ctx_hnd *polhnd = NULL;
202 dcerpc_call_value *dcv = NULL;
203 uint32_t type=0;
204 struct access_mask_info *ami=NULL;
206 if(di->conformant_run){
207 /*just a run to handle conformant arrays, nothing to dissect */
208 return offset;
209 }
211 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, di, drep,
212 hf_lsarpc_sec_desc_buf_len, &len);
214 dcv = (dcerpc_call_value *)di->call_data;
215 if(dcv){
216 polhnd = dcv->pol;
217 }
218 if(polhnd){
219 dcerpc_fetch_polhnd_data(polhnd, NULL, &type, NULL, NULL,
220 pinfo->num);
221 }
222 switch(type){
223 case PIDL_POLHND_TYPE_LSA_POLICY:
224 ami=&lsarpc_policy_access_mask_info;
225 break;
226 case PIDL_POLHND_TYPE_LSA_ACCOUNT:
227 ami=&lsarpc_account_access_mask_info;
228 break;
229 case PIDL_POLHND_TYPE_LSA_SECRET:
230 ami=&lsarpc_secret_access_mask_info;
231 break;
232 case PIDL_POLHND_TYPE_LSA_DOMAIN:
233 ami=&lsarpc_domain_access_mask_info;
234 break;
235 }
237 dissect_nt_sec_desc(tvb, offset, pinfo, tree, drep, true, len, ami);
239 offset += len;
241 return offset;
242 }
244 static int
245 cnf_dissect_sec_desc_buf(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info* di, uint8_t *drep)
246 {
247 uint32_t len;
249 if(di->conformant_run){
250 /*just a run to handle conformant arrays, nothing to dissect */
251 return offset;
252 }
254 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, di, drep,
255 hf_lsarpc_sec_desc_buf_len, &len);
257 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
258 cnf_dissect_sec_desc_buf_, NDR_POINTER_UNIQUE,
259 "LSA SECURITY DESCRIPTOR data:", -1);
261 return offset;
262 }
265 int
266 lsarpc_dissect_sec_desc_buf(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info* di, uint8_t *drep){
267 return cnf_dissect_sec_desc_buf(tvb, offset, pinfo, tree, di, drep);
268 }
270 static int
271 lsarpc_dissect_struct_security_descriptor(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di, uint8_t *drep _U_, int unused1 _U_, int unused2 _U_){
272 return cnf_dissect_sec_desc_buf(tvb, offset, pinfo, tree, di, drep);
273 }
276 int
277 lsarpc_dissect_struct_dom_sid2(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di, uint8_t *drep _U_, int unused1 _U_, int unused2 _U_) {
278 /* sid */
279 return dissect_ndr_nt_SID(tvb, offset, pinfo, tree, di, drep);
281 }
283 static int
284 cnf_dissect_hyper(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info* di, uint8_t *drep, uint32_t param _U_, int hfindex)
285 {
286 offset = dissect_ndr_uint64(tvb, offset, pinfo, tree, di, drep, hfindex, NULL);
288 return offset;
289 }
291 # PIDL cant handle top level arrays so we must explicitely go through a
292 # ref pointer here
293 static int
294 lsarpc_dissect_element_lsa_LookupNames3_names_X(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *parent_tree _U_, dcerpc_info* di, uint8_t *drep _U_)
295 {
296 proto_item *item = NULL;
297 proto_tree *tree = NULL;
298 int old_offset = offset;
300 if (parent_tree) {
301 item = proto_tree_add_item(parent_tree, hf_lsarpc_names, tvb, offset, -1, ENC_NA);
302 tree = proto_item_add_subtree(item, ett_lsarpc_names);
303 }
305 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep, lsarpc_dissect_element_lsa_LookupNames3_names_);
307 proto_item_set_len(item, offset-old_offset);
308 return offset;
309 }
311 static int
312 lsarpc_dissect_element_lsa_LookupNames_names(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di, uint8_t *drep _U_)
313 {
314 offset = dissect_ndr_toplevel_pointer(tvb, offset, pinfo, tree, di, drep, lsarpc_dissect_element_lsa_LookupNames3_names_X, NDR_POINTER_REF, "Pointer to Names", hf_lsarpc_names);
316 return offset;
317 }
318 static int
319 lsarpc_dissect_element_lsa_LookupNames2_names(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di, uint8_t *drep _U_)
320 {
321 offset = dissect_ndr_toplevel_pointer(tvb, offset, pinfo, tree, di, drep, lsarpc_dissect_element_lsa_LookupNames3_names_X, NDR_POINTER_REF, "Pointer to Names", hf_lsarpc_names);
323 return offset;
324 }
325 static int
326 lsarpc_dissect_element_lsa_LookupNames3_names(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di, uint8_t *drep _U_)
327 {
328 offset = dissect_ndr_toplevel_pointer(tvb, offset, pinfo, tree, di, drep, lsarpc_dissect_element_lsa_LookupNames3_names_X, NDR_POINTER_REF, "Pointer to Names", hf_lsarpc_names);
330 return offset;
331 }
332 static int
333 lsarpc_dissect_element_lsa_LookupNames4_names(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di, uint8_t *drep _U_)
334 {
335 offset = dissect_ndr_toplevel_pointer(tvb, offset, pinfo, tree, di, drep, lsarpc_dissect_element_lsa_LookupNames3_names_X, NDR_POINTER_REF, "Pointer to Names", hf_lsarpc_names);
337 return offset;
338 }
342 static int
343 lsarpc_dissect_element_lsa_String_string_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di, uint8_t *drep _U_)
344 {
345 char *data;
347 offset = dissect_ndr_cvstring(tvb, offset, pinfo, tree, di, drep, sizeof(uint16_t), hf_lsarpc_String_name, false, &data);
348 proto_item_append_text(tree, ": %s", data);
350 return offset;
351 }
353 static int
354 lsarpc_dissect_element_lsa_StringLarge_string_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di, uint8_t *drep _U_)
355 {
356 char *data;
358 offset = dissect_ndr_cvstring(tvb, offset, pinfo, tree, di, drep, sizeof(uint16_t), hf_lsarpc_String_name, false, &data);
359 proto_item_append_text(tree, ": %s", data);
361 return offset;
362 }
366 static int
367 lsarpc_dissect_element_lsa_DomainInfoEfs_efs_blob_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di, uint8_t *drep _U_)
368 {
369 tvbuff_t *next_tvb;
370 int len, reported_len;
371 dissector_handle_t efsblob_handle;
373 if(di->conformant_run){
374 /*just a run to handle conformant arrays, nothing to dissect */
375 return offset;
376 }
379 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, di, drep,
380 hf_lsarpc_efs_blob_len, &reported_len);
382 len = reported_len;
383 if (len > tvb_captured_length_remaining(tvb, offset)) {
384 len = tvb_captured_length_remaining(tvb, offset);
385 }
387 next_tvb = tvb_new_subset_length_caplen(tvb, offset, len, reported_len);
389 efsblob_handle = find_dissector("efsblob");
390 if (efsblob_handle) {
391 call_dissector(efsblob_handle, next_tvb, pinfo, tree);
392 }
394 offset += reported_len;
396 return offset;
397 }
399 CODE END
401 HEADER START
403 extern int
404 lsarpc_dissect_sec_desc_buf(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info* di, uint8_t *drep);
405 extern int
406 lsarpc_dissect_struct_dom_sid2(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info* di, uint8_t *drep, int unused1, int unused2);
408 HEADER END