search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
MSWSP: add two more Property Sets
[wireshark-wip.git] / epan / dissectors / packet-windows-common.c
blob5fd63084fab366b40acd381674b74a3d2be3cee8
1 /* packet-windows-common.c
2 * Routines for dissecting various Windows data types
3 *
4 * $Id$
5 *
6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <gerald@wireshark.org>
8 * Copyright 1998 Gerald Combs
9 *
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
14 *
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
19 *
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
23 */
24
25 #include "config.h"
26
27 #include <glib.h>
28 #include <string.h>
29
30 #include <epan/packet.h>
31 #include <epan/exceptions.h>
32 #include <epan/wmem/wmem.h>
33 #include "packet-dcerpc.h"
34 #include "packet-smb-sidsnooping.h"
35 #include "packet-windows-common.h"
36 #include <epan/dissectors/packet-smb.h> /* for "sid_name_snooping" */
37
38 static int hf_nt_sec_desc_revision = -1;
39 static int hf_nt_sec_desc_type_owner_defaulted = -1;
40 static int hf_nt_sec_desc_type_group_defaulted = -1;
41 static int hf_nt_sec_desc_type_dacl_present = -1;
42 static int hf_nt_sec_desc_type_dacl_defaulted = -1;
43 static int hf_nt_sec_desc_type_sacl_present = -1;
44 static int hf_nt_sec_desc_type_sacl_defaulted = -1;
45 static int hf_nt_sec_desc_type_dacl_trusted = -1;
46 static int hf_nt_sec_desc_type_server_security = -1;
47 static int hf_nt_sec_desc_type_dacl_auto_inherit_req = -1;
48 static int hf_nt_sec_desc_type_sacl_auto_inherit_req = -1;
49 static int hf_nt_sec_desc_type_dacl_auto_inherited = -1;
50 static int hf_nt_sec_desc_type_sacl_auto_inherited = -1;
51 static int hf_nt_sec_desc_type_dacl_protected = -1;
52 static int hf_nt_sec_desc_type_sacl_protected = -1;
53 static int hf_nt_sec_desc_type_rm_control_valid = -1;
54 static int hf_nt_sec_desc_type_self_relative = -1;
55 static int hf_nt_sid = -1;
56 static int hf_nt_sid_revision = -1;
57 static int hf_nt_sid_num_auth = -1;
58 static int hf_nt_sid_auth_dec = -1;
59 static int hf_nt_sid_auth_hex = -1;
60 static int hf_nt_sid_subauth = -1;
61 static int hf_nt_sid_rid_dec = -1;
62 static int hf_nt_sid_rid_hex = -1;
63 static int hf_nt_sid_wkwn = -1;
64 static int hf_nt_sid_domain = -1;
65 static int hf_nt_acl_revision = -1;
66 static int hf_nt_acl_size = -1;
67 static int hf_nt_acl_num_aces = -1;
68 static int hf_nt_ace_flags_object_inherit = -1;
69 static int hf_nt_ace_flags_container_inherit = -1;
70 static int hf_nt_ace_flags_non_propagate_inherit = -1;
71 static int hf_nt_ace_flags_inherit_only = -1;
72 static int hf_nt_ace_flags_inherited_ace = -1;
73 static int hf_nt_ace_flags_successful_access = -1;
74 static int hf_nt_ace_flags_failed_access = -1;
75 static int hf_nt_ace_type = -1;
76 static int hf_nt_ace_size = -1;
77 static int hf_nt_ace_flags_object_type_present = -1;
78 static int hf_nt_ace_flags_inherited_object_type_present = -1;
79 static int hf_nt_ace_guid = -1;
80 static int hf_nt_ace_inherited_guid = -1;
81 static int hf_nt_security_information_sacl = -1;
82 static int hf_nt_security_information_dacl = -1;
83 static int hf_nt_security_information_group = -1;
84 static int hf_nt_security_information_owner = -1;
85
86 static gint ett_nt_sec_desc = -1;
87 static gint ett_nt_sec_desc_type = -1;
88 static gint ett_nt_sid = -1;
89 static gint ett_nt_acl = -1;
90 static gint ett_nt_ace = -1;
91 static gint ett_nt_ace_flags = -1;
92 static gint ett_nt_ace_object = -1;
93 static gint ett_nt_ace_object_flags = -1;
94 static gint ett_nt_security_information = -1;
95
96 /* WERR error codes
97 * This list is based on the samba doserr.h file and was generated by running
98 cat doserr.h | grep "^#define WERR" | grep -v "FOOBAR"| sed -e "s/^#define[ \t]//" | while read WERR junk;do echo " {"${WERR}, \"${WERR}\""}," ; done
99 */
100 const value_string WERR_errors[] = {
101 {WERR_OK, "WERR_OK"},
102 {WERR_BADFUNC, "WERR_BADFUNC"},
103 {WERR_BADFILE, "WERR_BADFILE"},
104 {WERR_ACCESS_DENIED, "WERR_ACCESS_DENIED"},
105 {WERR_BADFID, "WERR_BADFID"},
106 {WERR_NOMEM, "WERR_NOMEM"},
107 {WERR_GENERAL_FAILURE, "WERR_GENERAL_FAILURE"},
108 {WERR_NOT_SUPPORTED, "WERR_NOT_SUPPORTED"},
109 {WERR_BAD_NETPATH, "WERR_BAD_NETPATH"},
110 {WERR_UNEXP_NET_ERR, "WERR_UNEXP_NET_ERR"},
111 {WERR_PRINTQ_FULL, "WERR_PRINTQ_FULL"},
112 {WERR_NO_SPOOL_SPACE, "WERR_NO_SPOOL_SPACE"},
113 {WERR_NO_SUCH_SHARE, "WERR_NO_SUCH_SHARE"},
114 {WERR_FILE_EXISTS, "WERR_FILE_EXISTS"},
115 {WERR_BAD_PASSWORD, "WERR_BAD_PASSWORD"},
116 {WERR_INVALID_PARAM, "WERR_INVALID_PARAM"},
117 {WERR_INSUFFICIENT_BUFFER, "WERR_INSUFFICIENT_BUFFER"},
118 {WERR_INVALID_NAME, "WERR_INVALID_NAME"},
119 {WERR_UNKNOWN_LEVEL, "WERR_UNKNOWN_LEVEL"},
120 {WERR_OBJECT_PATH_INVALID, "WERR_OBJECT_PATH_INVALID"},
121 {WERR_ALREADY_EXISTS, "WERR_ALREADY_EXISTS"},
122 {WERR_NO_MORE_ITEMS, "WERR_NO_MORE_ITEMS"},
123 {WERR_MORE_DATA, "WERR_MORE_DATA"},
124 {WERR_CAN_NOT_COMPLETE, "WERR_CAN_NOT_COMPLETE"},
125 {WERR_NOT_FOUND, "WERR_NOT_FOUND"},
126 {WERR_INVALID_COMPUTERNAME, "WERR_INVALID_COMPUTERNAME"},
127 {WERR_INVALID_DOMAINNAME, "WERR_INVALID_DOMAINNAME"},
128 {WERR_UNKNOWN_REVISION, "WERR_UNKNOWN_REVISION"},
129 {WERR_REVISION_MISMATCH, "WERR_REVISION_MISMATCH"},
130 {WERR_INVALID_OWNER, "WERR_INVALID_OWNER"},
131 {WERR_NO_SUCH_PRIVILEGE, "WERR_NO_SUCH_PRIVILEGE"},
132 {WERR_PRIVILEGE_NOT_HELD, "WERR_PRIVILEGE_NOT_HELD"},
133 {WERR_NO_SUCH_USER, "WERR_NO_SUCH_USER"},
134 {WERR_INVALID_SECURITY_DESCRIPTOR, "WERR_INVALID_SECURITY_DESCRIPTOR"},
135 {WERR_NO_SUCH_DOMAIN, "WERR_NO_SUCH_DOMAIN"},
136 {WERR_NO_SYSTEM_RESOURCES, "WERR_NO_SYSTEM_RESOURCES"},
137 {WERR_SERVER_UNAVAILABLE, "WERR_SERVER_UNAVAILABLE"},
138 {WERR_INVALID_FORM_NAME, "WERR_INVALID_FORM_NAME"},
139 {WERR_INVALID_FORM_SIZE, "WERR_INVALID_FORM_SIZE"},
140 {WERR_ALREADY_SHARED, "WERR_ALREADY_SHARED"},
141 {WERR_BUF_TOO_SMALL, "WERR_BUF_TOO_SMALL"},
142 {WERR_JOB_NOT_FOUND, "WERR_JOB_NOT_FOUND"},
143 {WERR_DEST_NOT_FOUND, "WERR_DEST_NOT_FOUND"},
144 {WERR_NOT_LOCAL_DOMAIN, "WERR_NOT_LOCAL_DOMAIN"},
145 {WERR_DEVICE_NOT_AVAILABLE, "WERR_DEVICE_NOT_AVAILABLE"},
146 {WERR_STATUS_MORE_ENTRIES, "WERR_STATUS_MORE_ENTRIES"},
147 {WERR_PRINTER_DRIVER_ALREADY_INSTALLED, "WERR_PRINTER_DRIVER_ALREADY_INSTALLED"},
148 {WERR_UNKNOWN_PORT, "WERR_UNKNOWN_PORT"},
149 {WERR_UNKNOWN_PRINTER_DRIVER, "WERR_UNKNOWN_PRINTER_DRIVER"},
150 {WERR_UNKNOWN_PRINTPROCESSOR, "WERR_UNKNOWN_PRINTPROCESSOR"},
151 {WERR_INVALID_SEPARATOR_FILE, "WERR_INVALID_SEPARATOR_FILE"},
152 {WERR_INVALID_PRIORITY, "WERR_INVALID_PRIORITY"},
153 {WERR_INVALID_PRINTER_NAME, "WERR_INVALID_PRINTER_NAME"},
154 {WERR_PRINTER_ALREADY_EXISTS, "WERR_PRINTER_ALREADY_EXISTS"},
155 {WERR_INVALID_PRINTER_COMMAND, "WERR_INVALID_PRINTER_COMMAND"},
156 {WERR_INVALID_DATATYPE, "WERR_INVALID_DATATYPE"},
157 {WERR_INVALID_ENVIRONMENT, "WERR_INVALID_ENVIRONMENT"},
158 {WERR_SESSION_NOT_FOUND, "WERR_SESSION_NOT_FOUND"},
159 {WERR_FID_NOT_FOUND, "WERR_FID_NOT_FOUND"},
160 {WERR_UNKNOWN_PRINT_MONITOR, "WERR_UNKNOWN_PRINT_MONITOR"},
161 {WERR_PRINTER_DRIVER_IN_USE, "WERR_PRINTER_DRIVER_IN_USE"},
162 {WERR_SPOOL_FILE_NOT_FOUND, "WERR_SPOOL_FILE_NOT_FOUND"},
163 {WERR_SPL_NO_STARTDOC, "WERR_SPL_NO_STARTDOC"},
164 {WERR_SPL_NO_ADDJOB, "WERR_SPL_NO_ADDJOB"},
165 {WERR_PRINT_PROCESSOR_ALREADY_INSTALLED, "WERR_PRINT_PROCESSOR_ALREADY_INSTALLED"},
166 {WERR_PRINT_MONITOR_ALREADY_INSTALLED, "WERR_PRINT_MONITOR_ALREADY_INSTALLED"},
167 {WERR_INVALID_PRINT_MONITOR, "WERR_INVALID_PRINT_MONITOR"},
168 {WERR_PRINT_MONITOR_IN_USE, "WERR_PRINT_MONITOR_IN_USE"},
169 {WERR_PRINTER_HAS_JOBS_QUEUED, "WERR_PRINTER_HAS_JOBS_QUEUED"},
170 {WERR_CLASS_NOT_REGISTERED, "WERR_CLASS_NOT_REGISTERED"},
171 {WERR_NO_SHUTDOWN_IN_PROGRESS, "WERR_NO_SHUTDOWN_IN_PROGRESS"},
172 {WERR_SHUTDOWN_ALREADY_IN_PROGRESS, "WERR_SHUTDOWN_ALREADY_IN_PROGRESS"},
173 {WERR_NET_NAME_NOT_FOUND, "WERR_NET_NAME_NOT_FOUND"},
174 {WERR_DEVICE_NOT_SHARED, "WERR_DEVICE_NOT_SHARED"},
175 {WERR_DFS_NO_SUCH_VOL, "WERR_DFS_NO_SUCH_VOL"},
176 {WERR_DFS_NO_SUCH_SHARE, "WERR_DFS_NO_SUCH_SHARE"},
177 {WERR_DFS_NO_SUCH_SERVER, "WERR_DFS_NO_SUCH_SERVER"},
178 {WERR_DFS_INTERNAL_ERROR, "WERR_DFS_INTERNAL_ERROR"},
179 {WERR_DFS_CANT_CREATE_JUNCT, "WERR_DFS_CANT_CREATE_JUNCT"},
180 {WERR_DS_SERVICE_BUSY, "WERR_DS_SERVICE_BUSY"},
181 {WERR_DS_SERVICE_UNAVAILABLE, "WERR_DS_SERVICE_UNAVAILABLE"},
182 {WERR_DS_NO_SUCH_OBJECT, "WERR_DS_NO_SUCH_OBJECT"},
183 {WERR_DS_OBJ_NOT_FOUND, "WERR_DS_OBJ_NOT_FOUND"},
184 {WERR_DS_DRA_INVALID_PARAMETER, "WERR_DS_DRA_INVALID_PARAMETER"},
185 {WERR_DS_DRA_BAD_DN, "WERR_DS_DRA_BAD_DN"},
186 {WERR_DS_DRA_BAD_NC, "WERR_DS_DRA_BAD_NC"},
187 {WERR_DS_DRA_INTERNAL_ERROR, "WERR_DS_DRA_INTERNAL_ERROR"},
188 {WERR_DS_DRA_OUT_OF_MEM, "WERR_DS_DRA_OUT_OF_MEM"},
189 {WERR_DS_SINGLE_VALUE_CONSTRAINT, "WERR_DS_SINGLE_VALUE_CONSTRAINT"},
190 {WERR_DS_DRA_DB_ERROR, "WERR_DS_DRA_DB_ERROR"},
191 {WERR_DS_DRA_NO_REPLICA, "WERR_DS_DRA_NO_REPLICA"},
192 {WERR_DS_DRA_ACCESS_DENIED, "WERR_DS_DRA_ACCESS_DENIED"},
193 {WERR_DS_DNS_LOOKUP_FAILURE, "WERR_DS_DNS_LOOKUP_FAILURE"},
194 {WERR_DS_WRONG_LINKED_ATTRIBUTE_SYNTAX, "WERR_DS_WRONG_LINKED_ATTRIBUTE_SYNTAX"},
195 {WERR_SEC_E_ALGORITHM_MISMATCH, "WERR_SEC_E_ALGORITHM_MISMATCH"},
196 {0, NULL}
197 };
198
199
200
201 /*
202 * DOS error codes.
203 */
204 const value_string DOS_errors[] = {
205 {0, "Success"},
206 {SMBE_insufficientbuffer, "Insufficient buffer"},
207 {SMBE_badfunc, "Invalid function (or system call)"},
208 {SMBE_badfile, "File not found (pathname error)"},
209 {SMBE_badpath, "Directory not found"},
210 {SMBE_nofids, "Too many open files"},
211 {SMBE_noaccess, "Access denied"},
212 {SMBE_badfid, "Invalid fid"},
213 {SMBE_nomem, "Out of memory"},
214 {SMBE_badmem, "Invalid memory block address"},
215 {SMBE_badenv, "Invalid environment"},
216 {SMBE_badaccess, "Invalid open mode"},
217 {SMBE_baddata, "Invalid data (only from ioctl call)"},
218 {SMBE_res, "Reserved error code?"},
219 {SMBE_baddrive, "Invalid drive"},
220 {SMBE_remcd, "Attempt to delete current directory"},
221 {SMBE_diffdevice, "Rename/move across different filesystems"},
222 {SMBE_nofiles, "No more files found in file search"},
223 {SMBE_badshare, "Share mode on file conflict with open mode"},
224 {SMBE_lock, "Lock request conflicts with existing lock"},
225 {SMBE_unsup, "Request unsupported, returned by Win 95"},
226 {SMBE_nosuchshare, "Requested share does not exist"},
227 {SMBE_filexists, "File in operation already exists"},
228 {SMBE_cannotopen, "Cannot open the file specified"},
229 {SMBE_unknownlevel, "Unknown info level"},
230 {SMBE_invalidname, "Invalid name"},
231 {SMBE_badpipe, "Named pipe invalid"},
232 {SMBE_pipebusy, "All instances of pipe are busy"},
233 {SMBE_pipeclosing, "Named pipe close in progress"},
234 {SMBE_notconnected, "No process on other end of named pipe"},
235 {SMBE_moredata, "More data to be returned"},
236 {SMBE_baddirectory, "Invalid directory name in a path."},
237 {SMBE_eas_didnt_fit, "Extended attributes didn't fit"},
238 {SMBE_eas_nsup, "Extended attributes not supported"},
239 {SMBE_notify_buf_small, "Buffer too small to return change notify."},
240 {SMBE_unknownipc, "Unknown IPC Operation"},
241 {SMBE_noipc, "Don't support ipc"},
242 {SMBE_alreadyexists, "File already exists"},
243 {SMBE_unknownprinterdriver, "Unknown printer driver"},
244 {SMBE_invalidprintername, "Invalid printer name"},
245 {SMBE_printeralreadyexists, "Printer already exists"},
246 {SMBE_invaliddatatype, "Invalid data type"},
247 {SMBE_invalidenvironment, "Invalid environment"},
248 {SMBE_printerdriverinuse, "Printer driver in use"},
249 {SMBE_invalidparam, "Invalid parameter"},
250 {SMBE_invalidformsize, "Invalid form size"},
251 {SMBE_invalidsecuritydescriptor, "Invalid security descriptor"},
252 {SMBE_invalidowner, "Invalid owner"},
253 {SMBE_nomoreitems, "No more items"},
254 {SMBE_serverunavailable, "Server unavailable"},
255 {0, NULL}
256 };
257
258 /*
259 * NT error codes.
260 *
261 * From
262 *
263 * http://www.wildpackets.com/elements/misc/SMB_NT_Status_Codes.txt
264 */
265 const value_string NT_errors[] = {
266 { 0x00000000, "STATUS_SUCCESS" },
267 /*{ 0x00000000, "STATUS_WAIT_0" }, */
268 { 0x00000001, "STATUS_WAIT_1" },
269 { 0x00000002, "STATUS_WAIT_2" },
270 { 0x00000003, "STATUS_WAIT_3" },
271 { 0x0000003F, "STATUS_WAIT_63" },
272 { 0x00000080, "STATUS_ABANDONED" },
273 /*{ 0x00000080, "STATUS_ABANDONED_WAIT_0" },*/
274 { 0x000000BF, "STATUS_ABANDONED_WAIT_63" },
275 { 0x000000C0, "STATUS_USER_APC" },
276 { 0x00000100, "STATUS_KERNEL_APC" },
277 { 0x00000101, "STATUS_ALERTED" },
278 { 0x00000102, "STATUS_TIMEOUT" },
279 { 0x00000103, "STATUS_PENDING" },
280 { 0x00000104, "STATUS_REPARSE" },
281 { 0x00000105, "STATUS_MORE_ENTRIES" },
282 { 0x00000106, "STATUS_NOT_ALL_ASSIGNED" },
283 { 0x00000107, "STATUS_SOME_NOT_MAPPED" },
284 { 0x00000108, "STATUS_OPLOCK_BREAK_IN_PROGRESS" },
285 { 0x00000109, "STATUS_VOLUME_MOUNTED" },
286 { 0x0000010A, "STATUS_RXACT_COMMITTED" },
287 { 0x0000010B, "STATUS_NOTIFY_CLEANUP" },
288 { 0x0000010C, "STATUS_NOTIFY_ENUM_DIR" },
289 { 0x0000010D, "STATUS_NO_QUOTAS_FOR_ACCOUNT" },
290 { 0x0000010E, "STATUS_PRIMARY_TRANSPORT_CONNECT_FAILED" },
291 { 0x00000110, "STATUS_PAGE_FAULT_TRANSITION" },
292 { 0x00000111, "STATUS_PAGE_FAULT_DEMAND_ZERO" },
293 { 0x00000112, "STATUS_PAGE_FAULT_COPY_ON_WRITE" },
294 { 0x00000113, "STATUS_PAGE_FAULT_GUARD_PAGE" },
295 { 0x00000114, "STATUS_PAGE_FAULT_PAGING_FILE" },
296 { 0x00000115, "STATUS_CACHE_PAGE_LOCKED" },
297 { 0x00000116, "STATUS_CRASH_DUMP" },
298 { 0x00000117, "STATUS_BUFFER_ALL_ZEROS" },
299 { 0x00000118, "STATUS_REPARSE_OBJECT" },
300 { 0x0000045C, "STATUS_NO_SHUTDOWN_IN_PROGRESS" },
301 { 0x40000000, "STATUS_OBJECT_NAME_EXISTS" },
302 { 0x40000001, "STATUS_THREAD_WAS_SUSPENDED" },
303 { 0x40000002, "STATUS_WORKING_SET_LIMIT_RANGE" },
304 { 0x40000003, "STATUS_IMAGE_NOT_AT_BASE" },
305 { 0x40000004, "STATUS_RXACT_STATE_CREATED" },
306 { 0x40000005, "STATUS_SEGMENT_NOTIFICATION" },
307 { 0x40000006, "STATUS_LOCAL_USER_SESSION_KEY" },
308 { 0x40000007, "STATUS_BAD_CURRENT_DIRECTORY" },
309 { 0x40000008, "STATUS_SERIAL_MORE_WRITES" },
310 { 0x40000009, "STATUS_REGISTRY_RECOVERED" },
311 { 0x4000000A, "STATUS_FT_READ_RECOVERY_FROM_BACKUP" },
312 { 0x4000000B, "STATUS_FT_WRITE_RECOVERY" },
313 { 0x4000000C, "STATUS_SERIAL_COUNTER_TIMEOUT" },
314 { 0x4000000D, "STATUS_NULL_LM_PASSWORD" },
315 { 0x4000000E, "STATUS_IMAGE_MACHINE_TYPE_MISMATCH" },
316 { 0x4000000F, "STATUS_RECEIVE_PARTIAL" },
317 { 0x40000010, "STATUS_RECEIVE_EXPEDITED" },
318 { 0x40000011, "STATUS_RECEIVE_PARTIAL_EXPEDITED" },
319 { 0x40000012, "STATUS_EVENT_DONE" },
320 { 0x40000013, "STATUS_EVENT_PENDING" },
321 { 0x40000014, "STATUS_CHECKING_FILE_SYSTEM" },
322 { 0x40000015, "STATUS_FATAL_APP_EXIT" },
323 { 0x40000016, "STATUS_PREDEFINED_HANDLE" },
324 { 0x40000017, "STATUS_WAS_UNLOCKED" },
325 { 0x40000018, "STATUS_SERVICE_NOTIFICATION" },
326 { 0x40000019, "STATUS_WAS_LOCKED" },
327 { 0x4000001A, "STATUS_LOG_HARD_ERROR" },
328 { 0x4000001B, "STATUS_ALREADY_WIN32" },
329 { 0x4000001C, "STATUS_WX86_UNSIMULATE" },
330 { 0x4000001D, "STATUS_WX86_CONTINUE" },
331 { 0x4000001E, "STATUS_WX86_SINGLE_STEP" },
332 { 0x4000001F, "STATUS_WX86_BREAKPOINT" },
333 { 0x40000020, "STATUS_WX86_EXCEPTION_CONTINUE" },
334 { 0x40000021, "STATUS_WX86_EXCEPTION_LASTCHANCE" },
335 { 0x40000022, "STATUS_WX86_EXCEPTION_CHAIN" },
336 { 0x40000023, "STATUS_IMAGE_MACHINE_TYPE_MISMATCH_EXE" },
337 { 0x40000024, "STATUS_NO_YIELD_PERFORMED" },
338 { 0x40000025, "STATUS_TIMER_RESUME_IGNORED" },
339 { 0x80000001, "STATUS_GUARD_PAGE_VIOLATION" },
340 { 0x80000002, "STATUS_DATATYPE_MISALIGNMENT" },
341 { 0x80000003, "STATUS_BREAKPOINT" },
342 { 0x80000004, "STATUS_SINGLE_STEP" },
343 { 0x80000005, "STATUS_BUFFER_OVERFLOW" },
344 { 0x80000006, "STATUS_NO_MORE_FILES" },
345 { 0x80000007, "STATUS_WAKE_SYSTEM_DEBUGGER" },
346 { 0x8000000A, "STATUS_HANDLES_CLOSED" },
347 { 0x8000000B, "STATUS_NO_INHERITANCE" },
348 { 0x8000000C, "STATUS_GUID_SUBSTITUTION_MADE" },
349 { 0x8000000D, "STATUS_PARTIAL_COPY" },
350 { 0x8000000E, "STATUS_DEVICE_PAPER_EMPTY" },
351 { 0x8000000F, "STATUS_DEVICE_POWERED_OFF" },
352 { 0x80000010, "STATUS_DEVICE_OFF_LINE" },
353 { 0x80000011, "STATUS_DEVICE_BUSY" },
354 { 0x80000012, "STATUS_NO_MORE_EAS" },
355 { 0x80000013, "STATUS_INVALID_EA_NAME" },
356 { 0x80000014, "STATUS_EA_LIST_INCONSISTENT" },
357 { 0x80000015, "STATUS_INVALID_EA_FLAG" },
358 { 0x80000016, "STATUS_VERIFY_REQUIRED" },
359 { 0x80000017, "STATUS_EXTRANEOUS_INFORMATION" },
360 { 0x80000018, "STATUS_RXACT_COMMIT_NECESSARY" },
361 { 0x8000001A, "STATUS_NO_MORE_ENTRIES" },
362 { 0x8000001B, "STATUS_FILEMARK_DETECTED" },
363 { 0x8000001C, "STATUS_MEDIA_CHANGED" },
364 { 0x8000001D, "STATUS_BUS_RESET" },
365 { 0x8000001E, "STATUS_END_OF_MEDIA" },
366 { 0x8000001F, "STATUS_BEGINNING_OF_MEDIA" },
367 { 0x80000020, "STATUS_MEDIA_CHECK" },
368 { 0x80000021, "STATUS_SETMARK_DETECTED" },
369 { 0x80000022, "STATUS_NO_DATA_DETECTED" },
370 { 0x80000023, "STATUS_REDIRECTOR_HAS_OPEN_HANDLES" },
371 { 0x80000024, "STATUS_SERVER_HAS_OPEN_HANDLES" },
372 { 0x80000025, "STATUS_ALREADY_DISCONNECTED" },
373 { 0x80000026, "STATUS_LONGJUMP" },
374 { 0x80040111, "MAPI_E_LOGON_FAILED" },
375 { 0x80090300, "SEC_E_INSUFFICIENT_MEMORY" },
376 { 0x80090301, "SEC_E_INVALID_HANDLE" },
377 { 0x80090302, "SEC_E_UNSUPPORTED_FUNCTION" },
378 { 0x8009030B, "SEC_E_NO_IMPERSONATION" },
379 { 0x8009030D, "SEC_E_UNKNOWN_CREDENTIALS" },
380 { 0x8009030E, "SEC_E_NO_CREDENTIALS" },
381 { 0x8009030F, "SEC_E_MESSAGE_ALTERED" },
382 { 0x80090310, "SEC_E_OUT_OF_SEQUENCE" },
383 { 0x80090311, "SEC_E_NO_AUTHENTICATING_AUTHORITY" },
384 { 0xC0000001, "STATUS_UNSUCCESSFUL" },
385 { 0xC0000002, "STATUS_NOT_IMPLEMENTED" },
386 { 0xC0000003, "STATUS_INVALID_INFO_CLASS" },
387 { 0xC0000004, "STATUS_INFO_LENGTH_MISMATCH" },
388 { 0xC0000005, "STATUS_ACCESS_VIOLATION" },
389 { 0xC0000006, "STATUS_IN_PAGE_ERROR" },
390 { 0xC0000007, "STATUS_PAGEFILE_QUOTA" },
391 { 0xC0000008, "STATUS_INVALID_HANDLE" },
392 { 0xC0000009, "STATUS_BAD_INITIAL_STACK" },
393 { 0xC000000A, "STATUS_BAD_INITIAL_PC" },
394 { 0xC000000B, "STATUS_INVALID_CID" },
395 { 0xC000000C, "STATUS_TIMER_NOT_CANCELED" },
396 { 0xC000000D, "STATUS_INVALID_PARAMETER" },
397 { 0xC000000E, "STATUS_NO_SUCH_DEVICE" },
398 { 0xC000000F, "STATUS_NO_SUCH_FILE" },
399 { 0xC0000010, "STATUS_INVALID_DEVICE_REQUEST" },
400 { 0xC0000011, "STATUS_END_OF_FILE" },
401 { 0xC0000012, "STATUS_WRONG_VOLUME" },
402 { 0xC0000013, "STATUS_NO_MEDIA_IN_DEVICE" },
403 { 0xC0000014, "STATUS_UNRECOGNIZED_MEDIA" },
404 { 0xC0000015, "STATUS_NONEXISTENT_SECTOR" },
405 { 0xC0000016, "STATUS_MORE_PROCESSING_REQUIRED" },
406 { 0xC0000017, "STATUS_NO_MEMORY" },
407 { 0xC0000018, "STATUS_CONFLICTING_ADDRESSES" },
408 { 0xC0000019, "STATUS_NOT_MAPPED_VIEW" },
409 { 0xC000001A, "STATUS_UNABLE_TO_FREE_VM" },
410 { 0xC000001B, "STATUS_UNABLE_TO_DELETE_SECTION" },
411 { 0xC000001C, "STATUS_INVALID_SYSTEM_SERVICE" },
412 { 0xC000001D, "STATUS_ILLEGAL_INSTRUCTION" },
413 { 0xC000001E, "STATUS_INVALID_LOCK_SEQUENCE" },
414 { 0xC000001F, "STATUS_INVALID_VIEW_SIZE" },
415 { 0xC0000020, "STATUS_INVALID_FILE_FOR_SECTION" },
416 { 0xC0000021, "STATUS_ALREADY_COMMITTED" },
417 { 0xC0000022, "STATUS_ACCESS_DENIED" },
418 { 0xC0000023, "STATUS_BUFFER_TOO_SMALL" },
419 { 0xC0000024, "STATUS_OBJECT_TYPE_MISMATCH" },
420 { 0xC0000025, "STATUS_NONCONTINUABLE_EXCEPTION" },
421 { 0xC0000026, "STATUS_INVALID_DISPOSITION" },
422 { 0xC0000027, "STATUS_UNWIND" },
423 { 0xC0000028, "STATUS_BAD_STACK" },
424 { 0xC0000029, "STATUS_INVALID_UNWIND_TARGET" },
425 { 0xC000002A, "STATUS_NOT_LOCKED" },
426 { 0xC000002B, "STATUS_PARITY_ERROR" },
427 { 0xC000002C, "STATUS_UNABLE_TO_DECOMMIT_VM" },
428 { 0xC000002D, "STATUS_NOT_COMMITTED" },
429 { 0xC000002E, "STATUS_INVALID_PORT_ATTRIBUTES" },
430 { 0xC000002F, "STATUS_PORT_MESSAGE_TOO_LONG" },
431 { 0xC0000030, "STATUS_INVALID_PARAMETER_MIX" },
432 { 0xC0000031, "STATUS_INVALID_QUOTA_LOWER" },
433 { 0xC0000032, "STATUS_DISK_CORRUPT_ERROR" },
434 { 0xC0000033, "STATUS_OBJECT_NAME_INVALID" },
435 { 0xC0000034, "STATUS_OBJECT_NAME_NOT_FOUND" },
436 { 0xC0000035, "STATUS_OBJECT_NAME_COLLISION" },
437 { 0xC0000037, "STATUS_PORT_DISCONNECTED" },
438 { 0xC0000038, "STATUS_DEVICE_ALREADY_ATTACHED" },
439 { 0xC0000039, "STATUS_OBJECT_PATH_INVALID" },
440 { 0xC000003A, "STATUS_OBJECT_PATH_NOT_FOUND" },
441 { 0xC000003B, "STATUS_OBJECT_PATH_SYNTAX_BAD" },
442 { 0xC000003C, "STATUS_DATA_OVERRUN" },
443 { 0xC000003D, "STATUS_DATA_LATE_ERROR" },
444 { 0xC000003E, "STATUS_DATA_ERROR" },
445 { 0xC000003F, "STATUS_CRC_ERROR" },
446 { 0xC0000040, "STATUS_SECTION_TOO_BIG" },
447 { 0xC0000041, "STATUS_PORT_CONNECTION_REFUSED" },
448 { 0xC0000042, "STATUS_INVALID_PORT_HANDLE" },
449 { 0xC0000043, "STATUS_SHARING_VIOLATION" },
450 { 0xC0000044, "STATUS_QUOTA_EXCEEDED" },
451 { 0xC0000045, "STATUS_INVALID_PAGE_PROTECTION" },
452 { 0xC0000046, "STATUS_MUTANT_NOT_OWNED" },
453 { 0xC0000047, "STATUS_SEMAPHORE_LIMIT_EXCEEDED" },
454 { 0xC0000048, "STATUS_PORT_ALREADY_SET" },
455 { 0xC0000049, "STATUS_SECTION_NOT_IMAGE" },
456 { 0xC000004A, "STATUS_SUSPEND_COUNT_EXCEEDED" },
457 { 0xC000004B, "STATUS_THREAD_IS_TERMINATING" },
458 { 0xC000004C, "STATUS_BAD_WORKING_SET_LIMIT" },
459 { 0xC000004D, "STATUS_INCOMPATIBLE_FILE_MAP" },
460 { 0xC000004E, "STATUS_SECTION_PROTECTION" },
461 { 0xC000004F, "STATUS_EAS_NOT_SUPPORTED" },
462 { 0xC0000050, "STATUS_EA_TOO_LARGE" },
463 { 0xC0000051, "STATUS_NONEXISTENT_EA_ENTRY" },
464 { 0xC0000052, "STATUS_NO_EAS_ON_FILE" },
465 { 0xC0000053, "STATUS_EA_CORRUPT_ERROR" },
466 { 0xC0000054, "STATUS_FILE_LOCK_CONFLICT" },
467 { 0xC0000055, "STATUS_LOCK_NOT_GRANTED" },
468 { 0xC0000056, "STATUS_DELETE_PENDING" },
469 { 0xC0000057, "STATUS_CTL_FILE_NOT_SUPPORTED" },
470 { 0xC0000058, "STATUS_UNKNOWN_REVISION" },
471 { 0xC0000059, "STATUS_REVISION_MISMATCH" },
472 { 0xC000005A, "STATUS_INVALID_OWNER" },
473 { 0xC000005B, "STATUS_INVALID_PRIMARY_GROUP" },
474 { 0xC000005C, "STATUS_NO_IMPERSONATION_TOKEN" },
475 { 0xC000005D, "STATUS_CANT_DISABLE_MANDATORY" },
476 { 0xC000005E, "STATUS_NO_LOGON_SERVERS" },
477 { 0xC000005F, "STATUS_NO_SUCH_LOGON_SESSION" },
478 { 0xC0000060, "STATUS_NO_SUCH_PRIVILEGE" },
479 { 0xC0000061, "STATUS_PRIVILEGE_NOT_HELD" },
480 { 0xC0000062, "STATUS_INVALID_ACCOUNT_NAME" },
481 { 0xC0000063, "STATUS_USER_EXISTS" },
482 { 0xC0000064, "STATUS_NO_SUCH_USER" },
483 { 0xC0000065, "STATUS_GROUP_EXISTS" },
484 { 0xC0000066, "STATUS_NO_SUCH_GROUP" },
485 { 0xC0000067, "STATUS_MEMBER_IN_GROUP" },
486 { 0xC0000068, "STATUS_MEMBER_NOT_IN_GROUP" },
487 { 0xC0000069, "STATUS_LAST_ADMIN" },
488 { 0xC000006A, "STATUS_WRONG_PASSWORD" },
489 { 0xC000006B, "STATUS_ILL_FORMED_PASSWORD" },
490 { 0xC000006C, "STATUS_PASSWORD_RESTRICTION" },
491 { 0xC000006D, "STATUS_LOGON_FAILURE" },
492 { 0xC000006E, "STATUS_ACCOUNT_RESTRICTION" },
493 { 0xC000006F, "STATUS_INVALID_LOGON_HOURS" },
494 { 0xC0000070, "STATUS_INVALID_WORKSTATION" },
495 { 0xC0000071, "STATUS_PASSWORD_EXPIRED" },
496 { 0xC0000072, "STATUS_ACCOUNT_DISABLED" },
497 { 0xC0000073, "STATUS_NONE_MAPPED" },
498 { 0xC0000074, "STATUS_TOO_MANY_LUIDS_REQUESTED" },
499 { 0xC0000075, "STATUS_LUIDS_EXHAUSTED" },
500 { 0xC0000076, "STATUS_INVALID_SUB_AUTHORITY" },
501 { 0xC0000077, "STATUS_INVALID_ACL" },
502 { 0xC0000078, "STATUS_INVALID_SID" },
503 { 0xC0000079, "STATUS_INVALID_SECURITY_DESCR" },
504 { 0xC000007A, "STATUS_PROCEDURE_NOT_FOUND" },
505 { 0xC000007B, "STATUS_INVALID_IMAGE_FORMAT" },
506 { 0xC000007C, "STATUS_NO_TOKEN" },
507 { 0xC000007D, "STATUS_BAD_INHERITANCE_ACL" },
508 { 0xC000007E, "STATUS_RANGE_NOT_LOCKED" },
509 { 0xC000007F, "STATUS_DISK_FULL" },
510 { 0xC0000080, "STATUS_SERVER_DISABLED" },
511 { 0xC0000081, "STATUS_SERVER_NOT_DISABLED" },
512 { 0xC0000082, "STATUS_TOO_MANY_GUIDS_REQUESTED" },
513 { 0xC0000083, "STATUS_GUIDS_EXHAUSTED" },
514 { 0xC0000084, "STATUS_INVALID_ID_AUTHORITY" },
515 { 0xC0000085, "STATUS_AGENTS_EXHAUSTED" },
516 { 0xC0000086, "STATUS_INVALID_VOLUME_LABEL" },
517 { 0xC0000087, "STATUS_SECTION_NOT_EXTENDED" },
518 { 0xC0000088, "STATUS_NOT_MAPPED_DATA" },
519 { 0xC0000089, "STATUS_RESOURCE_DATA_NOT_FOUND" },
520 { 0xC000008A, "STATUS_RESOURCE_TYPE_NOT_FOUND" },
521 { 0xC000008B, "STATUS_RESOURCE_NAME_NOT_FOUND" },
522 { 0xC000008C, "STATUS_ARRAY_BOUNDS_EXCEEDED" },
523 { 0xC000008D, "STATUS_FLOAT_DENORMAL_OPERAND" },
524 { 0xC000008E, "STATUS_FLOAT_DIVIDE_BY_ZERO" },
525 { 0xC000008F, "STATUS_FLOAT_INEXACT_RESULT" },
526 { 0xC0000090, "STATUS_FLOAT_INVALID_OPERATION" },
527 { 0xC0000091, "STATUS_FLOAT_OVERFLOW" },
528 { 0xC0000092, "STATUS_FLOAT_STACK_CHECK" },
529 { 0xC0000093, "STATUS_FLOAT_UNDERFLOW" },
530 { 0xC0000094, "STATUS_INTEGER_DIVIDE_BY_ZERO" },
531 { 0xC0000095, "STATUS_INTEGER_OVERFLOW" },
532 { 0xC0000096, "STATUS_PRIVILEGED_INSTRUCTION" },
533 { 0xC0000097, "STATUS_TOO_MANY_PAGING_FILES" },
534 { 0xC0000098, "STATUS_FILE_INVALID" },
535 { 0xC0000099, "STATUS_ALLOTTED_SPACE_EXCEEDED" },
536 { 0xC000009A, "STATUS_INSUFFICIENT_RESOURCES" },
537 { 0xC000009B, "STATUS_DFS_EXIT_PATH_FOUND" },
538 { 0xC000009C, "STATUS_DEVICE_DATA_ERROR" },
539 { 0xC000009D, "STATUS_DEVICE_NOT_CONNECTED" },
540 { 0xC000009E, "STATUS_DEVICE_POWER_FAILURE" },
541 { 0xC000009F, "STATUS_FREE_VM_NOT_AT_BASE" },
542 { 0xC00000A0, "STATUS_MEMORY_NOT_ALLOCATED" },
543 { 0xC00000A1, "STATUS_WORKING_SET_QUOTA" },
544 { 0xC00000A2, "STATUS_MEDIA_WRITE_PROTECTED" },
545 { 0xC00000A3, "STATUS_DEVICE_NOT_READY" },
546 { 0xC00000A4, "STATUS_INVALID_GROUP_ATTRIBUTES" },
547 { 0xC00000A5, "STATUS_BAD_IMPERSONATION_LEVEL" },
548 { 0xC00000A6, "STATUS_CANT_OPEN_ANONYMOUS" },
549 { 0xC00000A7, "STATUS_BAD_VALIDATION_CLASS" },
550 { 0xC00000A8, "STATUS_BAD_TOKEN_TYPE" },
551 { 0xC00000A9, "STATUS_BAD_MASTER_BOOT_RECORD" },
552 { 0xC00000AA, "STATUS_INSTRUCTION_MISALIGNMENT" },
553 { 0xC00000AB, "STATUS_INSTANCE_NOT_AVAILABLE" },
554 { 0xC00000AC, "STATUS_PIPE_NOT_AVAILABLE" },
555 { 0xC00000AD, "STATUS_INVALID_PIPE_STATE" },
556 { 0xC00000AE, "STATUS_PIPE_BUSY" },
557 { 0xC00000AF, "STATUS_ILLEGAL_FUNCTION" },
558 { 0xC00000B0, "STATUS_PIPE_DISCONNECTED" },
559 { 0xC00000B1, "STATUS_PIPE_CLOSING" },
560 { 0xC00000B2, "STATUS_PIPE_CONNECTED" },
561 { 0xC00000B3, "STATUS_PIPE_LISTENING" },
562 { 0xC00000B4, "STATUS_INVALID_READ_MODE" },
563 { 0xC00000B5, "STATUS_IO_TIMEOUT" },
564 { 0xC00000B6, "STATUS_FILE_FORCED_CLOSED" },
565 { 0xC00000B7, "STATUS_PROFILING_NOT_STARTED" },
566 { 0xC00000B8, "STATUS_PROFILING_NOT_STOPPED" },
567 { 0xC00000B9, "STATUS_COULD_NOT_INTERPRET" },
568 { 0xC00000BA, "STATUS_FILE_IS_A_DIRECTORY" },
569 { 0xC00000BB, "STATUS_NOT_SUPPORTED" },
570 { 0xC00000BC, "STATUS_REMOTE_NOT_LISTENING" },
571 { 0xC00000BD, "STATUS_DUPLICATE_NAME" },
572 { 0xC00000BE, "STATUS_BAD_NETWORK_PATH" },
573 { 0xC00000BF, "STATUS_NETWORK_BUSY" },
574 { 0xC00000C0, "STATUS_DEVICE_DOES_NOT_EXIST" },
575 { 0xC00000C1, "STATUS_TOO_MANY_COMMANDS" },
576 { 0xC00000C2, "STATUS_ADAPTER_HARDWARE_ERROR" },
577 { 0xC00000C3, "STATUS_INVALID_NETWORK_RESPONSE" },
578 { 0xC00000C4, "STATUS_UNEXPECTED_NETWORK_ERROR" },
579 { 0xC00000C5, "STATUS_BAD_REMOTE_ADAPTER" },
580 { 0xC00000C6, "STATUS_PRINT_QUEUE_FULL" },
581 { 0xC00000C7, "STATUS_NO_SPOOL_SPACE" },
582 { 0xC00000C8, "STATUS_PRINT_CANCELLED" },
583 { 0xC00000C9, "STATUS_NETWORK_NAME_DELETED" },
584 { 0xC00000CA, "STATUS_NETWORK_ACCESS_DENIED" },
585 { 0xC00000CB, "STATUS_BAD_DEVICE_TYPE" },
586 { 0xC00000CC, "STATUS_BAD_NETWORK_NAME" },
587 { 0xC00000CD, "STATUS_TOO_MANY_NAMES" },
588 { 0xC00000CE, "STATUS_TOO_MANY_SESSIONS" },
589 { 0xC00000CF, "STATUS_SHARING_PAUSED" },
590 { 0xC00000D0, "STATUS_REQUEST_NOT_ACCEPTED" },
591 { 0xC00000D1, "STATUS_REDIRECTOR_PAUSED" },
592 { 0xC00000D2, "STATUS_NET_WRITE_FAULT" },
593 { 0xC00000D3, "STATUS_PROFILING_AT_LIMIT" },
594 { 0xC00000D4, "STATUS_NOT_SAME_DEVICE" },
595 { 0xC00000D5, "STATUS_FILE_RENAMED" },
596 { 0xC00000D6, "STATUS_VIRTUAL_CIRCUIT_CLOSED" },
597 { 0xC00000D7, "STATUS_NO_SECURITY_ON_OBJECT" },
598 { 0xC00000D8, "STATUS_CANT_WAIT" },
599 { 0xC00000D9, "STATUS_PIPE_EMPTY" },
600 { 0xC00000DA, "STATUS_CANT_ACCESS_DOMAIN_INFO" },
601 { 0xC00000DB, "STATUS_CANT_TERMINATE_SELF" },
602 { 0xC00000DC, "STATUS_INVALID_SERVER_STATE" },
603 { 0xC00000DD, "STATUS_INVALID_DOMAIN_STATE" },
604 { 0xC00000DE, "STATUS_INVALID_DOMAIN_ROLE" },
605 { 0xC00000DF, "STATUS_NO_SUCH_DOMAIN" },
606 { 0xC00000E0, "STATUS_DOMAIN_EXISTS" },
607 { 0xC00000E1, "STATUS_DOMAIN_LIMIT_EXCEEDED" },
608 { 0xC00000E2, "STATUS_OPLOCK_NOT_GRANTED" },
609 { 0xC00000E3, "STATUS_INVALID_OPLOCK_PROTOCOL" },
610 { 0xC00000E4, "STATUS_INTERNAL_DB_CORRUPTION" },
611 { 0xC00000E5, "STATUS_INTERNAL_ERROR" },
612 { 0xC00000E6, "STATUS_GENERIC_NOT_MAPPED" },
613 { 0xC00000E7, "STATUS_BAD_DESCRIPTOR_FORMAT" },
614 { 0xC00000E8, "STATUS_INVALID_USER_BUFFER" },
615 { 0xC00000E9, "STATUS_UNEXPECTED_IO_ERROR" },
616 { 0xC00000EA, "STATUS_UNEXPECTED_MM_CREATE_ERR" },
617 { 0xC00000EB, "STATUS_UNEXPECTED_MM_MAP_ERROR" },
618 { 0xC00000EC, "STATUS_UNEXPECTED_MM_EXTEND_ERR" },
619 { 0xC00000ED, "STATUS_NOT_LOGON_PROCESS" },
620 { 0xC00000EE, "STATUS_LOGON_SESSION_EXISTS" },
621 { 0xC00000EF, "STATUS_INVALID_PARAMETER_1" },
622 { 0xC00000F0, "STATUS_INVALID_PARAMETER_2" },
623 { 0xC00000F1, "STATUS_INVALID_PARAMETER_3" },
624 { 0xC00000F2, "STATUS_INVALID_PARAMETER_4" },
625 { 0xC00000F3, "STATUS_INVALID_PARAMETER_5" },
626 { 0xC00000F4, "STATUS_INVALID_PARAMETER_6" },
627 { 0xC00000F5, "STATUS_INVALID_PARAMETER_7" },
628 { 0xC00000F6, "STATUS_INVALID_PARAMETER_8" },
629 { 0xC00000F7, "STATUS_INVALID_PARAMETER_9" },
630 { 0xC00000F8, "STATUS_INVALID_PARAMETER_10" },
631 { 0xC00000F9, "STATUS_INVALID_PARAMETER_11" },
632 { 0xC00000FA, "STATUS_INVALID_PARAMETER_12" },
633 { 0xC00000FB, "STATUS_REDIRECTOR_NOT_STARTED" },
634 { 0xC00000FC, "STATUS_REDIRECTOR_STARTED" },
635 { 0xC00000FD, "STATUS_STACK_OVERFLOW" },
636 { 0xC00000FE, "STATUS_NO_SUCH_PACKAGE" },
637 { 0xC00000FF, "STATUS_BAD_FUNCTION_TABLE" },
638 { 0xC0000100, "STATUS_VARIABLE_NOT_FOUND" },
639 { 0xC0000101, "STATUS_DIRECTORY_NOT_EMPTY" },
640 { 0xC0000102, "STATUS_FILE_CORRUPT_ERROR" },
641 { 0xC0000103, "STATUS_NOT_A_DIRECTORY" },
642 { 0xC0000104, "STATUS_BAD_LOGON_SESSION_STATE" },
643 { 0xC0000105, "STATUS_LOGON_SESSION_COLLISION" },
644 { 0xC0000106, "STATUS_NAME_TOO_LONG" },
645 { 0xC0000107, "STATUS_FILES_OPEN" },
646 { 0xC0000108, "STATUS_CONNECTION_IN_USE" },
647 { 0xC0000109, "STATUS_MESSAGE_NOT_FOUND" },
648 { 0xC000010A, "STATUS_PROCESS_IS_TERMINATING" },
649 { 0xC000010B, "STATUS_INVALID_LOGON_TYPE" },
650 { 0xC000010C, "STATUS_NO_GUID_TRANSLATION" },
651 { 0xC000010D, "STATUS_CANNOT_IMPERSONATE" },
652 { 0xC000010E, "STATUS_IMAGE_ALREADY_LOADED" },
653 { 0xC000010F, "STATUS_ABIOS_NOT_PRESENT" },
654 { 0xC0000110, "STATUS_ABIOS_LID_NOT_EXIST" },
655 { 0xC0000111, "STATUS_ABIOS_LID_ALREADY_OWNED" },
656 { 0xC0000112, "STATUS_ABIOS_NOT_LID_OWNER" },
657 { 0xC0000113, "STATUS_ABIOS_INVALID_COMMAND" },
658 { 0xC0000114, "STATUS_ABIOS_INVALID_LID" },
659 { 0xC0000115, "STATUS_ABIOS_SELECTOR_NOT_AVAILABLE" },
660 { 0xC0000116, "STATUS_ABIOS_INVALID_SELECTOR" },
661 { 0xC0000117, "STATUS_NO_LDT" },
662 { 0xC0000118, "STATUS_INVALID_LDT_SIZE" },
663 { 0xC0000119, "STATUS_INVALID_LDT_OFFSET" },
664 { 0xC000011A, "STATUS_INVALID_LDT_DESCRIPTOR" },
665 { 0xC000011B, "STATUS_INVALID_IMAGE_NE_FORMAT" },
666 { 0xC000011C, "STATUS_RXACT_INVALID_STATE" },
667 { 0xC000011D, "STATUS_RXACT_COMMIT_FAILURE" },
668 { 0xC000011E, "STATUS_MAPPED_FILE_SIZE_ZERO" },
669 { 0xC000011F, "STATUS_TOO_MANY_OPENED_FILES" },
670 { 0xC0000120, "STATUS_CANCELLED" },
671 { 0xC0000121, "STATUS_CANNOT_DELETE" },
672 { 0xC0000122, "STATUS_INVALID_COMPUTER_NAME" },
673 { 0xC0000123, "STATUS_FILE_DELETED" },
674 { 0xC0000124, "STATUS_SPECIAL_ACCOUNT" },
675 { 0xC0000125, "STATUS_SPECIAL_GROUP" },
676 { 0xC0000126, "STATUS_SPECIAL_USER" },
677 { 0xC0000127, "STATUS_MEMBERS_PRIMARY_GROUP" },
678 { 0xC0000128, "STATUS_FILE_CLOSED" },
679 { 0xC0000129, "STATUS_TOO_MANY_THREADS" },
680 { 0xC000012A, "STATUS_THREAD_NOT_IN_PROCESS" },
681 { 0xC000012B, "STATUS_TOKEN_ALREADY_IN_USE" },
682 { 0xC000012C, "STATUS_PAGEFILE_QUOTA_EXCEEDED" },
683 { 0xC000012D, "STATUS_COMMITMENT_LIMIT" },
684 { 0xC000012E, "STATUS_INVALID_IMAGE_LE_FORMAT" },
685 { 0xC000012F, "STATUS_INVALID_IMAGE_NOT_MZ" },
686 { 0xC0000130, "STATUS_INVALID_IMAGE_PROTECT" },
687 { 0xC0000131, "STATUS_INVALID_IMAGE_WIN_16" },
688 { 0xC0000132, "STATUS_LOGON_SERVER_CONFLICT" },
689 { 0xC0000133, "STATUS_TIME_DIFFERENCE_AT_DC" },
690 { 0xC0000134, "STATUS_SYNCHRONIZATION_REQUIRED" },
691 { 0xC0000135, "STATUS_DLL_NOT_FOUND" },
692 { 0xC0000136, "STATUS_OPEN_FAILED" },
693 { 0xC0000137, "STATUS_IO_PRIVILEGE_FAILED" },
694 { 0xC0000138, "STATUS_ORDINAL_NOT_FOUND" },
695 { 0xC0000139, "STATUS_ENTRYPOINT_NOT_FOUND" },
696 { 0xC000013A, "STATUS_CONTROL_C_EXIT" },
697 { 0xC000013B, "STATUS_LOCAL_DISCONNECT" },
698 { 0xC000013C, "STATUS_REMOTE_DISCONNECT" },
699 { 0xC000013D, "STATUS_REMOTE_RESOURCES" },
700 { 0xC000013E, "STATUS_LINK_FAILED" },
701 { 0xC000013F, "STATUS_LINK_TIMEOUT" },
702 { 0xC0000140, "STATUS_INVALID_CONNECTION" },
703 { 0xC0000141, "STATUS_INVALID_ADDRESS" },
704 { 0xC0000142, "STATUS_DLL_INIT_FAILED" },
705 { 0xC0000143, "STATUS_MISSING_SYSTEMFILE" },
706 { 0xC0000144, "STATUS_UNHANDLED_EXCEPTION" },
707 { 0xC0000145, "STATUS_APP_INIT_FAILURE" },
708 { 0xC0000146, "STATUS_PAGEFILE_CREATE_FAILED" },
709 { 0xC0000147, "STATUS_NO_PAGEFILE" },
710 { 0xC0000148, "STATUS_INVALID_LEVEL" },
711 { 0xC0000149, "STATUS_WRONG_PASSWORD_CORE" },
712 { 0xC000014A, "STATUS_ILLEGAL_FLOAT_CONTEXT" },
713 { 0xC000014B, "STATUS_PIPE_BROKEN" },
714 { 0xC000014C, "STATUS_REGISTRY_CORRUPT" },
715 { 0xC000014D, "STATUS_REGISTRY_IO_FAILED" },
716 { 0xC000014E, "STATUS_NO_EVENT_PAIR" },
717 { 0xC000014F, "STATUS_UNRECOGNIZED_VOLUME" },
718 { 0xC0000150, "STATUS_SERIAL_NO_DEVICE_INITED" },
719 { 0xC0000151, "STATUS_NO_SUCH_ALIAS" },
720 { 0xC0000152, "STATUS_MEMBER_NOT_IN_ALIAS" },
721 { 0xC0000153, "STATUS_MEMBER_IN_ALIAS" },
722 { 0xC0000154, "STATUS_ALIAS_EXISTS" },
723 { 0xC0000155, "STATUS_LOGON_NOT_GRANTED" },
724 { 0xC0000156, "STATUS_TOO_MANY_SECRETS" },
725 { 0xC0000157, "STATUS_SECRET_TOO_LONG" },
726 { 0xC0000158, "STATUS_INTERNAL_DB_ERROR" },
727 { 0xC0000159, "STATUS_FULLSCREEN_MODE" },
728 { 0xC000015A, "STATUS_TOO_MANY_CONTEXT_IDS" },
729 { 0xC000015B, "STATUS_LOGON_TYPE_NOT_GRANTED" },
730 { 0xC000015C, "STATUS_NOT_REGISTRY_FILE" },
731 { 0xC000015D, "STATUS_NT_CROSS_ENCRYPTION_REQUIRED" },
732 { 0xC000015E, "STATUS_DOMAIN_CTRLR_CONFIG_ERROR" },
733 { 0xC000015F, "STATUS_FT_MISSING_MEMBER" },
734 { 0xC0000160, "STATUS_ILL_FORMED_SERVICE_ENTRY" },
735 { 0xC0000161, "STATUS_ILLEGAL_CHARACTER" },
736 { 0xC0000162, "STATUS_UNMAPPABLE_CHARACTER" },
737 { 0xC0000163, "STATUS_UNDEFINED_CHARACTER" },
738 { 0xC0000164, "STATUS_FLOPPY_VOLUME" },
739 { 0xC0000165, "STATUS_FLOPPY_ID_MARK_NOT_FOUND" },
740 { 0xC0000166, "STATUS_FLOPPY_WRONG_CYLINDER" },
741 { 0xC0000167, "STATUS_FLOPPY_UNKNOWN_ERROR" },
742 { 0xC0000168, "STATUS_FLOPPY_BAD_REGISTERS" },
743 { 0xC0000169, "STATUS_DISK_RECALIBRATE_FAILED" },
744 { 0xC000016A, "STATUS_DISK_OPERATION_FAILED" },
745 { 0xC000016B, "STATUS_DISK_RESET_FAILED" },
746 { 0xC000016C, "STATUS_SHARED_IRQ_BUSY" },
747 { 0xC000016D, "STATUS_FT_ORPHANING" },
748 { 0xC000016E, "STATUS_BIOS_FAILED_TO_CONNECT_INTERRUPT" },
749 { 0xC0000172, "STATUS_PARTITION_FAILURE" },
750 { 0xC0000173, "STATUS_INVALID_BLOCK_LENGTH" },
751 { 0xC0000174, "STATUS_DEVICE_NOT_PARTITIONED" },
752 { 0xC0000175, "STATUS_UNABLE_TO_LOCK_MEDIA" },
753 { 0xC0000176, "STATUS_UNABLE_TO_UNLOAD_MEDIA" },
754 { 0xC0000177, "STATUS_EOM_OVERFLOW" },
755 { 0xC0000178, "STATUS_NO_MEDIA" },
756 { 0xC000017A, "STATUS_NO_SUCH_MEMBER" },
757 { 0xC000017B, "STATUS_INVALID_MEMBER" },
758 { 0xC000017C, "STATUS_KEY_DELETED" },
759 { 0xC000017D, "STATUS_NO_LOG_SPACE" },
760 { 0xC000017E, "STATUS_TOO_MANY_SIDS" },
761 { 0xC000017F, "STATUS_LM_CROSS_ENCRYPTION_REQUIRED" },
762 { 0xC0000180, "STATUS_KEY_HAS_CHILDREN" },
763 { 0xC0000181, "STATUS_CHILD_MUST_BE_VOLATILE" },
764 { 0xC0000182, "STATUS_DEVICE_CONFIGURATION_ERROR" },
765 { 0xC0000183, "STATUS_DRIVER_INTERNAL_ERROR" },
766 { 0xC0000184, "STATUS_INVALID_DEVICE_STATE" },
767 { 0xC0000185, "STATUS_IO_DEVICE_ERROR" },
768 { 0xC0000186, "STATUS_DEVICE_PROTOCOL_ERROR" },
769 { 0xC0000187, "STATUS_BACKUP_CONTROLLER" },
770 { 0xC0000188, "STATUS_LOG_FILE_FULL" },
771 { 0xC0000189, "STATUS_TOO_LATE" },
772 { 0xC000018A, "STATUS_NO_TRUST_LSA_SECRET" },
773 { 0xC000018B, "STATUS_NO_TRUST_SAM_ACCOUNT" },
774 { 0xC000018C, "STATUS_TRUSTED_DOMAIN_FAILURE" },
775 { 0xC000018D, "STATUS_TRUSTED_RELATIONSHIP_FAILURE" },
776 { 0xC000018E, "STATUS_EVENTLOG_FILE_CORRUPT" },
777 { 0xC000018F, "STATUS_EVENTLOG_CANT_START" },
778 { 0xC0000190, "STATUS_TRUST_FAILURE" },
779 { 0xC0000191, "STATUS_MUTANT_LIMIT_EXCEEDED" },
780 { 0xC0000192, "STATUS_NETLOGON_NOT_STARTED" },
781 { 0xC0000193, "STATUS_ACCOUNT_EXPIRED" },
782 { 0xC0000194, "STATUS_POSSIBLE_DEADLOCK" },
783 { 0xC0000195, "STATUS_NETWORK_CREDENTIAL_CONFLICT" },
784 { 0xC0000196, "STATUS_REMOTE_SESSION_LIMIT" },
785 { 0xC0000197, "STATUS_EVENTLOG_FILE_CHANGED" },
786 { 0xC0000198, "STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT" },
787 { 0xC0000199, "STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT" },
788 { 0xC000019A, "STATUS_NOLOGON_SERVER_TRUST_ACCOUNT" },
789 { 0xC000019B, "STATUS_DOMAIN_TRUST_INCONSISTENT" },
790 { 0xC000019C, "STATUS_FS_DRIVER_REQUIRED" },
791 { 0xC0000202, "STATUS_NO_USER_SESSION_KEY" },
792 { 0xC0000203, "STATUS_USER_SESSION_DELETED" },
793 { 0xC0000204, "STATUS_RESOURCE_LANG_NOT_FOUND" },
794 { 0xC0000205, "STATUS_INSUFF_SERVER_RESOURCES" },
795 { 0xC0000206, "STATUS_INVALID_BUFFER_SIZE" },
796 { 0xC0000207, "STATUS_INVALID_ADDRESS_COMPONENT" },
797 { 0xC0000208, "STATUS_INVALID_ADDRESS_WILDCARD" },
798 { 0xC0000209, "STATUS_TOO_MANY_ADDRESSES" },
799 { 0xC000020A, "STATUS_ADDRESS_ALREADY_EXISTS" },
800 { 0xC000020B, "STATUS_ADDRESS_CLOSED" },
801 { 0xC000020C, "STATUS_CONNECTION_DISCONNECTED" },
802 { 0xC000020D, "STATUS_CONNECTION_RESET" },
803 { 0xC000020E, "STATUS_TOO_MANY_NODES" },
804 { 0xC000020F, "STATUS_TRANSACTION_ABORTED" },
805 { 0xC0000210, "STATUS_TRANSACTION_TIMED_OUT" },
806 { 0xC0000211, "STATUS_TRANSACTION_NO_RELEASE" },
807 { 0xC0000212, "STATUS_TRANSACTION_NO_MATCH" },
808 { 0xC0000213, "STATUS_TRANSACTION_RESPONDED" },
809 { 0xC0000214, "STATUS_TRANSACTION_INVALID_ID" },
810 { 0xC0000215, "STATUS_TRANSACTION_INVALID_TYPE" },
811 { 0xC0000216, "STATUS_NOT_SERVER_SESSION" },
812 { 0xC0000217, "STATUS_NOT_CLIENT_SESSION" },
813 { 0xC0000218, "STATUS_CANNOT_LOAD_REGISTRY_FILE" },
814 { 0xC0000219, "STATUS_DEBUG_ATTACH_FAILED" },
815 { 0xC000021A, "STATUS_SYSTEM_PROCESS_TERMINATED" },
816 { 0xC000021B, "STATUS_DATA_NOT_ACCEPTED" },
817 { 0xC000021C, "STATUS_NO_BROWSER_SERVERS_FOUND" },
818 { 0xC000021D, "STATUS_VDM_HARD_ERROR" },
819 { 0xC000021E, "STATUS_DRIVER_CANCEL_TIMEOUT" },
820 { 0xC000021F, "STATUS_REPLY_MESSAGE_MISMATCH" },
821 { 0xC0000220, "STATUS_MAPPED_ALIGNMENT" },
822 { 0xC0000221, "STATUS_IMAGE_CHECKSUM_MISMATCH" },
823 { 0xC0000222, "STATUS_LOST_WRITEBEHIND_DATA" },
824 { 0xC0000223, "STATUS_CLIENT_SERVER_PARAMETERS_INVALID" },
825 { 0xC0000224, "STATUS_PASSWORD_MUST_CHANGE" },
826 { 0xC0000225, "STATUS_NOT_FOUND" },
827 { 0xC0000226, "STATUS_NOT_TINY_STREAM" },
828 { 0xC0000227, "STATUS_RECOVERY_FAILURE" },
829 { 0xC0000228, "STATUS_STACK_OVERFLOW_READ" },
830 { 0xC0000229, "STATUS_FAIL_CHECK" },
831 { 0xC000022A, "STATUS_DUPLICATE_OBJECTID" },
832 { 0xC000022B, "STATUS_OBJECTID_EXISTS" },
833 { 0xC000022C, "STATUS_CONVERT_TO_LARGE" },
834 { 0xC000022D, "STATUS_RETRY" },
835 { 0xC000022E, "STATUS_FOUND_OUT_OF_SCOPE" },
836 { 0xC000022F, "STATUS_ALLOCATE_BUCKET" },
837 { 0xC0000230, "STATUS_PROPSET_NOT_FOUND" },
838 { 0xC0000231, "STATUS_MARSHALL_OVERFLOW" },
839 { 0xC0000232, "STATUS_INVALID_VARIANT" },
840 { 0xC0000233, "STATUS_DOMAIN_CONTROLLER_NOT_FOUND" },
841 { 0xC0000234, "STATUS_ACCOUNT_LOCKED_OUT" },
842 { 0xC0000235, "STATUS_HANDLE_NOT_CLOSABLE" },
843 { 0xC0000236, "STATUS_CONNECTION_REFUSED" },
844 { 0xC0000237, "STATUS_GRACEFUL_DISCONNECT" },
845 { 0xC0000238, "STATUS_ADDRESS_ALREADY_ASSOCIATED" },
846 { 0xC0000239, "STATUS_ADDRESS_NOT_ASSOCIATED" },
847 { 0xC000023A, "STATUS_CONNECTION_INVALID" },
848 { 0xC000023B, "STATUS_CONNECTION_ACTIVE" },
849 { 0xC000023C, "STATUS_NETWORK_UNREACHABLE" },
850 { 0xC000023D, "STATUS_HOST_UNREACHABLE" },
851 { 0xC000023E, "STATUS_PROTOCOL_UNREACHABLE" },
852 { 0xC000023F, "STATUS_PORT_UNREACHABLE" },
853 { 0xC0000240, "STATUS_REQUEST_ABORTED" },
854 { 0xC0000241, "STATUS_CONNECTION_ABORTED" },
855 { 0xC0000242, "STATUS_BAD_COMPRESSION_BUFFER" },
856 { 0xC0000243, "STATUS_USER_MAPPED_FILE" },
857 { 0xC0000244, "STATUS_AUDIT_FAILED" },
858 { 0xC0000245, "STATUS_TIMER_RESOLUTION_NOT_SET" },
859 { 0xC0000246, "STATUS_CONNECTION_COUNT_LIMIT" },
860 { 0xC0000247, "STATUS_LOGIN_TIME_RESTRICTION" },
861 { 0xC0000248, "STATUS_LOGIN_WKSTA_RESTRICTION" },
862 { 0xC0000249, "STATUS_IMAGE_MP_UP_MISMATCH" },
863 { 0xC0000250, "STATUS_INSUFFICIENT_LOGON_INFO" },
864 { 0xC0000251, "STATUS_BAD_DLL_ENTRYPOINT" },
865 { 0xC0000252, "STATUS_BAD_SERVICE_ENTRYPOINT" },
866 { 0xC0000253, "STATUS_LPC_REPLY_LOST" },
867 { 0xC0000254, "STATUS_IP_ADDRESS_CONFLICT1" },
868 { 0xC0000255, "STATUS_IP_ADDRESS_CONFLICT2" },
869 { 0xC0000256, "STATUS_REGISTRY_QUOTA_LIMIT" },
870 { 0xC0000257, "STATUS_PATH_NOT_COVERED" },
871 { 0xC0000258, "STATUS_NO_CALLBACK_ACTIVE" },
872 { 0xC0000259, "STATUS_LICENSE_QUOTA_EXCEEDED" },
873 { 0xC000025A, "STATUS_PWD_TOO_SHORT" },
874 { 0xC000025B, "STATUS_PWD_TOO_RECENT" },
875 { 0xC000025C, "STATUS_PWD_HISTORY_CONFLICT" },
876 { 0xC000025E, "STATUS_PLUGPLAY_NO_DEVICE" },
877 { 0xC000025F, "STATUS_UNSUPPORTED_COMPRESSION" },
878 { 0xC0000260, "STATUS_INVALID_HW_PROFILE" },
879 { 0xC0000261, "STATUS_INVALID_PLUGPLAY_DEVICE_PATH" },
880 { 0xC0000262, "STATUS_DRIVER_ORDINAL_NOT_FOUND" },
881 { 0xC0000263, "STATUS_DRIVER_ENTRYPOINT_NOT_FOUND" },
882 { 0xC0000264, "STATUS_RESOURCE_NOT_OWNED" },
883 { 0xC0000265, "STATUS_TOO_MANY_LINKS" },
884 { 0xC0000266, "STATUS_QUOTA_LIST_INCONSISTENT" },
885 { 0xC0000267, "STATUS_FILE_IS_OFFLINE" },
886 { 0xC0000268, "STATUS_EVALUATION_EXPIRATION" },
887 { 0xC0000269, "STATUS_ILLEGAL_DLL_RELOCATION" },
888 { 0xC000026A, "STATUS_LICENSE_VIOLATION" },
889 { 0xC000026B, "STATUS_DLL_INIT_FAILED_LOGOFF" },
890 { 0xC000026C, "STATUS_DRIVER_UNABLE_TO_LOAD" },
891 { 0xC000026D, "STATUS_DFS_UNAVAILABLE" },
892 { 0xC000026E, "STATUS_VOLUME_DISMOUNTED" },
893 { 0xC000026F, "STATUS_WX86_INTERNAL_ERROR" },
894 { 0xC0000270, "STATUS_WX86_FLOAT_STACK_CHECK" },
895 { 0xC0000271, "STATUS_VALIDATE_CONTINUE" },
896 { 0xC0000272, "STATUS_NO_MATCH" },
897 { 0xC0000273, "STATUS_NO_MORE_MATCHES" },
898 { 0xC0000275, "STATUS_NOT_A_REPARSE_POINT" },
899 { 0xC0000276, "STATUS_IO_REPARSE_TAG_INVALID" },
900 { 0xC0000277, "STATUS_IO_REPARSE_TAG_MISMATCH" },
901 { 0xC0000278, "STATUS_IO_REPARSE_DATA_INVALID" },
902 { 0xC0000279, "STATUS_IO_REPARSE_TAG_NOT_HANDLED" },
903 { 0xC0000280, "STATUS_REPARSE_POINT_NOT_RESOLVED" },
904 { 0xC0000281, "STATUS_DIRECTORY_IS_A_REPARSE_POINT" },
905 { 0xC0000282, "STATUS_RANGE_LIST_CONFLICT" },
906 { 0xC0000283, "STATUS_SOURCE_ELEMENT_EMPTY" },
907 { 0xC0000284, "STATUS_DESTINATION_ELEMENT_FULL" },
908 { 0xC0000285, "STATUS_ILLEGAL_ELEMENT_ADDRESS" },
909 { 0xC0000286, "STATUS_MAGAZINE_NOT_PRESENT" },
910 { 0xC0000287, "STATUS_REINITIALIZATION_NEEDED" },
911 { 0x80000288, "STATUS_DEVICE_REQUIRES_CLEANING" },
912 { 0x80000289, "STATUS_DEVICE_DOOR_OPEN" },
913 { 0xC000028A, "STATUS_ENCRYPTION_FAILED" },
914 { 0xC000028B, "STATUS_DECRYPTION_FAILED" },
915 { 0xC000028C, "STATUS_RANGE_NOT_FOUND" },
916 { 0xC000028D, "STATUS_NO_RECOVERY_POLICY" },
917 { 0xC000028E, "STATUS_NO_EFS" },
918 { 0xC000028F, "STATUS_WRONG_EFS" },
919 { 0xC0000290, "STATUS_NO_USER_KEYS" },
920 { 0xC0000291, "STATUS_FILE_NOT_ENCRYPTED" },
921 { 0xC0000292, "STATUS_NOT_EXPORT_FORMAT" },
922 { 0xC0000293, "STATUS_FILE_ENCRYPTED" },
923 { 0x40000294, "STATUS_WAKE_SYSTEM" },
924 { 0xC0000295, "STATUS_WMI_GUID_NOT_FOUND" },
925 { 0xC0000296, "STATUS_WMI_INSTANCE_NOT_FOUND" },
926 { 0xC0000297, "STATUS_WMI_ITEMID_NOT_FOUND" },
927 { 0xC0000298, "STATUS_WMI_TRY_AGAIN" },
928 { 0xC0000299, "STATUS_SHARED_POLICY" },
929 { 0xC000029A, "STATUS_POLICY_OBJECT_NOT_FOUND" },
930 { 0xC000029B, "STATUS_POLICY_ONLY_IN_DS" },
931 { 0xC000029C, "STATUS_VOLUME_NOT_UPGRADED" },
932 { 0xC000029D, "STATUS_REMOTE_STORAGE_NOT_ACTIVE" },
933 { 0xC000029E, "STATUS_REMOTE_STORAGE_MEDIA_ERROR" },
934 { 0xC000029F, "STATUS_NO_TRACKING_SERVICE" },
935 { 0xC00002A0, "STATUS_SERVER_SID_MISMATCH" },
936 { 0xC00002A1, "STATUS_DS_NO_ATTRIBUTE_OR_VALUE" },
937 { 0xC00002A2, "STATUS_DS_INVALID_ATTRIBUTE_SYNTAX" },
938 { 0xC00002A3, "STATUS_DS_ATTRIBUTE_TYPE_UNDEFINED" },
939 { 0xC00002A4, "STATUS_DS_ATTRIBUTE_OR_VALUE_EXISTS" },
940 { 0xC00002A5, "STATUS_DS_BUSY" },
941 { 0xC00002A6, "STATUS_DS_UNAVAILABLE" },
942 { 0xC00002A7, "STATUS_DS_NO_RIDS_ALLOCATED" },
943 { 0xC00002A8, "STATUS_DS_NO_MORE_RIDS" },
944 { 0xC00002A9, "STATUS_DS_INCORRECT_ROLE_OWNER" },
945 { 0xC00002AA, "STATUS_DS_RIDMGR_INIT_ERROR" },
946 { 0xC00002AB, "STATUS_DS_OBJ_CLASS_VIOLATION" },
947 { 0xC00002AC, "STATUS_DS_CANT_ON_NON_LEAF" },
948 { 0xC00002AD, "STATUS_DS_CANT_ON_RDN" },
949 { 0xC00002AE, "STATUS_DS_CANT_MOD_OBJ_CLASS" },
950 { 0xC00002AF, "STATUS_DS_CROSS_DOM_MOVE_FAILED" },
951 { 0xC00002B0, "STATUS_DS_GC_NOT_AVAILABLE" },
952 { 0xC00002B1, "STATUS_DIRECTORY_SERVICE_REQUIRED" },
953 { 0xC00002B2, "STATUS_REPARSE_ATTRIBUTE_CONFLICT" },
954 { 0xC00002B3, "STATUS_CANT_ENABLE_DENY_ONLY" },
955 { 0xC00002B4, "STATUS_FLOAT_MULTIPLE_FAULTS" },
956 { 0xC00002B5, "STATUS_FLOAT_MULTIPLE_TRAPS" },
957 { 0xC00002B6, "STATUS_DEVICE_REMOVED" },
958 { 0xC00002B7, "STATUS_JOURNAL_DELETE_IN_PROGRESS" },
959 { 0xC00002B8, "STATUS_JOURNAL_NOT_ACTIVE" },
960 { 0xC00002B9, "STATUS_NOINTERFACE" },
961 { 0xC00002C1, "STATUS_DS_ADMIN_LIMIT_EXCEEDED" },
962 { 0xC00002C2, "STATUS_DRIVER_FAILED_SLEEP" },
963 { 0xC00002C3, "STATUS_MUTUAL_AUTHENTICATION_FAILED" },
964 { 0xC00002C4, "STATUS_CORRUPT_SYSTEM_FILE" },
965 { 0xC00002C5, "STATUS_DATATYPE_MISALIGNMENT_ERROR" },
966 { 0xC00002C6, "STATUS_WMI_READ_ONLY" },
967 { 0xC00002C7, "STATUS_WMI_SET_FAILURE" },
968 { 0xC00002C8, "STATUS_COMMITMENT_MINIMUM" },
969 { 0xC00002C9, "STATUS_REG_NAT_CONSUMPTION" },
970 { 0xC00002CA, "STATUS_TRANSPORT_FULL" },
971 { 0xC00002CB, "STATUS_DS_SAM_INIT_FAILURE" },
972 { 0xC00002CC, "STATUS_ONLY_IF_CONNECTED" },
973 { 0xC00002CD, "STATUS_DS_SENSITIVE_GROUP_VIOLATION" },
974 { 0xC00002CE, "STATUS_PNP_RESTART_ENUMERATION" },
975 { 0xC00002CF, "STATUS_JOURNAL_ENTRY_DELETED" },
976 { 0xC00002D0, "STATUS_DS_CANT_MOD_PRIMARYGROUPID" },
977 { 0xC00002D1, "STATUS_SYSTEM_IMAGE_BAD_SIGNATURE" },
978 { 0xC00002D2, "STATUS_PNP_REBOOT_REQUIRED" },
979 { 0xC00002D3, "STATUS_POWER_STATE_INVALID" },
980 { 0xC00002D4, "STATUS_DS_INVALID_GROUP_TYPE" },
981 { 0xC00002D5, "STATUS_DS_NO_NEST_GLOBALGROUP_IN_MIXEDDOMAIN" },
982 { 0xC00002D6, "STATUS_DS_NO_NEST_LOCALGROUP_IN_MIXEDDOMAIN" },
983 { 0xC00002D7, "STATUS_DS_GLOBAL_CANT_HAVE_LOCAL_MEMBER" },
984 { 0xC00002D8, "STATUS_DS_GLOBAL_CANT_HAVE_UNIVERSAL_MEMBER" },
985 { 0xC00002D9, "STATUS_DS_UNIVERSAL_CANT_HAVE_LOCAL_MEMBER" },
986 { 0xC00002DA, "STATUS_DS_GLOBAL_CANT_HAVE_CROSSDOMAIN_MEMBER" },
987 { 0xC00002DB, "STATUS_DS_LOCAL_CANT_HAVE_CROSSDOMAIN_LOCAL_MEMBER" },
988 { 0xC00002DC, "STATUS_DS_HAVE_PRIMARY_MEMBERS" },
989 { 0xC00002DD, "STATUS_WMI_NOT_SUPPORTED" },
990 { 0xC00002DE, "STATUS_INSUFFICIENT_POWER" },
991 { 0xC00002DF, "STATUS_SAM_NEED_BOOTKEY_PASSWORD" },
992 { 0xC00002E0, "STATUS_SAM_NEED_BOOTKEY_FLOPPY" },
993 { 0xC00002E1, "STATUS_DS_CANT_START" },
994 { 0xC00002E2, "STATUS_DS_INIT_FAILURE" },
995 { 0xC00002E3, "STATUS_SAM_INIT_FAILURE" },
996 { 0xC00002E4, "STATUS_DS_GC_REQUIRED" },
997 { 0xC00002E5, "STATUS_DS_LOCAL_MEMBER_OF_LOCAL_ONLY" },
998 { 0xC00002E6, "STATUS_DS_NO_FPO_IN_UNIVERSAL_GROUPS" },
999 { 0xC00002E7, "STATUS_DS_MACHINE_ACCOUNT_QUOTA_EXCEEDED" },
1000 { 0xC00002E8, "STATUS_MULTIPLE_FAULT_VIOLATION" },
1001 { 0xC0000300, "STATUS_NOT_SUPPORTED_ON_SBS" },
1002 { 0xC000035C, "STATUS_NETWORK_SESSION_EXPIRED" },
1003 { 0xC0009898, "STATUS_WOW_ASSERTION" },
1004 { 0xC0020001, "RPC_NT_INVALID_STRING_BINDING" },
1005 { 0xC0020002, "RPC_NT_WRONG_KIND_OF_BINDING" },
1006 { 0xC0020003, "RPC_NT_INVALID_BINDING" },
1007 { 0xC0020004, "RPC_NT_PROTSEQ_NOT_SUPPORTED" },
1008 { 0xC0020005, "RPC_NT_INVALID_RPC_PROTSEQ" },
1009 { 0xC0020006, "RPC_NT_INVALID_STRING_UUID" },
1010 { 0xC0020007, "RPC_NT_INVALID_ENDPOINT_FORMAT" },
1011 { 0xC0020008, "RPC_NT_INVALID_NET_ADDR" },
1012 { 0xC0020009, "RPC_NT_NO_ENDPOINT_FOUND" },
1013 { 0xC002000A, "RPC_NT_INVALID_TIMEOUT" },
1014 { 0xC002000B, "RPC_NT_OBJECT_NOT_FOUND" },
1015 { 0xC002000C, "RPC_NT_ALREADY_REGISTERED" },
1016 { 0xC002000D, "RPC_NT_TYPE_ALREADY_REGISTERED" },
1017 { 0xC002000E, "RPC_NT_ALREADY_LISTENING" },
1018 { 0xC002000F, "RPC_NT_NO_PROTSEQS_REGISTERED" },
1019 { 0xC0020010, "RPC_NT_NOT_LISTENING" },
1020 { 0xC0020011, "RPC_NT_UNKNOWN_MGR_TYPE" },
1021 { 0xC0020012, "RPC_NT_UNKNOWN_IF" },
1022 { 0xC0020013, "RPC_NT_NO_BINDINGS" },
1023 { 0xC0020014, "RPC_NT_NO_PROTSEQS" },
1024 { 0xC0020015, "RPC_NT_CANT_CREATE_ENDPOINT" },
1025 { 0xC0020016, "RPC_NT_OUT_OF_RESOURCES" },
1026 { 0xC0020017, "RPC_NT_SERVER_UNAVAILABLE" },
1027 { 0xC0020018, "RPC_NT_SERVER_TOO_BUSY" },
1028 { 0xC0020019, "RPC_NT_INVALID_NETWORK_OPTIONS" },
1029 { 0xC002001A, "RPC_NT_NO_CALL_ACTIVE" },
1030 { 0xC002001B, "RPC_NT_CALL_FAILED" },
1031 { 0xC002001C, "RPC_NT_CALL_FAILED_DNE" },
1032 { 0xC002001D, "RPC_NT_PROTOCOL_ERROR" },
1033 { 0xC002001F, "RPC_NT_UNSUPPORTED_TRANS_SYN" },
1034 { 0xC0020021, "RPC_NT_UNSUPPORTED_TYPE" },
1035 { 0xC0020022, "RPC_NT_INVALID_TAG" },
1036 { 0xC0020023, "RPC_NT_INVALID_BOUND" },
1037 { 0xC0020024, "RPC_NT_NO_ENTRY_NAME" },
1038 { 0xC0020025, "RPC_NT_INVALID_NAME_SYNTAX" },
1039 { 0xC0020026, "RPC_NT_UNSUPPORTED_NAME_SYNTAX" },
1040 { 0xC0020028, "RPC_NT_UUID_NO_ADDRESS" },
1041 { 0xC0020029, "RPC_NT_DUPLICATE_ENDPOINT" },
1042 { 0xC002002A, "RPC_NT_UNKNOWN_AUTHN_TYPE" },
1043 { 0xC002002B, "RPC_NT_MAX_CALLS_TOO_SMALL" },
1044 { 0xC002002C, "RPC_NT_STRING_TOO_LONG" },
1045 { 0xC002002D, "RPC_NT_PROTSEQ_NOT_FOUND" },
1046 { 0xC002002E, "RPC_NT_PROCNUM_OUT_OF_RANGE" },
1047 { 0xC002002F, "RPC_NT_BINDING_HAS_NO_AUTH" },
1048 { 0xC0020030, "RPC_NT_UNKNOWN_AUTHN_SERVICE" },
1049 { 0xC0020031, "RPC_NT_UNKNOWN_AUTHN_LEVEL" },
1050 { 0xC0020032, "RPC_NT_INVALID_AUTH_IDENTITY" },
1051 { 0xC0020033, "RPC_NT_UNKNOWN_AUTHZ_SERVICE" },
1052 { 0xC0020034, "EPT_NT_INVALID_ENTRY" },
1053 { 0xC0020035, "EPT_NT_CANT_PERFORM_OP" },
1054 { 0xC0020036, "EPT_NT_NOT_REGISTERED" },
1055 { 0xC0020037, "RPC_NT_NOTHING_TO_EXPORT" },
1056 { 0xC0020038, "RPC_NT_INCOMPLETE_NAME" },
1057 { 0xC0020039, "RPC_NT_INVALID_VERS_OPTION" },
1058 { 0xC002003A, "RPC_NT_NO_MORE_MEMBERS" },
1059 { 0xC002003B, "RPC_NT_NOT_ALL_OBJS_UNEXPORTED" },
1060 { 0xC002003C, "RPC_NT_INTERFACE_NOT_FOUND" },
1061 { 0xC002003D, "RPC_NT_ENTRY_ALREADY_EXISTS" },
1062 { 0xC002003E, "RPC_NT_ENTRY_NOT_FOUND" },
1063 { 0xC002003F, "RPC_NT_NAME_SERVICE_UNAVAILABLE" },
1064 { 0xC0020040, "RPC_NT_INVALID_NAF_ID" },
1065 { 0xC0020041, "RPC_NT_CANNOT_SUPPORT" },
1066 { 0xC0020042, "RPC_NT_NO_CONTEXT_AVAILABLE" },
1067 { 0xC0020043, "RPC_NT_INTERNAL_ERROR" },
1068 { 0xC0020044, "RPC_NT_ZERO_DIVIDE" },
1069 { 0xC0020045, "RPC_NT_ADDRESS_ERROR" },
1070 { 0xC0020046, "RPC_NT_FP_DIV_ZERO" },
1071 { 0xC0020047, "RPC_NT_FP_UNDERFLOW" },
1072 { 0xC0020048, "RPC_NT_FP_OVERFLOW" },
1073 { 0xC0021007, "RPC_P_RECEIVE_ALERTED" },
1074 { 0xC0021008, "RPC_P_CONNECTION_CLOSED" },
1075 { 0xC0021009, "RPC_P_RECEIVE_FAILED" },
1076 { 0xC002100A, "RPC_P_SEND_FAILED" },
1077 { 0xC002100B, "RPC_P_TIMEOUT" },
1078 { 0xC002100C, "RPC_P_SERVER_TRANSPORT_ERROR" },
1079 { 0xC002100E, "RPC_P_EXCEPTION_OCCURED" },
1080 { 0xC0021012, "RPC_P_CONNECTION_SHUTDOWN" },
1081 { 0xC0021015, "RPC_P_THREAD_LISTENING" },
1082 { 0xC0030001, "RPC_NT_NO_MORE_ENTRIES" },
1083 { 0xC0030002, "RPC_NT_SS_CHAR_TRANS_OPEN_FAIL" },
1084 { 0xC0030003, "RPC_NT_SS_CHAR_TRANS_SHORT_FILE" },
1085 { 0xC0030004, "RPC_NT_SS_IN_NULL_CONTEXT" },
1086 { 0xC0030005, "RPC_NT_SS_CONTEXT_MISMATCH" },
1087 { 0xC0030006, "RPC_NT_SS_CONTEXT_DAMAGED" },
1088 { 0xC0030007, "RPC_NT_SS_HANDLES_MISMATCH" },
1089 { 0xC0030008, "RPC_NT_SS_CANNOT_GET_CALL_HANDLE" },
1090 { 0xC0030009, "RPC_NT_NULL_REF_POINTER" },
1091 { 0xC003000A, "RPC_NT_ENUM_VALUE_OUT_OF_RANGE" },
1092 { 0xC003000B, "RPC_NT_BYTE_COUNT_TOO_SMALL" },
1093 { 0xC003000C, "RPC_NT_BAD_STUB_DATA" },
1094 { 0xC0020049, "RPC_NT_CALL_IN_PROGRESS" },
1095 { 0xC002004A, "RPC_NT_NO_MORE_BINDINGS" },
1096 { 0xC002004B, "RPC_NT_GROUP_MEMBER_NOT_FOUND" },
1097 { 0xC002004C, "EPT_NT_CANT_CREATE" },
1098 { 0xC002004D, "RPC_NT_INVALID_OBJECT" },
1099 { 0xC002004F, "RPC_NT_NO_INTERFACES" },
1100 { 0xC0020050, "RPC_NT_CALL_CANCELLED" },
1101 { 0xC0020051, "RPC_NT_BINDING_INCOMPLETE" },
1102 { 0xC0020052, "RPC_NT_COMM_FAILURE" },
1103 { 0xC0020053, "RPC_NT_UNSUPPORTED_AUTHN_LEVEL" },
1104 { 0xC0020054, "RPC_NT_NO_PRINC_NAME" },
1105 { 0xC0020055, "RPC_NT_NOT_RPC_ERROR" },
1106 { 0x40020056, "RPC_NT_UUID_LOCAL_ONLY" },
1107 { 0xC0020057, "RPC_NT_SEC_PKG_ERROR" },
1108 { 0xC0020058, "RPC_NT_NOT_CANCELLED" },
1109 { 0xC0030059, "RPC_NT_INVALID_ES_ACTION" },
1110 { 0xC003005A, "RPC_NT_WRONG_ES_VERSION" },
1111 { 0xC003005B, "RPC_NT_WRONG_STUB_VERSION" },
1112 { 0xC003005C, "RPC_NT_INVALID_PIPE_OBJECT" },
1113 { 0xC003005D, "RPC_NT_INVALID_PIPE_OPERATION" },
1114 { 0xC003005E, "RPC_NT_WRONG_PIPE_VERSION" },
1115 { 0x400200AF, "RPC_NT_SEND_INCOMPLETE" },
1116 { 0, NULL }
1117 };
1118
1119 /* These are the MS country codes from
1120
1121 http://www.unicode.org/unicode/onlinedat/countries.html
1122
1123 For countries that share the same number, I choose to use only the
1124 name of the largest country. Apologies for this. If this offends you,
1125 here is the table to change that.
1126
1127 This also includes the code of 0 for "Default", which isn't in
1128 that list, but is in Microsoft's SDKs and the Cygnus "winnls.h"
1129 header file. Presumably it means "don't override the setting
1130 on the user's machine".
1131
1132 Future versions of Microsoft's "winnls.h" header file might include
1133 additional codes; the current version matches the Unicode Consortium's
1134 table.
1135 */
1136 const value_string ms_country_codes[] = {
1137 { 0, "Default"},
1138 { 1, "USA"},
1139 { 2, "Canada"},
1140 { 7, "Russia"},
1141 { 20, "Egypt"},
1142 { 27, "South Africa"},
1143 { 30, "Greece"},
1144 { 31, "Netherlands"},
1145 { 32, "Belgium"},
1146 { 33, "France"},
1147 { 34, "Spain"},
1148 { 36, "Hungary"},
1149 { 39, "Italy"},
1150 { 40, "Romania"},
1151 { 41, "Switzerland"},
1152 { 43, "Austria"},
1153 { 44, "United Kingdom"},
1154 { 45, "Denmark"},
1155 { 46, "Sweden"},
1156 { 47, "Norway"},
1157 { 48, "Poland"},
1158 { 49, "Germany"},
1159 { 51, "Peru"},
1160 { 52, "Mexico"},
1161 { 54, "Argentina"},
1162 { 55, "Brazil"},
1163 { 56, "Chile"},
1164 { 57, "Colombia"},
1165 { 58, "Venezuela"},
1166 { 60, "Malaysia"},
1167 { 61, "Australia"},
1168 { 62, "Indonesia"},
1169 { 63, "Philippines"},
1170 { 64, "New Zealand"},
1171 { 65, "Singapore"},
1172 { 66, "Thailand"},
1173 { 81, "Japan"},
1174 { 82, "South Korea"},
1175 { 84, "Viet Nam"},
1176 { 86, "China"},
1177 { 90, "Turkey"},
1178 { 91, "India"},
1179 { 92, "Pakistan"},
1180 {212, "Morocco"},
1181 {213, "Algeria"},
1182 {216, "Tunisia"},
1183 {218, "Libya"},
1184 {254, "Kenya"},
1185 {263, "Zimbabwe"},
1186 {298, "Faroe Islands"},
1187 {351, "Portugal"},
1188 {352, "Luxembourg"},
1189 {353, "Ireland"},
1190 {354, "Iceland"},
1191 {355, "Albania"},
1192 {358, "Finland"},
1193 {359, "Bulgaria"},
1194 {370, "Lithuania"},
1195 {371, "Latvia"},
1196 {372, "Estonia"},
1197 {374, "Armenia"},
1198 {375, "Belarus"},
1199 {380, "Ukraine"},
1200 {381, "Serbia"},
1201 {385, "Croatia"},
1202 {386, "Slovenia"},
1203 {389, "Macedonia"},
1204 {420, "Czech Republic"},
1205 {421, "Slovak Republic"},
1206 {501, "Belize"},
1207 {502, "Guatemala"},
1208 {503, "El Salvador"},
1209 {504, "Honduras"},
1210 {505, "Nicaragua"},
1211 {506, "Costa Rica"},
1212 {507, "Panama"},
1213 {591, "Bolivia"},
1214 {593, "Ecuador"},
1215 {595, "Paraguay"},
1216 {598, "Uruguay"},
1217 {673, "Brunei Darussalam"},
1218 {852, "Hong Kong"},
1219 {853, "Macau"},
1220 {886, "Taiwan"},
1221 {960, "Maldives"},
1222 {961, "Lebanon"},
1223 {962, "Jordan"},
1224 {963, "Syria"},
1225 {964, "Iraq"},
1226 {965, "Kuwait"},
1227 {966, "Saudi Arabia"},
1228 {967, "Yemen"},
1229 {968, "Oman"},
1230 {971, "United Arab Emirates"},
1231 {972, "Israel"},
1232 {973, "Bahrain"},
1233 {974, "Qatar"},
1234 {976, "Mongolia"},
1235 {981, "Iran"},
1236 {994, "Azerbaijan"},
1237 {995, "Georgia"},
1238 {996, "Kyrgyzstan"},
1239
1240 {0, NULL}
1241 };
1242
1243 /*module_t* module;*/
1244 /*pref_t* sid_display_hex;*/
1245
1246 #ifndef TIME_T_MIN
1247 #define TIME_T_MIN ((time_t) ((time_t)0 < (time_t) -1 ? (time_t) 0 \
1248 : ~ (time_t) 0 << (sizeof (time_t) * CHAR_BIT - 1)))
1249 #endif
1250 #ifndef TIME_T_MAX
1251 #define TIME_T_MAX ((time_t) (~ (time_t) 0 - TIME_T_MIN))
1252 #endif
1253
1254 /*
1255 * Number of seconds between the UN*X epoch (January 1, 1970, 00:00:00 GMT)
1256 * and the Windows NT epoch (January 1, 1601, 00:00:00 "GMT").
1257 */
1258 #define TIME_FIXUP_CONSTANT G_GINT64_CONSTANT(11644473600U)
1259
1260 /*
1261 * Translate an 8-byte FILETIME value, given as the upper and lower 32 bits,
1262 * to an "nstime_t".
1263 * A FILETIME is a 64-bit integer, giving the time since Jan 1, 1601,
1264 * midnight "UTC", in 100ns units.
1265 * Return TRUE if the conversion succeeds, FALSE otherwise.
1266 *
1267 * According to the Samba code, it appears to be kludge-GMT (at least for
1268 * file listings). This means it's the GMT you get by taking a local time
1269 * and adding the server time zone offset. This is NOT the same as GMT in
1270 * some cases. However, we don't know the server time zone, so we don't
1271 * do that adjustment.
1272 *
1273 * This code is based on the Samba code:
1274 *
1275 * Unix SMB/Netbios implementation.
1276 * Version 1.9.
1277 * time handling functions
1278 * Copyright (C) Andrew Tridgell 1992-1998
1279 */
1280 static gboolean
1281 nt_time_to_nstime(guint32 filetime_high, guint32 filetime_low, nstime_t *tv)
1282 {
1283 guint64 d;
1284 gint64 secs;
1285 int nsecs;
1286 /* The next two lines are a fix needed for the
1287 broken SCO compiler. JRA. */
1288 time_t l_time_min = TIME_T_MIN;
1289 time_t l_time_max = TIME_T_MAX;
1290
1291 if (filetime_high == 0)
1292 return FALSE;
1293
1294 d = ((guint64)filetime_high << 32) | filetime_low;
1295
1296 /* Split into seconds and nanoseconds. */
1297 secs = d / 10000000;
1298 nsecs = (int)((d % 10000000)*100);
1299
1300 /* Now adjust the seconds. */
1301 secs -= TIME_FIXUP_CONSTANT;
1302
1303 if (!(l_time_min <= secs && secs <= l_time_max))
1304 return FALSE;
1305
1306 /*
1307 * Get the time as seconds and nanoseconds.
1308 */
1309 tv->secs = (time_t) secs;
1310 tv->nsecs = nsecs;
1311
1312 return TRUE;
1313 }
1314
1315 int
1316 dissect_nt_64bit_time(tvbuff_t *tvb, proto_tree *tree, int offset, int hf_date)
1317 {
1318 guint32 filetime_high, filetime_low;
1319 nstime_t ts;
1320
1321 /* XXX there seems also to be another special time value which is fairly common :
1322 0x40000000 00000000
1323 the meaning of this one is yet unknown
1324 */
1325 if (tree) {
1326 filetime_low = tvb_get_letohl(tvb, offset);
1327 filetime_high = tvb_get_letohl(tvb, offset + 4);
1328 if (filetime_low == 0 && filetime_high == 0) {
1329 proto_tree_add_text(tree, tvb, offset, 8,
1330 "%s: No time specified (0)",
1331 proto_registrar_get_name(hf_date));
1332 } else if(filetime_low==0 && filetime_high==0x80000000){
1333 proto_tree_add_text(tree, tvb, offset, 8,
1334 "%s: Infinity (relative time)",
1335 proto_registrar_get_name(hf_date));
1336 } else if(filetime_low==0xffffffff && filetime_high==0x7fffffff){
1337 proto_tree_add_text(tree, tvb, offset, 8,
1338 "%s: Infinity (absolute time)",
1339 proto_registrar_get_name(hf_date));
1340 } else {
1341 if (nt_time_to_nstime(filetime_high, filetime_low, &ts)) {
1342 proto_tree_add_time(tree, hf_date, tvb,
1343 offset, 8, &ts);
1344 } else {
1345 proto_tree_add_text(tree, tvb, offset, 8,
1346 "%s: Time can't be converted",
1347 proto_registrar_get_name(hf_date));
1348 }
1349 }
1350 }
1351
1352 offset += 8;
1353 return offset;
1354 }
1355
1356
1357 /* Well-known SIDs defined in http://support.microsoft.com/kb/243330 */
1358
1359 static const sid_strings well_known_sids[] = {
1360 {"S-1-0", "Null Authority"},
1361 {"S-1-0-0", "Nobody"},
1362 {"S-1-1", "World Authority"},
1363 {"S-1-1-0", "Everyone"},
1364 {"S-1-2", "Local Authority"},
1365 {"S-1-2-0", "Local"},
1366 {"S-1-2-1", "Console Logon"},
1367 {"S-1-3", "Creator Authority"},
1368 {"S-1-3-0", "Creator Owner"},
1369 {"S-1-3-1", "Creator Group"},
1370 {"S-1-3-2", "Creator Owner Server"},
1371 {"S-1-3-3", "Creator Group Server"},
1372 {"S-1-3-4", "Owner Rights"},
1373 {"S-1-4", "Non-unique Authority"},
1374
1375 {"S-1-5-1", "Dialup"},
1376 {"S-1-5-2", "Network"},
1377 {"S-1-5-3", "Batch"},
1378 {"S-1-5-4", "Interactive"},
1379 {"S-1-5-5", "Logon Session"}, /* S-1-5-5-X-Y has 6 fields */
1380 {"S-1-5-6", "Service"},
1381 {"S-1-5-7", "Anonymous"},
1382 {"S-1-5-8", "Proxy"},
1383 {"S-1-5-9", "Enterprise Domain Controllers"},
1384 {"S-1-5-10", "Principal Self"},
1385 {"S-1-5-11", "Authenticated Users"},
1386 {"S-1-5-12", "Reserved"},
1387 {"S-1-5-13", "Terminal Server Users"},
1388 {"S-1-5-14", "Remote Interactive Logon"},
1389 {"S-1-5-15", "All users in this organization"},
1390 {"S-1-5-17", "Default IIS user account"},
1391 {"S-1-5-18", "Local System"},
1392 {"S-1-5-19", "Local Service"},
1393 {"S-1-5-20", "Network Service"},
1394 /*
1395 * S-1-5-21-<d1>-<d2>-<d3>-<RID> where "<d1>-<d2>-<d3>" is the NT domain
1396 * RIDs are defined in 'wkwn_S_1_5_21_rids' */
1397 {"S-1-5-21", "Domain SID"},
1398
1399 /* S-1-5-32-<RID>: Builtin local group SIDs */
1400 {"S-1-5-32", "Local Group"},
1401 {"S-1-5-32-544", "Administrators"},
1402 {"S-1-5-32-545", "Users"},
1403 {"S-1-5-32-546", "Guests"},
1404 {"S-1-5-32-547", "Power Users"},
1405 {"S-1-5-32-548", "Account Operators"},
1406 {"S-1-5-32-549", "Server Operators"},
1407 {"S-1-5-32-550", "Print Operators"},
1408 {"S-1-5-32-551", "Backup Operators"},
1409 {"S-1-5-32-552", "Replicators"},
1410 {"S-1-5-32-554", "Pre-Windows 2000 Compatible Access"},
1411 {"S-1-5-32-555", "Remote Desktop Users"},
1412 {"S-1-5-32-556", "Network Configuration Operators"},
1413 {"S-1-5-32-557", "Incoming Forest Trust Builders"},
1414 {"S-1-5-32-558", "Performance Monitor Users"},
1415 {"S-1-5-32-559", "Performance Log Users"},
1416 {"S-1-5-32-560", "Windows Authorization Access Group"},
1417 {"S-1-5-32-561", "Terminal Server License Servers"},
1418 {"S-1-5-32-562", "Distributed COM Users"},
1419 {"S-1-5-32-569", "Cryptographic Operators"},
1420 {"S-1-5-32-573", "Event Log Readers"},
1421 {"S-1-5-32-574", "Certificate Service DCOM Access"},
1422
1423 {"S-1-5-64", "Authentication"},
1424 {"S-1-5-64-10", "NTLM"},
1425 {"S-1-5-64-14", "SChannel"},
1426 {"S-1-5-64-21", "Digest"},
1427
1428 {"S-1-5-80", "NT Service"},
1429
1430 {"S-1-16", "Mandatory Level"},
1431 {"S-1-16-0", "Untrusted"},
1432 {"S-1-16-4096", "Low"},
1433 {"S-1-16-8192", "Medium"},
1434 {"S-1-16-8448", "Medium Plus"},
1435 {"S-1-16-12288", "High"},
1436 {"S-1-16-16384", "System"},
1437 {"S-1-16-20480", "Protected Process"},
1438 {"S-1-16-28672", "Secure Process"},
1439 {NULL, NULL}
1440 };
1441
1442 static const char*
1443 match_wkwn_sids(const char* sid) {
1444 int i = 0;
1445 while (well_known_sids[i].name) {
1446 if (strcmp(well_known_sids[i].sid, sid)==0) {
1447 return(well_known_sids[i].name);
1448 }
1449 i++;
1450 }
1451 return NULL;
1452 }
1453
1454 /* For SIDs in the form 'S-1-5-21-X-Y-Z-<RID>', '21-X-Y-Z' is referred to
1455 as the "domain SID" (NT domain) or "machine SID" (local machine).
1456 The following are well-known RIDs which are appended to domain/machine SIDs
1457 as defined in http://support.microsoft.com/kb/243330. */
1458
1459 static const value_string wkwn_S_1_5_21_rids[] = {
1460 {498, "Enterprise Read-only Domain Controllers"},
1461 {500, "Administrator"},
1462 {501, "Guest"},
1463 {502, "KRBTGT"},
1464 {512, "Domain Admins"},
1465 {513, "Domain Users"},
1466 {514, "Domain Guests"},
1467 {515, "Domain Computers"},
1468 {516, "Domain Controllers"},
1469 {517, "Cert Publishers"},
1470 {518, "Schema Administrators"},
1471 {519, "Enterprise Admins"},
1472 {520, "Group Policy Creator Owners"},
1473 {521, "Read-only Domain Controllers"},
1474 {553, "RAS and IAS Servers"},
1475 {571, "Allowed RODC Password Replication Group"},
1476 {572, "Denied RODC Password Replication Group"},
1477 {0, NULL}
1478 };
1479
1480 /* Dissect an NT SID. Label it with 'name' and return a string version
1481 * of the SID in the 'sid_str' parameter which has a packet lifetime
1482 * scope and should NOT be freed by the caller. hf_sid can be -1 if
1483 * the caller doesnt care what name is used and then "nt.sid" will be
1484 * the default instead. If the caller wants a more appropriate hf
1485 * field, it will just pass a FT_STRING hf field here
1486 */
1487 int
1488 dissect_nt_sid(tvbuff_t *tvb, int offset, proto_tree *parent_tree,
1489 const char *name, char **sid_str, int hf_sid)
1490 {
1491 int offset_sid_start = offset, sa_offset, rid_offset=0, wkwn_sid1_len=0,
1492 wkwn_sid2_len = 0, i;
1493 guint8 revision, num_auth;
1494 guint32 sa_field, rid=0;
1495 guint64 authority=0;
1496 wmem_strbuf_t *sa_str = NULL, *sid_in_dec_str = NULL, *sid_in_hex_str = NULL, *label_str = NULL,
1497 *domain_str = NULL, *wkwn_sid1_str = NULL, *wkwn_sid2_str = NULL;
1498 const char *mapped_name = NULL, *mapped_rid = NULL;
1499 gboolean domain_sid = FALSE, s_1_5_32 = FALSE, s_1_5_64 = FALSE, locally_defined = FALSE,
1500 S_1_16 = FALSE;
1501 proto_item *item = NULL, *hidden_item;
1502 proto_tree *subtree = NULL;
1503
1504 /* Revision of SID */
1505 revision = tvb_get_guint8(tvb, offset);
1506 offset++;
1507
1508 /* Number of subauthority fields */
1509 num_auth = tvb_get_guint8(tvb, offset);
1510 offset++;
1511
1512 if(sid_str)
1513 *sid_str=NULL;
1514
1515 if(hf_sid==-1){
1516 /* if no tree, just return the offset of the end_of_SID+1 */
1517 if (!parent_tree)
1518 return(offset+(6+(num_auth*4)));
1519
1520 hf_sid=hf_nt_sid;
1521 }
1522
1523 /* Identifier Authority */
1524 for(i=0; i<6; i++){
1525 authority = (authority << 8) + tvb_get_guint8(tvb, offset);
1526 offset++;
1527 }
1528
1529 sid_in_dec_str = wmem_strbuf_new_label(wmem_packet_scope());
1530 wmem_strbuf_append_printf (sid_in_dec_str, "S-%u-%" G_GINT64_MODIFIER "u", revision, authority);
1531
1532 /* If sid_display_hex is set, sid_in_dec_str is still needed for
1533 looking up well-known SIDs*/
1534 if (sid_display_hex) {
1535 sid_in_hex_str = wmem_strbuf_new_label(wmem_packet_scope());
1536 wmem_strbuf_append_printf (sid_in_hex_str, "S-%x-%" G_GINT64_MODIFIER "x", revision, authority);
1537 }
1538
1539 wkwn_sid1_str = wmem_strbuf_new_label(wmem_packet_scope());
1540 label_str = wmem_strbuf_new_label(wmem_packet_scope());
1541
1542 if (strcmp(wmem_strbuf_get_str(sid_in_dec_str), "S-1-16")==0)
1543 S_1_16 = TRUE;
1544
1545 /* Look for well-known SIDs in format 'S-1-<Identifier Authority>' (i.e., exactly 3 fields) */
1546 if (num_auth==0 || S_1_16) {
1547 mapped_name = match_wkwn_sids(wmem_strbuf_get_str(sid_in_dec_str));
1548 if (mapped_name) {
1549 wmem_strbuf_append(label_str, mapped_name);
1550 wmem_strbuf_append(wkwn_sid1_str,
1551 (sid_display_hex ? wmem_strbuf_get_str(sid_in_hex_str) : wmem_strbuf_get_str(sid_in_dec_str)));
1552 wkwn_sid1_len = 8;
1553 }
1554 }
1555
1556 sa_offset = offset;
1557 sa_str = wmem_strbuf_new_label(wmem_packet_scope());
1558 wkwn_sid2_str = wmem_strbuf_new_label(wmem_packet_scope());
1559 domain_str = wmem_strbuf_new_label(wmem_packet_scope());
1560
1561 /* Build the sub-authorities and full SID strings */
1562 for(i=1; i<num_auth+1; i++) {
1563 /*
1564 * XXX should not be letohl but native byteorder according to
1565 * Samba header files.
1566 *
1567 * However, considering that there were never any NT ports
1568 * to big-endian platforms (PowerPC and MIPS ran little-endian,
1569 * and IA-64 runs little-endian, as does x86-64), we can (?)
1570 * assume that non le byte encodings will be "uncommon"?
1571 */
1572 sa_field = tvb_get_letohl(tvb, offset);
1573 wmem_strbuf_append_printf(sid_in_dec_str, "-%u", sa_field);
1574 wmem_strbuf_append_printf(sa_str,
1575 (i==1 ? (sid_display_hex ? "%x" : "%u") : (sid_display_hex ? "-%x" : "-%u")),
1576 sa_field);
1577 if (sid_display_hex)
1578 wmem_strbuf_append_printf(sid_in_hex_str, "-%x", sa_field);
1579
1580 if (i==1) {
1581 /* Look for well-known SIDs at level one ("S-1-<authority>-<value>") */
1582 if (S_1_16) {
1583 /* Mandatory Level (S-1-16) */
1584 mapped_rid = match_wkwn_sids(wmem_strbuf_get_str(sid_in_dec_str));
1585 if (mapped_rid) {
1586 /* Get the RID */
1587 wmem_strbuf_append_printf(label_str, "%s-%s", mapped_name, mapped_rid);
1588 rid = sa_field;
1589 rid_offset = offset;
1590 wmem_strbuf_append(wkwn_sid2_str,
1591 (sid_display_hex ? wmem_strbuf_get_str(sid_in_hex_str) : wmem_strbuf_get_str(sid_in_dec_str)));
1592 wkwn_sid1_len=12; }
1593 } else {
1594 mapped_name = match_wkwn_sids(wmem_strbuf_get_str(sid_in_dec_str));
1595 if (mapped_name) {
1596 wmem_strbuf_append(label_str, mapped_name);
1597 wmem_strbuf_append(wkwn_sid1_str,
1598 (sid_display_hex ? wmem_strbuf_get_str(sid_in_hex_str) : wmem_strbuf_get_str(sid_in_dec_str)));
1599 wkwn_sid1_len = 12;
1600 }
1601 /* The following three SID types have (unique) RIDs */
1602 if (strcmp(wmem_strbuf_get_str(sid_in_dec_str), "S-1-5-21")==0) {
1603 /* Domain SID */
1604 domain_sid = TRUE;
1605 } else if (strcmp(wmem_strbuf_get_str(sid_in_dec_str), "S-1-5-32")==0) {
1606 /* Local Group (S-1-5-32) SID */
1607 s_1_5_32 = TRUE;
1608 } else if (strcmp(wmem_strbuf_get_str(sid_in_dec_str), "S-1-5-64")==0) {
1609 /* Authentication (S-1-5-64) SID */
1610 s_1_5_64 = TRUE;
1611 }
1612 }
1613 } else if (i==2 && !domain_sid) {
1614 /* The only well-known SIDS with two subauthority fields ("level 2 SIDs") are
1615 Local Group (S-1-5-32), and Authentication (S-1-5-64). */
1616 if (s_1_5_32 || s_1_5_64) {
1617 mapped_rid = match_wkwn_sids(wmem_strbuf_get_str(sid_in_dec_str));
1618 if (mapped_rid) {
1619 /* Get the RID */
1620 wmem_strbuf_append_printf(label_str, "-%s", mapped_rid);
1621 rid = sa_field;
1622 rid_offset = offset;
1623 wmem_strbuf_append(wkwn_sid2_str,
1624 (sid_display_hex ? wmem_strbuf_get_str(sid_in_hex_str) : wmem_strbuf_get_str(sid_in_dec_str)));
1625 wkwn_sid2_len=16;
1626 } else {
1627 /* The RID not well-known. */
1628 locally_defined = TRUE;
1629 }
1630 } else {
1631 if (mapped_name) {
1632 /* A level 1 well-known SID appended with locally defined value */
1633 locally_defined = TRUE;
1634 }
1635 }
1636 } else {
1637 /* 3 or more sub-auth fields - NOTE: Except for domain SIDs, there are no wkwn SIDs with 3 or more
1638 sub-auth fields so we don't lookup SIDs here. Logon Session SIDs have 3 sub-auth fields but the
1639 last two are locally defined. */
1640 if (domain_sid) {
1641 if (num_auth >= 4) {
1642 if (i >= 2 && i <=4 ) {
1643 /* Add the field to the domain string (d1-d2-d3) */
1644 wmem_strbuf_append_printf(domain_str,
1645 (i==2 ? (sid_display_hex ? "%x" : "%u") : (sid_display_hex ? "-%x" : "-%u")), sa_field);
1646
1647 } else if (i==5) {
1648 rid = sa_field;
1649 rid_offset = offset;
1650 mapped_rid = val_to_str_const(rid, wkwn_S_1_5_21_rids, "Domain RID");
1651 wmem_strbuf_append_printf(label_str, "-%s", mapped_rid);
1652
1653 } else {
1654 locally_defined = TRUE;
1655 }
1656 } else {
1657 mapped_name = "Corrupt domain SID";
1658 }
1659 } else {
1660 if (mapped_name) {
1661 /* A locally defined value appended to a level 2 well-known SID*/
1662 locally_defined = TRUE;
1663 }
1664 }
1665 }
1666 offset+=4;
1667 } /* End of for loop */
1668
1669 if ( !(mapped_name || domain_sid || s_1_5_32 || s_1_5_64) ) {
1670 /* If requested, try to map the NON-well-known SID to an object name discovered in this capture */
1671 if (sid_name_snooping) {
1672 mapped_name = find_sid_name(wmem_strbuf_get_str(sid_in_dec_str));
1673 } else {
1674 mapped_name = "<Unknown SID type>";
1675 }
1676 }
1677
1678 if (locally_defined) {
1679 wmem_strbuf_append_printf(label_str, "-<locally defined>");
1680 }
1681
1682 /* It's tree time
1683 Display the full SID string in hex or dec */
1684 item = proto_tree_add_string_format(
1685 parent_tree, hf_sid, tvb, offset_sid_start, (offset - offset_sid_start),
1686 (sid_display_hex ? wmem_strbuf_get_str(sid_in_hex_str) : wmem_strbuf_get_str(sid_in_dec_str)),
1687 "%s: %s", name, (sid_display_hex ? wmem_strbuf_get_str(sid_in_hex_str) : wmem_strbuf_get_str(sid_in_dec_str))
1688 );
1689 proto_item_append_text(item, " (%s)", wmem_strbuf_get_str(label_str));
1690
1691
1692 subtree = proto_item_add_subtree(item, ett_nt_sid);
1693
1694 /* Add revision, num_auth, and authority */
1695 proto_tree_add_item(subtree, hf_nt_sid_revision, tvb, offset_sid_start, 1, ENC_LITTLE_ENDIAN);
1696 proto_tree_add_item(subtree, hf_nt_sid_num_auth, tvb, offset_sid_start+1, 1, ENC_LITTLE_ENDIAN);
1697 proto_tree_add_uint64_format_value(subtree,
1698 (sid_display_hex ? hf_nt_sid_auth_hex : hf_nt_sid_auth_dec),
1699 tvb, offset_sid_start+2, 6, authority, "%" G_GINT64_MODIFIER "u", authority);
1700
1701 /* Add subauthorities */
1702 proto_tree_add_string_format_value(subtree, hf_nt_sid_subauth, tvb, sa_offset,
1703 num_auth*4, wmem_strbuf_get_str(sa_str), "%s", wmem_strbuf_get_str(sa_str));
1704
1705 if (rid) {
1706 item = proto_tree_add_item (subtree,
1707 (sid_display_hex ? hf_nt_sid_rid_hex : hf_nt_sid_rid_dec), tvb, rid_offset, 4, ENC_LITTLE_ENDIAN);
1708 proto_item_append_text(item, " (%s)", mapped_rid);
1709 }
1710
1711 /* Add well-known SID and domain strings if present */
1712 if (wmem_strbuf_get_len(wkwn_sid1_str) > 0) {
1713 hidden_item = proto_tree_add_string_format_value(
1714 subtree, hf_nt_sid_wkwn, tvb, offset_sid_start, wkwn_sid1_len,
1715 wmem_strbuf_get_str(wkwn_sid1_str), "%s", wmem_strbuf_get_str(wkwn_sid1_str));
1716 proto_item_append_text(hidden_item, " (%s)", mapped_name);
1717 PROTO_ITEM_SET_HIDDEN(hidden_item);
1718 }
1719 if (wmem_strbuf_get_len(wkwn_sid2_str) > 0) {
1720 hidden_item = proto_tree_add_string_format_value(
1721 subtree, hf_nt_sid_wkwn, tvb, offset_sid_start, wkwn_sid2_len,
1722 wmem_strbuf_get_str(wkwn_sid2_str), "%s", wmem_strbuf_get_str(wkwn_sid2_str));
1723 proto_item_append_text(hidden_item, " (%s)", wmem_strbuf_get_str(label_str));
1724 PROTO_ITEM_SET_HIDDEN(hidden_item);
1725 }
1726 if (domain_sid && wmem_strbuf_get_len(domain_str) > 0) {
1727 hidden_item = proto_tree_add_string_format_value(
1728 subtree, hf_nt_sid_domain, tvb, offset_sid_start + 12, 12,
1729 wmem_strbuf_get_str(domain_str), "%s", wmem_strbuf_get_str(domain_str));
1730 PROTO_ITEM_SET_HIDDEN(hidden_item);
1731 }
1732
1733 /* If requested, return SID string with mapped name */
1734 if(sid_str){
1735 if(mapped_name){
1736 *sid_str = wmem_strdup_printf(wmem_packet_scope(), "%s (%s)",
1737 (sid_display_hex ? wmem_strbuf_get_str(sid_in_hex_str) : wmem_strbuf_get_str(sid_in_dec_str)), wmem_strbuf_get_str(label_str));
1738 } else {
1739 *sid_str = wmem_strdup(wmem_packet_scope(), sid_display_hex ? wmem_strbuf_get_str(sid_in_hex_str) : wmem_strbuf_get_str(sid_in_dec_str));
1740 }
1741 if(!(*sid_str)){
1742 *sid_str=wmem_strdup(wmem_packet_scope(), "corrupted SID");
1743 }
1744 }
1745 return offset;
1746 }
1747
1748 /* Dissect an access mask. All this stuff is kind of explained at MSDN:
1749
1750 http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/windows_2000_windows_nt_access_mask_format.asp
1751
1752 */
1753
1754 static gint ett_nt_access_mask = -1;
1755 static gint ett_nt_access_mask_generic = -1;
1756 static gint ett_nt_access_mask_standard = -1;
1757 static gint ett_nt_access_mask_specific = -1;
1758
1759 static int hf_access_sacl = -1;
1760 static int hf_access_maximum_allowed = -1;
1761 static int hf_access_generic_read = -1;
1762 static int hf_access_generic_write = -1;
1763 static int hf_access_generic_execute = -1;
1764 static int hf_access_generic_all = -1;
1765 static int hf_access_standard_delete = -1;
1766 static int hf_access_standard_read_control = -1;
1767 static int hf_access_standard_synchronise = -1;
1768 static int hf_access_standard_write_dac = -1;
1769 static int hf_access_standard_write_owner = -1;
1770 static int hf_access_specific_15 = -1;
1771 static int hf_access_specific_14 = -1;
1772 static int hf_access_specific_13 = -1;
1773 static int hf_access_specific_12 = -1;
1774 static int hf_access_specific_11 = -1;
1775 static int hf_access_specific_10 = -1;
1776 static int hf_access_specific_9 = -1;
1777 static int hf_access_specific_8 = -1;
1778 static int hf_access_specific_7 = -1;
1779 static int hf_access_specific_6 = -1;
1780 static int hf_access_specific_5 = -1;
1781 static int hf_access_specific_4 = -1;
1782 static int hf_access_specific_3 = -1;
1783 static int hf_access_specific_2 = -1;
1784 static int hf_access_specific_1 = -1;
1785 static int hf_access_specific_0 = -1;
1786
1787 /* Map generic permissions to specific permissions */
1788
1789 static void map_generic_access(guint32 *access_mask,
1790 struct generic_mapping *mapping)
1791 {
1792 if (*access_mask & GENERIC_READ_ACCESS) {
1793 *access_mask &= ~GENERIC_READ_ACCESS;
1794 *access_mask |= mapping->generic_read;
1795 }
1796
1797 if (*access_mask & GENERIC_WRITE_ACCESS) {
1798 *access_mask &= ~GENERIC_WRITE_ACCESS;
1799 *access_mask |= mapping->generic_write;
1800 }
1801
1802 if (*access_mask & GENERIC_EXECUTE_ACCESS) {
1803 *access_mask &= ~GENERIC_EXECUTE_ACCESS;
1804 *access_mask |= mapping->generic_execute;
1805 }
1806
1807 if (*access_mask & GENERIC_ALL_ACCESS) {
1808 *access_mask &= ~GENERIC_ALL_ACCESS;
1809 *access_mask |= mapping->generic_all;
1810 }
1811 }
1812
1813 /* Map standard permissions to specific permissions */
1814
1815 static void map_standard_access(guint32 *access_mask,
1816 struct standard_mapping *mapping)
1817 {
1818 if (*access_mask & READ_CONTROL_ACCESS) {
1819 *access_mask &= ~READ_CONTROL_ACCESS;
1820 *access_mask |= mapping->std_read;
1821 }
1822
1823 if (*access_mask & (DELETE_ACCESS|WRITE_DAC_ACCESS|WRITE_OWNER_ACCESS|
1824 SYNCHRONIZE_ACCESS)) {
1825 *access_mask &= ~(DELETE_ACCESS|WRITE_DAC_ACCESS|
1826 WRITE_OWNER_ACCESS|SYNCHRONIZE_ACCESS);
1827 *access_mask |= mapping->std_all;
1828 }
1829
1830 }
1831
1832 int
1833 dissect_nt_access_mask(tvbuff_t *tvb, gint offset, packet_info *pinfo,
1834 proto_tree *tree, dcerpc_info *di, guint8 *drep, int hfindex,
1835 struct access_mask_info *ami, guint32 *perms)
1836 {
1837 proto_item *item;
1838 proto_tree *subtree, *generic_tree, *standard_tree, *specific_tree;
1839 guint32 access;
1840
1841 if (drep != NULL) {
1842 /*
1843 * Called from a DCE RPC protocol dissector, for a
1844 * protocol where a 32-bit NDR integer contains
1845 * an NT access mask; extract the access mask
1846 * with an NDR call.
1847 */
1848 offset = dissect_ndr_uint32(tvb, offset, pinfo, NULL, di, drep,
1849 hfindex, &access);
1850 } else {
1851 /*
1852 * Called from SMB, where the access mask is just a
1853 * 4-byte little-endian quantity with no special
1854 * NDR alignment requirement; extract it with
1855 * "tvb_get_letohl()".
1856 */
1857 access = tvb_get_letohl(tvb, offset);
1858 offset += 4;
1859 }
1860
1861 if (perms) {
1862 *perms = access;
1863 }
1864
1865 item = proto_tree_add_uint(tree, hfindex, tvb, offset - 4, 4, access);
1866
1867 subtree = proto_item_add_subtree(item, ett_nt_access_mask);
1868
1869 /* Generic access rights */
1870
1871 item = proto_tree_add_text(subtree, tvb, offset - 4, 4,
1872 "Generic rights: 0x%08x",
1873 access & GENERIC_RIGHTS_MASK);
1874
1875 generic_tree = proto_item_add_subtree(
1876 item, ett_nt_access_mask_generic);
1877
1878 proto_tree_add_boolean(
1879 generic_tree, hf_access_generic_read, tvb, offset - 4, 4,
1880 access);
1881
1882 proto_tree_add_boolean(
1883 generic_tree, hf_access_generic_write, tvb, offset - 4, 4,
1884 access);
1885
1886 proto_tree_add_boolean(
1887 generic_tree, hf_access_generic_execute, tvb, offset - 4, 4,
1888 access);
1889
1890 proto_tree_add_boolean(
1891 generic_tree, hf_access_generic_all, tvb, offset - 4, 4,
1892 access);
1893
1894 /* Reserved (??) */
1895
1896 proto_tree_add_boolean(
1897 subtree, hf_access_maximum_allowed, tvb, offset - 4, 4,
1898 access);
1899
1900 /* Access system security */
1901
1902 proto_tree_add_boolean(
1903 subtree, hf_access_sacl, tvb, offset - 4, 4,
1904 access);
1905
1906 /* Standard access rights */
1907
1908 item = proto_tree_add_text(subtree, tvb, offset - 4, 4,
1909 "Standard rights: 0x%08x",
1910 access & STANDARD_RIGHTS_MASK);
1911
1912 standard_tree = proto_item_add_subtree(
1913 item, ett_nt_access_mask_standard);
1914
1915 proto_tree_add_boolean(
1916 standard_tree, hf_access_standard_synchronise, tvb,
1917 offset - 4, 4, access);
1918
1919 proto_tree_add_boolean(
1920 standard_tree, hf_access_standard_write_owner, tvb,
1921 offset - 4, 4, access);
1922
1923 proto_tree_add_boolean(
1924 standard_tree, hf_access_standard_write_dac, tvb,
1925 offset - 4, 4, access);
1926
1927 proto_tree_add_boolean(
1928 standard_tree, hf_access_standard_read_control, tvb,
1929 offset - 4, 4, access);
1930
1931 proto_tree_add_boolean(
1932 standard_tree, hf_access_standard_delete, tvb, offset - 4, 4,
1933 access);
1934
1935 /* Specific access rights. Call the specific_rights_fn
1936 pointer if we have one, otherwise just display bits 0-15 in
1937 boring fashion. */
1938
1939 if (ami && ami->specific_rights_name)
1940 item = proto_tree_add_text(subtree, tvb, offset - 4, 4,
1941 "%s specific rights: 0x%08x",
1942 ami->specific_rights_name,
1943 access & SPECIFIC_RIGHTS_MASK);
1944 else
1945 item = proto_tree_add_text(subtree, tvb, offset - 4, 4,
1946 "Specific rights: 0x%08x",
1947 access & SPECIFIC_RIGHTS_MASK);
1948
1949 specific_tree = proto_item_add_subtree(
1950 item, ett_nt_access_mask_specific);
1951
1952 if (ami && ami->specific_rights_fn) {
1953 guint32 mapped_access = access;
1954 proto_tree *specific_mapped;
1955
1956 specific_mapped = proto_item_add_subtree(
1957 item, ett_nt_access_mask_specific);
1958
1959 ami->specific_rights_fn(
1960 tvb, offset - 4, specific_tree, access);
1961
1962 if (ami->generic_mapping)
1963 map_generic_access(&access, ami->generic_mapping);
1964
1965 if (ami->standard_mapping)
1966 map_standard_access(&access, ami->standard_mapping);
1967
1968 if (access != mapped_access) {
1969 ami->specific_rights_fn(
1970 tvb, offset - 4, specific_mapped,
1971 mapped_access);
1972 }
1973
1974 return offset;
1975 }
1976
1977 proto_tree_add_boolean(
1978 specific_tree, hf_access_specific_15, tvb, offset - 4, 4,
1979 access);
1980
1981 proto_tree_add_boolean(
1982 specific_tree, hf_access_specific_14, tvb, offset - 4, 4,
1983 access);
1984
1985 proto_tree_add_boolean(
1986 specific_tree, hf_access_specific_13, tvb, offset - 4, 4,
1987 access);
1988
1989 proto_tree_add_boolean(
1990 specific_tree, hf_access_specific_12, tvb, offset - 4, 4,
1991 access);
1992
1993 proto_tree_add_boolean(
1994 specific_tree, hf_access_specific_11, tvb, offset - 4, 4,
1995 access);
1996
1997 proto_tree_add_boolean(
1998 specific_tree, hf_access_specific_10, tvb, offset - 4, 4,
1999 access);
2000
2001 proto_tree_add_boolean(
2002 specific_tree, hf_access_specific_9, tvb, offset - 4, 4,
2003 access);
2004
2005 proto_tree_add_boolean(
2006 specific_tree, hf_access_specific_8, tvb, offset - 4, 4,
2007 access);
2008
2009 proto_tree_add_boolean(
2010 specific_tree, hf_access_specific_7, tvb, offset - 4, 4,
2011 access);
2012
2013 proto_tree_add_boolean(
2014 specific_tree, hf_access_specific_6, tvb, offset - 4, 4,
2015 access);
2016
2017 proto_tree_add_boolean(
2018 specific_tree, hf_access_specific_5, tvb, offset - 4, 4,
2019 access);
2020
2021 proto_tree_add_boolean(
2022 specific_tree, hf_access_specific_4, tvb, offset - 4, 4,
2023 access);
2024
2025 proto_tree_add_boolean(
2026 specific_tree, hf_access_specific_3, tvb, offset - 4, 4,
2027 access);
2028
2029 proto_tree_add_boolean(
2030 specific_tree, hf_access_specific_2, tvb, offset - 4, 4,
2031 access);
2032
2033 proto_tree_add_boolean(
2034 specific_tree, hf_access_specific_1, tvb, offset - 4, 4,
2035 access);
2036
2037 proto_tree_add_boolean(
2038 specific_tree, hf_access_specific_0, tvb, offset - 4, 4,
2039 access);
2040
2041 return offset;
2042 }
2043
2044 static int hf_nt_access_mask = -1;
2045
2046 #define ACL_REVISION_NT4 2
2047 #define ACL_REVISION_ADS 4
2048 static const value_string acl_revision_vals[] = {
2049 { ACL_REVISION_NT4, "NT4"},
2050 { ACL_REVISION_ADS, "AD"},
2051 {0,NULL}
2052 };
2053
2054 #define ACE_TYPE_ACCESS_ALLOWED 0
2055 #define ACE_TYPE_ACCESS_DENIED 1
2056 #define ACE_TYPE_SYSTEM_AUDIT 2
2057 #define ACE_TYPE_SYSTEM_ALARM 3
2058 #define ACE_TYPE_ALLOWED_COMPOUND 4
2059 #define ACE_TYPE_ACCESS_ALLOWED_OBJECT 5
2060 #define ACE_TYPE_ACCESS_DENIED_OBJECT 6
2061 #define ACE_TYPE_SYSTEM_AUDIT_OBJECT 7
2062 #define ACE_TYPE_SYSTEM_ALARM_OBJECT 8
2063 #define ACE_TYPE_ACCESS_ALLOWED_CALLBACK 9
2064 #define ACE_TYPE_ACCESS_DENIED_CALLBACK 10
2065 #define ACE_TYPE_ACCESS_ALLOWED_CALLBACK_OBJECT 11
2066 #define ACE_TYPE_ACCESS_DENIED_CALLBACK_OBJECT 12
2067 #define ACE_TYPE_SYSTEM_AUDIT_CALLBACK 13
2068 #define ACE_TYPE_SYSTEM_ALARM_CALLBACK 14
2069 #define ACE_TYPE_SYSTEM_AUDIT_CALLBACK_OBJECT 15
2070 #define ACE_TYPE_SYSTEM_ALARM_CALLBACK_OBJECT 16
2071 #define ACE_TYPE_SYSTEM_MANDATORY_LABEL 17
2072 static const value_string ace_type_vals[] = {
2073 { ACE_TYPE_ACCESS_ALLOWED, "Access Allowed"},
2074 { ACE_TYPE_ACCESS_DENIED, "Access Denied"},
2075 { ACE_TYPE_SYSTEM_AUDIT, "System Audit"},
2076 { ACE_TYPE_SYSTEM_ALARM, "System Alarm"},
2077 { ACE_TYPE_ALLOWED_COMPOUND, "Allowed Compound"},
2078 { ACE_TYPE_ACCESS_ALLOWED_OBJECT, "Allowed Object"},
2079 { ACE_TYPE_ACCESS_DENIED_OBJECT, "Denied Object"},
2080 { ACE_TYPE_SYSTEM_AUDIT_OBJECT, "Audit Object"},
2081 { ACE_TYPE_SYSTEM_ALARM_OBJECT, "Alarm Object"},
2082 { ACE_TYPE_ACCESS_ALLOWED_CALLBACK, "Allowed Callback"},
2083 { ACE_TYPE_ACCESS_DENIED_CALLBACK, "Denied Callback"},
2084 { ACE_TYPE_ACCESS_ALLOWED_CALLBACK_OBJECT, "Allowed Callback Object"},
2085 { ACE_TYPE_ACCESS_DENIED_CALLBACK_OBJECT, "Denied Callback Object"},
2086 { ACE_TYPE_SYSTEM_AUDIT_CALLBACK, "Audit Callback"},
2087 { ACE_TYPE_SYSTEM_ALARM_CALLBACK, "Alarm Callback"},
2088 { ACE_TYPE_SYSTEM_AUDIT_CALLBACK_OBJECT, "Audit Callback Object"},
2089 { ACE_TYPE_SYSTEM_ALARM_CALLBACK_OBJECT, "Alarm Callback Object"},
2090 { ACE_TYPE_SYSTEM_MANDATORY_LABEL, "Mandatory label"},
2091 { 0, NULL}
2092 };
2093 static const true_false_string tfs_ace_flags_object_inherit = {
2094 "Subordinate files will inherit this ACE",
2095 "Subordinate files will not inherit this ACE"
2096 };
2097 static const true_false_string tfs_ace_flags_container_inherit = {
2098 "Subordinate containers will inherit this ACE",
2099 "Subordinate containers will not inherit this ACE"
2100 };
2101 static const true_false_string tfs_ace_flags_non_propagate_inherit = {
2102 "Subordinate object will not propagate the inherited ACE further",
2103 "Subordinate object will propagate the inherited ACE further"
2104 };
2105 static const true_false_string tfs_ace_flags_inherit_only = {
2106 "This ACE does not apply to the current object",
2107 "This ACE applies to the current object"
2108 };
2109 static const true_false_string tfs_ace_flags_inherited_ace = {
2110 "This ACE was inherited from its parent object",
2111 "This ACE was not inherited from its parent object"
2112 };
2113 static const true_false_string tfs_ace_flags_successful_access = {
2114 "Successful accesses will be audited",
2115 "Successful accesses will not be audited"
2116 };
2117 static const true_false_string tfs_ace_flags_failed_access = {
2118 "Failed accesses will be audited",
2119 "Failed accesses will not be audited"
2120 };
2121
2122 static const true_false_string flags_sec_info_sacl = {
2123 "Request SACL",
2124 "Do NOT request SACL"
2125 };
2126 static const true_false_string flags_sec_info_dacl = {
2127 "Request DACL",
2128 "Do NOT request DACL"
2129 };
2130 static const true_false_string flags_sec_info_group = {
2131 "Request GROUP",
2132 "Do NOT request group"
2133 };
2134 static const true_false_string flags_sec_info_owner = {
2135 "Request OWNER",
2136 "Do NOT request owner"
2137 };
2138
2139 #define APPEND_ACE_TEXT(flag, item, string) \
2140 if(flag){ \
2141 if(item) \
2142 proto_item_append_text(item, string, sep); \
2143 sep = ", "; \
2144 }
2145
2146
2147 static int
2148 dissect_nt_ace_object(tvbuff_t *tvb, int offset, proto_tree *parent_tree)
2149 {
2150 proto_item *item = NULL;
2151 proto_tree *tree = NULL;
2152 proto_item *flags_item = NULL;
2153 proto_tree *flags_tree = NULL;
2154 guint32 flags;
2155 int old_offset=offset;
2156 const char *sep = " ";
2157
2158 if(parent_tree){
2159 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
2160 "ACE Object");
2161 tree = proto_item_add_subtree(item, ett_nt_ace_object);
2162 }
2163
2164 /* flags */
2165 flags=tvb_get_letohl(tvb, offset);
2166 if(tree){
2167 flags_item = proto_tree_add_text(tree, tvb, offset, 4,
2168 "ACE Object Flags (0x%08x)", flags);
2169 flags_tree = proto_item_add_subtree(flags_item, ett_nt_ace_object_flags);
2170 }
2171 proto_tree_add_boolean(flags_tree, hf_nt_ace_flags_object_type_present,
2172 tvb, offset, 4, flags);
2173 APPEND_ACE_TEXT(flags&0x00000001, flags_item, "%sObject Type Present");
2174
2175 proto_tree_add_boolean(flags_tree, hf_nt_ace_flags_inherited_object_type_present,
2176 tvb, offset, 4, flags);
2177 APPEND_ACE_TEXT(flags&0x00000002, flags_item, "%sInherited Object Type Present");
2178 offset+=4;
2179
2180
2181 /* is there a GUID ? */
2182 if(flags&0x00000001){
2183 proto_tree_add_item(tree, hf_nt_ace_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
2184 offset+=16;
2185 }
2186
2187 /* is there an inherited GUID ? */
2188 if(flags&0x00000002){
2189 proto_tree_add_item(tree, hf_nt_ace_inherited_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
2190 offset+=16;
2191 }
2192
2193 proto_item_set_len(item, offset-old_offset);
2194 return offset;
2195 }
2196
2197 static int
2198 dissect_nt_v2_ace_flags(tvbuff_t *tvb, int offset, proto_tree *parent_tree,
2199 guint8 *data)
2200 {
2201 proto_item *item = NULL;
2202 proto_tree *tree = NULL;
2203 guint8 mask;
2204 const char *sep = " ";
2205
2206 mask = tvb_get_guint8(tvb, offset);
2207
2208 if (data)
2209 *data = mask;
2210
2211
2212 if(parent_tree){
2213 item = proto_tree_add_text(parent_tree, tvb, offset, 1,
2214 "NT ACE Flags: 0x%02x", mask);
2215 tree = proto_item_add_subtree(item, ett_nt_ace_flags);
2216 }
2217
2218 proto_tree_add_boolean(tree, hf_nt_ace_flags_failed_access,
2219 tvb, offset, 1, mask);
2220 APPEND_ACE_TEXT(mask&0x80, item, "%sFailed Access");
2221
2222 proto_tree_add_boolean(tree, hf_nt_ace_flags_successful_access,
2223 tvb, offset, 1, mask);
2224 APPEND_ACE_TEXT(mask&0x40, item, "%sSuccessful Access");
2225
2226 proto_tree_add_boolean(tree, hf_nt_ace_flags_inherited_ace,
2227 tvb, offset, 1, mask);
2228 APPEND_ACE_TEXT(mask&0x10, item, "%sInherited ACE");
2229
2230 proto_tree_add_boolean(tree, hf_nt_ace_flags_inherit_only,
2231 tvb, offset, 1, mask);
2232 APPEND_ACE_TEXT(mask&0x08, item, "%sInherit Only");
2233
2234 proto_tree_add_boolean(tree, hf_nt_ace_flags_non_propagate_inherit,
2235 tvb, offset, 1, mask);
2236 APPEND_ACE_TEXT(mask&0x04, item, "%sNo Propagate Inherit");
2237
2238 proto_tree_add_boolean(tree, hf_nt_ace_flags_container_inherit,
2239 tvb, offset, 1, mask);
2240 APPEND_ACE_TEXT(mask&0x02, item, "%sContainer Inherit");
2241
2242 proto_tree_add_boolean(tree, hf_nt_ace_flags_object_inherit,
2243 tvb, offset, 1, mask);
2244 APPEND_ACE_TEXT(mask&0x01, item, "%sObject Inherit");
2245
2246
2247 offset += 1;
2248 return offset;
2249 }
2250
2251 static int
2252 dissect_nt_v2_ace(tvbuff_t *tvb, int offset, packet_info *pinfo,
2253 proto_tree *parent_tree, guint8 *drep,
2254 struct access_mask_info *ami)
2255 {
2256 proto_item *item = NULL;
2257 proto_tree *tree = NULL;
2258 int old_offset = offset;
2259 char *sid_str = NULL;
2260 guint16 size;
2261 guint8 type;
2262 guint8 flags;
2263 guint32 perms = 0;
2264
2265 if(parent_tree){
2266 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
2267 "NT ACE: ");
2268 tree = proto_item_add_subtree(item, ett_nt_ace);
2269 }
2270
2271 /* type */
2272 type = tvb_get_guint8(tvb, offset);
2273 proto_tree_add_uint(tree, hf_nt_ace_type, tvb, offset, 1, type);
2274 offset += 1;
2275
2276 /* flags */
2277 offset = dissect_nt_v2_ace_flags(tvb, offset, tree, &flags);
2278
2279 /* size */
2280 size = tvb_get_letohs(tvb, offset);
2281 if (size < 4) {
2282 /*
2283 * BOGUS - the size includes the ACE header length,
2284 * which is 4.
2285 */
2286 proto_tree_add_uint_format_value(tree, hf_nt_ace_size, tvb, offset, 2,
2287 size, "%u (bogus, must be >= 4)", size);
2288 return old_offset; /* our caller quits in this case */
2289 }
2290 proto_tree_add_uint(tree, hf_nt_ace_size, tvb, offset, 2, size);
2291 offset += 2;
2292
2293 /* some ACE types we not yet handle store other things than access mask
2294 * and SID in here.
2295 * sometimes things that are not related at all to access control.
2296 * naughty naughty. -- ronnie
2297 */
2298 switch(type){
2299 case ACE_TYPE_ACCESS_ALLOWED:
2300 case ACE_TYPE_ACCESS_DENIED:
2301 case ACE_TYPE_SYSTEM_AUDIT:
2302 case ACE_TYPE_SYSTEM_ALARM:
2303 case ACE_TYPE_ALLOWED_COMPOUND:
2304 case ACE_TYPE_ACCESS_ALLOWED_OBJECT:
2305 case ACE_TYPE_ACCESS_DENIED_OBJECT:
2306 case ACE_TYPE_SYSTEM_AUDIT_OBJECT:
2307 case ACE_TYPE_SYSTEM_ALARM_OBJECT:
2308 case ACE_TYPE_ACCESS_ALLOWED_CALLBACK:
2309 case ACE_TYPE_ACCESS_DENIED_CALLBACK:
2310 case ACE_TYPE_ACCESS_ALLOWED_CALLBACK_OBJECT:
2311 case ACE_TYPE_ACCESS_DENIED_CALLBACK_OBJECT:
2312 case ACE_TYPE_SYSTEM_AUDIT_CALLBACK:
2313 case ACE_TYPE_SYSTEM_ALARM_CALLBACK:
2314 case ACE_TYPE_SYSTEM_AUDIT_CALLBACK_OBJECT:
2315 case ACE_TYPE_SYSTEM_ALARM_CALLBACK_OBJECT:
2316 case ACE_TYPE_SYSTEM_MANDATORY_LABEL:
2317 /* access mask */
2318 offset = dissect_nt_access_mask(
2319 tvb, offset, pinfo, tree, NULL, drep,
2320 hf_nt_access_mask, ami, &perms);
2321
2322 /* these aces contain an extra object */
2323 switch(type){
2324 case ACE_TYPE_ACCESS_ALLOWED_OBJECT:
2325 case ACE_TYPE_ACCESS_DENIED_OBJECT:
2326 case ACE_TYPE_SYSTEM_AUDIT_OBJECT:
2327 case ACE_TYPE_SYSTEM_ALARM_OBJECT:
2328 case ACE_TYPE_ACCESS_ALLOWED_CALLBACK_OBJECT:
2329 case ACE_TYPE_ACCESS_DENIED_CALLBACK_OBJECT:
2330 case ACE_TYPE_SYSTEM_AUDIT_CALLBACK_OBJECT:
2331 case ACE_TYPE_SYSTEM_ALARM_CALLBACK_OBJECT:
2332 offset=dissect_nt_ace_object(tvb, offset, tree);
2333 }
2334
2335 /* SID */
2336 offset = dissect_nt_sid(tvb, offset, tree, "SID", &sid_str, -1);
2337
2338 if (item)
2339 proto_item_append_text(
2340 item, "%s, flags 0x%02x, %s, mask 0x%08x", sid_str, flags,
2341 val_to_str(type, ace_type_vals, "Unknown ACE type (0x%02x)"),
2342 perms);
2343 break;
2344 };
2345
2346 proto_item_set_len(item, offset-old_offset);
2347
2348 /* Sometimes there is some spare space at the end of the ACE so use
2349 the size field to work out where the end is. */
2350
2351 return old_offset + size;
2352 }
2353
2354 static int
2355 dissect_nt_acl(tvbuff_t *tvb, int offset, packet_info *pinfo,
2356 proto_tree *parent_tree, guint8 *drep, const char *name,
2357 struct access_mask_info *ami)
2358 {
2359 proto_item *volatile item = NULL;
2360 proto_tree *volatile tree = NULL;
2361 int old_offset = offset;
2362 int pre_ace_offset;
2363 guint16 revision;
2364 guint32 volatile num_aces;
2365 gboolean volatile missing_data = FALSE;
2366 gboolean volatile bad_ace = FALSE;
2367
2368 if(parent_tree) {
2369 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
2370 "NT %s ACL", name);
2371 tree = proto_item_add_subtree(item, ett_nt_acl);
2372 }
2373
2374 /* revision */
2375 /*
2376 * XXX - is this *really* 2 bytes? The page at
2377 *
2378 * http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/acl.asp
2379 *
2380 * indicates that it's one byte of revision and one byte of
2381 * zero padding, which means the code that used to be here
2382 * was correct - and this code would give the same results
2383 * as long as the padding is zero, so if this dissects it
2384 * correctly when the padding is zero, and the padding is
2385 * always zero, the old code would dissect it correctly
2386 * also.
2387 */
2388 revision = tvb_get_letohs(tvb, offset);
2389 proto_tree_add_uint(tree, hf_nt_acl_revision,
2390 tvb, offset, 2, revision);
2391 offset += 2;
2392
2393 switch(revision){
2394 case ACL_REVISION_NT4:
2395 case ACL_REVISION_ADS:
2396 case 3: /* weirdo type */
2397 /* size */
2398 proto_tree_add_item(tree, hf_nt_acl_size, tvb, offset, 2, ENC_LITTLE_ENDIAN);
2399 offset += 2;
2400
2401 /* number of ace structures */
2402 /*
2403 * XXX - is this *really* 4 bytes? The page referred to above
2404 * says it's 2 bytes of count followed by two bytes of
2405 * zero padding.
2406 */
2407 num_aces = tvb_get_letohl(tvb, offset);
2408 proto_tree_add_uint(tree, hf_nt_acl_num_aces,
2409 tvb, offset, 4, num_aces);
2410 offset += 4;
2411
2412 while(num_aces-- && !missing_data && !bad_ace) {
2413 pre_ace_offset = offset;
2414
2415 /*
2416 * These are at an offset later in the packet; don't
2417 * fail if we can't fetch them, just note the problem
2418 * and dissect the stuff before it.
2419 */
2420 TRY {
2421 offset = dissect_nt_v2_ace(tvb, offset, pinfo, tree, drep, ami);
2422 if (pre_ace_offset == offset) {
2423 /*
2424 * Bogus ACE, with a length < 4.
2425 */
2426 bad_ace = TRUE;
2427 }
2428 }
2429
2430 CATCH(BoundsError) {
2431 proto_tree_add_text(tree, tvb, offset, 0, "ACE Extends beyond end of captured data");
2432 missing_data = TRUE;
2433 }
2434
2435 CATCH(ReportedBoundsError) {
2436 proto_tree_add_text(tree, tvb, offset, 0, "ACE Extends beyond end of reassembled data");
2437 missing_data = TRUE;
2438 }
2439
2440 ENDTRY;
2441 }
2442 }
2443
2444 proto_item_set_len(item, offset-old_offset);
2445 return offset;
2446 }
2447
2448 static const true_false_string tfs_sec_desc_type_owner_defaulted = {
2449 "OWNER is DEFAULTED",
2450 "Owner is NOT defaulted"
2451 };
2452 static const true_false_string tfs_sec_desc_type_group_defaulted = {
2453 "GROUP is DEFAULTED",
2454 "Group is NOT defaulted"
2455 };
2456 static const true_false_string tfs_sec_desc_type_dacl_present = {
2457 "DACL is PRESENT",
2458 "DACL is NOT present"
2459 };
2460 static const true_false_string tfs_sec_desc_type_dacl_defaulted = {
2461 "DACL is DEFAULTED",
2462 "DACL is NOT defaulted"
2463 };
2464 static const true_false_string tfs_sec_desc_type_sacl_present = {
2465 "SACL is PRESENT",
2466 "SACL is NOT present"
2467 };
2468 static const true_false_string tfs_sec_desc_type_sacl_defaulted = {
2469 "SACL is DEFAULTED",
2470 "SACL is NOT defaulted"
2471 };
2472 static const true_false_string tfs_sec_desc_type_dacl_trusted = {
2473 "DACL TRUSTED is TRUE",
2474 "Dacl trusted is FALSE"
2475 };
2476 static const true_false_string tfs_sec_desc_type_server_security = {
2477 "SERVER SECURITY is TRUE",
2478 "Server security is FALSE"
2479 };
2480 static const true_false_string tfs_sec_desc_type_dacl_auto_inherit_req = {
2481 "DACL has AUTO INHERIT REQUIRED",
2482 "DACL does NOT require auto inherit"
2483 };
2484 static const true_false_string tfs_sec_desc_type_sacl_auto_inherit_req = {
2485 "SACL has AUTO INHERIT REQUIRED",
2486 "SACL does NOT require auto inherit"
2487 };
2488 static const true_false_string tfs_sec_desc_type_dacl_auto_inherited = {
2489 "DACL is AUTO INHERITED",
2490 "DACL is NOT auto inherited"
2491 };
2492 static const true_false_string tfs_sec_desc_type_sacl_auto_inherited = {
2493 "SACL is AUTO INHERITED",
2494 "SACL is NOT auto inherited"
2495 };
2496 static const true_false_string tfs_sec_desc_type_dacl_protected = {
2497 "The DACL is PROTECTED",
2498 "The DACL is NOT protected"
2499 };
2500 static const true_false_string tfs_sec_desc_type_sacl_protected = {
2501 "The SACL is PROTECTED",
2502 "The SACL is NOT protected"
2503 };
2504 static const true_false_string tfs_sec_desc_type_rm_control_valid = {
2505 "Rm control valid is TRUE",
2506 "Rm control valid is FALSE"
2507 };
2508 static const true_false_string tfs_sec_desc_type_self_relative = {
2509 "This SecDesc is SELF RELATIVE",
2510 "This SecDesc is NOT self relative"
2511 };
2512
2513
2514 static int
2515 dissect_nt_sec_desc_type(tvbuff_t *tvb, int offset, proto_tree *parent_tree)
2516 {
2517 proto_item *item = NULL;
2518 proto_tree *tree = NULL;
2519 guint16 mask;
2520
2521 mask = tvb_get_letohs(tvb, offset);
2522 if(parent_tree){
2523 item = proto_tree_add_text(parent_tree, tvb, offset, 2,
2524 "Type: 0x%04x", mask);
2525 tree = proto_item_add_subtree(item, ett_nt_sec_desc_type);
2526 }
2527
2528 proto_tree_add_boolean(tree,hf_nt_sec_desc_type_self_relative,
2529 tvb, offset, 2, mask);
2530 proto_tree_add_boolean(tree,hf_nt_sec_desc_type_rm_control_valid,
2531 tvb, offset, 2, mask);
2532 proto_tree_add_boolean(tree,hf_nt_sec_desc_type_sacl_protected,
2533 tvb, offset, 2, mask);
2534 proto_tree_add_boolean(tree,hf_nt_sec_desc_type_dacl_protected,
2535 tvb, offset, 2, mask);
2536 proto_tree_add_boolean(tree,hf_nt_sec_desc_type_sacl_auto_inherited,
2537 tvb, offset, 2, mask);
2538 proto_tree_add_boolean(tree,hf_nt_sec_desc_type_dacl_auto_inherited,
2539 tvb, offset, 2, mask);
2540 proto_tree_add_boolean(tree,hf_nt_sec_desc_type_sacl_auto_inherit_req,
2541 tvb, offset, 2, mask);
2542 proto_tree_add_boolean(tree,hf_nt_sec_desc_type_dacl_auto_inherit_req,
2543 tvb, offset, 2, mask);
2544 proto_tree_add_boolean(tree,hf_nt_sec_desc_type_server_security,
2545 tvb, offset, 2, mask);
2546 proto_tree_add_boolean(tree,hf_nt_sec_desc_type_dacl_trusted,
2547 tvb, offset, 2, mask);
2548 proto_tree_add_boolean(tree,hf_nt_sec_desc_type_sacl_defaulted,
2549 tvb, offset, 2, mask);
2550 proto_tree_add_boolean(tree,hf_nt_sec_desc_type_sacl_present,
2551 tvb, offset, 2, mask);
2552 proto_tree_add_boolean(tree,hf_nt_sec_desc_type_dacl_defaulted,
2553 tvb, offset, 2, mask);
2554 proto_tree_add_boolean(tree,hf_nt_sec_desc_type_dacl_present,
2555 tvb, offset, 2, mask);
2556 proto_tree_add_boolean(tree,hf_nt_sec_desc_type_group_defaulted,
2557 tvb, offset, 2, mask);
2558 proto_tree_add_boolean(tree, hf_nt_sec_desc_type_owner_defaulted,
2559 tvb, offset, 2, mask);
2560
2561
2562 offset += 2;
2563 return offset;
2564 }
2565
2566 int
2567 dissect_nt_security_information(tvbuff_t *tvb, int offset, proto_tree *parent_tree)
2568 {
2569 proto_item *item = NULL;
2570 proto_tree *tree = NULL;
2571 guint32 mask;
2572
2573 mask = tvb_get_letohl(tvb, offset);
2574 if(parent_tree){
2575 item = proto_tree_add_text(parent_tree, tvb, offset, 4,
2576 "SEC INFO: 0x%08x", mask);
2577 tree = proto_item_add_subtree(item, ett_nt_security_information);
2578 }
2579
2580 proto_tree_add_boolean(tree,hf_nt_security_information_sacl,
2581 tvb, offset, 4, mask);
2582 if (mask & 0x00000008) {
2583 proto_item_append_text(item, " SACL");
2584 }
2585 proto_tree_add_boolean(tree,hf_nt_security_information_dacl,
2586 tvb, offset, 4, mask);
2587 if (mask & 0x00000004) {
2588 proto_item_append_text(item, " DACL");
2589 }
2590 proto_tree_add_boolean(tree,hf_nt_security_information_group,
2591 tvb, offset, 4, mask);
2592 if (mask & 0x00000002) {
2593 proto_item_append_text(item, " GROUP");
2594 }
2595 proto_tree_add_boolean(tree,hf_nt_security_information_owner,
2596 tvb, offset, 4, mask);
2597 if (mask & 0x00000001) {
2598 proto_item_append_text(item, " OWNER");
2599 }
2600
2601 offset += 4;
2602
2603 return offset;
2604 }
2605
2606 int
2607 dissect_nt_sec_desc(tvbuff_t *tvb, int offset, packet_info *pinfo,
2608 proto_tree *parent_tree, guint8 *drep,
2609 gboolean len_supplied _U_, int len,
2610 struct access_mask_info *ami)
2611 {
2612 proto_item *item = NULL;
2613 proto_tree *tree = NULL;
2614 guint16 revision;
2615 int start_offset = offset;
2616 int volatile end_offset;
2617 int item_offset;
2618 guint32 owner_sid_offset;
2619 guint32 volatile group_sid_offset;
2620 guint32 volatile sacl_offset;
2621 guint32 volatile dacl_offset;
2622
2623 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
2624 "NT Security Descriptor");
2625 tree = proto_item_add_subtree(item, ett_nt_sec_desc);
2626
2627 /* revision */
2628 revision = tvb_get_letohs(tvb, offset);
2629 proto_tree_add_uint(tree, hf_nt_sec_desc_revision,
2630 tvb, offset, 2, revision);
2631 offset += 2;
2632
2633 switch(revision){
2634 case 1: /* only version we will ever see of this structure?*/
2635 /* type */
2636 offset = dissect_nt_sec_desc_type(tvb, offset, tree);
2637
2638 /* offset to owner sid */
2639 owner_sid_offset = tvb_get_letohl(tvb, offset);
2640 if(owner_sid_offset != 0 && owner_sid_offset < 20){
2641 /* Bogus value - points into fixed portion of descriptor */
2642 proto_tree_add_text(tree, tvb, offset, 4, "Offset to owner SID: %u (bogus, must be >= 20)", owner_sid_offset);
2643 owner_sid_offset = 0;
2644 } else
2645 proto_tree_add_text(tree, tvb, offset, 4, "Offset to owner SID: %u", owner_sid_offset);
2646 offset += 4;
2647
2648 /* offset to group sid */
2649 group_sid_offset = tvb_get_letohl(tvb, offset);
2650 if(group_sid_offset != 0 && group_sid_offset < 20){
2651 /* Bogus value - points into fixed portion of descriptor */
2652 proto_tree_add_text(tree, tvb, offset, 4, "Offset to group SID: %u (bogus, must be >= 20)", group_sid_offset);
2653 group_sid_offset = 0;
2654 } else
2655 proto_tree_add_text(tree, tvb, offset, 4, "Offset to group SID: %u", group_sid_offset);
2656 offset += 4;
2657
2658 /* offset to sacl */
2659 sacl_offset = tvb_get_letohl(tvb, offset);
2660 if(sacl_offset != 0 && sacl_offset < 20){
2661 /* Bogus value - points into fixed portion of descriptor */
2662 proto_tree_add_text(tree, tvb, offset, 4, "Offset to SACL: %u (bogus, must be >= 20)", sacl_offset);
2663 sacl_offset = 0;
2664 } else
2665 proto_tree_add_text(tree, tvb, offset, 4, "Offset to SACL: %u", sacl_offset);
2666 offset += 4;
2667
2668 /* offset to dacl */
2669 dacl_offset = tvb_get_letohl(tvb, offset);
2670 if(dacl_offset != 0 && dacl_offset < 20){
2671 /* Bogus value - points into fixed portion of descriptor */
2672 proto_tree_add_text(tree, tvb, offset, 4, "Offset to DACL: %u (bogus, must be >= 20)", dacl_offset);
2673 dacl_offset = 0;
2674 } else
2675 proto_tree_add_text(tree, tvb, offset, 4, "Offset to DACL: %u", dacl_offset);
2676 offset += 4;
2677
2678 end_offset = offset;
2679
2680 /*owner SID*/
2681 if(owner_sid_offset){
2682 item_offset = start_offset+owner_sid_offset;
2683 if (item_offset < start_offset) {
2684 /*
2685 * Overflow - throw an exception.
2686 */
2687 THROW(ReportedBoundsError);
2688 }
2689 TRY{
2690 offset = dissect_nt_sid(tvb, item_offset, tree, "Owner", NULL, -1);
2691 if (offset > end_offset)
2692 end_offset = offset;
2693 }
2694
2695 CATCH(BoundsError) {
2696 proto_tree_add_text(tree, tvb, item_offset, 0, "Owner SID beyond end of captured data");
2697 }
2698
2699 CATCH(ReportedBoundsError) {
2700 proto_tree_add_text(tree, tvb, item_offset, 0, "Owner SID beyond end of reassembled data");
2701 }
2702
2703 ENDTRY;
2704 }
2705
2706 /*group SID*/
2707 if(group_sid_offset){
2708 item_offset = start_offset+group_sid_offset;
2709 if (item_offset < start_offset) {
2710 /*
2711 * Overflow - throw an exception.
2712 */
2713 THROW(ReportedBoundsError);
2714 }
2715 TRY {
2716 offset = dissect_nt_sid(tvb, item_offset, tree, "Group", NULL, -1);
2717 if (offset > end_offset)
2718 end_offset = offset;
2719 }
2720
2721 CATCH(BoundsError) {
2722 proto_tree_add_text(tree, tvb, item_offset, 0, "Group SID beyond end of captured data");
2723 }
2724
2725 CATCH(ReportedBoundsError) {
2726 proto_tree_add_text(tree, tvb, item_offset, 0, "Group SID beyond end of reassembled data");
2727 }
2728
2729 ENDTRY;
2730 }
2731
2732 /* sacl */
2733 if(sacl_offset){
2734 item_offset = start_offset+sacl_offset;
2735 if (item_offset < start_offset) {
2736 /*
2737 * Overflow - throw an exception.
2738 */
2739 THROW(ReportedBoundsError);
2740 }
2741 offset = dissect_nt_acl(tvb, item_offset, pinfo, tree,
2742 drep, "System (SACL)", ami);
2743 if (offset > end_offset)
2744 end_offset = offset;
2745 }
2746
2747 /* dacl */
2748 if(dacl_offset){
2749 item_offset = start_offset+dacl_offset;
2750 if (item_offset < start_offset) {
2751 /*
2752 * Overflow - throw an exception.
2753 */
2754 THROW(ReportedBoundsError);
2755 }
2756 offset = dissect_nt_acl(tvb, item_offset, pinfo, tree,
2757 drep, "User (DACL)", ami);
2758 if (offset > end_offset)
2759 end_offset = offset;
2760 }
2761
2762 break;
2763
2764 default:
2765 end_offset = offset;
2766 break;
2767 }
2768
2769 len = end_offset - start_offset;
2770 proto_item_set_len(item, len);
2771
2772 return offset;
2773 }
2774
2775 /*
2776 * XXX - we should have a way to register fields not associated with a
2777 * protocol.
2778 *
2779 * XXX - make-reg-dotc.py doesn't check for an argument list of "(void)",
2780 * so we have to give this a name other than "proto_register_..." so that
2781 * it doesn't end up being called from "register.c".
2782 */
2783 void
2784 proto_do_register_windows_common(int proto_smb)
2785 {
2786 static hf_register_info hf[] = {
2787 /* Security descriptors */
2788
2789 { &hf_nt_sec_desc_revision,
2790 { "Revision", "nt.sec_desc.revision", FT_UINT16, BASE_DEC,
2791 NULL, 0, "Version of NT Security Descriptor structure", HFILL }},
2792
2793 { &hf_nt_sec_desc_type_owner_defaulted,
2794 { "Owner Defaulted", "nt.sec_desc.type.owner_defaulted", FT_BOOLEAN, 16,
2795 TFS(&tfs_sec_desc_type_owner_defaulted), 0x0001, "Is Owner Defaulted set?", HFILL }},
2796
2797 { &hf_nt_sec_desc_type_group_defaulted,
2798 { "Group Defaulted", "nt.sec_desc.type.group_defaulted", FT_BOOLEAN, 16,
2799 TFS(&tfs_sec_desc_type_group_defaulted), 0x0002, "Is Group Defaulted?", HFILL }},
2800
2801 { &hf_nt_sec_desc_type_dacl_present,
2802 { "DACL Present", "nt.sec_desc.type.dacl_present", FT_BOOLEAN, 16,
2803 TFS(&tfs_sec_desc_type_dacl_present), 0x0004, "Does this SecDesc have DACL present?", HFILL }},
2804
2805 { &hf_nt_sec_desc_type_dacl_defaulted,
2806 { "DACL Defaulted", "nt.sec_desc.type.dacl_defaulted", FT_BOOLEAN, 16,
2807 TFS(&tfs_sec_desc_type_dacl_defaulted), 0x0008, "Does this SecDesc have DACL Defaulted?", HFILL }},
2808
2809 { &hf_nt_sec_desc_type_sacl_present,
2810 { "SACL Present", "nt.sec_desc.type.sacl_present", FT_BOOLEAN, 16,
2811 TFS(&tfs_sec_desc_type_sacl_present), 0x0010, "Is the SACL present?", HFILL }},
2812
2813 { &hf_nt_sec_desc_type_sacl_defaulted,
2814 { "SACL Defaulted", "nt.sec_desc.type.sacl_defaulted", FT_BOOLEAN, 16,
2815 TFS(&tfs_sec_desc_type_sacl_defaulted), 0x0020, "Does this SecDesc have SACL Defaulted?", HFILL }},
2816
2817 { &hf_nt_sec_desc_type_dacl_auto_inherit_req,
2818 { "DACL Auto Inherit Required", "nt.sec_desc.type.dacl_auto_inherit_req", FT_BOOLEAN, 16,
2819 TFS(&tfs_sec_desc_type_dacl_auto_inherit_req), 0x0100, "Does this SecDesc have DACL Auto Inherit Required set?", HFILL }},
2820
2821 { &hf_nt_sec_desc_type_dacl_trusted,
2822 { "DACL Trusted", "nt.sec_desc.type.dacl_trusted", FT_BOOLEAN, 16,
2823 TFS(&tfs_sec_desc_type_dacl_trusted), 0x0040, "Does this SecDesc have DACL TRUSTED set?", HFILL }},
2824
2825 { &hf_nt_sec_desc_type_server_security,
2826 { "Server Security", "nt.sec_desc.type.server_security", FT_BOOLEAN, 16,
2827 TFS(&tfs_sec_desc_type_server_security), 0x0080, "Does this SecDesc have SERVER SECURITY set?", HFILL }},
2828
2829 { &hf_nt_sec_desc_type_sacl_auto_inherit_req,
2830 { "SACL Auto Inherit Required", "nt.sec_desc.type.sacl_auto_inherit_req", FT_BOOLEAN, 16,
2831 TFS(&tfs_sec_desc_type_sacl_auto_inherit_req), 0x0200, "Does this SecDesc have SACL Auto Inherit Required set?", HFILL }},
2832
2833 { &hf_nt_sec_desc_type_dacl_auto_inherited,
2834 { "DACL Auto Inherited", "nt.sec_desc.type.dacl_auto_inherited", FT_BOOLEAN, 16,
2835 TFS(&tfs_sec_desc_type_dacl_auto_inherited), 0x0400, "Is this DACL auto inherited", HFILL }},
2836
2837 { &hf_nt_sec_desc_type_sacl_auto_inherited,
2838 { "SACL Auto Inherited", "nt.sec_desc.type.sacl_auto_inherited", FT_BOOLEAN, 16,
2839 TFS(&tfs_sec_desc_type_sacl_auto_inherited), 0x0800, "Is this SACL auto inherited", HFILL }},
2840
2841 { &hf_nt_sec_desc_type_dacl_protected,
2842 { "DACL Protected", "nt.sec_desc.type.dacl_protected", FT_BOOLEAN, 16,
2843 TFS(&tfs_sec_desc_type_dacl_protected), 0x1000, "Is the DACL structure protected?", HFILL }},
2844
2845 { &hf_nt_sec_desc_type_sacl_protected,
2846 { "SACL Protected", "nt.sec_desc.type.sacl_protected", FT_BOOLEAN, 16,
2847 TFS(&tfs_sec_desc_type_sacl_protected), 0x2000, "Is the SACL structure protected?", HFILL }},
2848
2849 { &hf_nt_sec_desc_type_self_relative,
2850 { "Self Relative", "nt.sec_desc.type.self_relative", FT_BOOLEAN, 16,
2851 TFS(&tfs_sec_desc_type_self_relative), 0x8000, "Is this SecDesc self relative?", HFILL }},
2852
2853 { &hf_nt_sec_desc_type_rm_control_valid,
2854 { "RM Control Valid", "nt.sec_desc.type.rm_control_valid", FT_BOOLEAN, 16,
2855 TFS(&tfs_sec_desc_type_rm_control_valid), 0x4000, "Is RM Control Valid set?", HFILL }},
2856
2857 /* SIDs */
2858
2859 { &hf_nt_sid,
2860 { "SID", "nt.sid", FT_STRING, BASE_NONE,
2861 NULL, 0, "SID: Security Identifier", HFILL }},
2862
2863 { &hf_nt_sid_revision,
2864 { "Revision", "nt.sid.revision", FT_UINT8, BASE_DEC,
2865 NULL, 0, "Version of SID structure", HFILL }},
2866
2867 { &hf_nt_sid_num_auth,
2868 { "Num Auth", "nt.sid.num_auth", FT_UINT8, BASE_DEC,
2869 NULL, 0, "Number of authorities for this SID", HFILL }},
2870
2871 { &hf_nt_sid_auth_dec,
2872 { "Authority", "nt.sid.auth", FT_UINT64, BASE_DEC,
2873 NULL, 0, "Identifier Authority", HFILL }},
2874
2875 { &hf_nt_sid_auth_hex,
2876 { "Authority", "nt.sid.auth", FT_UINT64, BASE_HEX,
2877 NULL, 0, "Identifier Authority", HFILL }},
2878
2879 { &hf_nt_sid_subauth,
2880 { "Subauthorities", "nt.sid.subauth", FT_STRING, BASE_NONE,
2881 NULL, 0, "Subauthorities fields", HFILL }},
2882
2883 { &hf_nt_sid_rid_dec,
2884 { "RID", "nt.sid.rid", FT_UINT32, BASE_DEC,
2885 NULL, 0, "Relative IDentifier: identifies a user or group", HFILL }},
2886
2887 { &hf_nt_sid_rid_hex,
2888 { "RID", "nt.sid.rid", FT_UINT32, BASE_HEX,
2889 NULL, 0, "Relative IDentifier: identifies a user or group", HFILL }},
2890
2891 { &hf_nt_sid_wkwn,
2892 { "Well-known SID", "nt.sid.wkwn", FT_STRING, BASE_NONE,
2893 NULL, 0, NULL, HFILL }},
2894
2895 { &hf_nt_sid_domain,
2896 { "Domain", "nt.sid.domain", FT_STRING, BASE_NONE,
2897 NULL, 0, NULL, HFILL }},
2898
2899 /* ACLs */
2900
2901 { &hf_nt_acl_revision,
2902 { "Revision", "nt.acl.revision", FT_UINT16, BASE_DEC,
2903 VALS(acl_revision_vals), 0, "Version of NT ACL structure", HFILL }},
2904
2905 { &hf_nt_acl_size,
2906 { "Size", "nt.acl.size", FT_UINT16, BASE_DEC,
2907 NULL, 0, "Size of NT ACL structure", HFILL }},
2908
2909 { &hf_nt_acl_num_aces,
2910 { "Num ACEs", "nt.acl.num_aces", FT_UINT32, BASE_DEC,
2911 NULL, 0, "Number of ACE structures for this ACL", HFILL }},
2912
2913 /* ACEs */
2914
2915 { &hf_nt_ace_type,
2916 { "Type", "nt.ace.type",
2917 FT_UINT8, BASE_DEC, VALS(ace_type_vals), 0, "Type of ACE",
2918 HFILL }},
2919
2920 { &hf_nt_ace_size,
2921 { "Size", "nt.ace.size", FT_UINT16, BASE_DEC, NULL, 0,
2922 "Size of this ACE", HFILL }},
2923
2924 { &hf_nt_ace_flags_object_inherit,
2925 { "Object Inherit", "nt.ace.flags.object_inherit", FT_BOOLEAN, 8,
2926 TFS(&tfs_ace_flags_object_inherit), 0x01, "Will subordinate files inherit this ACE?", HFILL }},
2927
2928 { &hf_nt_ace_flags_container_inherit,
2929 { "Container Inherit", "nt.ace.flags.container_inherit", FT_BOOLEAN, 8,
2930 TFS(&tfs_ace_flags_container_inherit), 0x02, "Will subordinate containers inherit this ACE?", HFILL }},
2931
2932 { &hf_nt_ace_flags_non_propagate_inherit,
2933 { "Non-Propagate Inherit", "nt.ace.flags.non_propagate_inherit", FT_BOOLEAN, 8,
2934 TFS(&tfs_ace_flags_non_propagate_inherit), 0x04, "Will subordinate object propagate this ACE further?", HFILL }},
2935
2936 { &hf_nt_ace_flags_inherit_only,
2937 { "Inherit Only", "nt.ace.flags.inherit_only", FT_BOOLEAN, 8,
2938 TFS(&tfs_ace_flags_inherit_only), 0x08, "Does this ACE apply to the current object?", HFILL }},
2939
2940 { &hf_nt_ace_flags_inherited_ace,
2941 { "Inherited ACE", "nt.ace.flags.inherited_ace", FT_BOOLEAN, 8,
2942 TFS(&tfs_ace_flags_inherited_ace), 0x10, "Was this ACE inherited from its parent object?", HFILL }},
2943
2944 { &hf_nt_ace_flags_successful_access,
2945 { "Audit Successful Accesses", "nt.ace.flags.successful_access", FT_BOOLEAN, 8,
2946 TFS(&tfs_ace_flags_successful_access), 0x40, "Should successful accesses be audited?", HFILL }},
2947
2948 { &hf_nt_ace_flags_failed_access,
2949 { "Audit Failed Accesses", "nt.ace.flags.failed_access", FT_BOOLEAN, 8,
2950 TFS(&tfs_ace_flags_failed_access), 0x80, "Should failed accesses be audited?", HFILL }},
2951
2952 /* Access masks */
2953
2954 { &hf_nt_access_mask,
2955 { "Access required", "nt.access_mask",
2956 FT_UINT32, BASE_HEX, NULL, 0x0, "Access mask",
2957 HFILL }},
2958
2959 { &hf_access_generic_read,
2960 { "Generic read", "nt.access_mask.generic_read",
2961 FT_BOOLEAN, 32, TFS(&tfs_set_notset),
2962 GENERIC_READ_ACCESS, NULL, HFILL }},
2963
2964 { &hf_access_generic_write,
2965 { "Generic write", "nt.access_mask.generic_write",
2966 FT_BOOLEAN, 32, TFS(&tfs_set_notset),
2967 GENERIC_WRITE_ACCESS, NULL, HFILL }},
2968
2969 { &hf_access_generic_execute,
2970 { "Generic execute", "nt.access_mask.generic_execute",
2971 FT_BOOLEAN, 32, TFS(&tfs_set_notset),
2972 GENERIC_EXECUTE_ACCESS, NULL, HFILL }},
2973
2974 { &hf_access_generic_all,
2975 { "Generic all", "nt.access_mask.generic_all",
2976 FT_BOOLEAN, 32, TFS(&tfs_set_notset),
2977 GENERIC_ALL_ACCESS, NULL, HFILL }},
2978
2979 { &hf_access_maximum_allowed,
2980 { "Maximum allowed", "nt.access_mask.maximum_allowed",
2981 FT_BOOLEAN, 32, TFS(&tfs_set_notset),
2982 MAXIMUM_ALLOWED_ACCESS, NULL, HFILL }},
2983
2984 { &hf_access_sacl,
2985 { "Access SACL", "nt.access_mask.access_sacl",
2986 FT_BOOLEAN, 32, TFS(&tfs_set_notset),
2987 ACCESS_SACL_ACCESS, NULL, HFILL }},
2988
2989 { &hf_access_standard_read_control,
2990 { "Read control", "nt.access_mask.read_control",
2991 FT_BOOLEAN, 32, TFS(&tfs_set_notset),
2992 READ_CONTROL_ACCESS, NULL, HFILL }},
2993
2994 { &hf_access_standard_delete,
2995 { "Delete", "nt.access_mask.delete",
2996 FT_BOOLEAN, 32, TFS(&tfs_set_notset),
2997 DELETE_ACCESS, NULL, HFILL }},
2998
2999 { &hf_access_standard_synchronise,
3000 { "Synchronise", "nt.access_mask.synchronise",
3001 FT_BOOLEAN, 32, TFS(&tfs_set_notset),
3002 SYNCHRONIZE_ACCESS, NULL, HFILL }},
3003
3004 { &hf_access_standard_write_dac,
3005 { "Write DAC", "nt.access_mask.write_dac",
3006 FT_BOOLEAN, 32, TFS(&tfs_set_notset),
3007 WRITE_DAC_ACCESS, NULL, HFILL }},
3008
3009 { &hf_access_standard_write_owner,
3010 { "Write owner", "nt.access_mask.write_owner",
3011 FT_BOOLEAN, 32, TFS(&tfs_set_notset),
3012 WRITE_OWNER_ACCESS, NULL, HFILL }},
3013
3014 { &hf_access_specific_15,
3015 { "Specific access, bit 15", "nt.access_mask.specific_15",
3016 FT_BOOLEAN, 32, TFS(&tfs_set_notset),
3017 0x8000, NULL, HFILL }},
3018
3019 { &hf_access_specific_14,
3020 { "Specific access, bit 14", "nt.access_mask.specific_14",
3021 FT_BOOLEAN, 32, TFS(&tfs_set_notset),
3022 0x4000, NULL, HFILL }},
3023
3024 { &hf_access_specific_13,
3025 { "Specific access, bit 13", "nt.access_mask.specific_13",
3026 FT_BOOLEAN, 32, TFS(&tfs_set_notset),
3027 0x2000, NULL, HFILL }},
3028
3029 { &hf_access_specific_12,
3030 { "Specific access, bit 12", "nt.access_mask.specific_12",
3031 FT_BOOLEAN, 32, TFS(&tfs_set_notset),
3032 0x1000, NULL, HFILL }},
3033
3034 { &hf_access_specific_11,
3035 { "Specific access, bit 11", "nt.access_mask.specific_11",
3036 FT_BOOLEAN, 32, TFS(&tfs_set_notset),
3037 0x0800, NULL, HFILL }},
3038
3039 { &hf_access_specific_10,
3040 { "Specific access, bit 10", "nt.access_mask.specific_10",
3041 FT_BOOLEAN, 32, TFS(&tfs_set_notset),
3042 0x0400, NULL, HFILL }},
3043
3044 { &hf_access_specific_9,
3045 { "Specific access, bit 9", "nt.access_mask.specific_9",
3046 FT_BOOLEAN, 32, TFS(&tfs_set_notset),
3047 0x0200, NULL, HFILL }},
3048
3049 { &hf_access_specific_8,
3050 { "Specific access, bit 8", "nt.access_mask.specific_8",
3051 FT_BOOLEAN, 32, TFS(&tfs_set_notset),
3052 0x0100, NULL, HFILL }},
3053
3054 { &hf_access_specific_7,
3055 { "Specific access, bit 7", "nt.access_mask.specific_7",
3056 FT_BOOLEAN, 32, TFS(&tfs_set_notset),
3057 0x0080, NULL, HFILL }},
3058
3059 { &hf_access_specific_6,
3060 { "Specific access, bit 6", "nt.access_mask.specific_6",
3061 FT_BOOLEAN, 32, TFS(&tfs_set_notset),
3062 0x0040, NULL, HFILL }},
3063
3064 { &hf_access_specific_5,
3065 { "Specific access, bit 5", "nt.access_mask.specific_5",
3066 FT_BOOLEAN, 32, TFS(&tfs_set_notset),
3067 0x0020, NULL, HFILL }},
3068
3069 { &hf_access_specific_4,
3070 { "Specific access, bit 4", "nt.access_mask.specific_4",
3071 FT_BOOLEAN, 32, TFS(&tfs_set_notset),
3072 0x0010, NULL, HFILL }},
3073
3074 { &hf_access_specific_3,
3075 { "Specific access, bit 3", "nt.access_mask.specific_3",
3076 FT_BOOLEAN, 32, TFS(&tfs_set_notset),
3077 0x0008, NULL, HFILL }},
3078
3079 { &hf_access_specific_2,
3080 { "Specific access, bit 2", "nt.access_mask.specific_2",
3081 FT_BOOLEAN, 32, TFS(&tfs_set_notset),
3082 0x0004, NULL, HFILL }},
3083
3084 { &hf_access_specific_1,
3085 { "Specific access, bit 1", "nt.access_mask.specific_1",
3086 FT_BOOLEAN, 32, TFS(&tfs_set_notset),
3087 0x0002, NULL, HFILL }},
3088
3089 { &hf_access_specific_0,
3090 { "Specific access, bit 0", "nt.access_mask.specific_0",
3091 FT_BOOLEAN, 32, TFS(&tfs_set_notset),
3092 0x0001, NULL, HFILL }},
3093
3094 { &hf_nt_ace_flags_object_type_present,
3095 { "Object Type Present", "nt.ace.object.flags.object_type_present",
3096 FT_BOOLEAN, 32, TFS(&tfs_set_notset),
3097 0x00000001, NULL, HFILL }},
3098
3099 { &hf_nt_ace_flags_inherited_object_type_present,
3100 { "Inherited Object Type Present", "nt.ace.object.flags.inherited_object_type_present",
3101 FT_BOOLEAN, 32, TFS(&tfs_set_notset),
3102 0x00000002, NULL, HFILL }},
3103
3104 { &hf_nt_ace_guid,
3105 { "GUID", "nt.ace.object.guid", FT_GUID, BASE_NONE,
3106 NULL, 0, NULL, HFILL }},
3107
3108 { &hf_nt_ace_inherited_guid,
3109 { "Inherited GUID", "nt.ace.object.inherited_guid", FT_GUID, BASE_NONE,
3110 NULL, 0, NULL, HFILL }},
3111
3112 { &hf_nt_security_information_sacl,
3113 { "SACL", "nt.sec_info.sacl", FT_BOOLEAN, 32,
3114 TFS(&flags_sec_info_sacl), 0x00000008, NULL, HFILL }},
3115
3116 { &hf_nt_security_information_dacl,
3117 { "DACL", "nt.sec_info.dacl", FT_BOOLEAN, 32,
3118 TFS(&flags_sec_info_dacl), 0x00000004, NULL, HFILL }},
3119
3120 { &hf_nt_security_information_group,
3121 { "Group", "nt.sec_info.group", FT_BOOLEAN, 32,
3122 TFS(&flags_sec_info_group), 0x00000002, NULL, HFILL }},
3123
3124 { &hf_nt_security_information_owner,
3125 { "Owner", "nt.sec_info.owner", FT_BOOLEAN, 32,
3126 TFS(&flags_sec_info_owner), 0x00000001, NULL, HFILL }},
3127
3128 };
3129
3130 static gint *ett[] = {
3131 &ett_nt_sec_desc,
3132 &ett_nt_sec_desc_type,
3133 &ett_nt_sid,
3134 &ett_nt_acl,
3135 &ett_nt_ace,
3136 &ett_nt_ace_flags,
3137 &ett_nt_ace_object,
3138 &ett_nt_ace_object_flags,
3139 &ett_nt_access_mask,
3140 &ett_nt_access_mask_generic,
3141 &ett_nt_access_mask_standard,
3142 &ett_nt_access_mask_specific,
3143 &ett_nt_security_information,
3144 };
3145
3146 proto_register_subtree_array(ett, array_length(ett));
3147 proto_register_field_array(proto_smb, hf, array_length(hf));
3148 }