path: root/epan/dissectors/pidl/mapi/mapi.cnf
blob: 4404f160772b47046952028fc6f5c909145dfccd (plain)
# handle
HF_FIELD hf_mapi_handle "Handle" "mapi.handle" FT_BYTES BASE_NONE NULL 0 NULL HFILL
HF_RENAME hf_mapi_EcDoConnect_handle hf_mapi_handle
HF_RENAME hf_mapi_EcDoDisconnect_handle hf_mapi_handle
HF_RENAME hf_mapi_EcDoRpc_handle hf_mapi_handle
HF_RENAME hf_mapi_EcRRegisterPushNotification_handle hf_mapi_handle
HF_RENAME hf_mapi_EcRUnregisterPushNotification_handle hf_mapi_handle

#
# policyhandle tracking
# This block specifies where a policyhandle is opened and where it is
# closed, so that dissected policyhandles are annotated with information
# such as [opened in xxx] [closed in yyy]
#
# Policyhandles are opened in these functions (open == 0x0001)
PARAM_VALUE mapi_dissect_element_EcDoConnect_handle_ 0x0001
# Policyhandles are closed in these functions (close == 0x0002)
PARAM_VALUE mapi_dissect_element_EcDoDisconnect_handle_ 0x0002

HF_FIELD hf_mapi_property_types "Value" "mapi.SPropValue.value" FT_UINT32 BASE_HEX VALS(mapi_property_types_vals) 0 NULL HFILL
HF_RENAME hf_mapi_SPropValue_value hf_mapi_property_types

HF_FIELD hf_mapi_recipient_type "Recipient Type" "mapi.recipients_headers.type" FT_UINT16 BASE_HEX VALS(mapi_OM_recipient_type_vals) 0 NULL HFILL
HF_RENAME hf_mapi_recipients_headers_type hf_mapi_recipient_type

HF_FIELD hf_mapi_MAPI_OPNUM "Opnum" "mapi.EcDoRpc_MAPI_REQ.opnum" FT_UINT8 BASE_HEX VALS(mapi_MAPI_OPNUM_vals) 0 NULL HFILL
HF_RENAME hf_mapi_EcDoRpc_MAPI_REQ_opnum hf_mapi_MAPI_OPNUM

HF_FIELD hf_mapi_pdu_len "Length" "mapi.pdu.len" FT_UINT16 BASE_HEX NULL 0x0 "Size of the command PDU" HFILL
HF_FIELD hf_mapi_decrypted_data "Decrypted data" "mapi.decrypted.data" FT_BYTES BASE_NONE NULL 0 NULL HFILL
HF_FIELD hf_mapi_MAPI_handle "MAPI handle" "mapi.mapi_handle" FT_UINT32 BASE_HEX NULL 0 NULL HFILL

NOEMIT SBinary_short
NOEMIT MV_LONG_STRUCT
NOEMIT SLPSTRArray
NOEMIT SBinaryArray
NOEMIT SGuidArray
NOEMIT SPropValue_array
NOEMIT SPropTagArray
NOEMIT SRowList

NOEMIT OpenMessage_repl
NOEMIT GetPropList_repl
NOEMIT DeleteProps_req
NOEMIT ModifyRecipients_req
NOEMIT SetColumns_req

NOEMIT SSortOrderSet
NOEMIT SAndRestriction
NOEMIT SOrRestriction
NOEMIT SNotRestriction
NOEMIT SSubRestriction
NOEMIT SCommentRestriction

NOEMIT DeleteMessages_req
NOEMIT SetSearchCriteria_req
NOEMIT GetSearchCriteria_repl
NOEMIT CopyMessages_req
NOEMIT QueryColumns_repl
NOEMIT AddressTypes_repl
NOEMIT GetNamesFromIDs_repl
NOEMIT GetIDsFromNames_req
NOEMIT GetIDsFromNames_repl
NOEMIT QueryNamesFromIDs_repl
NOEMIT GetReceiveFolderTable_repl

NOEMIT NOTIFKEY

TYPE hyper "offset=cnf_dissect_hyper(tvb, offset, pinfo, tree, di, drep, @PARAM@, @HF@);" FT_UINT64 BASE_DEC 0 NULL 8


CODE START

/**
 * Dissect an NDR 64-bit value on behalf of the "TYPE hyper" conformance
 * directive, which expands to a call to this helper.
 *
 * This is a thin wrapper around dissect_ndr_uint64(). NULL is passed as
 * the final argument, so no decoded value is captured here, and `param`
 * is accepted only to match the call generated by the directive; it is
 * not used.
 *
 * @return the offset returned by dissect_ndr_uint64().
 */
static int
cnf_dissect_hyper(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info* di, guint8 *drep, guint32 param, int hfindex)
{
	return dissect_ndr_uint64(tvb, offset, pinfo, tree, di, drep, hfindex, NULL);
}


/**
 * Analyze mapi_request MAPI Handles.
 *
 * Everything from `offset` to the end of the reported data is treated as
 * an array of 32-bit little-endian MAPI handles. Each handle is added as
 * an hf_mapi_MAPI_handle item under a "MAPI Handles: <count>" subtree.
 *
 * The handle count is derived from the reported (on-the-wire) length, a
 * value taken from the packet itself. The count uses integer division by
 * 4, so up to three trailing bytes are covered by the subtree but are not
 * decoded and are not included in the returned offset.
 *
 * NOTE(review): this relies on tvb_get_letohl() to reject reads beyond
 * the captured data when a capture is truncated; no explicit check is
 * made here. Confirm against the tvbuff API in use.
 *
 * @return the offset just past the last decoded handle.
 */
static int mapi_dissect_element_request_handles_cnf(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info* di, guint8 *drep)
{
	/* Bytes the packet claims to carry from offset onward. */
	const gint	remaining = tvb_reported_length_remaining(tvb, offset);
	/* Each MAPI handle occupies 4 bytes. */
	const gint	handle_count = remaining / 4;
	proto_tree	*handles_tree = NULL;
	gint		idx = 0;

	handles_tree = proto_tree_add_subtree_format(tree, tvb, offset, remaining, ett_mapi_mapi_request, NULL, "MAPI Handles: %d", handle_count);

	while (idx < handle_count) {
		const guint32 handle = tvb_get_letohl(tvb, offset);

		proto_tree_add_uint_format(handles_tree, hf_mapi_MAPI_handle, tvb, offset, 4, handle, "[%.2d] MAPI handle: 0x%.8x", idx, handle);
		offset += 4;
		idx++;
	}

	return offset;
}

CODE END

#
# MAPI Request and Response
#
INCLUDE request.cnf.c
INCLUDE response.cnf.c