1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
|
#
# policyhandle tracking
# This block is to specify where a policyhandle is opened and where it is
# closed so that policyhandles when dissected contain nice info such as
# [opened in xxx] [closed in yyy]
#
# Policyhandles are opened in these functions
PARAM_VALUE samr_dissect_element_Connect_connect_handle_ PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_SAMR_CONNECT
PARAM_VALUE samr_dissect_element_OpenDomain_domain_handle_ PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_SAMR_DOMAIN
PARAM_VALUE samr_dissect_element_CreateDomainGroup_group_handle_ PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_SAMR_GROUP
PARAM_VALUE samr_dissect_element_CreateUser_user_handle_ PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_SAMR_USER
PARAM_VALUE samr_dissect_element_CreateDomAlias_alias_handle_ PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_SAMR_ALIAS
PARAM_VALUE samr_dissect_element_OpenGroup_group_handle_ PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_SAMR_GROUP
PARAM_VALUE samr_dissect_element_OpenAlias_alias_handle_ PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_SAMR_ALIAS
PARAM_VALUE samr_dissect_element_OpenUser_user_handle_ PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_SAMR_USER
PARAM_VALUE samr_dissect_element_CreateUser2_user_handle_ PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_SAMR_USER
PARAM_VALUE samr_dissect_element_Connect2_connect_handle_ PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_SAMR_CONNECT
PARAM_VALUE samr_dissect_element_Connect3_connect_handle_ PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_SAMR_CONNECT
PARAM_VALUE samr_dissect_element_Connect4_connect_handle_ PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_SAMR_CONNECT
PARAM_VALUE samr_dissect_element_Connect5_connect_handle_ PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_SAMR_CONNECT
# Policyhandles are closed in these functions
PARAM_VALUE samr_dissect_element_Close_handle_ PIDL_POLHND_CLOSE
PARAM_VALUE samr_dissect_element_Shutdown_connect_handle_ PIDL_POLHND_CLOSE
PARAM_VALUE samr_dissect_element_DeleteDomainGroup_group_handle_ PIDL_POLHND_CLOSE
PARAM_VALUE samr_dissect_element_DeleteDomAlias_alias_handle_ PIDL_POLHND_CLOSE
PARAM_VALUE samr_dissect_element_DeleteUser_user_handle_ PIDL_POLHND_CLOSE
#
# make sure all policy handles of the same type use the same filter name
#
HF_FIELD hf_samr_handle "Handle" "samr.handle" FT_BYTES BASE_NONE NULL 0 "" "" ""
HF_RENAME hf_samr_samr_Close_handle hf_samr_handle
HF_RENAME hf_samr_samr_SetSecurity_handle hf_samr_handle
HF_RENAME hf_samr_samr_QuerySecurity_handle hf_samr_handle
HF_FIELD hf_samr_connect_handle "Connect Handle" "samr.connect_handle" FT_BYTES BASE_NONE NULL 0 "" "" ""
HF_RENAME hf_samr_samr_Connect_connect_handle hf_samr_connect_handle
HF_RENAME hf_samr_samr_LookupDomain_connect_handle hf_samr_connect_handle
HF_RENAME hf_samr_samr_EnumDomain_connect_handle hf_samr_connect_handle
HF_RENAME hf_samr_samr_OpenDomain_connect_handle hf_samr_connect_handle
HF_RENAME hf_samr_samr_Shutdown_handle hf_samr_connect_handle
HF_RENAME hf_samr_samr_Connect2_connect_handle hf_samr_connect_handle
HF_RENAME hf_samr_samr_SetBootKeyInformation_connect_handle hf_samr_connect_handle
HF_RENAME hf_samr_samr_GetBootKeyInformation_connect_handle hf_samr_connect_handle
HF_RENAME hf_samr_samr_Connect3_connect_handle hf_samr_connect_handle
HF_RENAME hf_samr_samr_Connect4_connect_handle hf_samr_connect_handle
HF_RENAME hf_samr_samr_Connect5_connect_handle hf_samr_connect_handle
HF_FIELD hf_samr_domain_handle "Domain Handle" "samr.domain_handle" FT_BYTES BASE_NONE NULL 0 "" "" ""
HF_RENAME hf_samr_samr_OpenDomain_domain_handle hf_samr_domain_handle
HF_RENAME hf_samr_samr_QueryDomainInfo_domain_handle hf_samr_domain_handle
HF_RENAME hf_samr_samr_SetDomainInfo_domain_handle hf_samr_domain_handle
HF_RENAME hf_samr_samr_CreateDomainGroup_domain_handle hf_samr_domain_handle
HF_RENAME hf_samr_samr_EnumDomainGroups_domain_handle hf_samr_domain_handle
HF_RENAME hf_samr_samr_CreateUser_domain_handle hf_samr_domain_handle
HF_RENAME hf_samr_samr_EnumDomainUsers_domain_handle hf_samr_domain_handle
HF_RENAME hf_samr_samr_CreateDomAlias_domain_handle hf_samr_domain_handle
HF_RENAME hf_samr_samr_EnumDomainAliases_domain_handle hf_samr_domain_handle
HF_RENAME hf_samr_samr_GetAliasMembership_domain_handle hf_samr_domain_handle
HF_RENAME hf_samr_samr_LookupNames_domain_handle hf_samr_domain_handle
HF_RENAME hf_samr_samr_LookupRids_domain_handle hf_samr_domain_handle
HF_RENAME hf_samr_samr_OpenGroup_domain_handle hf_samr_domain_handle
HF_RENAME hf_samr_samr_OpenAlias_domain_handle hf_samr_domain_handle
HF_RENAME hf_samr_samr_OpenUser_domain_handle hf_samr_domain_handle
HF_RENAME hf_samr_samr_QueryDisplayInfo_domain_handle hf_samr_domain_handle
HF_RENAME hf_samr_samr_GetDisplayEnumerationIndex_domain_handle hf_samr_domain_handle
HF_RENAME hf_samr_samr_TestPrivateFunctionsDomain_domain_handle hf_samr_domain_handle
HF_RENAME hf_samr_samr_RemoveMemberFromForeignDomain_domain_handle hf_samr_domain_handle
HF_RENAME hf_samr_samr_QueryDomainInfo2_domain_handle hf_samr_domain_handle
HF_RENAME hf_samr_samr_QueryDisplayInfo2_domain_handle hf_samr_domain_handle
HF_RENAME hf_samr_samr_GetDisplayEnumerationIndex2_domain_handle hf_samr_domain_handle
HF_RENAME hf_samr_samr_CreateUser2_domain_handle hf_samr_domain_handle
HF_RENAME hf_samr_samr_QueryDisplayInfo3_domain_handle hf_samr_domain_handle
HF_RENAME hf_samr_samr_RidToSid_domain_handle hf_samr_domain_handle
HF_FIELD hf_samr_group_handle "Group Handle" "samr.group_handle" FT_BYTES BASE_NONE NULL 0 "" "" ""
HF_RENAME hf_samr_samr_CreateDomainGroup_group_handle hf_samr_group_handle
HF_RENAME hf_samr_samr_OpenGroup_group_handle hf_samr_group_handle
HF_RENAME hf_samr_samr_QueryGroupInfo_group_handle hf_samr_group_handle
HF_RENAME hf_samr_samr_SetGroupInfo_group_handle hf_samr_group_handle
HF_RENAME hf_samr_samr_AddGroupMember_group_handle hf_samr_group_handle
HF_RENAME hf_samr_samr_DeleteDomainGroup_group_handle hf_samr_group_handle
HF_RENAME hf_samr_samr_DeleteGroupMember_group_handle hf_samr_group_handle
HF_RENAME hf_samr_samr_QueryGroupMember_group_handle hf_samr_group_handle
HF_RENAME hf_samr_samr_SetMemberAttributesOfGroup_group_handle hf_samr_group_handle
HF_FIELD hf_samr_user_handle "User Handle" "samr.user_handle" FT_BYTES BASE_NONE NULL 0 "" "" ""
HF_RENAME hf_samr_samr_CreateUser_user_handle hf_samr_user_handle
HF_RENAME hf_samr_samr_OpenUser_user_handle hf_samr_user_handle
HF_RENAME hf_samr_samr_DeleteUser_user_handle hf_samr_user_handle
HF_RENAME hf_samr_samr_QueryUserInfo_user_handle hf_samr_user_handle
HF_RENAME hf_samr_samr_SetUserInfo_user_handle hf_samr_user_handle
HF_RENAME hf_samr_samr_ChangePasswordUser_user_handle hf_samr_user_handle
HF_RENAME hf_samr_samr_GetGroupsForUser_user_handle hf_samr_user_handle
HF_RENAME hf_samr_samr_TestPrivateFunctionsUser_user_handle hf_samr_user_handle
HF_RENAME hf_samr_samr_GetUserPwInfo_user_handle hf_samr_user_handle
HF_RENAME hf_samr_samr_QueryUserInfo2_user_handle hf_samr_user_handle
HF_RENAME hf_samr_samr_CreateUser2_user_handle hf_samr_user_handle
HF_RENAME hf_samr_samr_SetUserInfo2_user_handle hf_samr_user_handle
HF_FIELD hf_samr_alias_handle "Alias Handle" "samr.alias_handle" FT_BYTES BASE_NONE NULL 0 "" "" ""
HF_RENAME hf_samr_samr_CreateDomAlias_alias_handle hf_samr_alias_handle
HF_RENAME hf_samr_samr_OpenAlias_alias_handle hf_samr_alias_handle
HF_RENAME hf_samr_samr_QueryAliasInfo_alias_handle hf_samr_alias_handle
HF_RENAME hf_samr_samr_SetAliasInfo_alias_handle hf_samr_alias_handle
HF_RENAME hf_samr_samr_DeleteDomAlias_alias_handle hf_samr_alias_handle
HF_RENAME hf_samr_samr_AddAliasMember_alias_handle hf_samr_alias_handle
HF_RENAME hf_samr_samr_DeleteAliasMember_alias_handle hf_samr_alias_handle
HF_RENAME hf_samr_samr_GetMembersInAlias_alias_handle hf_samr_alias_handle
HF_RENAME hf_samr_samr_AddMultipleMembersToAlias_alias_handle hf_samr_alias_handle
HF_RENAME hf_samr_samr_RemoveMultipleMembersFromAlias_alias_handle hf_samr_alias_handle
#
# make all rids use the same hf field
#
HF_FIELD hf_samr_rid "RID" "samr.rid" FT_UINT32 BASE_DEC NULL 0 "" "" ""
HF_RENAME hf_samr_samr_CreateDomainGroup_rid hf_samr_rid
HF_RENAME hf_samr_samr_CreateUser_rid hf_samr_rid
HF_RENAME hf_samr_samr_CreateDomAlias_rid hf_samr_rid
HF_RENAME hf_samr_samr_Ids_ids hf_samr_rid
HF_RENAME hf_samr_samr_LookupRids_rids hf_samr_rid
HF_RENAME hf_samr_samr_OpenGroup_rid hf_samr_rid
HF_RENAME hf_samr_samr_AddGroupMember_rid hf_samr_rid
HF_RENAME hf_samr_samr_DeleteGroupMember_rid hf_samr_rid
HF_RENAME hf_samr_samr_RidTypeArray_rids hf_samr_rid
HF_RENAME hf_samr_samr_OpenAlias_rid hf_samr_rid
HF_RENAME hf_samr_samr_OpenUser_rid hf_samr_rid
HF_RENAME hf_samr_samr_UserInfo3_rid hf_samr_rid
HF_RENAME hf_samr_samr_UserInfo5_rid hf_samr_rid
HF_RENAME hf_samr_samr_UserInfo21_rid hf_samr_rid
HF_RENAME hf_samr_samr_RidWithAttribute_rid hf_samr_rid
HF_RENAME hf_samr_samr_DispEntryGeneral_rid hf_samr_rid
HF_RENAME hf_samr_samr_DispEntryFull_rid hf_samr_rid
HF_RENAME hf_samr_samr_DispEntryFullGroup_rid hf_samr_rid
HF_RENAME hf_samr_samr_CreateUser2_rid hf_samr_rid
HF_RENAME hf_samr_samr_RidToSid_rid hf_samr_rid
#
# Prettification the summary line and the dissection tree
#
PARAM_VALUE samr_dissect_element_SamArray_entries__ 3|PIDL_SET_COL_INFO
PARAM_VALUE samr_dissect_element_LookupDomain_domain_name_ 3|PIDL_SET_COL_INFO
PARAM_VALUE samr_dissect_element_GetDomPwInfo_domain_name_ 3|PIDL_SET_COL_INFO
PARAM_VALUE samr_dissect_element_CreateUser_account_name_ 3|PIDL_SET_COL_INFO|PIDL_STR_SAVE
PARAM_VALUE samr_dissect_element_CreateUser2_account_name_ 3|PIDL_SET_COL_INFO|PIDL_STR_SAVE
TYPE lsa_String "offset=dissect_ndr_lsa_String(tvb, offset, pinfo, tree, drep, @PARAM@, @HF@);" FT_STRING BASE_NONE 0 NULL 5
TYPE lsa_AsciiString "offset=cnf_dissect_lsa_AsciiString(tvb, offset, pinfo, tree, drep, @PARAM@, @HF@);" FT_STRING BASE_NONE 0 NULL 5
TYPE lsa_StringLarge "offset=dissect_ndr_lsa_String(tvb, offset, pinfo, tree, drep, @PARAM@, @HF@);" FT_STRING BASE_NONE 0 NULL 5
TYPE lsa_AsciiStringLarge "offset=cnf_dissect_lsa_AsciiString(tvb, offset, pinfo, tree, drep, @PARAM@, @HF@);" FT_STRING BASE_NONE 0 NULL 5
TYPE hyper "offset=cnf_dissect_hyper(tvb, offset, pinfo, tree, drep, @PARAM@, @HF@);" FT_UINT64 BASE_DEC 0 NULL 8
TYPE sec_desc_buf "offset=cnf_dissect_sec_desc_buf(tvb, offset, pinfo, tree, drep);" FT_NONE BASE_NONE 0 NULL 4
HF_FIELD hf_samr_sec_desc_buf_len "Sec Desc Buf Len" "samr.sec_desc_buf_len" FT_UINT32 BASE_DEC NULL 0 "" "" ""
TYPE dom_sid2 "offset=cnf_dissect_dom_sid2(tvb, offset, pinfo, tree, drep);" FT_NONE BASE_NONE 0 NULL 4
TYPE lsa_SidArray "offset=cnf_dissect_lsa_SidArray(tvb, offset, pinfo, tree, drep);" FT_NONE BASE_NONE 0 NULL 4
TYPE security_secinfo "offset=cnf_dissect_samr_security_secinfo(tvb, offset, pinfo, tree, drep);" FT_NONE BASE_NONE 0 NULL 4
#
# ConnectX access masks
#
MANUAL samr_dissect_bitmap_ConnectAccessMask
HF_FIELD hf_samr_connect_access_mask "Access Mask" "samr.connect.access_mask" FT_UINT32 BASE_HEX NULL 0 "" "" ""
HF_RENAME hf_samr_samr_Connect_access_mask hf_samr_connect_access_mask
HF_RENAME hf_samr_samr_Connect2_access_mask hf_samr_connect_access_mask
HF_RENAME hf_samr_samr_Connect3_access_mask hf_samr_connect_access_mask
HF_RENAME hf_samr_samr_Connect4_access_mask hf_samr_connect_access_mask
HF_RENAME hf_samr_samr_Connect5_access_mask hf_samr_connect_access_mask
#
# User access masks
#
MANUAL samr_dissect_bitmap_UserAccessMask
HF_FIELD hf_samr_user_access_mask "Access Mask" "samr.user.access_mask" FT_UINT32 BASE_HEX NULL 0 "" "" ""
HF_RENAME hf_samr_samr_CreateUser_access_mask hf_samr_user_access_mask
HF_RENAME hf_samr_samr_OpenUser_access_mask hf_samr_user_access_mask
HF_RENAME hf_samr_samr_CreateUser2_access_mask hf_samr_user_access_mask
#
# Domain access masks
#
MANUAL samr_dissect_bitmap_DomainAccessMask
HF_FIELD hf_samr_domain_access_mask "Access Mask" "samr.domain.access_mask" FT_UINT32 BASE_HEX NULL 0 "" "" ""
HF_RENAME hf_samr_samr_OpenDomain_access_mask hf_samr_domain_access_mask
#
# Group access masks
#
MANUAL samr_dissect_bitmap_GroupAccessMask
HF_FIELD hf_samr_group_access_mask "Access Mask" "samr.group.access_mask" FT_UINT32 BASE_HEX NULL 0 "" "" ""
HF_RENAME hf_samr_samr_CreateDomainGroup_access_mask hf_samr_group_access_mask
HF_RENAME hf_samr_samr_OpenGroup_access_mask hf_samr_group_access_mask
#
# Alias access masks
#
MANUAL samr_dissect_bitmap_AliasAccessMask
HF_FIELD hf_samr_alias_access_mask "Access Mask" "samr.alias.access_mask" FT_UINT32 BASE_HEX NULL 0 "" "" ""
HF_RENAME hf_samr_samr_CreateDomAlias_access_mask hf_samr_alias_access_mask
HF_RENAME hf_samr_samr_OpenAlias_access_mask hf_samr_alias_access_mask
CODE START
static void
samr_connect_specific_rights(tvbuff_t *tvb, gint offset, proto_tree *tree, guint32 access)
{
proto_tree_add_boolean(tree, hf_samr_samr_ConnectAccessMask_SAMR_ACCESS_LOOKUP_DOMAIN, tvb, offset, 4, access);
proto_tree_add_boolean(tree, hf_samr_samr_ConnectAccessMask_SAMR_ACCESS_ENUM_DOMAINS, tvb, offset, 4, access);
proto_tree_add_boolean(tree, hf_samr_samr_ConnectAccessMask_SAMR_ACCESS_CREATE_DOMAIN, tvb, offset, 4, access);
proto_tree_add_boolean(tree, hf_samr_samr_ConnectAccessMask_SAMR_ACCESS_INITIALIZE_SERVER, tvb, offset, 4, access);
proto_tree_add_boolean(tree, hf_samr_samr_ConnectAccessMask_SAMR_ACCESS_SHUTDOWN_SERVER, tvb, offset, 4, access);
proto_tree_add_boolean(tree, hf_samr_samr_ConnectAccessMask_SAMR_ACCESS_CONNECT_TO_SERVER, tvb, offset, 4, access);
}
struct access_mask_info samr_connect_access_mask_info = {
"SAMR Connect", /* Name of specific rights */
samr_connect_specific_rights, /* Dissection function */
NULL, /* Generic mapping table */
NULL /* Standard mapping table */
};
int
samr_dissect_bitmap_ConnectAccessMask(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep, int hf_index _U_, guint32 param _U_)
{
offset = dissect_nt_access_mask(
tvb, offset, pinfo, tree, drep, hf_samr_connect_access_mask,
&samr_connect_access_mask_info, NULL);
return offset;
}
static void
samr_alias_specific_rights(tvbuff_t *tvb, gint offset, proto_tree *tree, guint32 access)
{
proto_tree_add_boolean(tree, hf_samr_samr_AliasAccessMask_SAMR_ALIAS_ACCESS_ADD_MEMBER, tvb, offset, 4, access);
proto_tree_add_boolean(tree, hf_samr_samr_AliasAccessMask_SAMR_ALIAS_ACCESS_REMOVE_MEMBER, tvb, offset, 4, access);
proto_tree_add_boolean(tree, hf_samr_samr_AliasAccessMask_SAMR_ALIAS_ACCESS_GET_MEMBERS, tvb, offset, 4, access);
proto_tree_add_boolean(tree, hf_samr_samr_AliasAccessMask_SAMR_ALIAS_ACCESS_LOOKUP_INFO, tvb, offset, 4, access);
proto_tree_add_boolean(tree, hf_samr_samr_AliasAccessMask_SAMR_ALIAS_ACCESS_SET_INFO, tvb, offset, 4, access);
}
struct access_mask_info samr_alias_access_mask_info = {
"SAMR Alias", /* Name of specific rights */
samr_alias_specific_rights, /* Dissection function */
NULL, /* Generic mapping table */
NULL /* Standard mapping table */
};
int
samr_dissect_bitmap_AliasAccessMask(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep, int hf_index _U_, guint32 param _U_)
{
offset = dissect_nt_access_mask(
tvb, offset, pinfo, tree, drep, hf_samr_alias_access_mask,
&samr_alias_access_mask_info, NULL);
return offset;
}
static void
samr_group_specific_rights(tvbuff_t *tvb, gint offset, proto_tree *tree, guint32 access)
{
proto_tree_add_boolean(tree, hf_samr_samr_GroupAccessMask_SAMR_GROUP_ACCESS_GET_MEMBERS, tvb, offset, 4, access);
proto_tree_add_boolean(tree, hf_samr_samr_GroupAccessMask_SAMR_GROUP_ACCESS_REMOVE_MEMBER, tvb, offset, 4, access);
proto_tree_add_boolean(tree, hf_samr_samr_GroupAccessMask_SAMR_GROUP_ACCESS_ADD_MEMBER, tvb, offset, 4, access);
proto_tree_add_boolean(tree, hf_samr_samr_GroupAccessMask_SAMR_GROUP_ACCESS_SET_INFO, tvb, offset, 4, access);
proto_tree_add_boolean(tree, hf_samr_samr_GroupAccessMask_SAMR_GROUP_ACCESS_LOOKUP_INFO, tvb, offset, 4, access);
}
struct access_mask_info samr_group_access_mask_info = {
"SAMR Group", /* Name of specific rights */
samr_group_specific_rights, /* Dissection function */
NULL, /* Generic mapping table */
NULL /* Standard mapping table */
};
int
samr_dissect_bitmap_GroupAccessMask(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep, int hf_index _U_, guint32 param _U_)
{
offset = dissect_nt_access_mask(
tvb, offset, pinfo, tree, drep, hf_samr_group_access_mask,
&samr_group_access_mask_info, NULL);
return offset;
}
static void
samr_domain_specific_rights(tvbuff_t *tvb, gint offset, proto_tree *tree, guint32 access)
{
proto_tree_add_boolean(tree, hf_samr_samr_DomainAccessMask_SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1, tvb, offset, 4, access);
proto_tree_add_boolean(tree, hf_samr_samr_DomainAccessMask_SAMR_DOMAIN_ACCESS_SET_INFO_1, tvb, offset, 4, access);
proto_tree_add_boolean(tree, hf_samr_samr_DomainAccessMask_SAMR_DOMAIN_ACCESS_LOOKUP_INFO_2, tvb, offset, 4, access);
proto_tree_add_boolean(tree, hf_samr_samr_DomainAccessMask_SAMR_DOMAIN_ACCESS_SET_INFO_2, tvb, offset, 4, access);
proto_tree_add_boolean(tree, hf_samr_samr_DomainAccessMask_SAMR_DOMAIN_ACCESS_CREATE_USER, tvb, offset, 4, access);
proto_tree_add_boolean(tree, hf_samr_samr_DomainAccessMask_SAMR_DOMAIN_ACCESS_CREATE_GROUP, tvb, offset, 4, access);
proto_tree_add_boolean(tree, hf_samr_samr_DomainAccessMask_SAMR_DOMAIN_ACCESS_CREATE_ALIAS, tvb, offset, 4, access);
proto_tree_add_boolean(tree, hf_samr_samr_DomainAccessMask_SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS, tvb, offset, 4, access);
proto_tree_add_boolean(tree, hf_samr_samr_DomainAccessMask_SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS, tvb, offset, 4, access);
proto_tree_add_boolean(tree, hf_samr_samr_DomainAccessMask_SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT, tvb, offset, 4, access);
proto_tree_add_boolean(tree, hf_samr_samr_DomainAccessMask_SAMR_DOMAIN_ACCESS_SET_INFO_3, tvb, offset, 4, access);
}
struct access_mask_info samr_domain_access_mask_info = {
"SAMR Domain", /* Name of specific rights */
samr_domain_specific_rights, /* Dissection function */
NULL, /* Generic mapping table */
NULL /* Standard mapping table */
};
int
samr_dissect_bitmap_DomainAccessMask(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep, int hf_index _U_, guint32 param _U_)
{
offset = dissect_nt_access_mask(
tvb, offset, pinfo, tree, drep, hf_samr_domain_access_mask,
&samr_domain_access_mask_info, NULL);
return offset;
}
static void
samr_user_specific_rights(tvbuff_t *tvb, gint offset, proto_tree *tree, guint32 access)
{
proto_tree_add_boolean(tree, hf_samr_samr_UserAccessMask_SAMR_USER_ACCESS_CHANGE_GROUP_MEMBERSHIP, tvb, offset, 4, access);
proto_tree_add_boolean(tree, hf_samr_samr_UserAccessMask_SAMR_USER_ACCESS_GET_GROUP_MEMBERSHIP, tvb, offset, 4, access);
proto_tree_add_boolean(tree, hf_samr_samr_UserAccessMask_SAMR_USER_ACCESS_GET_GROUPS, tvb, offset, 4, access);
proto_tree_add_boolean(tree, hf_samr_samr_UserAccessMask_SAMR_USER_ACCESS_SET_PASSWORD, tvb, offset, 4, access);
proto_tree_add_boolean(tree, hf_samr_samr_UserAccessMask_SAMR_USER_ACCESS_CHANGE_PASSWORD, tvb, offset, 4, access);
proto_tree_add_boolean(tree, hf_samr_samr_UserAccessMask_SAMR_USER_ACCESS_SET_ATTRIBUTES, tvb, offset, 4, access);
proto_tree_add_boolean(tree, hf_samr_samr_UserAccessMask_SAMR_USER_ACCESS_GET_ATTRIBUTES, tvb, offset, 4, access);
proto_tree_add_boolean(tree, hf_samr_samr_UserAccessMask_SAMR_USER_ACCESS_GET_LOGONINFO, tvb, offset, 4, access);
proto_tree_add_boolean(tree, hf_samr_samr_UserAccessMask_SAMR_USER_ACCESS_SET_LOC_COM, tvb, offset, 4, access);
proto_tree_add_boolean(tree, hf_samr_samr_UserAccessMask_SAMR_USER_ACCESS_GET_LOCALE, tvb, offset, 4, access);
proto_tree_add_boolean(tree, hf_samr_samr_UserAccessMask_SAMR_USER_ACCESS_GET_NAME_ETC, tvb, offset, 4, access);
}
struct access_mask_info samr_user_access_mask_info = {
"SAMR User", /* Name of specific rights */
samr_user_specific_rights, /* Dissection function */
NULL, /* Generic mapping table */
NULL /* Standard mapping table */
};
int
samr_dissect_bitmap_UserAccessMask(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep, int hf_index _U_, guint32 param _U_)
{
offset = dissect_nt_access_mask(
tvb, offset, pinfo, tree, drep, hf_samr_user_access_mask,
&samr_user_access_mask_info, NULL);
return offset;
}
static int
cnf_dissect_lsa_AsciiString(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep, guint32 param _U_, int hfindex)
{
offset = dissect_ndr_counted_ascii_string(tvb, offset, pinfo, tree, drep,
hfindex, 0);
return offset;
}
static int
cnf_dissect_hyper(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep, guint32 param _U_, int hfindex)
{
offset = dissect_ndr_uint64(tvb, offset, pinfo, tree, drep, hfindex, NULL);
return offset;
}
static int
cnf_dissect_sec_desc_buf_(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
guint64 len;
dcerpc_info *di = NULL;
e_ctx_hnd *polhnd = NULL;
dcerpc_call_value *dcv = NULL;
guint32 type=0;
struct access_mask_info *ami=NULL;
di=pinfo->private_data;
if(di->conformant_run){
/*just a run to handle conformant arrays, nothing to dissect */
return offset;
}
offset = dissect_ndr_uint3264 (tvb, offset, pinfo, tree, drep,
hf_samr_sec_desc_buf_len, &len);
dcv = (dcerpc_call_value *)di->call_data;
if(dcv){
polhnd = dcv->pol;
}
if(polhnd){
dcerpc_fetch_polhnd_data(polhnd, NULL, &type, NULL, NULL,
pinfo->fd->num);
}
switch(type){
case PIDL_POLHND_TYPE_SAMR_USER:
ami=&samr_user_access_mask_info;
break;
case PIDL_POLHND_TYPE_SAMR_CONNECT:
ami=&samr_connect_access_mask_info;
break;
case PIDL_POLHND_TYPE_SAMR_DOMAIN:
ami=&samr_domain_access_mask_info;
break;
case PIDL_POLHND_TYPE_SAMR_GROUP:
ami=&samr_group_access_mask_info;
break;
case PIDL_POLHND_TYPE_SAMR_ALIAS:
ami=&samr_alias_access_mask_info;
break;
}
dissect_nt_sec_desc(tvb, offset, pinfo, tree, drep, TRUE, (int)len, ami);
offset += (int)len;
return offset;
}
static int
cnf_dissect_sec_desc_buf(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
guint64 len;
dcerpc_info *di;
di=pinfo->private_data;
if(di->conformant_run){
/*just a run to handle conformant arrays, nothing to dissect */
return offset;
}
offset = dissect_ndr_uint3264 (tvb, offset, pinfo, tree, drep,
hf_samr_sec_desc_buf_len, &len);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
cnf_dissect_sec_desc_buf_, NDR_POINTER_UNIQUE,
"SAM SECURITY DESCRIPTOR data:", -1);
return offset;
}
static int
cnf_dissect_dom_sid2(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
offset = dissect_ndr_nt_SID(tvb, offset, pinfo, tree, drep);
return offset;
}
static int
cnf_dissect_lsa_SidArray(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
offset = dissect_ndr_nt_PSID_ARRAY(tvb, offset, pinfo, tree, drep);
return offset;
}
static int
cnf_dissect_samr_security_secinfo(tvbuff_t *tvb, int offset, packet_info *pinfo _U_, proto_tree *tree, guint8 *drep _U_)
{
offset = dissect_nt_security_information(tvb, offset, tree);
return offset;
}
CODE END
|
