authorHiddencodes Sec <hidd3ncod3s@gmail.com>2024-01-01 17:16:28 -0800
committerJohn Thacker <johnthacker@gmail.com>2024-01-07 16:48:40 +0000
commit5b87714ec81288e5f999f082653bf106200185e6 (patch)
tree4b553e9938d1bb81d60b36403934e3b829e4927c
parent4feb30a85eb4fb190ba624f0170254170aa79f04 (diff)
Add parsing support for IWbemServices and WMIO
-rw-r--r--epan/dissectors/CMakeLists.txt2
-rw-r--r--epan/dissectors/packet-dcerpc-iwbemservices.c1338
-rw-r--r--epan/dissectors/packet-dcerpc-iwbemservices.h20
-rw-r--r--epan/dissectors/packet-dcom.c2
-rw-r--r--epan/dissectors/packet-wmio.c1242
-rw-r--r--epan/dissectors/pidl/CMakeLists.txt4
-rw-r--r--epan/dissectors/pidl/Makefile.pidl7
-rw-r--r--epan/dissectors/pidl/README1
-rw-r--r--epan/dissectors/pidl/iwbemservices/iwbemservices.cnf111
-rw-r--r--epan/dissectors/pidl/iwbemservices/iwbemservices.idl158
10 files changed, 2884 insertions, 1 deletions
diff --git a/epan/dissectors/CMakeLists.txt b/epan/dissectors/CMakeLists.txt
index f21456f9b5..5cf461cddb 100644
--- a/epan/dissectors/CMakeLists.txt
+++ b/epan/dissectors/CMakeLists.txt
@@ -56,6 +56,7 @@ set(PIDL_DISSECTOR_SRC
${CMAKE_CURRENT_SOURCE_DIR}/packet-dcerpc-iwbemlevel1login.c
${CMAKE_CURRENT_SOURCE_DIR}/packet-dcerpc-iwbemloginclientid.c
${CMAKE_CURRENT_SOURCE_DIR}/packet-dcerpc-iwbemloginclientidex.c
+ ${CMAKE_CURRENT_SOURCE_DIR}/packet-dcerpc-iwbemservices.c
${CMAKE_CURRENT_SOURCE_DIR}/packet-dcerpc-lsa.c
${CMAKE_CURRENT_SOURCE_DIR}/packet-dcerpc-mapi.c
${CMAKE_CURRENT_SOURCE_DIR}/packet-dcerpc-mdssvc.c
@@ -2077,6 +2078,7 @@ set(DISSECTOR_SRC
${CMAKE_CURRENT_SOURCE_DIR}/packet-winsrepl.c
${CMAKE_CURRENT_SOURCE_DIR}/packet-wisun.c
${CMAKE_CURRENT_SOURCE_DIR}/packet-wlccp.c
+ ${CMAKE_CURRENT_SOURCE_DIR}/packet-wmio.c
${CMAKE_CURRENT_SOURCE_DIR}/packet-wol.c
${CMAKE_CURRENT_SOURCE_DIR}/packet-wow.c
${CMAKE_CURRENT_SOURCE_DIR}/packet-woww.c
diff --git a/epan/dissectors/packet-dcerpc-iwbemservices.c b/epan/dissectors/packet-dcerpc-iwbemservices.c
new file mode 100644
index 0000000000..1c4e9ae091
--- /dev/null
+++ b/epan/dissectors/packet-dcerpc-iwbemservices.c
@@ -0,0 +1,1338 @@
+/* DO NOT EDIT
+ This file was automatically generated by Pidl
+ from iwbemservices.idl and iwbemservices.cnf.
+
+ Pidl is a perl based IDL compiler for DCE/RPC idl files.
+ It is maintained by the Samba team, not the Wireshark team.
+ Instructions on how to download and install Pidl can be
+ found at https://gitlab.com/wireshark/wireshark/-/wikis/Pidl
+*/
+
+
+#include "config.h"
+#include <glib.h>
+#include <string.h>
+#include <epan/packet.h>
+
+#include "packet-dcerpc.h"
+#include "packet-dcerpc-nt.h"
+#include "packet-windows-common.h"
+#include "packet-dcerpc-iwbemservices.h"
+void proto_register_dcerpc_IWbemServices(void);
+void proto_reg_handoff_dcerpc_IWbemServices(void);
+
+/* Ett declarations */
+static gint ett_IWbemServices_GetObject_orpcthis = -1;
+static gint ett_IWbemServices_GetObject_orpcthat = -1;
+static gint ett_IWbemServices_ExecMethod_orpcthis = -1;
+static gint ett_IWbemServices_ExecMethod_orpcthat = -1;
+static gint ett_dcerpc_IWbemServices = -1;
+static gint ett_IWbemServices_ORPCTHIS = -1;
+static gint ett_IWbemServices_ORPCTHAT = -1;
+static gint ett_IWbemServices_IWbemCallResult = -1;
+static gint ett_IWbemServices_IWbemClassObject = -1;
+static gint ett_IWbemServices_MInterfacePointer = -1;
+static gint ett_IWbemServices_IWbemContext = -1;
+
+
+/* Header field declarations */
+static gint hf_IWbemServices_ExecMethod_lFlags = -1;
+static gint hf_IWbemServices_ExecMethod_orpcthat = -1;
+static gint hf_IWbemServices_ExecMethod_orpcthis = -1;
+static gint hf_IWbemServices_ExecMethod_strMethodName = -1;
+static gint hf_IWbemServices_ExecMethod_strObjectPath = -1;
+static gint hf_IWbemServices_GetObject_lFlags = -1;
+static gint hf_IWbemServices_GetObject_orpcthat = -1;
+static gint hf_IWbemServices_GetObject_orpcthis = -1;
+static gint hf_IWbemServices_GetObject_pCtx = -1;
+static gint hf_IWbemServices_GetObject_ppCallResult = -1;
+static gint hf_IWbemServices_GetObject_ppObject = -1;
+static gint hf_IWbemServices_GetObject_strObjectPath = -1;
+static gint hf_IWbemServices_IWbemClassObject_count = -1;
+static gint hf_IWbemServices_IWbemClassObject_objects = -1;
+static gint hf_IWbemServices_IWbemContext_intPtr = -1;
+static gint hf_IWbemServices_IWbemContext_u = -1;
+static gint hf_IWbemServices_MInterfacePointer_abData = -1;
+static gint hf_IWbemServices_MInterfacePointer_ulCntData = -1;
+static gint hf_IWbemServices_opnum = -1;
+static gint hf_IWbemServices_werror = -1;
+
+static gint proto_dcerpc_IWbemServices = -1;
+/* Version information */
+
+
+static e_guid_t uuid_dcerpc_IWbemServices = {
+ 0x9556dc99, 0x828c, 0x11cf,
+ { 0xa3, 0x7e, 0x00, 0xaa, 0x00, 0x32, 0x40, 0xc7 }
+};
+static guint16 ver_dcerpc_IWbemServices = 0;
+
+static int IWbemServices_dissect_element_IWbemClassObject_count(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_);
+static int IWbemServices_dissect_element_IWbemClassObject_objects(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_);
+static int IWbemServices_dissect_element_MInterfacePointer_ulCntData(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_);
+static int IWbemServices_dissect_element_MInterfacePointer_abData(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_);
+static int IWbemServices_dissect_element_MInterfacePointer_abData_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_);
+static int IWbemServices_dissect_element_IWbemContext_u(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_);
+static int IWbemServices_dissect_element_IWbemContext_intPtr(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_);
+static int IWbemServices_dissect_element_IWbemContext_intPtr_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_);
+static int IWbemServices_dissect_element_GetObject_orpcthis(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_);
+static int IWbemServices_dissect_element_GetObject_strObjectPath(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_);
+static int IWbemServices_dissect_element_GetObject_lFlags(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_);
+static int IWbemServices_dissect_element_GetObject_pCtx(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_);
+static int IWbemServices_dissect_element_GetObject_pCtx_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_);
+static int IWbemServices_dissect_element_GetObject_orpcthat(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_);
+static int IWbemServices_dissect_element_GetObject_orpcthat_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_);
+static int IWbemServices_dissect_element_GetObject_ppObject(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_);
+static int IWbemServices_dissect_element_GetObject_ppObject_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_);
+static int IWbemServices_dissect_element_GetObject_ppObject__(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_);
+static int IWbemServices_dissect_element_GetObject_ppCallResult(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_);
+static int IWbemServices_dissect_element_GetObject_ppCallResult_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_);
+static int IWbemServices_dissect_element_GetObject_ppCallResult__(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_);
+static int IWbemServices_dissect_element_ExecMethod_orpcthis(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_);
+static int IWbemServices_dissect_element_ExecMethod_strObjectPath(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_);
+static int IWbemServices_dissect_element_ExecMethod_strObjectPath_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_);
+static int IWbemServices_dissect_element_ExecMethod_strMethodName(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_);
+static int IWbemServices_dissect_element_ExecMethod_strMethodName_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_);
+static int IWbemServices_dissect_element_ExecMethod_lFlags(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_);
+static int IWbemServices_dissect_element_ExecMethod_orpcthat(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_);
+static int IWbemServices_dissect_element_ExecMethod_orpcthat_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_);
+ #include "packet-dcom.h"
+static int
+IWbemServices_dissect_element_IWbemClassObject_objects_(tvbuff_t *tvb, int offset, int length, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep);
+static int
+IWbemServices_dissect_element_GetObject_strObjectPath_(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info* di, guint8 *drep);
+extern void register_dcom_wmio (void);
+/* GetObject */
+static int
+IWbemServices_dissect_element_GetObject_orpcthis(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info* di, guint8 *drep)
+{
+ proto_item *sub_item;
+ proto_tree *sub_tree;
+ sub_item = proto_tree_add_item(tree, hf_IWbemServices_GetObject_orpcthis, tvb, offset, 0, ENC_NA);
+ sub_tree = proto_item_add_subtree(sub_item, ett_IWbemServices_GetObject_orpcthis);
+ return dissect_dcom_this(tvb, offset, pinfo, sub_tree, di, drep);
+}
+static int
+IWbemServices_dissect_element_GetObject_orpcthat_(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info* di, guint8 *drep)
+{
+ proto_item *sub_item;
+ proto_tree *sub_tree;
+ register_dcom_wmio();
+ sub_item = proto_tree_add_item(tree, hf_IWbemServices_GetObject_orpcthat, tvb, offset, 0, ENC_NA);
+ sub_tree = proto_item_add_subtree(sub_item, ett_IWbemServices_GetObject_orpcthat);
+ return dissect_dcom_that(tvb, offset, pinfo, sub_tree, di, drep);
+}
+/* ExecMethod */
+static int
+IWbemServices_dissect_element_ExecMethod_orpcthis(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info* di, guint8 *drep)
+{
+ proto_item *sub_item;
+ proto_tree *sub_tree;
+ sub_item = proto_tree_add_item(tree, hf_IWbemServices_ExecMethod_orpcthis, tvb, offset, 0, ENC_NA);
+ sub_tree = proto_item_add_subtree(sub_item, ett_IWbemServices_ExecMethod_orpcthis);
+ return dissect_dcom_this(tvb, offset, pinfo, sub_tree, di, drep);
+}
+static int
+IWbemServices_dissect_element_ExecMethod_orpcthat_(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info* di, guint8 *drep)
+{
+ proto_item *sub_item;
+ proto_tree *sub_tree;
+ register_dcom_wmio();
+ sub_item = proto_tree_add_item(tree, hf_IWbemServices_ExecMethod_orpcthat, tvb, offset, 0, ENC_NA);
+ sub_tree = proto_item_add_subtree(sub_item, ett_IWbemServices_ExecMethod_orpcthat);
+ return dissect_dcom_that(tvb, offset, pinfo, sub_tree, di, drep);
+}
+static int
+IWbemServices_dissect_element_IWbemClassObject_objects(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info* di, guint8 *drep)
+{
+ return dissect_ndr_ucarray_block(tvb, offset, pinfo, tree, di, drep, &IWbemServices_dissect_element_IWbemClassObject_objects_);
+}
+static int
+IWbemServices_dissect_element_IWbemClassObject_objects_(tvbuff_t *tvb, int offset, int length, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
+{
+ dissect_dcom_OBJREF(tvb, offset, pinfo, tree, di, drep, hf_IWbemServices_IWbemClassObject_objects, NULL);
+ return offset + length;
+}
+static int
+IWbemServices_dissect_element_GetObject_strObjectPath_(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info* di, guint8 *drep)
+{
+ char *data = NULL;
+ offset = dissect_ndr_cvstring(tvb, offset, pinfo, tree, di, drep, sizeof(guint16), hf_IWbemServices_GetObject_strObjectPath, FALSE, &data);
+ if (data){
+ proto_item_append_text(tree, ": %s", data);
+ col_append_fstr(pinfo->cinfo, COL_INFO, " Object=%s", data);
+ }
+ return offset;
+}
+
+
+/* IDL: struct { */
+/* IDL: } */
+
+int
+IWbemServices_dissect_struct_ORPCTHIS(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *parent_tree _U_, dcerpc_info* di _U_, guint8 *drep _U_, int hf_index _U_, guint32 param _U_)
+{
+ proto_item *item = NULL;
+ int old_offset;
+
+ old_offset = offset;
+
+ if (parent_tree) {
+ item = proto_tree_add_item(parent_tree, hf_index, tvb, offset, -1, ENC_NA);
+ }
+
+
+ proto_item_set_len(item, offset-old_offset);
+
+
+ return offset;
+}
+
+
+/* IDL: struct { */
+/* IDL: } */
+
+int
+IWbemServices_dissect_struct_ORPCTHAT(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *parent_tree _U_, dcerpc_info* di _U_, guint8 *drep _U_, int hf_index _U_, guint32 param _U_)
+{
+ proto_item *item = NULL;
+ int old_offset;
+
+ old_offset = offset;
+
+ if (parent_tree) {
+ item = proto_tree_add_item(parent_tree, hf_index, tvb, offset, -1, ENC_NA);
+ }
+
+
+ proto_item_set_len(item, offset-old_offset);
+
+
+ return offset;
+}
+
+
+/* IDL: struct { */
+/* IDL: } */
+
+int
+IWbemServices_dissect_struct_IWbemCallResult(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *parent_tree _U_, dcerpc_info* di _U_, guint8 *drep _U_, int hf_index _U_, guint32 param _U_)
+{
+ proto_item *item = NULL;
+ int old_offset;
+
+ old_offset = offset;
+
+ if (parent_tree) {
+ item = proto_tree_add_item(parent_tree, hf_index, tvb, offset, -1, ENC_NA);
+ }
+
+
+ proto_item_set_len(item, offset-old_offset);
+
+
+ return offset;
+}
+
+
+/* IDL: struct { */
+/* IDL: uint32 count; */
+/* IDL: [size_is(count)] uint8 objects[*]; */
+/* IDL: } */
+
+static int
+IWbemServices_dissect_element_IWbemClassObject_count(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ offset = PIDL_dissect_uint32(tvb, offset, pinfo, tree, di, drep, hf_IWbemServices_IWbemClassObject_count, 0);
+
+ return offset;
+}
+
+int
+IWbemServices_dissect_struct_IWbemClassObject(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *parent_tree _U_, dcerpc_info* di _U_, guint8 *drep _U_, int hf_index _U_, guint32 param _U_)
+{
+ proto_item *item = NULL;
+ proto_tree *tree = NULL;
+ int old_offset;
+
+ ALIGN_TO_4_BYTES;
+
+ old_offset = offset;
+
+ if (parent_tree) {
+ item = proto_tree_add_item(parent_tree, hf_index, tvb, offset, -1, ENC_NA);
+ tree = proto_item_add_subtree(item, ett_IWbemServices_IWbemClassObject);
+ }
+
+ offset = IWbemServices_dissect_element_IWbemClassObject_count(tvb, offset, pinfo, tree, di, drep);
+
+ offset = IWbemServices_dissect_element_IWbemClassObject_objects(tvb, offset, pinfo, tree, di, drep);
+
+
+ proto_item_set_len(item, offset-old_offset);
+
+
+ if (di->call_data->flags & DCERPC_IS_NDR64) {
+ ALIGN_TO_4_BYTES;
+ }
+
+ return offset;
+}
+
+
+/* IDL: struct { */
+/* IDL: uint32 ulCntData; */
+/* IDL: [size_is(count)] uint8 abData[*]; */
+/* IDL: } */
+
+static int
+IWbemServices_dissect_element_MInterfacePointer_ulCntData(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ offset = PIDL_dissect_uint32(tvb, offset, pinfo, tree, di, drep, hf_IWbemServices_MInterfacePointer_ulCntData, 0);
+
+ return offset;
+}
+
+static int
+IWbemServices_dissect_element_MInterfacePointer_abData(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep, IWbemServices_dissect_element_MInterfacePointer_abData_);
+
+ return offset;
+}
+
+static int
+IWbemServices_dissect_element_MInterfacePointer_abData_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ offset = PIDL_dissect_uint8(tvb, offset, pinfo, tree, di, drep, hf_IWbemServices_MInterfacePointer_abData, 0);
+
+ return offset;
+}
+
+int
+IWbemServices_dissect_struct_MInterfacePointer(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *parent_tree _U_, dcerpc_info* di _U_, guint8 *drep _U_, int hf_index _U_, guint32 param _U_)
+{
+ proto_item *item = NULL;
+ proto_tree *tree = NULL;
+ int old_offset;
+
+ ALIGN_TO_4_BYTES;
+
+ old_offset = offset;
+
+ if (parent_tree) {
+ item = proto_tree_add_item(parent_tree, hf_index, tvb, offset, -1, ENC_NA);
+ tree = proto_item_add_subtree(item, ett_IWbemServices_MInterfacePointer);
+ }
+
+ offset = IWbemServices_dissect_element_MInterfacePointer_ulCntData(tvb, offset, pinfo, tree, di, drep);
+
+ offset = IWbemServices_dissect_element_MInterfacePointer_abData(tvb, offset, pinfo, tree, di, drep);
+
+
+ proto_item_set_len(item, offset-old_offset);
+
+
+ if (di->call_data->flags & DCERPC_IS_NDR64) {
+ ALIGN_TO_4_BYTES;
+ }
+
+ return offset;
+}
+
+
+/* IDL: struct { */
+/* IDL: uint32 u; */
+/* IDL: [unique(1)] MInterfacePointer *intPtr; */
+/* IDL: } */
+
+static int
+IWbemServices_dissect_element_IWbemContext_u(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ offset = PIDL_dissect_uint32(tvb, offset, pinfo, tree, di, drep, hf_IWbemServices_IWbemContext_u, 0);
+
+ return offset;
+}
+
+static int
+IWbemServices_dissect_element_IWbemContext_intPtr(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ offset = dissect_ndr_embedded_pointer(tvb, offset, pinfo, tree, di, drep, IWbemServices_dissect_element_IWbemContext_intPtr_, NDR_POINTER_UNIQUE, "Pointer to IntPtr (MInterfacePointer)",hf_IWbemServices_IWbemContext_intPtr);
+
+ return offset;
+}
+
+static int
+IWbemServices_dissect_element_IWbemContext_intPtr_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ offset = IWbemServices_dissect_struct_MInterfacePointer(tvb,offset,pinfo,tree,di,drep,hf_IWbemServices_IWbemContext_intPtr,0);
+
+ return offset;
+}
+
+int
+IWbemServices_dissect_struct_IWbemContext(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *parent_tree _U_, dcerpc_info* di _U_, guint8 *drep _U_, int hf_index _U_, guint32 param _U_)
+{
+ proto_item *item = NULL;
+ proto_tree *tree = NULL;
+ int old_offset;
+
+ ALIGN_TO_5_BYTES;
+
+ old_offset = offset;
+
+ if (parent_tree) {
+ item = proto_tree_add_item(parent_tree, hf_index, tvb, offset, -1, ENC_NA);
+ tree = proto_item_add_subtree(item, ett_IWbemServices_IWbemContext);
+ }
+
+ offset = IWbemServices_dissect_element_IWbemContext_u(tvb, offset, pinfo, tree, di, drep);
+
+ offset = IWbemServices_dissect_element_IWbemContext_intPtr(tvb, offset, pinfo, tree, di, drep);
+
+
+ proto_item_set_len(item, offset-old_offset);
+
+
+ if (di->call_data->flags & DCERPC_IS_NDR64) {
+ ALIGN_TO_5_BYTES;
+ }
+
+ return offset;
+}
+
+/* IDL: WERROR iwbemservices_opnum0( */
+/* IDL: */
+/* IDL: ); */
+
+static int
+IWbemServices_dissect_iwbemservices_opnum0_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ guint32 status;
+
+ di->dcerpc_procedure_name="iwbemservices_opnum0";
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep, hf_IWbemServices_werror, &status);
+
+ if (status != 0)
+ col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str(status, WERR_errors, "Unknown DOS error 0x%08x"));
+
+ return offset;
+}
+
+static int
+IWbemServices_dissect_iwbemservices_opnum0_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ di->dcerpc_procedure_name="iwbemservices_opnum0";
+ return offset;
+}
+
+/* IDL: WERROR iwbemservices_opnum1( */
+/* IDL: */
+/* IDL: ); */
+
+static int
+IWbemServices_dissect_iwbemservices_opnum1_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ guint32 status;
+
+ di->dcerpc_procedure_name="iwbemservices_opnum1";
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep, hf_IWbemServices_werror, &status);
+
+ if (status != 0)
+ col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str(status, WERR_errors, "Unknown DOS error 0x%08x"));
+
+ return offset;
+}
+
+static int
+IWbemServices_dissect_iwbemservices_opnum1_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ di->dcerpc_procedure_name="iwbemservices_opnum1";
+ return offset;
+}
+
+/* IDL: WERROR iwbemservices_opnum2( */
+/* IDL: */
+/* IDL: ); */
+
+static int
+IWbemServices_dissect_iwbemservices_opnum2_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ guint32 status;
+
+ di->dcerpc_procedure_name="iwbemservices_opnum2";
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep, hf_IWbemServices_werror, &status);
+
+ if (status != 0)
+ col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str(status, WERR_errors, "Unknown DOS error 0x%08x"));
+
+ return offset;
+}
+
+static int
+IWbemServices_dissect_iwbemservices_opnum2_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ di->dcerpc_procedure_name="iwbemservices_opnum2";
+ return offset;
+}
+
+/* IDL: WERROR iwbemservices_OpenNamespace( */
+/* IDL: */
+/* IDL: ); */
+
+static int
+IWbemServices_dissect_iwbemservices_OpenNamespace_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ guint32 status;
+
+ di->dcerpc_procedure_name="iwbemservices_OpenNamespace";
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep, hf_IWbemServices_werror, &status);
+
+ if (status != 0)
+ col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str(status, WERR_errors, "Unknown DOS error 0x%08x"));
+
+ return offset;
+}
+
+static int
+IWbemServices_dissect_iwbemservices_OpenNamespace_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ di->dcerpc_procedure_name="iwbemservices_OpenNamespace";
+ return offset;
+}
+
+/* IDL: WERROR iwbemservices_CancelAsyncCall( */
+/* IDL: */
+/* IDL: ); */
+
+static int
+IWbemServices_dissect_iwbemservices_CancelAsyncCall_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ guint32 status;
+
+ di->dcerpc_procedure_name="iwbemservices_CancelAsyncCall";
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep, hf_IWbemServices_werror, &status);
+
+ if (status != 0)
+ col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str(status, WERR_errors, "Unknown DOS error 0x%08x"));
+
+ return offset;
+}
+
+static int
+IWbemServices_dissect_iwbemservices_CancelAsyncCall_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ di->dcerpc_procedure_name="iwbemservices_CancelAsyncCall";
+ return offset;
+}
+
+/* IDL: WERROR iwbemservices_QueryObjectSink( */
+/* IDL: */
+/* IDL: ); */
+
+static int
+IWbemServices_dissect_iwbemservices_QueryObjectSink_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ guint32 status;
+
+ di->dcerpc_procedure_name="iwbemservices_QueryObjectSink";
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep, hf_IWbemServices_werror, &status);
+
+ if (status != 0)
+ col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str(status, WERR_errors, "Unknown DOS error 0x%08x"));
+
+ return offset;
+}
+
+static int
+IWbemServices_dissect_iwbemservices_QueryObjectSink_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ di->dcerpc_procedure_name="iwbemservices_QueryObjectSink";
+ return offset;
+}
+
+static int
+IWbemServices_dissect_element_GetObject_strObjectPath(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ offset = dissect_ndr_toplevel_pointer(tvb, offset, pinfo, tree, di, drep, IWbemServices_dissect_element_GetObject_strObjectPath_, NDR_POINTER_UNIQUE, "Pointer to StrObjectPath (uint16)",hf_IWbemServices_GetObject_strObjectPath);
+
+ return offset;
+}
+
+static int
+IWbemServices_dissect_element_GetObject_lFlags(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ offset = PIDL_dissect_uint32(tvb, offset, pinfo, tree, di, drep, hf_IWbemServices_GetObject_lFlags, 0);
+
+ return offset;
+}
+
+static int
+IWbemServices_dissect_element_GetObject_pCtx(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ offset = dissect_ndr_toplevel_pointer(tvb, offset, pinfo, tree, di, drep, IWbemServices_dissect_element_GetObject_pCtx_, NDR_POINTER_REF, "Pointer to PCtx (IWbemContext)",hf_IWbemServices_GetObject_pCtx);
+
+ return offset;
+}
+
+static int
+IWbemServices_dissect_element_GetObject_pCtx_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ offset = IWbemServices_dissect_struct_IWbemContext(tvb,offset,pinfo,tree,di,drep,hf_IWbemServices_GetObject_pCtx,0);
+
+ return offset;
+}
+
+static int
+IWbemServices_dissect_element_GetObject_orpcthat(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ offset = dissect_ndr_toplevel_pointer(tvb, offset, pinfo, tree, di, drep, IWbemServices_dissect_element_GetObject_orpcthat_, NDR_POINTER_REF, "Pointer to Orpcthat (ORPCTHAT)",hf_IWbemServices_GetObject_orpcthat);
+
+ return offset;
+}
+
+static int
+IWbemServices_dissect_element_GetObject_ppObject(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ offset = dissect_ndr_toplevel_pointer(tvb, offset, pinfo, tree, di, drep, IWbemServices_dissect_element_GetObject_ppObject_, NDR_POINTER_UNIQUE, "Pointer to PpObject (IWbemClassObject)",hf_IWbemServices_GetObject_ppObject);
+
+ return offset;
+}
+
+static int
+IWbemServices_dissect_element_GetObject_ppObject_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ offset = dissect_ndr_embedded_pointer(tvb, offset, pinfo, tree, di, drep, IWbemServices_dissect_element_GetObject_ppObject__, NDR_POINTER_UNIQUE, "Pointer to PpObject (IWbemClassObject)",hf_IWbemServices_GetObject_ppObject);
+
+ return offset;
+}
+
+static int
+IWbemServices_dissect_element_GetObject_ppObject__(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ offset = IWbemServices_dissect_struct_IWbemClassObject(tvb,offset,pinfo,tree,di,drep,hf_IWbemServices_GetObject_ppObject,0);
+
+ return offset;
+}
+
+static int
+IWbemServices_dissect_element_GetObject_ppCallResult(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ offset = dissect_ndr_toplevel_pointer(tvb, offset, pinfo, tree, di, drep, IWbemServices_dissect_element_GetObject_ppCallResult_, NDR_POINTER_UNIQUE, "Pointer to PpCallResult (IWbemCallResult)",hf_IWbemServices_GetObject_ppCallResult);
+
+ return offset;
+}
+
+static int
+IWbemServices_dissect_element_GetObject_ppCallResult_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ offset = dissect_ndr_embedded_pointer(tvb, offset, pinfo, tree, di, drep, IWbemServices_dissect_element_GetObject_ppCallResult__, NDR_POINTER_UNIQUE, "Pointer to PpCallResult (IWbemCallResult)",hf_IWbemServices_GetObject_ppCallResult);
+
+ return offset;
+}
+
+static int
+IWbemServices_dissect_element_GetObject_ppCallResult__(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ offset = IWbemServices_dissect_struct_IWbemCallResult(tvb,offset,pinfo,tree,di,drep,hf_IWbemServices_GetObject_ppCallResult,0);
+
+ return offset;
+}
+
+/* IDL: WERROR GetObject( */
+/* IDL: [in] ORPCTHIS orpcthis, */
+/* IDL: [charset(UTF16)] [in] [unique(1)] uint16 *strObjectPath, */
+/* IDL: [in] uint32 lFlags, */
+/* IDL: [in] [ref] IWbemContext *pCtx, */
+/* IDL: [out] [ref] ORPCTHAT *orpcthat, */
+/* IDL: [in] [out] [unique(1)] IWbemClassObject **ppObject, */
+/* IDL: [in] [out] [unique(1)] IWbemCallResult **ppCallResult */
+/* IDL: ); */
+
+static int
+IWbemServices_dissect_GetObject_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ guint32 status;
+
+ di->dcerpc_procedure_name="GetObject";
+ offset = IWbemServices_dissect_element_GetObject_orpcthat(tvb, offset, pinfo, tree, di, drep);
+ offset = dissect_deferred_pointers(pinfo, tvb, offset, di, drep);
+
+ offset = IWbemServices_dissect_element_GetObject_ppObject(tvb, offset, pinfo, tree, di, drep);
+ offset = dissect_deferred_pointers(pinfo, tvb, offset, di, drep);
+
+ offset = IWbemServices_dissect_element_GetObject_ppCallResult(tvb, offset, pinfo, tree, di, drep);
+ offset = dissect_deferred_pointers(pinfo, tvb, offset, di, drep);
+
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep, hf_IWbemServices_werror, &status);
+
+ if (status != 0)
+ col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str(status, WERR_errors, "Unknown DOS error 0x%08x"));
+
+ return offset;
+}
+
+static int
+IWbemServices_dissect_GetObject_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ di->dcerpc_procedure_name="GetObject";
+ offset = IWbemServices_dissect_element_GetObject_orpcthis(tvb, offset, pinfo, tree, di, drep);
+ offset = dissect_deferred_pointers(pinfo, tvb, offset, di, drep);
+ offset = IWbemServices_dissect_element_GetObject_strObjectPath(tvb, offset, pinfo, tree, di, drep);
+ offset = dissect_deferred_pointers(pinfo, tvb, offset, di, drep);
+ offset = IWbemServices_dissect_element_GetObject_lFlags(tvb, offset, pinfo, tree, di, drep);
+ offset = dissect_deferred_pointers(pinfo, tvb, offset, di, drep);
+ offset = IWbemServices_dissect_element_GetObject_pCtx(tvb, offset, pinfo, tree, di, drep);
+ offset = dissect_deferred_pointers(pinfo, tvb, offset, di, drep);
+ offset = IWbemServices_dissect_element_GetObject_ppObject(tvb, offset, pinfo, tree, di, drep);
+ offset = dissect_deferred_pointers(pinfo, tvb, offset, di, drep);
+ offset = IWbemServices_dissect_element_GetObject_ppCallResult(tvb, offset, pinfo, tree, di, drep);
+ offset = dissect_deferred_pointers(pinfo, tvb, offset, di, drep);
+ return offset;
+}
+
+/* IDL: WERROR iwbemservices_opnum7( */
+/* IDL: */
+/* IDL: ); */
+
+static int
+IWbemServices_dissect_iwbemservices_opnum7_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ guint32 status;
+
+ di->dcerpc_procedure_name="iwbemservices_opnum7";
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep, hf_IWbemServices_werror, &status);
+
+ if (status != 0)
+ col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str(status, WERR_errors, "Unknown DOS error 0x%08x"));
+
+ return offset;
+}
+
+static int
+IWbemServices_dissect_iwbemservices_opnum7_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ di->dcerpc_procedure_name="iwbemservices_opnum7";
+ return offset;
+}
+
+/* IDL: WERROR iwbemservices_opnum8( */
+/* IDL: */
+/* IDL: ); */
+
+static int
+IWbemServices_dissect_iwbemservices_opnum8_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ guint32 status;
+
+ di->dcerpc_procedure_name="iwbemservices_opnum8";
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep, hf_IWbemServices_werror, &status);
+
+ if (status != 0)
+ col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str(status, WERR_errors, "Unknown DOS error 0x%08x"));
+
+ return offset;
+}
+
+static int
+IWbemServices_dissect_iwbemservices_opnum8_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ di->dcerpc_procedure_name="iwbemservices_opnum8";
+ return offset;
+}
+
+/* IDL: WERROR iwbemservices_opnum9( */
+/* IDL: */
+/* IDL: ); */
+
+static int
+IWbemServices_dissect_iwbemservices_opnum9_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ guint32 status;
+
+ di->dcerpc_procedure_name="iwbemservices_opnum9";
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep, hf_IWbemServices_werror, &status);
+
+ if (status != 0)
+ col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str(status, WERR_errors, "Unknown DOS error 0x%08x"));
+
+ return offset;
+}
+
+static int
+IWbemServices_dissect_iwbemservices_opnum9_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ di->dcerpc_procedure_name="iwbemservices_opnum9";
+ return offset;
+}
+
+/* IDL: WERROR iwbemservices_opnum10( */
+/* IDL: */
+/* IDL: ); */
+
+static int
+IWbemServices_dissect_iwbemservices_opnum10_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ guint32 status;
+
+ di->dcerpc_procedure_name="iwbemservices_opnum10";
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep, hf_IWbemServices_werror, &status);
+
+ if (status != 0)
+ col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str(status, WERR_errors, "Unknown DOS error 0x%08x"));
+
+ return offset;
+}
+
+static int
+IWbemServices_dissect_iwbemservices_opnum10_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ di->dcerpc_procedure_name="iwbemservices_opnum10";
+ return offset;
+}
+
+/* IDL: WERROR iwbemservices_opnum11( */
+/* IDL: */
+/* IDL: ); */
+
+static int
+IWbemServices_dissect_iwbemservices_opnum11_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ guint32 status;
+
+ di->dcerpc_procedure_name="iwbemservices_opnum11";
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep, hf_IWbemServices_werror, &status);
+
+ if (status != 0)
+ col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str(status, WERR_errors, "Unknown DOS error 0x%08x"));
+
+ return offset;
+}
+
+static int
+IWbemServices_dissect_iwbemservices_opnum11_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ di->dcerpc_procedure_name="iwbemservices_opnum11";
+ return offset;
+}
+
+/* IDL: WERROR iwbemservices_opnum12( */
+/* IDL: */
+/* IDL: ); */
+
+static int
+IWbemServices_dissect_iwbemservices_opnum12_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ guint32 status;
+
+ di->dcerpc_procedure_name="iwbemservices_opnum12";
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep, hf_IWbemServices_werror, &status);
+
+ if (status != 0)
+ col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str(status, WERR_errors, "Unknown DOS error 0x%08x"));
+
+ return offset;
+}
+
+static int
+IWbemServices_dissect_iwbemservices_opnum12_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ di->dcerpc_procedure_name="iwbemservices_opnum12";
+ return offset;
+}
+
+/* IDL: WERROR iwbemservices_opnum13( */
+/* IDL: */
+/* IDL: ); */
+
+static int
+IWbemServices_dissect_iwbemservices_opnum13_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ guint32 status;
+
+ di->dcerpc_procedure_name="iwbemservices_opnum13";
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep, hf_IWbemServices_werror, &status);
+
+ if (status != 0)
+ col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str(status, WERR_errors, "Unknown DOS error 0x%08x"));
+
+ return offset;
+}
+
+static int
+IWbemServices_dissect_iwbemservices_opnum13_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ di->dcerpc_procedure_name="iwbemservices_opnum13";
+ return offset;
+}
+
+/* IDL: WERROR iwbemservices_opnum14( */
+/* IDL: */
+/* IDL: ); */
+
+static int
+IWbemServices_dissect_iwbemservices_opnum14_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ guint32 status;
+
+ di->dcerpc_procedure_name="iwbemservices_opnum14";
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep, hf_IWbemServices_werror, &status);
+
+ if (status != 0)
+ col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str(status, WERR_errors, "Unknown DOS error 0x%08x"));
+
+ return offset;
+}
+
+static int
+IWbemServices_dissect_iwbemservices_opnum14_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ di->dcerpc_procedure_name="iwbemservices_opnum14";
+ return offset;
+}
+
+/* IDL: WERROR iwbemservices_opnum15( */
+/* IDL: */
+/* IDL: ); */
+
+static int
+IWbemServices_dissect_iwbemservices_opnum15_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ guint32 status;
+
+ di->dcerpc_procedure_name="iwbemservices_opnum15";
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep, hf_IWbemServices_werror, &status);
+
+ if (status != 0)
+ col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str(status, WERR_errors, "Unknown DOS error 0x%08x"));
+
+ return offset;
+}
+
+static int
+IWbemServices_dissect_iwbemservices_opnum15_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ di->dcerpc_procedure_name="iwbemservices_opnum15";
+ return offset;
+}
+
+/* IDL: WERROR iwbemservices_opnum16( */
+/* IDL: */
+/* IDL: ); */
+
+static int
+IWbemServices_dissect_iwbemservices_opnum16_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ guint32 status;
+
+ di->dcerpc_procedure_name="iwbemservices_opnum16";
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep, hf_IWbemServices_werror, &status);
+
+ if (status != 0)
+ col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str(status, WERR_errors, "Unknown DOS error 0x%08x"));
+
+ return offset;
+}
+
+static int
+IWbemServices_dissect_iwbemservices_opnum16_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ di->dcerpc_procedure_name="iwbemservices_opnum16";
+ return offset;
+}
+
+/* IDL: WERROR iwbemservices_opnum17( */
+/* IDL: */
+/* IDL: ); */
+
+static int
+IWbemServices_dissect_iwbemservices_opnum17_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ guint32 status;
+
+ di->dcerpc_procedure_name="iwbemservices_opnum17";
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep, hf_IWbemServices_werror, &status);
+
+ if (status != 0)
+ col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str(status, WERR_errors, "Unknown DOS error 0x%08x"));
+
+ return offset;
+}
+
+static int
+IWbemServices_dissect_iwbemservices_opnum17_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ di->dcerpc_procedure_name="iwbemservices_opnum17";
+ return offset;
+}
+
+/* IDL: WERROR iwbemservices_opnum18( */
+/* IDL: */
+/* IDL: ); */
+
+static int
+IWbemServices_dissect_iwbemservices_opnum18_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ guint32 status;
+
+ di->dcerpc_procedure_name="iwbemservices_opnum18";
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep, hf_IWbemServices_werror, &status);
+
+ if (status != 0)
+ col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str(status, WERR_errors, "Unknown DOS error 0x%08x"));
+
+ return offset;
+}
+
+static int
+IWbemServices_dissect_iwbemservices_opnum18_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ di->dcerpc_procedure_name="iwbemservices_opnum18";
+ return offset;
+}
+
+/* IDL: WERROR iwbemservices_opnum19( */
+/* IDL: */
+/* IDL: ); */
+
+static int
+IWbemServices_dissect_iwbemservices_opnum19_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ guint32 status;
+
+ di->dcerpc_procedure_name="iwbemservices_opnum19";
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep, hf_IWbemServices_werror, &status);
+
+ if (status != 0)
+ col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str(status, WERR_errors, "Unknown DOS error 0x%08x"));
+
+ return offset;
+}
+
+static int
+IWbemServices_dissect_iwbemservices_opnum19_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ di->dcerpc_procedure_name="iwbemservices_opnum19";
+ return offset;
+}
+
+/* IDL: WERROR iwbemservices_opnum20( */
+/* IDL: */
+/* IDL: ); */
+
+static int
+IWbemServices_dissect_iwbemservices_opnum20_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ guint32 status;
+
+ di->dcerpc_procedure_name="iwbemservices_opnum20";
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep, hf_IWbemServices_werror, &status);
+
+ if (status != 0)
+ col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str(status, WERR_errors, "Unknown DOS error 0x%08x"));
+
+ return offset;
+}
+
+static int
+IWbemServices_dissect_iwbemservices_opnum20_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ di->dcerpc_procedure_name="iwbemservices_opnum20";
+ return offset;
+}
+
+/* IDL: WERROR iwbemservices_opnum21( */
+/* IDL: */
+/* IDL: ); */
+
+static int
+IWbemServices_dissect_iwbemservices_opnum21_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ guint32 status;
+
+ di->dcerpc_procedure_name="iwbemservices_opnum21";
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep, hf_IWbemServices_werror, &status);
+
+ if (status != 0)
+ col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str(status, WERR_errors, "Unknown DOS error 0x%08x"));
+
+ return offset;
+}
+
+static int
+IWbemServices_dissect_iwbemservices_opnum21_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ di->dcerpc_procedure_name="iwbemservices_opnum21";
+ return offset;
+}
+
+/* IDL: WERROR iwbemservices_opnum22( */
+/* IDL: */
+/* IDL: ); */
+
+static int
+IWbemServices_dissect_iwbemservices_opnum22_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ guint32 status;
+
+ di->dcerpc_procedure_name="iwbemservices_opnum22";
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep, hf_IWbemServices_werror, &status);
+
+ if (status != 0)
+ col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str(status, WERR_errors, "Unknown DOS error 0x%08x"));
+
+ return offset;
+}
+
+static int
+IWbemServices_dissect_iwbemservices_opnum22_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ di->dcerpc_procedure_name="iwbemservices_opnum22";
+ return offset;
+}
+
+/* IDL: WERROR iwbemservices_opnum23( */
+/* IDL: */
+/* IDL: ); */
+
+static int
+IWbemServices_dissect_iwbemservices_opnum23_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ guint32 status;
+
+ di->dcerpc_procedure_name="iwbemservices_opnum23";
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep, hf_IWbemServices_werror, &status);
+
+ if (status != 0)
+ col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str(status, WERR_errors, "Unknown DOS error 0x%08x"));
+
+ return offset;
+}
+
+static int
+IWbemServices_dissect_iwbemservices_opnum23_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ di->dcerpc_procedure_name="iwbemservices_opnum23";
+ return offset;
+}
+
+static int
+IWbemServices_dissect_element_ExecMethod_strObjectPath(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ offset = dissect_ndr_toplevel_pointer(tvb, offset, pinfo, tree, di, drep, IWbemServices_dissect_element_ExecMethod_strObjectPath_, NDR_POINTER_UNIQUE, "Pointer to StrObjectPath (uint16)",hf_IWbemServices_ExecMethod_strObjectPath);
+
+ return offset;
+}
+
+static int
+IWbemServices_dissect_element_ExecMethod_strObjectPath_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ char *data;
+
+ offset = dissect_ndr_cvstring(tvb, offset, pinfo, tree, di, drep, sizeof(guint16), hf_IWbemServices_ExecMethod_strObjectPath, FALSE, &data);
+ proto_item_append_text(tree, ": %s", data);
+
+ return offset;
+}
+
+static int
+IWbemServices_dissect_element_ExecMethod_strMethodName(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ offset = dissect_ndr_toplevel_pointer(tvb, offset, pinfo, tree, di, drep, IWbemServices_dissect_element_ExecMethod_strMethodName_, NDR_POINTER_UNIQUE, "Pointer to StrMethodName (uint16)",hf_IWbemServices_ExecMethod_strMethodName);
+
+ return offset;
+}
+
+static int
+IWbemServices_dissect_element_ExecMethod_strMethodName_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ char *data;
+
+ offset = dissect_ndr_cvstring(tvb, offset, pinfo, tree, di, drep, sizeof(guint16), hf_IWbemServices_ExecMethod_strMethodName, FALSE, &data);
+ proto_item_append_text(tree, ": %s", data);
+
+ return offset;
+}
+
+static int
+IWbemServices_dissect_element_ExecMethod_lFlags(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ offset = PIDL_dissect_uint32(tvb, offset, pinfo, tree, di, drep, hf_IWbemServices_ExecMethod_lFlags, 0);
+
+ return offset;
+}
+
+static int
+IWbemServices_dissect_element_ExecMethod_orpcthat(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ offset = dissect_ndr_toplevel_pointer(tvb, offset, pinfo, tree, di, drep, IWbemServices_dissect_element_ExecMethod_orpcthat_, NDR_POINTER_REF, "Pointer to Orpcthat (ORPCTHAT)",hf_IWbemServices_ExecMethod_orpcthat);
+
+ return offset;
+}
+
+/* IDL: WERROR ExecMethod( */
+/* IDL: [in] ORPCTHIS orpcthis, */
+/* IDL: [charset(UTF16)] [in] [unique(1)] uint16 *strObjectPath, */
+/* IDL: [charset(UTF16)] [in] [unique(1)] uint16 *strMethodName, */
+/* IDL: [in] uint32 lFlags, */
+/* IDL: [out] [ref] ORPCTHAT *orpcthat */
+/* IDL: ); */
+
+static int
+IWbemServices_dissect_ExecMethod_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ guint32 status;
+
+ di->dcerpc_procedure_name="ExecMethod";
+ offset = IWbemServices_dissect_element_ExecMethod_orpcthat(tvb, offset, pinfo, tree, di, drep);
+ offset = dissect_deferred_pointers(pinfo, tvb, offset, di, drep);
+
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep, hf_IWbemServices_werror, &status);
+
+ if (status != 0)
+ col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str(status, WERR_errors, "Unknown DOS error 0x%08x"));
+
+ return offset;
+}
+
+static int
+IWbemServices_dissect_ExecMethod_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_)
+{
+ di->dcerpc_procedure_name="ExecMethod";
+ offset = IWbemServices_dissect_element_ExecMethod_orpcthis(tvb, offset, pinfo, tree, di, drep);
+ offset = dissect_deferred_pointers(pinfo, tvb, offset, di, drep);
+ offset = IWbemServices_dissect_element_ExecMethod_strObjectPath(tvb, offset, pinfo, tree, di, drep);
+ offset = dissect_deferred_pointers(pinfo, tvb, offset, di, drep);
+ offset = IWbemServices_dissect_element_ExecMethod_strMethodName(tvb, offset, pinfo, tree, di, drep);
+ offset = dissect_deferred_pointers(pinfo, tvb, offset, di, drep);
+ offset = IWbemServices_dissect_element_ExecMethod_lFlags(tvb, offset, pinfo, tree, di, drep);
+ offset = dissect_deferred_pointers(pinfo, tvb, offset, di, drep);
+ return offset;
+}
+
+
+static dcerpc_sub_dissector IWbemServices_dissectors[] = {
+ { 0, "iwbemservices_opnum0",
+ IWbemServices_dissect_iwbemservices_opnum0_request, IWbemServices_dissect_iwbemservices_opnum0_response},
+ { 1, "iwbemservices_opnum1",
+ IWbemServices_dissect_iwbemservices_opnum1_request, IWbemServices_dissect_iwbemservices_opnum1_response},
+ { 2, "iwbemservices_opnum2",
+ IWbemServices_dissect_iwbemservices_opnum2_request, IWbemServices_dissect_iwbemservices_opnum2_response},
+ { 3, "iwbemservices_OpenNamespace",
+ IWbemServices_dissect_iwbemservices_OpenNamespace_request, IWbemServices_dissect_iwbemservices_OpenNamespace_response},
+ { 4, "iwbemservices_CancelAsyncCall",
+ IWbemServices_dissect_iwbemservices_CancelAsyncCall_request, IWbemServices_dissect_iwbemservices_CancelAsyncCall_response},
+ { 5, "iwbemservices_QueryObjectSink",
+ IWbemServices_dissect_iwbemservices_QueryObjectSink_request, IWbemServices_dissect_iwbemservices_QueryObjectSink_response},
+ { 6, "GetObject",
+ IWbemServices_dissect_GetObject_request, IWbemServices_dissect_GetObject_response},
+ { 7, "iwbemservices_opnum7",
+ IWbemServices_dissect_iwbemservices_opnum7_request, IWbemServices_dissect_iwbemservices_opnum7_response},
+ { 8, "iwbemservices_opnum8",
+ IWbemServices_dissect_iwbemservices_opnum8_request, IWbemServices_dissect_iwbemservices_opnum8_response},
+ { 9, "iwbemservices_opnum9",
+ IWbemServices_dissect_iwbemservices_opnum9_request, IWbemServices_dissect_iwbemservices_opnum9_response},
+ { 10, "iwbemservices_opnum10",
+ IWbemServices_dissect_iwbemservices_opnum10_request, IWbemServices_dissect_iwbemservices_opnum10_response},
+ { 11, "iwbemservices_opnum11",
+ IWbemServices_dissect_iwbemservices_opnum11_request, IWbemServices_dissect_iwbemservices_opnum11_response},
+ { 12, "iwbemservices_opnum12",
+ IWbemServices_dissect_iwbemservices_opnum12_request, IWbemServices_dissect_iwbemservices_opnum12_response},
+ { 13, "iwbemservices_opnum13",
+ IWbemServices_dissect_iwbemservices_opnum13_request, IWbemServices_dissect_iwbemservices_opnum13_response},
+ { 14, "iwbemservices_opnum14",
+ IWbemServices_dissect_iwbemservices_opnum14_request, IWbemServices_dissect_iwbemservices_opnum14_response},
+ { 15, "iwbemservices_opnum15",
+ IWbemServices_dissect_iwbemservices_opnum15_request, IWbemServices_dissect_iwbemservices_opnum15_response},
+ { 16, "iwbemservices_opnum16",
+ IWbemServices_dissect_iwbemservices_opnum16_request, IWbemServices_dissect_iwbemservices_opnum16_response},
+ { 17, "iwbemservices_opnum17",
+ IWbemServices_dissect_iwbemservices_opnum17_request, IWbemServices_dissect_iwbemservices_opnum17_response},
+ { 18, "iwbemservices_opnum18",
+ IWbemServices_dissect_iwbemservices_opnum18_request, IWbemServices_dissect_iwbemservices_opnum18_response},
+ { 19, "iwbemservices_opnum19",
+ IWbemServices_dissect_iwbemservices_opnum19_request, IWbemServices_dissect_iwbemservices_opnum19_response},
+ { 20, "iwbemservices_opnum20",
+ IWbemServices_dissect_iwbemservices_opnum20_request, IWbemServices_dissect_iwbemservices_opnum20_response},
+ { 21, "iwbemservices_opnum21",
+ IWbemServices_dissect_iwbemservices_opnum21_request, IWbemServices_dissect_iwbemservices_opnum21_response},
+ { 22, "iwbemservices_opnum22",
+ IWbemServices_dissect_iwbemservices_opnum22_request, IWbemServices_dissect_iwbemservices_opnum22_response},
+ { 23, "iwbemservices_opnum23",
+ IWbemServices_dissect_iwbemservices_opnum23_request, IWbemServices_dissect_iwbemservices_opnum23_response},
+ { 24, "ExecMethod",
+ IWbemServices_dissect_ExecMethod_request, IWbemServices_dissect_ExecMethod_response},
+ { 0, NULL, NULL, NULL }
+};
+
+void proto_register_dcerpc_IWbemServices(void)
+{
+ static hf_register_info hf[] = {
+ { &hf_IWbemServices_ExecMethod_lFlags,
+ { "LFlags", "IWbemServices.ExecMethod.lFlags", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL }},
+ { &hf_IWbemServices_ExecMethod_orpcthat,
+ { "Orpcthat", "IWbemServices.ExecMethod.orpcthat", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }},
+ { &hf_IWbemServices_ExecMethod_orpcthis,
+ { "Orpcthis", "IWbemServices.ExecMethod.orpcthis", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }},
+ { &hf_IWbemServices_ExecMethod_strMethodName,
+ { "StrMethodName", "IWbemServices.ExecMethod.strMethodName", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL }},
+ { &hf_IWbemServices_ExecMethod_strObjectPath,
+ { "StrObjectPath", "IWbemServices.ExecMethod.strObjectPath", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL }},
+ { &hf_IWbemServices_GetObject_lFlags,
+ { "LFlags", "IWbemServices.GetObject.lFlags", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL }},
+ { &hf_IWbemServices_GetObject_orpcthat,
+ { "Orpcthat", "IWbemServices.GetObject.orpcthat", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }},
+ { &hf_IWbemServices_GetObject_orpcthis,
+ { "Orpcthis", "IWbemServices.GetObject.orpcthis", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }},
+ { &hf_IWbemServices_GetObject_pCtx,
+ { "PCtx", "IWbemServices.GetObject.pCtx", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }},
+ { &hf_IWbemServices_GetObject_ppCallResult,
+ { "PpCallResult", "IWbemServices.GetObject.ppCallResult", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }},
+ { &hf_IWbemServices_GetObject_ppObject,
+ { "PpObject", "IWbemServices.GetObject.ppObject", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }},
+ { &hf_IWbemServices_GetObject_strObjectPath,
+ { "StrObjectPath", "IWbemServices.GetObject.strObjectPath", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL }},
+ { &hf_IWbemServices_IWbemClassObject_count,
+ { "Count", "IWbemServices.IWbemClassObject.count", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL }},
+ { &hf_IWbemServices_IWbemClassObject_objects,
+ { "Objects", "IWbemServices.IWbemClassObject.objects", FT_UINT8, BASE_DEC, NULL, 0, NULL, HFILL }},
+ { &hf_IWbemServices_IWbemContext_intPtr,
+ { "IntPtr", "IWbemServices.IWbemContext.intPtr", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }},
+ { &hf_IWbemServices_IWbemContext_u,
+ { "U", "IWbemServices.IWbemContext.u", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL }},
+ { &hf_IWbemServices_MInterfacePointer_abData,
+ { "AbData", "IWbemServices.MInterfacePointer.abData", FT_UINT8, BASE_DEC, NULL, 0, NULL, HFILL }},
+ { &hf_IWbemServices_MInterfacePointer_ulCntData,
+ { "UlCntData", "IWbemServices.MInterfacePointer.ulCntData", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL }},
+ { &hf_IWbemServices_opnum,
+ { "Operation", "IWbemServices.opnum", FT_UINT16, BASE_DEC, NULL, 0, NULL, HFILL }},
+ { &hf_IWbemServices_werror,
+ { "Windows Error", "IWbemServices.werror", FT_UINT32, BASE_HEX, VALS(WERR_errors), 0, NULL, HFILL }},
+ };
+
+
+ static gint *ett[] = {
+ &ett_IWbemServices_GetObject_orpcthis,
+ &ett_IWbemServices_GetObject_orpcthat,
+ &ett_IWbemServices_ExecMethod_orpcthis,
+ &ett_IWbemServices_ExecMethod_orpcthat,
+ &ett_dcerpc_IWbemServices,
+ &ett_IWbemServices_ORPCTHIS,
+ &ett_IWbemServices_ORPCTHAT,
+ &ett_IWbemServices_IWbemCallResult,
+ &ett_IWbemServices_IWbemClassObject,
+ &ett_IWbemServices_MInterfacePointer,
+ &ett_IWbemServices_IWbemContext,
+ };
+
+ proto_dcerpc_IWbemServices = proto_register_protocol("IWBEMSERVICES (pidl)", "IWBEMSERVICES", "IWbemServices");
+ proto_register_field_array(proto_dcerpc_IWbemServices, hf, array_length (hf));
+ proto_register_subtree_array(ett, array_length(ett));
+}
+
+void proto_reg_handoff_dcerpc_IWbemServices(void)
+{
+ dcerpc_init_uuid(proto_dcerpc_IWbemServices, ett_dcerpc_IWbemServices,
+ &uuid_dcerpc_IWbemServices, ver_dcerpc_IWbemServices,
+ IWbemServices_dissectors, hf_IWbemServices_opnum);
+}
diff --git a/epan/dissectors/packet-dcerpc-iwbemservices.h b/epan/dissectors/packet-dcerpc-iwbemservices.h
new file mode 100644
index 0000000000..5f332bc99f
--- /dev/null
+++ b/epan/dissectors/packet-dcerpc-iwbemservices.h
@@ -0,0 +1,20 @@
+/* DO NOT EDIT
+ This file was automatically generated by Pidl
+ from iwbemservices.idl and iwbemservices.cnf.
+
+ Pidl is a perl based IDL compiler for DCE/RPC idl files.
+ It is maintained by the Samba team, not the Wireshark team.
+ Instructions on how to download and install Pidl can be
+ found at https://gitlab.com/wireshark/wireshark/-/wikis/Pidl
+*/
+
+#ifndef __PACKET_DCERPC_IWBEMSERVICES_H
+#define __PACKET_DCERPC_IWBEMSERVICES_H
+
+int IWbemServices_dissect_struct_ORPCTHIS(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *parent_tree _U_, dcerpc_info* di _U_, guint8 *drep _U_, int hf_index _U_, guint32 param _U_);
+int IWbemServices_dissect_struct_ORPCTHAT(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *parent_tree _U_, dcerpc_info* di _U_, guint8 *drep _U_, int hf_index _U_, guint32 param _U_);
+int IWbemServices_dissect_struct_IWbemCallResult(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *parent_tree _U_, dcerpc_info* di _U_, guint8 *drep _U_, int hf_index _U_, guint32 param _U_);
+int IWbemServices_dissect_struct_IWbemClassObject(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *parent_tree _U_, dcerpc_info* di _U_, guint8 *drep _U_, int hf_index _U_, guint32 param _U_);
+int IWbemServices_dissect_struct_MInterfacePointer(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *parent_tree _U_, dcerpc_info* di _U_, guint8 *drep _U_, int hf_index _U_, guint32 param _U_);
+int IWbemServices_dissect_struct_IWbemContext(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *parent_tree _U_, dcerpc_info* di _U_, guint8 *drep _U_, int hf_index _U_, guint32 param _U_);
+#endif /* __PACKET_DCERPC_IWBEMSERVICES_H */
diff --git a/epan/dissectors/packet-dcom.c b/epan/dissectors/packet-dcom.c
index 4b621748ac..f01065bf3b 100644
--- a/epan/dissectors/packet-dcom.c
+++ b/epan/dissectors/packet-dcom.c
@@ -2017,7 +2017,7 @@ dissect_dcom_CUSTOBJREF(tvbuff_t *tvb, gint offset, packet_info *pinfo,
/* the following data depends on the iid, get the routine by iid */
routine = dcom_get_routine_by_uuid(iid);
if (routine){
- offset = routine(tvb, offset, pinfo, sub_tree, di, drep, 0);
+ offset = routine(tvb, offset, pinfo, sub_tree, di, drep, u32Size);
}
/* append info to subtree header */
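Review bot: The new last argument `u32Size` on the `routine(...)` call is handed to the IID-specific routine without being bounded by the data actually left in the buffer. Where `u32Size` is set lies outside this hunk, but if it is read from the CUSTOBJREF on the wire it is a sender-controlled length, and a callee that uses it as a size must not trust it beyond the tvb. I would clamp it at the call site: `guint32 avail = (guint32)tvb_reported_length_remaining(tvb, offset);` followed by `offset = routine(tvb, offset, pinfo, sub_tree, di, drep, MIN(u32Size, avail));`. Every routine returned by `dcom_get_routine_by_uuid` used to receive 0 in this position, so already-registered callees should be checked for how they interpret a non-zero value. `dissect_dcom_CUSTOBJREF` begins and ends outside the hunk.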
diff --git a/epan/dissectors/packet-wmio.c b/epan/dissectors/packet-wmio.c
new file mode 100644
index 0000000000..cd28c214c4
--- /dev/null
+++ b/epan/dissectors/packet-wmio.c
@@ -0,0 +1,1242 @@
+/* packet-wmio.c
+ * Wireshark's WMIO dissector.
+ *
+ * Copyright 2024, Hiddencodes Sec <hidd3ncod3s[]gmail.com>
+ *
+ * Wireshark - Network traffic analyzer
+ * By Gerald Combs <gerald@wireshark.org>
+ * Copyright 1998 Gerald Combs
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#include "config.h"
+
+#include <epan/packet.h>
+#include "packet-dcerpc.h"
+#include <packet-dcom.h>
+
+void proto_register_WMIO (void);
+void proto_reg_handoff_WMIO (void);
+
+static int proto_WMIO;
+
+/* IWbemClassObject Interface
+ * https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wmi/46710c5c-d7ab-4e4c-b4a5-ebff311fdcd1
+ * dc12a681-737f-11cf-884d-00aa004b2e24
+ */
+static e_guid_t iid_WMIO = { 0xdc12a681, 0x737f, 0x11cf, { 0x88, 0x4d, 0x00, 0xaa, 0x00, 0x4b, 0x2e, 0x24} };
+
+static guint32 wmio_signature = 0x12345678;
+
+#define CLASS_HEADER_LENGTH 13
+
+#define WMIO_OBJECT_FLAG_CIM_CLASS 0X01
+#define WMIO_OBJECT_FLAG_CIM_INSTANCE 0X02
+#define WMIO_OBJECT_FLAG_HAS_DECORATION 0X04
+#define WMIO_OBJECT_FLAG_PROTOTYPE_RESULT_OBJECT 0X10
+#define WMIO_OBJECT_FLAG_KEY_PROPERTY_MISSING 0X40
+
+#define WBEM_FLAVOR_FLAG_PROPAGATE_TO_INSTANCE 0x01
+#define WBEM_FLAVOR_FLAG_PROPAGATE_TO_DERIVED_CLASS 0x02
+#define WBEM_FLAVOR_NOT_OVERRIDABLE 0x10
+#define WBEM_FLAVOR_ORIGIN_PROPAGATED 0x20
+#define WBEM_FLAVOR_ORIGIN_SYSTEM 0x40
+#define WBEM_FLAVOR_AMENDED 0x80
+
+#define CIM_ARRAY_FLAG 0x2000
+#define INHERITED_PROPERTY_TYPE 0x4000
+
+/* CimType
+ * https://learn.microsoft.com/de-de/openspecs/windows_protocols/ms-wmio/e137e6c6-c1cc-449e-a0b4-76fabf534480
+ * CimType is a 32-bit value of which only the lower 16 bits are used.
+ */
+#define CIM_TYPE_SINT16 2
+#define CIM_TYPE_SINT32 3
+#define CIM_TYPE_REAL32 4
+#define CIM_TYPE_REAL64 5
+#define CIM_TYPE_STRING 8
+#define CIM_TYPE_BOOLEAN 11
+#define CIM_TYPE_OBJECT 13
+#define CIM_TYPE_SINT8 16
+#define CIM_TYPE_UINT8 17
+#define CIM_TYPE_UINT16 18
+#define CIM_TYPE_UINT32 19
+#define CIM_TYPE_SINT64 20
+#define CIM_TYPE_UINT64 21
+#define CIM_TYPE_DATETIME 101
+#define CIM_TYPE_REFERENCE 102
+#define CIM_TYPE_CHAR16 103
+
+#define CIM_ARRAY_TYPE(X) (CIM_ARRAY_FLAG | X)
+
+#define CIM_ARRAY_SINT8 CIM_ARRAY_TYPE(CIM_TYPE_SINT8)
+#define CIM_ARRAY_UINT8 CIM_ARRAY_TYPE(CIM_TYPE_UINT8)
+#define CIM_ARRAY_SINT16 CIM_ARRAY_TYPE(CIM_TYPE_SINT16)
+#define CIM_ARRAY_UINT16 CIM_ARRAY_TYPE(CIM_TYPE_UINT16)
+#define CIM_ARRAY_SINT32 CIM_ARRAY_TYPE(CIM_TYPE_SINT32)
+#define CIM_ARRAY_UINT32 CIM_ARRAY_TYPE(CIM_TYPE_UINT32)
+#define CIM_ARRAY_SINT64 CIM_ARRAY_TYPE(CIM_TYPE_SINT64)
+#define CIM_ARRAY_UINT64 CIM_ARRAY_TYPE(CIM_TYPE_UINT64)
+#define CIM_ARRAY_REAL32 CIM_ARRAY_TYPE(CIM_TYPE_REAL32)
+#define CIM_ARRAY_REAL64 CIM_ARRAY_TYPE(CIM_TYPE_REAL64)
+#define CIM_ARRAY_BOOLEAN CIM_ARRAY_TYPE(CIM_TYPE_BOOLEAN)
+#define CIM_ARRAY_STRING CIM_ARRAY_TYPE(CIM_TYPE_STRING)
+#define CIM_ARRAY_DATETIME CIM_ARRAY_TYPE(CIM_TYPE_DATETIME)
+#define CIM_ARRAY_REFERENCE CIM_ARRAY_TYPE(CIM_TYPE_REFERENCE)
+#define CIM_ARRAY_CHAR16 CIM_ARRAY_TYPE(CIM_TYPE_CHAR16)
+#define CIM_ARRAY_OBJECT CIM_ARRAY_TYPE(CIM_TYPE_OBJECT)
+
+#define STRINGFY(X) { X, #X}
+
+static const value_string cim_types[] = {
+ STRINGFY(CIM_TYPE_SINT8),
+ STRINGFY(CIM_TYPE_UINT8),
+ STRINGFY(CIM_TYPE_SINT16),
+ STRINGFY(CIM_TYPE_UINT16),
+ STRINGFY(CIM_TYPE_SINT32),
+ STRINGFY(CIM_TYPE_UINT32),
+ STRINGFY(CIM_TYPE_SINT64),
+ STRINGFY(CIM_TYPE_UINT64),
+ STRINGFY(CIM_TYPE_REAL32),
+ STRINGFY(CIM_TYPE_REAL64),
+ STRINGFY(CIM_TYPE_BOOLEAN),
+ STRINGFY(CIM_TYPE_STRING),
+ STRINGFY(CIM_TYPE_DATETIME),
+ STRINGFY(CIM_TYPE_REFERENCE),
+ STRINGFY(CIM_TYPE_CHAR16),
+ STRINGFY(CIM_TYPE_OBJECT),
+ STRINGFY(CIM_ARRAY_SINT8),
+ STRINGFY(CIM_ARRAY_UINT8),
+ STRINGFY(CIM_ARRAY_SINT16),
+ STRINGFY(CIM_ARRAY_UINT16),
+ STRINGFY(CIM_ARRAY_SINT32),
+ STRINGFY(CIM_ARRAY_UINT32),
+ STRINGFY(CIM_ARRAY_SINT64),
+ STRINGFY(CIM_ARRAY_UINT64),
+ STRINGFY(CIM_ARRAY_REAL32),
+ STRINGFY(CIM_ARRAY_REAL64),
+ STRINGFY(CIM_ARRAY_BOOLEAN),
+ STRINGFY(CIM_ARRAY_STRING),
+ STRINGFY(CIM_ARRAY_DATETIME),
+ STRINGFY(CIM_ARRAY_REFERENCE),
+ STRINGFY(CIM_ARRAY_CHAR16),
+ STRINGFY(CIM_ARRAY_OBJECT),
+ { 0, NULL } };
+
+static int hf_wmio;
+static int hf_wmio_signature;
+static int hf_wmio_objectencodinglength;
+static int hf_wmio_object_flags;
+static int hf_wmio_object_flags_cim_class;
+static int hf_wmio_object_flags_cim_instance;
+static int hf_wmio_object_flags_has_decoration;
+static int hf_wmio_object_flags_prototype_result_object;
+static int hf_wmio_object_flags_key_property_missing;
+static int hf_wmio_decoration;
+static int hf_wmio_decoration_server_name;
+static int hf_wmio_decoration_namespace;
+static int hf_wmio_encoded_string;
+static int hf_wmio_encoded_string_flags;
+static int hf_wmio_encoded_string_flags_unicode;
+static int hf_wmio_class_part;
+static int hf_wmio_class_header;
+static int hf_wmio_class_header_partlength;
+static int hf_wmio_class_header_nameref;
+static int hf_wmio_class_header_ndtablevaluetablelength;
+static int hf_wmio_class_derivation;
+static int hf_wmio_class_derivation_length;
+static int hf_wmio_derivation_classname;
+static int hf_wmio_class_name_length;
+static int hf_wmio_qualifierset;
+static int hf_wmio_qualifierset_length;
+static int hf_wmio_qualifier;
+static int hf_wmio_qualifiername;
+static int hf_wmio_cimtype;
+static int hf_wmio_qualifiervalue;
+static int hf_wmio_bytes;
+static int hf_wmio_flavor;
+static int hf_wmio_flavor_propagate_to_instance;
+static int hf_wmio_flavor_propagate_to_derived_class;
+static int hf_wmio_flavor_not_overridable;
+static int hf_wmio_flavor_origin_propagated;
+static int hf_wmio_flavor_origin_system;
+static int hf_wmio_flavor_amended;
+static int hf_wmio_propertylookuptable;
+static int hf_wmio_propertylookuptable_count;
+static int hf_wmio_propertylookup;
+static int hf_wmio_propertynameref;
+static int hf_wmio_propertyinforef;
+static int hf_wmio_ndtable;
+static int hf_wmio_heap;
+static int hf_wmio_heap_length;
+static int hf_methodspart;
+static int hf_methodspart_length;
+static int hf_methodspart_methodcount;
+static int hf_methodspart_methods;
+static int hf_methodspart_methoddescription;
+static int hf_methoddescription_methodname;
+static int hf_methoddescription_methodflags;
+static int hf_methoddescription_methodqualifiers;
+static int hf_parentclass;
+static int hf_currentclass;
+static int hf_methoddescription_methodorigin;
+static int hf_methoddescription_inputsignature;
+static int hf_methoddescription_outputsignature;
+static int hf_heap_offset;
+static int hf_property_info;
+static int hf_declaration_order;
+static int hf_propertyinfo_inherited;
+static int hf_propertyinfo_valuetableoffset;
+static int hf_propertyinfo_classoforigin;
+static int hf_methodsignature_offset;
+
+static hf_register_info hf[] = {
+ { &hf_wmio,
+ { "WMIO", "wmio", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
+ { &hf_wmio_signature,
+ { "Signature", "wmio.signature", FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL }},
+ { &hf_wmio_objectencodinglength,
+ { "Object Encoding Length", "wmio.objectencodinglength", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
+ { &hf_wmio_object_flags,
+ { "Object flags", "wmio.objectflags", FT_UINT8, BASE_HEX, NULL, 0x0, NULL, HFILL }},
+ { &hf_wmio_object_flags_cim_class,
+ { "CIM Class", "wmio.objectflags.cim_class", FT_BOOLEAN, 8, NULL, WMIO_OBJECT_FLAG_CIM_CLASS, NULL, HFILL }},
+ { &hf_wmio_object_flags_cim_instance,
+ { "CIM Instance", "wmio.objectflags.cim_Instance", FT_BOOLEAN, 8, NULL, WMIO_OBJECT_FLAG_CIM_INSTANCE, NULL, HFILL }},
+ { &hf_wmio_object_flags_has_decoration,
+ { "Has Decoration", "wmio.objectflags.has_decoration", FT_BOOLEAN, 8, NULL, WMIO_OBJECT_FLAG_HAS_DECORATION, NULL, HFILL }},
+ { &hf_wmio_object_flags_prototype_result_object,
+ { "Prototype Result Object", "wmio.objectflags.prototype_result_object", FT_BOOLEAN, 8, NULL, WMIO_OBJECT_FLAG_PROTOTYPE_RESULT_OBJECT, NULL, HFILL }},
+ { &hf_wmio_object_flags_key_property_missing,
+ { "Key Property Missing", "wmio.objectflags.key_property_missing", FT_BOOLEAN, 8, NULL, WMIO_OBJECT_FLAG_KEY_PROPERTY_MISSING, NULL, HFILL }},
+ { &hf_wmio_encoded_string,
+ { "Encoded String", "wmio.encoded_string", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
+ { &hf_wmio_encoded_string_flags,
+ { "Flag", "wmio.encoded_string.flags", FT_UINT8, BASE_HEX, NULL, 0, NULL, HFILL }},
+ { &hf_wmio_encoded_string_flags_unicode,
+ { "Unicode", "wmio.encoded_string.flags.unicode", FT_BOOLEAN, 8, NULL, 0x1, NULL, HFILL }},
+ { &hf_wmio_decoration,
+ { "Decoration", "wmio.decoration", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
+ { &hf_wmio_decoration_server_name,
+ { "CIM Server Name", "wmio.decoration.server_name", FT_STRINGZ, BASE_NONE, NULL, 0x0, NULL, HFILL }},
+ { &hf_wmio_decoration_namespace,
+ { "CIM Namespace", "wmio.decoration.namespace", FT_STRINGZ, BASE_NONE, NULL, 0x0, NULL, HFILL }},
+ { &hf_wmio_class_part,
+ { "Class Part", "wmio.class.part", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }},
+ { &hf_wmio_class_header,
+ { "Class Header", "wmio.class.header", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }},
+ { &hf_wmio_class_header_partlength,
+ { "Class Header ClassPart Length", "wmio.class.header.length", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
+ { &hf_wmio_class_header_nameref,
+ { "Class Name Reference", "wmio.class.header.nameref", FT_STRINGZ, BASE_NONE, NULL, 0x0, NULL, HFILL }},
+ { &hf_wmio_class_header_ndtablevaluetablelength,
+ { "NdTable ValueTable Length", "wmio.class.header.ndtablevaluetablelength", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
+ { &hf_wmio_class_derivation,
+ { "Class Derivation", "wmio.class.derivation", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }},
+ { &hf_wmio_class_derivation_length,
+ { "Class Derivation Length", "wmio.class.derivation.length", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
+ { &hf_wmio_derivation_classname,
+ { "Derivation", "wmio.derivation.classname", FT_STRINGZ, BASE_NONE, NULL, 0x0, NULL, HFILL }},
+ { &hf_wmio_class_name_length,
+ { "Class Name Length", "wmio.derivation.classname_length", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
+ { &hf_wmio_qualifierset,
+ { "Qualifier Set", "wmio.qualifierset", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
+ { &hf_wmio_qualifierset_length,
+ { "Qualifier Length", "wmio.derivation.qualifier_length", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
+ { &hf_wmio_qualifier,
+ { "Qualifier", "wmio.qualifier", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
+ { &hf_wmio_qualifiername,
+ { "Qualifier Name", "wmio.qualifier_name", FT_STRINGZ, BASE_NONE, NULL, 0x0, NULL, HFILL }},
+ { &hf_wmio_flavor,
+ { "Flavor", "wmio.flavor", FT_UINT8, BASE_HEX, NULL, 0x0, NULL, HFILL }},
+ { &hf_wmio_flavor_propagate_to_instance,
+ { "Propagate To Derived Instance", "wmio.flavor.propagate_to_instance", FT_BOOLEAN, 8, NULL, WBEM_FLAVOR_FLAG_PROPAGATE_TO_INSTANCE, NULL, HFILL }},
+ { &hf_wmio_flavor_propagate_to_derived_class,
+ { "Propagate To Derived Class", "wmio.flavor.propagate_to_derived_class", FT_BOOLEAN, 8, NULL, WBEM_FLAVOR_FLAG_PROPAGATE_TO_DERIVED_CLASS, NULL, HFILL }},
+ { &hf_wmio_flavor_not_overridable,
+ { "Not Overridable", "wmio.flavor.not_overridable", FT_BOOLEAN, 8, NULL, WBEM_FLAVOR_NOT_OVERRIDABLE, NULL, HFILL }},
+ { &hf_wmio_flavor_origin_propagated,
+ { "Origin Propagated", "wmio.flavor.origin_propagated", FT_BOOLEAN, 8, NULL, WBEM_FLAVOR_ORIGIN_PROPAGATED, NULL, HFILL }},
+ { &hf_wmio_flavor_origin_system,
+ { "Origin System", "wmio.flavor.origin_system", FT_BOOLEAN, 8, NULL, WBEM_FLAVOR_ORIGIN_SYSTEM, NULL, HFILL }},
+ { &hf_wmio_flavor_amended,
+ { "Amended", "wmio.flavor.amended", FT_BOOLEAN, 8, NULL, WBEM_FLAVOR_AMENDED, NULL, HFILL }},
+ { &hf_wmio_cimtype,
+ { "CIM Type", "wmio.cim_type", FT_UINT32, BASE_HEX, VALS(cim_types), 0, NULL, HFILL }},
+ { &hf_wmio_propertylookuptable,
+ { "Property Lookup Table", "wmio.property_lookup_table", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
+ { &hf_wmio_propertylookuptable_count,
+ { "Property Lookup Table Count", "wmio.property_lookup_table.count", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
+ { &hf_wmio_ndtable,
+ { "NdTable", "wmio.ndtable", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
+ { &hf_wmio_propertylookup,
+ { "Property Lookup", "wmio.property_lookup", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
+ { &hf_wmio_propertynameref,
+ { "Property Name Ref", "wmio.property_lookup.propertynameref", FT_STRINGZ, BASE_NONE, NULL, 0x0, NULL, HFILL }},
+ { &hf_wmio_propertyinforef,
+ { "Property Info Ref", "wmio.property_lookup.propertyinforef", FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL }},
+ { &hf_wmio_heap,
+ { "Heap", "wmio.heap", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
+ { &hf_wmio_heap_length,
+ { "HeapLength", "wmio.heap.length", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL }},
+ { &hf_wmio_bytes,
+ { "WMIO Bytes", "wmio.bytes", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL }},
+ { &hf_methodspart,
+ { "Methodspart", "wmio.methodspart", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
+ { &hf_methodspart_length,
+ { "Methodspart Length", "wmio.methodspart.length", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
+ { &hf_methodspart_methodcount,
+ { "Methods Count", "wmio.methodspart.methodcount", FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }},
+ { &hf_methodspart_methods,
+ { "Methods", "wmio.methodspart.methods", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
+ { &hf_methodspart_methoddescription,
+ { "MethodDescription", "wmio.methodspart.methoddescription", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
+ { &hf_methoddescription_methodname,
+ { "Methodname", "wmio.methodspart.methoddescription.methodname", FT_STRINGZ, BASE_NONE, NULL, 0x0, NULL, HFILL }},
+ { &hf_methoddescription_methodflags,
+ { "Methodflags", "wmio.methodspart.methoddescription.methodflags", FT_UINT8, BASE_DEC, NULL, 0x0, NULL, HFILL }},
+ { &hf_methoddescription_methodorigin,
+ { "Methodorigin", "wmio.methodspart.methoddescription.methodorigin", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
+ { &hf_methoddescription_methodqualifiers,
+ { "Methodqualifiers", "wmio.methodspart.methoddescription.methodqualifiers", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
+ { &hf_methoddescription_inputsignature,
+ { "Inputsignature", "wmio.methodspart.methoddescription.inputsignature", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
+ { &hf_methoddescription_outputsignature,
+ { "Outputsignature", "wmio.methodspart.methoddescription.outputsignature", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
+ { &hf_parentclass,
+ { "Parent Class", "wmio.parentclass", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
+ { &hf_currentclass,
+ { "Current Class", "wmio.currentclass", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
+ { &hf_heap_offset,
+ { "Heap Offset", "wmio.heapoffset", FT_UINT32, BASE_HEX_DEC, NULL, 0x0, NULL, HFILL }},
+ { &hf_wmio_qualifiervalue,
+ { "Qualifier Value", "wmio.qualifier_value", FT_STRINGZ, BASE_NONE, NULL, 0x0, NULL, HFILL }},
+ { &hf_property_info,
+ { "Property Info", "wmio.property_info", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
+ { &hf_declaration_order,
+ { "Declaration Order", "wmio.declaration_order", FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }},
+ { &hf_propertyinfo_inherited,
+ { "Inherited", "wmio.propertytype.inherited", FT_BOOLEAN, 32, NULL, INHERITED_PROPERTY_TYPE, NULL, HFILL }},
+ { &hf_propertyinfo_valuetableoffset,
+ { "ValueTable Offset", "wmio.propertytype.valuetableoffset", FT_UINT32, BASE_HEX_DEC, NULL, 0x0, NULL, HFILL }},
+ { &hf_propertyinfo_classoforigin,
+ { "ClassOfOrigin", "wmio.propertytype.classoforigin", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
+ { &hf_methodsignature_offset,
+ { "Methodsignature Offset", "wmio.methodsignature.offset", FT_UINT32, BASE_HEX_DEC, NULL, 0x0, NULL, HFILL }},
+};
+
+static int * const wmio_object_flags[] = {
+ &hf_wmio_object_flags_cim_class,
+ &hf_wmio_object_flags_cim_instance,
+ &hf_wmio_object_flags_has_decoration,
+ &hf_wmio_object_flags_prototype_result_object,
+ &hf_wmio_object_flags_key_property_missing,
+ NULL
+};
+
+static int * const wmio_flavor[] = {
+ &hf_wmio_flavor_propagate_to_instance,
+ &hf_wmio_flavor_propagate_to_derived_class,
+ &hf_wmio_flavor_not_overridable,
+ &hf_wmio_flavor_origin_propagated,
+ &hf_wmio_flavor_origin_system,
+ &hf_wmio_flavor_amended,
+ NULL
+};
+
+static int * const wmio_encoded_string_flags[] = {
+ &hf_wmio_encoded_string_flags_unicode,
+ NULL
+};
+
+static gint ett_wmio;
+static gint ett_wmio_object_flags;
+static gint ett_wmio_encoded_string;
+static gint ett_wmio_encoded_string_flags;
+static gint ett_wmio_class_part;
+static gint ett_wmio_class_header;
+static gint ett_wmio_decoration;
+static gint ett_wmio_class_derivation;
+static gint ett_wmio_qualifierset;
+static gint ett_wmio_qualifier;
+static gint ett_wmio_flavor;
+static gint ett_wmio_propertylookuptable;
+static gint ett_wmio_propertylookup;
+static gint ett_wmio_heap;
+static gint ett_methodspart;
+static gint ett_parentclass;
+static gint ett_currentclass;
+static gint ett_methodspart_methods;
+static gint ett_methodspart_methoddescription;
+static gint ett_methodsignature;
+static gint ett_property_info;
+
+/* Tree */
+static gint *ett[] = {
+ &ett_wmio,
+ &ett_wmio_object_flags,
+ &ett_wmio_encoded_string,
+ &ett_wmio_encoded_string_flags,
+ &ett_wmio_class_part,
+ &ett_wmio_class_header,
+ &ett_wmio_decoration,
+ &ett_wmio_class_derivation,
+ &ett_wmio_qualifierset,
+ &ett_wmio_qualifier,
+ &ett_wmio_flavor,
+ &ett_wmio_propertylookuptable,
+ &ett_wmio_propertylookup,
+ &ett_wmio_heap,
+ &ett_methodspart,
+ &ett_methodspart_methods,
+ &ett_methodspart_methoddescription,
+ &ett_methodsignature,
+ &ett_parentclass,
+ &ett_currentclass,
+ &ett_property_info,
+};
+
+static int dissect_wmio_objectblock(tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree);
+static int dissect_wmio_object_decoration(tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree);
+static int dissect_wmio_encoded_string(tvbuff_t *tvb, gint offset, int hfindex, packet_info *pinfo, proto_tree *tree, gboolean withlength, gint heapoffset);
+static int dissect_wmio_encoding_classtype(tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree);
+static int dissect_wmio_encoding_classandmethodspart(tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree, int hf_index, gint ett, bool methods);
+static int dissect_wmio_encoding_classpart(tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree);
+static int dissect_wmio_encoding_classheader(tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree, guint32 *pPartlength, guint32 *pNdLength, gint classheapoffset);
+static int dissect_wmio_encoding_methodpart(tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree);
+static int dissect_wmio_encoding_methodpart_methods(tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree, guint32 methodscount, gint methodsheapoffset);
+static int dissect_wmio_encoding_methodpart_methoddescription(tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree, gint methodsheapoffset);
+static int dissect_wmio_encoding_derivationlist(tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree);
+static int dissect_wmio_encoding_qualifierset(tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *parent_tree, gint classheapoffset);
+
+/* DictionaryReference
+ * https://learn.microsoft.com/de-de/openspecs/windows_protocols/ms-wmio/40adf451-f5bc-4b0a-ab97-d620bb638470
+ */
+const gchar* stringDictionary[] =
+ { "'"
+ , "key"
+ , ""
+ , "read"
+ , "write"
+ , "volatile"
+ , "provider"
+ , "dynamic"
+ , "cimwin32"
+ , "DWORD"
+ , "CIMTYPE"
+ };
+
+/* Encoded-String
+ * https://learn.microsoft.com/de-de/openspecs/windows_protocols/ms-wmio/2f3afcf6-169e-41ff-80c2-367f2f74285b
+ * Encoded-String = Encoded-String-Flag *Character Null
+ * Encoded-String-Flag = OCTET
+ * Character = AnsiCharacter / UnicodeCharacter
+ * Null = Character
+ * AnsiCharacter = OCTET
+ * UnicodeCharacter = 2OCTET
+ */
+static int
+dissect_wmio_encoded_string(tvbuff_t *tvb, gint offset, int hfindex, packet_info *pinfo,
+ proto_tree *tree, gboolean withlength, gint heapoffset)
+{
+ proto_item *sub_item;
+ proto_tree *sub_tree;
+ gint old_offset = offset;
+ int fn_len = 0;
+ header_field_info *hfinfo;
+ char *s= NULL;
+ guint32 foffset = 0;
+
+ /* Make sure this really is a string field. */
+ hfinfo = proto_registrar_get_nth(hfindex);
+ DISSECTOR_ASSERT_FIELD_TYPE(hfinfo, FT_STRINGZ);
+
+ if(heapoffset > 0){
+ /* HeapRef
+ * https://learn.microsoft.com/de-de/openspecs/windows_protocols/ms-wmio/f9d22d98-ed26-45d7-8792-aa0f210cffb2
+ * HeapRef is a reference to any HeapItem and is expressed in 31 bits. If the HeapItem referred to is a string,
+ * and the most significant bit of the 32-bit HeapStringRef value is set, the reference is actually to an implied
+ * dictionary-based string entry and does not point to a literal Encoded-String within the Heap.
+ */
+ foffset = tvb_get_guint32(tvb, offset, ENC_LITTLE_ENDIAN);
+
+ if (foffset < 0x80000000){
+ offset = heapoffset + foffset;
+ }
+ }
+
+ sub_item = proto_tree_add_item(tree, hf_wmio_encoded_string, tvb, offset, -1, ENC_NA);
+ sub_tree = proto_item_add_subtree(sub_item, ett_wmio_encoded_string);
+
+ if((heapoffset > 0) && (foffset >= 0x80000000)){
+ proto_tree_add_item(sub_tree, hf_heap_offset, tvb, old_offset, 4, ENC_LITTLE_ENDIAN);
+ /* https://learn.microsoft.com/de-de/openspecs/windows_protocols/ms-wmio/f9d22d98-ed26-45d7-8792-aa0f210cffb2
+ * If the value of HeapRef is 0xFFFFFFFF, then HeapItem is not present and MUST be considered NULL.
+ */
+ if(foffset == 0xFFFFFFFF){
+ /* NULL String */
+ proto_item_set_text(sub_tree, "%s: %s", proto_registrar_get_name(hfindex), "NULL");
+ proto_item_set_len(sub_item, 4);
+ } else {
+ if (foffset & 0x80000000){
+ foffset = 0x7FFFFFFF & foffset;
+ if (foffset < (sizeof(stringDictionary)/sizeof(stringDictionary[0]))){
+ proto_item_set_text(sub_tree, "%s: %s", proto_registrar_get_name(hfindex), stringDictionary[foffset]);
+ } else {
+ proto_item_set_text(sub_tree, "%s: Unknown Index %d", proto_registrar_get_name(hfindex), hfindex);
+ }
+ proto_item_set_len(sub_item, 4);
+ }
+ }
+ } else {
+ guint64 encoded_string_flags;
+
+ if(heapoffset > 0){
+ proto_tree_add_item(sub_tree, hf_heap_offset, tvb, old_offset, 4, ENC_LITTLE_ENDIAN);
+ }
+
+ old_offset = offset;
+
+ proto_tree_add_bitmask_ret_uint64(sub_tree, tvb, offset, hf_wmio_encoded_string_flags, ett_wmio_encoded_string_flags, wmio_encoded_string_flags, ENC_NA, &encoded_string_flags);
+ offset++;
+
+ if (encoded_string_flags == 0){
+ /* ASCII */
+ proto_tree_add_item_ret_length(sub_tree, hfindex, tvb, offset, -1, ENC_ASCII, &fn_len);
+ s = tvb_get_string_enc(pinfo->pool, tvb, offset, fn_len, ENC_ASCII);
+ } else if (encoded_string_flags == 1){
+ /* UNICODE */
+ proto_tree_add_item_ret_length(sub_tree, hfindex, tvb, offset, -1, ENC_UTF_16|ENC_LITTLE_ENDIAN, &fn_len);
+ s = tvb_get_string_enc(pinfo->pool, tvb, offset, fn_len, ENC_UTF_16);
+ }
+ offset += fn_len;
+
+ proto_item_set_text(sub_tree, "%s: %s", proto_registrar_get_name(hfindex), s);
+
+ if(withlength){
+ proto_tree_add_item(sub_tree, hf_wmio_class_name_length, tvb, offset, 4, ENC_LITTLE_ENDIAN);
+ offset += 4;
+ }
+ proto_item_set_len(sub_item, offset-old_offset);
+ }
+ return offset;
+}
+
+/* ObjectBlock
+ * https://learn.microsoft.com/de-de/openspecs/windows_protocols/ms-wmio/4e74c9f9-4a47-4111-9e67-6476c896b7fb
+ * ObjectBlock = ObjectFlags [Decoration] Encoding
+ */
+static int
+dissect_wmio_objectblock(tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree)
+{
+ gint8 flags = tvb_get_guint8(tvb, offset);
+
+ proto_tree_add_bitmask(tree, tvb, offset, hf_wmio_object_flags,
+ ett_wmio_object_flags, wmio_object_flags, ENC_NA);
+ offset+=1;
+
+ if (WMIO_OBJECT_FLAG_HAS_DECORATION & flags){
+ offset = dissect_wmio_object_decoration(tvb, offset, pinfo, tree);
+ }
+
+ if (WMIO_OBJECT_FLAG_CIM_CLASS & flags){
+ offset = dissect_wmio_encoding_classtype(tvb, offset, pinfo, tree);
+ }
+
+ return offset;
+}
+
+/* Decoration = DecServerName DecNamespaceName
+ * https://learn.microsoft.com/de-de/openspecs/windows_protocols/ms-wmio/0650ad93-88fa-49e9-aebc-e4462e4a7786
+ * Decoration = DecServerName DecNamespaceName
+ */
+static int
+dissect_wmio_object_decoration(tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *parent_tree)
+{
+ proto_item *item = NULL;
+ proto_tree *tree = NULL;
+ gint old_offset = offset;
+
+ item = proto_tree_add_item(parent_tree, hf_wmio_decoration, tvb, offset, -1, ENC_NA);
+ tree = proto_item_add_subtree(item, ett_wmio_decoration);
+
+ offset = dissect_wmio_encoded_string(tvb, offset, hf_wmio_decoration_server_name, pinfo, tree, FALSE, 0);
+ offset = dissect_wmio_encoded_string(tvb, offset, hf_wmio_decoration_namespace, pinfo, tree, FALSE, 0);
+
+ proto_item_set_len(item, offset-old_offset);
+
+ return offset;
+}
+
+static int
+dissect_wmio_encoding_classtype(tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree)
+{
+ // ParentClass
+ offset = dissect_wmio_encoding_classandmethodspart(tvb, offset, pinfo, tree, hf_parentclass, ett_parentclass, true);
+
+ // CurrentClass
+ offset = dissect_wmio_encoding_classandmethodspart(tvb, offset, pinfo, tree, hf_currentclass, ett_currentclass, true);
+
+ return offset;
+}
+
+/* ClassAndMethodsPart = ClassPart [MethodsPart]
+ * https://learn.microsoft.com/de-de/openspecs/windows_protocols/ms-wmio/35589520-cee8-4bb1-b09e-bb009d1d1b88
+ * ClassAndMethodsPart = ClassPart [MethodsPart]
+ */
+static int
+dissect_wmio_encoding_classandmethodspart(tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *parent_tree, int hf_index, gint ett_id, bool methods)
+{
+ proto_item *item = NULL;
+ proto_tree *tree = NULL;
+ gint old_offset = offset;
+
+ item = proto_tree_add_item(parent_tree, hf_index, tvb, offset, -1, ENC_NA);
+ tree = proto_item_add_subtree(item, ett_id);
+
+ offset = dissect_wmio_encoding_classpart(tvb, offset, pinfo, tree);
+ if (methods){
+ offset = dissect_wmio_encoding_methodpart(tvb, offset, pinfo, tree);
+ }
+
+ proto_item_set_len(item, offset-old_offset);
+ return offset;
+}
+
+/* Qualifier
+ * https://learn.microsoft.com/de-de/openspecs/windows_protocols/ms-wmio/f4c4ec0a-e38b-4591-8111-cbb03cc405c2
+ * Qualifier = QualifierName QualifierFlavor QualifierType QualifierValue
+ */
+static int
+dissect_wmio_qualifier(tvbuff_t *tvb, gint offset, packet_info *pinfo,
+ proto_tree *parent_tree, gint classheapoffset)
+{
+ proto_item *item = NULL;
+ proto_tree *tree = NULL;
+ gint old_offset = offset;
+
+ item = proto_tree_add_item(parent_tree, hf_wmio_qualifier, tvb, offset, -1, ENC_NA);
+ tree = proto_item_add_subtree(item, ett_wmio_qualifier);
+
+ dissect_wmio_encoded_string(tvb, offset, hf_wmio_qualifiername, pinfo, tree, FALSE, classheapoffset);
+ offset+= 4;
+
+ proto_tree_add_bitmask(tree, tvb, offset, hf_wmio_flavor, ett_wmio_flavor, wmio_flavor, ENC_NA);
+ offset+= 1;
+
+ // QualifierType = CimType
+ // CimType is a 32-bit value
+ gint32 cimType = tvb_get_guint32(tvb, offset, ENC_LITTLE_ENDIAN);
+ proto_tree_add_item(tree, hf_wmio_cimtype, tvb, offset, 4, ENC_LITTLE_ENDIAN);
+ offset+= 4;
+
+ // QualifierValue = EncodedValue
+ if (cimType & CIM_ARRAY_FLAG){
+ guint32 array_count = tvb_get_guint32(tvb, offset, ENC_LITTLE_ENDIAN);
+ offset += 4;
+
+ // CimArrayType
+ switch(cimType){
+ case CIM_ARRAY_SINT8:
+ offset += array_count;
+ break;
+ case CIM_ARRAY_UINT8:
+ offset += array_count;
+ break;
+ case CIM_ARRAY_SINT16:
+ offset += (sizeof(gint16) * array_count);
+ break;
+ case CIM_ARRAY_UINT16:
+ offset += (sizeof(guint16) * array_count);
+ break;
+ case CIM_ARRAY_SINT32:
+ offset += (sizeof(gint32) * array_count);
+ break;
+ case CIM_ARRAY_UINT32:
+ offset += (sizeof(guint32) * array_count);
+ break;
+ case CIM_ARRAY_SINT64:
+ offset += (sizeof(gint64) * array_count);
+ break;
+ case CIM_ARRAY_UINT64:
+ offset += (sizeof(guint64) * array_count);
+ break;
+ case CIM_ARRAY_REAL32:
+ offset += (sizeof(gint32) * array_count);
+ break;
+ case CIM_ARRAY_REAL64:
+ offset += (sizeof(gint64) * array_count);
+ break;
+ case CIM_ARRAY_BOOLEAN:
+ offset += (2 * array_count);
+ break;
+ case CIM_ARRAY_STRING:
+ case CIM_ARRAY_DATETIME:
+ case CIM_ARRAY_REFERENCE:
+ // TODO
+ break;
+ case CIM_ARRAY_CHAR16:
+ offset += (sizeof(gint16) * array_count);
+ break;
+ case CIM_ARRAY_OBJECT:
+ {
+ guint32 i = 0;
+ while (i < array_count){
+ gint32 objEncLength = tvb_get_guint32(tvb, offset, ENC_LITTLE_ENDIAN);
+ offset += objEncLength;
+ }
+ break;
+ }
+ default:
+ break;
+ }
+ } else {
+ // CimBaseType
+ switch(cimType){
+ case CIM_TYPE_SINT8:
+ {
+ proto_item *vitem = proto_tree_add_item(tree, hf_wmio_qualifiervalue, tvb, offset, -1, ENC_ASCII);
+ proto_item_set_text(vitem, "%s: %d", proto_registrar_get_name(hf_wmio_qualifiervalue), tvb_get_gint8(tvb, offset));
+ proto_item_set_len(vitem, 1);
+ offset+= 1;
+ }
+ break;
+ case CIM_TYPE_UINT8:
+ {
+ proto_item *vitem = proto_tree_add_item(tree, hf_wmio_qualifiervalue, tvb, offset, -1, ENC_ASCII);
+ proto_item_set_text(vitem, "%s: %u", proto_registrar_get_name(hf_wmio_qualifiervalue), tvb_get_gint8(tvb, offset));
+ proto_item_set_len(vitem, 1);
+ offset+= 1;
+ }
+ break;
+ case CIM_TYPE_SINT16:
+ case CIM_TYPE_CHAR16:
+ {
+ proto_item *vitem = proto_tree_add_item(tree, hf_wmio_qualifiervalue, tvb, offset, -1, ENC_ASCII);
+ proto_item_set_text(vitem, "%s: %d", proto_registrar_get_name(hf_wmio_qualifiervalue), tvb_get_gint16(tvb, offset, ENC_LITTLE_ENDIAN));
+ proto_item_set_len(vitem, 2);
+ offset+= 2;
+ }
+ break;
+ case CIM_TYPE_UINT16:
+ {
+ proto_item *vitem = proto_tree_add_item(tree, hf_wmio_qualifiervalue, tvb, offset, -1, ENC_ASCII);
+ proto_item_set_text(tree, "%s: %u", proto_registrar_get_name(hf_wmio_qualifiervalue), tvb_get_guint16(tvb, offset, ENC_LITTLE_ENDIAN));
+ proto_item_set_len(vitem, 2);
+ offset+= 2;
+ }
+ break;
+ case CIM_TYPE_SINT32:
+ {
+ proto_item *vitem = proto_tree_add_item(tree, hf_wmio_qualifiervalue, tvb, offset, -1, ENC_ASCII);
+ proto_item_set_text(vitem, "%s: %d", proto_registrar_get_name(hf_wmio_qualifiervalue), tvb_get_gint32(tvb, offset, ENC_LITTLE_ENDIAN));
+ proto_item_set_len(vitem, 4);
+ offset+= 4;
+ }
+ break;
+ case CIM_TYPE_UINT32:
+ {
+ proto_item *vitem = proto_tree_add_item(tree, hf_wmio_qualifiervalue, tvb, offset, -1, ENC_ASCII);
+ proto_item_set_text(vitem, "%s: %u", proto_registrar_get_name(hf_wmio_qualifiervalue), tvb_get_guint32(tvb, offset, ENC_LITTLE_ENDIAN));
+ proto_item_set_len(vitem, 4);
+ offset+= 4;
+ }
+ break;
+ case CIM_TYPE_SINT64:
+ {
+ proto_item *vitem = proto_tree_add_item(tree, hf_wmio_qualifiervalue, tvb, offset, -1, ENC_ASCII);
+ proto_item_set_text(vitem, "%s: %" PRIi64, proto_registrar_get_name(hf_wmio_qualifiervalue), tvb_get_gint64(tvb, offset, ENC_LITTLE_ENDIAN));
+ proto_item_set_len(vitem, 8);
+ offset+= 8;
+ }
+ break;
+ case CIM_TYPE_UINT64:
+ {
+ proto_item *vitem = proto_tree_add_item(tree, hf_wmio_qualifiervalue, tvb, offset, -1, ENC_ASCII);
+ proto_item_set_text(vitem, "%s: %" PRIu64, proto_registrar_get_name(hf_wmio_qualifiervalue), tvb_get_guint64(tvb, offset, ENC_LITTLE_ENDIAN));
+ proto_item_set_len(vitem, 8);
+ offset+= 8;
+ }
+ break;
+ case CIM_TYPE_REAL32:
+ {
+ proto_item *vitem = proto_tree_add_item(tree, hf_wmio_qualifiervalue, tvb, offset, -1, ENC_ASCII);
+ proto_item_set_text(vitem, "%s: %f", proto_registrar_get_name(hf_wmio_qualifiervalue), tvb_get_ieee_float(tvb, offset, ENC_LITTLE_ENDIAN));
+ proto_item_set_len(vitem, 4);
+ offset+= 4;
+ }
+ break;
+ case CIM_TYPE_REAL64:
+ {
+ proto_item *vitem = proto_tree_add_item(tree, hf_wmio_qualifiervalue, tvb, offset, -1, ENC_ASCII);
+ proto_item_set_text(vitem, "%s: %lf", proto_registrar_get_name(hf_wmio_qualifiervalue), tvb_get_ieee_double(tvb, offset, ENC_LITTLE_ENDIAN));
+ proto_item_set_len(vitem, 8);
+ offset+= 8;
+ }
+ break;
+ case CIM_TYPE_BOOLEAN:
+ {
+ proto_item *vitem = proto_tree_add_item(tree, hf_wmio_qualifiervalue, tvb, offset, -1, ENC_ASCII);
+ proto_item_set_text(vitem, "%s: %s", proto_registrar_get_name(hf_wmio_qualifiervalue), 0 != tvb_get_guint16(tvb, offset, ENC_LITTLE_ENDIAN) ? "TRUE" : "FALSE");
+ proto_item_set_len(vitem, 2);
+ offset+= 2;
+ }
+ break;
+ case CIM_TYPE_STRING:
+ case CIM_TYPE_DATETIME:
+ case CIM_TYPE_REFERENCE:
+ dissect_wmio_encoded_string(tvb, offset, hf_wmio_qualifiervalue, pinfo, tree, FALSE, classheapoffset);
+ offset+= 4;
+ break;
+ case CIM_TYPE_OBJECT:
+ {
+ gint32 objEncLength = tvb_get_guint32(tvb, offset, ENC_LITTLE_ENDIAN);
+ offset += objEncLength;
+ }
+ break;
+ default:
+ break;
+ }
+ }
+
+ proto_item_set_len(item, offset - old_offset);
+
+ return offset;
+}
+
+/* QualifierSet
+ * https://learn.microsoft.com/de-de/openspecs/windows_protocols/ms-wmio/224c7463-01df-4e09-bd71-650ec0b8adaf
+ * QualifierSet = EncodingLength *Qualifier
+ */
+static int
+dissect_wmio_encoding_qualifierset(tvbuff_t *tvb, gint offset, packet_info *pinfo,
+ proto_tree *parent_tree, gint classheapoffset)
+{
+ proto_item *item = NULL;
+ proto_tree *tree = NULL;
+ gint old_offset = offset;
+ guint32 length;
+
+ item = proto_tree_add_item(parent_tree, hf_wmio_qualifierset, tvb, offset, -1, ENC_NA);
+ tree = proto_item_add_subtree(item, ett_wmio_qualifierset);
+
+ proto_tree_add_item_ret_uint(tree, hf_wmio_qualifierset_length, tvb, offset, 4, ENC_LITTLE_ENDIAN, &length);
+ offset += 4;
+
+ while((guint32)offset < (old_offset + length)){
+ offset = dissect_wmio_qualifier(tvb, offset, pinfo, tree, classheapoffset);
+ }
+
+ proto_item_set_len(item, offset - old_offset);
+
+ return old_offset+length;
+}
+
+/* PropertyInfo
+ * https://learn.microsoft.com/de-de/openspecs/windows_protocols/ms-wmio/563356b2-7bc7-4016-a88b-6685d3e09b59
+ * PropertyInfo = PropertyType DeclarationOrder ValueTableOffset ClassOfOrigin PropertyQualifierSet
+ */
+static void
+dissect_wmio_encoding_propertyinfo(tvbuff_t *tvb, gint offset, packet_info *pinfo,
+ proto_tree *parent_tree, gint classheapoffset)
+{
+ proto_item *item = NULL;
+ proto_tree *tree = NULL;
+ guint32 propertyinfo_offset;
+ gint old_offset = 0;
+
+ item = proto_tree_add_item(parent_tree, hf_property_info, tvb, offset, -1, ENC_NA);
+ tree = proto_item_add_subtree(item, ett_property_info);
+
+ proto_tree_add_item_ret_uint(tree, hf_wmio_propertyinforef, tvb, offset, 4, ENC_LITTLE_ENDIAN, &propertyinfo_offset);
+
+ offset = classheapoffset + propertyinfo_offset;
+ old_offset = offset;
+
+ gint32 propType = tvb_get_guint32(tvb, offset, ENC_LITTLE_ENDIAN);
+ proto_tree_add_uint(tree, hf_wmio_cimtype, tvb, offset, 4, propType & 0x3FFF);
+ proto_tree_add_boolean(tree, hf_propertyinfo_inherited, tvb, offset, 4, propType);
+ offset += 4;
+
+ proto_tree_add_item(tree, hf_declaration_order, tvb, offset, 2, ENC_LITTLE_ENDIAN);
+ offset += 2;
+
+ proto_tree_add_item(tree, hf_propertyinfo_valuetableoffset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
+ offset += 4;
+
+ proto_tree_add_item(tree, hf_propertyinfo_classoforigin, tvb, offset, 4, ENC_LITTLE_ENDIAN);
+ offset += 4;
+
+ offset = dissect_wmio_encoding_qualifierset(tvb, offset, pinfo, tree, classheapoffset);
+
+ proto_item_set_len(item, offset - old_offset);
+}
+
+/* PropertyLookup
+ * https://learn.microsoft.com/de-de/openspecs/windows_protocols/ms-wmio/e401de4a-58fa-423b-89e0-4b832a99d0e9
+ * PropertyLookup = PropertyNameRef PropertyInfoRef
+ */
+static int
+dissect_wmio_encoding_propertylookup(tvbuff_t *tvb, gint offset, packet_info *pinfo,
+ proto_tree *parent_tree, gint classheapoffset)
+{
+ proto_item *item = NULL;
+ proto_tree *tree = NULL;
+ gint old_offset = offset;
+
+ item = proto_tree_add_item(parent_tree, hf_wmio_propertylookup, tvb, offset, -1, ENC_NA);
+ tree = proto_item_add_subtree(item, ett_wmio_propertylookup);
+
+ dissect_wmio_encoded_string(tvb, offset, hf_wmio_propertynameref, pinfo, tree, FALSE, classheapoffset);
+ offset += 4;
+
+
+ dissect_wmio_encoding_propertyinfo(tvb, offset, pinfo, tree, classheapoffset);
+ offset += 4;
+
+ proto_item_set_len(item, offset - old_offset);
+
+ return offset;
+}
+
+/* PropertyLookupTable
+ * https://learn.microsoft.com/de-de/openspecs/windows_protocols/ms-wmio/d4927ca8-b358-48eb-8879-a57ea4f090c3
+ * PropertyLookupTable = PropertyCount *PropertyLookup
+ */
+static int
+dissect_wmio_encoding_propertylookuptable(tvbuff_t *tvb, gint offset, packet_info *pinfo,
+ proto_tree *parent_tree, guint32 *property_count, gint classheapoffset)
+{
+ proto_item *item = NULL;
+ proto_tree *tree = NULL;
+ gint old_offset = offset;
+ guint32 count;
+
+ item = proto_tree_add_item(parent_tree, hf_wmio_propertylookuptable, tvb, offset, -1, ENC_NA);
+ tree = proto_item_add_subtree(item, ett_wmio_propertylookuptable);
+
+ // PropertyCount
+ proto_tree_add_item_ret_uint(tree, hf_wmio_propertylookuptable_count, tvb, offset, 4, ENC_LITTLE_ENDIAN, &count);
+ offset += 4;
+
+ for(guint32 i = 0; i < count; ++i){
+ offset = dissect_wmio_encoding_propertylookup(tvb, offset, pinfo, tree, classheapoffset);
+ }
+
+ *property_count = count;
+
+ proto_item_set_len(item, offset - old_offset);
+
+ return offset;
+}
+
+/* ClassPart
+ * https://learn.microsoft.com/de-de/openspecs/windows_protocols/ms-wmio/06ec93f3-b4df-4f7e-b2ba-090cd435becc
+ * ClassPart = ClassHeader DerivationList ClassQualifierSet PropertyLookupTable [NdTable ValueTable] ClassHeap
+ */
+static int
+dissect_wmio_encoding_classpart(tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *parent_tree)
+{
+ proto_item *item = NULL;
+ proto_tree *tree = NULL;
+ gint old_offset = offset;
+ gint classheapoffset = 0;
+
+ guint32 partlength, ndLength;
+ guint32 property_count;
+
+ item = proto_tree_add_item(parent_tree, hf_wmio_class_part, tvb, offset, -1, ENC_NA);
+ tree = proto_item_add_subtree(item, ett_wmio_class_part);
+
+ {
+ /* Jump through the various structures to find the heap offset. */
+ guint32 derivationListLength = tvb_get_guint32(tvb, offset + CLASS_HEADER_LENGTH, ENC_LITTLE_ENDIAN);
+ guint32 classQualifierSetLength = tvb_get_guint32(tvb, offset + CLASS_HEADER_LENGTH + derivationListLength, ENC_LITTLE_ENDIAN);
+ guint32 propertyLookupTableLength = 4 + 8 * tvb_get_guint32(tvb, offset + CLASS_HEADER_LENGTH + derivationListLength + classQualifierSetLength, ENC_LITTLE_ENDIAN);
+ guint32 ndTableLength = tvb_get_guint32(tvb, offset + (CLASS_HEADER_LENGTH - 4), ENC_LITTLE_ENDIAN);
+
+ classheapoffset = offset /* Starting offset */
+ + CLASS_HEADER_LENGTH /* ClassHeader */
+ + derivationListLength /* DerivationList */
+ + classQualifierSetLength /* ClassQualifierSet */
+ + propertyLookupTableLength /* PropertyLookupTable */
+ + ndTableLength; /* NdTable */
+ }
+
+ offset = dissect_wmio_encoding_classheader(tvb, offset, pinfo, tree, &partlength, &ndLength, classheapoffset+4);
+ offset = dissect_wmio_encoding_derivationlist(tvb, offset, pinfo, tree);
+ offset = dissect_wmio_encoding_qualifierset(tvb, offset, pinfo, tree,classheapoffset+4);
+ offset = dissect_wmio_encoding_propertylookuptable(tvb, offset, pinfo, tree, &property_count, classheapoffset+4);
+
+ if(ndLength > 0){
+ proto_tree_add_item(tree, hf_wmio_ndtable, tvb, offset, ndLength, ENC_NA);
+ offset += ndLength;
+ }
+
+ {
+ proto_item *heapitem = NULL;
+ proto_tree *heaptree = NULL;
+
+ heapitem = proto_tree_add_item(tree, hf_wmio_heap, tvb, offset, -1, ENC_NA);
+ heaptree = proto_item_add_subtree(heapitem, ett_wmio_heap);
+
+ gint32 heaplength = 0x7FFFFFFF & tvb_get_guint32(tvb, offset, ENC_LITTLE_ENDIAN);
+
+ proto_tree_add_uint(heaptree, hf_wmio_heap_length, tvb, offset, 4, heaplength);
+
+ proto_item_set_len(heapitem, heaplength);
+ }
+
+ proto_item_set_len(item, partlength);
+
+ return old_offset + partlength;
+}
+
+/* ClassHeader
+ * https://learn.microsoft.com/de-de/openspecs/windows_protocols/ms-wmio/b179b579-9585-47b8-bef8-8fdca9f5a94d
+ * ClassHeader = EncodingLength ReservedOctet ClassNameRef NdTableValueTableLength
+ */
+static int
+dissect_wmio_encoding_classheader(tvbuff_t *tvb, gint offset, packet_info *pinfo,
+ proto_tree *parent_tree, guint32 *pPartlength, guint32 *pNdLength, gint classheapoffset)
+{
+ proto_item *item = NULL;
+ proto_tree *tree = NULL;
+ gint old_offset = offset;
+
+ guint32 partlength, length;
+
+ item = proto_tree_add_item(parent_tree, hf_wmio_class_header, tvb, offset, -1, ENC_NA);
+ tree = proto_item_add_subtree(item, ett_wmio_class_header);
+
+ proto_tree_add_item_ret_uint(tree, hf_wmio_class_header_partlength, tvb, offset, 4, ENC_LITTLE_ENDIAN, &partlength);
+ offset+= 4;
+ *pPartlength = partlength;
+
+ // ReservedOctet
+ offset+= 1;
+
+ dissect_wmio_encoded_string(tvb, offset, hf_wmio_class_header_nameref, pinfo, tree, FALSE, classheapoffset);
+ offset+= 4;
+
+ proto_tree_add_item_ret_uint(tree, hf_wmio_class_header_ndtablevaluetablelength, tvb, offset, 4, ENC_LITTLE_ENDIAN, &length);
+ offset+= 4;
+ *pNdLength = length;
+
+ proto_item_set_len(item, offset-old_offset);
+
+ return offset;
+}
+
+/* DerivationList
+ * https://learn.microsoft.com/de-de/openspecs/windows_protocols/ms-wmio/3bfbcac6-318c-4b0a-ab87-13bfbc86f36f
+ * DerivationList = EncodingLength *ClassNameEncoding
+ */
+static int
+dissect_wmio_encoding_derivationlist(tvbuff_t *tvb, gint offset, packet_info *pinfo,
+ proto_tree *parent_tree)
+{
+ proto_item *item = NULL;
+ proto_tree *tree = NULL;
+ gint old_offset = offset;
+
+ guint32 length;
+
+ item = proto_tree_add_item(parent_tree, hf_wmio_class_derivation, tvb, offset, -1, ENC_NA);
+ tree = proto_item_add_subtree(item, ett_wmio_class_derivation);
+
+ proto_tree_add_item_ret_uint(tree, hf_wmio_class_derivation_length, tvb, offset, 4, ENC_LITTLE_ENDIAN, &length);
+ offset+= 4;
+
+ while((guint32)offset < (old_offset + length)){
+ offset = dissect_wmio_encoded_string(tvb, offset, hf_wmio_derivation_classname, pinfo, tree, TRUE, 0);
+ }
+
+ proto_item_set_len(item, length);
+
+ return offset;
+}
+
+/* MethodSignature
+ * https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wmio/a9d7c0d1-f99a-4762-b460-e881a8c7d566
+ * MethodSignature = HeapMethodSignatureBlockRef
+ */
+static void
+dissect_wmio_encoding_methodsignature(tvbuff_t *tvb, gint offset, packet_info *pinfo,
+ proto_tree *parent_tree, int hfindex, gint methodsheapoffset)
+{
+ proto_item *item = NULL;
+ proto_tree *tree = NULL;
+ gint old_offset = 0;
+
+ gint32 signatureHeapOffset = tvb_get_guint32(tvb, offset, ENC_LITTLE_ENDIAN);
+
+ old_offset = methodsheapoffset + signatureHeapOffset;
+
+ item = proto_tree_add_item(parent_tree, hfindex, tvb, old_offset, -1, ENC_NA);
+ tree = proto_item_add_subtree(item, ett_methodsignature);
+
+ proto_tree_add_item(tree, hf_methodsignature_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
+
+ offset = old_offset;
+
+ proto_tree_add_item(tree, hf_wmio_objectencodinglength, tvb, offset, 4, ENC_LITTLE_ENDIAN);
+ offset+= 4;
+
+ offset = dissect_wmio_objectblock(tvb, offset, pinfo, tree);
+
+ proto_item_set_len(item, offset - old_offset);
+}
+
+/* MethodDescription
+ * https://learn.microsoft.com/de-de/openspecs/windows_protocols/ms-wmio/8c81e4fa-634a-469f-8434-4ef87f2f256e
+ * MethodDescription = MethodName MethodFlags MethodPadding MethodOrigin MethodQualifiers InputSignature OutputSignature
+ */
+static int
+dissect_wmio_encoding_methodpart_methoddescription(tvbuff_t *tvb, gint offset, packet_info *pinfo,
+ proto_tree *parent_tree, gint methodsheapoffset)
+{
+ proto_item *item = NULL;
+ proto_tree *tree = NULL;
+ gint old_offset = offset;
+
+ item = proto_tree_add_item(parent_tree, hf_methodspart_methoddescription, tvb, offset, -1, ENC_NA);
+ tree = proto_item_add_subtree(item, ett_methodspart_methoddescription);
+
+ dissect_wmio_encoded_string(tvb, offset, hf_methoddescription_methodname, pinfo, tree, FALSE, methodsheapoffset);
+ offset+= 4;
+
+ proto_tree_add_item(tree, hf_methoddescription_methodflags, tvb, offset, 1, ENC_LITTLE_ENDIAN);
+ offset+= 1;
+
+ // MethodPadding
+ offset+= 3;
+
+ proto_tree_add_item(tree, hf_methoddescription_methodorigin, tvb, offset, 4, ENC_LITTLE_ENDIAN);
+ offset+= 4;
+
+ proto_tree_add_item(tree, hf_methoddescription_methodqualifiers, tvb, offset, 4, ENC_LITTLE_ENDIAN);
+ offset+= 4;
+
+ dissect_wmio_encoding_methodsignature(tvb, offset, pinfo, tree, hf_methoddescription_inputsignature, methodsheapoffset);
+ offset+= 4;
+
+ dissect_wmio_encoding_methodsignature(tvb, offset, pinfo, tree, hf_methoddescription_outputsignature, methodsheapoffset);
+ offset+= 4;
+
+ proto_item_set_len(item, offset - old_offset);
+
+ return offset;
+}
+
+static int
+dissect_wmio_encoding_methodpart_methods(tvbuff_t *tvb, gint offset, packet_info *pinfo,
+ proto_tree *parent_tree, guint32 methodscount, gint methodsheapoffset)
+{
+ proto_item *item = NULL;
+ proto_tree *tree = NULL;
+ gint old_offset = offset;
+
+ item = proto_tree_add_item(parent_tree, hf_methodspart_methods, tvb, offset, -1, ENC_NA);
+ tree = proto_item_add_subtree(item, ett_methodspart_methods);
+
+ for(guint32 methodi = 0; methodi < methodscount; ++methodi){
+ offset = dissect_wmio_encoding_methodpart_methoddescription(tvb, offset, pinfo, tree, methodsheapoffset);
+ }
+
+ proto_item_set_len(item, offset - old_offset);
+ return offset;
+}
+
+/* MethodsPart
+ * https://learn.microsoft.com/de-de/openspecs/windows_protocols/ms-wmio/e00d7c6c-fa1e-4b1d-85c5-5a91a5d71299
+ * MethodsPart = EncodingLength MethodCount MethodCountPadding *MethodDescription MethodHeap
+ */
+static int
+dissect_wmio_encoding_methodpart(tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *parent_tree)
+{
+ proto_item *item = NULL;
+ proto_tree *tree = NULL;
+ gint old_offset = offset;
+
+ guint32 length;
+ guint32 methodscount;
+
+ item = proto_tree_add_item(parent_tree, hf_methodspart, tvb, offset, -1, ENC_NA);
+ tree = proto_item_add_subtree(item, ett_methodspart);
+
+ proto_tree_add_item_ret_uint(tree, hf_methodspart_length, tvb, offset, 4, ENC_LITTLE_ENDIAN, &length);
+ offset+= 4;
+
+ proto_tree_add_item_ret_uint(tree, hf_methodspart_methodcount, tvb, offset, 2, ENC_LITTLE_ENDIAN, &methodscount);
+ offset+= 2;
+
+ // MethodCountPadding
+ offset+= 2;
+
+ if(methodscount > 0){
+ gint methodsHeapOffset = offset + (methodscount * 24);
+ methodsHeapOffset += 4;
+ offset = dissect_wmio_encoding_methodpart_methods(tvb, offset, pinfo, tree, methodscount, methodsHeapOffset);
+ }
+
+ {
+ proto_item *heapitem = NULL;
+ proto_tree *heaptree = NULL;
+
+ heapitem = proto_tree_add_item(tree, hf_wmio_heap, tvb, offset, -1, ENC_NA);
+ heaptree = proto_item_add_subtree(heapitem, ett_wmio_heap);
+
+ gint32 heaplength = 0x7FFFFFFF & tvb_get_guint32(tvb, offset, ENC_LITTLE_ENDIAN);
+
+ proto_tree_add_uint(heaptree, hf_wmio_heap_length, tvb, offset, 4, heaplength);
+
+ proto_item_set_len(heapitem, heaplength);
+ }
+
+ proto_item_set_len(item, length);
+
+ return old_offset+length;
+}
+
+
+static int
+dissect_wmio(tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree, dcerpc_info *di _U_, guint8 *drep _U_, gint size)
+{
+ proto_item *sub_item;
+ proto_tree *sub_tree;
+ int old_offset = offset;
+ guint32 signature;
+
+ sub_item = proto_tree_add_item(tree, hf_wmio, tvb, offset, size, ENC_NA);
+ sub_tree = proto_item_add_subtree(sub_item, ett_wmio);
+
+ proto_tree_add_item_ret_uint(sub_tree, hf_wmio_signature, tvb, offset, 4, ENC_LITTLE_ENDIAN, &signature);
+ offset+= 4;
+
+ if (signature != wmio_signature){
+ return old_offset + size;
+ }
+
+ proto_tree_add_item(sub_tree, hf_wmio_objectencodinglength, tvb, offset, 4, ENC_LITTLE_ENDIAN);
+ offset+= 4;
+
+ dissect_wmio_objectblock(tvb, offset, pinfo, sub_tree);
+
+ return old_offset + size;
+}
+
+void
+register_dcom_wmio (void)
+{
+ dcom_register_routine(dissect_wmio, &iid_WMIO);
+}
+
+void
+proto_register_WMIO (void)
+{
+ proto_WMIO = proto_register_protocol ("WMIO", "WMIO", "WMIO");
+ proto_register_field_array (proto_WMIO, hf, array_length (hf));
+ proto_register_subtree_array (ett, array_length (ett));
+} \ No newline at end of file
diff --git a/epan/dissectors/pidl/CMakeLists.txt b/epan/dissectors/pidl/CMakeLists.txt
index 30e404397d..2c1747366c 100644
--- a/epan/dissectors/pidl/CMakeLists.txt
+++ b/epan/dissectors/pidl/CMakeLists.txt
@@ -24,6 +24,7 @@ set(PIDL_DISSECTOR_NAMES
iwbemlevel1login
iwbemloginclientid
iwbemloginclientidex
+ iwbemservices
lsa
mapi
mdssvc
@@ -76,6 +77,9 @@ set(PIDL_DISSECTOR_iwbemloginclientid_EXTRA_DEPS
set(PIDL_DISSECTOR_iwbemloginclientidex_EXTRA_DEPS
idl_types.h
)
+set(PIDL_DISSECTOR_iwbemservices_EXTRA_DEPS
+ idl_types.h
+)
set(PIDL_DISSECTOR_lsa_EXTRA_DEPS
idl_types.h
)
diff --git a/epan/dissectors/pidl/Makefile.pidl b/epan/dissectors/pidl/Makefile.pidl
index 8ca5a2b5cc..ae1300109c 100644
--- a/epan/dissectors/pidl/Makefile.pidl
+++ b/epan/dissectors/pidl/Makefile.pidl
@@ -38,6 +38,7 @@ SUBDIRS = \
iwbemlevel1login \
iwbemloginclientid \
iwbemloginclientidex \
+ iwbemservices \
lsa \
mapi \
mdssvc \
@@ -130,6 +131,12 @@ $(SUBDIRS) $(DONT_BUILD_SUBDIRS): %: ../packet-dcerpc-%.c ../packet-dcerpc-%.h
idl_types.h
cd $(<D) && $(PIDL) $(pidl_out) $(pidl_inc) -- $(<F)
+../packet-dcerpc-iwbemservices.c \
+../packet-dcerpc-iwbemservices.h: iwbemservices/iwbemservices.idl \
+ iwbemservices/iwbemservices.cnf \
+ idl_types.h
+ cd $(<D) && $(PIDL) $(pidl_out) $(pidl_inc) -- $(<F)
+
../packet-dcerpc-lsa.c \
../packet-dcerpc-lsa.h: lsa/lsa.idl lsa/lsa.cnf idl_types.h
cd $(<D) && $(PIDL) $(pidl_out) $(pidl_inc) -- $(<F)
diff --git a/epan/dissectors/pidl/README b/epan/dissectors/pidl/README
index f7f08bde3d..82442d5aca 100644
--- a/epan/dissectors/pidl/README
+++ b/epan/dissectors/pidl/README
@@ -29,6 +29,7 @@ The following files:
../packet-dcerpc-iwbemlevel1login.h
../packet-dcerpc-iwbemloginclientid.h
../packet-dcerpc-iwbemloginclientidex.h
+../packet-dcerpc-iwbemservices.h
../packet-dcerpc-lsa.h
../packet-dcerpc-mapi.h
../packet-dcerpc-misc.h
diff --git a/epan/dissectors/pidl/iwbemservices/iwbemservices.cnf b/epan/dissectors/pidl/iwbemservices/iwbemservices.cnf
new file mode 100644
index 0000000000..8dd4c8a8e0
--- /dev/null
+++ b/epan/dissectors/pidl/iwbemservices/iwbemservices.cnf
@@ -0,0 +1,111 @@
+# Conformance file for iwbemservices
+
+MANUAL IWbemServices_dissect_element_GetObject_orpcthis
+MANUAL IWbemServices_dissect_element_GetObject_orpcthat_
+
+MANUAL IWbemServices_dissect_element_ExecMethod_orpcthis
+MANUAL IWbemServices_dissect_element_ExecMethod_orpcthat_
+
+MANUAL IWbemServices_dissect_element_IWbemClassObject_objects
+NOEMIT IWbemServices_dissect_element_IWbemClassObject_objects_
+NOEMIT IWbemServices_dissect_element_GetObject_strObjectPath_
+
+ETT_FIELD ett_IWbemServices_GetObject_orpcthis
+ETT_FIELD ett_IWbemServices_GetObject_orpcthat
+
+ETT_FIELD ett_IWbemServices_ExecMethod_orpcthis
+ETT_FIELD ett_IWbemServices_ExecMethod_orpcthat
+
+CODE START
+
+ #include "packet-dcom.h"
+
+static int
+IWbemServices_dissect_element_IWbemClassObject_objects_(tvbuff_t *tvb, int offset, int length, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep);
+static int
+IWbemServices_dissect_element_GetObject_strObjectPath_(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info* di, guint8 *drep);
+
+extern void register_dcom_wmio (void);
+
+/* GetObject */
+static int
+IWbemServices_dissect_element_GetObject_orpcthis(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info* di, guint8 *drep)
+{
+ proto_item *sub_item;
+ proto_tree *sub_tree;
+
+ sub_item = proto_tree_add_item(tree, hf_IWbemServices_GetObject_orpcthis, tvb, offset, 0, ENC_NA);
+ sub_tree = proto_item_add_subtree(sub_item, ett_IWbemServices_GetObject_orpcthis);
+
+ return dissect_dcom_this(tvb, offset, pinfo, sub_tree, di, drep);
+}
+
+static int
+IWbemServices_dissect_element_GetObject_orpcthat_(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info* di, guint8 *drep)
+{
+ proto_item *sub_item;
+ proto_tree *sub_tree;
+
+ register_dcom_wmio();
+
+ sub_item = proto_tree_add_item(tree, hf_IWbemServices_GetObject_orpcthat, tvb, offset, 0, ENC_NA);
+ sub_tree = proto_item_add_subtree(sub_item, ett_IWbemServices_GetObject_orpcthat);
+
+ return dissect_dcom_that(tvb, offset, pinfo, sub_tree, di, drep);
+}
+
+/* ExecMethod */
+static int
+IWbemServices_dissect_element_ExecMethod_orpcthis(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info* di, guint8 *drep)
+{
+ proto_item *sub_item;
+ proto_tree *sub_tree;
+
+ sub_item = proto_tree_add_item(tree, hf_IWbemServices_ExecMethod_orpcthis, tvb, offset, 0, ENC_NA);
+ sub_tree = proto_item_add_subtree(sub_item, ett_IWbemServices_ExecMethod_orpcthis);
+
+ return dissect_dcom_this(tvb, offset, pinfo, sub_tree, di, drep);
+}
+
+static int
+IWbemServices_dissect_element_ExecMethod_orpcthat_(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info* di, guint8 *drep)
+{
+ proto_item *sub_item;
+ proto_tree *sub_tree;
+
+ register_dcom_wmio();
+
+ sub_item = proto_tree_add_item(tree, hf_IWbemServices_ExecMethod_orpcthat, tvb, offset, 0, ENC_NA);
+ sub_tree = proto_item_add_subtree(sub_item, ett_IWbemServices_ExecMethod_orpcthat);
+
+ return dissect_dcom_that(tvb, offset, pinfo, sub_tree, di, drep);
+}
+
+static int
+IWbemServices_dissect_element_IWbemClassObject_objects(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info* di, guint8 *drep)
+{
+ return dissect_ndr_ucarray_block(tvb, offset, pinfo, tree, di, drep, &IWbemServices_dissect_element_IWbemClassObject_objects_);
+}
+
+static int
+IWbemServices_dissect_element_IWbemClassObject_objects_(tvbuff_t *tvb, int offset, int length, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
+{
+ dissect_dcom_OBJREF(tvb, offset, pinfo, tree, di, drep, hf_IWbemServices_IWbemClassObject_objects, NULL);
+ return offset + length;
+}
+
+static int
+IWbemServices_dissect_element_GetObject_strObjectPath_(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info* di, guint8 *drep)
+{
+ char *data = NULL;
+
+ offset = dissect_ndr_cvstring(tvb, offset, pinfo, tree, di, drep, sizeof(guint16), hf_IWbemServices_GetObject_strObjectPath, FALSE, &data);
+ if (data){
+ proto_item_append_text(tree, ": %s", data);
+ col_append_fstr(pinfo->cinfo, COL_INFO, " Object=%s", data);
+ }
+
+ return offset;
+}
+
+CODE END \ No newline at end of file
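Review bot: `register_dcom_wmio();` sits on the dissection path in `IWbemServices_dissect_element_GetObject_orpcthat_` and `IWbemServices_dissect_element_ExecMethod_orpcthat_`, so the WMIO marshaler registration is repeated for every response and does not exist until the first GetObject or ExecMethod reply has been dissected. An object reference carrying the WMIO IID that is dissected before such a reply would presumably not reach `dissect_wmio`, and whether `dcom_register_routine` tolerates repeated registration is not visible in this hunk. I would drop both calls and register once at start-up, for example from a `proto_reg_handoff_*` routine in packet-wmio.c, with a comment such as `/* Register the WMIO custom-marshaling dissector with DCOM once, at handoff. */`.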
diff --git a/epan/dissectors/pidl/iwbemservices/iwbemservices.idl b/epan/dissectors/pidl/iwbemservices/iwbemservices.idl
new file mode 100644
index 0000000000..c4de5c55ce
--- /dev/null
+++ b/epan/dissectors/pidl/iwbemservices/iwbemservices.idl
@@ -0,0 +1,158 @@
+#include "idl_types.h"
+
+/*
+ IWbemServices interface definitions
+*/
+[ uuid("9556dc99-828c-11cf-a37e-00aa003240c7"),
+ restricted,
+ pointer_default(unique)
+]
+interface IWbemServices
+{
+ typedef struct
+ {
+ } ORPCTHIS;
+
+ typedef struct
+ {
+ } ORPCTHAT;
+
+ typedef struct
+ {
+ } IWbemCallResult;
+
+ /*****************/
+ /* Function 0 */
+ [todo] WERROR iwbemservices_opnum0(
+ );
+ /*****************/
+ /* Function 1 */
+ [todo] WERROR iwbemservices_opnum1(
+ );
+ /*****************/
+ /* Function 2 */
+ [todo] WERROR iwbemservices_opnum2(
+ );
+ /*****************/
+ /* Function 3 */
+ [todo] WERROR iwbemservices_OpenNamespace(
+ );
+ /*****************/
+ /* Function 4 */
+ [todo] WERROR iwbemservices_CancelAsyncCall(
+ );
+ /*****************/
+ /* Function 5 */
+ [todo] WERROR iwbemservices_QueryObjectSink(
+ );
+
+ typedef struct
+ {
+ uint32 count;
+ [size_is(count)] uint8 objects[];
+ } IWbemClassObject;
+
+ typedef struct
+ {
+ uint32 ulCntData;
+ [size_is(count)] uint8 abData[];
+ } MInterfacePointer;
+
+ typedef struct
+ {
+ uint32 u;
+ MInterfacePointer *intPtr;
+ } IWbemContext;
+
+ /*****************/
+ /* Function 6 */
+ WERROR GetObject(
+ [in] ORPCTHIS orpcthis,
+ [in, unique, string, charset(UTF16)] uint16* strObjectPath,
+ [in] uint32 lFlags,
+ [in] IWbemContext* pCtx,
+ [out] ORPCTHAT* orpcthat,
+ [out, in, unique] IWbemClassObject** ppObject,
+ [out, in, unique] IWbemCallResult** ppCallResult
+ );
+
+ /*****************/
+ /* Function 7 */
+ [todo] WERROR iwbemservices_opnum7(
+ );
+ /*****************/
+ /* Function 8 */
+ [todo] WERROR iwbemservices_opnum8(
+ );
+ /*****************/
+ /* Function 9 */
+ [todo] WERROR iwbemservices_opnum9(
+ );
+ /*****************/
+ /* Function 10 */
+ [todo] WERROR iwbemservices_opnum10(
+ );
+ /*****************/
+ /* Function 11 */
+ [todo] WERROR iwbemservices_opnum11(
+ );
+ /*****************/
+ /* Function 12 */
+ [todo] WERROR iwbemservices_opnum12(
+ );
+ /*****************/
+ /* Function 13 */
+ [todo] WERROR iwbemservices_opnum13(
+ );
+ /*****************/
+ /* Function 14 */
+ [todo] WERROR iwbemservices_opnum14(
+ );
+ /*****************/
+ /* Function 15 */
+ [todo] WERROR iwbemservices_opnum15(
+ );
+ /*****************/
+ /* Function 16 */
+ [todo] WERROR iwbemservices_opnum16(
+ );
+ /*****************/
+ /* Function 17 */
+ [todo] WERROR iwbemservices_opnum17(
+ );
+ /*****************/
+ /* Function 18 */
+ [todo] WERROR iwbemservices_opnum18(
+ );
+ /*****************/
+ /* Function 19 */
+ [todo] WERROR iwbemservices_opnum19(
+ );
+ /*****************/
+ /* Function 20 */
+ [todo] WERROR iwbemservices_opnum20(
+ );
+ /*****************/
+ /* Function 21 */
+ [todo] WERROR iwbemservices_opnum21(
+ );
+ /*****************/
+ /* Function 22 */
+ [todo] WERROR iwbemservices_opnum22(
+ );
+ /*****************/
+ /* Function 23 */
+ [todo] WERROR iwbemservices_opnum23(
+ );
+
+ /*****************/
+ /* Function 24 */
+ WERROR ExecMethod(
+ [in] ORPCTHIS orpcthis,
+ [in, unique, string, charset(UTF16)] uint16* strObjectPath,
+ [in, unique, string, charset(UTF16)] uint16* strMethodName,
+ [in] uint32 lFlags,
+ [out] ORPCTHAT* orpcthat
+ );
+
+}; \ No newline at end of file
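Review bot: In `MInterfacePointer` the array is declared `[size_is(count)] uint8 abData[];`, but that struct has no `count` member; its length field is `ulCntData`. `count` belongs to the `IWbemClassObject` struct just above, so this looks like a copy-paste slip that leaves the conformant array's size expression pointing at a name outside the struct. The line should read `[size_is(ulCntData)] uint8 abData[];`. The empty `ORPCTHIS` and `ORPCTHAT` structs would also benefit from a one-line comment saying they are placeholders whose content is dissected by the MANUAL handlers in iwbemservices.cnf.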