diff options
author | Ronnie Sahlberg <ronnie_sahlberg@ozemail.com.au> | 2006-09-22 01:40:23 +0000 |
---|---|---|
committer | Ronnie Sahlberg <ronnie_sahlberg@ozemail.com.au> | 2006-09-22 01:40:23 +0000 |
commit | f1aec19c5377d2258197acccc370a96e2bd1c0a6 (patch) | |
tree | eced228ae61446e5b78f521c4eb4d51b10d59670 /epan/dissectors/packet-dcerpc-eventlog.c | |
parent | e38da936298bfaf84ad122a200a35f730a7a7225 (diff) |
add conformance file magic to decode the non-NDR source/computer name strings of the eventlog_Record
svn path=/trunk/; revision=19280
Diffstat (limited to 'epan/dissectors/packet-dcerpc-eventlog.c')
-rw-r--r-- | epan/dissectors/packet-dcerpc-eventlog.c | 125 |
1 files changed, 85 insertions, 40 deletions
diff --git a/epan/dissectors/packet-dcerpc-eventlog.c b/epan/dissectors/packet-dcerpc-eventlog.c index 1c46d782a6..da7d90dc1d 100644 --- a/epan/dissectors/packet-dcerpc-eventlog.c +++ b/epan/dissectors/packet-dcerpc-eventlog.c @@ -68,8 +68,8 @@ static gint hf_eventlog_eventlog_GetLogIntormation_handle = -1; static gint hf_eventlog_eventlog_ReadEventLogW_number_of_bytes = -1; static gint hf_eventlog_eventlog_RegisterEventSourceW_servername = -1; static gint hf_eventlog_eventlog_Record_reserved = -1; -static gint hf_eventlog_eventlog_Record_raw_data = -1; static gint hf_eventlog_eventlogEventTypes_EVENTLOG_AUDIT_FAILURE = -1; +static gint hf_eventlog_eventlog_Record_raw_data = -1; static gint hf_eventlog_eventlog_ChangeNotify_handle = -1; static gint hf_eventlog_eventlogEventTypes_EVENTLOG_WARNING_TYPE = -1; static gint hf_eventlog_eventlog_OpenUnknown0_unknown0 = -1; @@ -81,13 +81,15 @@ static gint hf_eventlog_eventlog_ReadEventLogW_data = -1; static gint hf_eventlog_eventlog_Record_event_category = -1; static gint hf_eventlog_eventlog_DeregisterEventSource_handle = -1; static gint hf_eventlog_eventlogEventTypes_EVENTLOG_ERROR_TYPE = -1; +static gint hf_eventlog_Record_source_name = -1; static gint hf_eventlog_eventlog_ReadEventLogW_sent_size = -1; static gint hf_eventlog_eventlogEventTypes_EVENTLOG_INFORMATION_TYPE = -1; static gint hf_eventlog_opnum = -1; static gint hf_eventlog_eventlog_Record_time_generated = -1; static gint hf_eventlog_eventlog_Record_stringoffset = -1; -static gint hf_eventlog_eventlogReadFlags_EVENTLOG_FORWARDS_READ = -1; +static gint hf_eventlog_Record_computer_name = -1; static gint hf_eventlog_eventlog_OpenBackupEventLogW_unknown0 = -1; +static gint hf_eventlog_eventlogReadFlags_EVENTLOG_FORWARDS_READ = -1; static gint hf_eventlog_eventlog_OpenBackupEventLogW_unknown2 = -1; static gint hf_eventlog_eventlog_OpenBackupEventLogW_unknown3 = -1; static gint hf_eventlog_eventlog_Record_event_id = -1; @@ -109,8 +111,8 @@ static gint hf_eventlog_eventlog_RegisterEventSourceW_unknown2 = -1; static gint hf_eventlog_eventlog_Record_data_length = -1; static gint hf_eventlog_eventlog_GetOldestRecord_handle = -1; static gint hf_eventlog_eventlog_RegisterEventSourceW_unknown3 = -1; -static gint hf_eventlog_Record = -1; static gint hf_eventlog_eventlog_ClearEventLogW_handle = -1; +static gint hf_eventlog_Record = -1; static gint hf_eventlog_eventlog_Record_closing_record_number = -1; static gint hf_eventlog_eventlog_OpenBackupEventLogW_handle = -1; @@ -273,6 +275,7 @@ eventlog_dissect_element_ReadEventLogW_data_(tvbuff_t *tvb, int offset, packet_i { guint32 len; dcerpc_info *di; + tvbuff_t *record_tvb; di=pinfo->private_data; if(di->conformant_run){ /*just a run to handle conformant arrays, nothing to dissect */ @@ -280,7 +283,75 @@ eventlog_dissect_element_ReadEventLogW_data_(tvbuff_t *tvb, int offset, packet_i } offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep, hf_eventlog_Record_length, &len); - offset=eventlog_dissect_struct_Record(tvb, offset, pinfo, tree, drep, hf_eventlog_Record, 0); + /* Create a new tvb so that we know that offset==0 is the beginning + * of the record. We need to know this since the data is not really + * NDR encoded at all and there are byte offsets into this buffer + * encoded therein. + */ + record_tvb=tvb_new_subset(tvb, offset, MIN(len, tvb_length_remaining(tvb, offset)), len); + eventlog_dissect_struct_Record(record_tvb, 0, pinfo, tree, drep, hf_eventlog_Record, 0); + offset+=len; + return offset; +} +/* sid_length and sid_offset handled by manual code since this is not NDR + and we want to dissect the sid from the data blob */ +static guint32 sid_length; +static int +eventlog_dissect_element_Record_sid_length(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep) +{ + sid_length=0; + offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep, hf_eventlog_eventlog_Record_sid_length,&sid_length); + return offset; +} +static int +eventlog_dissect_element_Record_sid_offset(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep) +{ + guint32 sid_offset=0; + offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep, hf_eventlog_eventlog_Record_sid_offset,&sid_offset); + if(sid_offset && sid_length){ + tvbuff_t *sid_tvb; + /* this blob contains an NT SID. + * tvb starts at the beginning of the record. + */ + sid_tvb=tvb_new_subset(tvb, sid_offset, MIN(sid_length, tvb_length_remaining(tvb, offset)), sid_length); + dissect_nt_sid(sid_tvb, 0, tree, "SID", NULL, -1); + } + return offset; +} +static int +eventlog_get_unicode_string_length(tvbuff_t *tvb, int offset) +{ + int len; + len=0; + while(1){ + if(!tvb_get_ntohs(tvb, offset+len*2)){ + len++; + break; + } + len++; + } + return len; +} +static int +eventlog_dissect_element_Record_source_name(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep) +{ + char *str; + int len; + len=eventlog_get_unicode_string_length(tvb, offset); + str=tvb_get_ephemeral_faked_unicode(tvb, offset, len, TRUE); + proto_tree_add_string_format(tree, hf_eventlog_Record_source_name, tvb, offset, len*2, str, "source_name: %s", str); + offset+=len*2; + return offset; +} +static int +eventlog_dissect_element_Record_computer_name(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep) +{ + char *str; + int len; + len=eventlog_get_unicode_string_length(tvb, offset); + str=tvb_get_ephemeral_faked_unicode(tvb, offset, len, TRUE); + proto_tree_add_string_format(tree, hf_eventlog_Record_computer_name, tvb, offset, len*2, str, "computer_name: %s", str); + offset+=len*2; return offset; } @@ -601,22 +672,6 @@ eventlog_dissect_element_Record_stringoffset(tvbuff_t *tvb, int offset, packet_i } static int -eventlog_dissect_element_Record_sid_length(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep) -{ - offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep, hf_eventlog_eventlog_Record_sid_length,NULL); - - return offset; -} - -static int -eventlog_dissect_element_Record_sid_offset(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep) -{ - offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep, hf_eventlog_eventlog_Record_sid_offset,NULL); - - return offset; -} - -static int eventlog_dissect_element_Record_data_length(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep) { offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep, hf_eventlog_eventlog_Record_data_length,NULL); @@ -633,20 +688,6 @@ eventlog_dissect_element_Record_data_offset(tvbuff_t *tvb, int offset, packet_in } static int -eventlog_dissect_element_Record_source_name(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep) -{ - - return offset; -} - -static int -eventlog_dissect_element_Record_computer_name(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep) -{ - - return offset; -} - -static int eventlog_dissect_element_Record_strings(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep) { @@ -2092,10 +2133,10 @@ void proto_register_dcerpc_eventlog(void) { "Servername", "eventlog.eventlog_RegisterEventSourceW.servername", FT_NONE, BASE_HEX, NULL, 0, "", HFILL }}, { &hf_eventlog_eventlog_Record_reserved, { "Reserved", "eventlog.eventlog_Record.reserved", FT_UINT32, BASE_DEC, NULL, 0, "", HFILL }}, - { &hf_eventlog_eventlog_Record_raw_data, - { "Raw Data", "eventlog.eventlog_Record.raw_data", FT_NONE, BASE_HEX, NULL, 0, "", HFILL }}, { &hf_eventlog_eventlogEventTypes_EVENTLOG_AUDIT_FAILURE, { "Eventlog Audit Failure", "eventlog.eventlogEventTypes.EVENTLOG_AUDIT_FAILURE", FT_BOOLEAN, 32, TFS(&eventlogEventTypes_EVENTLOG_AUDIT_FAILURE_tfs), ( 0x0010 ), "", HFILL }}, + { &hf_eventlog_eventlog_Record_raw_data, + { "Raw Data", "eventlog.eventlog_Record.raw_data", FT_NONE, BASE_HEX, NULL, 0, "", HFILL }}, { &hf_eventlog_eventlog_ChangeNotify_handle, { "Handle", "eventlog.eventlog_ChangeNotify.handle", FT_BYTES, BASE_NONE, NULL, 0, "", HFILL }}, { &hf_eventlog_eventlogEventTypes_EVENTLOG_WARNING_TYPE, @@ -2118,6 +2159,8 @@ void proto_register_dcerpc_eventlog(void) { "Handle", "eventlog.eventlog_DeregisterEventSource.handle", FT_BYTES, BASE_NONE, NULL, 0, "", HFILL }}, { &hf_eventlog_eventlogEventTypes_EVENTLOG_ERROR_TYPE, { "Eventlog Error Type", "eventlog.eventlogEventTypes.EVENTLOG_ERROR_TYPE", FT_BOOLEAN, 32, TFS(&eventlogEventTypes_EVENTLOG_ERROR_TYPE_tfs), ( 0x0001 ), "", HFILL }}, + { &hf_eventlog_Record_source_name, + { "Source Name", "eventlog.Record.source_name", FT_STRING, BASE_NONE, NULL, 0, " ", HFILL }}, { &hf_eventlog_eventlog_ReadEventLogW_sent_size, { "Sent Size", "eventlog.eventlog_ReadEventLogW.sent_size", FT_UINT32, BASE_DEC, NULL, 0, "", HFILL }}, { &hf_eventlog_eventlogEventTypes_EVENTLOG_INFORMATION_TYPE, @@ -2128,10 +2171,12 @@ void proto_register_dcerpc_eventlog(void) { "Time Generated", "eventlog.eventlog_Record.time_generated", FT_UINT32, BASE_DEC, NULL, 0, "", HFILL }}, { &hf_eventlog_eventlog_Record_stringoffset, { "Stringoffset", "eventlog.eventlog_Record.stringoffset", FT_UINT32, BASE_DEC, NULL, 0, "", HFILL }}, - { &hf_eventlog_eventlogReadFlags_EVENTLOG_FORWARDS_READ, - { "Eventlog Forwards Read", "eventlog.eventlogReadFlags.EVENTLOG_FORWARDS_READ", FT_BOOLEAN, 32, TFS(&eventlogReadFlags_EVENTLOG_FORWARDS_READ_tfs), ( 0x0004 ), "", HFILL }}, + { &hf_eventlog_Record_computer_name, + { "Computer Name", "eventlog.Record.computer_name", FT_STRING, BASE_NONE, NULL, 0, " ", HFILL }}, { &hf_eventlog_eventlog_OpenBackupEventLogW_unknown0, { "Unknown0", "eventlog.eventlog_OpenBackupEventLogW.unknown0", FT_NONE, BASE_NONE, NULL, 0, "", HFILL }}, + { &hf_eventlog_eventlogReadFlags_EVENTLOG_FORWARDS_READ, + { "Eventlog Forwards Read", "eventlog.eventlogReadFlags.EVENTLOG_FORWARDS_READ", FT_BOOLEAN, 32, TFS(&eventlogReadFlags_EVENTLOG_FORWARDS_READ_tfs), ( 0x0004 ), "", HFILL }}, { &hf_eventlog_eventlog_OpenBackupEventLogW_unknown2, { "Unknown2", "eventlog.eventlog_OpenBackupEventLogW.unknown2", FT_UINT32, BASE_DEC, NULL, 0, "", HFILL }}, { &hf_eventlog_eventlog_OpenBackupEventLogW_unknown3, @@ -2174,10 +2219,10 @@ void proto_register_dcerpc_eventlog(void) { "Handle", "eventlog.eventlog_GetOldestRecord.handle", FT_BYTES, BASE_NONE, NULL, 0, "", HFILL }}, { &hf_eventlog_eventlog_RegisterEventSourceW_unknown3, { "Unknown3", "eventlog.eventlog_RegisterEventSourceW.unknown3", FT_UINT32, BASE_DEC, NULL, 0, "", HFILL }}, - { &hf_eventlog_Record, - { "Record", "eventlog.Record", FT_NONE, BASE_NONE, NULL, 0, " ", HFILL }}, { &hf_eventlog_eventlog_ClearEventLogW_handle, { "Handle", "eventlog.eventlog_ClearEventLogW.handle", FT_BYTES, BASE_NONE, NULL, 0, "", HFILL }}, + { &hf_eventlog_Record, + { "Record", "eventlog.Record", FT_NONE, BASE_NONE, NULL, 0, " ", HFILL }}, { &hf_eventlog_eventlog_Record_closing_record_number, { "Closing Record Number", "eventlog.eventlog_Record.closing_record_number", FT_UINT32, BASE_DEC, NULL, 0, "", HFILL }}, { &hf_eventlog_eventlog_OpenBackupEventLogW_handle, |