-rw-r--r--epan/dissectors/dcerpc/efs/Makefile16
-rw-r--r--epan/dissectors/dcerpc/efs/efs.cnf1
-rw-r--r--epan/dissectors/dcerpc/efs/efs.idl108
-rwxr-xr-xepan/dissectors/dcerpc/efs/template.c80
-rwxr-xr-xepan/dissectors/dcerpc/efs/template.h36
-rw-r--r--epan/dissectors/dcerpc/idl2eth.c33
-rw-r--r--epan/dissectors/packet-dcerpc-efs.c1365
-rw-r--r--epan/dissectors/packet-dcerpc-efs.h34
8 files changed, 1222 insertions, 451 deletions
diff --git a/epan/dissectors/dcerpc/efs/Makefile b/epan/dissectors/dcerpc/efs/Makefile
new file mode 100644
index 0000000000..8e728d1f51
--- /dev/null
+++ b/epan/dissectors/dcerpc/efs/Makefile
@@ -0,0 +1,16 @@
+# $Id: Makefile 13071 2005-01-16 10:19:21Z guy $
+
+DISSECTOR_FILES=packet-dcerpc-efs.c packet-dcerpc-efs.h
+
+all: generate_dissector
+
+generate_dissector: $(DISSECTOR_FILES)
+
+$(DISSECTOR_FILES): ../idl2eth efs.idl efs.cnf template.c template.h
+ ../idl2eth efs
+
+clean:
+ rm -f ETH_* $(DISSECTOR_FILES)
+
+copy_files: generate_dissector
+ cp $(DISSECTOR_FILES) ../..
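Review bot: None of `all`, `generate_dissector`, `clean` or `copy_files` is declared phony, so a stray file with one of those names in this directory would silently stop the rule from running; adding `.PHONY: all generate_dissector clean copy_files` avoids that. The `$(DISSECTOR_FILES):` rule also lists two targets for a single `../idl2eth efs` invocation, which a parallel make may run twice at the same time against the same `ETH_*` scratch files. A short comment saying this directory must be built serially, or a single stamp target that both files depend on, would make the generated output reproducible.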
diff --git a/epan/dissectors/dcerpc/efs/efs.cnf b/epan/dissectors/dcerpc/efs/efs.cnf
new file mode 100644
index 0000000000..792d600548
--- /dev/null
+++ b/epan/dissectors/dcerpc/efs/efs.cnf
@@ -0,0 +1 @@
+#
diff --git a/epan/dissectors/dcerpc/efs/efs.idl b/epan/dissectors/dcerpc/efs/efs.idl
new file mode 100644
index 0000000000..65f6c3290d
--- /dev/null
+++ b/epan/dissectors/dcerpc/efs/efs.idl
@@ -0,0 +1,108 @@
+/*
+ IDL definitions from original packet-dcerpc-efs.c
+ by Jean-Baptiste Marchand
+*/
+
+[
+ uuid("c681d488-d850-11d0-8c52-00c04fd90f7e"),
+ version(1.0),
+ implicit_handle(handle_t rpc_binding)
+ pointer_default(unique)
+] interface efs
+{
+
+WERROR EfsRpcOpenFileRaw(
+ [out,ref] policy_handle *pvContext,
+ [in] unistr FileName,
+ [in] long Flags
+ );
+
+WERROR EfsRpcReadFileRaw(
+ [in,ref] policy_handle *pvContext
+/* incomplete */
+);
+
+
+WERROR EfsRpcWriteFileRaw(
+ [in,ref] policy_handle *pvContext
+/* incomplete */
+);
+
+/*XXX this one is really void, need to fix idl2eth for this */
+WERROR EfsRpcCloseRaw(
+ [in,out,ref] policy_handle *pvContext,
+);
+
+WERROR EfsRpcEncryptFileSrv(
+ [in] unistr Filename
+);
+
+WERROR EfsRpcDecryptFileSrv(
+ [in] unistr FileName,
+ [in] long Reserved
+);
+
+typedef struct {
+ long cbData;
+ [size_is(cbData), unique] uint8 *pbData;
+} EFS_HASH_BLOB;
+
+typedef struct {
+ long cbTotalLength;
+ [unique] SID *pUserSid;
+ [unique] EFS_HASH_BLOB *pHash;
+ [unique] unistr *lpDisplayInformation;
+} ENCRYPTION_CERTIFICATE_HASH;
+
+typedef struct {
+ long nCert_Hash;
+ /* this is a pointer to an array of pointers */
+ [size_is(nCert_Hash)] ENCRYPTION_CERTIFICATE_HASH *pUsers[*];
+} ENCRYPTION_CERTIFICATE_HASH_LIST;
+
+WERROR EfsRpcQueryUsersOnFile(
+ [in] unistr FileName,
+ [out,ref,unique] ENCRYPTION_CERTIFICATE_HASH_LIST **pUsers
+);
+
+WERROR EfsRpcQueryRecoveryAgents(
+ [in] unistr FileName,
+ [out,ref,unique] ENCRYPTION_CERTIFICATE_HASH_LIST **pRecoveryAgents
+);
+
+WERROR EfsRpcRemoveUsersFromFile(
+ [in] unistr FileName
+ /* [in] ENCRYPTION_CERTIFICATE_LIST Hashes*/
+);
+
+WERROR EfsRpcAddUsersToFile(
+ [in] unistr FileName
+ /* [in] ENCRYPTION_CERTIFICATE_LIST Hashes*/
+);
+
+typedef struct {
+ long dwCertEncodingType;
+ long cbData;
+ [size_is(cbData)] [unique] uint8 *pbData;
+} EFS_CERTIFICATE_BLOB;
+
+typedef struct {
+ long TotalLength;
+ [unique] SID *pUserSid;
+ [unique] EFS_CERTIFICATE_BLOB *pCertBlob;
+} ENCRYPTION_CERTIFICATE;
+
+WERROR EfsRpcSetFileEncryptionKey(
+ [in] [unique] ENCRYPTION_CERTIFICATE *pEncryptionCertificate
+);
+
+WERROR EfsRpcNotSupported(
+);
+
+WERROR EfsRpcFileKeyInfo(
+);
+
+WERROR EfsRpcDuplicateEncryptionInfoFile(
+);
+
+}
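Review bot: The `policy_handle *pvContext` parameters (`[out,ref]` on EfsRpcOpenFileRaw, `[in,out,ref]` on EfsRpcCloseRaw) carry nothing that tells the generator which call opens and which closes the handle, and the generated wrappers later in this commit all call `efs_dissect_policy_handle` with `param=0`, so `param&0x01` and `param&0x02` are always false. The hand-written code being replaced passed `TRUE, FALSE` on the OpenFileRaw reply and `FALSE, TRUE` on the CloseRaw request, so open/close handle tracking appears to be lost; if idl2eth or efs.cnf has a way to set `param` per field it should be used here, and if not, that limitation deserves a comment next to the declarations. Separately, `EfsRpcCloseRaw(` ends its parameter list with a trailing comma and the interface attributes have no comma between `implicit_handle(handle_t rpc_binding)` and `pointer_default(unique)`; whether idl2eth tolerates both is not visible here.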
diff --git a/epan/dissectors/dcerpc/efs/template.c b/epan/dissectors/dcerpc/efs/template.c
new file mode 100755
index 0000000000..734e5025e1
--- /dev/null
+++ b/epan/dissectors/dcerpc/efs/template.c
@@ -0,0 +1,80 @@
+/* DO NOT EDIT
+ * This dissector is autogenerated
+ */
+
+/* packet-dcerpc-efs.c
+ * Routines for EFS packet disassembly
+ * ronnie sahlberg 2005
+ * Autogenerated based on the IDL definitions by
+ * Jean-Baptiste Marchand
+ *
+ * $Id: packet-dcerpc-efs.c 11592 2004-08-03 02:28:49Z guy $
+ *
+ * Ethereal - Network traffic analyzer
+ * By Gerald Combs <gerald@ethereal.com>
+ * Copyright 1998 Gerald Combs
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include <glib.h>
+#include <string.h>
+
+#include <epan/packet.h>
+#include "packet-dcerpc.h"
+#include "packet-dcerpc-nt.h"
+#include "packet-windows-common.h"
+#include "packet-dcerpc-efs.h"
+
+static int proto_efs = -1;
+ETH_HF
+
+ETH_ETT
+
+ETH_CODE
+
+void
+proto_register_efs(void)
+{
+ static hf_register_info hf[] = {
+ETH_HFARR
+ };
+
+ static gint *ett[] = {
+ETH_ETTARR
+ };
+
+ proto_efs = proto_register_protocol(
+ "Microsoft Encrypted File System Service",
+ "EFS", "efs");
+ proto_register_field_array(proto_efs, hf, array_length(hf));
+ proto_register_subtree_array(ett, array_length(ett));
+}
+
+static dcerpc_sub_dissector function_dissectors[] = {
+ETH_FT
+ { 0, NULL, NULL, NULL },
+};
+
+void
+proto_reg_handoff_efs(void)
+{
+ETH_HANDOFF
+}
+
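Review bot: `new file mode 100755` marks this C template executable, and template.h in the next section is added with the same mode; both are plain source and should be `100644` so that nothing in the tree is executable without a reason. The `DO NOT EDIT` banner at the top is meant for the generated packet-dcerpc-efs.c, but as written it also tells a reader of template.c not to edit the one file that has to be changed by hand. Extending the banner to something like `* This dissector is autogenerated from efs.idl and template.c; change those instead` would read correctly both here and in the generated output.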
diff --git a/epan/dissectors/dcerpc/efs/template.h b/epan/dissectors/dcerpc/efs/template.h
new file mode 100755
index 0000000000..901aac4094
--- /dev/null
+++ b/epan/dissectors/dcerpc/efs/template.h
@@ -0,0 +1,36 @@
+/* DO NOT EDIT
+ * This dissector is autogenerated
+ * ronnie sahlberg 2005
+ * Autogenerated based on the IDL definitions by
+ * Jean-Baptiste Marchand
+ */
+/* packet-dcerpc-efs.h
+ * Routines for EFS packet disassembly
+ *
+ * $Id: packet-dcerpc-efs.h 11410 2004-07-18 18:06:47Z gram $
+ *
+ * Ethereal - Network traffic analyzer
+ * By Gerald Combs <gerald@ethereal.com>
+ * Copyright 1998 Gerald Combs
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ */
+
+#ifndef __PACKET_DCERPC_EFS_H
+#define __PACKET_DCERPC_EFS_H
+
+ETH_HDR
+
+#endif /* packet-dcerpc-efs.h */
diff --git a/epan/dissectors/dcerpc/idl2eth.c b/epan/dissectors/dcerpc/idl2eth.c
index ee02631630..9d4b49b348 100644
--- a/epan/dissectors/dcerpc/idl2eth.c
+++ b/epan/dissectors/dcerpc/idl2eth.c
@@ -35,11 +35,16 @@ TODO
NTTIME_hyper A 64 bit integer representing a NTTIME
NTTIME_1sec
+ unistr A conformant and varying unicode string
- bool8
+ ascstr A conformant and varying ascii string
+
+
+ SID A SID structure.
- unistr
- ascstr
+
+ policy_handle
+ bool8
GUID
uuid_t
policy_handle
@@ -1248,6 +1253,22 @@ find_type(char *name)
FPRINTF(eth_code, "}\n");
FPRINTF(eth_code, "\n");
tmptype=register_new_type("time_t", dissectorname, "FT_ABSOLUTE_TIME", "BASE_DEC", "0", "NULL", 4);
+ } else if(!strcmp(name,"SID")){
+ sprintf(dissectorname, "%s_dissect_%s", ifname, name);
+ FPRINTF(NULL,"\nAutogenerating built-in type:%s\n------------\n",name);
+ FPRINTF(eth_code, "\n");
+ FPRINTF(eth_code, "static int\n");
+ FPRINTF(eth_code, "%s(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep, int hf_index, guint32 param)\n", dissectorname);
+ FPRINTF(eth_code, "{\n");
+ FPRINTF(eth_code, " dcerpc_info *di = (dcerpc_info *)pinfo->private_data;\n");
+ FPRINTF(eth_code, "\n");
+ FPRINTF(eth_code, " di->hf_index=hf_index;\n");
+
+ FPRINTF(eth_code, " offset=dissect_ndr_nt_SID_with_options(tvb, offset, pinfo, tree, drep, param);\n");
+ FPRINTF(eth_code, " return offset;\n");
+ FPRINTF(eth_code, "}\n");
+ FPRINTF(eth_code, "\n");
+ tmptype=register_new_type("SID", dissectorname, "FT_STRING", "BASE_DEC", "0", "NULL", 4);
} else if(!strcmp(name,"WERROR")){
sprintf(dissectorname, "%s_dissect_%s", ifname, name);
FPRINTF(NULL,"\nAutogenerating built-in type:%s\n------------\n",name);
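Review bot: The new SID branch builds the function name with `sprintf(dissectorname, "%s_dissect_%s", ifname, name);`, which puts no bound on what is written; `dissectorname` is declared outside the hunk, so its size cannot be checked from here, and `ifname` presumably comes from the IDL file being parsed. If `dissectorname` is an array, `snprintf(dissectorname, sizeof dissectorname, "%s_dissect_%s", ifname, name);` with a check for truncation is the safer form, and the WERROR branch just below uses the same call. The registration also pairs `"FT_STRING"` with `"BASE_DEC"`; a string field would normally be registered with `"BASE_NONE"`. find_type's body starts and ends outside the hunk.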
@@ -1519,7 +1540,7 @@ void parsetypedefstruct(int pass)
alignment=4;
}
}
- /* now that we know how many real poitner there were we must
+ /* now that we know how many real pointers there were we must
prepend default pointers to the list so it has the right
length.
*/
@@ -1548,9 +1569,7 @@ void parsetypedefstruct(int pass)
/* this is just a normal [] array */
fixed_array_size=0;
} else if(!strcmp("*", ti->str)){
- if(bi && !(bi->flags|BI_POINTER)){
- pi=prepend_pointer_list(pi, 1);
- }
+ pi=prepend_pointer_list(pi, num_pointers+1);
fixed_array_size=0;
is_array_of_pointers=1;
ti=ti->next;
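Review bot: The new `pi=prepend_pointer_list(pi, num_pointers+1);` has no comment explaining the count, and it now runs for every `*` array dimension without consulting `bi`. The guard it replaces, `!(bi->flags|BI_POINTER)`, could not be true if `BI_POINTER` is a non-zero flag, so the old branch presumably never ran and this line changes the output for every existing IDL file that uses `[*]`, not only efs.idl. A comment such as `/* array of pointers: pad the pointer list to num_pointers+1 entries */`, plus a line in the commit message on which already-generated dissectors were regenerated and compared, would make the change reviewable. parsetypedefstruct's body starts and ends outside the hunk.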
diff --git a/epan/dissectors/packet-dcerpc-efs.c b/epan/dissectors/packet-dcerpc-efs.c
index 5487912024..fe074f3e89 100644
--- a/epan/dissectors/packet-dcerpc-efs.c
+++ b/epan/dissectors/packet-dcerpc-efs.c
@@ -1,6 +1,12 @@
+/* DO NOT EDIT
+ * This dissector is autogenerated
+ */
+
/* packet-dcerpc-efs.c
- * Routines for the efsrpc MSRPC interface
- * Copyright 2004 Ronnie Sahlberg, Jean-Baptiste Marchand
+ * Routines for EFS packet disassembly
+ * ronnie sahlberg 2005
+ * Autogenerated based on the IDL definitions by
+ * Jean-Baptiste Marchand
*
* $Id$
*
@@ -23,676 +29,1181 @@
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/
-
#ifdef HAVE_CONFIG_H
#include "config.h"
#endif
#include <glib.h>
+#include <string.h>
+
#include <epan/packet.h>
#include "packet-dcerpc.h"
#include "packet-dcerpc-nt.h"
-#include "packet-dcerpc-efs.h"
#include "packet-windows-common.h"
+#include "packet-dcerpc-efs.h"
+static int proto_efs = -1;
+
+
+/* INCLUDED FILE : ETH_HF */
+static int hf_efs_opnum = -1;
+static int hf_efs_rc = -1;
+static int hf_efs_EfsRpcOpenFileRaw_pvContext = -1;
+static int hf_efs_EfsRpcOpenFileRaw_FileName = -1;
+static int hf_efs_EfsRpcOpenFileRaw_Flags = -1;
+static int hf_efs_EfsRpcReadFileRaw_pvContext = -1;
+static int hf_efs_EfsRpcWriteFileRaw_pvContext = -1;
+static int hf_efs_EfsRpcCloseRaw_pvContext = -1;
+static int hf_efs_EfsRpcEncryptFileSrv_Filename = -1;
+static int hf_efs_EfsRpcDecryptFileSrv_FileName = -1;
+static int hf_efs_EfsRpcDecryptFileSrv_Reserved = -1;
+static int hf_efs_EFS_HASH_BLOB_cbData = -1;
+static int hf_efs_EFS_HASH_BLOB_pbData = -1;
+static int hf_efs_ENCRYPTION_CERTIFICATE_HASH_cbTotalLength = -1;
+static int hf_efs_ENCRYPTION_CERTIFICATE_HASH_pUserSid = -1;
+static int hf_efs_ENCRYPTION_CERTIFICATE_HASH_pHash = -1;
+static int hf_efs_ENCRYPTION_CERTIFICATE_HASH_lpDisplayInformation = -1;
+static int hf_efs_ENCRYPTION_CERTIFICATE_HASH_LIST_nCert_Hash = -1;
+static int hf_efs_ENCRYPTION_CERTIFICATE_HASH_LIST_pUsers = -1;
+static int hf_efs_EfsRpcQueryUsersOnFile_FileName = -1;
+static int hf_efs_EfsRpcQueryUsersOnFile_pUsers = -1;
+static int hf_efs_EfsRpcQueryRecoveryAgents_FileName = -1;
+static int hf_efs_EfsRpcQueryRecoveryAgents_pRecoveryAgents = -1;
+static int hf_efs_EfsRpcRemoveUsersFromFile_FileName = -1;
+static int hf_efs_EfsRpcAddUsersToFile_FileName = -1;
+static int hf_efs_EFS_CERTIFICATE_BLOB_dwCertEncodingType = -1;
+static int hf_efs_EFS_CERTIFICATE_BLOB_cbData = -1;
+static int hf_efs_EFS_CERTIFICATE_BLOB_pbData = -1;
+static int hf_efs_ENCRYPTION_CERTIFICATE_TotalLength = -1;
+static int hf_efs_ENCRYPTION_CERTIFICATE_pUserSid = -1;
+static int hf_efs_ENCRYPTION_CERTIFICATE_pCertBlob = -1;
+static int hf_efs_EfsRpcSetFileEncryptionKey_pEncryptionCertificate = -1;
+/* END OF INCLUDED FILE : ETH_HF */
+
+
+
+
+
+/* INCLUDED FILE : ETH_ETT */
+static gint ett_efs = -1;
+static gint ett_efs_EFS_HASH_BLOB = -1;
+static gint ett_efs_ENCRYPTION_CERTIFICATE_HASH = -1;
+static gint ett_efs_ENCRYPTION_CERTIFICATE_HASH_LIST = -1;
+static gint ett_efs_EFS_CERTIFICATE_BLOB = -1;
+static gint ett_efs_ENCRYPTION_CERTIFICATE = -1;
+/* END OF INCLUDED FILE : ETH_ETT */
+
+
+
+
+
+/* INCLUDED FILE : ETH_CODE */
+static e_uuid_t uuid_dcerpc_efs = {
+ 0xc681d488, 0xd850, 0x11d0,
+ { 0x8c, 0x52, 0x00, 0xc0, 0x4f, 0xd9, 0x0f, 0x7e}
+};
-static int proto_dcerpc_efs = -1;
-static int hf_efsrpc_opnum = -1;
-static int hf_efsrpc_rc = -1;
-static int hf_efsrpc_filename = -1;
-static int hf_efsrpc_flags = -1;
-static int hf_efsrpc_hnd = -1;
-static int hf_efsrpc_reserved = -1;
-static int hf_efsrpc_num_entries = -1;
-static int hf_efsrpc_data_size = -1;
-static int hf_efsrpc_cert_dn = -1;
+static guint16 ver_efs = 1;
-static gint ett_dcerpc_efs = -1;
-static gint ett_dcerpc_efs_cert_hash = -1;
+static e_ctx_hnd policy_hnd;
+static proto_item *hnd_item;
-/*
-IDL [ uuid(c681d488-d850-11d0-8c52-00c04fd90f7e),
-IDL version(1.0),
-IDL implicit_handle(handle_t rpc_binding)
-IDL ] interface efsrpc
-*/
+static int
+efs_dissect_policy_handle(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep, int hf_index, guint32 param)
+{
+ offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
+ hf_index, &policy_hnd, &hnd_item,
+ param&0x01, param&0x02);
+ return offset;
+}
+static int
+efs_dissect_EfsRpcOpenFileRaw_pvContext(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep)
+{
+ guint32 param=0;
+ offset=efs_dissect_policy_handle(tvb, offset, pinfo, tree, drep, hf_efs_EfsRpcOpenFileRaw_pvContext, param);
+ return offset;
+}
-static e_uuid_t uuid_dcerpc_efs = {
- 0xc681d488, 0xd850, 0x11d0,
- { 0x8c, 0x52, 0x00, 0xc0, 0x4f, 0xd9, 0x0f, 0x7e }
-};
+static int
+ref_efs_dissect_EfsRpcOpenFileRaw_pvContext(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep)
+{
+ offset=dissect_ndr_toplevel_pointer(tvb, offset, pinfo, tree, drep, efs_dissect_EfsRpcOpenFileRaw_pvContext, NDR_POINTER_REF, "pvContext", -1);
+ return offset;
+}
-static guint16 ver_dcerpc_efs = 1;
+static int
+efs_dissect_unistr(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep, int hf_index, guint32 param _U_)
+{
+ offset=dissect_ndr_cvstring(tvb, offset, pinfo, tree, drep, 2, hf_index, FALSE, NULL);
+ return offset;
+}
+
+static int
+efs_dissect_EfsRpcOpenFileRaw_FileName(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep)
+{
+ guint32 param=0;
+ offset=efs_dissect_unistr(tvb, offset, pinfo, tree, drep, hf_efs_EfsRpcOpenFileRaw_FileName, param);
+ return offset;
+}
-/*
-IDL long EfsRpcOpenFileRaw(
-IDL [out] [context_handle] void *pvContext,
-IDL [in] [string] wchar_t FileName,
-IDL [in] long Flags
-IDL );
-*/
static int
-efsrpc_dissect_open_file_raw_rqst(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree, guint8 *drep)
+efs_dissect_long(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep, int hf_index, guint32 param _U_)
{
+ offset=dissect_ndr_uint32(tvb, offset, pinfo, tree, drep, hf_index, NULL);
+ return offset;
+}
+
+static int
+efs_dissect_EfsRpcOpenFileRaw_Flags(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep)
+{
+ guint32 param=0;
+ offset=efs_dissect_long(tvb, offset, pinfo, tree, drep, hf_efs_EfsRpcOpenFileRaw_Flags, param);
+ return offset;
+}
+
- offset = dissect_ndr_cvstring(tvb, offset, pinfo, tree, drep,
- sizeof(guint16),
- hf_efsrpc_filename, TRUE, NULL);
+static int
+efs_dissect_EfsRpcOpenFileRaw_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
+{
+ offset=efs_dissect_EfsRpcOpenFileRaw_FileName(tvb, offset, pinfo, tree, drep);
+ offset=dissect_deferred_pointers(pinfo, tvb, offset, drep);
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_efsrpc_flags, NULL);
+ offset=efs_dissect_EfsRpcOpenFileRaw_Flags(tvb, offset, pinfo, tree, drep);
+ offset=dissect_deferred_pointers(pinfo, tvb, offset, drep);
- return offset;
+ return offset;
}
static int
-efsrpc_dissect_open_file_raw_reply(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree, guint8 *drep)
+efs_dissect_EfsRpcOpenFileRaw_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
{
- offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
- hf_efsrpc_hnd, NULL, NULL, TRUE, FALSE);
+ offset=ref_efs_dissect_EfsRpcOpenFileRaw_pvContext(tvb, offset, pinfo, tree, drep);
+ offset=dissect_deferred_pointers(pinfo, tvb, offset, drep);
- offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
- hf_efsrpc_rc, NULL);
+ offset=dissect_ntstatus(tvb, offset, pinfo, tree, drep, hf_efs_rc, NULL);
- return offset;
+
+ return offset;
+}
+static int
+efs_dissect_EfsRpcReadFileRaw_pvContext(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep)
+{
+ guint32 param=0;
+ offset=efs_dissect_policy_handle(tvb, offset, pinfo, tree, drep, hf_efs_EfsRpcReadFileRaw_pvContext, param);
+ return offset;
}
+static int
+ref_efs_dissect_EfsRpcReadFileRaw_pvContext(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep)
+{
+ offset=dissect_ndr_toplevel_pointer(tvb, offset, pinfo, tree, drep, efs_dissect_EfsRpcReadFileRaw_pvContext, NDR_POINTER_REF, "pvContext", -1);
+ return offset;
+}
-/*
-IDL long EfsRpcReadFileRaw(
-IDL [in] [context_handle] void *pvContext,
-IDL [out] ??? element_5
-IDL );
-*/
+static int
+efs_dissect_EfsRpcReadFileRaw_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
+{
+ offset=ref_efs_dissect_EfsRpcReadFileRaw_pvContext(tvb, offset, pinfo, tree, drep);
+ offset=dissect_deferred_pointers(pinfo, tvb, offset, drep);
+
+
+ return offset;
+}
static int
-efsrpc_dissect_read_file_raw_rqst(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree, guint8 *drep)
+efs_dissect_EfsRpcReadFileRaw_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
{
+ offset=dissect_ntstatus(tvb, offset, pinfo, tree, drep, hf_efs_rc, NULL);
- offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
- hf_efsrpc_hnd, NULL, NULL, FALSE, FALSE);
- return offset;
+ return offset;
+}
+static int
+efs_dissect_EfsRpcWriteFileRaw_pvContext(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep)
+{
+ guint32 param=0;
+ offset=efs_dissect_policy_handle(tvb, offset, pinfo, tree, drep, hf_efs_EfsRpcWriteFileRaw_pvContext, param);
+ return offset;
+}
+static int
+ref_efs_dissect_EfsRpcWriteFileRaw_pvContext(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep)
+{
+ offset=dissect_ndr_toplevel_pointer(tvb, offset, pinfo, tree, drep, efs_dissect_EfsRpcWriteFileRaw_pvContext, NDR_POINTER_REF, "pvContext", -1);
+ return offset;
}
-/*
-IDL long EfsRpcWriteFileRaw(
-IDL [in] [context_handle] void *pvContext,
-IDL [in] ??? element_7
-IDL );
-*/
+static int
+efs_dissect_EfsRpcWriteFileRaw_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
+{
+ offset=ref_efs_dissect_EfsRpcWriteFileRaw_pvContext(tvb, offset, pinfo, tree, drep);
+ offset=dissect_deferred_pointers(pinfo, tvb, offset, drep);
+
+ return offset;
+}
static int
-efsrpc_dissect_write_file_raw_rqst(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree, guint8 *drep)
+efs_dissect_EfsRpcWriteFileRaw_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
{
+ offset=dissect_ntstatus(tvb, offset, pinfo, tree, drep, hf_efs_rc, NULL);
- offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
- hf_efsrpc_hnd, NULL, NULL, FALSE, FALSE);
- return offset;
+ return offset;
+}
+static int
+efs_dissect_EfsRpcCloseRaw_pvContext(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep)
+{
+ guint32 param=0;
+ offset=efs_dissect_policy_handle(tvb, offset, pinfo, tree, drep, hf_efs_EfsRpcCloseRaw_pvContext, param);
+ return offset;
+}
+static int
+ref_efs_dissect_EfsRpcCloseRaw_pvContext(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep)
+{
+ offset=dissect_ndr_toplevel_pointer(tvb, offset, pinfo, tree, drep, efs_dissect_EfsRpcCloseRaw_pvContext, NDR_POINTER_REF, "pvContext", -1);
+ return offset;
}
static int
-efsrpc_dissect_write_file_raw_reply(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree, guint8 *drep)
+efs_dissect_EfsRpcCloseRaw_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
+{
+ offset=ref_efs_dissect_EfsRpcCloseRaw_pvContext(tvb, offset, pinfo, tree, drep);
+ offset=dissect_deferred_pointers(pinfo, tvb, offset, drep);
+
+
+ return offset;
+}
+
+static int
+efs_dissect_EfsRpcCloseRaw_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
{
+ offset=ref_efs_dissect_EfsRpcCloseRaw_pvContext(tvb, offset, pinfo, tree, drep);
+ offset=dissect_deferred_pointers(pinfo, tvb, offset, drep);
- offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
- hf_efsrpc_rc, NULL);
+ offset=dissect_ntstatus(tvb, offset, pinfo, tree, drep, hf_efs_rc, NULL);
- return offset;
+ return offset;
+}
+static int
+efs_dissect_EfsRpcEncryptFileSrv_Filename(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep)
+{
+ guint32 param=0;
+ offset=efs_dissect_unistr(tvb, offset, pinfo, tree, drep, hf_efs_EfsRpcEncryptFileSrv_Filename, param);
+ return offset;
}
-/*
-IDL
-IDL void EfsRpcCloseRaw(
-IDL [in,out] [context_handle] void *pvContext,
-IDL );
-*/
+static int
+efs_dissect_EfsRpcEncryptFileSrv_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
+{
+ offset=efs_dissect_EfsRpcEncryptFileSrv_Filename(tvb, offset, pinfo, tree, drep);
+ offset=dissect_deferred_pointers(pinfo, tvb, offset, drep);
+
+ return offset;
+}
static int
-efsrpc_dissect_close_file_raw_rqst(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree, guint8 *drep)
+efs_dissect_EfsRpcEncryptFileSrv_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
{
+ offset=dissect_ntstatus(tvb, offset, pinfo, tree, drep, hf_efs_rc, NULL);
- offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
- hf_efsrpc_hnd, NULL, NULL, FALSE, TRUE);
- return offset;
+ return offset;
+}
+static int
+efs_dissect_EfsRpcDecryptFileSrv_FileName(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep)
+{
+ guint32 param=0;
+ offset=efs_dissect_unistr(tvb, offset, pinfo, tree, drep, hf_efs_EfsRpcDecryptFileSrv_FileName, param);
+ return offset;
+}
+static int
+efs_dissect_EfsRpcDecryptFileSrv_Reserved(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep)
+{
+ guint32 param=0;
+ offset=efs_dissect_long(tvb, offset, pinfo, tree, drep, hf_efs_EfsRpcDecryptFileSrv_Reserved, param);
+ return offset;
}
static int
-efsrpc_dissect_close_file_raw_reply(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree, guint8 *drep)
+efs_dissect_EfsRpcDecryptFileSrv_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
{
+ offset=efs_dissect_EfsRpcDecryptFileSrv_FileName(tvb, offset, pinfo, tree, drep);
+ offset=dissect_deferred_pointers(pinfo, tvb, offset, drep);
- offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
- hf_efsrpc_hnd, NULL, NULL, FALSE, FALSE);
+ offset=efs_dissect_EfsRpcDecryptFileSrv_Reserved(tvb, offset, pinfo, tree, drep);
+ offset=dissect_deferred_pointers(pinfo, tvb, offset, drep);
- return offset;
+ return offset;
}
+static int
+efs_dissect_EfsRpcDecryptFileSrv_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
+{
+ offset=dissect_ntstatus(tvb, offset, pinfo, tree, drep, hf_efs_rc, NULL);
-/*
-IDL long EfsRpcEncryptFileSrv(
-IDL [in] [string] wchar_t Filename
-IDL );
- */
-
+ return offset;
+}
static int
-efsrpc_dissect_encrypt_file_srv_rqst(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree, guint8 *drep)
+efs_dissect_EFS_HASH_BLOB_cbData(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
+ guint32 param=0;
+ offset=efs_dissect_long(tvb, offset, pinfo, tree, drep, hf_efs_EFS_HASH_BLOB_cbData, param);
+ return offset;
+}
- offset = dissect_ndr_cvstring(tvb, offset, pinfo, tree, drep,
- sizeof(guint16),
- hf_efsrpc_filename, TRUE, NULL);
- return offset;
+static int
+efs_dissect_uint8(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep, int hf_index, guint32 param _U_)
+{
+ offset=dissect_ndr_uint8(tvb, offset, pinfo, tree, drep, hf_index, NULL);
+ return offset;
+}
+static int
+efs_dissect_EFS_HASH_BLOB_pbData(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep)
+{
+ guint32 param=0;
+ offset=efs_dissect_uint8(tvb, offset, pinfo, tree, drep, hf_efs_EFS_HASH_BLOB_pbData, param);
+ return offset;
}
+static int
+ucarray_efs_dissect_EFS_HASH_BLOB_pbData(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep)
+{
+ offset=dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep, efs_dissect_EFS_HASH_BLOB_pbData);
+ return offset;
+}
static int
-efsrpc_dissect_encrypt_file_srv_reply(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree, guint8 *drep)
+unique_ucarray_efs_dissect_EFS_HASH_BLOB_pbData(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
+ offset=dissect_ndr_embedded_pointer(tvb, offset, pinfo, tree, drep, ucarray_efs_dissect_EFS_HASH_BLOB_pbData, NDR_POINTER_UNIQUE, "pbData", -1);
+ return offset;
+}
+
- offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
- hf_efsrpc_rc, NULL);
+int
+efs_dissect_EFS_HASH_BLOB(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *parent_tree, guint8 *drep, int hf_index, guint32 param _U_)
+{
+ proto_item *item=NULL;
+ proto_tree *tree=NULL;
+ int old_offset;
- return offset;
+ ALIGN_TO_4_BYTES;
-}
+ old_offset=offset;
+ if(parent_tree){
+ item=proto_tree_add_item(parent_tree, hf_index, tvb, offset, -1, TRUE);
+ tree=proto_item_add_subtree(item, ett_efs_EFS_HASH_BLOB);
+ }
+ offset=efs_dissect_EFS_HASH_BLOB_cbData(tvb, offset, pinfo, tree, drep);
-/*
-IDL long EfsRpcDecryptFileSrv(
-IDL [in] [string] wchar_t FileName,
-IDL [in] long Reserved
-IDL );
-*/
+ offset=unique_ucarray_efs_dissect_EFS_HASH_BLOB_pbData(tvb, offset, pinfo, tree, drep);
+ proto_item_set_len(item, offset-old_offset);
+ return offset;
+}
static int
-efsrpc_dissect_decrypt_file_srv_rqst(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree, guint8 *drep)
+efs_dissect_ENCRYPTION_CERTIFICATE_HASH_cbTotalLength(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
+ guint32 param=0;
+ offset=efs_dissect_long(tvb, offset, pinfo, tree, drep, hf_efs_ENCRYPTION_CERTIFICATE_HASH_cbTotalLength, param);
+ return offset;
+}
- offset = dissect_ndr_cvstring(tvb, offset, pinfo, tree, drep,
- sizeof(guint16),
- hf_efsrpc_filename, TRUE, NULL);
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_efsrpc_reserved, NULL);
+static int
+efs_dissect_SID(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep, int hf_index, guint32 param)
+{
+ dcerpc_info *di = (dcerpc_info *)pinfo->private_data;
- return offset;
+ di->hf_index=hf_index;
+ offset=dissect_ndr_nt_SID_with_options(tvb, offset, pinfo, tree, drep, param);
+ return offset;
+}
+static int
+efs_dissect_ENCRYPTION_CERTIFICATE_HASH_pUserSid(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep)
+{
+ guint32 param=0;
+ offset=efs_dissect_SID(tvb, offset, pinfo, tree, drep, hf_efs_ENCRYPTION_CERTIFICATE_HASH_pUserSid, param);
+ return offset;
}
+static int
+unique_efs_dissect_ENCRYPTION_CERTIFICATE_HASH_pUserSid(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep)
+{
+ offset=dissect_ndr_embedded_pointer(tvb, offset, pinfo, tree, drep, efs_dissect_ENCRYPTION_CERTIFICATE_HASH_pUserSid, NDR_POINTER_UNIQUE, "pUserSid", -1);
+ return offset;
+}
static int
-efsrpc_dissect_decrypt_file_srv_reply(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree, guint8 *drep)
+efs_dissect_ENCRYPTION_CERTIFICATE_HASH_pHash(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
+ guint32 param=0;
+ offset=efs_dissect_EFS_HASH_BLOB(tvb, offset, pinfo, tree, drep, hf_efs_ENCRYPTION_CERTIFICATE_HASH_pHash, param);
+ return offset;
+}
- offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
- hf_efsrpc_rc, NULL);
+static int
+unique_efs_dissect_ENCRYPTION_CERTIFICATE_HASH_pHash(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep)
+{
+ offset=dissect_ndr_embedded_pointer(tvb, offset, pinfo, tree, drep, efs_dissect_ENCRYPTION_CERTIFICATE_HASH_pHash, NDR_POINTER_UNIQUE, "pHash", -1);
+ return offset;
+}
- return offset;
+static int
+efs_dissect_ENCRYPTION_CERTIFICATE_HASH_lpDisplayInformation(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep)
+{
+ guint32 param=0;
+ offset=efs_dissect_unistr(tvb, offset, pinfo, tree, drep, hf_efs_ENCRYPTION_CERTIFICATE_HASH_lpDisplayInformation, param);
+ return offset;
+}
+static int
+unique_efs_dissect_ENCRYPTION_CERTIFICATE_HASH_lpDisplayInformation(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep)
+{
+ offset=dissect_ndr_embedded_pointer(tvb, offset, pinfo, tree, drep, efs_dissect_ENCRYPTION_CERTIFICATE_HASH_lpDisplayInformation, NDR_POINTER_UNIQUE, "lpDisplayInformation", -1);
+ return offset;
}
-/*
-IDL typedef struct {
-IDL long cbData;
-IDL [size_is(cbData)] void *pbData;
-IDL } EFS_HASH_BLOB;
-*/
+int
+efs_dissect_ENCRYPTION_CERTIFICATE_HASH(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *parent_tree, guint8 *drep, int hf_index, guint32 param _U_)
+{
+ proto_item *item=NULL;
+ proto_tree *tree=NULL;
+ int old_offset;
+
+ ALIGN_TO_4_BYTES;
+
+ old_offset=offset;
+ if(parent_tree){
+ item=proto_tree_add_item(parent_tree, hf_index, tvb, offset, -1, TRUE);
+ tree=proto_item_add_subtree(item, ett_efs_ENCRYPTION_CERTIFICATE_HASH);
+ }
+
+ offset=efs_dissect_ENCRYPTION_CERTIFICATE_HASH_cbTotalLength(tvb, offset, pinfo, tree, drep);
+
+ offset=unique_efs_dissect_ENCRYPTION_CERTIFICATE_HASH_pUserSid(tvb, offset, pinfo, tree, drep);
+
+ offset=unique_efs_dissect_ENCRYPTION_CERTIFICATE_HASH_pHash(tvb, offset, pinfo, tree, drep);
+
+ offset=unique_efs_dissect_ENCRYPTION_CERTIFICATE_HASH_lpDisplayInformation(tvb, offset, pinfo, tree, drep);
+
+ proto_item_set_len(item, offset-old_offset);
+ return offset;
+}
static int
-efsrpc_dissect_EFS_HASH_BLOB_data(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree,
- guint8 *drep)
+efs_dissect_ENCRYPTION_CERTIFICATE_HASH_LIST_nCert_Hash(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
- guint32 size;
- dcerpc_info *di = (dcerpc_info *)pinfo->private_data;
+ guint32 param=0;
+ offset=efs_dissect_long(tvb, offset, pinfo, tree, drep, hf_efs_ENCRYPTION_CERTIFICATE_HASH_LIST_nCert_Hash, param);
+ return offset;
+}
- if(di->conformant_run){
- return offset; /* cant modify offset while performing conformant run */
- }
+static int
+efs_dissect_ENCRYPTION_CERTIFICATE_HASH_LIST_pUsers(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep)
+{
+ guint32 param=0;
+ offset=efs_dissect_ENCRYPTION_CERTIFICATE_HASH(tvb, offset, pinfo, tree, drep, hf_efs_ENCRYPTION_CERTIFICATE_HASH_LIST_pUsers, param);
+ return offset;
+}
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_efsrpc_data_size, &size);
+static int
+unique_efs_dissect_ENCRYPTION_CERTIFICATE_HASH_LIST_pUsers(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep)
+{
+ offset=dissect_ndr_embedded_pointer(tvb, offset, pinfo, tree, drep, efs_dissect_ENCRYPTION_CERTIFICATE_HASH_LIST_pUsers, NDR_POINTER_UNIQUE, "pUsers", -1);
+ return offset;
+}
- /* XXX insert some sort of proto_tree_add_item here and show hex data
- of the blob */
- offset += size;
- return offset;
+static int
+ucarray_unique_efs_dissect_ENCRYPTION_CERTIFICATE_HASH_LIST_pUsers(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep)
+{
+ offset=dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep, unique_efs_dissect_ENCRYPTION_CERTIFICATE_HASH_LIST_pUsers);
+ return offset;
}
static int
-efsrpc_dissect_EFS_HASH_BLOB(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree,
- guint8 *drep)
+unique_ucarray_unique_efs_dissect_ENCRYPTION_CERTIFICATE_HASH_LIST_pUsers(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
- guint32 size;
+ offset=dissect_ndr_embedded_pointer(tvb, offset, pinfo, tree, drep, ucarray_unique_efs_dissect_ENCRYPTION_CERTIFICATE_HASH_LIST_pUsers, NDR_POINTER_UNIQUE, "pUsers", -1);
+ return offset;
+}
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_efsrpc_data_size, &size);
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- efsrpc_dissect_EFS_HASH_BLOB_data, NDR_POINTER_UNIQUE,
- "HASH_BLOB", -1);
+int
+efs_dissect_ENCRYPTION_CERTIFICATE_HASH_LIST(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *parent_tree, guint8 *drep, int hf_index, guint32 param _U_)
+{
+ proto_item *item=NULL;
+ proto_tree *tree=NULL;
+ int old_offset;
- return offset;
-}
+ ALIGN_TO_4_BYTES;
+ old_offset=offset;
+ if(parent_tree){
+ item=proto_tree_add_item(parent_tree, hf_index, tvb, offset, -1, TRUE);
+ tree=proto_item_add_subtree(item, ett_efs_ENCRYPTION_CERTIFICATE_HASH_LIST);
+ }
+ offset=efs_dissect_ENCRYPTION_CERTIFICATE_HASH_LIST_nCert_Hash(tvb, offset, pinfo, tree, drep);
+
+ offset=unique_ucarray_unique_efs_dissect_ENCRYPTION_CERTIFICATE_HASH_LIST_pUsers(tvb, offset, pinfo, tree, drep);
+
+ proto_item_set_len(item, offset-old_offset);
+
+ return offset;
+}
static int
-efsrpc_dissect_efs_SID_ptr(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree,
- guint8 *drep)
+efs_dissect_EfsRpcQueryUsersOnFile_FileName(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
- offset = dissect_ndr_nt_SID(tvb, offset, pinfo, tree, drep);
+ guint32 param=0;
+ offset=efs_dissect_unistr(tvb, offset, pinfo, tree, drep, hf_efs_EfsRpcQueryUsersOnFile_FileName, param);
+ return offset;
+}
+
+static int
+efs_dissect_EfsRpcQueryUsersOnFile_pUsers(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep)
+{
+ guint32 param=0;
+ offset=efs_dissect_ENCRYPTION_CERTIFICATE_HASH_LIST(tvb, offset, pinfo, tree, drep, hf_efs_EfsRpcQueryUsersOnFile_pUsers, param);
+ return offset;
+}
- return offset;
+static int
+unique_efs_dissect_EfsRpcQueryUsersOnFile_pUsers(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep)
+{
+ offset=dissect_ndr_toplevel_pointer(tvb, offset, pinfo, tree, drep, efs_dissect_EfsRpcQueryUsersOnFile_pUsers, NDR_POINTER_UNIQUE, "pUsers", -1);
+ return offset;
}
+static int
+ref_unique_efs_dissect_EfsRpcQueryUsersOnFile_pUsers(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep)
+{
+ offset=dissect_ndr_toplevel_pointer(tvb, offset, pinfo, tree, drep, unique_efs_dissect_EfsRpcQueryUsersOnFile_pUsers, NDR_POINTER_REF, "pUsers", -1);
+ return offset;
+}
-/*
-IDL typedef struct {
-IDL long cbTotalLength;
-IDL SID *pUserSid;
-IDL EFS_HASH_BLOB *pHash;
-IDL [string] wchar_t lpDisplayInformation;
-IDL } ENCRYPTION_CERTIFICATE_HASH;
-*/
static int
-efsrpc_dissect_ENCRYPTION_CERTIFICATE_HASH(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *parent_tree,
- guint8 *drep)
+efs_dissect_EfsRpcQueryUsersOnFile_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
{
- proto_item *item = NULL;
- proto_tree *tree = NULL;
+ offset=efs_dissect_EfsRpcQueryUsersOnFile_FileName(tvb, offset, pinfo, tree, drep);
+ offset=dissect_deferred_pointers(pinfo, tvb, offset, drep);
- if (parent_tree) {
- item = proto_tree_add_text(parent_tree, tvb, offset, -1, "ENCRYPTION_CERTIFICATE_HASH");
- tree = proto_item_add_subtree(item, ett_dcerpc_efs_cert_hash);
- }
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_efsrpc_data_size, NULL);
+ return offset;
+}
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- efsrpc_dissect_efs_SID_ptr, NDR_POINTER_UNIQUE,
- "SID", -1);
+static int
+efs_dissect_EfsRpcQueryUsersOnFile_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
+{
+ offset=ref_unique_efs_dissect_EfsRpcQueryUsersOnFile_pUsers(tvb, offset, pinfo, tree, drep);
+ offset=dissect_deferred_pointers(pinfo, tvb, offset, drep);
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- efsrpc_dissect_EFS_HASH_BLOB, NDR_POINTER_UNIQUE,
- "EFS_HASH_BLOB", -1);
+ offset=dissect_ntstatus(tvb, offset, pinfo, tree, drep, hf_efs_rc, NULL);
- offset = dissect_ndr_pointer_cb(
- tvb, offset, pinfo, tree, drep,
- dissect_ndr_wchar_cvstring, NDR_POINTER_UNIQUE,
- "Certificate DN", hf_efsrpc_cert_dn, cb_wstr_postprocess,
- GINT_TO_POINTER(CB_STR_COL_INFO | 1));
- return offset;
+ return offset;
+}
+static int
+efs_dissect_EfsRpcQueryRecoveryAgents_FileName(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep)
+{
+ guint32 param=0;
+ offset=efs_dissect_unistr(tvb, offset, pinfo, tree, drep, hf_efs_EfsRpcQueryRecoveryAgents_FileName, param);
+ return offset;
}
+static int
+efs_dissect_EfsRpcQueryRecoveryAgents_pRecoveryAgents(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep)
+{
+ guint32 param=0;
+ offset=efs_dissect_ENCRYPTION_CERTIFICATE_HASH_LIST(tvb, offset, pinfo, tree, drep, hf_efs_EfsRpcQueryRecoveryAgents_pRecoveryAgents, param);
+ return offset;
+}
static int
-efsrpc_dissect_ENCRYPTION_CERTIFICATE_HASH_ptr(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree,
- guint8 *drep)
+unique_efs_dissect_EfsRpcQueryRecoveryAgents_pRecoveryAgents(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
+ offset=dissect_ndr_toplevel_pointer(tvb, offset, pinfo, tree, drep, efs_dissect_EfsRpcQueryRecoveryAgents_pRecoveryAgents, NDR_POINTER_UNIQUE, "pRecoveryAgents", -1);
+ return offset;
+}
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- efsrpc_dissect_ENCRYPTION_CERTIFICATE_HASH, NDR_POINTER_UNIQUE,
- "ENCRYPTION_CERTIFICATE_HASH", -1);
+static int
+ref_unique_efs_dissect_EfsRpcQueryRecoveryAgents_pRecoveryAgents(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep)
+{
+ offset=dissect_ndr_toplevel_pointer(tvb, offset, pinfo, tree, drep, unique_efs_dissect_EfsRpcQueryRecoveryAgents_pRecoveryAgents, NDR_POINTER_REF, "pRecoveryAgents", -1);
+ return offset;
+}
- return offset;
-}
+static int
+efs_dissect_EfsRpcQueryRecoveryAgents_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
+{
+ offset=efs_dissect_EfsRpcQueryRecoveryAgents_FileName(tvb, offset, pinfo, tree, drep);
+ offset=dissect_deferred_pointers(pinfo, tvb, offset, drep);
+
+ return offset;
+}
static int
-efsrpc_dissect_ENCRYPTION_CERTIFICATE_HASH_array(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree,
- guint8 *drep)
+efs_dissect_EfsRpcQueryRecoveryAgents_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
{
- offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
- efsrpc_dissect_ENCRYPTION_CERTIFICATE_HASH_ptr);
+ offset=ref_unique_efs_dissect_EfsRpcQueryRecoveryAgents_pRecoveryAgents(tvb, offset, pinfo, tree, drep);
+ offset=dissect_deferred_pointers(pinfo, tvb, offset, drep);
+
+ offset=dissect_ntstatus(tvb, offset, pinfo, tree, drep, hf_efs_rc, NULL);
+
- return offset;
+ return offset;
+}
+static int
+efs_dissect_EfsRpcRemoveUsersFromFile_FileName(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep)
+{
+ guint32 param=0;
+ offset=efs_dissect_unistr(tvb, offset, pinfo, tree, drep, hf_efs_EfsRpcRemoveUsersFromFile_FileName, param);
+ return offset;
}
-/*
-IDL typedef struct {
-IDL long nCert_Hash;
-IDL [size_is(nCert_Hash)] [unique] ENCRYPTION_CERTIFICATE_HASH *pUsers;
-IDL } ENCRYPTION_CERTIFICATE_HASH_LIST;
-*/
-static int
-efsrpc_dissect_ENCRYPTION_CERTIFICATE_HASH_LIST(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree, guint8 *drep)
+static int
+efs_dissect_EfsRpcRemoveUsersFromFile_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
{
+ offset=efs_dissect_EfsRpcRemoveUsersFromFile_FileName(tvb, offset, pinfo, tree, drep);
+ offset=dissect_deferred_pointers(pinfo, tvb, offset, drep);
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_efsrpc_num_entries, NULL);
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- efsrpc_dissect_ENCRYPTION_CERTIFICATE_HASH_array, NDR_POINTER_UNIQUE,
- "ENCRYPTION_CERTIFICATE_HASH array:", -1);
+ return offset;
+}
+
+static int
+efs_dissect_EfsRpcRemoveUsersFromFile_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
+{
+ offset=dissect_ntstatus(tvb, offset, pinfo, tree, drep, hf_efs_rc, NULL);
- return offset;
+ return offset;
+}
+static int
+efs_dissect_EfsRpcAddUsersToFile_FileName(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep)
+{
+ guint32 param=0;
+ offset=efs_dissect_unistr(tvb, offset, pinfo, tree, drep, hf_efs_EfsRpcAddUsersToFile_FileName, param);
+ return offset;
}
+static int
+efs_dissect_EfsRpcAddUsersToFile_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
+{
+ offset=efs_dissect_EfsRpcAddUsersToFile_FileName(tvb, offset, pinfo, tree, drep);
+ offset=dissect_deferred_pointers(pinfo, tvb, offset, drep);
-/*
-IDL long EfsRpcQueryUsersOnFile(
-IDL [in] [string] wchar_t FileName,
-IDL [out] [ref] ENCRYPTION_CERTIFICATE_HASH_LIST **pUsers
-IDL );
-*/
+ return offset;
+}
static int
-efsrpc_dissect_query_users_on_file_rqst(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree, guint8 *drep)
+efs_dissect_EfsRpcAddUsersToFile_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
{
+ offset=dissect_ntstatus(tvb, offset, pinfo, tree, drep, hf_efs_rc, NULL);
- offset = dissect_ndr_cvstring(tvb, offset, pinfo, tree, drep,
- sizeof(guint16),
- hf_efsrpc_filename, TRUE, NULL);
+ return offset;
+}
+static int
+efs_dissect_EFS_CERTIFICATE_BLOB_dwCertEncodingType(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep)
+{
+ guint32 param=0;
+ offset=efs_dissect_long(tvb, offset, pinfo, tree, drep, hf_efs_EFS_CERTIFICATE_BLOB_dwCertEncodingType, param);
+ return offset;
+}
- return offset;
+static int
+efs_dissect_EFS_CERTIFICATE_BLOB_cbData(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep)
+{
+ guint32 param=0;
+ offset=efs_dissect_long(tvb, offset, pinfo, tree, drep, hf_efs_EFS_CERTIFICATE_BLOB_cbData, param);
+ return offset;
+}
+static int
+efs_dissect_EFS_CERTIFICATE_BLOB_pbData(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep)
+{
+ guint32 param=0;
+ offset=efs_dissect_uint8(tvb, offset, pinfo, tree, drep, hf_efs_EFS_CERTIFICATE_BLOB_pbData, param);
+ return offset;
}
+static int
+ucarray_efs_dissect_EFS_CERTIFICATE_BLOB_pbData(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep)
+{
+ offset=dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep, efs_dissect_EFS_CERTIFICATE_BLOB_pbData);
+ return offset;
+}
static int
-efsrpc_dissect_query_users_on_file_reply(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree, guint8 *drep)
+unique_ucarray_efs_dissect_EFS_CERTIFICATE_BLOB_pbData(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- efsrpc_dissect_ENCRYPTION_CERTIFICATE_HASH_LIST, NDR_POINTER_UNIQUE,
- "ENCRYPTION_CERTIFICATE_HASH_LIST", -1);
+ offset=dissect_ndr_embedded_pointer(tvb, offset, pinfo, tree, drep, ucarray_efs_dissect_EFS_CERTIFICATE_BLOB_pbData, NDR_POINTER_UNIQUE, "pbData", -1);
+ return offset;
+}
- offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
- hf_efsrpc_rc, NULL);
- return offset;
+int
+efs_dissect_EFS_CERTIFICATE_BLOB(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *parent_tree, guint8 *drep, int hf_index, guint32 param _U_)
+{
+ proto_item *item=NULL;
+ proto_tree *tree=NULL;
+ int old_offset;
-}
+ ALIGN_TO_4_BYTES;
+
+ old_offset=offset;
+ if(parent_tree){
+ item=proto_tree_add_item(parent_tree, hf_index, tvb, offset, -1, TRUE);
+ tree=proto_item_add_subtree(item, ett_efs_EFS_CERTIFICATE_BLOB);
+ }
+
+ offset=efs_dissect_EFS_CERTIFICATE_BLOB_dwCertEncodingType(tvb, offset, pinfo, tree, drep);
+
+ offset=efs_dissect_EFS_CERTIFICATE_BLOB_cbData(tvb, offset, pinfo, tree, drep);
+
+ offset=unique_ucarray_efs_dissect_EFS_CERTIFICATE_BLOB_pbData(tvb, offset, pinfo, tree, drep);
-/*
-IDL long EfsRpcQueryRecoveryAgents(
-IDL [in] [string] wchar_t FileName,
-IDL [out] [ref] ENCRYPTION_CERTIFICATE_HASH_LIST **pRecoveryAgents
-IDL );
-*/
+ proto_item_set_len(item, offset-old_offset);
+ return offset;
+}
static int
-efsrpc_dissect_query_recovery_agents_rqst(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree, guint8 *drep)
+efs_dissect_ENCRYPTION_CERTIFICATE_TotalLength(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
+ guint32 param=0;
+ offset=efs_dissect_long(tvb, offset, pinfo, tree, drep, hf_efs_ENCRYPTION_CERTIFICATE_TotalLength, param);
+ return offset;
+}
- offset = dissect_ndr_cvstring(tvb, offset, pinfo, tree, drep,
- sizeof(guint16),
- hf_efsrpc_filename, TRUE, NULL);
-
- return offset;
+static int
+efs_dissect_ENCRYPTION_CERTIFICATE_pUserSid(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep)
+{
+ guint32 param=0;
+ offset=efs_dissect_SID(tvb, offset, pinfo, tree, drep, hf_efs_ENCRYPTION_CERTIFICATE_pUserSid, param);
+ return offset;
+}
+static int
+unique_efs_dissect_ENCRYPTION_CERTIFICATE_pUserSid(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep)
+{
+ offset=dissect_ndr_embedded_pointer(tvb, offset, pinfo, tree, drep, efs_dissect_ENCRYPTION_CERTIFICATE_pUserSid, NDR_POINTER_UNIQUE, "pUserSid", -1);
+ return offset;
}
+static int
+efs_dissect_ENCRYPTION_CERTIFICATE_pCertBlob(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep)
+{
+ guint32 param=0;
+ offset=efs_dissect_EFS_CERTIFICATE_BLOB(tvb, offset, pinfo, tree, drep, hf_efs_ENCRYPTION_CERTIFICATE_pCertBlob, param);
+ return offset;
+}
static int
-efsrpc_dissect_query_recovery_agents_reply(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree, guint8 *drep)
+unique_efs_dissect_ENCRYPTION_CERTIFICATE_pCertBlob(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
+ offset=dissect_ndr_embedded_pointer(tvb, offset, pinfo, tree, drep, efs_dissect_ENCRYPTION_CERTIFICATE_pCertBlob, NDR_POINTER_UNIQUE, "pCertBlob", -1);
+ return offset;
+}
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- efsrpc_dissect_ENCRYPTION_CERTIFICATE_HASH_LIST, NDR_POINTER_UNIQUE,
- "ENCRYPTION_CERTIFICATE_HASH_LIST", -1);
- offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
- hf_efsrpc_rc, NULL);
+int
+efs_dissect_ENCRYPTION_CERTIFICATE(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *parent_tree, guint8 *drep, int hf_index, guint32 param _U_)
+{
+ proto_item *item=NULL;
+ proto_tree *tree=NULL;
+ int old_offset;
- return offset;
+ ALIGN_TO_4_BYTES;
+ old_offset=offset;
+ if(parent_tree){
+ item=proto_tree_add_item(parent_tree, hf_index, tvb, offset, -1, TRUE);
+ tree=proto_item_add_subtree(item, ett_efs_ENCRYPTION_CERTIFICATE);
+ }
-}
+ offset=efs_dissect_ENCRYPTION_CERTIFICATE_TotalLength(tvb, offset, pinfo, tree, drep);
+ offset=unique_efs_dissect_ENCRYPTION_CERTIFICATE_pUserSid(tvb, offset, pinfo, tree, drep);
+ offset=unique_efs_dissect_ENCRYPTION_CERTIFICATE_pCertBlob(tvb, offset, pinfo, tree, drep);
-/*
-IDL long EfsRpcRemoveUsersFromFile(
-IDL [in] [string] wchar_t FileName,
-IDL [in] ENCRYPTION_CERTIFICATE_LIST Hashes
-IDL );
-*/
+ proto_item_set_len(item, offset-old_offset);
+ return offset;
+}
static int
-efsrpc_dissect_remove_users_from_file_rqst(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree, guint8 *drep)
+efs_dissect_EfsRpcSetFileEncryptionKey_pEncryptionCertificate(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
+ guint32 param=0;
+ offset=efs_dissect_ENCRYPTION_CERTIFICATE(tvb, offset, pinfo, tree, drep, hf_efs_EfsRpcSetFileEncryptionKey_pEncryptionCertificate, param);
+ return offset;
+}
- offset = dissect_ndr_cvstring(tvb, offset, pinfo, tree, drep,
- sizeof(guint16),
- hf_efsrpc_filename, TRUE, NULL);
-#if 0
- offset = efsrpc_dissect_ENCRYPTION_CERTIFICATE_LIST(tvb, offset,
- pinfo, tree, drep);
-#endif
- return offset;
+static int
+unique_efs_dissect_EfsRpcSetFileEncryptionKey_pEncryptionCertificate(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep)
+{
+ offset=dissect_ndr_toplevel_pointer(tvb, offset, pinfo, tree, drep, efs_dissect_EfsRpcSetFileEncryptionKey_pEncryptionCertificate, NDR_POINTER_UNIQUE, "pEncryptionCertificate", -1);
+ return offset;
+}
+
+static int
+efs_dissect_EfsRpcSetFileEncryptionKey_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
+{
+ offset=unique_efs_dissect_EfsRpcSetFileEncryptionKey_pEncryptionCertificate(tvb, offset, pinfo, tree, drep);
+ offset=dissect_deferred_pointers(pinfo, tvb, offset, drep);
+
+
+ return offset;
}
+static int
+efs_dissect_EfsRpcSetFileEncryptionKey_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
+{
+ offset=dissect_ntstatus(tvb, offset, pinfo, tree, drep, hf_efs_rc, NULL);
+
+
+ return offset;
+}
static int
-efsrpc_dissect_remove_users_from_file_reply(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree, guint8 *drep)
+efs_dissect_EfsRpcNotSupported_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
{
- offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
- hf_efsrpc_rc, NULL);
+ return offset;
+}
- return offset;
+static int
+efs_dissect_EfsRpcNotSupported_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
+{
+ offset=dissect_ntstatus(tvb, offset, pinfo, tree, drep, hf_efs_rc, NULL);
+
+ return offset;
}
-/*
-IDL long EfsRpcAddUsersToFile(
-IDL [in] [string] wchar_t FileName,
-IDL [in] ENCRYPTION_CERTIFICATE_LIST Hashes
-IDL );
-*/
+static int
+efs_dissect_EfsRpcFileKeyInfo_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
+{
+
+ return offset;
+}
static int
-efsrpc_dissect_add_users_from_file_rqst(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree, guint8 *drep)
+efs_dissect_EfsRpcFileKeyInfo_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
{
+ offset=dissect_ntstatus(tvb, offset, pinfo, tree, drep, hf_efs_rc, NULL);
- offset = dissect_ndr_cvstring(tvb, offset, pinfo, tree, drep,
- sizeof(guint16),
- hf_efsrpc_filename, TRUE, NULL);
-#if 0
- offset = efsrpc_dissect_ENCRYPTION_CERTIFICATE_LIST(tvb, offset,
- pinfo, tree, drep);
-#endif
- return offset;
-
-}
-
-
-static int
-efsrpc_dissect_add_users_from_file_reply(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree, guint8 *drep)
-{
-
- offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
- hf_efsrpc_rc, NULL);
-
- return offset;
-
-}
-
-
-/*
-IDL typedef struct {
-IDL long dwCertEncodingType;
-IDL long cbData;
-IDL [size_is(cbData)] [unique] byte *pbData
-IDL } EFS_CERTIFICATE_BLOB;
-*/
-
-/*
-IDL typedef struct {
-IDL long TotalLength;
-IDL [unique] SID *pUserSid;
-IDL [unique] EFS_CERTIFICATE_BLOB *pCertBlob;
-IDL } ENCRYPTION_CERTIFICATE;
-*/
-
-/*
-IDL long EfsRpcSetFileEncryptionKey(
-IDL [in] [unique] ENCRYPTION_CERTIFICATE *pEncryptionCertificate
-IDL );
-*/
-
-static dcerpc_sub_dissector dcerpc_efs_dissectors[] = {
- { EFS_RPC_OPEN_FILE_RAW , "EfsRpcOpenFileRaw",
- efsrpc_dissect_open_file_raw_rqst,
- efsrpc_dissect_open_file_raw_reply },
- { EFS_RPC_READ_FILE_RAW, "EfsRpcReadFileRaw",
- efsrpc_dissect_read_file_raw_rqst,
- NULL },
- { EFS_RPC_WRITE_FILE_RAW, "EfsRpcWriteFileRaw",
- efsrpc_dissect_write_file_raw_rqst,
- efsrpc_dissect_write_file_raw_reply },
- { EFS_RPC_CLOSE_RAW, "EfsRpcCloseRaw",
- efsrpc_dissect_close_file_raw_rqst,
- efsrpc_dissect_close_file_raw_reply },
- { EFS_RPC_ENCRYPT_FILE_SRV, "EfsRpcEncryptFileSrv",
- efsrpc_dissect_encrypt_file_srv_rqst,
- efsrpc_dissect_encrypt_file_srv_reply },
- { EFS_RPC_DECRYPT_FILE_SRV, "EfsRpcDecryptFileSrv",
- efsrpc_dissect_decrypt_file_srv_rqst,
- efsrpc_dissect_decrypt_file_srv_reply },
- { EFS_RPC_QUERY_USERS_ON_FILE, "EfsRpcQueryUsersOnFile",
- efsrpc_dissect_query_users_on_file_rqst,
- efsrpc_dissect_query_users_on_file_reply },
- { EFS_RPC_QUERY_RECOVERY_AGENTS, "EfsRpcQueryRecoveryAgents",
- efsrpc_dissect_query_recovery_agents_rqst,
- efsrpc_dissect_query_recovery_agents_reply },
- { EFS_RPC_REMOVE_USERS_FROM_FILE, "EfsRpcRemoveUsersFromFile",
- efsrpc_dissect_remove_users_from_file_rqst,
- efsrpc_dissect_remove_users_from_file_reply },
- { EFS_RPC_ADD_USERS_TO_FILE, "EfsRpcAddUsersToFile",
- efsrpc_dissect_add_users_from_file_rqst,
- efsrpc_dissect_add_users_from_file_reply },
- { EFS_RPC_SET_FILE_ENCRYPTION_KEY, "EfsRpcSetFileEncryptionKey"
- , NULL, NULL },
- { EFS_RPC_NOT_SUPPORTED, "EfsRpcNotSupported"
- , NULL, NULL },
- { EFS_RPC_FILE_KEY_INFO, "EfsRpcFileKeyInfo"
- , NULL, NULL },
- { EFS_RPC_DUPLICATE_ENCRYPTION_INFO_FILE,
- "EfsRpcDuplicateEncryptionInfoFile", NULL, NULL },
- { 0, NULL, NULL, NULL }
-};
-void
-proto_register_dcerpc_efs(void)
+ return offset;
+}
+
+static int
+efs_dissect_EfsRpcDuplicateEncryptionInfoFile_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
{
-static hf_register_info hf[] = {
- { &hf_efsrpc_opnum, {
- "Operation", "efsrpc.opnum", FT_UINT16, BASE_DEC,
- NULL, 0x0, "", HFILL }},
- { &hf_efsrpc_rc, {
- "Return code", "efsrpc.rc", FT_UINT32, BASE_HEX,
- VALS(NT_errors), 0x0, "EFSRPC return code", HFILL }},
- { &hf_efsrpc_filename,
- { "Filename", "efsrpc.filename", FT_STRING, BASE_NONE,
- NULL, 0x0, "File name", HFILL}},
- { &hf_efsrpc_flags, {
- "Flags", "efsrpc.flags", FT_UINT32, BASE_HEX,
- NULL, 0x0, "EFSRPC Flags", HFILL }},
+ return offset;
+}
- { &hf_efsrpc_hnd, {
- "Context Handle", "efsrpc.hnd", FT_BYTES,
- BASE_NONE, NULL, 0x0, "Context Handle", HFILL}},
+static int
+efs_dissect_EfsRpcDuplicateEncryptionInfoFile_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
+{
+ offset=dissect_ntstatus(tvb, offset, pinfo, tree, drep, hf_efs_rc, NULL);
- { &hf_efsrpc_reserved, {
- "Reserved value", "efsrpc.reserved", FT_UINT32, BASE_HEX,
- NULL, 0x0, "Reserved value", HFILL }},
- { &hf_efsrpc_num_entries,
- { "Number of entries", "efsrpc.num_entries", FT_UINT32,
- BASE_DEC, NULL, 0x0, "Number of Entries", HFILL}},
+ return offset;
+}
+/* END OF INCLUDED FILE : ETH_CODE */
+
- { &hf_efsrpc_data_size,
- { "Size of data structure", "efsrpc.data_size", FT_UINT32,
- BASE_DEC, NULL, 0x0, "Size of data structure", HFILL}},
- { &hf_efsrpc_cert_dn,
- { "Certificate DN", "efsrpc.cert_dn", FT_STRING, BASE_NONE,
- NULL, 0x0, "Distinguished Name of EFS certificate", HFILL}},
+void
+proto_register_efs(void)
+{
+ static hf_register_info hf[] = {
+
+
+/* INCLUDED FILE : ETH_HFARR */
+ { &hf_efs_opnum,
+ { "Operation", "efs.opnum", FT_UINT16, BASE_DEC,
+ NULL, 0,
+ "", HFILL }},
+
+ { &hf_efs_rc,
+ { "Return code", "efs.rc", FT_UINT32, BASE_HEX,
+ VALS(NT_errors), 0,
+ "", HFILL }},
+
+ { &hf_efs_EfsRpcOpenFileRaw_pvContext,
+ { "pvContext", "efs.EfsRpcOpenFileRaw.pvContext", FT_BYTES, BASE_NONE,
+ NULL, 0,
+ "", HFILL }},
+
+ { &hf_efs_EfsRpcOpenFileRaw_FileName,
+ { "FileName", "efs.EfsRpcOpenFileRaw.FileName", FT_STRING, BASE_DEC,
+ NULL, 0,
+ "", HFILL }},
+
+ { &hf_efs_EfsRpcOpenFileRaw_Flags,
+ { "Flags", "efs.EfsRpcOpenFileRaw.Flags", FT_INT32, BASE_DEC,
+ NULL, 0,
+ "", HFILL }},
+
+ { &hf_efs_EfsRpcReadFileRaw_pvContext,
+ { "pvContext", "efs.EfsRpcReadFileRaw.pvContext", FT_BYTES, BASE_NONE,
+ NULL, 0,
+ "", HFILL }},
+
+ { &hf_efs_EfsRpcWriteFileRaw_pvContext,
+ { "pvContext", "efs.EfsRpcWriteFileRaw.pvContext", FT_BYTES, BASE_NONE,
+ NULL, 0,
+ "", HFILL }},
+
+ { &hf_efs_EfsRpcCloseRaw_pvContext,
+ { "pvContext", "efs.EfsRpcCloseRaw.pvContext", FT_BYTES, BASE_NONE,
+ NULL, 0,
+ "", HFILL }},
+
+ { &hf_efs_EfsRpcEncryptFileSrv_Filename,
+ { "Filename", "efs.EfsRpcEncryptFileSrv.Filename", FT_STRING, BASE_DEC,
+ NULL, 0,
+ "", HFILL }},
+
+ { &hf_efs_EfsRpcDecryptFileSrv_FileName,
+ { "FileName", "efs.EfsRpcDecryptFileSrv.FileName", FT_STRING, BASE_DEC,
+ NULL, 0,
+ "", HFILL }},
+
+ { &hf_efs_EfsRpcDecryptFileSrv_Reserved,
+ { "Reserved", "efs.EfsRpcDecryptFileSrv.Reserved", FT_INT32, BASE_DEC,
+ NULL, 0,
+ "", HFILL }},
+
+ { &hf_efs_EFS_HASH_BLOB_cbData,
+ { "cbData", "efs.EFS_HASH_BLOB.cbData", FT_INT32, BASE_DEC,
+ NULL, 0,
+ "", HFILL }},
+
+ { &hf_efs_EFS_HASH_BLOB_pbData,
+ { "pbData", "efs.EFS_HASH_BLOB.pbData", FT_UINT8, BASE_DEC,
+ NULL, 0,
+ "", HFILL }},
+
+ { &hf_efs_ENCRYPTION_CERTIFICATE_HASH_cbTotalLength,
+ { "cbTotalLength", "efs.ENCRYPTION_CERTIFICATE_HASH.cbTotalLength", FT_INT32, BASE_DEC,
+ NULL, 0,
+ "", HFILL }},
+
+ { &hf_efs_ENCRYPTION_CERTIFICATE_HASH_pUserSid,
+ { "pUserSid", "efs.ENCRYPTION_CERTIFICATE_HASH.pUserSid", FT_STRING, BASE_DEC,
+ NULL, 0,
+ "", HFILL }},
+
+ { &hf_efs_ENCRYPTION_CERTIFICATE_HASH_pHash,
+ { "pHash", "efs.ENCRYPTION_CERTIFICATE_HASH.pHash", FT_NONE, BASE_NONE,
+ NULL, 0,
+ "", HFILL }},
+
+ { &hf_efs_ENCRYPTION_CERTIFICATE_HASH_lpDisplayInformation,
+ { "lpDisplayInformation", "efs.ENCRYPTION_CERTIFICATE_HASH.lpDisplayInformation", FT_STRING, BASE_DEC,
+ NULL, 0,
+ "", HFILL }},
+
+ { &hf_efs_ENCRYPTION_CERTIFICATE_HASH_LIST_nCert_Hash,
+ { "nCert_Hash", "efs.ENCRYPTION_CERTIFICATE_HASH_LIST.nCert_Hash", FT_INT32, BASE_DEC,
+ NULL, 0,
+ "", HFILL }},
+
+ { &hf_efs_ENCRYPTION_CERTIFICATE_HASH_LIST_pUsers,
+ { "pUsers", "efs.ENCRYPTION_CERTIFICATE_HASH_LIST.pUsers", FT_NONE, BASE_NONE,
+ NULL, 0,
+ "", HFILL }},
+
+ { &hf_efs_EfsRpcQueryUsersOnFile_FileName,
+ { "FileName", "efs.EfsRpcQueryUsersOnFile.FileName", FT_STRING, BASE_DEC,
+ NULL, 0,
+ "", HFILL }},
+
+ { &hf_efs_EfsRpcQueryUsersOnFile_pUsers,
+ { "pUsers", "efs.EfsRpcQueryUsersOnFile.pUsers", FT_NONE, BASE_NONE,
+ NULL, 0,
+ "", HFILL }},
+
+ { &hf_efs_EfsRpcQueryRecoveryAgents_FileName,
+ { "FileName", "efs.EfsRpcQueryRecoveryAgents.FileName", FT_STRING, BASE_DEC,
+ NULL, 0,
+ "", HFILL }},
+
+ { &hf_efs_EfsRpcQueryRecoveryAgents_pRecoveryAgents,
+ { "pRecoveryAgents", "efs.EfsRpcQueryRecoveryAgents.pRecoveryAgents", FT_NONE, BASE_NONE,
+ NULL, 0,
+ "", HFILL }},
+
+ { &hf_efs_EfsRpcRemoveUsersFromFile_FileName,
+ { "FileName", "efs.EfsRpcRemoveUsersFromFile.FileName", FT_STRING, BASE_DEC,
+ NULL, 0,
+ "", HFILL }},
+
+ { &hf_efs_EfsRpcAddUsersToFile_FileName,
+ { "FileName", "efs.EfsRpcAddUsersToFile.FileName", FT_STRING, BASE_DEC,
+ NULL, 0,
+ "", HFILL }},
+
+ { &hf_efs_EFS_CERTIFICATE_BLOB_dwCertEncodingType,
+ { "dwCertEncodingType", "efs.EFS_CERTIFICATE_BLOB.dwCertEncodingType", FT_INT32, BASE_DEC,
+ NULL, 0,
+ "", HFILL }},
+
+ { &hf_efs_EFS_CERTIFICATE_BLOB_cbData,
+ { "cbData", "efs.EFS_CERTIFICATE_BLOB.cbData", FT_INT32, BASE_DEC,
+ NULL, 0,
+ "", HFILL }},
+
+ { &hf_efs_EFS_CERTIFICATE_BLOB_pbData,
+ { "pbData", "efs.EFS_CERTIFICATE_BLOB.pbData", FT_UINT8, BASE_DEC,
+ NULL, 0,
+ "", HFILL }},
+
+ { &hf_efs_ENCRYPTION_CERTIFICATE_TotalLength,
+ { "TotalLength", "efs.ENCRYPTION_CERTIFICATE.TotalLength", FT_INT32, BASE_DEC,
+ NULL, 0,
+ "", HFILL }},
+
+ { &hf_efs_ENCRYPTION_CERTIFICATE_pUserSid,
+ { "pUserSid", "efs.ENCRYPTION_CERTIFICATE.pUserSid", FT_STRING, BASE_DEC,
+ NULL, 0,
+ "", HFILL }},
+
+ { &hf_efs_ENCRYPTION_CERTIFICATE_pCertBlob,
+ { "pCertBlob", "efs.ENCRYPTION_CERTIFICATE.pCertBlob", FT_NONE, BASE_NONE,
+ NULL, 0,
+ "", HFILL }},
+
+ { &hf_efs_EfsRpcSetFileEncryptionKey_pEncryptionCertificate,
+ { "pEncryptionCertificate", "efs.EfsRpcSetFileEncryptionKey.pEncryptionCertificate", FT_NONE, BASE_NONE,
+ NULL, 0,
+ "", HFILL }},
+
+/* END OF INCLUDED FILE : ETH_HFARR */
};
static gint *ett[] = {
- &ett_dcerpc_efs,
- &ett_dcerpc_efs_cert_hash
- };
- proto_dcerpc_efs = proto_register_protocol(
- "Microsoft Encrypted File System Service", "EFSRPC", "efsrpc");
- proto_register_field_array(proto_dcerpc_efs, hf,
- array_length(hf));
+/* INCLUDED FILE : ETH_ETTARR */
+ &ett_efs,
+ &ett_efs_EFS_HASH_BLOB,
+ &ett_efs_ENCRYPTION_CERTIFICATE_HASH,
+ &ett_efs_ENCRYPTION_CERTIFICATE_HASH_LIST,
+ &ett_efs_EFS_CERTIFICATE_BLOB,
+ &ett_efs_ENCRYPTION_CERTIFICATE,
+/* END OF INCLUDED FILE : ETH_ETTARR */
+
+ };
+
+ proto_efs = proto_register_protocol(
+ "Microsoft Encrypted File System Service",
+ "EFS", "efs");
+ proto_register_field_array(proto_efs, hf, array_length(hf));
proto_register_subtree_array(ett, array_length(ett));
}
+static dcerpc_sub_dissector function_dissectors[] = {
+
+
+/* INCLUDED FILE : ETH_FT */
+ { 0, "EfsRpcOpenFileRaw",
+ efs_dissect_EfsRpcOpenFileRaw_request,
+ efs_dissect_EfsRpcOpenFileRaw_response },
+ { 1, "EfsRpcReadFileRaw",
+ efs_dissect_EfsRpcReadFileRaw_request,
+ efs_dissect_EfsRpcReadFileRaw_response },
+ { 2, "EfsRpcWriteFileRaw",
+ efs_dissect_EfsRpcWriteFileRaw_request,
+ efs_dissect_EfsRpcWriteFileRaw_response },
+ { 3, "EfsRpcCloseRaw",
+ efs_dissect_EfsRpcCloseRaw_request,
+ efs_dissect_EfsRpcCloseRaw_response },
+ { 4, "EfsRpcEncryptFileSrv",
+ efs_dissect_EfsRpcEncryptFileSrv_request,
+ efs_dissect_EfsRpcEncryptFileSrv_response },
+ { 5, "EfsRpcDecryptFileSrv",
+ efs_dissect_EfsRpcDecryptFileSrv_request,
+ efs_dissect_EfsRpcDecryptFileSrv_response },
+ { 6, "EfsRpcQueryUsersOnFile",
+ efs_dissect_EfsRpcQueryUsersOnFile_request,
+ efs_dissect_EfsRpcQueryUsersOnFile_response },
+ { 7, "EfsRpcQueryRecoveryAgents",
+ efs_dissect_EfsRpcQueryRecoveryAgents_request,
+ efs_dissect_EfsRpcQueryRecoveryAgents_response },
+ { 8, "EfsRpcRemoveUsersFromFile",
+ efs_dissect_EfsRpcRemoveUsersFromFile_request,
+ efs_dissect_EfsRpcRemoveUsersFromFile_response },
+ { 9, "EfsRpcAddUsersToFile",
+ efs_dissect_EfsRpcAddUsersToFile_request,
+ efs_dissect_EfsRpcAddUsersToFile_response },
+ { 10, "EfsRpcSetFileEncryptionKey",
+ efs_dissect_EfsRpcSetFileEncryptionKey_request,
+ efs_dissect_EfsRpcSetFileEncryptionKey_response },
+ { 11, "EfsRpcNotSupported",
+ efs_dissect_EfsRpcNotSupported_request,
+ efs_dissect_EfsRpcNotSupported_response },
+ { 12, "EfsRpcFileKeyInfo",
+ efs_dissect_EfsRpcFileKeyInfo_request,
+ efs_dissect_EfsRpcFileKeyInfo_response },
+ { 13, "EfsRpcDuplicateEncryptionInfoFile",
+ efs_dissect_EfsRpcDuplicateEncryptionInfoFile_request,
+ efs_dissect_EfsRpcDuplicateEncryptionInfoFile_response },
+/* END OF INCLUDED FILE : ETH_FT */
+
+
+ { 0, NULL, NULL, NULL },
+};
+
void
-proto_reg_handoff_dcerpc_efs(void)
+proto_reg_handoff_efs(void)
{
- /* Register protocol as dcerpc */
- dcerpc_init_uuid(proto_dcerpc_efs, ett_dcerpc_efs,
- &uuid_dcerpc_efs, ver_dcerpc_efs,
- dcerpc_efs_dissectors, hf_efsrpc_opnum);
+
+/* INCLUDED FILE : ETH_HANDOFF */
+ dcerpc_init_uuid(proto_efs, ett_efs,
+ &uuid_dcerpc_efs, ver_efs,
+ function_dissectors, hf_efs_opnum);
+/* END OF INCLUDED FILE : ETH_HANDOFF */
+
+
}
+
diff --git a/epan/dissectors/packet-dcerpc-efs.h b/epan/dissectors/packet-dcerpc-efs.h
index 31ac17a4d5..d1e1294058 100644
--- a/epan/dissectors/packet-dcerpc-efs.h
+++ b/epan/dissectors/packet-dcerpc-efs.h
@@ -1,6 +1,11 @@
+/* DO NOT EDIT
+ * This dissector is autogenerated
+ * ronnie sahlberg 2005
+ * Autogenerated based on the IDL definitions by
+ * Jean-Baptiste Marchand
+ */
/* packet-dcerpc-efs.h
- * Routines for the efsrpc MSRPC interface
- * Copyright 2004 Ronnie Sahlberg, Jean-Baptiste Marchand
+ * Routines for EFS packet disassembly
*
* $Id$
*
@@ -26,21 +31,16 @@
#ifndef __PACKET_DCERPC_EFS_H
#define __PACKET_DCERPC_EFS_H
-/* MSRPC functions available in the efsrpc interface */
-#define EFS_RPC_OPEN_FILE_RAW 0x00
-#define EFS_RPC_READ_FILE_RAW 0x01
-#define EFS_RPC_WRITE_FILE_RAW 0x02
-#define EFS_RPC_CLOSE_RAW 0x03
-#define EFS_RPC_ENCRYPT_FILE_SRV 0x04
-#define EFS_RPC_DECRYPT_FILE_SRV 0x05
-#define EFS_RPC_QUERY_USERS_ON_FILE 0x06
-#define EFS_RPC_QUERY_RECOVERY_AGENTS 0x07
-#define EFS_RPC_REMOVE_USERS_FROM_FILE 0x08
-#define EFS_RPC_ADD_USERS_TO_FILE 0x09
-#define EFS_RPC_SET_FILE_ENCRYPTION_KEY 0x0a
-#define EFS_RPC_NOT_SUPPORTED 0x0b
-#define EFS_RPC_FILE_KEY_INFO 0x0c
-#define EFS_RPC_DUPLICATE_ENCRYPTION_INFO_FILE 0x0d
+
+/* INCLUDED FILE : ETH_HDR */
+int efs_dissect_EFS_HASH_BLOB(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep, int hf_index, guint32 param);
+int efs_dissect_ENCRYPTION_CERTIFICATE_HASH(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep, int hf_index, guint32 param);
+int efs_dissect_ENCRYPTION_CERTIFICATE_HASH_LIST(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep, int hf_index, guint32 param);
+int efs_dissect_EFS_CERTIFICATE_BLOB(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep, int hf_index, guint32 param);
+int efs_dissect_ENCRYPTION_CERTIFICATE(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep, int hf_index, guint32 param);
+/* END OF INCLUDED FILE : ETH_HDR */
+
+
#endif /* packet-dcerpc-efs.h */