diff options
Diffstat (limited to 'epan/dissectors/packet-dcerpc-efs.c')
-rw-r--r-- | epan/dissectors/packet-dcerpc-efs.c | 698 |
1 files changed, 698 insertions, 0 deletions
diff --git a/epan/dissectors/packet-dcerpc-efs.c b/epan/dissectors/packet-dcerpc-efs.c new file mode 100644 index 0000000000..260fbb0ef5 --- /dev/null +++ b/epan/dissectors/packet-dcerpc-efs.c @@ -0,0 +1,698 @@ +/* packet-dcerpc-efs.c + * Routines for the efsrpc MSRPC interface + * Copyright 2004 Ronnie Sahlberg, Jean-Baptiste Marchand + * + * $Id$ + * + * Ethereal - Network traffic analyzer + * By Gerald Combs <gerald@ethereal.com> + * Copyright 1998 Gerald Combs + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + */ + + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include <glib.h> +#include <epan/packet.h> +#include "packet-dcerpc.h" +#include "packet-dcerpc-nt.h" +#include "packet-dcerpc-efs.h" +#include "smb.h" + + +static int proto_dcerpc_efs = -1; +static int hf_efsrpc_opnum = -1; +static int hf_efsrpc_rc = -1; +static int hf_efsrpc_filename = -1; +static int hf_efsrpc_flags = -1; +static int hf_efsrpc_hnd = -1; +static int hf_efsrpc_reserved = -1; +static int hf_efsrpc_num_entries = -1; +static int hf_efsrpc_data_size = -1; +static int hf_efsrpc_cert_dn = -1; + +static gint ett_dcerpc_efs = -1; +static gint ett_dcerpc_efs_cert_hash = -1; + + +/* +IDL [ uuid(c681d488-d850-11d0-8c52-00c04fd90f7e), +IDL version(1.0), +IDL implicit_handle(handle_t rpc_binding) +IDL ] interface efsrpc +*/ + + +static e_uuid_t uuid_dcerpc_efs = { + 0xc681d488, 0xd850, 0x11d0, + { 0x8c, 0x52, 0x00, 0xc0, 0x4f, 0xd9, 0x0f, 0x7e } +}; + +static guint16 ver_dcerpc_efs = 1; + + +/* +IDL long EfsRpcOpenFileRaw( +IDL [out] [context_handle] void *pvContext, +IDL [in] [string] wchar_t FileName, +IDL [in] long Flags +IDL ); +*/ + +static int +efsrpc_dissect_open_file_raw_rqst(tvbuff_t *tvb, int offset, + packet_info *pinfo, proto_tree *tree, guint8 *drep) +{ + + offset = dissect_ndr_cvstring(tvb, offset, pinfo, tree, drep, + sizeof(guint16), + hf_efsrpc_filename, TRUE, NULL); + + offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep, + hf_efsrpc_flags, NULL); + + return offset; + +} + +static int +efsrpc_dissect_open_file_raw_reply(tvbuff_t *tvb, int offset, + packet_info *pinfo, proto_tree *tree, guint8 *drep) +{ + offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep, + hf_efsrpc_hnd, NULL, NULL, TRUE, FALSE); + + offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep, + hf_efsrpc_rc, NULL); + + return offset; +} + + + +/* +IDL long EfsRpcReadFileRaw( +IDL [in] [context_handle] void *pvContext, +IDL [out] ??? element_5 +IDL ); +*/ + +static int +efsrpc_dissect_read_file_raw_rqst(tvbuff_t *tvb, int offset, + packet_info *pinfo, proto_tree *tree, guint8 *drep) +{ + + offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep, + hf_efsrpc_hnd, NULL, NULL, FALSE, FALSE); + + return offset; + +} + + +/* +IDL long EfsRpcWriteFileRaw( +IDL [in] [context_handle] void *pvContext, +IDL [in] ??? element_7 +IDL ); +*/ + + +static int +efsrpc_dissect_write_file_raw_rqst(tvbuff_t *tvb, int offset, + packet_info *pinfo, proto_tree *tree, guint8 *drep) +{ + + offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep, + hf_efsrpc_hnd, NULL, NULL, FALSE, FALSE); + + return offset; + +} + + +static int +efsrpc_dissect_write_file_raw_reply(tvbuff_t *tvb, int offset, + packet_info *pinfo, proto_tree *tree, guint8 *drep) +{ + + offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep, + hf_efsrpc_rc, NULL); + + return offset; + +} + + +/* +IDL +IDL void EfsRpcCloseRaw( +IDL [in,out] [context_handle] void *pvContext, +IDL ); +*/ + + +static int +efsrpc_dissect_close_file_raw_rqst(tvbuff_t *tvb, int offset, + packet_info *pinfo, proto_tree *tree, guint8 *drep) +{ + + offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep, + hf_efsrpc_hnd, NULL, NULL, FALSE, TRUE); + + return offset; + +} + + +static int +efsrpc_dissect_close_file_raw_reply(tvbuff_t *tvb, int offset, + packet_info *pinfo, proto_tree *tree, guint8 *drep) +{ + + offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep, + hf_efsrpc_hnd, NULL, NULL, FALSE, FALSE); + + return offset; + +} + + + +/* +IDL long EfsRpcEncryptFileSrv( +IDL [in] [string] wchar_t Filename +IDL ); + */ + +static int +efsrpc_dissect_encrypt_file_srv_rqst(tvbuff_t *tvb, int offset, + packet_info *pinfo, proto_tree *tree, guint8 *drep) +{ + + offset = dissect_ndr_cvstring(tvb, offset, pinfo, tree, drep, + sizeof(guint16), + hf_efsrpc_filename, TRUE, NULL); + + return offset; + +} + + +static int +efsrpc_dissect_encrypt_file_srv_reply(tvbuff_t *tvb, int offset, + packet_info *pinfo, proto_tree *tree, guint8 *drep) +{ + + offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep, + hf_efsrpc_rc, NULL); + + return offset; + +} + + +/* +IDL long EfsRpcDecryptFileSrv( +IDL [in] [string] wchar_t FileName, +IDL [in] long Reserved +IDL ); +*/ + + +static int +efsrpc_dissect_decrypt_file_srv_rqst(tvbuff_t *tvb, int offset, + packet_info *pinfo, proto_tree *tree, guint8 *drep) +{ + + offset = dissect_ndr_cvstring(tvb, offset, pinfo, tree, drep, + sizeof(guint16), + hf_efsrpc_filename, TRUE, NULL); + + offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep, + hf_efsrpc_reserved, NULL); + + return offset; + +} + + +static int +efsrpc_dissect_decrypt_file_srv_reply(tvbuff_t *tvb, int offset, + packet_info *pinfo, proto_tree *tree, guint8 *drep) +{ + + offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep, + hf_efsrpc_rc, NULL); + + return offset; + +} + + +/* +IDL typedef struct { +IDL long cbData; +IDL [size_is(cbData)] void *pbData; +IDL } EFS_HASH_BLOB; +*/ + +static int +efsrpc_dissect_EFS_HASH_BLOB_data(tvbuff_t *tvb, int offset, + packet_info *pinfo, proto_tree *tree, + guint8 *drep) +{ + guint32 size; + dcerpc_info *di = (dcerpc_info *)pinfo->private_data; + + if(di->conformant_run){ + return offset; /* cant modify offset while performing conformant run */ + } + + offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep, + hf_efsrpc_data_size, &size); + + /* XXX insert some sort of proto_tree_add_item here and show hex data + of the blob */ + offset += size; + return offset; +} + +static int +efsrpc_dissect_EFS_HASH_BLOB(tvbuff_t *tvb, int offset, + packet_info *pinfo, proto_tree *tree, + guint8 *drep) +{ + guint32 size; + + offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep, + hf_efsrpc_data_size, &size); + + offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep, + efsrpc_dissect_EFS_HASH_BLOB_data, NDR_POINTER_UNIQUE, + "HASH_BLOB", -1); + + return offset; +} + + +static int +efsrpc_dissect_efs_SID_ptr(tvbuff_t *tvb, int offset, + packet_info *pinfo, proto_tree *tree, + guint8 *drep) +{ + offset = dissect_ndr_nt_SID(tvb, offset, pinfo, tree, drep); + + return offset; +} + + +/* +IDL typedef struct { +IDL long cbTotalLength; +IDL SID *pUserSid; +IDL EFS_HASH_BLOB *pHash; +IDL [string] wchar_t lpDisplayInformation; +IDL } ENCRYPTION_CERTIFICATE_HASH; +*/ + +static int +efsrpc_dissect_ENCRYPTION_CERTIFICATE_HASH(tvbuff_t *tvb, int offset, + packet_info *pinfo, proto_tree *parent_tree, + guint8 *drep) +{ + proto_item *item = NULL; + proto_tree *tree = NULL; + + if (parent_tree) { + item = proto_tree_add_text(parent_tree, tvb, offset, -1, "ENCRYPTION_CERTIFICATE_HASH"); + tree = proto_item_add_subtree(item, ett_dcerpc_efs_cert_hash); + } + + offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep, + hf_efsrpc_data_size, NULL); + + offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep, + efsrpc_dissect_efs_SID_ptr, NDR_POINTER_UNIQUE, + "SID", -1); + + offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep, + efsrpc_dissect_EFS_HASH_BLOB, NDR_POINTER_UNIQUE, + "EFS_HASH_BLOB", -1); + + offset = dissect_ndr_pointer_cb( + tvb, offset, pinfo, tree, drep, + dissect_ndr_wchar_cvstring, NDR_POINTER_UNIQUE, + "Certificate DN", hf_efsrpc_cert_dn, cb_wstr_postprocess, + GINT_TO_POINTER(CB_STR_COL_INFO | 1)); + + return offset; +} + + +static int +efsrpc_dissect_ENCRYPTION_CERTIFICATE_HASH_ptr(tvbuff_t *tvb, int offset, + packet_info *pinfo, proto_tree *tree, + guint8 *drep) +{ + + offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep, + efsrpc_dissect_ENCRYPTION_CERTIFICATE_HASH, NDR_POINTER_UNIQUE, + "ENCRYPTION_CERTIFICATE_HASH", -1); + + return offset; + +} + + +static int +efsrpc_dissect_ENCRYPTION_CERTIFICATE_HASH_array(tvbuff_t *tvb, int offset, + packet_info *pinfo, proto_tree *tree, + guint8 *drep) +{ + offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep, + efsrpc_dissect_ENCRYPTION_CERTIFICATE_HASH_ptr); + + return offset; +} + +/* +IDL typedef struct { +IDL long nCert_Hash; +IDL [size_is(nCert_Hash)] [unique] ENCRYPTION_CERTIFICATE_HASH *pUsers; +IDL } ENCRYPTION_CERTIFICATE_HASH_LIST; +*/ + +static int +efsrpc_dissect_ENCRYPTION_CERTIFICATE_HASH_LIST(tvbuff_t *tvb, int offset, + packet_info *pinfo, proto_tree *tree, guint8 *drep) +{ + + offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep, + hf_efsrpc_num_entries, NULL); + + offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep, + efsrpc_dissect_ENCRYPTION_CERTIFICATE_HASH_array, NDR_POINTER_UNIQUE, + "ENCRYPTION_CERTIFICATE_HASH array:", -1); + + return offset; + +} + + + +/* +IDL long EfsRpcQueryUsersOnFile( +IDL [in] [string] wchar_t FileName, +IDL [out] [ref] ENCRYPTION_CERTIFICATE_HASH_LIST **pUsers +IDL ); +*/ + + +static int +efsrpc_dissect_query_users_on_file_rqst(tvbuff_t *tvb, int offset, + packet_info *pinfo, proto_tree *tree, guint8 *drep) +{ + + offset = dissect_ndr_cvstring(tvb, offset, pinfo, tree, drep, + sizeof(guint16), + hf_efsrpc_filename, TRUE, NULL); + + + return offset; + +} + + +static int +efsrpc_dissect_query_users_on_file_reply(tvbuff_t *tvb, int offset, + packet_info *pinfo, proto_tree *tree, guint8 *drep) +{ + offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep, + efsrpc_dissect_ENCRYPTION_CERTIFICATE_HASH_LIST, NDR_POINTER_UNIQUE, + "ENCRYPTION_CERTIFICATE_HASH_LIST", -1); + + offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep, + hf_efsrpc_rc, NULL); + + return offset; + +} + +/* +IDL long EfsRpcQueryRecoveryAgents( +IDL [in] [string] wchar_t FileName, +IDL [out] [ref] ENCRYPTION_CERTIFICATE_HASH_LIST **pRecoveryAgents +IDL ); +*/ + +static int +efsrpc_dissect_query_recovery_agents_rqst(tvbuff_t *tvb, int offset, + packet_info *pinfo, proto_tree *tree, guint8 *drep) +{ + + offset = dissect_ndr_cvstring(tvb, offset, pinfo, tree, drep, + sizeof(guint16), + hf_efsrpc_filename, TRUE, NULL); + + return offset; + +} + + +static int +efsrpc_dissect_query_recovery_agents_reply(tvbuff_t *tvb, int offset, + packet_info *pinfo, proto_tree *tree, guint8 *drep) +{ + + offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep, + efsrpc_dissect_ENCRYPTION_CERTIFICATE_HASH_LIST, NDR_POINTER_UNIQUE, + "ENCRYPTION_CERTIFICATE_HASH_LIST", -1); + + offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep, + hf_efsrpc_rc, NULL); + + return offset; + + +} + + + +/* +IDL long EfsRpcRemoveUsersFromFile( +IDL [in] [string] wchar_t FileName, +IDL [in] ENCRYPTION_CERTIFICATE_LIST Hashes +IDL ); +*/ + +static int +efsrpc_dissect_remove_users_from_file_rqst(tvbuff_t *tvb, int offset, + packet_info *pinfo, proto_tree *tree, guint8 *drep) +{ + + offset = dissect_ndr_cvstring(tvb, offset, pinfo, tree, drep, + sizeof(guint16), + hf_efsrpc_filename, TRUE, NULL); +#if 0 + offset = efsrpc_dissect_ENCRYPTION_CERTIFICATE_LIST(tvb, offset, + pinfo, tree, drep); +#endif + return offset; + +} + + +static int +efsrpc_dissect_remove_users_from_file_reply(tvbuff_t *tvb, int offset, + packet_info *pinfo, proto_tree *tree, guint8 *drep) +{ + + offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep, + hf_efsrpc_rc, NULL); + + return offset; + +} + +/* +IDL long EfsRpcAddUsersToFile( +IDL [in] [string] wchar_t FileName, +IDL [in] ENCRYPTION_CERTIFICATE_LIST Hashes +IDL ); +*/ + +static int +efsrpc_dissect_add_users_from_file_rqst(tvbuff_t *tvb, int offset, + packet_info *pinfo, proto_tree *tree, guint8 *drep) +{ + + offset = dissect_ndr_cvstring(tvb, offset, pinfo, tree, drep, + sizeof(guint16), + hf_efsrpc_filename, TRUE, NULL); +#if 0 + offset = efsrpc_dissect_ENCRYPTION_CERTIFICATE_LIST(tvb, offset, + pinfo, tree, drep); +#endif + return offset; + +} + + +static int +efsrpc_dissect_add_users_from_file_reply(tvbuff_t *tvb, int offset, + packet_info *pinfo, proto_tree *tree, guint8 *drep) +{ + + offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep, + hf_efsrpc_rc, NULL); + + return offset; + +} + + +/* +IDL typedef struct { +IDL long dwCertEncodingType; +IDL long cbData; +IDL [size_is(cbData)] [unique] byte *pbData +IDL } EFS_CERTIFICATE_BLOB; +*/ + +/* +IDL typedef struct { +IDL long TotalLength; +IDL [unique] SID *pUserSid; +IDL [unique] EFS_CERTIFICATE_BLOB *pCertBlob; +IDL } ENCRYPTION_CERTIFICATE; +*/ + +/* +IDL long EfsRpcSetFileEncryptionKey( +IDL [in] [unique] ENCRYPTION_CERTIFICATE *pEncryptionCertificate +IDL ); +*/ + +static dcerpc_sub_dissector dcerpc_efs_dissectors[] = { + { EFS_RPC_OPEN_FILE_RAW , "EfsRpcOpenFileRaw", + efsrpc_dissect_open_file_raw_rqst, + efsrpc_dissect_open_file_raw_reply }, + { EFS_RPC_READ_FILE_RAW, "EfsRpcReadFileRaw", + efsrpc_dissect_read_file_raw_rqst, + NULL }, + { EFS_RPC_WRITE_FILE_RAW, "EfsRpcWriteFileRaw", + efsrpc_dissect_write_file_raw_rqst, + efsrpc_dissect_write_file_raw_reply }, + { EFS_RPC_CLOSE_RAW, "EfsRpcCloseRaw", + efsrpc_dissect_close_file_raw_rqst, + efsrpc_dissect_close_file_raw_reply }, + { EFS_RPC_ENCRYPT_FILE_SRV, "EfsRpcEncryptFileSrv", + efsrpc_dissect_encrypt_file_srv_rqst, + efsrpc_dissect_encrypt_file_srv_reply }, + { EFS_RPC_DECRYPT_FILE_SRV, "EfsRpcDecryptFileSrv", + efsrpc_dissect_decrypt_file_srv_rqst, + efsrpc_dissect_decrypt_file_srv_reply }, + { EFS_RPC_QUERY_USERS_ON_FILE, "EfsRpcQueryUsersOnFile", + efsrpc_dissect_query_users_on_file_rqst, + efsrpc_dissect_query_users_on_file_reply }, + { EFS_RPC_QUERY_RECOVERY_AGENTS, "EfsRpcQueryRecoveryAgents", + efsrpc_dissect_query_recovery_agents_rqst, + efsrpc_dissect_query_recovery_agents_reply }, + { EFS_RPC_REMOVE_USERS_FROM_FILE, "EfsRpcRemoveUsersFromFile", + efsrpc_dissect_remove_users_from_file_rqst, + efsrpc_dissect_remove_users_from_file_reply }, + { EFS_RPC_ADD_USERS_TO_FILE, "EfsRpcAddUsersToFile", + efsrpc_dissect_add_users_from_file_rqst, + efsrpc_dissect_add_users_from_file_reply }, + { EFS_RPC_SET_FILE_ENCRYPTION_KEY, "EfsRpcSetFileEncryptionKey" + , NULL, NULL }, + { EFS_RPC_NOT_SUPPORTED, "EfsRpcNotSupported" + , NULL, NULL }, + { EFS_RPC_FILE_KEY_INFO, "EfsRpcFileKeyInfo" + , NULL, NULL }, + { EFS_RPC_DUPLICATE_ENCRYPTION_INFO_FILE, + "EfsRpcDuplicateEncryptionInfoFile", NULL, NULL }, + { 0, NULL, NULL, NULL } +}; + +void +proto_register_dcerpc_efs(void) +{ +static hf_register_info hf[] = { + { &hf_efsrpc_opnum, { + "Operation", "efsrpc.opnum", FT_UINT16, BASE_DEC, + NULL, 0x0, "", HFILL }}, + { &hf_efsrpc_rc, { + "Return code", "efsrpc.rc", FT_UINT32, BASE_HEX, + VALS(NT_errors), 0x0, "EFSRPC return code", HFILL }}, + { &hf_efsrpc_filename, + { "Filename", "efsrpc.filename", FT_STRING, BASE_NONE, + NULL, 0x0, "File name", HFILL}}, + + { &hf_efsrpc_flags, { + "Flags", "efsrpc.flags", FT_UINT32, BASE_HEX, + NULL, 0x0, "EFSRPC Flags", HFILL }}, + + { &hf_efsrpc_hnd, { + "Context Handle", "efsrpc.hnd", FT_BYTES, + BASE_NONE, NULL, 0x0, "Context Handle", HFILL}}, + + { &hf_efsrpc_reserved, { + "Reserved value", "efsrpc.reserved", FT_UINT32, BASE_HEX, + NULL, 0x0, "Reserved value", HFILL }}, + + { &hf_efsrpc_num_entries, + { "Number of entries", "efsrpc.num_entries", FT_UINT32, + BASE_DEC, NULL, 0x0, "Number of Entries", HFILL}}, + + { &hf_efsrpc_data_size, + { "Size of data structure", "efsrpc.data_size", FT_UINT32, + BASE_DEC, NULL, 0x0, "Size of data structure", HFILL}}, + + { &hf_efsrpc_cert_dn, + { "Certificate DN", "efsrpc.cert_dn", FT_STRING, BASE_NONE, + NULL, 0x0, "Distinguished Name of EFS certificate", HFILL}}, + + + }; + + static gint *ett[] = { + &ett_dcerpc_efs, + &ett_dcerpc_efs_cert_hash + }; + + proto_dcerpc_efs = proto_register_protocol( + "Microsoft Encrypted File System Service", "EFSRPC", "efsrpc"); + + proto_register_field_array(proto_dcerpc_efs, hf, + array_length(hf)); + + proto_register_subtree_array(ett, array_length(ett)); +} + +void +proto_reg_handoff_dcerpc_efs(void) +{ + /* Register protocol as dcerpc */ + + dcerpc_init_uuid(proto_dcerpc_efs, ett_dcerpc_efs, + &uuid_dcerpc_efs, ver_dcerpc_efs, + dcerpc_efs_dissectors, hf_efsrpc_opnum); +} |