Diffstat (limited to 'epan/dissectors')
-rw-r--r-- | epan/dissectors/packet-dcerpc-lsa.c | 4 | ||||
-rw-r--r-- | epan/dissectors/packet-dcerpc-nt.c | 74 | ||||
-rw-r--r-- | epan/dissectors/packet-dcerpc-nt.h | 9 | ||||
-rw-r--r-- | epan/dissectors/packet-dcerpc-samr.c | 62 | ||||
-rw-r--r-- | epan/dissectors/packet-dcerpc-spoolss.c | 20 | ||||
-rw-r--r-- | epan/dissectors/packet-dcerpc-svcctl.c | 6 | ||||
-rw-r--r-- | epan/dissectors/packet-dcerpc.c | 2 | ||||
-rw-r--r-- | epan/dissectors/packet-dcerpc.h | 33 | ||||
-rw-r--r-- | epan/dissectors/packet-smb-sidsnooping.c | 2 | ||||
-rw-r--r-- | epan/dissectors/packet-smb2.c | 4 | ||||
-rw-r--r-- | epan/dissectors/pidl/samr.cnf | 63 |
11 files changed, 205 insertions, 74 deletions
diff --git a/epan/dissectors/packet-dcerpc-lsa.c b/epan/dissectors/packet-dcerpc-lsa.c
index 9c406961db..40e07471db 100644
--- a/epan/dissectors/packet-dcerpc-lsa.c
+++ b/epan/dissectors/packet-dcerpc-lsa.c
@@ -604,7 +604,7 @@ lsa_dissect_lsaropenpolicy_reply(tvbuff_t *tvb, int offset,
 tvb, offset, pinfo, tree, drep, hf_lsa_rc, &status);
 if (status == 0) {
- dcerpc_smb_store_pol_name(&policy_hnd, pinfo,
+ dcerpc_store_polhnd_name(&policy_hnd, pinfo,
 "OpenPolicy handle");
 if (hnd_item != NULL)
@@ -671,7 +671,7 @@ lsa_dissect_lsaropenpolicy2_reply(tvbuff_t *tvb, int offset,
 pol_name = "Unknown OpenPolicy2() handle";
 }
 if(!pinfo->fd->flags.visited){
- dcerpc_smb_store_pol_name(&policy_hnd, pinfo, pol_name);
+ dcerpc_store_polhnd_name(&policy_hnd, pinfo, pol_name);
 }
 if(hnd_item)
diff --git a/epan/dissectors/packet-dcerpc-nt.c b/epan/dissectors/packet-dcerpc-nt.c
index ebae197a04..a94526566a 100644
--- a/epan/dissectors/packet-dcerpc-nt.c
+++ b/epan/dissectors/packet-dcerpc-nt.c
@@ -400,14 +400,6 @@ typedef struct {
 guint8 policy_hnd[20];
 } pol_hash_key;
-typedef struct pol_value {
- struct pol_value *next; /* Next entry in hash bucket */
- guint32 open_frame, close_frame; /* Frame numbers for open/close */
- guint32 first_frame; /* First frame in which this instance was seen */
- guint32 last_frame; /* Last frame in which this instance was seen */
- char *name; /* Name of policy handle */
-} pol_value;
 typedef struct {
 pol_value *list; /* List of policy handle entries */
 } pol_hash_value;
@@ -612,15 +604,43 @@ void dcerpc_smb_store_pol_pkts(e_ctx_hnd *policy_hnd, packet_info *pinfo,
 pol->close_frame = is_close ? pinfo->fd->num : 0;
 pol->first_frame = pinfo->fd->num;
 pol->last_frame = pol->close_frame; /* if 0, unknown; if non-0, known */
-
+ pol->type=0;
 pol->name = NULL;
 add_pol_handle(policy_hnd, pinfo->fd->num, pol, value);
 }
-/* Store a text string with a policy handle */
+/* Store the type of a policy handle */
+static void dcerpc_store_polhnd_type(e_ctx_hnd *policy_hnd, packet_info *pinfo,
+ guint32 type)
+{
+ pol_hash_value *value;
+ pol_value *pol;
+
+ /*
+ * By the time the first pass is done, the policy handle database
+ * has been completely constructed. If we've already seen this
+ * frame, there's nothing to do.
+ */
+ if (pinfo->fd->flags.visited)
+ return;
+
+ if (is_null_pol(policy_hnd))
+ return;
+
+ /* Look up existing value */
+ pol = find_pol_handle(policy_hnd, pinfo->fd->num, &value);
-void dcerpc_smb_store_pol_name(e_ctx_hnd *policy_hnd, packet_info *pinfo,
+ if (pol != NULL) {
+ /*
+ * Update the existing value as appropriate.
+ */
+ pol->type=type;
+ }
+}
+
+/* Store a text string with a policy handle */
+void dcerpc_store_polhnd_name(e_ctx_hnd *policy_hnd, packet_info *pinfo,
 const char *name)
 {
 pol_hash_value *value;
@@ -666,7 +686,7 @@ void dcerpc_smb_store_pol_name(e_ctx_hnd *policy_hnd, packet_info *pinfo,
 pol->close_frame = 0;
 pol->first_frame = pinfo->fd->num;
 pol->last_frame = 0;
-
+ pol->type = 0;
 if (name)
 pol->name = strdup(name);
 else
@@ -683,7 +703,8 @@ void dcerpc_smb_store_pol_name(e_ctx_hnd *policy_hnd, packet_info *pinfo,
 * close operations?
 */
-gboolean dcerpc_smb_fetch_pol(e_ctx_hnd *policy_hnd, char **name,
+gboolean dcerpc_fetch_polhnd_data(e_ctx_hnd *policy_hnd,
+ char **name, guint32 *type,
 guint32 *open_frame, guint32 *close_frame,
 guint32 cur_frame)
 {
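Review bot: dcerpc_store_polhnd_type() silently does nothing when find_pol_handle() returns NULL, so its only caller (PIDL_dissect_policy_hnd, in a later hunk of this file) depends on dcerpc_store_polhnd_name() having created the entry immediately before it, and that ordering is not stated anywhere. I would put it in the header comment: `/* Store the type of a policy handle. Only updates an entry that already exists (create it with dcerpc_store_polhnd_name() first); null or unknown handles are ignored. */`. The `value` out-parameter of find_pol_handle() is never read here, which is harmless but worth a `/* value unused */` if the project warns on set-but-unused locals. dcerpc_smb_store_pol_pkts() begins before this hunk and dcerpc_store_polhnd_name() continues past it.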
@@ -695,12 +716,15 @@ gboolean dcerpc_smb_fetch_pol(e_ctx_hnd *policy_hnd, char **name,
 if (name)
 *name = NULL;
+ if (type)
+ *type = 0;
+
 if (open_frame)
 *open_frame = 0;
 if (close_frame)
 *close_frame = 0;
-
+ /* Look up existing value */
 pol = find_pol_handle(policy_hnd, cur_frame, &value);
@@ -708,6 +732,9 @@ gboolean dcerpc_smb_fetch_pol(e_ctx_hnd *policy_hnd, char **name,
 if (name)
 *name = pol->name;
+ if (type)
+ *type = pol->type;
+
 if (open_frame)
 *open_frame = pol->open_frame;
@@ -872,9 +899,8 @@ dissect_nt_hnd(tvbuff_t *tvb, gint offset, packet_info *pinfo,
 dcerpc_smb_store_pol_pkts(&hnd, pinfo, is_open, is_close);
 /* Insert open/close/name information if known */
-
- if (dcerpc_smb_fetch_pol(&hnd, &name, &open_frame, &close_frame,
- pinfo->fd->num)) {
+ if (dcerpc_fetch_polhnd_data(&hnd, &name, NULL, &open_frame,
+ &close_frame, pinfo->fd->num)) {
 if (open_frame) {
 proto_item *item;
@@ -973,7 +999,19 @@ PIDL_dissect_policy_hnd(tvbuff_t *tvb, gint offset, packet_info *pinfo,
 pol_name="<...>";
 }
 pol_string=ep_strdup_printf("%s(%s)", pinfo->dcerpc_procedure_name, pol_name);
- dcerpc_smb_store_pol_name(&policy_hnd, pinfo, pol_string);
+ dcerpc_store_polhnd_name(&policy_hnd, pinfo, pol_string);
+ dcerpc_store_polhnd_type(&policy_hnd, pinfo, param&PIDL_POLHND_TYPE_MASK);
+ }
+
+ /* Track this policy handle for the response */
+ if(!pinfo->fd->flags.visited
+ && !di->conformant_run){
+ dcerpc_call_value *dcv;
+
+ dcv = (dcerpc_call_value *)di->call_data;
+ if(!dcv->pol){
+ dcv->pol=se_memdup(&policy_hnd, sizeof(e_ctx_hnd));
+ }
 }
 return offset;
diff --git a/epan/dissectors/packet-dcerpc-nt.h b/epan/dissectors/packet-dcerpc-nt.h
index bc64b3e9f0..1e63e1dc9e 100644
--- a/epan/dissectors/packet-dcerpc-nt.h
+++ b/epan/dissectors/packet-dcerpc-nt.h
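Review bot: In the new request-tracking block of PIDL_dissect_policy_hnd, `dcv` is dereferenced (`if(!dcv->pol)`) with no NULL check, while the consumer added in packet-dcerpc-samr.c guards `if(dcv)` before reading `dcv->pol`; if `di->call_data` can be NULL on some path (the samr guard suggests the author thought it could), this is a crash on the request side. Either `if(dcv && !dcv->pol){` here, or drop the samr guard and document that call_data is always set, but the two sides should agree. `if(!dcv->pol)` also means only the first policy handle of a request is recorded, so a call carrying several handles types its response's security descriptor by the first one; a one-line comment would save the next reader the lookup: `/* only the first handle of a request is tracked; later ones are ignored */`. PIDL_dissect_policy_hnd begins before this hunk.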
@@ -162,13 +162,13 @@ dcerpc_smb_store_pol_pkts(e_ctx_hnd *policy_hnd, packet_info *pinfo,
 /* Store a name with a policy handle */
 void
-dcerpc_smb_store_pol_name(e_ctx_hnd *policy_hnd, packet_info *pinfo,
+dcerpc_store_polhnd_name(e_ctx_hnd *policy_hnd, packet_info *pinfo,
 const char *name);
 /* Fetch details stored with a policy handle */
 gboolean
-dcerpc_smb_fetch_pol(e_ctx_hnd *policy_hnd, char **name,
+dcerpc_fetch_polhnd_data(e_ctx_hnd *policy_hnd, char **name, guint32 *type,
 guint32 *open_frame, guint32 *close_frame,
 guint32 cur_frame);
@@ -236,8 +236,8 @@ int dissect_ndr_str_pointer_item(tvbuff_t *tvb, gint offset,
 /* Number of levels to go up appending string to pointer item */
 #define CB_STR_ITEM_LEVELS(x) ((x) & 0xFFFF)
-#define CB_STR_COL_INFO 0x10000 /* Append string to COL_INFO */
-#define CB_STR_SAVE 0x20000 /* Save string to dcv->private_data */
+#define CB_STR_SAVE 0x20000000 /* Save string to dcv->private_data */
+#define CB_STR_COL_INFO 0x10000000 /* Append string to COL_INFO */
 void cb_wstr_postprocess(packet_info *pinfo, proto_tree *tree _U_,
 proto_item *item, tvbuff_t *tvb,
@@ -252,4 +252,5 @@ void cb_str_postprocess(packet_info *pinfo, proto_tree *tree _U_,
 void dcerpc_smb_init(int proto_dcerpc);
+
 #endif /* packet-dcerpc-nt.h */
diff --git a/epan/dissectors/packet-dcerpc-samr.c b/epan/dissectors/packet-dcerpc-samr.c
index 3ba55d57f4..c28a2b3c30 100644
--- a/epan/dissectors/packet-dcerpc-samr.c
+++ b/epan/dissectors/packet-dcerpc-samr.c
@@ -1853,7 +1853,11 @@ static int
 cnf_dissect_sec_desc_buf_(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep)
 {
 guint32 len;
- dcerpc_info *di;
+ dcerpc_info *di = NULL;
+ e_ctx_hnd *polhnd = NULL;
+ dcerpc_call_value *dcv = NULL;
+ guint32 type=0;
+ struct access_mask_info *ami=NULL;
 di=pinfo->private_data;
 if(di->conformant_run){
 /*just a run to handle conformant arrays, nothing to dissect */
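Review bot: The prototype comment "Fetch details stored with a policy handle" says nothing about the new `type` out-parameter, although the implementation in packet-dcerpc-nt.c zeroes it on entry and writes `pol->type` on a hit and every caller in this commit passes NULL for it; I would extend the comment to `/* Fetch details stored with a policy handle. name, type, open_frame and close_frame may each be NULL; type receives the PIDL_POLHND_TYPE_* value recorded when the handle was opened, 0 if unknown. */`. In the second hunk, CB_STR_SAVE and CB_STR_COL_INFO now sit on the same bit positions as PIDL_STR_SAVE and PIDL_SET_COL_INFO in packet-dcerpc.h but remain independent literals; if this header can include packet-dcerpc.h, `#define CB_STR_SAVE PIDL_STR_SAVE` (and likewise for COL_INFO) prevents the two from drifting apart, otherwise a comment naming the counterpart is the minimum.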
@@ -1861,8 +1865,34 @@ cnf_dissect_sec_desc_buf_(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_t
 }
 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep, hf_samr_sec_desc_buf_len, &len);
- dissect_nt_sec_desc(tvb, offset, pinfo, tree, drep, TRUE, len,
- NULL);
+ if(di){
+ dcv = (dcerpc_call_value *)di->call_data;
+ }
+ if(dcv){
+ polhnd = dcv->pol;
+ }
+ if(polhnd){
+ dcerpc_fetch_polhnd_data(polhnd, NULL, &type, NULL, NULL,
+ pinfo->fd->num);
+ }
+ switch(type){
+ case PIDL_POLHND_TYPE_SAMR_USER:
+ ami=&samr_user_access_mask_info;
+ break;
+ case PIDL_POLHND_TYPE_SAMR_CONNECT:
+ ami=&samr_connect_access_mask_info;
+ break;
+ case PIDL_POLHND_TYPE_SAMR_DOMAIN:
+ ami=&samr_domain_access_mask_info;
+ break;
+ case PIDL_POLHND_TYPE_SAMR_GROUP:
+ ami=&samr_group_access_mask_info;
+ break;
+ case PIDL_POLHND_TYPE_SAMR_ALIAS:
+ ami=&samr_alias_access_mask_info;
+ break;
+ }
+ dissect_nt_sec_desc(tvb, offset, pinfo, tree, drep, TRUE, len, ami);
 offset += len;
 return offset;
 }
@@ -7547,7 +7577,7 @@ samr_dissect_element_Connect_connect_handle(tvbuff_t *tvb _U_, int offset _U_, p
 static int
 samr_dissect_element_Connect_connect_handle_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
 {
- offset = PIDL_dissect_policy_hnd(tvb, offset, pinfo, tree, drep, hf_samr_connect_handle, PIDL_POLHND_OPEN);
+ offset = PIDL_dissect_policy_hnd(tvb, offset, pinfo, tree, drep, hf_samr_connect_handle, PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_SAMR_CONNECT);
 return offset;
 }
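Review bot: The `if(di)` guard at the top of this hunk is dead: `di` is assigned from `pinfo->private_data` and already dereferenced as `di->conformant_run` in the previous hunk, so the `= NULL` initialiser added there and this check protect nothing; write `dcv = (dcerpc_call_value *)di->call_data;` directly and keep the `if(dcv)` check, which is the one that can matter. The `switch(type)` has no `default`; `ami` stays NULL for unrecognised types only by virtue of its initialiser, so an explicit `default: break; /* unknown handle type: no access-mask decoding */` records that this is intended. The identical block appears in pidl/samr.cnf at the end of this page (that hunk is cut off), and this file looks pidl-generated from it, so the fix belongs in the .cnf followed by regeneration rather than in both places by hand.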
@@ -8063,7 +8093,7 @@ samr_dissect_element_OpenDomain_domain_handle(tvbuff_t *tvb _U_, int offset _U_,
 static int
 samr_dissect_element_OpenDomain_domain_handle_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
 {
- offset = PIDL_dissect_policy_hnd(tvb, offset, pinfo, tree, drep, hf_samr_domain_handle, PIDL_POLHND_OPEN);
+ offset = PIDL_dissect_policy_hnd(tvb, offset, pinfo, tree, drep, hf_samr_domain_handle, PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_SAMR_DOMAIN);
 return offset;
 }
@@ -8303,7 +8333,7 @@ samr_dissect_element_CreateDomainGroup_group_handle(tvbuff_t *tvb _U_, int offse
 static int
 samr_dissect_element_CreateDomainGroup_group_handle_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
 {
- offset = PIDL_dissect_policy_hnd(tvb, offset, pinfo, tree, drep, hf_samr_group_handle, PIDL_POLHND_OPEN);
+ offset = PIDL_dissect_policy_hnd(tvb, offset, pinfo, tree, drep, hf_samr_group_handle, PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_SAMR_GROUP);
 return offset;
 }
@@ -8524,7 +8554,7 @@ samr_dissect_element_CreateUser_user_handle(tvbuff_t *tvb _U_, int offset _U_, p
 static int
 samr_dissect_element_CreateUser_user_handle_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
 {
- offset = PIDL_dissect_policy_hnd(tvb, offset, pinfo, tree, drep, hf_samr_user_handle, PIDL_POLHND_OPEN);
+ offset = PIDL_dissect_policy_hnd(tvb, offset, pinfo, tree, drep, hf_samr_user_handle, PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_SAMR_USER);
 return offset;
 }
@@ -8756,7 +8786,7 @@ samr_dissect_element_CreateDomAlias_alias_handle(tvbuff_t *tvb _U_, int offset _
 static int
 samr_dissect_element_CreateDomAlias_alias_handle_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
 {
- offset = PIDL_dissect_policy_hnd(tvb, offset, pinfo, tree, drep, hf_samr_alias_handle, PIDL_POLHND_OPEN);
+ offset = PIDL_dissect_policy_hnd(tvb, offset, pinfo, tree, drep, hf_samr_alias_handle, PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_SAMR_ALIAS);
 return offset;
 }
@@ -9261,7 +9291,7 @@ samr_dissect_element_OpenGroup_group_handle(tvbuff_t *tvb _U_, int offset _U_, p
 static int
 samr_dissect_element_OpenGroup_group_handle_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
 {
- offset = PIDL_dissect_policy_hnd(tvb, offset, pinfo, tree, drep, hf_samr_group_handle, PIDL_POLHND_OPEN);
+ offset = PIDL_dissect_policy_hnd(tvb, offset, pinfo, tree, drep, hf_samr_group_handle, PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_SAMR_GROUP);
 return offset;
 }
@@ -9786,7 +9816,7 @@ samr_dissect_element_OpenAlias_alias_handle(tvbuff_t *tvb _U_, int offset _U_, p
 static int
 samr_dissect_element_OpenAlias_alias_handle_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
 {
- offset = PIDL_dissect_policy_hnd(tvb, offset, pinfo, tree, drep, hf_samr_alias_handle, PIDL_POLHND_OPEN);
+ offset = PIDL_dissect_policy_hnd(tvb, offset, pinfo, tree, drep, hf_samr_alias_handle, PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_SAMR_ALIAS);
 return offset;
 }
@@ -10243,7 +10273,7 @@ samr_dissect_element_OpenUser_user_handle(tvbuff_t *tvb _U_, int offset _U_, pac
 static int
 samr_dissect_element_OpenUser_user_handle_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
 {
- offset = PIDL_dissect_policy_hnd(tvb, offset, pinfo, tree, drep, hf_samr_user_handle, PIDL_POLHND_OPEN);
+ offset = PIDL_dissect_policy_hnd(tvb, offset, pinfo, tree, drep, hf_samr_user_handle, PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_SAMR_USER);
 return offset;
 }
@@ -11552,7 +11582,7 @@ samr_dissect_element_CreateUser2_user_handle(tvbuff_t *tvb _U_, int offset _U_,
 static int
 samr_dissect_element_CreateUser2_user_handle_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
 {
- offset = PIDL_dissect_policy_hnd(tvb, offset, pinfo, tree, drep, hf_samr_user_handle, PIDL_POLHND_OPEN);
+ offset = PIDL_dissect_policy_hnd(tvb, offset, pinfo, tree, drep, hf_samr_user_handle, PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_SAMR_USER);
 return offset;
 }
@@ -12226,7 +12256,7 @@ samr_dissect_element_Connect2_connect_handle(tvbuff_t *tvb _U_, int offset _U_,
 static int
 samr_dissect_element_Connect2_connect_handle_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
 {
- offset = PIDL_dissect_policy_hnd(tvb, offset, pinfo, tree, drep, hf_samr_connect_handle, PIDL_POLHND_OPEN);
+ offset = PIDL_dissect_policy_hnd(tvb, offset, pinfo, tree, drep, hf_samr_connect_handle, PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_SAMR_CONNECT);
 return offset;
 }
@@ -12515,7 +12545,7 @@ samr_dissect_element_Connect3_connect_handle(tvbuff_t *tvb _U_, int offset _U_,
 static int
 samr_dissect_element_Connect3_connect_handle_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
 {
- offset = PIDL_dissect_policy_hnd(tvb, offset, pinfo, tree, drep, hf_samr_connect_handle, PIDL_POLHND_OPEN);
+ offset = PIDL_dissect_policy_hnd(tvb, offset, pinfo, tree, drep, hf_samr_connect_handle, PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_SAMR_CONNECT);
 return offset;
 }
@@ -12603,7 +12633,7 @@ samr_dissect_element_Connect4_connect_handle(tvbuff_t *tvb _U_, int offset _U_,
 static int
 samr_dissect_element_Connect4_connect_handle_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
 {
- offset = PIDL_dissect_policy_hnd(tvb, offset, pinfo, tree, drep, hf_samr_connect_handle, PIDL_POLHND_OPEN);
+ offset = PIDL_dissect_policy_hnd(tvb, offset, pinfo, tree, drep, hf_samr_connect_handle, PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_SAMR_CONNECT);
 return offset;
 }
@@ -12915,7 +12945,7 @@ samr_dissect_element_Connect5_connect_handle(tvbuff_t *tvb _U_, int offset _U_,
 static int
 samr_dissect_element_Connect5_connect_handle_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
 {
- offset = PIDL_dissect_policy_hnd(tvb, offset, pinfo, tree, drep, hf_samr_connect_handle, PIDL_POLHND_OPEN);
+ offset = PIDL_dissect_policy_hnd(tvb, offset, pinfo, tree, drep, hf_samr_connect_handle, PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_SAMR_CONNECT);
 return offset;
 }
diff --git a/epan/dissectors/packet-dcerpc-spoolss.c b/epan/dissectors/packet-dcerpc-spoolss.c
index e3f8b7785c..d226bad2ce 100644
--- a/epan/dissectors/packet-dcerpc-spoolss.c
+++ b/epan/dissectors/packet-dcerpc-spoolss.c
@@ -584,7 +584,7 @@ static int SpoolssClosePrinter_q(tvbuff_t *tvb, int offset,
 tvb, offset, pinfo, tree, drep, hf_hnd, &policy_hnd,
 NULL, FALSE, TRUE);
- dcerpc_smb_fetch_pol(&policy_hnd, &pol_name, NULL, NULL,
+ dcerpc_fetch_polhnd_data(&policy_hnd, &pol_name, NULL, NULL, NULL,
 pinfo->fd->num);
 if (check_col(pinfo->cinfo, COL_INFO) && pol_name)
@@ -2600,7 +2600,7 @@ static int SpoolssOpenPrinterEx_r(tvbuff_t *tvb, int offset,
 pol_name = "Unknown OpenPrinterEx() handle";
 }
 if(!pinfo->fd->flags.visited){
- dcerpc_smb_store_pol_name(&policy_hnd, pinfo, pol_name);
+ dcerpc_store_polhnd_name(&policy_hnd, pinfo, pol_name);
 }
 if(hnd_item)
@@ -3224,7 +3224,7 @@ static int SpoolssReplyOpenPrinter_r(tvbuff_t *tvb, int offset,
 pol_name = "Unknown ReplyOpenPrinter() handle";
 }
 if(!pinfo->fd->flags.visited){
- dcerpc_smb_store_pol_name(&policy_hnd, pinfo, pol_name);
+ dcerpc_store_polhnd_name(&policy_hnd, pinfo, pol_name);
 }
 if(hnd_item)
@@ -3732,7 +3732,7 @@ static int SpoolssAddPrinterEx_r(tvbuff_t *tvb, int offset, packet_info *pinfo,
 pol_name = "Unknown AddPrinterEx() handle";
 }
 if(!pinfo->fd->flags.visited){
- dcerpc_smb_store_pol_name(&policy_hnd, pinfo, pol_name);
+ dcerpc_store_polhnd_name(&policy_hnd, pinfo, pol_name);
 }
 if(hnd_item)
@@ -4766,7 +4766,7 @@ static int SpoolssStartPagePrinter_q(tvbuff_t *tvb, int offset,
 tvb, offset, pinfo, tree, drep, hf_hnd, &policy_hnd,
 NULL, FALSE, FALSE);
- dcerpc_smb_fetch_pol(&policy_hnd, &pol_name, NULL, NULL,
+ dcerpc_fetch_polhnd_data(&policy_hnd, &pol_name, NULL, NULL, NULL,
 pinfo->fd->num);
 if (check_col(pinfo->cinfo, COL_INFO) && pol_name)
@@ -4805,7 +4805,7 @@ static int SpoolssEndPagePrinter_q(tvbuff_t *tvb, int offset,
 tvb, offset, pinfo, tree, drep, hf_hnd, &policy_hnd,
 NULL, FALSE, FALSE);
- dcerpc_smb_fetch_pol(&policy_hnd, &pol_name, NULL, NULL,
+ dcerpc_fetch_polhnd_data(&policy_hnd, &pol_name, NULL, NULL, NULL,
 pinfo->fd->num);
 if (check_col(pinfo->cinfo, COL_INFO) && pol_name)
@@ -4959,7 +4959,7 @@ static int SpoolssStartDocPrinter_q(tvbuff_t *tvb, int offset,
 tvb, offset, pinfo, tree, drep, hf_hnd, &policy_hnd,
 NULL, FALSE, FALSE);
- dcerpc_smb_fetch_pol(&policy_hnd, &pol_name, NULL, NULL,
+ dcerpc_fetch_polhnd_data(&policy_hnd, &pol_name, NULL, NULL, NULL,
 pinfo->fd->num);
 if (check_col(pinfo->cinfo, COL_INFO) && pol_name)
@@ -5003,7 +5003,7 @@ static int SpoolssEndDocPrinter_q(tvbuff_t *tvb, int offset,
 tvb, offset, pinfo, tree, drep, hf_hnd, &policy_hnd,
 NULL, FALSE, FALSE);
- dcerpc_smb_fetch_pol(&policy_hnd, &pol_name, NULL, NULL,
+ dcerpc_fetch_polhnd_data(&policy_hnd, &pol_name, NULL, NULL, NULL,
 pinfo->fd->num);
 if (check_col(pinfo->cinfo, COL_INFO) && pol_name)
@@ -5049,7 +5049,7 @@ static int SpoolssWritePrinter_q(tvbuff_t *tvb, int offset, packet_info *pinfo,
 tvb, offset, pinfo, tree, drep, hf_hnd, &policy_hnd,
 NULL, FALSE, FALSE);
- dcerpc_smb_fetch_pol(&policy_hnd, &pol_name, NULL, NULL,
+ dcerpc_fetch_polhnd_data(&policy_hnd, &pol_name, NULL, NULL, NULL,
 pinfo->fd->num);
 if (check_col(pinfo->cinfo, COL_INFO) && pol_name)
@@ -5542,7 +5542,7 @@ static int SpoolssGetPrinterDriver2_q(tvbuff_t *tvb, int offset,
 tvb, offset, pinfo, tree, drep, hf_hnd, &policy_hnd,
 NULL, FALSE, FALSE);
- dcerpc_smb_fetch_pol(&policy_hnd, &pol_name, NULL, NULL,
+ dcerpc_fetch_polhnd_data(&policy_hnd, &pol_name, NULL, NULL, NULL,
 pinfo->fd->num);
 if (check_col(pinfo->cinfo, COL_INFO) && pol_name)
diff --git a/epan/dissectors/packet-dcerpc-svcctl.c b/epan/dissectors/packet-dcerpc-svcctl.c
index 49fb39f525..361eeb2416 100644
--- a/epan/dissectors/packet-dcerpc-svcctl.c
+++ b/epan/dissectors/packet-dcerpc-svcctl.c
@@ -186,7 +186,7 @@ svcctl_dissect_OpenSCManager_reply(tvbuff_t *tvb, int offset,
 pol_name = "Unknown OpenSCManagerW() handle";
 }
 if(!pinfo->fd->flags.visited){
- dcerpc_smb_store_pol_name(&policy_hnd, pinfo, pol_name);
+ dcerpc_store_polhnd_name(&policy_hnd, pinfo, pol_name);
 }
 if(hnd_item)
@@ -272,7 +272,7 @@ svcctl_dissect_OpenSCManagerW_reply(tvbuff_t *tvb, int offset,
 pol_name = "Unknown OpenSCManagerW() handle";
 }
 if(!pinfo->fd->flags.visited){
- dcerpc_smb_store_pol_name(&policy_hnd, pinfo, pol_name);
+ dcerpc_store_polhnd_name(&policy_hnd, pinfo, pol_name);
 }
 if(hnd_item)
@@ -303,7 +303,7 @@ svcctl_dissect_CloseServiceHandle_rqst(tvbuff_t *tvb, int offset,
 tvb, offset, pinfo, tree, drep, hf_svcctl_hnd, &policy_hnd,
 NULL, FALSE, TRUE);
- dcerpc_smb_fetch_pol(&policy_hnd, &pol_name, NULL, NULL,
+ dcerpc_fetch_polhnd_data(&policy_hnd, &pol_name, NULL, NULL, NULL,
 pinfo->fd->num);
 if (check_col(pinfo->cinfo, COL_INFO) && pol_name)
diff --git a/epan/dissectors/packet-dcerpc.c b/epan/dissectors/packet-dcerpc.c
index 3e2c521cfb..6989d6c17b 100644
--- a/epan/dissectors/packet-dcerpc.c
+++ b/epan/dissectors/packet-dcerpc.c
@@ -3358,6 +3358,7 @@ dissect_dcerpc_cn_rqst (tvbuff_t *tvb, gint offset, packet_info *pinfo,
 call_value->max_ptr=0;
 call_value->se_data = NULL;
 call_value->private_data = NULL;
+ call_value->pol = NULL;
 g_hash_table_insert (dcerpc_cn_calls, call_key, call_value);
 new_matched_key = se_alloc(sizeof (dcerpc_matched_key));
@@ -4564,6 +4565,7 @@ dissect_dcerpc_dg_rqst (tvbuff_t *tvb, int offset, packet_info *pinfo,
 call_value->max_ptr=0;
 call_value->se_data = NULL;
 call_value->private_data = NULL;
+ call_value->pol = NULL;
 g_hash_table_insert (dcerpc_dg_calls, call_key, call_value);
 new_matched_key = se_alloc(sizeof (dcerpc_matched_key));
diff --git a/epan/dissectors/packet-dcerpc.h b/epan/dissectors/packet-dcerpc.h
index 6482df2681..3dfd954999 100644
--- a/epan/dissectors/packet-dcerpc.h
+++ b/epan/dissectors/packet-dcerpc.h
@@ -294,6 +294,7 @@ typedef struct _dcerpc_call_value {
 * request to the reply.
 */
 void *private_data; /* XXX This will later be renamed as ep_data */
+ e_ctx_hnd *pol; /* policy handle tracked between request/response*/
 } dcerpc_call_value;
 typedef struct _dcerpc_info {
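Review bot: dcerpc_call_value gains a pointer member, so every site that allocates one must now initialise it; the two `call_value->pol = NULL;` lines in packet-dcerpc.c cover dissect_dcerpc_cn_rqst and dissect_dcerpc_dg_rqst, and because the struct is filled field by field (max_ptr, se_data, private_data) rather than zero-allocated, any other allocation site (none is visible on this page) would leave `pol` indeterminate and cnf_dissect_sec_desc_buf_ would later dereference it. A grep for other dcerpc_call_value allocations before merging is cheap insurance. The new member's comment could also state what it holds and who owns it: `e_ctx_hnd *pol; /* first policy handle seen in the request (seasonal copy made by PIDL_dissect_policy_hnd); NULL if none */`.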
@@ -430,12 +431,40 @@ init_ndr_pointer_list(packet_info *pinfo);
 */
 /* Policy handle tracking. Describes in which function a handle is
 * opened/closed. See "winreg.cnf" for example.
+ *
+ * The guint32 param is divided up into multiple fields
+ *
+ * +--------+--------+--------+--------+
+ * | Flags | Type | | |
+ * +--------+--------+--------+--------+
 */
+/* Flags : */
 #define PIDL_POLHND_OPEN 0x80000000
 #define PIDL_POLHND_CLOSE 0x40000000
 /* To "save" a pointer to the string in dcv->private_data */
-#define PIDL_STR_SAVE 0x00020000
+#define PIDL_STR_SAVE 0x20000000
 /* To make this value appear on the summary line for the packet */
-#define PIDL_SET_COL_INFO 0x00010000
+#define PIDL_SET_COL_INFO 0x10000000
+
+/* Type */
+#define PIDL_POLHND_TYPE_MASK 0x00ff0000
+#define PIDL_POLHND_TYPE_SAMR_USER 0x00010000
+#define PIDL_POLHND_TYPE_SAMR_CONNECT 0x00020000
+#define PIDL_POLHND_TYPE_SAMR_DOMAIN 0x00030000
+#define PIDL_POLHND_TYPE_SAMR_GROUP 0x00040000
+#define PIDL_POLHND_TYPE_SAMR_ALIAS 0x00050000
+
+
+/* a structure we store for all policy handles we track */
+typedef struct pol_value {
+ struct pol_value *next; /* Next entry in hash bucket */
+ guint32 open_frame, close_frame; /* Frame numbers for open/close */
+ guint32 first_frame; /* First frame in which this instance was seen */
+ guint32 last_frame; /* Last frame in which this instance was seen */
+ char *name; /* Name of policy handle */
+ guint32 type; /* policy handle type */
+} pol_value;
+
+
 #endif /* packet-dcerpc.h */
diff --git a/epan/dissectors/packet-smb-sidsnooping.c b/epan/dissectors/packet-smb-sidsnooping.c
index 443df7da3d..5d868a0827 100644
--- a/epan/dissectors/packet-smb-sidsnooping.c
+++ b/epan/dissectors/packet-smb-sidsnooping.c
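Review bot: The new `type` member's comment, "policy handle type", does not say which values it takes; dcerpc_store_polhnd_type() stores `param & PIDL_POLHND_TYPE_MASK`, so `guint32 type; /* PIDL_POLHND_TYPE_* value, already masked with PIDL_POLHND_TYPE_MASK; 0 = unknown */` pins it down. Moving PIDL_STR_SAVE and PIDL_SET_COL_INFO from 0x00020000/0x00010000 to 0x20000000/0x10000000 means a caller that still passes the old literal instead of the macro is now silently read as PIDL_POLHND_TYPE_SAMR_CONNECT or PIDL_POLHND_TYPE_SAMR_USER; I see no such caller on this page, but the other .cnf files under pidl/ are where to look. The field diagram would be more useful with the bit positions spelled out, e.g. `Flags: bits 31-28 (OPEN, CLOSE, STR_SAVE, SET_COL_INFO); Type: bits 23-16 (PIDL_POLHND_TYPE_MASK); bits 15-0 unused`.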
@@ -164,7 +164,7 @@ samr_query_dispinfo(void *dummy _U_, packet_info *pinfo, epan_dissect_t *edt, co
 return 0;
 }
- if (!dcerpc_smb_fetch_pol(old_ctx, &pol_name, NULL, NULL, ri->call_data->req_frame)) {
+ if (!dcerpc_fetch_polhnd_data(old_ctx, &pol_name, NULL, NULL, NULL, ri->call_data->req_frame)) {
 return 0;
 }
diff --git a/epan/dissectors/packet-smb2.c b/epan/dissectors/packet-smb2.c
index 5009f0237d..8615a41a23 100644
--- a/epan/dissectors/packet-smb2.c
+++ b/epan/dissectors/packet-smb2.c
@@ -941,7 +941,7 @@ dissect_smb2_fid(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset
 } else {
 fid_name = se_strdup_printf("File: ");
 }
- dcerpc_smb_store_pol_name(&policy_hnd, pinfo,
+ dcerpc_store_polhnd_name(&policy_hnd, pinfo,
 fid_name);
 }
 break;
@@ -957,7 +957,7 @@ dissect_smb2_fid(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset
 /* put the filename in col_info */
- if (dcerpc_smb_fetch_pol(&policy_hnd, &fid_name, &open_frame, &close_frame, pinfo->fd->num)) {
+ if (dcerpc_fetch_polhnd_data(&policy_hnd, &fid_name, NULL, &open_frame, &close_frame, pinfo->fd->num)) {
 if(fid_name){
 if(hnd_item){
 proto_item_append_text(hnd_item, " %s", fid_name);
diff --git a/epan/dissectors/pidl/samr.cnf b/epan/dissectors/pidl/samr.cnf
index bbc1e8b793..c5164f5283 100644
--- a/epan/dissectors/pidl/samr.cnf
+++ b/epan/dissectors/pidl/samr.cnf
@@ -9,19 +9,19 @@ HF_FIELD hf_samr_sec_info "SecInfo" "samr.sec_info" FT_UINT32 BASE_HEX NULL 0 ""
 # [opened in xxx] [closed in yyy]
 #
 # Policyhandles are opened in these functions
-PARAM_VALUE samr_dissect_element_Connect_connect_handle_ PIDL_POLHND_OPEN
-PARAM_VALUE samr_dissect_element_OpenDomain_domain_handle_ PIDL_POLHND_OPEN
-PARAM_VALUE samr_dissect_element_CreateDomainGroup_group_handle_ PIDL_POLHND_OPEN
-PARAM_VALUE samr_dissect_element_CreateUser_user_handle_ PIDL_POLHND_OPEN
-PARAM_VALUE samr_dissect_element_CreateDomAlias_alias_handle_ PIDL_POLHND_OPEN
-PARAM_VALUE samr_dissect_element_OpenGroup_group_handle_ PIDL_POLHND_OPEN
-PARAM_VALUE samr_dissect_element_OpenAlias_alias_handle_ PIDL_POLHND_OPEN
-PARAM_VALUE samr_dissect_element_OpenUser_user_handle_ PIDL_POLHND_OPEN
-PARAM_VALUE samr_dissect_element_CreateUser2_user_handle_ PIDL_POLHND_OPEN
-PARAM_VALUE samr_dissect_element_Connect2_connect_handle_ PIDL_POLHND_OPEN
-PARAM_VALUE samr_dissect_element_Connect3_connect_handle_ PIDL_POLHND_OPEN
-PARAM_VALUE samr_dissect_element_Connect4_connect_handle_ PIDL_POLHND_OPEN
-PARAM_VALUE samr_dissect_element_Connect5_connect_handle_ PIDL_POLHND_OPEN
+PARAM_VALUE samr_dissect_element_Connect_connect_handle_ PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_SAMR_CONNECT
+PARAM_VALUE samr_dissect_element_OpenDomain_domain_handle_ PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_SAMR_DOMAIN
+PARAM_VALUE samr_dissect_element_CreateDomainGroup_group_handle_ PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_SAMR_GROUP
+PARAM_VALUE samr_dissect_element_CreateUser_user_handle_ PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_SAMR_USER
+PARAM_VALUE samr_dissect_element_CreateDomAlias_alias_handle_ PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_SAMR_ALIAS
+PARAM_VALUE samr_dissect_element_OpenGroup_group_handle_ PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_SAMR_GROUP
+PARAM_VALUE samr_dissect_element_OpenAlias_alias_handle_ PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_SAMR_ALIAS
+PARAM_VALUE samr_dissect_element_OpenUser_user_handle_ PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_SAMR_USER
+PARAM_VALUE samr_dissect_element_CreateUser2_user_handle_ PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_SAMR_USER
+PARAM_VALUE samr_dissect_element_Connect2_connect_handle_ PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_SAMR_CONNECT
+PARAM_VALUE samr_dissect_element_Connect3_connect_handle_ PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_SAMR_CONNECT
+PARAM_VALUE samr_dissect_element_Connect4_connect_handle_ PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_SAMR_CONNECT
+PARAM_VALUE samr_dissect_element_Connect5_connect_handle_ PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_SAMR_CONNECT
 # Policyhandles are closed in these functions
 PARAM_VALUE samr_dissect_element_Close_handle_ PIDL_POLHND_CLOSE
 PARAM_VALUE samr_dissect_element_Shutdown_connect_handle_ PIDL_POLHND_CLOSE
@@ -417,7 +417,11 @@ static int
 cnf_dissect_sec_desc_buf_(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep)
 {
 guint32 len;
- dcerpc_info *di;
+ dcerpc_info *di = NULL;
+ e_ctx_hnd *polhnd = NULL;
+ dcerpc_call_value *dcv = NULL;
+ guint32 type=0;
+ struct access_mask_info *ami=NULL;
 di=pinfo->private_data;
 if(di->conformant_run){
@@ -428,8 +432,35 @@ cnf_dissect_sec_desc_buf_(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_t
 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep, hf_samr_sec_desc_buf_len, &len);
- dissect_nt_sec_desc(tvb, offset, pinfo, tree, drep, TRUE, len,
- NULL);
+ if(di){
+ dcv = (dcerpc_call_value *)di->call_data;
+ }
+ if(dcv){
+ polhnd = dcv->pol;
+ }
+ if(polhnd){
+ dcerpc_fetch_polhnd_data(polhnd, NULL, &type, NULL, NULL,
+ pinfo->fd->num);
+ }
+ switch(type){
+ case PIDL_POLHND_TYPE_SAMR_USER:
+ ami=&samr_user_access_mask_info;
+ break;
+ case PIDL_POLHND_TYPE_SAMR_CONNECT:
+ ami=&samr_connect_access_mask_info;
+ break;
+ case PIDL_POLHND_TYPE_SAMR_DOMAIN:
+ ami=&samr_domain_access_mask_info;
+ break;
+ case PIDL_POLHND_TYPE_SAMR_GROUP:
+ ami=&samr_group_access_mask_info;
+ break;
+ case PIDL_POLHND_TYPE_SAMR_ALIAS:
+ ami=&samr_alias_access_mask_info;
+ break;
+ }
+
+ dissect_nt_sec_desc(tvb, offset, pinfo, tree, drep, TRUE, len, ami);
 offset += len; |