/* packet-windows-common.c * Routines for dissecting various Windows data types * * Wireshark - Network traffic analyzer * By Gerald Combs * Copyright 1998 Gerald Combs * * SPDX-License-Identifier: GPL-2.0-or-later */ #include "config.h" #include #include #include #include "packet-smb-sidsnooping.h" #include "packet-windows-common.h" #include "packet-smb.h" /* for "sid_name_snooping" */ static int hf_nt_sec_desc_revision = -1; static int hf_nt_sec_desc_type_owner_defaulted = -1; static int hf_nt_sec_desc_type_group_defaulted = -1; static int hf_nt_sec_desc_type_dacl_present = -1; static int hf_nt_sec_desc_type_dacl_defaulted = -1; static int hf_nt_sec_desc_type_sacl_present = -1; static int hf_nt_sec_desc_type_sacl_defaulted = -1; static int hf_nt_sec_desc_type_dacl_trusted = -1; static int hf_nt_sec_desc_type_server_security = -1; static int hf_nt_sec_desc_type_dacl_auto_inherit_req = -1; static int hf_nt_sec_desc_type_sacl_auto_inherit_req = -1; static int hf_nt_sec_desc_type_dacl_auto_inherited = -1; static int hf_nt_sec_desc_type_sacl_auto_inherited = -1; static int hf_nt_sec_desc_type_dacl_protected = -1; static int hf_nt_sec_desc_type_sacl_protected = -1; static int hf_nt_sec_desc_type_rm_control_valid = -1; static int hf_nt_sec_desc_type_self_relative = -1; static int hf_nt_sid = -1; static int hf_nt_sid_revision = -1; static int hf_nt_sid_num_auth = -1; static int hf_nt_sid_auth_dec = -1; static int hf_nt_sid_auth_hex = -1; static int hf_nt_sid_subauth = -1; static int hf_nt_sid_rid_dec = -1; static int hf_nt_sid_rid_hex = -1; static int hf_nt_sid_wkwn = -1; static int hf_nt_sid_domain = -1; static int hf_nt_acl_revision = -1; static int hf_nt_acl_size = -1; static int hf_nt_acl_num_aces = -1; static int hf_nt_ace_flags_object_inherit = -1; static int hf_nt_ace_flags_container_inherit = -1; static int hf_nt_ace_flags_non_propagate_inherit = -1; static int hf_nt_ace_flags_inherit_only = -1; static int hf_nt_ace_flags_inherited_ace = -1; static int hf_nt_ace_flags_successful_access = -1; static int hf_nt_ace_flags_failed_access = -1; static int hf_nt_ace_type = -1; static int hf_nt_ace_size = -1; static int hf_nt_ace_flags_object_type_present = -1; static int hf_nt_ace_flags_inherited_object_type_present = -1; static int hf_nt_ace_guid = -1; static int hf_nt_ace_inherited_guid = -1; static int hf_nt_security_information_sacl = -1; static int hf_nt_security_information_dacl = -1; static int hf_nt_security_information_group = -1; static int hf_nt_security_information_owner = -1; /* Generated from convert_proto_tree_add_text.pl */ static int hf_nt_security_information = -1; static int hf_nt_sec_desc_type = -1; static int hf_nt_offset_to_dacl = -1; static int hf_nt_offset_to_owner_sid = -1; static int hf_nt_ace_flags_object = -1; static int hf_nt_offset_to_group_sid = -1; static int hf_nt_ace_flags = -1; static int hf_nt_offset_to_sacl = -1; static gint ett_nt_sec_desc = -1; static gint ett_nt_sec_desc_type = -1; static gint ett_nt_sid = -1; static gint ett_nt_acl = -1; static gint ett_nt_ace = -1; static gint ett_nt_ace_flags = -1; static gint ett_nt_ace_object = -1; static gint ett_nt_ace_object_flags = -1; static gint ett_nt_security_information = -1; static expert_field ei_nt_owner_sid_beyond_data = EI_INIT; static expert_field ei_nt_owner_sid_beyond_reassembled_data = EI_INIT; static expert_field ei_nt_ace_extends_beyond_data = EI_INIT; static expert_field ei_nt_ace_extends_beyond_reassembled_data = EI_INIT; static expert_field ei_nt_group_sid_beyond_data = EI_INIT; static expert_field ei_nt_group_sid_beyond_reassembled_data = EI_INIT; static expert_field ei_nt_item_offs_out_of_range = EI_INIT; /* WERR error codes */ VALUE_STRING_ARRAY2_GLOBAL_DEF(WERR_errors); /* XXX: Remove GLOBAL_DEF once all PIDL generated dissectors ref WERR_errors_ext */ value_string_ext WERR_errors_ext = VALUE_STRING_EXT_INIT(WERR_errors); /* * HRES error codes. */ VALUE_STRING_ARRAY2_GLOBAL_DEF(HRES_errors); /* XXX: Remove GLOBAL_DEF once all PIDL generated dissectors ref HRES_errors_ext */ value_string_ext HRES_errors_ext = VALUE_STRING_EXT_INIT(HRES_errors); /* * DOS error codes. */ VALUE_STRING_ARRAY(DOS_errors); value_string_ext DOS_errors_ext = VALUE_STRING_EXT_INIT(DOS_errors); /* * NT error codes. * * From * * http://www.wildpackets.com/elements/misc/SMB_NT_Status_Codes.txt */ const value_string NT_errors[] = { { 0x00000000, "STATUS_SUCCESS" }, /*{ 0x00000000, "STATUS_WAIT_0" }, */ { 0x00000001, "STATUS_WAIT_1" }, { 0x00000002, "STATUS_WAIT_2" }, { 0x00000003, "STATUS_WAIT_3" }, { 0x0000003F, "STATUS_WAIT_63" }, { 0x00000080, "STATUS_ABANDONED" }, /*{ 0x00000080, "STATUS_ABANDONED_WAIT_0" },*/ { 0x000000BF, "STATUS_ABANDONED_WAIT_63" }, { 0x000000C0, "STATUS_USER_APC" }, { 0x00000100, "STATUS_KERNEL_APC" }, { 0x00000101, "STATUS_ALERTED" }, { 0x00000102, "STATUS_TIMEOUT" }, { 0x00000103, "STATUS_PENDING" }, { 0x00000104, "STATUS_REPARSE" }, { 0x00000105, "STATUS_MORE_ENTRIES" }, { 0x00000106, "STATUS_NOT_ALL_ASSIGNED" }, { 0x00000107, "STATUS_SOME_NOT_MAPPED" }, { 0x00000108, "STATUS_OPLOCK_BREAK_IN_PROGRESS" }, { 0x00000109, "STATUS_VOLUME_MOUNTED" }, { 0x0000010A, "STATUS_RXACT_COMMITTED" }, { 0x0000010B, "STATUS_NOTIFY_CLEANUP" }, { 0x0000010C, "STATUS_NOTIFY_ENUM_DIR" }, { 0x0000010D, "STATUS_NO_QUOTAS_FOR_ACCOUNT" }, { 0x0000010E, "STATUS_PRIMARY_TRANSPORT_CONNECT_FAILED" }, { 0x00000110, "STATUS_PAGE_FAULT_TRANSITION" }, { 0x00000111, "STATUS_PAGE_FAULT_DEMAND_ZERO" }, { 0x00000112, "STATUS_PAGE_FAULT_COPY_ON_WRITE" }, { 0x00000113, "STATUS_PAGE_FAULT_GUARD_PAGE" }, { 0x00000114, "STATUS_PAGE_FAULT_PAGING_FILE" }, { 0x00000115, "STATUS_CACHE_PAGE_LOCKED" }, { 0x00000116, "STATUS_CRASH_DUMP" }, { 0x00000117, "STATUS_BUFFER_ALL_ZEROS" }, { 0x00000118, "STATUS_REPARSE_OBJECT" }, { 0x0000045C, "STATUS_NO_SHUTDOWN_IN_PROGRESS" }, { 0x40000000, "STATUS_OBJECT_NAME_EXISTS" }, { 0x40000001, "STATUS_THREAD_WAS_SUSPENDED" }, { 0x40000002, "STATUS_WORKING_SET_LIMIT_RANGE" }, { 0x40000003, "STATUS_IMAGE_NOT_AT_BASE" }, { 0x40000004, "STATUS_RXACT_STATE_CREATED" }, { 0x40000005, "STATUS_SEGMENT_NOTIFICATION" }, { 0x40000006, "STATUS_LOCAL_USER_SESSION_KEY" }, { 0x40000007, "STATUS_BAD_CURRENT_DIRECTORY" }, { 0x40000008, "STATUS_SERIAL_MORE_WRITES" }, { 0x40000009, "STATUS_REGISTRY_RECOVERED" }, { 0x4000000A, "STATUS_FT_READ_RECOVERY_FROM_BACKUP" }, { 0x4000000B, "STATUS_FT_WRITE_RECOVERY" }, { 0x4000000C, "STATUS_SERIAL_COUNTER_TIMEOUT" }, { 0x4000000D, "STATUS_NULL_LM_PASSWORD" }, { 0x4000000E, "STATUS_IMAGE_MACHINE_TYPE_MISMATCH" }, { 0x4000000F, "STATUS_RECEIVE_PARTIAL" }, { 0x40000010, "STATUS_RECEIVE_EXPEDITED" }, { 0x40000011, "STATUS_RECEIVE_PARTIAL_EXPEDITED" }, { 0x40000012, "STATUS_EVENT_DONE" }, { 0x40000013, "STATUS_EVENT_PENDING" }, { 0x40000014, "STATUS_CHECKING_FILE_SYSTEM" }, { 0x40000015, "STATUS_FATAL_APP_EXIT" }, { 0x40000016, "STATUS_PREDEFINED_HANDLE" }, { 0x40000017, "STATUS_WAS_UNLOCKED" }, { 0x40000018, "STATUS_SERVICE_NOTIFICATION" }, { 0x40000019, "STATUS_WAS_LOCKED" }, { 0x4000001A, "STATUS_LOG_HARD_ERROR" }, { 0x4000001B, "STATUS_ALREADY_WIN32" }, { 0x4000001C, "STATUS_WX86_UNSIMULATE" }, { 0x4000001D, "STATUS_WX86_CONTINUE" }, { 0x4000001E, "STATUS_WX86_SINGLE_STEP" }, { 0x4000001F, "STATUS_WX86_BREAKPOINT" }, { 0x40000020, "STATUS_WX86_EXCEPTION_CONTINUE" }, { 0x40000021, "STATUS_WX86_EXCEPTION_LASTCHANCE" }, { 0x40000022, "STATUS_WX86_EXCEPTION_CHAIN" }, { 0x40000023, "STATUS_IMAGE_MACHINE_TYPE_MISMATCH_EXE" }, { 0x40000024, "STATUS_NO_YIELD_PERFORMED" }, { 0x40000025, "STATUS_TIMER_RESUME_IGNORED" }, { 0x40000294, "STATUS_WAKE_SYSTEM" }, { 0x40020056, "RPC_NT_UUID_LOCAL_ONLY" }, { 0x400200AF, "RPC_NT_SEND_INCOMPLETE" }, { 0x80000001, "STATUS_GUARD_PAGE_VIOLATION" }, { 0x80000002, "STATUS_DATATYPE_MISALIGNMENT" }, { 0x80000003, "STATUS_BREAKPOINT" }, { 0x80000004, "STATUS_SINGLE_STEP" }, { 0x80000005, "STATUS_BUFFER_OVERFLOW" }, { 0x80000006, "STATUS_NO_MORE_FILES" }, { 0x80000007, "STATUS_WAKE_SYSTEM_DEBUGGER" }, { 0x8000000A, "STATUS_HANDLES_CLOSED" }, { 0x8000000B, "STATUS_NO_INHERITANCE" }, { 0x8000000C, "STATUS_GUID_SUBSTITUTION_MADE" }, { 0x8000000D, "STATUS_PARTIAL_COPY" }, { 0x8000000E, "STATUS_DEVICE_PAPER_EMPTY" }, { 0x8000000F, "STATUS_DEVICE_POWERED_OFF" }, { 0x80000010, "STATUS_DEVICE_OFF_LINE" }, { 0x80000011, "STATUS_DEVICE_BUSY" }, { 0x80000012, "STATUS_NO_MORE_EAS" }, { 0x80000013, "STATUS_INVALID_EA_NAME" }, { 0x80000014, "STATUS_EA_LIST_INCONSISTENT" }, { 0x80000015, "STATUS_INVALID_EA_FLAG" }, { 0x80000016, "STATUS_VERIFY_REQUIRED" }, { 0x80000017, "STATUS_EXTRANEOUS_INFORMATION" }, { 0x80000018, "STATUS_RXACT_COMMIT_NECESSARY" }, { 0x8000001A, "STATUS_NO_MORE_ENTRIES" }, { 0x8000001B, "STATUS_FILEMARK_DETECTED" }, { 0x8000001C, "STATUS_MEDIA_CHANGED" }, { 0x8000001D, "STATUS_BUS_RESET" }, { 0x8000001E, "STATUS_END_OF_MEDIA" }, { 0x8000001F, "STATUS_BEGINNING_OF_MEDIA" }, { 0x80000020, "STATUS_MEDIA_CHECK" }, { 0x80000021, "STATUS_SETMARK_DETECTED" }, { 0x80000022, "STATUS_NO_DATA_DETECTED" }, { 0x80000023, "STATUS_REDIRECTOR_HAS_OPEN_HANDLES" }, { 0x80000024, "STATUS_SERVER_HAS_OPEN_HANDLES" }, { 0x80000025, "STATUS_ALREADY_DISCONNECTED" }, { 0x80000026, "STATUS_LONGJUMP" }, { 0x8000002D, "STATUS_STOPPED_ON_SYMLINK" }, { 0x80000288, "STATUS_DEVICE_REQUIRES_CLEANING" }, { 0x80000289, "STATUS_DEVICE_DOOR_OPEN" }, { 0x80040111, "MAPI_E_LOGON_FAILED" }, { 0x80090300, "SEC_E_INSUFFICIENT_MEMORY" }, { 0x80090301, "SEC_E_INVALID_HANDLE" }, { 0x80090302, "SEC_E_UNSUPPORTED_FUNCTION" }, { 0x8009030B, "SEC_E_NO_IMPERSONATION" }, { 0x8009030D, "SEC_E_UNKNOWN_CREDENTIALS" }, { 0x8009030E, "SEC_E_NO_CREDENTIALS" }, { 0x8009030F, "SEC_E_MESSAGE_ALTERED" }, { 0x80090310, "SEC_E_OUT_OF_SEQUENCE" }, { 0x80090311, "SEC_E_NO_AUTHENTICATING_AUTHORITY" }, { 0xC0000001, "STATUS_UNSUCCESSFUL" }, { 0xC0000002, "STATUS_NOT_IMPLEMENTED" }, { 0xC0000003, "STATUS_INVALID_INFO_CLASS" }, { 0xC0000004, "STATUS_INFO_LENGTH_MISMATCH" }, { 0xC0000005, "STATUS_ACCESS_VIOLATION" }, { 0xC0000006, "STATUS_IN_PAGE_ERROR" }, { 0xC0000007, "STATUS_PAGEFILE_QUOTA" }, { 0xC0000008, "STATUS_INVALID_HANDLE" }, { 0xC0000009, "STATUS_BAD_INITIAL_STACK" }, { 0xC000000A, "STATUS_BAD_INITIAL_PC" }, { 0xC000000B, "STATUS_INVALID_CID" }, { 0xC000000C, "STATUS_TIMER_NOT_CANCELED" }, { 0xC000000D, "STATUS_INVALID_PARAMETER" }, { 0xC000000E, "STATUS_NO_SUCH_DEVICE" }, { 0xC000000F, "STATUS_NO_SUCH_FILE" }, { 0xC0000010, "STATUS_INVALID_DEVICE_REQUEST" }, { 0xC0000011, "STATUS_END_OF_FILE" }, { 0xC0000012, "STATUS_WRONG_VOLUME" }, { 0xC0000013, "STATUS_NO_MEDIA_IN_DEVICE" }, { 0xC0000014, "STATUS_UNRECOGNIZED_MEDIA" }, { 0xC0000015, "STATUS_NONEXISTENT_SECTOR" }, { 0xC0000016, "STATUS_MORE_PROCESSING_REQUIRED" }, { 0xC0000017, "STATUS_NO_MEMORY" }, { 0xC0000018, "STATUS_CONFLICTING_ADDRESSES" }, { 0xC0000019, "STATUS_NOT_MAPPED_VIEW" }, { 0xC000001A, "STATUS_UNABLE_TO_FREE_VM" }, { 0xC000001B, "STATUS_UNABLE_TO_DELETE_SECTION" }, { 0xC000001C, "STATUS_INVALID_SYSTEM_SERVICE" }, { 0xC000001D, "STATUS_ILLEGAL_INSTRUCTION" }, { 0xC000001E, "STATUS_INVALID_LOCK_SEQUENCE" }, { 0xC000001F, "STATUS_INVALID_VIEW_SIZE" }, { 0xC0000020, "STATUS_INVALID_FILE_FOR_SECTION" }, { 0xC0000021, "STATUS_ALREADY_COMMITTED" }, { 0xC0000022, "STATUS_ACCESS_DENIED" }, { 0xC0000023, "STATUS_BUFFER_TOO_SMALL" }, { 0xC0000024, "STATUS_OBJECT_TYPE_MISMATCH" }, { 0xC0000025, "STATUS_NONCONTINUABLE_EXCEPTION" }, { 0xC0000026, "STATUS_INVALID_DISPOSITION" }, { 0xC0000027, "STATUS_UNWIND" }, { 0xC0000028, "STATUS_BAD_STACK" }, { 0xC0000029, "STATUS_INVALID_UNWIND_TARGET" }, { 0xC000002A, "STATUS_NOT_LOCKED" }, { 0xC000002B, "STATUS_PARITY_ERROR" }, { 0xC000002C, "STATUS_UNABLE_TO_DECOMMIT_VM" }, { 0xC000002D, "STATUS_NOT_COMMITTED" }, { 0xC000002E, "STATUS_INVALID_PORT_ATTRIBUTES" }, { 0xC000002F, "STATUS_PORT_MESSAGE_TOO_LONG" }, { 0xC0000030, "STATUS_INVALID_PARAMETER_MIX" }, { 0xC0000031, "STATUS_INVALID_QUOTA_LOWER" }, { 0xC0000032, "STATUS_DISK_CORRUPT_ERROR" }, { 0xC0000033, "STATUS_OBJECT_NAME_INVALID" }, { 0xC0000034, "STATUS_OBJECT_NAME_NOT_FOUND" }, { 0xC0000035, "STATUS_OBJECT_NAME_COLLISION" }, { 0xC0000037, "STATUS_PORT_DISCONNECTED" }, { 0xC0000038, "STATUS_DEVICE_ALREADY_ATTACHED" }, { 0xC0000039, "STATUS_OBJECT_PATH_INVALID" }, { 0xC000003A, "STATUS_OBJECT_PATH_NOT_FOUND" }, { 0xC000003B, "STATUS_OBJECT_PATH_SYNTAX_BAD" }, { 0xC000003C, "STATUS_DATA_OVERRUN" }, { 0xC000003D, "STATUS_DATA_LATE_ERROR" }, { 0xC000003E, "STATUS_DATA_ERROR" }, { 0xC000003F, "STATUS_CRC_ERROR" }, { 0xC0000040, "STATUS_SECTION_TOO_BIG" }, { 0xC0000041, "STATUS_PORT_CONNECTION_REFUSED" }, { 0xC0000042, "STATUS_INVALID_PORT_HANDLE" }, { 0xC0000043, "STATUS_SHARING_VIOLATION" }, { 0xC0000044, "STATUS_QUOTA_EXCEEDED" }, { 0xC0000045, "STATUS_INVALID_PAGE_PROTECTION" }, { 0xC0000046, "STATUS_MUTANT_NOT_OWNED" }, { 0xC0000047, "STATUS_SEMAPHORE_LIMIT_EXCEEDED" }, { 0xC0000048, "STATUS_PORT_ALREADY_SET" }, { 0xC0000049, "STATUS_SECTION_NOT_IMAGE" }, { 0xC000004A, "STATUS_SUSPEND_COUNT_EXCEEDED" }, { 0xC000004B, "STATUS_THREAD_IS_TERMINATING" }, { 0xC000004C, "STATUS_BAD_WORKING_SET_LIMIT" }, { 0xC000004D, "STATUS_INCOMPATIBLE_FILE_MAP" }, { 0xC000004E, "STATUS_SECTION_PROTECTION" }, { 0xC000004F, "STATUS_EAS_NOT_SUPPORTED" }, { 0xC0000050, "STATUS_EA_TOO_LARGE" }, { 0xC0000051, "STATUS_NONEXISTENT_EA_ENTRY" }, { 0xC0000052, "STATUS_NO_EAS_ON_FILE" }, { 0xC0000053, "STATUS_EA_CORRUPT_ERROR" }, { 0xC0000054, "STATUS_FILE_LOCK_CONFLICT" }, { 0xC0000055, "STATUS_LOCK_NOT_GRANTED" }, { 0xC0000056, "STATUS_DELETE_PENDING" }, { 0xC0000057, "STATUS_CTL_FILE_NOT_SUPPORTED" }, { 0xC0000058, "STATUS_UNKNOWN_REVISION" }, { 0xC0000059, "STATUS_REVISION_MISMATCH" }, { 0xC000005A, "STATUS_INVALID_OWNER" }, { 0xC000005B, "STATUS_INVALID_PRIMARY_GROUP" }, { 0xC000005C, "STATUS_NO_IMPERSONATION_TOKEN" }, { 0xC000005D, "STATUS_CANT_DISABLE_MANDATORY" }, { 0xC000005E, "STATUS_NO_LOGON_SERVERS" }, { 0xC000005F, "STATUS_NO_SUCH_LOGON_SESSION" }, { 0xC0000060, "STATUS_NO_SUCH_PRIVILEGE" }, { 0xC0000061, "STATUS_PRIVILEGE_NOT_HELD" }, { 0xC0000062, "STATUS_INVALID_ACCOUNT_NAME" }, { 0xC0000063, "STATUS_USER_EXISTS" }, { 0xC0000064, "STATUS_NO_SUCH_USER" }, { 0xC0000065, "STATUS_GROUP_EXISTS" }, { 0xC0000066, "STATUS_NO_SUCH_GROUP" }, { 0xC0000067, "STATUS_MEMBER_IN_GROUP" }, { 0xC0000068, "STATUS_MEMBER_NOT_IN_GROUP" }, { 0xC0000069, "STATUS_LAST_ADMIN" }, { 0xC000006A, "STATUS_WRONG_PASSWORD" }, { 0xC000006B, "STATUS_ILL_FORMED_PASSWORD" }, { 0xC000006C, "STATUS_PASSWORD_RESTRICTION" }, { 0xC000006D, "STATUS_LOGON_FAILURE" }, { 0xC000006E, "STATUS_ACCOUNT_RESTRICTION" }, { 0xC000006F, "STATUS_INVALID_LOGON_HOURS" }, { 0xC0000070, "STATUS_INVALID_WORKSTATION" }, { 0xC0000071, "STATUS_PASSWORD_EXPIRED" }, { 0xC0000072, "STATUS_ACCOUNT_DISABLED" }, { 0xC0000073, "STATUS_NONE_MAPPED" }, { 0xC0000074, "STATUS_TOO_MANY_LUIDS_REQUESTED" }, { 0xC0000075, "STATUS_LUIDS_EXHAUSTED" }, { 0xC0000076, "STATUS_INVALID_SUB_AUTHORITY" }, { 0xC0000077, "STATUS_INVALID_ACL" }, { 0xC0000078, "STATUS_INVALID_SID" }, { 0xC0000079, "STATUS_INVALID_SECURITY_DESCR" }, { 0xC000007A, "STATUS_PROCEDURE_NOT_FOUND" }, { 0xC000007B, "STATUS_INVALID_IMAGE_FORMAT" }, { 0xC000007C, "STATUS_NO_TOKEN" }, { 0xC000007D, "STATUS_BAD_INHERITANCE_ACL" }, { 0xC000007E, "STATUS_RANGE_NOT_LOCKED" }, { 0xC000007F, "STATUS_DISK_FULL" }, { 0xC0000080, "STATUS_SERVER_DISABLED" }, { 0xC0000081, "STATUS_SERVER_NOT_DISABLED" }, { 0xC0000082, "STATUS_TOO_MANY_GUIDS_REQUESTED" }, { 0xC0000083, "STATUS_GUIDS_EXHAUSTED" }, { 0xC0000084, "STATUS_INVALID_ID_AUTHORITY" }, { 0xC0000085, "STATUS_AGENTS_EXHAUSTED" }, { 0xC0000086, "STATUS_INVALID_VOLUME_LABEL" }, { 0xC0000087, "STATUS_SECTION_NOT_EXTENDED" }, { 0xC0000088, "STATUS_NOT_MAPPED_DATA" }, { 0xC0000089, "STATUS_RESOURCE_DATA_NOT_FOUND" }, { 0xC000008A, "STATUS_RESOURCE_TYPE_NOT_FOUND" }, { 0xC000008B, "STATUS_RESOURCE_NAME_NOT_FOUND" }, { 0xC000008C, "STATUS_ARRAY_BOUNDS_EXCEEDED" }, { 0xC000008D, "STATUS_FLOAT_DENORMAL_OPERAND" }, { 0xC000008E, "STATUS_FLOAT_DIVIDE_BY_ZERO" }, { 0xC000008F, "STATUS_FLOAT_INEXACT_RESULT" }, { 0xC0000090, "STATUS_FLOAT_INVALID_OPERATION" }, { 0xC0000091, "STATUS_FLOAT_OVERFLOW" }, { 0xC0000092, "STATUS_FLOAT_STACK_CHECK" }, { 0xC0000093, "STATUS_FLOAT_UNDERFLOW" }, { 0xC0000094, "STATUS_INTEGER_DIVIDE_BY_ZERO" }, { 0xC0000095, "STATUS_INTEGER_OVERFLOW" }, { 0xC0000096, "STATUS_PRIVILEGED_INSTRUCTION" }, { 0xC0000097, "STATUS_TOO_MANY_PAGING_FILES" }, { 0xC0000098, "STATUS_FILE_INVALID" }, { 0xC0000099, "STATUS_ALLOTTED_SPACE_EXCEEDED" }, { 0xC000009A, "STATUS_INSUFFICIENT_RESOURCES" }, { 0xC000009B, "STATUS_DFS_EXIT_PATH_FOUND" }, { 0xC000009C, "STATUS_DEVICE_DATA_ERROR" }, { 0xC000009D, "STATUS_DEVICE_NOT_CONNECTED" }, { 0xC000009E, "STATUS_DEVICE_POWER_FAILURE" }, { 0xC000009F, "STATUS_FREE_VM_NOT_AT_BASE" }, { 0xC00000A0, "STATUS_MEMORY_NOT_ALLOCATED" }, { 0xC00000A1, "STATUS_WORKING_SET_QUOTA" }, { 0xC00000A2, "STATUS_MEDIA_WRITE_PROTECTED" }, { 0xC00000A3, "STATUS_DEVICE_NOT_READY" }, { 0xC00000A4, "STATUS_INVALID_GROUP_ATTRIBUTES" }, { 0xC00000A5, "STATUS_BAD_IMPERSONATION_LEVEL" }, { 0xC00000A6, "STATUS_CANT_OPEN_ANONYMOUS" }, { 0xC00000A7, "STATUS_BAD_VALIDATION_CLASS" }, { 0xC00000A8, "STATUS_BAD_TOKEN_TYPE" }, { 0xC00000A9, "STATUS_BAD_MASTER_BOOT_RECORD" }, { 0xC00000AA, "STATUS_INSTRUCTION_MISALIGNMENT" }, { 0xC00000AB, "STATUS_INSTANCE_NOT_AVAILABLE" }, { 0xC00000AC, "STATUS_PIPE_NOT_AVAILABLE" }, { 0xC00000AD, "STATUS_INVALID_PIPE_STATE" }, { 0xC00000AE, "STATUS_PIPE_BUSY" }, { 0xC00000AF, "STATUS_ILLEGAL_FUNCTION" }, { 0xC00000B0, "STATUS_PIPE_DISCONNECTED" }, { 0xC00000B1, "STATUS_PIPE_CLOSING" }, { 0xC00000B2, "STATUS_PIPE_CONNECTED" }, { 0xC00000B3, "STATUS_PIPE_LISTENING" }, { 0xC00000B4, "STATUS_INVALID_READ_MODE" }, { 0xC00000B5, "STATUS_IO_TIMEOUT" }, { 0xC00000B6, "STATUS_FILE_FORCED_CLOSED" }, { 0xC00000B7, "STATUS_PROFILING_NOT_STARTED" }, { 0xC00000B8, "STATUS_PROFILING_NOT_STOPPED" }, { 0xC00000B9, "STATUS_COULD_NOT_INTERPRET" }, { 0xC00000BA, "STATUS_FILE_IS_A_DIRECTORY" }, { 0xC00000BB, "STATUS_NOT_SUPPORTED" }, { 0xC00000BC, "STATUS_REMOTE_NOT_LISTENING" }, { 0xC00000BD, "STATUS_DUPLICATE_NAME" }, { 0xC00000BE, "STATUS_BAD_NETWORK_PATH" }, { 0xC00000BF, "STATUS_NETWORK_BUSY" }, { 0xC00000C0, "STATUS_DEVICE_DOES_NOT_EXIST" }, { 0xC00000C1, "STATUS_TOO_MANY_COMMANDS" }, { 0xC00000C2, "STATUS_ADAPTER_HARDWARE_ERROR" }, { 0xC00000C3, "STATUS_INVALID_NETWORK_RESPONSE" }, { 0xC00000C4, "STATUS_UNEXPECTED_NETWORK_ERROR" }, { 0xC00000C5, "STATUS_BAD_REMOTE_ADAPTER" }, { 0xC00000C6, "STATUS_PRINT_QUEUE_FULL" }, { 0xC00000C7, "STATUS_NO_SPOOL_SPACE" }, { 0xC00000C8, "STATUS_PRINT_CANCELLED" }, { 0xC00000C9, "STATUS_NETWORK_NAME_DELETED" }, { 0xC00000CA, "STATUS_NETWORK_ACCESS_DENIED" }, { 0xC00000CB, "STATUS_BAD_DEVICE_TYPE" }, { 0xC00000CC, "STATUS_BAD_NETWORK_NAME" }, { 0xC00000CD, "STATUS_TOO_MANY_NAMES" }, { 0xC00000CE, "STATUS_TOO_MANY_SESSIONS" }, { 0xC00000CF, "STATUS_SHARING_PAUSED" }, { 0xC00000D0, "STATUS_REQUEST_NOT_ACCEPTED" }, { 0xC00000D1, "STATUS_REDIRECTOR_PAUSED" }, { 0xC00000D2, "STATUS_NET_WRITE_FAULT" }, { 0xC00000D3, "STATUS_PROFILING_AT_LIMIT" }, { 0xC00000D4, "STATUS_NOT_SAME_DEVICE" }, { 0xC00000D5, "STATUS_FILE_RENAMED" }, { 0xC00000D6, "STATUS_VIRTUAL_CIRCUIT_CLOSED" }, { 0xC00000D7, "STATUS_NO_SECURITY_ON_OBJECT" }, { 0xC00000D8, "STATUS_CANT_WAIT" }, { 0xC00000D9, "STATUS_PIPE_EMPTY" }, { 0xC00000DA, "STATUS_CANT_ACCESS_DOMAIN_INFO" }, { 0xC00000DB, "STATUS_CANT_TERMINATE_SELF" }, { 0xC00000DC, "STATUS_INVALID_SERVER_STATE" }, { 0xC00000DD, "STATUS_INVALID_DOMAIN_STATE" }, { 0xC00000DE, "STATUS_INVALID_DOMAIN_ROLE" }, { 0xC00000DF, "STATUS_NO_SUCH_DOMAIN" }, { 0xC00000E0, "STATUS_DOMAIN_EXISTS" }, { 0xC00000E1, "STATUS_DOMAIN_LIMIT_EXCEEDED" }, { 0xC00000E2, "STATUS_OPLOCK_NOT_GRANTED" }, { 0xC00000E3, "STATUS_INVALID_OPLOCK_PROTOCOL" }, { 0xC00000E4, "STATUS_INTERNAL_DB_CORRUPTION" }, { 0xC00000E5, "STATUS_INTERNAL_ERROR" }, { 0xC00000E6, "STATUS_GENERIC_NOT_MAPPED" }, { 0xC00000E7, "STATUS_BAD_DESCRIPTOR_FORMAT" }, { 0xC00000E8, "STATUS_INVALID_USER_BUFFER" }, { 0xC00000E9, "STATUS_UNEXPECTED_IO_ERROR" }, { 0xC00000EA, "STATUS_UNEXPECTED_MM_CREATE_ERR" }, { 0xC00000EB, "STATUS_UNEXPECTED_MM_MAP_ERROR" }, { 0xC00000EC, "STATUS_UNEXPECTED_MM_EXTEND_ERR" }, { 0xC00000ED, "STATUS_NOT_LOGON_PROCESS" }, { 0xC00000EE, "STATUS_LOGON_SESSION_EXISTS" }, { 0xC00000EF, "STATUS_INVALID_PARAMETER_1" }, { 0xC00000F0, "STATUS_INVALID_PARAMETER_2" }, { 0xC00000F1, "STATUS_INVALID_PARAMETER_3" }, { 0xC00000F2, "STATUS_INVALID_PARAMETER_4" }, { 0xC00000F3, "STATUS_INVALID_PARAMETER_5" }, { 0xC00000F4, "STATUS_INVALID_PARAMETER_6" }, { 0xC00000F5, "STATUS_INVALID_PARAMETER_7" }, { 0xC00000F6, "STATUS_INVALID_PARAMETER_8" }, { 0xC00000F7, "STATUS_INVALID_PARAMETER_9" }, { 0xC00000F8, "STATUS_INVALID_PARAMETER_10" }, { 0xC00000F9, "STATUS_INVALID_PARAMETER_11" }, { 0xC00000FA, "STATUS_INVALID_PARAMETER_12" }, { 0xC00000FB, "STATUS_REDIRECTOR_NOT_STARTED" }, { 0xC00000FC, "STATUS_REDIRECTOR_STARTED" }, { 0xC00000FD, "STATUS_STACK_OVERFLOW" }, { 0xC00000FE, "STATUS_NO_SUCH_PACKAGE" }, { 0xC00000FF, "STATUS_BAD_FUNCTION_TABLE" }, { 0xC0000100, "STATUS_VARIABLE_NOT_FOUND" }, { 0xC0000101, "STATUS_DIRECTORY_NOT_EMPTY" }, { 0xC0000102, "STATUS_FILE_CORRUPT_ERROR" }, { 0xC0000103, "STATUS_NOT_A_DIRECTORY" }, { 0xC0000104, "STATUS_BAD_LOGON_SESSION_STATE" }, { 0xC0000105, "STATUS_LOGON_SESSION_COLLISION" }, { 0xC0000106, "STATUS_NAME_TOO_LONG" }, { 0xC0000107, "STATUS_FILES_OPEN" }, { 0xC0000108, "STATUS_CONNECTION_IN_USE" }, { 0xC0000109, "STATUS_MESSAGE_NOT_FOUND" }, { 0xC000010A, "STATUS_PROCESS_IS_TERMINATING" }, { 0xC000010B, "STATUS_INVALID_LOGON_TYPE" }, { 0xC000010C, "STATUS_NO_GUID_TRANSLATION" }, { 0xC000010D, "STATUS_CANNOT_IMPERSONATE" }, { 0xC000010E, "STATUS_IMAGE_ALREADY_LOADED" }, { 0xC000010F, "STATUS_ABIOS_NOT_PRESENT" }, { 0xC0000110, "STATUS_ABIOS_LID_NOT_EXIST" }, { 0xC0000111, "STATUS_ABIOS_LID_ALREADY_OWNED" }, { 0xC0000112, "STATUS_ABIOS_NOT_LID_OWNER" }, { 0xC0000113, "STATUS_ABIOS_INVALID_COMMAND" }, { 0xC0000114, "STATUS_ABIOS_INVALID_LID" }, { 0xC0000115, "STATUS_ABIOS_SELECTOR_NOT_AVAILABLE" }, { 0xC0000116, "STATUS_ABIOS_INVALID_SELECTOR" }, { 0xC0000117, "STATUS_NO_LDT" }, { 0xC0000118, "STATUS_INVALID_LDT_SIZE" }, { 0xC0000119, "STATUS_INVALID_LDT_OFFSET" }, { 0xC000011A, "STATUS_INVALID_LDT_DESCRIPTOR" }, { 0xC000011B, "STATUS_INVALID_IMAGE_NE_FORMAT" }, { 0xC000011C, "STATUS_RXACT_INVALID_STATE" }, { 0xC000011D, "STATUS_RXACT_COMMIT_FAILURE" }, { 0xC000011E, "STATUS_MAPPED_FILE_SIZE_ZERO" }, { 0xC000011F, "STATUS_TOO_MANY_OPENED_FILES" }, { 0xC0000120, "STATUS_CANCELLED" }, { 0xC0000121, "STATUS_CANNOT_DELETE" }, { 0xC0000122, "STATUS_INVALID_COMPUTER_NAME" }, { 0xC0000123, "STATUS_FILE_DELETED" }, { 0xC0000124, "STATUS_SPECIAL_ACCOUNT" }, { 0xC0000125, "STATUS_SPECIAL_GROUP" }, { 0xC0000126, "STATUS_SPECIAL_USER" }, { 0xC0000127, "STATUS_MEMBERS_PRIMARY_GROUP" }, { 0xC0000128, "STATUS_FILE_CLOSED" }, { 0xC0000129, "STATUS_TOO_MANY_THREADS" }, { 0xC000012A, "STATUS_THREAD_NOT_IN_PROCESS" }, { 0xC000012B, "STATUS_TOKEN_ALREADY_IN_USE" }, { 0xC000012C, "STATUS_PAGEFILE_QUOTA_EXCEEDED" }, { 0xC000012D, "STATUS_COMMITMENT_LIMIT" }, { 0xC000012E, "STATUS_INVALID_IMAGE_LE_FORMAT" }, { 0xC000012F, "STATUS_INVALID_IMAGE_NOT_MZ" }, { 0xC0000130, "STATUS_INVALID_IMAGE_PROTECT" }, { 0xC0000131, "STATUS_INVALID_IMAGE_WIN_16" }, { 0xC0000132, "STATUS_LOGON_SERVER_CONFLICT" }, { 0xC0000133, "STATUS_TIME_DIFFERENCE_AT_DC" }, { 0xC0000134, "STATUS_SYNCHRONIZATION_REQUIRED" }, { 0xC0000135, "STATUS_DLL_NOT_FOUND" }, { 0xC0000136, "STATUS_OPEN_FAILED" }, { 0xC0000137, "STATUS_IO_PRIVILEGE_FAILED" }, { 0xC0000138, "STATUS_ORDINAL_NOT_FOUND" }, { 0xC0000139, "STATUS_ENTRYPOINT_NOT_FOUND" }, { 0xC000013A, "STATUS_CONTROL_C_EXIT" }, { 0xC000013B, "STATUS_LOCAL_DISCONNECT" }, { 0xC000013C, "STATUS_REMOTE_DISCONNECT" }, { 0xC000013D, "STATUS_REMOTE_RESOURCES" }, { 0xC000013E, "STATUS_LINK_FAILED" }, { 0xC000013F, "STATUS_LINK_TIMEOUT" }, { 0xC0000140, "STATUS_INVALID_CONNECTION" }, { 0xC0000141, "STATUS_INVALID_ADDRESS" }, { 0xC0000142, "STATUS_DLL_INIT_FAILED" }, { 0xC0000143, "STATUS_MISSING_SYSTEMFILE" }, { 0xC0000144, "STATUS_UNHANDLED_EXCEPTION" }, { 0xC0000145, "STATUS_APP_INIT_FAILURE" }, { 0xC0000146, "STATUS_PAGEFILE_CREATE_FAILED" }, { 0xC0000147, "STATUS_NO_PAGEFILE" }, { 0xC0000148, "STATUS_INVALID_LEVEL" }, { 0xC0000149, "STATUS_WRONG_PASSWORD_CORE" }, { 0xC000014A, "STATUS_ILLEGAL_FLOAT_CONTEXT" }, { 0xC000014B, "STATUS_PIPE_BROKEN" }, { 0xC000014C, "STATUS_REGISTRY_CORRUPT" }, { 0xC000014D, "STATUS_REGISTRY_IO_FAILED" }, { 0xC000014E, "STATUS_NO_EVENT_PAIR" }, { 0xC000014F, "STATUS_UNRECOGNIZED_VOLUME" }, { 0xC0000150, "STATUS_SERIAL_NO_DEVICE_INITED" }, { 0xC0000151, "STATUS_NO_SUCH_ALIAS" }, { 0xC0000152, "STATUS_MEMBER_NOT_IN_ALIAS" }, { 0xC0000153, "STATUS_MEMBER_IN_ALIAS" }, { 0xC0000154, "STATUS_ALIAS_EXISTS" }, { 0xC0000155, "STATUS_LOGON_NOT_GRANTED" }, { 0xC0000156, "STATUS_TOO_MANY_SECRETS" }, { 0xC0000157, "STATUS_SECRET_TOO_LONG" }, { 0xC0000158, "STATUS_INTERNAL_DB_ERROR" }, { 0xC0000159, "STATUS_FULLSCREEN_MODE" }, { 0xC000015A, "STATUS_TOO_MANY_CONTEXT_IDS" }, { 0xC000015B, "STATUS_LOGON_TYPE_NOT_GRANTED" }, { 0xC000015C, "STATUS_NOT_REGISTRY_FILE" }, { 0xC000015D, "STATUS_NT_CROSS_ENCRYPTION_REQUIRED" }, { 0xC000015E, "STATUS_DOMAIN_CTRLR_CONFIG_ERROR" }, { 0xC000015F, "STATUS_FT_MISSING_MEMBER" }, { 0xC0000160, "STATUS_ILL_FORMED_SERVICE_ENTRY" }, { 0xC0000161, "STATUS_ILLEGAL_CHARACTER" }, { 0xC0000162, "STATUS_UNMAPPABLE_CHARACTER" }, { 0xC0000163, "STATUS_UNDEFINED_CHARACTER" }, { 0xC0000164, "STATUS_FLOPPY_VOLUME" }, { 0xC0000165, "STATUS_FLOPPY_ID_MARK_NOT_FOUND" }, { 0xC0000166, "STATUS_FLOPPY_WRONG_CYLINDER" }, { 0xC0000167, "STATUS_FLOPPY_UNKNOWN_ERROR" }, { 0xC0000168, "STATUS_FLOPPY_BAD_REGISTERS" }, { 0xC0000169, "STATUS_DISK_RECALIBRATE_FAILED" }, { 0xC000016A, "STATUS_DISK_OPERATION_FAILED" }, { 0xC000016B, "STATUS_DISK_RESET_FAILED" }, { 0xC000016C, "STATUS_SHARED_IRQ_BUSY" }, { 0xC000016D, "STATUS_FT_ORPHANING" }, { 0xC000016E, "STATUS_BIOS_FAILED_TO_CONNECT_INTERRUPT" }, { 0xC0000172, "STATUS_PARTITION_FAILURE" }, { 0xC0000173, "STATUS_INVALID_BLOCK_LENGTH" }, { 0xC0000174, "STATUS_DEVICE_NOT_PARTITIONED" }, { 0xC0000175, "STATUS_UNABLE_TO_LOCK_MEDIA" }, { 0xC0000176, "STATUS_UNABLE_TO_UNLOAD_MEDIA" }, { 0xC0000177, "STATUS_EOM_OVERFLOW" }, { 0xC0000178, "STATUS_NO_MEDIA" }, { 0xC000017A, "STATUS_NO_SUCH_MEMBER" }, { 0xC000017B, "STATUS_INVALID_MEMBER" }, { 0xC000017C, "STATUS_KEY_DELETED" }, { 0xC000017D, "STATUS_NO_LOG_SPACE" }, { 0xC000017E, "STATUS_TOO_MANY_SIDS" }, { 0xC000017F, "STATUS_LM_CROSS_ENCRYPTION_REQUIRED" }, { 0xC0000180, "STATUS_KEY_HAS_CHILDREN" }, { 0xC0000181, "STATUS_CHILD_MUST_BE_VOLATILE" }, { 0xC0000182, "STATUS_DEVICE_CONFIGURATION_ERROR" }, { 0xC0000183, "STATUS_DRIVER_INTERNAL_ERROR" }, { 0xC0000184, "STATUS_INVALID_DEVICE_STATE" }, { 0xC0000185, "STATUS_IO_DEVICE_ERROR" }, { 0xC0000186, "STATUS_DEVICE_PROTOCOL_ERROR" }, { 0xC0000187, "STATUS_BACKUP_CONTROLLER" }, { 0xC0000188, "STATUS_LOG_FILE_FULL" }, { 0xC0000189, "STATUS_TOO_LATE" }, { 0xC000018A, "STATUS_NO_TRUST_LSA_SECRET" }, { 0xC000018B, "STATUS_NO_TRUST_SAM_ACCOUNT" }, { 0xC000018C, "STATUS_TRUSTED_DOMAIN_FAILURE" }, { 0xC000018D, "STATUS_TRUSTED_RELATIONSHIP_FAILURE" }, { 0xC000018E, "STATUS_EVENTLOG_FILE_CORRUPT" }, { 0xC000018F, "STATUS_EVENTLOG_CANT_START" }, { 0xC0000190, "STATUS_TRUST_FAILURE" }, { 0xC0000191, "STATUS_MUTANT_LIMIT_EXCEEDED" }, { 0xC0000192, "STATUS_NETLOGON_NOT_STARTED" }, { 0xC0000193, "STATUS_ACCOUNT_EXPIRED" }, { 0xC0000194, "STATUS_POSSIBLE_DEADLOCK" }, { 0xC0000195, "STATUS_NETWORK_CREDENTIAL_CONFLICT" }, { 0xC0000196, "STATUS_REMOTE_SESSION_LIMIT" }, { 0xC0000197, "STATUS_EVENTLOG_FILE_CHANGED" }, { 0xC0000198, "STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT" }, { 0xC0000199, "STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT" }, { 0xC000019A, "STATUS_NOLOGON_SERVER_TRUST_ACCOUNT" }, { 0xC000019B, "STATUS_DOMAIN_TRUST_INCONSISTENT" }, { 0xC000019C, "STATUS_FS_DRIVER_REQUIRED" }, { 0xC0000202, "STATUS_NO_USER_SESSION_KEY" }, { 0xC0000203, "STATUS_USER_SESSION_DELETED" }, { 0xC0000204, "STATUS_RESOURCE_LANG_NOT_FOUND" }, { 0xC0000205, "STATUS_INSUFF_SERVER_RESOURCES" }, { 0xC0000206, "STATUS_INVALID_BUFFER_SIZE" }, { 0xC0000207, "STATUS_INVALID_ADDRESS_COMPONENT" }, { 0xC0000208, "STATUS_INVALID_ADDRESS_WILDCARD" }, { 0xC0000209, "STATUS_TOO_MANY_ADDRESSES" }, { 0xC000020A, "STATUS_ADDRESS_ALREADY_EXISTS" }, { 0xC000020B, "STATUS_ADDRESS_CLOSED" }, { 0xC000020C, "STATUS_CONNECTION_DISCONNECTED" }, { 0xC000020D, "STATUS_CONNECTION_RESET" }, { 0xC000020E, "STATUS_TOO_MANY_NODES" }, { 0xC000020F, "STATUS_TRANSACTION_ABORTED" }, { 0xC0000210, "STATUS_TRANSACTION_TIMED_OUT" }, { 0xC0000211, "STATUS_TRANSACTION_NO_RELEASE" }, { 0xC0000212, "STATUS_TRANSACTION_NO_MATCH" }, { 0xC0000213, "STATUS_TRANSACTION_RESPONDED" }, { 0xC0000214, "STATUS_TRANSACTION_INVALID_ID" }, { 0xC0000215, "STATUS_TRANSACTION_INVALID_TYPE" }, { 0xC0000216, "STATUS_NOT_SERVER_SESSION" }, { 0xC0000217, "STATUS_NOT_CLIENT_SESSION" }, { 0xC0000218, "STATUS_CANNOT_LOAD_REGISTRY_FILE" }, { 0xC0000219, "STATUS_DEBUG_ATTACH_FAILED" }, { 0xC000021A, "STATUS_SYSTEM_PROCESS_TERMINATED" }, { 0xC000021B, "STATUS_DATA_NOT_ACCEPTED" }, { 0xC000021C, "STATUS_NO_BROWSER_SERVERS_FOUND" }, { 0xC000021D, "STATUS_VDM_HARD_ERROR" }, { 0xC000021E, "STATUS_DRIVER_CANCEL_TIMEOUT" }, { 0xC000021F, "STATUS_REPLY_MESSAGE_MISMATCH" }, { 0xC0000220, "STATUS_MAPPED_ALIGNMENT" }, { 0xC0000221, "STATUS_IMAGE_CHECKSUM_MISMATCH" }, { 0xC0000222, "STATUS_LOST_WRITEBEHIND_DATA" }, { 0xC0000223, "STATUS_CLIENT_SERVER_PARAMETERS_INVALID" }, { 0xC0000224, "STATUS_PASSWORD_MUST_CHANGE" }, { 0xC0000225, "STATUS_NOT_FOUND" }, { 0xC0000226, "STATUS_NOT_TINY_STREAM" }, { 0xC0000227, "STATUS_RECOVERY_FAILURE" }, { 0xC0000228, "STATUS_STACK_OVERFLOW_READ" }, { 0xC0000229, "STATUS_FAIL_CHECK" }, { 0xC000022A, "STATUS_DUPLICATE_OBJECTID" }, { 0xC000022B, "STATUS_OBJECTID_EXISTS" }, { 0xC000022C, "STATUS_CONVERT_TO_LARGE" }, { 0xC000022D, "STATUS_RETRY" }, { 0xC000022E, "STATUS_FOUND_OUT_OF_SCOPE" }, { 0xC000022F, "STATUS_ALLOCATE_BUCKET" }, { 0xC0000230, "STATUS_PROPSET_NOT_FOUND" }, { 0xC0000231, "STATUS_MARSHALL_OVERFLOW" }, { 0xC0000232, "STATUS_INVALID_VARIANT" }, { 0xC0000233, "STATUS_DOMAIN_CONTROLLER_NOT_FOUND" }, { 0xC0000234, "STATUS_ACCOUNT_LOCKED_OUT" }, { 0xC0000235, "STATUS_HANDLE_NOT_CLOSABLE" }, { 0xC0000236, "STATUS_CONNECTION_REFUSED" }, { 0xC0000237, "STATUS_GRACEFUL_DISCONNECT" }, { 0xC0000238, "STATUS_ADDRESS_ALREADY_ASSOCIATED" }, { 0xC0000239, "STATUS_ADDRESS_NOT_ASSOCIATED" }, { 0xC000023A, "STATUS_CONNECTION_INVALID" }, { 0xC000023B, "STATUS_CONNECTION_ACTIVE" }, { 0xC000023C, "STATUS_NETWORK_UNREACHABLE" }, { 0xC000023D, "STATUS_HOST_UNREACHABLE" }, { 0xC000023E, "STATUS_PROTOCOL_UNREACHABLE" }, { 0xC000023F, "STATUS_PORT_UNREACHABLE" }, { 0xC0000240, "STATUS_REQUEST_ABORTED" }, { 0xC0000241, "STATUS_CONNECTION_ABORTED" }, { 0xC0000242, "STATUS_BAD_COMPRESSION_BUFFER" }, { 0xC0000243, "STATUS_USER_MAPPED_FILE" }, { 0xC0000244, "STATUS_AUDIT_FAILED" }, { 0xC0000245, "STATUS_TIMER_RESOLUTION_NOT_SET" }, { 0xC0000246, "STATUS_CONNECTION_COUNT_LIMIT" }, { 0xC0000247, "STATUS_LOGIN_TIME_RESTRICTION" }, { 0xC0000248, "STATUS_LOGIN_WKSTA_RESTRICTION" }, { 0xC0000249, "STATUS_IMAGE_MP_UP_MISMATCH" }, { 0xC0000250, "STATUS_INSUFFICIENT_LOGON_INFO" }, { 0xC0000251, "STATUS_BAD_DLL_ENTRYPOINT" }, { 0xC0000252, "STATUS_BAD_SERVICE_ENTRYPOINT" }, { 0xC0000253, "STATUS_LPC_REPLY_LOST" }, { 0xC0000254, "STATUS_IP_ADDRESS_CONFLICT1" }, { 0xC0000255, "STATUS_IP_ADDRESS_CONFLICT2" }, { 0xC0000256, "STATUS_REGISTRY_QUOTA_LIMIT" }, { 0xC0000257, "STATUS_PATH_NOT_COVERED" }, { 0xC0000258, "STATUS_NO_CALLBACK_ACTIVE" }, { 0xC0000259, "STATUS_LICENSE_QUOTA_EXCEEDED" }, { 0xC000025A, "STATUS_PWD_TOO_SHORT" }, { 0xC000025B, "STATUS_PWD_TOO_RECENT" }, { 0xC000025C, "STATUS_PWD_HISTORY_CONFLICT" }, { 0xC000025E, "STATUS_PLUGPLAY_NO_DEVICE" }, { 0xC000025F, "STATUS_UNSUPPORTED_COMPRESSION" }, { 0xC0000260, "STATUS_INVALID_HW_PROFILE" }, { 0xC0000261, "STATUS_INVALID_PLUGPLAY_DEVICE_PATH" }, { 0xC0000262, "STATUS_DRIVER_ORDINAL_NOT_FOUND" }, { 0xC0000263, "STATUS_DRIVER_ENTRYPOINT_NOT_FOUND" }, { 0xC0000264, "STATUS_RESOURCE_NOT_OWNED" }, { 0xC0000265, "STATUS_TOO_MANY_LINKS" }, { 0xC0000266, "STATUS_QUOTA_LIST_INCONSISTENT" }, { 0xC0000267, "STATUS_FILE_IS_OFFLINE" }, { 0xC0000268, "STATUS_EVALUATION_EXPIRATION" }, { 0xC0000269, "STATUS_ILLEGAL_DLL_RELOCATION" }, { 0xC000026A, "STATUS_LICENSE_VIOLATION" }, { 0xC000026B, "STATUS_DLL_INIT_FAILED_LOGOFF" }, { 0xC000026C, "STATUS_DRIVER_UNABLE_TO_LOAD" }, { 0xC000026D, "STATUS_DFS_UNAVAILABLE" }, { 0xC000026E, "STATUS_VOLUME_DISMOUNTED" }, { 0xC000026F, "STATUS_WX86_INTERNAL_ERROR" }, { 0xC0000270, "STATUS_WX86_FLOAT_STACK_CHECK" }, { 0xC0000271, "STATUS_VALIDATE_CONTINUE" }, { 0xC0000272, "STATUS_NO_MATCH" }, { 0xC0000273, "STATUS_NO_MORE_MATCHES" }, { 0xC0000275, "STATUS_NOT_A_REPARSE_POINT" }, { 0xC0000276, "STATUS_IO_REPARSE_TAG_INVALID" }, { 0xC0000277, "STATUS_IO_REPARSE_TAG_MISMATCH" }, { 0xC0000278, "STATUS_IO_REPARSE_DATA_INVALID" }, { 0xC0000279, "STATUS_IO_REPARSE_TAG_NOT_HANDLED" }, { 0xC0000280, "STATUS_REPARSE_POINT_NOT_RESOLVED" }, { 0xC0000281, "STATUS_DIRECTORY_IS_A_REPARSE_POINT" }, { 0xC0000282, "STATUS_RANGE_LIST_CONFLICT" }, { 0xC0000283, "STATUS_SOURCE_ELEMENT_EMPTY" }, { 0xC0000284, "STATUS_DESTINATION_ELEMENT_FULL" }, { 0xC0000285, "STATUS_ILLEGAL_ELEMENT_ADDRESS" }, { 0xC0000286, "STATUS_MAGAZINE_NOT_PRESENT" }, { 0xC0000287, "STATUS_REINITIALIZATION_NEEDED" }, { 0xC000028A, "STATUS_ENCRYPTION_FAILED" }, { 0xC000028B, "STATUS_DECRYPTION_FAILED" }, { 0xC000028C, "STATUS_RANGE_NOT_FOUND" }, { 0xC000028D, "STATUS_NO_RECOVERY_POLICY" }, { 0xC000028E, "STATUS_NO_EFS" }, { 0xC000028F, "STATUS_WRONG_EFS" }, { 0xC0000290, "STATUS_NO_USER_KEYS" }, { 0xC0000291, "STATUS_FILE_NOT_ENCRYPTED" }, { 0xC0000292, "STATUS_NOT_EXPORT_FORMAT" }, { 0xC0000293, "STATUS_FILE_ENCRYPTED" }, { 0xC0000295, "STATUS_WMI_GUID_NOT_FOUND" }, { 0xC0000296, "STATUS_WMI_INSTANCE_NOT_FOUND" }, { 0xC0000297, "STATUS_WMI_ITEMID_NOT_FOUND" }, { 0xC0000298, "STATUS_WMI_TRY_AGAIN" }, { 0xC0000299, "STATUS_SHARED_POLICY" }, { 0xC000029A, "STATUS_POLICY_OBJECT_NOT_FOUND" }, { 0xC000029B, "STATUS_POLICY_ONLY_IN_DS" }, { 0xC000029C, "STATUS_VOLUME_NOT_UPGRADED" }, { 0xC000029D, "STATUS_REMOTE_STORAGE_NOT_ACTIVE" }, { 0xC000029E, "STATUS_REMOTE_STORAGE_MEDIA_ERROR" }, { 0xC000029F, "STATUS_NO_TRACKING_SERVICE" }, { 0xC00002A0, "STATUS_SERVER_SID_MISMATCH" }, { 0xC00002A1, "STATUS_DS_NO_ATTRIBUTE_OR_VALUE" }, { 0xC00002A2, "STATUS_DS_INVALID_ATTRIBUTE_SYNTAX" }, { 0xC00002A3, "STATUS_DS_ATTRIBUTE_TYPE_UNDEFINED" }, { 0xC00002A4, "STATUS_DS_ATTRIBUTE_OR_VALUE_EXISTS" }, { 0xC00002A5, "STATUS_DS_BUSY" }, { 0xC00002A6, "STATUS_DS_UNAVAILABLE" }, { 0xC00002A7, "STATUS_DS_NO_RIDS_ALLOCATED" }, { 0xC00002A8, "STATUS_DS_NO_MORE_RIDS" }, { 0xC00002A9, "STATUS_DS_INCORRECT_ROLE_OWNER" }, { 0xC00002AA, "STATUS_DS_RIDMGR_INIT_ERROR" }, { 0xC00002AB, "STATUS_DS_OBJ_CLASS_VIOLATION" }, { 0xC00002AC, "STATUS_DS_CANT_ON_NON_LEAF" }, { 0xC00002AD, "STATUS_DS_CANT_ON_RDN" }, { 0xC00002AE, "STATUS_DS_CANT_MOD_OBJ_CLASS" }, { 0xC00002AF, "STATUS_DS_CROSS_DOM_MOVE_FAILED" }, { 0xC00002B0, "STATUS_DS_GC_NOT_AVAILABLE" }, { 0xC00002B1, "STATUS_DIRECTORY_SERVICE_REQUIRED" }, { 0xC00002B2, "STATUS_REPARSE_ATTRIBUTE_CONFLICT" }, { 0xC00002B3, "STATUS_CANT_ENABLE_DENY_ONLY" }, { 0xC00002B4, "STATUS_FLOAT_MULTIPLE_FAULTS" }, { 0xC00002B5, "STATUS_FLOAT_MULTIPLE_TRAPS" }, { 0xC00002B6, "STATUS_DEVICE_REMOVED" }, { 0xC00002B7, "STATUS_JOURNAL_DELETE_IN_PROGRESS" }, { 0xC00002B8, "STATUS_JOURNAL_NOT_ACTIVE" }, { 0xC00002B9, "STATUS_NOINTERFACE" }, { 0xC00002C1, "STATUS_DS_ADMIN_LIMIT_EXCEEDED" }, { 0xC00002C2, "STATUS_DRIVER_FAILED_SLEEP" }, { 0xC00002C3, "STATUS_MUTUAL_AUTHENTICATION_FAILED" }, { 0xC00002C4, "STATUS_CORRUPT_SYSTEM_FILE" }, { 0xC00002C5, "STATUS_DATATYPE_MISALIGNMENT_ERROR" }, { 0xC00002C6, "STATUS_WMI_READ_ONLY" }, { 0xC00002C7, "STATUS_WMI_SET_FAILURE" }, { 0xC00002C8, "STATUS_COMMITMENT_MINIMUM" }, { 0xC00002C9, "STATUS_REG_NAT_CONSUMPTION" }, { 0xC00002CA, "STATUS_TRANSPORT_FULL" }, { 0xC00002CB, "STATUS_DS_SAM_INIT_FAILURE" }, { 0xC00002CC, "STATUS_ONLY_IF_CONNECTED" }, { 0xC00002CD, "STATUS_DS_SENSITIVE_GROUP_VIOLATION" }, { 0xC00002CE, "STATUS_PNP_RESTART_ENUMERATION" }, { 0xC00002CF, "STATUS_JOURNAL_ENTRY_DELETED" }, { 0xC00002D0, "STATUS_DS_CANT_MOD_PRIMARYGROUPID" }, { 0xC00002D1, "STATUS_SYSTEM_IMAGE_BAD_SIGNATURE" }, { 0xC00002D2, "STATUS_PNP_REBOOT_REQUIRED" }, { 0xC00002D3, "STATUS_POWER_STATE_INVALID" }, { 0xC00002D4, "STATUS_DS_INVALID_GROUP_TYPE" }, { 0xC00002D5, "STATUS_DS_NO_NEST_GLOBALGROUP_IN_MIXEDDOMAIN" }, { 0xC00002D6, "STATUS_DS_NO_NEST_LOCALGROUP_IN_MIXEDDOMAIN" }, { 0xC00002D7, "STATUS_DS_GLOBAL_CANT_HAVE_LOCAL_MEMBER" }, { 0xC00002D8, "STATUS_DS_GLOBAL_CANT_HAVE_UNIVERSAL_MEMBER" }, { 0xC00002D9, "STATUS_DS_UNIVERSAL_CANT_HAVE_LOCAL_MEMBER" }, { 0xC00002DA, "STATUS_DS_GLOBAL_CANT_HAVE_CROSSDOMAIN_MEMBER" }, { 0xC00002DB, "STATUS_DS_LOCAL_CANT_HAVE_CROSSDOMAIN_LOCAL_MEMBER" }, { 0xC00002DC, "STATUS_DS_HAVE_PRIMARY_MEMBERS" }, { 0xC00002DD, "STATUS_WMI_NOT_SUPPORTED" }, { 0xC00002DE, "STATUS_INSUFFICIENT_POWER" }, { 0xC00002DF, "STATUS_SAM_NEED_BOOTKEY_PASSWORD" }, { 0xC00002E0, "STATUS_SAM_NEED_BOOTKEY_FLOPPY" }, { 0xC00002E1, "STATUS_DS_CANT_START" }, { 0xC00002E2, "STATUS_DS_INIT_FAILURE" }, { 0xC00002E3, "STATUS_SAM_INIT_FAILURE" }, { 0xC00002E4, "STATUS_DS_GC_REQUIRED" }, { 0xC00002E5, "STATUS_DS_LOCAL_MEMBER_OF_LOCAL_ONLY" }, { 0xC00002E6, "STATUS_DS_NO_FPO_IN_UNIVERSAL_GROUPS" }, { 0xC00002E7, "STATUS_DS_MACHINE_ACCOUNT_QUOTA_EXCEEDED" }, { 0xC00002E8, "STATUS_MULTIPLE_FAULT_VIOLATION" }, { 0xC0000300, "STATUS_NOT_SUPPORTED_ON_SBS" }, { 0xC000035C, "STATUS_NETWORK_SESSION_EXPIRED" }, { 0xC0009898, "STATUS_WOW_ASSERTION" }, { 0xC0020001, "RPC_NT_INVALID_STRING_BINDING" }, { 0xC0020002, "RPC_NT_WRONG_KIND_OF_BINDING" }, { 0xC0020003, "RPC_NT_INVALID_BINDING" }, { 0xC0020004, "RPC_NT_PROTSEQ_NOT_SUPPORTED" }, { 0xC0020005, "RPC_NT_INVALID_RPC_PROTSEQ" }, { 0xC0020006, "RPC_NT_INVALID_STRING_UUID" }, { 0xC0020007, "RPC_NT_INVALID_ENDPOINT_FORMAT" }, { 0xC0020008, "RPC_NT_INVALID_NET_ADDR" }, { 0xC0020009, "RPC_NT_NO_ENDPOINT_FOUND" }, { 0xC002000A, "RPC_NT_INVALID_TIMEOUT" }, { 0xC002000B, "RPC_NT_OBJECT_NOT_FOUND" }, { 0xC002000C, "RPC_NT_ALREADY_REGISTERED" }, { 0xC002000D, "RPC_NT_TYPE_ALREADY_REGISTERED" }, { 0xC002000E, "RPC_NT_ALREADY_LISTENING" }, { 0xC002000F, "RPC_NT_NO_PROTSEQS_REGISTERED" }, { 0xC0020010, "RPC_NT_NOT_LISTENING" }, { 0xC0020011, "RPC_NT_UNKNOWN_MGR_TYPE" }, { 0xC0020012, "RPC_NT_UNKNOWN_IF" }, { 0xC0020013, "RPC_NT_NO_BINDINGS" }, { 0xC0020014, "RPC_NT_NO_PROTSEQS" }, { 0xC0020015, "RPC_NT_CANT_CREATE_ENDPOINT" }, { 0xC0020016, "RPC_NT_OUT_OF_RESOURCES" }, { 0xC0020017, "RPC_NT_SERVER_UNAVAILABLE" }, { 0xC0020018, "RPC_NT_SERVER_TOO_BUSY" }, { 0xC0020019, "RPC_NT_INVALID_NETWORK_OPTIONS" }, { 0xC002001A, "RPC_NT_NO_CALL_ACTIVE" }, { 0xC002001B, "RPC_NT_CALL_FAILED" }, { 0xC002001C, "RPC_NT_CALL_FAILED_DNE" }, { 0xC002001D, "RPC_NT_PROTOCOL_ERROR" }, { 0xC002001F, "RPC_NT_UNSUPPORTED_TRANS_SYN" }, { 0xC0020021, "RPC_NT_UNSUPPORTED_TYPE" }, { 0xC0020022, "RPC_NT_INVALID_TAG" }, { 0xC0020023, "RPC_NT_INVALID_BOUND" }, { 0xC0020024, "RPC_NT_NO_ENTRY_NAME" }, { 0xC0020025, "RPC_NT_INVALID_NAME_SYNTAX" }, { 0xC0020026, "RPC_NT_UNSUPPORTED_NAME_SYNTAX" }, { 0xC0020028, "RPC_NT_UUID_NO_ADDRESS" }, { 0xC0020029, "RPC_NT_DUPLICATE_ENDPOINT" }, { 0xC002002A, "RPC_NT_UNKNOWN_AUTHN_TYPE" }, { 0xC002002B, "RPC_NT_MAX_CALLS_TOO_SMALL" }, { 0xC002002C, "RPC_NT_STRING_TOO_LONG" }, { 0xC002002D, "RPC_NT_PROTSEQ_NOT_FOUND" }, { 0xC002002E, "RPC_NT_PROCNUM_OUT_OF_RANGE" }, { 0xC002002F, "RPC_NT_BINDING_HAS_NO_AUTH" }, { 0xC0020030, "RPC_NT_UNKNOWN_AUTHN_SERVICE" }, { 0xC0020031, "RPC_NT_UNKNOWN_AUTHN_LEVEL" }, { 0xC0020032, "RPC_NT_INVALID_AUTH_IDENTITY" }, { 0xC0020033, "RPC_NT_UNKNOWN_AUTHZ_SERVICE" }, { 0xC0020034, "EPT_NT_INVALID_ENTRY" }, { 0xC0020035, "EPT_NT_CANT_PERFORM_OP" }, { 0xC0020036, "EPT_NT_NOT_REGISTERED" }, { 0xC0020037, "RPC_NT_NOTHING_TO_EXPORT" }, { 0xC0020038, "RPC_NT_INCOMPLETE_NAME" }, { 0xC0020039, "RPC_NT_INVALID_VERS_OPTION" }, { 0xC002003A, "RPC_NT_NO_MORE_MEMBERS" }, { 0xC002003B, "RPC_NT_NOT_ALL_OBJS_UNEXPORTED" }, { 0xC002003C, "RPC_NT_INTERFACE_NOT_FOUND" }, { 0xC002003D, "RPC_NT_ENTRY_ALREADY_EXISTS" }, { 0xC002003E, "RPC_NT_ENTRY_NOT_FOUND" }, { 0xC002003F, "RPC_NT_NAME_SERVICE_UNAVAILABLE" }, { 0xC0020040, "RPC_NT_INVALID_NAF_ID" }, { 0xC0020041, "RPC_NT_CANNOT_SUPPORT" }, { 0xC0020042, "RPC_NT_NO_CONTEXT_AVAILABLE" }, { 0xC0020043, "RPC_NT_INTERNAL_ERROR" }, { 0xC0020044, "RPC_NT_ZERO_DIVIDE" }, { 0xC0020045, "RPC_NT_ADDRESS_ERROR" }, { 0xC0020046, "RPC_NT_FP_DIV_ZERO" }, { 0xC0020047, "RPC_NT_FP_UNDERFLOW" }, { 0xC0020048, "RPC_NT_FP_OVERFLOW" }, { 0xC0020049, "RPC_NT_CALL_IN_PROGRESS" }, { 0xC002004A, "RPC_NT_NO_MORE_BINDINGS" }, { 0xC002004B, "RPC_NT_GROUP_MEMBER_NOT_FOUND" }, { 0xC002004C, "EPT_NT_CANT_CREATE" }, { 0xC002004D, "RPC_NT_INVALID_OBJECT" }, { 0xC002004F, "RPC_NT_NO_INTERFACES" }, { 0xC0020050, "RPC_NT_CALL_CANCELLED" }, { 0xC0020051, "RPC_NT_BINDING_INCOMPLETE" }, { 0xC0020052, "RPC_NT_COMM_FAILURE" }, { 0xC0020053, "RPC_NT_UNSUPPORTED_AUTHN_LEVEL" }, { 0xC0020054, "RPC_NT_NO_PRINC_NAME" }, { 0xC0020055, "RPC_NT_NOT_RPC_ERROR" }, { 0xC0020057, "RPC_NT_SEC_PKG_ERROR" }, { 0xC0020058, "RPC_NT_NOT_CANCELLED" }, { 0xC0021007, "RPC_P_RECEIVE_ALERTED" }, { 0xC0021008, "RPC_P_CONNECTION_CLOSED" }, { 0xC0021009, "RPC_P_RECEIVE_FAILED" }, { 0xC002100A, "RPC_P_SEND_FAILED" }, { 0xC002100B, "RPC_P_TIMEOUT" }, { 0xC002100C, "RPC_P_SERVER_TRANSPORT_ERROR" }, { 0xC002100E, "RPC_P_EXCEPTION_OCCURED" }, { 0xC0021012, "RPC_P_CONNECTION_SHUTDOWN" }, { 0xC0021015, "RPC_P_THREAD_LISTENING" }, { 0xC0030001, "RPC_NT_NO_MORE_ENTRIES" }, { 0xC0030002, "RPC_NT_SS_CHAR_TRANS_OPEN_FAIL" }, { 0xC0030003, "RPC_NT_SS_CHAR_TRANS_SHORT_FILE" }, { 0xC0030004, "RPC_NT_SS_IN_NULL_CONTEXT" }, { 0xC0030005, "RPC_NT_SS_CONTEXT_MISMATCH" }, { 0xC0030006, "RPC_NT_SS_CONTEXT_DAMAGED" }, { 0xC0030007, "RPC_NT_SS_HANDLES_MISMATCH" }, { 0xC0030008, "RPC_NT_SS_CANNOT_GET_CALL_HANDLE" }, { 0xC0030009, "RPC_NT_NULL_REF_POINTER" }, { 0xC003000A, "RPC_NT_ENUM_VALUE_OUT_OF_RANGE" }, { 0xC003000B, "RPC_NT_BYTE_COUNT_TOO_SMALL" }, { 0xC003000C, "RPC_NT_BAD_STUB_DATA" }, { 0xC0030059, "RPC_NT_INVALID_ES_ACTION" }, { 0xC003005A, "RPC_NT_WRONG_ES_VERSION" }, { 0xC003005B, "RPC_NT_WRONG_STUB_VERSION" }, { 0xC003005C, "RPC_NT_INVALID_PIPE_OBJECT" }, { 0xC003005D, "RPC_NT_INVALID_PIPE_OPERATION" }, { 0xC003005E, "RPC_NT_WRONG_PIPE_VERSION" }, { 0xC05C0000, "STATUS_SVHDX_ERROR_STORED" }, { 0xC05CFF00, "STATUS_SVHDX_ERROR_NOT_AVAILABLE" }, { 0xC05CFF01, "STATUS_SVHDX_UNIT_ATTENTION_AVAILABLE" }, { 0xC05CFF02, "STATUS_SVHDX_UNIT_ATTENTION_CAPACITY_DATA_CHANGED" }, { 0xC05CFF03, "STATUS_SVHDX_UNIT_ATTENTION_RESERVATIONS_PREEMPTED" }, { 0xC05CFF04, "STATUS_SVHDX_UNIT_ATTENTION_RESERVATIONS_RELEASED" }, { 0xC05CFF05, "STATUS_SVHDX_UNIT_ATTENTION_REGISTRATIONS_PREEMPTED" }, { 0xC05CFF06, "STATUS_SVHDX_UNIT_ATTENTION_OPERATING_DEFINITION_CHANGED" }, { 0xC05CFF07, "STATUS_SVHDX_RESERVATION_CONFLICT" }, { 0xC05CFF08, "STATUS_SVHDX_WRONG_FILE_TYPE" }, { 0xC05CFF09, "STATUS_SVHDX_VERSION_MISMATCH" }, { 0xC05CFF0A, "STATUS_VHD_SHARED" }, { 0, NULL } }; value_string_ext NT_errors_ext = VALUE_STRING_EXT_INIT(NT_errors); /* These are the MS country codes from http://www.unicode.org/unicode/onlinedat/countries.html For countries that share the same number, I choose to use only the name of the largest country. Apologies for this. If this offends you, here is the table to change that. This also includes the code of 0 for "Default", which isn't in that list, but is in Microsoft's SDKs and the Cygnus "winnls.h" header file. Presumably it means "don't override the setting on the user's machine". Future versions of Microsoft's "winnls.h" header file might include additional codes; the current version matches the Unicode Consortium's table. */ static const value_string ms_country_codes[] = { { 0, "Default"}, { 1, "USA"}, { 2, "Canada"}, { 7, "Russia"}, { 20, "Egypt"}, { 27, "South Africa"}, { 30, "Greece"}, { 31, "Netherlands"}, { 32, "Belgium"}, { 33, "France"}, { 34, "Spain"}, { 36, "Hungary"}, { 39, "Italy"}, { 40, "Romania"}, { 41, "Switzerland"}, { 43, "Austria"}, { 44, "United Kingdom"}, { 45, "Denmark"}, { 46, "Sweden"}, { 47, "Norway"}, { 48, "Poland"}, { 49, "Germany"}, { 51, "Peru"}, { 52, "Mexico"}, { 54, "Argentina"}, { 55, "Brazil"}, { 56, "Chile"}, { 57, "Colombia"}, { 58, "Venezuela"}, { 60, "Malaysia"}, { 61, "Australia"}, { 62, "Indonesia"}, { 63, "Philippines"}, { 64, "New Zealand"}, { 65, "Singapore"}, { 66, "Thailand"}, { 81, "Japan"}, { 82, "South Korea"}, { 84, "Viet Nam"}, { 86, "China"}, { 90, "Turkey"}, { 91, "India"}, { 92, "Pakistan"}, {212, "Morocco"}, {213, "Algeria"}, {216, "Tunisia"}, {218, "Libya"}, {254, "Kenya"}, {263, "Zimbabwe"}, {298, "Faroe Islands"}, {351, "Portugal"}, {352, "Luxembourg"}, {353, "Ireland"}, {354, "Iceland"}, {355, "Albania"}, {358, "Finland"}, {359, "Bulgaria"}, {370, "Lithuania"}, {371, "Latvia"}, {372, "Estonia"}, {374, "Armenia"}, {375, "Belarus"}, {380, "Ukraine"}, {381, "Serbia"}, {385, "Croatia"}, {386, "Slovenia"}, {389, "Macedonia"}, {420, "Czech Republic"}, {421, "Slovak Republic"}, {501, "Belize"}, {502, "Guatemala"}, {503, "El Salvador"}, {504, "Honduras"}, {505, "Nicaragua"}, {506, "Costa Rica"}, {507, "Panama"}, {591, "Bolivia"}, {593, "Ecuador"}, {595, "Paraguay"}, {598, "Uruguay"}, {673, "Brunei Darussalam"}, {852, "Hong Kong"}, {853, "Macau"}, {886, "Taiwan"}, {960, "Maldives"}, {961, "Lebanon"}, {962, "Jordan"}, {963, "Syria"}, {964, "Iraq"}, {965, "Kuwait"}, {966, "Saudi Arabia"}, {967, "Yemen"}, {968, "Oman"}, {971, "United Arab Emirates"}, {972, "Israel"}, {973, "Bahrain"}, {974, "Qatar"}, {976, "Mongolia"}, {981, "Iran"}, {994, "Azerbaijan"}, {995, "Georgia"}, {996, "Kyrgyzstan"}, {0, NULL} }; value_string_ext ms_country_codes_ext = VALUE_STRING_EXT_INIT(ms_country_codes); /*module_t* module;*/ /*pref_t* sid_display_hex;*/ /* * Translate an 8-byte FILETIME value, given as the upper and lower 32 bits, * to an "nstime_t". * A FILETIME is a 64-bit integer, giving the time since Jan 1, 1601, * midnight "UTC", in 100ns units. * Return TRUE if the conversion succeeds, FALSE otherwise. * * According to the Samba code, it appears to be kludge-GMT (at least for * file listings). This means it's the GMT you get by taking a local time * and adding the server time zone offset. This is NOT the same as GMT in * some cases. However, we don't know the server time zone, so we don't * do that adjustment. * * This code is based on the Samba code: * * Unix SMB/Netbios implementation. * Version 1.9. * time handling functions * Copyright (C) Andrew Tridgell 1992-1998 */ static gboolean nt_time_to_nstime(guint32 filetime_high, guint32 filetime_low, nstime_t *tv, gboolean onesec_resolution) { guint64 d; if (filetime_high == 0) return FALSE; d = ((guint64)filetime_high << 32) | filetime_low; if (onesec_resolution) { d *= 10000000; } return filetime_to_nstime(tv, d); } int dissect_nt_64bit_time_opt(tvbuff_t *tvb, proto_tree *tree, int offset, int hf_date, gboolean onesec_resolution _U_) { return dissect_nt_64bit_time_ex(tvb, tree, offset, hf_date, NULL, FALSE); } int dissect_nt_64bit_time_ex(tvbuff_t *tvb, proto_tree *tree, int offset, int hf_date, proto_item **createdItem, gboolean onesec_resolution) { guint32 filetime_high, filetime_low; nstime_t ts; /* XXX there seems also to be another special time value which is fairly common : 0x40000000 00000000 the meaning of this one is yet unknown */ if (tree) { proto_item *item = NULL; filetime_low = tvb_get_letohl(tvb, offset); filetime_high = tvb_get_letohl(tvb, offset + 4); if (filetime_low == 0 && filetime_high == 0) { ts.secs = 0; ts.nsecs = 0; item = proto_tree_add_time_format_value(tree, hf_date, tvb, offset, 8, &ts, "No time specified (0)"); } else if(filetime_low==0 && filetime_high==0x80000000){ ts.secs = filetime_low; ts.nsecs = filetime_high; item = proto_tree_add_time_format_value(tree, hf_date, tvb, offset, 8, &ts, "Infinity (relative time)"); } else if(filetime_low==0xffffffff && filetime_high==0x7fffffff){ ts.secs = filetime_low; ts.nsecs = filetime_high; item = proto_tree_add_time_format_value(tree, hf_date, tvb, offset, 8, &ts, "Infinity (absolute time)"); } else { if (nt_time_to_nstime(filetime_high, filetime_low, &ts, onesec_resolution)) { proto_tree_add_time(tree, hf_date, tvb, offset, 8, &ts); } else { item = proto_tree_add_time_format_value(tree, hf_date, tvb, offset, 8, &ts, "Time can't be converted"); } } if (createdItem != NULL) { *createdItem = item; } } offset += 8; return offset; } int dissect_nt_64bit_time(tvbuff_t *tvb, proto_tree *tree, int offset, int hf_date) { return dissect_nt_64bit_time_opt(tvb, tree, offset, hf_date, FALSE); } /* Well-known SIDs defined in http://support.microsoft.com/kb/243330 */ static const sid_strings well_known_sids[] = { {"S-1-0", "Null Authority"}, {"S-1-0-0", "Nobody"}, {"S-1-1", "World Authority"}, {"S-1-1-0", "Everyone"}, {"S-1-2", "Local Authority"}, {"S-1-2-0", "Local"}, {"S-1-2-1", "Console Logon"}, {"S-1-3", "Creator Authority"}, {"S-1-3-0", "Creator Owner"}, {"S-1-3-1", "Creator Group"}, {"S-1-3-2", "Creator Owner Server"}, {"S-1-3-3", "Creator Group Server"}, {"S-1-3-4", "Owner Rights"}, {"S-1-4", "Non-unique Authority"}, {"S-1-5-1", "Dialup"}, {"S-1-5-2", "Network"}, {"S-1-5-3", "Batch"}, {"S-1-5-4", "Interactive"}, {"S-1-5-5", "Logon Session"}, /* S-1-5-5-X-Y has 6 fields */ {"S-1-5-6", "Service"}, {"S-1-5-7", "Anonymous"}, {"S-1-5-8", "Proxy"}, {"S-1-5-9", "Enterprise Domain Controllers"}, {"S-1-5-10", "Principal Self"}, {"S-1-5-11", "Authenticated Users"}, {"S-1-5-12", "Reserved"}, {"S-1-5-13", "Terminal Server Users"}, {"S-1-5-14", "Remote Interactive Logon"}, {"S-1-5-15", "All users in this organization"}, {"S-1-5-17", "Default IIS user account"}, {"S-1-5-18", "Local System"}, {"S-1-5-19", "Local Service"}, {"S-1-5-20", "Network Service"}, /* * S-1-5-21---- where "--" is the NT domain * RIDs are defined in 'wkwn_S_1_5_21_rids' */ {"S-1-5-21", "Domain SID"}, /* S-1-5-32-: Builtin local group SIDs */ {"S-1-5-32", "Local Group"}, {"S-1-5-32-544", "Administrators"}, {"S-1-5-32-545", "Users"}, {"S-1-5-32-546", "Guests"}, {"S-1-5-32-547", "Power Users"}, {"S-1-5-32-548", "Account Operators"}, {"S-1-5-32-549", "Server Operators"}, {"S-1-5-32-550", "Print Operators"}, {"S-1-5-32-551", "Backup Operators"}, {"S-1-5-32-552", "Replicators"}, {"S-1-5-32-554", "Pre-Windows 2000 Compatible Access"}, {"S-1-5-32-555", "Remote Desktop Users"}, {"S-1-5-32-556", "Network Configuration Operators"}, {"S-1-5-32-557", "Incoming Forest Trust Builders"}, {"S-1-5-32-558", "Performance Monitor Users"}, {"S-1-5-32-559", "Performance Log Users"}, {"S-1-5-32-560", "Windows Authorization Access Group"}, {"S-1-5-32-561", "Terminal Server License Servers"}, {"S-1-5-32-562", "Distributed COM Users"}, {"S-1-5-32-569", "Cryptographic Operators"}, {"S-1-5-32-573", "Event Log Readers"}, {"S-1-5-32-574", "Certificate Service DCOM Access"}, {"S-1-5-64", "Authentication"}, {"S-1-5-64-10", "NTLM"}, {"S-1-5-64-14", "SChannel"}, {"S-1-5-64-21", "Digest"}, {"S-1-5-80", "NT Service"}, {"S-1-16", "Mandatory Level"}, {"S-1-16-0", "Untrusted"}, {"S-1-16-4096", "Low"}, {"S-1-16-8192", "Medium"}, {"S-1-16-8448", "Medium Plus"}, {"S-1-16-12288", "High"}, {"S-1-16-16384", "System"}, {"S-1-16-20480", "Protected Process"}, {"S-1-16-28672", "Secure Process"}, {NULL, NULL} }; static const char* match_wkwn_sids(const char* sid) { int i = 0; while (well_known_sids[i].name) { if (strcmp(well_known_sids[i].sid, sid)==0) { return(well_known_sids[i].name); } i++; } return NULL; } /* For SIDs in the form 'S-1-5-21-X-Y-Z-', '21-X-Y-Z' is referred to as the "domain SID" (NT domain) or "machine SID" (local machine). The following are well-known RIDs which are appended to domain/machine SIDs as defined in http://support.microsoft.com/kb/243330. */ static const value_string wkwn_S_1_5_21_rids[] = { {498, "Enterprise Read-only Domain Controllers"}, {500, "Administrator"}, {501, "Guest"}, {502, "KRBTGT"}, {512, "Domain Admins"}, {513, "Domain Users"}, {514, "Domain Guests"}, {515, "Domain Computers"}, {516, "Domain Controllers"}, {517, "Cert Publishers"}, {518, "Schema Administrators"}, {519, "Enterprise Admins"}, {520, "Group Policy Creator Owners"}, {521, "Read-only Domain Controllers"}, {553, "RAS and IAS Servers"}, {571, "Allowed RODC Password Replication Group"}, {572, "Denied RODC Password Replication Group"}, {0, NULL} }; static value_string_ext wkwn_S_1_5_21_rids_ext = VALUE_STRING_EXT_INIT(wkwn_S_1_5_21_rids); /* Dissect an NT SID. Label it with 'name' and return a string version * of the SID in the 'sid_str' parameter which has a packet lifetime * scope and should NOT be freed by the caller. hf_sid can be -1 if * the caller doesn't care what name is used and then "nt.sid" will be * the default instead. If the caller wants a more appropriate hf * field, it will just pass a FT_STRING hf field here */ int dissect_nt_sid(tvbuff_t *tvb, int offset, proto_tree *parent_tree, const char *name, char **sid_str, int hf_sid) { int offset_sid_start = offset, sa_offset, rid_offset=0, wkwn_sid1_len=0, wkwn_sid2_len = 0, i; guint8 revision, num_auth; guint32 sa_field, rid=0; guint64 authority=0; wmem_strbuf_t *sa_str = NULL, *sid_in_dec_str = NULL, *sid_in_hex_str = NULL, *label_str = NULL, *domain_str = NULL, *wkwn_sid1_str = NULL, *wkwn_sid2_str = NULL; const char *mapped_name = NULL, *mapped_rid = NULL; gboolean domain_sid = FALSE, s_1_5_32 = FALSE, s_1_5_64 = FALSE, locally_defined = FALSE, S_1_16 = FALSE; proto_item *item = NULL, *hidden_item; proto_tree *subtree = NULL; /* Revision of SID */ revision = tvb_get_guint8(tvb, offset); offset++; /* Number of subauthority fields */ num_auth = tvb_get_guint8(tvb, offset); offset++; if(sid_str) *sid_str=NULL; if(hf_sid==-1){ /* if no tree, just return the offset of the end_of_SID+1 */ if (!parent_tree) return(offset+(6+(num_auth*4))); hf_sid=hf_nt_sid; } /* Identifier Authority */ for(i=0; i<6; i++){ authority = (authority << 8) + tvb_get_guint8(tvb, offset); offset++; } sid_in_dec_str = wmem_strbuf_new_label(wmem_packet_scope()); wmem_strbuf_append_printf (sid_in_dec_str, "S-%u-%" G_GINT64_MODIFIER "u", revision, authority); /* If sid_display_hex is set, sid_in_dec_str is still needed for looking up well-known SIDs*/ if (sid_display_hex) { sid_in_hex_str = wmem_strbuf_new_label(wmem_packet_scope()); wmem_strbuf_append_printf (sid_in_hex_str, "S-%x-%" G_GINT64_MODIFIER "x", revision, authority); } wkwn_sid1_str = wmem_strbuf_new_label(wmem_packet_scope()); label_str = wmem_strbuf_new_label(wmem_packet_scope()); if (strcmp(wmem_strbuf_get_str(sid_in_dec_str), "S-1-16")==0) S_1_16 = TRUE; /* Look for well-known SIDs in format 'S-1-' (i.e., exactly 3 fields) */ if (num_auth==0 || S_1_16) { mapped_name = match_wkwn_sids(wmem_strbuf_get_str(sid_in_dec_str)); if (mapped_name) { wmem_strbuf_append(label_str, mapped_name); wmem_strbuf_append(wkwn_sid1_str, (sid_display_hex ? wmem_strbuf_get_str(sid_in_hex_str) : wmem_strbuf_get_str(sid_in_dec_str))); wkwn_sid1_len = 8; } } sa_offset = offset; sa_str = wmem_strbuf_new_label(wmem_packet_scope()); wkwn_sid2_str = wmem_strbuf_new_label(wmem_packet_scope()); domain_str = wmem_strbuf_new_label(wmem_packet_scope()); /* Build the sub-authorities and full SID strings */ for(i=1; i-") */ if (S_1_16) { /* Mandatory Level (S-1-16) */ mapped_rid = match_wkwn_sids(wmem_strbuf_get_str(sid_in_dec_str)); if (mapped_rid) { /* Get the RID */ wmem_strbuf_append_printf(label_str, "%s-%s", mapped_name, mapped_rid); rid = sa_field; rid_offset = offset; wmem_strbuf_append(wkwn_sid2_str, (sid_display_hex ? wmem_strbuf_get_str(sid_in_hex_str) : wmem_strbuf_get_str(sid_in_dec_str))); wkwn_sid1_len=12; } } else { mapped_name = match_wkwn_sids(wmem_strbuf_get_str(sid_in_dec_str)); if (mapped_name) { wmem_strbuf_append(label_str, mapped_name); wmem_strbuf_append(wkwn_sid1_str, (sid_display_hex ? wmem_strbuf_get_str(sid_in_hex_str) : wmem_strbuf_get_str(sid_in_dec_str))); wkwn_sid1_len = 12; } /* The following three SID types have (unique) RIDs */ if (strcmp(wmem_strbuf_get_str(sid_in_dec_str), "S-1-5-21")==0) { /* Domain SID */ domain_sid = TRUE; } else if (strcmp(wmem_strbuf_get_str(sid_in_dec_str), "S-1-5-32")==0) { /* Local Group (S-1-5-32) SID */ s_1_5_32 = TRUE; } else if (strcmp(wmem_strbuf_get_str(sid_in_dec_str), "S-1-5-64")==0) { /* Authentication (S-1-5-64) SID */ s_1_5_64 = TRUE; } } } else if (i==2 && !domain_sid) { /* The only well-known SIDS with two subauthority fields ("level 2 SIDs") are Local Group (S-1-5-32), and Authentication (S-1-5-64). */ if (s_1_5_32 || s_1_5_64) { mapped_rid = match_wkwn_sids(wmem_strbuf_get_str(sid_in_dec_str)); if (mapped_rid) { /* Get the RID */ wmem_strbuf_append_printf(label_str, "-%s", mapped_rid); rid = sa_field; rid_offset = offset; wmem_strbuf_append(wkwn_sid2_str, (sid_display_hex ? wmem_strbuf_get_str(sid_in_hex_str) : wmem_strbuf_get_str(sid_in_dec_str))); wkwn_sid2_len=16; } else { /* The RID not well-known. */ locally_defined = TRUE; } } else { if (mapped_name) { /* A level 1 well-known SID appended with locally defined value */ locally_defined = TRUE; } } } else { /* 3 or more sub-auth fields - NOTE: Except for domain SIDs, there are no wkwn SIDs with 3 or more sub-auth fields so we don't lookup SIDs here. Logon Session SIDs have 3 sub-auth fields but the last two are locally defined. */ if (domain_sid) { if (num_auth >= 4) { if (i >= 2 && i <=4 ) { /* Add the field to the domain string (d1-d2-d3) */ wmem_strbuf_append_printf(domain_str, (i==2 ? (sid_display_hex ? "%x" : "%u") : (sid_display_hex ? "-%x" : "-%u")), sa_field); } else if (i==5) { rid = sa_field; rid_offset = offset; mapped_rid = val_to_str_ext_const(rid, &wkwn_S_1_5_21_rids_ext, "Domain RID"); wmem_strbuf_append_printf(label_str, "-%s", mapped_rid); } else { locally_defined = TRUE; } } else { mapped_name = "Corrupt domain SID"; } } else { if (mapped_name) { /* A locally defined value appended to a level 2 well-known SID*/ locally_defined = TRUE; } } } offset+=4; } /* End of for loop */ if ( !(mapped_name || domain_sid || s_1_5_32 || s_1_5_64) ) { /* If requested, try to map the NON-well-known SID to an object name discovered in this capture */ if (sid_name_snooping) { mapped_name = find_sid_name(wmem_strbuf_get_str(sid_in_dec_str)); } else { mapped_name = ""; } } if (locally_defined) { wmem_strbuf_append_printf(label_str, "-"); } /* It's tree time Display the full SID string in hex or dec */ item = proto_tree_add_string_format( parent_tree, hf_sid, tvb, offset_sid_start, (offset - offset_sid_start), (sid_display_hex ? wmem_strbuf_get_str(sid_in_hex_str) : wmem_strbuf_get_str(sid_in_dec_str)), "%s: %s", name, (sid_display_hex ? wmem_strbuf_get_str(sid_in_hex_str) : wmem_strbuf_get_str(sid_in_dec_str)) ); proto_item_append_text(item, " (%s)", wmem_strbuf_get_str(label_str)); subtree = proto_item_add_subtree(item, ett_nt_sid); /* Add revision, num_auth, and authority */ proto_tree_add_item(subtree, hf_nt_sid_revision, tvb, offset_sid_start, 1, ENC_LITTLE_ENDIAN); proto_tree_add_item(subtree, hf_nt_sid_num_auth, tvb, offset_sid_start+1, 1, ENC_LITTLE_ENDIAN); proto_tree_add_uint64(subtree, (sid_display_hex ? hf_nt_sid_auth_hex : hf_nt_sid_auth_dec), tvb, offset_sid_start+2, 6, authority); /* Add subauthorities */ proto_tree_add_string_format_value(subtree, hf_nt_sid_subauth, tvb, sa_offset, num_auth*4, wmem_strbuf_get_str(sa_str), "%s", wmem_strbuf_get_str(sa_str)); if (rid) { item = proto_tree_add_item (subtree, (sid_display_hex ? hf_nt_sid_rid_hex : hf_nt_sid_rid_dec), tvb, rid_offset, 4, ENC_LITTLE_ENDIAN); proto_item_append_text(item, " (%s)", mapped_rid); } /* Add well-known SID and domain strings if present */ if (wmem_strbuf_get_len(wkwn_sid1_str) > 0) { hidden_item = proto_tree_add_string_format_value( subtree, hf_nt_sid_wkwn, tvb, offset_sid_start, wkwn_sid1_len, wmem_strbuf_get_str(wkwn_sid1_str), "%s", wmem_strbuf_get_str(wkwn_sid1_str)); proto_item_append_text(hidden_item, " (%s)", mapped_name); PROTO_ITEM_SET_HIDDEN(hidden_item); } if (wmem_strbuf_get_len(wkwn_sid2_str) > 0) { hidden_item = proto_tree_add_string_format_value( subtree, hf_nt_sid_wkwn, tvb, offset_sid_start, wkwn_sid2_len, wmem_strbuf_get_str(wkwn_sid2_str), "%s", wmem_strbuf_get_str(wkwn_sid2_str)); proto_item_append_text(hidden_item, " (%s)", wmem_strbuf_get_str(label_str)); PROTO_ITEM_SET_HIDDEN(hidden_item); } if (domain_sid && wmem_strbuf_get_len(domain_str) > 0) { hidden_item = proto_tree_add_string_format_value( subtree, hf_nt_sid_domain, tvb, offset_sid_start + 12, 12, wmem_strbuf_get_str(domain_str), "%s", wmem_strbuf_get_str(domain_str)); PROTO_ITEM_SET_HIDDEN(hidden_item); } /* If requested, return SID string with mapped name */ if(sid_str){ if(mapped_name){ *sid_str = wmem_strdup_printf(wmem_packet_scope(), "%s (%s)", (sid_display_hex ? wmem_strbuf_get_str(sid_in_hex_str) : wmem_strbuf_get_str(sid_in_dec_str)), wmem_strbuf_get_str(label_str)); } else { *sid_str = wmem_strdup(wmem_packet_scope(), sid_display_hex ? wmem_strbuf_get_str(sid_in_hex_str) : wmem_strbuf_get_str(sid_in_dec_str)); } if(!(*sid_str)){ *sid_str=wmem_strdup(wmem_packet_scope(), "corrupted SID"); } } return offset; } /* Dissect an access mask. All this stuff is kind of explained at MSDN: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/windows_2000_windows_nt_access_mask_format.asp */ static gint ett_nt_access_mask = -1; static gint ett_nt_access_mask_generic = -1; static gint ett_nt_access_mask_standard = -1; static gint ett_nt_access_mask_specific = -1; static int hf_access_sacl = -1; static int hf_access_maximum_allowed = -1; static int hf_access_generic_read = -1; static int hf_access_generic_write = -1; static int hf_access_generic_execute = -1; static int hf_access_generic_all = -1; static int hf_access_standard_delete = -1; static int hf_access_standard_read_control = -1; static int hf_access_standard_synchronise = -1; static int hf_access_standard_write_dac = -1; static int hf_access_standard_write_owner = -1; static int hf_access_specific_15 = -1; static int hf_access_specific_14 = -1; static int hf_access_specific_13 = -1; static int hf_access_specific_12 = -1; static int hf_access_specific_11 = -1; static int hf_access_specific_10 = -1; static int hf_access_specific_9 = -1; static int hf_access_specific_8 = -1; static int hf_access_specific_7 = -1; static int hf_access_specific_6 = -1; static int hf_access_specific_5 = -1; static int hf_access_specific_4 = -1; static int hf_access_specific_3 = -1; static int hf_access_specific_2 = -1; static int hf_access_specific_1 = -1; static int hf_access_specific_0 = -1; /* Map generic permissions to specific permissions */ static void map_generic_access(guint32 *access_mask, struct generic_mapping *mapping) { if (*access_mask & GENERIC_READ_ACCESS) { *access_mask &= ~GENERIC_READ_ACCESS; *access_mask |= mapping->generic_read; } if (*access_mask & GENERIC_WRITE_ACCESS) { *access_mask &= ~GENERIC_WRITE_ACCESS; *access_mask |= mapping->generic_write; } if (*access_mask & GENERIC_EXECUTE_ACCESS) { *access_mask &= ~GENERIC_EXECUTE_ACCESS; *access_mask |= mapping->generic_execute; } if (*access_mask & GENERIC_ALL_ACCESS) { *access_mask &= ~GENERIC_ALL_ACCESS; *access_mask |= mapping->generic_all; } } /* Map standard permissions to specific permissions */ static void map_standard_access(guint32 *access_mask, struct standard_mapping *mapping) { if (*access_mask & READ_CONTROL_ACCESS) { *access_mask &= ~READ_CONTROL_ACCESS; *access_mask |= mapping->std_read; } if (*access_mask & (DELETE_ACCESS|WRITE_DAC_ACCESS|WRITE_OWNER_ACCESS| SYNCHRONIZE_ACCESS)) { *access_mask &= ~(DELETE_ACCESS|WRITE_DAC_ACCESS| WRITE_OWNER_ACCESS|SYNCHRONIZE_ACCESS); *access_mask |= mapping->std_all; } } int dissect_nt_access_mask(tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep, int hfindex, struct access_mask_info *ami, guint32 *perms) { proto_item *item; proto_tree *subtree, *generic_tree, *standard_tree, *specific_tree; guint32 access; static const int * generic_access_flags[] = { &hf_access_generic_read, &hf_access_generic_write, &hf_access_generic_execute, &hf_access_generic_all, &hf_access_maximum_allowed, &hf_access_sacl, NULL }; static const int * standard_access_flags[] = { &hf_access_standard_synchronise, &hf_access_standard_write_owner, &hf_access_standard_write_dac, &hf_access_standard_read_control, &hf_access_standard_delete, NULL }; static const int * access_specific_flags[] = { &hf_access_specific_15, &hf_access_specific_14, &hf_access_specific_13, &hf_access_specific_12, &hf_access_specific_11, &hf_access_specific_10, &hf_access_specific_9, &hf_access_specific_8, &hf_access_specific_7, &hf_access_specific_6, &hf_access_specific_5, &hf_access_specific_4, &hf_access_specific_3, &hf_access_specific_2, &hf_access_specific_1, &hf_access_specific_0, NULL }; if (drep != NULL) { /* * Called from a DCE RPC protocol dissector, for a * protocol where a 32-bit NDR integer contains * an NT access mask; extract the access mask * with an NDR call. */ offset = dissect_ndr_uint32(tvb, offset, pinfo, NULL, di, drep, hfindex, &access); } else { /* * Called from SMB, where the access mask is just a * 4-byte little-endian quantity with no special * NDR alignment requirement; extract it with * "tvb_get_letohl()". */ access = tvb_get_letohl(tvb, offset); offset += 4; } if (perms) { *perms = access; } item = proto_tree_add_uint(tree, hfindex, tvb, offset - 4, 4, access); subtree = proto_item_add_subtree(item, ett_nt_access_mask); /* Generic access rights */ generic_tree = proto_tree_add_subtree_format(subtree, tvb, offset - 4, 4, ett_nt_access_mask_generic, NULL, "Generic rights: 0x%08x", access & GENERIC_RIGHTS_MASK); proto_tree_add_bitmask_list_value(generic_tree, tvb, offset - 4, 4, generic_access_flags, access); /* Standard access rights */ standard_tree = proto_tree_add_subtree_format(subtree, tvb, offset - 4, 4, ett_nt_access_mask_standard, NULL, "Standard rights: 0x%08x", access & STANDARD_RIGHTS_MASK); proto_tree_add_bitmask_list_value(standard_tree, tvb, offset - 4, 4, standard_access_flags, access); /* Specific access rights. Call the specific_rights_fn pointer if we have one, otherwise just display bits 0-15 in boring fashion. */ if (ami && ami->specific_rights_name) specific_tree = proto_tree_add_subtree_format(subtree, tvb, offset - 4, 4, ett_nt_access_mask_specific, &item, "%s specific rights: 0x%08x", ami->specific_rights_name, access & SPECIFIC_RIGHTS_MASK); else specific_tree = proto_tree_add_subtree_format(subtree, tvb, offset - 4, 4, ett_nt_access_mask_specific, &item, "Specific rights: 0x%08x", access & SPECIFIC_RIGHTS_MASK); if (ami && ami->specific_rights_fn) { guint32 mapped_access = access; proto_tree *specific_mapped; specific_mapped = proto_item_add_subtree( item, ett_nt_access_mask_specific); ami->specific_rights_fn( tvb, offset - 4, specific_tree, access); if (ami->generic_mapping) map_generic_access(&access, ami->generic_mapping); if (ami->standard_mapping) map_standard_access(&access, ami->standard_mapping); if (access != mapped_access) { ami->specific_rights_fn( tvb, offset - 4, specific_mapped, mapped_access); } return offset; } proto_tree_add_bitmask_list_value(specific_tree, tvb, offset - 4, 4, access_specific_flags, access); return offset; } static int hf_nt_access_mask = -1; #define ACL_REVISION_NT4 2 #define ACL_REVISION_ADS 4 static const value_string acl_revision_vals[] = { { ACL_REVISION_NT4, "NT4"}, { ACL_REVISION_ADS, "AD"}, {0,NULL} }; #define ACE_TYPE_ACCESS_ALLOWED 0 #define ACE_TYPE_ACCESS_DENIED 1 #define ACE_TYPE_SYSTEM_AUDIT 2 #define ACE_TYPE_SYSTEM_ALARM 3 #define ACE_TYPE_ALLOWED_COMPOUND 4 #define ACE_TYPE_ACCESS_ALLOWED_OBJECT 5 #define ACE_TYPE_ACCESS_DENIED_OBJECT 6 #define ACE_TYPE_SYSTEM_AUDIT_OBJECT 7 #define ACE_TYPE_SYSTEM_ALARM_OBJECT 8 #define ACE_TYPE_ACCESS_ALLOWED_CALLBACK 9 #define ACE_TYPE_ACCESS_DENIED_CALLBACK 10 #define ACE_TYPE_ACCESS_ALLOWED_CALLBACK_OBJECT 11 #define ACE_TYPE_ACCESS_DENIED_CALLBACK_OBJECT 12 #define ACE_TYPE_SYSTEM_AUDIT_CALLBACK 13 #define ACE_TYPE_SYSTEM_ALARM_CALLBACK 14 #define ACE_TYPE_SYSTEM_AUDIT_CALLBACK_OBJECT 15 #define ACE_TYPE_SYSTEM_ALARM_CALLBACK_OBJECT 16 #define ACE_TYPE_SYSTEM_MANDATORY_LABEL 17 static const value_string ace_type_vals[] = { { ACE_TYPE_ACCESS_ALLOWED, "Access Allowed"}, { ACE_TYPE_ACCESS_DENIED, "Access Denied"}, { ACE_TYPE_SYSTEM_AUDIT, "System Audit"}, { ACE_TYPE_SYSTEM_ALARM, "System Alarm"}, { ACE_TYPE_ALLOWED_COMPOUND, "Allowed Compound"}, { ACE_TYPE_ACCESS_ALLOWED_OBJECT, "Allowed Object"}, { ACE_TYPE_ACCESS_DENIED_OBJECT, "Denied Object"}, { ACE_TYPE_SYSTEM_AUDIT_OBJECT, "Audit Object"}, { ACE_TYPE_SYSTEM_ALARM_OBJECT, "Alarm Object"}, { ACE_TYPE_ACCESS_ALLOWED_CALLBACK, "Allowed Callback"}, { ACE_TYPE_ACCESS_DENIED_CALLBACK, "Denied Callback"}, { ACE_TYPE_ACCESS_ALLOWED_CALLBACK_OBJECT, "Allowed Callback Object"}, { ACE_TYPE_ACCESS_DENIED_CALLBACK_OBJECT, "Denied Callback Object"}, { ACE_TYPE_SYSTEM_AUDIT_CALLBACK, "Audit Callback"}, { ACE_TYPE_SYSTEM_ALARM_CALLBACK, "Alarm Callback"}, { ACE_TYPE_SYSTEM_AUDIT_CALLBACK_OBJECT, "Audit Callback Object"}, { ACE_TYPE_SYSTEM_ALARM_CALLBACK_OBJECT, "Alarm Callback Object"}, { ACE_TYPE_SYSTEM_MANDATORY_LABEL, "Mandatory label"}, { 0, NULL} }; static const true_false_string tfs_ace_flags_object_inherit = { "Subordinate files will inherit this ACE", "Subordinate files will not inherit this ACE" }; static const true_false_string tfs_ace_flags_container_inherit = { "Subordinate containers will inherit this ACE", "Subordinate containers will not inherit this ACE" }; static const true_false_string tfs_ace_flags_non_propagate_inherit = { "Subordinate object will not propagate the inherited ACE further", "Subordinate object will propagate the inherited ACE further" }; static const true_false_string tfs_ace_flags_inherit_only = { "This ACE does not apply to the current object", "This ACE applies to the current object" }; static const true_false_string tfs_ace_flags_inherited_ace = { "This ACE was inherited from its parent object", "This ACE was not inherited from its parent object" }; static const true_false_string tfs_ace_flags_successful_access = { "Successful accesses will be audited", "Successful accesses will not be audited" }; static const true_false_string tfs_ace_flags_failed_access = { "Failed accesses will be audited", "Failed accesses will not be audited" }; static const true_false_string flags_sec_info_sacl = { "Request SACL", "Do NOT request SACL" }; static const true_false_string flags_sec_info_dacl = { "Request DACL", "Do NOT request DACL" }; static const true_false_string flags_sec_info_group = { "Request GROUP", "Do NOT request group" }; static const true_false_string flags_sec_info_owner = { "Request OWNER", "Do NOT request owner" }; #define APPEND_ACE_TEXT(flag, item, string) \ if(flag){ \ if(item) \ proto_item_append_text(item, string, sep); \ sep = ", "; \ } static int dissect_nt_ace_object(tvbuff_t *tvb, int offset, proto_tree *parent_tree) { proto_item *item; proto_tree *tree; proto_item *flags_item; guint32 flags; int old_offset=offset; const char *sep = " "; static const int * ace_flags[] = { &hf_nt_ace_flags_object_type_present, &hf_nt_ace_flags_inherited_object_type_present, NULL }; tree = proto_tree_add_subtree(parent_tree, tvb, offset, 0, ett_nt_ace_object, &item, "ACE Object"); /* flags */ flags=tvb_get_letohl(tvb, offset); flags_item = proto_tree_add_bitmask(tree, tvb, offset, hf_nt_ace_flags_object, ett_nt_ace_object_flags, ace_flags, ENC_LITTLE_ENDIAN); APPEND_ACE_TEXT(flags&0x00000001, flags_item, "%sObject Type Present"); APPEND_ACE_TEXT(flags&0x00000002, flags_item, "%sInherited Object Type Present"); offset+=4; /* is there a GUID ? */ if(flags&0x00000001){ proto_tree_add_item(tree, hf_nt_ace_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN); offset+=16; } /* is there an inherited GUID ? */ if(flags&0x00000002){ proto_tree_add_item(tree, hf_nt_ace_inherited_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN); offset+=16; } proto_item_set_len(item, offset-old_offset); return offset; } static int dissect_nt_v2_ace_flags(tvbuff_t *tvb, int offset, proto_tree *parent_tree, guint8 *data) { proto_item *item = NULL; guint8 mask; const char *sep = " "; static const int * ace_flags[] = { &hf_nt_ace_flags_failed_access, &hf_nt_ace_flags_successful_access, &hf_nt_ace_flags_inherited_ace, &hf_nt_ace_flags_inherit_only, &hf_nt_ace_flags_non_propagate_inherit, &hf_nt_ace_flags_container_inherit, &hf_nt_ace_flags_object_inherit, NULL }; mask = tvb_get_guint8(tvb, offset); if (data) *data = mask; item = proto_tree_add_bitmask(parent_tree, tvb, offset, hf_nt_ace_flags, ett_nt_ace_flags, ace_flags, ENC_NA); APPEND_ACE_TEXT(mask&0x80, item, "%sFailed Access"); APPEND_ACE_TEXT(mask&0x40, item, "%sSuccessful Access"); APPEND_ACE_TEXT(mask&0x10, item, "%sInherited ACE"); APPEND_ACE_TEXT(mask&0x08, item, "%sInherit Only"); APPEND_ACE_TEXT(mask&0x04, item, "%sNo Propagate Inherit"); APPEND_ACE_TEXT(mask&0x02, item, "%sContainer Inherit"); APPEND_ACE_TEXT(mask&0x01, item, "%sObject Inherit"); offset += 1; return offset; } static int dissect_nt_v2_ace(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *parent_tree, guint8 *drep, struct access_mask_info *ami) { proto_item *item; proto_tree *tree; int old_offset = offset; char *sid_str = NULL; guint16 size; guint8 type; guint8 flags; guint32 perms = 0; tree = proto_tree_add_subtree(parent_tree, tvb, offset, -1, ett_nt_ace, &item, "NT ACE: "); /* type */ type = tvb_get_guint8(tvb, offset); proto_tree_add_uint(tree, hf_nt_ace_type, tvb, offset, 1, type); offset += 1; /* flags */ offset = dissect_nt_v2_ace_flags(tvb, offset, tree, &flags); /* size */ size = tvb_get_letohs(tvb, offset); if (size < 4) { /* * BOGUS - the size includes the ACE header length, * which is 4. */ proto_tree_add_uint_format_value(tree, hf_nt_ace_size, tvb, offset, 2, size, "%u (bogus, must be >= 4)", size); return old_offset; /* our caller quits in this case */ } proto_tree_add_uint(tree, hf_nt_ace_size, tvb, offset, 2, size); offset += 2; /* some ACE types we not yet handle store other things than access mask * and SID in here. * sometimes things that are not related at all to access control. * naughty naughty. -- ronnie */ switch(type){ case ACE_TYPE_ACCESS_ALLOWED: case ACE_TYPE_ACCESS_DENIED: case ACE_TYPE_SYSTEM_AUDIT: case ACE_TYPE_SYSTEM_ALARM: case ACE_TYPE_ALLOWED_COMPOUND: case ACE_TYPE_ACCESS_ALLOWED_OBJECT: case ACE_TYPE_ACCESS_DENIED_OBJECT: case ACE_TYPE_SYSTEM_AUDIT_OBJECT: case ACE_TYPE_SYSTEM_ALARM_OBJECT: case ACE_TYPE_ACCESS_ALLOWED_CALLBACK: case ACE_TYPE_ACCESS_DENIED_CALLBACK: case ACE_TYPE_ACCESS_ALLOWED_CALLBACK_OBJECT: case ACE_TYPE_ACCESS_DENIED_CALLBACK_OBJECT: case ACE_TYPE_SYSTEM_AUDIT_CALLBACK: case ACE_TYPE_SYSTEM_ALARM_CALLBACK: case ACE_TYPE_SYSTEM_AUDIT_CALLBACK_OBJECT: case ACE_TYPE_SYSTEM_ALARM_CALLBACK_OBJECT: case ACE_TYPE_SYSTEM_MANDATORY_LABEL: /* access mask */ offset = dissect_nt_access_mask( tvb, offset, pinfo, tree, NULL, drep, hf_nt_access_mask, ami, &perms); /* these aces contain an extra object */ switch(type){ case ACE_TYPE_ACCESS_ALLOWED_OBJECT: case ACE_TYPE_ACCESS_DENIED_OBJECT: case ACE_TYPE_SYSTEM_AUDIT_OBJECT: case ACE_TYPE_SYSTEM_ALARM_OBJECT: case ACE_TYPE_ACCESS_ALLOWED_CALLBACK_OBJECT: case ACE_TYPE_ACCESS_DENIED_CALLBACK_OBJECT: case ACE_TYPE_SYSTEM_AUDIT_CALLBACK_OBJECT: case ACE_TYPE_SYSTEM_ALARM_CALLBACK_OBJECT: offset=dissect_nt_ace_object(tvb, offset, tree); } /* SID */ offset = dissect_nt_sid(tvb, offset, tree, "SID", &sid_str, -1); if (item) proto_item_append_text( item, "%s, flags 0x%02x, %s, mask 0x%08x", sid_str, flags, val_to_str(type, ace_type_vals, "Unknown ACE type (0x%02x)"), perms); break; }; proto_item_set_len(item, offset-old_offset); /* Sometimes there is some spare space at the end of the ACE so use the size field to work out where the end is. */ return old_offset + size; } static int dissect_nt_acl(tvbuff_t *tvb, int offset_a, packet_info *pinfo, proto_tree *parent_tree, guint8 *drep, const char *name, struct access_mask_info *ami) { proto_item *item; proto_tree *tree; int old_offset = offset_a; int pre_ace_offset; guint16 revision; guint32 num_aces; volatile int offset_v = offset_a; volatile gboolean missing_data = FALSE; volatile gboolean bad_ace = FALSE; tree = proto_tree_add_subtree_format(parent_tree, tvb, offset_v, -1, ett_nt_acl, &item, "NT %s ACL", name); /* revision */ /* * XXX - is this *really* 2 bytes? The page at * * http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/acl.asp * * indicates that it's one byte of revision and one byte of * zero padding, which means the code that used to be here * was correct - and this code would give the same results * as long as the padding is zero, so if this dissects it * correctly when the padding is zero, and the padding is * always zero, the old code would dissect it correctly * also. */ revision = tvb_get_letohs(tvb, offset_v); proto_tree_add_uint(tree, hf_nt_acl_revision, tvb, offset_v, 2, revision); offset_v += 2; switch(revision){ case ACL_REVISION_NT4: case ACL_REVISION_ADS: case 3: /* weirdo type */ /* size */ proto_tree_add_item(tree, hf_nt_acl_size, tvb, offset_v, 2, ENC_LITTLE_ENDIAN); offset_v += 2; /* number of ace structures */ /* * XXX - is this *really* 4 bytes? The page referred to above * says it's 2 bytes of count followed by two bytes of * zero padding. */ num_aces = tvb_get_letohl(tvb, offset_v); proto_tree_add_uint(tree, hf_nt_acl_num_aces, tvb, offset_v, 4, num_aces); offset_v += 4; while(num_aces-- && !missing_data && !bad_ace) { pre_ace_offset = offset_v; /* * These are at an offset_v later in the packet; don't * fail if we can't fetch them, just note the problem * and dissect the stuff before it. */ TRY { offset_v = dissect_nt_v2_ace(tvb, offset_v, pinfo, tree, drep, ami); if (pre_ace_offset == offset_v) { /* * Bogus ACE, with a length < 4. */ bad_ace = TRUE; } } CATCH(ContainedBoundsError) { proto_tree_add_expert(tree, pinfo, &ei_nt_ace_extends_beyond_data, tvb, offset_v, 0); missing_data = TRUE; } CATCH(ReportedBoundsError) { proto_tree_add_expert(tree, pinfo, &ei_nt_ace_extends_beyond_reassembled_data, tvb, offset_v, 0); missing_data = TRUE; } ENDTRY; } } proto_item_set_len(item, offset_v-old_offset); return offset_v; } static const true_false_string tfs_sec_desc_type_owner_defaulted = { "OWNER is DEFAULTED", "Owner is NOT defaulted" }; static const true_false_string tfs_sec_desc_type_group_defaulted = { "GROUP is DEFAULTED", "Group is NOT defaulted" }; static const true_false_string tfs_sec_desc_type_dacl_present = { "DACL is PRESENT", "DACL is NOT present" }; static const true_false_string tfs_sec_desc_type_dacl_defaulted = { "DACL is DEFAULTED", "DACL is NOT defaulted" }; static const true_false_string tfs_sec_desc_type_sacl_present = { "SACL is PRESENT", "SACL is NOT present" }; static const true_false_string tfs_sec_desc_type_sacl_defaulted = { "SACL is DEFAULTED", "SACL is NOT defaulted" }; static const true_false_string tfs_sec_desc_type_dacl_trusted = { "DACL TRUSTED is TRUE", "Dacl trusted is FALSE" }; static const true_false_string tfs_sec_desc_type_server_security = { "SERVER SECURITY is TRUE", "Server security is FALSE" }; static const true_false_string tfs_sec_desc_type_dacl_auto_inherit_req = { "DACL has AUTO INHERIT REQUIRED", "DACL does NOT require auto inherit" }; static const true_false_string tfs_sec_desc_type_sacl_auto_inherit_req = { "SACL has AUTO INHERIT REQUIRED", "SACL does NOT require auto inherit" }; static const true_false_string tfs_sec_desc_type_dacl_auto_inherited = { "DACL is AUTO INHERITED", "DACL is NOT auto inherited" }; static const true_false_string tfs_sec_desc_type_sacl_auto_inherited = { "SACL is AUTO INHERITED", "SACL is NOT auto inherited" }; static const true_false_string tfs_sec_desc_type_dacl_protected = { "The DACL is PROTECTED", "The DACL is NOT protected" }; static const true_false_string tfs_sec_desc_type_sacl_protected = { "The SACL is PROTECTED", "The SACL is NOT protected" }; static const true_false_string tfs_sec_desc_type_rm_control_valid = { "Rm control valid is TRUE", "Rm control valid is FALSE" }; static const true_false_string tfs_sec_desc_type_self_relative = { "This SecDesc is SELF RELATIVE", "This SecDesc is NOT self relative" }; static int dissect_nt_sec_desc_type(tvbuff_t *tvb, int offset, proto_tree *parent_tree) { static const int * flags[] = { &hf_nt_sec_desc_type_self_relative, &hf_nt_sec_desc_type_rm_control_valid, &hf_nt_sec_desc_type_sacl_protected, &hf_nt_sec_desc_type_dacl_protected, &hf_nt_sec_desc_type_sacl_auto_inherited, &hf_nt_sec_desc_type_dacl_auto_inherited, &hf_nt_sec_desc_type_sacl_auto_inherit_req, &hf_nt_sec_desc_type_dacl_auto_inherit_req, &hf_nt_sec_desc_type_server_security, &hf_nt_sec_desc_type_dacl_trusted, &hf_nt_sec_desc_type_sacl_defaulted, &hf_nt_sec_desc_type_sacl_present, &hf_nt_sec_desc_type_dacl_defaulted, &hf_nt_sec_desc_type_dacl_present, &hf_nt_sec_desc_type_group_defaulted, &hf_nt_sec_desc_type_owner_defaulted, NULL }; proto_tree_add_bitmask(parent_tree, tvb, offset, hf_nt_sec_desc_type, ett_nt_sec_desc_type, flags, ENC_LITTLE_ENDIAN); offset += 2; return offset; } int dissect_nt_security_information(tvbuff_t *tvb, int offset, proto_tree *parent_tree) { proto_item *item = NULL; guint32 mask; static const int * flags[] = { &hf_nt_security_information_sacl, &hf_nt_security_information_dacl, &hf_nt_security_information_group, &hf_nt_security_information_owner, NULL }; mask = tvb_get_letohl(tvb, offset); item = proto_tree_add_bitmask(parent_tree, tvb, offset, hf_nt_security_information, ett_nt_security_information, flags, ENC_LITTLE_ENDIAN); if (mask & 0x00000008) { proto_item_append_text(item, " SACL"); } if (mask & 0x00000004) { proto_item_append_text(item, " DACL"); } if (mask & 0x00000002) { proto_item_append_text(item, " GROUP"); } if (mask & 0x00000001) { proto_item_append_text(item, " OWNER"); } offset += 4; return offset; } int dissect_nt_sec_desc(tvbuff_t *tvb, int offset_a, packet_info *pinfo, proto_tree *parent_tree, guint8 *drep, gboolean len_supplied _U_, int len, struct access_mask_info *ami) { proto_item *item = NULL; proto_tree *tree = NULL; guint16 revision; int start_offset = offset_a; volatile int offset_v=offset_a; volatile int end_offset; volatile int item_offset; guint32 owner_sid_offset; proto_item *it_owner_sid_offs = NULL; volatile guint32 group_sid_offset; proto_item * volatile it_gr_sid_offs = NULL; volatile guint32 sacl_offset; proto_item * volatile it_sacl_offs = NULL; volatile guint32 dacl_offset; proto_item * volatile it_dacl_offs = NULL; tree = proto_tree_add_subtree(parent_tree, tvb, offset_v, -1, ett_nt_sec_desc, &item, "NT Security Descriptor"); /* revision */ revision = tvb_get_letohs(tvb, offset_v); proto_tree_add_uint(tree, hf_nt_sec_desc_revision, tvb, offset_v, 2, revision); offset_v += 2; switch(revision){ case 1: /* only version we will ever see of this structure?*/ /* type */ offset_v = dissect_nt_sec_desc_type(tvb, offset_v, tree); /* offset_v to owner sid */ owner_sid_offset = tvb_get_letohl(tvb, offset_v); if(owner_sid_offset != 0 && owner_sid_offset < 20){ /* Bogus value - points into fixed portion of descriptor */ proto_tree_add_uint_format_value(tree, hf_nt_offset_to_owner_sid, tvb, offset_v, 4, owner_sid_offset, "%u (bogus, must be >= 20)", owner_sid_offset); owner_sid_offset = 0; } else it_owner_sid_offs = proto_tree_add_item(tree, hf_nt_offset_to_owner_sid, tvb, offset_v, 4, ENC_LITTLE_ENDIAN); offset_v += 4; /* offset to group sid */ group_sid_offset = tvb_get_letohl(tvb, offset_v); if(group_sid_offset != 0 && group_sid_offset < 20){ /* Bogus value - points into fixed portion of descriptor */ proto_tree_add_uint_format_value(tree, hf_nt_offset_to_group_sid, tvb, offset_v, 4, group_sid_offset, "%u (bogus, must be >= 20)", group_sid_offset); group_sid_offset = 0; } else it_gr_sid_offs = proto_tree_add_item(tree, hf_nt_offset_to_group_sid, tvb, offset_v, 4, ENC_LITTLE_ENDIAN); offset_v += 4; /* offset to sacl */ sacl_offset = tvb_get_letohl(tvb, offset_v); if(sacl_offset != 0 && sacl_offset < 20){ /* Bogus value - points into fixed portion of descriptor */ proto_tree_add_uint_format_value(tree, hf_nt_offset_to_sacl, tvb, offset_v, 4, sacl_offset, "%u (bogus, must be >= 20)", sacl_offset); sacl_offset = 0; } else it_sacl_offs = proto_tree_add_item(tree, hf_nt_offset_to_sacl, tvb, offset_v, 4, ENC_LITTLE_ENDIAN); offset_v += 4; /* offset to dacl */ dacl_offset = tvb_get_letohl(tvb, offset_v); if(dacl_offset != 0 && dacl_offset < 20){ /* Bogus value - points into fixed portion of descriptor */ proto_tree_add_uint_format_value(tree, hf_nt_offset_to_dacl, tvb, offset_v, 4, dacl_offset, "%u (bogus, must be >= 20)", dacl_offset); dacl_offset = 0; } else it_dacl_offs = proto_tree_add_item(tree, hf_nt_offset_to_dacl, tvb, offset_v, 4, ENC_LITTLE_ENDIAN); offset_v += 4; end_offset = offset_v; /*owner SID*/ if(owner_sid_offset){ item_offset = start_offset+owner_sid_offset; if (item_offset < start_offset) { expert_add_info(pinfo, it_owner_sid_offs, &ei_nt_item_offs_out_of_range); break; } TRY{ offset_v = dissect_nt_sid(tvb, item_offset, tree, "Owner", NULL, -1); if (offset_v > end_offset) end_offset = offset_v; } CATCH(ContainedBoundsError) { proto_tree_add_expert(tree, pinfo, &ei_nt_owner_sid_beyond_data, tvb, item_offset, 0); } CATCH(ReportedBoundsError) { proto_tree_add_expert(tree, pinfo, &ei_nt_owner_sid_beyond_reassembled_data, tvb, item_offset, 0); } ENDTRY; } /*group SID*/ if(group_sid_offset){ item_offset = start_offset+group_sid_offset; if (item_offset < start_offset) { expert_add_info(pinfo, it_gr_sid_offs, &ei_nt_item_offs_out_of_range); break; } TRY { offset_v = dissect_nt_sid(tvb, item_offset, tree, "Group", NULL, -1); if (offset_v > end_offset) end_offset = offset_v; } CATCH(ContainedBoundsError) { proto_tree_add_expert(tree, pinfo, &ei_nt_group_sid_beyond_data, tvb, item_offset, 0); } CATCH(ReportedBoundsError) { proto_tree_add_expert(tree, pinfo, &ei_nt_group_sid_beyond_reassembled_data, tvb, item_offset, 0); } ENDTRY; } /* sacl */ if(sacl_offset){ item_offset = start_offset+sacl_offset; if (item_offset < start_offset) { expert_add_info(pinfo, it_sacl_offs, &ei_nt_item_offs_out_of_range); break; } offset_v = dissect_nt_acl(tvb, item_offset, pinfo, tree, drep, "System (SACL)", ami); if (offset_v > end_offset) end_offset = offset_v; } /* dacl */ if(dacl_offset){ item_offset = start_offset+dacl_offset; if (item_offset < start_offset) { expert_add_info(pinfo, it_dacl_offs, &ei_nt_item_offs_out_of_range); break; } offset_v = dissect_nt_acl(tvb, item_offset, pinfo, tree, drep, "User (DACL)", ami); if (offset_v > end_offset) end_offset = offset_v; } break; default: end_offset = offset_v; break; } len = end_offset - start_offset; proto_item_set_len(item, len); return offset_v; } /* * XXX - we should have a way to register fields not associated with a * protocol. * * XXX - make-reg-dotc.py doesn't check for an argument list of "(void)", * so we have to give this a name other than "proto_register_..." so that * it doesn't end up being called from "register.c". */ void proto_do_register_windows_common(int proto_smb) { static hf_register_info hf[] = { /* Security descriptors */ { &hf_nt_sec_desc_revision, { "Revision", "nt.sec_desc.revision", FT_UINT16, BASE_DEC, NULL, 0, "Version of NT Security Descriptor structure", HFILL }}, { &hf_nt_sec_desc_type_owner_defaulted, { "Owner Defaulted", "nt.sec_desc.type.owner_defaulted", FT_BOOLEAN, 16, TFS(&tfs_sec_desc_type_owner_defaulted), 0x0001, "Is Owner Defaulted set?", HFILL }}, { &hf_nt_sec_desc_type_group_defaulted, { "Group Defaulted", "nt.sec_desc.type.group_defaulted", FT_BOOLEAN, 16, TFS(&tfs_sec_desc_type_group_defaulted), 0x0002, "Is Group Defaulted?", HFILL }}, { &hf_nt_sec_desc_type_dacl_present, { "DACL Present", "nt.sec_desc.type.dacl_present", FT_BOOLEAN, 16, TFS(&tfs_sec_desc_type_dacl_present), 0x0004, "Does this SecDesc have DACL present?", HFILL }}, { &hf_nt_sec_desc_type_dacl_defaulted, { "DACL Defaulted", "nt.sec_desc.type.dacl_defaulted", FT_BOOLEAN, 16, TFS(&tfs_sec_desc_type_dacl_defaulted), 0x0008, "Does this SecDesc have DACL Defaulted?", HFILL }}, { &hf_nt_sec_desc_type_sacl_present, { "SACL Present", "nt.sec_desc.type.sacl_present", FT_BOOLEAN, 16, TFS(&tfs_sec_desc_type_sacl_present), 0x0010, "Is the SACL present?", HFILL }}, { &hf_nt_sec_desc_type_sacl_defaulted, { "SACL Defaulted", "nt.sec_desc.type.sacl_defaulted", FT_BOOLEAN, 16, TFS(&tfs_sec_desc_type_sacl_defaulted), 0x0020, "Does this SecDesc have SACL Defaulted?", HFILL }}, { &hf_nt_sec_desc_type_dacl_auto_inherit_req, { "DACL Auto Inherit Required", "nt.sec_desc.type.dacl_auto_inherit_req", FT_BOOLEAN, 16, TFS(&tfs_sec_desc_type_dacl_auto_inherit_req), 0x0100, "Does this SecDesc have DACL Auto Inherit Required set?", HFILL }}, { &hf_nt_sec_desc_type_dacl_trusted, { "DACL Trusted", "nt.sec_desc.type.dacl_trusted", FT_BOOLEAN, 16, TFS(&tfs_sec_desc_type_dacl_trusted), 0x0040, "Does this SecDesc have DACL TRUSTED set?", HFILL }}, { &hf_nt_sec_desc_type_server_security, { "Server Security", "nt.sec_desc.type.server_security", FT_BOOLEAN, 16, TFS(&tfs_sec_desc_type_server_security), 0x0080, "Does this SecDesc have SERVER SECURITY set?", HFILL }}, { &hf_nt_sec_desc_type_sacl_auto_inherit_req, { "SACL Auto Inherit Required", "nt.sec_desc.type.sacl_auto_inherit_req", FT_BOOLEAN, 16, TFS(&tfs_sec_desc_type_sacl_auto_inherit_req), 0x0200, "Does this SecDesc have SACL Auto Inherit Required set?", HFILL }}, { &hf_nt_sec_desc_type_dacl_auto_inherited, { "DACL Auto Inherited", "nt.sec_desc.type.dacl_auto_inherited", FT_BOOLEAN, 16, TFS(&tfs_sec_desc_type_dacl_auto_inherited), 0x0400, "Is this DACL auto inherited", HFILL }}, { &hf_nt_sec_desc_type_sacl_auto_inherited, { "SACL Auto Inherited", "nt.sec_desc.type.sacl_auto_inherited", FT_BOOLEAN, 16, TFS(&tfs_sec_desc_type_sacl_auto_inherited), 0x0800, "Is this SACL auto inherited", HFILL }}, { &hf_nt_sec_desc_type_dacl_protected, { "DACL Protected", "nt.sec_desc.type.dacl_protected", FT_BOOLEAN, 16, TFS(&tfs_sec_desc_type_dacl_protected), 0x1000, "Is the DACL structure protected?", HFILL }}, { &hf_nt_sec_desc_type_sacl_protected, { "SACL Protected", "nt.sec_desc.type.sacl_protected", FT_BOOLEAN, 16, TFS(&tfs_sec_desc_type_sacl_protected), 0x2000, "Is the SACL structure protected?", HFILL }}, { &hf_nt_sec_desc_type_self_relative, { "Self Relative", "nt.sec_desc.type.self_relative", FT_BOOLEAN, 16, TFS(&tfs_sec_desc_type_self_relative), 0x8000, "Is this SecDesc self relative?", HFILL }}, { &hf_nt_sec_desc_type_rm_control_valid, { "RM Control Valid", "nt.sec_desc.type.rm_control_valid", FT_BOOLEAN, 16, TFS(&tfs_sec_desc_type_rm_control_valid), 0x4000, "Is RM Control Valid set?", HFILL }}, /* SIDs */ { &hf_nt_sid, { "SID", "nt.sid", FT_STRING, BASE_NONE, NULL, 0, "SID: Security Identifier", HFILL }}, { &hf_nt_sid_revision, { "Revision", "nt.sid.revision", FT_UINT8, BASE_DEC, NULL, 0, "Version of SID structure", HFILL }}, { &hf_nt_sid_num_auth, { "Num Auth", "nt.sid.num_auth", FT_UINT8, BASE_DEC, NULL, 0, "Number of authorities for this SID", HFILL }}, { &hf_nt_sid_auth_dec, { "Authority", "nt.sid.auth", FT_UINT64, BASE_DEC, NULL, 0, "Identifier Authority", HFILL }}, { &hf_nt_sid_auth_hex, { "Authority", "nt.sid.auth", FT_UINT64, BASE_HEX, NULL, 0, "Identifier Authority", HFILL }}, { &hf_nt_sid_subauth, { "Subauthorities", "nt.sid.subauth", FT_STRING, BASE_NONE, NULL, 0, "Subauthorities fields", HFILL }}, { &hf_nt_sid_rid_dec, { "RID", "nt.sid.rid", FT_UINT32, BASE_DEC, NULL, 0, "Relative IDentifier: identifies a user or group", HFILL }}, { &hf_nt_sid_rid_hex, { "RID", "nt.sid.rid", FT_UINT32, BASE_HEX, NULL, 0, "Relative IDentifier: identifies a user or group", HFILL }}, { &hf_nt_sid_wkwn, { "Well-known SID", "nt.sid.wkwn", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL }}, { &hf_nt_sid_domain, { "Domain", "nt.sid.domain", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL }}, /* ACLs */ { &hf_nt_acl_revision, { "Revision", "nt.acl.revision", FT_UINT16, BASE_DEC, VALS(acl_revision_vals), 0, "Version of NT ACL structure", HFILL }}, { &hf_nt_acl_size, { "Size", "nt.acl.size", FT_UINT16, BASE_DEC, NULL, 0, "Size of NT ACL structure", HFILL }}, { &hf_nt_acl_num_aces, { "Num ACEs", "nt.acl.num_aces", FT_UINT32, BASE_DEC, NULL, 0, "Number of ACE structures for this ACL", HFILL }}, /* ACEs */ { &hf_nt_ace_type, { "Type", "nt.ace.type", FT_UINT8, BASE_DEC, VALS(ace_type_vals), 0, "Type of ACE", HFILL }}, { &hf_nt_ace_size, { "Size", "nt.ace.size", FT_UINT16, BASE_DEC, NULL, 0, "Size of this ACE", HFILL }}, { &hf_nt_ace_flags_object_inherit, { "Object Inherit", "nt.ace.flags.object_inherit", FT_BOOLEAN, 8, TFS(&tfs_ace_flags_object_inherit), 0x01, "Will subordinate files inherit this ACE?", HFILL }}, { &hf_nt_ace_flags_container_inherit, { "Container Inherit", "nt.ace.flags.container_inherit", FT_BOOLEAN, 8, TFS(&tfs_ace_flags_container_inherit), 0x02, "Will subordinate containers inherit this ACE?", HFILL }}, { &hf_nt_ace_flags_non_propagate_inherit, { "Non-Propagate Inherit", "nt.ace.flags.non_propagate_inherit", FT_BOOLEAN, 8, TFS(&tfs_ace_flags_non_propagate_inherit), 0x04, "Will subordinate object propagate this ACE further?", HFILL }}, { &hf_nt_ace_flags_inherit_only, { "Inherit Only", "nt.ace.flags.inherit_only", FT_BOOLEAN, 8, TFS(&tfs_ace_flags_inherit_only), 0x08, "Does this ACE apply to the current object?", HFILL }}, { &hf_nt_ace_flags_inherited_ace, { "Inherited ACE", "nt.ace.flags.inherited_ace", FT_BOOLEAN, 8, TFS(&tfs_ace_flags_inherited_ace), 0x10, "Was this ACE inherited from its parent object?", HFILL }}, { &hf_nt_ace_flags_successful_access, { "Audit Successful Accesses", "nt.ace.flags.successful_access", FT_BOOLEAN, 8, TFS(&tfs_ace_flags_successful_access), 0x40, "Should successful accesses be audited?", HFILL }}, { &hf_nt_ace_flags_failed_access, { "Audit Failed Accesses", "nt.ace.flags.failed_access", FT_BOOLEAN, 8, TFS(&tfs_ace_flags_failed_access), 0x80, "Should failed accesses be audited?", HFILL }}, /* Access masks */ { &hf_nt_access_mask, { "Access required", "nt.access_mask", FT_UINT32, BASE_HEX, NULL, 0x0, "Access mask", HFILL }}, { &hf_access_generic_read, { "Generic read", "nt.access_mask.generic_read", FT_BOOLEAN, 32, TFS(&tfs_set_notset), GENERIC_READ_ACCESS, NULL, HFILL }}, { &hf_access_generic_write, { "Generic write", "nt.access_mask.generic_write", FT_BOOLEAN, 32, TFS(&tfs_set_notset), GENERIC_WRITE_ACCESS, NULL, HFILL }}, { &hf_access_generic_execute, { "Generic execute", "nt.access_mask.generic_execute", FT_BOOLEAN, 32, TFS(&tfs_set_notset), GENERIC_EXECUTE_ACCESS, NULL, HFILL }}, { &hf_access_generic_all, { "Generic all", "nt.access_mask.generic_all", FT_BOOLEAN, 32, TFS(&tfs_set_notset), GENERIC_ALL_ACCESS, NULL, HFILL }}, { &hf_access_maximum_allowed, { "Maximum allowed", "nt.access_mask.maximum_allowed", FT_BOOLEAN, 32, TFS(&tfs_set_notset), MAXIMUM_ALLOWED_ACCESS, NULL, HFILL }}, { &hf_access_sacl, { "Access SACL", "nt.access_mask.access_sacl", FT_BOOLEAN, 32, TFS(&tfs_set_notset), ACCESS_SACL_ACCESS, NULL, HFILL }}, { &hf_access_standard_read_control, { "Read control", "nt.access_mask.read_control", FT_BOOLEAN, 32, TFS(&tfs_set_notset), READ_CONTROL_ACCESS, NULL, HFILL }}, { &hf_access_standard_delete, { "Delete", "nt.access_mask.delete", FT_BOOLEAN, 32, TFS(&tfs_set_notset), DELETE_ACCESS, NULL, HFILL }}, { &hf_access_standard_synchronise, { "Synchronise", "nt.access_mask.synchronise", FT_BOOLEAN, 32, TFS(&tfs_set_notset), SYNCHRONIZE_ACCESS, NULL, HFILL }}, { &hf_access_standard_write_dac, { "Write DAC", "nt.access_mask.write_dac", FT_BOOLEAN, 32, TFS(&tfs_set_notset), WRITE_DAC_ACCESS, NULL, HFILL }}, { &hf_access_standard_write_owner, { "Write owner", "nt.access_mask.write_owner", FT_BOOLEAN, 32, TFS(&tfs_set_notset), WRITE_OWNER_ACCESS, NULL, HFILL }}, { &hf_access_specific_15, { "Specific access, bit 15", "nt.access_mask.specific_15", FT_BOOLEAN, 32, TFS(&tfs_set_notset), 0x8000, NULL, HFILL }}, { &hf_access_specific_14, { "Specific access, bit 14", "nt.access_mask.specific_14", FT_BOOLEAN, 32, TFS(&tfs_set_notset), 0x4000, NULL, HFILL }}, { &hf_access_specific_13, { "Specific access, bit 13", "nt.access_mask.specific_13", FT_BOOLEAN, 32, TFS(&tfs_set_notset), 0x2000, NULL, HFILL }}, { &hf_access_specific_12, { "Specific access, bit 12", "nt.access_mask.specific_12", FT_BOOLEAN, 32, TFS(&tfs_set_notset), 0x1000, NULL, HFILL }}, { &hf_access_specific_11, { "Specific access, bit 11", "nt.access_mask.specific_11", FT_BOOLEAN, 32, TFS(&tfs_set_notset), 0x0800, NULL, HFILL }}, { &hf_access_specific_10, { "Specific access, bit 10", "nt.access_mask.specific_10", FT_BOOLEAN, 32, TFS(&tfs_set_notset), 0x0400, NULL, HFILL }}, { &hf_access_specific_9, { "Specific access, bit 9", "nt.access_mask.specific_9", FT_BOOLEAN, 32, TFS(&tfs_set_notset), 0x0200, NULL, HFILL }}, { &hf_access_specific_8, { "Specific access, bit 8", "nt.access_mask.specific_8", FT_BOOLEAN, 32, TFS(&tfs_set_notset), 0x0100, NULL, HFILL }}, { &hf_access_specific_7, { "Specific access, bit 7", "nt.access_mask.specific_7", FT_BOOLEAN, 32, TFS(&tfs_set_notset), 0x0080, NULL, HFILL }}, { &hf_access_specific_6, { "Specific access, bit 6", "nt.access_mask.specific_6", FT_BOOLEAN, 32, TFS(&tfs_set_notset), 0x0040, NULL, HFILL }}, { &hf_access_specific_5, { "Specific access, bit 5", "nt.access_mask.specific_5", FT_BOOLEAN, 32, TFS(&tfs_set_notset), 0x0020, NULL, HFILL }}, { &hf_access_specific_4, { "Specific access, bit 4", "nt.access_mask.specific_4", FT_BOOLEAN, 32, TFS(&tfs_set_notset), 0x0010, NULL, HFILL }}, { &hf_access_specific_3, { "Specific access, bit 3", "nt.access_mask.specific_3", FT_BOOLEAN, 32, TFS(&tfs_set_notset), 0x0008, NULL, HFILL }}, { &hf_access_specific_2, { "Specific access, bit 2", "nt.access_mask.specific_2", FT_BOOLEAN, 32, TFS(&tfs_set_notset), 0x0004, NULL, HFILL }}, { &hf_access_specific_1, { "Specific access, bit 1", "nt.access_mask.specific_1", FT_BOOLEAN, 32, TFS(&tfs_set_notset), 0x0002, NULL, HFILL }}, { &hf_access_specific_0, { "Specific access, bit 0", "nt.access_mask.specific_0", FT_BOOLEAN, 32, TFS(&tfs_set_notset), 0x0001, NULL, HFILL }}, { &hf_nt_ace_flags_object_type_present, { "Object Type Present", "nt.ace.object.flags.object_type_present", FT_BOOLEAN, 32, TFS(&tfs_set_notset), 0x00000001, NULL, HFILL }}, { &hf_nt_ace_flags_inherited_object_type_present, { "Inherited Object Type Present", "nt.ace.object.flags.inherited_object_type_present", FT_BOOLEAN, 32, TFS(&tfs_set_notset), 0x00000002, NULL, HFILL }}, { &hf_nt_ace_guid, { "GUID", "nt.ace.object.guid", FT_GUID, BASE_NONE, NULL, 0, NULL, HFILL }}, { &hf_nt_ace_inherited_guid, { "Inherited GUID", "nt.ace.object.inherited_guid", FT_GUID, BASE_NONE, NULL, 0, NULL, HFILL }}, { &hf_nt_security_information_sacl, { "SACL", "nt.sec_info.sacl", FT_BOOLEAN, 32, TFS(&flags_sec_info_sacl), 0x00000008, NULL, HFILL }}, { &hf_nt_security_information_dacl, { "DACL", "nt.sec_info.dacl", FT_BOOLEAN, 32, TFS(&flags_sec_info_dacl), 0x00000004, NULL, HFILL }}, { &hf_nt_security_information_group, { "Group", "nt.sec_info.group", FT_BOOLEAN, 32, TFS(&flags_sec_info_group), 0x00000002, NULL, HFILL }}, { &hf_nt_security_information_owner, { "Owner", "nt.sec_info.owner", FT_BOOLEAN, 32, TFS(&flags_sec_info_owner), 0x00000001, NULL, HFILL }}, /* Generated from convert_proto_tree_add_text.pl */ { &hf_nt_ace_flags_object, { "ACE Object Flags", "nt.ace.object.flags", FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL }}, { &hf_nt_ace_flags, { "NT ACE Flags", "nt.ace.flags", FT_UINT8, BASE_HEX, NULL, 0x0, NULL, HFILL }}, { &hf_nt_sec_desc_type, { "Type", "nt.sec_desc.type", FT_UINT16, BASE_HEX, NULL, 0x0, NULL, HFILL }}, { &hf_nt_security_information, { "SEC INFO", "nt.sec_info", FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL }}, { &hf_nt_offset_to_owner_sid, { "Offset to owner SID", "nt.offset_to_owner_sid", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }}, { &hf_nt_offset_to_group_sid, { "Offset to group SID", "nt.offset_to_group_sid", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }}, { &hf_nt_offset_to_sacl, { "Offset to SACL", "nt.offset_to_sacl", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }}, { &hf_nt_offset_to_dacl, { "Offset to DACL", "nt.offset_to_dacl", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }}, }; static gint *ett[] = { &ett_nt_sec_desc, &ett_nt_sec_desc_type, &ett_nt_sid, &ett_nt_acl, &ett_nt_ace, &ett_nt_ace_flags, &ett_nt_ace_object, &ett_nt_ace_object_flags, &ett_nt_access_mask, &ett_nt_access_mask_generic, &ett_nt_access_mask_standard, &ett_nt_access_mask_specific, &ett_nt_security_information, }; static ei_register_info ei[] = { { &ei_nt_ace_extends_beyond_data, { "nt.ace_extends_beyond_data", PI_MALFORMED, PI_ERROR, "ACE Extends beyond end of data", EXPFILL }}, { &ei_nt_ace_extends_beyond_reassembled_data, { "nt.ace_extends_beyond_reassembled_data", PI_MALFORMED, PI_ERROR, "ACE Extends beyond end of reassembled data", EXPFILL }}, { &ei_nt_owner_sid_beyond_data, { "nt.owner_sid.beyond_data", PI_MALFORMED, PI_ERROR, "Owner SID beyond end of data", EXPFILL }}, { &ei_nt_owner_sid_beyond_reassembled_data, { "nt.owner_sid.beyond_reassembled_data", PI_MALFORMED, PI_ERROR, "Owner SID beyond end of reassembled data", EXPFILL }}, { &ei_nt_group_sid_beyond_data, { "nt.group_sid.beyond_data", PI_MALFORMED, PI_ERROR, "Group SID beyond end of data", EXPFILL }}, { &ei_nt_group_sid_beyond_reassembled_data, { "nt.group_sid.beyond_reassembled_data", PI_MALFORMED, PI_ERROR, "Group SID beyond end of reassembled data", EXPFILL }}, { &ei_nt_item_offs_out_of_range, { "nt.item_offset.out_of_range", PI_MALFORMED, PI_ERROR, "Item offset is out of range", EXPFILL }}, }; expert_module_t* expert_nt; proto_register_subtree_array(ett, array_length(ett)); proto_register_field_array(proto_smb, hf, array_length(hf)); expert_nt = expert_register_protocol(proto_smb); expert_register_field_array(expert_nt, ei, array_length(ei)); } /* * Editor modelines - http://www.wireshark.org/tools/modelines.html * * Local variables: * c-basic-offset: 8 * tab-width: 8 * indent-tabs-mode: t * End: * * vi: set shiftwidth=8 tabstop=8 noexpandtab: * :indentSize=8:tabSize=8:noTabs=false: */