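#
# Policy-handle tracking
#
# These PARAM_VALUE entries tell the generated dissector where an LSA policy
# handle is opened and where it is closed, so that a dissected handle can be
# annotated with "[opened in xxx]  [closed in yyy]".  The PIDL_POLHND_TYPE_*
# tag recorded at open time is also what cnf_dissect_sec_desc_buf_ (below)
# uses to pick the right specific-rights table for a security descriptor.
#
# Policy handles are opened (returned) by these functions
PARAM_VALUE lsarpc_dissect_element_lsa_OpenPolicy_handle_ PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_LSA_POLICY
PARAM_VALUE lsarpc_dissect_element_lsa_OpenPolicy2_handle_ PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_LSA_POLICY
PARAM_VALUE lsarpc_dissect_element_lsa_CreateAccount_acct_handle_ PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_LSA_ACCOUNT
PARAM_VALUE lsarpc_dissect_element_lsa_OpenAccount_acct_handle_ PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_LSA_ACCOUNT
PARAM_VALUE lsarpc_dissect_element_lsa_CreateTrustedDomain_trustdom_handle_ PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_LSA_DOMAIN
PARAM_VALUE lsarpc_dissect_element_lsa_OpenTrustedDomain_trustdom_handle_ PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_LSA_DOMAIN
PARAM_VALUE lsarpc_dissect_element_lsa_OpenTrustedDomainByName_trustdom_handle_ PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_LSA_DOMAIN
PARAM_VALUE lsarpc_dissect_element_lsa_CreateSecret_sec_handle_ PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_LSA_SECRET
PARAM_VALUE lsarpc_dissect_element_lsa_OpenSecret_sec_handle_ PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_LSA_SECRET
# Policy handles are closed by these functions
PARAM_VALUE lsarpc_dissect_element_lsa_Close_handle_ PIDL_POLHND_CLOSE
PARAM_VALUE lsarpc_dissect_element_lsa_Delete_handle_ PIDL_POLHND_CLOSE
PARAM_VALUE lsarpc_dissect_element_lsa_CloseTrustedDomainEx_handle_ PIDL_POLHND_CLOSE



# 64-bit integers are routed through cnf_dissect_hyper() (defined below).
TYPE hyper "offset=cnf_dissect_hyper(tvb, offset, pinfo, tree, di, drep, @PARAM@, @HF@);" FT_UINT64 BASE_DEC 0 NULL 8

# sec_desc_buf is dissected by hand so the embedded NT security descriptor
# can be decoded with the access-mask table that matches the handle type.
TYPE sec_desc_buf "offset=cnf_dissect_sec_desc_buf(tvb, offset, pinfo, tree, di, drep);" FT_NONE BASE_NONE 0 NULL 4
HF_FIELD hf_lsarpc_sec_desc_buf_len "Sec Desc Buf Len" "lsarpc.sec_desc_buf_len" FT_UINT32 BASE_DEC NULL 0 "" "" ""


# The four access masks are decoded manually (see the bitmap dissectors in
# the CODE block).  Each object type gets its own display-filter name; the
# account/secret/domain fields previously reused "lsarpc.policy.access_mask",
# which made the four masks indistinguishable in a filter.
MANUAL lsarpc_dissect_bitmap_lsa_PolicyAccessMask
MANUAL lsarpc_dissect_bitmap_lsa_AccountAccessMask
MANUAL lsarpc_dissect_bitmap_lsa_SecretAccessMask
MANUAL lsarpc_dissect_bitmap_lsa_DomainAccessMask
HF_FIELD hf_lsarpc_policy_access_mask "Access Mask" "lsarpc.policy.access_mask" FT_UINT32 BASE_HEX NULL 0 "" "" ""
HF_FIELD hf_lsarpc_account_access_mask "Access Mask" "lsarpc.account.access_mask" FT_UINT32 BASE_HEX NULL 0 "" "" ""
HF_FIELD hf_lsarpc_secret_access_mask "Access Mask" "lsarpc.secret.access_mask" FT_UINT32 BASE_HEX NULL 0 "" "" ""
HF_FIELD hf_lsarpc_domain_access_mask "Access Mask" "lsarpc.domain.access_mask" FT_UINT32 BASE_HEX NULL 0 "" "" ""

HF_FIELD hf_lsarpc_String_name "String" "lsarpc.lsa.string" FT_STRING BASE_NONE NULL 0 "" "" ""

# The names arrays of the LookupNames* calls and the string bodies of
# lsa_String / lsa_StringLarge are dissected by hand (see CODE block).
MANUAL lsarpc_dissect_element_lsa_LookupNames_names
MANUAL lsarpc_dissect_element_lsa_LookupNames2_names
MANUAL lsarpc_dissect_element_lsa_LookupNames3_names
MANUAL lsarpc_dissect_element_lsa_LookupNames4_names
MANUAL lsarpc_dissect_element_lsa_String_string_
MANUAL lsarpc_dissect_element_lsa_StringLarge_string_

NOEMIT lsarpc_dissect_element_lsa_String_string__
NOEMIT lsarpc_dissect_element_lsa_StringLarge_string__
NOEMIT lsarpc_dissect_element_lsa_DomainInfoEfs_efs_blob__
NOEMIT lsarpc_dissect_element_lsa_LookupNames_names_
NOEMIT lsarpc_dissect_element_lsa_LookupNames2_names_
NOEMIT lsarpc_dissect_element_lsa_LookupNames4_names_

ETT_FIELD ett_lsarpc_names
HF_FIELD hf_lsarpc_names "Names" "lsarpc.lookup.names" FT_NONE BASE_NONE NULL 0 "" "" ""


# The EFS blob is handed to the "efsblob" dissector rather than shown as raw bytes.
MANUAL lsarpc_dissect_element_lsa_DomainInfoEfs_efs_blob_
HF_FIELD hf_lsarpc_efs_blob_len "EFS blob size" "lsarpc.efs.blob_size" FT_UINT32 BASE_DEC NULL 0 "" "" ""

CODE START

/*
 * Object-specific rights for the four kinds of LSA object.
 *
 * Each table lists the hf entries for the object-specific bits of an
 * ACCESS_MASK and is terminated by NULL, as proto_tree_add_bitmask_list_value()
 * expects.  The tables are wired into dissect_nt_access_mask() through the
 * access_mask_info structures further down.
 */

static void
lsarpc_policy_specific_rights(tvbuff_t *tvb, gint offset, proto_tree *tree, guint32 access)
{
	static int * const access_flags[] = {
		&hf_lsarpc_lsa_PolicyAccessMask_LSA_POLICY_NOTIFICATION,
		&hf_lsarpc_lsa_PolicyAccessMask_LSA_POLICY_LOOKUP_NAMES,
		&hf_lsarpc_lsa_PolicyAccessMask_LSA_POLICY_SERVER_ADMIN,
		&hf_lsarpc_lsa_PolicyAccessMask_LSA_POLICY_AUDIT_LOG_ADMIN,
		&hf_lsarpc_lsa_PolicyAccessMask_LSA_POLICY_SET_AUDIT_REQUIREMENTS,
		&hf_lsarpc_lsa_PolicyAccessMask_LSA_POLICY_SET_DEFAULT_QUOTA_LIMITS,
		&hf_lsarpc_lsa_PolicyAccessMask_LSA_POLICY_CREATE_PRIVILEGE,
		&hf_lsarpc_lsa_PolicyAccessMask_LSA_POLICY_CREATE_SECRET,
		&hf_lsarpc_lsa_PolicyAccessMask_LSA_POLICY_CREATE_ACCOUNT,
		&hf_lsarpc_lsa_PolicyAccessMask_LSA_POLICY_TRUST_ADMIN,
		&hf_lsarpc_lsa_PolicyAccessMask_LSA_POLICY_GET_PRIVATE_INFORMATION,
		&hf_lsarpc_lsa_PolicyAccessMask_LSA_POLICY_VIEW_AUDIT_INFORMATION,
		&hf_lsarpc_lsa_PolicyAccessMask_LSA_POLICY_VIEW_LOCAL_INFORMATION,
		NULL
	};

	proto_tree_add_bitmask_list_value(tree, tvb, offset, 4, access_flags, access);
}

static void
lsarpc_account_specific_rights(tvbuff_t *tvb, gint offset, proto_tree *tree, guint32 access)
{
	static int * const access_flags[] = {
		&hf_lsarpc_lsa_AccountAccessMask_LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS,
		&hf_lsarpc_lsa_AccountAccessMask_LSA_ACCOUNT_ADJUST_QUOTAS,
		&hf_lsarpc_lsa_AccountAccessMask_LSA_ACCOUNT_ADJUST_PRIVILEGES,
		&hf_lsarpc_lsa_AccountAccessMask_LSA_ACCOUNT_VIEW,
		NULL
	};

	proto_tree_add_bitmask_list_value(tree, tvb, offset, 4, access_flags, access);
}

static void
lsarpc_secret_specific_rights(tvbuff_t *tvb, gint offset, proto_tree *tree, guint32 access)
{
	static int * const access_flags[] = {
		&hf_lsarpc_lsa_SecretAccessMask_LSA_SECRET_QUERY_VALUE,
		&hf_lsarpc_lsa_SecretAccessMask_LSA_SECRET_SET_VALUE,
		NULL
	};

	proto_tree_add_bitmask_list_value(tree, tvb, offset, 4, access_flags, access);
}

static void
lsarpc_domain_specific_rights(tvbuff_t *tvb, gint offset, proto_tree *tree, guint32 access)
{
	static int * const access_flags[] = {
		&hf_lsarpc_lsa_DomainAccessMask_LSA_DOMAIN_QUERY_AUTH,
		&hf_lsarpc_lsa_DomainAccessMask_LSA_DOMAIN_SET_AUTH,
		&hf_lsarpc_lsa_DomainAccessMask_LSA_DOMAIN_SET_POSIX,
		&hf_lsarpc_lsa_DomainAccessMask_LSA_DOMAIN_QUERY_POSIX,
		&hf_lsarpc_lsa_DomainAccessMask_LSA_DOMAIN_SET_CONTROLLERS,
		&hf_lsarpc_lsa_DomainAccessMask_LSA_DOMAIN_QUERY_CONTROLLERS,
		&hf_lsarpc_lsa_DomainAccessMask_LSA_DOMAIN_QUERY_DOMAIN_NAME,
		NULL
	};

	proto_tree_add_bitmask_list_value(tree, tvb, offset, 4, access_flags, access);
}


/*
 * Per-object-type access-mask descriptors handed to dissect_nt_access_mask()
 * and dissect_nt_sec_desc().  No generic or standard mapping tables are
 * supplied, so only the specific-rights callback is used from these.
 */

struct access_mask_info lsarpc_policy_access_mask_info = {
	"LSA Policy",			/* Name of specific rights */
	lsarpc_policy_specific_rights,	/* Dissection function */
	NULL,				/* Generic mapping table */
	NULL				/* Standard mapping table */
};

struct access_mask_info lsarpc_account_access_mask_info = {
	"LSA Account",			/* Name of specific rights */
	lsarpc_account_specific_rights,	/* Dissection function */
	NULL,				/* Generic mapping table */
	NULL				/* Standard mapping table */
};

struct access_mask_info lsarpc_secret_access_mask_info = {
	"LSA Secret",			/* Name of specific rights */
	lsarpc_secret_specific_rights,	/* Dissection function */
	NULL,				/* Generic mapping table */
	NULL				/* Standard mapping table */
};

struct access_mask_info lsarpc_domain_access_mask_info = {
	"LSA Domain",			/* Name of specific rights */
	lsarpc_domain_specific_rights,	/* Dissection function */
	NULL,				/* Generic mapping table */
	NULL				/* Standard mapping table */
};


/*
 * Access-mask dissectors referenced by the MANUAL directives above.
 *
 * They replace the PIDL-generated bitmap dissectors and delegate to
 * dissect_nt_access_mask() with the hf field and rights table fixed per
 * object type, which is why the hf_index and param arguments PIDL passes
 * are ignored.  Each returns the offset just past the 4-byte mask.
 */

int
lsarpc_dissect_bitmap_lsa_PolicyAccessMask(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info* di, guint8 *drep, int hf_index _U_, guint32 param _U_)
{
	return dissect_nt_access_mask(tvb, offset, pinfo, tree, di, drep,
			hf_lsarpc_policy_access_mask,
			&lsarpc_policy_access_mask_info, NULL);
}

int
lsarpc_dissect_bitmap_lsa_AccountAccessMask(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info* di, guint8 *drep, int hf_index _U_, guint32 param _U_)
{
	return dissect_nt_access_mask(tvb, offset, pinfo, tree, di, drep,
			hf_lsarpc_account_access_mask,
			&lsarpc_account_access_mask_info, NULL);
}

int
lsarpc_dissect_bitmap_lsa_SecretAccessMask(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info* di, guint8 *drep, int hf_index _U_, guint32 param _U_)
{
	return dissect_nt_access_mask(tvb, offset, pinfo, tree, di, drep,
			hf_lsarpc_secret_access_mask,
			&lsarpc_secret_access_mask_info, NULL);
}

int
lsarpc_dissect_bitmap_lsa_DomainAccessMask(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info* di, guint8 *drep, int hf_index _U_, guint32 param _U_)
{
	return dissect_nt_access_mask(tvb, offset, pinfo, tree, di, drep,
			hf_lsarpc_domain_access_mask,
			&lsarpc_domain_access_mask_info, NULL);
}

/*
 * Dissect the security descriptor a sec_desc_buf points to.
 *
 * On the wire this is a 4-byte length followed by the NT security
 * descriptor.  If policy-handle tracking knows which kind of LSA object the
 * current call's handle was opened on, the matching specific-rights table is
 * handed to dissect_nt_sec_desc() so the ACE access masks decode properly.
 *
 * Returns the offset just past the descriptor (i.e. offset + length field).
 */
static int
cnf_dissect_sec_desc_buf_(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info* di, guint8 *drep)
{
	guint32 len;
	e_ctx_hnd *polhnd = NULL;
	dcerpc_call_value *dcv = NULL;
	guint32 type = 0;
	struct access_mask_info *ami = NULL;

	if (di->conformant_run) {
		/* just a run to handle conformant arrays, nothing to dissect */
		return offset;
	}

	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
			hf_lsarpc_sec_desc_buf_len, &len);

	/*
	 * len comes straight off the wire.  Reject anything larger than the
	 * packet claims to carry before it is used as a size and as an offset
	 * increment: an unchecked 32-bit value would otherwise wrap the int
	 * offset and could point later dissection at a bogus position.
	 */
	if (len > (guint32)tvb_reported_length_remaining(tvb, offset)) {
		THROW(ReportedBoundsError);
	}

	/* Which kind of LSA object was the call's handle opened on? */
	dcv = (dcerpc_call_value *)di->call_data;
	if (dcv) {
		polhnd = dcv->pol;
	}
	if (polhnd) {
		dcerpc_fetch_polhnd_data(polhnd, NULL, &type, NULL, NULL, pinfo->num);
	}

	switch (type) {
	case PIDL_POLHND_TYPE_LSA_POLICY:
		ami = &lsarpc_policy_access_mask_info;
		break;
	case PIDL_POLHND_TYPE_LSA_ACCOUNT:
		ami = &lsarpc_account_access_mask_info;
		break;
	case PIDL_POLHND_TYPE_LSA_SECRET:
		ami = &lsarpc_secret_access_mask_info;
		break;
	case PIDL_POLHND_TYPE_LSA_DOMAIN:
		ami = &lsarpc_domain_access_mask_info;
		break;
	default:
		/* Untracked or unknown handle type: no object-specific table. */
		ami = NULL;
		break;
	}

	dissect_nt_sec_desc(tvb, offset, pinfo, tree, drep, TRUE, (int)len, ami);

	/* Advance by the declared length, whatever dissect_nt_sec_desc consumed. */
	offset += (int)len;

	return offset;
}

/*
 * Dissect a sec_desc_buf: a 4-byte length followed by a unique pointer to
 * the descriptor data, which cnf_dissect_sec_desc_buf_() decodes.
 *
 * Returns the offset just past the pointer.
 */
static int
cnf_dissect_sec_desc_buf(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info* di, guint8 *drep)
{
	guint32 len;

	if (di->conformant_run) {
		/* just a run to handle conformant arrays, nothing to dissect */
		return offset;
	}

	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
			hf_lsarpc_sec_desc_buf_len, &len);

	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
			cnf_dissect_sec_desc_buf_, NDR_POINTER_UNIQUE,
			"LSA SECURITY DESCRIPTOR data:", -1);

	return offset;
}


/* Exported entry point for sec_desc_buf (declared in the HEADER block). */
int
lsarpc_dissect_sec_desc_buf(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info* di, guint8 *drep)
{
	return cnf_dissect_sec_desc_buf(tvb, offset, pinfo, tree, di, drep);
}

/*
 * Struct dissector for security_descriptor.  The two trailing ints are the
 * slots PIDL passes to struct dissectors; they are not needed here.
 */
static int
lsarpc_dissect_struct_security_descriptor(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info* di, guint8 *drep, int unused1 _U_, int unused2 _U_)
{
	return cnf_dissect_sec_desc_buf(tvb, offset, pinfo, tree, di, drep);
}


/* dom_sid2 is a plain NT SID on the wire; reuse the shared SID dissector. */
int
lsarpc_dissect_struct_dom_sid2(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info* di, guint8 *drep, int unused1 _U_, int unused2 _U_)
{
	return dissect_ndr_nt_SID(tvb, offset, pinfo, tree, di, drep);
}

/*
 * 64-bit integer helper referenced by the "TYPE hyper" directive.  param is
 * the PIDL parameter slot and is unused; hfindex names the field to add.
 */
static int
cnf_dissect_hyper(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info* di, guint8 *drep, guint32 param _U_, int hfindex)
{
	return dissect_ndr_uint64(tvb, offset, pinfo, tree, di, drep, hfindex, NULL);
}

/*
 * PIDL cannot handle top-level arrays, so each LookupNames* variant routes
 * its "names" parameter through a REF pointer to this helper, which wraps
 * the conformant array of names in its own "Names" subtree.  The element
 * dissector used is the generated one for LookupNames3 (the NOEMIT
 * directives above suppress the others).
 */
static int
lsarpc_dissect_element_lsa_LookupNames3_names_X(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *parent_tree, dcerpc_info* di, guint8 *drep)
{
	proto_item *item = NULL;
	proto_tree *tree = NULL;
	const int start_offset = offset;

	if (parent_tree) {
		item = proto_tree_add_item(parent_tree, hf_lsarpc_names, tvb, offset, -1, ENC_NA);
		tree = proto_item_add_subtree(item, ett_lsarpc_names);
	}

	offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep, lsarpc_dissect_element_lsa_LookupNames3_names_);

	/* Fix up the subtree length now that the array size is known (item may be NULL). */
	proto_item_set_len(item, offset - start_offset);
	return offset;
}

static int
lsarpc_dissect_element_lsa_LookupNames_names(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info* di, guint8 *drep)
{
	return dissect_ndr_toplevel_pointer(tvb, offset, pinfo, tree, di, drep,
			lsarpc_dissect_element_lsa_LookupNames3_names_X, NDR_POINTER_REF,
			"Pointer to Names", hf_lsarpc_names);
}

static int
lsarpc_dissect_element_lsa_LookupNames2_names(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info* di, guint8 *drep)
{
	return dissect_ndr_toplevel_pointer(tvb, offset, pinfo, tree, di, drep,
			lsarpc_dissect_element_lsa_LookupNames3_names_X, NDR_POINTER_REF,
			"Pointer to Names", hf_lsarpc_names);
}

static int
lsarpc_dissect_element_lsa_LookupNames3_names(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info* di, guint8 *drep)
{
	return dissect_ndr_toplevel_pointer(tvb, offset, pinfo, tree, di, drep,
			lsarpc_dissect_element_lsa_LookupNames3_names_X, NDR_POINTER_REF,
			"Pointer to Names", hf_lsarpc_names);
}

static int
lsarpc_dissect_element_lsa_LookupNames4_names(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info* di, guint8 *drep)
{
	return dissect_ndr_toplevel_pointer(tvb, offset, pinfo, tree, di, drep,
			lsarpc_dissect_element_lsa_LookupNames3_names_X, NDR_POINTER_REF,
			"Pointer to Names", hf_lsarpc_names);
}



/*
 * Body of an lsa_String: a counted/varying UTF-16 string.  The decoded text
 * is also appended to the enclosing item so the summary line shows it.
 */
static int
lsarpc_dissect_element_lsa_String_string_(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info* di, guint8 *drep)
{
	char *data = NULL;	/* stays NULL unless dissect_ndr_cvstring fills it in */

	offset = dissect_ndr_cvstring(tvb, offset, pinfo, tree, di, drep, sizeof(guint16), hf_lsarpc_String_name, FALSE, &data);
	if (data) {
		proto_item_append_text(tree, ": %s", data);
	}

	return offset;
}

/* Body of an lsa_StringLarge: same wire format and handling as lsa_String. */
static int
lsarpc_dissect_element_lsa_StringLarge_string_(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info* di, guint8 *drep)
{
	char *data = NULL;	/* stays NULL unless dissect_ndr_cvstring fills it in */

	offset = dissect_ndr_cvstring(tvb, offset, pinfo, tree, di, drep, sizeof(guint16), hf_lsarpc_String_name, FALSE, &data);
	if (data) {
		proto_item_append_text(tree, ": %s", data);
	}

	return offset;
}



/*
 * Dissect the EFS blob of an lsa_DomainInfoEfs: a 4-byte length followed by
 * the blob, which is handed to the "efsblob" dissector if one is registered.
 *
 * The blob length is attacker-controlled, so it is validated against the
 * reported packet length before being used; the captured length may still
 * be shorter (truncated capture), in which case only the captured bytes are
 * passed on while the offset still advances by the full reported length.
 *
 * Returns the offset just past the blob.
 */
static int
lsarpc_dissect_element_lsa_DomainInfoEfs_efs_blob_(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info* di, guint8 *drep)
{
	tvbuff_t *next_tvb;
	guint32 reported_len;	/* dissect_ndr_uint32 writes a guint32; keep it unsigned */
	gint captured, len;
	dissector_handle_t efsblob_handle;

	if (di->conformant_run) {
		/* just a run to handle conformant arrays, nothing to dissect */
		return offset;
	}

	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
			hf_lsarpc_efs_blob_len, &reported_len);

	/*
	 * A length beyond what the packet claims to carry is malformed.  Reject
	 * it before the unsigned->int conversions and the offset advance below,
	 * so none of them can wrap or go negative.
	 */
	if (reported_len > (guint32)tvb_reported_length_remaining(tvb, offset)) {
		THROW(ReportedBoundsError);
	}

	/* Hand the sub-dissector only the bytes that were actually captured. */
	captured = tvb_captured_length_remaining(tvb, offset);
	len = (gint)reported_len;
	if (len > captured) {
		len = captured;
	}

	next_tvb = tvb_new_subset_length_caplen(tvb, offset, len, (gint)reported_len);

	efsblob_handle = find_dissector("efsblob");
	if (efsblob_handle) {
		call_dissector(efsblob_handle, next_tvb, pinfo, tree);
	}

	offset += (int)reported_len;

	return offset;
}

CODE END

HEADER START

extern int
lsarpc_dissect_sec_desc_buf(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info* di, guint8 *drep);
extern int
lsarpc_dissect_struct_dom_sid2(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info* di, guint8 *drep, int unused1, int unused2);

HEADER END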