TYPE lsa_StringLarge "offset=lsarpc_dissect_struct_lsa_StringLarge(tvb, offset, pinfo, tree, di, drep, @HF@, @PARAM@);" FT_NONE BASE_NONE 0 NULL NULL
TYPE winreg_Type "offset=misc_dissect_enum_winreg_Type(tvb, offset, pinfo, tree, di, drep, @HF@, @PARAM@);" FT_NONE BASE_NONE 0 NULL NULL
IMPORT security_secinfo offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep, hf_winreg_winreg_GetKeySecurity_sec_info, NULL);

#
# Make all instances of an access mask use the same hf field display filter
# name
#
HF_FIELD hf_winreg_access_mask "Access Mask" "winreg.access_mask" FT_UINT32 BASE_HEX NULL 0 "" "" ""
HF_RENAME hf_winreg_winreg_OpenHKCR_access_mask hf_winreg_access_mask
HF_RENAME hf_winreg_winreg_OpenHKLM_access_mask hf_winreg_access_mask
HF_RENAME hf_winreg_winreg_OpenHKU_access_mask hf_winreg_access_mask
HF_RENAME hf_winreg_winreg_CreateKey_access_mask hf_winreg_access_mask
HF_RENAME hf_winreg_winreg_OpenHKCC_access_mask hf_winreg_access_mask
HF_RENAME hf_winreg_winreg_OpenHKDD_access_mask hf_winreg_access_mask
HF_RENAME hf_winreg_winreg_OpenHKPT_access_mask hf_winreg_access_mask
HF_RENAME hf_winreg_winreg_OpenHKPN_access_mask hf_winreg_access_mask


#
# Make all instances of a system name use the same hf display filter name
#
HF_FIELD hf_winreg_system_name "System Name" "winreg.system_name" FT_UINT16 BASE_DEC NULL 0 "" "" ""
HF_RENAME hf_winreg_winreg_OpenHKCR_system_name hf_winreg_system_name
HF_RENAME hf_winreg_winreg_OpenHKCU_system_name hf_winreg_system_name
HF_RENAME hf_winreg_winreg_OpenHKLM_system_name hf_winreg_system_name
HF_RENAME hf_winreg_winreg_OpenHKPD_system_name hf_winreg_system_name
HF_RENAME hf_winreg_winreg_OpenHKU_system_name hf_winreg_system_name
HF_RENAME hf_winreg_winreg_OpenHKCC_system_name hf_winreg_system_name
HF_RENAME hf_winreg_winreg_OpenHKDD_system_name hf_winreg_system_name
HF_RENAME hf_winreg_winreg_OpenHKPT_system_name hf_winreg_system_name
HF_RENAME hf_winreg_winreg_OpenHKPN_system_name hf_winreg_system_name


#
# Make all policy handles use the same hf display filter name
#
HF_FIELD hf_winreg_handle "Handle" "winreg.handle" FT_BYTES BASE_NONE NULL 0 "" "" ""
HF_RENAME hf_winreg_winreg_OpenHKCR_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_OpenHKCU_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_OpenHKLM_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_OpenHKPD_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_OpenHKU_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_CloseKey_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_CreateKey_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_DeleteKey_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_DeleteValue_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_EnumKey_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_EnumValue_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_FlushKey_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_GetKeySecurity_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_LoadKey_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_NotifyChangeKeyValue_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_OpenKey_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_QueryInfoKey_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_QueryValue_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_SetKeySecurity_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_SetValue_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_GetVersion_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_OpenHKCC_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_OpenHKDD_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_OpenHKPT_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_OpenHKPN_handle hf_winreg_handle



#
# Make both instances of KeySecurityData resolve to the same
# hf display filter field.
#
HF_FIELD hf_winreg_sd "KeySecurityData" "winreg.sd" FT_NONE BASE_NONE NULL 0 "" "" ""
HF_RENAME hf_winreg_winreg_GetKeySecurity_sd hf_winreg_sd
HF_RENAME hf_winreg_winreg_SetKeySecurity_sd hf_winreg_sd



#
# Policy handle tracking
# This block specifies where a policy handle is opened and where it is
# closed, so that policy handles, when dissected, carry useful info such as
# [opened in xxx] [closed in yyy]
#
# Policy handles are opened in these functions
PARAM_VALUE winreg_dissect_element_OpenHKCR_handle_ PIDL_POLHND_OPEN
PARAM_VALUE winreg_dissect_element_OpenHKCU_handle_ PIDL_POLHND_OPEN
PARAM_VALUE winreg_dissect_element_OpenHKLM_handle_ PIDL_POLHND_OPEN
PARAM_VALUE winreg_dissect_element_OpenHKPD_handle_ PIDL_POLHND_OPEN
PARAM_VALUE winreg_dissect_element_OpenHKU_handle_ PIDL_POLHND_OPEN
PARAM_VALUE winreg_dissect_element_OpenHKCC_handle_ PIDL_POLHND_OPEN
PARAM_VALUE winreg_dissect_element_OpenHKDD_handle_ PIDL_POLHND_OPEN
PARAM_VALUE winreg_dissect_element_OpenHKPT_handle_ PIDL_POLHND_OPEN
PARAM_VALUE winreg_dissect_element_OpenHKPN_handle_ PIDL_POLHND_OPEN
PARAM_VALUE winreg_dissect_element_CreateKey_new_handle_ PIDL_POLHND_OPEN
PARAM_VALUE winreg_dissect_element_OpenKey_handle_ PIDL_POLHND_OPEN
# Policy handles are closed in these functions
PARAM_VALUE winreg_dissect_element_CloseKey_handle_ PIDL_POLHND_CLOSE


# winreg_String
#
# Create a new type to handle winreg_String so that we get nice and
# pretty dissection of the strings contained within winreg
TYPE winreg_String "offset=cnf_dissect_winreg_String(tvb, offset, pinfo, tree, di, drep, @PARAM@, @HF@);" FT_STRING BASE_NONE 0 NULL 4
#
#
#
PARAM_VALUE winreg_dissect_element_CreateKey_name 2|PIDL_SET_COL_INFO
PARAM_VALUE winreg_dissect_element_DeleteKey_key 2|PIDL_SET_COL_INFO
PARAM_VALUE winreg_dissect_element_LoadKey_keyname 2|PIDL_SET_COL_INFO
PARAM_VALUE winreg_dissect_element_OpenKey_keyname
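2|PIDL_SET_COL_INFO|PIDL_STR_SAVE
PARAM_VALUE winreg_dissect_element_QueryValue_value_name 2|PIDL_SET_COL_INFO
PARAM_VALUE winreg_dissect_element_SaveKey_filename 2|PIDL_SET_COL_INFO
PARAM_VALUE winreg_dissect_element_SetValue_name 2|PIDL_SET_COL_INFO

#
# Override the generation of dissectors of the security descriptor and the
# access mask.
# The security descriptor is just an array of bytes in the idl file,
# so we override generation of it and call the proper wireshark dissector
# after manually eating the 12 bytes of conformance data.
#
# Same for the access mask dissector: the idl would only define those
# flag bits that are specific to WINREG, therefore we set up the appropriate
# structures and then call the wireshark accessmask dissector instead.
#
#
HF_FIELD hf_winreg_sd_max_size "Max Size" "winreg.sd.max_size" FT_UINT32 BASE_DEC NULL 0 "" "" ""
HF_FIELD hf_winreg_sd_offset "Offset" "winreg.sd.offset" FT_UINT32 BASE_DEC NULL 0 "" "" ""
HF_FIELD hf_winreg_sd_actual_size "Actual Size" "winreg.sd.actual_size" FT_UINT32 BASE_DEC NULL 0 "" "" ""
NOEMIT winreg_dissect_element_KeySecurityData_data__
MANUAL winreg_dissect_element_KeySecurityData_data_
MANUAL winreg_dissect_bitmap_AccessMask



CODE START
/* NOTE(review): the leading space before #include looks deliberate — a line
 * that starts with '#' would presumably be read as a .cnf comment by the
 * conformance-file reader; confirm before removing it. */
 #include "packet-dcerpc-lsa.h"

/*
 * Add the WINREG-specific rights bits of an access mask to the tree.
 *
 * Called back from the generic NT access-mask / security-descriptor code via
 * winreg_access_mask_info; one item per KEY_* flag set in 'access'.
 */
static void
winreg_specific_rights(tvbuff_t *tvb, gint offset, proto_tree *tree, guint32 access)
{
	static int * const access_flags[] = {
		&hf_winreg_winreg_AccessMask_KEY_WOW64_32KEY,
		&hf_winreg_winreg_AccessMask_KEY_WOW64_64KEY,
		&hf_winreg_winreg_AccessMask_KEY_CREATE_LINK,
		&hf_winreg_winreg_AccessMask_KEY_NOTIFY,
		&hf_winreg_winreg_AccessMask_KEY_ENUMERATE_SUB_KEYS,
		&hf_winreg_winreg_AccessMask_KEY_CREATE_SUB_KEY,
		&hf_winreg_winreg_AccessMask_KEY_SET_VALUE,
		&hf_winreg_winreg_AccessMask_KEY_QUERY_VALUE,
		NULL
	};

	proto_tree_add_bitmask_list_value(tree, tvb, offset, 4, access_flags, access);
}

/*
 * Hooks the WINREG specific-rights decoder into the generic NT access-mask
 * and security-descriptor dissectors. No generic/standard mapping tables.
 */
struct access_mask_info winreg_access_mask_info = {
	"WINREG",		/* Name of specific rights */
	winreg_specific_rights,	/* Dissection function */
	NULL,			/* Generic mapping table */
	NULL			/* Standard mapping table */
};

/*
 * Dissect the KeySecurityData byte array that carries a security descriptor.
 *
 * The IDL declares the data as a plain conformant/varying byte array, so the
 * generated element dissector is replaced (MANUAL above): consume the three
 * 32-bit array headers (max size, offset, actual size) and hand the following
 * 'actual size' bytes to the NT security-descriptor dissector.
 *
 * Returns the offset just past the security descriptor.
 */
static int
winreg_dissect_element_KeySecurityData_data_(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info* di, guint8 *drep)
{
	guint32 len = 0;	/* actual_size as read from the wire; untrusted */
	gint remaining;

	if (di->conformant_run) {
		/* just a run to handle conformant arrays, nothing to dissect */
		return offset;
	}

	/* this is a varying and conformant array: max_size, offset, actual_size */
	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep, hf_winreg_sd_max_size, NULL);
	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep, hf_winreg_sd_offset, NULL);
	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep, hf_winreg_sd_actual_size, &len);

	/*
	 * 'len' is a 32-bit value taken straight from the packet and is added
	 * to the signed 'offset' below. Bound it by what the packet claims to
	 * carry first, so a bogus actual_size cannot wrap 'offset' negative
	 * and feed a garbage position back to the generated caller.
	 */
	remaining = tvb_reported_length_remaining(tvb, offset);
	if (remaining < 0 || len > (guint32)remaining) {
		THROW(ReportedBoundsError);
	}

	dissect_nt_sec_desc(tvb, offset, pinfo, tree, drep, TRUE, len,
			    &winreg_access_mask_info);

	offset += len;

	return offset;
}

/*
 * Dissect a winreg AccessMask through the generic NT access-mask dissector.
 *
 * Every instance is shown under the shared hf_winreg_access_mask field (see
 * the HF_RENAME lines above) with the WINREG specific-rights table, so the
 * generated hf_index and param are intentionally ignored.
 * Returns the offset past the 32-bit mask.
 */
int
winreg_dissect_bitmap_AccessMask(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info* di, guint8 *drep, int hf_index _U_, guint32 param _U_)
{
	return dissect_nt_access_mask(tvb, offset, pinfo, tree, di, drep,
				      hf_winreg_access_mask,
				      &winreg_access_mask_info, NULL);
}

/* winreg_String :
 * typedef [public,noejs] struct {
 *	[value(strlen_m_term(name)*2)] uint16 name_len;
 *	[value(strlen_m_term(name)*2)] uint16 name_size;
 *	[string,charset(UTF16)] uint16 *name;
 * } winreg_String;
 *
 * Hand-written replacement for the generated struct dissector so the whole
 * string shows up under one subtree labelled with the field's name.
 *
 * 'param' is the PARAM_VALUE given for the element above (the PIDL_SET_COL_INFO
 * / PIDL_STR_SAVE bits) and is forwarded to cb_wstr_postprocess; 'hfindex' is
 * the field registered for the string itself.
 * Returns the offset past the (4-byte aligned) structure.
 */
static int
cnf_dissect_winreg_String(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *parent_tree, dcerpc_info* di, guint8 *drep, guint32 param, int hfindex)
{
	proto_item *item = NULL;	/* stays NULL when there is no parent_tree */
	proto_tree *tree = NULL;
	int old_offset;
	header_field_info *hf_info;

	ALIGN_TO_4_BYTES;

	old_offset = offset;
	hf_info = proto_registrar_get_nth(hfindex);

	if (parent_tree) {
		tree = proto_tree_add_subtree_format(parent_tree, tvb, offset, 0, ett_winreg_winreg_String, &item, "%s: ", hf_info->name);
	}

	offset = winreg_dissect_element_String_name_len(tvb, offset, pinfo, tree, di, drep);

	offset = winreg_dissect_element_String_name_size(tvb, offset, pinfo, tree, di, drep);

	/* The unique pointer to the UTF-16 string; cb_wstr_postprocess receives
	 * 'param' so it can update COL_INFO / save the string as requested. */
	offset = dissect_ndr_pointer_cb(
		tvb, offset, pinfo, tree, di, drep,
		dissect_ndr_wchar_cvstring, NDR_POINTER_UNIQUE,
		hf_info->name, hfindex, cb_wstr_postprocess,
		GINT_TO_POINTER(param));

	/* Size the subtree item now that the whole structure has been consumed. */
	proto_item_set_len(item, offset - old_offset);

	return offset;
}

CODE END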