xref: /dports/net/tshark-lite/wireshark-3.6.1/epan/dissectors/pidl/winreg/winreg.cnf

TYPE lsa_StringLarge "offset=lsarpc_dissect_struct_lsa_StringLarge(tvb, offset, pinfo, tree, di, drep, @HF@, @PARAM@);" FT_NONE BASE_NONE 0 NULL NULL
TYPE winreg_Type "offset=misc_dissect_enum_winreg_Type(tvb, offset, pinfo, tree, di, drep, @HF@, @PARAM@);" FT_NONE BASE_NONE 0 NULL NULL
IMPORT security_secinfo 	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep, hf_winreg_winreg_GetKeySecurity_sec_info, NULL);

#
# Make all instances of an access mask use the same hf field display filter
# name
#
HF_FIELD hf_winreg_access_mask "Access Mask" "winreg.access_mask" FT_UINT32 BASE_HEX NULL 0 "" "" ""
HF_RENAME hf_winreg_winreg_OpenHKCR_access_mask hf_winreg_access_mask
HF_RENAME hf_winreg_winreg_OpenHKLM_access_mask hf_winreg_access_mask
HF_RENAME hf_winreg_winreg_OpenHKU_access_mask hf_winreg_access_mask
HF_RENAME hf_winreg_winreg_CreateKey_access_mask hf_winreg_access_mask
HF_RENAME hf_winreg_winreg_OpenHKCC_access_mask hf_winreg_access_mask
HF_RENAME hf_winreg_winreg_OpenHKDD_access_mask hf_winreg_access_mask
HF_RENAME hf_winreg_winreg_OpenHKPT_access_mask hf_winreg_access_mask
HF_RENAME hf_winreg_winreg_OpenHKPN_access_mask hf_winreg_access_mask


#
# Make all instances of a system name use the same hf display filter name
#
HF_FIELD hf_winreg_system_name "System Name" "winreg.system_name" FT_UINT16 BASE_DEC NULL 0 "" "" ""
HF_RENAME hf_winreg_winreg_OpenHKCR_system_name hf_winreg_system_name
HF_RENAME hf_winreg_winreg_OpenHKCU_system_name hf_winreg_system_name
HF_RENAME hf_winreg_winreg_OpenHKLM_system_name hf_winreg_system_name
HF_RENAME hf_winreg_winreg_OpenHKPD_system_name hf_winreg_system_name
HF_RENAME hf_winreg_winreg_OpenHKU_system_name hf_winreg_system_name
HF_RENAME hf_winreg_winreg_OpenHKCC_system_name hf_winreg_system_name
HF_RENAME hf_winreg_winreg_OpenHKDD_system_name hf_winreg_system_name
HF_RENAME hf_winreg_winreg_OpenHKPT_system_name hf_winreg_system_name
HF_RENAME hf_winreg_winreg_OpenHKPN_system_name hf_winreg_system_name


#
# make all policyhandles use the same hf display filter name
#
HF_FIELD hf_winreg_handle "Handle" "winreg.handle" FT_BYTES BASE_NONE NULL 0 "" "" ""
HF_RENAME hf_winreg_winreg_OpenHKCR_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_OpenHKCU_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_OpenHKLM_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_OpenHKPD_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_OpenHKU_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_CloseKey_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_CreateKey_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_DeleteKey_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_DeleteValue_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_EnumKey_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_EnumValue_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_FlushKey_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_GetKeySecurity_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_LoadKey_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_NotifyChangeKeyValue_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_OpenKey_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_QueryInfoKey_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_QueryValue_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_SetKeySecurity_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_SetValue_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_GetVersion_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_OpenHKCC_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_OpenHKDD_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_OpenHKPT_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_OpenHKPN_handle hf_winreg_handle



#
# Make both instances of KeySecurityData resolve to the same
# hf display filter field.
#
HF_FIELD hf_winreg_sd "KeySecurityData" "winreg.sd" FT_NONE BASE_NONE NULL 0 "" "" ""
HF_RENAME hf_winreg_winreg_GetKeySecurity_sd hf_winreg_sd
HF_RENAME hf_winreg_winreg_SetKeySecurity_sd hf_winreg_sd



#
# policyhandle tracking
# This block is to specify where a policyhandle is opened and where it is
# closed so that policyhandles when dissected contain nice info such as
# [opened in xxx]  [closed in yyy]
#
# Policyhandles are opened in these functions
PARAM_VALUE winreg_dissect_element_OpenHKCR_handle_ PIDL_POLHND_OPEN
PARAM_VALUE winreg_dissect_element_OpenHKCU_handle_ PIDL_POLHND_OPEN
PARAM_VALUE winreg_dissect_element_OpenHKLM_handle_ PIDL_POLHND_OPEN
PARAM_VALUE winreg_dissect_element_OpenHKPD_handle_ PIDL_POLHND_OPEN
PARAM_VALUE winreg_dissect_element_OpenHKU_handle_ PIDL_POLHND_OPEN
PARAM_VALUE winreg_dissect_element_OpenHKCC_handle_ PIDL_POLHND_OPEN
PARAM_VALUE winreg_dissect_element_OpenHKDD_handle_ PIDL_POLHND_OPEN
PARAM_VALUE winreg_dissect_element_OpenHKPT_handle_ PIDL_POLHND_OPEN
PARAM_VALUE winreg_dissect_element_OpenHKPN_handle_ PIDL_POLHND_OPEN
PARAM_VALUE winreg_dissect_element_CreateKey_new_handle_ PIDL_POLHND_OPEN
PARAM_VALUE winreg_dissect_element_OpenKey_handle_ PIDL_POLHND_OPEN
# Policyhandles are closed in these functions
PARAM_VALUE winreg_dissect_element_CloseKey_handle_ PIDL_POLHND_CLOSE


# winreg_String
#
# Create a new type to handle winreg_String so that we can get nice and
# pretty dissection of the strings contained within winreg
TYPE winreg_String "offset=cnf_dissect_winreg_String(tvb, offset, pinfo, tree, di, drep, @PARAM@, @HF@);" FT_STRING BASE_NONE 0 NULL 4
#
#
#
PARAM_VALUE winreg_dissect_element_CreateKey_name 2|PIDL_SET_COL_INFO
PARAM_VALUE winreg_dissect_element_DeleteKey_key 2|PIDL_SET_COL_INFO
PARAM_VALUE winreg_dissect_element_LoadKey_keyname 2|PIDL_SET_COL_INFO
PARAM_VALUE winreg_dissect_element_OpenKey_keyname 2|PIDL_SET_COL_INFO|PIDL_STR_SAVE
PARAM_VALUE winreg_dissect_element_QueryValue_value_name 2|PIDL_SET_COL_INFO
PARAM_VALUE winreg_dissect_element_SaveKey_filename 2|PIDL_SET_COL_INFO
PARAM_VALUE winreg_dissect_element_SetValue_name 2|PIDL_SET_COL_INFO

#
# Override the generation of dissectors of the security descriptor and the
# access mask.
# The security descriptor is just an array of bytes in the idl file
# so we override generation of it and calls the proper wireshark dissector
# after manually eating the 12 bytes of conformance data.
#
# Same for the access mask dissector since the idl would only define those
# flag bits that are specific to WINREG  therefore we set up the appropriate
# structures and then call the wireshark accessmask dissector instead.
#
#
HF_FIELD hf_winreg_sd_max_size "Max Size" "winreg.sd.max_size" FT_UINT32 BASE_DEC NULL 0 "" "" ""
HF_FIELD hf_winreg_sd_offset "Offset" "winreg.sd.offset" FT_UINT32 BASE_DEC NULL 0 "" "" ""
HF_FIELD hf_winreg_sd_actual_size "Actual Size" "winreg.sd.actual_size" FT_UINT32 BASE_DEC NULL 0 "" "" ""
NOEMIT winreg_dissect_element_KeySecurityData_data__
MANUAL winreg_dissect_element_KeySecurityData_data_
MANUAL winreg_dissect_bitmap_AccessMask



CODE START
 #include "packet-dcerpc-lsa.h"
static void
winreg_specific_rights(tvbuff_t *tvb, gint offset, proto_tree *tree, guint32 access)
{
	static int* const access_flags[] = {
		&hf_winreg_winreg_AccessMask_KEY_WOW64_32KEY,
		&hf_winreg_winreg_AccessMask_KEY_WOW64_64KEY,
		&hf_winreg_winreg_AccessMask_KEY_CREATE_LINK,
		&hf_winreg_winreg_AccessMask_KEY_NOTIFY,
		&hf_winreg_winreg_AccessMask_KEY_ENUMERATE_SUB_KEYS,
		&hf_winreg_winreg_AccessMask_KEY_CREATE_SUB_KEY,
		&hf_winreg_winreg_AccessMask_KEY_SET_VALUE,
		&hf_winreg_winreg_AccessMask_KEY_QUERY_VALUE,
		NULL
	};

	proto_tree_add_bitmask_list_value(tree, tvb, offset, 4, access_flags, access);
}

struct access_mask_info winreg_access_mask_info = {
	"WINREG",		/* Name of specific rights */
	winreg_specific_rights,	/* Dissection function */
	NULL,			/* Generic mapping table */
	NULL			/* Standard mapping table */
};

static int
winreg_dissect_element_KeySecurityData_data_(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info* di, guint8 *drep)
{
	guint32 len;

	if(di->conformant_run){
		/*just a run to handle conformant arrays, nothing to dissect */
		return offset;
	}

	/* this is a varying and conformant array */
	offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, di, drep, hf_winreg_sd_max_size, NULL);
	offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, di, drep, hf_winreg_sd_offset, NULL);
	offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, di, drep, hf_winreg_sd_actual_size, &len);

	dissect_nt_sec_desc(tvb, offset, pinfo, tree, drep, TRUE, len,
		&winreg_access_mask_info);

	offset += len;

	return offset;
}

int
winreg_dissect_bitmap_AccessMask(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info* di, guint8 *drep, int hf_index _U_, guint32 param _U_)
{
	offset = dissect_nt_access_mask(
		tvb, offset, pinfo, tree, di, drep, hf_winreg_access_mask,
		&winreg_access_mask_info, NULL);
	return offset;
}

/* winreg_String :
 *	typedef [public,noejs] struct {
 *		[value(strlen_m_term(name)*2)] uint16 name_len;
 *		[value(strlen_m_term(name)*2)] uint16 name_size;
 *		[string,charset(UTF16)] uint16 *name;
 *	} winreg_String;
 */
static int
cnf_dissect_winreg_String(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *parent_tree, dcerpc_info* di, guint8 *drep, guint32 param, int hfindex)
{
	proto_item *item = NULL;
	proto_tree *tree = NULL;
	int old_offset;
	header_field_info *hf_info;

	ALIGN_TO_4_BYTES;

	old_offset = offset;
	hf_info=proto_registrar_get_nth(hfindex);

	if (parent_tree) {
		tree = proto_tree_add_subtree_format(parent_tree, tvb, offset, 0, ett_winreg_winreg_String, &item, "%s: ", hf_info->name);
	}

	offset = winreg_dissect_element_String_name_len(tvb, offset, pinfo, tree, di, drep);

	offset = winreg_dissect_element_String_name_size(tvb, offset, pinfo, tree, di, drep);

	offset = dissect_ndr_pointer_cb(
		tvb, offset, pinfo, tree, di, drep,
		dissect_ndr_wchar_cvstring, NDR_POINTER_UNIQUE,
		hf_info->name, hfindex, cb_wstr_postprocess,
		GINT_TO_POINTER(param));

	proto_item_set_len(item, offset-old_offset);

	return offset;
}

CODE END