/* packet-smb2.h
 * Defines for SMB2 packet dissection
 *
 * Shared types, constants and entry points used by the SMB2 dissector
 * (packet-smb2.c) and by the dissectors it cooperates with (the DCE/RPC,
 * SMB and NTLMSSP headers included below).  Everything here describes
 * data parsed from the wire: none of the strings, sizes or ids stored in
 * these structures can be trusted beyond display and matching purposes.
 *
 * Wireshark - Network traffic analyzer
 * By Gerald Combs <gerald@wireshark.org>
 * Copyright 1998, 1999 Gerald Combs
 *
 * SPDX-License-Identifier: GPL-2.0-or-later
 */

#ifndef __PACKET_SMB2_H__
#define __PACKET_SMB2_H__

#include "packet-dcerpc.h"	/* e_ctx_hnd (policy handles) */
#include "packet-smb.h"		/* smb_eo_t (export-object bookkeeping) */
#include "packet-ntlmssp.h"	/* NTLMSSP_KEY_LEN */

/* Extended value_string mapping the SMB2_COM_* command codes (below) to
 * their names.  Defined in packet-smb2.c and exported for other
 * dissectors; with MSVC and a libwireshark.dll the WS_DLL_PUBLIC
 * declaration is required.
 */
WS_DLL_PUBLIC value_string_ext smb2_cmd_vals_ext;

/* Per-transaction state (smb2_saved_info_t, further below): what has to be
 * remembered between a specific request and the matching response.
 *
 * There is no guarantee this structure is available for every SMB2
 * packet (e.g. a capture that starts mid-conversation), so a dissector
 * must check the pointer for NULL before dereferencing it.
 *
 * The extra_info pointer -- presumably what an older revision of this
 * comment called "private data" -- is NULL when the structure is created.
 * It carries data from the request to the response; extra_info_type
 * records what it points to.
 */

/* Extra per-file information kept for the "Export Objects -> SMB" feature. */
typedef struct _smb2_eo_file_info_t {
	guint32 attr_mask;	/* file attribute bits (presumably the SMB2_FLAGS_ATTR_* values below) */
	gint64 end_of_file;	/* EndOfFile position, i.e. the file size reported on the wire.
				 * Signed, and peer-controlled: range-check it before using it
				 * as a length or allocation size. */
} smb2_eo_file_info_t;

/* One open file handle.  An SMB2 FileId is a 128-bit value made of a
 * persistent and a volatile 64-bit half, which is what the two fid_*
 * members hold.  Instances live in smb2_sesid_info_t.fids and let later
 * operations on the FID be related to the name it was opened with.
 */
typedef struct _smb2_fid_info_t {
	guint64 fid_persistent;	/* FileId.Persistent */
	guint64 fid_volatile;	/* FileId.Volatile */
	guint64 sesid;		/* session the FID belongs to; *host* byte order - not necessarily little-endian! */
	guint32 tid;		/* tree (share) the FID belongs to */
	/* only used for key lookup in equal func, must be zero when inserting */
	guint32 frame_key;
	/* first and last frame nums this FID is valid */
	guint32 frame_beg;
	guint32 frame_end;
	/* file name used to open this FID.  Copied from the wire, so it is
	 * untrusted (arbitrary length and characters): display only, never
	 * use it to build a local path. */
	char *name;
} smb2_fid_info_t;

/* Tag for smb2_saved_info_t.extra_info: says what the void pointer holds. */
typedef enum {
	SMB2_EI_NONE,		/* Unassigned / NULL */
	SMB2_EI_TREENAME,	/* tid tracking: char * share name */
	SMB2_EI_FILENAME,	/* fid tracking: char * file name */
	SMB2_EI_FINDPATTERN	/* find tracking: char * search pattern */
} smb2_extra_info_t;

/* State for one request/response pair, kept in the matched/unmatched
 * tables of smb2_conv_info_t (presumably keyed by msg_id). */
typedef struct _smb2_saved_info_t {
	guint8 smb2_class;				/* info class of a GETINFO/SETINFO request (presumably) */
	guint8 infolevel;				/* info level within that class (presumably) */
	guint64 msg_id;					/* MessageId from the header: pairs the request with its response */
	guint32 frame_req, frame_res;			/* frame numbers of the request and of the response */
	nstime_t req_time;				/* timestamp of the request, for response-time display */
	guint8 *preauth_hash_req, *preauth_hash_res;	/* pre-auth integrity hash snapshots taken after the request /
							 * the response (presumably SMB2_PREAUTH_HASH_SIZE bytes each,
							 * NULL when not recorded) */
	smb2_fid_info_t *file;				/* FID the request operates on, if known */
	e_ctx_hnd policy_hnd;				/* for eo_smb tracking */
	smb_eo_t *eo_info_t;				/* for storing eo_smb infos */
	guint64 file_offset;				/* needed file_offset for eo_smb */
	guint32 bytes_moved;				/* needed for eo_smb */
	void *extra_info;				/* request-side data handed to the response; see extra_info_type */
	smb2_extra_info_t extra_info_type;
} smb2_saved_info_t;

/* One tree connect (share), stored in smb2_sesid_info_t.tids. */
typedef struct _smb2_tid_info_t {
	guint32 tid;		/* TreeId */
	guint32 connect_frame;	/* frame of the TREE_CONNECT that created it (presumably) */
	guint8 share_type;	/* ShareType byte of the TREE_CONNECT response (presumably) */
	char *name;		/* share path from the wire: untrusted, display only */
} smb2_tid_info_t;

/* Size of the SMB 3.1.1 pre-authentication integrity hash: 64 bytes is the
 * SHA-512 digest length that dialect specifies for it. */
#define SMB2_PREAUTH_HASH_SIZE 64
/* Size of the per-session decryption keys below: 16 bytes, i.e. AES-128.
 * NOTE(review): arrays sized with this can only hold 128-bit keys, so the
 * 256-bit ciphers SMB 3.1.1 can negotiate (AES-256-CCM/GCM) cannot be
 * represented without widening them -- confirm how the decryption code
 * treats those cipher ids.  The name is also very generic for a public
 * header and may collide with other code that defines AES_KEY_SIZE. */
#define AES_KEY_SIZE 16

/* One authenticated session, identified by SessionId.  Holds the keying
 * material needed to verify signatures and decrypt SMB3 traffic.
 *
 * SECURITY: session_key, signing_key and the two decryption keys are live
 * secrets -- whoever holds them can read and forge this session's traffic.
 * They stay in memory for the lifetime of the capture; never copy them
 * into logs, expert infos or bug reports.
 */
typedef struct _smb2_sesid_info_t {
	guint64 sesid;					/* *host* byte order - not necessarily little-endian! */
	guint32 auth_frame;				/* frame in which authentication completed (presumably) */
	char *acct_name;				/* account, domain and host names as seen in the
							 * authentication exchange: wire data, untrusted */
	char *domain_name;
	char *host_name;
	guint16 server_port;
	guint8 session_key[NTLMSSP_KEY_LEN];		/* session key obtained from the authentication exchange */
	guint8 signing_key[NTLMSSP_KEY_LEN];		/* key used to check the header Signature.  Per MS-SMB2 it is
							 * derived from session_key with a KDF for 3.x dialects and is
							 * the session key itself for 2.x; that logic is not in this file. */
	guint8 client_decryption_key[AES_KEY_SIZE];	/* key for client -> server transform messages (presumably) */
	guint8 server_decryption_key[AES_KEY_SIZE];	/* key for server -> client transform messages (presumably) */

	wmem_map_t *tids;				/* tree connects of this session (smb2_tid_info_t, presumably) */
	wmem_map_t *fids;				/* open handles of this session (smb2_fid_info_t, presumably) */
	/* table to store some infos for smb export object */
	wmem_map_t *files;

	guint8 preauth_hash[SMB2_PREAUTH_HASH_SIZE];	/* final pre-auth integrity hash of this session (SMB 3.1.1) */
} smb2_sesid_info_t;

/* Structure to keep track of conversations and the hash tables.
 * There is one such structure for each conversation.
 */
typedef struct _smb2_conv_info_t {
	/* these two tables are used to match requests with responses */
	GHashTable *unmatched;				/* requests still waiting for a response (presumably) */
	GHashTable *matched;				/* completed request/response pairs (presumably) */
	guint16 dialect;				/* negotiated dialect revision, e.g. 0x0311 for SMB 3.1.1 */
	guint16 enc_alg;				/* negotiated encryption cipher id (presumably) */

	/* preauth hash before session setup */
	guint8 *preauth_hash_current;			/* presumably points at whichever of the two buffers
							 * below is currently being updated */
	guint8 preauth_hash_con[SMB2_PREAUTH_HASH_SIZE];	/* connection-scope hash (over the NEGOTIATE exchange) */
	guint8 preauth_hash_ses[SMB2_PREAUTH_HASH_SIZE];	/* session-scope hash (continued over SESSION_SETUP) */
} smb2_conv_info_t;


/* This structure contains information from the SMB2 header
 * as well as pointers to the conversation and the transaction specific
 * structures.  (The struct itself, smb2_info_t, follows the constants.)
 */

/* Flags field of the SMB2 packet header (MS-SMB2 2.2.1). */
#define SMB2_FLAGS_RESPONSE		0x00000001	/* message is a response */
#define SMB2_FLAGS_ASYNC_CMD		0x00000002	/* async header form (AsyncId instead of Reserved/TreeId) */
#define SMB2_FLAGS_CHAINED		0x00000004	/* compounded request related to the previous one */
#define SMB2_FLAGS_SIGNATURE		0x00000008	/* Signature field is present and must be verified */
#define SMB2_FLAGS_PRIORITY_MASK	0x00000070	/* SMB 3.1.1 priority value, bits 4-6 */
#define SMB2_FLAGS_DFS_OP		0x10000000	/* DFS operation */
#define SMB2_FLAGS_REPLAY_OPERATION	0x20000000	/* SMB 3.x replay of an earlier request */

/* Individual priority values inside SMB2_FLAGS_PRIORITY_MASK. */
#define SMB2_FLAGS_PRIORITY1		0x00000010
#define SMB2_FLAGS_PRIORITY2		0x00000020
#define SMB2_FLAGS_PRIORITY3		0x00000030
#define SMB2_FLAGS_PRIORITY4		0x00000040
#define SMB2_FLAGS_PRIORITY5		0x00000050
#define SMB2_FLAGS_PRIORITY6		0x00000060
#define SMB2_FLAGS_PRIORITY7		0x00000070

/* File attribute bits as carried in SMB2 FileAttributes fields
 * (FILE_ATTRIBUTE_* of MS-FSCC 2.6) -- these are file attributes, not
 * header flags, despite the SMB2_FLAGS_ prefix.
 * NOTE: 0x2000 is FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, i.e. the bit being
 * set means the file is *not* indexed, contrary to what the
 * SMB2_FLAGS_ATTR_INDEXED name suggests. */
#define SMB2_FLAGS_ATTR_ENCRYPTED	0x00004000
#define SMB2_FLAGS_ATTR_INDEXED		0x00002000	/* NOT_CONTENT_INDEXED, see above */
#define SMB2_FLAGS_ATTR_OFFLINE		0x00001000
#define SMB2_FLAGS_ATTR_COMPRESSED	0x00000800
#define SMB2_FLAGS_ATTR_REPARSEPOINT	0x00000400
#define SMB2_FLAGS_ATTR_SPARSE		0x00000200
#define SMB2_FLAGS_ATTR_TEMPORARY	0x00000100
#define SMB2_FLAGS_ATTR_NORMAL		0x00000080
#define SMB2_FLAGS_ATTR_DEVICE		0x00000040
#define SMB2_FLAGS_ATTR_ARCHIVE		0x00000020
#define SMB2_FLAGS_ATTR_DIRECTORY	0x00000010
#define SMB2_FLAGS_ATTR_VOLUMEID	0x00000008
#define SMB2_FLAGS_ATTR_SYSTEM		0x00000004
#define SMB2_FLAGS_ATTR_HIDDEN		0x00000002
#define SMB2_FLAGS_ATTR_READONLY	0x00000001

/* File types assigned to export objects (Export Objects -> SMB). */
#define SMB2_FID_TYPE_UNKNOWN	0
#define SMB2_FID_TYPE_FILE	1
#define SMB2_FID_TYPE_DIR	2
#define SMB2_FID_TYPE_PIPE	3
#define SMB2_FID_TYPE_OTHER	4

/* SMB2 command codes (Command field of the header, MS-SMB2 2.2.1).
 * Where the local name differs from the specification's, the spec name is
 * given in parentheses. */
#define SMB2_COM_NEGOTIATE_PROTOCOL	0x00	/* (NEGOTIATE) */
#define SMB2_COM_SESSION_SETUP		0x01
#define SMB2_COM_SESSION_LOGOFF		0x02	/* (LOGOFF) */
#define SMB2_COM_TREE_CONNECT		0x03
#define SMB2_COM_TREE_DISCONNECT	0x04
#define SMB2_COM_CREATE			0x05
#define SMB2_COM_CLOSE			0x06
#define SMB2_COM_FLUSH			0x07
#define SMB2_COM_READ			0x08
#define SMB2_COM_WRITE			0x09
#define SMB2_COM_LOCK			0x0A
#define SMB2_COM_IOCTL			0x0B
#define SMB2_COM_CANCEL			0x0C
#define SMB2_COM_KEEPALIVE		0x0D	/* (ECHO) */
#define SMB2_COM_FIND			0x0E	/* (QUERY_DIRECTORY) */
#define SMB2_COM_NOTIFY			0x0F	/* (CHANGE_NOTIFY) */
#define SMB2_COM_GETINFO		0x10	/* (QUERY_INFO) */
#define SMB2_COM_SETINFO		0x11	/* (SET_INFO) */
#define SMB2_COM_BREAK			0x12	/* (OPLOCK_BREAK) */

/* Per-packet view of the SMB2 header plus links to the conversation,
 * transaction, tree, session and file state.  Any of the pointers may be
 * NULL when the corresponding state was never seen (capture started
 * mid-session, unmatched response, ...): check before dereferencing. */
typedef struct _smb2_info_t {
	guint16 opcode;				/* Command field (SMB2_COM_*) */
	guint32 ioctl_function;			/* CtlCode of an IOCTL, see dissect_smb2_ioctl_function() */
	guint32 status;				/* Status field (NTSTATUS) */
	guint32 tid;				/* TreeId */
	guint64 sesid;				/* *host* byte order - not necessarily little-endian! */
	guint64 msg_id;				/* MessageId */
	guint32 flags;				/* Flags field (SMB2_FLAGS_*) */
	smb2_eo_file_info_t *eo_file_info;	/* eo_smb extra info */
	smb2_conv_info_t *conv;			/* owning conversation */
	smb2_saved_info_t *saved;		/* matching request/response state, may be NULL */
	smb2_tid_info_t *tree;			/* tree connect the packet belongs to, may be NULL */
	smb2_sesid_info_t *session;		/* session the packet belongs to, may be NULL */
	smb2_fid_info_t *file;			/* FID the packet refers to, may be NULL */
	proto_tree *top_tree;			/* top-level tree, for sub-dissectors that need it */
} smb2_info_t;

/* for transform content information */

/* Fields of an SMB2 TRANSFORM_HEADER (encrypted message, SMB 3.x). */
typedef struct _smb2_transform_info_t {
	guint8 nonce[16];		/* Nonce field as on the wire (16 bytes; per MS-SMB2 the
					 * cipher consumes an 11-byte CCM or 12-byte GCM prefix) */
	guint32 size;			/* OriginalMessageSize: plaintext length claimed by the peer --
					 * bound it against the available ciphertext before use */
	guint16 flags;			/* Flags (3.1.1) / EncryptionAlgorithm (3.0, 3.0.2) field */
	guint64 sesid;			/* *host* byte order - not necessarily little-endian! */
	smb2_conv_info_t *conv;
	smb2_sesid_info_t *session;	/* session whose keys apply to this message, NULL if unknown (presumably) */
} smb2_transform_info_t;

/* Fields of an SMB2 COMPRESSION_TRANSFORM_HEADER (SMB 3.1.1). */
typedef struct _smb2_comp_transform_info_t {
	guint orig_size;		/* OriginalCompressedSegmentSize: decompressed size claimed by the
					 * peer.  Wire-controlled -- cap it before allocating an output buffer. */
	guint alg;			/* CompressionAlgorithm id */
	guint comp_offset;		/* Offset: uncompressed bytes preceding the compressed data (presumably) */
	smb2_conv_info_t *conv;
	smb2_sesid_info_t *session;
} smb2_comp_transform_info_t;


/* Dissect a FILE_OBJECTID_BUFFER found at offset in tvb into tree.
 * Returns the offset just past the buffer (Wireshark convention; the
 * body lives in packet-smb2.c).  The _U_ on pinfo is harmless in a
 * prototype but carries no meaning here. */
int dissect_smb2_FILE_OBJECTID_BUFFER(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset);
/* Dissect the CtlCode of an IOCTL at offset under parent_tree.  The code
 * is stored through ioctl_function (presumably only when non-NULL) and
 * the offset past the field is returned. */
int dissect_smb2_ioctl_function(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset, guint32 *ioctl_function);
/* Dissect the input (data_in == TRUE) or output payload of the IOCTL
 * identified by ioctl_function; tvb holds just that payload.  top_tree is
 * the packet's top-level tree and private_data is passed through to the
 * per-function handlers. */
void dissect_smb2_ioctl_data(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, proto_tree *top_tree, guint32 ioctl_function, gboolean data_in, void *private_data);

#endif /* __PACKET_SMB2_H__ */

/*
 * Editor modelines - https://www.wireshark.org/tools/modelines.html
 *
 * Local variables:
 * c-basic-offset: 8
 * tab-width: 8
 * indent-tabs-mode: t
 * End:
 *
 * vi: set shiftwidth=8 tabstop=8 noexpandtab:
 * :indentSize=8:tabSize=8:noTabs=false:
 */