authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-10 20:34:10 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-10 20:34:10 +0000
commite4ba6dbc3f1e76890b22773807ea37fe8fa2b1bc (patch)
tree68cb5ef9081156392f1dd62a00c6ccc1451b93df /epan/dissectors/pidl/eventlog
parentInitial commit. (diff)
Adding upstream version 4.2.2.upstream/4.2.2
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'epan/dissectors/pidl/eventlog')
-rw-r--r--epan/dissectors/pidl/eventlog/eventlog.cnf158
-rw-r--r--epan/dissectors/pidl/eventlog/eventlog.idl224
2 files changed, 382 insertions, 0 deletions
diff --git a/epan/dissectors/pidl/eventlog/eventlog.cnf b/epan/dissectors/pidl/eventlog/eventlog.cnf
new file mode 100644
index 00000000..f9182117
--- /dev/null
+++ b/epan/dissectors/pidl/eventlog/eventlog.cnf
@@ -0,0 +1,158 @@
+# Conformance file for EVENTLOG
+#
+
+HF_FIELD hf_eventlog_Record "Record" "eventlog.Record" FT_NONE BASE_NONE NULL 0 "" "" ""
+HF_FIELD hf_eventlog_Record_length "Record Length" "eventlog.Record.length" FT_UINT32 BASE_DEC NULL 0 "" "" ""
+HF_FIELD hf_eventlog_Record_source_name "Source Name" "eventlog.Record.source_name" FT_STRING BASE_NONE NULL 0 "" "" ""
+HF_FIELD hf_eventlog_Record_computer_name "Computer Name" "eventlog.Record.computer_name" FT_STRING BASE_NONE NULL 0 "" "" ""
+HF_FIELD hf_eventlog_Record_string "string" "eventlog.Record.string" FT_STRING BASE_NONE NULL 0 "" "" ""
+
+MANUAL eventlog_dissect_element_ReadEventLogW_data_
+MANUAL eventlog_dissect_element_Record_sid_length
+MANUAL eventlog_dissect_element_Record_sid_offset
+MANUAL eventlog_dissect_element_Record_source_name
+MANUAL eventlog_dissect_element_Record_computer_name
+MANUAL eventlog_dissect_element_Record_num_of_strings
+MANUAL eventlog_dissect_element_Record_stringoffset
+MANUAL eventlog_dissect_element_Record_strings
+
+NOEMIT eventlog_dissect_element_Record_strings_
+NOEMIT eventlog_dissect_element_ReadEventLogW_data__
+#
+# policyhandle tracking
+# This block is to specify where a policyhandle is opened and where it is
+# closed so that policyhandles when dissected contain nice info such as
+# [opened in xxx] [closed in yyy]
+#
+# Policyhandles are opened in these functions
+PARAM_VALUE eventlog_dissect_element_OpenEventLogW_handle_ PIDL_POLHND_OPEN
+PARAM_VALUE eventlog_dissect_element_OpenBackupEventLogW_handle_ PIDL_POLHND_OPEN
+# Policyhandles are closed in these functions
+PARAM_VALUE eventlog_dissect_element_CloseEventLog_handle_ PIDL_POLHND_CLOSE
+
+TYPE lsa_String "offset=dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep, @HF@, @PARAM@);" FT_STRING BASE_NONE 0 NULL 4
+
+
+CODE START
+
+static int
+eventlog_dissect_element_ReadEventLogW_data_(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
+{
+ guint32 len;
+ tvbuff_t *record_tvb;
+
+ if(di->conformant_run){
+ /*just a run to handle conformant arrays, nothing to dissect */
+ return offset;
+ }
+
+ offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, di, drep,
+ hf_eventlog_Record_length, &len);
+
+ /* Create a new tvb so that we know that offset==0 is the beginning
+ * of the record. We need to know this since the data is not really
+ * NDR encoded at all and there are byte offsets into this buffer
+ * encoded therein.
+ */
+ record_tvb=tvb_new_subset_length_caplen(tvb, offset, MIN((gint)len, tvb_captured_length_remaining(tvb, offset)), len);
+ eventlog_dissect_struct_Record(record_tvb, 0, pinfo, tree, di, drep, hf_eventlog_Record, 0);
+ offset+=len;
+
+ return offset;
+}
+
+
+/* sid_length and sid_offset handled by manual code since this is not NDR
+ and we want to dissect the sid from the data blob */
+static guint32 sid_length;
+static int
+eventlog_dissect_element_Record_sid_length(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
+{
+ sid_length=0;
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep, hf_eventlog_eventlog_Record_sid_length,&sid_length);
+
+ return offset;
+}
+static int
+eventlog_dissect_element_Record_sid_offset(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
+{
+ guint32 sid_offset=0;
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep, hf_eventlog_eventlog_Record_sid_offset,&sid_offset);
+
+ if(sid_offset && sid_length){
+ tvbuff_t *sid_tvb;
+
+ /* this blob contains an NT SID.
+ * tvb starts at the beginning of the record.
+ */
+ sid_tvb=tvb_new_subset_length_caplen(tvb, sid_offset, MIN((gint)sid_length, tvb_captured_length_remaining(tvb, offset)), sid_length);
+ dissect_nt_sid(sid_tvb, 0, tree, "SID", NULL, -1);
+ }
+
+ return offset;
+}
+
+static int
+eventlog_dissect_element_Record_source_name(tvbuff_t *tvb, int offset, packet_info *pinfo _U_, proto_tree *tree, dcerpc_info *di _U_, guint8 *drep _U_)
+{
+ guint len;
+
+ len=tvb_unicode_strsize(tvb, offset);
+ proto_tree_add_item(tree, hf_eventlog_Record_source_name, tvb, offset, len, ENC_UTF_16|ENC_LITTLE_ENDIAN);
+
+ offset+=len;
+ return offset;
+}
+
+static int
+eventlog_dissect_element_Record_computer_name(tvbuff_t *tvb, int offset, packet_info *pinfo _U_, proto_tree *tree, dcerpc_info *di _U_, guint8 *drep _U_)
+{
+ guint len;
+
+ len=tvb_unicode_strsize(tvb, offset);
+ proto_tree_add_item(tree, hf_eventlog_Record_computer_name, tvb, offset, len, ENC_UTF_16|ENC_LITTLE_ENDIAN);
+
+ offset+=len;
+ return offset;
+}
+
+static guint16 num_of_strings;
+
+static int
+eventlog_dissect_element_Record_num_of_strings(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
+{
+ num_of_strings=0;
+ offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep, hf_eventlog_eventlog_Record_num_of_strings,&num_of_strings);
+
+ return offset;
+}
+
+static guint32 string_offset;
+
+static int
+eventlog_dissect_element_Record_stringoffset(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
+{
+ string_offset=0;
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep, hf_eventlog_eventlog_Record_stringoffset,&string_offset);
+
+ return offset;
+}
+
+static int
+eventlog_dissect_element_Record_strings(tvbuff_t *tvb, int offset, packet_info *pinfo _U_, proto_tree *tree, dcerpc_info *di _U_, guint8 *drep _U_)
+{
+ while(string_offset && num_of_strings){
+ guint len;
+
+ len=tvb_unicode_strsize(tvb, string_offset);
+ proto_tree_add_item(tree, hf_eventlog_Record_string, tvb, string_offset, len, ENC_UTF_16|ENC_LITTLE_ENDIAN);
+ string_offset+=len;
+
+ num_of_strings--;
+ }
+
+
+ return offset;
+}
+
+CODE END
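Review bot: In eventlog_dissect_element_Record_sid_offset the captured-length cap for the SID subset is measured from the wrong position: `tvb_captured_length_remaining(tvb, offset)` counts the bytes after the sid_offset field just read, while the subset starts at `sid_offset`, so the cap overstates what is actually available at the SID. The line should read `sid_tvb=tvb_new_subset_length_caplen(tvb, sid_offset, MIN((gint)sid_length, tvb_captured_length_remaining(tvb, sid_offset)), sid_length);`. Both `sid_length` here and `len` in eventlog_dissect_element_ReadEventLogW_data_ are packet-supplied guint32 values, so the `(gint)` cast goes negative for values above G_MAXINT and MIN then selects the negative operand; clamping first, e.g. `if (sid_length > G_MAXINT) sid_length = G_MAXINT;`, keeps the requested subset length well-defined. Presumably tvb_new_subset_length_caplen raises a bounds exception when sid_offset or the capped length falls outside the record tvb, which would be the intended failure path for a malformed record, but that is inferred from the tvb API rather than visible in the hunk.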
diff --git a/epan/dissectors/pidl/eventlog/eventlog.idl b/epan/dissectors/pidl/eventlog/eventlog.idl
new file mode 100644
index 00000000..cef3c388
--- /dev/null
+++ b/epan/dissectors/pidl/eventlog/eventlog.idl
@@ -0,0 +1,224 @@
+#include "idl_types.h"
+
+/* import "lsa.idl", "security.idl";*/
+
+/*
+ eventlog interface definition
+*/
+[ uuid("82273fdc-e32a-18c3-3f78-827929dc23ea"),
+ version(0.0),
+ pointer_default(unique),
+ helpstring("Event Logger")
+] interface eventlog
+{
+ typedef bitmap {
+ EVENTLOG_SEQUENTIAL_READ = 0x0001,
+ EVENTLOG_SEEK_READ = 0x0002,
+ EVENTLOG_FORWARDS_READ = 0x0004,
+ EVENTLOG_BACKWARDS_READ = 0x0008
+ } eventlogReadFlags;
+
+ typedef bitmap {
+ EVENTLOG_SUCCESS = 0x0000,
+ EVENTLOG_ERROR_TYPE = 0x0001,
+ EVENTLOG_WARNING_TYPE = 0x0002,
+ EVENTLOG_INFORMATION_TYPE = 0x0004,
+ EVENTLOG_AUDIT_SUCCESS = 0x0008,
+ EVENTLOG_AUDIT_FAILURE = 0x0010
+ } eventlogEventTypes;
+
+ typedef struct {
+ uint16 unknown0;
+ uint16 unknown1;
+ } eventlog_OpenUnknown0;
+
+ typedef [public] struct {
+ uint32 size;
+ uint32 reserved;
+ uint32 record_number;
+ uint32 time_generated;
+ uint32 time_written;
+ uint32 event_id;
+ uint16 event_type;
+ uint16 num_of_strings;
+ uint16 event_category;
+ uint16 reserved_flags;
+ uint32 closing_record_number;
+ uint32 stringoffset;
+ uint32 sid_length;
+ uint32 sid_offset;
+ uint32 data_length;
+ uint32 data_offset;
+ nstring source_name;
+ nstring computer_name;
+ nstring strings[num_of_strings];
+ astring raw_data;
+ } eventlog_Record;
+
+ /******************/
+ /* Function: 0x00 */
+ NTSTATUS eventlog_ClearEventLogW(
+ [in] policy_handle *handle,
+ [in,unique] lsa_String *backupfilename
+ );
+
+ /******************/
+ /* Function: 0x01 */
+ NTSTATUS eventlog_BackupEventLogW(
+ [in] policy_handle *handle,
+ [in,unique] lsa_String *backupfilename
+ );
+
+ /******************/
+ /* Function: 0x02 */
+ NTSTATUS eventlog_CloseEventLog(
+ [in,out] policy_handle *handle
+ );
+
+ /******************/
+ /* Function: 0x03 */
+ NTSTATUS eventlog_DeregisterEventSource(
+ [in,out] policy_handle *handle
+ );
+
+ /******************/
+ /* Function: 0x04 */
+ NTSTATUS eventlog_GetNumRecords(
+ [in] policy_handle *handle,
+ [out,ref] uint32 *number
+ );
+
+ /******************/
+ /* Function: 0x05 */
+ NTSTATUS eventlog_GetOldestRecord(
+ [in] policy_handle *handle,
+ [out,ref] uint32 *oldest
+ );
+
+ /******************/
+ /* Function: 0x06 */
+ typedef struct {
+ uint32 unknown0;
+ uint32 unknown1;
+ } eventlog_ChangeUnknown0;
+
+ NTSTATUS eventlog_ChangeNotify(
+ [in] policy_handle *handle,
+ [in, ref] eventlog_ChangeUnknown0 *unknown2,
+ [in] uint32 unknown3
+ );
+
+ /******************/
+ /* Function: 0x07 */
+ NTSTATUS eventlog_OpenEventLogW(
+ [in,unique] eventlog_OpenUnknown0 *unknown0,
+ [in] lsa_String Module,
+ [in] lsa_String RegModuleName,
+ [in] uint32 MajorVersion,
+ [in] uint32 MinorVersion,
+ [out] policy_handle *handle
+ );
+
+ /******************/
+ /* Function: 0x08 */
+ NTSTATUS eventlog_RegisterEventSourceW(
+ [in,unique] eventlog_OpenUnknown0 *unknown0,
+ [in] lsa_String logname,
+ [in] lsa_String servername,
+ [in] uint32 unknown2,
+ [in] uint32 unknown3,
+ [out] policy_handle *handle
+ );
+
+ /******************/
+ /* Function: 0x09 */
+ NTSTATUS eventlog_OpenBackupEventLogW(
+ [in,unique] eventlog_OpenUnknown0 *unknown0,
+ [in] lsa_String logname,
+ [in] uint32 unknown2,
+ [in] uint32 unknown3,
+ [out] policy_handle *handle
+ );
+
+ /******************/
+ /* Function: 0x0a */
+ NTSTATUS eventlog_ReadEventLogW(
+ [in] policy_handle *handle,
+ [in] eventlogReadFlags flags,
+ [in] uint32 offset,
+ [in] uint32 number_of_bytes,
+ [out,size_is(number_of_bytes)] uint8 *data,
+ [out,ref] uint32 *sent_size,
+ [out,ref] uint32 *real_size
+ );
+
+ /*****************/
+ /* Function 0x0b */
+ NTSTATUS eventlog_ReportEventW(
+ [in] policy_handle *handle,
+ [in] uint32 time,
+ [in] eventlogEventTypes Type,
+ [in] uint16 event_category,
+ [in] uint32 event_id,
+ [in] uint16 num_of_strings,
+ [in] uint32 data_length,
+ [in] lsa_String computer_name
+ /* sid */
+ );
+
+ /*****************/
+ /* Function 0x0c */
+ NTSTATUS eventlog_ClearEventLogA();
+
+ /******************/
+ /* Function: 0x0d */
+ NTSTATUS eventlog_BackupEventLogA();
+
+ /*****************/
+ /* Function 0x0e */
+ NTSTATUS eventlog_OpenEventLogA();
+
+ /*****************/
+ /* Function 0x0f */
+ NTSTATUS eventlog_RegisterEventSourceA();
+
+ /*****************/
+ /* Function 0x10 */
+ NTSTATUS eventlog_OpenBackupEventLogA();
+
+ /*****************/
+ /* Function 0x11 */
+ NTSTATUS eventlog_ReadEventLogA();
+
+ /*****************/
+ /* Function 0x12 */
+ NTSTATUS eventlog_ReportEventA();
+
+ /*****************/
+ /* Function 0x13 */
+ NTSTATUS eventlog_RegisterClusterSvc();
+
+ /*****************/
+ /* Function 0x14 */
+ NTSTATUS eventlog_DeregisterClusterSvc();
+
+ /*****************/
+ /* Function 0x15 */
+ NTSTATUS eventlog_WriteClusterEvents();
+
+ /*****************/
+ /* Function 0x16 */
+ NTSTATUS eventlog_GetLogIntormation(
+ [in] policy_handle *handle,
+ [in] uint32 dwInfoLevel,
+ [out] [size_is(cbBufSize)] char lpBuffer[*],
+ [in] uint32 cbBufSize,
+ [out,ref] long *cbBytesNeeded
+ );
+
+ /*****************/
+ /* Function 0x17 */
+ NTSTATUS eventlog_FlushEventLog(
+ [in] policy_handle *handle
+ );
+}