diff options
Diffstat (limited to 'epan/dissectors/packet-dcerpc.h')
-rw-r--r-- | epan/dissectors/packet-dcerpc.h | 575 |
1 files changed, 575 insertions, 0 deletions
diff --git a/epan/dissectors/packet-dcerpc.h b/epan/dissectors/packet-dcerpc.h new file mode 100644 index 00000000..f1759111 --- /dev/null +++ b/epan/dissectors/packet-dcerpc.h @@ -0,0 +1,575 @@ +/* packet-dcerpc.h + * Copyright 2001, Todd Sabin <tas@webspan.net> + * Copyright 2003, Tim Potter <tpot@samba.org> + * + * Wireshark - Network traffic analyzer + * By Gerald Combs <gerald@wireshark.org> + * Copyright 1998 Gerald Combs + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#ifndef __PACKET_DCERPC_H__ +#define __PACKET_DCERPC_H__ + +#include <epan/conversation.h> +#include "ws_symbol_export.h" + +#ifdef __cplusplus +extern "C" { +#endif /* __cplusplus */ + +#define DCERPC_TABLE_NAME "dcerpc.uuid" +/* + * Data representation. + */ +#define DREP_LITTLE_ENDIAN 0x10 + +#define DREP_EBCDIC 0x01 + +/* + * Data representation to integer byte order. + */ +#define DREP_ENC_INTEGER(drep) \ + (((drep)[0] & DREP_LITTLE_ENDIAN) ? ENC_LITTLE_ENDIAN : ENC_BIG_ENDIAN) + +/* + * Data representation to (octet-string) character encoding. + */ +#define DREP_ENC_CHAR(drep) \ + (((drep)[0] & DREP_EBCDIC) ? ENC_EBCDIC|ENC_NA : ENC_ASCII|ENC_NA) + +#ifdef PT_R4 +/* now glib always includes signal.h and on linux PPC + * signal.h defines PT_R4 +*/ +#undef PT_R4 +#endif + +#define DCERPC_UUID_NULL { 0,0,0, {0,0,0,0,0,0,0,0} } + +/* %08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x */ +#define DCERPC_UUID_STR_LEN 36+1 + +typedef struct _e_ctx_hnd { + guint32 attributes; + e_guid_t uuid; +} e_ctx_hnd; + +typedef struct _e_dce_cn_common_hdr_t { + guint8 rpc_ver; + guint8 rpc_ver_minor; + guint8 ptype; + guint8 flags; + guint8 drep[4]; + guint16 frag_len; + guint16 auth_len; + guint32 call_id; +} e_dce_cn_common_hdr_t; + +typedef struct _e_dce_dg_common_hdr_t { + guint8 rpc_ver; + guint8 ptype; + guint8 flags1; + guint8 flags2; + guint8 drep[3]; + guint8 serial_hi; + e_guid_t obj_id; + e_guid_t if_id; + e_guid_t act_id; + guint32 server_boot; + guint32 if_ver; + guint32 seqnum; + guint16 opnum; + guint16 ihint; + guint16 ahint; + guint16 frag_len; + guint16 frag_num; + guint8 auth_proto; + guint8 serial_lo; +} e_dce_dg_common_hdr_t; + +struct _dcerpc_auth_subdissector_fns; + +typedef struct _dcerpc_auth_info { + gboolean hdr_signing; + guint8 auth_type; + guint8 auth_level; + guint32 auth_context_id; + guint8 auth_pad_len; + guint32 auth_size; + struct _dcerpc_auth_subdissector_fns *auth_fns; + tvbuff_t *auth_hdr_tvb; + tvbuff_t *auth_tvb; + proto_item *auth_item; + proto_tree *auth_tree; +} dcerpc_auth_info; + +typedef struct dcerpcstat_tap_data +{ + const char *prog; + e_guid_t uuid; + guint16 ver; + int num_procedures; +} dcerpcstat_tap_data_t; + +/* Private data passed to subdissectors from the main DCERPC dissector. + * One unique instance of this structure is created for each + * DCERPC request/response transaction when we see the initial request + * of the transaction. + * These instances are persistent and will remain available until the + * capture file is closed and a new one is read. + * + * For transactions where we never saw the request (missing from the trace) + * the dcerpc runtime will create a temporary "fake" such structure to pass + * to the response dissector. These fake structures are not persistent + * and can not be used to keep data hanging around. + */ +typedef struct _dcerpc_call_value { + e_guid_t uuid; /* interface UUID */ + guint16 ver; /* interface version */ + e_guid_t object_uuid; /* optional object UUID (or DCERPC_UUID_NULL) */ + guint16 opnum; + guint32 req_frame; + nstime_t req_time; + guint32 rep_frame; + guint32 max_ptr; + void *se_data; /* This holds any data with se allocation scope + * that we might want to keep + * for this request/response transaction. + * The pointer is initialized to NULL and must be + * checked before being dereferenced. + * This is useful for such things as when we + * need to pass persistent data from the request + * to the reply, such as LSA/OpenPolicy2() that + * uses this to pass the domain name from the + * request to the reply. + */ + void *private_data; /* XXX This will later be renamed as ep_data */ + e_ctx_hnd *pol; /* policy handle tracked between request/response*/ +#define DCERPC_IS_NDR64 0x00000001 + guint32 flags; /* flags for this transaction */ +} dcerpc_call_value; + +typedef struct _dcerpc_info { + conversation_t *conv; /* Which TCP stream we are in */ + guint32 call_id; /* Call ID for this call */ + guint64 transport_salt; /* e.g. FID for DCERPC over SMB */ + guint8 ptype; /* packet type: PDU_REQ, PDU_RESP, ... */ + gboolean conformant_run; + gboolean no_align; /* are data aligned? (default yes) */ + gint32 conformant_eaten; /* how many bytes did the conformant run eat?*/ + guint32 array_max_count; /* max_count for conformant arrays */ + guint32 array_max_count_offset; + guint32 array_offset; + guint32 array_offset_offset; + guint32 array_actual_count; + guint32 array_actual_count_offset; + int hf_index; + dcerpc_call_value *call_data; + const char *dcerpc_procedure_name; /* Used by PIDL to store the name of the current dcerpc procedure */ + void *private_data; +} dcerpc_info; + +#define PDU_REQ 0 +#define PDU_PING 1 +#define PDU_RESP 2 +#define PDU_FAULT 3 +#define PDU_WORKING 4 +#define PDU_NOCALL 5 +#define PDU_REJECT 6 +#define PDU_ACK 7 +#define PDU_CL_CANCEL 8 +#define PDU_FACK 9 +#define PDU_CANCEL_ACK 10 +#define PDU_BIND 11 +#define PDU_BIND_ACK 12 +#define PDU_BIND_NAK 13 +#define PDU_ALTER 14 +#define PDU_ALTER_ACK 15 +#define PDU_AUTH3 16 +#define PDU_SHUTDOWN 17 +#define PDU_CO_CANCEL 18 +#define PDU_ORPHANED 19 +#define PDU_RTS 20 + +/* + * helpers for packet-dcerpc.c and packet-dcerpc-ndr.c + * If you're writing a subdissector, you almost certainly want the + * NDR functions below. + */ +guint16 dcerpc_tvb_get_ntohs (tvbuff_t *tvb, gint offset, guint8 *drep); +guint32 dcerpc_tvb_get_ntohl (tvbuff_t *tvb, gint offset, guint8 *drep); +void dcerpc_tvb_get_uuid (tvbuff_t *tvb, gint offset, guint8 *drep, e_guid_t *uuid); +WS_DLL_PUBLIC +int dissect_dcerpc_char (tvbuff_t *tvb, gint offset, packet_info *pinfo, + proto_tree *tree, guint8 *drep, + int hfindex, guint8 *pdata); +WS_DLL_PUBLIC +int dissect_dcerpc_uint8 (tvbuff_t *tvb, gint offset, packet_info *pinfo, + proto_tree *tree, guint8 *drep, + int hfindex, guint8 *pdata); +WS_DLL_PUBLIC +int dissect_dcerpc_uint16 (tvbuff_t *tvb, gint offset, packet_info *pinfo, + proto_tree *tree, guint8 *drep, + int hfindex, guint16 *pdata); +WS_DLL_PUBLIC +int dissect_dcerpc_uint32 (tvbuff_t *tvb, gint offset, packet_info *pinfo, + proto_tree *tree, guint8 *drep, + int hfindex, guint32 *pdata); +WS_DLL_PUBLIC +int dissect_dcerpc_uint64 (tvbuff_t *tvb, gint offset, packet_info *pinfo, + proto_tree *tree, dcerpc_info *di, guint8 *drep, + int hfindex, guint64 *pdata); +int dissect_dcerpc_float (tvbuff_t *tvb, gint offset, packet_info *pinfo, + proto_tree *tree, guint8 *drep, + int hfindex, gfloat *pdata); +int dissect_dcerpc_double (tvbuff_t *tvb, gint offset, packet_info *pinfo, + proto_tree *tree, guint8 *drep, + int hfindex, gdouble *pdata); +int dissect_dcerpc_time_t (tvbuff_t *tvb, gint offset, packet_info *pinfo, + proto_tree *tree, guint8 *drep, + int hfindex, guint32 *pdata); +WS_DLL_PUBLIC +int dissect_dcerpc_uuid_t (tvbuff_t *tvb, gint offset, packet_info *pinfo, + proto_tree *tree, guint8 *drep, + int hfindex, e_guid_t *pdata); + +/* + * NDR routines for subdissectors. + */ +WS_DLL_PUBLIC +int dissect_ndr_uint8 (tvbuff_t *tvb, gint offset, packet_info *pinfo, + proto_tree *tree, dcerpc_info *di, guint8 *drep, + int hfindex, guint8 *pdata); +int PIDL_dissect_uint8 (tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep, int hfindex, guint32 param); +int PIDL_dissect_uint8_val (tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep, int hfindex, guint32 param, guint8 *pval); +WS_DLL_PUBLIC +int dissect_ndr_uint16 (tvbuff_t *tvb, gint offset, packet_info *pinfo, + proto_tree *tree, dcerpc_info *di, guint8 *drep, + int hfindex, guint16 *pdata); +int PIDL_dissect_uint16 (tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep, int hfindex, guint32 param); +int PIDL_dissect_uint16_val (tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep, int hfindex, guint32 param, guint16 *pval); +WS_DLL_PUBLIC +int dissect_ndr_uint32 (tvbuff_t *tvb, gint offset, packet_info *pinfo, + proto_tree *tree, dcerpc_info *di, guint8 *drep, + int hfindex, guint32 *pdata); +int PIDL_dissect_uint32 (tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep, int hfindex, guint32 param); +int PIDL_dissect_uint32_val (tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep, int hfindex, guint32 param, guint32 *rval); +WS_DLL_PUBLIC +int dissect_ndr_duint32 (tvbuff_t *tvb, gint offset, packet_info *pinfo, + proto_tree *tree, dcerpc_info *di, guint8 *drep, + int hfindex, guint64 *pdata); +WS_DLL_PUBLIC +int dissect_ndr_uint64 (tvbuff_t *tvb, gint offset, packet_info *pinfo, + proto_tree *tree, dcerpc_info *di, guint8 *drep, + int hfindex, guint64 *pdata); +int PIDL_dissect_uint64 (tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep, int hfindex, guint32 param); +int PIDL_dissect_uint64_val (tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep, int hfindex, guint32 param, guint64 *pval); +WS_DLL_PUBLIC +int dissect_ndr_float (tvbuff_t *tvb, gint offset, packet_info *pinfo, + proto_tree *tree, dcerpc_info *di, guint8 *drep, + int hfindex, gfloat *pdata); +WS_DLL_PUBLIC +int dissect_ndr_double (tvbuff_t *tvb, gint offset, packet_info *pinfo, + proto_tree *tree, dcerpc_info *di, guint8 *drep, + int hfindex, gdouble *pdata); + +WS_DLL_PUBLIC +int dissect_ndr_time_t (tvbuff_t *tvb, gint offset, packet_info *pinfo, + proto_tree *tree, dcerpc_info *di, guint8 *drep, + int hfindex, guint32 *pdata); +WS_DLL_PUBLIC +int dissect_ndr_uuid_t (tvbuff_t *tvb, gint offset, packet_info *pinfo, + proto_tree *tree, dcerpc_info *di, guint8 *drep, + int hfindex, e_guid_t *pdata); +int dissect_ndr_ctx_hnd (tvbuff_t *tvb, gint offset, packet_info *pinfo, + proto_tree *tree, dcerpc_info *di, guint8 *drep, + int hfindex, e_ctx_hnd *pdata); + +#define FT_UINT1632 FT_UINT32 +typedef guint32 guint1632; + +WS_DLL_PUBLIC +int dissect_ndr_uint1632 (tvbuff_t *tvb, gint offset, packet_info *pinfo, + proto_tree *tree, dcerpc_info *di, guint8 *drep, + int hfindex, guint1632 *pdata); + +typedef guint64 guint3264; + +WS_DLL_PUBLIC +int dissect_ndr_uint3264 (tvbuff_t *tvb, gint offset, packet_info *pinfo, + proto_tree *tree, dcerpc_info *di, guint8 *drep, + int hfindex, guint3264 *pdata); + +typedef int (dcerpc_dissect_fnct_t)(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep); +typedef int (dcerpc_dissect_fnct_blk_t)(tvbuff_t *tvb, int offset, int length, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep); + +typedef void (dcerpc_callback_fnct_t)(packet_info *pinfo, proto_tree *tree, proto_item *item, dcerpc_info *di, tvbuff_t *tvb, int start_offset, int end_offset, void *callback_args); + +#define NDR_POINTER_REF 1 +#define NDR_POINTER_UNIQUE 2 +#define NDR_POINTER_PTR 3 + +int dissect_ndr_pointer_cb(tvbuff_t *tvb, gint offset, packet_info *pinfo, + proto_tree *tree, dcerpc_info *di, guint8 *drep, + dcerpc_dissect_fnct_t *fnct, int type, const char *text, + int hf_index, dcerpc_callback_fnct_t *callback, + void *callback_args); + +int dissect_ndr_pointer(tvbuff_t *tvb, gint offset, packet_info *pinfo, + proto_tree *tree, dcerpc_info *di, guint8 *drep, + dcerpc_dissect_fnct_t *fnct, int type, const char *text, + int hf_index); +int dissect_deferred_pointers(packet_info *pinfo, tvbuff_t *tvb, int offset, dcerpc_info *di, guint8 *drep); +int dissect_ndr_embedded_pointer(tvbuff_t *tvb, gint offset, packet_info *pinfo, + proto_tree *tree, dcerpc_info *di, guint8 *drep, + dcerpc_dissect_fnct_t *fnct, int type, const char *text, + int hf_index); +int dissect_ndr_toplevel_pointer(tvbuff_t *tvb, gint offset, packet_info *pinfo, + proto_tree *tree, dcerpc_info *di, guint8 *drep, + dcerpc_dissect_fnct_t *fnct, int type, const char *text, + int hf_index); + +/* dissect a NDR unidimensional conformant array */ +int dissect_ndr_ucarray(tvbuff_t *tvb, gint offset, packet_info *pinfo, + proto_tree *tree, dcerpc_info *di, guint8 *drep, + dcerpc_dissect_fnct_t *fnct); + +int dissect_ndr_ucarray_block(tvbuff_t *tvb, gint offset, packet_info *pinfo, + proto_tree *tree, dcerpc_info *di, guint8 *drep, + dcerpc_dissect_fnct_blk_t *fnct); + +/* dissect a NDR unidimensional conformant and varying array + * each byte in the array is processed separately + */ +int dissect_ndr_ucvarray(tvbuff_t *tvb, gint offset, packet_info *pinfo, + proto_tree *tree, dcerpc_info *di, guint8 *drep, + dcerpc_dissect_fnct_t *fnct); + +int dissect_ndr_ucvarray_block(tvbuff_t *tvb, gint offset, packet_info *pinfo, + proto_tree *tree, dcerpc_info *di, guint8 *drep, + dcerpc_dissect_fnct_blk_t *fnct); + +/* dissect a NDR unidimensional varying array */ +int dissect_ndr_uvarray(tvbuff_t *tvb, gint offset, packet_info *pinfo, + proto_tree *tree, dcerpc_info *di, guint8 *drep, + dcerpc_dissect_fnct_t *fnct); + +int dissect_ndr_byte_array(tvbuff_t *tvb, int offset, packet_info *pinfo, + proto_tree *tree, dcerpc_info *di, guint8 *drep); + +int dissect_ndr_cvstring(tvbuff_t *tvb, int offset, packet_info *pinfo, + proto_tree *tree, dcerpc_info *di, guint8 *drep, int size_is, + int hfinfo, gboolean add_subtree, + char **data); +int dissect_ndr_char_cvstring(tvbuff_t *tvb, int offset, packet_info *pinfo, + proto_tree *tree, dcerpc_info *di, guint8 *drep); +int dissect_ndr_wchar_cvstring(tvbuff_t *tvb, int offset, packet_info *pinfo, + proto_tree *tree, dcerpc_info *di, guint8 *drep); +int PIDL_dissect_cvstring(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep, int chsize, int hfindex, guint32 param); + +int dissect_ndr_cstring(tvbuff_t *tvb, int offset, packet_info *pinfo, + proto_tree *tree, dcerpc_info *di, guint8 *drep, int size_is, + int hfindex, gboolean add_subtree, char **data); +int dissect_ndr_vstring(tvbuff_t *tvb, int offset, packet_info *pinfo, + proto_tree *tree, dcerpc_info *di, guint8 *drep, int size_is, + int hfinfo, gboolean add_subtree, + char **data); +int dissect_ndr_char_vstring(tvbuff_t *tvb, int offset, packet_info *pinfo, + proto_tree *tree, dcerpc_info *di, guint8 *drep); +int dissect_ndr_wchar_vstring(tvbuff_t *tvb, int offset, packet_info *pinfo, + proto_tree *tree, dcerpc_info *di, guint8 *drep); + +typedef struct _dcerpc_sub_dissector { + guint16 num; + const gchar *name; + dcerpc_dissect_fnct_t *dissect_rqst; + dcerpc_dissect_fnct_t *dissect_resp; +} dcerpc_sub_dissector; + +/* registration function for subdissectors */ +WS_DLL_PUBLIC +void dcerpc_init_uuid (int proto, int ett, e_guid_t *uuid, guint16 ver, dcerpc_sub_dissector *procs, int opnum_hf); +WS_DLL_PUBLIC +const char *dcerpc_get_proto_name(e_guid_t *uuid, guint16 ver); +WS_DLL_PUBLIC +int dcerpc_get_proto_hf_opnum(e_guid_t *uuid, guint16 ver); +WS_DLL_PUBLIC +dcerpc_sub_dissector *dcerpc_get_proto_sub_dissector(e_guid_t *uuid, guint16 ver); + +/* Create a opnum, name value_string from a subdissector list */ + +value_string *value_string_from_subdissectors(dcerpc_sub_dissector *sd); + +/* Decode As... functionality */ +/* remove all bindings */ +WS_DLL_PUBLIC void decode_dcerpc_reset_all(void); +typedef void (*decode_add_show_list_func)(gpointer data, gpointer user_data); +WS_DLL_PUBLIC void decode_dcerpc_add_show_list(decode_add_show_list_func func, gpointer user_data); + + +/* the registered subdissectors. With MSVC and a + * libwireshark.dll, we need a special declaration. + */ +/* Key: guid_key * + * Value: dcerpc_uuid_value * + */ +WS_DLL_PUBLIC GHashTable *dcerpc_uuids; + +typedef struct _dcerpc_uuid_value { + protocol_t *proto; + int proto_id; + int ett; + const gchar *name; + dcerpc_sub_dissector *procs; + int opnum_hf; +} dcerpc_uuid_value; + +/* Authenticated pipe registration functions and miscellanea */ + +typedef tvbuff_t *(dcerpc_decode_data_fnct_t)(tvbuff_t *header_tvb, + tvbuff_t *payload_tvb, + tvbuff_t *trailer_tvb, + tvbuff_t *auth_tvb, + packet_info *pinfo, + dcerpc_auth_info *auth_info); + +typedef struct _dcerpc_auth_subdissector_fns { + + /* Dissect credentials and verifiers */ + + dcerpc_dissect_fnct_t *bind_fn; + dcerpc_dissect_fnct_t *bind_ack_fn; + dcerpc_dissect_fnct_t *auth3_fn; + dcerpc_dissect_fnct_t *req_verf_fn; + dcerpc_dissect_fnct_t *resp_verf_fn; + + /* Decrypt encrypted requests/response PDUs */ + + dcerpc_decode_data_fnct_t *req_data_fn; + dcerpc_decode_data_fnct_t *resp_data_fn; + +} dcerpc_auth_subdissector_fns; + +void register_dcerpc_auth_subdissector(guint8 auth_level, guint8 auth_type, + dcerpc_auth_subdissector_fns *fns); + +/* all values needed to (re-)build a dcerpc binding */ +typedef struct decode_dcerpc_bind_values_s { + /* values of a typical conversation */ + address addr_a; + address addr_b; + port_type ptype; + guint32 port_a; + guint32 port_b; + /* dcerpc conversation specific */ + guint16 ctx_id; + guint64 transport_salt; + /* corresponding "interface" */ + GString *ifname; + e_guid_t uuid; + guint16 ver; +} decode_dcerpc_bind_values_t; + +WS_DLL_PUBLIC guint64 dcerpc_get_transport_salt(packet_info *pinfo); +WS_DLL_PUBLIC void dcerpc_set_transport_salt(guint64 dcetransportsalt, packet_info *pinfo); + +/* Authentication services */ + +/* + * For MS-specific SSPs (Security Service Provider), see + * + * https://docs.microsoft.com/en-us/windows/win32/rpc/authentication-level-constants + */ + +#define DCE_C_RPC_AUTHN_PROTOCOL_NONE 0 +#define DCE_C_RPC_AUTHN_PROTOCOL_KRB5 1 +#define DCE_C_RPC_AUTHN_PROTOCOL_SPNEGO 9 +#define DCE_C_RPC_AUTHN_PROTOCOL_NTLMSSP 10 +#define DCE_C_RPC_AUTHN_PROTOCOL_GSS_SCHANNEL 14 +#define DCE_C_RPC_AUTHN_PROTOCOL_GSS_KERBEROS 16 +#define DCE_C_RPC_AUTHN_PROTOCOL_DPA 17 +#define DCE_C_RPC_AUTHN_PROTOCOL_MSN 18 +#define DCE_C_RPC_AUTHN_PROTOCOL_DIGEST 21 +#define DCE_C_RPC_AUTHN_PROTOCOL_SEC_CHAN 68 +#define DCE_C_RPC_AUTHN_PROTOCOL_MQ 100 + +/* Protection levels */ + +#define DCE_C_AUTHN_LEVEL_NONE 1 +#define DCE_C_AUTHN_LEVEL_CONNECT 2 +#define DCE_C_AUTHN_LEVEL_CALL 3 +#define DCE_C_AUTHN_LEVEL_PKT 4 +#define DCE_C_AUTHN_LEVEL_PKT_INTEGRITY 5 +#define DCE_C_AUTHN_LEVEL_PKT_PRIVACY 6 + +void +init_ndr_pointer_list(dcerpc_info *di); + + + +/* These defines are used in the PIDL conformance files when using + * the PARAM_VALUE directive. + */ +/* Policy handle tracking. Describes in which function a handle is + * opened/closed. See "winreg.cnf" for example. + * + * The guint32 param is divided up into multiple fields + * + * +--------+--------+--------+--------+ + * | Flags | Type | | | + * +--------+--------+--------+--------+ + */ +/* Flags : */ +#define PIDL_POLHND_OPEN 0x80000000 +#define PIDL_POLHND_CLOSE 0x40000000 +/* To "save" a pointer to the string in dcv->private_data */ +#define PIDL_STR_SAVE 0x20000000 +/* To make this value appear on the summary line for the packet */ +#define PIDL_SET_COL_INFO 0x10000000 + +/* Type */ +#define PIDL_POLHND_TYPE_MASK 0x00ff0000 +#define PIDL_POLHND_TYPE_SAMR_USER 0x00010000 +#define PIDL_POLHND_TYPE_SAMR_CONNECT 0x00020000 +#define PIDL_POLHND_TYPE_SAMR_DOMAIN 0x00030000 +#define PIDL_POLHND_TYPE_SAMR_GROUP 0x00040000 +#define PIDL_POLHND_TYPE_SAMR_ALIAS 0x00050000 + +#define PIDL_POLHND_TYPE_LSA_POLICY 0x00060000 +#define PIDL_POLHND_TYPE_LSA_ACCOUNT 0x00070000 +#define PIDL_POLHND_TYPE_LSA_SECRET 0x00080000 +#define PIDL_POLHND_TYPE_LSA_DOMAIN 0x00090000 + +/* a structure we store for all policy handles we track */ +typedef struct pol_value { + struct pol_value *next; /* Next entry in hash bucket */ + guint32 open_frame, close_frame; /* Frame numbers for open/close */ + guint32 first_frame; /* First frame in which this instance was seen */ + guint32 last_frame; /* Last frame in which this instance was seen */ + char *name; /* Name of policy handle */ + guint32 type; /* policy handle type */ +} pol_value; + + +extern int hf_dcerpc_drep_byteorder; +extern int hf_dcerpc_ndr_padding; + +#define FAKE_DCERPC_INFO_STRUCTURE \ + /* Fake dcerpc_info structure */ \ + dcerpc_info di; \ + dcerpc_call_value call_data; \ + \ + di.conformant_run = FALSE; \ + di.no_align = TRUE; \ + \ + /* we need di->call_data->flags.NDR64 == 0 */ \ + call_data.flags = 0; \ + di.call_data = &call_data; + +#ifdef __cplusplus +} +#endif /* __cplusplus */ + +#endif /* packet-dcerpc.h */ |