1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
|
/* packet-dcom.h
* Routines for DCOM generics
*
* Wireshark - Network traffic analyzer
* By Gerald Combs <gerald@wireshark.org>
* Copyright 1998 Gerald Combs
*
* SPDX-License-Identifier: GPL-2.0-or-later
*/
#ifndef __PACKET_DCOM_H
#define __PACKET_DCOM_H
#include "ws_symbol_export.h"
WS_DLL_PUBLIC const value_string dcom_hresult_vals[];
WS_DLL_PUBLIC const value_string dcom_variant_type_vals[];
extern const value_string dcom_protseq_vals[];
extern int hf_dcom_iid;
extern int hf_dcom_clsid;
extern int hf_dcom_oxid;
extern int hf_dcom_oid;
extern int hf_dcom_ipid;
extern GHashTable *dcom_uuids;
/* preferences */
WS_DLL_PUBLIC gboolean dcom_prefs_display_unmarshalling_details;
typedef struct dcom_machine_s {
GList *objects;
gint first_packet;
address ip;
} dcom_machine_t;
typedef struct dcom_object_s {
dcom_machine_t *parent;
GList *interfaces;
void *private_data;
gint first_packet;
guint64 oid;
guint64 oxid;
} dcom_object_t;
typedef struct dcom_interface_s {
dcom_object_t *parent;
void *private_data;
gint first_packet;
e_guid_t iid;
e_guid_t ipid; /* the DCE/RPC Object UUID */
} dcom_interface_t;
typedef int (*dcom_dissect_fn_t) (tvbuff_t *tvb, gint offset, packet_info *pinfo,
proto_tree *tree, dcerpc_info *di, guint8 *drep, gint size);
typedef struct dcom_marshaler_s {
dcom_object_t *parent;
void *private_data;
e_guid_t uuid;
dcom_dissect_fn_t routine;
} dcom_marshaler_t;
WS_DLL_PUBLIC dcom_interface_t *dcom_interface_new(packet_info *pinfo, const address *addr, e_guid_t *iid, guint64 oxid, guint64 oid, e_guid_t *ipid);
WS_DLL_PUBLIC dcom_interface_t *dcom_interface_find(packet_info *pinfo, const address *addr, e_guid_t *ipid);
#ifdef DEBUG
extern void dcom_interface_dump(void);
#endif
extern int dcom_register_routine(dcom_dissect_fn_t routine, e_guid_t* uuid);
extern void dcom_register_common_routines_(void);
extern dcom_dissect_fn_t dcom_get_routine_by_uuid(const e_guid_t* uuid);
/* the essential DCOM this and that, starting every call */
WS_DLL_PUBLIC int
dissect_dcom_this(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep);
WS_DLL_PUBLIC int
dissect_dcom_that(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep);
/* dissection of somewhat more simple data types */
#define dissect_dcom_BOOLEAN dissect_ndr_uint8
#define dissect_dcom_BYTE dissect_ndr_uint8
#define dissect_dcom_WORD dissect_ndr_uint16
#define dissect_dcom_DWORD dissect_ndr_uint32
#define dissect_dcom_I8 dissect_ndr_uint64
#define dissect_dcom_ID dissect_ndr_duint32
#define dissect_dcom_FILETIME dissect_ndr_duint32 /* ToBeDone */
#define dissect_dcom_VARIANT_BOOL dissect_ndr_uint16
#define dissect_dcom_FLOAT dissect_ndr_float
#define dissect_dcom_DOUBLE dissect_ndr_double
#define dissect_dcom_DATE dissect_ndr_double
WS_DLL_PUBLIC int
dissect_dcom_UUID(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep,
int hfindex, e_guid_t *uuid);
WS_DLL_PUBLIC int
dissect_dcom_append_UUID(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep,
int hfindex, int field_index, e_guid_t *uuid);
extern int
dissect_dcom_indexed_WORD(tvbuff_t *tvb, int offset, packet_info *pinfo,
proto_tree *tree, dcerpc_info *di, guint8 *drep,
int hfindex, guint16 * pu16WORD, int field_index);
WS_DLL_PUBLIC int
dissect_dcom_indexed_DWORD(tvbuff_t *tvb, int offset, packet_info *pinfo,
proto_tree *tree, dcerpc_info *di, guint8 *drep,
int hfindex, guint32 * pu32DWORD, int field_index);
WS_DLL_PUBLIC int
dissect_dcom_HRESULT(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep, guint32 * pu32hresult);
WS_DLL_PUBLIC int
dissect_dcom_HRESULT_item(tvbuff_t *tvb, int offset, packet_info *pinfo,
proto_tree *tree, dcerpc_info *di, guint8 *drep,
guint32 * pu32HResult, int field_index, proto_item **item);
WS_DLL_PUBLIC int
dissect_dcom_indexed_HRESULT(tvbuff_t *tvb, int offset, packet_info *pinfo,
proto_tree *tree, dcerpc_info *di, guint8 *drep,
guint32 * pu32hresult, int field_index);
extern int
dissect_dcom_COMVERSION(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep,
guint16 * pu16version_major, guint16 * pu16version_minor);
typedef void (*sa_callback_t) (tvbuff_t *tvb, gint offset, packet_info *pinfo,
proto_tree *tree, dcerpc_info *di, guint8 *drep,
guint32 u32VarType, guint32 u32ArraySize);
WS_DLL_PUBLIC int
dissect_dcom_SAFEARRAY(tvbuff_t *tvb, int offset, packet_info *pinfo,
proto_tree *tree, dcerpc_info *di, guint8 *drep, int hfindex _U_, sa_callback_t sacb);
WS_DLL_PUBLIC int
dissect_dcom_LPWSTR(tvbuff_t *tvb, gint offset, packet_info *pinfo,
proto_tree *tree, dcerpc_info *di, guint8 *drep, int hfindex,
gchar *psz_buffer, guint32 u32max_buffer);
WS_DLL_PUBLIC int
dissect_dcom_indexed_LPWSTR(tvbuff_t *tvb, gint offset, packet_info *pinfo,
proto_tree *tree, dcerpc_info *di, guint8 *drep, int hfindex,
gchar *pszStr, guint32 u32MaxStr, int field_index);
WS_DLL_PUBLIC int
dissect_dcom_BSTR(tvbuff_t *tvb, gint offset, packet_info *pinfo,
proto_tree *tree, dcerpc_info *di, guint8 *drep, int hfindex,
gchar *psz_buffer, guint32 u32max_buffer);
extern int
dissect_dcom_DUALSTRINGARRAY(tvbuff_t *tvb, gint offset, packet_info *pinfo,
proto_tree *tree, dcerpc_info *di, guint8 *drep, int hfindex, gchar *ip);
extern int
dissect_dcom_STDOBJREF(tvbuff_t *tvb, gint offset, packet_info *pinfo,
proto_tree *tree, dcerpc_info *di, guint8 *drep, int hfindex,
guint64 *oxid, guint64 *oid, e_guid_t *ipid);
extern int
dissect_dcom_OBJREF(tvbuff_t *tvb, gint offset, packet_info *pinfo,
proto_tree *tree, dcerpc_info *di, guint8 *drep, int hfindex, dcom_interface_t **interf);
WS_DLL_PUBLIC int
dissect_dcom_MInterfacePointer(tvbuff_t *tvb, gint offset, packet_info *pinfo,
proto_tree *tree, dcerpc_info *di, guint8 *drep, int hfindex, dcom_interface_t **interf);
WS_DLL_PUBLIC int
dissect_dcom_PMInterfacePointer(tvbuff_t *tvb, gint offset, packet_info *pinfo,
proto_tree *tree, dcerpc_info *di, guint8 *drep, int hfindex, dcom_interface_t **interf);
WS_DLL_PUBLIC int
dissect_dcom_VARTYPE(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep,
guint16 *pu16Vartype);
WS_DLL_PUBLIC int
dissect_dcom_VARIANT(tvbuff_t *tvb, int offset, packet_info *pinfo,
proto_tree *tree, dcerpc_info *di, guint8 *drep, int hfindex);
/* dcom "dcerpc internal" unmarshalling */
WS_DLL_PUBLIC int
dissect_dcom_dcerpc_array_size(tvbuff_t *tvb, gint offset, packet_info *pinfo,
proto_tree *tree, dcerpc_info *di, guint8 *drep, guint32 *pu32array_size);
WS_DLL_PUBLIC int
dissect_dcom_dcerpc_pointer(tvbuff_t *tvb, gint offset, packet_info *pinfo,
proto_tree *tree, dcerpc_info *di, guint8 *drep, guint32 *pu32pointer);
/* mark things as "to be done" */
extern int
dissect_dcom_tobedone_data(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, guint8 *drep, int length);
/* mark things "no specification available" */
extern int
dissect_dcom_nospec_data(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, guint8 *drep, int length);
/* very simple parameter-profiles dissectors (for very simple requests ;-) */
/* request: no parameters */
WS_DLL_PUBLIC int
dissect_dcom_simple_rqst(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep);
/* response: only HRESULT */
WS_DLL_PUBLIC int
dissect_dcom_simple_resp(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep);
#endif /* packet-dcom.h */
|