/* packet-smb2.h
* Defines for SMB2 packet dissection
*
* Wireshark - Network traffic analyzer
* By Gerald Combs <gerald@wireshark.org>
* Copyright 1998, 1999 Gerald Combs
*
* SPDX-License-Identifier: GPL-2.0-or-later
*/
#ifndef __PACKET_SMB2_H__
#define __PACKET_SMB2_H__
#include "packet-dcerpc.h"
#include "packet-smb.h"
#include "packet-ntlmssp.h"
/* SMB2 command codes. With MSVC and a
 * libwireshark.dll, we need a special declaration.
 *
 * Extended value_string that maps SMB2 command codes (the SMB2_COM_*
 * values below) to printable names. Only declared here; the definition
 * lives in the corresponding .c file. WS_DLL_PUBLIC exports the symbol
 * from libwireshark so other dissectors can reference it.
 */
WS_DLL_PUBLIC value_string_ext smb2_cmd_vals_ext;
/* Structure to keep track of information specific to a single
* SMB2 transaction. Here we store things we need to remember between
* a specific request and a specific response.
*
* There is no guarantee we will have this structure available for all
* SMB2 packets so a dissector must check this pointer for NULL
* before dereferencing it.
*
* private data is set to NULL when the structure is created. It is used
* for communications between the Request and the Response packets.
*/
/* extra info needed by export object smb
 *
 * Per-file record kept for the "Export Objects -> SMB" feature
 * (referenced from smb2_info_t::eo_file_info and the per-session
 * "files" map).
 */
typedef struct _smb2_eo_file_info_t {
guint32 attr_mask;   /* file attribute bits; presumably SMB2_FLAGS_ATTR_* values - confirm in the .c */
gint64 end_of_file;  /* end-of-file offset, i.e. the file size learned from the server - confirm */
} smb2_eo_file_info_t;
/* One open file handle (SMB2 FileId) as seen in the capture.
 *
 * Instances are stored in the per-session "fids" map and looked up by
 * (fid_persistent, fid_volatile, sesid, tid) plus the frame number; see
 * the frame_key comment for the lookup-only field.
 */
typedef struct _smb2_fid_info_t {
guint64 fid_persistent; /* Persistent half of the SMB2 FileId */
guint64 fid_volatile;   /* Volatile half of the SMB2 FileId */
guint64 sesid; /* *host* byte order - not necessarily little-endian! */
guint32 tid;   /* tree id the handle was opened under */
/* only used for key lookup in equal func, must be zero when inserting */
guint32 frame_key;
/* first and last frame nums this FID is valid */
guint32 frame_beg;
guint32 frame_end;
/* file name used to open this FID
 * (ownership/allocation scope is not visible in this header - check the .c) */
char *name;
} smb2_fid_info_t;
/* Tag describing what smb2_saved_info_t::extra_info points to.
 * Every non-NONE variant carries a char * (a name or pattern string).
 */
typedef enum {
SMB2_EI_NONE, /* Unassigned / NULL */
SMB2_EI_TREENAME, /* tid tracking char * */
SMB2_EI_FILENAME, /* fid tracking char * */
SMB2_EI_FINDPATTERN /* find tracking char * */
} smb2_extra_info_t;
/* Per-transaction state shared between one request and its response.
 *
 * Created when the request is seen and found again for the response via
 * the conversation's unmatched/matched tables (smb2_conv_info_t). Not
 * every packet will have one; callers must NULL-check the pointer.
 */
typedef struct _smb2_saved_info_t {
guint8 smb2_class; /* presumably the InfoType of a GETINFO/SETINFO request - confirm in the .c */
guint8 infolevel;  /* presumably the info class/level within smb2_class - confirm */
guint64 msg_id;    /* SMB2 header MessageId that pairs request and response */
guint32 frame_req, frame_res; /* frame numbers of the request and of the response */
nstime_t req_time; /* timestamp of the request; looks like it is used for response-time tracking - confirm */
/* Pre-auth integrity hash snapshots for request and response.
 * Pointers only; buffer size is not shown here (presumably
 * SMB2_PREAUTH_HASH_SIZE bytes - confirm). */
guint8 *preauth_hash_req, *preauth_hash_res;
smb2_fid_info_t *file; /* handle this transaction operates on, if known */
e_ctx_hnd policy_hnd; /* for eo_smb tracking */
smb_eo_t *eo_info_t; /* for storing eo_smb infos */
guint64 file_offset; /* needed file_offset for eo_smb */
guint32 bytes_moved; /* needed for eo_smb */
/* Request-to-response private data. extra_info_type says which string
 * extra_info points to; SMB2_EI_NONE means extra_info is NULL. */
void *extra_info;
smb2_extra_info_t extra_info_type;
} smb2_saved_info_t;
/* One tree connect (share) within a session; stored in the per-session
 * "tids" map.
 */
typedef struct _smb2_tid_info_t {
guint32 tid;           /* SMB2 header TreeId */
guint32 connect_frame; /* frame in which the TREE_CONNECT was seen */
guint8 share_type;     /* share type from the TREE_CONNECT response - confirm in the .c */
char *name;            /* share name; ownership not visible in this header */
} smb2_tid_info_t;
/* Size in bytes of the SMB 3.1.1 pre-authentication integrity hash
 * (64 bytes = SHA-512 output). */
#define SMB2_PREAUTH_HASH_SIZE 64
/* Size in bytes of a 128-bit AES key. The *key32 buffers below are
 * AES_KEY_SIZE*2 = 32 bytes, presumably for 256-bit cipher suites. */
#define AES_KEY_SIZE 16
/* One SMB2 session (SessionId) and everything learned about it:
 * authenticated identity, derived keys, and per-session lookup tables.
 *
 * NOTE(review): session_key, signing_key and the decryption keys are
 * held in cleartext for the lifetime of this record. Whether they are
 * cleared when the record is freed is not visible in this header -
 * confirm in the .c.
 */
typedef struct _smb2_sesid_info_t {
guint64 sesid; /* *host* byte order - not necessarily little-endian! */
guint32 auth_frame; /* frame in which session setup completed - confirm */
char *acct_name;    /* authenticated account name, if known */
char *domain_name;  /* authenticated domain name, if known */
char *host_name;    /* client host name, if known - confirm */
guint16 server_port; /* server-side TCP port of the session - confirm */
guint8 session_key[NTLMSSP_KEY_LEN]; /* NTLMSSP session key (length from packet-ntlmssp.h) */
guint8 signing_key[NTLMSSP_KEY_LEN]; /* key used to verify SMB2 signatures */
guint8 client_decryption_key16[AES_KEY_SIZE];   /* 128-bit key for client->server traffic */
guint8 server_decryption_key16[AES_KEY_SIZE];   /* 128-bit key for server->client traffic */
guint8 client_decryption_key32[AES_KEY_SIZE*2]; /* 256-bit key for client->server traffic */
guint8 server_decryption_key32[AES_KEY_SIZE*2]; /* 256-bit key for server->client traffic */
wmem_map_t *tids; /* smb2_tid_info_t records for this session (key type not shown here) */
wmem_map_t *fids; /* smb2_fid_info_t records; see smb2_fid_info_t::frame_key for lookup rules */
/* table to store some infos for smb export object */
wmem_map_t *files;
guint8 preauth_hash[SMB2_PREAUTH_HASH_SIZE]; /* final pre-auth integrity hash of this session */
} smb2_sesid_info_t;
/* Structure to keep track of conversations and the hash tables.
 * There is one such structure for each conversation.
 */
typedef struct _smb2_conv_info_t {
/* these two tables are used to match requests with responses */
GHashTable *unmatched; /* requests still waiting for a response */
GHashTable *matched;   /* request/response pairs already linked */
guint16 dialect;  /* negotiated SMB2 dialect - confirm in the .c */
guint16 sign_alg; /* negotiated signing algorithm id - confirm */
guint16 enc_alg;  /* negotiated encryption algorithm id - confirm */
/* preauth hash before session setup */
guint8 *preauth_hash_current; /* presumably points at whichever of the two buffers below is live - confirm */
guint8 preauth_hash_con[SMB2_PREAUTH_HASH_SIZE]; /* connection-level pre-auth hash */
guint8 preauth_hash_ses[SMB2_PREAUTH_HASH_SIZE]; /* session-setup pre-auth hash */
} smb2_conv_info_t;
/* This structure contains information from the SMB2 header
* as well as pointers to the conversation and the transaction specific
* structures.
*/
/* SMB2 HEADER FLAGS (the 32-bit Flags field of the SMB2 packet header). */
#define SMB2_FLAGS_RESPONSE 0x00000001
#define SMB2_FLAGS_ASYNC_CMD 0x00000002
#define SMB2_FLAGS_CHAINED 0x00000004
#define SMB2_FLAGS_SIGNATURE 0x00000008
#define SMB2_FLAGS_PRIORITY_MASK 0x00000070
#define SMB2_FLAGS_DFS_OP 0x10000000
#define SMB2_FLAGS_REPLAY_OPERATION 0x20000000
/* Priority is a 3-bit value inside SMB2_FLAGS_PRIORITY_MASK, not a set of
 * independent bits: compare (flags & SMB2_FLAGS_PRIORITY_MASK) against one
 * of these values rather than testing a single bit. */
#define SMB2_FLAGS_PRIORITY1 0x00000010
#define SMB2_FLAGS_PRIORITY2 0x00000020
#define SMB2_FLAGS_PRIORITY3 0x00000030
#define SMB2_FLAGS_PRIORITY4 0x00000040
#define SMB2_FLAGS_PRIORITY5 0x00000050
#define SMB2_FLAGS_PRIORITY6 0x00000060
#define SMB2_FLAGS_PRIORITY7 0x00000070
/* SMB2 FILE ATTRIBUTE MASKS
 * Bits of the FileAttributes field; the values match the Windows
 * FILE_ATTRIBUTE_* constants. */
#define SMB2_FLAGS_ATTR_ENCRYPTED 0x00004000
#define SMB2_FLAGS_ATTR_INDEXED 0x00002000
#define SMB2_FLAGS_ATTR_OFFLINE 0x00001000
#define SMB2_FLAGS_ATTR_COMPRESSED 0x00000800
#define SMB2_FLAGS_ATTR_REPARSEPOINT 0x00000400
#define SMB2_FLAGS_ATTR_SPARSE 0x00000200
#define SMB2_FLAGS_ATTR_TEMPORARY 0x00000100
#define SMB2_FLAGS_ATTR_NORMAL 0x00000080
#define SMB2_FLAGS_ATTR_DEVICE 0x00000040
#define SMB2_FLAGS_ATTR_ARCHIVE 0x00000020
#define SMB2_FLAGS_ATTR_DIRECTORY 0x00000010
#define SMB2_FLAGS_ATTR_VOLUMEID 0x00000008
#define SMB2_FLAGS_ATTR_SYSTEM 0x00000004
#define SMB2_FLAGS_ATTR_HIDDEN 0x00000002
#define SMB2_FLAGS_ATTR_READONLY 0x00000001
/* SMB2 FILE TYPES ASSIGNED TO EXPORT OBJECTS
 * Classification of an open handle for the export-object feature. */
#define SMB2_FID_TYPE_UNKNOWN 0
#define SMB2_FID_TYPE_FILE 1
#define SMB2_FID_TYPE_DIR 2
#define SMB2_FID_TYPE_PIPE 3
#define SMB2_FID_TYPE_OTHER 4
/* SMB2 COMMAND CODES
 * Values of the Command field in the SMB2 packet header; these are the
 * codes smb2_cmd_vals_ext maps to names. */
#define SMB2_COM_NEGOTIATE_PROTOCOL 0x00
#define SMB2_COM_SESSION_SETUP 0x01
#define SMB2_COM_SESSION_LOGOFF 0x02
#define SMB2_COM_TREE_CONNECT 0x03
#define SMB2_COM_TREE_DISCONNECT 0x04
#define SMB2_COM_CREATE 0x05
#define SMB2_COM_CLOSE 0x06
#define SMB2_COM_FLUSH 0x07
#define SMB2_COM_READ 0x08
#define SMB2_COM_WRITE 0x09
#define SMB2_COM_LOCK 0x0A
#define SMB2_COM_IOCTL 0x0B
#define SMB2_COM_CANCEL 0x0C
#define SMB2_COM_KEEPALIVE 0x0D
#define SMB2_COM_FIND 0x0E
#define SMB2_COM_NOTIFY 0x0F
#define SMB2_COM_GETINFO 0x10
#define SMB2_COM_SETINFO 0x11
#define SMB2_COM_BREAK 0x12
/* Per-packet context built from the SMB2 header, plus pointers to the
 * conversation-, session-, tree-, handle- and transaction-level state.
 * Any of the pointer members may be NULL when the corresponding state
 * was not seen in the capture; check before dereferencing.
 */
typedef struct _smb2_info_t {
guint16 opcode;         /* SMB2 header Command (one of SMB2_COM_*) */
guint32 ioctl_function; /* IOCTL control code; presumably only meaningful for SMB2_COM_IOCTL - confirm */
guint32 status;         /* SMB2 header Status */
guint32 tid;            /* SMB2 header TreeId */
guint64 sesid; /* *host* byte order - not necessarily little-endian! */
guint64 msg_id;         /* SMB2 header MessageId */
guint32 flags;          /* SMB2 header Flags (SMB2_FLAGS_* above) */
smb2_eo_file_info_t *eo_file_info; /* eo_smb extra info */
smb2_conv_info_t *conv;     /* owning conversation */
smb2_saved_info_t *saved;   /* transaction state; NULL if the request was not seen */
smb2_tid_info_t *tree;      /* tree connect for tid, if known */
smb2_sesid_info_t *session; /* session for sesid, if known */
smb2_fid_info_t *file;      /* open handle this packet refers to, if known */
proto_tree *top_tree;       /* top-level protocol tree the dissector adds to */
} smb2_info_t;
/* for transform content information
 *
 * Fields pulled from an SMB2 TRANSFORM_HEADER (encrypted message
 * envelope) plus the state needed to locate the decryption keys.
 */
typedef struct _smb2_transform_info_t {
guint8 nonce[16]; /* Nonce from the transform header */
guint32 size;     /* OriginalMessageSize: length of the plaintext once decrypted - confirm */
guint16 flags;    /* Flags / EncryptionAlgorithm field of the transform header - confirm */
guint64 sesid; /* *host* byte order - not necessarily little-endian! */
smb2_conv_info_t *conv;     /* owning conversation */
smb2_sesid_info_t *session; /* session holding the decryption keys, if known */
} smb2_transform_info_t;
/* Fields pulled from an SMB2 compression transform header (compressed
 * message envelope) plus the conversation/session it belongs to.
 */
typedef struct _smb2_comp_transform_info_t {
guint orig_size;   /* size of the data once decompressed - confirm against the .c */
guint alg;         /* compression algorithm id */
guint comp_offset; /* offset of the compressed payload within the message - confirm */
smb2_conv_info_t *conv;     /* owning conversation */
smb2_sesid_info_t *session; /* session the message belongs to, if known */
} smb2_comp_transform_info_t;
/**
 * Dissect a FILE_OBJECTID_BUFFER found at @p offset in @p tvb.
 *
 * @param tvb    buffer holding the data
 * @param pinfo  packet info (unused in this function, per _U_)
 * @param tree   tree to add the fields to
 * @param offset start of the structure within tvb
 * @return presumably the offset just past the structure - confirm in the .c
 */
int dissect_smb2_FILE_OBJECTID_BUFFER(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset);
/**
 * Dissect the IOCTL control code at @p offset.
 *
 * @param tvb            buffer holding the data
 * @param pinfo          packet info
 * @param parent_tree    tree to add the fields to
 * @param offset         start of the control code within tvb
 * @param ioctl_function out: receives the control code (may the caller pass NULL? - not visible here, confirm)
 * @return presumably the offset just past the control code - confirm in the .c
 */
int dissect_smb2_ioctl_function(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset, guint32 *ioctl_function);
/**
 * Dissect the input or output payload of an IOCTL request/response.
 *
 * @param tvb            buffer holding the payload
 * @param pinfo          packet info
 * @param tree           tree to add the fields to
 * @param top_tree       top-level protocol tree (for nested dissectors)
 * @param ioctl_function control code selecting the payload format
 * @param data_in        TRUE for request (input) data, FALSE for response (output) data - confirm
 * @param private_data   opaque per-call data; type depends on the caller and is not visible here
 */
void dissect_smb2_ioctl_data(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, proto_tree *top_tree, guint32 ioctl_function, gboolean data_in, void *private_data);
#endif
/*
* Editor modelines - https://www.wireshark.org/tools/modelines.html
*
* Local variables:
* c-basic-offset: 8
* tab-width: 8
* indent-tabs-mode: t
* End:
*
* vi: set shiftwidth=8 tabstop=8 noexpandtab:
* :indentSize=8:tabSize=8:noTabs=false:
*/