1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
|
# Conformance file for mapi
HF_FIELD hf_mapi_decrypted_data "Decrypted data" "mapi.decrypted.data" FT_BYTES BASE_NONE NULL 0 NULL HFILL
HF_FIELD hf_mapi_LogonId "LogonId" "mapi.rop.LogonId" FT_UINT8 BASE_DEC NULL 0 NULL HFILL
HF_FIELD hf_mapi_ResponseHandleIndex "ResponseHandleIndex" "mapi.rop.ResponseHandleIndex" FT_UINT8 BASE_DEC NULL 0 NULL HFILL
HF_FIELD hf_mapi_InputHandleIndex "InputHandleIndex" "mapi.rop.InputHandleIndex" FT_UINT8 BASE_DEC NULL 0 NULL HFILL
HF_FIELD hf_mapi_OutputHandleIndex "OutputHandleIndex" "mapi.rop.OutputHandleIndex" FT_UINT8 BASE_DEC NULL 0 NULL HFILL
HF_FIELD hf_mapi_RgbInSize "RgbInSize" "mapi.RgbIn.RgbInSize" FT_UINT32 BASE_DEC NULL 0 NULL HFILL
HF_FIELD hf_mapi_RgbOutSize "RgbOutSize" "mapi.RgbOut.RgbOutSize" FT_UINT32 BASE_DEC NULL 0 NULL HFILL
HF_FIELD hf_mapi_AUX_PERF_CLIENTINFO_ClientIPV4 "ClientIP" "mapi.AUX_PERF_CLIENTINFO.ClientIP" FT_IPv4 BASE_NONE NULL 0 NULL HFILL
HF_FIELD hf_mapi_AUX_PERF_CLIENTINFO_ClientIPV6 "ClientIPV6" "mapi.AUX_PERF_CLIENTINFO.ClientIPV6" FT_IPv6 BASE_NONE NULL 0 NULL HFILL
HF_FIELD hf_mapi_AUX_PERF_CLIENTINFO_MacAddressEther "MacAddress" "mapi.AUX_PERF_CLIENTINFO.MacAddress" FT_ETHER BASE_NONE NULL 0 NULL HFILL
HF_RENAME hf_mapi_AUX_PERF_CLIENTINFO_MacAddress hf_mapi_AUX_PERF_CLIENTINFO_MacAddressEther
HF_RENAME hf_mapi_AUX_PERF_CLIENTINFO_ClientIP hf_mapi_AUX_PERF_CLIENTINFO_ClientIPV4
HF_RENAME hf_mapi_AbortSubmit_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_Abort_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_AddressTypes_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_CloneStream_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_CollapseRow_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_CommitStream_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_CopyFolder_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_CopyProperties_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_CopyToStream_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_CopyTo_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_CreateAttach_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_CreateBookmark_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_CreateFolder_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_CreateMessage_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_DeleteAttach_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_DeleteFolder_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_DeleteMessages_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_DeletePropertiesNoReplicate_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_DeleteProps_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_EmptyFolder_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_ExpandRow_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_FastTransferSourceGetBuffer_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_FindRow_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_FreeBookmark_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_GetAttachmentTable_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_GetCollapseState_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_GetContentsTable_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_GetHierarchyTable_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_GetIDsFromNames_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_GetLocalReplicaIds_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_GetMessageStatus_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_GetNamesFromIDs_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_GetOwningServers_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_GetPerUserGuid_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_GetPerUserLongTermIds_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_GetPermissionsTable_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_GetPropList_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_GetPropsAll_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_GetProps_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_GetReceiveFolderTable_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_GetReceiveFolder_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_GetRulesTable_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_GetSearchCriteria_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_GetStatus_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_GetStoreState_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_GetStreamSize_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_GetTransportFolder_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_GetValidAttachments_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_HardDeleteMessagesAndSubfolders_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_HardDeleteMessages_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_IdFromLongTermId_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_LockRegionStream_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_Logon_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_LongTermIdFromId_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_ModifyPermissions_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_ModifyRecipients_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_ModifyRules_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_MoveCopyMessages_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_MoveFolder_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_OpenAttach_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_OpenEmbeddedMessage_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_OpenFolder_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_OpenMessage_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_OpenStream_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_OptionsData_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_Progress_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_PublicFolderIsGhosted_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_QueryColumnsAll_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_QueryNamedProperties_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_QueryPosition_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_QueryRows_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_ReadPerUserInformation_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_ReadRecipients_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_ReadStream_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_RegisterNotification_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_Release_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_RemoveAllRecipients_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_ResetTable_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_SaveChangesAttachment_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_SaveChangesMessage_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_SeekRowApprox_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_SeekRowBookmark_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_SeekRow_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_SeekStream_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_SetCollapseState_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_SetColumns_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_SetMessageReadFlag_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_SetMessageStatus_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_SetPropertiesNoReplicate_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_SetProps_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_SetReadFlags_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_SetReceiveFolder_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_SetSearchCriteria_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_SetSpooler_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_SetStreamSize_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_SortTable_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_SpoolerLockMessage_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_SubmitMessage_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_SyncConfigure_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_SyncGetTransferState_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_SyncImportDeletes_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_SyncImportHierarchyChange_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_SyncImportMessageChange_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_SyncImportMessageMove_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_SyncImportReadStateChanges_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_SyncOpenCollector_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_SyncUploadStateStreamBegin_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_SyncUploadStateStreamContinue_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_SyncUploadStateStreamEnd_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_TransportNewMail_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_TransportSend_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_UnlockRegionStream_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_UpdateDeferredActionMessages_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_WriteAndCommitStream_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_WriteStream_req_LogonId hf_mapi_LogonId
HF_RENAME hf_mapi_AbortSubmit_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_Abort_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_AddressTypes_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_CloneStream_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_CollapseRow_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_CommitStream_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_CreateAttach_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_CreateBookmark_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_CreateFolder_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_CreateMessage_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_DeleteAttach_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_DeleteFolder_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_DeleteMessages_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_DeletePropertiesNoReplicate_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_DeleteProps_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_EmptyFolder_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_ExpandRow_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_FastTransferSourceGetBuffer_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_FindRow_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_FreeBookmark_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_GetAttachmentTable_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_GetCollapseState_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_GetContentsTable_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_GetHierarchyTable_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_GetIDsFromNames_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_GetLocalReplicaIds_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_GetMessageStatus_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_GetNamesFromIDs_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_GetOwningServers_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_GetPerUserGuid_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_GetPerUserLongTermIds_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_GetPermissionsTable_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_GetPropList_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_GetPropsAll_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_GetProps_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_GetReceiveFolderTable_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_GetReceiveFolder_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_GetRulesTable_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_GetSearchCriteria_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_GetStatus_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_GetStoreState_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_GetStreamSize_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_GetTransportFolder_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_GetValidAttachments_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_HardDeleteMessagesAndSubfolders_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_HardDeleteMessages_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_IdFromLongTermId_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_LockRegionStream_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_LongTermIdFromId_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_ModifyPermissions_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_ModifyRecipients_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_ModifyRules_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_OpenAttach_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_OpenEmbeddedMessage_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_OpenFolder_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_OpenMessage_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_OpenStream_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_OptionsData_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_Progress_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_PublicFolderIsGhosted_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_QueryColumnsAll_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_QueryNamedProperties_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_QueryPosition_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_QueryRows_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_ReadPerUserInformation_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_ReadRecipients_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_ReadStream_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_RegisterNotification_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_Release_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_RemoveAllRecipients_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_ResetTable_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_SaveChangesAttachment_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_SaveChangesMessage_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_SeekRowApprox_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_SeekRowBookmark_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_SeekRow_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_SeekStream_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_SetCollapseState_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_SetColumns_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_SetMessageReadFlag_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_SetMessageStatus_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_SetPropertiesNoReplicate_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_SetProps_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_SetReadFlags_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_SetReceiveFolder_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_SetSearchCriteria_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_SetSpooler_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_SetStreamSize_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_SortTable_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_SpoolerLockMessage_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_SubmitMessage_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_SyncConfigure_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_SyncGetTransferState_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_SyncImportDeletes_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_SyncImportHierarchyChange_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_SyncImportMessageChange_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_SyncImportMessageMove_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_SyncImportReadStateChanges_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_SyncOpenCollector_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_SyncUploadStateStreamBegin_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_SyncUploadStateStreamContinue_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_SyncUploadStateStreamEnd_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_TransportNewMail_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_TransportSend_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_UnlockRegionStream_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_UpdateDeferredActionMessages_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_WriteAndCommitStream_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_WriteStream_req_InputHandleIndex hf_mapi_InputHandleIndex
HF_RENAME hf_mapi_CloneStream_req_OutputHandleIndex hf_mapi_OutputHandleIndex
HF_RENAME hf_mapi_CreateAttach_req_OutputHandleIndex hf_mapi_OutputHandleIndex
HF_RENAME hf_mapi_CreateFolder_req_OutputHandleIndex hf_mapi_OutputHandleIndex
HF_RENAME hf_mapi_CreateMessage_req_OutputHandleIndex hf_mapi_OutputHandleIndex
HF_RENAME hf_mapi_GetAttachmentTable_req_OutputHandleIndex hf_mapi_OutputHandleIndex
HF_RENAME hf_mapi_GetContentsTable_req_OutputHandleIndex hf_mapi_OutputHandleIndex
HF_RENAME hf_mapi_GetHierarchyTable_req_OutputHandleIndex hf_mapi_OutputHandleIndex
HF_RENAME hf_mapi_GetPermissionsTable_req_OutputHandleIndex hf_mapi_OutputHandleIndex
HF_RENAME hf_mapi_GetRulesTable_req_OutputHandleIndex hf_mapi_OutputHandleIndex
HF_RENAME hf_mapi_Logon_req_OutputHandleIndex hf_mapi_OutputHandleIndex
HF_RENAME hf_mapi_OpenAttach_req_OutputHandleIndex hf_mapi_OutputHandleIndex
HF_RENAME hf_mapi_OpenEmbeddedMessage_req_OutputHandleIndex hf_mapi_OutputHandleIndex
HF_RENAME hf_mapi_OpenFolder_req_OutputHandleIndex hf_mapi_OutputHandleIndex
HF_RENAME hf_mapi_OpenMessage_req_OutputHandleIndex hf_mapi_OutputHandleIndex
HF_RENAME hf_mapi_OpenStream_req_OutputHandleIndex hf_mapi_OutputHandleIndex
HF_RENAME hf_mapi_RegisterNotification_req_OutputHandleIndex hf_mapi_OutputHandleIndex
HF_RENAME hf_mapi_SyncConfigure_req_OutputHandleIndex hf_mapi_OutputHandleIndex
HF_RENAME hf_mapi_SyncGetTransferState_req_OutputHandleIndex hf_mapi_OutputHandleIndex
HF_RENAME hf_mapi_SyncImportMessageChange_req_OutputHandleIndex hf_mapi_OutputHandleIndex
HF_RENAME hf_mapi_SyncOpenCollector_req_OutputHandleIndex hf_mapi_OutputHandleIndex
HF_RENAME hf_mapi_SaveChangesAttachment_req_ResponseHandleIndex hf_mapi_ResponseHandleIndex
HF_RENAME hf_mapi_SaveChangesMessage_req_ResponseHandleIndex hf_mapi_ResponseHandleIndex
HF_RENAME hf_mapi_SetMessageReadFlag_req_ResponseHandleIndex hf_mapi_ResponseHandleIndex
HF_FIELD hf_mapi_SyncUploadStateStreamContinue_req_StreamDataValue "StreamData" "mapi.SyncUploadStateStreamContinue_req.StreamData" FT_BYTES BASE_NONE NULL 0 NULL HFILL
HF_RENAME hf_mapi_SyncUploadStateStreamContinue_req_StreamData hf_mapi_SyncUploadStateStreamContinue_req_StreamDataValue
HF_FIELD hf_mapi_SyncImportMessageMove_req_SourceFolderIdValue "SourceFolderId" "mapi.SyncImportMessageMove_req.SourceFolderId" FT_BYTES BASE_NONE NULL 0 NULL HFILL
HF_RENAME hf_mapi_SyncImportMessageMove_req_SourceFolderId hf_mapi_SyncImportMessageMove_req_SourceFolderIdValue
HF_FIELD hf_mapi_SyncImportMessageMove_req_SourceMessageIdValue "SourceMessageId" "mapi.SyncImportMessageMove_req.SourceMessageId" FT_BYTES BASE_NONE NULL 0 NULL HFILL
HF_RENAME hf_mapi_SyncImportMessageMove_req_SourceMessageId hf_mapi_SyncImportMessageMove_req_SourceMessageIdValue
HF_FIELD hf_mapi_SyncImportMessageMove_req_PredecessorChangeListValue "PredecessorChangeList" "mapi.SyncImportMessageMove_req.PredecessorChangeList" FT_BYTES BASE_NONE NULL 0 NULL HFILL
HF_RENAME hf_mapi_SyncImportMessageMove_req_PredecessorChangeList hf_mapi_SyncImportMessageMove_req_PredecessorChangeListValue
HF_FIELD hf_mapi_SyncImportMessageMove_req_DestinationMessageIdValue "DestinationMessageId" "mapi.SyncImportMessageMove_req.DestinationMessageId" FT_BYTES BASE_NONE NULL 0 NULL HFILL
HF_RENAME hf_mapi_SyncImportMessageMove_req_DestinationMessageId hf_mapi_SyncImportMessageMove_req_DestinationMessageIdValue
HF_FIELD hf_mapi_SyncImportMessageMove_req_ChangeNumberValue "ChangeNumber" "mapi.SyncImportMessageMove_req.ChangeNumber" FT_BYTES BASE_NONE NULL 0 NULL HFILL
HF_RENAME hf_mapi_SyncImportMessageMove_req_ChangeNumber hf_mapi_SyncImportMessageMove_req_ChangeNumberValue
ETT_FIELD ett_mapi_connect_request
ETT_FIELD ett_ServerObjectHandleTable
MANUAL mapi_dissect_struct_request
MANUAL mapi_dissect_struct_EcDoRpcMapiRequest
MANUAL mapi_dissect_struct_AuxInfo
MANUAL mapi_dissect_struct_AUX_HEADER
MANUAL mapi_dissect_AUX_HEADER_TYPE_ENUM
MANUAL mapi_dissect_AUX_DATA
MANUAL mapi_dissect_struct_EcDoRpcMapiResponse
MANUAL mapi_dissect_struct_response
MANUAL mapi_dissect_element_EcDoRpc_response
MANUAL mapi_dissect_struct_AUX_PERF_CLIENTINFO
MANUAL mapi_dissect_element_AuxInfo_auxHeader
MANUAL mapi_dissect_element_EcDoConnect_szUserDN
MANUAL mapi_dissect_element_EcDoConnectEx_szUserDN
MANUAL mapi_dissect_element_EcDoConnectEx_rgbAuxOut_
MANUAL mapi_dissect_element_EcDoRpcExt2_rgbAuxOut_
MANUAL mapi_dissect_element_EcDoConnect_rgwClientVersion
MANUAL mapi_dissect_element_EcDoConnect_rgwServerVersion
MANUAL mapi_dissect_element_EcDoConnect_rgwBestVersion
MANUAL mapi_dissect_element_EcDoConnectEx_rgwClientVersion
MANUAL mapi_dissect_element_EcDoConnectEx_rgwServerVersion
MANUAL mapi_dissect_element_EcDoConnectEx_rgwBestVersion
MANUAL mapi_dissect_struct_SyncUploadStateStreamContinue_req
MANUAL mapi_dissect_struct_SyncImportMessageMove_req
MANUAL mapi_dissect_bitmap_OpenFlags
MANUAL mapi_dissect_bitmap_StoreState
MANUAL mapi_dissect_struct_Logon_repl
MANUAL mapi_dissect_struct_RgbIn
MANUAL mapi_dissect_struct_RgbOut
MANUAL mapi_dissect_element_EcDoRpcExt2_rgbOut_
MANUAL mapi_dissect_element_EcDoRpcExt_rgbOut_
NOEMIT mapi_dissect_element_EcDoRpc_request
NOEMIT mapi_dissect_element_request_len
NOEMIT mapi_dissect_element_request_length
NOEMIT mapi_dissect_element_EcDoRpcMapiRequest_opnum
NOEMIT mapi_dissect_element_request_handles
NOEMIT mapi_dissect_element_EcDoRpc_MAPI_REPL_opnum
NOEMIT mapi_dissect_element_EcDoRpcMapiResponse_opnum
NOEMIT mapi_dissect_element_response_len
NOEMIT mapi_dissect_element_response_length
NOEMIT mapi_dissect_element_response_handles
NOEMIT mapi_dissect_element_EcDoRpc_response_
NOEMIT mapi_dissect_element_AuxInfo_auxInSize
NOEMIT mapi_dissect_element_AuxInfo_auxIn
NOEMIT mapi_dissect_element_AuxInfo_RpcHeaderExtension
NOEMIT mapi_dissect_element_AuxInfo_AUX_HEADER
NOEMIT mapi_dissect_element_AUX_HEADER_hdrType
NOEMIT mapi_dissect_element_AUX_HEADER_TYPE_ENUM_Type
NOEMIT mapi_dissect_element_AUX_HEADER_TYPE_ENUM_Type_2
NOEMIT mapi_dissect_element_AUX_HEADER_AuxData
NOEMIT mapi_dissect_element_AUX_DATA_Version1
NOEMIT mapi_dissect_element_AUX_DATA_Version2
NOEMIT mapi_dissect_element_AUX_PERF_CLIENTINFO_MachineNameOffset
NOEMIT mapi_dissect_element_AUX_PERF_CLIENTINFO_UserNameOffset
NOEMIT mapi_dissect_element_AUX_PERF_CLIENTINFO_ClientIPSize
NOEMIT mapi_dissect_element_AUX_PERF_CLIENTINFO_ClientIPOffset
NOEMIT mapi_dissect_element_AUX_PERF_CLIENTINFO_ClientIPMaskSize
NOEMIT mapi_dissect_element_AUX_PERF_CLIENTINFO_ClientIPMaskOffset
NOEMIT mapi_dissect_element_AUX_PERF_CLIENTINFO_AdapterNameOffset
NOEMIT mapi_dissect_element_AUX_PERF_CLIENTINFO_MacAddressSize
NOEMIT mapi_dissect_element_AUX_PERF_CLIENTINFO_MacAddressOffset
NOEMIT mapi_dissect_element_AUX_PERF_CLIENTINFO_MachineName
NOEMIT mapi_dissect_element_AUX_PERF_CLIENTINFO_UserName
NOEMIT mapi_dissect_element_AUX_PERF_CLIENTINFO_ClientIP
NOEMIT mapi_dissect_element_AUX_PERF_CLIENTINFO_ClientIPMask
NOEMIT mapi_dissect_element_AUX_PERF_CLIENTINFO_AdapterName
NOEMIT mapi_dissect_element_AUX_PERF_CLIENTINFO_MacAddress
NOEMIT mapi_dissect_element_AUX_HEADER_Size
NOEMIT mapi_dissect_element_EcDoConnectEx_rgbAuxOut__
NOEMIT mapi_dissect_element_EcDoRpcExt2_rgbAuxOut__
NOEMIT mapi_dissect_element_AuxInfo_auxHeader_
NOEMIT mapi_dissect_element_EcDoConnect_rgwClientVersion_
NOEMIT mapi_dissect_element_ROPRequest_RopId
NOEMIT mapi_dissect_element_SyncUploadStateStreamContinue_req_StreamDataSize
NOEMIT mapi_dissect_element_SyncUploadStateStreamContinue_req_StreamData
NOEMIT mapi_dissect_element_SyncImportMessageMove_req_SourceFolderIdSize
NOEMIT mapi_dissect_element_SyncImportMessageMove_req_SourceFolderId
NOEMIT mapi_dissect_element_SyncImportMessageMove_req_SourceMessageIdSize
NOEMIT mapi_dissect_element_SyncImportMessageMove_req_SourceMessageId
NOEMIT mapi_dissect_element_SyncImportMessageMove_req_PredecessorChangeListSize
NOEMIT mapi_dissect_element_SyncImportMessageMove_req_PredecessorChangeList
NOEMIT mapi_dissect_element_SyncImportMessageMove_req_DestinationMessageIdSize
NOEMIT mapi_dissect_element_SyncImportMessageMove_req_DestinationMessageId
NOEMIT mapi_dissect_element_SyncImportMessageMove_req_ChangeNumberSize
NOEMIT mapi_dissect_element_SyncImportMessageMove_req_ChangeNumber
NOEMIT mapi_dissect_element_Logon_repl_ReturnValue
NOEMIT mapi_dissect_element_Logon_repl_LogonFlags
NOEMIT mapi_dissect_element_RgbIn_RpcHeaderExtension
NOEMIT mapi_dissect_element_RgbIn_ropIn
NOEMIT mapi_dissect_element_RgbOut_RpcHeaderExtension
NOEMIT mapi_dissect_element_RgbOut_ropOut
NOEMIT mapi_dissect_element_EcDoRpcExt2_rgbOut__
NOEMIT mapi_dissect_element_EcDoRpcExt_rgbOut__
CODE START
static tvbuff_t *
mapi_deobfuscate(tvbuff_t *tvb, int offset, packet_info *pinfo, uint32_t size)
{
tvbuff_t *deob_tvb = NULL;
uint8_t *decrypted_data;
const uint8_t *ptr;
int reported_len;
reported_len = tvb_reported_length_remaining(tvb, offset);
if ((uint32_t) reported_len > size) {
reported_len = size;
}
if (size > (uint32_t) reported_len) {
size = reported_len;
}
ptr = tvb_get_ptr(tvb, offset, size);
decrypted_data = (uint8_t *)wmem_alloc0(pinfo->pool, size);
for (uint32_t i = 0; i < size; i++) {
decrypted_data[i] = ptr[i] ^ 0xA5;
}
deob_tvb = tvb_new_child_real_data(tvb, decrypted_data, size, reported_len);
return deob_tvb;
}
/* [MS-OXCRPC] 3.1.4.1.3.1 Version Number Comparison
*/
static int
normalize_version(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *tree, int hf_index, const char * str)
{
uint16_t version_0, build_major, product_major, product_minor;
char *value;
version_0= tvb_get_letohs(tvb, offset);
build_major= tvb_get_letohs(tvb, offset + 2);
if(build_major & 0x8000){
product_major = (version_0 & 0xFF00) >> 8;
product_minor = (version_0 & 0xFF);
build_major = (build_major & 0x7FFF);
} else {
product_major = version_0;
product_minor = 0;
}
value = wmem_strdup_printf( pinfo->pool
, "%d.%d.%d.%d"
, product_major
, product_minor
, build_major
, tvb_get_letohs(tvb, offset + 4));
proto_tree_add_string_format( tree
, hf_index
, tvb
, offset
, 6
, value
, "%s: %s"
, str
, value
);
return offset + 6;
}
static int
mapi_dissect_element_EcDoConnect_rgwClientVersion(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
{
return normalize_version(tvb, pinfo, offset, tree, hf_mapi_mapi_EcDoConnect_rgwClientVersion, "rgwClientVersion");
}
static int
mapi_dissect_element_EcDoConnect_rgwServerVersion(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
{
return normalize_version(tvb, pinfo, offset, tree, hf_mapi_mapi_EcDoConnect_rgwServerVersion, "rgwServerVersion");
}
static int
mapi_dissect_element_EcDoConnect_rgwBestVersion(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
{
return normalize_version(tvb, pinfo, offset, tree, hf_mapi_mapi_EcDoConnect_rgwBestVersion, "rgwBestVersion");
}
static int
mapi_dissect_element_EcDoConnectEx_rgwClientVersion(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
{
return normalize_version(tvb, pinfo, offset, tree, hf_mapi_mapi_EcDoConnectEx_rgwClientVersion, "rgwClientVersion");
}
static int
mapi_dissect_element_EcDoConnectEx_rgwServerVersion(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
{
return normalize_version(tvb, pinfo, offset, tree, hf_mapi_mapi_EcDoConnectEx_rgwServerVersion, "rgwServerVersion");
}
static int
mapi_dissect_element_EcDoConnectEx_rgwBestVersion(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
{
return normalize_version(tvb, pinfo, offset, tree, hf_mapi_mapi_EcDoConnectEx_rgwBestVersion, "rgwBestVersion");
}
static int
mapi_dissect_element_EcDoRpc_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
{
return mapi_dissect_struct_request(tvb, offset, pinfo, tree, di, drep, hf_mapi_mapi_EcDoRpc_mapi_request, 0);
}
static int
mapi_dissect_element_EcDoRpc_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
{
return mapi_dissect_struct_response(tvb, offset, pinfo, tree, di, drep, hf_mapi_mapi_EcDoRpc_mapi_response, 0);
}
/**
* Analyze mapi_request MAPI Handles
*/
static int
mapi_dissect_element_handles_cnf(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, int hf_index _U_, uint8_t *drep _U_)
{
int reported_len;
int handles_cnt = 0;
uint32_t value;
proto_tree *tr = NULL;
reported_len = tvb_reported_length_remaining(tvb, offset);
handles_cnt = reported_len / 4;
tr = proto_tree_add_subtree_format(tree, tvb, offset, reported_len, ett_mapi_mapi_request, NULL, "MAPI Handles: %d", handles_cnt);
for (int i = 0; i < handles_cnt; i++) {
value = tvb_get_letohl(tvb, offset);
proto_tree_add_uint_format(tr, hf_index, tvb, offset, 4, value, "[%.2d] MAPI handle: 0x%.8x", i, value);
offset += 4;
}
return offset;
}
int
mapi_dissect_struct_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *parent_tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_, int hf_index _U_, uint32_t param _U_)
{
proto_item *item = NULL;
proto_tree *tree = NULL;
int start_offset = offset;
tvbuff_t *decrypted_tvb;
uint32_t size;
uint16_t pdu_len;
ALIGN_TO_5_BYTES;
if (parent_tree) {
item = proto_tree_add_item(parent_tree, hf_index, tvb, start_offset, -1, ENC_NA);
tree = proto_item_add_subtree(item, ett_mapi_mapi_response);
}
offset = dissect_ndr_uint32(tvb, start_offset, pinfo, tree, di, drep, hf_mapi_mapi_response_mapi_len, &size);
decrypted_tvb = mapi_deobfuscate(tvb, offset, pinfo, size);
if (!decrypted_tvb || tvb_reported_length(decrypted_tvb) != size) {
return offset;
}
offset += size;
proto_item_set_len(item, offset - start_offset);
{
add_new_data_source(pinfo, decrypted_tvb, "Decrypted MAPI Response");
tree = proto_tree_add_subtree(tree, decrypted_tvb, 0, size, ett_mapi_mapi_response, NULL, "Decrypted MAPI Response PDU");
pdu_len = tvb_get_letohs(decrypted_tvb, 0);
proto_tree_add_uint(tree, hf_mapi_mapi_response_length, decrypted_tvb, 0, sizeof(uint16_t), pdu_len);
proto_tree_add_item(tree, hf_mapi_decrypted_data, decrypted_tvb, sizeof(uint16_t), pdu_len - sizeof(uint16_t), ENC_NA);
/* analyze contents */
mapi_dissect_element_response_rpcResponse(decrypted_tvb, sizeof(uint16_t), pinfo, tree, di, drep);
mapi_dissect_element_handles_cnf(decrypted_tvb, pdu_len, pinfo, tree, di, hf_mapi_mapi_response_handles, drep);
}
if (di->call_data->flags & DCERPC_IS_NDR64) {
ALIGN_TO_5_BYTES;
}
return offset;
}
static int
mapi_dissect_element_AuxInfo_auxHeader(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
{
unsigned total_length = tvb_reported_length(tvb);
if(di->conformant_run){
return offset;
}
while(offset >= 0 && (unsigned)offset < total_length){
offset = mapi_dissect_struct_AUX_HEADER(tvb,offset,pinfo,tree,di,drep,di->ptype == PDU_REQ ? hf_mapi_AuxInfo_auxHeader : hf_mapi_AuxInfoOut_auxHeader ,0);
}
return offset;
}
static int
dissect_EcDoConnectEx_AuxInfoOut(tvbuff_t *tvb _U_, int offset _U_, int length _U_, packet_info *pinfo _U_, proto_tree *parent_tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
{
if (length == 0){
return offset;
}
return mapi_dissect_struct_AuxInfo(tvb, offset, pinfo, parent_tree, di, drep, hf_mapi_mapi_EcDoConnectEx_rgbAuxOut, 0);
}
static int
mapi_dissect_element_EcDoConnectEx_rgbAuxOut_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
{
return dissect_ndr_ucvarray_block(tvb, offset, pinfo, tree, di, drep, &dissect_EcDoConnectEx_AuxInfoOut);
}
static int
dissect_EcDoRpcExt2_AuxInfoOut(tvbuff_t *tvb _U_, int offset _U_, int length _U_, packet_info *pinfo _U_, proto_tree *parent_tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
{
if (length == 0){
return offset;
}
return mapi_dissect_struct_AuxInfo(tvb, offset, pinfo, parent_tree, di, drep, hf_mapi_mapi_EcDoRpcExt2_rgbAuxOut, 0);
}
static int
mapi_dissect_element_EcDoRpcExt2_rgbAuxOut_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
{
return dissect_ndr_ucvarray_block(tvb, offset, pinfo, tree, di, drep, &dissect_EcDoRpcExt2_AuxInfoOut);
}
int
mapi_dissect_struct_AUX_PERF_CLIENTINFO(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *parent_tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_, int hf_index _U_, uint32_t param _U_)
{
proto_item *item = NULL;
proto_tree *tree = NULL;
bool oldalign = di->no_align;
int old_offset, cur_end_offset;
uint16_t MachineNameOffset;
uint16_t UserNameOffset;
uint16_t ClientIPSize;
uint16_t ClientIPOffset;
uint16_t ClientIPMaskSize;
uint16_t ClientIPMaskOffset;
uint16_t AdapterNameOffset;
uint16_t MacAddressSize;
uint16_t MacAddressOffset;
di->no_align = true;
old_offset = offset;
if (parent_tree) {
item = proto_tree_add_item(parent_tree, hf_index, tvb, offset, -1, ENC_NA);
tree = proto_item_add_subtree(item, ett_mapi_AUX_PERF_CLIENTINFO);
}
offset = mapi_dissect_element_AUX_PERF_CLIENTINFO_AdapterSpeed(tvb, offset, pinfo, tree, di, drep);
offset = mapi_dissect_element_AUX_PERF_CLIENTINFO_ClientID(tvb, offset, pinfo, tree, di, drep);
offset = PIDL_dissect_uint16_val(tvb, offset, pinfo, tree, di, drep, hf_mapi_AUX_PERF_CLIENTINFO_MachineNameOffset, 0, &MachineNameOffset);
offset = PIDL_dissect_uint16_val(tvb, offset, pinfo, tree, di, drep, hf_mapi_AUX_PERF_CLIENTINFO_UserNameOffset, 0, &UserNameOffset);
offset = PIDL_dissect_uint16_val(tvb, offset, pinfo, tree, di, drep, hf_mapi_AUX_PERF_CLIENTINFO_ClientIPSize, 0, &ClientIPSize);
offset = PIDL_dissect_uint16_val(tvb, offset, pinfo, tree, di, drep, hf_mapi_AUX_PERF_CLIENTINFO_ClientIPOffset, 0, &ClientIPOffset);
offset = PIDL_dissect_uint16_val(tvb, offset, pinfo, tree, di, drep, hf_mapi_AUX_PERF_CLIENTINFO_ClientIPMaskSize, 0, &ClientIPMaskSize);
offset = PIDL_dissect_uint16_val(tvb, offset, pinfo, tree, di, drep, hf_mapi_AUX_PERF_CLIENTINFO_ClientIPMaskOffset, 0, &ClientIPMaskOffset);
offset = PIDL_dissect_uint16_val(tvb, offset, pinfo, tree, di, drep, hf_mapi_AUX_PERF_CLIENTINFO_AdapterNameOffset, 0, &AdapterNameOffset);
offset = PIDL_dissect_uint16_val(tvb, offset, pinfo, tree, di, drep, hf_mapi_AUX_PERF_CLIENTINFO_MacAddressSize, 0, &MacAddressSize);
offset = PIDL_dissect_uint16_val(tvb, offset, pinfo, tree, di, drep, hf_mapi_AUX_PERF_CLIENTINFO_MacAddressOffset, 0, &MacAddressOffset);
offset = mapi_dissect_element_AUX_PERF_CLIENTINFO_ClientMode(tvb, offset, pinfo, tree, di, drep);
offset = mapi_dissect_element_AUX_PERF_CLIENTINFO_Reserved(tvb, offset, pinfo, tree, di, drep);
if (MachineNameOffset > 0){
cur_end_offset = dissect_null_term_wstring(tvb, MachineNameOffset, pinfo, tree, drep, hf_mapi_AUX_PERF_CLIENTINFO_MachineName , 0);
if (cur_end_offset > offset)
offset = cur_end_offset;
}
if (UserNameOffset > 0){
cur_end_offset = dissect_null_term_wstring(tvb, UserNameOffset, pinfo, tree, drep, hf_mapi_AUX_PERF_CLIENTINFO_UserName , 0);
if (cur_end_offset > offset)
offset = cur_end_offset;
}
if (ClientIPOffset > 0 && ClientIPSize > 0){
if(ClientIPSize == 4){
proto_tree_add_item(tree, hf_mapi_AUX_PERF_CLIENTINFO_ClientIPV4, tvb, ClientIPOffset, 4, ENC_NA);
} else if(ClientIPSize == 16){
proto_tree_add_item(tree, hf_mapi_AUX_PERF_CLIENTINFO_ClientIPV6, tvb, ClientIPOffset, 16, ENC_NA);
}
cur_end_offset = ClientIPOffset + ClientIPSize;
if (cur_end_offset > offset)
offset = cur_end_offset;
}
if (ClientIPMaskOffset > 0 && ClientIPMaskSize > 0){
for (int i = 0; i < ClientIPMaskSize; i++)
cur_end_offset = PIDL_dissect_uint8(tvb, ClientIPMaskOffset+i, pinfo, tree, di, drep, hf_mapi_AUX_PERF_CLIENTINFO_ClientIPMask, 0);
if (cur_end_offset > offset)
offset = cur_end_offset;
}
if (AdapterNameOffset > 0){
cur_end_offset = dissect_null_term_wstring(tvb, AdapterNameOffset, pinfo, tree, drep, hf_mapi_AUX_PERF_CLIENTINFO_AdapterName , 0);
if (cur_end_offset > offset)
offset = cur_end_offset;
}
if (MacAddressOffset > 0 && MacAddressSize > 0){
if(MacAddressSize == 6){
proto_tree_add_item(tree, hf_mapi_AUX_PERF_CLIENTINFO_MacAddressEther, tvb, MacAddressOffset, 6, ENC_NA);
}
cur_end_offset = MacAddressOffset + MacAddressSize;
if (cur_end_offset > offset)
offset = cur_end_offset;
}
proto_item_set_len(item, offset-old_offset);
di->no_align = oldalign;
return offset;
}
static int
mapi_dissect_AuxDataVersion1(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *parent_tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_, int hf_index _U_, uint32_t param _U_);
static int
mapi_dissect_AuxDataVersion2(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *parent_tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_, int hf_index _U_, uint32_t param _U_);
static int
mapi_dissect_AUX_DATA(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *parent_tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_, uint8_t Version, int hf_index _U_, uint8_t hdrType)
{
switch(Version) {
case AUX_VERSION_1:
return mapi_dissect_AuxDataVersion1(tvb, offset, pinfo, parent_tree, di, drep, hf_mapi_AUX_DATA_Version1, hdrType);
case AUX_VERSION_2:
return mapi_dissect_AuxDataVersion2(tvb, offset, pinfo, parent_tree, di, drep, hf_mapi_AUX_DATA_Version2, hdrType);
default:
return offset;
}
}
static int
mapi_dissect_AUX_HEADER_TYPE_ENUM(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *parent_tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_, uint8_t Version, int hf_index _U_, uint8_t *hdrType)
{
switch(Version) {
case AUX_VERSION_1:
return PIDL_dissect_uint8_val(tvb, offset, pinfo, parent_tree, di, drep, hf_mapi_AUX_HEADER_TYPE_ENUM_Type, 0, hdrType);
case AUX_VERSION_2:
return PIDL_dissect_uint8_val(tvb, offset, pinfo, parent_tree, di, drep, hf_mapi_AUX_HEADER_TYPE_ENUM_Type_2, 0, hdrType);
default:
return offset;
}
}
int
mapi_dissect_struct_AUX_HEADER(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *parent_tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_, int hf_index _U_, uint32_t param _U_)
{
uint16_t auxSize = 0;
uint8_t Version = 0;
uint8_t hdrType = 0;
proto_item *item = NULL;
proto_tree *tree = NULL;
bool oldalign = di->no_align;
di->no_align = true;
if (parent_tree) {
item = proto_tree_add_item(parent_tree, hf_index, tvb, offset, -1, ENC_NA);
tree = proto_item_add_subtree(item, ett_mapi_AUX_HEADER);
}
offset = PIDL_dissect_uint16_val(tvb, offset, pinfo, tree, di, drep, hf_mapi_AUX_HEADER_Size, 0, &auxSize);
offset = mapi_dissect_element_AUX_HEADER_Version(tvb, offset, pinfo, tree, di, drep, &Version);
offset = mapi_dissect_AUX_HEADER_TYPE_ENUM(tvb, offset, pinfo, tree, di, drep, Version, hf_mapi_AUX_HEADER_hdrType, &hdrType);
offset = mapi_dissect_AUX_DATA(tvb, offset, pinfo, tree, di, drep, Version, hf_mapi_AUX_HEADER_AuxData, hdrType);
proto_item_set_len(item, auxSize);
di->no_align = oldalign;
return offset;
}
int
mapi_dissect_struct_EcDoRpcMapiRequest(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *parent_tree, dcerpc_info* di, uint8_t *drep, int hf_index, uint32_t param)
{
uint8_t opnum = 0;
proto_item *item = NULL;
proto_tree *tree = NULL;
bool oldalign = di->no_align;
int old_offset;
di->no_align = true;
old_offset = offset;
if (parent_tree) {
item = proto_tree_add_item(parent_tree, hf_index, tvb, offset, -1, ENC_NA);
tree = proto_item_add_subtree(item, ett_mapi_EcDoRpcMapiRequest);
}
offset = PIDL_dissect_uint8_val(tvb, offset, pinfo, tree, di, drep, hf_mapi_EcDoRpcMapiRequest_opnum, param, &opnum);
col_append_fstr(pinfo->cinfo, COL_INFO, " + %s", val_to_str_const(opnum, mapi_ROP_OPNUM_vals, "Unknown MAPI operation"));
offset = mapi_dissect_element_EcDoRpcMapiRequest_u(tvb, offset, pinfo, tree, di, drep, &opnum);
proto_item_set_len(item, offset-old_offset);
di->no_align = oldalign;
return offset;
}
int
mapi_dissect_struct_request(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *parent_tree, dcerpc_info* di, uint8_t *drep, int hf_index, uint32_t param _U_)
{
proto_item *item = NULL;
proto_tree *tree = NULL;
int start_offset = offset;
tvbuff_t *decrypted_tvb = NULL;
uint16_t pdu_len;
uint32_t size;
ALIGN_TO_5_BYTES;
if (parent_tree) {
item = proto_tree_add_item(parent_tree, hf_index, tvb, offset, -1, ENC_NA);
tree = proto_item_add_subtree(item, ett_mapi_mapi_request);
}
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep, hf_mapi_mapi_request_mapi_len, &size);
decrypted_tvb = mapi_deobfuscate(tvb, offset, pinfo, size);
if (!decrypted_tvb || tvb_reported_length(decrypted_tvb) != size) {
return offset;
}
offset += size;
proto_item_set_len(item, offset - start_offset);
{
add_new_data_source(pinfo, decrypted_tvb, "Decrypted MAPI Request");
tree = proto_tree_add_subtree(tree, decrypted_tvb, 0, size, ett_mapi_mapi_request, NULL, "Decrypted MAPI Request PDU");
pdu_len = tvb_get_letohs(decrypted_tvb, 0);
proto_tree_add_uint(tree, hf_mapi_mapi_request_length, decrypted_tvb, 0, 2, pdu_len);
proto_tree_add_item(tree, hf_mapi_decrypted_data, decrypted_tvb, 2, pdu_len - 2, ENC_NA);
/* analyze contents */
mapi_dissect_element_request_rpcRequest(decrypted_tvb, 2, pinfo, tree, di, drep);
mapi_dissect_element_handles_cnf(decrypted_tvb, pdu_len, pinfo, tree, di, hf_mapi_mapi_request_handles, drep);
}
if (di->call_data->flags & DCERPC_IS_NDR64) {
ALIGN_TO_5_BYTES;
}
return offset;
}
static int
mapi_dissect_element_EcDoConnect_szUserDN(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
{
char *data= NULL;
offset = dissect_ndr_cvstring(tvb, offset, pinfo, tree, di, drep, sizeof(uint8_t), hf_mapi_mapi_EcDoConnect_szUserDN, false, &data);
proto_item_append_text(tree, ": %s", data);
col_append_fstr(pinfo->cinfo, COL_INFO, " DN: %s", data);
return offset;
}
static int
mapi_dissect_element_EcDoConnectEx_szUserDN(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
{
char *data= NULL;
offset = dissect_ndr_cvstring(tvb, offset, pinfo, tree, di, drep, sizeof(uint8_t), hf_mapi_mapi_EcDoConnectEx_szUserDN, false, &data);
proto_item_append_text(tree, ": %s", data);
col_append_fstr(pinfo->cinfo, COL_INFO, " DN: %s", data);
return offset;
}
int
mapi_dissect_struct_EcDoRpcMapiResponse(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *parent_tree, dcerpc_info* di, uint8_t *drep, int hf_index, uint32_t param)
{
uint8_t opnum = 0;
proto_item *item = NULL;
proto_tree *tree = NULL;
bool oldalign = di->no_align;
int old_offset= offset;
di->no_align = true;
if (parent_tree) {
item = proto_tree_add_item(parent_tree, hf_index, tvb, offset, -1, ENC_NA);
tree = proto_item_add_subtree(item, ett_mapi_EcDoRpcMapiResponse);
}
offset = PIDL_dissect_uint8_val(tvb, offset, pinfo, tree, di, drep, hf_mapi_EcDoRpcMapiResponse_opnum, param, &opnum);
col_append_fstr(pinfo->cinfo, COL_INFO, " + %s", val_to_str_const(opnum, mapi_ROP_OPNUM_vals, "Unknown MAPI operation"));
offset = mapi_dissect_element_EcDoRpcMapiResponse_u(tvb, offset, pinfo, tree, di, drep, &opnum);
proto_item_set_len(item, offset-old_offset);
di->no_align = oldalign;
return offset;
}
static int
uint32_size_uint8_buffer(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *parent_tree, dcerpc_info* di, uint8_t *drep, int hf_size_index, int hf_buffer_index, uint32_t param)
{
uint32_t size= 0;
offset = PIDL_dissect_uint32_val(tvb, offset, pinfo, parent_tree, di, drep, hf_size_index, param, &size);
proto_tree_add_item(parent_tree, hf_buffer_index, tvb, offset, size, ENC_NA);
return offset+size;
}
int
mapi_dissect_struct_SyncUploadStateStreamContinue_req(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *parent_tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_, int hf_index _U_, uint32_t param _U_)
{
proto_item *item = NULL;
proto_tree *tree = NULL;
bool oldalign = di->no_align;
int old_offset= offset;
di->no_align = true;
if (parent_tree) {
item = proto_tree_add_item(parent_tree, hf_index, tvb, offset, -1, ENC_NA);
tree = proto_item_add_subtree(item, ett_mapi_SyncUploadStateStreamContinue_req);
}
offset = mapi_dissect_element_SyncUploadStateStreamContinue_req_LogonId(tvb, offset, pinfo, tree, di, drep);
offset = mapi_dissect_element_SyncUploadStateStreamContinue_req_InputHandleIndex(tvb, offset, pinfo, tree, di, drep);
offset = uint32_size_uint8_buffer(tvb, offset, pinfo, tree, di, drep, hf_mapi_SyncUploadStateStreamContinue_req_StreamDataSize, hf_mapi_SyncUploadStateStreamContinue_req_StreamDataValue, 0);
proto_item_set_len(item, offset-old_offset);
di->no_align = oldalign;
return offset;
}
int
mapi_dissect_struct_SyncImportMessageMove_req(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *parent_tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_, int hf_index _U_, uint32_t param _U_)
{
proto_item *item = NULL;
proto_tree *tree = NULL;
bool oldalign = di->no_align;
int old_offset = offset;
di->no_align = true;
if (parent_tree) {
item = proto_tree_add_item(parent_tree, hf_index, tvb, offset, -1, ENC_NA);
tree = proto_item_add_subtree(item, ett_mapi_SyncImportMessageMove_req);
}
offset = mapi_dissect_element_SyncImportMessageMove_req_LogonId(tvb, offset, pinfo, tree, di, drep);
offset = mapi_dissect_element_SyncImportMessageMove_req_InputHandleIndex(tvb, offset, pinfo, tree, di, drep);
offset = uint32_size_uint8_buffer(tvb, offset, pinfo, tree, di, drep, hf_mapi_SyncImportMessageMove_req_SourceFolderIdSize, hf_mapi_SyncImportMessageMove_req_SourceFolderIdValue, 0);
offset = uint32_size_uint8_buffer(tvb, offset, pinfo, tree, di, drep, hf_mapi_SyncImportMessageMove_req_SourceMessageIdSize, hf_mapi_SyncImportMessageMove_req_SourceMessageIdValue, 0);
offset = uint32_size_uint8_buffer(tvb, offset, pinfo, tree, di, drep, hf_mapi_SyncImportMessageMove_req_PredecessorChangeListSize, hf_mapi_SyncImportMessageMove_req_PredecessorChangeListValue, 0);
offset = uint32_size_uint8_buffer(tvb, offset, pinfo, tree, di, drep, hf_mapi_SyncImportMessageMove_req_DestinationMessageIdSize, hf_mapi_SyncImportMessageMove_req_DestinationMessageIdValue, 0);
offset = uint32_size_uint8_buffer(tvb, offset, pinfo, tree, di, drep, hf_mapi_SyncImportMessageMove_req_ChangeNumberSize, hf_mapi_SyncImportMessageMove_req_ChangeNumberValue, 0);
proto_item_set_len(item, offset-old_offset);
di->no_align = oldalign;
return offset;
}
/* IDL: bitmap { */
/* IDL: PUBLIC = 0x2 , */
/* IDL: HOME_LOGON = 0x4 , */
/* IDL: TAKE_OWNERSHIP = 0x8 , */
/* IDL: ALTERNATE_SERVER = 0x100 , */
/* IDL: IGNORE_HOME_MDB = 0x200 , */
/* IDL: NO_MAIL = 0x400 , */
/* IDL: USE_PER_MDB_REPLID_MAPPING = 0x010000000 , */
/* IDL: } */
int
mapi_dissect_bitmap_OpenFlags(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *parent_tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_, int hf_index _U_, uint32_t param _U_)
{
proto_item *item= NULL;
static int * const mapi_OpenFlags_fields[] = {
&hf_mapi_OpenFlags_PUBLIC,
&hf_mapi_OpenFlags_HOME_LOGON,
&hf_mapi_OpenFlags_TAKE_OWNERSHIP,
&hf_mapi_OpenFlags_ALTERNATE_SERVER,
&hf_mapi_OpenFlags_IGNORE_HOME_MDB,
&hf_mapi_OpenFlags_NO_MAIL,
&hf_mapi_OpenFlags_USE_PER_MDB_REPLID_MAPPING,
NULL
};
uint32_t flags;
item = proto_tree_add_bitmask_with_flags(parent_tree, tvb, offset, hf_index,
ett_mapi_OpenFlags, mapi_OpenFlags_fields, DREP_ENC_INTEGER(drep), BMT_NO_FALSE);
offset = dissect_ndr_uint32(tvb, offset, pinfo, parent_tree, di, drep, -1, &flags);
if (!flags)
proto_item_append_text(item, ": (No values set)");
if (flags & (~0x1000070e)) {
flags &= (~0x1000070e);
proto_item_append_text(item, "Unknown bitmap value 0x%x", flags);
}
return offset;
}
int
mapi_dissect_bitmap_StoreState(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *parent_tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_, int hf_index _U_, uint32_t param _U_)
{
proto_item *item;
static int * const mapi_StoreState_fields[] = {
&hf_mapi_StoreState_STORE_HAS_SEARCHES,
NULL
};
uint32_t flags;
item = proto_tree_add_bitmask_with_flags(parent_tree, tvb, offset, hf_index,
ett_mapi_StoreState, mapi_StoreState_fields, DREP_ENC_INTEGER(drep), BMT_NO_FALSE);
offset = dissect_ndr_uint32(tvb, offset, pinfo, parent_tree, di, drep, -1, &flags);
if (!flags)
proto_item_append_text(item, ": (No values set)");
if (flags & (~0x10000000)) {
flags &= (~0x10000000);
proto_item_append_text(item, "Unknown bitmap value 0x%x", flags);
}
return offset;
}
int
mapi_dissect_struct_Logon_repl(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *parent_tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_, int hf_index _U_, uint32_t param _U_)
{
proto_item *item = NULL;
proto_tree *tree = NULL;
bool oldalign = di->no_align;
int old_offset= offset;
uint32_t returnValue;
di->no_align = true;
if (parent_tree) {
item = proto_tree_add_item(parent_tree, hf_index, tvb, offset, -1, ENC_NA);
tree = proto_item_add_subtree(item, ett_mapi_Logon_repl);
}
offset = mapi_dissect_element_Logon_repl_OutputHandleIndex(tvb, offset, pinfo, tree, di, drep);
offset = PIDL_dissect_uint32_val(tvb, offset, pinfo, tree, di, drep, hf_mapi_Logon_repl_ReturnValue, 0, &returnValue);
if (returnValue == 0x0){
// 2.2.3.1.2 RopLogon ROP Success Response Buffer
uint8_t LogonFlags= 0;
offset = mapi_dissect_enum_LogonFlags(tvb, offset, pinfo, tree, di, drep, hf_mapi_Logon_repl_LogonFlags, &LogonFlags);
if (LogonFlags == 0x1){
// Private
offset = mapi_dissect_element_Logon_repl_FolderIds(tvb, offset, pinfo, tree, di, drep);
offset = mapi_dissect_element_Logon_repl_ResponseFlags(tvb, offset, pinfo, tree, di, drep);
offset = mapi_dissect_element_Logon_repl_MailboxGuid(tvb, offset, pinfo, tree, di, drep);
offset = mapi_dissect_element_Logon_repl_ReplId(tvb, offset, pinfo, tree, di, drep);
offset = mapi_dissect_element_Logon_repl_ReplGuid(tvb, offset, pinfo, tree, di, drep);
offset = mapi_dissect_element_Logon_repl_LogonTime(tvb, offset, pinfo, tree, di, drep);
offset = mapi_dissect_element_Logon_repl_GwartTime(tvb, offset, pinfo, tree, di, drep);
offset = mapi_dissect_element_Logon_repl_StoreState(tvb, offset, pinfo, tree, di, drep);
} else {
// Public
offset = mapi_dissect_element_Logon_repl_FolderIds(tvb, offset, pinfo, tree, di, drep);
offset = mapi_dissect_element_Logon_repl_ReplId(tvb, offset, pinfo, tree, di, drep);
offset = mapi_dissect_element_Logon_repl_ReplGuid(tvb, offset, pinfo, tree, di, drep);
offset = mapi_dissect_element_Logon_repl_PerUserGuid(tvb, offset, pinfo, tree, di, drep);
}
} else if (returnValue == 0x00000478){
// 2.2.1.1.2 RopLogon ROP Redirect Response Buffer
offset = mapi_dissect_enum_LogonFlags(tvb, offset, pinfo, tree, di, drep, hf_mapi_Logon_repl_LogonFlags, 0);
offset = mapi_dissect_element_Logon_repl_ServerNameSize(tvb, offset, pinfo, tree, di, drep);
offset = mapi_dissect_element_Logon_repl_ServerName(tvb, offset, pinfo, tree, di, drep);
}
proto_item_set_len(item, offset-old_offset);
di->no_align = oldalign;
return offset;
}
#define RHEF_Compressed 0x0001
#define RHEF_XorMagic 0x0002
#define RHEF_Last 0x0004
static
int dissect_RPC_HEADER_EXT(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *parent_tree, dcerpc_info* di, uint8_t *drep, int hf_index, tvbuff_t **ppUncomp_tvb)
{
proto_tree *hTree = NULL;
proto_item *rpcItem = NULL;
uint16_t flags;
uint16_t compressedSize= 0, uncompressedSize= 0;
int old_offset= offset;
ALIGN_TO_2_BYTES;
if (parent_tree) {
rpcItem = proto_tree_add_item(parent_tree, hf_index, tvb, offset, -1, ENC_NA);
hTree = proto_item_add_subtree(rpcItem, ett_mapi_RPC_HEADER_EXT);
}
offset = mapi_dissect_element_RPC_HEADER_EXT_Version(tvb, offset, pinfo, hTree, di, drep);
proto_item *flagItem;
static int * const mapi_RPC_HEADER_EXT_Flags_fields[] = {
&hf_mapi_RPC_HEADER_EXT_Flags_RHEF_Compressed,
&hf_mapi_RPC_HEADER_EXT_Flags_RHEF_XorMagic,
&hf_mapi_RPC_HEADER_EXT_Flags_RHEF_Last,
NULL
};
ALIGN_TO_2_BYTES;
flagItem = proto_tree_add_bitmask_with_flags(hTree, tvb, offset, hf_mapi_RPC_HEADER_EXT_Flags,
ett_mapi_RPC_HEADER_EXT_Flags, mapi_RPC_HEADER_EXT_Flags_fields, DREP_ENC_INTEGER(drep), BMT_NO_FALSE);
offset = dissect_ndr_uint16(tvb, offset, pinfo, hTree, di, drep, -1, &flags);
if (!flags)
proto_item_append_text(flagItem, ": (No values set)");
if (flags & (~0x00000007)) {
flags &= (~0x00000007);
proto_item_append_text(flagItem, "Unknown bitmap value 0x%x", flags);
}
offset = PIDL_dissect_uint16_val(tvb, offset, pinfo, hTree, di, drep, hf_mapi_RPC_HEADER_EXT_Size, 0, &compressedSize);
offset = PIDL_dissect_uint16_val(tvb, offset, pinfo, hTree, di, drep, hf_mapi_RPC_HEADER_EXT_SizeActual, 0, &uncompressedSize);
proto_item_set_len(flagItem, 2);
if (di->call_data->flags & DCERPC_IS_NDR64) {
ALIGN_TO_2_BYTES;
}
bool last = RHEF_Last == (flags & RHEF_Last);
bool compressed = RHEF_Compressed == (flags & RHEF_Compressed);
bool xored = RHEF_XorMagic == (flags & RHEF_XorMagic);
if (!last){
// TODO: Currently we don't support multiple buffers of RPC_HEADER_EXT.
return offset;
}
if (compressed && xored){
// TODO: Currently we don't support both compressed and Xored
return offset;
}
if (compressed){
*ppUncomp_tvb= tvb_child_uncompress_lz77(tvb, tvb, offset, compressedSize);
} else if (xored){
*ppUncomp_tvb= mapi_deobfuscate(tvb, offset, pinfo, uncompressedSize);
} else if (!compressed && !xored) {
*ppUncomp_tvb = tvb_new_subset_length(tvb, offset, uncompressedSize);
} else {
return offset;
}
if (!(*ppUncomp_tvb) || tvb_reported_length(*ppUncomp_tvb) != uncompressedSize) {
*ppUncomp_tvb= NULL;
return offset;
}
offset += compressedSize;
proto_item_set_len(rpcItem, offset-old_offset);
return offset;
}
int
mapi_dissect_struct_AuxInfo(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *parent_tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_, int hf_index _U_, uint32_t param _U_)
{
proto_item *item = NULL;
proto_tree *tree = NULL;
int old_offset= offset;
tvbuff_t *uncomp_tvb = NULL;
ALIGN_TO_4_BYTES;
if(di->conformant_run){
return offset;
}
if (parent_tree) {
item = proto_tree_add_item(parent_tree, hf_index, tvb, offset, -1, ENC_NA);
tree = proto_item_add_subtree(item, ett_mapi_AuxInfo);
}
if (di->ptype == PDU_REQ){
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep, hf_mapi_AuxInfo_auxInSize, NULL);
}
offset = dissect_RPC_HEADER_EXT(tvb, offset, pinfo, tree, di, drep, di->ptype == PDU_REQ ? hf_mapi_AuxInfo_RpcHeaderExtension : hf_mapi_AuxInfoOut_RpcHeaderExtension, &uncomp_tvb);
if (!uncomp_tvb) {
return offset;
}
proto_item_set_len(item, offset-old_offset);
add_new_data_source(pinfo, uncomp_tvb, "Decrypted MAPI AuxInfo");
{
tree = proto_tree_add_subtree(tree, uncomp_tvb, 0, tvb_reported_length(uncomp_tvb), ett_mapi_connect_request, NULL, "Decrypted MAPI AuxInfo");
mapi_dissect_element_AuxInfo_auxHeader(uncomp_tvb, 0, pinfo, tree, di, drep);
}
if (di->call_data->flags & DCERPC_IS_NDR64) {
ALIGN_TO_4_BYTES;
}
return offset;
}
static int
mapi_dissect_RgbInOut(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *parent_tree, dcerpc_info* di, uint8_t *drep, int hf_index)
{
proto_item *item = NULL;
proto_tree *tree = NULL;
int old_offset= offset;
tvbuff_t *uncomp_tvb = NULL;
if (parent_tree) {
item = proto_tree_add_item(parent_tree, hf_index, tvb, offset, -1, ENC_NA);
tree = proto_item_add_subtree(item, di->ptype == PDU_REQ ? ett_mapi_RgbIn : ett_mapi_RgbOut);
}
if (di->ptype == PDU_REQ){
offset = dissect_ndr_uint3264(tvb, offset, pinfo, tree, di, drep, di->ptype == PDU_REQ ? hf_mapi_RgbInSize : hf_mapi_RgbOutSize, NULL);
}
offset = dissect_RPC_HEADER_EXT(tvb, offset, pinfo, tree, di, drep, di->ptype == PDU_REQ ? hf_mapi_RgbIn_RpcHeaderExtension : hf_mapi_RgbOut_RpcHeaderExtension, &uncomp_tvb);
if (!uncomp_tvb) {
return offset;
}
proto_item_set_len(item, offset-old_offset);
add_new_data_source(pinfo, uncomp_tvb, di->ptype == PDU_REQ ? "Decrypted MAPI ROPIn PDU" : "Decrypted MAPI ROPOut PDU");
{
int uncompressed_offset= 0;
uint16_t total_length;
item = proto_tree_add_item(tree, di->ptype == PDU_REQ ? hf_mapi_RgbIn_ropIn : hf_mapi_RgbOut_ropOut, uncomp_tvb, 0, tvb_reported_length(uncomp_tvb), ENC_NA);
tree = proto_item_add_subtree(item, di->ptype == PDU_REQ ? ett_mapi_RgbIn : ett_mapi_RgbOut);
uncompressed_offset = PIDL_dissect_uint16_val(uncomp_tvb, uncompressed_offset, pinfo, tree, di, drep, di->ptype == PDU_REQ ? hf_mapi_ROPInputBuffer_ropSize : hf_mapi_ROPOutputBuffer_ropSize, 0, &total_length);
while((unsigned)(uncompressed_offset) < total_length){
if (di->ptype == PDU_REQ){
uncompressed_offset = mapi_dissect_struct_RopInput(uncomp_tvb, uncompressed_offset,pinfo,tree,di,drep,hf_mapi_ROPInputBuffer_rop,0);
} else {
uncompressed_offset = mapi_dissect_struct_RopOutput(uncomp_tvb, uncompressed_offset,pinfo,tree,di,drep,hf_mapi_ROPOutputBuffer_rop,0);
}
}
}
ALIGN_TO_5_BYTES
return offset;
}
int
mapi_dissect_struct_RgbIn(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *parent_tree, dcerpc_info* di, uint8_t *drep, int hf_index, uint32_t param _U_)
{
return mapi_dissect_RgbInOut(tvb, offset, pinfo, parent_tree, di, drep, hf_index);
}
static int
dissect_EcDoRpcExt2_RgbOut(tvbuff_t *tvb _U_, int offset _U_, int length _U_, packet_info *pinfo _U_, proto_tree *parent_tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
{
if (length == 0){
return offset;
}
return mapi_dissect_struct_RgbOut(tvb, offset, pinfo, parent_tree, di, drep, hf_mapi_mapi_EcDoRpcExt2_rgbOut, 0);
}
static int
mapi_dissect_element_EcDoRpcExt2_rgbOut_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
{
return dissect_ndr_ucvarray_block(tvb, offset, pinfo, tree, di, drep, &dissect_EcDoRpcExt2_RgbOut);
}
static int
dissect_EcDoRpcExt_RgbOut(tvbuff_t *tvb _U_, int offset _U_, int length _U_, packet_info *pinfo _U_, proto_tree *parent_tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
{
if (length == 0){
return offset;
}
return mapi_dissect_struct_RgbOut(tvb, offset, pinfo, parent_tree, di, drep, hf_mapi_mapi_EcDoRpcExt_rgbOut, 0);
}
static int
mapi_dissect_element_EcDoRpcExt_rgbOut_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_)
{
return dissect_ndr_ucvarray_block(tvb, offset, pinfo, tree, di, drep, &dissect_EcDoRpcExt_RgbOut);
}
int
mapi_dissect_struct_RgbOut(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *parent_tree _U_, dcerpc_info* di _U_, uint8_t *drep _U_, int hf_index _U_, uint32_t param _U_)
{
return mapi_dissect_RgbInOut(tvb, offset, pinfo, parent_tree, di, drep, hf_index);
}
CODE END
|
