1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
|
TYPE lsa_StringLarge "offset=lsarpc_dissect_struct_lsa_StringLarge(tvb, offset, pinfo, tree, di, drep, @HF@, @PARAM@);" FT_NONE BASE_NONE 0 NULL NULL
TYPE winreg_Type "offset=misc_dissect_enum_winreg_Type(tvb, offset, pinfo, tree, di, drep, @HF@, @PARAM@);" FT_NONE BASE_NONE 0 NULL NULL
IMPORT security_secinfo offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep, hf_winreg_winreg_GetKeySecurity_sec_info, NULL);
#
# Make all instances of an access mask use the same hf field display filter
# name
#
HF_FIELD hf_winreg_access_mask "Access Mask" "winreg.access_mask" FT_UINT32 BASE_HEX NULL 0 "" "" ""
HF_RENAME hf_winreg_winreg_OpenHKCR_access_mask hf_winreg_access_mask
HF_RENAME hf_winreg_winreg_OpenHKLM_access_mask hf_winreg_access_mask
HF_RENAME hf_winreg_winreg_OpenHKU_access_mask hf_winreg_access_mask
HF_RENAME hf_winreg_winreg_CreateKey_access_mask hf_winreg_access_mask
HF_RENAME hf_winreg_winreg_OpenHKCC_access_mask hf_winreg_access_mask
HF_RENAME hf_winreg_winreg_OpenHKDD_access_mask hf_winreg_access_mask
HF_RENAME hf_winreg_winreg_OpenHKPT_access_mask hf_winreg_access_mask
HF_RENAME hf_winreg_winreg_OpenHKPN_access_mask hf_winreg_access_mask
#
# Make all instances of a system name use the same hf display filter name
#
HF_FIELD hf_winreg_system_name "System Name" "winreg.system_name" FT_UINT16 BASE_DEC NULL 0 "" "" ""
HF_RENAME hf_winreg_winreg_OpenHKCR_system_name hf_winreg_system_name
HF_RENAME hf_winreg_winreg_OpenHKCU_system_name hf_winreg_system_name
HF_RENAME hf_winreg_winreg_OpenHKLM_system_name hf_winreg_system_name
HF_RENAME hf_winreg_winreg_OpenHKPD_system_name hf_winreg_system_name
HF_RENAME hf_winreg_winreg_OpenHKU_system_name hf_winreg_system_name
HF_RENAME hf_winreg_winreg_OpenHKCC_system_name hf_winreg_system_name
HF_RENAME hf_winreg_winreg_OpenHKDD_system_name hf_winreg_system_name
HF_RENAME hf_winreg_winreg_OpenHKPT_system_name hf_winreg_system_name
HF_RENAME hf_winreg_winreg_OpenHKPN_system_name hf_winreg_system_name
#
# make all policyhandles use the same hf display filter name
#
HF_FIELD hf_winreg_handle "Handle" "winreg.handle" FT_BYTES BASE_NONE NULL 0 "" "" ""
HF_RENAME hf_winreg_winreg_OpenHKCR_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_OpenHKCU_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_OpenHKLM_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_OpenHKPD_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_OpenHKU_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_CloseKey_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_CreateKey_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_DeleteKey_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_DeleteValue_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_EnumKey_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_EnumValue_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_FlushKey_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_GetKeySecurity_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_LoadKey_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_NotifyChangeKeyValue_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_OpenKey_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_QueryInfoKey_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_QueryValue_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_SetKeySecurity_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_SetValue_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_GetVersion_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_OpenHKCC_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_OpenHKDD_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_OpenHKPT_handle hf_winreg_handle
HF_RENAME hf_winreg_winreg_OpenHKPN_handle hf_winreg_handle
#
# Make both instances of KeySecurityData resolve to the same
# hf display filter field.
#
HF_FIELD hf_winreg_sd "KeySecurityData" "winreg.sd" FT_NONE BASE_NONE NULL 0 "" "" ""
HF_RENAME hf_winreg_winreg_GetKeySecurity_sd hf_winreg_sd
HF_RENAME hf_winreg_winreg_SetKeySecurity_sd hf_winreg_sd
#
# policyhandle tracking
# This block is to specify where a policyhandle is opened and where it is
# closed so that policyhandles when dissected contain nice info such as
# [opened in xxx] [closed in yyy]
#
# Policyhandles are opened in these functions
PARAM_VALUE winreg_dissect_element_OpenHKCR_handle_ PIDL_POLHND_OPEN
PARAM_VALUE winreg_dissect_element_OpenHKCU_handle_ PIDL_POLHND_OPEN
PARAM_VALUE winreg_dissect_element_OpenHKLM_handle_ PIDL_POLHND_OPEN
PARAM_VALUE winreg_dissect_element_OpenHKPD_handle_ PIDL_POLHND_OPEN
PARAM_VALUE winreg_dissect_element_OpenHKU_handle_ PIDL_POLHND_OPEN
PARAM_VALUE winreg_dissect_element_OpenHKCC_handle_ PIDL_POLHND_OPEN
PARAM_VALUE winreg_dissect_element_OpenHKDD_handle_ PIDL_POLHND_OPEN
PARAM_VALUE winreg_dissect_element_OpenHKPT_handle_ PIDL_POLHND_OPEN
PARAM_VALUE winreg_dissect_element_OpenHKPN_handle_ PIDL_POLHND_OPEN
PARAM_VALUE winreg_dissect_element_CreateKey_new_handle_ PIDL_POLHND_OPEN
PARAM_VALUE winreg_dissect_element_OpenKey_handle_ PIDL_POLHND_OPEN
# Policyhandles are closed in these functions
PARAM_VALUE winreg_dissect_element_CloseKey_handle_ PIDL_POLHND_CLOSE
# winreg_String
#
# Create a new type to handle winreg_String so that we can get nice and
# pretty dissection of the strings contained within winreg
TYPE winreg_String "offset=cnf_dissect_winreg_String(tvb, offset, pinfo, tree, di, drep, @PARAM@, @HF@);" FT_STRING BASE_NONE 0 NULL 4
#
#
#
PARAM_VALUE winreg_dissect_element_CreateKey_name 2|PIDL_SET_COL_INFO
PARAM_VALUE winreg_dissect_element_DeleteKey_key 2|PIDL_SET_COL_INFO
PARAM_VALUE winreg_dissect_element_LoadKey_keyname 2|PIDL_SET_COL_INFO
PARAM_VALUE winreg_dissect_element_OpenKey_keyname 2|PIDL_SET_COL_INFO|PIDL_STR_SAVE
PARAM_VALUE winreg_dissect_element_QueryValue_value_name 2|PIDL_SET_COL_INFO
PARAM_VALUE winreg_dissect_element_SaveKey_filename 2|PIDL_SET_COL_INFO
PARAM_VALUE winreg_dissect_element_SetValue_name 2|PIDL_SET_COL_INFO
#
# Override the generation of dissectors of the security descriptor and the
# access mask.
# The security descriptor is just an array of bytes in the idl file
# so we override generation of it and calls the proper wireshark dissector
# after manually eating the 12 bytes of conformance data.
#
# Same for the access mask dissector since the idl would only define those
# flag bits that are specific to WINREG therefore we set up the appropriate
# structures and then call the wireshark accessmask dissector instead.
#
#
HF_FIELD hf_winreg_sd_max_size "Max Size" "winreg.sd.max_size" FT_UINT32 BASE_DEC NULL 0 "" "" ""
HF_FIELD hf_winreg_sd_offset "Offset" "winreg.sd.offset" FT_UINT32 BASE_DEC NULL 0 "" "" ""
HF_FIELD hf_winreg_sd_actual_size "Actual Size" "winreg.sd.actual_size" FT_UINT32 BASE_DEC NULL 0 "" "" ""
NOEMIT winreg_dissect_element_KeySecurityData_data__
MANUAL winreg_dissect_element_KeySecurityData_data_
MANUAL winreg_dissect_bitmap_AccessMask
CODE START
#include "packet-dcerpc-lsa.h"
static void
winreg_specific_rights(tvbuff_t *tvb, int offset, proto_tree *tree, uint32_t access)
{
static int* const access_flags[] = {
&hf_winreg_winreg_AccessMask_KEY_WOW64_32KEY,
&hf_winreg_winreg_AccessMask_KEY_WOW64_64KEY,
&hf_winreg_winreg_AccessMask_KEY_CREATE_LINK,
&hf_winreg_winreg_AccessMask_KEY_NOTIFY,
&hf_winreg_winreg_AccessMask_KEY_ENUMERATE_SUB_KEYS,
&hf_winreg_winreg_AccessMask_KEY_CREATE_SUB_KEY,
&hf_winreg_winreg_AccessMask_KEY_SET_VALUE,
&hf_winreg_winreg_AccessMask_KEY_QUERY_VALUE,
NULL
};
proto_tree_add_bitmask_list_value(tree, tvb, offset, 4, access_flags, access);
}
static struct access_mask_info winreg_access_mask_info = {
"WINREG", /* Name of specific rights */
winreg_specific_rights, /* Dissection function */
NULL, /* Generic mapping table */
NULL /* Standard mapping table */
};
static int
winreg_dissect_element_KeySecurityData_data_(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info* di, uint8_t *drep)
{
uint32_t len;
if(di->conformant_run){
/*just a run to handle conformant arrays, nothing to dissect */
return offset;
}
/* this is a varying and conformant array */
offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, di, drep, hf_winreg_sd_max_size, NULL);
offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, di, drep, hf_winreg_sd_offset, NULL);
offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, di, drep, hf_winreg_sd_actual_size, &len);
dissect_nt_sec_desc(tvb, offset, pinfo, tree, drep, true, len,
&winreg_access_mask_info);
offset += len;
return offset;
}
int
winreg_dissect_bitmap_AccessMask(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info* di, uint8_t *drep, int hf_index _U_, uint32_t param _U_)
{
offset = dissect_nt_access_mask(
tvb, offset, pinfo, tree, di, drep, hf_winreg_access_mask,
&winreg_access_mask_info, NULL);
return offset;
}
/* winreg_String :
* typedef [public,noejs] struct {
* [value(strlen_m_term(name)*2)] uint16 name_len;
* [value(strlen_m_term(name)*2)] uint16 name_size;
* [string,charset(UTF16)] uint16 *name;
* } winreg_String;
*/
static int
cnf_dissect_winreg_String(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *parent_tree, dcerpc_info* di, uint8_t *drep, uint32_t param, int hfindex)
{
proto_item *item = NULL;
proto_tree *tree = NULL;
int old_offset;
header_field_info *hf_info;
ALIGN_TO_4_BYTES;
old_offset = offset;
hf_info=proto_registrar_get_nth(hfindex);
if (parent_tree) {
tree = proto_tree_add_subtree_format(parent_tree, tvb, offset, 0, ett_winreg_winreg_String, &item, "%s: ", hf_info->name);
}
offset = winreg_dissect_element_String_name_len(tvb, offset, pinfo, tree, di, drep);
offset = winreg_dissect_element_String_name_size(tvb, offset, pinfo, tree, di, drep);
offset = dissect_ndr_pointer_cb(
tvb, offset, pinfo, tree, di, drep,
dissect_ndr_wchar_cvstring, NDR_POINTER_UNIQUE,
hf_info->name, hfindex, cb_wstr_postprocess,
GINT_TO_POINTER(param));
proto_item_set_len(item, offset-old_offset);
return offset;
}
CODE END
|