# Conformance file for EVENTLOG # HF_FIELD hf_eventlog_Record "Record" "eventlog.Record" FT_NONE BASE_NONE NULL 0 "" "" "" HF_FIELD hf_eventlog_Record_length "Record Length" "eventlog.Record.length" FT_UINT32 BASE_DEC NULL 0 "" "" "" HF_FIELD hf_eventlog_Record_source_name "Source Name" "eventlog.Record.source_name" FT_STRING BASE_NONE NULL 0 "" "" "" HF_FIELD hf_eventlog_Record_computer_name "Computer Name" "eventlog.Record.computer_name" FT_STRING BASE_NONE NULL 0 "" "" "" HF_FIELD hf_eventlog_Record_string "string" "eventlog.Record.string" FT_STRING BASE_NONE NULL 0 "" "" "" MANUAL eventlog_dissect_element_ReadEventLogW_data_ MANUAL eventlog_dissect_element_Record_sid_length MANUAL eventlog_dissect_element_Record_sid_offset MANUAL eventlog_dissect_element_Record_source_name MANUAL eventlog_dissect_element_Record_computer_name MANUAL eventlog_dissect_element_Record_num_of_strings MANUAL eventlog_dissect_element_Record_stringoffset MANUAL eventlog_dissect_element_Record_strings NOEMIT eventlog_dissect_element_Record_strings_ NOEMIT eventlog_dissect_element_ReadEventLogW_data__ # # policyhandle tracking # This block is to specify where a policyhandle is opened and where it is # closed so that policyhandles when dissected contain nice info such as # [opened in xxx] [closed in yyy] # # Policyhandles are opened in these functions PARAM_VALUE eventlog_dissect_element_OpenEventLogW_handle_ PIDL_POLHND_OPEN PARAM_VALUE eventlog_dissect_element_OpenBackupEventLogW_handle_ PIDL_POLHND_OPEN # Policyhandles are closed in these functions PARAM_VALUE eventlog_dissect_element_CloseEventLog_handle_ PIDL_POLHND_CLOSE TYPE lsa_String "offset=dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep, @HF@, @PARAM@);" FT_STRING BASE_NONE 0 NULL 4 CODE START static int eventlog_dissect_element_ReadEventLogW_data_(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep) { guint32 len; tvbuff_t *record_tvb; if(di->conformant_run){ /*just a run to handle conformant arrays, nothing to dissect */ return offset; } offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, di, drep, hf_eventlog_Record_length, &len); /* Create a new tvb so that we know that offset==0 is the beginning * of the record. We need to know this since the data is not really * NDR encoded at all and there are byte offsets into this buffer * encoded therein. */ record_tvb=tvb_new_subset(tvb, offset, MIN((gint)len, tvb_captured_length_remaining(tvb, offset)), len); eventlog_dissect_struct_Record(record_tvb, 0, pinfo, tree, di, drep, hf_eventlog_Record, 0); offset+=len; return offset; } /* sid_length and sid_offset handled by manual code since this is not NDR and we want to dissect the sid from the data blob */ static guint32 sid_length; static int eventlog_dissect_element_Record_sid_length(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep) { sid_length=0; offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep, hf_eventlog_eventlog_Record_sid_length,&sid_length); return offset; } static int eventlog_dissect_element_Record_sid_offset(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep) { guint32 sid_offset=0; offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep, hf_eventlog_eventlog_Record_sid_offset,&sid_offset); if(sid_offset && sid_length){ tvbuff_t *sid_tvb; /* this blob contains an NT SID. * tvb starts at the beginning of the record. */ sid_tvb=tvb_new_subset(tvb, sid_offset, MIN((gint)sid_length, tvb_captured_length_remaining(tvb, offset)), sid_length); dissect_nt_sid(sid_tvb, 0, tree, "SID", NULL, -1); } return offset; } static int eventlog_dissect_element_Record_source_name(tvbuff_t *tvb, int offset, packet_info *pinfo _U_, proto_tree *tree, dcerpc_info *di _U_, guint8 *drep _U_) { guint len; len=tvb_unicode_strsize(tvb, offset); proto_tree_add_item(tree, hf_eventlog_Record_source_name, tvb, offset, len, ENC_UTF_16|ENC_LITTLE_ENDIAN); offset+=len; return offset; } static int eventlog_dissect_element_Record_computer_name(tvbuff_t *tvb, int offset, packet_info *pinfo _U_, proto_tree *tree, dcerpc_info *di _U_, guint8 *drep _U_) { guint len; len=tvb_unicode_strsize(tvb, offset); proto_tree_add_item(tree, hf_eventlog_Record_computer_name, tvb, offset, len, ENC_UTF_16|ENC_LITTLE_ENDIAN); offset+=len; return offset; } static guint16 num_of_strings; static int eventlog_dissect_element_Record_num_of_strings(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep) { num_of_strings=0; offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep, hf_eventlog_eventlog_Record_num_of_strings,&num_of_strings); return offset; } static guint32 string_offset; static int eventlog_dissect_element_Record_stringoffset(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep) { string_offset=0; offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep, hf_eventlog_eventlog_Record_stringoffset,&string_offset); return offset; } static int eventlog_dissect_element_Record_strings(tvbuff_t *tvb, int offset, packet_info *pinfo _U_, proto_tree *tree, dcerpc_info *di _U_, guint8 *drep _U_) { while(string_offset && num_of_strings){ guint len; len=tvb_unicode_strsize(tvb, string_offset); proto_tree_add_item(tree, hf_eventlog_Record_string, tvb, string_offset, len, ENC_UTF_16|ENC_LITTLE_ENDIAN); string_offset+=len; num_of_strings--; } return offset; } CODE END