# # policyhandle tracking # This block is to specify where a policyhandle is opened and where it is # closed so that policyhandles when dissected contain nice info such as # [opened in xxx] [closed in yyy] # # Policyhandles are opened in these functions PARAM_VALUE lsarpc_dissect_element_lsa_OpenPolicy_handle_ PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_LSA_POLICY PARAM_VALUE lsarpc_dissect_element_lsa_OpenPolicy2_handle_ PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_LSA_POLICY PARAM_VALUE lsarpc_dissect_element_lsa_CreateAccount_acct_handle_ PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_LSA_ACCOUNT PARAM_VALUE lsarpc_dissect_element_lsa_OpenAccount_acct_handle_ PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_LSA_ACCOUNT PARAM_VALUE lsarpc_dissect_element_lsa_CreateTrustedDomain_trustdom_handle_ PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_LSA_DOMAIN PARAM_VALUE lsarpc_dissect_element_lsa_OpenTrustedDomain_trustdom_handle_ PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_LSA_DOMAIN PARAM_VALUE lsarpc_dissect_element_lsa_OpenTrustedDomainByName_trustdom_handle_ PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_LSA_DOMAIN PARAM_VALUE lsarpc_dissect_element_lsa_CreateSecret_sec_handle_ PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_LSA_SECRET PARAM_VALUE lsarpc_dissect_element_lsa_OpenSecret_sec_handle_ PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_LSA_SECRET # Policyhandles are closed in these functions PARAM_VALUE lsarpc_dissect_element_lsa_Close_handle_ PIDL_POLHND_CLOSE PARAM_VALUE lsarpc_dissect_element_lsa_Delete_handle_ PIDL_POLHND_CLOSE PARAM_VALUE lsarpc_dissect_element_lsa_CloseTrustedDomainEx_handle_ PIDL_POLHND_CLOSE TYPE hyper "offset=cnf_dissect_hyper(tvb, offset, pinfo, tree, di, drep, @PARAM@, @HF@);" FT_UINT64 BASE_DEC 0 NULL 8 TYPE sec_desc_buf "offset=cnf_dissect_sec_desc_buf(tvb, offset, pinfo, tree, di, drep);" FT_NONE BASE_NONE 0 NULL 4 HF_FIELD hf_lsarpc_sec_desc_buf_len "Sec Desc Buf Len" "lsarpc.sec_desc_buf_len" FT_UINT32 BASE_DEC NULL 0 "" "" "" MANUAL lsarpc_dissect_bitmap_lsa_PolicyAccessMask MANUAL lsarpc_dissect_bitmap_lsa_AccountAccessMask MANUAL lsarpc_dissect_bitmap_lsa_SecretAccessMask MANUAL lsarpc_dissect_bitmap_lsa_DomainAccessMask HF_FIELD hf_lsarpc_policy_access_mask "Access Mask" "lsarpc.policy.access_mask" FT_UINT32 BASE_HEX NULL 0 "" "" "" HF_FIELD hf_lsarpc_account_access_mask "Access Mask" "lsarpc.policy.access_mask" FT_UINT32 BASE_HEX NULL 0 "" "" "" HF_FIELD hf_lsarpc_secret_access_mask "Access Mask" "lsarpc.policy.access_mask" FT_UINT32 BASE_HEX NULL 0 "" "" "" HF_FIELD hf_lsarpc_domain_access_mask "Access Mask" "lsarpc.policy.access_mask" FT_UINT32 BASE_HEX NULL 0 "" "" "" HF_FIELD hf_lsarpc_String_name "String" "lsarpc.lsa.string" FT_STRING BASE_NONE NULL 0 "" "" "" MANUAL lsarpc_dissect_element_lsa_LookupNames_names MANUAL lsarpc_dissect_element_lsa_LookupNames2_names MANUAL lsarpc_dissect_element_lsa_LookupNames3_names MANUAL lsarpc_dissect_element_lsa_LookupNames4_names MANUAL lsarpc_dissect_element_lsa_String_string_ MANUAL lsarpc_dissect_element_lsa_StringLarge_string_ NOEMIT lsarpc_dissect_element_lsa_String_string__ NOEMIT lsarpc_dissect_element_lsa_StringLarge_string__ NOEMIT lsarpc_dissect_element_lsa_DomainInfoEfs_efs_blob__ NOEMIT lsarpc_dissect_element_lsa_LookupNames_names_ NOEMIT lsarpc_dissect_element_lsa_LookupNames2_names_ NOEMIT lsarpc_dissect_element_lsa_LookupNames4_names_ ETT_FIELD ett_lsarpc_names HF_FIELD hf_lsarpc_names "Names" "lsarpc.lookup.names" FT_NONE BASE_NONE NULL 0 "" "" "" MANUAL lsarpc_dissect_element_lsa_DomainInfoEfs_efs_blob_ HF_FIELD hf_lsarpc_efs_blob_len "EFS blob size" "lsarpc.efs.blob_size" FT_UINT32 BASE_DEC NULL 0 "" "" "" CODE START static void lsarpc_policy_specific_rights(tvbuff_t *tvb, gint offset, proto_tree *tree, guint32 access) { static const int* access_flags[] = { &hf_lsarpc_lsa_PolicyAccessMask_LSA_POLICY_NOTIFICATION, &hf_lsarpc_lsa_PolicyAccessMask_LSA_POLICY_LOOKUP_NAMES, &hf_lsarpc_lsa_PolicyAccessMask_LSA_POLICY_SERVER_ADMIN, &hf_lsarpc_lsa_PolicyAccessMask_LSA_POLICY_AUDIT_LOG_ADMIN, &hf_lsarpc_lsa_PolicyAccessMask_LSA_POLICY_SET_AUDIT_REQUIREMENTS, &hf_lsarpc_lsa_PolicyAccessMask_LSA_POLICY_SET_DEFAULT_QUOTA_LIMITS, &hf_lsarpc_lsa_PolicyAccessMask_LSA_POLICY_CREATE_PRIVILEGE, &hf_lsarpc_lsa_PolicyAccessMask_LSA_POLICY_CREATE_SECRET, &hf_lsarpc_lsa_PolicyAccessMask_LSA_POLICY_CREATE_ACCOUNT, &hf_lsarpc_lsa_PolicyAccessMask_LSA_POLICY_TRUST_ADMIN, &hf_lsarpc_lsa_PolicyAccessMask_LSA_POLICY_GET_PRIVATE_INFORMATION, &hf_lsarpc_lsa_PolicyAccessMask_LSA_POLICY_VIEW_AUDIT_INFORMATION, &hf_lsarpc_lsa_PolicyAccessMask_LSA_POLICY_VIEW_LOCAL_INFORMATION, NULL }; proto_tree_add_bitmask_list_value(tree, tvb, offset, 4, access_flags, access); } static void lsarpc_account_specific_rights(tvbuff_t *tvb, gint offset, proto_tree *tree, guint32 access) { static const int* access_flags[] = { &hf_lsarpc_lsa_AccountAccessMask_LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS, &hf_lsarpc_lsa_AccountAccessMask_LSA_ACCOUNT_ADJUST_QUOTAS, &hf_lsarpc_lsa_AccountAccessMask_LSA_ACCOUNT_ADJUST_PRIVILEGES, &hf_lsarpc_lsa_AccountAccessMask_LSA_ACCOUNT_VIEW, NULL }; proto_tree_add_bitmask_list_value(tree, tvb, offset, 4, access_flags, access); } static void lsarpc_secret_specific_rights(tvbuff_t *tvb, gint offset, proto_tree *tree, guint32 access) { static const int* access_flags[] = { &hf_lsarpc_lsa_SecretAccessMask_LSA_SECRET_QUERY_VALUE, &hf_lsarpc_lsa_SecretAccessMask_LSA_SECRET_SET_VALUE, NULL }; proto_tree_add_bitmask_list_value(tree, tvb, offset, 4, access_flags, access); } static void lsarpc_domain_specific_rights(tvbuff_t *tvb, gint offset, proto_tree *tree, guint32 access) { static const int* access_flags[] = { &hf_lsarpc_lsa_DomainAccessMask_LSA_DOMAIN_QUERY_AUTH, &hf_lsarpc_lsa_DomainAccessMask_LSA_DOMAIN_SET_AUTH, &hf_lsarpc_lsa_DomainAccessMask_LSA_DOMAIN_SET_POSIX, &hf_lsarpc_lsa_DomainAccessMask_LSA_DOMAIN_QUERY_POSIX, &hf_lsarpc_lsa_DomainAccessMask_LSA_DOMAIN_SET_CONTROLLERS, &hf_lsarpc_lsa_DomainAccessMask_LSA_DOMAIN_QUERY_CONTROLLERS, &hf_lsarpc_lsa_DomainAccessMask_LSA_DOMAIN_QUERY_DOMAIN_NAME, NULL }; proto_tree_add_bitmask_list_value(tree, tvb, offset, 4, access_flags, access); } struct access_mask_info lsarpc_policy_access_mask_info = { "LSA Policy", /* Name of specific rights */ lsarpc_policy_specific_rights, /* Dissection function */ NULL, /* Generic mapping table */ NULL /* Standard mapping table */ }; struct access_mask_info lsarpc_account_access_mask_info = { "LSA Account", /* Name of specific rights */ lsarpc_account_specific_rights, /* Dissection function */ NULL, /* Generic mapping table */ NULL /* Standard mapping table */ }; struct access_mask_info lsarpc_secret_access_mask_info = { "LSA Secret", /* Name of specific rights */ lsarpc_secret_specific_rights, /* Dissection function */ NULL, /* Generic mapping table */ NULL /* Standard mapping table */ }; struct access_mask_info lsarpc_domain_access_mask_info = { "LSA Domain", /* Name of specific rights */ lsarpc_domain_specific_rights, /* Dissection function */ NULL, /* Generic mapping table */ NULL /* Standard mapping table */ }; int lsarpc_dissect_bitmap_lsa_PolicyAccessMask(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info* di, guint8 *drep, int hf_index _U_, guint32 param _U_) { offset = dissect_nt_access_mask( tvb, offset, pinfo, tree, di, drep, hf_lsarpc_policy_access_mask, &lsarpc_policy_access_mask_info, NULL); return offset; } int lsarpc_dissect_bitmap_lsa_AccountAccessMask(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info* di, guint8 *drep, int hf_index _U_, guint32 param _U_) { offset = dissect_nt_access_mask( tvb, offset, pinfo, tree, di, drep, hf_lsarpc_account_access_mask, &lsarpc_account_access_mask_info, NULL); return offset; } int lsarpc_dissect_bitmap_lsa_SecretAccessMask(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info* di, guint8 *drep, int hf_index _U_, guint32 param _U_) { offset = dissect_nt_access_mask( tvb, offset, pinfo, tree, di, drep, hf_lsarpc_secret_access_mask, &lsarpc_secret_access_mask_info, NULL); return offset; } int lsarpc_dissect_bitmap_lsa_DomainAccessMask(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info* di, guint8 *drep, int hf_index _U_, guint32 param _U_) { offset = dissect_nt_access_mask( tvb, offset, pinfo, tree, di, drep, hf_lsarpc_domain_access_mask, &lsarpc_domain_access_mask_info, NULL); return offset; } static int cnf_dissect_sec_desc_buf_(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info* di, guint8 *drep) { guint32 len; e_ctx_hnd *polhnd = NULL; dcerpc_call_value *dcv = NULL; guint32 type=0; struct access_mask_info *ami=NULL; if(di->conformant_run){ /*just a run to handle conformant arrays, nothing to dissect */ return offset; } offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, di, drep, hf_lsarpc_sec_desc_buf_len, &len); dcv = (dcerpc_call_value *)di->call_data; if(dcv){ polhnd = dcv->pol; } if(polhnd){ dcerpc_fetch_polhnd_data(polhnd, NULL, &type, NULL, NULL, pinfo->num); } switch(type){ case PIDL_POLHND_TYPE_LSA_POLICY: ami=&lsarpc_policy_access_mask_info; break; case PIDL_POLHND_TYPE_LSA_ACCOUNT: ami=&lsarpc_account_access_mask_info; break; case PIDL_POLHND_TYPE_LSA_SECRET: ami=&lsarpc_secret_access_mask_info; break; case PIDL_POLHND_TYPE_LSA_DOMAIN: ami=&lsarpc_domain_access_mask_info; break; } dissect_nt_sec_desc(tvb, offset, pinfo, tree, drep, TRUE, len, ami); offset += len; return offset; } static int cnf_dissect_sec_desc_buf(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info* di, guint8 *drep) { guint32 len; if(di->conformant_run){ /*just a run to handle conformant arrays, nothing to dissect */ return offset; } offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, di, drep, hf_lsarpc_sec_desc_buf_len, &len); offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep, cnf_dissect_sec_desc_buf_, NDR_POINTER_UNIQUE, "LSA SECURITY DESCRIPTOR data:", -1); return offset; } int lsarpc_dissect_sec_desc_buf(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info* di, guint8 *drep){ return cnf_dissect_sec_desc_buf(tvb, offset, pinfo, tree, di, drep); } static int lsarpc_dissect_struct_security_descriptor(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di, guint8 *drep _U_, int unused1 _U_, int unused2 _U_){ return cnf_dissect_sec_desc_buf(tvb, offset, pinfo, tree, di, drep); } int lsarpc_dissect_struct_dom_sid2(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di, guint8 *drep _U_, int unused1 _U_, int unused2 _U_) { /* sid */ return dissect_ndr_nt_SID(tvb, offset, pinfo, tree, di, drep); } static int cnf_dissect_hyper(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info* di, guint8 *drep, guint32 param _U_, int hfindex) { offset = dissect_ndr_uint64(tvb, offset, pinfo, tree, di, drep, hfindex, NULL); return offset; } # PIDL cant handle top level arrays so we must explicitely go through a # ref pointer here static int lsarpc_dissect_element_lsa_LookupNames3_names_X(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *parent_tree _U_, dcerpc_info* di, guint8 *drep _U_) { proto_item *item = NULL; proto_tree *tree = NULL; int old_offset = offset; if (parent_tree) { item = proto_tree_add_item(parent_tree, hf_lsarpc_names, tvb, offset, -1, ENC_NA); tree = proto_item_add_subtree(item, ett_lsarpc_names); } offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep, lsarpc_dissect_element_lsa_LookupNames3_names_); proto_item_set_len(item, offset-old_offset); return offset; } static int lsarpc_dissect_element_lsa_LookupNames_names(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di, guint8 *drep _U_) { offset = dissect_ndr_toplevel_pointer(tvb, offset, pinfo, tree, di, drep, lsarpc_dissect_element_lsa_LookupNames3_names_X, NDR_POINTER_REF, "Pointer to Names", hf_lsarpc_names); return offset; } static int lsarpc_dissect_element_lsa_LookupNames2_names(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di, guint8 *drep _U_) { offset = dissect_ndr_toplevel_pointer(tvb, offset, pinfo, tree, di, drep, lsarpc_dissect_element_lsa_LookupNames3_names_X, NDR_POINTER_REF, "Pointer to Names", hf_lsarpc_names); return offset; } static int lsarpc_dissect_element_lsa_LookupNames3_names(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di, guint8 *drep _U_) { offset = dissect_ndr_toplevel_pointer(tvb, offset, pinfo, tree, di, drep, lsarpc_dissect_element_lsa_LookupNames3_names_X, NDR_POINTER_REF, "Pointer to Names", hf_lsarpc_names); return offset; } static int lsarpc_dissect_element_lsa_LookupNames4_names(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di, guint8 *drep _U_) { offset = dissect_ndr_toplevel_pointer(tvb, offset, pinfo, tree, di, drep, lsarpc_dissect_element_lsa_LookupNames3_names_X, NDR_POINTER_REF, "Pointer to Names", hf_lsarpc_names); return offset; } static int lsarpc_dissect_element_lsa_String_string_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di, guint8 *drep _U_) { char *data; offset = dissect_ndr_cvstring(tvb, offset, pinfo, tree, di, drep, sizeof(guint16), hf_lsarpc_String_name, FALSE, &data); proto_item_append_text(tree, ": %s", data); return offset; } static int lsarpc_dissect_element_lsa_StringLarge_string_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di, guint8 *drep _U_) { char *data; offset = dissect_ndr_cvstring(tvb, offset, pinfo, tree, di, drep, sizeof(guint16), hf_lsarpc_String_name, FALSE, &data); proto_item_append_text(tree, ": %s", data); return offset; } static int lsarpc_dissect_element_lsa_DomainInfoEfs_efs_blob_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di, guint8 *drep _U_) { tvbuff_t *next_tvb; gint len, reported_len; dissector_handle_t efsblob_handle; if(di->conformant_run){ /*just a run to handle conformant arrays, nothing to dissect */ return offset; } offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, di, drep, hf_lsarpc_efs_blob_len, &reported_len); len = reported_len; if (len > tvb_captured_length_remaining(tvb, offset)) { len = tvb_captured_length_remaining(tvb, offset); } next_tvb = tvb_new_subset(tvb, offset, len, reported_len); efsblob_handle = find_dissector("efsblob"); if (efsblob_handle) { call_dissector(efsblob_handle, next_tvb, pinfo, tree); } offset += reported_len; return offset; } CODE END HEADER START extern int lsarpc_dissect_sec_desc_buf(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info* di, guint8 *drep); extern int lsarpc_dissect_struct_dom_sid2(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info* di, guint8 *drep, int unused1, int unused2); HEADER END