rename dcerpc_smb_store_pol_name to dcerpc_store_polhnd_name

rename dcerpc_smb_fetch_pol  to dcerpc_fetch_polhnd_data and also make 
it take an additional parameter to return the "type" of the policy 
handle, if such a type was stored.

extend the pol_value structure used to track policy handles to also 
store a type to represent what created the policy handle.
Types could be USER/ALIAS/CONNECT/... etc handles returned from the 
SAMR interface

add a new helper function  dcerpc_store_polhnd_type()

track policy handles between request/responses for dcerpc

update the samr.cnf file to make the samr dissectors for
SetSecurity/QuerySecurity dissect the specific bits for the security 
descriptor correctly based on whether the policy handle refers to a 
CONNECT/DOMAIN/USER/ALIAS or GROUP



svn path=/trunk/; revision=22703
Ronnie Sahlberg 2007-08-28 11:45:08 +00:00
parent 659b175cd7
commit 8fde3b7561
11 changed files with 205 additions and 74 deletions


@ -604,7 +604,7 @@ lsa_dissect_lsaropenpolicy_reply(tvbuff_t *tvb, int offset,
tvb, offset, pinfo, tree, drep, hf_lsa_rc, &status);
if (status == 0) {
dcerpc_smb_store_pol_name(&policy_hnd, pinfo,
dcerpc_store_polhnd_name(&policy_hnd, pinfo,
"OpenPolicy handle");
if (hnd_item != NULL)
@ -671,7 +671,7 @@ lsa_dissect_lsaropenpolicy2_reply(tvbuff_t *tvb, int offset,
pol_name = "Unknown OpenPolicy2() handle";
}
if(!pinfo->fd->flags.visited){
dcerpc_smb_store_pol_name(&policy_hnd, pinfo, pol_name);
dcerpc_store_polhnd_name(&policy_hnd, pinfo, pol_name);
}
if(hnd_item)


@ -400,14 +400,6 @@ typedef struct {
guint8 policy_hnd[20];
} pol_hash_key;
typedef struct pol_value {
struct pol_value *next; /* Next entry in hash bucket */
guint32 open_frame, close_frame; /* Frame numbers for open/close */
guint32 first_frame; /* First frame in which this instance was seen */
guint32 last_frame; /* Last frame in which this instance was seen */
char *name; /* Name of policy handle */
} pol_value;
typedef struct {
pol_value *list; /* List of policy handle entries */
} pol_hash_value;
@ -612,15 +604,43 @@ void dcerpc_smb_store_pol_pkts(e_ctx_hnd *policy_hnd, packet_info *pinfo,
pol->close_frame = is_close ? pinfo->fd->num : 0;
pol->first_frame = pinfo->fd->num;
pol->last_frame = pol->close_frame; /* if 0, unknown; if non-0, known */
pol->type=0;
pol->name = NULL;
add_pol_handle(policy_hnd, pinfo->fd->num, pol, value);
}
/* Store a text string with a policy handle */
/* Store the type of a policy handle */
static void dcerpc_store_polhnd_type(e_ctx_hnd *policy_hnd, packet_info *pinfo,
guint32 type)
{
pol_hash_value *value;
pol_value *pol;
void dcerpc_smb_store_pol_name(e_ctx_hnd *policy_hnd, packet_info *pinfo,
/*
* By the time the first pass is done, the policy handle database
* has been completely constructed. If we've already seen this
* frame, there's nothing to do.
*/
if (pinfo->fd->flags.visited)
return;
if (is_null_pol(policy_hnd))
return;
/* Look up existing value */
pol = find_pol_handle(policy_hnd, pinfo->fd->num, &value);
if (pol != NULL) {
/*
* Update the existing value as appropriate.
*/
pol->type=type;
}
}
/* Store a text string with a policy handle */
void dcerpc_store_polhnd_name(e_ctx_hnd *policy_hnd, packet_info *pinfo,
const char *name)
{
pol_hash_value *value;
@ -666,7 +686,7 @@ void dcerpc_smb_store_pol_name(e_ctx_hnd *policy_hnd, packet_info *pinfo,
pol->close_frame = 0;
pol->first_frame = pinfo->fd->num;
pol->last_frame = 0;
pol->type = 0;
if (name)
pol->name = strdup(name);
else
@ -683,7 +703,8 @@ void dcerpc_smb_store_pol_name(e_ctx_hnd *policy_hnd, packet_info *pinfo,
* close operations?
*/
gboolean dcerpc_smb_fetch_pol(e_ctx_hnd *policy_hnd, char **name,
gboolean dcerpc_fetch_polhnd_data(e_ctx_hnd *policy_hnd,
char **name, guint32 *type,
guint32 *open_frame, guint32 *close_frame,
guint32 cur_frame)
{
@ -695,12 +716,15 @@ gboolean dcerpc_smb_fetch_pol(e_ctx_hnd *policy_hnd, char **name,
if (name)
*name = NULL;
if (type)
*type = 0;
if (open_frame)
*open_frame = 0;
if (close_frame)
*close_frame = 0;
/* Look up existing value */
pol = find_pol_handle(policy_hnd, cur_frame, &value);
@ -708,6 +732,9 @@ gboolean dcerpc_smb_fetch_pol(e_ctx_hnd *policy_hnd, char **name,
if (name)
*name = pol->name;
if (type)
*type = pol->type;
if (open_frame)
*open_frame = pol->open_frame;
@ -872,9 +899,8 @@ dissect_nt_hnd(tvbuff_t *tvb, gint offset, packet_info *pinfo,
dcerpc_smb_store_pol_pkts(&hnd, pinfo, is_open, is_close);
/* Insert open/close/name information if known */
if (dcerpc_smb_fetch_pol(&hnd, &name, &open_frame, &close_frame,
pinfo->fd->num)) {
if (dcerpc_fetch_polhnd_data(&hnd, &name, NULL, &open_frame,
&close_frame, pinfo->fd->num)) {
if (open_frame) {
proto_item *item;
@ -973,7 +999,19 @@ PIDL_dissect_policy_hnd(tvbuff_t *tvb, gint offset, packet_info *pinfo,
pol_name="<...>";
}
pol_string=ep_strdup_printf("%s(%s)", pinfo->dcerpc_procedure_name, pol_name);
dcerpc_smb_store_pol_name(&policy_hnd, pinfo, pol_string);
dcerpc_store_polhnd_name(&policy_hnd, pinfo, pol_string);
dcerpc_store_polhnd_type(&policy_hnd, pinfo, param&PIDL_POLHND_TYPE_MASK);
}
/* Track this policy handle for the response */
if(!pinfo->fd->flags.visited
&& !di->conformant_run){
dcerpc_call_value *dcv;
dcv = (dcerpc_call_value *)di->call_data;
if(!dcv->pol){
dcv->pol=se_memdup(&policy_hnd, sizeof(e_ctx_hnd));
}
}
return offset;
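Review bot: In PIDL_dissect_policy_hnd the new tracking block uses `dcv` unchecked (`dcv = (dcerpc_call_value *)di->call_data;` followed by `if(!dcv->pol){`), while the reader this commit adds in cnf_dissect_sec_desc_buf_ guards the same pointer with `if(dcv){`. Whether `di->call_data` can be NULL at this point is not visible in the hunk; if it can, `if(dcv && !dcv->pol){` makes the two sides agree. A comment would also help here: only the first policy handle seen in a request is remembered, so a call that carries several handles picks the access-mask table from the first one. In the same section, dcerpc_store_polhnd_type() does nothing when find_pol_handle() returns NULL, which deserves a line in its header comment. The body of PIDL_dissect_policy_hnd starts outside the hunk.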


@ -162,13 +162,13 @@ dcerpc_smb_store_pol_pkts(e_ctx_hnd *policy_hnd, packet_info *pinfo,
/* Store a name with a policy handle */
void
dcerpc_smb_store_pol_name(e_ctx_hnd *policy_hnd, packet_info *pinfo,
dcerpc_store_polhnd_name(e_ctx_hnd *policy_hnd, packet_info *pinfo,
const char *name);
/* Fetch details stored with a policy handle */
gboolean
dcerpc_smb_fetch_pol(e_ctx_hnd *policy_hnd, char **name,
dcerpc_fetch_polhnd_data(e_ctx_hnd *policy_hnd, char **name, guint32 *type,
guint32 *open_frame, guint32 *close_frame,
guint32 cur_frame);
@ -236,8 +236,8 @@ int dissect_ndr_str_pointer_item(tvbuff_t *tvb, gint offset,
/* Number of levels to go up appending string to pointer item */
#define CB_STR_ITEM_LEVELS(x) ((x) & 0xFFFF)
#define CB_STR_COL_INFO 0x10000 /* Append string to COL_INFO */
#define CB_STR_SAVE 0x20000 /* Save string to dcv->private_data */
#define CB_STR_SAVE 0x20000000 /* Save string to dcv->private_data */
#define CB_STR_COL_INFO 0x10000000 /* Append string to COL_INFO */
void cb_wstr_postprocess(packet_info *pinfo, proto_tree *tree _U_,
proto_item *item, tvbuff_t *tvb,
@ -252,4 +252,5 @@ void cb_str_postprocess(packet_info *pinfo, proto_tree *tree _U_,
void dcerpc_smb_init(int proto_dcerpc);
#endif /* packet-dcerpc-nt.h */
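Review bot: `CB_STR_SAVE` and `CB_STR_COL_INFO` are moved to 0x20000000 and 0x10000000, the same values this commit gives `PIDL_STR_SAVE` and `PIDL_SET_COL_INFO` in the other header, but nothing on the new lines says the two pairs have to stay equal. If they are meant to be the same bits of one `param` word, as the matching comments suggest, a comment such as `/* must match PIDL_STR_SAVE / PIDL_SET_COL_INFO in packet-dcerpc.h */` would record that, or one pair could be defined in terms of the other. It is also worth noting beside `CB_STR_ITEM_LEVELS` that bits 16-23 are now the policy-handle type field, which is why these flags moved to the top byte.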


@ -1853,7 +1853,11 @@ static int
cnf_dissect_sec_desc_buf_(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
guint32 len;
dcerpc_info *di;
dcerpc_info *di = NULL;
e_ctx_hnd *polhnd = NULL;
dcerpc_call_value *dcv = NULL;
guint32 type=0;
struct access_mask_info *ami=NULL;
di=pinfo->private_data;
if(di->conformant_run){
/*just a run to handle conformant arrays, nothing to dissect */
@ -1861,8 +1865,34 @@ cnf_dissect_sec_desc_buf_(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_t
}
offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
hf_samr_sec_desc_buf_len, &len);
dissect_nt_sec_desc(tvb, offset, pinfo, tree, drep, TRUE, len,
NULL);
if(di){
dcv = (dcerpc_call_value *)di->call_data;
}
if(dcv){
polhnd = dcv->pol;
}
if(polhnd){
dcerpc_fetch_polhnd_data(polhnd, NULL, &type, NULL, NULL,
pinfo->fd->num);
}
switch(type){
case PIDL_POLHND_TYPE_SAMR_USER:
ami=&samr_user_access_mask_info;
break;
case PIDL_POLHND_TYPE_SAMR_CONNECT:
ami=&samr_connect_access_mask_info;
break;
case PIDL_POLHND_TYPE_SAMR_DOMAIN:
ami=&samr_domain_access_mask_info;
break;
case PIDL_POLHND_TYPE_SAMR_GROUP:
ami=&samr_group_access_mask_info;
break;
case PIDL_POLHND_TYPE_SAMR_ALIAS:
ami=&samr_alias_access_mask_info;
break;
}
dissect_nt_sec_desc(tvb, offset, pinfo, tree, drep, TRUE, len, ami);
offset += len;
return offset;
}
@ -7547,7 +7577,7 @@ samr_dissect_element_Connect_connect_handle(tvbuff_t *tvb _U_, int offset _U_, p
static int
samr_dissect_element_Connect_connect_handle_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
{
offset = PIDL_dissect_policy_hnd(tvb, offset, pinfo, tree, drep, hf_samr_connect_handle, PIDL_POLHND_OPEN);
offset = PIDL_dissect_policy_hnd(tvb, offset, pinfo, tree, drep, hf_samr_connect_handle, PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_SAMR_CONNECT);
return offset;
}
@ -8063,7 +8093,7 @@ samr_dissect_element_OpenDomain_domain_handle(tvbuff_t *tvb _U_, int offset _U_,
static int
samr_dissect_element_OpenDomain_domain_handle_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
{
offset = PIDL_dissect_policy_hnd(tvb, offset, pinfo, tree, drep, hf_samr_domain_handle, PIDL_POLHND_OPEN);
offset = PIDL_dissect_policy_hnd(tvb, offset, pinfo, tree, drep, hf_samr_domain_handle, PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_SAMR_DOMAIN);
return offset;
}
@ -8303,7 +8333,7 @@ samr_dissect_element_CreateDomainGroup_group_handle(tvbuff_t *tvb _U_, int offse
static int
samr_dissect_element_CreateDomainGroup_group_handle_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
{
offset = PIDL_dissect_policy_hnd(tvb, offset, pinfo, tree, drep, hf_samr_group_handle, PIDL_POLHND_OPEN);
offset = PIDL_dissect_policy_hnd(tvb, offset, pinfo, tree, drep, hf_samr_group_handle, PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_SAMR_GROUP);
return offset;
}
@ -8524,7 +8554,7 @@ samr_dissect_element_CreateUser_user_handle(tvbuff_t *tvb _U_, int offset _U_, p
static int
samr_dissect_element_CreateUser_user_handle_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
{
offset = PIDL_dissect_policy_hnd(tvb, offset, pinfo, tree, drep, hf_samr_user_handle, PIDL_POLHND_OPEN);
offset = PIDL_dissect_policy_hnd(tvb, offset, pinfo, tree, drep, hf_samr_user_handle, PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_SAMR_USER);
return offset;
}
@ -8756,7 +8786,7 @@ samr_dissect_element_CreateDomAlias_alias_handle(tvbuff_t *tvb _U_, int offset _
static int
samr_dissect_element_CreateDomAlias_alias_handle_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
{
offset = PIDL_dissect_policy_hnd(tvb, offset, pinfo, tree, drep, hf_samr_alias_handle, PIDL_POLHND_OPEN);
offset = PIDL_dissect_policy_hnd(tvb, offset, pinfo, tree, drep, hf_samr_alias_handle, PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_SAMR_ALIAS);
return offset;
}
@ -9261,7 +9291,7 @@ samr_dissect_element_OpenGroup_group_handle(tvbuff_t *tvb _U_, int offset _U_, p
static int
samr_dissect_element_OpenGroup_group_handle_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
{
offset = PIDL_dissect_policy_hnd(tvb, offset, pinfo, tree, drep, hf_samr_group_handle, PIDL_POLHND_OPEN);
offset = PIDL_dissect_policy_hnd(tvb, offset, pinfo, tree, drep, hf_samr_group_handle, PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_SAMR_GROUP);
return offset;
}
@ -9786,7 +9816,7 @@ samr_dissect_element_OpenAlias_alias_handle(tvbuff_t *tvb _U_, int offset _U_, p
static int
samr_dissect_element_OpenAlias_alias_handle_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
{
offset = PIDL_dissect_policy_hnd(tvb, offset, pinfo, tree, drep, hf_samr_alias_handle, PIDL_POLHND_OPEN);
offset = PIDL_dissect_policy_hnd(tvb, offset, pinfo, tree, drep, hf_samr_alias_handle, PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_SAMR_ALIAS);
return offset;
}
@ -10243,7 +10273,7 @@ samr_dissect_element_OpenUser_user_handle(tvbuff_t *tvb _U_, int offset _U_, pac
static int
samr_dissect_element_OpenUser_user_handle_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
{
offset = PIDL_dissect_policy_hnd(tvb, offset, pinfo, tree, drep, hf_samr_user_handle, PIDL_POLHND_OPEN);
offset = PIDL_dissect_policy_hnd(tvb, offset, pinfo, tree, drep, hf_samr_user_handle, PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_SAMR_USER);
return offset;
}
@ -11552,7 +11582,7 @@ samr_dissect_element_CreateUser2_user_handle(tvbuff_t *tvb _U_, int offset _U_,
static int
samr_dissect_element_CreateUser2_user_handle_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
{
offset = PIDL_dissect_policy_hnd(tvb, offset, pinfo, tree, drep, hf_samr_user_handle, PIDL_POLHND_OPEN);
offset = PIDL_dissect_policy_hnd(tvb, offset, pinfo, tree, drep, hf_samr_user_handle, PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_SAMR_USER);
return offset;
}
@ -12226,7 +12256,7 @@ samr_dissect_element_Connect2_connect_handle(tvbuff_t *tvb _U_, int offset _U_,
static int
samr_dissect_element_Connect2_connect_handle_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
{
offset = PIDL_dissect_policy_hnd(tvb, offset, pinfo, tree, drep, hf_samr_connect_handle, PIDL_POLHND_OPEN);
offset = PIDL_dissect_policy_hnd(tvb, offset, pinfo, tree, drep, hf_samr_connect_handle, PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_SAMR_CONNECT);
return offset;
}
@ -12515,7 +12545,7 @@ samr_dissect_element_Connect3_connect_handle(tvbuff_t *tvb _U_, int offset _U_,
static int
samr_dissect_element_Connect3_connect_handle_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
{
offset = PIDL_dissect_policy_hnd(tvb, offset, pinfo, tree, drep, hf_samr_connect_handle, PIDL_POLHND_OPEN);
offset = PIDL_dissect_policy_hnd(tvb, offset, pinfo, tree, drep, hf_samr_connect_handle, PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_SAMR_CONNECT);
return offset;
}
@ -12603,7 +12633,7 @@ samr_dissect_element_Connect4_connect_handle(tvbuff_t *tvb _U_, int offset _U_,
static int
samr_dissect_element_Connect4_connect_handle_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
{
offset = PIDL_dissect_policy_hnd(tvb, offset, pinfo, tree, drep, hf_samr_connect_handle, PIDL_POLHND_OPEN);
offset = PIDL_dissect_policy_hnd(tvb, offset, pinfo, tree, drep, hf_samr_connect_handle, PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_SAMR_CONNECT);
return offset;
}
@ -12915,7 +12945,7 @@ samr_dissect_element_Connect5_connect_handle(tvbuff_t *tvb _U_, int offset _U_,
static int
samr_dissect_element_Connect5_connect_handle_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
{
offset = PIDL_dissect_policy_hnd(tvb, offset, pinfo, tree, drep, hf_samr_connect_handle, PIDL_POLHND_OPEN);
offset = PIDL_dissect_policy_hnd(tvb, offset, pinfo, tree, drep, hf_samr_connect_handle, PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_SAMR_CONNECT);
return offset;
}
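Review bot: In cnf_dissect_sec_desc_buf_ the new `if(di){` guard comes after `di` has already been dereferenced by `if(di->conformant_run){`, so it either protects nothing or sits behind a NULL dereference on the earlier line. If `pinfo->private_data` can be NULL while dissecting a capture, the check has to come before the `conformant_run` test. If it cannot, drop the guard and the `= NULL` initialiser so the code does not suggest a case it does not handle. The `switch(type)` also has no `default:`; adding `default: break;` with a comment that `ami` stays NULL for untyped handles would document the fallback. The same body appears in the last file section of this page, so the change probably belongs in both places.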


@ -584,7 +584,7 @@ static int SpoolssClosePrinter_q(tvbuff_t *tvb, int offset,
tvb, offset, pinfo, tree, drep, hf_hnd, &policy_hnd, NULL,
FALSE, TRUE);
dcerpc_smb_fetch_pol(&policy_hnd, &pol_name, NULL, NULL,
dcerpc_fetch_polhnd_data(&policy_hnd, &pol_name, NULL, NULL, NULL,
pinfo->fd->num);
if (check_col(pinfo->cinfo, COL_INFO) && pol_name)
@ -2600,7 +2600,7 @@ static int SpoolssOpenPrinterEx_r(tvbuff_t *tvb, int offset,
pol_name = "Unknown OpenPrinterEx() handle";
}
if(!pinfo->fd->flags.visited){
dcerpc_smb_store_pol_name(&policy_hnd, pinfo, pol_name);
dcerpc_store_polhnd_name(&policy_hnd, pinfo, pol_name);
}
if(hnd_item)
@ -3224,7 +3224,7 @@ static int SpoolssReplyOpenPrinter_r(tvbuff_t *tvb, int offset,
pol_name = "Unknown ReplyOpenPrinter() handle";
}
if(!pinfo->fd->flags.visited){
dcerpc_smb_store_pol_name(&policy_hnd, pinfo, pol_name);
dcerpc_store_polhnd_name(&policy_hnd, pinfo, pol_name);
}
if(hnd_item)
@ -3732,7 +3732,7 @@ static int SpoolssAddPrinterEx_r(tvbuff_t *tvb, int offset, packet_info *pinfo,
pol_name = "Unknown AddPrinterEx() handle";
}
if(!pinfo->fd->flags.visited){
dcerpc_smb_store_pol_name(&policy_hnd, pinfo, pol_name);
dcerpc_store_polhnd_name(&policy_hnd, pinfo, pol_name);
}
if(hnd_item)
@ -4766,7 +4766,7 @@ static int SpoolssStartPagePrinter_q(tvbuff_t *tvb, int offset,
tvb, offset, pinfo, tree, drep, hf_hnd, &policy_hnd, NULL,
FALSE, FALSE);
dcerpc_smb_fetch_pol(&policy_hnd, &pol_name, NULL, NULL,
dcerpc_fetch_polhnd_data(&policy_hnd, &pol_name, NULL, NULL, NULL,
pinfo->fd->num);
if (check_col(pinfo->cinfo, COL_INFO) && pol_name)
@ -4805,7 +4805,7 @@ static int SpoolssEndPagePrinter_q(tvbuff_t *tvb, int offset,
tvb, offset, pinfo, tree, drep, hf_hnd, &policy_hnd, NULL,
FALSE, FALSE);
dcerpc_smb_fetch_pol(&policy_hnd, &pol_name, NULL, NULL,
dcerpc_fetch_polhnd_data(&policy_hnd, &pol_name, NULL, NULL, NULL,
pinfo->fd->num);
if (check_col(pinfo->cinfo, COL_INFO) && pol_name)
@ -4959,7 +4959,7 @@ static int SpoolssStartDocPrinter_q(tvbuff_t *tvb, int offset,
tvb, offset, pinfo, tree, drep, hf_hnd, &policy_hnd, NULL,
FALSE, FALSE);
dcerpc_smb_fetch_pol(&policy_hnd, &pol_name, NULL, NULL,
dcerpc_fetch_polhnd_data(&policy_hnd, &pol_name, NULL, NULL, NULL,
pinfo->fd->num);
if (check_col(pinfo->cinfo, COL_INFO) && pol_name)
@ -5003,7 +5003,7 @@ static int SpoolssEndDocPrinter_q(tvbuff_t *tvb, int offset,
tvb, offset, pinfo, tree, drep, hf_hnd, &policy_hnd, NULL,
FALSE, FALSE);
dcerpc_smb_fetch_pol(&policy_hnd, &pol_name, NULL, NULL,
dcerpc_fetch_polhnd_data(&policy_hnd, &pol_name, NULL, NULL, NULL,
pinfo->fd->num);
if (check_col(pinfo->cinfo, COL_INFO) && pol_name)
@ -5049,7 +5049,7 @@ static int SpoolssWritePrinter_q(tvbuff_t *tvb, int offset, packet_info *pinfo,
tvb, offset, pinfo, tree, drep, hf_hnd, &policy_hnd, NULL,
FALSE, FALSE);
dcerpc_smb_fetch_pol(&policy_hnd, &pol_name, NULL, NULL,
dcerpc_fetch_polhnd_data(&policy_hnd, &pol_name, NULL, NULL, NULL,
pinfo->fd->num);
if (check_col(pinfo->cinfo, COL_INFO) && pol_name)
@ -5542,7 +5542,7 @@ static int SpoolssGetPrinterDriver2_q(tvbuff_t *tvb, int offset,
tvb, offset, pinfo, tree, drep, hf_hnd, &policy_hnd, NULL,
FALSE, FALSE);
dcerpc_smb_fetch_pol(&policy_hnd, &pol_name, NULL, NULL,
dcerpc_fetch_polhnd_data(&policy_hnd, &pol_name, NULL, NULL, NULL,
pinfo->fd->num);
if (check_col(pinfo->cinfo, COL_INFO) && pol_name)


@ -186,7 +186,7 @@ svcctl_dissect_OpenSCManager_reply(tvbuff_t *tvb, int offset,
pol_name = "Unknown OpenSCManagerW() handle";
}
if(!pinfo->fd->flags.visited){
dcerpc_smb_store_pol_name(&policy_hnd, pinfo, pol_name);
dcerpc_store_polhnd_name(&policy_hnd, pinfo, pol_name);
}
if(hnd_item)
@ -272,7 +272,7 @@ svcctl_dissect_OpenSCManagerW_reply(tvbuff_t *tvb, int offset,
pol_name = "Unknown OpenSCManagerW() handle";
}
if(!pinfo->fd->flags.visited){
dcerpc_smb_store_pol_name(&policy_hnd, pinfo, pol_name);
dcerpc_store_polhnd_name(&policy_hnd, pinfo, pol_name);
}
if(hnd_item)
@ -303,7 +303,7 @@ svcctl_dissect_CloseServiceHandle_rqst(tvbuff_t *tvb, int offset,
tvb, offset, pinfo, tree, drep, hf_svcctl_hnd, &policy_hnd,
NULL, FALSE, TRUE);
dcerpc_smb_fetch_pol(&policy_hnd, &pol_name, NULL, NULL,
dcerpc_fetch_polhnd_data(&policy_hnd, &pol_name, NULL, NULL, NULL,
pinfo->fd->num);
if (check_col(pinfo->cinfo, COL_INFO) && pol_name)


@ -3358,6 +3358,7 @@ dissect_dcerpc_cn_rqst (tvbuff_t *tvb, gint offset, packet_info *pinfo,
call_value->max_ptr=0;
call_value->se_data = NULL;
call_value->private_data = NULL;
call_value->pol = NULL;
g_hash_table_insert (dcerpc_cn_calls, call_key, call_value);
new_matched_key = se_alloc(sizeof (dcerpc_matched_key));
@ -4564,6 +4565,7 @@ dissect_dcerpc_dg_rqst (tvbuff_t *tvb, int offset, packet_info *pinfo,
call_value->max_ptr=0;
call_value->se_data = NULL;
call_value->private_data = NULL;
call_value->pol = NULL;
g_hash_table_insert (dcerpc_dg_calls, call_key, call_value);
new_matched_key = se_alloc(sizeof (dcerpc_matched_key));
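Review bot: `call_value->pol = NULL;` is added at the two sites shown, in dissect_dcerpc_cn_rqst and dissect_dcerpc_dg_rqst, but any other place that builds a dcerpc_call_value would leave `pol` uninitialised; no such place is visible in these hunks. The readers added by this commit (`if(!dcv->pol){` and `polhnd = dcv->pol;`) would then act on an indeterminate pointer while dissecting packet data. It is worth checking for other constructors of the struct, including stack instances. Zeroing the whole struct at creation, e.g. `memset(call_value, 0, sizeof *call_value);`, would keep a later field from being missed the same way. Both functions start and end outside the hunks.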


@ -294,6 +294,7 @@ typedef struct _dcerpc_call_value {
* request to the reply.
*/
void *private_data; /* XXX This will later be renamed as ep_data */
e_ctx_hnd *pol; /* policy handle tracked between request/response*/
} dcerpc_call_value;
typedef struct _dcerpc_info {
@ -430,12 +431,40 @@ init_ndr_pointer_list(packet_info *pinfo);
*/
/* Policy handle tracking. Describes in which function a handle is
* opened/closed. See "winreg.cnf" for example.
*
* The guint32 param is divided up into multiple fields
*
* +--------+--------+--------+--------+
* | Flags | Type | | |
* +--------+--------+--------+--------+
*/
/* Flags : */
#define PIDL_POLHND_OPEN 0x80000000
#define PIDL_POLHND_CLOSE 0x40000000
/* To "save" a pointer to the string in dcv->private_data */
#define PIDL_STR_SAVE 0x00020000
#define PIDL_STR_SAVE 0x20000000
/* To make this value appear on the summary line for the packet */
#define PIDL_SET_COL_INFO 0x00010000
#define PIDL_SET_COL_INFO 0x10000000
/* Type */
#define PIDL_POLHND_TYPE_MASK 0x00ff0000
#define PIDL_POLHND_TYPE_SAMR_USER 0x00010000
#define PIDL_POLHND_TYPE_SAMR_CONNECT 0x00020000
#define PIDL_POLHND_TYPE_SAMR_DOMAIN 0x00030000
#define PIDL_POLHND_TYPE_SAMR_GROUP 0x00040000
#define PIDL_POLHND_TYPE_SAMR_ALIAS 0x00050000
/* a structure we store for all policy handles we track */
typedef struct pol_value {
struct pol_value *next; /* Next entry in hash bucket */
guint32 open_frame, close_frame; /* Frame numbers for open/close */
guint32 first_frame; /* First frame in which this instance was seen */
guint32 last_frame; /* Last frame in which this instance was seen */
char *name; /* Name of policy handle */
guint32 type; /* policy handle type */
} pol_value;
#endif /* packet-dcerpc.h */
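Review bot: The new type field has no named value for "no type recorded", although the rest of the commit relies on 0 meaning exactly that (`pol->type=0;`, `*type = 0;`, and the `switch(type)` that falls through for untyped handles). A comment under `/* Type */` such as `/* 0 in the type field means no type was stored for the handle */` would make that contract explicit; a named constant would be an alternative. The layout diagram leaves the low 16 bits unlabelled; if they are the levels count masked by `CB_STR_ITEM_LEVELS` in packet-dcerpc-nt.h, which is only inferred from the matching flag values, the diagram should say so.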


@ -164,7 +164,7 @@ samr_query_dispinfo(void *dummy _U_, packet_info *pinfo, epan_dissect_t *edt, co
return 0;
}
if (!dcerpc_smb_fetch_pol(old_ctx, &pol_name, NULL, NULL, ri->call_data->req_frame)) {
if (!dcerpc_fetch_polhnd_data(old_ctx, &pol_name, NULL, NULL, NULL, ri->call_data->req_frame)) {
return 0;
}


@ -941,7 +941,7 @@ dissect_smb2_fid(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset
} else {
fid_name = se_strdup_printf("File: ");
}
dcerpc_smb_store_pol_name(&policy_hnd, pinfo,
dcerpc_store_polhnd_name(&policy_hnd, pinfo,
fid_name);
}
break;
@ -957,7 +957,7 @@ dissect_smb2_fid(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset
/* put the filename in col_info */
if (dcerpc_smb_fetch_pol(&policy_hnd, &fid_name, &open_frame, &close_frame, pinfo->fd->num)) {
if (dcerpc_fetch_polhnd_data(&policy_hnd, &fid_name, NULL, &open_frame, &close_frame, pinfo->fd->num)) {
if(fid_name){
if(hnd_item){
proto_item_append_text(hnd_item, " %s", fid_name);


@ -9,19 +9,19 @@ HF_FIELD hf_samr_sec_info "SecInfo" "samr.sec_info" FT_UINT32 BASE_HEX NULL 0 ""
# [opened in xxx] [closed in yyy]
#
# Policyhandles are opened in these functions
PARAM_VALUE samr_dissect_element_Connect_connect_handle_ PIDL_POLHND_OPEN
PARAM_VALUE samr_dissect_element_OpenDomain_domain_handle_ PIDL_POLHND_OPEN
PARAM_VALUE samr_dissect_element_CreateDomainGroup_group_handle_ PIDL_POLHND_OPEN
PARAM_VALUE samr_dissect_element_CreateUser_user_handle_ PIDL_POLHND_OPEN
PARAM_VALUE samr_dissect_element_CreateDomAlias_alias_handle_ PIDL_POLHND_OPEN
PARAM_VALUE samr_dissect_element_OpenGroup_group_handle_ PIDL_POLHND_OPEN
PARAM_VALUE samr_dissect_element_OpenAlias_alias_handle_ PIDL_POLHND_OPEN
PARAM_VALUE samr_dissect_element_OpenUser_user_handle_ PIDL_POLHND_OPEN
PARAM_VALUE samr_dissect_element_CreateUser2_user_handle_ PIDL_POLHND_OPEN
PARAM_VALUE samr_dissect_element_Connect2_connect_handle_ PIDL_POLHND_OPEN
PARAM_VALUE samr_dissect_element_Connect3_connect_handle_ PIDL_POLHND_OPEN
PARAM_VALUE samr_dissect_element_Connect4_connect_handle_ PIDL_POLHND_OPEN
PARAM_VALUE samr_dissect_element_Connect5_connect_handle_ PIDL_POLHND_OPEN
PARAM_VALUE samr_dissect_element_Connect_connect_handle_ PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_SAMR_CONNECT
PARAM_VALUE samr_dissect_element_OpenDomain_domain_handle_ PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_SAMR_DOMAIN
PARAM_VALUE samr_dissect_element_CreateDomainGroup_group_handle_ PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_SAMR_GROUP
PARAM_VALUE samr_dissect_element_CreateUser_user_handle_ PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_SAMR_USER
PARAM_VALUE samr_dissect_element_CreateDomAlias_alias_handle_ PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_SAMR_ALIAS
PARAM_VALUE samr_dissect_element_OpenGroup_group_handle_ PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_SAMR_GROUP
PARAM_VALUE samr_dissect_element_OpenAlias_alias_handle_ PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_SAMR_ALIAS
PARAM_VALUE samr_dissect_element_OpenUser_user_handle_ PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_SAMR_USER
PARAM_VALUE samr_dissect_element_CreateUser2_user_handle_ PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_SAMR_USER
PARAM_VALUE samr_dissect_element_Connect2_connect_handle_ PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_SAMR_CONNECT
PARAM_VALUE samr_dissect_element_Connect3_connect_handle_ PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_SAMR_CONNECT
PARAM_VALUE samr_dissect_element_Connect4_connect_handle_ PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_SAMR_CONNECT
PARAM_VALUE samr_dissect_element_Connect5_connect_handle_ PIDL_POLHND_OPEN|PIDL_POLHND_TYPE_SAMR_CONNECT
# Policyhandles are closed in these functions
PARAM_VALUE samr_dissect_element_Close_handle_ PIDL_POLHND_CLOSE
PARAM_VALUE samr_dissect_element_Shutdown_connect_handle_ PIDL_POLHND_CLOSE
@ -417,7 +417,11 @@ static int
cnf_dissect_sec_desc_buf_(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
guint32 len;
dcerpc_info *di;
dcerpc_info *di = NULL;
e_ctx_hnd *polhnd = NULL;
dcerpc_call_value *dcv = NULL;
guint32 type=0;
struct access_mask_info *ami=NULL;
di=pinfo->private_data;
if(di->conformant_run){
@ -428,8 +432,35 @@ cnf_dissect_sec_desc_buf_(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_t
offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
hf_samr_sec_desc_buf_len, &len);
dissect_nt_sec_desc(tvb, offset, pinfo, tree, drep, TRUE, len,
NULL);
if(di){
dcv = (dcerpc_call_value *)di->call_data;
}
if(dcv){
polhnd = dcv->pol;
}
if(polhnd){
dcerpc_fetch_polhnd_data(polhnd, NULL, &type, NULL, NULL,
pinfo->fd->num);
}
switch(type){
case PIDL_POLHND_TYPE_SAMR_USER:
ami=&samr_user_access_mask_info;
break;
case PIDL_POLHND_TYPE_SAMR_CONNECT:
ami=&samr_connect_access_mask_info;
break;
case PIDL_POLHND_TYPE_SAMR_DOMAIN:
ami=&samr_domain_access_mask_info;
break;
case PIDL_POLHND_TYPE_SAMR_GROUP:
ami=&samr_group_access_mask_info;
break;
case PIDL_POLHND_TYPE_SAMR_ALIAS:
ami=&samr_alias_access_mask_info;
break;
}
dissect_nt_sec_desc(tvb, offset, pinfo, tree, drep, TRUE, len, ami);
offset += len;