From b2751079ac330a0a8d7201ea0b403e1f90dc7066 Mon Sep 17 00:00:00 2001 From: Ulf Lamping Date: Mon, 14 Aug 2006 23:39:48 +0000 Subject: [PATCH] various minor DCOM dissection enhancements: - add a generic guid register to dissect UUID's (move this to a seperate file?) - this enables us to set some known names for special UUID's - use standard DCOM fields for IID and alike in remunk.c - cleanup dcom_protseq_vals handling - some FT_STRING to FT_GUID changes svn path=/trunk/; revision=18904 --- epan/dissectors/packet-dcom-oxid.c | 2 +- epan/dissectors/packet-dcom-remact.c | 13 --- epan/dissectors/packet-dcom-remunkn.c | 19 +--- epan/dissectors/packet-dcom.c | 121 +++++++++++++++++++++++--- epan/dissectors/packet-dcom.h | 1 + 5 files changed, 115 insertions(+), 41 deletions(-) diff --git a/epan/dissectors/packet-dcom-oxid.c b/epan/dissectors/packet-dcom-oxid.c index d4580673ce..35729d3c8a 100644 --- a/epan/dissectors/packet-dcom-oxid.c +++ b/epan/dissectors/packet-dcom-oxid.c @@ -321,7 +321,7 @@ proto_register_oxid (void) { &hf_oxid_requested_protseqs, { "RequestedProtSeq", "oxid_requested_protseqs", FT_UINT16, BASE_DEC, NULL, 0x0, "", HFILL }}, { &hf_oxid_protseqs, - { "ProtSeq", "oxid_protseqs", FT_UINT16, BASE_DEC, NULL, 0x0, "", HFILL }}, + { "ProtSeq", "oxid_protseqs", FT_UINT16, BASE_DEC, VALS(dcom_protseq_vals), 0x0, "", HFILL }}, { &hf_oxid_bindings, { "OxidBindings", "oxid_bindings", FT_NONE, BASE_DEC, NULL, 0x0, "", HFILL }}, diff --git a/epan/dissectors/packet-dcom-remact.c b/epan/dissectors/packet-dcom-remact.c index 93e5671f21..a471c582d4 100644 --- a/epan/dissectors/packet-dcom-remact.c +++ b/epan/dissectors/packet-dcom-remact.c 
@@ -51,19 +51,6 @@ static int hf_remact_interface_data = -1; static int hf_remact_oxid_bindings = -1; static int hf_remact_authn_hint = -1; -static const value_string dcom_protseq_vals[] = { - { 0x04, "NCACN_DNET_NSP" }, - { 0x07, "NCACN_IP_TCP" }, - { 0x08, "NCADG_IP_UDP" }, - { 0x09, "NCACN_IP" }, - { 0x0C, "NCACN_SPX" }, - { 0x0D, "NCACN_NB_IPX" }, - { 0x0E, "NCADG_IPX" }, - { 0x12, "NCACN_NB_NB" }, - { 0x1F, "NCACN_HTTP" }, - { 0, NULL } -}; - static int proto_remact = -1; static gint ett_remact = -1; diff --git a/epan/dissectors/packet-dcom-remunkn.c b/epan/dissectors/packet-dcom-remunkn.c index d7f29aaf08..48525402da 100644 --- a/epan/dissectors/packet-dcom-remunkn.c +++ b/epan/dissectors/packet-dcom-remunkn.c @@ -40,14 +40,11 @@ static int hf_remunk_opnum = -1; -static int hf_remunk_ipid = -1; + static int hf_remunk_refs = -1; static int hf_remunk_iids = -1; -static int hf_remunk_iid = -1; static int hf_remunk_flags = -1; -static int hf_remunk_oxid = -1; -static int hf_remunk_oid = -1; static int hf_remunk_qiresult = -1; static gint ett_remunk_reminterfaceref = -1; @@ -100,7 +97,7 @@ dissect_remunk_remqueryinterface_rqst(tvbuff_t *tvb, int offset, offset = dissect_dcom_this(tvb, offset, pinfo, tree, drep); offset = dissect_dcom_UUID(tvb, offset, pinfo, tree, drep, - hf_remunk_ipid, &ipid); + hf_dcom_ipid, &ipid); offset = dissect_dcom_DWORD(tvb, offset, pinfo, tree, drep, hf_remunk_refs, &u32Refs); @@ -123,7 +120,7 @@ dissect_remunk_remqueryinterface_rqst(tvbuff_t *tvb, int offset, for (u32ItemIdx = 0; u32ArraySize--; u32ItemIdx++) { offset = dissect_dcom_append_UUID(tvb, offset, pinfo, tree, drep, - hf_remunk_iid, "IID", u32ItemIdx+1, &iid); + hf_dcom_iid, "IID", u32ItemIdx+1, &iid); if(call != NULL) { call->iids[u32ItemIdx] = iid; } 
@@ -265,7 +262,7 @@ dissect_remunk_remrelease_rqst(tvbuff_t *tvb, int offset, u32SubStart = offset; offset = dissect_dcom_UUID(tvb, offset, pinfo, sub_tree, drep, - hf_remunk_ipid, &ipid); + hf_dcom_ipid, &ipid); offset = dissect_dcom_DWORD(tvb, offset, pinfo, sub_tree, drep, hf_remunk_public_refs, &u32PublicRefs); @@ -335,24 +332,16 @@ proto_register_remunk (void) { &hf_remunk_opnum, { "Operation", "remunk_opnum", FT_UINT16, BASE_DEC, NULL, 0x0, "Operation", HFILL }}, - { &hf_remunk_ipid, - { "IPID", "remunk_ipid", FT_STRING, BASE_NONE, NULL, 0x0, "", HFILL }}, { &hf_remunk_refs, { "Refs", "remunk_refs", FT_UINT32, BASE_DEC, NULL, 0x0, "", HFILL }}, { &hf_remunk_iids, { "IIDs", "remunk_iids", FT_UINT16, BASE_DEC, NULL, 0x0, "", HFILL }}, - { &hf_remunk_iid, - { "IID", "remunk_iid", FT_STRING, BASE_NONE, NULL, 0x0, "", HFILL }}, { &hf_remunk_qiresult, { "QIResult", "remunk_qiresult", FT_NONE, BASE_DEC, NULL, 0x0, "", HFILL }}, { &hf_remunk_flags, { "Flags", "remunk_flags", FT_UINT32, BASE_HEX, NULL, 0x0, "", HFILL }}, { &hf_remunk_public_refs, { "PublicRefs", "remunk_public_refs", FT_UINT32, BASE_DEC, NULL, 0x0, "", HFILL }}, - { &hf_remunk_oxid, - { "OXID", "remunk_oxid", FT_UINT64, BASE_HEX, NULL, 0x0, "", HFILL }}, - { &hf_remunk_oid, - { "OID", "remunk_oid", FT_UINT64, BASE_HEX, NULL, 0x0, "", HFILL }}, { &hf_remunk_reminterfaceref, { "RemInterfaceRef", "remunk_reminterfaceref", FT_NONE, BASE_NONE, NULL, 0x0, "", HFILL }}, { &hf_remunk_interface_refs, diff --git a/epan/dissectors/packet-dcom.c b/epan/dissectors/packet-dcom.c index 116f147514..e38728f339 100644 --- a/epan/dissectors/packet-dcom.c +++ b/epan/dissectors/packet-dcom.c 
@@ -215,10 +215,80 @@ static int hf_dcom_vt_bstr = -1; static int hf_dcom_vt_byref = -1; static int hf_dcom_vt_dispatch = -1; +static e_uuid_t uuid_debug_ext = { 0xf1f19680, 0x4d2a, 0x11ce, { 0xa6, 0x6a, 0x00, 0x20, 0xaf, 0x6e, 0x72, 0xf4} }; +static e_uuid_t uuid_ext_error_ext = { 0xf1f19681, 0x4d2a, 0x11ce, { 0xa6, 0x6a, 0x00, 0x20, 0xaf, 0x6e, 0x72, 0xf4} }; GList *dcom_machines; GList *dcom_interfaces; +static const value_string dcom_thisthat_flag_vals[] = { + { 0, "INFO_NULL" }, + { 0, NULL } +}; + + +typedef struct _guid_key { + e_guid_t guid; +} guid_key; + +typedef struct _guid_value { + const gchar *name; + void *private_data; +} guid_value; + + +GHashTable *guids=NULL; + +static gint +guid_equal (gconstpointer k1, gconstpointer k2) +{ + const guid_key *key1 = (const guid_key *)k1; + const guid_key *key2 = (const guid_key *)k2; + return ((memcmp (&key1->guid, &key2->guid, sizeof (e_guid_t)) == 0)); +} + +static guint +guid_hash (gconstpointer k) +{ + const guid_key *key = (const guid_key *)k; + /* This isn't perfect, but the Data1 part of these is almost always + unique. */ + return key->guid.data1; +} + + +void guid_add_name(e_guid_t *guid, gchar *name, void *private_data) +{ + guid_key *key = g_malloc (sizeof (*key)); + guid_value *value = g_malloc (sizeof (*value)); + + key->guid = *guid; + + value->name = name; + value->private_data = private_data; + + g_hash_table_insert (guids, key, value); +} + + +/* try to get registered name for this guid */ +const gchar *guid_get_name(e_guid_t *guid) +{ + guid_key key; + guid_value *value; + + + /* try to get registered guid "name" of if_id */ + key.guid = *guid; + + if ((value = g_hash_table_lookup (guids, &key)) != NULL) { + return value->name; + } + + return NULL; +} + + void dcom_interface_dump(void) { dcom_machine_t *machine; dcom_object_t *object; 
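Review bot: `guid_add_name()` and `guid_get_name()` use `guids` unconditionally, yet the table is only created in the `proto_register_dcom` hunk further down, and all three symbols get external linkage without a prototype being added to packet-dcom.h. If they are file-local for now, declare them `static` (`static GHashTable *guids = NULL;`); if other dissectors are meant to register names, add the prototypes and a comment stating that the table must exist before the first call. Neither function writes through its pointer arguments, so `const e_guid_t *guid` and `const gchar *name` fit better, and since `name` is stored rather than copied it deserves `/* name is not copied; it must stay valid for the life of the table */`. As far as this hunk shows, registering the same GUID twice would leave the newly allocated key and the previously stored value unreferenced, because the table is created without destroy callbacks.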
@@ -630,7 +700,7 @@ static const value_string dcom_dualstringarray_authn[] = { { 0, NULL} }; -static const value_string dcom_dualstringarray_tower_id_vals[] = { +const value_string dcom_protseq_vals[] = { { 0x04, "NCACN_DNET_NSP" }, { 0x07, "NCACN_IP_TCP" }, { 0x08, "NCADG_IP_UDP" }, @@ -670,6 +740,7 @@ dissect_dcom_extent(tvbuff_t *tvb, int offset, guint32 u32ExtentSize; e_uuid_t uuidExtend; + const char *uuid_name; offset = dissect_dcom_dcerpc_pointer(tvb, offset, pinfo, tree, drep, &u32Pointer); 
@@ -705,16 +776,39 @@ dissect_dcom_extent(tvbuff_t *tvb, int offset, if(u32Pointer != 0) { u32VariableOffset = dissect_dcom_DWORD(tvb, u32VariableOffset, pinfo, sub_tree, drep, hf_dcom_extent_size, &u32ExtentSize); - u32VariableOffset = dissect_dcom_UUID(tvb, u32VariableOffset, pinfo, sub_tree, drep, + + dissect_dcom_UUID(tvb, u32VariableOffset, pinfo, NULL, drep, hf_dcom_extent_id, &uuidExtend); + /* look for a registered uuid name */ + if((uuid_name = guid_get_name( (e_guid_t *) &uuidExtend)) != NULL) { + proto_tree_add_guid_format_value(sub_tree, hf_dcom_extent_id, tvb, + offset, sizeof(e_uuid_t), (e_guid_t *) &uuidExtend, "%s (%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x)", + uuid_name, + uuidExtend.Data1, uuidExtend.Data2, uuidExtend.Data3, + uuidExtend.Data4[0], uuidExtend.Data4[1], + uuidExtend.Data4[2], uuidExtend.Data4[3], + uuidExtend.Data4[4], uuidExtend.Data4[5], + uuidExtend.Data4[6], uuidExtend.Data4[7]); + u32VariableOffset += 16; + } else { + u32VariableOffset = dissect_dcom_UUID(tvb, u32VariableOffset, pinfo, sub_tree, drep, + hf_dcom_extent_id, &uuidExtend); + } + + u32VariableOffset = dissect_dcom_dcerpc_array_size(tvb, u32VariableOffset, pinfo, sub_tree, drep, &u32ArraySize2); u32VariableOffset = dissect_dcom_tobedone_data(tvb, u32VariableOffset, pinfo, sub_tree, drep, u32ArraySize2); /* update subtree header */ - proto_item_append_text(sub_item, "[%u]: Bytes=%u", - u32Idx, u32ArraySize2); + if(uuid_name != NULL) { + proto_item_append_text(sub_item, "[%u]: %s, Bytes=%u", + u32Idx, uuid_name, u32ArraySize2); + } else { + proto_item_append_text(sub_item, "[%u]: Bytes=%u", + u32Idx, u32ArraySize2); + } proto_item_set_len(sub_item, offset - u32SubStart); } else { /* update subtree header */ 
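Review bot: In the named-UUID branch, `proto_tree_add_guid_format_value()` is given `offset` as the start of the item, but the UUID was read from `u32VariableOffset` (and the `else` branch adds it there), so the item is attached to the wrong 16 bytes of the buffer; the start argument should be `u32VariableOffset`. The same branch advances with a literal `u32VariableOffset += 16;` right after using `sizeof(e_uuid_t)` for the length; using `sizeof(e_uuid_t)` in both places keeps them in step. The `(e_guid_t *) &uuidExtend` casts rely on `e_uuid_t` and `e_guid_t` having the same layout, which is not visible here and is worth a comment next to the cast. `dissect_dcom_extent` begins and ends outside this hunk.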
@@ -1685,7 +1779,7 @@ dissect_dcom_DUALSTRINGARRAY(tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_item_append_text(subsub_item, "[%u]: TowerId=%s, NetworkAddr=\"%s\"", u32StringBindings, - val_to_str(u16TowerId, dcom_dualstringarray_tower_id_vals, "Unknown (0x%04x"), + val_to_str(u16TowerId, dcom_protseq_vals, "Unknown (0x%04x"), szStr); proto_item_set_len(subsub_item, offset - u32SubSubStart); } @@ -1932,7 +2026,7 @@ proto_register_dcom (void) { &hf_dcom_this_version_minor, { "VersionMinor", "dcom.this.version_minor", FT_UINT16, BASE_DEC, NULL, 0x0, "", HFILL }}, { &hf_dcom_this_flags, - { "Flags", "dcom.this.flags", FT_UINT32, BASE_HEX, NULL, 0x0, "", HFILL }}, + { "Flags", "dcom.this.flags", FT_UINT32, BASE_HEX, VALS(dcom_thisthat_flag_vals), 0x0, "", HFILL }}, { &hf_dcom_this_res, { "Reserved", "dcom.this.res", FT_UINT32, BASE_HEX, NULL, 0x0, "", HFILL }}, { &hf_dcom_this_cid, @@ -1941,7 +2035,7 @@ proto_register_dcom (void) static hf_register_info hf_dcom_that_array[] = { { &hf_dcom_that_flags, - { "Flags", "dcom.that.flags", FT_UINT32, BASE_HEX, NULL, 0x0, "", HFILL }} + { "Flags", "dcom.that.flags", FT_UINT32, BASE_HEX, VALS(dcom_thisthat_flag_vals), 0x0, "", HFILL }} }; static hf_register_info hf_dcom_extent_array[] = { @@ -1954,7 +2048,7 @@ proto_register_dcom (void) { &hf_dcom_extent_size, { "Extension Size", "dcom.extent.size", FT_UINT32, BASE_DEC, NULL, 0x0, "", HFILL }}, { &hf_dcom_extent_id, - { "Extension Id", "dcom.extent.id", FT_STRING, BASE_NONE, NULL, 0x0, "", HFILL }} + { "Extension Id", "dcom.extent.id", FT_GUID, BASE_NONE, NULL, 0x0, "", HFILL }} }; static hf_register_info hf_dcom_array[] = { 
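Review bot: The fallback format passed to `val_to_str()` in `dissect_dcom_DUALSTRINGARRAY` is `"Unknown (0x%04x"`, which never closes its parenthesis, so an unrecognised tower id is rendered with an unbalanced bracket in front of `NetworkAddr=`. This line is already being edited for the table rename, so the string can be fixed in the same change: `val_to_str(u16TowerId, dcom_protseq_vals, "Unknown (0x%04x)"),`. The enclosing function starts and ends outside the hunk.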
@@ -2009,9 +2103,9 @@ proto_register_dcom (void) { &hf_dcom_objref_flags, { "Flags", "dcom.objref.flags", FT_UINT32, BASE_HEX, VALS(dcom_objref_flag_vals), 0x0, "", HFILL }}, { &hf_dcom_iid, - { "IID", "dcom.iid", FT_STRING, BASE_NONE, NULL, 0x0, "", HFILL }}, + { "IID", "dcom.iid", FT_GUID, BASE_NONE, NULL, 0x0, "", HFILL }}, { &hf_dcom_clsid, - { "CLSID", "dcom.clsid", FT_STRING, BASE_NONE, NULL, 0x0, "", HFILL }}, + { "CLSID", "dcom.clsid", FT_GUID, BASE_NONE, NULL, 0x0, "", HFILL }}, { &hf_dcom_objref_resolver_address, { "ResolverAddress", "dcom.objref.resolver_address", FT_NONE, BASE_NONE, NULL, 0x0, "", HFILL }}, { &hf_dcom_objref_cbextension, @@ -2043,7 +2137,7 @@ proto_register_dcom (void) { &hf_dcom_dualstringarray_string, { "StringBinding", "dcom.dualstringarray.string", FT_NONE, BASE_NONE, NULL, 0x0, "", HFILL }}, { &hf_dcom_dualstringarray_string_tower_id, - { "TowerId", "dcom.dualstringarray.tower_id", FT_UINT16, BASE_HEX, VALS(dcom_dualstringarray_tower_id_vals), 0x0, "", HFILL }}, + { "TowerId", "dcom.dualstringarray.tower_id", FT_UINT16, BASE_HEX, VALS(dcom_protseq_vals), 0x0, "", HFILL }}, { &hf_dcom_dualstringarray_string_network_addr, { "NetworkAddr", "dcom.dualstringarray.network_addr", FT_STRING, BASE_NONE, NULL, 0x0, "", HFILL }}, { &hf_dcom_dualstringarray_security, @@ -2168,7 +2262,10 @@ proto_register_dcom (void) proto_register_field_array(proto_dcom, hf_dcom_sa_array, array_length(hf_dcom_sa_array)); proto_register_subtree_array (ett_dcom, array_length (ett_dcom)); - + guids = g_hash_table_new (guid_hash, guid_equal); + guid_add_name( (e_guid_t *) &uuid_debug_ext, "Debug Information Body Extension", NULL); + guid_add_name( (e_guid_t *) &uuid_ext_error_ext, "Extended Error Info Body Extension", NULL); + /* preferences */ dcom_module = prefs_register_protocol(proto_dcom, proto_reg_handoff_dcom); diff --git a/epan/dissectors/packet-dcom.h b/epan/dissectors/packet-dcom.h index 4d9cabcf89..0f3914064b 100644 --- a/epan/dissectors/packet-dcom.h 
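Review bot: `dcom.iid` and `dcom.clsid` switch from `FT_STRING` to `FT_GUID` here (as does `dcom.extent.id` in the `hf_dcom_extent_array` hunk), but no hunk in this patch touches `dissect_dcom_UUID()` or `dissect_dcom_append_UUID()`, the helpers that are handed these field ids. Please confirm that those helpers add the item through a GUID-typed call, since the value passed when adding an item has to agree with the registered field type. A short comment above the entries, for example `/* FT_GUID: add these only through the GUID-typed helpers */`, would record the constraint. The type change presumably also alters how these fields are written in display filters, which is worth mentioning where the change is announced.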
+++ b/epan/dissectors/packet-dcom.h @@ -28,6 +28,7 @@ extern const value_string dcom_hresult_vals[]; extern const value_string dcom_variant_type_vals[]; +extern const value_string dcom_protseq_vals[]; extern int hf_dcom_iid; extern int hf_dcom_clsid;