add an experimental DCOM object "database" based on the exchanged interface pointers

add a lot more PROFINET CBA dissection output based on these DCOM context information
still need some improvements, e.g. dissection uses a simple (slow) linear list search
changes are fuzz-tested

svn path=/trunk/; revision=18882
Ulf Lamping 2006-08-11 19:15:12 +00:00
parent 5f8e067936
commit d0aed5f920
10 changed files with 2076 additions and 139 deletions

File diff suppressed because it is too large Load Diff


@ -25,8 +25,54 @@
#ifndef __PACKET_DCERPC_DCOM_CBA_ACCO_H
#define __PACKET_DCERPC_DCOM_CBA_ACCO_H
int
typedef struct cba_pdev_s {
GList *ldevs;
dcom_object_t *object;
gint first_packet;
const guint8 ip[4];
} cba_pdev_t;
typedef struct cba_ldev_s {
GList *provframes;
GList *consframes;
GList *provconns;
GList *consconns;
dcom_object_t *ldev_object;
dcom_object_t *acco_object;
cba_pdev_t *parent;
gint first_packet;
const char *name;
} cba_ldev_t;
extern GList *cba_pdevs;
extern cba_pdev_t *
cba_pdev_find(packet_info *pinfo, const char *ip, e_uuid_t *ipid);
extern void
cba_pdev_link(packet_info *pinfo, cba_pdev_t *pdev, dcom_interface_t *pdev_interf);
extern cba_pdev_t *
cba_pdev_add(packet_info *pinfo, const char *ip);
extern void
cba_ldev_link(packet_info *pinfo, cba_ldev_t *ldev, dcom_interface_t *ldev_interf);
extern void
cba_ldev_link_acco(packet_info *pinfo, cba_ldev_t *ldev, dcom_interface_t *acco_interf);
extern cba_ldev_t *
cba_ldev_find(packet_info *pinfo, const gchar *ip, e_uuid_t *ipid);
extern cba_ldev_t *
cba_ldev_add(packet_info *pinfo, cba_pdev_t *pdev, const char *name);
/*int
dissect_CBA_Connection_Data(tvbuff_t *tvb, packet_info *pinfo,
proto_tree *tree);
proto_tree *tree, cba_ldev_t *ldev, cba_frame_t *frame);*/
#endif /* packet-dcerpc-dcom-cba-acco.h */
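Review bot: The `ip` parameters of `cba_pdev_find`, `cba_pdev_add` and `cba_ldev_find` are typed `const char *` / `const gchar *`, which reads as a NUL-terminated string, while `cba_pdev_t` stores the address as `const guint8 ip[4]`. The callers visible elsewhere in this commit pass `pinfo->net_src.data` / `pinfo->net_dst.data`, so these are presumably four raw address bytes; declaring them `const guint8 *ip` with a comment such as `/* ip: 4 raw IPv4 address bytes, not a string */` would stop a later caller from handing in a dotted-decimal string or an address of another length. The `const` on the struct member also means the field can only be filled through a cast, so a plain `guint8 ip[4];` is probably what is wanted. The implementations are in the suppressed file diff, so how `ip` is actually read cannot be checked from this page.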


@ -33,9 +33,12 @@
#include <glib.h>
#include <epan/packet.h>
#include <epan/emem.h>
#include <epan/expert.h>
#include "packet-dcerpc.h"
#include "packet-dcom.h"
#include "packet-dcom-dispatch.h"
#include "packet-dcom-cba-acco.h"
static int hf_cba_opnum = -1;
@ -569,6 +572,8 @@ dissect_ICBAPhysicalDevice_get_LogicalDevice_rqst(tvbuff_t *tvb, int offset,
guint32 u32Pointer;
gchar szStr[1000];
guint32 u32MaxStr = sizeof(szStr);
dcerpc_info *info = (dcerpc_info *) pinfo->private_data;
gchar *call;
offset = dissect_dcom_this(tvb, offset, pinfo, tree, drep);
@ -579,7 +584,12 @@ dissect_ICBAPhysicalDevice_get_LogicalDevice_rqst(tvbuff_t *tvb, int offset,
offset = dissect_dcom_BSTR(tvb, offset, pinfo, tree, drep,
hf_cba_name, szStr, u32MaxStr);
}
if(szStr != NULL) {
call = se_strdup(szStr);
info->call_data->private_data = call;
}
if (check_col(pinfo->cinfo, COL_INFO)) {
col_append_fstr(pinfo->cinfo, COL_INFO, ": \"%s\"", szStr);
}
@ -593,11 +603,31 @@ dissect_ICBAPhysicalDevice_get_LogicalDevice_resp(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
guint32 u32HResult;
dcerpc_info *info = (dcerpc_info *) pinfo->private_data;
gchar *ldev_name = info->call_data->private_data;
dcom_interface_t *pdev_interf;
dcom_interface_t *ldev_interf;
cba_pdev_t *pdev;
cba_ldev_t *ldev;
offset = dissect_dcom_that(tvb, offset, pinfo, tree, drep);
offset = dissect_dcom_PMInterfacePointer(tvb, offset, pinfo, tree, drep, 0);
offset = dissect_dcom_PMInterfacePointer(tvb, offset, pinfo, tree, drep, 0, &ldev_interf);
/* try to read the ldev name from the request */
if(ldev_name != NULL && ldev_interf != NULL) {
/* XXX - this is a hack to create a pdev interface */
/* as I currently don't understand the objref process for a root interface! */
pdev_interf = dcom_interface_new(pinfo, pinfo->net_dst.data, &uuid_ICBAPhysicalDevice, 0, 0, &info->call_data->object_uuid);
if(pdev_interf != NULL) {
pdev = cba_pdev_add(pinfo, pinfo->net_dst.data);
cba_pdev_link(pinfo, pdev, pdev_interf);
ldev = cba_ldev_add(pinfo, pdev, ldev_name);
cba_ldev_link(pinfo, ldev, ldev_interf);
}
}
offset = dissect_dcom_HRESULT(tvb, offset, pinfo, tree, drep,
&u32HResult);
@ -730,7 +760,38 @@ dissect_Revision_resp(tvbuff_t *tvb, int offset,
static int
dissect_get_Name_resp(tvbuff_t *tvb, int offset,
dissect_ICBALogicalDevice_get_Name_resp(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
gchar szStr[1000];
guint32 u32MaxStr = sizeof(szStr);
guint32 u32Pointer;
guint32 u32HResult;
offset = dissect_dcom_that(tvb, offset, pinfo, tree, drep);
offset = dissect_dcom_dcerpc_pointer(tvb, offset, pinfo, tree, drep,
&u32Pointer);
if (u32Pointer) {
offset = dissect_dcom_BSTR(tvb, offset, pinfo, tree, drep,
hf_cba_name, szStr, u32MaxStr);
}
offset = dissect_dcom_HRESULT(tvb, offset, pinfo, tree, drep,
&u32HResult);
if (check_col(pinfo->cinfo, COL_INFO)) {
col_append_fstr(pinfo->cinfo, COL_INFO, ": \"%s\" -> %s", szStr,
val_to_str(u32HResult, dcom_hresult_vals, "Unknown (0x%08x)") );
}
return offset;
}
static int
dissect_RTAuto_get_Name_resp(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
@ -743,11 +804,25 @@ dissect_ICBALogicalDevice_get_ACCO_resp(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
guint32 u32HResult;
dcom_interface_t *acco_interf;
dcerpc_info *info = (dcerpc_info *) pinfo->private_data;
cba_ldev_t *ldev;
offset = dissect_dcom_that(tvb, offset, pinfo, tree, drep);
offset = dissect_dcom_PMInterfacePointer(tvb, offset, pinfo, tree, drep, 0);
offset = dissect_dcom_PMInterfacePointer(tvb, offset, pinfo, tree, drep, 0, &acco_interf);
if(acco_interf == NULL) {
expert_add_info_format(pinfo, NULL, PI_UNDECODED, PI_WARN,
"LDev_get_ACCO: can't resolve ACCO interface pointer");
}
ldev = cba_ldev_find(pinfo, pinfo->net_src.data, &info->call_data->object_uuid);
/* "crosslink" interface and it's object */
if(ldev != NULL && acco_interf != NULL) {
cba_ldev_link_acco(pinfo, ldev, acco_interf);
}
offset = dissect_dcom_HRESULT(tvb, offset, pinfo, tree, drep, &u32HResult);
@ -769,7 +844,7 @@ dissect_ICBALogicalDevice_get_RTAuto_resp(tvbuff_t *tvb, int offset,
offset = dissect_dcom_that(tvb, offset, pinfo, tree, drep);
offset = dissect_dcom_PMInterfacePointer(tvb, offset, pinfo, tree, drep, 0);
offset = dissect_dcom_PMInterfacePointer(tvb, offset, pinfo, tree, drep, 0, NULL);
offset = dissect_dcom_HRESULT(tvb, offset, pinfo, tree, drep, &u32HResult);
@ -857,7 +932,7 @@ dissect_Advise_rqst(tvbuff_t *tvb, int offset,
offset = dissect_dcom_this(tvb, offset, pinfo, tree, drep);
offset = dissect_dcom_PMInterfacePointer(tvb, offset, pinfo, tree, drep, 0);
offset = dissect_dcom_PMInterfacePointer(tvb, offset, pinfo, tree, drep, 0, NULL);
return offset;
}
@ -1001,7 +1076,7 @@ dissect_ICBAPhysicalDevicePCEvent_OnLogicalDeviceAdded_rqst(tvbuff_t *tvb, int o
offset = dissect_dcom_DWORD(tvb, offset, pinfo, tree, drep,
hf_cba_cookie, &u32Cookie);
offset = dissect_dcom_PMInterfacePointer(tvb, offset, pinfo, tree, drep, 0);
offset = dissect_dcom_PMInterfacePointer(tvb, offset, pinfo, tree, drep, 0, NULL);
offset = dissect_dcom_HRESULT(tvb, offset, pinfo, tree, drep,
&u32HResult);
@ -1158,7 +1233,7 @@ static dcerpc_sub_dissector ICBALogicalDevice_dissectors[] = {
{ 5, "GetIDsOfNames", dissect_IDispatch_GetIDsOfNames_rqst, dissect_IDispatch_GetIDsOfNames_resp },
{ 6, "Invoke", dissect_IDispatch_Invoke_rqst, dissect_IDispatch_Invoke_resp },
{ 7, "get_Name", dissect_dcom_simple_rqst, dissect_get_Name_resp },
{ 7, "get_Name", dissect_dcom_simple_rqst, dissect_ICBALogicalDevice_get_Name_resp },
{ 8, "get_Producer", dissect_dcom_simple_rqst, dissect_get_Producer_resp },
{ 9, "get_Product", dissect_dcom_simple_rqst, dissect_get_Product_resp },
{10, "get_SerialNo", dissect_dcom_simple_rqst, dissect_get_SerialNo_resp },
@ -1262,7 +1337,7 @@ static dcerpc_sub_dissector ICBARTAuto_dissectors[] = {
{ 5, "GetIDsOfNames", dissect_IDispatch_GetIDsOfNames_rqst, dissect_IDispatch_GetIDsOfNames_resp },
{ 6, "Invoke", dissect_IDispatch_Invoke_rqst, dissect_IDispatch_Invoke_resp },
{ 7, "get_Name", dissect_dcom_simple_rqst, dissect_get_Name_resp },
{ 7, "get_Name", dissect_dcom_simple_rqst, dissect_RTAuto_get_Name_resp },
{ 8, "Revision", dissect_dcom_simple_rqst, dissect_Revision_resp },
/* stage 2 */
@ -1290,6 +1365,11 @@ static dcerpc_sub_dissector ICBASystemProperties_dissectors[] = {
};
static void cba_reinit( void) {
cba_pdevs = NULL;
}
/* register protocol */
void
proto_register_dcom_cba (void)
@ -1451,6 +1531,8 @@ proto_register_dcom_cba (void)
ett[0] = &ett_ICBASystemProperties;
proto_ICBASystemProperties = proto_register_protocol ("ICBASystemProperties", "ICBASysProp", "cba_sysprop");
proto_register_subtree_array (ett, array_length (ett));
register_init_routine(cba_reinit);
}
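Review bot: In `dissect_ICBAPhysicalDevice_get_LogicalDevice_rqst` the added test `if(szStr != NULL)` is always true because `szStr` is an array, so whenever the BSTR branch is skipped `se_strdup(szStr)` copies a stack buffer that the visible declaration `gchar szStr[1000];` never initialises. Declare it as `gchar szStr[1000] = { 0 };` and store the name only when one was read, e.g. `if(szStr[0] != '\0') {`. The new `dissect_ICBALogicalDevice_get_Name_resp` has the same uninitialised `szStr` reaching `col_append_fstr` when `u32Pointer` is zero. In `dissect_ICBAPhysicalDevice_get_LogicalDevice_resp` and `dissect_ICBALogicalDevice_get_ACCO_resp`, `pinfo->net_dst.data` / `pinfo->net_src.data` are handed on as a 4-byte address without the `pinfo->net_src.type == AT_IPv4` check that the remunk dissector in this commit applies. These function bodies extend beyond the hunks shown.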


@ -147,7 +147,7 @@ dissect_IDispatch_GetTypeInfo_resp(tvbuff_t *tvb, int offset,
offset = dissect_dcom_dcerpc_pointer(tvb, offset, pinfo, tree, drep,
&u32Pointer);
if (u32Pointer) {
offset = dissect_dcom_MInterfacePointer(tvb, offset, pinfo, tree, drep, hf_dispatch_itinfo);
offset = dissect_dcom_MInterfacePointer(tvb, offset, pinfo, tree, drep, hf_dispatch_itinfo, NULL /* XXX */);
}
/* HRESULT of call */


@ -239,7 +239,7 @@ dissect_oxid_resolve_oxid2_resp(tvbuff_t *tvb, int offset,
&u32ArraySize);
offset = dissect_dcom_DUALSTRINGARRAY(tvb, offset, pinfo, tree, drep,
hf_oxid_bindings);
hf_oxid_bindings, NULL);
offset = dissect_dcom_UUID(tvb, offset, pinfo, tree, drep,
hf_oxid_ipid, &ipid);
@ -275,7 +275,7 @@ dissect_oxid_server_alive2_resp(tvbuff_t *tvb, int offset, packet_info *pinfo,
dissect_dcerpc_uint64(tvb , offset, pinfo, tree, drep, hf_oxid_Unknown1, NULL);
offset += 8;
offset = dissect_dcom_DUALSTRINGARRAY(tvb, offset, pinfo, tree, drep, hf_oxid_ds_array);
offset = dissect_dcom_DUALSTRINGARRAY(tvb, offset, pinfo, tree, drep, hf_oxid_ds_array, NULL);
/* unknown field 2 */
dissect_dcerpc_uint64(tvb, offset, pinfo, tree, drep, hf_oxid_Unknown2, NULL);


@ -39,8 +39,6 @@
static int hf_remact_opnum = -1;
static int hf_remact_clsid = -1;
static int hf_remact_iid = -1;
static int hf_remact_requested_protseqs = -1;
static int hf_remact_protseqs = -1;
static int hf_remact_interfaces = -1;
@ -50,9 +48,7 @@ static int hf_remact_object_name = -1;
static int hf_remact_object_storage = -1;
static int hf_remact_interface_data = -1;
static int hf_remact_oxid = -1;
static int hf_remact_oxid_bindings = -1;
static int hf_remact_ipid = -1;
static int hf_remact_authn_hint = -1;
static const value_string dcom_protseq_vals[] = {
@ -86,6 +82,8 @@ dissect_remact_remote_activation_rqst(tvbuff_t *tvb, int offset,
guint32 u32ArraySize;
guint32 u32ItemIdx;
guint16 u16ProtSeqs;
e_uuid_t clsid;
e_uuid_t iid;
gchar szObjName[1000] = { 0 };
guint32 u32ObjNameLen = sizeof(szObjName);
@ -93,7 +91,7 @@ dissect_remact_remote_activation_rqst(tvbuff_t *tvb, int offset,
offset = dissect_dcom_this(tvb, offset, pinfo, tree, drep);
offset = dissect_dcom_append_UUID(tvb, offset, pinfo, tree, drep,
hf_remact_clsid, "CLSID", -1);
hf_dcom_clsid, "CLSID", -1, &clsid);
offset = dissect_dcom_dcerpc_pointer(tvb, offset, pinfo, tree, drep,
&u32Pointer);
@ -103,7 +101,7 @@ dissect_remact_remote_activation_rqst(tvbuff_t *tvb, int offset,
}
offset = dissect_dcom_PMInterfacePointer(tvb, offset, pinfo, tree, drep,
hf_remact_object_storage);
hf_remact_object_storage, NULL /* XXX */);
offset = dissect_dcom_DWORD(tvb, offset, pinfo, tree, drep,
hf_remact_client_impl_level, &u32ClientImpLevel);
@ -121,7 +119,7 @@ dissect_remact_remote_activation_rqst(tvbuff_t *tvb, int offset,
u32ItemIdx = 1;
while (u32Interfaces--) {
offset = dissect_dcom_append_UUID(tvb, offset, pinfo, tree, drep,
hf_remact_iid, "IID", u32ArraySize);
hf_dcom_iid, "IID", u32ArraySize, &iid);
u32ItemIdx++;
}
@ -161,18 +159,18 @@ dissect_remact_remote_activation_resp(tvbuff_t *tvb, int offset,
offset = dissect_dcom_that(tvb, offset, pinfo, tree, drep);
offset = dissect_dcom_ID(tvb, offset, pinfo, tree, drep,
hf_remact_oxid, NULL);
hf_dcom_oxid, NULL);
offset = dissect_dcom_dcerpc_pointer(tvb, offset, pinfo, tree, drep,
&u32Pointer);
if (u32Pointer) {
offset = dissect_dcom_dcerpc_array_size(tvb, offset, pinfo, tree, drep,
&u32ArraySize);
offset = dissect_dcom_DUALSTRINGARRAY(tvb, offset, pinfo, tree, drep,
hf_remact_oxid_bindings);
hf_remact_oxid_bindings, NULL);
}
offset = dissect_dcom_UUID(tvb, offset, pinfo, tree, drep,
hf_remact_ipid, &ipid);
hf_dcom_ipid, &ipid);
offset = dissect_dcom_DWORD(tvb, offset, pinfo, tree, drep,
hf_remact_authn_hint, &u32AuthnHint);
offset = dissect_dcom_COMVERSION(tvb, offset, pinfo, tree, drep,
@ -189,7 +187,7 @@ dissect_remact_remote_activation_resp(tvbuff_t *tvb, int offset,
&u32Pointer);
if (u32Pointer) {
u32VariableOffset = dissect_dcom_MInterfacePointer(tvb, u32VariableOffset, pinfo, tree, drep,
hf_remact_interface_data);
hf_remact_interface_data, NULL /* XXX */);
}
}
offset = u32VariableOffset;
@ -235,10 +233,6 @@ proto_register_remact (void)
{ &hf_remact_opnum,
{ "Operation", "remact_opnum", FT_UINT16, BASE_DEC, NULL, 0x0, "Operation", HFILL }},
{ &hf_remact_clsid,
{ "CLSID", "remact_clsid", FT_STRING, BASE_NONE, NULL, 0x0, "", HFILL }},
{ &hf_remact_iid,
{ "IID", "remact_iid", FT_STRING, BASE_NONE, NULL, 0x0, "", HFILL }},
{ &hf_remact_requested_protseqs,
{ "RequestedProtSeqs", "remact_req_prot_seqs", FT_UINT16, BASE_DEC, NULL, 0x0, "", HFILL }},
{ &hf_remact_protseqs,
@ -256,12 +250,8 @@ proto_register_remact (void)
{ &hf_remact_interface_data,
{ "InterfaceData", "remact_interface_data", FT_NONE, BASE_NONE, NULL, 0x0, "", HFILL }},
{ &hf_remact_oxid,
{ "OXID", "remact_oxid", FT_UINT64, BASE_HEX, NULL, 0x0, "", HFILL }},
{ &hf_remact_oxid_bindings,
{ "OxidBindings", "hf_remact_oxid_bindings", FT_NONE, BASE_DEC, NULL, 0x0, "", HFILL }},
{ &hf_remact_ipid,
{ "IPID", "remact_ipid", FT_STRING, BASE_NONE, NULL, 0x0, "", HFILL }},
{ &hf_remact_authn_hint,
{ "AuthnHint", "remact_authn_hint", FT_UINT32, BASE_DEC, NULL, 0x0, "", HFILL }},
};
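Review bot: The IID loop in `dissect_remact_remote_activation_rqst` still passes `u32ArraySize` as the field index on the changed call, so every entry is labelled with the array size while `u32ItemIdx` is incremented and never used; the call should end `hf_dcom_iid, "IID", u32ItemIdx, &iid);`. The new locals `clsid` and `iid` are written but not read in the visible hunks. If they exist only because `dissect_dcom_append_UUID()` now dereferences its `uuid` argument, a comment such as `/* value unused; dissect_dcom_append_UUID() requires a non-NULL uuid */` would keep a later cleanup from replacing them with `NULL`. The function body extends beyond the hunks shown.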


@ -33,6 +33,7 @@
#include <glib.h>
#include <epan/packet.h>
#include <epan/emem.h>
#include "packet-dcerpc.h"
#include "packet-dcom.h"
@ -76,6 +77,11 @@ static guint16 ver_remunk2 = 0;
static int proto_remunk2 = -1;
typedef struct remunk_remqueryinterface_call_s {
guint iid_count;
e_uuid_t *iids;
} remunk_remqueryinterface_call_t;
static int
dissect_remunk_remqueryinterface_rqst(tvbuff_t *tvb, int offset,
@ -86,9 +92,12 @@ dissect_remunk_remqueryinterface_rqst(tvbuff_t *tvb, int offset,
guint16 u16IIDs;
guint32 u32ArraySize;
guint32 u32ItemIdx;
e_uuid_t iid;
dcerpc_info *info = (dcerpc_info *) pinfo->private_data;
remunk_remqueryinterface_call_t *call;
offset = dissect_dcom_this(tvb, offset, pinfo, tree, drep);
offset = dissect_dcom_this(tvb, offset, pinfo, tree, drep);
offset = dissect_dcom_UUID(tvb, offset, pinfo, tree, drep,
hf_remunk_ipid, &ipid);
@ -102,10 +111,22 @@ dissect_remunk_remqueryinterface_rqst(tvbuff_t *tvb, int offset,
offset = dissect_dcom_dcerpc_array_size(tvb, offset, pinfo, tree, drep,
&u32ArraySize);
u32ItemIdx = 1;
while (u32ArraySize--) {
/* limit the allocation to a reasonable size */
if(u32ArraySize < 100) {
call = se_alloc(sizeof(remunk_remqueryinterface_call_t) + u32ArraySize * sizeof(e_uuid_t));
call->iid_count = u32ArraySize;
call->iids = (e_uuid_t *) (call+1);
info->call_data->private_data = call;
} else {
call = NULL;
}
for (u32ItemIdx = 0; u32ArraySize--; u32ItemIdx++) {
offset = dissect_dcom_append_UUID(tvb, offset, pinfo, tree, drep,
hf_remunk_iid, "IID", u32ItemIdx++);
hf_remunk_iid, "IID", u32ItemIdx+1, &iid);
if(call != NULL) {
call->iids[u32ItemIdx] = iid;
}
}
return offset;
@ -123,9 +144,17 @@ dissect_remunk_remqueryinterface_resp(tvbuff_t *tvb, int offset,
proto_tree *sub_tree;
guint32 u32HResult;
guint32 u32SubStart;
e_uuid_t iid;
e_uuid_t iid_null = DCERPC_UUID_NULL;
dcerpc_info *info = (dcerpc_info *) pinfo->private_data;
remunk_remqueryinterface_call_t *call = info->call_data->private_data;
guint64 oxid;
guint64 oid;
e_uuid_t ipid;
dcom_interface_t *dcom_if;
offset = dissect_dcom_that(tvb, offset, pinfo, tree, drep);
offset = dissect_dcom_that(tvb, offset, pinfo, tree, drep);
offset = dissect_dcom_dcerpc_pointer(tvb, offset, pinfo, tree, drep,
&u32Pointer);
@ -134,7 +163,7 @@ dissect_remunk_remqueryinterface_resp(tvbuff_t *tvb, int offset,
u32ItemIdx = 1;
while (u32ArraySize--) {
/* add subtree */
/* add subtree */
sub_item = proto_tree_add_item(tree, hf_remunk_qiresult, tvb, offset, 0, FALSE);
sub_tree = proto_item_add_subtree(sub_item, ett_remunk_rqi_result);
@ -144,10 +173,27 @@ dissect_remunk_remqueryinterface_resp(tvbuff_t *tvb, int offset,
u32SubStart = offset - 4;
offset = dissect_dcom_dcerpc_pointer(tvb, offset, pinfo, sub_tree, drep,
&u32Pointer);
if (u32Pointer) {
offset = dissect_dcom_STDOBJREF(tvb, offset, pinfo, sub_tree, drep, 0 /* hfindex */);
/* try to read the iid from the request */
if(call != NULL && u32ItemIdx <= call->iid_count) {
iid = call->iids[u32ItemIdx-1];
} else {
iid = iid_null;
}
/* XXX - this doesn't seem to be dependent on the pointer above?!? */
/*if (u32Pointer) {*/
offset = dissect_dcom_STDOBJREF(tvb, offset, pinfo, sub_tree, drep, 0 /* hfindex */,
&oxid, &oid, &ipid);
/*}*/
/* add interface instance to database (we currently only handle IPv4) */
if(pinfo->net_src.type == AT_IPv4) {
dcom_if = dcom_interface_new(pinfo,
pinfo->net_src.data,
&iid, oxid, oid, &ipid);
}
/* update subtree */
proto_item_append_text(sub_item, "[%u]: %s",
u32ItemIdx,
@ -163,7 +209,7 @@ dissect_remunk_remqueryinterface_resp(tvbuff_t *tvb, int offset,
u32ItemIdx++;
}
/* HRESULT of call */
offset = dissect_dcom_HRESULT(tvb, offset, pinfo, tree, drep,
&u32HResult);
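Review bot: The request handler allocates a new `remunk_remqueryinterface_call_t` with `se_alloc` and overwrites `info->call_data->private_data` each time it runs, with no first-pass guard in the visible lines. If the frame is dissected more than once, each pass leaves another allocation behind until the capture is closed. Guarding the block with `if(!pinfo->fd->flags.visited && u32ArraySize < 100) {` and keeping `call = NULL` otherwise would avoid that. In the response, `dcom_interface_new()` runs for every array element regardless of that element's result code (presumably read just before the hunk), and `dcom_if` is not read afterwards in the visible lines, so failed results may also populate the interface list. Both function bodies extend beyond the hunks shown.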


@ -58,7 +58,7 @@ dissect_remsysact_remotecreateinstance_rqst(tvbuff_t *tvb, int offset,
4);
offset = dissect_dcom_PMInterfacePointer(tvb, offset, pinfo, tree, drep,
hf_sysact_unknown);
hf_sysact_unknown, NULL /* XXX */);
return offset;
}
@ -72,7 +72,7 @@ dissect_remsysact_remotecreateinstance_resp(tvbuff_t *tvb, int offset,
offset = dissect_dcom_that(tvb, offset, pinfo, tree, drep);
offset = dissect_dcom_PMInterfacePointer(tvb, offset, pinfo, tree, drep,
hf_sysact_unknown);
hf_sysact_unknown, NULL /* XXX */);
offset = dissect_dcom_HRESULT(tvb, offset, pinfo, tree, drep,
NULL /* pu32HResult */);


@ -85,6 +85,8 @@
#include <glib.h>
#include <epan/packet.h>
#include <epan/emem.h>
#include <epan/addr_resolv.h>
#include <epan/inet_aton.h>
#include "packet-dcerpc.h"
#include "packet-dcom.h"
#include "prefs.h"
@ -134,8 +136,8 @@ gint ett_dcom_objref = -1;
static int hf_dcom_objref = -1;
static int hf_dcom_objref_signature = -1;
static int hf_dcom_objref_flags = -1;
static int hf_dcom_objref_iid = -1;
static int hf_dcom_objref_clsid = -1;
int hf_dcom_iid = -1;
int hf_dcom_clsid = -1;
static int hf_dcom_objref_resolver_address = -1;
static int hf_dcom_objref_cbextension = -1;
static int hf_dcom_objref_size = -1;
@ -144,9 +146,9 @@ gint ett_dcom_stdobjref = -1;
static int hf_dcom_stdobjref = -1;
static int hf_dcom_stdobjref_flags = -1;
static int hf_dcom_stdobjref_public_refs = -1;
static int hf_dcom_stdobjref_oxid = -1;
static int hf_dcom_stdobjref_oid = -1;
static int hf_dcom_stdobjref_ipid = -1;
int hf_dcom_oxid = -1;
int hf_dcom_oid = -1;
int hf_dcom_ipid = -1;
gint ett_dcom_dualstringarray = -1;
gint ett_dcom_dualstringarray_binding = -1;
@ -214,6 +216,160 @@ static int hf_dcom_vt_byref = -1;
static int hf_dcom_vt_dispatch = -1;
GList *dcom_machines;
GList *dcom_interfaces;
void dcom_interface_dump(void) {
dcom_machine_t *machine;
dcom_object_t *object;
dcom_interface_t *interf;
GList *machines;
GList *objects;
GList *interfaces;
for(machines = dcom_machines; machines != NULL; machines = g_list_next(machines)) {
machine = machines->data;
g_warning("Machine(#%4u): IP:%s", machine->first_packet, ip_to_str(machine->ip));
for(objects = machine->objects; objects != NULL; objects = g_list_next(objects)) {
object = objects->data;
g_warning(" Object(#%4u): OID:0x%x%x private:0x%x", object->first_packet, object->oid, object->private_data);
for(interfaces = object->interfaces; interfaces != NULL; interfaces = g_list_next(interfaces)) {
interf = interfaces->data;
g_warning(" Interface(#%4u): iid:%s",
interf->first_packet, dcom_uuid_to_str(&interf->iid));
g_warning(" ipid:%s", dcom_uuid_to_str(&interf->ipid));
}
}
}
}
dcom_interface_t *dcom_interface_find(packet_info *pinfo, const guint8 *ip, e_uuid_t *ipid)
{
dcom_interface_t *interf;
GList *interfaces;
static const e_uuid_t uuid_null = DCERPC_UUID_NULL;
if(memcmp(ipid, &uuid_null, sizeof(uuid_null)) == 0)
{
return NULL;
}
for(interfaces = dcom_interfaces; interfaces != NULL; interfaces = g_list_next(interfaces)) {
interf = interfaces->data;
if(memcmp(&interf->ipid, ipid, sizeof(e_uuid_t)) == 0) {
return interf;
}
}
return NULL;
}
dcom_interface_t *dcom_interface_new(packet_info *pinfo, const guint8 *ip, e_uuid_t *iid, guint64 oxid, guint64 oid, e_uuid_t *ipid)
{
static const e_uuid_t uuid_null = DCERPC_UUID_NULL;
GList *dcom_iter;
dcom_machine_t *machine;
dcom_object_t *object;
dcom_interface_t *interf;
if( memcmp(iid, &uuid_null, sizeof(uuid_null)) == 0 ||
memcmp(ipid, &uuid_null, sizeof(uuid_null)) == 0)
{
return NULL;
}
if(oxid == 0 || oid == 0) {
/*g_warning("interface_new#%u", pinfo->fd->num);*/
interf = se_alloc(sizeof(dcom_interface_t));
interf->parent = NULL; //object;
interf->private_data = NULL;
interf->first_packet = pinfo->fd->num;
interf->iid = *iid;
interf->ipid = *ipid;
dcom_interfaces = g_list_append(dcom_interfaces, interf);
//object->interfaces = g_list_append(object->interfaces, interf);
return interf;
}
/* find machine */
dcom_iter = dcom_machines;
while(dcom_iter != NULL) {
machine = dcom_iter->data;
if(memcmp(machine->ip, ip, 4) == 0) {
break;
}
dcom_iter = g_list_next(dcom_iter);
}
/* create new machine if not found */
if(dcom_iter == NULL) {
machine = se_alloc(sizeof(dcom_machine_t));
memcpy( (void *) (machine->ip), ip, 4);
machine->objects = NULL;
machine->first_packet = pinfo->fd->num;
dcom_machines = g_list_append(dcom_machines, machine);
}
/* find object */
dcom_iter = machine->objects;
while(dcom_iter != NULL) {
object = dcom_iter->data;
if(object->oid == oid) {
break;
}
dcom_iter = g_list_next(dcom_iter);
}
/* create new object if not found */
if(dcom_iter == NULL) {
object = se_alloc(sizeof(dcom_object_t));
object->parent = machine;
object->interfaces = NULL;
object->private_data = NULL;
object->first_packet = pinfo->fd->num;
object->oid = oid;
object->oxid = oxid;
machine->objects = g_list_append(machine->objects, object);
}
/* find interface */
dcom_iter = object->interfaces;
while(dcom_iter != NULL) {
interf = dcom_iter->data;
if(memcmp(&interf->ipid, ipid, sizeof(e_uuid_t)) == 0) {
break;
}
dcom_iter = g_list_next(dcom_iter);
}
/* create new interface if not found */
if(dcom_iter == NULL) {
interf = se_alloc(sizeof(dcom_interface_t));
interf->parent = object;
interf->private_data = NULL;
interf->first_packet = pinfo->fd->num;
interf->iid = *iid;
interf->ipid = *ipid;
object->interfaces = g_list_append(object->interfaces, interf);
dcom_interfaces = g_list_append(dcom_interfaces, interf);
}
return interf;
}
/*
* Flag bits in connection-oriented PDU header.
*/
@ -586,6 +742,9 @@ dissect_dcom_this(tvbuff_t *tvb, int offset,
proto_item *sub_item;
proto_tree *sub_tree;
guint32 u32SubStart;
proto_item *pi;
dcerpc_info *info = (dcerpc_info *)pinfo->private_data;
e_uuid_t uuid_null = DCERPC_UUID_NULL;
sub_item = proto_tree_add_protocol_format(tree, proto_dcom, tvb, offset, 0,
@ -611,6 +770,11 @@ dissect_dcom_this(tvbuff_t *tvb, int offset,
u16VersionMajor, u16VersionMinor, dcom_uuid_to_str(&uuidCausality));
proto_item_set_len(sub_item, offset - u32SubStart);
if(memcmp(&info->call_data->object_uuid, &uuid_null, sizeof(uuid_null)) != 0) {
pi = proto_tree_add_guid(tree, hf_dcom_ipid, tvb, offset, GUID_LEN, (e_guid_t *) &info->call_data->object_uuid);
PROTO_ITEM_SET_GENERATED(pi);
}
return offset;
}
@ -623,6 +787,9 @@ dissect_dcom_that(tvbuff_t *tvb, int offset,
proto_item *sub_item;
proto_tree *sub_tree;
guint32 u32SubStart;
proto_item *pi;
dcerpc_info *info = (dcerpc_info *)pinfo->private_data;
e_uuid_t uuid_null = DCERPC_UUID_NULL;
sub_item = proto_tree_add_protocol_format(tree, proto_dcom, tvb, offset, 0,
@ -638,6 +805,11 @@ dissect_dcom_that(tvbuff_t *tvb, int offset,
/* update subtree header */
proto_item_set_len(sub_item, offset - u32SubStart);
if(memcmp(&info->call_data->object_uuid, &uuid_null, sizeof(uuid_null)) != 0) {
pi = proto_tree_add_guid(tree, hf_dcom_ipid, tvb, offset, GUID_LEN, (e_guid_t *) &info->call_data->object_uuid);
PROTO_ITEM_SET_GENERATED(pi);
}
return offset;
}
@ -1177,7 +1349,7 @@ dissect_dcom_VARIANT(tvbuff_t *tvb, int offset, packet_info *pinfo,
offset = dissect_dcom_dcerpc_pointer(tvb, offset, pinfo, sub_tree, drep, &u32Pointer);
if (u32Pointer) {
offset = dissect_dcom_MInterfacePointer(tvb, offset, pinfo, sub_tree, drep,
hf_dcom_vt_dispatch);
hf_dcom_vt_dispatch, NULL); /* XXX - how to handle this? */
}
break;
case(WIRESHARK_VT_ARRAY):
@ -1217,21 +1389,20 @@ dissect_dcom_VARIANT(tvbuff_t *tvb, int offset, packet_info *pinfo,
int
dissect_dcom_append_UUID(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, guint8 *drep,
int hfindex, const gchar *field_name, int field_index)
int hfindex, const gchar *field_name, int field_index, e_uuid_t *uuid)
{
e_uuid_t uuid;
const gchar *uuid_name;
offset = dissect_dcom_UUID(tvb, offset, pinfo, tree, drep,
hfindex, &uuid);
hfindex, uuid);
/* update column info now */
if (check_col(pinfo->cinfo, COL_INFO)) {
/* XXX: improve it: getting the hash value is done the second time here */
/* look for a registered uuid name */
uuid_name = dcerpc_get_uuid_name(&uuid, 0);
uuid_name = dcerpc_get_uuid_name(uuid, 0);
if (field_index != -1) {
col_append_fstr(pinfo->cinfo, COL_INFO, " %s[%u]=%s",
@ -1437,7 +1608,7 @@ dissect_dcom_BSTR(tvbuff_t *tvb, gint offset, packet_info *pinfo,
/* dissect an DUALSTRINGARRAY */
int
dissect_dcom_DUALSTRINGARRAY(tvbuff_t *tvb, gint offset, packet_info *pinfo,
proto_tree *tree, guint8 *drep, int hfindex)
proto_tree *tree, guint8 *drep, int hfindex, gchar *ip)
{
guint16 u16NumEntries;
guint16 u16SecurityOffset;
@ -1456,6 +1627,9 @@ dissect_dcom_DUALSTRINGARRAY(tvbuff_t *tvb, gint offset, packet_info *pinfo,
proto_tree *subsub_tree;
guint32 u32SubSubStart;
gboolean isPrintable;
guint32 first_ip = 0;
guint32 curr_ip = 0;
struct in_addr ipaddr;
/* add subtree header */
@ -1485,6 +1659,30 @@ dissect_dcom_DUALSTRINGARRAY(tvbuff_t *tvb, gint offset, packet_info *pinfo,
proto_tree_add_string(subsub_tree, hf_dcom_dualstringarray_string_network_addr,
tvb, u32Start, offset - u32Start, szStr);
/* convert ip address (if it is dotted decimal) */
/* XXX - this conversion is ugly */
if (inet_aton(szStr, &ipaddr)) {
if(get_host_ipaddr(szStr, &curr_ip)) {
curr_ip = ntohl(curr_ip);
/*expert_add_info_format(pinfo, NULL, PI_UNDECODED, PI_WARN, "DUALSTRINGARRAY: IP:%s",
ip_to_str( (gchar *) &curr_ip));*/
if(first_ip == 0) {
if(ip != NULL) {
memcpy(ip, &curr_ip, sizeof(curr_ip));
}
first_ip = curr_ip;
} else {
if(first_ip != curr_ip) {
expert_add_info_format(pinfo, NULL, PI_UNDECODED, PI_NOTE,
"DUALSTRINGARRAY: multiple IP's %s %s",
ip_to_str( (char *) &first_ip), ip_to_str( (char *) &curr_ip));
}
}
}
}
proto_item_append_text(subsub_item, "[%u]: TowerId=%s, NetworkAddr=\"%s\"",
u32StringBindings,
val_to_str(u16TowerId, dcom_dualstringarray_tower_id_vals, "Unknown (0x%04x"),
@ -1532,11 +1730,11 @@ dissect_dcom_DUALSTRINGARRAY(tvbuff_t *tvb, gint offset, packet_info *pinfo,
/* dissect an STDOBJREF */
int
dissect_dcom_STDOBJREF(tvbuff_t *tvb, gint offset, packet_info *pinfo,
proto_tree *tree, guint8 *drep, int hfindex _U_)
proto_tree *tree, guint8 *drep, int hfindex _U_,
guint64 *oxid, guint64 *oid, e_uuid_t *ipid)
{
guint32 u32Flags;
guint32 u32PublicRefs;
e_uuid_t ipid;
proto_item *sub_item;
proto_tree *sub_tree;
guint32 u32SubStart;
@ -1553,15 +1751,15 @@ dissect_dcom_STDOBJREF(tvbuff_t *tvb, gint offset, packet_info *pinfo,
offset = dissect_dcom_DWORD(tvb, offset, pinfo, sub_tree, drep,
hf_dcom_stdobjref_public_refs, &u32PublicRefs);
offset = dissect_dcom_ID(tvb, offset, pinfo, sub_tree, drep,
hf_dcom_stdobjref_oxid, NULL);
hf_dcom_oxid, oxid);
offset = dissect_dcom_ID(tvb, offset, pinfo, sub_tree, drep,
hf_dcom_stdobjref_oid, NULL);
hf_dcom_oid, oid);
offset = dissect_dcom_UUID(tvb, offset, pinfo, sub_tree, drep,
hf_dcom_stdobjref_ipid, &ipid);
hf_dcom_ipid, ipid);
/* append info to subtree header */
proto_item_append_text(sub_item, ": PublicRefs=%u IPID=%s",
u32PublicRefs, dcom_uuid_to_str(&ipid));
u32PublicRefs, dcom_uuid_to_str(ipid));
proto_item_set_len(sub_item, offset - u32SubStart);
return offset;
@ -1571,7 +1769,7 @@ dissect_dcom_STDOBJREF(tvbuff_t *tvb, gint offset, packet_info *pinfo,
/* dissect an OBJREF */
int
dissect_dcom_OBJREF(tvbuff_t *tvb, gint offset, packet_info *pinfo,
proto_tree *tree, guint8 *drep, int hfindex)
proto_tree *tree, guint8 *drep, int hfindex, dcom_interface_t **interf)
{
guint32 u32Signature;
guint32 u32Flags;
@ -1582,6 +1780,11 @@ dissect_dcom_OBJREF(tvbuff_t *tvb, gint offset, packet_info *pinfo,
guint32 u32SubStart;
guint32 u32CBExtension;
guint32 u32Size;
guint64 oxid;
guint64 oid;
e_uuid_t ipid;
dcom_interface_t *dcom_if = NULL;
gchar ip[4];
/* add subtree header */
@ -1595,25 +1798,26 @@ dissect_dcom_OBJREF(tvbuff_t *tvb, gint offset, packet_info *pinfo,
offset = dissect_dcom_DWORD(tvb, offset, pinfo, sub_tree, drep,
hf_dcom_objref_flags, &u32Flags);
offset = dissect_dcom_UUID(tvb, offset, pinfo, sub_tree, drep,
hf_dcom_objref_iid, &iid);
hf_dcom_iid, &iid);
switch(u32Flags) {
case(0x1): /* standard */
offset = dissect_dcom_STDOBJREF(tvb, offset, pinfo, sub_tree, drep, hfindex);
offset = dissect_dcom_STDOBJREF(tvb, offset, pinfo, sub_tree, drep, hfindex,
&oxid, &oid, &ipid);
offset = dissect_dcom_DUALSTRINGARRAY(tvb, offset, pinfo, sub_tree, drep,
hf_dcom_objref_resolver_address);
hf_dcom_objref_resolver_address, ip);
break;
case(0x2): /* handler (untested) */
offset = dissect_dcom_STDOBJREF(tvb, offset, pinfo, sub_tree, drep, hfindex);
offset = dissect_dcom_STDOBJREF(tvb, offset, pinfo, sub_tree, drep, hfindex,
&oxid, &oid, &iid);
offset = dissect_dcom_UUID(tvb, offset, pinfo, sub_tree, drep,
hf_dcom_objref_clsid, &clsid);
hf_dcom_clsid, &clsid);
offset = dissect_dcom_DUALSTRINGARRAY(tvb, offset, pinfo, sub_tree, drep,
hf_dcom_objref_resolver_address);
hf_dcom_objref_resolver_address, ip);
break;
case(0x4): /* custom */
offset = dissect_dcom_UUID(tvb, offset, pinfo, sub_tree, drep,
hf_dcom_objref_clsid, &clsid);
hf_dcom_clsid, &clsid);
offset = dissect_dcom_DWORD(tvb, offset, pinfo, sub_tree, drep,
hf_dcom_objref_cbextension, &u32CBExtension);
offset = dissect_dcom_DWORD(tvb, offset, pinfo, sub_tree, drep,
@ -1623,6 +1827,19 @@ dissect_dcom_OBJREF(tvbuff_t *tvb, gint offset, packet_info *pinfo,
break;
}
if(u32Flags == 0x1 || u32Flags == 0x2) {
/* add interface instance to database (we currently only handle IPv4) */
if(pinfo->net_src.type == AT_IPv4) {
dcom_if = dcom_interface_new(pinfo,
ip,
&iid, oxid, oid, &ipid);
}
}
if(interf != NULL) {
*interf = dcom_if;
}
/* append info to subtree header */
proto_item_set_len(sub_item, offset - u32SubStart);
@ -1634,7 +1851,7 @@ dissect_dcom_OBJREF(tvbuff_t *tvb, gint offset, packet_info *pinfo,
/* dissect an MInterfacePointer */
int
dissect_dcom_MInterfacePointer(tvbuff_t *tvb, gint offset, packet_info *pinfo,
proto_tree *tree, guint8 *drep, int hfindex)
proto_tree *tree, guint8 *drep, int hfindex, dcom_interface_t **interf)
{
guint32 u32CntData;
guint32 u32ArraySize;
@ -1657,7 +1874,7 @@ dissect_dcom_MInterfacePointer(tvbuff_t *tvb, gint offset, packet_info *pinfo,
offset = dissect_dcom_dcerpc_array_size(tvb, offset, pinfo, sub_tree, drep, &u32ArraySize);
offset = dissect_dcom_OBJREF(tvb, offset, pinfo, sub_tree, drep, hfindex);
offset = dissect_dcom_OBJREF(tvb, offset, pinfo, sub_tree, drep, hfindex, interf);
/* append info to subtree header */
proto_item_set_len(sub_item, offset - u32SubStart);
@ -1669,7 +1886,7 @@ dissect_dcom_MInterfacePointer(tvbuff_t *tvb, gint offset, packet_info *pinfo,
/* dissect a pointer to a MInterfacePointer */
int
dissect_dcom_PMInterfacePointer(tvbuff_t *tvb, gint offset, packet_info *pinfo,
proto_tree *tree, guint8 *drep, int hfindex)
proto_tree *tree, guint8 *drep, int hfindex, dcom_interface_t **interf)
{
guint32 u32Pointer;
@ -1677,8 +1894,12 @@ dissect_dcom_PMInterfacePointer(tvbuff_t *tvb, gint offset, packet_info *pinfo,
offset = dissect_dcom_dcerpc_pointer(tvb, offset, pinfo, tree, drep, &u32Pointer);
if (u32Pointer) {
offset = dissect_dcom_MInterfacePointer(tvb, offset, pinfo, tree, drep, hfindex);
}
offset = dissect_dcom_MInterfacePointer(tvb, offset, pinfo, tree, drep, hfindex, interf);
} else {
if(interf != NULL) {
*interf = NULL;
}
}
return offset;
}
@ -1695,6 +1916,12 @@ void dcom_register_server_coclass(int proto _U_, int ett _U_, e_uuid_t *uuid _U_
}
static void dcom_reinit( void) {
dcom_machines = NULL;
dcom_interfaces = NULL;
}
void
proto_register_dcom (void)
{
@ -1709,7 +1936,7 @@ proto_register_dcom (void)
{ &hf_dcom_this_res,
{ "Reserved", "dcom.this.res", FT_UINT32, BASE_HEX, NULL, 0x0, "", HFILL }},
{ &hf_dcom_this_cid,
{ "Causality ID", "dcom.this.uuid", FT_STRING, BASE_NONE, NULL, 0x0, "", HFILL }}
{ "Causality ID", "dcom.this.uuid", FT_GUID, BASE_NONE, NULL, 0x0, "", HFILL }}
};
static hf_register_info hf_dcom_that_array[] = {
@ -1781,10 +2008,10 @@ proto_register_dcom (void)
{ "Signature", "dcom.objref.signature", FT_UINT32, BASE_HEX, VALS(dcom_objref_signature_vals), 0x0, "", HFILL }},
{ &hf_dcom_objref_flags,
{ "Flags", "dcom.objref.flags", FT_UINT32, BASE_HEX, VALS(dcom_objref_flag_vals), 0x0, "", HFILL }},
{ &hf_dcom_objref_iid,
{ "IID", "dcom.objref.iid", FT_STRING, BASE_NONE, NULL, 0x0, "", HFILL }},
{ &hf_dcom_objref_clsid,
{ "CLSID", "dcom.objref.clsid", FT_STRING, BASE_NONE, NULL, 0x0, "", HFILL }},
{ &hf_dcom_iid,
{ "IID", "dcom.iid", FT_STRING, BASE_NONE, NULL, 0x0, "", HFILL }},
{ &hf_dcom_clsid,
{ "CLSID", "dcom.clsid", FT_STRING, BASE_NONE, NULL, 0x0, "", HFILL }},
{ &hf_dcom_objref_resolver_address,
{ "ResolverAddress", "dcom.objref.resolver_address", FT_NONE, BASE_NONE, NULL, 0x0, "", HFILL }},
{ &hf_dcom_objref_cbextension,
@ -1800,12 +2027,12 @@ proto_register_dcom (void)
{ "Flags", "dcom.stdobjref.flags", FT_UINT32, BASE_HEX, VALS(dcom_stdobjref_flag_vals), 0x0, "", HFILL }},
{ &hf_dcom_stdobjref_public_refs,
{ "PublicRefs", "dcom.stdobjref.public_refs", FT_UINT32, BASE_HEX, NULL, 0x0, "", HFILL }},
{ &hf_dcom_stdobjref_oxid,
{ "OXID", "dcom.stdobjref.oxid", FT_UINT64, BASE_HEX, NULL, 0x0, "", HFILL }},
{ &hf_dcom_stdobjref_oid,
{ "OID", "dcom.stdobjref.oid", FT_UINT64, BASE_HEX, NULL, 0x0, "", HFILL }},
{ &hf_dcom_stdobjref_ipid,
{ "IPID", "dcom.stdobjref.ipid", FT_STRING, BASE_NONE, NULL, 0x0, "", HFILL }}
{ &hf_dcom_oxid,
{ "OXID", "dcom.oxid", FT_UINT64, BASE_HEX, NULL, 0x0, "", HFILL }},
{ &hf_dcom_oid,
{ "OID", "dcom.oid", FT_UINT64, BASE_HEX, NULL, 0x0, "", HFILL }},
{ &hf_dcom_ipid,
{ "IPID", "dcom.ipid", FT_GUID, BASE_NONE, NULL, 0x0, "", HFILL }}
};
static hf_register_info hf_dcom_dualstringarray_array[] = {
@ -1950,6 +2177,8 @@ proto_register_dcom (void)
"Display some DCOM unmarshalled fields "
"usually hidden",
&dcom_prefs_display_unmarshalling_details);
register_init_routine(dcom_reinit);
}


@ -29,10 +29,48 @@
extern const value_string dcom_hresult_vals[];
extern const value_string dcom_variant_type_vals[];
extern int hf_dcom_iid;
extern int hf_dcom_clsid;
extern int hf_dcom_oxid;
extern int hf_dcom_oid;
extern int hf_dcom_ipid;
/* preferences */
extern int dcom_prefs_display_unmarshalling_details;
typedef struct dcom_machine_s {
GList *objects;
gint first_packet;
const guint8 ip[4];
} dcom_machine_t;
typedef struct dcom_object_s {
dcom_machine_t *parent;
GList *interfaces;
void *private_data;
gint first_packet;
guint64 oid;
guint64 oxid;
} dcom_object_t;
typedef struct dcom_interface_s {
dcom_object_t *parent;
void *private_data;
gint first_packet;
e_uuid_t iid;
e_uuid_t ipid; /* the DCE/RPC Object UUID */
} dcom_interface_t;
extern dcom_interface_t *dcom_interface_new(packet_info *pinfo, const guint8 *ip, e_uuid_t *iid, guint64 oxid, guint64 oid, e_uuid_t *ipid);
extern dcom_interface_t *dcom_interface_find(packet_info *pinfo, const guint8 *ip, e_uuid_t *ipid);
extern void dcom_interface_dump(void);
/* the essential DCOM this and that, starting every call */
extern int
dissect_dcom_this(tvbuff_t *tvb, int offset,
@ -59,7 +97,7 @@ dissect_dcom_that(tvbuff_t *tvb, int offset,
extern int
dissect_dcom_append_UUID(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, guint8 *drep,
int hfindex, const gchar *field_name, int field_index);
int hfindex, const gchar *field_name, int field_index, e_uuid_t *uuid);
extern const gchar* dcom_uuid_to_str(e_uuid_t *uuid);
extern int
@ -103,22 +141,22 @@ dissect_dcom_BSTR(tvbuff_t *tvb, gint offset, packet_info *pinfo,
extern int
dissect_dcom_DUALSTRINGARRAY(tvbuff_t *tvb, gint offset, packet_info *pinfo,
proto_tree *tree, guint8 *drep, int hfindex);
proto_tree *tree, guint8 *drep, int hfindex, gchar *ip);
extern int
dissect_dcom_STDOBJREF(tvbuff_t *tvb, gint offset, packet_info *pinfo,
proto_tree *tree, guint8 *drep, int hfindex);
proto_tree *tree, guint8 *drep, int hfindex,
guint64 *oxid, guint64 *oid, e_uuid_t *ipid);
extern int
dissect_dcom_OBJREF(tvbuff_t *tvb, gint offset, packet_info *pinfo,
proto_tree *tree, guint8 *drep, int hfindex);
proto_tree *tree, guint8 *drep, int hfindex, dcom_interface_t **interf);
extern int
dissect_dcom_MInterfacePointer(tvbuff_t *tvb, gint offset, packet_info *pinfo,
proto_tree *tree, guint8 *drep, int hfindex);
proto_tree *tree, guint8 *drep, int hfindex, dcom_interface_t **interf);
extern int
dissect_dcom_PMInterfacePointer(tvbuff_t *tvb, gint offset, packet_info *pinfo,
proto_tree *tree, guint8 *drep, int hfindex);
proto_tree *tree, guint8 *drep, int hfindex, dcom_interface_t **interf);
extern int
dissect_dcom_VARTYPE(tvbuff_t *tvb, int offset,