/* packet-dcerpc.c * Routines for DCERPC packet disassembly * Copyright 2001, Todd Sabin * Copyright 2003, Tim Potter * Copyright 2010, Julien Kerihuel * * Wireshark - Network traffic analyzer * By Gerald Combs * Copyright 1998 Gerald Combs * * SPDX-License-Identifier: GPL-2.0-or-later */ /* The DCE RPC 1.1 specification can be found at: * * https://publications.opengroup.org/c706 * https://pubs.opengroup.org/onlinepubs/009629399/ * https://pubs.opengroup.org/onlinepubs/009629399/toc.htm * https://pubs.opengroup.org/onlinepubs/009629399/toc.pdf * * Microsoft extensions can be found at: * * MS-WPO section 7.3.1 "RPC": * https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wpo/7d2df784-557e-4fde-9281-9509653a0f17 */ #include "config.h" #include /* for sscanf() */ #include #include #include #include #include #include #include #include #include #include #include #include #include "packet-tcp.h" #include "packet-dcerpc.h" #include "packet-dcerpc-nt.h" void proto_register_dcerpc(void); void proto_reg_handoff_dcerpc(void); static dissector_handle_t dcerpc_tcp_handle; static int dcerpc_tap = -1; /* 32bit Network Data Representation, see DCE/RPC Appendix I */ static e_guid_t uuid_data_repr_proto = { 0x8a885d04, 0x1ceb, 0x11c9, { 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60 } }; /* 64bit Network Data Representation, introduced in Windows Server 2008 */ static e_guid_t uuid_ndr64 = { 0x71710533, 0xbeba, 0x4937, { 0x83, 0x19, 0xb5, 0xdb, 0xef, 0x9c, 0xcc, 0x36 } }; /* see [MS-OXRPC] Appendix A: Full IDL, https://docs.microsoft.com/en-us/openspecs/exchange_server_protocols/ms-oxcrpc/70adbb71-85a1-4023-bfdb-41e32ff37bf1 */ static e_guid_t uuid_asyncemsmdb = { 0x5261574a, 0x4572, 0x206e, { 0xb2, 0x68, 0x6b, 0x19, 0x92, 0x13, 0xb4, 0xe4 } }; static const value_string pckt_vals[] = { { PDU_REQ, "Request"}, { PDU_PING, "Ping"}, { PDU_RESP, "Response"}, { PDU_FAULT, "Fault"}, { PDU_WORKING, "Working"}, { PDU_NOCALL, "Nocall"}, { PDU_REJECT, "Reject"}, { PDU_ACK, "Ack"}, { PDU_CL_CANCEL, "Cl_cancel"}, { PDU_FACK, "Fack"}, { PDU_CANCEL_ACK, "Cancel_ack"}, { PDU_BIND, "Bind"}, { PDU_BIND_ACK, "Bind_ack"}, { PDU_BIND_NAK, "Bind_nak"}, { PDU_ALTER, "Alter_context"}, { PDU_ALTER_ACK, "Alter_context_resp"}, { PDU_AUTH3, "AUTH3"}, { PDU_SHUTDOWN, "Shutdown"}, { PDU_CO_CANCEL, "Co_cancel"}, { PDU_ORPHANED, "Orphaned"}, { PDU_RTS, "RPC-over-HTTP RTS"}, { 0, NULL } }; static const value_string drep_byteorder_vals[] = { { 0, "Big-endian" }, { 1, "Little-endian" }, { 0, NULL } }; static const value_string drep_character_vals[] = { { 0, "ASCII" }, { 1, "EBCDIC" }, { 0, NULL } }; #define DCE_RPC_DREP_FP_IEEE 0 #define DCE_RPC_DREP_FP_VAX 1 #define DCE_RPC_DREP_FP_CRAY 2 #define DCE_RPC_DREP_FP_IBM 3 static const value_string drep_fp_vals[] = { { DCE_RPC_DREP_FP_IEEE, "IEEE" }, { DCE_RPC_DREP_FP_VAX, "VAX" }, { DCE_RPC_DREP_FP_CRAY, "Cray" }, { DCE_RPC_DREP_FP_IBM, "IBM" }, { 0, NULL } }; /* * Authentication services. */ static const value_string authn_protocol_vals[] = { { DCE_C_RPC_AUTHN_PROTOCOL_NONE, "None" }, { DCE_C_RPC_AUTHN_PROTOCOL_KRB5, "Kerberos 5" }, { DCE_C_RPC_AUTHN_PROTOCOL_SPNEGO, "SPNEGO" }, { DCE_C_RPC_AUTHN_PROTOCOL_NTLMSSP, "NTLMSSP" }, { DCE_C_RPC_AUTHN_PROTOCOL_GSS_SCHANNEL, "SCHANNEL SSP" }, { DCE_C_RPC_AUTHN_PROTOCOL_GSS_KERBEROS, "Kerberos SSP" }, { DCE_C_RPC_AUTHN_PROTOCOL_DPA, "Distributed Password Authentication SSP"}, { DCE_C_RPC_AUTHN_PROTOCOL_MSN, "MSN SSP"}, { DCE_C_RPC_AUTHN_PROTOCOL_DIGEST, "Digest SSP"}, { DCE_C_RPC_AUTHN_PROTOCOL_SEC_CHAN, "NETLOGON Secure Channel" }, { DCE_C_RPC_AUTHN_PROTOCOL_MQ, "MSMQ SSP"}, { 0, NULL } }; /* * Protection levels. */ static const value_string authn_level_vals[] = { { DCE_C_AUTHN_LEVEL_NONE, "None" }, { DCE_C_AUTHN_LEVEL_CONNECT, "Connect" }, { DCE_C_AUTHN_LEVEL_CALL, "Call" }, { DCE_C_AUTHN_LEVEL_PKT, "Packet" }, { DCE_C_AUTHN_LEVEL_PKT_INTEGRITY, "Packet integrity" }, { DCE_C_AUTHN_LEVEL_PKT_PRIVACY, "Packet privacy" }, { 0, NULL } }; /* * Flag bits in first flag field in connectionless PDU header. */ #define PFCL1_RESERVED_01 0x01 /* Reserved for use by implementations */ #define PFCL1_LASTFRAG 0x02 /* If set, the PDU is the last * fragment of a multi-PDU * transmission */ #define PFCL1_FRAG 0x04 /* If set, the PDU is a fragment of a multi-PDU transmission */ #define PFCL1_NOFACK 0x08 /* If set, the receiver is not * requested to send a `fack' PDU * for the fragment */ #define PFCL1_MAYBE 0x10 /* If set, the PDU is for a `maybe' * request */ #define PFCL1_IDEMPOTENT 0x20 /* If set, the PDU is for an idempotent * request */ #define PFCL1_BROADCAST 0x40 /* If set, the PDU is for a broadcast * request */ #define PFCL1_RESERVED_80 0x80 /* Reserved for use by implementations */ /* * Flag bits in second flag field in connectionless PDU header. */ #define PFCL2_RESERVED_01 0x01 /* Reserved for use by implementations */ #define PFCL2_CANCEL_PENDING 0x02 /* Cancel pending at the call end */ #define PFCL2_RESERVED_04 0x04 /* Reserved for future use */ #define PFCL2_RESERVED_08 0x08 /* Reserved for future use */ #define PFCL2_RESERVED_10 0x10 /* Reserved for future use */ #define PFCL2_RESERVED_20 0x20 /* Reserved for future use */ #define PFCL2_RESERVED_40 0x40 /* Reserved for future use */ #define PFCL2_RESERVED_80 0x80 /* Reserved for future use */ /* * Flag bits in connection-oriented PDU header. */ #define PFC_FIRST_FRAG 0x01 /* First fragment */ #define PFC_LAST_FRAG 0x02 /* Last fragment */ #define PFC_PENDING_CANCEL 0x04 /* Cancel was pending at sender */ #define PFC_HDR_SIGNING PFC_PENDING_CANCEL /* on bind and alter req */ #define PFC_RESERVED_1 0x08 #define PFC_CONC_MPX 0x10 /* supports concurrent multiplexing * of a single connection. */ #define PFC_DID_NOT_EXECUTE 0x20 /* only meaningful on `fault' packet; * if true, guaranteed call did not * execute. */ #define PFC_MAYBE 0x40 /* `maybe' call semantics requested */ #define PFC_OBJECT_UUID 0x80 /* if true, a non-nil object UUID * was specified in the handle, and * is present in the optional object * field. If false, the object field * is omitted. */ /* * Tests whether a connection-oriented PDU is fragmented; returns TRUE if * it's not fragmented (i.e., this is both the first *and* last fragment), * and FALSE otherwise. */ #define PFC_NOT_FRAGMENTED(hdr) \ ((hdr->flags&(PFC_FIRST_FRAG|PFC_LAST_FRAG)) == (PFC_FIRST_FRAG|PFC_LAST_FRAG)) /* * Presentation context negotiation result. */ static const value_string p_cont_result_vals[] = { { 0, "Acceptance" }, { 1, "User rejection" }, { 2, "Provider rejection" }, { 3, "Negotiate ACK" }, /* [MS-RPCE] 2.2.2.4 */ { 0, NULL } }; /* * Presentation context negotiation rejection reasons. */ static const value_string p_provider_reason_vals[] = { { 0, "Reason not specified" }, { 1, "Abstract syntax not supported" }, { 2, "Proposed transfer syntaxes not supported" }, { 3, "Local limit exceeded" }, { 0, NULL } }; /* * Reject reasons. */ #define REASON_NOT_SPECIFIED 0 #define TEMPORARY_CONGESTION 1 #define LOCAL_LIMIT_EXCEEDED 2 #define CALLED_PADDR_UNKNOWN 3 /* not used */ #define PROTOCOL_VERSION_NOT_SUPPORTED 4 #define DEFAULT_CONTEXT_NOT_SUPPORTED 5 /* not used */ #define USER_DATA_NOT_READABLE 6 /* not used */ #define NO_PSAP_AVAILABLE 7 /* not used */ #define AUTH_TYPE_NOT_RECOGNIZED 8 /* [MS-RPCE] 2.2.2.5 */ #define INVALID_CHECKSUM 9 /* [MS-RPCE] 2.2.2.5 */ static const value_string reject_reason_vals[] = { { REASON_NOT_SPECIFIED, "Reason not specified" }, { TEMPORARY_CONGESTION, "Temporary congestion" }, { LOCAL_LIMIT_EXCEEDED, "Local limit exceeded" }, { CALLED_PADDR_UNKNOWN, "Called paddr unknown" }, { PROTOCOL_VERSION_NOT_SUPPORTED, "Protocol version not supported" }, { DEFAULT_CONTEXT_NOT_SUPPORTED, "Default context not supported" }, { USER_DATA_NOT_READABLE, "User data not readable" }, { NO_PSAP_AVAILABLE, "No PSAP available" }, { AUTH_TYPE_NOT_RECOGNIZED, "Authentication type not recognized" }, { INVALID_CHECKSUM, "Invalid checksum" }, { 0, NULL } }; /* * Reject status codes. */ static const value_string reject_status_vals[] = { { 0, "Stub-defined exception" }, { 0x00000001, "nca_s_fault_other" }, { 0x00000005, "nca_s_fault_access_denied" }, { 0x000006f7, "nca_s_fault_ndr" }, { 0x000006d8, "nca_s_fault_cant_perform" }, { 0x00000721, "nca_s_fault_sec_pkg_error" }, { 0x1c000001, "nca_s_fault_int_div_by_zero" }, { 0x1c000002, "nca_s_fault_addr_error" }, { 0x1c000003, "nca_s_fault_fp_div_zero" }, { 0x1c000004, "nca_s_fault_fp_underflow" }, { 0x1c000005, "nca_s_fault_fp_overflow" }, { 0x1c000006, "nca_s_fault_invalid_tag" }, { 0x1c000007, "nca_s_fault_invalid_bound" }, { 0x1c000008, "nca_rpc_version_mismatch" }, { 0x1c000009, "nca_unspec_reject" }, { 0x1c00000a, "nca_s_bad_actid" }, { 0x1c00000b, "nca_who_are_you_failed" }, { 0x1c00000c, "nca_manager_not_entered" }, { 0x1c00000d, "nca_s_fault_cancel" }, { 0x1c00000e, "nca_s_fault_ill_inst" }, { 0x1c00000f, "nca_s_fault_fp_error" }, { 0x1c000010, "nca_s_fault_int_overflow" }, { 0x1c000014, "nca_s_fault_pipe_empty" }, { 0x1c000015, "nca_s_fault_pipe_closed" }, { 0x1c000016, "nca_s_fault_pipe_order" }, { 0x1c000017, "nca_s_fault_pipe_discipline" }, { 0x1c000018, "nca_s_fault_pipe_comm_error" }, { 0x1c000019, "nca_s_fault_pipe_memory" }, { 0x1c00001a, "nca_s_fault_context_mismatch" }, { 0x1c00001b, "nca_s_fault_remote_no_memory" }, { 0x1c00001c, "nca_invalid_pres_context_id" }, { 0x1c00001d, "nca_unsupported_authn_level" }, { 0x1c00001f, "nca_invalid_checksum" }, { 0x1c000020, "nca_invalid_crc" }, { 0x1c000021, "ncs_s_fault_user_defined" }, { 0x1c000022, "nca_s_fault_tx_open_failed" }, { 0x1c000023, "nca_s_fault_codeset_conv_error" }, { 0x1c000024, "nca_s_fault_object_not_found" }, { 0x1c000025, "nca_s_fault_no_client_stub" }, { 0x1c010002, "nca_op_rng_error" }, { 0x1c010003, "nca_unk_if"}, { 0x1c010006, "nca_wrong_boot_time" }, { 0x1c010009, "nca_s_you_crashed" }, { 0x1c01000b, "nca_proto_error" }, { 0x1c010013, "nca_out_args_too_big" }, { 0x1c010014, "nca_server_too_busy" }, { 0x1c010017, "nca_unsupported_type" }, /* MS Windows specific values * see: https://docs.microsoft.com/en-us/windows/win32/debug/system-error-codes--1700-3999- * and: https://docs.microsoft.com/en-us/windows/win32/seccrypto/common-hresult-values * and: https://web.archive.org/web/20150825015741/http://www.megos.ch/support/doserrors.txt * * XXX - we might need a way to dynamically add entries here, as higher layer protocols use these values too, * at least MS protocols (like DCOM) do it that way ... */ { 0x80004001, "E_NOTIMPL" }, { 0x80004003, "E_POINTER" }, { 0x80004004, "E_ABORT" }, { 0x8000FFFF, "E_UNEXPECTED" }, { 0x80010105, "RPC_E_SERVERFAULT" }, { 0x80010108, "RPC_E_DISCONNECTED" }, { 0x80010113, "RPC_E_INVALID_IPID" }, { 0x8001011F, "RPC_E_TIMEOUT" }, { 0x80020003, "DISP_E_MEMBERNOTFOUND" }, { 0x80020006, "DISP_E_UNKNOWNNAME" }, { 0x8002000E, "DISP_E_BADPARAMCOUNT" }, { 0x8004CB00, "CBA_E_MALFORMED" }, { 0x8004CB01, "CBA_E_UNKNOWNOBJECT" }, { 0x8004CB05, "CBA_E_INVALIDID" }, { 0x8004CB09, "CBA_E_INVALIDCOOKIE" }, { 0x8004CB0B, "CBA_E_QOSTYPEUNSUPPORTED" }, { 0x8004CB0C, "CBA_E_QOSVALUEUNSUPPORTED" }, { 0x8004CB0F, "CBA_E_NOTAPPLICABLE" }, { 0x8004CB12, "CBA_E_LIMITVIOLATION" }, { 0x8004CB13, "CBA_E_QOSTYPENOTAPPLICABLE" }, { 0x8004CB18, "CBA_E_OUTOFPARTNERACCOS" }, { 0x8004CB1C, "CBA_E_FLAGUNSUPPORTED" }, { 0x8004CB23, "CBA_E_FRAMECOUNTUNSUPPORTED" }, { 0x8004CB25, "CBA_E_MODECHANGE" }, { 0x8007000E, "E_OUTOFMEMORY" }, { 0x80070057, "E_INVALIDARG" }, { 0x800706d1, "RPC_S_PROCNUM_OUT_OF_RANGE" }, { 0x80070776, "OR_INVALID_OXID" }, { 0, NULL } }; /* * RTS Flags */ #define RTS_FLAG_NONE 0x0000 #define RTS_FLAG_PING 0x0001 #define RTS_FLAG_OTHER_CMD 0x0002 #define RTS_FLAG_RECYCLE_CHANNEL 0x0004 #define RTS_FLAG_IN_CHANNEL 0x0008 #define RTS_FLAG_OUT_CHANNEL 0x0010 #define RTS_FLAG_EOF 0x0020 #define RTS_FLAG_ECHO 0x0040 /* * RTS Commands */ #define RTS_CMD_RECEIVEWINDOWSIZE 0x0 #define RTS_CMD_FLOWCONTROLACK 0x1 #define RTS_CMD_CONNECTIONTIMEOUT 0x2 #define RTS_CMD_COOKIE 0x3 #define RTS_CMD_CHANNELLIFETIME 0x4 #define RTS_CMD_CLIENTKEEPALIVE 0x5 #define RTS_CMD_VERSION 0x6 #define RTS_CMD_EMPTY 0x7 #define RTS_CMD_PADDING 0x8 #define RTS_CMD_NEGATIVEANCE 0x9 #define RTS_CMD_ANCE 0xA #define RTS_CMD_CLIENTADDRESS 0xB #define RTS_CMD_ASSOCIATIONGROUPID 0xC #define RTS_CMD_DESTINATION 0xD #define RTS_CMD_PINGTRAFFICSENTNOTIFY 0xE static const value_string rts_command_vals[] = { { RTS_CMD_RECEIVEWINDOWSIZE, "ReceiveWindowSize" }, { RTS_CMD_FLOWCONTROLACK, "FlowControlAck" }, { RTS_CMD_CONNECTIONTIMEOUT, "ConnectionTimeOut" }, { RTS_CMD_COOKIE, "Cookie" }, { RTS_CMD_CHANNELLIFETIME, "ChannelLifetime" }, { RTS_CMD_CLIENTKEEPALIVE, "ClientKeepalive" }, { RTS_CMD_VERSION, "Version" }, { RTS_CMD_EMPTY, "Empty" }, { RTS_CMD_PADDING, "Padding" }, { RTS_CMD_NEGATIVEANCE, "NegativeANCE" }, { RTS_CMD_ANCE, "ANCE" }, { RTS_CMD_CLIENTADDRESS, "ClientAddress" }, { RTS_CMD_ASSOCIATIONGROUPID, "AssociationGroupId" }, { RTS_CMD_DESTINATION, "Destination" }, { RTS_CMD_PINGTRAFFICSENTNOTIFY, "PingTrafficSentNotify" }, { 0x0, NULL } }; /* * RTS client address type */ #define RTS_IPV4 0 #define RTS_IPV6 1 static const value_string rts_addresstype_vals[] = { { RTS_IPV4, "IPV4" }, { RTS_IPV6, "IPV6" }, { 0x0, NULL } }; /* * RTS Forward destination */ static const value_string rts_forward_destination_vals[] = { { 0x0, "FDClient" }, { 0x1, "FDInProxy" }, { 0x2, "FDServer" }, { 0x3, "FDOutProxy" }, { 0x0, NULL } }; /* we need to keep track of what transport were used, ie what handle we came * in through so we know what kind of pinfo->dce_smb_fid was passed to us. */ /* Value of -1 is reserved for "not DCE packet" in packet_info.dcetransporttype. */ #define DCE_TRANSPORT_UNKNOWN 0 #define DCE_CN_TRANSPORT_SMBPIPE 1 static int proto_dcerpc = -1; /* field defines */ static int hf_dcerpc_request_in = -1; static int hf_dcerpc_time = -1; static int hf_dcerpc_response_in = -1; static int hf_dcerpc_ver = -1; static int hf_dcerpc_ver_minor = -1; static int hf_dcerpc_packet_type = -1; static int hf_dcerpc_cn_flags = -1; static int hf_dcerpc_cn_flags_first_frag = -1; static int hf_dcerpc_cn_flags_last_frag = -1; static int hf_dcerpc_cn_flags_cancel_pending = -1; static int hf_dcerpc_cn_flags_reserved = -1; static int hf_dcerpc_cn_flags_mpx = -1; static int hf_dcerpc_cn_flags_dne = -1; static int hf_dcerpc_cn_flags_maybe = -1; static int hf_dcerpc_cn_flags_object = -1; static int hf_dcerpc_drep = -1; int hf_dcerpc_drep_byteorder = -1; int hf_dcerpc_ndr_padding = -1; static int hf_dcerpc_drep_character = -1; static int hf_dcerpc_drep_fp = -1; static int hf_dcerpc_cn_frag_len = -1; static int hf_dcerpc_cn_auth_len = -1; static int hf_dcerpc_cn_call_id = -1; static int hf_dcerpc_cn_max_xmit = -1; static int hf_dcerpc_cn_max_recv = -1; static int hf_dcerpc_cn_assoc_group = -1; static int hf_dcerpc_cn_num_ctx_items = -1; static int hf_dcerpc_cn_ctx_item = -1; static int hf_dcerpc_cn_ctx_id = -1; static int hf_dcerpc_cn_num_trans_items = -1; static int hf_dcerpc_cn_bind_abstract_syntax = -1; static int hf_dcerpc_cn_bind_if_id = -1; static int hf_dcerpc_cn_bind_if_ver = -1; static int hf_dcerpc_cn_bind_if_ver_minor = -1; static int hf_dcerpc_cn_bind_trans_syntax = -1; static int hf_dcerpc_cn_bind_trans_id = -1; static int hf_dcerpc_cn_bind_trans_ver = -1; static int hf_dcerpc_cn_bind_trans_btfn = -1; static int hf_dcerpc_cn_bind_trans_btfn_01 = -1; static int hf_dcerpc_cn_bind_trans_btfn_02 = -1; static int hf_dcerpc_cn_alloc_hint = -1; static int hf_dcerpc_cn_sec_addr_len = -1; static int hf_dcerpc_cn_sec_addr = -1; static int hf_dcerpc_cn_num_results = -1; static int hf_dcerpc_cn_ack_result = -1; static int hf_dcerpc_cn_ack_reason = -1; static int hf_dcerpc_cn_ack_trans_id = -1; static int hf_dcerpc_cn_ack_trans_ver = -1; static int hf_dcerpc_cn_reject_reason = -1; static int hf_dcerpc_cn_num_protocols = -1; static int hf_dcerpc_cn_protocol_ver_major = -1; static int hf_dcerpc_cn_protocol_ver_minor = -1; static int hf_dcerpc_cn_cancel_count = -1; static int hf_dcerpc_cn_fault_flags = -1; static int hf_dcerpc_cn_fault_flags_extended_error_info = -1; static int hf_dcerpc_cn_status = -1; static int hf_dcerpc_cn_deseg_req = -1; static int hf_dcerpc_cn_rts_flags = -1; static int hf_dcerpc_cn_rts_flags_ping = -1; static int hf_dcerpc_cn_rts_flags_other_cmd = -1; static int hf_dcerpc_cn_rts_flags_recycle_channel = -1; static int hf_dcerpc_cn_rts_flags_in_channel = -1; static int hf_dcerpc_cn_rts_flags_out_channel = -1; static int hf_dcerpc_cn_rts_flags_eof = -1; static int hf_dcerpc_cn_rts_commands_nb = -1; static int hf_dcerpc_cn_rts_command = -1; static int hf_dcerpc_cn_rts_command_receivewindowsize = -1; static int hf_dcerpc_cn_rts_command_fack_bytesreceived = -1; static int hf_dcerpc_cn_rts_command_fack_availablewindow = -1; static int hf_dcerpc_cn_rts_command_fack_channelcookie = -1; static int hf_dcerpc_cn_rts_command_connectiontimeout = -1; static int hf_dcerpc_cn_rts_command_cookie = -1; static int hf_dcerpc_cn_rts_command_channellifetime = -1; static int hf_dcerpc_cn_rts_command_clientkeepalive = -1; static int hf_dcerpc_cn_rts_command_version = -1; static int hf_dcerpc_cn_rts_command_conformancecount = -1; static int hf_dcerpc_cn_rts_command_padding = -1; static int hf_dcerpc_cn_rts_command_addrtype = -1; static int hf_dcerpc_cn_rts_command_associationgroupid = -1; static int hf_dcerpc_cn_rts_command_forwarddestination = -1; static int hf_dcerpc_cn_rts_command_pingtrafficsentnotify = -1; static int hf_dcerpc_auth_type = -1; static int hf_dcerpc_auth_level = -1; static int hf_dcerpc_auth_pad_len = -1; static int hf_dcerpc_auth_rsrvd = -1; static int hf_dcerpc_auth_ctx_id = -1; static int hf_dcerpc_dg_flags1 = -1; static int hf_dcerpc_dg_flags1_rsrvd_01 = -1; static int hf_dcerpc_dg_flags1_last_frag = -1; static int hf_dcerpc_dg_flags1_frag = -1; static int hf_dcerpc_dg_flags1_nofack = -1; static int hf_dcerpc_dg_flags1_maybe = -1; static int hf_dcerpc_dg_flags1_idempotent = -1; static int hf_dcerpc_dg_flags1_broadcast = -1; static int hf_dcerpc_dg_flags1_rsrvd_80 = -1; static int hf_dcerpc_dg_flags2 = -1; static int hf_dcerpc_dg_flags2_rsrvd_01 = -1; static int hf_dcerpc_dg_flags2_cancel_pending = -1; static int hf_dcerpc_dg_flags2_rsrvd_04 = -1; static int hf_dcerpc_dg_flags2_rsrvd_08 = -1; static int hf_dcerpc_dg_flags2_rsrvd_10 = -1; static int hf_dcerpc_dg_flags2_rsrvd_20 = -1; static int hf_dcerpc_dg_flags2_rsrvd_40 = -1; static int hf_dcerpc_dg_flags2_rsrvd_80 = -1; static int hf_dcerpc_dg_serial_hi = -1; static int hf_dcerpc_obj_id = -1; static int hf_dcerpc_dg_if_id = -1; static int hf_dcerpc_dg_act_id = -1; static int hf_dcerpc_dg_serial_lo = -1; static int hf_dcerpc_dg_ahint = -1; static int hf_dcerpc_dg_ihint = -1; static int hf_dcerpc_dg_frag_len = -1; static int hf_dcerpc_dg_frag_num = -1; static int hf_dcerpc_dg_auth_proto = -1; static int hf_dcerpc_opnum = -1; static int hf_dcerpc_dg_seqnum = -1; static int hf_dcerpc_dg_server_boot = -1; static int hf_dcerpc_dg_if_ver = -1; static int hf_dcerpc_krb5_av_prot_level = -1; static int hf_dcerpc_krb5_av_key_vers_num = -1; static int hf_dcerpc_krb5_av_key_auth_verifier = -1; static int hf_dcerpc_dg_cancel_vers = -1; static int hf_dcerpc_dg_cancel_id = -1; static int hf_dcerpc_dg_server_accepting_cancels = -1; static int hf_dcerpc_dg_fack_vers = -1; static int hf_dcerpc_dg_fack_window_size = -1; static int hf_dcerpc_dg_fack_max_tsdu = -1; static int hf_dcerpc_dg_fack_max_frag_size = -1; static int hf_dcerpc_dg_fack_serial_num = -1; static int hf_dcerpc_dg_fack_selack_len = -1; static int hf_dcerpc_dg_fack_selack = -1; static int hf_dcerpc_dg_status = -1; static int hf_dcerpc_array_max_count = -1; static int hf_dcerpc_array_offset = -1; static int hf_dcerpc_array_actual_count = -1; static int hf_dcerpc_op = -1; static int hf_dcerpc_referent_id32 = -1; static int hf_dcerpc_referent_id64 = -1; static int hf_dcerpc_null_pointer = -1; static int hf_dcerpc_fragments = -1; static int hf_dcerpc_fragment = -1; static int hf_dcerpc_fragment_overlap = -1; static int hf_dcerpc_fragment_overlap_conflict = -1; static int hf_dcerpc_fragment_multiple_tails = -1; static int hf_dcerpc_fragment_too_long_fragment = -1; static int hf_dcerpc_fragment_error = -1; static int hf_dcerpc_fragment_count = -1; static int hf_dcerpc_reassembled_in = -1; static int hf_dcerpc_reassembled_length = -1; static int hf_dcerpc_unknown_if_id = -1; static int hf_dcerpc_sec_vt_signature = -1; static int hf_dcerpc_sec_vt_command = -1; static int hf_dcerpc_sec_vt_command_cmd = -1; static int hf_dcerpc_sec_vt_command_end = -1; static int hf_dcerpc_sec_vt_command_must = -1; static int hf_dcerpc_sec_vt_command_length = -1; static int hf_dcerpc_sec_vt_bitmask = -1; static int hf_dcerpc_sec_vt_bitmask_sign = -1; static int hf_dcerpc_sec_vt_pcontext_uuid = -1; static int hf_dcerpc_sec_vt_pcontext_ver = -1; static int * const sec_vt_command_fields[] = { &hf_dcerpc_sec_vt_command_cmd, &hf_dcerpc_sec_vt_command_end, &hf_dcerpc_sec_vt_command_must, NULL }; static int hf_dcerpc_reserved = -1; static int hf_dcerpc_unknown = -1; static int hf_dcerpc_missalign = -1; /* Generated from convert_proto_tree_add_text.pl */ static int hf_dcerpc_duplicate_ptr = -1; static int hf_dcerpc_encrypted_stub_data = -1; static int hf_dcerpc_decrypted_stub_data = -1; static int hf_dcerpc_payload_stub_data = -1; static int hf_dcerpc_stub_data_with_sec_vt = -1; static int hf_dcerpc_stub_data = -1; static int hf_dcerpc_auth_padding = -1; static int hf_dcerpc_auth_info = -1; static int hf_dcerpc_auth_credentials = -1; static int hf_dcerpc_fault_stub_data = -1; static int hf_dcerpc_fragment_data = -1; static int hf_dcerpc_cmd_client_ipv4 = -1; static int hf_dcerpc_cmd_client_ipv6 = -1; static int hf_dcerpc_authentication_verifier = -1; static int * const dcerpc_cn_bind_trans_btfn_fields[] = { &hf_dcerpc_cn_bind_trans_btfn_01, &hf_dcerpc_cn_bind_trans_btfn_02, NULL }; static int * const sec_vt_bitmask_fields[] = { &hf_dcerpc_sec_vt_bitmask_sign, NULL }; static int * const dcerpc_cn_fault_flags_fields[] = { &hf_dcerpc_cn_fault_flags_extended_error_info, NULL }; static const value_string sec_vt_command_cmd_vals[] = { {1, "BITMASK_1"}, {2, "PCONTEXT"}, {3, "HEADER2"}, {0, NULL} }; static gint ett_dcerpc = -1; static gint ett_dcerpc_cn_flags = -1; static gint ett_dcerpc_cn_ctx = -1; static gint ett_dcerpc_cn_iface = -1; static gint ett_dcerpc_cn_trans_syntax = -1; static gint ett_dcerpc_cn_trans_btfn = -1; static gint ett_dcerpc_cn_bind_trans_btfn = -1; static gint ett_dcerpc_cn_rts_flags = -1; static gint ett_dcerpc_cn_rts_command = -1; static gint ett_dcerpc_cn_rts_pdu = -1; static gint ett_dcerpc_drep = -1; static gint ett_dcerpc_dg_flags1 = -1; static gint ett_dcerpc_dg_flags2 = -1; static gint ett_dcerpc_pointer_data = -1; static gint ett_dcerpc_string = -1; static gint ett_dcerpc_fragments = -1; static gint ett_dcerpc_fragment = -1; static gint ett_dcerpc_krb5_auth_verf = -1; static gint ett_dcerpc_auth_info = -1; static gint ett_dcerpc_verification_trailer = -1; static gint ett_dcerpc_sec_vt_command = -1; static gint ett_dcerpc_sec_vt_bitmask = -1; static gint ett_dcerpc_sec_vt_pcontext = -1; static gint ett_dcerpc_sec_vt_header = -1; static gint ett_dcerpc_complete_stub_data = -1; static gint ett_dcerpc_fault_flags = -1; static gint ett_dcerpc_fault_stub_data = -1; static expert_field ei_dcerpc_fragment_multiple = EI_INIT; static expert_field ei_dcerpc_cn_status = EI_INIT; static expert_field ei_dcerpc_fragment_reassembled = EI_INIT; static expert_field ei_dcerpc_fragment = EI_INIT; static expert_field ei_dcerpc_no_request_found = EI_INIT; /* static expert_field ei_dcerpc_context_change = EI_INIT; */ static expert_field ei_dcerpc_cn_ctx_id_no_bind = EI_INIT; static expert_field ei_dcerpc_bind_not_acknowledged = EI_INIT; static expert_field ei_dcerpc_verifier_unavailable = EI_INIT; static expert_field ei_dcerpc_invalid_pdu_authentication_attempt = EI_INIT; /* Generated from convert_proto_tree_add_text.pl */ static expert_field ei_dcerpc_long_frame = EI_INIT; static expert_field ei_dcerpc_cn_rts_command = EI_INIT; static expert_field ei_dcerpc_not_implemented = EI_INIT; static const guint8 TRAILER_SIGNATURE[] = {0x8a, 0xe3, 0x13, 0x71, 0x02, 0xf4, 0x36, 0x71}; static tvbuff_t *tvb_trailer_signature = NULL; static GSList *decode_dcerpc_bindings = NULL; /* * To keep track of ctx_id mappings. * * Every time we see a bind call we update this table. * Note that we always specify a SMB FID. For non-SMB transports this * value is 0. */ static wmem_map_t *dcerpc_binds = NULL; typedef struct _dcerpc_bind_key { conversation_t *conv; guint16 ctx_id; guint64 transport_salt; } dcerpc_bind_key; typedef struct _dcerpc_bind_value { e_guid_t uuid; guint16 ver; e_guid_t transport; } dcerpc_bind_value; static wmem_map_t *dcerpc_auths = NULL; typedef struct _dcerpc_auth_context { conversation_t *conv; guint64 transport_salt; guint8 auth_type; guint8 auth_level; guint32 auth_context_id; guint32 first_frame; gboolean hdr_signing; } dcerpc_auth_context; /* Extra data for DCERPC handling and tracking of context ids */ typedef struct _dcerpc_decode_as_data { guint16 dcectxid; /**< Context ID (DCERPC-specific) */ int dcetransporttype; /**< Transport type * Value -1 means "not a DCERPC packet" */ guint64 dcetransportsalt; /**< fid: if transporttype==DCE_CN_TRANSPORT_SMBPIPE */ } dcerpc_decode_as_data; static dcerpc_decode_as_data* dcerpc_get_decode_data(packet_info* pinfo) { dcerpc_decode_as_data* data = (dcerpc_decode_as_data*)p_get_proto_data(pinfo->pool, pinfo, proto_dcerpc, 0); if (data == NULL) { data = wmem_new0(pinfo->pool, dcerpc_decode_as_data); data->dcetransporttype = -1; p_add_proto_data(pinfo->pool, pinfo, proto_dcerpc, 0, data); } return data; } /** * Registers a conversation/UUID binding association, so that * we can invoke the proper sub-dissector for a given DCERPC * conversation. * * @param binding all values needed to create and bind a new conversation * * @return Pointer to newly-added UUID/conversation binding. */ static struct _dcerpc_bind_value * dcerpc_add_conv_to_bind_table(decode_dcerpc_bind_values_t *binding) { dcerpc_bind_value *bind_value; dcerpc_bind_key *key; conversation_t *conv; conv = find_conversation( 0, &binding->addr_a, &binding->addr_b, conversation_pt_to_conversation_type(binding->ptype), binding->port_a, binding->port_b, 0); if (!conv) { conv = conversation_new( 0, &binding->addr_a, &binding->addr_b, conversation_pt_to_conversation_type(binding->ptype), binding->port_a, binding->port_b, 0); } bind_value = wmem_new(wmem_file_scope(), dcerpc_bind_value); bind_value->uuid = binding->uuid; bind_value->ver = binding->ver; /* For now, assume all DCE/RPC we pick from "decode as" is using standard ndr and not ndr64. We should make this selectable from the dialog in the future */ bind_value->transport = uuid_data_repr_proto; key = wmem_new(wmem_file_scope(), dcerpc_bind_key); key->conv = conv; key->ctx_id = binding->ctx_id; key->transport_salt = binding->transport_salt; /* add this entry to the bind table */ wmem_map_insert(dcerpc_binds, key, bind_value); return bind_value; } /* inject one of our bindings into the dcerpc binding table */ static void decode_dcerpc_inject_binding(gpointer data, gpointer user_data _U_) { dcerpc_add_conv_to_bind_table((decode_dcerpc_bind_values_t *) data); } /* inject all of our bindings into the dcerpc binding table */ static void decode_dcerpc_inject_bindings(void) { g_slist_foreach(decode_dcerpc_bindings, decode_dcerpc_inject_binding, NULL /* user_data */); } /* free a binding */ static void decode_dcerpc_binding_free(void *binding_in) { decode_dcerpc_bind_values_t *binding = (decode_dcerpc_bind_values_t *)binding_in; free_address(&binding->addr_a); free_address(&binding->addr_b); if (binding->ifname) g_string_free(binding->ifname, TRUE); g_free(binding); } static void dcerpc_decode_as_free(gpointer value) { decode_dcerpc_bind_values_t *binding = (decode_dcerpc_bind_values_t *)value; if (binding != NULL) decode_dcerpc_binding_free(binding); } /* removes all bindings */ void decode_dcerpc_reset_all(void) { decode_dcerpc_bind_values_t *binding; while (decode_dcerpc_bindings) { binding = (decode_dcerpc_bind_values_t *)decode_dcerpc_bindings->data; decode_dcerpc_bindings = g_slist_remove( decode_dcerpc_bindings, decode_dcerpc_bindings->data); decode_dcerpc_binding_free(binding); } } void decode_dcerpc_add_show_list(decode_add_show_list_func func, gpointer user_data) { g_slist_foreach(decode_dcerpc_bindings, func, user_data); } static void dcerpc_prompt(packet_info *pinfo, gchar* result) { GString *str = g_string_new("Replace binding between:\r\n"), *address_str = g_string_new(""); dcerpc_decode_as_data* decode_data = dcerpc_get_decode_data(pinfo); switch (pinfo->ptype) { case(PT_TCP): g_string_append(address_str, "Address: ToBeDone TCP port"); break; case(PT_UDP): g_string_append(address_str, "Address: ToBeDone UDP port"); break; default: g_string_append(address_str, "Address: ToBeDone Unknown port type"); } g_string_append_printf(str, "%s: %u\r\n", address_str->str, pinfo->srcport); g_string_append(str, "&\r\n"); g_string_append_printf(str, "%s: %u\r\n", address_str->str, pinfo->destport); g_string_append_printf(str, "&\r\nContext ID: %u\r\n", decode_data->dcectxid); g_string_append_printf(str, "&\r\nSMB FID: %"PRIu64"\r\n", dcerpc_get_transport_salt(pinfo)); g_string_append(str, "with:\r\n"); (void) g_strlcpy(result, str->str, MAX_DECODE_AS_PROMPT_LEN); g_string_free(str, TRUE); g_string_free(address_str, TRUE); } static gpointer dcerpc_value(packet_info *pinfo) { decode_dcerpc_bind_values_t *binding; dcerpc_decode_as_data* decode_data = dcerpc_get_decode_data(pinfo); /* clone binding */ binding = g_new(decode_dcerpc_bind_values_t,1); copy_address(&binding->addr_a, &pinfo->src); copy_address(&binding->addr_b, &pinfo->dst); binding->ptype = pinfo->ptype; binding->port_a = pinfo->srcport; binding->port_b = pinfo->destport; binding->ctx_id = decode_data->dcectxid; binding->transport_salt = dcerpc_get_transport_salt(pinfo); binding->ifname = NULL; /*binding->uuid = NULL;*/ binding->ver = 0; return binding; } struct dcerpc_decode_as_populate { decode_as_add_to_list_func add_to_list; gpointer ui_element; }; static void decode_dcerpc_add_to_list(gpointer key, gpointer value, gpointer user_data) { struct dcerpc_decode_as_populate* populate = (struct dcerpc_decode_as_populate*)user_data; /*guid_key *k = key;*/ dcerpc_uuid_value *v = (dcerpc_uuid_value *)value; if (strcmp(v->name, "(none)")) populate->add_to_list("DCE-RPC", v->name, key, populate->ui_element); } static void dcerpc_populate_list(const gchar *table_name _U_, decode_as_add_to_list_func add_to_list, gpointer ui_element) { struct dcerpc_decode_as_populate populate; populate.add_to_list = add_to_list; populate.ui_element = ui_element; g_hash_table_foreach(dcerpc_uuids, decode_dcerpc_add_to_list, &populate); } /* compare two bindings (except the interface related things, e.g. uuid) */ static gint decode_dcerpc_binding_cmp(gconstpointer a, gconstpointer b) { const decode_dcerpc_bind_values_t *binding_a = (const decode_dcerpc_bind_values_t *)a; const decode_dcerpc_bind_values_t *binding_b = (const decode_dcerpc_bind_values_t *)b; /* don't compare uuid and ver! */ if ( addresses_equal(&binding_a->addr_a, &binding_b->addr_a) && addresses_equal(&binding_a->addr_b, &binding_b->addr_b) && binding_a->ptype == binding_b->ptype && binding_a->port_a == binding_b->port_a && binding_a->port_b == binding_b->port_b && binding_a->ctx_id == binding_b->ctx_id && binding_a->transport_salt == binding_b->transport_salt) { /* equal */ return 0; } /* unequal */ return 1; } /* remove a binding (looking the same way as the given one) */ static gboolean decode_dcerpc_binding_reset(const char *name _U_, gconstpointer pattern) { const decode_dcerpc_bind_values_t *binding = (const decode_dcerpc_bind_values_t *)pattern; GSList *le; decode_dcerpc_bind_values_t *old_binding; /* find the old binding (if it exists) */ le = g_slist_find_custom(decode_dcerpc_bindings, binding, decode_dcerpc_binding_cmp); if (le == NULL) return FALSE; old_binding = (decode_dcerpc_bind_values_t *)le->data; decode_dcerpc_bindings = g_slist_remove(decode_dcerpc_bindings, le->data); free_address(&old_binding->addr_a); free_address(&old_binding->addr_b); g_string_free(old_binding->ifname, TRUE); g_free(old_binding); return FALSE; } static gboolean dcerpc_decode_as_change(const char *name, gconstpointer pattern, gconstpointer handle, const gchar* list_name) { const decode_dcerpc_bind_values_t *binding = (const decode_dcerpc_bind_values_t*)pattern; decode_dcerpc_bind_values_t *stored_binding; const guid_key *key = (const guid_key *)handle; /* remove a probably existing old binding */ decode_dcerpc_binding_reset(name, binding); /* * Clone the new binding, update the changing parts, and append it * to the list. */ stored_binding = g_new(decode_dcerpc_bind_values_t,1); *stored_binding = *binding; copy_address(&stored_binding->addr_a, &binding->addr_a); copy_address(&stored_binding->addr_b, &binding->addr_b); stored_binding->ifname = g_string_new(list_name); stored_binding->uuid = key->guid; stored_binding->ver = key->ver; decode_dcerpc_bindings = g_slist_append (decode_dcerpc_bindings, stored_binding); return FALSE; } static const fragment_items dcerpc_frag_items = { &ett_dcerpc_fragments, &ett_dcerpc_fragment, &hf_dcerpc_fragments, &hf_dcerpc_fragment, &hf_dcerpc_fragment_overlap, &hf_dcerpc_fragment_overlap_conflict, &hf_dcerpc_fragment_multiple_tails, &hf_dcerpc_fragment_too_long_fragment, &hf_dcerpc_fragment_error, &hf_dcerpc_fragment_count, NULL, &hf_dcerpc_reassembled_length, /* Reassembled data field */ NULL, "fragments" }; /* try to desegment big DCE/RPC packets over TCP? */ static gboolean dcerpc_cn_desegment = TRUE; /* reassemble DCE/RPC fragments */ /* reassembly of cl dcerpc fragments will not work for the case where ONE frame might contain multiple dcerpc fragments for different PDUs. this case would be so unusual/weird so if you got captures like that: too bad reassembly of co dcerpc fragments will not work for the case where TCP/SMB frames are coming in out of sequence, but that will hurt in a lot of other places as well. */ static gboolean dcerpc_reassemble = TRUE; static reassembly_table dcerpc_co_reassembly_table; static reassembly_table dcerpc_cl_reassembly_table; typedef struct _dcerpc_fragment_key { address src; address dst; guint32 id; e_guid_t act_id; } dcerpc_fragment_key; static guint dcerpc_fragment_hash(gconstpointer k) { const dcerpc_fragment_key* key = (const dcerpc_fragment_key*) k; guint hash_val; hash_val = 0; hash_val += key->id; hash_val += key->act_id.data1; hash_val += key->act_id.data2 << 16; hash_val += key->act_id.data3; return hash_val; } static gint dcerpc_fragment_equal(gconstpointer k1, gconstpointer k2) { const dcerpc_fragment_key* key1 = (const dcerpc_fragment_key*) k1; const dcerpc_fragment_key* key2 = (const dcerpc_fragment_key*) k2; /*key.id is the first item to compare since item is most likely to differ between sessions, thus shortcircuiting the comparison of addresses. */ return (((key1->id == key2->id) && (addresses_equal(&key1->src, &key2->src)) && (addresses_equal(&key1->dst, &key2->dst)) && (memcmp (&key1->act_id, &key2->act_id, sizeof (e_guid_t)) == 0)) ? TRUE : FALSE); } /* allocate a persistent dcerpc fragment key to insert in the hash */ static void * dcerpc_fragment_temporary_key(const packet_info *pinfo, const guint32 id, const void *data) { dcerpc_fragment_key *key = g_slice_new(dcerpc_fragment_key); const e_dce_dg_common_hdr_t *hdr = (const e_dce_dg_common_hdr_t *)data; copy_address_shallow(&key->src, &pinfo->src); copy_address_shallow(&key->dst, &pinfo->dst); key->id = id; key->act_id = hdr->act_id; return key; } /* allocate a persistent dcerpc fragment key to insert in the hash */ static void * dcerpc_fragment_persistent_key(const packet_info *pinfo, const guint32 id, const void *data) { dcerpc_fragment_key *key = g_slice_new(dcerpc_fragment_key); const e_dce_dg_common_hdr_t *hdr = (const e_dce_dg_common_hdr_t *)data; copy_address(&key->src, &pinfo->src); copy_address(&key->dst, &pinfo->dst); key->id = id; key->act_id = hdr->act_id; return key; } static void dcerpc_fragment_free_temporary_key(gpointer ptr) { dcerpc_fragment_key *key = (dcerpc_fragment_key *)ptr; g_slice_free(dcerpc_fragment_key, key); } static void dcerpc_fragment_free_persistent_key(gpointer ptr) { dcerpc_fragment_key *key = (dcerpc_fragment_key *)ptr; if (key) { /* * Free up the copies of the addresses from the old key. */ free_address(&key->src); free_address(&key->dst); g_slice_free(dcerpc_fragment_key, key); } } static const reassembly_table_functions dcerpc_cl_reassembly_table_functions = { dcerpc_fragment_hash, dcerpc_fragment_equal, dcerpc_fragment_temporary_key, dcerpc_fragment_persistent_key, dcerpc_fragment_free_temporary_key, dcerpc_fragment_free_persistent_key }; /* * Authentication subdissectors. Used to dissect authentication blobs in * DCERPC binds, requests and responses. */ typedef struct _dcerpc_auth_subdissector { guint8 auth_level; guint8 auth_type; dcerpc_auth_subdissector_fns auth_fns; } dcerpc_auth_subdissector; static GSList *dcerpc_auth_subdissector_list; static dcerpc_auth_subdissector_fns *get_auth_subdissector_fns( guint8 auth_level, guint8 auth_type) { gpointer data; int i; for (i = 0; (data = g_slist_nth_data(dcerpc_auth_subdissector_list, i)); i++) { dcerpc_auth_subdissector *asd = (dcerpc_auth_subdissector *)data; if ((asd->auth_level == auth_level) && (asd->auth_type == auth_type)) return &asd->auth_fns; } return NULL; } void register_dcerpc_auth_subdissector(guint8 auth_level, guint8 auth_type, dcerpc_auth_subdissector_fns *fns) { dcerpc_auth_subdissector *d; if (get_auth_subdissector_fns(auth_level, auth_type)) return; d = g_new(dcerpc_auth_subdissector, 1); d->auth_level = auth_level; d->auth_type = auth_type; d->auth_fns = *fns; dcerpc_auth_subdissector_list = g_slist_append(dcerpc_auth_subdissector_list, d); } /* Hand off verifier data to a registered dissector */ static void dissect_auth_verf(packet_info *pinfo, e_dce_cn_common_hdr_t *hdr, dcerpc_auth_info *auth_info) { dcerpc_dissect_fnct_t *fn = NULL; /* XXX - "stub" a fake DCERPC INFO STRUCTURE If a dcerpc_info is really needed, update the call stacks to include it */ FAKE_DCERPC_INFO_STRUCTURE if (auth_info == NULL) { return; } if (auth_info->auth_fns == NULL) { return; } switch (hdr->ptype) { case PDU_BIND: case PDU_ALTER: fn = auth_info->auth_fns->bind_fn; break; case PDU_BIND_ACK: case PDU_ALTER_ACK: fn = auth_info->auth_fns->bind_ack_fn; break; case PDU_AUTH3: fn = auth_info->auth_fns->auth3_fn; break; case PDU_REQ: case PDU_CO_CANCEL: case PDU_ORPHANED: fn = auth_info->auth_fns->req_verf_fn; break; case PDU_RESP: case PDU_FAULT: fn = auth_info->auth_fns->resp_verf_fn; break; default: /* Don't know how to handle authentication data in this pdu type. */ proto_tree_add_expert_format(auth_info->auth_tree, pinfo, &ei_dcerpc_invalid_pdu_authentication_attempt, auth_info->auth_tvb, 0, 0, "Don't know how to dissect authentication data for %s pdu type", val_to_str(hdr->ptype, pckt_vals, "Unknown (%u)")); return; break; } if (fn) fn(auth_info->auth_tvb, 0, pinfo, auth_info->auth_tree, &di, hdr->drep); else proto_tree_add_expert_format(auth_info->auth_tree, pinfo, &ei_dcerpc_verifier_unavailable, auth_info->auth_tvb, 0, hdr->auth_len, "%s Verifier unavailable", val_to_str(auth_info->auth_type, authn_protocol_vals, "Unknown (%u)")); } static proto_item* proto_tree_add_dcerpc_drep(proto_tree *tree, tvbuff_t *tvb, int offset, guint8 drep[], int drep_len) { const guint8 byteorder = drep[0] >> 4; const guint8 character = drep[0] & 0x0f; const guint8 fp = drep[1]; proto_item *ti = proto_tree_add_bytes(tree, hf_dcerpc_drep, tvb, offset, drep_len, drep); proto_tree *tr = proto_item_add_subtree(ti, ett_dcerpc_drep); proto_tree_add_uint(tr, hf_dcerpc_drep_byteorder, tvb, offset, 1, byteorder); proto_tree_add_uint(tr, hf_dcerpc_drep_character, tvb, offset, 1, character); proto_tree_add_uint(tr, hf_dcerpc_drep_fp, tvb, offset+1, 1, fp); proto_item_append_text(ti, " (Order: %s, Char: %s, Float: %s)", val_to_str(byteorder, drep_byteorder_vals, "Unknown (%u)"), val_to_str(character, drep_character_vals, "Unknown (%u)"), val_to_str(fp, drep_fp_vals, "Unknown (%u)")); return ti; } /* Hand off payload data to a registered dissector */ static tvbuff_t *decode_encrypted_data(tvbuff_t *header_tvb, tvbuff_t *payload_tvb, tvbuff_t *trailer_tvb, packet_info *pinfo, e_dce_cn_common_hdr_t *hdr, dcerpc_auth_info *auth_info) { dcerpc_decode_data_fnct_t *fn = NULL; if (auth_info == NULL) return NULL; if (auth_info->auth_fns == NULL) return NULL; switch (hdr->ptype) { case PDU_REQ: fn = auth_info->auth_fns->req_data_fn; break; case PDU_RESP: case PDU_FAULT: fn = auth_info->auth_fns->resp_data_fn; break; } if (fn) return fn(header_tvb, payload_tvb, trailer_tvb, auth_info->auth_tvb, pinfo, auth_info); return NULL; } typedef struct _dcerpc_dissector_data { dcerpc_uuid_value *sub_proto; dcerpc_info *info; gboolean decrypted; dcerpc_auth_info *auth_info; guint8 *drep; proto_tree *dcerpc_tree; } dcerpc_dissector_data_t; /* * Subdissectors */ static dissector_table_t uuid_dissector_table; /* the registered subdissectors */ GHashTable *dcerpc_uuids = NULL; static gint dcerpc_uuid_equal(gconstpointer k1, gconstpointer k2) { const guid_key *key1 = (const guid_key *)k1; const guid_key *key2 = (const guid_key *)k2; return ((memcmp(&key1->guid, &key2->guid, sizeof (e_guid_t)) == 0) && (key1->ver == key2->ver)); } static guint dcerpc_uuid_hash(gconstpointer k) { const guid_key *key = (const guid_key *)k; /* This isn't perfect, but the Data1 part of these is almost always unique. */ return key->guid.data1; } static int dissect_verification_trailer(packet_info *pinfo, tvbuff_t *tvb, int stub_offset, proto_tree *parent_tree, int *signature_offset); static void show_stub_data(packet_info *pinfo, tvbuff_t *tvb, gint offset, proto_tree *dcerpc_tree, dcerpc_auth_info *auth_info, gboolean is_encrypted) { int length, plain_length, auth_pad_len; guint auth_pad_offset; /* * We don't show stub data unless we have some in the tvbuff; * however, in the protocol tree, we show, as the number of * bytes, the reported number of bytes, not the number of bytes * that happen to be in the tvbuff. */ if (tvb_reported_length_remaining(tvb, offset) > 0) { auth_pad_len = auth_info?auth_info->auth_pad_len:0; length = tvb_reported_length_remaining(tvb, offset); /* if auth_pad_len is larger than length then we ignore auth_pad_len totally */ plain_length = length - auth_pad_len; if (plain_length < 1) { plain_length = length; auth_pad_len = 0; } auth_pad_offset = offset + plain_length; if ((auth_info != NULL) && (auth_info->auth_level == DCE_C_AUTHN_LEVEL_PKT_PRIVACY)) { if (is_encrypted) { proto_tree_add_item(dcerpc_tree, hf_dcerpc_encrypted_stub_data, tvb, offset, length, ENC_NA); /* is the padding is still inside the encrypted blob, don't display it explicit */ auth_pad_len = 0; } else { proto_tree_add_item(dcerpc_tree, hf_dcerpc_decrypted_stub_data, tvb, offset, plain_length, ENC_NA); dissect_verification_trailer(pinfo, tvb, offset, dcerpc_tree, NULL); } } else { proto_tree_add_item(dcerpc_tree, hf_dcerpc_stub_data, tvb, offset, plain_length, ENC_NA); dissect_verification_trailer(pinfo, tvb, offset, dcerpc_tree, NULL); } /* If there is auth padding at the end of the stub, display it */ if (auth_pad_len != 0) { proto_tree_add_item(dcerpc_tree, hf_dcerpc_auth_padding, tvb, auth_pad_offset, auth_pad_len, ENC_NA); } } } static int dissect_dcerpc_guid(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data) { dcerpc_dissector_data_t* dissector_data = (dcerpc_dissector_data_t*)data; const gchar *name = NULL; dcerpc_sub_dissector *proc; int (*volatile sub_dissect)(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep) = NULL; proto_item *pi, *sub_item; proto_tree *sub_tree; volatile guint length; guint reported_length; volatile gint offset = 0; tvbuff_t *volatile stub_tvb; tvbuff_t *volatile payload_tvb = NULL; volatile guint auth_pad_len; volatile int auth_pad_offset; const char *volatile saved_proto; for (proc = dissector_data->sub_proto->procs; proc->name; proc++) { if (proc->num == dissector_data->info->call_data->opnum) { name = proc->name; break; } } col_set_str(pinfo->cinfo, COL_PROTOCOL, dissector_data->sub_proto->name); if (!name) col_add_fstr(pinfo->cinfo, COL_INFO, "Unknown operation %u %s", dissector_data->info->call_data->opnum, (dissector_data->info->ptype == PDU_REQ) ? "request" : "response"); else col_add_fstr(pinfo->cinfo, COL_INFO, "%s %s", name, (dissector_data->info->ptype == PDU_REQ) ? "request" : "response"); sub_dissect = (dissector_data->info->ptype == PDU_REQ) ? proc->dissect_rqst : proc->dissect_resp; sub_item = proto_tree_add_item(tree, dissector_data->sub_proto->proto_id, tvb,//(decrypted_tvb != NULL)?decrypted_tvb:tvb, 0, -1, ENC_NA); sub_tree = proto_item_add_subtree(sub_item, dissector_data->sub_proto->ett); if (!name) proto_item_append_text(sub_item, ", unknown operation %u", dissector_data->info->call_data->opnum); else proto_item_append_text(sub_item, ", %s", name); if (tree) { /* * Put the operation number into the tree along with * the operation's name. */ if (dissector_data->sub_proto->opnum_hf != -1) proto_tree_add_uint_format(sub_tree, dissector_data->sub_proto->opnum_hf, tvb, 0, 0, dissector_data->info->call_data->opnum, "Operation: %s (%u)", name ? name : "Unknown operation", dissector_data->info->call_data->opnum); else proto_tree_add_uint_format_value(sub_tree, hf_dcerpc_op, tvb, 0, 0, dissector_data->info->call_data->opnum, "%s (%u)", name ? name : "Unknown operation", dissector_data->info->call_data->opnum); if ((dissector_data->info->ptype == PDU_REQ) && (dissector_data->info->call_data->rep_frame != 0)) { pi = proto_tree_add_uint(sub_tree, hf_dcerpc_response_in, tvb, 0, 0, dissector_data->info->call_data->rep_frame); proto_item_set_generated(pi); } if ((dissector_data->info->ptype == PDU_RESP) && (dissector_data->info->call_data->req_frame != 0)) { pi = proto_tree_add_uint(sub_tree, hf_dcerpc_request_in, tvb, 0, 0, dissector_data->info->call_data->req_frame); proto_item_set_generated(pi); } } /* tree */ if (!dissector_data->decrypted || (sub_dissect == NULL)) { show_stub_data(pinfo, tvb, 0, sub_tree, dissector_data->auth_info, !dissector_data->decrypted); return tvb_captured_length(tvb); } /* Either there was no encryption or we successfully decrypted the encrypted payload. */ /* We have a subdissector - call it. */ saved_proto = pinfo->current_proto; pinfo->current_proto = dissector_data->sub_proto->name; init_ndr_pointer_list(dissector_data->info); length = tvb_captured_length(tvb); reported_length = tvb_reported_length(tvb); /* * Remove the authentication padding from the stub data. */ if ((dissector_data->auth_info != NULL) && (dissector_data->auth_info->auth_pad_len != 0)) { if (reported_length >= dissector_data->auth_info->auth_pad_len) { /* * OK, the padding length isn't so big that it * exceeds the stub length. Trim the reported * length of the tvbuff. */ reported_length -= dissector_data->auth_info->auth_pad_len; /* * If that exceeds the actual amount of data in * the tvbuff (which means we have at least one * byte of authentication padding in the tvbuff), * trim the actual amount. */ if (length > reported_length) length = reported_length; stub_tvb = tvb_new_subset_length_caplen(tvb, 0, length, reported_length); auth_pad_len = dissector_data->auth_info->auth_pad_len; auth_pad_offset = reported_length; } else { /* * The padding length exceeds the stub length. * Don't bother dissecting the stub, trim the padding * length to what's in the stub data, and show the * entire stub as authentication padding. */ stub_tvb = NULL; auth_pad_len = reported_length; auth_pad_offset = 0; length = 0; } } else { /* * No authentication padding. */ stub_tvb = tvb; auth_pad_len = 0; auth_pad_offset = 0; } if (sub_item) { proto_item_set_len(sub_item, length); } if (stub_tvb != NULL) { /* * Catch all exceptions other than BoundsError, so that even * if the stub data is bad, we still show the authentication * padding, if any. * * If we get BoundsError, it means the frame was cut short * by a snapshot length, so there's nothing more to * dissect; just re-throw that exception. */ TRY { proto_tree *stub_tree = NULL; int remaining; int trailer_start_offset = -1; int trailer_end_offset = -1; stub_tree = proto_tree_add_subtree_format(dissector_data->dcerpc_tree, stub_tvb, 0, length, ett_dcerpc_complete_stub_data, NULL, "Complete stub data (%d byte%s)", length, plurality(length, "", "s")); trailer_end_offset = dissect_verification_trailer(pinfo, stub_tvb, 0, stub_tree, &trailer_start_offset); if (trailer_end_offset != -1) { remaining = tvb_captured_length_remaining(stub_tvb, trailer_start_offset); length -= remaining; if (sub_item) { proto_item_set_len(sub_item, length); } } else { proto_item *payload_item; payload_item = proto_tree_add_item(stub_tree, hf_dcerpc_payload_stub_data, stub_tvb, 0, length, ENC_NA); proto_item_append_text(payload_item, " (%d byte%s)", length, plurality(length, "", "s")); } payload_tvb = tvb_new_subset_length_caplen(stub_tvb, 0, length, length); offset = sub_dissect(payload_tvb, 0, pinfo, sub_tree, dissector_data->info, dissector_data->drep); /* If we have a subdissector and it didn't dissect all data in the tvb, make a note of it. */ remaining = tvb_reported_length_remaining(stub_tvb, offset); if (trailer_end_offset != -1) { if (offset > trailer_start_offset) { remaining = offset - trailer_start_offset; proto_tree_add_item(sub_tree, hf_dcerpc_stub_data_with_sec_vt, stub_tvb, trailer_start_offset, remaining, ENC_NA); col_append_fstr(pinfo->cinfo, COL_INFO, "[Payload with Verification Trailer (%d byte%s)]", remaining, plurality(remaining, "", "s")); remaining = 0; } else { remaining = trailer_start_offset - offset; } } if (remaining > 0) { proto_tree_add_expert(sub_tree, pinfo, &ei_dcerpc_long_frame, stub_tvb, offset, remaining); col_append_fstr(pinfo->cinfo, COL_INFO, "[Long frame (%d byte%s)]", remaining, plurality(remaining, "", "s")); } } CATCH_NONFATAL_ERRORS { /* * Somebody threw an exception that means that there * was a problem dissecting the payload; that means * that a dissector was found, so we don't need to * dissect the payload as data or update the protocol * or info columns. * * Just show the exception and then drive on to show * the authentication padding. */ show_exception(stub_tvb, pinfo, tree, EXCEPT_CODE, GET_MESSAGE); } ENDTRY; } /* If there is auth padding at the end of the stub, display it */ if (auth_pad_len != 0) { proto_tree_add_item(sub_tree, hf_dcerpc_auth_padding, tvb, auth_pad_offset, auth_pad_len, ENC_NA); } pinfo->current_proto = saved_proto; return tvb_captured_length(tvb); } void dcerpc_init_uuid(int proto, int ett, e_guid_t *uuid, guint16 ver, dcerpc_sub_dissector *procs, int opnum_hf) { guid_key *key = (guid_key *)g_malloc(sizeof (*key)); dcerpc_uuid_value *value = (dcerpc_uuid_value *)g_malloc(sizeof (*value)); header_field_info *hf_info; module_t *samr_module; const char *filter_name = proto_get_protocol_filter_name(proto); dissector_handle_t guid_handle; key->guid = *uuid; key->ver = ver; value->proto = find_protocol_by_id(proto); value->proto_id = proto; value->ett = ett; value->name = proto_get_protocol_short_name(value->proto); value->procs = procs; value->opnum_hf = opnum_hf; g_hash_table_insert(dcerpc_uuids, key, value); hf_info = proto_registrar_get_nth(opnum_hf); hf_info->strings = value_string_from_subdissectors(procs); /* Register the GUID with the dissector table */ guid_handle = create_dissector_handle( dissect_dcerpc_guid, proto); dissector_add_guid( "dcerpc.uuid", key, guid_handle ); /* add this GUID to the global name resolving */ guids_add_uuid(uuid, proto_get_protocol_short_name(value->proto)); /* Register the samr.nt_password preference as obsolete */ /* This should be in packet-dcerpc-samr.c */ if (strcmp(filter_name, "samr") == 0) { samr_module = prefs_register_protocol_obsolete(proto); prefs_register_obsolete_preference(samr_module, "nt_password"); } } /* Function to find the name of a registered protocol * or NULL if the protocol/version is not known to wireshark. */ const char * dcerpc_get_proto_name(e_guid_t *uuid, guint16 ver) { dissector_handle_t handle; guid_key key; key.guid = *uuid; key.ver = ver; handle = dissector_get_guid_handle(uuid_dissector_table, &key); if (handle == NULL) { return NULL; } return dissector_handle_get_protocol_short_name(handle); } /* Function to find the opnum hf-field of a registered protocol * or -1 if the protocol/version is not known to wireshark. */ int dcerpc_get_proto_hf_opnum(e_guid_t *uuid, guint16 ver) { guid_key key; dcerpc_uuid_value *sub_proto; key.guid = *uuid; key.ver = ver; if (!(sub_proto = (dcerpc_uuid_value *)g_hash_table_lookup(dcerpc_uuids, &key))) { return -1; } return sub_proto->opnum_hf; } /* Create a value_string consisting of DCERPC opnum and name from a subdissector array. */ value_string *value_string_from_subdissectors(dcerpc_sub_dissector *sd) { value_string *vs = NULL; int i; int num_sd = 0; again: for (i = 0; sd[i].name; i++) { if (vs) { vs[i].value = sd[i].num; vs[i].strptr = sd[i].name; } else num_sd++; } if (!vs) { vs = (value_string *)wmem_alloc(wmem_epan_scope(), (num_sd + 1) * sizeof(value_string)); goto again; } vs[num_sd].value = 0; vs[num_sd].strptr = NULL; return vs; } /* Function to find the subdissector table of a registered protocol * or NULL if the protocol/version is not known to wireshark. */ dcerpc_sub_dissector * dcerpc_get_proto_sub_dissector(e_guid_t *uuid, guint16 ver) { guid_key key; dcerpc_uuid_value *sub_proto; key.guid = *uuid; key.ver = ver; if (!(sub_proto = (dcerpc_uuid_value *)g_hash_table_lookup(dcerpc_uuids, &key))) { return NULL; } return sub_proto->procs; } static gint dcerpc_bind_equal(gconstpointer k1, gconstpointer k2) { const dcerpc_bind_key *key1 = (const dcerpc_bind_key *)k1; const dcerpc_bind_key *key2 = (const dcerpc_bind_key *)k2; return ((key1->conv == key2->conv) && (key1->ctx_id == key2->ctx_id) && (key1->transport_salt == key2->transport_salt)); } static guint dcerpc_bind_hash(gconstpointer k) { const dcerpc_bind_key *key = (const dcerpc_bind_key *)k; guint hash; hash = GPOINTER_TO_UINT(key->conv); hash += key->ctx_id; /* sizeof(guint) might be smaller than sizeof(guint64) */ hash += (guint)key->transport_salt; hash += (guint)(key->transport_salt << sizeof(guint)); return hash; } static gint dcerpc_auth_context_equal(gconstpointer k1, gconstpointer k2) { const dcerpc_auth_context *key1 = (const dcerpc_auth_context *)k1; const dcerpc_auth_context *key2 = (const dcerpc_auth_context *)k2; return ((key1->conv == key2->conv) && (key1->auth_context_id == key2->auth_context_id) && (key1->transport_salt == key2->transport_salt)); } static guint dcerpc_auth_context_hash(gconstpointer k) { const dcerpc_auth_context *key = (const dcerpc_auth_context *)k; guint hash; hash = GPOINTER_TO_UINT(key->conv); hash += key->auth_context_id; /* sizeof(guint) might be smaller than sizeof(guint64) */ hash += (guint)key->transport_salt; hash += (guint)(key->transport_salt << sizeof(guint)); return hash; } /* * To keep track of callid mappings. Should really use some generic * conversation support instead. */ static wmem_map_t *dcerpc_cn_calls = NULL; static wmem_map_t *dcerpc_dg_calls = NULL; typedef struct _dcerpc_cn_call_key { conversation_t *conv; guint32 call_id; guint64 transport_salt; } dcerpc_cn_call_key; typedef struct _dcerpc_dg_call_key { conversation_t *conv; guint32 seqnum; e_guid_t act_id ; } dcerpc_dg_call_key; static gint dcerpc_cn_call_equal(gconstpointer k1, gconstpointer k2) { const dcerpc_cn_call_key *key1 = (const dcerpc_cn_call_key *)k1; const dcerpc_cn_call_key *key2 = (const dcerpc_cn_call_key *)k2; return ((key1->conv == key2->conv) && (key1->call_id == key2->call_id) && (key1->transport_salt == key2->transport_salt)); } static gint dcerpc_dg_call_equal(gconstpointer k1, gconstpointer k2) { const dcerpc_dg_call_key *key1 = (const dcerpc_dg_call_key *)k1; const dcerpc_dg_call_key *key2 = (const dcerpc_dg_call_key *)k2; return ((key1->conv == key2->conv) && (key1->seqnum == key2->seqnum) && ((memcmp(&key1->act_id, &key2->act_id, sizeof (e_guid_t)) == 0))); } static guint dcerpc_cn_call_hash(gconstpointer k) { const dcerpc_cn_call_key *key = (const dcerpc_cn_call_key *)k; guint hash; hash = GPOINTER_TO_UINT(key->conv); hash += key->call_id; /* sizeof(guint) might be smaller than sizeof(guint64) */ hash += (guint)key->transport_salt; hash += (guint)(key->transport_salt << sizeof(guint)); return hash; } static guint dcerpc_dg_call_hash(gconstpointer k) { const dcerpc_dg_call_key *key = (const dcerpc_dg_call_key *)k; return (GPOINTER_TO_UINT(key->conv) + key->seqnum + key->act_id.data1 + (key->act_id.data2 << 16) + key->act_id.data3 + (key->act_id.data4[0] << 24) + (key->act_id.data4[1] << 16) + (key->act_id.data4[2] << 8) + (key->act_id.data4[3] << 0) + (key->act_id.data4[4] << 24) + (key->act_id.data4[5] << 16) + (key->act_id.data4[6] << 8) + (key->act_id.data4[7] << 0)); } /* to keep track of matched calls/responses this one uses the same value struct as calls, but the key is the frame id and call id; there can be more than one call in a frame. XXX - why not just use the same keys as are used for calls? */ static wmem_map_t *dcerpc_matched = NULL; typedef struct _dcerpc_matched_key { guint32 frame; guint32 call_id; } dcerpc_matched_key; static gint dcerpc_matched_equal(gconstpointer k1, gconstpointer k2) { const dcerpc_matched_key *key1 = (const dcerpc_matched_key *)k1; const dcerpc_matched_key *key2 = (const dcerpc_matched_key *)k2; return ((key1->frame == key2->frame) && (key1->call_id == key2->call_id)); } static guint dcerpc_matched_hash(gconstpointer k) { const dcerpc_matched_key *key = (const dcerpc_matched_key *)k; return key->frame; } static gboolean uuid_equal(e_guid_t *uuid1, e_guid_t *uuid2) { if( (uuid1->data1 != uuid2->data1) ||(uuid1->data2 != uuid2->data2) ||(uuid1->data3 != uuid2->data3) ||(uuid1->data4[0] != uuid2->data4[0]) ||(uuid1->data4[1] != uuid2->data4[1]) ||(uuid1->data4[2] != uuid2->data4[2]) ||(uuid1->data4[3] != uuid2->data4[3]) ||(uuid1->data4[4] != uuid2->data4[4]) ||(uuid1->data4[5] != uuid2->data4[5]) ||(uuid1->data4[6] != uuid2->data4[6]) ||(uuid1->data4[7] != uuid2->data4[7]) ){ return FALSE; } return TRUE; } static void dcerpcstat_init(struct register_srt* srt, GArray* srt_array) { dcerpcstat_tap_data_t* tap_data = (dcerpcstat_tap_data_t*)get_srt_table_param_data(srt); srt_stat_table *dcerpc_srt_table; int i, hf_opnum; dcerpc_sub_dissector *procs; DISSECTOR_ASSERT(tap_data); hf_opnum = dcerpc_get_proto_hf_opnum(&tap_data->uuid, tap_data->ver); procs = dcerpc_get_proto_sub_dissector(&tap_data->uuid, tap_data->ver); if(hf_opnum != -1){ dcerpc_srt_table = init_srt_table(tap_data->prog, NULL, srt_array, tap_data->num_procedures, NULL, proto_registrar_get_nth(hf_opnum)->abbrev, tap_data); } else { dcerpc_srt_table = init_srt_table(tap_data->prog, NULL, srt_array, tap_data->num_procedures, NULL, NULL, tap_data); } for(i=0;inum_procedures;i++){ int j; const char *proc_name; proc_name = "unknown"; for(j=0;procs[j].name;j++) { if (procs[j].num == i) { proc_name = procs[j].name; } } init_srt_table_row(dcerpc_srt_table, i, proc_name); } } static tap_packet_status dcerpcstat_packet(void *pss, packet_info *pinfo, epan_dissect_t *edt _U_, const void *prv, tap_flags_t flags _U_) { guint i = 0; srt_stat_table *dcerpc_srt_table; srt_data_t *data = (srt_data_t *)pss; const dcerpc_info *ri = (const dcerpc_info *)prv; dcerpcstat_tap_data_t* tap_data; dcerpc_srt_table = g_array_index(data->srt_array, srt_stat_table*, i); tap_data = (dcerpcstat_tap_data_t*)dcerpc_srt_table->table_specific_data; if(!ri->call_data){ return TAP_PACKET_DONT_REDRAW; } if(!ri->call_data->req_frame){ /* we have not seen the request so we don't know the delta*/ return TAP_PACKET_DONT_REDRAW; } if(ri->call_data->opnum >= tap_data->num_procedures){ /* don't handle this since it's outside of known table */ return TAP_PACKET_DONT_REDRAW; } /* we are only interested in reply packets */ if(ri->ptype != PDU_RESP){ return TAP_PACKET_DONT_REDRAW; } /* we are only interested in certain program/versions */ if( (!uuid_equal( (&ri->call_data->uuid), (&tap_data->uuid))) ||(ri->call_data->ver != tap_data->ver)){ return TAP_PACKET_DONT_REDRAW; } add_srt_table_data(dcerpc_srt_table, ri->call_data->opnum, &ri->call_data->req_time, pinfo); return TAP_PACKET_REDRAW; } static guint dcerpcstat_param(register_srt_t* srt, const char* opt_arg, char** err) { int pos = 0; guint32 i, max_procs; dcerpcstat_tap_data_t* tap_data; guint d1,d2,d3,d40,d41,d42,d43,d44,d45,d46,d47; int major, minor; guint16 ver; dcerpc_sub_dissector *procs; if (sscanf(opt_arg, ",%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x,%d.%d%n", &d1,&d2,&d3,&d40,&d41,&d42,&d43,&d44,&d45,&d46,&d47,&major,&minor,&pos) == 13) { if ((major < 0) || (major > 65535)) { *err = ws_strdup_printf("dcerpcstat_init() Major version number %d is invalid - must be positive and <= 65535", major); return pos; } if ((minor < 0) || (minor > 65535)) { *err = ws_strdup_printf("dcerpcstat_init() Minor version number %d is invalid - must be positive and <= 65535", minor); return pos; } ver = major; tap_data = g_new0(dcerpcstat_tap_data_t, 1); tap_data->uuid.data1 = d1; tap_data->uuid.data2 = d2; tap_data->uuid.data3 = d3; tap_data->uuid.data4[0] = d40; tap_data->uuid.data4[1] = d41; tap_data->uuid.data4[2] = d42; tap_data->uuid.data4[3] = d43; tap_data->uuid.data4[4] = d44; tap_data->uuid.data4[5] = d45; tap_data->uuid.data4[6] = d46; tap_data->uuid.data4[7] = d47; procs = dcerpc_get_proto_sub_dissector(&tap_data->uuid, ver); tap_data->prog = dcerpc_get_proto_name(&tap_data->uuid, ver); tap_data->ver = ver; for(i=0,max_procs=0;procs[i].name;i++) { if(procs[i].num>max_procs) { max_procs = procs[i].num; } } tap_data->num_procedures = max_procs+1; set_srt_table_param_data(srt, tap_data); } else { *err = ws_strdup_printf(",.[,]"); } return pos; } /* * Utility functions. Modeled after packet-rpc.c */ int dissect_dcerpc_char(tvbuff_t *tvb, gint offset, packet_info *pinfo _U_, proto_tree *tree, guint8 *drep, int hfindex, guint8 *pdata) { guint8 data; /* * XXX - fix to handle EBCDIC if we ever support EBCDIC FT_CHAR. */ data = tvb_get_guint8(tvb, offset); if (hfindex != -1) { proto_tree_add_item(tree, hfindex, tvb, offset, 1, ENC_ASCII|DREP_ENC_INTEGER(drep)); } if (pdata) *pdata = data; tvb_ensure_bytes_exist(tvb, offset, 1); return offset + 1; } int dissect_dcerpc_uint8(tvbuff_t *tvb, gint offset, packet_info *pinfo _U_, proto_tree *tree, guint8 *drep, int hfindex, guint8 *pdata) { guint8 data; data = tvb_get_guint8(tvb, offset); if (hfindex != -1) { proto_tree_add_item(tree, hfindex, tvb, offset, 1, DREP_ENC_INTEGER(drep)); } if (pdata) *pdata = data; tvb_ensure_bytes_exist(tvb, offset, 1); return offset + 1; } int dissect_dcerpc_uint16(tvbuff_t *tvb, gint offset, packet_info *pinfo _U_, proto_tree *tree, guint8 *drep, int hfindex, guint16 *pdata) { guint16 data; data = ((drep[0] & DREP_LITTLE_ENDIAN) ? tvb_get_letohs(tvb, offset) : tvb_get_ntohs(tvb, offset)); if (hfindex != -1) { proto_tree_add_item(tree, hfindex, tvb, offset, 2, DREP_ENC_INTEGER(drep)); } if (pdata) *pdata = data; tvb_ensure_bytes_exist(tvb, offset, 2); return offset + 2; } int dissect_dcerpc_uint32(tvbuff_t *tvb, gint offset, packet_info *pinfo _U_, proto_tree *tree, guint8 *drep, int hfindex, guint32 *pdata) { guint32 data; data = ((drep[0] & DREP_LITTLE_ENDIAN) ? tvb_get_letohl(tvb, offset) : tvb_get_ntohl(tvb, offset)); if (hfindex != -1) { proto_tree_add_item(tree, hfindex, tvb, offset, 4, DREP_ENC_INTEGER(drep)); } if (pdata) *pdata = data; tvb_ensure_bytes_exist(tvb, offset, 4); return offset+4; } /* handles 32 bit unix time_t */ int dissect_dcerpc_time_t(tvbuff_t *tvb, gint offset, packet_info *pinfo _U_, proto_tree *tree, guint8 *drep, int hfindex, guint32 *pdata) { guint32 data; nstime_t tv; data = ((drep[0] & DREP_LITTLE_ENDIAN) ? tvb_get_letohl(tvb, offset) : tvb_get_ntohl(tvb, offset)); tv.secs = data; tv.nsecs = 0; if (hfindex != -1) { if (data == 0xffffffff) { /* special case, no time specified */ proto_tree_add_time_format_value(tree, hfindex, tvb, offset, 4, &tv, "No time specified"); } else { proto_tree_add_time(tree, hfindex, tvb, offset, 4, &tv); } } if (pdata) *pdata = data; tvb_ensure_bytes_exist(tvb, offset, 4); return offset+4; } int dissect_dcerpc_uint64(tvbuff_t *tvb, gint offset, packet_info *pinfo _U_, proto_tree *tree, dcerpc_info *di, guint8 *drep, int hfindex, guint64 *pdata) { guint64 data; data = ((drep[0] & DREP_LITTLE_ENDIAN) ? tvb_get_letoh64(tvb, offset) : tvb_get_ntoh64(tvb, offset)); if (hfindex != -1) { header_field_info *hfinfo; /* This might be a field that is either 32bit, in NDR or 64 bits in NDR64. So we must be careful and call the right helper here */ hfinfo = proto_registrar_get_nth(hfindex); switch (hfinfo->type) { case FT_UINT64: proto_tree_add_uint64(tree, hfindex, tvb, offset, 8, data); break; case FT_INT64: proto_tree_add_int64(tree, hfindex, tvb, offset, 8, data); break; default: /* The value is truncated to 32bits. 64bit values have only been seen on fuzz-tested files */ DISSECTOR_ASSERT((di->call_data->flags & DCERPC_IS_NDR64) || (data <= G_MAXUINT32)); proto_tree_add_uint(tree, hfindex, tvb, offset, 8, (guint32)data); } } if (pdata) *pdata = data; tvb_ensure_bytes_exist(tvb, offset, 8); return offset+8; } int dissect_dcerpc_float(tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree, guint8 *drep, int hfindex, gfloat *pdata) { gfloat data; switch (drep[1]) { case(DCE_RPC_DREP_FP_IEEE): data = ((drep[0] & DREP_LITTLE_ENDIAN) ? tvb_get_letohieee_float(tvb, offset) : tvb_get_ntohieee_float(tvb, offset)); if (tree && hfindex != -1) { proto_tree_add_float(tree, hfindex, tvb, offset, 4, data); } break; case(DCE_RPC_DREP_FP_VAX): /* (fall trough) */ case(DCE_RPC_DREP_FP_CRAY): /* (fall trough) */ case(DCE_RPC_DREP_FP_IBM): /* (fall trough) */ default: /* ToBeDone: non IEEE floating formats */ /* Set data to a negative infinity value */ data = -G_MAXFLOAT; proto_tree_add_expert_format(tree, pinfo, &ei_dcerpc_not_implemented, tvb, offset, 4, "DCE RPC: dissection of non IEEE floating formats currently not implemented (drep=%u)!", drep[1]); } if (pdata) *pdata = data; tvb_ensure_bytes_exist(tvb, offset, 4); return offset + 4; } int dissect_dcerpc_double(tvbuff_t *tvb, gint offset, packet_info *pinfo _U_, proto_tree *tree, guint8 *drep, int hfindex, gdouble *pdata) { gdouble data; switch (drep[1]) { case(DCE_RPC_DREP_FP_IEEE): data = ((drep[0] & DREP_LITTLE_ENDIAN) ? tvb_get_letohieee_double(tvb, offset) : tvb_get_ntohieee_double(tvb, offset)); if (tree && hfindex != -1) { proto_tree_add_double(tree, hfindex, tvb, offset, 8, data); } break; case(DCE_RPC_DREP_FP_VAX): /* (fall trough) */ case(DCE_RPC_DREP_FP_CRAY): /* (fall trough) */ case(DCE_RPC_DREP_FP_IBM): /* (fall trough) */ default: /* ToBeDone: non IEEE double formats */ /* Set data to a negative infinity value */ data = -G_MAXDOUBLE; proto_tree_add_expert_format(tree, pinfo, &ei_dcerpc_not_implemented, tvb, offset, 8, "DCE RPC: dissection of non IEEE double formats currently not implemented (drep=%u)!", drep[1]); } if (pdata) *pdata = data; tvb_ensure_bytes_exist(tvb, offset, 8); return offset + 8; } int dissect_dcerpc_uuid_t(tvbuff_t *tvb, gint offset, packet_info *pinfo _U_, proto_tree *tree, guint8 *drep, int hfindex, e_guid_t *pdata) { e_guid_t uuid; if (drep[0] & DREP_LITTLE_ENDIAN) { tvb_get_letohguid(tvb, offset, (e_guid_t *) &uuid); } else { tvb_get_ntohguid(tvb, offset, (e_guid_t *) &uuid); } if (tree && hfindex != -1) { proto_tree_add_guid(tree, hfindex, tvb, offset, 16, (e_guid_t *) &uuid); } if (pdata) { *pdata = uuid; } return offset + 16; } /* * a couple simpler things */ guint16 dcerpc_tvb_get_ntohs(tvbuff_t *tvb, gint offset, guint8 *drep) { if (drep[0] & DREP_LITTLE_ENDIAN) { return tvb_get_letohs(tvb, offset); } else { return tvb_get_ntohs(tvb, offset); } } guint32 dcerpc_tvb_get_ntohl(tvbuff_t *tvb, gint offset, guint8 *drep) { if (drep[0] & DREP_LITTLE_ENDIAN) { return tvb_get_letohl(tvb, offset); } else { return tvb_get_ntohl(tvb, offset); } } void dcerpc_tvb_get_uuid(tvbuff_t *tvb, gint offset, guint8 *drep, e_guid_t *uuid) { if (drep[0] & DREP_LITTLE_ENDIAN) { tvb_get_letohguid(tvb, offset, (e_guid_t *) uuid); } else { tvb_get_ntohguid(tvb, offset, (e_guid_t *) uuid); } } /* NDR arrays */ /* function to dissect a unidimensional conformant array */ static int dissect_ndr_ucarray_core(tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep, dcerpc_dissect_fnct_t *fnct_bytes, dcerpc_dissect_fnct_blk_t *fnct_block) { guint32 i; int old_offset; int conformance_size = 4; /* ensure that just one pointer is set in the call */ DISSECTOR_ASSERT((fnct_bytes && !fnct_block) || (!fnct_bytes && fnct_block)); if (di->call_data->flags & DCERPC_IS_NDR64) { conformance_size = 8; } if (di->conformant_run) { guint64 val; /* conformant run, just dissect the max_count header */ old_offset = offset; di->conformant_run = 0; offset = dissect_ndr_uint3264(tvb, offset, pinfo, tree, di, drep, hf_dcerpc_array_max_count, &val); di->array_max_count = (gint32)val; di->array_max_count_offset = offset-conformance_size; di->conformant_run = 1; di->conformant_eaten = offset-old_offset; } else { /* we don't remember where in the bytestream this field was */ proto_tree_add_uint(tree, hf_dcerpc_array_max_count, tvb, di->array_max_count_offset, conformance_size, di->array_max_count); /* real run, dissect the elements */ if (fnct_block) { offset = (*fnct_block)(tvb, offset, di->array_max_count, pinfo, tree, di, drep); } else { for (i=0 ;iarray_max_count; i++) { offset = (*fnct_bytes)(tvb, offset, pinfo, tree, di, drep); } } } return offset; } int dissect_ndr_ucarray_block(tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep, dcerpc_dissect_fnct_blk_t *fnct) { return dissect_ndr_ucarray_core(tvb, offset, pinfo, tree, di, drep, NULL, fnct); } int dissect_ndr_ucarray(tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep, dcerpc_dissect_fnct_t *fnct) { return dissect_ndr_ucarray_core(tvb, offset, pinfo, tree, di, drep, fnct, NULL); } /* function to dissect a unidimensional conformant and varying array * depending on the dissection function passed as a parameter, * content of the array will be dissected as a block or byte by byte */ static int dissect_ndr_ucvarray_core(tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep, dcerpc_dissect_fnct_t *fnct_bytes, dcerpc_dissect_fnct_blk_t *fnct_block) { guint32 i; int old_offset; int conformance_size = 4; if (di->call_data->flags & DCERPC_IS_NDR64) { conformance_size = 8; } if (di->conformant_run) { guint64 val; /* conformant run, just dissect the max_count header */ old_offset = offset; di->conformant_run = 0; offset = dissect_ndr_uint3264(tvb, offset, pinfo, tree, di, drep, hf_dcerpc_array_max_count, &val); DISSECTOR_ASSERT(val <= G_MAXUINT32); di->array_max_count = (guint32)val; di->array_max_count_offset = offset-conformance_size; offset = dissect_ndr_uint3264(tvb, offset, pinfo, tree, di, drep, hf_dcerpc_array_offset, &val); DISSECTOR_ASSERT(val <= G_MAXUINT32); di->array_offset = (guint32)val; di->array_offset_offset = offset-conformance_size; offset = dissect_ndr_uint3264(tvb, offset, pinfo, tree, di, drep, hf_dcerpc_array_actual_count, &val); DISSECTOR_ASSERT(val <= G_MAXUINT32); di->array_actual_count = (guint32)val; di->array_actual_count_offset = offset-conformance_size; di->conformant_run = 1; di->conformant_eaten = offset-old_offset; } else { /* we don't remember where in the bytestream these fields were */ proto_tree_add_uint(tree, hf_dcerpc_array_max_count, tvb, di->array_max_count_offset, conformance_size, di->array_max_count); proto_tree_add_uint(tree, hf_dcerpc_array_offset, tvb, di->array_offset_offset, conformance_size, di->array_offset); proto_tree_add_uint(tree, hf_dcerpc_array_actual_count, tvb, di->array_actual_count_offset, conformance_size, di->array_actual_count); /* real run, dissect the elements */ if (fnct_block) { offset = (*fnct_block)(tvb, offset, di->array_actual_count, pinfo, tree, di, drep); } else if (fnct_bytes) { for (i=0 ;iarray_actual_count; i++) { old_offset = offset; offset = (*fnct_bytes)(tvb, offset, pinfo, tree, di, drep); /* Make sure we're moving forward */ if (old_offset >= offset) break; } } } return offset; } int dissect_ndr_ucvarray_block(tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep, dcerpc_dissect_fnct_blk_t *fnct) { return dissect_ndr_ucvarray_core(tvb, offset, pinfo, tree, di, drep, NULL, fnct); } int dissect_ndr_ucvarray(tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep, dcerpc_dissect_fnct_t *fnct) { return dissect_ndr_ucvarray_core(tvb, offset, pinfo, tree, di, drep, fnct, NULL); } /* function to dissect a unidimensional varying array */ int dissect_ndr_uvarray(tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep, dcerpc_dissect_fnct_t *fnct) { guint32 i; int old_offset; int conformance_size = 4; if (di->call_data->flags & DCERPC_IS_NDR64) { conformance_size = 8; } if (di->conformant_run) { guint64 val; /* conformant run, just dissect the max_count header */ old_offset = offset; di->conformant_run = 0; offset = dissect_ndr_uint3264(tvb, offset, pinfo, tree, di, drep, hf_dcerpc_array_offset, &val); DISSECTOR_ASSERT(val <= G_MAXUINT32); di->array_offset = (guint32)val; di->array_offset_offset = offset-conformance_size; offset = dissect_ndr_uint3264(tvb, offset, pinfo, tree, di, drep, hf_dcerpc_array_actual_count, &val); DISSECTOR_ASSERT(val <= G_MAXUINT32); di->array_actual_count = (guint32)val; di->array_actual_count_offset = offset-conformance_size; di->conformant_run = 1; di->conformant_eaten = offset-old_offset; } else { /* we don't remember where in the bytestream these fields were */ proto_tree_add_uint(tree, hf_dcerpc_array_offset, tvb, di->array_offset_offset, conformance_size, di->array_offset); proto_tree_add_uint(tree, hf_dcerpc_array_actual_count, tvb, di->array_actual_count_offset, conformance_size, di->array_actual_count); /* real run, dissect the elements */ for (i=0; iarray_actual_count; i++) { offset = (*fnct)(tvb, offset, pinfo, tree, di, drep); } } return offset; } /* Dissect an string of bytes. This corresponds to IDL of the form '[string] byte *foo'. It can also be used for a conformant varying array of bytes if the contents of the array should be shown as a big blob, rather than showing each byte as an individual element. XXX - which of those is really the IDL type for, for example, the encrypted data in some MAPI packets? (Microsoft hasn't released that IDL.) XXX - does this need to do all the conformant array stuff that "dissect_ndr_ucvarray()" does? These are presumably for strings that are conformant and varying - they're stored like conformant varying arrays of bytes. */ int dissect_ndr_byte_array(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep) { guint64 len; if (di->conformant_run) { /* just a run to handle conformant arrays, no scalars to dissect */ return offset; } /* NDR array header */ offset = dissect_ndr_uint3264(tvb, offset, pinfo, tree, di, drep, hf_dcerpc_array_max_count, NULL); offset = dissect_ndr_uint3264(tvb, offset, pinfo, tree, di, drep, hf_dcerpc_array_offset, NULL); offset = dissect_ndr_uint3264(tvb, offset, pinfo, tree, di, drep, hf_dcerpc_array_actual_count, &len); DISSECTOR_ASSERT(len <= G_MAXUINT32); if (len) { proto_tree_add_item(tree, di->hf_index, tvb, offset, (guint32)len, ENC_NA); } offset += (guint32)len; return offset; } /* For dissecting arrays that are to be interpreted as strings. */ /* Dissect an NDR conformant varying string of elements. The length of each element is given by the 'size_is' parameter; the elements are assumed to be characters or wide characters. XXX - does this need to do all the conformant array stuff that "dissect_ndr_ucvarray()" does? */ int dissect_ndr_cvstring(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep, int size_is, int hfindex, gboolean add_subtree, char **data) { header_field_info *hfinfo; proto_item *string_item; proto_tree *string_tree; guint64 len; guint32 buffer_len; char *s; /* Make sure this really is a string field. */ hfinfo = proto_registrar_get_nth(hfindex); DISSECTOR_ASSERT_FIELD_TYPE(hfinfo, FT_STRING); if (di->conformant_run) { /* just a run to handle conformant arrays, no scalars to dissect */ return offset; } if (add_subtree) { string_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_dcerpc_string, &string_item, proto_registrar_get_name(hfindex)); } else { string_item = NULL; string_tree = tree; } /* NDR array header */ offset = dissect_ndr_uint3264(tvb, offset, pinfo, string_tree, di, drep, hf_dcerpc_array_max_count, NULL); offset = dissect_ndr_uint3264(tvb, offset, pinfo, string_tree, di, drep, hf_dcerpc_array_offset, NULL); offset = dissect_ndr_uint3264(tvb, offset, pinfo, string_tree, di, drep, hf_dcerpc_array_actual_count, &len); /* The value is truncated to 32bits. 64bit values have only been seen on fuzztested files */ buffer_len = size_is * (guint32)len; /* Adjust offset */ if (!di->no_align && (offset % size_is)) offset += size_is - (offset % size_is); /* * "tvb_get_string_enc()" throws an exception if the entire string * isn't in the tvbuff. If the length is bogus, this should * keep us from trying to allocate an immensely large buffer. * (It won't help if the length is *valid* but immensely large, * but that's another matter; in any case, that would happen only * if we had an immensely large tvbuff....) * * XXX - so why are we doing tvb_ensure_bytes_exist()? */ tvb_ensure_bytes_exist(tvb, offset, buffer_len); if (size_is == sizeof(guint16)) { s = tvb_get_string_enc(pinfo->pool, tvb, offset, buffer_len, ENC_UTF_16|DREP_ENC_INTEGER(drep)); } else { /* * XXX - what if size_is is neither 1 nor 2? */ s = tvb_get_string_enc(pinfo->pool, tvb, offset, buffer_len, DREP_ENC_CHAR(drep)); } if (tree && buffer_len) proto_tree_add_string(string_tree, hfindex, tvb, offset, buffer_len, s); if (string_item != NULL) proto_item_append_text(string_item, ": %s", s); if (data) *data = s; offset += buffer_len; proto_item_set_end(string_item, tvb, offset); return offset; } int dissect_ndr_cstring(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep, int size_is, int hfindex, gboolean add_subtree, char **data) { return dissect_ndr_cvstring(tvb, offset, pinfo, tree, di, drep, size_is, hfindex, add_subtree, data); } /* Dissect an conformant varying string of chars. This corresponds to IDL of the form '[string] char *foo'. XXX - at least according to the DCE RPC 1.1 spec, a string has a null terminator, which isn't necessary as a terminator for the transfer language (as there's a length), but is presumably there for the benefit of null-terminated-string languages such as C. Is this ever used for purely counted strings? (Not that it matters if it is.) */ int dissect_ndr_char_cvstring(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep) { return dissect_ndr_cvstring(tvb, offset, pinfo, tree, di, drep, sizeof(guint8), di->hf_index, FALSE, NULL); } /* Dissect a conformant varying string of wchars (wide characters). This corresponds to IDL of the form '[string] wchar *foo' XXX - at least according to the DCE RPC 1.1 spec, a string has a null terminator, which isn't necessary as a terminator for the transfer language (as there's a length), but is presumably there for the benefit of null-terminated-string languages such as C. Is this ever used for purely counted strings? (Not that it matters if it is.) */ int dissect_ndr_wchar_cvstring(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep) { return dissect_ndr_cvstring(tvb, offset, pinfo, tree, di, drep, sizeof(guint16), di->hf_index, FALSE, NULL); } /* This function is aimed for PIDL usage and dissects a UNIQUE pointer to * unicode string. */ int PIDL_dissect_cvstring(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep, int chsize, int hfindex, guint32 param) { char *s = NULL; gint levels = CB_STR_ITEM_LEVELS(param); offset = dissect_ndr_cvstring(tvb, offset, pinfo, tree, di, drep, chsize, hfindex, FALSE, &s); if (!di->conformant_run) { /* Append string to COL_INFO */ if (param & PIDL_SET_COL_INFO) { col_append_fstr(pinfo->cinfo, COL_INFO, ", %s", s); } /* Save string to dcv->private_data */ if ((param & PIDL_STR_SAVE) && (!pinfo->fd->visited)) { dcerpc_call_value *dcv = (dcerpc_call_value *)di->call_data; dcv->private_data = wmem_strdup(wmem_file_scope(), s); } /* Append string to upper-level proto_items */ if ((levels > 0) && tree && s && s[0]) { proto_item_append_text(tree, ": %s", s); tree = tree->parent; levels--; if (levels > 0) { proto_item_append_text(tree, ": %s", s); tree = tree->parent; levels--; while (levels > 0) { proto_item_append_text(tree, " %s", s); tree = tree->parent; levels--; } } } } return offset; } /* Dissect an NDR varying string of elements. The length of each element is given by the 'size_is' parameter; the elements are assumed to be characters or wide characters. */ int dissect_ndr_vstring(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep, int size_is, int hfindex, gboolean add_subtree, char **data) { header_field_info *hfinfo; proto_item *string_item; proto_tree *string_tree; guint64 len; guint32 buffer_len; char *s; /* Make sure this really is a string field. */ hfinfo = proto_registrar_get_nth(hfindex); DISSECTOR_ASSERT_FIELD_TYPE(hfinfo, FT_STRING); if (di->conformant_run) { /* just a run to handle conformant arrays, no scalars to dissect */ return offset; } if (add_subtree) { string_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_dcerpc_string, &string_item, proto_registrar_get_name(hfindex)); } else { string_item = NULL; string_tree = tree; } /* NDR array header */ offset = dissect_ndr_uint3264(tvb, offset, pinfo, string_tree, di, drep, hf_dcerpc_array_offset, NULL); offset = dissect_ndr_uint3264(tvb, offset, pinfo, string_tree, di, drep, hf_dcerpc_array_actual_count, &len); DISSECTOR_ASSERT(len <= G_MAXUINT32); buffer_len = size_is * (guint32)len; /* Adjust offset */ if (!di->no_align && (offset % size_is)) offset += size_is - (offset % size_is); /* * "tvb_get_string_enc()" throws an exception if the entire string * isn't in the tvbuff. If the length is bogus, this should * keep us from trying to allocate an immensely large buffer. * (It won't help if the length is *valid* but immensely large, * but that's another matter; in any case, that would happen only * if we had an immensely large tvbuff....) * * XXX - so why are we doing tvb_ensure_bytes_exist()? */ tvb_ensure_bytes_exist(tvb, offset, buffer_len); if (size_is == sizeof(guint16)) { s = tvb_get_string_enc(pinfo->pool, tvb, offset, buffer_len, ENC_UTF_16|DREP_ENC_INTEGER(drep)); } else { /* * XXX - what if size_is is neither 1 nor 2? */ s = tvb_get_string_enc(pinfo->pool, tvb, offset, buffer_len, DREP_ENC_CHAR(drep)); } if (tree && buffer_len) proto_tree_add_string(string_tree, hfindex, tvb, offset, buffer_len, s); if (string_item != NULL) proto_item_append_text(string_item, ": %s", s); if (data) *data = s; offset += buffer_len; proto_item_set_end(string_item, tvb, offset); return offset; } /* Dissect an varying string of chars. This corresponds to IDL of the form '[string] char *foo'. XXX - at least according to the DCE RPC 1.1 spec, a string has a null terminator, which isn't necessary as a terminator for the transfer language (as there's a length), but is presumably there for the benefit of null-terminated-string languages such as C. Is this ever used for purely counted strings? (Not that it matters if it is.) */ int dissect_ndr_char_vstring(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep) { return dissect_ndr_vstring(tvb, offset, pinfo, tree, di, drep, sizeof(guint8), di->hf_index, FALSE, NULL); } /* Dissect a varying string of wchars (wide characters). This corresponds to IDL of the form '[string] wchar *foo' XXX - at least according to the DCE RPC 1.1 spec, a string has a null terminator, which isn't necessary as a terminator for the transfer language (as there's a length), but is presumably there for the benefit of null-terminated-string languages such as C. Is this ever used for purely counted strings? (Not that it matters if it is.) */ int dissect_ndr_wchar_vstring(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep) { return dissect_ndr_vstring(tvb, offset, pinfo, tree, di, drep, sizeof(guint16), di->hf_index, FALSE, NULL); } /* ndr pointer handling */ /* Should we re-read the size of the list ? * Instead of re-calculating the size everytime, use the stored value unless this * flag is set which means: re-read the size of the list */ static gboolean must_check_size = FALSE; /* * List of pointers encountered so far in the current level. Points to an * element of list_ndr_pointer_list. */ static GSList *ndr_pointer_list = NULL; static GHashTable *ndr_pointer_hash = NULL; /* * List of pointer list, in order to avoid huge performance penalty * when dealing with list bigger than 100 elements due to the way we * try to insert in the list. * We instead maintain a stack of pointer list * To make it easier to manage we just use a list to materialize the stack */ static GSList *list_ndr_pointer_list = NULL; /* Boolean controlling whether pointers are top-level or embedded */ static gboolean pointers_are_top_level = TRUE; /* as a kludge, we represent all embedded reference pointers as id == -1 hoping that his will not collide with any non-ref pointers */ typedef struct ndr_pointer_data { guint32 id; proto_item *item; /* proto_item for pointer */ proto_tree *tree; /* subtree of above item */ dcerpc_dissect_fnct_t *fnct; /*if non-NULL, we have not called it yet*/ int hf_index; dcerpc_callback_fnct_t *callback; void *callback_args; } ndr_pointer_data_t; void init_ndr_pointer_list(dcerpc_info *di) { di->conformant_run = 0; while (list_ndr_pointer_list) { GSList *list = (GSList *)g_slist_nth_data(list_ndr_pointer_list, 0); list_ndr_pointer_list = g_slist_remove(list_ndr_pointer_list, list); g_slist_free_full(list, g_free); } g_slist_free_full(list_ndr_pointer_list, g_free); list_ndr_pointer_list = NULL; pointers_are_top_level = TRUE; must_check_size = FALSE; ndr_pointer_list = NULL; if (ndr_pointer_hash) { g_hash_table_destroy(ndr_pointer_hash); } ndr_pointer_hash = g_hash_table_new(g_int_hash, g_int_equal); } int dissect_deferred_pointers(packet_info *pinfo, tvbuff_t *tvb, int offset, dcerpc_info *di, guint8 *drep) { int found_new_pointer; int old_offset; int next_pointer; unsigned original_depth; int len; GSList *current_ndr_pointer_list; /* * pidl has a difficiency of unconditionally emitting calls * dissect_deferred_pointers() to the generated dissectors. */ if (list_ndr_pointer_list == NULL) { return offset; } /* Probably not necessary, it is supposed to prevent more pointers from * being added to the list. */ ndr_pointer_list = NULL; next_pointer = 0; /* Obtain the current list of pointers at this level. */ current_ndr_pointer_list = (GSList *)g_slist_last(list_ndr_pointer_list)->data; original_depth = g_slist_length(list_ndr_pointer_list); len = g_slist_length(current_ndr_pointer_list); do { int i; found_new_pointer = 0; process_list: for (i=next_pointer; ifnct) { GSList *saved_ndr_pointer_list = NULL; dcerpc_dissect_fnct_t *fnct; next_pointer = i+1; found_new_pointer = 1; fnct = tnpd->fnct; tnpd->fnct = NULL; di->hf_index = tnpd->hf_index; /* first a run to handle any conformant array headers */ di->conformant_run = 1; di->conformant_eaten = 0; old_offset = offset; saved_ndr_pointer_list = current_ndr_pointer_list; ndr_pointer_list = NULL; offset = (*(fnct))(tvb, offset, pinfo, NULL, di, drep); DISSECTOR_ASSERT((offset-old_offset) == di->conformant_eaten); /* This is to check for any bugs in the dissectors. * * Basically, the NDR representation will store all * arrays in two blocks, one block with the dimension * description, like size, number of elements and such, * and another block that contains the actual data stored * in the array. * If the array is embedded directly inside another, * encapsulating aggregate type, like a union or struct, * then these two blocks will be stored at different places * in the bytestream, with other data between the blocks. * * For this reason, all pointers to types (both aggregate * and scalar, for simplicity no distinction is made) * will have its dissector called twice. * The dissector will first be called with conformant_run == 1 * in which mode the dissector MUST NOT consume any data from * the tvbuff (i.e. may not dissect anything) except the * initial control block for arrays. * The second time the dissector is called, with * conformant_run == 0, all other data for the type will be * dissected. * * All dissect_ndr_ dissectors are already prepared * for this and knows when it should eat data from the tvb * and when not to, so implementors of dissectors will * normally not need to worry about this or even know about * it. However, if a dissector for an aggregate type calls * a subdissector from outside packet-dcerpc.c, such as * the dissector in packet-smb.c for NT Security Descriptors * as an example, then it is VERY important to encapsulate * this call to an external subdissector with the appropriate * test for conformant_run, i.e. it will need something like * * dcerpc_info *di (received as function parameter) * * if (di->conformant_run) { * return offset; * } * * to make sure it makes the right thing. * This assert will signal when someone has forgotten to * make the dissector aware of this requirement. */ /* now we dissect the actual pointer */ di->conformant_run = 0; old_offset = offset; offset = (*(fnct))(tvb, offset, pinfo, tnpd->tree, di, drep); if (tnpd->callback) tnpd->callback(pinfo, tnpd->tree, tnpd->item, di, tvb, old_offset, offset, tnpd->callback_args); proto_item_set_len(tnpd->item, offset - old_offset); if (ndr_pointer_list) { /* We found some pointers to dissect, descend into it. */ next_pointer = 0; len = g_slist_length(ndr_pointer_list); current_ndr_pointer_list = ndr_pointer_list; ndr_pointer_list = NULL; goto process_list; /* Process the new current_ndr_pointer_list */ } else { current_ndr_pointer_list = saved_ndr_pointer_list; } } /* If we found the end of the list, but add_pointer_to_list extended * it, then be sure to handle those extra elements. */ if (i == (len - 1) && (must_check_size == TRUE)) { len = g_slist_length(ndr_pointer_list); must_check_size = FALSE; } } /* We reached the end of one level, go to the level bellow if possible * reset list a level n */ if ((i >= (len - 1)) && (g_slist_length(list_ndr_pointer_list) > original_depth)) { GSList *list; /* Remove existing list */ g_slist_free_full(current_ndr_pointer_list, g_free); list = (GSList *)g_slist_last(list_ndr_pointer_list)->data; list_ndr_pointer_list = g_slist_remove(list_ndr_pointer_list, list); /* Rewind on the lower level, in theory it's not too great because we * will one more time iterate on pointers already done * In practice it shouldn't be that bad ! */ next_pointer = 0; /* Move to the next list of pointers. */ current_ndr_pointer_list = (GSList *)g_slist_last(list_ndr_pointer_list)->data; len = g_slist_length(current_ndr_pointer_list); found_new_pointer = 1; } } while (found_new_pointer); DISSECTOR_ASSERT(original_depth == g_slist_length(list_ndr_pointer_list)); g_slist_free_full(ndr_pointer_list, g_free); /* Restore the previous list of pointers. */ ndr_pointer_list = (GSList *)g_slist_last(list_ndr_pointer_list)->data; return offset; } static int find_pointer_index(guint32 id) { guint *p = (guint*) g_hash_table_lookup(ndr_pointer_hash, &id); return (p != NULL); } static void add_pointer_to_list(packet_info *pinfo, proto_tree *tree, proto_item *item, dcerpc_info *di, dcerpc_dissect_fnct_t *fnct, guint32 id, int hf_index, dcerpc_callback_fnct_t *callback, void *callback_args) { ndr_pointer_data_t *npd; guint *p_id; /* check if this pointer is valid */ if (id != 0xffffffff) { dcerpc_call_value *value; value = di->call_data; if (di->ptype == PDU_REQ) { if (!(pinfo->fd->visited)) { if (id > value->max_ptr) { value->max_ptr = id; } } } else { /* if we haven't seen the request bail out since we can't know whether this is the first non-NULL instance or not */ if (value->req_frame == 0) { /* XXX THROW EXCEPTION */ } /* We saw this one in the request frame, nothing to dissect later */ if (id <= value->max_ptr) { return; } } } npd = g_new(ndr_pointer_data_t, 1); npd->id = id; npd->tree = tree; npd->item = item; npd->fnct = fnct; npd->hf_index = hf_index; npd->callback = callback; npd->callback_args = callback_args; p_id = wmem_new(wmem_file_scope(), guint); *p_id = id; /* Update the list of pointers for use by dissect_deferred_pointers. If this * is the first pointer, create a list and add it to the stack. */ if (!ndr_pointer_list) { ndr_pointer_list = g_slist_append(NULL, npd); list_ndr_pointer_list = g_slist_append(list_ndr_pointer_list, ndr_pointer_list); } else { ndr_pointer_list = g_slist_append(ndr_pointer_list, npd); } g_hash_table_insert(ndr_pointer_hash, p_id, p_id); must_check_size = TRUE; } /* This function dissects an NDR pointer and stores the callback for later * deferred dissection. * * fnct is the callback function for when we have reached this object in * the bytestream. * * type is what type of pointer. * * this is text is what text we should put in any created tree node. * * hf_index is what hf value we want to pass to the callback function when * it is called, the callback can later pick this one up from di->hf_index. * * callback is executed after the pointer has been dereferenced. * * callback_args is passed as an argument to the callback function * * See packet-dcerpc-samr.c for examples */ int dissect_ndr_pointer_cb(tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep, dcerpc_dissect_fnct_t *fnct, int type, const char *text, int hf_index, dcerpc_callback_fnct_t *callback, void *callback_args) { proto_tree *tr = NULL; gint start_offset = offset; int pointer_size = 4; if (di->conformant_run) { /* this call was only for dissecting the header for any embedded conformant array. we will not parse any pointers in this mode. */ return offset; } if (di->call_data->flags & DCERPC_IS_NDR64) { pointer_size = 8; } /*TOP LEVEL REFERENCE POINTER*/ if ( pointers_are_top_level && (type == NDR_POINTER_REF) ) { proto_item *item; /* we must find out a nice way to do the length here */ tr = proto_tree_add_subtree(tree, tvb, offset, 0, ett_dcerpc_pointer_data, &item, text); add_pointer_to_list(pinfo, tr, item, di, fnct, 0xffffffff, hf_index, callback, callback_args); goto after_ref_id; } /*TOP LEVEL FULL POINTER*/ if ( pointers_are_top_level && (type == NDR_POINTER_PTR) ) { int found; guint64 id; proto_item *item; /* get the referent id */ offset = dissect_ndr_uint3264(tvb, offset, pinfo, NULL, di, drep, -1, &id); /* we got a NULL pointer */ if (id == 0) { proto_tree_add_bytes_format_value(tree, hf_dcerpc_null_pointer, tvb, offset-pointer_size, pointer_size, NULL, "%s", text); goto after_ref_id; } /* see if we have seen this pointer before The value is truncated to 32bits. 64bit values have only been seen on fuzz-tested files */ found = find_pointer_index((guint32)id); /* we have seen this pointer before */ if (found) { proto_tree_add_string(tree, hf_dcerpc_duplicate_ptr, tvb, offset-pointer_size, pointer_size, text); goto after_ref_id; } /* new pointer */ tr = proto_tree_add_subtree(tree, tvb, offset-pointer_size, pointer_size, ett_dcerpc_pointer_data, &item, text); if (di->call_data->flags & DCERPC_IS_NDR64) { proto_tree_add_uint64(tr, hf_dcerpc_referent_id64, tvb, offset-pointer_size, pointer_size, id); } else { proto_tree_add_uint(tr, hf_dcerpc_referent_id32, tvb, offset-pointer_size, pointer_size, (guint32)id); } add_pointer_to_list(pinfo, tr, item, di, fnct, (guint32)id, hf_index, callback, callback_args); goto after_ref_id; } /*TOP LEVEL UNIQUE POINTER*/ if ( pointers_are_top_level && (type == NDR_POINTER_UNIQUE) ) { guint64 id; proto_item *item; /* get the referent id */ offset = dissect_ndr_uint3264(tvb, offset, pinfo, NULL, di, drep, -1, &id); /* we got a NULL pointer */ if (id == 0) { proto_tree_add_bytes_format_value(tree, hf_dcerpc_null_pointer, tvb, offset-pointer_size, pointer_size, NULL, "%s",text); goto after_ref_id; } /* new pointer */ tr = proto_tree_add_subtree(tree, tvb, offset-pointer_size, pointer_size, ett_dcerpc_pointer_data, &item, text); if (di->call_data->flags & DCERPC_IS_NDR64) { proto_tree_add_uint64(tr, hf_dcerpc_referent_id64, tvb, offset-pointer_size, pointer_size, id); } else { proto_tree_add_uint(tr, hf_dcerpc_referent_id32, tvb, offset-pointer_size, pointer_size, (guint32)id); } add_pointer_to_list(pinfo, tr, item, di, fnct, 0xffffffff, hf_index, callback, callback_args); goto after_ref_id; } /*EMBEDDED REFERENCE POINTER*/ if ( (!pointers_are_top_level) && (type == NDR_POINTER_REF) ) { guint64 id; proto_item *item; /* get the referent id */ offset = dissect_ndr_uint3264(tvb, offset, pinfo, NULL, di, drep, -1, &id); /* new pointer */ tr = proto_tree_add_subtree(tree, tvb, offset-pointer_size, pointer_size, ett_dcerpc_pointer_data,&item,text); if (di->call_data->flags & DCERPC_IS_NDR64) { proto_tree_add_uint64(tr, hf_dcerpc_referent_id64, tvb, offset-pointer_size, pointer_size, id); } else { proto_tree_add_uint(tr, hf_dcerpc_referent_id32, tvb, offset-pointer_size, pointer_size, (guint32)id); } add_pointer_to_list(pinfo, tr, item, di, fnct, 0xffffffff, hf_index, callback, callback_args); goto after_ref_id; } /*EMBEDDED UNIQUE POINTER*/ if ( (!pointers_are_top_level) && (type == NDR_POINTER_UNIQUE) ) { guint64 id; proto_item *item; /* get the referent id */ offset = dissect_ndr_uint3264(tvb, offset, pinfo, NULL, di, drep, -1, &id); /* we got a NULL pointer */ if (id == 0) { proto_tree_add_bytes_format_value(tree, hf_dcerpc_null_pointer, tvb, offset-pointer_size, pointer_size, NULL, "%s",text); goto after_ref_id; } /* new pointer */ tr = proto_tree_add_subtree(tree, tvb, offset-pointer_size, pointer_size, ett_dcerpc_pointer_data,&item,text); if (di->call_data->flags & DCERPC_IS_NDR64) { proto_tree_add_uint64(tr, hf_dcerpc_referent_id64, tvb, offset-pointer_size, pointer_size, id); } else { proto_tree_add_uint(tr, hf_dcerpc_referent_id32, tvb, offset-pointer_size, pointer_size, (guint32)id); } add_pointer_to_list(pinfo, tr, item, di, fnct, 0xffffffff, hf_index, callback, callback_args); goto after_ref_id; } /*EMBEDDED FULL POINTER*/ if ( (!pointers_are_top_level) && (type == NDR_POINTER_PTR) ) { int found; guint64 id; proto_item *item; /* get the referent id */ offset = dissect_ndr_uint3264(tvb, offset, pinfo, NULL, di, drep, -1, &id); /* we got a NULL pointer */ if (id == 0) { proto_tree_add_bytes_format_value(tree, hf_dcerpc_null_pointer, tvb, offset-pointer_size, pointer_size, NULL, "%s",text); goto after_ref_id; } /* see if we have seen this pointer before The value is truncated to 32bits. 64bit values have only been seen on fuzztested files */ found = find_pointer_index((guint32)id); /* we have seen this pointer before */ if (found) { proto_tree_add_string(tree, hf_dcerpc_duplicate_ptr, tvb, offset-pointer_size, pointer_size, text); goto after_ref_id; } /* new pointer */ tr = proto_tree_add_subtree(tree, tvb, offset-pointer_size, pointer_size, ett_dcerpc_pointer_data, &item, text); if (di->call_data->flags & DCERPC_IS_NDR64) { proto_tree_add_uint64(tr, hf_dcerpc_referent_id64, tvb, offset-pointer_size, pointer_size, id); } else { proto_tree_add_uint(tr, hf_dcerpc_referent_id32, tvb, offset-pointer_size, pointer_size, (guint32)id); } add_pointer_to_list(pinfo, tr, item, di, fnct, (guint32)id, hf_index, callback, callback_args); goto after_ref_id; } after_ref_id: /* After each top level pointer we have dissected we have to dissect all deferrals before we move on to the next top level argument */ if (pointers_are_top_level == TRUE) { pointers_are_top_level = FALSE; offset = dissect_deferred_pointers(pinfo, tvb, offset, di, drep); pointers_are_top_level = TRUE; } /* Set the length for the new subtree */ if (tr) { proto_item_set_len(tr, offset-start_offset); } return offset; } int dissect_ndr_pointer(tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep, dcerpc_dissect_fnct_t *fnct, int type, const char *text, int hf_index) { return dissect_ndr_pointer_cb( tvb, offset, pinfo, tree, di, drep, fnct, type, text, hf_index, NULL, NULL); } int dissect_ndr_toplevel_pointer(tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep, dcerpc_dissect_fnct_t *fnct, int type, const char *text, int hf_index) { int ret; pointers_are_top_level = TRUE; ret = dissect_ndr_pointer_cb( tvb, offset, pinfo, tree, di, drep, fnct, type, text, hf_index, NULL, NULL); return ret; } int dissect_ndr_embedded_pointer(tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep, dcerpc_dissect_fnct_t *fnct, int type, const char *text, int hf_index) { int ret; pointers_are_top_level = FALSE; ret = dissect_ndr_pointer_cb( tvb, offset, pinfo, tree, di, drep, fnct, type, text, hf_index, NULL, NULL); return ret; } static void dissect_sec_vt_bitmask(proto_tree *tree, tvbuff_t *tvb) { proto_tree_add_bitmask(tree, tvb, 0, hf_dcerpc_sec_vt_bitmask, ett_dcerpc_sec_vt_bitmask, sec_vt_bitmask_fields, ENC_LITTLE_ENDIAN); } static void dissect_sec_vt_pcontext(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb) { int offset = 0; proto_item *ti = NULL; proto_tree *tr = proto_tree_add_subtree(tree, tvb, offset, -1, ett_dcerpc_sec_vt_pcontext, &ti, "pcontext"); e_guid_t uuid; const char *uuid_name; tvb_get_letohguid(tvb, offset, &uuid); uuid_name = guids_get_uuid_name(&uuid, pinfo->pool); if (!uuid_name) { uuid_name = guid_to_str(pinfo->pool, &uuid); } proto_tree_add_guid_format(tr, hf_dcerpc_sec_vt_pcontext_uuid, tvb, offset, 16, &uuid, "Abstract Syntax: %s", uuid_name); offset += 16; proto_tree_add_item(tr, hf_dcerpc_sec_vt_pcontext_ver, tvb, offset, 4, ENC_LITTLE_ENDIAN); offset += 4; tvb_get_letohguid(tvb, offset, &uuid); uuid_name = guids_get_uuid_name(&uuid, pinfo->pool); if (!uuid_name) { uuid_name = guid_to_str(pinfo->pool, &uuid); } proto_tree_add_guid_format(tr, hf_dcerpc_sec_vt_pcontext_uuid, tvb, offset, 16, &uuid, "Transfer Syntax: %s", uuid_name); offset += 16; proto_tree_add_item(tr, hf_dcerpc_sec_vt_pcontext_ver, tvb, offset, 4, ENC_LITTLE_ENDIAN); offset += 4; proto_item_set_len(ti, offset); } static void dissect_sec_vt_header(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb) { int offset = 0; proto_item *ti = NULL; proto_tree *tr = proto_tree_add_subtree(tree, tvb, offset, -1, ett_dcerpc_sec_vt_header, &ti, "header2"); guint8 drep[4]; guint8 ptype = tvb_get_guint8(tvb, offset); proto_tree_add_uint(tr, hf_dcerpc_packet_type, tvb, offset, 1, ptype); offset += 1; proto_tree_add_item(tr, hf_dcerpc_reserved, tvb, offset, 1, ENC_NA); offset += 1; proto_tree_add_item(tr, hf_dcerpc_reserved, tvb, offset, 2, ENC_NA); offset += 2; tvb_memcpy(tvb, drep, offset, 4); proto_tree_add_dcerpc_drep(tr, tvb, offset, drep, 4); offset += 4; offset = dissect_dcerpc_uint32(tvb, offset, pinfo, tr, drep, hf_dcerpc_cn_call_id, NULL); offset = dissect_dcerpc_uint16(tvb, offset, pinfo, tr, drep, hf_dcerpc_cn_ctx_id, NULL); offset = dissect_dcerpc_uint16(tvb, offset, pinfo, tr, drep, hf_dcerpc_opnum, NULL); proto_item_set_len(ti, offset); } static int dissect_verification_trailer_impl(packet_info *pinfo, tvbuff_t *tvb, int stub_offset, proto_tree *parent_tree, int *signature_offset) { int remaining = tvb_captured_length_remaining(tvb, stub_offset); int offset; gint signature_start; gint payload_length; typedef enum { SEC_VT_COMMAND_BITMASK_1 = 0x0001, SEC_VT_COMMAND_PCONTEXT = 0x0002, SEC_VT_COMMAND_HEADER2 = 0x0003, SEC_VT_COMMAND_END = 0x4000, SEC_VT_MUST_PROCESS_COMMAND = 0x8000, SEC_VT_COMMAND_MASK = 0x3fff, } sec_vt_command; proto_item *payload_item; proto_item *item; proto_tree *tree; if (signature_offset != NULL) { *signature_offset = -1; } /* We need at least signature + the header of one command */ if (remaining < (int)(sizeof(TRAILER_SIGNATURE) + 4)) { return -1; } /* We only scan the last 512 bytes for a possible trailer */ if (remaining > 512) { offset = remaining - 512; remaining = 512; } else { offset = 0; } offset += stub_offset; signature_start = tvb_find_tvb(tvb, tvb_trailer_signature, offset); if (signature_start == -1) { return -1; } payload_length = signature_start - stub_offset; payload_item = proto_tree_add_item(parent_tree, hf_dcerpc_payload_stub_data, tvb, stub_offset, payload_length, ENC_NA); proto_item_append_text(payload_item, " (%d byte%s)", payload_length, plurality(payload_length, "", "s")); if (signature_offset != NULL) { *signature_offset = signature_start; } remaining -= (signature_start - offset); offset = signature_start; tree = proto_tree_add_subtree(parent_tree, tvb, offset, -1, ett_dcerpc_verification_trailer, &item, "Verification Trailer"); proto_tree_add_item(tree, hf_dcerpc_sec_vt_signature, tvb, offset, sizeof(TRAILER_SIGNATURE), ENC_NA); offset += (int)sizeof(TRAILER_SIGNATURE); remaining -= (int)sizeof(TRAILER_SIGNATURE); while (remaining >= 4) { sec_vt_command cmd; guint16 len, len_missalign; gboolean cmd_end, cmd_must; proto_item *ti; proto_tree *tr; tvbuff_t *cmd_tvb = NULL; cmd = (sec_vt_command)tvb_get_letohs(tvb, offset); len = tvb_get_letohs(tvb, offset + 2); cmd_end = cmd & SEC_VT_COMMAND_END; cmd_must = cmd & SEC_VT_MUST_PROCESS_COMMAND; cmd = (sec_vt_command)(cmd & SEC_VT_COMMAND_MASK); tr = proto_tree_add_subtree_format(tree, tvb, offset, 4 + len, ett_dcerpc_sec_vt_pcontext, &ti, "Command: %s", val_to_str(cmd, sec_vt_command_cmd_vals, "Unknown (0x%04x)")); if (cmd_must) { proto_item_append_text(ti, "!!!"); } if (cmd_end) { proto_item_append_text(ti, ", END"); } proto_tree_add_bitmask(tr, tvb, offset, hf_dcerpc_sec_vt_command, ett_dcerpc_sec_vt_command, sec_vt_command_fields, ENC_LITTLE_ENDIAN); offset += 2; proto_tree_add_item(tr, hf_dcerpc_sec_vt_command_length, tvb, offset, 2, ENC_LITTLE_ENDIAN); offset += 2; cmd_tvb = tvb_new_subset_length(tvb, offset, len); switch (cmd) { case SEC_VT_COMMAND_BITMASK_1: dissect_sec_vt_bitmask(tr, cmd_tvb); break; case SEC_VT_COMMAND_PCONTEXT: dissect_sec_vt_pcontext(pinfo, tr, cmd_tvb); break; case SEC_VT_COMMAND_HEADER2: dissect_sec_vt_header(pinfo, tr, cmd_tvb); break; default: proto_tree_add_item(tr, hf_dcerpc_unknown, cmd_tvb, 0, len, ENC_NA); break; } offset += len; remaining -= (4 + len); len_missalign = len & 1; if (len_missalign) { int l = 2-len_missalign; proto_tree_add_item(tr, hf_dcerpc_missalign, tvb, offset, l, ENC_NA); offset += l; remaining -= l; } if (cmd_end) { break; } } proto_item_set_end(item, tvb, offset); return offset; } static int dissect_verification_trailer(packet_info *pinfo, tvbuff_t *tvb, int stub_offset, proto_tree *parent_tree, int *signature_offset) { volatile int ret = -1; TRY { /* * Even if we found a signature we can't be sure to have a * valid verification trailer, we're only relatively sure * if we manage to dissect it completely, otherwise it * may be part of the real payload. That's why we have * a try/catch block here. */ ret = dissect_verification_trailer_impl(pinfo, tvb, stub_offset, parent_tree, signature_offset); } CATCH_NONFATAL_ERRORS { } ENDTRY; return ret; } static int dcerpc_try_handoff(packet_info *pinfo, proto_tree *tree, proto_tree *dcerpc_tree, tvbuff_t *volatile tvb, gboolean decrypted, guint8 *drep, dcerpc_info *info, dcerpc_auth_info *auth_info) { volatile gint offset = 0; guid_key key; dcerpc_dissector_data_t dissector_data; proto_item *hidden_item; /* GUID and UUID are same size, but compiler complains about structure "name" differences */ memcpy(&key.guid, &info->call_data->uuid, sizeof(key.guid)); key.ver = info->call_data->ver; dissector_data.sub_proto = (dcerpc_uuid_value *)g_hash_table_lookup(dcerpc_uuids, &key); dissector_data.info = info; dissector_data.decrypted = decrypted; dissector_data.auth_info = auth_info; dissector_data.drep = drep; dissector_data.dcerpc_tree = dcerpc_tree; /* Check the dissector table before the hash table. Hopefully the hash table entries can all be converted to use dissector table */ if ((dissector_data.sub_proto == NULL) || (!dissector_try_guid_new(uuid_dissector_table, &key, tvb, pinfo, tree, FALSE, &dissector_data))) { /* * We don't have a dissector for this UUID, or the protocol * for that UUID is disabled. */ hidden_item = proto_tree_add_boolean(dcerpc_tree, hf_dcerpc_unknown_if_id, tvb, offset, 0, TRUE); proto_item_set_hidden(hidden_item); col_append_fstr(pinfo->cinfo, COL_INFO, " %s V%u", guids_resolve_guid_to_str(&info->call_data->uuid, pinfo->pool), info->call_data->ver); show_stub_data(pinfo, tvb, 0, dcerpc_tree, auth_info, !decrypted); return -1; } tap_queue_packet(dcerpc_tap, pinfo, info); return 0; } static void dissect_dcerpc_cn_auth_move(dcerpc_auth_info *auth_info, proto_tree *dcerpc_tree) { if (auth_info->auth_item != NULL) { proto_item *last_item = proto_tree_add_item(dcerpc_tree, hf_dcerpc_auth_info, auth_info->auth_tvb, 0, 0, ENC_NA); if (last_item != NULL) { proto_item_set_hidden(last_item); proto_tree_move_item(dcerpc_tree, last_item, auth_info->auth_item); } } } static dcerpc_auth_context *find_or_create_dcerpc_auth_context(packet_info *pinfo, dcerpc_auth_info *auth_info) { dcerpc_auth_context auth_key = { .conv = find_or_create_conversation(pinfo), .transport_salt = dcerpc_get_transport_salt(pinfo), .auth_type = auth_info->auth_type, .auth_level = auth_info->auth_level, .auth_context_id = auth_info->auth_context_id, .first_frame = G_MAXUINT32, }; dcerpc_auth_context *auth_value = NULL; auth_value = (dcerpc_auth_context *)wmem_map_lookup(dcerpc_auths, &auth_key); if (auth_value != NULL) { goto return_value; } auth_value = wmem_new(wmem_file_scope(), dcerpc_auth_context); if (auth_value == NULL) { return NULL; } *auth_value = auth_key; wmem_map_insert(dcerpc_auths, auth_value, auth_value); return_value: if (pinfo->fd->num < auth_value->first_frame) { auth_value->first_frame = pinfo->fd->num; } return auth_value; } static void dissect_dcerpc_cn_auth(tvbuff_t *tvb, int stub_offset, packet_info *pinfo, proto_tree *dcerpc_tree, e_dce_cn_common_hdr_t *hdr, dcerpc_auth_info *auth_info) { volatile int offset; /* * Initially set auth_level and auth_type to zero to indicate that we * haven't yet seen any authentication level information. */ auth_info->hdr_signing = FALSE; auth_info->auth_type = 0; auth_info->auth_level = 0; auth_info->auth_context_id = 0; auth_info->auth_pad_len = 0; auth_info->auth_size = 0; auth_info->auth_fns = NULL; auth_info->auth_tvb = NULL; auth_info->auth_item = NULL; auth_info->auth_tree = NULL; auth_info->auth_hdr_tvb = NULL; /* * The authentication information is at the *end* of the PDU; in * request and response PDUs, the request and response stub data * come before it. * * Is there any authentication data (i.e., is the authentication length * non-zero), and is the authentication length valid (i.e., is it, plus * 8 bytes for the type/level/pad length/reserved/context id, less than * or equal to the fragment length minus the starting offset of the * stub data?) */ if (hdr->auth_len && ((hdr->auth_len + 8) <= (hdr->frag_len - stub_offset))) { /* * Yes, there is authentication data, and the length is valid. * Do we have all the bytes of stub data? * (If not, we'd throw an exception dissecting *that*, so don't * bother trying to dissect the authentication information and * throwing another exception there.) */ offset = hdr->frag_len - (hdr->auth_len + 8); if (offset == 0 || tvb_offset_exists(tvb, offset - 1)) { dcerpc_auth_context *auth_context = NULL; int auth_offset = offset; /* Compute the size of the auth block. Note that this should not include auth padding, since when NTLMSSP encryption is used, the padding is actually inside the encrypted stub */ auth_info->auth_size = hdr->auth_len + 8; auth_info->auth_item = proto_tree_add_item(dcerpc_tree, hf_dcerpc_auth_info, tvb, offset, auth_info->auth_size, ENC_NA); auth_info->auth_tree = proto_item_add_subtree(auth_info->auth_item, ett_dcerpc_auth_info); /* * Either there's no stub data, or the last byte of the stub * data is present in the captured data, so we shouldn't * get a BoundsError dissecting the stub data. * * Try dissecting the authentication data. * Catch all exceptions, so that even if the auth info is bad * or we don't have all of it, we still show the stuff we * dissect after this, such as stub data. */ TRY { offset = dissect_dcerpc_uint8(tvb, offset, pinfo, auth_info->auth_tree, hdr->drep, hf_dcerpc_auth_type, &auth_info->auth_type); offset = dissect_dcerpc_uint8(tvb, offset, pinfo, auth_info->auth_tree, hdr->drep, hf_dcerpc_auth_level, &auth_info->auth_level); offset = dissect_dcerpc_uint8(tvb, offset, pinfo, auth_info->auth_tree, hdr->drep, hf_dcerpc_auth_pad_len, &auth_info->auth_pad_len); offset = dissect_dcerpc_uint8(tvb, offset, pinfo, auth_info->auth_tree, hdr->drep, hf_dcerpc_auth_rsrvd, NULL); offset = dissect_dcerpc_uint32(tvb, offset, pinfo, auth_info->auth_tree, hdr->drep, hf_dcerpc_auth_ctx_id, &auth_info->auth_context_id); proto_item_append_text(auth_info->auth_item, ": %s, %s, AuthContextId(%d)", val_to_str(auth_info->auth_type, authn_protocol_vals, "AuthType(%u)"), val_to_str(auth_info->auth_level, authn_level_vals, "AuthLevel(%u)"), auth_info->auth_context_id); /* * Dissect the authentication data. */ auth_info->auth_hdr_tvb = tvb_new_subset_length_caplen(tvb, auth_offset, 8, 8); auth_info->auth_tvb = tvb_new_subset_length_caplen(tvb, offset, MIN(hdr->auth_len,tvb_reported_length_remaining(tvb, offset)), hdr->auth_len); auth_context = find_or_create_dcerpc_auth_context(pinfo, auth_info); if (auth_context != NULL) { if (hdr->ptype == PDU_BIND || hdr->ptype == PDU_ALTER) { if (auth_context->first_frame == pinfo->fd->num) { auth_context->hdr_signing = (hdr->flags & PFC_HDR_SIGNING); } } auth_info->hdr_signing = auth_context->hdr_signing; } auth_info->auth_fns = get_auth_subdissector_fns(auth_info->auth_level, auth_info->auth_type); if (auth_info->auth_fns != NULL) dissect_auth_verf(pinfo, hdr, auth_info); else proto_tree_add_item(auth_info->auth_tree, hf_dcerpc_auth_credentials, auth_info->auth_tvb, 0, hdr->auth_len, ENC_NA); } CATCH_BOUNDS_ERRORS { show_exception(tvb, pinfo, dcerpc_tree, EXCEPT_CODE, GET_MESSAGE); } ENDTRY; } } } /* We need to hash in the SMB fid number to generate a unique hash table * key as DCERPC over SMB allows several pipes over the same TCP/IP * socket. * We pass this function the transport type here to make sure we only look * at this function if it came across an SMB pipe. * Other transports might need to mix in their own extra multiplexing data * as well in the future. */ guint64 dcerpc_get_transport_salt(packet_info *pinfo) { dcerpc_decode_as_data* decode_data = dcerpc_get_decode_data(pinfo); switch (decode_data->dcetransporttype) { case DCE_CN_TRANSPORT_SMBPIPE: /* DCERPC over smb */ return decode_data->dcetransportsalt; } /* Some other transport... */ return 0; } void dcerpc_set_transport_salt(guint64 dcetransportsalt, packet_info *pinfo) { dcerpc_decode_as_data* decode_data = dcerpc_get_decode_data(pinfo); decode_data->dcetransportsalt = dcetransportsalt; } /* * Connection oriented packet types */ static void dissect_dcerpc_cn_bind(tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *dcerpc_tree, e_dce_cn_common_hdr_t *hdr) { conversation_t *conv = find_or_create_conversation(pinfo); guint8 num_ctx_items = 0; guint i; guint16 ctx_id; guint8 num_trans_items; guint j; e_guid_t if_id; e_guid_t trans_id; guint32 trans_ver; guint16 if_ver, if_ver_minor; dcerpc_auth_info auth_info; char *uuid_str; const char *uuid_name = NULL; proto_item *iface_item = NULL; dcerpc_decode_as_data* decode_data = dcerpc_get_decode_data(pinfo); offset = dissect_dcerpc_uint16(tvb, offset, pinfo, dcerpc_tree, hdr->drep, hf_dcerpc_cn_max_xmit, NULL); offset = dissect_dcerpc_uint16(tvb, offset, pinfo, dcerpc_tree, hdr->drep, hf_dcerpc_cn_max_recv, NULL); offset = dissect_dcerpc_uint32(tvb, offset, pinfo, dcerpc_tree, hdr->drep, hf_dcerpc_cn_assoc_group, NULL); offset = dissect_dcerpc_uint8(tvb, offset, pinfo, dcerpc_tree, hdr->drep, hf_dcerpc_cn_num_ctx_items, &num_ctx_items); /* padding */ offset += 3; col_append_fstr(pinfo->cinfo, COL_INFO, ", %u context items:", num_ctx_items); for (i = 0; i < num_ctx_items; i++) { proto_item *ctx_item = NULL; proto_tree *ctx_tree = NULL, *iface_tree = NULL; gint ctx_offset = offset; dissect_dcerpc_uint16(tvb, offset, pinfo, NULL, hdr->drep, hf_dcerpc_cn_ctx_id, &ctx_id); /* save context ID for use with dcerpc_add_conv_to_bind_table() */ /* (if we have multiple contexts, this might cause "decode as" * to behave unpredictably) */ decode_data->dcectxid = ctx_id; if (dcerpc_tree) { ctx_item = proto_tree_add_item(dcerpc_tree, hf_dcerpc_cn_ctx_item, tvb, offset, 0, ENC_NA); ctx_tree = proto_item_add_subtree(ctx_item, ett_dcerpc_cn_ctx); } offset = dissect_dcerpc_uint16(tvb, offset, pinfo, ctx_tree, hdr->drep, hf_dcerpc_cn_ctx_id, &ctx_id); offset = dissect_dcerpc_uint8(tvb, offset, pinfo, ctx_tree, hdr->drep, hf_dcerpc_cn_num_trans_items, &num_trans_items); if (dcerpc_tree) { proto_item_append_text(ctx_item, "[%u]: Context ID:%u", i+1, ctx_id); } /* padding */ offset += 1; dcerpc_tvb_get_uuid(tvb, offset, hdr->drep, &if_id); if (ctx_tree) { iface_item = proto_tree_add_item(ctx_tree, hf_dcerpc_cn_bind_abstract_syntax, tvb, offset, 0, ENC_NA); iface_tree = proto_item_add_subtree(iface_item, ett_dcerpc_cn_iface); uuid_str = guid_to_str(pinfo->pool, (e_guid_t*)&if_id); uuid_name = guids_get_uuid_name(&if_id, pinfo->pool); if (uuid_name) { proto_tree_add_guid_format(iface_tree, hf_dcerpc_cn_bind_if_id, tvb, offset, 16, (e_guid_t *) &if_id, "Interface: %s UUID: %s", uuid_name, uuid_str); proto_item_append_text(iface_item, ": %s", uuid_name); proto_item_append_text(ctx_item, ", %s", uuid_name); } else { proto_tree_add_guid_format(iface_tree, hf_dcerpc_cn_bind_if_id, tvb, offset, 16, (e_guid_t *) &if_id, "Interface UUID: %s", uuid_str); proto_item_append_text(iface_item, ": %s", uuid_str); proto_item_append_text(ctx_item, ", %s", uuid_str); } } offset += 16; if (hdr->drep[0] & DREP_LITTLE_ENDIAN) { offset = dissect_dcerpc_uint16(tvb, offset, pinfo, iface_tree, hdr->drep, hf_dcerpc_cn_bind_if_ver, &if_ver); offset = dissect_dcerpc_uint16(tvb, offset, pinfo, iface_tree, hdr->drep, hf_dcerpc_cn_bind_if_ver_minor, &if_ver_minor); } else { offset = dissect_dcerpc_uint16(tvb, offset, pinfo, iface_tree, hdr->drep, hf_dcerpc_cn_bind_if_ver_minor, &if_ver_minor); offset = dissect_dcerpc_uint16(tvb, offset, pinfo, iface_tree, hdr->drep, hf_dcerpc_cn_bind_if_ver, &if_ver); } if (ctx_tree) { proto_item_append_text(iface_item, " V%u.%u", if_ver, if_ver_minor); proto_item_set_len(iface_item, 20); } memset(&trans_id, 0, sizeof(trans_id)); for (j = 0; j < num_trans_items; j++) { proto_tree *trans_tree = NULL; proto_item *trans_item = NULL; dcerpc_tvb_get_uuid(tvb, offset, hdr->drep, &trans_id); if (ctx_tree) { trans_item = proto_tree_add_item(ctx_tree, hf_dcerpc_cn_bind_trans_syntax, tvb, offset, 0, ENC_NA); trans_tree = proto_item_add_subtree(trans_item, ett_dcerpc_cn_trans_syntax); uuid_str = guid_to_str(pinfo->pool, (e_guid_t *) &trans_id); uuid_name = guids_get_uuid_name(&trans_id, pinfo->pool); /* check for [MS-RPCE] 3.3.1.5.3 Bind Time Feature Negotiation */ if (trans_id.data1 == 0x6cb71c2c && trans_id.data2 == 0x9812 && trans_id.data3 == 0x4540) { proto_tree_add_guid_format(trans_tree, hf_dcerpc_cn_bind_trans_id, tvb, offset, 16, (e_guid_t *) &trans_id, "Transfer Syntax: Bind Time Feature Negotiation UUID:%s", uuid_str); proto_tree_add_bitmask(trans_tree, tvb, offset + 8, hf_dcerpc_cn_bind_trans_btfn, ett_dcerpc_cn_bind_trans_btfn, dcerpc_cn_bind_trans_btfn_fields, ENC_LITTLE_ENDIAN); proto_item_append_text(trans_item, "[%u]: Bind Time Feature Negotiation", j+1); proto_item_append_text(ctx_item, ", Bind Time Feature Negotiation"); } else if (uuid_name) { proto_tree_add_guid_format(trans_tree, hf_dcerpc_cn_bind_trans_id, tvb, offset, 16, (e_guid_t *) &trans_id, "Transfer Syntax: %s UUID:%s", uuid_name, uuid_str); proto_item_append_text(trans_item, "[%u]: %s", j+1, uuid_name); proto_item_append_text(ctx_item, ", %s", uuid_name); } else { proto_tree_add_guid_format(trans_tree, hf_dcerpc_cn_bind_trans_id, tvb, offset, 16, (e_guid_t *) &trans_id, "Transfer Syntax: %s", uuid_str); proto_item_append_text(trans_item, "[%u]: %s", j+1, uuid_str); proto_item_append_text(ctx_item, ", %s", uuid_str); } } offset += 16; offset = dissect_dcerpc_uint32(tvb, offset, pinfo, trans_tree, hdr->drep, hf_dcerpc_cn_bind_trans_ver, &trans_ver); if (ctx_tree) { proto_item_set_len(trans_item, 20); proto_item_append_text(trans_item, " V%u", trans_ver); } } /* if this is the first time we've seen this packet, we need to update the dcerpc_binds table so that any later calls can match to the interface. XXX We assume that BINDs will NEVER be fragmented. */ if (!(pinfo->fd->visited)) { dcerpc_bind_key *key; dcerpc_bind_value *value; key = wmem_new(wmem_file_scope(), dcerpc_bind_key); key->conv = conv; key->ctx_id = ctx_id; key->transport_salt = dcerpc_get_transport_salt(pinfo); value = wmem_new(wmem_file_scope(), dcerpc_bind_value); value->uuid = if_id; value->ver = if_ver; value->transport = trans_id; /* add this entry to the bind table */ wmem_map_insert(dcerpc_binds, key, value); } if (i > 0) col_append_fstr(pinfo->cinfo, COL_INFO, ","); col_append_fstr(pinfo->cinfo, COL_INFO, " %s V%u.%u (%s)", guids_resolve_guid_to_str(&if_id, pinfo->pool), if_ver, if_ver_minor, guids_resolve_guid_to_str(&trans_id, pinfo->pool)); if (ctx_tree) { proto_item_set_len(ctx_item, offset - ctx_offset); } } /* * XXX - we should save the authentication type *if* we have * an authentication header, and associate it with an authentication * context, so subsequent PDUs can use that context. */ dissect_dcerpc_cn_auth(tvb, offset, pinfo, dcerpc_tree, hdr, &auth_info); } static void dissect_dcerpc_cn_bind_ack(tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *dcerpc_tree, e_dce_cn_common_hdr_t *hdr) { guint16 max_xmit, max_recv; guint16 sec_addr_len; guint8 num_results; guint i; guint16 result = 0; guint16 reason = 0; e_guid_t trans_id; guint32 trans_ver; dcerpc_auth_info auth_info; const char *uuid_name = NULL; const char *result_str = NULL; offset = dissect_dcerpc_uint16(tvb, offset, pinfo, dcerpc_tree, hdr->drep, hf_dcerpc_cn_max_xmit, &max_xmit); offset = dissect_dcerpc_uint16(tvb, offset, pinfo, dcerpc_tree, hdr->drep, hf_dcerpc_cn_max_recv, &max_recv); offset = dissect_dcerpc_uint32(tvb, offset, pinfo, dcerpc_tree, hdr->drep, hf_dcerpc_cn_assoc_group, NULL); offset = dissect_dcerpc_uint16(tvb, offset, pinfo, dcerpc_tree, hdr->drep, hf_dcerpc_cn_sec_addr_len, &sec_addr_len); if (sec_addr_len != 0) { proto_tree_add_item(dcerpc_tree, hf_dcerpc_cn_sec_addr, tvb, offset, sec_addr_len, ENC_ASCII); offset += sec_addr_len; } if (offset % 4) { offset += 4 - offset % 4; } offset = dissect_dcerpc_uint8(tvb, offset, pinfo, dcerpc_tree, hdr->drep, hf_dcerpc_cn_num_results, &num_results); /* padding */ offset += 3; col_append_fstr(pinfo->cinfo, COL_INFO, ", max_xmit: %u max_recv: %u, %u results:", max_xmit, max_recv, num_results); for (i = 0; i < num_results; i++) { proto_tree *ctx_tree = NULL; proto_item *ctx_item = NULL; if (dcerpc_tree) { ctx_tree = proto_tree_add_subtree_format(dcerpc_tree, tvb, offset, 24, ett_dcerpc_cn_ctx, &ctx_item, "Ctx Item[%u]:", i+1); } offset = dissect_dcerpc_uint16(tvb, offset, pinfo, ctx_tree, hdr->drep, hf_dcerpc_cn_ack_result, &result); /* [MS-RPCE] 3.3.1.5.3 check if this Ctx Item is the response to a Bind Time Feature Negotiation request */ if (result == 3) { proto_tree_add_bitmask(ctx_tree, tvb, offset, hf_dcerpc_cn_bind_trans_btfn, ett_dcerpc_cn_bind_trans_btfn, dcerpc_cn_bind_trans_btfn_fields, ENC_LITTLE_ENDIAN); offset += 2; } else if (result != 0) { offset = dissect_dcerpc_uint16(tvb, offset, pinfo, ctx_tree, hdr->drep, hf_dcerpc_cn_ack_reason, &reason); } else { /* * The reason for rejection isn't meaningful, and often isn't * set, when the syntax was accepted. */ offset += 2; } result_str = val_to_str(result, p_cont_result_vals, "Unknown result (%u)"); if (ctx_tree) { dcerpc_tvb_get_uuid(tvb, offset, hdr->drep, &trans_id); uuid_name = guids_get_uuid_name(&trans_id, pinfo->pool); if (! uuid_name) { uuid_name = guid_to_str(pinfo->pool, (e_guid_t *) &trans_id); } proto_tree_add_guid_format(ctx_tree, hf_dcerpc_cn_ack_trans_id, tvb, offset, 16, (e_guid_t *) &trans_id, "Transfer Syntax: %s", uuid_name); proto_item_append_text(ctx_item, " %s, %s", result_str, uuid_name); } offset += 16; offset = dissect_dcerpc_uint32(tvb, offset, pinfo, ctx_tree, hdr->drep, hf_dcerpc_cn_ack_trans_ver, &trans_ver); if (i > 0) col_append_fstr(pinfo->cinfo, COL_INFO, ","); col_append_fstr(pinfo->cinfo, COL_INFO, " %s", result_str); } /* * XXX - do we need to do anything with the authentication level * we get back from this? */ dissect_dcerpc_cn_auth(tvb, offset, pinfo, dcerpc_tree, hdr, &auth_info); } static void dissect_dcerpc_cn_bind_nak(tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *dcerpc_tree, e_dce_cn_common_hdr_t *hdr) { guint16 reason; guint8 num_protocols; guint i; offset = dissect_dcerpc_uint16(tvb, offset, pinfo, dcerpc_tree, hdr->drep, hf_dcerpc_cn_reject_reason, &reason); col_append_fstr(pinfo->cinfo, COL_INFO, " reason: %s", val_to_str(reason, reject_reason_vals, "Unknown (%u)")); if (reason == PROTOCOL_VERSION_NOT_SUPPORTED) { offset = dissect_dcerpc_uint8(tvb, offset, pinfo, dcerpc_tree, hdr->drep, hf_dcerpc_cn_num_protocols, &num_protocols); for (i = 0; i < num_protocols; i++) { offset = dissect_dcerpc_uint8(tvb, offset, pinfo, dcerpc_tree, hdr->drep, hf_dcerpc_cn_protocol_ver_major, NULL); offset = dissect_dcerpc_uint8(tvb, offset, pinfo, dcerpc_tree, hdr->drep, hf_dcerpc_cn_protocol_ver_minor, NULL); } } } /* Return a string describing a DCE/RPC fragment as first, middle, or end fragment. */ #define PFC_FRAG_MASK 0x03 static const char * fragment_type(guint8 flags) { static const char* t[4] = { "Mid", "1st", "Last", "Single" }; return t[flags & PFC_FRAG_MASK]; } /* Dissect stub data (payload) of a DCERPC packet. */ static void dissect_dcerpc_cn_stub(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *dcerpc_tree, proto_tree *tree, e_dce_cn_common_hdr_t *hdr, dcerpc_info *di, dcerpc_auth_info *auth_info, guint32 alloc_hint _U_, guint32 frame) { gint length, reported_length; gboolean save_fragmented; fragment_head *fd_head = NULL; tvbuff_t *header_tvb = NULL, *trailer_tvb = NULL; tvbuff_t *payload_tvb, *decrypted_tvb = NULL; proto_item *pi; proto_item *parent_pi; proto_item *dcerpc_tree_item; save_fragmented = pinfo->fragmented; length = tvb_reported_length_remaining(tvb, offset); reported_length = tvb_reported_length_remaining(tvb, offset); if (reported_length < 0 || (guint32)reported_length < auth_info->auth_size) { /* We don't even have enough bytes for the authentication stuff. */ return; } reported_length -= auth_info->auth_size; if (length > reported_length) length = reported_length; header_tvb = tvb_new_subset_length_caplen(tvb, 0, offset, offset); payload_tvb = tvb_new_subset_length_caplen(tvb, offset, length, reported_length); trailer_tvb = auth_info->auth_hdr_tvb; /* Decrypt the PDU if it is encrypted */ if (auth_info->auth_type && (auth_info->auth_level == DCE_C_AUTHN_LEVEL_PKT_PRIVACY)) { /* Start out assuming we won't succeed in decrypting. */ if (auth_info->auth_fns != NULL) { tvbuff_t *result; result = decode_encrypted_data(header_tvb, payload_tvb, trailer_tvb, pinfo, hdr, auth_info); if (result) { proto_tree_add_item(dcerpc_tree, hf_dcerpc_encrypted_stub_data, payload_tvb, 0, -1, ENC_NA); add_new_data_source( pinfo, result, "Decrypted stub data"); /* We succeeded. */ decrypted_tvb = result; } } } else decrypted_tvb = payload_tvb; /* if this packet is not fragmented, just dissect it and exit */ if (PFC_NOT_FRAGMENTED(hdr)) { pinfo->fragmented = FALSE; dcerpc_try_handoff(pinfo, tree, dcerpc_tree, ((decrypted_tvb != NULL) ? decrypted_tvb : payload_tvb), ((decrypted_tvb != NULL) ? TRUE : FALSE), hdr->drep, di, auth_info); pinfo->fragmented = save_fragmented; return; } /* The packet is fragmented. */ pinfo->fragmented = TRUE; /* debug output of essential fragment data. */ /* leave it here for future debugging sessions */ /*printf("DCE num:%u offset:%u frag_len:%u tvb_len:%u\n", pinfo->num, offset, hdr->frag_len, tvb_reported_length(decrypted_tvb));*/ /* if we are not doing reassembly and this is the first fragment then just dissect it and exit XXX - if we're not doing reassembly, can we decrypt an encrypted stub? */ if ( (!dcerpc_reassemble) && (hdr->flags & PFC_FIRST_FRAG) ) { dcerpc_try_handoff(pinfo, tree, dcerpc_tree, ((decrypted_tvb != NULL) ? decrypted_tvb : payload_tvb), ((decrypted_tvb != NULL) ? TRUE : FALSE), hdr->drep, di, auth_info); expert_add_info_format(pinfo, NULL, &ei_dcerpc_fragment, "%s fragment", fragment_type(hdr->flags)); pinfo->fragmented = save_fragmented; return; } /* if we have already seen this packet, see if it was reassembled and if so dissect the full pdu. then exit */ if (pinfo->fd->visited) { fd_head = fragment_get_reassembled_id(&dcerpc_co_reassembly_table, pinfo, frame); goto end_cn_stub; } /* if we are not doing reassembly and it was neither a complete PDU nor the first fragment then there is nothing more we can do so we just have to exit */ if ( !dcerpc_reassemble || (tvb_captured_length(tvb) != tvb_reported_length(tvb)) ) goto end_cn_stub; /* if we didn't get 'frame' we don't know where the PDU started and thus it is pointless to continue */ if (!frame) goto end_cn_stub; /* from now on we must attempt to reassemble the PDU */ /* if we get here we know it is the first time we see the packet and we also know it is only a fragment and not a full PDU, thus we must reassemble it. */ /* Do we have any non-encrypted data to reassemble? */ if (decrypted_tvb == NULL) { /* No. We can't even try to reassemble. */ goto end_cn_stub; } /* defragmentation is a bit tricky, as there's no offset of the fragment * in the protocol data. * * just use fragment_add_seq_next() and hope that TCP/SMB segments coming * in with the correct sequence. */ fd_head = fragment_add_seq_next(&dcerpc_co_reassembly_table, decrypted_tvb, 0, pinfo, frame, NULL, tvb_reported_length(decrypted_tvb), !(hdr->flags & PFC_LAST_FRAG) /* more_frags */); end_cn_stub: /* if reassembly is complete and this is the last fragment * (multiple fragments in one PDU are possible!) * dissect the full PDU */ if (fd_head && (fd_head->flags & FD_DEFRAGMENTED) ) { if ((pinfo->num == fd_head->reassembled_in) && (hdr->flags & PFC_LAST_FRAG) ) { tvbuff_t *next_tvb; proto_item *frag_tree_item; next_tvb = tvb_new_chain((decrypted_tvb)?decrypted_tvb:payload_tvb, fd_head->tvb_data); add_new_data_source(pinfo, next_tvb, "Reassembled DCE/RPC"); show_fragment_tree(fd_head, &dcerpc_frag_items, tree, pinfo, next_tvb, &frag_tree_item); /* the toplevel fragment subtree is now behind all desegmented data, * move it right behind the DCE/RPC tree */ dcerpc_tree_item = proto_tree_get_parent(dcerpc_tree); if (frag_tree_item && dcerpc_tree_item) { proto_tree_move_item(tree, dcerpc_tree_item, frag_tree_item); } pinfo->fragmented = FALSE; expert_add_info_format(pinfo, frag_tree_item, &ei_dcerpc_fragment_reassembled, "%s fragment, reassembled", fragment_type(hdr->flags)); dcerpc_try_handoff(pinfo, tree, dcerpc_tree, next_tvb, TRUE, hdr->drep, di, auth_info); } else { if (decrypted_tvb) { pi = proto_tree_add_uint(dcerpc_tree, hf_dcerpc_reassembled_in, decrypted_tvb, 0, 0, fd_head->reassembled_in); } else { pi = proto_tree_add_uint(dcerpc_tree, hf_dcerpc_reassembled_in, payload_tvb, 0, 0, fd_head->reassembled_in); } proto_item_set_generated(pi); parent_pi = proto_tree_get_parent(dcerpc_tree); if (parent_pi != NULL) { proto_item_append_text(parent_pi, ", [Reas: #%u]", fd_head->reassembled_in); } col_append_fstr(pinfo->cinfo, COL_INFO, " [DCE/RPC %s fragment, reas: #%u]", fragment_type(hdr->flags), fd_head->reassembled_in); expert_add_info_format(pinfo, NULL, &ei_dcerpc_fragment_reassembled, "%s fragment, reassembled in #%u", fragment_type(hdr->flags), fd_head->reassembled_in); } } else { /* Reassembly not complete - some fragments are missing. Just show the stub data. */ expert_add_info_format(pinfo, NULL, &ei_dcerpc_fragment, "%s fragment", fragment_type(hdr->flags)); if (decrypted_tvb) { show_stub_data(pinfo, decrypted_tvb, 0, tree, auth_info, FALSE); } else { show_stub_data(pinfo, payload_tvb, 0, tree, auth_info, TRUE); } } pinfo->fragmented = save_fragmented; } static void dissect_dcerpc_cn_rqst(tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *dcerpc_tree, proto_tree *tree, e_dce_cn_common_hdr_t *hdr) { conversation_t *conv; guint16 ctx_id; guint16 opnum; e_guid_t obj_id = DCERPC_UUID_NULL; dcerpc_auth_info auth_info; guint32 alloc_hint; proto_item *pi; proto_item *parent_pi; dcerpc_decode_as_data* decode_data = dcerpc_get_decode_data(pinfo); offset = dissect_dcerpc_uint32(tvb, offset, pinfo, dcerpc_tree, hdr->drep, hf_dcerpc_cn_alloc_hint, &alloc_hint); offset = dissect_dcerpc_uint16(tvb, offset, pinfo, dcerpc_tree, hdr->drep, hf_dcerpc_cn_ctx_id, &ctx_id); parent_pi = proto_tree_get_parent(dcerpc_tree); if (parent_pi != NULL) { proto_item_append_text(parent_pi, ", Ctx: %u", ctx_id); } offset = dissect_dcerpc_uint16(tvb, offset, pinfo, dcerpc_tree, hdr->drep, hf_dcerpc_opnum, &opnum); /* save context ID for use with dcerpc_add_conv_to_bind_table() */ decode_data->dcectxid = ctx_id; col_append_fstr(pinfo->cinfo, COL_INFO, ", opnum: %u, Ctx: %u", opnum, ctx_id); if (hdr->flags & PFC_OBJECT_UUID) { dcerpc_tvb_get_uuid(tvb, offset, hdr->drep, &obj_id); if (dcerpc_tree) { proto_tree_add_guid_format(dcerpc_tree, hf_dcerpc_obj_id, tvb, offset, 16, (e_guid_t *) &obj_id, "Object UUID: %s", guid_to_str(pinfo->pool, (e_guid_t *) &obj_id)); } offset += 16; } /* * XXX - what if this was set when the connection was set up, * and we just have a security context? */ dissect_dcerpc_cn_auth(tvb, offset, pinfo, dcerpc_tree, hdr, &auth_info); conv = find_conversation_pinfo(pinfo, 0); if (!conv) show_stub_data(pinfo, tvb, offset, dcerpc_tree, &auth_info, TRUE); else { dcerpc_matched_key matched_key, *new_matched_key; dcerpc_call_value *value; /* !!! we can NOT check visited here since this will interact badly with when SMB handles (i.e. calls the subdissector) and desegmented pdu's . Instead we check if this pdu is already in the matched table or not */ matched_key.frame = pinfo->num; matched_key.call_id = hdr->call_id; value = (dcerpc_call_value *)wmem_map_lookup(dcerpc_matched, &matched_key); if (!value) { dcerpc_bind_key bind_key; dcerpc_bind_value *bind_value; bind_key.conv = conv; bind_key.ctx_id = ctx_id; bind_key.transport_salt = dcerpc_get_transport_salt(pinfo); if ((bind_value = (dcerpc_bind_value *)wmem_map_lookup(dcerpc_binds, &bind_key)) ) { if (!(hdr->flags&PFC_FIRST_FRAG)) { dcerpc_cn_call_key call_key; dcerpc_call_value *call_value; call_key.conv = conv; call_key.call_id = hdr->call_id; call_key.transport_salt = dcerpc_get_transport_salt(pinfo); if ((call_value = (dcerpc_call_value *)wmem_map_lookup(dcerpc_cn_calls, &call_key))) { new_matched_key = wmem_new(wmem_file_scope(), dcerpc_matched_key); *new_matched_key = matched_key; wmem_map_insert(dcerpc_matched, new_matched_key, call_value); value = call_value; } } else { dcerpc_cn_call_key *call_key; dcerpc_call_value *call_value; /* We found the binding and it is the first fragment (or a complete PDU) of a dcerpc pdu so just add the call to both the call table and the matched table */ call_key = wmem_new(wmem_file_scope(), dcerpc_cn_call_key); call_key->conv = conv; call_key->call_id = hdr->call_id; call_key->transport_salt = dcerpc_get_transport_salt(pinfo); /* if there is already a matching call in the table remove it so it is replaced with the new one */ if (wmem_map_lookup(dcerpc_cn_calls, call_key)) { wmem_map_remove(dcerpc_cn_calls, call_key); } call_value = wmem_new(wmem_file_scope(), dcerpc_call_value); call_value->uuid = bind_value->uuid; call_value->ver = bind_value->ver; call_value->object_uuid = obj_id; call_value->opnum = opnum; call_value->req_frame = pinfo->num; call_value->req_time = pinfo->abs_ts; call_value->rep_frame = 0; call_value->max_ptr = 0; call_value->se_data = NULL; call_value->private_data = NULL; call_value->pol = NULL; call_value->flags = 0; if (!memcmp(&bind_value->transport, &uuid_ndr64, sizeof(uuid_ndr64))) { call_value->flags |= DCERPC_IS_NDR64; } wmem_map_insert(dcerpc_cn_calls, call_key, call_value); new_matched_key = wmem_new(wmem_file_scope(), dcerpc_matched_key); *new_matched_key = matched_key; wmem_map_insert(dcerpc_matched, new_matched_key, call_value); value = call_value; } } } if (value) { dcerpc_info *di; di = wmem_new0(pinfo->pool, dcerpc_info); /* handoff this call */ di->dcerpc_procedure_name = ""; di->conv = conv; di->call_id = hdr->call_id; di->transport_salt = dcerpc_get_transport_salt(pinfo); di->ptype = PDU_REQ; di->call_data = value; di->hf_index = -1; if (value->rep_frame != 0) { pi = proto_tree_add_uint(dcerpc_tree, hf_dcerpc_response_in, tvb, 0, 0, value->rep_frame); proto_item_set_generated(pi); if (parent_pi != NULL) { proto_item_append_text(parent_pi, ", [Resp: #%u]", value->rep_frame); } } dissect_dcerpc_cn_stub(tvb, offset, pinfo, dcerpc_tree, tree, hdr, di, &auth_info, alloc_hint, value->req_frame); } else { /* no bind information, simply show stub data */ proto_tree_add_expert_format(dcerpc_tree, pinfo, &ei_dcerpc_cn_ctx_id_no_bind, tvb, offset, 0, "No bind info for interface Context ID %u - capture start too late?", ctx_id); show_stub_data(pinfo, tvb, offset, dcerpc_tree, &auth_info, TRUE); } } /* * Move the auth_info subtree to the end, * as it's also at the end of the pdu on the wire. */ dissect_dcerpc_cn_auth_move(&auth_info, dcerpc_tree); } static void dissect_dcerpc_cn_resp(tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *dcerpc_tree, proto_tree *tree, e_dce_cn_common_hdr_t *hdr) { dcerpc_call_value *value = NULL; conversation_t *conv; guint16 ctx_id; dcerpc_auth_info auth_info; guint32 alloc_hint; proto_item *pi; proto_item *parent_pi; e_guid_t obj_id_null = DCERPC_UUID_NULL; dcerpc_decode_as_data* decode_data = dcerpc_get_decode_data(pinfo); offset = dissect_dcerpc_uint32(tvb, offset, pinfo, dcerpc_tree, hdr->drep, hf_dcerpc_cn_alloc_hint, &alloc_hint); offset = dissect_dcerpc_uint16(tvb, offset, pinfo, dcerpc_tree, hdr->drep, hf_dcerpc_cn_ctx_id, &ctx_id); parent_pi = proto_tree_get_parent(dcerpc_tree); if (parent_pi != NULL) { proto_item_append_text(parent_pi, ", Ctx: %u", ctx_id); } /* save context ID for use with dcerpc_add_conv_to_bind_table() */ decode_data->dcectxid = ctx_id; col_append_fstr(pinfo->cinfo, COL_INFO, ", Ctx: %u", ctx_id); offset = dissect_dcerpc_uint8(tvb, offset, pinfo, dcerpc_tree, hdr->drep, hf_dcerpc_cn_cancel_count, NULL); /* padding */ offset++; /* * XXX - what if this was set when the connection was set up, * and we just have a security context? */ dissect_dcerpc_cn_auth(tvb, offset, pinfo, dcerpc_tree, hdr, &auth_info); conv = find_conversation_pinfo(pinfo, 0); if (!conv) { /* no point in creating one here, really */ show_stub_data(pinfo, tvb, offset, dcerpc_tree, &auth_info, TRUE); } else { dcerpc_matched_key matched_key, *new_matched_key; /* !!! we can NOT check visited here since this will interact badly with when SMB handles (i.e. calls the subdissector) and desegmented pdu's . Instead we check if this pdu is already in the matched table or not */ matched_key.frame = pinfo->num; matched_key.call_id = hdr->call_id; value = (dcerpc_call_value *)wmem_map_lookup(dcerpc_matched, &matched_key); if (!value) { dcerpc_cn_call_key call_key; dcerpc_call_value *call_value; call_key.conv = conv; call_key.call_id = hdr->call_id; call_key.transport_salt = dcerpc_get_transport_salt(pinfo); if ((call_value = (dcerpc_call_value *)wmem_map_lookup(dcerpc_cn_calls, &call_key))) { /* extra sanity check, only match them if the reply came after the request */ if (call_value->req_framenum) { new_matched_key = wmem_new(wmem_file_scope(), dcerpc_matched_key); *new_matched_key = matched_key; wmem_map_insert(dcerpc_matched, new_matched_key, call_value); value = call_value; if (call_value->rep_frame == 0) { call_value->rep_frame = pinfo->num; } } } } if (value) { dcerpc_info *di; di = wmem_new0(pinfo->pool, dcerpc_info); /* handoff this call */ di->dcerpc_procedure_name = ""; di->conv = conv; di->call_id = hdr->call_id; di->transport_salt = dcerpc_get_transport_salt(pinfo); di->ptype = PDU_RESP; di->call_data = value; pi = proto_tree_add_uint(dcerpc_tree, hf_dcerpc_opnum, tvb, 0, 0, value->opnum); proto_item_set_generated(pi); /* (optional) "Object UUID" from request */ if (dcerpc_tree && (memcmp(&value->object_uuid, &obj_id_null, sizeof(obj_id_null)) != 0)) { pi = proto_tree_add_guid_format(dcerpc_tree, hf_dcerpc_obj_id, tvb, offset, 0, (e_guid_t *) &value->object_uuid, "Object UUID: %s", guid_to_str(pinfo->pool, (e_guid_t *) &value->object_uuid)); proto_item_set_generated(pi); } /* request in */ if (value->req_frame != 0) { nstime_t delta_ts; pi = proto_tree_add_uint(dcerpc_tree, hf_dcerpc_request_in, tvb, 0, 0, value->req_frame); proto_item_set_generated(pi); if (parent_pi != NULL) { proto_item_append_text(parent_pi, ", [Req: #%u]", value->req_frame); } nstime_delta(&delta_ts, &pinfo->abs_ts, &value->req_time); pi = proto_tree_add_time(dcerpc_tree, hf_dcerpc_time, tvb, offset, 0, &delta_ts); proto_item_set_generated(pi); } else { proto_tree_add_expert(dcerpc_tree, pinfo, &ei_dcerpc_no_request_found, tvb, 0, 0); } dissect_dcerpc_cn_stub(tvb, offset, pinfo, dcerpc_tree, tree, hdr, di, &auth_info, alloc_hint, value->rep_frame); } else { /* no bind information, simply show stub data */ proto_tree_add_expert_format(dcerpc_tree, pinfo, &ei_dcerpc_cn_ctx_id_no_bind, tvb, offset, 0, "No bind info for interface Context ID %u - capture start too late?", ctx_id); show_stub_data(pinfo, tvb, offset, dcerpc_tree, &auth_info, TRUE); } } /* * Move the auth_info subtree to the end, * as it's also at the end of the pdu on the wire. */ dissect_dcerpc_cn_auth_move(&auth_info, dcerpc_tree); } static void dissect_dcerpc_cn_fault(tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *dcerpc_tree, e_dce_cn_common_hdr_t *hdr) { dcerpc_call_value *value = NULL; conversation_t *conv; guint16 ctx_id; guint32 status; guint32 alloc_hint; dcerpc_auth_info auth_info; gint length, reported_length; tvbuff_t *stub_tvb = NULL; proto_item *pi = NULL; dcerpc_decode_as_data* decode_data = dcerpc_get_decode_data(pinfo); offset = dissect_dcerpc_uint32(tvb, offset, pinfo, dcerpc_tree, hdr->drep, hf_dcerpc_cn_alloc_hint, &alloc_hint); offset = dissect_dcerpc_uint16(tvb, offset, pinfo, dcerpc_tree, hdr->drep, hf_dcerpc_cn_ctx_id, &ctx_id); offset = dissect_dcerpc_uint8(tvb, offset, pinfo, dcerpc_tree, hdr->drep, hf_dcerpc_cn_cancel_count, NULL); proto_tree_add_bitmask(dcerpc_tree, tvb, offset, hf_dcerpc_cn_fault_flags, ett_dcerpc_fault_flags, dcerpc_cn_fault_flags_fields, DREP_ENC_INTEGER(hdr->drep)); offset += 1; #if 0 offset = dissect_dcerpc_uint32(tvb, offset, pinfo, dcerpc_tree, hdr->drep, hf_dcerpc_cn_status, &status); #endif status = ((hdr->drep[0] & DREP_LITTLE_ENDIAN) ? tvb_get_letohl(tvb, offset) : tvb_get_ntohl(tvb, offset)); pi = proto_tree_add_item(dcerpc_tree, hf_dcerpc_cn_status, tvb, offset, 4, DREP_ENC_INTEGER(hdr->drep)); offset+=4; expert_add_info_format(pinfo, pi, &ei_dcerpc_cn_status, "Fault: %s", val_to_str(status, reject_status_vals, "Unknown (0x%08x)")); /* save context ID for use with dcerpc_add_conv_to_bind_table() */ decode_data->dcectxid = ctx_id; col_append_fstr(pinfo->cinfo, COL_INFO, ", Ctx: %u, status: %s", ctx_id, val_to_str(status, reject_status_vals, "Unknown (0x%08x)")); /* padding */ proto_tree_add_item(dcerpc_tree, hf_dcerpc_reserved, tvb, offset, 4, ENC_NA); offset += 4; /* * XXX - what if this was set when the connection was set up, * and we just have a security context? */ dissect_dcerpc_cn_auth(tvb, offset, pinfo, dcerpc_tree, hdr, &auth_info); length = tvb_captured_length_remaining(tvb, offset); reported_length = tvb_reported_length_remaining(tvb, offset); if (reported_length < 0 || (guint32)reported_length < auth_info.auth_size) { /* We don't even have enough bytes for the authentication stuff. */ return; } reported_length -= auth_info.auth_size; if (length > reported_length) length = reported_length; stub_tvb = tvb_new_subset_length_caplen(tvb, offset, length, reported_length); conv = find_conversation_pinfo(pinfo, 0); if (!conv) { /* no point in creating one here, really */ } else { dcerpc_matched_key matched_key, *new_matched_key; /* !!! we can NOT check visited here since this will interact badly with when SMB handles (i.e. calls the subdissector) and desegmented pdu's . Instead we check if this pdu is already in the matched table or not */ matched_key.frame = pinfo->num; matched_key.call_id = hdr->call_id; value = (dcerpc_call_value *)wmem_map_lookup(dcerpc_matched, &matched_key); if (!value) { dcerpc_cn_call_key call_key; dcerpc_call_value *call_value; call_key.conv = conv; call_key.call_id = hdr->call_id; call_key.transport_salt = dcerpc_get_transport_salt(pinfo); if ((call_value = (dcerpc_call_value *)wmem_map_lookup(dcerpc_cn_calls, &call_key))) { new_matched_key = wmem_new(wmem_file_scope(), dcerpc_matched_key); *new_matched_key = matched_key; wmem_map_insert(dcerpc_matched, new_matched_key, call_value); value = call_value; if (call_value->rep_frame == 0) { call_value->rep_frame = pinfo->num; } } } if (value) { proto_tree *stub_tree = NULL; gint stub_length; dcerpc_info *di; proto_item *parent_pi; di = wmem_new0(pinfo->pool, dcerpc_info); /* handoff this call */ di->dcerpc_procedure_name = ""; di->conv = conv; di->call_id = hdr->call_id; di->transport_salt = dcerpc_get_transport_salt(pinfo); di->ptype = PDU_FAULT; di->call_data = value; pi = proto_tree_add_uint(dcerpc_tree, hf_dcerpc_opnum, tvb, 0, 0, value->opnum); proto_item_set_generated(pi); if (value->req_frame != 0) { nstime_t delta_ts; pi = proto_tree_add_uint(dcerpc_tree, hf_dcerpc_request_in, tvb, 0, 0, value->req_frame); proto_item_set_generated(pi); parent_pi = proto_tree_get_parent(dcerpc_tree); if (parent_pi != NULL) { proto_item_append_text(parent_pi, ", [Req: #%u]", value->req_frame); } nstime_delta(&delta_ts, &pinfo->abs_ts, &value->req_time); pi = proto_tree_add_time(dcerpc_tree, hf_dcerpc_time, tvb, offset, 0, &delta_ts); proto_item_set_generated(pi); } else { proto_tree_add_expert(dcerpc_tree, pinfo, &ei_dcerpc_no_request_found, tvb, 0, 0); } length = tvb_reported_length_remaining(stub_tvb, 0); /* as we now create a tvb in dissect_dcerpc_cn() containing only the * stub_data, the following calculation is no longer valid: * stub_length = hdr->frag_len - offset - auth_info.auth_size; * simply use the remaining length of the tvb instead. * XXX - or better use the reported_length?!? */ stub_length = length; stub_tree = proto_tree_add_subtree_format(dcerpc_tree, stub_tvb, 0, stub_length, ett_dcerpc_fault_stub_data, NULL, "Fault stub data (%d byte%s)", stub_length, plurality(stub_length, "", "s")); /* If we don't have reassembly enabled, or this packet contains the entire PDU, or if we don't have all the data in this fragment, just call the handoff directly if this is the first fragment or the PDU isn't fragmented. */ if ( (!dcerpc_reassemble) || PFC_NOT_FRAGMENTED(hdr) || !tvb_bytes_exist(stub_tvb, 0, stub_length) ) { if (hdr->flags&PFC_FIRST_FRAG) { /* First fragment, possibly the only fragment */ /* * XXX - should there be a third routine for each * function in an RPC subdissector, to handle * fault responses? The DCE RPC 1.1 spec says * three's "stub data" here, which I infer means * that it's protocol-specific and call-specific. * * It should probably get passed the status code * as well, as that might be protocol-specific. */ if (stub_length > 0) { proto_tree_add_item(stub_tree, hf_dcerpc_fault_stub_data, stub_tvb, 0, stub_length, ENC_NA); } } else { /* PDU is fragmented and this isn't the first fragment */ if (stub_length > 0) { proto_tree_add_item(stub_tree, hf_dcerpc_fragment_data, stub_tvb, 0, stub_length, ENC_NA); } } } else { /* Reassembly is enabled, the PDU is fragmented, and we have all the data in the fragment; the first two of those mean we should attempt reassembly, and the third means we can attempt reassembly. */ if (dcerpc_tree) { if (length > 0) { proto_tree_add_item(stub_tree, hf_dcerpc_fragment_data, stub_tvb, 0, stub_length, ENC_NA); } } if (hdr->flags&PFC_FIRST_FRAG) { /* FIRST fragment */ if ( (!pinfo->fd->visited) && value->rep_frame ) { fragment_add_seq_next(&dcerpc_co_reassembly_table, stub_tvb, 0, pinfo, value->rep_frame, NULL, stub_length, TRUE); } } else if (hdr->flags&PFC_LAST_FRAG) { /* LAST fragment */ if ( value->rep_frame ) { fragment_head *fd_head; fd_head = fragment_add_seq_next(&dcerpc_co_reassembly_table, stub_tvb, 0, pinfo, value->rep_frame, NULL, stub_length, TRUE); if (fd_head) { /* We completed reassembly */ tvbuff_t *next_tvb; proto_item *frag_tree_item; next_tvb = tvb_new_chain(stub_tvb, fd_head->tvb_data); add_new_data_source(pinfo, next_tvb, "Reassembled DCE/RPC"); show_fragment_tree(fd_head, &dcerpc_frag_items, dcerpc_tree, pinfo, next_tvb, &frag_tree_item); /* * XXX - should there be a third routine for each * function in an RPC subdissector, to handle * fault responses? The DCE RPC 1.1 spec says * three's "stub data" here, which I infer means * that it's protocol-specific and call-specific. * * It should probably get passed the status code * as well, as that might be protocol-specific. */ if (dcerpc_tree) { if (length > 0) { proto_tree_add_item(dcerpc_tree, hf_dcerpc_stub_data, stub_tvb, 0, stub_length, ENC_NA); } } } } } else { /* MIDDLE fragment(s) */ if ( (!pinfo->fd->visited) && value->rep_frame ) { fragment_add_seq_next(&dcerpc_co_reassembly_table, stub_tvb, 0, pinfo, value->rep_frame, NULL, stub_length, TRUE); } } } } } /* * Move the auth_info subtree to the end, * as it's also at the end of the pdu on the wire. */ dissect_dcerpc_cn_auth_move(&auth_info, dcerpc_tree); } static void dissect_dcerpc_cn_rts(tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *dcerpc_tree, e_dce_cn_common_hdr_t *hdr) { proto_item *tf = NULL; proto_item *parent_pi = NULL; proto_tree *cn_rts_pdu_tree = NULL; guint16 rts_flags; guint16 commands_nb = 0; guint32 *cmd; guint32 i; const char *info_str = NULL; static int * const flags[] = { &hf_dcerpc_cn_rts_flags_ping, &hf_dcerpc_cn_rts_flags_other_cmd, &hf_dcerpc_cn_rts_flags_recycle_channel, &hf_dcerpc_cn_rts_flags_in_channel, &hf_dcerpc_cn_rts_flags_out_channel, &hf_dcerpc_cn_rts_flags_eof, NULL }; /* Dissect specific RTS header */ rts_flags = dcerpc_tvb_get_ntohs(tvb, offset, hdr->drep); proto_tree_add_bitmask_value_with_flags(dcerpc_tree, tvb, offset, hf_dcerpc_cn_rts_flags, ett_dcerpc_cn_rts_flags, flags, rts_flags, BMT_NO_APPEND); offset += 2; offset = dissect_dcerpc_uint16(tvb, offset, pinfo, dcerpc_tree, hdr->drep, hf_dcerpc_cn_rts_commands_nb, &commands_nb); /* Create the RTS PDU tree - we do not yet know its name */ cn_rts_pdu_tree = proto_tree_add_subtree_format(dcerpc_tree, tvb, offset, -1, ett_dcerpc_cn_rts_pdu, &tf, "RTS PDU: %u commands", commands_nb); cmd = (guint32 *)wmem_alloc(pinfo->pool, sizeof (guint32) * (commands_nb + 1)); /* Dissect commands */ for (i = 0; i < commands_nb; ++i) { proto_tree *cn_rts_command_tree = NULL; const guint32 command = dcerpc_tvb_get_ntohl(tvb, offset, hdr->drep); cmd[i] = command; tf = proto_tree_add_uint(cn_rts_pdu_tree, hf_dcerpc_cn_rts_command, tvb, offset, 4, command); cn_rts_command_tree = proto_item_add_subtree(tf, ett_dcerpc_cn_rts_command); offset += 4; switch (command) { case RTS_CMD_RECEIVEWINDOWSIZE: offset = dissect_dcerpc_uint32(tvb, offset, pinfo, cn_rts_command_tree, hdr->drep, hf_dcerpc_cn_rts_command_receivewindowsize, NULL); break; case RTS_CMD_FLOWCONTROLACK: offset = dissect_dcerpc_uint32(tvb, offset, pinfo, cn_rts_command_tree, hdr->drep, hf_dcerpc_cn_rts_command_fack_bytesreceived, NULL); offset = dissect_dcerpc_uint32(tvb, offset, pinfo, cn_rts_command_tree, hdr->drep, hf_dcerpc_cn_rts_command_fack_availablewindow, NULL); offset = dissect_dcerpc_uuid_t(tvb, offset, pinfo, cn_rts_command_tree, hdr->drep, hf_dcerpc_cn_rts_command_fack_channelcookie, NULL); break; case RTS_CMD_CONNECTIONTIMEOUT: offset = dissect_dcerpc_uint32(tvb, offset, pinfo, cn_rts_command_tree, hdr->drep, hf_dcerpc_cn_rts_command_connectiontimeout, NULL); break; case RTS_CMD_COOKIE: offset = dissect_dcerpc_uuid_t(tvb, offset, pinfo, cn_rts_command_tree, hdr->drep, hf_dcerpc_cn_rts_command_cookie, NULL); break; case RTS_CMD_CHANNELLIFETIME: offset = dissect_dcerpc_uint32(tvb, offset, pinfo, cn_rts_command_tree, hdr->drep, hf_dcerpc_cn_rts_command_channellifetime, NULL); break; case RTS_CMD_CLIENTKEEPALIVE: offset = dissect_dcerpc_uint32(tvb, offset, pinfo, cn_rts_command_tree, hdr->drep, hf_dcerpc_cn_rts_command_clientkeepalive, NULL); break; case RTS_CMD_VERSION: offset = dissect_dcerpc_uint32(tvb, offset, pinfo, cn_rts_command_tree, hdr->drep, hf_dcerpc_cn_rts_command_version, NULL); break; case RTS_CMD_EMPTY: break; case RTS_CMD_PADDING: { guint8 *padding; const guint32 conformance_count = dcerpc_tvb_get_ntohl(tvb, offset, hdr->drep); proto_tree_add_uint(cn_rts_command_tree, hf_dcerpc_cn_rts_command_conformancecount, tvb, offset, 4, conformance_count); offset += 4; padding = (guint8 *)tvb_memdup(pinfo->pool, tvb, offset, conformance_count); proto_tree_add_bytes(cn_rts_command_tree, hf_dcerpc_cn_rts_command_padding, tvb, offset, conformance_count, padding); offset += conformance_count; } break; case RTS_CMD_NEGATIVEANCE: break; case RTS_CMD_ANCE: break; case RTS_CMD_CLIENTADDRESS: { guint8 *padding; const guint32 addrtype = dcerpc_tvb_get_ntohl(tvb, offset, hdr->drep); proto_tree_add_uint(cn_rts_command_tree, hf_dcerpc_cn_rts_command_addrtype, tvb, offset, 4, addrtype); offset += 4; switch (addrtype) { case RTS_IPV4: { const guint32 addr4 = tvb_get_ipv4(tvb, offset); proto_tree_add_ipv4_format_value(cn_rts_command_tree, hf_dcerpc_cmd_client_ipv4, tvb, offset, 4, addr4, "%s", get_hostname(addr4)); offset += 4; } break; case RTS_IPV6: { ws_in6_addr addr6; tvb_get_ipv6(tvb, offset, &addr6); proto_tree_add_ipv6_format_value(cn_rts_command_tree, hf_dcerpc_cmd_client_ipv6, tvb, offset, 16, &addr6, "%s", get_hostname6(&addr6)); offset += 16; } break; } padding = (guint8 *)tvb_memdup(pinfo->pool, tvb, offset, 12); proto_tree_add_bytes(cn_rts_command_tree, hf_dcerpc_cn_rts_command_padding, tvb, offset, 12, padding); offset += 12; } break; case RTS_CMD_ASSOCIATIONGROUPID: offset = dissect_dcerpc_uuid_t(tvb, offset, pinfo, cn_rts_command_tree, hdr->drep, hf_dcerpc_cn_rts_command_associationgroupid, NULL); break; case RTS_CMD_DESTINATION: offset = dissect_dcerpc_uint32(tvb, offset, pinfo, cn_rts_command_tree, hdr->drep, hf_dcerpc_cn_rts_command_forwarddestination, NULL); break; case RTS_CMD_PINGTRAFFICSENTNOTIFY: offset = dissect_dcerpc_uint32(tvb, offset, pinfo, cn_rts_command_tree, hdr->drep, hf_dcerpc_cn_rts_command_pingtrafficsentnotify, NULL); break; default: expert_add_info(pinfo, tf, &ei_dcerpc_cn_rts_command); break; } } col_set_str(pinfo->cinfo, COL_PROTOCOL, "RPCH"); /* Define which PDU Body we are dealing with */ info_str = "unknown RTS PDU"; switch (rts_flags) { case RTS_FLAG_NONE: switch (commands_nb) { case 1: if (cmd[0] == 0x2) { info_str = "CONN/A3"; } else if (cmd[0] == 0x3) { info_str = "IN_R1/A5,IN_R1/A6,IN_R2/A2,IN_R2/A5,OUT_R2/A4"; } else if (cmd[0] == 0x7) { info_str = "IN_R1/B1"; } else if (cmd[0] == 0x0) { info_str = "IN_R1/B2"; } else if (cmd[0] == 0xD) { info_str = "IN_R2/A3,IN_R2/A4"; } else if (cmd[0] == 0xA) { info_str = "OUT_R1/A9,OUT_R1/A10,OUT_R1/A11,OUT_R2/B1,OUT_R2/B2"; } break; case 2: if ((cmd[0] == 0x0) && (cmd[1] == 0x6)) { info_str = "CONN/B3"; } else if ((cmd[0] == 0xD) && (cmd[1] == 0xA)) { info_str = "OUT_R2/A5,OUT_R2/A6"; } break; case 3: if ((cmd[0] == 0x6) && (cmd[1] == 0x0) && (cmd[2] == 0x2)) { info_str = "CONN/C1,CONN/C2"; } break; case 4: if ((cmd[0] == 0x6) && (cmd[1] == 0x3) && (cmd[2] == 0x3) && (cmd[3] == 0x0)) { info_str = "CONN/A1"; } else if ((cmd[0] == 0xD) && (cmd[1] == 0x6) && (cmd[2] == 0x0) && (cmd[3] == 0x2)) { info_str = "IN_R1/A3,IN_R1/A4"; } break; case 6: if ((cmd[0] == 0x6) && (cmd[1] == 0x3) && (cmd[2] == 0x3) && (cmd[3] == 0x4) && (cmd[4] == 0x5) && (cmd[5] == 0xC)) { info_str = "CONN/B1"; } break; default: break; } break; case RTS_FLAG_PING: switch (commands_nb) { case 0: info_str = "Ping"; break; case 1: if ((cmd[0] == 0x7) || (cmd[0] == 0x8)) { info_str = "OUT_R2/C1"; } break; default: break; } break; case RTS_FLAG_OTHER_CMD: switch (commands_nb) { case 1: if (cmd[0] == 0x5) { info_str = "Keep-Alive"; } else if (cmd[0] == 0xE) { info_str = "PingTrafficSentNotify"; } else if (cmd[0] == 0x1) { info_str = "FlowControlAck"; } break; case 2: if ((cmd[0] == 0xD) && (cmd[1] == 0x1)) { info_str = "FlowControlAckWithDestination"; } break; default: break; } break; case RTS_FLAG_RECYCLE_CHANNEL: switch (commands_nb) { case 1: if (cmd[0] == 0xD) { info_str = "OUT_R1/A1,OUT_R1/A2,OUT_R2/A1,OUT_R2/A2"; } break; case 4: if ((cmd[0] == 0x6) && (cmd[1] == 0x3) && (cmd[2] == 0x3) && (cmd[3] == 0x3)) { info_str = "IN_R1/A1,IN_R2/A1"; } break; case 5: if ((cmd[0] == 0x6) && (cmd[1] == 0x3) && (cmd[2] == 0x3) && (cmd[3] == 0x3) && (cmd[4] == 0x0)) { info_str = "OUT_R1/A3,OUT_R2/A3"; } break; default: break; } break; case RTS_FLAG_IN_CHANNEL|RTS_FLAG_RECYCLE_CHANNEL: switch (commands_nb) { case 6: if ((cmd[0] == 0x6) && (cmd[1] == 0x3) && (cmd[2] == 0x3) && (cmd[3] == 0x3) && (cmd[4] == 0x0) && (cmd[5] == 0x2)) { info_str = "IN_R1/A2"; } break; default: break; } break; case RTS_FLAG_IN_CHANNEL: switch (commands_nb) { case 7: if ((cmd[0] == 0x6) && (cmd[1] == 0x3) && (cmd[2] == 0x3) && (cmd[3] == 0x0) && (cmd[4] == 0x2) && (cmd[5] == 0xC) && (cmd[6] == 0xB)) { info_str = "CONN/B2"; } break; default: break; } break; case RTS_FLAG_OUT_CHANNEL|RTS_FLAG_RECYCLE_CHANNEL: switch (commands_nb) { case 7: if ((cmd[0] == 0x6) && (cmd[1] == 0x3) && (cmd[2] == 0x3) && (cmd[3] == 0x3) && (cmd[4] == 0x4) && (cmd[5] == 0) && (cmd[6] == 0x2)) { info_str = "OUT_R1/A4"; } break; default: break; } break; case RTS_FLAG_OUT_CHANNEL: switch (commands_nb) { case 2: if ((cmd[0] == 0xD) && (cmd[1] == 0x3)) { info_str = "OUT_R1/A7,OUT_R1/A8,OUT_R2/A8"; } break; case 3: if ((cmd[0] == 0xD) && (cmd[1] == 0x6) && (cmd[2] == 0x2)) { info_str = "OUT_R1/A5,OUT_R1/A6"; } else if ((cmd[0] == 0xD) && (cmd[1] == 0x3) && (cmd[2] == 0x6)) { info_str = "OUT_R2/A7"; } break; case 5: if ((cmd[0] == 0x6) && (cmd[1] == 0x3) && (cmd[2] == 0x3) && (cmd[3] == 0x4) && (cmd[4] == 0x0)) { info_str = "CONN/A2"; } break; default: break; } break; case RTS_FLAG_EOF: switch (commands_nb) { case 1: if (cmd[0] == 0xA) { info_str = "OUT_R2/B3"; } break; default: break; } break; case RTS_FLAG_ECHO: switch (commands_nb) { case 0: info_str = "Echo"; break; default: break; } break; default: break; } col_add_fstr(pinfo->cinfo, COL_INFO, "%s, ", info_str); col_set_fence(pinfo->cinfo,COL_INFO); parent_pi = proto_tree_get_parent(dcerpc_tree); if (parent_pi != NULL) { proto_item_append_text(parent_pi, ", %s", info_str); } } /* Test to see if this looks like a connection oriented PDU */ static gboolean is_dcerpc(tvbuff_t *tvb, int offset, packet_info *pinfo _U_) { guint8 rpc_ver; guint8 rpc_ver_minor; guint8 ptype; guint8 drep[4]; guint16 frag_len; if (!tvb_bytes_exist(tvb, offset, sizeof(e_dce_cn_common_hdr_t))) return FALSE; /* not enough information to check */ rpc_ver = tvb_get_guint8(tvb, offset++); if (rpc_ver != 5) return FALSE; rpc_ver_minor = tvb_get_guint8(tvb, offset++); if ((rpc_ver_minor != 0) && (rpc_ver_minor != 1)) return FALSE; ptype = tvb_get_guint8(tvb, offset++); if (ptype > PDU_RTS) return FALSE; /* Skip flags, nothing good to check */ offset++; tvb_memcpy(tvb, (guint8 *)drep, offset, sizeof (drep)); if (drep[0]&0xee) return FALSE; if (drep[1] > DCE_RPC_DREP_FP_IBM) return FALSE; offset += (int)sizeof(drep); frag_len = dcerpc_tvb_get_ntohs(tvb, offset, drep); if (frag_len < sizeof(e_dce_cn_common_hdr_t)) { return FALSE; } return TRUE; } /* * DCERPC dissector for connection oriented calls. */ static gboolean dissect_dcerpc_cn(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, gboolean can_desegment, int *pkt_len) { static const guint8 nulls[4] = { 0 }; int start_offset; int padding = 0; int subtvb_len = 0; proto_item *ti = NULL; proto_item *tf = NULL; proto_tree *dcerpc_tree = NULL; e_dce_cn_common_hdr_t hdr; dcerpc_auth_info auth_info; tvbuff_t *fragment_tvb; dcerpc_decode_as_data* decode_data = dcerpc_get_decode_data(pinfo); static int * const hdr_flags[] = { &hf_dcerpc_cn_flags_object, &hf_dcerpc_cn_flags_maybe, &hf_dcerpc_cn_flags_dne, &hf_dcerpc_cn_flags_mpx, &hf_dcerpc_cn_flags_reserved, &hf_dcerpc_cn_flags_cancel_pending, &hf_dcerpc_cn_flags_last_frag, &hf_dcerpc_cn_flags_first_frag, NULL }; /* * when done over nbt, dcerpc requests are padded with 4 bytes of null * data for some reason. * * XXX - if that's always the case, the right way to do this would * be to have a "dissect_dcerpc_cn_nb" routine which strips off * the 4 bytes of null padding, and make that the dissector * used for "netbios". */ if (tvb_memeql(tvb, offset, nulls, 4) == 0) { /* * Skip the padding. */ offset += 4; padding += 4; } /* * Check if this looks like a C/O DCERPC call */ if (!is_dcerpc(tvb, offset, pinfo)) return FALSE; start_offset = offset; hdr.rpc_ver = tvb_get_guint8(tvb, offset++); hdr.rpc_ver_minor = tvb_get_guint8(tvb, offset++); hdr.ptype = tvb_get_guint8(tvb, offset++); hdr.flags = tvb_get_guint8(tvb, offset++); tvb_memcpy(tvb, (guint8 *)hdr.drep, offset, sizeof (hdr.drep)); offset += (int)sizeof (hdr.drep); hdr.frag_len = dcerpc_tvb_get_ntohs(tvb, offset, hdr.drep); offset += 2; hdr.auth_len = dcerpc_tvb_get_ntohs(tvb, offset, hdr.drep); offset += 2; hdr.call_id = dcerpc_tvb_get_ntohl(tvb, offset, hdr.drep); /*offset += 4;*/ if (can_desegment && pinfo->can_desegment && !tvb_bytes_exist(tvb, start_offset, hdr.frag_len)) { pinfo->desegment_offset = start_offset; pinfo->desegment_len = hdr.frag_len - tvb_reported_length_remaining(tvb, start_offset); *pkt_len = 0; /* desegmentation required */ return TRUE; } col_set_str(pinfo->cinfo, COL_PROTOCOL, "DCERPC"); if (decode_data->dcectxid != 0) { /* this is not the first DCE-RPC request/response in this (TCP?-)PDU, * append a delimiter and set a column fence */ col_append_str(pinfo->cinfo, COL_INFO, " # "); col_set_fence(pinfo->cinfo,COL_INFO); } col_add_fstr(pinfo->cinfo, COL_INFO, "%s: call_id: %u", pckt_vals[hdr.ptype].strptr, hdr.call_id); if (decode_data->dcectxid != 0) { /* this is not the first DCE-RPC request/response in this (TCP?-)PDU */ expert_add_info(pinfo, NULL, &ei_dcerpc_fragment_multiple); } offset = start_offset; tvb_ensure_bytes_exist(tvb, offset, 16); if (tree) { ti = proto_tree_add_item(tree, proto_dcerpc, tvb, offset, hdr.frag_len, ENC_NA); dcerpc_tree = proto_item_add_subtree(ti, ett_dcerpc); } proto_tree_add_uint(dcerpc_tree, hf_dcerpc_ver, tvb, offset, 1, hdr.rpc_ver); offset++; proto_tree_add_uint(dcerpc_tree, hf_dcerpc_ver_minor, tvb, offset, 1, hdr.rpc_ver_minor); offset++; tf = proto_tree_add_uint(dcerpc_tree, hf_dcerpc_packet_type, tvb, offset, 1, hdr.ptype); offset++; #if 0 /* XXX - too much "output noise", removed for now */ if (hdr.ptype == PDU_BIND || hdr.ptype == PDU_ALTER || hdr.ptype == PDU_BIND_ACK || hdr.ptype == PDU_ALTER_ACK) expert_add_info_format(pinfo, tf, &ei_dcerpc_context_change, "Context change: %s", val_to_str(hdr.ptype, pckt_vals, "(0x%x)")); #endif if (hdr.ptype == PDU_BIND_NAK) expert_add_info(pinfo, tf, &ei_dcerpc_bind_not_acknowledged); if (tree) { proto_item_append_text(ti, " %s, Fragment: %s", val_to_str(hdr.ptype, pckt_vals, "Unknown (0x%02x)"), fragment_type(hdr.flags)); } proto_tree_add_bitmask_value_with_flags(dcerpc_tree, tvb, offset, hf_dcerpc_cn_flags, ett_dcerpc_cn_flags, hdr_flags, hdr.flags, BMT_NO_APPEND); offset++; col_append_fstr(pinfo->cinfo, COL_INFO, ", Fragment: %s", fragment_type(hdr.flags)); proto_tree_add_dcerpc_drep(dcerpc_tree, tvb, offset, hdr.drep, (int)sizeof (hdr.drep)); offset += (int)sizeof (hdr.drep); proto_tree_add_uint(dcerpc_tree, hf_dcerpc_cn_frag_len, tvb, offset, 2, hdr.frag_len); offset += 2; proto_tree_add_uint(dcerpc_tree, hf_dcerpc_cn_auth_len, tvb, offset, 2, hdr.auth_len); offset += 2; proto_tree_add_uint(dcerpc_tree, hf_dcerpc_cn_call_id, tvb, offset, 4, hdr.call_id); offset += 4; if (ti) { proto_item_append_text(ti, ", FragLen: %u, Call: %u", hdr.frag_len, hdr.call_id); } /* * None of the stuff done above should throw an exception, because * we would have rejected this as "not DCE RPC" if we didn't have all * of it. (XXX - perhaps we should request reassembly if we have * enough of the header to consider it DCE RPC but not enough to * get the fragment length; in that case the stuff still wouldn't * throw an exception.) * * The rest of the stuff might, so return the PDU length to our caller. * XXX - should we construct a tvbuff containing only the PDU and * use that? Or should we have separate "is this a DCE RPC PDU", * "how long is it", and "dissect it" routines - which might let us * do most of the work in "tcp_dissect_pdus()"? */ if (pkt_len != NULL) *pkt_len = hdr.frag_len + padding; /* The remaining bytes in the current tvb might contain multiple * DCE/RPC fragments, so create a new tvb subset for this fragment. * Only limit the end of the fragment, but not the offset start, * as the authentication function dissect_dcerpc_cn_auth() will fail * (and other functions might fail as well) computing the right start * offset otherwise. */ subtvb_len = MIN(hdr.frag_len, tvb_reported_length(tvb)); fragment_tvb = tvb_new_subset_length_caplen(tvb, start_offset, subtvb_len /* length */, hdr.frag_len /* reported_length */); /* * Packet type specific stuff is next. */ switch (hdr.ptype) { case PDU_BIND: case PDU_ALTER: dissect_dcerpc_cn_bind(fragment_tvb, MIN(offset - start_offset, subtvb_len), pinfo, dcerpc_tree, &hdr); break; case PDU_BIND_ACK: case PDU_ALTER_ACK: dissect_dcerpc_cn_bind_ack(fragment_tvb, MIN(offset - start_offset, subtvb_len), pinfo, dcerpc_tree, &hdr); break; case PDU_AUTH3: /* * Nothing after the common header other than credentials. */ dissect_dcerpc_cn_auth(fragment_tvb, MIN(offset - start_offset, subtvb_len), pinfo, dcerpc_tree, &hdr, &auth_info); break; case PDU_REQ: dissect_dcerpc_cn_rqst(fragment_tvb, MIN(offset - start_offset, subtvb_len), pinfo, dcerpc_tree, tree, &hdr); break; case PDU_RESP: dissect_dcerpc_cn_resp(fragment_tvb, MIN(offset - start_offset, subtvb_len), pinfo, dcerpc_tree, tree, &hdr); break; case PDU_FAULT: dissect_dcerpc_cn_fault(fragment_tvb, MIN(offset - start_offset, subtvb_len), pinfo, dcerpc_tree, &hdr); break; case PDU_BIND_NAK: dissect_dcerpc_cn_bind_nak(fragment_tvb, MIN(offset - start_offset, subtvb_len), pinfo, dcerpc_tree, &hdr); break; case PDU_CO_CANCEL: case PDU_ORPHANED: /* * Nothing after the common header other than an authentication * verifier. */ dissect_dcerpc_cn_auth(fragment_tvb, MIN(offset - start_offset, subtvb_len), pinfo, dcerpc_tree, &hdr, &auth_info); break; case PDU_SHUTDOWN: /* * Nothing after the common header, not even an authentication * verifier. */ break; case PDU_RTS: dissect_dcerpc_cn_rts(fragment_tvb, MIN(offset - start_offset, subtvb_len), pinfo, dcerpc_tree, &hdr); break; default: /* might as well dissect the auth info */ dissect_dcerpc_cn_auth(fragment_tvb, MIN(offset - start_offset, subtvb_len), pinfo, dcerpc_tree, &hdr, &auth_info); break; } return TRUE; } /* * DCERPC dissector for connection oriented calls over packet-oriented * transports */ static gboolean dissect_dcerpc_cn_pk(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_) { dcerpc_decode_as_data* decode_data = dcerpc_get_decode_data(pinfo); /* * Only one PDU per transport packet, and only one transport * packet per PDU. */ decode_data->dcetransporttype = DCE_TRANSPORT_UNKNOWN; if (!dissect_dcerpc_cn(tvb, 0, pinfo, tree, FALSE, NULL)) { /* * It wasn't a DCERPC PDU. */ return FALSE; } else { /* * It was. */ return TRUE; } } /* * DCERPC dissector for connection oriented calls over byte-stream * transports. * we need to distinguish here between SMB and non-TCP (more in the future?) * to be able to know what kind of private_data structure to expect. */ static gboolean dissect_dcerpc_cn_bs_body(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) { volatile int offset = 0; int pdu_len = 0; volatile int dcerpc_pdus = 0; volatile gboolean ret = FALSE; /* * There may be multiple PDUs per transport packet; keep * processing them. */ while (tvb_reported_length_remaining(tvb, offset) != 0) { TRY { pdu_len = 0; if (dissect_dcerpc_cn(tvb, offset, pinfo, tree, dcerpc_cn_desegment, &pdu_len)) { dcerpc_pdus++; } } CATCH_NONFATAL_ERRORS { /* * Somebody threw an exception that means that there * was a problem dissecting the payload; that means * that a dissector was found, so we don't need to * dissect the payload as data or update the protocol * or info columns. * * Just show the exception and then continue dissecting * PDUs. */ show_exception(tvb, pinfo, tree, EXCEPT_CODE, GET_MESSAGE); /* * Presumably it looked enough like a DCE RPC PDU that we * dissected enough of it to throw an exception. */ dcerpc_pdus++; } ENDTRY; if (dcerpc_pdus == 0) { gboolean try_desegment = FALSE; if (dcerpc_cn_desegment && pinfo->can_desegment && !tvb_bytes_exist(tvb, offset, sizeof(e_dce_cn_common_hdr_t))) { /* look for a previous occurrence of the DCE-RPC protocol */ wmem_list_frame_t *cur; cur = wmem_list_frame_prev(wmem_list_tail(pinfo->layers)); while (cur != NULL) { if (proto_dcerpc == (gint)GPOINTER_TO_UINT(wmem_list_frame_data(cur))) { try_desegment = TRUE; break; } cur = wmem_list_frame_prev(cur); } } if (try_desegment) { /* It didn't look like DCE-RPC but we already had one DCE-RPC * layer in this packet and what we have is short. Assume that * it was just too short to tell and ask the TCP layer for more * data. */ pinfo->desegment_offset = offset; pinfo->desegment_len = (guint32)(sizeof(e_dce_cn_common_hdr_t) - tvb_reported_length_remaining(tvb, offset)); } else { /* Really not DCE-RPC */ break; } } /* * Well, we've seen at least one DCERPC PDU. */ ret = TRUE; /* if we had more than one Req/Resp in this PDU change the protocol column */ /* this will formerly contain the last interface name, which may not be the same for all Req/Resp */ if (dcerpc_pdus >= 2) col_add_fstr(pinfo->cinfo, COL_PROTOCOL, "%u*DCERPC", dcerpc_pdus); if (pdu_len == 0) { /* * Desegmentation required - bail now, but give the user a hint that desegmentation might be done later. */ proto_tree_add_uint_format(tree, hf_dcerpc_cn_deseg_req, tvb, offset, 0, tvb_reported_length_remaining(tvb, offset), "[DCE RPC: %u byte%s left, desegmentation might follow]", tvb_reported_length_remaining(tvb, offset), plurality(tvb_reported_length_remaining(tvb, offset), "", "s")); break; } /* * Step to the next PDU. */ offset += pdu_len; } return ret; } static gboolean dissect_dcerpc_cn_bs(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_) { dcerpc_decode_as_data* decode_data = dcerpc_get_decode_data(pinfo); decode_data->dcetransporttype = DCE_TRANSPORT_UNKNOWN; return dissect_dcerpc_cn_bs_body(tvb, pinfo, tree); } static guint get_dcerpc_pdu_len(packet_info *pinfo _U_, tvbuff_t *tvb, int offset, void *data _U_) { guint8 drep[4]; guint16 frag_len; tvb_memcpy(tvb, (guint8 *)drep, offset+4, sizeof(drep)); frag_len = dcerpc_tvb_get_ntohs(tvb, offset+8, drep); if (!frag_len) { /* tcp_dissect_pdus() interprets a 0 return value as meaning * "a PDU starts here, but the length cannot be determined yet, so * we need at least one more segment." However, a frag_len of 0 here * is instead a bogus length. Instead return 1, another bogus length * also less than our fixed length, so that the TCP dissector will * correctly interpret it as a bogus and report an error. */ frag_len = 1; } return frag_len; } static int dissect_dcerpc_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_) { int pdu_len = 0; dissect_dcerpc_cn(tvb, 0, pinfo, tree, /* Desegment is already handled by TCP, don't confuse it */ FALSE, &pdu_len); return pdu_len; } static gboolean dissect_dcerpc_tcp_heur(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data) { dcerpc_decode_as_data* decode_data; if (!is_dcerpc(tvb, 0, pinfo)) return 0; decode_data = dcerpc_get_decode_data(pinfo); decode_data->dcetransporttype = DCE_TRANSPORT_UNKNOWN; tcp_dissect_pdus(tvb, pinfo, tree, dcerpc_cn_desegment, sizeof(e_dce_cn_common_hdr_t), get_dcerpc_pdu_len, dissect_dcerpc_pdu, data); return TRUE; } static int dissect_dcerpc_tcp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data) { dcerpc_decode_as_data* decode_data; decode_data = dcerpc_get_decode_data(pinfo); decode_data->dcetransporttype = DCE_TRANSPORT_UNKNOWN; tcp_dissect_pdus(tvb, pinfo, tree, dcerpc_cn_desegment, sizeof(e_dce_cn_common_hdr_t), get_dcerpc_pdu_len, dissect_dcerpc_pdu, data); return tvb_captured_length(tvb); } static gboolean dissect_dcerpc_cn_smbpipe(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_) { dcerpc_decode_as_data* decode_data = dcerpc_get_decode_data(pinfo); decode_data->dcetransporttype = DCE_CN_TRANSPORT_SMBPIPE; return dissect_dcerpc_cn_bs_body(tvb, pinfo, tree); } static gboolean dissect_dcerpc_cn_smb2(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_) { dcerpc_decode_as_data* decode_data = dcerpc_get_decode_data(pinfo); decode_data->dcetransporttype = DCE_CN_TRANSPORT_SMBPIPE; return dissect_dcerpc_cn_bs_body(tvb, pinfo, tree); } static void dissect_dcerpc_dg_auth(tvbuff_t *tvb, int offset, proto_tree *dcerpc_tree, e_dce_dg_common_hdr_t *hdr, int *auth_level_p) { proto_tree *auth_tree = NULL; guint8 protection_level; /* * Initially set "*auth_level_p" to -1 to indicate that we haven't * yet seen any authentication level information. */ if (auth_level_p != NULL) *auth_level_p = -1; /* * The authentication information is at the *end* of the PDU; in * request and response PDUs, the request and response stub data * come before it. * * If the full packet is here, and there's data past the end of the * packet body, then dissect the auth info. */ offset += hdr->frag_len; if (tvb_reported_length_remaining(tvb, offset) > 0) { switch (hdr->auth_proto) { case DCE_C_RPC_AUTHN_PROTOCOL_KRB5: auth_tree = proto_tree_add_subtree(dcerpc_tree, tvb, offset, -1, ett_dcerpc_krb5_auth_verf, NULL, "Kerberos authentication verifier"); protection_level = tvb_get_guint8(tvb, offset); if (auth_level_p != NULL) *auth_level_p = protection_level; proto_tree_add_uint(auth_tree, hf_dcerpc_krb5_av_prot_level, tvb, offset, 1, protection_level); offset++; proto_tree_add_item(auth_tree, hf_dcerpc_krb5_av_key_vers_num, tvb, offset, 1, ENC_BIG_ENDIAN); offset++; if (protection_level == DCE_C_AUTHN_LEVEL_PKT_PRIVACY) offset += 6; /* 6 bytes of padding */ else offset += 2; /* 2 bytes of padding */ proto_tree_add_item(auth_tree, hf_dcerpc_krb5_av_key_auth_verifier, tvb, offset, 16, ENC_NA); /*offset += 16;*/ break; default: proto_tree_add_item(dcerpc_tree, hf_dcerpc_authentication_verifier, tvb, offset, -1, ENC_NA); break; } } } static void dissect_dcerpc_dg_cancel_ack(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *dcerpc_tree, e_dce_dg_common_hdr_t *hdr) { guint32 version; offset = dissect_dcerpc_uint32(tvb, offset, pinfo, dcerpc_tree, hdr->drep, hf_dcerpc_dg_cancel_vers, &version); switch (version) { case 0: /* The only version we know about */ offset = dissect_dcerpc_uint32(tvb, offset, pinfo, dcerpc_tree, hdr->drep, hf_dcerpc_dg_cancel_id, NULL); /*offset = */dissect_dcerpc_uint8(tvb, offset, pinfo, dcerpc_tree, hdr->drep, hf_dcerpc_dg_server_accepting_cancels, NULL); break; } } static void dissect_dcerpc_dg_cancel(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *dcerpc_tree, e_dce_dg_common_hdr_t *hdr) { guint32 version; offset = dissect_dcerpc_uint32(tvb, offset, pinfo, dcerpc_tree, hdr->drep, hf_dcerpc_dg_cancel_vers, &version); switch (version) { case 0: /* The only version we know about */ /*offset = */dissect_dcerpc_uint32(tvb, offset, pinfo, dcerpc_tree, hdr->drep, hf_dcerpc_dg_cancel_id, NULL); /* XXX - are NDR Booleans 32 bits? */ /* XXX - the RPC reference in chapter: "the cancel PDU" doesn't mention the accepting_cancels field (it's only in the cancel_ack PDU)! */ /*offset = dissect_dcerpc_uint32 (tvb, offset, pinfo, dcerpc_tree, hdr->drep, hf_dcerpc_dg_server_accepting_cancels, NULL);*/ break; } } static void dissect_dcerpc_dg_fack(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *dcerpc_tree, e_dce_dg_common_hdr_t *hdr) { guint8 version; guint16 serial_num; guint16 selack_len; guint i; offset = dissect_dcerpc_uint8(tvb, offset, pinfo, dcerpc_tree, hdr->drep, hf_dcerpc_dg_fack_vers, &version); /* padding */ offset++; switch (version) { case 0: /* The only version documented in the DCE RPC 1.1 spec */ case 1: /* This appears to be the same */ offset = dissect_dcerpc_uint16(tvb, offset, pinfo, dcerpc_tree, hdr->drep, hf_dcerpc_dg_fack_window_size, NULL); offset = dissect_dcerpc_uint32(tvb, offset, pinfo, dcerpc_tree, hdr->drep, hf_dcerpc_dg_fack_max_tsdu, NULL); offset = dissect_dcerpc_uint32(tvb, offset, pinfo, dcerpc_tree, hdr->drep, hf_dcerpc_dg_fack_max_frag_size, NULL); offset = dissect_dcerpc_uint16(tvb, offset, pinfo, dcerpc_tree, hdr->drep, hf_dcerpc_dg_fack_serial_num, &serial_num); col_append_fstr(pinfo->cinfo, COL_INFO, " serial: %u", serial_num); offset = dissect_dcerpc_uint16(tvb, offset, pinfo, dcerpc_tree, hdr->drep, hf_dcerpc_dg_fack_selack_len, &selack_len); for (i = 0; i < selack_len; i++) { offset = dissect_dcerpc_uint32(tvb, offset, pinfo, dcerpc_tree, hdr->drep, hf_dcerpc_dg_fack_selack, NULL); } break; } } static void dissect_dcerpc_dg_reject_fault(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *dcerpc_tree, e_dce_dg_common_hdr_t *hdr) { guint32 status; /*offset = */dissect_dcerpc_uint32(tvb, offset, pinfo, dcerpc_tree, hdr->drep, hf_dcerpc_dg_status, &status); col_append_fstr (pinfo->cinfo, COL_INFO, ": status: %s", val_to_str(status, reject_status_vals, "Unknown (0x%08x)")); } static void dissect_dcerpc_dg_stub(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *dcerpc_tree, proto_tree *tree, e_dce_dg_common_hdr_t *hdr, dcerpc_info *di) { int length, reported_length, stub_length; gboolean save_fragmented; fragment_head *fd_head; tvbuff_t *next_tvb; proto_item *pi; proto_item *parent_pi; col_append_fstr(pinfo->cinfo, COL_INFO, " opnum: %u len: %u", di->call_data->opnum, hdr->frag_len ); length = tvb_reported_length_remaining(tvb, offset); reported_length = tvb_reported_length_remaining(tvb, offset); stub_length = hdr->frag_len; if (length > stub_length) length = stub_length; if (reported_length > stub_length) reported_length = stub_length; save_fragmented = pinfo->fragmented; /* If we don't have reassembly enabled, or this packet contains the entire PDU, or if this is a short frame (or a frame not reassembled at a lower layer) that doesn't include all the data in the fragment, just call the handoff directly if this is the first fragment or the PDU isn't fragmented. */ if ( (!dcerpc_reassemble) || !(hdr->flags1 & PFCL1_FRAG) || !tvb_bytes_exist(tvb, offset, stub_length) ) { if (hdr->frag_num == 0) { /* First fragment, possibly the only fragment */ /* * XXX - authentication info? */ pinfo->fragmented = (hdr->flags1 & PFCL1_FRAG); next_tvb = tvb_new_subset_length_caplen(tvb, offset, length, reported_length); dcerpc_try_handoff(pinfo, tree, dcerpc_tree, next_tvb, TRUE, hdr->drep, di, NULL); } else { /* PDU is fragmented and this isn't the first fragment */ if (length > 0) { proto_tree_add_item(dcerpc_tree, hf_dcerpc_fragment_data, tvb, offset, stub_length, ENC_NA); } } } else { /* Reassembly is enabled, the PDU is fragmented, and we have all the data in the fragment; the first two of those mean we should attempt reassembly, and the third means we can attempt reassembly. */ if (length > 0) { proto_tree_add_item(dcerpc_tree, hf_dcerpc_fragment_data, tvb, offset, stub_length, ENC_NA); } fd_head = fragment_add_seq(&dcerpc_cl_reassembly_table, tvb, offset, pinfo, hdr->seqnum, (void *)hdr, hdr->frag_num, stub_length, !(hdr->flags1 & PFCL1_LASTFRAG), 0); if (fd_head != NULL) { /* We completed reassembly... */ if (pinfo->num == fd_head->reassembled_in) { /* ...and this is the reassembled RPC PDU */ next_tvb = tvb_new_chain(tvb, fd_head->tvb_data); add_new_data_source(pinfo, next_tvb, "Reassembled DCE/RPC"); show_fragment_seq_tree(fd_head, &dcerpc_frag_items, tree, pinfo, next_tvb, &pi); /* * XXX - authentication info? */ pinfo->fragmented = FALSE; dcerpc_try_handoff(pinfo, tree, dcerpc_tree, next_tvb, TRUE, hdr->drep, di, NULL); } else { /* ...and this isn't the reassembled RPC PDU */ pi = proto_tree_add_uint(dcerpc_tree, hf_dcerpc_reassembled_in, tvb, 0, 0, fd_head->reassembled_in); proto_item_set_generated(pi); parent_pi = proto_tree_get_parent(dcerpc_tree); if (parent_pi != NULL) { proto_item_append_text(parent_pi, ", [Reas: #%u]", fd_head->reassembled_in); } col_append_fstr(pinfo->cinfo, COL_INFO, " [DCE/RPC fragment, reas: #%u]", fd_head->reassembled_in); } } } pinfo->fragmented = save_fragmented; } static void dissect_dcerpc_dg_rqst(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *dcerpc_tree, proto_tree *tree, e_dce_dg_common_hdr_t *hdr, conversation_t *conv) { dcerpc_info *di; dcerpc_call_value *value; dcerpc_matched_key matched_key, *new_matched_key; proto_item *pi; proto_item *parent_pi; if (!(pinfo->fd->visited)) { dcerpc_call_value *call_value; dcerpc_dg_call_key *call_key; call_key = wmem_new(wmem_file_scope(), dcerpc_dg_call_key); call_key->conv = conv; call_key->seqnum = hdr->seqnum; call_key->act_id = hdr->act_id; call_value = wmem_new(wmem_file_scope(), dcerpc_call_value); call_value->uuid = hdr->if_id; call_value->ver = hdr->if_ver; call_value->object_uuid = hdr->obj_id; call_value->opnum = hdr->opnum; call_value->req_frame = pinfo->num; call_value->req_time = pinfo->abs_ts; call_value->rep_frame = 0; call_value->max_ptr = 0; call_value->se_data = NULL; call_value->private_data = NULL; call_value->pol = NULL; /* NDR64 is not available on dg transports ?*/ call_value->flags = 0; wmem_map_insert(dcerpc_dg_calls, call_key, call_value); new_matched_key = wmem_new(wmem_file_scope(), dcerpc_matched_key); new_matched_key->frame = pinfo->num; new_matched_key->call_id = hdr->seqnum; wmem_map_insert(dcerpc_matched, new_matched_key, call_value); } matched_key.frame = pinfo->num; matched_key.call_id = hdr->seqnum; value = (dcerpc_call_value *)wmem_map_lookup(dcerpc_matched, &matched_key); if (!value) { value = wmem_new(pinfo->pool, dcerpc_call_value); value->uuid = hdr->if_id; value->ver = hdr->if_ver; value->object_uuid = hdr->obj_id; value->opnum = hdr->opnum; value->req_frame = pinfo->num; value->rep_frame = 0; value->max_ptr = 0; value->se_data = NULL; value->private_data = NULL; } di = wmem_new0(pinfo->pool, dcerpc_info); di->dcerpc_procedure_name = ""; di->conv = conv; di->call_id = hdr->seqnum; di->transport_salt = -1; di->ptype = PDU_REQ; di->call_data = value; if (value->rep_frame != 0) { pi = proto_tree_add_uint(dcerpc_tree, hf_dcerpc_response_in, tvb, 0, 0, value->rep_frame); proto_item_set_generated(pi); parent_pi = proto_tree_get_parent(dcerpc_tree); if (parent_pi != NULL) { proto_item_append_text(parent_pi, ", [Resp: #%u]", value->rep_frame); } } dissect_dcerpc_dg_stub(tvb, offset, pinfo, dcerpc_tree, tree, hdr, di); } static void dissect_dcerpc_dg_resp(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *dcerpc_tree, proto_tree *tree, e_dce_dg_common_hdr_t *hdr, conversation_t *conv) { dcerpc_info *di; dcerpc_call_value *value; dcerpc_matched_key matched_key, *new_matched_key; proto_item *pi; proto_item *parent_pi; if (!(pinfo->fd->visited)) { dcerpc_call_value *call_value; dcerpc_dg_call_key call_key; call_key.conv = conv; call_key.seqnum = hdr->seqnum; call_key.act_id = hdr->act_id; if ((call_value = (dcerpc_call_value *)wmem_map_lookup(dcerpc_dg_calls, &call_key))) { new_matched_key = wmem_new(wmem_file_scope(), dcerpc_matched_key); new_matched_key->frame = pinfo->num; new_matched_key->call_id = hdr->seqnum; wmem_map_insert(dcerpc_matched, new_matched_key, call_value); if (call_value->rep_frame == 0) { call_value->rep_frame = pinfo->num; } } } matched_key.frame = pinfo->num; matched_key.call_id = hdr->seqnum; value = (dcerpc_call_value *)wmem_map_lookup(dcerpc_matched, &matched_key); if (!value) { value = wmem_new0(pinfo->pool, dcerpc_call_value); value->uuid = hdr->if_id; value->ver = hdr->if_ver; value->object_uuid = hdr->obj_id; value->opnum = hdr->opnum; value->rep_frame = pinfo->num; } di = wmem_new0(pinfo->pool, dcerpc_info); di->dcerpc_procedure_name = ""; di->conv = conv; di->transport_salt = -1; di->ptype = PDU_RESP; di->call_data = value; if (value->req_frame != 0) { nstime_t delta_ts; pi = proto_tree_add_uint(dcerpc_tree, hf_dcerpc_request_in, tvb, 0, 0, value->req_frame); proto_item_set_generated(pi); parent_pi = proto_tree_get_parent(dcerpc_tree); if (parent_pi != NULL) { proto_item_append_text(parent_pi, ", [Req: #%u]", value->req_frame); } nstime_delta(&delta_ts, &pinfo->abs_ts, &value->req_time); pi = proto_tree_add_time(dcerpc_tree, hf_dcerpc_time, tvb, offset, 0, &delta_ts); proto_item_set_generated(pi); } else { proto_tree_add_expert(dcerpc_tree, pinfo, &ei_dcerpc_no_request_found, tvb, 0, 0); } dissect_dcerpc_dg_stub(tvb, offset, pinfo, dcerpc_tree, tree, hdr, di); } static void dissect_dcerpc_dg_ping_ack(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *dcerpc_tree, e_dce_dg_common_hdr_t *hdr, conversation_t *conv) { proto_item *parent_pi; /* if (!(pinfo->fd->visited)) {*/ dcerpc_call_value *call_value; dcerpc_dg_call_key call_key; call_key.conv = conv; call_key.seqnum = hdr->seqnum; call_key.act_id = hdr->act_id; if ((call_value = (dcerpc_call_value *)wmem_map_lookup(dcerpc_dg_calls, &call_key))) { proto_item *pi; nstime_t delta_ts; pi = proto_tree_add_uint(dcerpc_tree, hf_dcerpc_request_in, tvb, 0, 0, call_value->req_frame); proto_item_set_generated(pi); parent_pi = proto_tree_get_parent(dcerpc_tree); if (parent_pi != NULL) { proto_item_append_text(parent_pi, ", [Req: #%u]", call_value->req_frame); } col_append_fstr(pinfo->cinfo, COL_INFO, " [req: #%u]", call_value->req_frame); nstime_delta(&delta_ts, &pinfo->abs_ts, &call_value->req_time); pi = proto_tree_add_time(dcerpc_tree, hf_dcerpc_time, tvb, offset, 0, &delta_ts); proto_item_set_generated(pi); /* }*/ } } /* * DCERPC dissector for connectionless calls */ static gboolean dissect_dcerpc_dg(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_) { proto_item *ti = NULL; proto_tree *dcerpc_tree = NULL; e_dce_dg_common_hdr_t hdr; int offset = 0; conversation_t *conv; int auth_level; char *uuid_str; const char *uuid_name = NULL; static int * const hdr_flags1[] = { &hf_dcerpc_dg_flags1_rsrvd_80, &hf_dcerpc_dg_flags1_broadcast, &hf_dcerpc_dg_flags1_idempotent, &hf_dcerpc_dg_flags1_maybe, &hf_dcerpc_dg_flags1_nofack, &hf_dcerpc_dg_flags1_frag, &hf_dcerpc_dg_flags1_last_frag, &hf_dcerpc_dg_flags1_rsrvd_01, NULL }; static int * const hdr_flags2[] = { &hf_dcerpc_dg_flags2_rsrvd_80, &hf_dcerpc_dg_flags2_rsrvd_40, &hf_dcerpc_dg_flags2_rsrvd_20, &hf_dcerpc_dg_flags2_rsrvd_10, &hf_dcerpc_dg_flags2_rsrvd_08, &hf_dcerpc_dg_flags2_rsrvd_04, &hf_dcerpc_dg_flags2_cancel_pending, &hf_dcerpc_dg_flags2_rsrvd_01, NULL }; /* * Check if this looks like a CL DCERPC call. All dg packets * have an 80 byte header on them. Which starts with * version (4), pkt_type. */ if (tvb_reported_length(tvb) < sizeof (hdr)) { return FALSE; } /* Version must be 4 */ hdr.rpc_ver = tvb_get_guint8(tvb, offset++); if (hdr.rpc_ver != 4) return FALSE; /* Type must be <= PDU_CANCEL_ACK or it's not connectionless DCE/RPC */ hdr.ptype = tvb_get_guint8(tvb, offset++); if (hdr.ptype > PDU_CANCEL_ACK) return FALSE; /* flags1 has bit 1 and 8 as reserved for implementations, with no indication that they must be set to 0, so we don't check them. */ hdr.flags1 = tvb_get_guint8(tvb, offset++); /* flags2 has bit 1 reserved for implementations, bit 2 used, and the other bits reserved for future use and specified as "must be set to 0", so if any of the other bits are set it is probably not DCE/RPC. */ hdr.flags2 = tvb_get_guint8(tvb, offset++); if (hdr.flags2&0xfc) return FALSE; tvb_memcpy(tvb, (guint8 *)hdr.drep, offset, sizeof (hdr.drep)); offset += (int)sizeof (hdr.drep); if (hdr.drep[0]&0xee) return FALSE; if (hdr.drep[1] > DCE_RPC_DREP_FP_IBM) return FALSE; col_set_str(pinfo->cinfo, COL_PROTOCOL, "DCERPC"); col_add_str(pinfo->cinfo, COL_INFO, pckt_vals[hdr.ptype].strptr); hdr.serial_hi = tvb_get_guint8(tvb, offset++); dcerpc_tvb_get_uuid(tvb, offset, hdr.drep, &hdr.obj_id); offset += 16; dcerpc_tvb_get_uuid(tvb, offset, hdr.drep, &hdr.if_id); offset += 16; dcerpc_tvb_get_uuid(tvb, offset, hdr.drep, &hdr.act_id); offset += 16; hdr.server_boot = dcerpc_tvb_get_ntohl(tvb, offset, hdr.drep); offset += 4; hdr.if_ver = dcerpc_tvb_get_ntohl(tvb, offset, hdr.drep); offset += 4; hdr.seqnum = dcerpc_tvb_get_ntohl(tvb, offset, hdr.drep); offset += 4; hdr.opnum = dcerpc_tvb_get_ntohs(tvb, offset, hdr.drep); offset += 2; hdr.ihint = dcerpc_tvb_get_ntohs(tvb, offset, hdr.drep); offset += 2; hdr.ahint = dcerpc_tvb_get_ntohs(tvb, offset, hdr.drep); offset += 2; hdr.frag_len = dcerpc_tvb_get_ntohs(tvb, offset, hdr.drep); offset += 2; hdr.frag_num = dcerpc_tvb_get_ntohs(tvb, offset, hdr.drep); offset += 2; hdr.auth_proto = tvb_get_guint8(tvb, offset++); hdr.serial_lo = tvb_get_guint8(tvb, offset++); if (tree) { ti = proto_tree_add_item(tree, proto_dcerpc, tvb, 0, -1, ENC_NA); if (ti) { dcerpc_tree = proto_item_add_subtree(ti, ett_dcerpc); proto_item_append_text(ti, " %s, Seq: %u, Serial: %u, Frag: %u, FragLen: %u", val_to_str(hdr.ptype, pckt_vals, "Unknown (0x%02x)"), hdr.seqnum, hdr.serial_hi*256+hdr.serial_lo, hdr.frag_num, hdr.frag_len); } } offset = 0; proto_tree_add_uint(dcerpc_tree, hf_dcerpc_ver, tvb, offset, 1, hdr.rpc_ver); offset++; proto_tree_add_uint(dcerpc_tree, hf_dcerpc_packet_type, tvb, offset, 1, hdr.ptype); offset++; proto_tree_add_bitmask_value(dcerpc_tree, tvb, offset, hf_dcerpc_dg_flags1, ett_dcerpc_dg_flags1, hdr_flags1, hdr.flags1); offset++; proto_tree_add_bitmask_value(dcerpc_tree, tvb, offset, hf_dcerpc_dg_flags2, ett_dcerpc_dg_flags2, hdr_flags2, hdr.flags2); offset++; if (tree) { proto_tree_add_dcerpc_drep(dcerpc_tree, tvb, offset, hdr.drep, (int)sizeof (hdr.drep)); } offset += (int)sizeof (hdr.drep); if (tree) proto_tree_add_uint(dcerpc_tree, hf_dcerpc_dg_serial_hi, tvb, offset, 1, hdr.serial_hi); offset++; if (tree) { proto_tree_add_guid_format(dcerpc_tree, hf_dcerpc_obj_id, tvb, offset, 16, (e_guid_t *) &hdr.obj_id, "Object UUID: %s", guid_to_str(pinfo->pool, (e_guid_t *) &hdr.obj_id)); } offset += 16; if (tree) { uuid_str = guid_to_str(pinfo->pool, (e_guid_t*)&hdr.if_id); uuid_name = guids_get_uuid_name(&hdr.if_id, pinfo->pool); if (uuid_name) { proto_tree_add_guid_format(dcerpc_tree, hf_dcerpc_dg_if_id, tvb, offset, 16, (e_guid_t *) &hdr.if_id, "Interface: %s UUID: %s", uuid_name, uuid_str); } else { proto_tree_add_guid_format(dcerpc_tree, hf_dcerpc_dg_if_id, tvb, offset, 16, (e_guid_t *) &hdr.if_id, "Interface UUID: %s", uuid_str); } } offset += 16; if (tree) { proto_tree_add_guid_format(dcerpc_tree, hf_dcerpc_dg_act_id, tvb, offset, 16, (e_guid_t *) &hdr.act_id, "Activity: %s", guid_to_str(pinfo->pool, (e_guid_t *) &hdr.act_id)); } offset += 16; if (tree) { nstime_t server_boot; server_boot.secs = hdr.server_boot; server_boot.nsecs = 0; if (hdr.server_boot == 0) proto_tree_add_time_format_value(dcerpc_tree, hf_dcerpc_dg_server_boot, tvb, offset, 4, &server_boot, "Unknown (0)"); else proto_tree_add_time(dcerpc_tree, hf_dcerpc_dg_server_boot, tvb, offset, 4, &server_boot); } offset += 4; if (tree) proto_tree_add_uint(dcerpc_tree, hf_dcerpc_dg_if_ver, tvb, offset, 4, hdr.if_ver); offset += 4; if (tree) proto_tree_add_uint(dcerpc_tree, hf_dcerpc_dg_seqnum, tvb, offset, 4, hdr.seqnum); col_append_fstr(pinfo->cinfo, COL_INFO, ": seq: %u", hdr.seqnum); offset += 4; if (tree) proto_tree_add_uint(dcerpc_tree, hf_dcerpc_opnum, tvb, offset, 2, hdr.opnum); offset += 2; if (tree) proto_tree_add_uint(dcerpc_tree, hf_dcerpc_dg_ihint, tvb, offset, 2, hdr.ihint); offset += 2; if (tree) proto_tree_add_uint(dcerpc_tree, hf_dcerpc_dg_ahint, tvb, offset, 2, hdr.ahint); offset += 2; if (tree) proto_tree_add_uint(dcerpc_tree, hf_dcerpc_dg_frag_len, tvb, offset, 2, hdr.frag_len); offset += 2; if (tree) proto_tree_add_uint(dcerpc_tree, hf_dcerpc_dg_frag_num, tvb, offset, 2, hdr.frag_num); if (hdr.flags1 & PFCL1_FRAG) { /* Fragmented - put the fragment number into the Info column */ col_append_fstr(pinfo->cinfo, COL_INFO, " frag: %u", hdr.frag_num); } offset += 2; if (tree) proto_tree_add_uint(dcerpc_tree, hf_dcerpc_dg_auth_proto, tvb, offset, 1, hdr.auth_proto); offset++; if (tree) proto_tree_add_uint(dcerpc_tree, hf_dcerpc_dg_serial_lo, tvb, offset, 1, hdr.serial_lo); if (hdr.flags1 & PFCL1_FRAG) { /* Fragmented - put the serial number into the Info column */ col_append_fstr(pinfo->cinfo, COL_INFO, " serial: %u", (hdr.serial_hi << 8) | hdr.serial_lo); } offset++; if (tree) { /* * XXX - for Kerberos, we get a protection level; if it's * DCE_C_AUTHN_LEVEL_PKT_PRIVACY, we can't dissect the * stub data. */ dissect_dcerpc_dg_auth(tvb, offset, dcerpc_tree, &hdr, &auth_level); } /* * keeping track of the conversation shouldn't really be necessary * for connectionless packets, because everything we need to know * to dissect is in the header for each packet. Unfortunately, * Microsoft's implementation is buggy and often puts the * completely wrong if_id in the header. go figure. So, keep * track of the seqnum and use that if possible. Note: that's not * completely correct. It should really be done based on both the * activity_id and seqnum. I haven't seen anywhere that it would * make a difference, but for future reference... */ conv = find_or_create_conversation(pinfo); /* * Packet type specific stuff is next. */ switch (hdr.ptype) { case PDU_CANCEL_ACK: /* Body is optional */ /* XXX - we assume "frag_len" is the length of the body */ if (hdr.frag_len != 0) dissect_dcerpc_dg_cancel_ack(tvb, offset, pinfo, dcerpc_tree, &hdr); break; case PDU_CL_CANCEL: /* * XXX - The DCE RPC 1.1 spec doesn't say the body is optional, * but in at least one capture none of the Cl_cancel PDUs had a * body. */ /* XXX - we assume "frag_len" is the length of the body */ if (hdr.frag_len != 0) dissect_dcerpc_dg_cancel(tvb, offset, pinfo, dcerpc_tree, &hdr); break; case PDU_NOCALL: /* Body is optional; if present, it's the same as PDU_FACK */ /* XXX - we assume "frag_len" is the length of the body */ if (hdr.frag_len != 0) dissect_dcerpc_dg_fack(tvb, offset, pinfo, dcerpc_tree, &hdr); break; case PDU_FACK: /* Body is optional */ /* XXX - we assume "frag_len" is the length of the body */ if (hdr.frag_len != 0) dissect_dcerpc_dg_fack(tvb, offset, pinfo, dcerpc_tree, &hdr); break; case PDU_REJECT: case PDU_FAULT: dissect_dcerpc_dg_reject_fault(tvb, offset, pinfo, dcerpc_tree, &hdr); break; case PDU_REQ: dissect_dcerpc_dg_rqst(tvb, offset, pinfo, dcerpc_tree, tree, &hdr, conv); break; case PDU_RESP: dissect_dcerpc_dg_resp(tvb, offset, pinfo, dcerpc_tree, tree, &hdr, conv); break; /* these requests have no body */ case PDU_ACK: case PDU_PING: dissect_dcerpc_dg_ping_ack(tvb, offset, pinfo, dcerpc_tree, &hdr, conv); break; case PDU_WORKING: default: break; } return TRUE; } static void dcerpc_auth_subdissector_list_free(gpointer p, gpointer user_data _U_) { g_free(p); } static void dcerpc_shutdown(void) { g_slist_foreach(dcerpc_auth_subdissector_list, dcerpc_auth_subdissector_list_free, NULL); g_slist_free(dcerpc_auth_subdissector_list); g_hash_table_destroy(dcerpc_uuids); tvb_free(tvb_trailer_signature); } void proto_register_dcerpc(void) { static hf_register_info hf[] = { { &hf_dcerpc_request_in, { "Request in frame", "dcerpc.request_in", FT_FRAMENUM, BASE_NONE, NULL, 0, "This packet is a response to the packet with this number", HFILL }}, { &hf_dcerpc_response_in, { "Response in frame", "dcerpc.response_in", FT_FRAMENUM, BASE_NONE, NULL, 0, "This packet will be responded in the packet with this number", HFILL }}, { &hf_dcerpc_referent_id32, { "Referent ID", "dcerpc.referent_id", FT_UINT32, BASE_HEX, NULL, 0, "Referent ID for this NDR encoded pointer", HFILL }}, { &hf_dcerpc_referent_id64, { "Referent ID", "dcerpc.referent_id64", FT_UINT64, BASE_HEX, NULL, 0, "Referent ID for this NDR encoded pointer", HFILL }}, { &hf_dcerpc_ver, { "Version", "dcerpc.ver", FT_UINT8, BASE_DEC, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_ver_minor, { "Version (minor)", "dcerpc.ver_minor", FT_UINT8, BASE_DEC, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_packet_type, { "Packet type", "dcerpc.pkt_type", FT_UINT8, BASE_DEC, VALS(pckt_vals), 0x0, NULL, HFILL }}, { &hf_dcerpc_cn_flags, { "Packet Flags", "dcerpc.cn_flags", FT_UINT8, BASE_HEX, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_cn_flags_first_frag, { "First Frag", "dcerpc.cn_flags.first_frag", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFC_FIRST_FRAG, NULL, HFILL }}, { &hf_dcerpc_cn_flags_last_frag, { "Last Frag", "dcerpc.cn_flags.last_frag", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFC_LAST_FRAG, NULL, HFILL }}, { &hf_dcerpc_cn_flags_cancel_pending, { "Cancel Pending", "dcerpc.cn_flags.cancel_pending", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFC_PENDING_CANCEL, NULL, HFILL }}, { &hf_dcerpc_cn_flags_reserved, { "Reserved", "dcerpc.cn_flags.reserved", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFC_RESERVED_1, NULL, HFILL }}, { &hf_dcerpc_cn_flags_mpx, { "Multiplex", "dcerpc.cn_flags.mpx", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFC_CONC_MPX, NULL, HFILL }}, { &hf_dcerpc_cn_flags_dne, { "Did Not Execute", "dcerpc.cn_flags.dne", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFC_DID_NOT_EXECUTE, NULL, HFILL }}, { &hf_dcerpc_cn_flags_maybe, { "Maybe", "dcerpc.cn_flags.maybe", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFC_MAYBE, NULL, HFILL }}, { &hf_dcerpc_cn_flags_object, { "Object", "dcerpc.cn_flags.object", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFC_OBJECT_UUID, NULL, HFILL }}, { &hf_dcerpc_drep, { "Data Representation", "dcerpc.drep", FT_BYTES, BASE_NONE, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_drep_byteorder, { "Byte order", "dcerpc.drep.byteorder", FT_UINT8, BASE_DEC, VALS(drep_byteorder_vals), 0x0, NULL, HFILL }}, { &hf_dcerpc_ndr_padding, { "NDR-Padding", "dcerpc.ndr_padding", FT_BYTES, BASE_NONE, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_drep_character, { "Character", "dcerpc.drep.character", FT_UINT8, BASE_DEC, VALS(drep_character_vals), 0x0, NULL, HFILL }}, { &hf_dcerpc_drep_fp, { "Floating-point", "dcerpc.drep.fp", FT_UINT8, BASE_DEC, VALS(drep_fp_vals), 0x0, NULL, HFILL }}, { &hf_dcerpc_cn_frag_len, { "Frag Length", "dcerpc.cn_frag_len", FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_cn_auth_len, { "Auth Length", "dcerpc.cn_auth_len", FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_cn_call_id, { "Call ID", "dcerpc.cn_call_id", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_cn_max_xmit, { "Max Xmit Frag", "dcerpc.cn_max_xmit", FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_cn_max_recv, { "Max Recv Frag", "dcerpc.cn_max_recv", FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_cn_assoc_group, { "Assoc Group", "dcerpc.cn_assoc_group", FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_cn_num_ctx_items, { "Num Ctx Items", "dcerpc.cn_num_ctx_items", FT_UINT8, BASE_DEC, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_cn_ctx_item, { "Ctx Item", "dcerpc.cn_ctx_item", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_cn_ctx_id, { "Context ID", "dcerpc.cn_ctx_id", FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_cn_num_trans_items, { "Num Trans Items", "dcerpc.cn_num_trans_items", FT_UINT8, BASE_DEC, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_cn_bind_abstract_syntax, { "Abstract Syntax", "dcerpc.cn_bind_abstract_syntax", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_cn_bind_if_id, { "Interface UUID", "dcerpc.cn_bind_to_uuid", FT_GUID, BASE_NONE, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_cn_bind_if_ver, { "Interface Ver", "dcerpc.cn_bind_if_ver", FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_cn_bind_if_ver_minor, { "Interface Ver Minor", "dcerpc.cn_bind_if_ver_minor", FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_cn_bind_trans_syntax, { "Transfer Syntax", "dcerpc.cn_bind_trans", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_cn_bind_trans_id, { "ID", "dcerpc.cn_bind_trans_id", FT_GUID, BASE_NONE, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_cn_bind_trans_ver, { "ver", "dcerpc.cn_bind_trans_ver", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_cn_bind_trans_btfn, /* [MS-RPCE] 2.2.2.14 */ {"Bind Time Features", "dcerpc.cn_bind_trans_btfn", FT_UINT16, BASE_HEX, NULL, 0, NULL, HFILL }}, { &hf_dcerpc_cn_bind_trans_btfn_01, { "Security Context Multiplexing Supported", "dcerpc.cn_bind_trans_btfn.01", FT_BOOLEAN, 16, NULL, 0x0001, NULL, HFILL }}, { &hf_dcerpc_cn_bind_trans_btfn_02, { "Keep Connection On Orphan Supported", "dcerpc.cn_bind_trans_btfn.02", FT_BOOLEAN, 16, NULL, 0x0002, NULL, HFILL }}, { &hf_dcerpc_cn_alloc_hint, { "Alloc hint", "dcerpc.cn_alloc_hint", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_cn_sec_addr_len, { "Scndry Addr len", "dcerpc.cn_sec_addr_len", FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_cn_sec_addr, { "Scndry Addr", "dcerpc.cn_sec_addr", FT_STRINGZ, BASE_NONE, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_cn_num_results, { "Num results", "dcerpc.cn_num_results", FT_UINT8, BASE_DEC, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_cn_ack_result, { "Ack result", "dcerpc.cn_ack_result", FT_UINT16, BASE_DEC, VALS(p_cont_result_vals), 0x0, NULL, HFILL }}, { &hf_dcerpc_cn_ack_reason, { "Ack reason", "dcerpc.cn_ack_reason", FT_UINT16, BASE_DEC, VALS(p_provider_reason_vals), 0x0, NULL, HFILL }}, { &hf_dcerpc_cn_ack_trans_id, { "Transfer Syntax", "dcerpc.cn_ack_trans_id", FT_GUID, BASE_NONE, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_cn_ack_trans_ver, { "Syntax ver", "dcerpc.cn_ack_trans_ver", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_cn_reject_reason, { "Reject reason", "dcerpc.cn_reject_reason", FT_UINT16, BASE_DEC, VALS(reject_reason_vals), 0x0, NULL, HFILL }}, { &hf_dcerpc_cn_num_protocols, { "Number of protocols", "dcerpc.cn_num_protocols", FT_UINT8, BASE_DEC, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_cn_protocol_ver_major, { "Protocol major version", "dcerpc.cn_protocol_ver_major", FT_UINT8, BASE_DEC, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_cn_protocol_ver_minor, { "Protocol minor version", "dcerpc.cn_protocol_ver_minor", FT_UINT8, BASE_DEC, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_cn_cancel_count, { "Cancel count", "dcerpc.cn_cancel_count", FT_UINT8, BASE_DEC, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_cn_fault_flags, { "Fault flags", "dcerpc.cn_fault_flags", FT_UINT8, BASE_HEX, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_cn_fault_flags_extended_error_info, { "Extended error information present", "dcerpc.cn_fault_flags.extended_error", FT_BOOLEAN, 8, NULL, 0x1, NULL, HFILL }}, { &hf_dcerpc_cn_status, { "Status", "dcerpc.cn_status", FT_UINT32, BASE_HEX, VALS(reject_status_vals), 0x0, NULL, HFILL }}, { &hf_dcerpc_cn_deseg_req, { "Desegmentation Required", "dcerpc.cn_deseg_req", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_auth_type, { "Auth type", "dcerpc.auth_type", FT_UINT8, BASE_DEC, VALS(authn_protocol_vals), 0x0, NULL, HFILL }}, { &hf_dcerpc_auth_level, { "Auth level", "dcerpc.auth_level", FT_UINT8, BASE_DEC, VALS(authn_level_vals), 0x0, NULL, HFILL }}, { &hf_dcerpc_auth_pad_len, { "Auth pad len", "dcerpc.auth_pad_len", FT_UINT8, BASE_DEC, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_auth_rsrvd, { "Auth Rsrvd", "dcerpc.auth_rsrvd", FT_UINT8, BASE_DEC, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_auth_ctx_id, { "Auth Context ID", "dcerpc.auth_ctx_id", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_dg_flags1, { "Flags1", "dcerpc.dg_flags1", FT_UINT8, BASE_HEX, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_dg_flags1_rsrvd_01, { "Reserved for implementation", "dcerpc.dg_flags1_rsrvd_01", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFCL1_RESERVED_01, NULL, HFILL }}, { &hf_dcerpc_dg_flags1_last_frag, { "Last Fragment", "dcerpc.dg_flags1_last_frag", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFCL1_LASTFRAG, NULL, HFILL }}, { &hf_dcerpc_dg_flags1_frag, { "Fragment", "dcerpc.dg_flags1_frag", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFCL1_FRAG, NULL, HFILL }}, { &hf_dcerpc_dg_flags1_nofack, { "No Fack", "dcerpc.dg_flags1_nofack", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFCL1_NOFACK, NULL, HFILL }}, { &hf_dcerpc_dg_flags1_maybe, { "Maybe", "dcerpc.dg_flags1_maybe", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFCL1_MAYBE, NULL, HFILL }}, { &hf_dcerpc_dg_flags1_idempotent, { "Idempotent", "dcerpc.dg_flags1_idempotent", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFCL1_IDEMPOTENT, NULL, HFILL }}, { &hf_dcerpc_dg_flags1_broadcast, { "Broadcast", "dcerpc.dg_flags1_broadcast", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFCL1_BROADCAST, NULL, HFILL }}, { &hf_dcerpc_dg_flags1_rsrvd_80, { "Reserved for implementation", "dcerpc.dg_flags1_rsrvd_80", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFCL1_RESERVED_80, NULL, HFILL }}, { &hf_dcerpc_dg_flags2, { "Flags2", "dcerpc.dg_flags2", FT_UINT8, BASE_HEX, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_dg_flags2_rsrvd_01, { "Reserved for implementation", "dcerpc.dg_flags2_rsrvd_01", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFCL2_RESERVED_01, NULL, HFILL }}, { &hf_dcerpc_dg_flags2_cancel_pending, { "Cancel Pending", "dcerpc.dg_flags2_cancel_pending", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFCL2_CANCEL_PENDING, NULL, HFILL }}, { &hf_dcerpc_dg_flags2_rsrvd_04, { "Reserved for future use (MBZ)", "dcerpc.dg_flags2_rsrvd_04", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFCL2_RESERVED_04, NULL, HFILL }}, { &hf_dcerpc_dg_flags2_rsrvd_08, { "Reserved for future use (MBZ)", "dcerpc.dg_flags2_rsrvd_08", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFCL2_RESERVED_08, NULL, HFILL }}, { &hf_dcerpc_dg_flags2_rsrvd_10, { "Reserved for future use (MBZ)", "dcerpc.dg_flags2_rsrvd_10", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFCL2_RESERVED_10, NULL, HFILL }}, { &hf_dcerpc_dg_flags2_rsrvd_20, { "Reserved for future use (MBZ)", "dcerpc.dg_flags2_rsrvd_20", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFCL2_RESERVED_20, NULL, HFILL }}, { &hf_dcerpc_dg_flags2_rsrvd_40, { "Reserved for future use (MBZ)", "dcerpc.dg_flags2_rsrvd_40", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFCL2_RESERVED_40, NULL, HFILL }}, { &hf_dcerpc_dg_flags2_rsrvd_80, { "Reserved for future use (MBZ)", "dcerpc.dg_flags2_rsrvd_80", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFCL2_RESERVED_80, NULL, HFILL }}, { &hf_dcerpc_dg_serial_lo, { "Serial Low", "dcerpc.dg_serial_lo", FT_UINT8, BASE_HEX, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_dg_serial_hi, { "Serial High", "dcerpc.dg_serial_hi", FT_UINT8, BASE_HEX, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_dg_ahint, { "Activity Hint", "dcerpc.dg_ahint", FT_UINT16, BASE_HEX, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_dg_ihint, { "Interface Hint", "dcerpc.dg_ihint", FT_UINT16, BASE_HEX, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_dg_frag_len, { "Fragment len", "dcerpc.dg_frag_len", FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_dg_frag_num, { "Fragment num", "dcerpc.dg_frag_num", FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_dg_auth_proto, { "Auth proto", "dcerpc.dg_auth_proto", FT_UINT8, BASE_DEC, VALS(authn_protocol_vals), 0x0, NULL, HFILL }}, { &hf_dcerpc_dg_seqnum, { "Sequence num", "dcerpc.dg_seqnum", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_dg_server_boot, { "Server boot time", "dcerpc.dg_server_boot", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_dg_if_ver, { "Interface Ver", "dcerpc.dg_if_ver", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_krb5_av_prot_level, { "Protection Level", "dcerpc.krb5_av.prot_level", FT_UINT8, BASE_DEC, VALS(authn_level_vals), 0x0, NULL, HFILL }}, { &hf_dcerpc_krb5_av_key_vers_num, { "Key Version Number", "dcerpc.krb5_av.key_vers_num", FT_UINT8, BASE_DEC, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_krb5_av_key_auth_verifier, { "Authentication Verifier", "dcerpc.krb5_av.auth_verifier", FT_BYTES, BASE_NONE, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_obj_id, { "Object", "dcerpc.obj_id", FT_GUID, BASE_NONE, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_dg_if_id, { "Interface", "dcerpc.dg_if_id", FT_GUID, BASE_NONE, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_dg_act_id, { "Activity", "dcerpc.dg_act_id", FT_GUID, BASE_NONE, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_opnum, { "Opnum", "dcerpc.opnum", FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_dg_cancel_vers, { "Cancel Version", "dcerpc.dg_cancel_vers", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_dg_cancel_id, { "Cancel ID", "dcerpc.dg_cancel_id", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_dg_server_accepting_cancels, { "Server accepting cancels", "dcerpc.server_accepting_cancels", FT_BOOLEAN, BASE_NONE, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_dg_fack_vers, { "FACK Version", "dcerpc.fack_vers", FT_UINT8, BASE_DEC, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_dg_fack_window_size, { "Window Size", "dcerpc.fack_window_size", FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_dg_fack_max_tsdu, { "Max TSDU", "dcerpc.fack_max_tsdu", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_dg_fack_max_frag_size, { "Max Frag Size", "dcerpc.fack_max_frag_size", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_dg_fack_serial_num, { "Serial Num", "dcerpc.fack_serial_num", FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_dg_fack_selack_len, { "Selective ACK Len", "dcerpc.fack_selack_len", FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_dg_fack_selack, { "Selective ACK", "dcerpc.fack_selack", FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_dg_status, { "Status", "dcerpc.dg_status", FT_UINT32, BASE_HEX, VALS(reject_status_vals), 0x0, NULL, HFILL }}, { &hf_dcerpc_array_max_count, { "Max Count", "dcerpc.array.max_count", FT_UINT32, BASE_DEC, NULL, 0x0, "Maximum Count: Number of elements in the array", HFILL }}, { &hf_dcerpc_array_offset, { "Offset", "dcerpc.array.offset", FT_UINT32, BASE_DEC, NULL, 0x0, "Offset for first element in array", HFILL }}, { &hf_dcerpc_array_actual_count, { "Actual Count", "dcerpc.array.actual_count", FT_UINT32, BASE_DEC, NULL, 0x0, "Actual Count: Actual number of elements in the array", HFILL }}, { &hf_dcerpc_op, { "Operation", "dcerpc.op", FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_null_pointer, { "NULL Pointer", "dcerpc.null_pointer", FT_BYTES, BASE_NONE, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_fragments, { "Reassembled DCE/RPC Fragments", "dcerpc.fragments", FT_NONE, BASE_NONE, NULL, 0x0, "DCE/RPC Fragments", HFILL }}, { &hf_dcerpc_fragment, { "DCE/RPC Fragment", "dcerpc.fragment", FT_FRAMENUM, BASE_NONE, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_fragment_overlap, { "Fragment overlap", "dcerpc.fragment.overlap", FT_BOOLEAN, BASE_NONE, NULL, 0x0, "Fragment overlaps with other fragments", HFILL }}, { &hf_dcerpc_fragment_overlap_conflict, { "Conflicting data in fragment overlap", "dcerpc.fragment.overlap.conflict", FT_BOOLEAN, BASE_NONE, NULL, 0x0, "Overlapping fragments contained conflicting data", HFILL }}, { &hf_dcerpc_fragment_multiple_tails, { "Multiple tail fragments found", "dcerpc.fragment.multipletails", FT_BOOLEAN, BASE_NONE, NULL, 0x0, "Several tails were found when defragmenting the packet", HFILL }}, { &hf_dcerpc_fragment_too_long_fragment, { "Fragment too long", "dcerpc.fragment.toolongfragment", FT_BOOLEAN, BASE_NONE, NULL, 0x0, "Fragment contained data past end of packet", HFILL }}, { &hf_dcerpc_fragment_error, { "Defragmentation error", "dcerpc.fragment.error", FT_FRAMENUM, BASE_NONE, NULL, 0x0, "Defragmentation error due to illegal fragments", HFILL }}, { &hf_dcerpc_fragment_count, { "Fragment count", "dcerpc.fragment.count", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_time, { "Time from request", "dcerpc.time", FT_RELATIVE_TIME, BASE_NONE, NULL, 0, "Time between Request and Response for DCE-RPC calls", HFILL }}, { &hf_dcerpc_reassembled_in, { "Reassembled PDU in frame", "dcerpc.reassembled_in", FT_FRAMENUM, BASE_NONE, NULL, 0x0, "The DCE/RPC PDU is completely reassembled in the packet with this number", HFILL }}, { &hf_dcerpc_reassembled_length, { "Reassembled DCE/RPC length", "dcerpc.reassembled.length", FT_UINT32, BASE_DEC, NULL, 0x0, "The total length of the reassembled payload", HFILL }}, { &hf_dcerpc_unknown_if_id, { "Unknown DCERPC interface id", "dcerpc.unknown_if_id", FT_BOOLEAN, BASE_NONE, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_cn_rts_flags, { "RTS Flags", "dcerpc.cn_rts_flags", FT_UINT16, BASE_HEX, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_cn_rts_flags_ping, { "Ping", "dcerpc.cn_rts.flags.ping", FT_BOOLEAN, 8, TFS(&tfs_set_notset), RTS_FLAG_PING, NULL, HFILL }}, { &hf_dcerpc_cn_rts_flags_other_cmd, { "Other Cmd", "dcerpc.cn_rts_flags.other_cmd", FT_BOOLEAN, 8, TFS(&tfs_set_notset), RTS_FLAG_OTHER_CMD, NULL, HFILL }}, { &hf_dcerpc_cn_rts_flags_recycle_channel, { "Recycle Channel", "dcerpc.cn_rts_flags.recycle_channel", FT_BOOLEAN, 8, TFS(&tfs_set_notset), RTS_FLAG_RECYCLE_CHANNEL, NULL, HFILL }}, { &hf_dcerpc_cn_rts_flags_in_channel, { "In Channel", "dcerpc.cn_rts_flags.in_channel", FT_BOOLEAN, 8, TFS(&tfs_set_notset), RTS_FLAG_IN_CHANNEL, NULL, HFILL }}, { &hf_dcerpc_cn_rts_flags_out_channel, { "Out Channel", "dcerpc.cn_rts_flags.out_channel", FT_BOOLEAN, 8, TFS(&tfs_set_notset), RTS_FLAG_OUT_CHANNEL, NULL, HFILL }}, { &hf_dcerpc_cn_rts_flags_eof, { "EOF", "dcerpc.cn_rts_flags.eof", FT_BOOLEAN, 8, TFS(&tfs_set_notset), RTS_FLAG_EOF, NULL, HFILL }}, { &hf_dcerpc_cn_rts_commands_nb, { "RTS Number of Commands", "dcerpc.cn_rts_commands_nb", FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_cn_rts_command, { "RTS Command", "dcerpc.cn_rts_command", FT_UINT32, BASE_HEX, VALS(rts_command_vals), 0x0, NULL, HFILL }}, { &hf_dcerpc_cn_rts_command_receivewindowsize, {"Receive Window Size", "dcerpc.cn_rts_command.receivewindowsize", FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_cn_rts_command_fack_bytesreceived, {"Bytes Received", "dcerpc.cn_rts_command.fack.bytesreceived", FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_cn_rts_command_fack_availablewindow, {"Available Window", "dcerpc.cn_rts_command.fack.availablewindow", FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_cn_rts_command_fack_channelcookie, {"Channel Cookie", "dcerpc.cn_rts_command.fack.channelcookie", FT_GUID, BASE_NONE, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_cn_rts_command_connectiontimeout, {"Connection Timeout", "dcerpc.cn_rts_command.connectiontimeout", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_cn_rts_command_cookie, {"Cookie", "dcerpc.cn_rts_command.cookie", FT_GUID, BASE_NONE, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_cn_rts_command_channellifetime, {"Channel Lifetime", "dcerpc.cn_rts_command.channellifetime", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_cn_rts_command_clientkeepalive, {"Client Keepalive", "dcerpc.cn_rts_command.clientkeepalive", FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_cn_rts_command_version, {"Version", "dcerpc.cn_rts_command.version", FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_cn_rts_command_conformancecount, {"Conformance Count", "dcerpc.cn_rts_command.padding.conformancecount", FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_cn_rts_command_padding, { "Padding", "dcerpc.cn_rts_command.padding.padding", FT_BYTES, BASE_NONE, NULL, 0x0, NULL, HFILL}}, { &hf_dcerpc_cn_rts_command_addrtype, { "Address Type", "dcerpc.cn_rts_command.addrtype", FT_UINT32, BASE_DEC, VALS(rts_addresstype_vals), 0x0, NULL, HFILL }}, { &hf_dcerpc_cn_rts_command_associationgroupid, {"Association Group ID", "dcerpc.cn_rts_command.associationgroupid", FT_GUID, BASE_NONE, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_cn_rts_command_forwarddestination, {"Forward Destination", "dcerpc.cn_rts_command.forwarddestination", FT_UINT32, BASE_DEC, VALS(rts_forward_destination_vals), 0x0, NULL, HFILL }}, { &hf_dcerpc_cn_rts_command_pingtrafficsentnotify, {"Ping Traffic Sent Notify", "dcerpc.cn_rts_command.pingtrafficsentnotify", FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_sec_vt_signature, {"SEC_VT_SIGNATURE", "dcerpc.rpc_sec_vt.signature", FT_BYTES, BASE_NONE, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_sec_vt_command_end, {"SEC_VT_COMMAND_END", "dcerpc.rpc_sec_vt.command.end", FT_BOOLEAN, 16, NULL, 0x4000, NULL, HFILL }}, { &hf_dcerpc_sec_vt_command_must, {"SEC_VT_MUST_PROCESS_COMMAND", "dcerpc.rpc_sec_vt.command.must_process", FT_BOOLEAN, 16, NULL, 0x8000, NULL, HFILL }}, { &hf_dcerpc_sec_vt_command_cmd, {"Cmd", "dcerpc.rpc_sec_vt.command.cmd", FT_UINT16, BASE_HEX, VALS(sec_vt_command_cmd_vals), 0x3fff, NULL, HFILL }}, { &hf_dcerpc_sec_vt_command, {"Command", "dcerpc.rpc_sec_vt.command", FT_UINT16, BASE_HEX, NULL, 0, NULL, HFILL }}, { &hf_dcerpc_sec_vt_command_length, {"Length", "dcerpc.rpc_sec_vt.command.length", FT_UINT16, BASE_DEC, NULL, 0, NULL, HFILL}}, { &hf_dcerpc_sec_vt_bitmask, {"rpc_sec_vt_bitmask", "dcerpc.rpc_sec_vt.bitmask", FT_UINT32, BASE_HEX, NULL, 0, NULL, HFILL }}, { &hf_dcerpc_sec_vt_bitmask_sign, {"CLIENT_SUPPORT_HEADER_SIGNING", "dcerpc.rpc_sec_vt.bitmask.sign", FT_BOOLEAN, 32, NULL, 0x1, NULL, HFILL }}, { &hf_dcerpc_sec_vt_pcontext_uuid, {"UUID", "dcerpc.rpc_sec_vt.pcontext.interface.uuid", FT_GUID, BASE_NONE, NULL, 0, NULL, HFILL }}, { &hf_dcerpc_sec_vt_pcontext_ver, {"Version", "dcerpc.rpc_sec_vt.pcontext.interface.ver", FT_UINT32, BASE_HEX, NULL, 0, NULL, HFILL }}, { &hf_dcerpc_reserved, {"Reserved", "dcerpc.reserved", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL }}, { &hf_dcerpc_unknown, {"Unknown", "dcerpc.unknown", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL }}, { &hf_dcerpc_missalign, {"missalign", "dcerpc.missalign", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL }}, /* Generated from convert_proto_tree_add_text.pl */ { &hf_dcerpc_duplicate_ptr, { "duplicate PTR", "dcerpc.duplicate_ptr", FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_encrypted_stub_data, { "Encrypted stub data", "dcerpc.encrypted_stub_data", FT_BYTES, BASE_NONE, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_decrypted_stub_data, { "Decrypted stub data", "dcerpc.decrypted_stub_data", FT_BYTES, BASE_NONE, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_payload_stub_data, { "Payload stub data", "dcerpc.payload_stub_data", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_stub_data_with_sec_vt, { "Stub data with rpc_sec_verification_trailer", "dcerpc.stub_data_with_sec_vt", FT_BYTES, BASE_NONE, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_stub_data, { "Stub data", "dcerpc.stub_data", FT_BYTES, BASE_NONE, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_auth_padding, { "Auth Padding", "dcerpc.auth_padding", FT_BYTES, BASE_NONE, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_auth_info, { "Auth Info", "dcerpc.auth_info", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_auth_credentials, { "Auth Credentials", "dcerpc.auth_credentials", FT_BYTES, BASE_NONE, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_fault_stub_data, { "Fault stub data", "dcerpc.fault_stub_data", FT_BYTES, BASE_NONE, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_fragment_data, { "Fragment data", "dcerpc.fragment_data", FT_BYTES, BASE_NONE, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_cmd_client_ipv4, { "RTS Client address", "dcerpc.cmd_client_ipv4", FT_IPv4, BASE_NONE, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_cmd_client_ipv6, { "RTS Client address", "dcerpc.cmd_client_ipv6", FT_IPv6, BASE_NONE, NULL, 0x0, NULL, HFILL }}, { &hf_dcerpc_authentication_verifier, { "Authentication verifier", "dcerpc.authentication_verifier", FT_BYTES, BASE_NONE, NULL, 0x0, NULL, HFILL }}, }; static gint *ett[] = { &ett_dcerpc, &ett_dcerpc_cn_flags, &ett_dcerpc_cn_ctx, &ett_dcerpc_cn_iface, &ett_dcerpc_cn_trans_syntax, &ett_dcerpc_cn_trans_btfn, &ett_dcerpc_cn_bind_trans_btfn, &ett_dcerpc_cn_rts_flags, &ett_dcerpc_cn_rts_command, &ett_dcerpc_cn_rts_pdu, &ett_dcerpc_drep, &ett_dcerpc_dg_flags1, &ett_dcerpc_dg_flags2, &ett_dcerpc_pointer_data, &ett_dcerpc_string, &ett_dcerpc_fragments, &ett_dcerpc_fragment, &ett_dcerpc_krb5_auth_verf, &ett_dcerpc_auth_info, &ett_dcerpc_verification_trailer, &ett_dcerpc_sec_vt_command, &ett_dcerpc_sec_vt_bitmask, &ett_dcerpc_sec_vt_pcontext, &ett_dcerpc_sec_vt_header, &ett_dcerpc_complete_stub_data, &ett_dcerpc_fault_flags, &ett_dcerpc_fault_stub_data, }; static ei_register_info ei[] = { { &ei_dcerpc_fragment, { "dcerpc.fragment.reassemble", PI_REASSEMBLE, PI_CHAT, "Fragment", EXPFILL }}, { &ei_dcerpc_fragment_reassembled, { "dcerpc.fragment_reassembled", PI_REASSEMBLE, PI_CHAT, "Fragment, reassembled", EXPFILL }}, { &ei_dcerpc_cn_ctx_id_no_bind, { "dcerpc.cn_ctx_id.no_bind", PI_UNDECODED, PI_NOTE, "No bind info for interface Context ID", EXPFILL }}, { &ei_dcerpc_no_request_found, { "dcerpc.no_request_found", PI_SEQUENCE, PI_NOTE, "No request to this DCE/RPC call found", EXPFILL }}, { &ei_dcerpc_cn_status, { "dcerpc.cn_status.expert", PI_RESPONSE_CODE, PI_NOTE, "Fault", EXPFILL }}, { &ei_dcerpc_fragment_multiple, { "dcerpc.fragment_multiple", PI_SEQUENCE, PI_CHAT, "Multiple DCE/RPC fragments/PDU's in one packet", EXPFILL }}, #if 0 /* XXX - too much "output noise", removed for now */ { &ei_dcerpc_context_change, { "dcerpc.context_change", PI_SEQUENCE, PI_CHAT, "Context change", EXPFILL }}, #endif { &ei_dcerpc_bind_not_acknowledged, { "dcerpc.bind_not_acknowledged", PI_SEQUENCE, PI_WARN, "Bind not acknowledged", EXPFILL }}, { &ei_dcerpc_verifier_unavailable, { "dcerpc.verifier_unavailable", PI_UNDECODED, PI_WARN, "Verifier unavailable", EXPFILL }}, { &ei_dcerpc_invalid_pdu_authentication_attempt, { "dcerpc.invalid_pdu_authentication_attempt", PI_UNDECODED, PI_WARN, "Invalid authentication attempt", EXPFILL }}, /* Generated from convert_proto_tree_add_text.pl */ { &ei_dcerpc_long_frame, { "dcerpc.long_frame", PI_PROTOCOL, PI_WARN, "Long frame", EXPFILL }}, { &ei_dcerpc_cn_rts_command, { "dcerpc.cn_rts_command.unknown", PI_PROTOCOL, PI_WARN, "unknown RTS command number", EXPFILL }}, { &ei_dcerpc_not_implemented, { "dcerpc.not_implemented", PI_UNDECODED, PI_WARN, "dissection not implemented", EXPFILL }}, }; /* Decode As handling */ static build_valid_func dcerpc_da_build_value[1] = {dcerpc_value}; static decode_as_value_t dcerpc_da_values = {dcerpc_prompt, 1, dcerpc_da_build_value}; static decode_as_t dcerpc_da = {"dcerpc", "dcerpc.uuid", 1, 0, &dcerpc_da_values, NULL, NULL, dcerpc_populate_list, decode_dcerpc_binding_reset, dcerpc_decode_as_change, dcerpc_decode_as_free}; module_t *dcerpc_module; expert_module_t* expert_dcerpc; proto_dcerpc = proto_register_protocol("Distributed Computing Environment / Remote Procedure Call (DCE/RPC)", "DCERPC", "dcerpc"); proto_register_field_array(proto_dcerpc, hf, array_length(hf)); proto_register_subtree_array(ett, array_length(ett)); expert_dcerpc = expert_register_protocol(proto_dcerpc); expert_register_field_array(expert_dcerpc, ei, array_length(ei)); uuid_dissector_table = register_dissector_table(DCERPC_TABLE_NAME, "DCE/RPC UUIDs", proto_dcerpc, FT_GUID, BASE_HEX); /* structures and data for BIND */ dcerpc_binds = wmem_map_new_autoreset(wmem_epan_scope(), wmem_file_scope(), dcerpc_bind_hash, dcerpc_bind_equal); dcerpc_auths = wmem_map_new_autoreset(wmem_epan_scope(), wmem_file_scope(), dcerpc_auth_context_hash, dcerpc_auth_context_equal); /* structures and data for CALL */ dcerpc_cn_calls = wmem_map_new_autoreset(wmem_epan_scope(), wmem_file_scope(), dcerpc_cn_call_hash, dcerpc_cn_call_equal); dcerpc_dg_calls = wmem_map_new_autoreset(wmem_epan_scope(), wmem_file_scope(), dcerpc_dg_call_hash, dcerpc_dg_call_equal); /* structure and data for MATCHED */ dcerpc_matched = wmem_map_new_autoreset(wmem_epan_scope(), wmem_file_scope(), dcerpc_matched_hash, dcerpc_matched_equal); register_init_routine(decode_dcerpc_inject_bindings); dcerpc_module = prefs_register_protocol(proto_dcerpc, NULL); prefs_register_bool_preference(dcerpc_module, "desegment_dcerpc", "Reassemble DCE/RPC messages spanning multiple TCP segments", "Whether the DCE/RPC dissector should reassemble messages" " spanning multiple TCP segments." " To use this option, you must also enable" " \"Allow subdissectors to reassemble TCP streams\" in the TCP protocol settings.", &dcerpc_cn_desegment); prefs_register_bool_preference(dcerpc_module, "reassemble_dcerpc", "Reassemble DCE/RPC fragments", "Whether the DCE/RPC dissector should reassemble fragmented DCE/RPC PDUs", &dcerpc_reassemble); /* * XXX - addresses_ports_reassembly_table_functions? * Or can a single connection-oriented DCE RPC session persist * over multiple transport layer connections? */ reassembly_table_register(&dcerpc_co_reassembly_table, &addresses_reassembly_table_functions); reassembly_table_register(&dcerpc_cl_reassembly_table, &dcerpc_cl_reassembly_table_functions); dcerpc_uuids = g_hash_table_new_full(dcerpc_uuid_hash, dcerpc_uuid_equal, g_free, g_free); dcerpc_tap = register_tap("dcerpc"); register_decode_as(&dcerpc_da); register_srt_table(proto_dcerpc, NULL, 1, dcerpcstat_packet, dcerpcstat_init, dcerpcstat_param); tvb_trailer_signature = tvb_new_real_data(TRAILER_SIGNATURE, sizeof(TRAILER_SIGNATURE), sizeof(TRAILER_SIGNATURE)); dcerpc_tcp_handle = register_dissector("dcerpc.tcp", dissect_dcerpc_tcp, proto_dcerpc); register_shutdown_routine(dcerpc_shutdown); } void proto_reg_handoff_dcerpc(void) { heur_dissector_add("tcp", dissect_dcerpc_tcp_heur, "DCE/RPC over TCP", "dcerpc_tcp", proto_dcerpc, HEURISTIC_ENABLE); heur_dissector_add("netbios", dissect_dcerpc_cn_pk, "DCE/RPC over NetBios", "dcerpc_netbios", proto_dcerpc, HEURISTIC_ENABLE); heur_dissector_add("udp", dissect_dcerpc_dg, "DCE/RPC over UDP", "dcerpc_udp", proto_dcerpc, HEURISTIC_ENABLE); heur_dissector_add("smb_transact", dissect_dcerpc_cn_smbpipe, "DCE/RPC over SMB", "dcerpc_smb_transact", proto_dcerpc, HEURISTIC_ENABLE); heur_dissector_add("smb2_pipe_subdissectors", dissect_dcerpc_cn_smb2, "DCE/RPC over SMB2", "dcerpc_smb2", proto_dcerpc, HEURISTIC_ENABLE); heur_dissector_add("http", dissect_dcerpc_cn_bs, "DCE/RPC over HTTP", "dcerpc_http", proto_dcerpc, HEURISTIC_ENABLE); dcerpc_smb_init(proto_dcerpc); dissector_add_for_decode_as("tcp.port", dcerpc_tcp_handle); guids_add_uuid(&uuid_data_repr_proto, "32bit NDR"); guids_add_uuid(&uuid_ndr64, "64bit NDR"); guids_add_uuid(&uuid_asyncemsmdb, "async MAPI"); } /* * Editor modelines - https://www.wireshark.org/tools/modelines.html * * Local variables: * c-basic-offset: 4 * tab-width: 8 * indent-tabs-mode: nil * End: * * vi: set shiftwidth=4 tabstop=8 expandtab: * :indentSize=4:tabSize=8:noTabs=true: */