osmocom
/
wireshark
11
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity
wireshark/epan/dissectors/packet-wmio.c

1244 lines
50 KiB
C
Raw Permalink Blame History

/* packet-wmio.c
* Wireshark's WMIO dissector.
*
* Copyright 2024, Hiddencodes Sec <hidd3ncod3s[]gmail.com>
*
* Wireshark - Network traffic analyzer
* By Gerald Combs <gerald@wireshark.org>
* Copyright 1998 Gerald Combs
*
* SPDX-License-Identifier: GPL-2.0-or-later
*/
#include "config.h"
#include <epan/packet.h>
#include "packet-dcerpc.h"
#include <packet-dcom.h>
void proto_register_WMIO (void);
void proto_reg_handoff_WMIO (void);
static int proto_WMIO;
/* IWbemClassObject Interface
* https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wmi/46710c5c-d7ab-4e4c-b4a5-ebff311fdcd1
* dc12a681-737f-11cf-884d-00aa004b2e24
*/
static e_guid_t iid_WMIO = { 0xdc12a681, 0x737f, 0x11cf, { 0x88, 0x4d, 0x00, 0xaa, 0x00, 0x4b, 0x2e, 0x24} };
static guint32 wmio_signature = 0x12345678;
#define CLASS_HEADER_LENGTH 13
#define WMIO_OBJECT_FLAG_CIM_CLASS 0X01
#define WMIO_OBJECT_FLAG_CIM_INSTANCE 0X02
#define WMIO_OBJECT_FLAG_HAS_DECORATION 0X04
#define WMIO_OBJECT_FLAG_PROTOTYPE_RESULT_OBJECT 0X10
#define WMIO_OBJECT_FLAG_KEY_PROPERTY_MISSING 0X40
#define WBEM_FLAVOR_FLAG_PROPAGATE_TO_INSTANCE 0x01
#define WBEM_FLAVOR_FLAG_PROPAGATE_TO_DERIVED_CLASS 0x02
#define WBEM_FLAVOR_NOT_OVERRIDABLE 0x10
#define WBEM_FLAVOR_ORIGIN_PROPAGATED 0x20
#define WBEM_FLAVOR_ORIGIN_SYSTEM 0x40
#define WBEM_FLAVOR_AMENDED 0x80
#define CIM_ARRAY_FLAG 0x2000
#define INHERITED_PROPERTY_TYPE 0x4000
/* CimType
* https://learn.microsoft.com/de-de/openspecs/windows_protocols/ms-wmio/e137e6c6-c1cc-449e-a0b4-76fabf534480
* CimType is a 32-bit value of which only the lower 16 bits are used.
*/
#define CIM_TYPE_SINT16 2
#define CIM_TYPE_SINT32 3
#define CIM_TYPE_REAL32 4
#define CIM_TYPE_REAL64 5
#define CIM_TYPE_STRING 8
#define CIM_TYPE_BOOLEAN 11
#define CIM_TYPE_OBJECT 13
#define CIM_TYPE_SINT8 16
#define CIM_TYPE_UINT8 17
#define CIM_TYPE_UINT16 18
#define CIM_TYPE_UINT32 19
#define CIM_TYPE_SINT64 20
#define CIM_TYPE_UINT64 21
#define CIM_TYPE_DATETIME 101
#define CIM_TYPE_REFERENCE 102
#define CIM_TYPE_CHAR16 103
#define CIM_ARRAY_TYPE(X) (CIM_ARRAY_FLAG | X)
#define CIM_ARRAY_SINT8 CIM_ARRAY_TYPE(CIM_TYPE_SINT8)
#define CIM_ARRAY_UINT8 CIM_ARRAY_TYPE(CIM_TYPE_UINT8)
#define CIM_ARRAY_SINT16 CIM_ARRAY_TYPE(CIM_TYPE_SINT16)
#define CIM_ARRAY_UINT16 CIM_ARRAY_TYPE(CIM_TYPE_UINT16)
#define CIM_ARRAY_SINT32 CIM_ARRAY_TYPE(CIM_TYPE_SINT32)
#define CIM_ARRAY_UINT32 CIM_ARRAY_TYPE(CIM_TYPE_UINT32)
#define CIM_ARRAY_SINT64 CIM_ARRAY_TYPE(CIM_TYPE_SINT64)
#define CIM_ARRAY_UINT64 CIM_ARRAY_TYPE(CIM_TYPE_UINT64)
#define CIM_ARRAY_REAL32 CIM_ARRAY_TYPE(CIM_TYPE_REAL32)
#define CIM_ARRAY_REAL64 CIM_ARRAY_TYPE(CIM_TYPE_REAL64)
#define CIM_ARRAY_BOOLEAN CIM_ARRAY_TYPE(CIM_TYPE_BOOLEAN)
#define CIM_ARRAY_STRING CIM_ARRAY_TYPE(CIM_TYPE_STRING)
#define CIM_ARRAY_DATETIME CIM_ARRAY_TYPE(CIM_TYPE_DATETIME)
#define CIM_ARRAY_REFERENCE CIM_ARRAY_TYPE(CIM_TYPE_REFERENCE)
#define CIM_ARRAY_CHAR16 CIM_ARRAY_TYPE(CIM_TYPE_CHAR16)
#define CIM_ARRAY_OBJECT CIM_ARRAY_TYPE(CIM_TYPE_OBJECT)
#define STRINGFY(X) { X, #X}
static const value_string cim_types[] = {
STRINGFY(CIM_TYPE_SINT8),
STRINGFY(CIM_TYPE_UINT8),
STRINGFY(CIM_TYPE_SINT16),
STRINGFY(CIM_TYPE_UINT16),
STRINGFY(CIM_TYPE_SINT32),
STRINGFY(CIM_TYPE_UINT32),
STRINGFY(CIM_TYPE_SINT64),
STRINGFY(CIM_TYPE_UINT64),
STRINGFY(CIM_TYPE_REAL32),
STRINGFY(CIM_TYPE_REAL64),
STRINGFY(CIM_TYPE_BOOLEAN),
STRINGFY(CIM_TYPE_STRING),
STRINGFY(CIM_TYPE_DATETIME),
STRINGFY(CIM_TYPE_REFERENCE),
STRINGFY(CIM_TYPE_CHAR16),
STRINGFY(CIM_TYPE_OBJECT),
STRINGFY(CIM_ARRAY_SINT8),
STRINGFY(CIM_ARRAY_UINT8),
STRINGFY(CIM_ARRAY_SINT16),
STRINGFY(CIM_ARRAY_UINT16),
STRINGFY(CIM_ARRAY_SINT32),
STRINGFY(CIM_ARRAY_UINT32),
STRINGFY(CIM_ARRAY_SINT64),
STRINGFY(CIM_ARRAY_UINT64),
STRINGFY(CIM_ARRAY_REAL32),
STRINGFY(CIM_ARRAY_REAL64),
STRINGFY(CIM_ARRAY_BOOLEAN),
STRINGFY(CIM_ARRAY_STRING),
STRINGFY(CIM_ARRAY_DATETIME),
STRINGFY(CIM_ARRAY_REFERENCE),
STRINGFY(CIM_ARRAY_CHAR16),
STRINGFY(CIM_ARRAY_OBJECT),
{ 0, NULL } };
static int hf_wmio;
static int hf_wmio_signature;
static int hf_wmio_objectencodinglength;
static int hf_wmio_object_flags;
static int hf_wmio_object_flags_cim_class;
static int hf_wmio_object_flags_cim_instance;
static int hf_wmio_object_flags_has_decoration;
static int hf_wmio_object_flags_prototype_result_object;
static int hf_wmio_object_flags_key_property_missing;
static int hf_wmio_decoration;
static int hf_wmio_decoration_server_name;
static int hf_wmio_decoration_namespace;
static int hf_wmio_encoded_string;
static int hf_wmio_encoded_string_flags;
static int hf_wmio_encoded_string_flags_unicode;
static int hf_wmio_class_part;
static int hf_wmio_class_header;
static int hf_wmio_class_header_partlength;
static int hf_wmio_class_header_nameref;
static int hf_wmio_class_header_ndtablevaluetablelength;
static int hf_wmio_class_derivation;
static int hf_wmio_class_derivation_length;
static int hf_wmio_derivation_classname;
static int hf_wmio_class_name_length;
static int hf_wmio_qualifierset;
static int hf_wmio_qualifierset_length;
static int hf_wmio_qualifier;
static int hf_wmio_qualifiername;
static int hf_wmio_cimtype;
static int hf_wmio_qualifiervalue;
static int hf_wmio_bytes;
static int hf_wmio_flavor;
static int hf_wmio_flavor_propagate_to_instance;
static int hf_wmio_flavor_propagate_to_derived_class;
static int hf_wmio_flavor_not_overridable;
static int hf_wmio_flavor_origin_propagated;
static int hf_wmio_flavor_origin_system;
static int hf_wmio_flavor_amended;
static int hf_wmio_propertylookuptable;
static int hf_wmio_propertylookuptable_count;
static int hf_wmio_propertylookup;
static int hf_wmio_propertynameref;
static int hf_wmio_propertyinforef;
static int hf_wmio_ndtable;
static int hf_wmio_heap;
static int hf_wmio_heap_length;
static int hf_methodspart;
static int hf_methodspart_length;
static int hf_methodspart_methodcount;
static int hf_methodspart_methods;
static int hf_methodspart_methoddescription;
static int hf_methoddescription_methodname;
static int hf_methoddescription_methodflags;
static int hf_methoddescription_methodqualifiers;
static int hf_parentclass;
static int hf_currentclass;
static int hf_methoddescription_methodorigin;
static int hf_methoddescription_inputsignature;
static int hf_methoddescription_outputsignature;
static int hf_heap_offset;
static int hf_property_info;
static int hf_declaration_order;
static int hf_propertyinfo_inherited;
static int hf_propertyinfo_valuetableoffset;
static int hf_propertyinfo_classoforigin;
static int hf_methodsignature_offset;
static hf_register_info hf[] = {
{ &hf_wmio,
{ "WMIO", "wmio", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
{ &hf_wmio_signature,
{ "Signature", "wmio.signature", FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL }},
{ &hf_wmio_objectencodinglength,
{ "Object Encoding Length", "wmio.objectencodinglength", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
{ &hf_wmio_object_flags,
{ "Object flags", "wmio.objectflags", FT_UINT8, BASE_HEX, NULL, 0x0, NULL, HFILL }},
{ &hf_wmio_object_flags_cim_class,
{ "CIM Class", "wmio.objectflags.cim_class", FT_BOOLEAN, 8, NULL, WMIO_OBJECT_FLAG_CIM_CLASS, NULL, HFILL }},
{ &hf_wmio_object_flags_cim_instance,
{ "CIM Instance", "wmio.objectflags.cim_Instance", FT_BOOLEAN, 8, NULL, WMIO_OBJECT_FLAG_CIM_INSTANCE, NULL, HFILL }},
{ &hf_wmio_object_flags_has_decoration,
{ "Has Decoration", "wmio.objectflags.has_decoration", FT_BOOLEAN, 8, NULL, WMIO_OBJECT_FLAG_HAS_DECORATION, NULL, HFILL }},
{ &hf_wmio_object_flags_prototype_result_object,
{ "Prototype Result Object", "wmio.objectflags.prototype_result_object", FT_BOOLEAN, 8, NULL, WMIO_OBJECT_FLAG_PROTOTYPE_RESULT_OBJECT, NULL, HFILL }},
{ &hf_wmio_object_flags_key_property_missing,
{ "Key Property Missing", "wmio.objectflags.key_property_missing", FT_BOOLEAN, 8, NULL, WMIO_OBJECT_FLAG_KEY_PROPERTY_MISSING, NULL, HFILL }},
{ &hf_wmio_encoded_string,
{ "Encoded String", "wmio.encoded_string", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
{ &hf_wmio_encoded_string_flags,
{ "Flag", "wmio.encoded_string.flags", FT_UINT8, BASE_HEX, NULL, 0, NULL, HFILL }},
{ &hf_wmio_encoded_string_flags_unicode,
{ "Unicode", "wmio.encoded_string.flags.unicode", FT_BOOLEAN, 8, NULL, 0x1, NULL, HFILL }},
{ &hf_wmio_decoration,
{ "Decoration", "wmio.decoration", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
{ &hf_wmio_decoration_server_name,
{ "CIM Server Name", "wmio.decoration.server_name", FT_STRINGZ, BASE_NONE, NULL, 0x0, NULL, HFILL }},
{ &hf_wmio_decoration_namespace,
{ "CIM Namespace", "wmio.decoration.namespace", FT_STRINGZ, BASE_NONE, NULL, 0x0, NULL, HFILL }},
{ &hf_wmio_class_part,
{ "Class Part", "wmio.class.part", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }},
{ &hf_wmio_class_header,
{ "Class Header", "wmio.class.header", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }},
{ &hf_wmio_class_header_partlength,
{ "Class Header ClassPart Length", "wmio.class.header.length", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
{ &hf_wmio_class_header_nameref,
{ "Class Name Reference", "wmio.class.header.nameref", FT_STRINGZ, BASE_NONE, NULL, 0x0, NULL, HFILL }},
{ &hf_wmio_class_header_ndtablevaluetablelength,
{ "NdTable ValueTable Length", "wmio.class.header.ndtablevaluetablelength", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
{ &hf_wmio_class_derivation,
{ "Class Derivation", "wmio.class.derivation", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }},
{ &hf_wmio_class_derivation_length,
{ "Class Derivation Length", "wmio.class.derivation.length", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
{ &hf_wmio_derivation_classname,
{ "Derivation", "wmio.derivation.classname", FT_STRINGZ, BASE_NONE, NULL, 0x0, NULL, HFILL }},
{ &hf_wmio_class_name_length,
{ "Class Name Length", "wmio.derivation.classname_length", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
{ &hf_wmio_qualifierset,
{ "Qualifier Set", "wmio.qualifierset", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
{ &hf_wmio_qualifierset_length,
{ "Qualifier Length", "wmio.derivation.qualifier_length", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
{ &hf_wmio_qualifier,
{ "Qualifier", "wmio.qualifier", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
{ &hf_wmio_qualifiername,
{ "Qualifier Name", "wmio.qualifier_name", FT_STRINGZ, BASE_NONE, NULL, 0x0, NULL, HFILL }},
{ &hf_wmio_flavor,
{ "Flavor", "wmio.flavor", FT_UINT8, BASE_HEX, NULL, 0x0, NULL, HFILL }},
{ &hf_wmio_flavor_propagate_to_instance,
{ "Propagate To Derived Instance", "wmio.flavor.propagate_to_instance", FT_BOOLEAN, 8, NULL, WBEM_FLAVOR_FLAG_PROPAGATE_TO_INSTANCE, NULL, HFILL }},
{ &hf_wmio_flavor_propagate_to_derived_class,
{ "Propagate To Derived Class", "wmio.flavor.propagate_to_derived_class", FT_BOOLEAN, 8, NULL, WBEM_FLAVOR_FLAG_PROPAGATE_TO_DERIVED_CLASS, NULL, HFILL }},
{ &hf_wmio_flavor_not_overridable,
{ "Not Overridable", "wmio.flavor.not_overridable", FT_BOOLEAN, 8, NULL, WBEM_FLAVOR_NOT_OVERRIDABLE, NULL, HFILL }},
{ &hf_wmio_flavor_origin_propagated,
{ "Origin Propagated", "wmio.flavor.origin_propagated", FT_BOOLEAN, 8, NULL, WBEM_FLAVOR_ORIGIN_PROPAGATED, NULL, HFILL }},
{ &hf_wmio_flavor_origin_system,
{ "Origin System", "wmio.flavor.origin_system", FT_BOOLEAN, 8, NULL, WBEM_FLAVOR_ORIGIN_SYSTEM, NULL, HFILL }},
{ &hf_wmio_flavor_amended,
{ "Amended", "wmio.flavor.amended", FT_BOOLEAN, 8, NULL, WBEM_FLAVOR_AMENDED, NULL, HFILL }},
{ &hf_wmio_cimtype,
{ "CIM Type", "wmio.cim_type", FT_UINT32, BASE_HEX, VALS(cim_types), 0, NULL, HFILL }},
{ &hf_wmio_propertylookuptable,
{ "Property Lookup Table", "wmio.property_lookup_table", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
{ &hf_wmio_propertylookuptable_count,
{ "Property Lookup Table Count", "wmio.property_lookup_table.count", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
{ &hf_wmio_ndtable,
{ "NdTable", "wmio.ndtable", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
{ &hf_wmio_propertylookup,
{ "Property Lookup", "wmio.property_lookup", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
{ &hf_wmio_propertynameref,
{ "Property Name Ref", "wmio.property_lookup.propertynameref", FT_STRINGZ, BASE_NONE, NULL, 0x0, NULL, HFILL }},
{ &hf_wmio_propertyinforef,
{ "Property Info Ref", "wmio.property_lookup.propertyinforef", FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL }},
{ &hf_wmio_heap,
{ "Heap", "wmio.heap", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
{ &hf_wmio_heap_length,
{ "HeapLength", "wmio.heap.length", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL }},
{ &hf_wmio_bytes,
{ "WMIO Bytes", "wmio.bytes", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL }},
{ &hf_methodspart,
{ "Methodspart", "wmio.methodspart", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
{ &hf_methodspart_length,
{ "Methodspart Length", "wmio.methodspart.length", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
{ &hf_methodspart_methodcount,
{ "Methods Count", "wmio.methodspart.methodcount", FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }},
{ &hf_methodspart_methods,
{ "Methods", "wmio.methodspart.methods", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
{ &hf_methodspart_methoddescription,
{ "MethodDescription", "wmio.methodspart.methoddescription", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
{ &hf_methoddescription_methodname,
{ "Methodname", "wmio.methodspart.methoddescription.methodname", FT_STRINGZ, BASE_NONE, NULL, 0x0, NULL, HFILL }},
{ &hf_methoddescription_methodflags,
{ "Methodflags", "wmio.methodspart.methoddescription.methodflags", FT_UINT8, BASE_DEC, NULL, 0x0, NULL, HFILL }},
{ &hf_methoddescription_methodorigin,
{ "Methodorigin", "wmio.methodspart.methoddescription.methodorigin", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
{ &hf_methoddescription_methodqualifiers,
{ "Methodqualifiers", "wmio.methodspart.methoddescription.methodqualifiers", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
{ &hf_methoddescription_inputsignature,
{ "Inputsignature", "wmio.methodspart.methoddescription.inputsignature", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
{ &hf_methoddescription_outputsignature,
{ "Outputsignature", "wmio.methodspart.methoddescription.outputsignature", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
{ &hf_parentclass,
{ "Parent Class", "wmio.parentclass", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
{ &hf_currentclass,
{ "Current Class", "wmio.currentclass", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
{ &hf_heap_offset,
{ "Heap Offset", "wmio.heapoffset", FT_UINT32, BASE_HEX_DEC, NULL, 0x0, NULL, HFILL }},
{ &hf_wmio_qualifiervalue,
{ "Qualifier Value", "wmio.qualifier_value", FT_STRINGZ, BASE_NONE, NULL, 0x0, NULL, HFILL }},
{ &hf_property_info,
{ "Property Info", "wmio.property_info", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
{ &hf_declaration_order,
{ "Declaration Order", "wmio.declaration_order", FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }},
{ &hf_propertyinfo_inherited,
{ "Inherited", "wmio.propertytype.inherited", FT_BOOLEAN, 32, NULL, INHERITED_PROPERTY_TYPE, NULL, HFILL }},
{ &hf_propertyinfo_valuetableoffset,
{ "ValueTable Offset", "wmio.propertytype.valuetableoffset", FT_UINT32, BASE_HEX_DEC, NULL, 0x0, NULL, HFILL }},
{ &hf_propertyinfo_classoforigin,
{ "ClassOfOrigin", "wmio.propertytype.classoforigin", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
{ &hf_methodsignature_offset,
{ "Methodsignature Offset", "wmio.methodsignature.offset", FT_UINT32, BASE_HEX_DEC, NULL, 0x0, NULL, HFILL }},
};
static int * const wmio_object_flags[] = {
&hf_wmio_object_flags_cim_class,
&hf_wmio_object_flags_cim_instance,
&hf_wmio_object_flags_has_decoration,
&hf_wmio_object_flags_prototype_result_object,
&hf_wmio_object_flags_key_property_missing,
NULL
};
static int * const wmio_flavor[] = {
&hf_wmio_flavor_propagate_to_instance,
&hf_wmio_flavor_propagate_to_derived_class,
&hf_wmio_flavor_not_overridable,
&hf_wmio_flavor_origin_propagated,
&hf_wmio_flavor_origin_system,
&hf_wmio_flavor_amended,
NULL
};
static int * const wmio_encoded_string_flags[] = {
&hf_wmio_encoded_string_flags_unicode,
NULL
};
static gint ett_wmio;
static gint ett_wmio_object_flags;
static gint ett_wmio_encoded_string;
static gint ett_wmio_encoded_string_flags;
static gint ett_wmio_class_part;
static gint ett_wmio_class_header;
static gint ett_wmio_decoration;
static gint ett_wmio_class_derivation;
static gint ett_wmio_qualifierset;
static gint ett_wmio_qualifier;
static gint ett_wmio_flavor;
static gint ett_wmio_propertylookuptable;
static gint ett_wmio_propertylookup;
static gint ett_wmio_heap;
static gint ett_methodspart;
static gint ett_parentclass;
static gint ett_currentclass;
static gint ett_methodspart_methods;
static gint ett_methodspart_methoddescription;
static gint ett_methodsignature;
static gint ett_property_info;
/* Tree */
static gint *ett[] = {
&ett_wmio,
&ett_wmio_object_flags,
&ett_wmio_encoded_string,
&ett_wmio_encoded_string_flags,
&ett_wmio_class_part,
&ett_wmio_class_header,
&ett_wmio_decoration,
&ett_wmio_class_derivation,
&ett_wmio_qualifierset,
&ett_wmio_qualifier,
&ett_wmio_flavor,
&ett_wmio_propertylookuptable,
&ett_wmio_propertylookup,
&ett_wmio_heap,
&ett_methodspart,
&ett_methodspart_methods,
&ett_methodspart_methoddescription,
&ett_methodsignature,
&ett_parentclass,
&ett_currentclass,
&ett_property_info,
};
static int dissect_wmio_objectblock(tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree);
static int dissect_wmio_object_decoration(tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree);
static int dissect_wmio_encoded_string(tvbuff_t *tvb, gint offset, int hfindex, packet_info *pinfo, proto_tree *tree, gboolean withlength, gint heapoffset);
static int dissect_wmio_encoding_classtype(tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree);
static int dissect_wmio_encoding_classandmethodspart(tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree, int hf_index, gint ett, bool methods);
static int dissect_wmio_encoding_classpart(tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree);
static int dissect_wmio_encoding_classheader(tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree, guint32 *pPartlength, guint32 *pNdLength, gint classheapoffset);
static int dissect_wmio_encoding_methodpart(tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree);
static int dissect_wmio_encoding_methodpart_methods(tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree, guint32 methodscount, gint methodsheapoffset);
static int dissect_wmio_encoding_methodpart_methoddescription(tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree, gint methodsheapoffset);
static int dissect_wmio_encoding_derivationlist(tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree);
static int dissect_wmio_encoding_qualifierset(tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *parent_tree, gint classheapoffset);
/* DictionaryReference
* https://learn.microsoft.com/de-de/openspecs/windows_protocols/ms-wmio/40adf451-f5bc-4b0a-ab97-d620bb638470
*/
static const gchar* stringDictionary[] =
{ "'"
, "key"
, ""
, "read"
, "write"
, "volatile"
, "provider"
, "dynamic"
, "cimwin32"
, "DWORD"
, "CIMTYPE"
};
/* Encoded-String
* https://learn.microsoft.com/de-de/openspecs/windows_protocols/ms-wmio/2f3afcf6-169e-41ff-80c2-367f2f74285b
* Encoded-String = Encoded-String-Flag *Character Null
* Encoded-String-Flag = OCTET
* Character = AnsiCharacter / UnicodeCharacter
* Null = Character
* AnsiCharacter = OCTET
* UnicodeCharacter = 2OCTET
*/
static int
dissect_wmio_encoded_string(tvbuff_t *tvb, gint offset, int hfindex, packet_info *pinfo,
proto_tree *tree, gboolean withlength, gint heapoffset)
{
proto_item *sub_item;
proto_tree *sub_tree;
gint old_offset = offset;
int fn_len = 0;
header_field_info *hfinfo;
char *s= NULL;
guint32 foffset = 0;
/* Make sure this really is a string field. */
hfinfo = proto_registrar_get_nth(hfindex);
DISSECTOR_ASSERT_FIELD_TYPE(hfinfo, FT_STRINGZ);
if(heapoffset > 0){
/* HeapRef
* https://learn.microsoft.com/de-de/openspecs/windows_protocols/ms-wmio/f9d22d98-ed26-45d7-8792-aa0f210cffb2
* HeapRef is a reference to any HeapItem and is expressed in 31 bits. If the HeapItem referred to is a string,
* and the most significant bit of the 32-bit HeapStringRef value is set, the reference is actually to an implied
* dictionary-based string entry and does not point to a literal Encoded-String within the Heap.
*/
foffset = tvb_get_guint32(tvb, offset, ENC_LITTLE_ENDIAN);
if (foffset < 0x80000000){
offset = heapoffset + foffset;
}
}
sub_item = proto_tree_add_item(tree, hf_wmio_encoded_string, tvb, offset, -1, ENC_NA);
sub_tree = proto_item_add_subtree(sub_item, ett_wmio_encoded_string);
if((heapoffset > 0) && (foffset >= 0x80000000)){
proto_tree_add_item(sub_tree, hf_heap_offset, tvb, old_offset, 4, ENC_LITTLE_ENDIAN);
/* https://learn.microsoft.com/de-de/openspecs/windows_protocols/ms-wmio/f9d22d98-ed26-45d7-8792-aa0f210cffb2
* If the value of HeapRef is 0xFFFFFFFF, then HeapItem is not present and MUST be considered NULL.
*/
if(foffset == 0xFFFFFFFF){
/* NULL String */
proto_item_set_text(sub_tree, "%s: %s", proto_registrar_get_name(hfindex), "NULL");
proto_item_set_len(sub_item, 4);
} else {
if (foffset & 0x80000000){
foffset = 0x7FFFFFFF & foffset;
if (foffset < (sizeof(stringDictionary)/sizeof(stringDictionary[0]))){
proto_item_set_text(sub_tree, "%s: %s", proto_registrar_get_name(hfindex), stringDictionary[foffset]);
} else {
proto_item_set_text(sub_tree, "%s: Unknown Index %d", proto_registrar_get_name(hfindex), hfindex);
}
proto_item_set_len(sub_item, 4);
}
}
} else {
guint64 encoded_string_flags;
if(heapoffset > 0){
proto_tree_add_item(sub_tree, hf_heap_offset, tvb, old_offset, 4, ENC_LITTLE_ENDIAN);
}
old_offset = offset;
proto_tree_add_bitmask_ret_uint64(sub_tree, tvb, offset, hf_wmio_encoded_string_flags, ett_wmio_encoded_string_flags, wmio_encoded_string_flags, ENC_NA, &encoded_string_flags);
offset++;
if (encoded_string_flags == 0){
/* ASCII */
proto_tree_add_item_ret_length(sub_tree, hfindex, tvb, offset, -1, ENC_ASCII, &fn_len);
s = tvb_get_string_enc(pinfo->pool, tvb, offset, fn_len, ENC_ASCII);
} else if (encoded_string_flags == 1){
/* UNICODE */
proto_tree_add_item_ret_length(sub_tree, hfindex, tvb, offset, -1, ENC_UTF_16|ENC_LITTLE_ENDIAN, &fn_len);
s = tvb_get_string_enc(pinfo->pool, tvb, offset, fn_len, ENC_UTF_16);
}
offset += fn_len;
proto_item_set_text(sub_tree, "%s: %s", proto_registrar_get_name(hfindex), s);
if(withlength){
proto_tree_add_item(sub_tree, hf_wmio_class_name_length, tvb, offset, 4, ENC_LITTLE_ENDIAN);
offset += 4;
}
proto_item_set_len(sub_item, offset-old_offset);
}
return offset;
}
/* ObjectBlock
* https://learn.microsoft.com/de-de/openspecs/windows_protocols/ms-wmio/4e74c9f9-4a47-4111-9e67-6476c896b7fb
* ObjectBlock = ObjectFlags [Decoration] Encoding
*/
static int
dissect_wmio_objectblock(tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree)
{
gint8 flags = tvb_get_guint8(tvb, offset);
proto_tree_add_bitmask(tree, tvb, offset, hf_wmio_object_flags,
ett_wmio_object_flags, wmio_object_flags, ENC_NA);
offset+=1;
if (WMIO_OBJECT_FLAG_HAS_DECORATION & flags){
offset = dissect_wmio_object_decoration(tvb, offset, pinfo, tree);
}
if (WMIO_OBJECT_FLAG_CIM_CLASS & flags){
offset = dissect_wmio_encoding_classtype(tvb, offset, pinfo, tree);
}
return offset;
}
/* Decoration = DecServerName DecNamespaceName
* https://learn.microsoft.com/de-de/openspecs/windows_protocols/ms-wmio/0650ad93-88fa-49e9-aebc-e4462e4a7786
* Decoration = DecServerName DecNamespaceName
*/
static int
dissect_wmio_object_decoration(tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *parent_tree)
{
proto_item *item = NULL;
proto_tree *tree = NULL;
gint old_offset = offset;
item = proto_tree_add_item(parent_tree, hf_wmio_decoration, tvb, offset, -1, ENC_NA);
tree = proto_item_add_subtree(item, ett_wmio_decoration);
offset = dissect_wmio_encoded_string(tvb, offset, hf_wmio_decoration_server_name, pinfo, tree, FALSE, 0);
offset = dissect_wmio_encoded_string(tvb, offset, hf_wmio_decoration_namespace, pinfo, tree, FALSE, 0);
proto_item_set_len(item, offset-old_offset);
return offset;
}
static int
dissect_wmio_encoding_classtype(tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree)
{
// ParentClass
offset = dissect_wmio_encoding_classandmethodspart(tvb, offset, pinfo, tree, hf_parentclass, ett_parentclass, true);
// CurrentClass
offset = dissect_wmio_encoding_classandmethodspart(tvb, offset, pinfo, tree, hf_currentclass, ett_currentclass, true);
return offset;
}
/* ClassAndMethodsPart = ClassPart [MethodsPart]
* https://learn.microsoft.com/de-de/openspecs/windows_protocols/ms-wmio/35589520-cee8-4bb1-b09e-bb009d1d1b88
* ClassAndMethodsPart = ClassPart [MethodsPart]
*/
static int
dissect_wmio_encoding_classandmethodspart(tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *parent_tree, int hf_index, gint ett_id, bool methods)
{
proto_item *item = NULL;
proto_tree *tree = NULL;
gint old_offset = offset;
item = proto_tree_add_item(parent_tree, hf_index, tvb, offset, -1, ENC_NA);
tree = proto_item_add_subtree(item, ett_id);
offset = dissect_wmio_encoding_classpart(tvb, offset, pinfo, tree);
if (methods){
offset = dissect_wmio_encoding_methodpart(tvb, offset, pinfo, tree);
}
proto_item_set_len(item, offset-old_offset);
return offset;
}
/* Qualifier
* https://learn.microsoft.com/de-de/openspecs/windows_protocols/ms-wmio/f4c4ec0a-e38b-4591-8111-cbb03cc405c2
* Qualifier = QualifierName QualifierFlavor QualifierType QualifierValue
*/
static int
dissect_wmio_qualifier(tvbuff_t *tvb, gint offset, packet_info *pinfo,
proto_tree *parent_tree, gint classheapoffset)
{
proto_item *item = NULL;
proto_tree *tree = NULL;
gint old_offset = offset;
item = proto_tree_add_item(parent_tree, hf_wmio_qualifier, tvb, offset, -1, ENC_NA);
tree = proto_item_add_subtree(item, ett_wmio_qualifier);
dissect_wmio_encoded_string(tvb, offset, hf_wmio_qualifiername, pinfo, tree, FALSE, classheapoffset);
offset+= 4;
proto_tree_add_bitmask(tree, tvb, offset, hf_wmio_flavor, ett_wmio_flavor, wmio_flavor, ENC_NA);
offset+= 1;
// QualifierType = CimType
// CimType is a 32-bit value
gint32 cimType = tvb_get_guint32(tvb, offset, ENC_LITTLE_ENDIAN);
proto_tree_add_item(tree, hf_wmio_cimtype, tvb, offset, 4, ENC_LITTLE_ENDIAN);
offset+= 4;
// QualifierValue = EncodedValue
if (cimType & CIM_ARRAY_FLAG){
guint32 array_count = tvb_get_guint32(tvb, offset, ENC_LITTLE_ENDIAN);
offset += 4;
// CimArrayType
switch(cimType){
case CIM_ARRAY_SINT8:
offset += array_count;
break;
case CIM_ARRAY_UINT8:
offset += array_count;
break;
case CIM_ARRAY_SINT16:
offset += (sizeof(gint16) * array_count);
break;
case CIM_ARRAY_UINT16:
offset += (sizeof(guint16) * array_count);
break;
case CIM_ARRAY_SINT32:
offset += (sizeof(gint32) * array_count);
break;
case CIM_ARRAY_UINT32:
offset += (sizeof(guint32) * array_count);
break;
case CIM_ARRAY_SINT64:
offset += (sizeof(gint64) * array_count);
break;
case CIM_ARRAY_UINT64:
offset += (sizeof(guint64) * array_count);
break;
case CIM_ARRAY_REAL32:
offset += (sizeof(gint32) * array_count);
break;
case CIM_ARRAY_REAL64:
offset += (sizeof(gint64) * array_count);
break;
case CIM_ARRAY_BOOLEAN:
offset += (2 * array_count);
break;
case CIM_ARRAY_STRING:
case CIM_ARRAY_DATETIME:
case CIM_ARRAY_REFERENCE:
// TODO
break;
case CIM_ARRAY_CHAR16:
offset += (sizeof(gint16) * array_count);
break;
case CIM_ARRAY_OBJECT:
{
for (guint32 i=0; i < array_count; i++){
gint32 objEncLength = tvb_get_guint32(tvb, offset, ENC_LITTLE_ENDIAN);
offset += objEncLength;
}
break;
}
default:
break;
}
} else {
// CimBaseType
switch(cimType){
case CIM_TYPE_SINT8:
{
proto_item *vitem = proto_tree_add_item(tree, hf_wmio_qualifiervalue, tvb, offset, -1, ENC_ASCII);
proto_item_set_text(vitem, "%s: %d", proto_registrar_get_name(hf_wmio_qualifiervalue), tvb_get_gint8(tvb, offset));
proto_item_set_len(vitem, 1);
offset+= 1;
}
break;
case CIM_TYPE_UINT8:
{
proto_item *vitem = proto_tree_add_item(tree, hf_wmio_qualifiervalue, tvb, offset, -1, ENC_ASCII);
proto_item_set_text(vitem, "%s: %u", proto_registrar_get_name(hf_wmio_qualifiervalue), tvb_get_gint8(tvb, offset));
proto_item_set_len(vitem, 1);
offset+= 1;
}
break;
case CIM_TYPE_SINT16:
case CIM_TYPE_CHAR16:
{
proto_item *vitem = proto_tree_add_item(tree, hf_wmio_qualifiervalue, tvb, offset, -1, ENC_ASCII);
proto_item_set_text(vitem, "%s: %d", proto_registrar_get_name(hf_wmio_qualifiervalue), tvb_get_gint16(tvb, offset, ENC_LITTLE_ENDIAN));
proto_item_set_len(vitem, 2);
offset+= 2;
}
break;
case CIM_TYPE_UINT16:
{
proto_item *vitem = proto_tree_add_item(tree, hf_wmio_qualifiervalue, tvb, offset, -1, ENC_ASCII);
proto_item_set_text(tree, "%s: %u", proto_registrar_get_name(hf_wmio_qualifiervalue), tvb_get_guint16(tvb, offset, ENC_LITTLE_ENDIAN));
proto_item_set_len(vitem, 2);
offset+= 2;
}
break;
case CIM_TYPE_SINT32:
{
proto_item *vitem = proto_tree_add_item(tree, hf_wmio_qualifiervalue, tvb, offset, -1, ENC_ASCII);
proto_item_set_text(vitem, "%s: %d", proto_registrar_get_name(hf_wmio_qualifiervalue), tvb_get_gint32(tvb, offset, ENC_LITTLE_ENDIAN));
proto_item_set_len(vitem, 4);
offset+= 4;
}
break;
case CIM_TYPE_UINT32:
{
proto_item *vitem = proto_tree_add_item(tree, hf_wmio_qualifiervalue, tvb, offset, -1, ENC_ASCII);
proto_item_set_text(vitem, "%s: %u", proto_registrar_get_name(hf_wmio_qualifiervalue), tvb_get_guint32(tvb, offset, ENC_LITTLE_ENDIAN));
proto_item_set_len(vitem, 4);
offset+= 4;
}
break;
case CIM_TYPE_SINT64:
{
proto_item *vitem = proto_tree_add_item(tree, hf_wmio_qualifiervalue, tvb, offset, -1, ENC_ASCII);
proto_item_set_text(vitem, "%s: %" PRIi64, proto_registrar_get_name(hf_wmio_qualifiervalue), tvb_get_gint64(tvb, offset, ENC_LITTLE_ENDIAN));
proto_item_set_len(vitem, 8);
offset+= 8;
}
break;
case CIM_TYPE_UINT64:
{
proto_item *vitem = proto_tree_add_item(tree, hf_wmio_qualifiervalue, tvb, offset, -1, ENC_ASCII);
proto_item_set_text(vitem, "%s: %" PRIu64, proto_registrar_get_name(hf_wmio_qualifiervalue), tvb_get_guint64(tvb, offset, ENC_LITTLE_ENDIAN));
proto_item_set_len(vitem, 8);
offset+= 8;
}
break;
case CIM_TYPE_REAL32:
{
proto_item *vitem = proto_tree_add_item(tree, hf_wmio_qualifiervalue, tvb, offset, -1, ENC_ASCII);
proto_item_set_text(vitem, "%s: %f", proto_registrar_get_name(hf_wmio_qualifiervalue), tvb_get_ieee_float(tvb, offset, ENC_LITTLE_ENDIAN));
proto_item_set_len(vitem, 4);
offset+= 4;
}
break;
case CIM_TYPE_REAL64:
{
proto_item *vitem = proto_tree_add_item(tree, hf_wmio_qualifiervalue, tvb, offset, -1, ENC_ASCII);
proto_item_set_text(vitem, "%s: %lf", proto_registrar_get_name(hf_wmio_qualifiervalue), tvb_get_ieee_double(tvb, offset, ENC_LITTLE_ENDIAN));
proto_item_set_len(vitem, 8);
offset+= 8;
}
break;
case CIM_TYPE_BOOLEAN:
{
proto_item *vitem = proto_tree_add_item(tree, hf_wmio_qualifiervalue, tvb, offset, -1, ENC_ASCII);
proto_item_set_text(vitem, "%s: %s", proto_registrar_get_name(hf_wmio_qualifiervalue), 0 != tvb_get_guint16(tvb, offset, ENC_LITTLE_ENDIAN) ? "TRUE" : "FALSE");
proto_item_set_len(vitem, 2);
offset+= 2;
}
break;
case CIM_TYPE_STRING:
case CIM_TYPE_DATETIME:
case CIM_TYPE_REFERENCE:
dissect_wmio_encoded_string(tvb, offset, hf_wmio_qualifiervalue, pinfo, tree, FALSE, classheapoffset);
offset+= 4;
break;
case CIM_TYPE_OBJECT:
{
gint32 objEncLength = tvb_get_guint32(tvb, offset, ENC_LITTLE_ENDIAN);
offset += objEncLength;
}
break;
default:
break;
}
}
proto_item_set_len(item, offset - old_offset);
return offset;
}
/* QualifierSet
* https://learn.microsoft.com/de-de/openspecs/windows_protocols/ms-wmio/224c7463-01df-4e09-bd71-650ec0b8adaf
* QualifierSet = EncodingLength *Qualifier
*/
static int
dissect_wmio_encoding_qualifierset(tvbuff_t *tvb, gint offset, packet_info *pinfo,
proto_tree *parent_tree, gint classheapoffset)
{
proto_item *item = NULL;
proto_tree *tree = NULL;
gint old_offset = offset;
guint32 length;
item = proto_tree_add_item(parent_tree, hf_wmio_qualifierset, tvb, offset, -1, ENC_NA);
tree = proto_item_add_subtree(item, ett_wmio_qualifierset);
proto_tree_add_item_ret_uint(tree, hf_wmio_qualifierset_length, tvb, offset, 4, ENC_LITTLE_ENDIAN, &length);
offset += 4;
while((guint32)offset < (old_offset + length)){
/* N.B. guaranteed to advance offset */
offset = dissect_wmio_qualifier(tvb, offset, pinfo, tree, classheapoffset);
}
proto_item_set_len(item, offset - old_offset);
return old_offset+length;
}
/* PropertyInfo
* https://learn.microsoft.com/de-de/openspecs/windows_protocols/ms-wmio/563356b2-7bc7-4016-a88b-6685d3e09b59
* PropertyInfo = PropertyType DeclarationOrder ValueTableOffset ClassOfOrigin PropertyQualifierSet
*/
static void
dissect_wmio_encoding_propertyinfo(tvbuff_t *tvb, gint offset, packet_info *pinfo,
proto_tree *parent_tree, gint classheapoffset)
{
proto_item *item = NULL;
proto_tree *tree = NULL;
guint32 propertyinfo_offset;
gint old_offset = 0;
item = proto_tree_add_item(parent_tree, hf_property_info, tvb, offset, -1, ENC_NA);
tree = proto_item_add_subtree(item, ett_property_info);
proto_tree_add_item_ret_uint(tree, hf_wmio_propertyinforef, tvb, offset, 4, ENC_LITTLE_ENDIAN, &propertyinfo_offset);
offset = classheapoffset + propertyinfo_offset;
old_offset = offset;
gint32 propType = tvb_get_guint32(tvb, offset, ENC_LITTLE_ENDIAN);
proto_tree_add_uint(tree, hf_wmio_cimtype, tvb, offset, 4, propType & 0x3FFF);
proto_tree_add_boolean(tree, hf_propertyinfo_inherited, tvb, offset, 4, propType);
offset += 4;
proto_tree_add_item(tree, hf_declaration_order, tvb, offset, 2, ENC_LITTLE_ENDIAN);
offset += 2;
proto_tree_add_item(tree, hf_propertyinfo_valuetableoffset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
offset += 4;
proto_tree_add_item(tree, hf_propertyinfo_classoforigin, tvb, offset, 4, ENC_LITTLE_ENDIAN);
offset += 4;
offset = dissect_wmio_encoding_qualifierset(tvb, offset, pinfo, tree, classheapoffset);
proto_item_set_len(item, offset - old_offset);
}
/* PropertyLookup
* https://learn.microsoft.com/de-de/openspecs/windows_protocols/ms-wmio/e401de4a-58fa-423b-89e0-4b832a99d0e9
* PropertyLookup = PropertyNameRef PropertyInfoRef
*/
static int
dissect_wmio_encoding_propertylookup(tvbuff_t *tvb, gint offset, packet_info *pinfo,
proto_tree *parent_tree, gint classheapoffset)
{
proto_item *item = NULL;
proto_tree *tree = NULL;
gint old_offset = offset;
item = proto_tree_add_item(parent_tree, hf_wmio_propertylookup, tvb, offset, -1, ENC_NA);
tree = proto_item_add_subtree(item, ett_wmio_propertylookup);
dissect_wmio_encoded_string(tvb, offset, hf_wmio_propertynameref, pinfo, tree, FALSE, classheapoffset);
offset += 4;
dissect_wmio_encoding_propertyinfo(tvb, offset, pinfo, tree, classheapoffset);
offset += 4;
proto_item_set_len(item, offset - old_offset);
return offset;
}
/* PropertyLookupTable
* https://learn.microsoft.com/de-de/openspecs/windows_protocols/ms-wmio/d4927ca8-b358-48eb-8879-a57ea4f090c3
* PropertyLookupTable = PropertyCount *PropertyLookup
*/
static int
dissect_wmio_encoding_propertylookuptable(tvbuff_t *tvb, gint offset, packet_info *pinfo,
proto_tree *parent_tree, guint32 *property_count, gint classheapoffset)
{
proto_item *item = NULL;
proto_tree *tree = NULL;
gint old_offset = offset;
guint32 count;
item = proto_tree_add_item(parent_tree, hf_wmio_propertylookuptable, tvb, offset, -1, ENC_NA);
tree = proto_item_add_subtree(item, ett_wmio_propertylookuptable);
// PropertyCount
proto_tree_add_item_ret_uint(tree, hf_wmio_propertylookuptable_count, tvb, offset, 4, ENC_LITTLE_ENDIAN, &count);
offset += 4;
for(guint32 i = 0; i < count; ++i){
offset = dissect_wmio_encoding_propertylookup(tvb, offset, pinfo, tree, classheapoffset);
}
*property_count = count;
proto_item_set_len(item, offset - old_offset);
return offset;
}
/* ClassPart
* https://learn.microsoft.com/de-de/openspecs/windows_protocols/ms-wmio/06ec93f3-b4df-4f7e-b2ba-090cd435becc
* ClassPart = ClassHeader DerivationList ClassQualifierSet PropertyLookupTable [NdTable ValueTable] ClassHeap
*/
static int
dissect_wmio_encoding_classpart(tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *parent_tree)
{
proto_item *item = NULL;
proto_tree *tree = NULL;
gint old_offset = offset;
gint classheapoffset = 0;
guint32 partlength, ndLength;
guint32 property_count;
item = proto_tree_add_item(parent_tree, hf_wmio_class_part, tvb, offset, -1, ENC_NA);
tree = proto_item_add_subtree(item, ett_wmio_class_part);
{
/* Jump through the various structures to find the heap offset. */
guint32 derivationListLength = tvb_get_guint32(tvb, offset + CLASS_HEADER_LENGTH, ENC_LITTLE_ENDIAN);
guint32 classQualifierSetLength = tvb_get_guint32(tvb, offset + CLASS_HEADER_LENGTH + derivationListLength, ENC_LITTLE_ENDIAN);
guint32 propertyLookupTableLength = 4 + 8 * tvb_get_guint32(tvb, offset + CLASS_HEADER_LENGTH + derivationListLength + classQualifierSetLength, ENC_LITTLE_ENDIAN);
guint32 ndTableLength = tvb_get_guint32(tvb, offset + (CLASS_HEADER_LENGTH - 4), ENC_LITTLE_ENDIAN);
classheapoffset = offset /* Starting offset */
+ CLASS_HEADER_LENGTH /* ClassHeader */
+ derivationListLength /* DerivationList */
+ classQualifierSetLength /* ClassQualifierSet */
+ propertyLookupTableLength /* PropertyLookupTable */
+ ndTableLength; /* NdTable */
}
offset = dissect_wmio_encoding_classheader(tvb, offset, pinfo, tree, &partlength, &ndLength, classheapoffset+4);
offset = dissect_wmio_encoding_derivationlist(tvb, offset, pinfo, tree);
offset = dissect_wmio_encoding_qualifierset(tvb, offset, pinfo, tree,classheapoffset+4);
offset = dissect_wmio_encoding_propertylookuptable(tvb, offset, pinfo, tree, &property_count, classheapoffset+4);
if(ndLength > 0){
proto_tree_add_item(tree, hf_wmio_ndtable, tvb, offset, ndLength, ENC_NA);
offset += ndLength;
}
{
proto_item *heapitem = NULL;
proto_tree *heaptree = NULL;
heapitem = proto_tree_add_item(tree, hf_wmio_heap, tvb, offset, -1, ENC_NA);
heaptree = proto_item_add_subtree(heapitem, ett_wmio_heap);
gint32 heaplength = 0x7FFFFFFF & tvb_get_guint32(tvb, offset, ENC_LITTLE_ENDIAN);
proto_tree_add_uint(heaptree, hf_wmio_heap_length, tvb, offset, 4, heaplength);
proto_item_set_len(heapitem, heaplength);
}
proto_item_set_len(item, partlength);
return old_offset + partlength;
}
/* ClassHeader
* https://learn.microsoft.com/de-de/openspecs/windows_protocols/ms-wmio/b179b579-9585-47b8-bef8-8fdca9f5a94d
* ClassHeader = EncodingLength ReservedOctet ClassNameRef NdTableValueTableLength
*/
static int
dissect_wmio_encoding_classheader(tvbuff_t *tvb, gint offset, packet_info *pinfo,
proto_tree *parent_tree, guint32 *pPartlength, guint32 *pNdLength, gint classheapoffset)
{
proto_item *item = NULL;
proto_tree *tree = NULL;
gint old_offset = offset;
guint32 partlength, length;
item = proto_tree_add_item(parent_tree, hf_wmio_class_header, tvb, offset, -1, ENC_NA);
tree = proto_item_add_subtree(item, ett_wmio_class_header);
proto_tree_add_item_ret_uint(tree, hf_wmio_class_header_partlength, tvb, offset, 4, ENC_LITTLE_ENDIAN, &partlength);
offset+= 4;
*pPartlength = partlength;
// ReservedOctet
offset+= 1;
dissect_wmio_encoded_string(tvb, offset, hf_wmio_class_header_nameref, pinfo, tree, FALSE, classheapoffset);
offset+= 4;
proto_tree_add_item_ret_uint(tree, hf_wmio_class_header_ndtablevaluetablelength, tvb, offset, 4, ENC_LITTLE_ENDIAN, &length);
offset+= 4;
*pNdLength = length;
proto_item_set_len(item, offset-old_offset);
return offset;
}
/* DerivationList
* https://learn.microsoft.com/de-de/openspecs/windows_protocols/ms-wmio/3bfbcac6-318c-4b0a-ab87-13bfbc86f36f
* DerivationList = EncodingLength *ClassNameEncoding
*/
static int
dissect_wmio_encoding_derivationlist(tvbuff_t *tvb, gint offset, packet_info *pinfo,
proto_tree *parent_tree)
{
proto_item *item = NULL;
proto_tree *tree = NULL;
gint old_offset = offset;
guint32 length;
item = proto_tree_add_item(parent_tree, hf_wmio_class_derivation, tvb, offset, -1, ENC_NA);
tree = proto_item_add_subtree(item, ett_wmio_class_derivation);
proto_tree_add_item_ret_uint(tree, hf_wmio_class_derivation_length, tvb, offset, 4, ENC_LITTLE_ENDIAN, &length);
offset+= 4;
while((guint32)offset < (old_offset + length)) {
/* Offset is guaranteed to increase here as heapoffset (last arg) is 0 */
offset = dissect_wmio_encoded_string(tvb, offset, hf_wmio_derivation_classname, pinfo, tree, TRUE, 0);
}
proto_item_set_len(item, length);
return offset;
}
/* MethodSignature
* https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wmio/a9d7c0d1-f99a-4762-b460-e881a8c7d566
* MethodSignature = HeapMethodSignatureBlockRef
*/
static void
dissect_wmio_encoding_methodsignature(tvbuff_t *tvb, gint offset, packet_info *pinfo,
proto_tree *parent_tree, int hfindex, gint methodsheapoffset)
{
proto_item *item = NULL;
proto_tree *tree = NULL;
gint old_offset = 0;
gint32 signatureHeapOffset = tvb_get_guint32(tvb, offset, ENC_LITTLE_ENDIAN);
old_offset = methodsheapoffset + signatureHeapOffset;
item = proto_tree_add_item(parent_tree, hfindex, tvb, old_offset, -1, ENC_NA);
tree = proto_item_add_subtree(item, ett_methodsignature);
proto_tree_add_item(tree, hf_methodsignature_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
offset = old_offset;
proto_tree_add_item(tree, hf_wmio_objectencodinglength, tvb, offset, 4, ENC_LITTLE_ENDIAN);
offset+= 4;
offset = dissect_wmio_objectblock(tvb, offset, pinfo, tree);
proto_item_set_len(item, offset - old_offset);
}
/* MethodDescription
* https://learn.microsoft.com/de-de/openspecs/windows_protocols/ms-wmio/8c81e4fa-634a-469f-8434-4ef87f2f256e
* MethodDescription = MethodName MethodFlags MethodPadding MethodOrigin MethodQualifiers InputSignature OutputSignature
*/
static int
dissect_wmio_encoding_methodpart_methoddescription(tvbuff_t *tvb, gint offset, packet_info *pinfo,
proto_tree *parent_tree, gint methodsheapoffset)
{
proto_item *item = NULL;
proto_tree *tree = NULL;
gint old_offset = offset;
item = proto_tree_add_item(parent_tree, hf_methodspart_methoddescription, tvb, offset, -1, ENC_NA);
tree = proto_item_add_subtree(item, ett_methodspart_methoddescription);
dissect_wmio_encoded_string(tvb, offset, hf_methoddescription_methodname, pinfo, tree, FALSE, methodsheapoffset);
offset+= 4;
proto_tree_add_item(tree, hf_methoddescription_methodflags, tvb, offset, 1, ENC_LITTLE_ENDIAN);
offset+= 1;
// MethodPadding
offset+= 3;
proto_tree_add_item(tree, hf_methoddescription_methodorigin, tvb, offset, 4, ENC_LITTLE_ENDIAN);
offset+= 4;
proto_tree_add_item(tree, hf_methoddescription_methodqualifiers, tvb, offset, 4, ENC_LITTLE_ENDIAN);
offset+= 4;
dissect_wmio_encoding_methodsignature(tvb, offset, pinfo, tree, hf_methoddescription_inputsignature, methodsheapoffset);
offset+= 4;
dissect_wmio_encoding_methodsignature(tvb, offset, pinfo, tree, hf_methoddescription_outputsignature, methodsheapoffset);
offset+= 4;
proto_item_set_len(item, offset - old_offset);
return offset;
}
static int
dissect_wmio_encoding_methodpart_methods(tvbuff_t *tvb, gint offset, packet_info *pinfo,
proto_tree *parent_tree, guint32 methodscount, gint methodsheapoffset)
{
proto_item *item = NULL;
proto_tree *tree = NULL;
gint old_offset = offset;
item = proto_tree_add_item(parent_tree, hf_methodspart_methods, tvb, offset, -1, ENC_NA);
tree = proto_item_add_subtree(item, ett_methodspart_methods);
for(guint32 methodi = 0; methodi < methodscount; ++methodi){
offset = dissect_wmio_encoding_methodpart_methoddescription(tvb, offset, pinfo, tree, methodsheapoffset);
}
proto_item_set_len(item, offset - old_offset);
return offset;
}
/* MethodsPart
* https://learn.microsoft.com/de-de/openspecs/windows_protocols/ms-wmio/e00d7c6c-fa1e-4b1d-85c5-5a91a5d71299
* MethodsPart = EncodingLength MethodCount MethodCountPadding *MethodDescription MethodHeap
*/
static int
dissect_wmio_encoding_methodpart(tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *parent_tree)
{
proto_item *item = NULL;
proto_tree *tree = NULL;
gint old_offset = offset;
guint32 length;
guint32 methodscount;
item = proto_tree_add_item(parent_tree, hf_methodspart, tvb, offset, -1, ENC_NA);
tree = proto_item_add_subtree(item, ett_methodspart);
proto_tree_add_item_ret_uint(tree, hf_methodspart_length, tvb, offset, 4, ENC_LITTLE_ENDIAN, &length);
offset+= 4;
proto_tree_add_item_ret_uint(tree, hf_methodspart_methodcount, tvb, offset, 2, ENC_LITTLE_ENDIAN, &methodscount);
offset+= 2;
// MethodCountPadding
offset+= 2;
if(methodscount > 0){
gint methodsHeapOffset = offset + (methodscount * 24);
methodsHeapOffset += 4;
offset = dissect_wmio_encoding_methodpart_methods(tvb, offset, pinfo, tree, methodscount, methodsHeapOffset);
}
{
proto_item *heapitem = NULL;
proto_tree *heaptree = NULL;
heapitem = proto_tree_add_item(tree, hf_wmio_heap, tvb, offset, -1, ENC_NA);
heaptree = proto_item_add_subtree(heapitem, ett_wmio_heap);
gint32 heaplength = 0x7FFFFFFF & tvb_get_guint32(tvb, offset, ENC_LITTLE_ENDIAN);
proto_tree_add_uint(heaptree, hf_wmio_heap_length, tvb, offset, 4, heaplength);
proto_item_set_len(heapitem, heaplength);
}
proto_item_set_len(item, length);
return old_offset+length;
}
static int
dissect_wmio(tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree, dcerpc_info *di _U_, guint8 *drep _U_, gint size)
{
proto_item *sub_item;
proto_tree *sub_tree;
int old_offset = offset;
guint32 signature;
sub_item = proto_tree_add_item(tree, hf_wmio, tvb, offset, size, ENC_NA);
sub_tree = proto_item_add_subtree(sub_item, ett_wmio);
proto_tree_add_item_ret_uint(sub_tree, hf_wmio_signature, tvb, offset, 4, ENC_LITTLE_ENDIAN, &signature);
offset+= 4;
if (signature != wmio_signature){
return old_offset + size;
}
proto_tree_add_item(sub_tree, hf_wmio_objectencodinglength, tvb, offset, 4, ENC_LITTLE_ENDIAN);
offset+= 4;
dissect_wmio_objectblock(tvb, offset, pinfo, sub_tree);
return old_offset + size;
}
void
register_dcom_wmio (void)
{
dcom_register_routine(dissect_wmio, &iid_WMIO);
}
void
proto_register_WMIO (void)
{
proto_WMIO = proto_register_protocol ("WMIO", "WMIO", "WMIO");
proto_register_field_array (proto_WMIO, hf, array_length (hf));
proto_register_subtree_array (ett, array_length (ett));
}
Reference in New Issue View Git Blame Copy Permalink