28 lines
883 B
INI
28 lines
883 B
INI
# Conformance file for EFS
|
|
|
|
#
|
|
# policyhandle tracking
|
|
# This block is to specify where a policyhandle is opened and where it is
|
|
# closed so that policyhandles when dissected contain nice info such as
|
|
# [opened in xxx] [closed in yyy]
|
|
#
|
|
# Policyhandles are opened in these functions
|
|
PARAM_VALUE efs_dissect_element_EfsRpcOpenFileRaw_pvContext_ PIDL_POLHND_OPEN
|
|
# Policyhandles are closed in these functions
|
|
PARAM_VALUE efs_dissect_element_EfsRpcCloseRaw_pvContext_ PIDL_POLHND_CLOSE
|
|
|
|
CODE START
|
|
static int
|
|
efs_dissect_struct_dom_sid(tvbuff_t *tvb, int offset, packet_info *pinfo _U_, proto_tree *tree, dcerpc_info* di, guint8 *drep _U_, int hf_index _U_, guint32 param _U_)
|
|
{
|
|
if(di->conformant_run){
|
|
/* just a run to handle conformant arrays, no scalars to dissect */
|
|
return offset;
|
|
}
|
|
|
|
offset=dissect_nt_sid(tvb, offset, tree, "SID", NULL, -1);
|
|
return offset;
|
|
}
|
|
|
|
CODE END
|