/* packet-dcerpc-reg.c
* Routines for SMB \PIPE\winreg packet disassembly
- * Copyright 2001, 2002 Tim Potter <tpot@samba.org>
+ * Copyright 2001-2003 Tim Potter <tpot@samba.org>
*
- * $Id: packet-dcerpc-reg.c,v 1.7 2002/07/05 07:07:34 tpot Exp $
+ * $Id: packet-dcerpc-reg.c,v 1.16 2003/04/21 01:13:41 guy Exp $
*
* Ethereal - Network traffic analyzer
* By Gerald Combs <gerald@ethereal.com>
* Copyright 1998 Gerald Combs
- *
+ *
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
- *
+ *
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
- *
+ *
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
static int hf_querykey_max_valname_len = -1;
static int hf_querykey_max_valbuf_size = -1;
static int hf_querykey_secdesc = -1;
+static int hf_querykey_modtime = -1;
+
+/* OpenEntry */
+
+static int hf_keyname = -1;
+static int hf_openentry_unknown1 = -1;
+
+/* Unknown 0x1A */
+
+static int hf_unknown1A_unknown1 = -1;
/* Data that is passed to a open call */
* OpenHKLM
*/
-static int
+static int
RegOpenHKLM_q(tvbuff_t *tvb, int offset, packet_info *pinfo,
proto_tree *tree, char *drep)
{
- dcerpc_info *di = (dcerpc_info *)pinfo->private_data;
- dcerpc_call_value *dcv = (dcerpc_call_value *)di->call_data;
-
- if (dcv->rep_frame != 0)
- proto_tree_add_text(tree, tvb, offset, 0,
- "Reply in frame %u", dcv->rep_frame);
-
/* Parse packet */
offset = dissect_ndr_pointer(
tvb, offset, pinfo, tree, drep,
dissect_open_data,
- NDR_POINTER_UNIQUE, "Unknown", -1, 0);
+ NDR_POINTER_UNIQUE, "Unknown", -1);
dcerpc_smb_check_long_frame(tvb, offset, pinfo, tree);
return offset;
-}
+}
-static int
+static int
RegOpenHKLM_r(tvbuff_t *tvb, int offset, packet_info *pinfo,
proto_tree *tree, char *drep)
{
- dcerpc_info *di = (dcerpc_info *)pinfo->private_data;
- dcerpc_call_value *dcv = (dcerpc_call_value *)di->call_data;
e_ctx_hnd policy_hnd;
- if (dcv->req_frame != 0)
- proto_tree_add_text(tree, tvb, offset, 0,
- "Request in frame %u", dcv->req_frame);
-
/* Parse packet */
offset = dissect_nt_policy_hnd(
dcerpc_smb_check_long_frame(tvb, offset, pinfo, tree);
return offset;
-}
+}
/*
* OpenHKU
*/
-static int
+static int
RegOpenHKU_q(tvbuff_t *tvb, int offset, packet_info *pinfo,
proto_tree *tree, char *drep)
{
- dcerpc_info *di = (dcerpc_info *)pinfo->private_data;
- dcerpc_call_value *dcv = (dcerpc_call_value *)di->call_data;
-
- if (dcv->rep_frame != 0)
- proto_tree_add_text(tree, tvb, offset, 0,
- "Reply in frame %u", dcv->rep_frame);
-
/* Parse packet */
offset = dissect_ndr_pointer(
tvb, offset, pinfo, tree, drep,
dissect_open_data,
- NDR_POINTER_UNIQUE, "Unknown", -1, 0);
+ NDR_POINTER_UNIQUE, "Unknown", -1);
dcerpc_smb_check_long_frame(tvb, offset, pinfo, tree);
return offset;
-}
+}
-static int
+static int
RegOpenHKU_r(tvbuff_t *tvb, int offset, packet_info *pinfo,
proto_tree *tree, char *drep)
{
- dcerpc_info *di = (dcerpc_info *)pinfo->private_data;
- dcerpc_call_value *dcv = (dcerpc_call_value *)di->call_data;
e_ctx_hnd policy_hnd;
- if (dcv->req_frame != 0)
- proto_tree_add_text(tree, tvb, offset, 0,
- "Request in frame %u", dcv->req_frame);
-
/* Parse packet */
offset = dissect_nt_policy_hnd(
dcerpc_smb_check_long_frame(tvb, offset, pinfo, tree);
return offset;
-}
+}
/*
* OpenHKCR
*/
-static int
+static int
RegOpenHKCR_q(tvbuff_t *tvb, int offset, packet_info *pinfo,
proto_tree *tree, char *drep)
{
- dcerpc_info *di = (dcerpc_info *)pinfo->private_data;
- dcerpc_call_value *dcv = (dcerpc_call_value *)di->call_data;
-
- if (dcv->rep_frame != 0)
- proto_tree_add_text(tree, tvb, offset, 0,
- "Reply in frame %u", dcv->rep_frame);
-
/* Parse packet */
offset = dissect_ndr_pointer(
tvb, offset, pinfo, tree, drep,
dissect_open_data,
- NDR_POINTER_UNIQUE, "Unknown", -1, 0);
+ NDR_POINTER_UNIQUE, "Unknown", -1);
dcerpc_smb_check_long_frame(tvb, offset, pinfo, tree);
return offset;
-}
+}
-static int
+static int
RegOpenHKCR_r(tvbuff_t *tvb, int offset, packet_info *pinfo,
proto_tree *tree, char *drep)
{
- dcerpc_info *di = (dcerpc_info *)pinfo->private_data;
- dcerpc_call_value *dcv = (dcerpc_call_value *)di->call_data;
e_ctx_hnd policy_hnd;
- if (dcv->req_frame != 0)
- proto_tree_add_text(tree, tvb, offset, 0,
- "Request in frame %u", dcv->req_frame);
-
/* Parse packet */
offset = dissect_nt_policy_hnd(
dcerpc_smb_check_long_frame(tvb, offset, pinfo, tree);
return offset;
-}
+}
/*
* RegClose
*/
-static int
+static int
RegClose_q(tvbuff_t *tvb, int offset, packet_info *pinfo,
proto_tree *tree, char *drep)
{
- dcerpc_info *di = (dcerpc_info *)pinfo->private_data;
- dcerpc_call_value *dcv = (dcerpc_call_value *)di->call_data;
-
- if (dcv->rep_frame != 0)
- proto_tree_add_text(tree, tvb, offset, 0,
- "Reply in frame %u", dcv->rep_frame);
-
/* Parse packet */
offset = dissect_nt_policy_hnd(
dcerpc_smb_check_long_frame(tvb, offset, pinfo, tree);
return offset;
-}
+}
-static int
+static int
RegClose_r(tvbuff_t *tvb, int offset, packet_info *pinfo,
proto_tree *tree, char *drep)
{
- dcerpc_info *di = (dcerpc_info *)pinfo->private_data;
- dcerpc_call_value *dcv = (dcerpc_call_value *)di->call_data;
-
- if (dcv->req_frame != 0)
- proto_tree_add_text(tree, tvb, offset, 0,
- "Request in frame %u", dcv->req_frame);
-
/* Parse packet */
offset = dissect_nt_policy_hnd(
dcerpc_smb_check_long_frame(tvb, offset, pinfo, tree);
return offset;
-}
+}
/*
* RegQueryKey
*/
-static int
+static int
RegQueryKey_q(tvbuff_t *tvb, int offset, packet_info *pinfo,
proto_tree *tree, char *drep)
{
- dcerpc_info *di = (dcerpc_info *)pinfo->private_data;
- dcerpc_call_value *dcv = (dcerpc_call_value *)di->call_data;
-
- if (dcv->rep_frame != 0)
- proto_tree_add_text(tree, tvb, offset, 0,
- "Reply in frame %u", dcv->rep_frame);
-
/* Parse packet */
offset = dissect_nt_policy_hnd(
tvb, offset, pinfo, tree, drep,
hf_hnd, NULL, FALSE, FALSE);
- offset = dissect_ndr_nt_UNICODE_STRING(
+ offset = dissect_ndr_counted_string(
tvb, offset, pinfo, tree, drep, hf_querykey_class, 0);
dcerpc_smb_check_long_frame(tvb, offset, pinfo, tree);
return offset;
-}
+}
-static int
+static int
RegQueryKey_r(tvbuff_t *tvb, int offset, packet_info *pinfo,
proto_tree *tree, char *drep)
{
- dcerpc_info *di = (dcerpc_info *)pinfo->private_data;
- dcerpc_call_value *dcv = (dcerpc_call_value *)di->call_data;
-
- if (dcv->req_frame != 0)
- proto_tree_add_text(tree, tvb, offset, 0,
- "Request in frame %u", dcv->req_frame);
-
/* Parse packet */
- offset = dissect_ndr_nt_UNICODE_STRING(
+ offset = dissect_ndr_counted_string(
tvb, offset, pinfo, tree, drep, hf_querykey_class, 0);
offset = dissect_ndr_uint32(
tvb, offset, pinfo, tree, drep,
hf_querykey_secdesc, NULL);
- /* FIXME: do time properly */
+ offset = dissect_ndr_nt_NTTIME(
+ tvb, offset, pinfo, tree, drep, hf_querykey_modtime);
+
+ offset = dissect_ntstatus(
+ tvb, offset, pinfo, tree, drep, hf_rc, NULL);
+
+ dcerpc_smb_check_long_frame(tvb, offset, pinfo, tree);
+
+ return offset;
+}
+
+/*
+ * OpenEntry
+ */
+
+static int
+RegOpenEntry_q(tvbuff_t *tvb, int offset, packet_info *pinfo,
+ proto_tree *tree, char *drep)
+{
+ /* Parse packet */
+
+ offset = dissect_nt_policy_hnd(
+ tvb, offset, pinfo, tree, drep,
+ hf_hnd, NULL, FALSE, FALSE);
+
+ offset = dissect_ndr_counted_string(
+ tvb, offset, pinfo, tree, drep, hf_querykey_class, 0);
+
+ offset = dissect_ndr_uint32(
+ tvb, offset, pinfo, tree, drep,
+ hf_openentry_unknown1, NULL);
+
+ offset = dissect_ndr_uint32(
+ tvb, offset, pinfo, tree, drep,
+ hf_access_mask, NULL);
- proto_tree_add_text(tree, tvb, offset, 8, "Mod time");
- offset += 8;
+ dcerpc_smb_check_long_frame(tvb, offset, pinfo, tree);
+
+ return offset;
+}
+
+static int
+RegOpenEntry_r(tvbuff_t *tvb, int offset, packet_info *pinfo,
+ proto_tree *tree, char *drep)
+{
+ e_ctx_hnd policy_hnd;
+
+ /* Parse packet */
+
+ offset = dissect_nt_policy_hnd(
+ tvb, offset, pinfo, tree, drep,
+ hf_hnd, &policy_hnd, TRUE, FALSE);
+
+ dcerpc_smb_store_pol_name(&policy_hnd, "OpenEntry handle");
+
+ offset = dissect_ntstatus(
+ tvb, offset, pinfo, tree, drep, hf_rc, NULL);
+
+ dcerpc_smb_check_long_frame(tvb, offset, pinfo, tree);
+
+ return offset;
+}
+
+/*
+ * Unknown1A
+ */
+
+static int
+RegUnknown1A_q(tvbuff_t *tvb, int offset, packet_info *pinfo,
+ proto_tree *tree, char *drep)
+{
+ /* Parse packet */
+
+ offset = dissect_nt_policy_hnd(
+ tvb, offset, pinfo, tree, drep,
+ hf_hnd, NULL, FALSE, FALSE);
+
+ dcerpc_smb_check_long_frame(tvb, offset, pinfo, tree);
+
+ return offset;
+}
+
+static int
+RegUnknown1A_r(tvbuff_t *tvb, int offset, packet_info *pinfo,
+ proto_tree *tree, char *drep)
+{
+ /* Parse packet */
+
+ offset = dissect_ndr_uint32(
+ tvb, offset, pinfo, tree, drep,
+ hf_unknown1A_unknown1, NULL);
offset = dissect_ntstatus(
tvb, offset, pinfo, tree, drep, hf_rc, NULL);
dcerpc_smb_check_long_frame(tvb, offset, pinfo, tree);
return offset;
-}
+}
+
+/*
+ * EnumKey
+ */
+
+static int
+RegEnumKey_q(tvbuff_t *tvb, int offset, packet_info *pinfo,
+ proto_tree *tree, char *drep)
+{
+ /* Parse packet */
+
+ offset = dissect_nt_policy_hnd(
+ tvb, offset, pinfo, tree, drep,
+ hf_hnd, NULL, FALSE, FALSE);
+
+ dcerpc_smb_check_long_frame(tvb, offset, pinfo, tree);
+
+ return offset;
+}
+
+static int
+RegEnumKey_r(tvbuff_t *tvb, int offset, packet_info *pinfo,
+ proto_tree *tree, char *drep)
+{
+ /* Parse packet */
+
+ offset = dissect_ntstatus(
+ tvb, offset, pinfo, tree, drep, hf_rc, NULL);
+
+ dcerpc_smb_check_long_frame(tvb, offset, pinfo, tree);
+
+ return offset;
+}
#if 0
* FOO
*/
-static int
+static int
RegFoo_q(tvbuff_t *tvb, int offset, packet_info *pinfo,
proto_tree *tree, char *drep)
{
dcerpc_info *di = (dcerpc_info *)pinfo->private_data;
- dcerpc_call_value *dcv = (dcerpc_call_value *)di->call_data;
-
- if (dcv->rep_frame != 0)
- proto_tree_add_text(tree, tvb, offset, 0,
- "Reply in frame %u", dcv->rep_frame);
/* Parse packet */
dcerpc_smb_check_long_frame(tvb, offset, pinfo, tree);
return offset;
-}
+}
-static int
+static int
RegFoo_r(tvbuff_t *tvb, int offset, packet_info *pinfo,
proto_tree *tree, char *drep)
{
dcerpc_info *di = (dcerpc_info *)pinfo->private_data;
- dcerpc_call_value *dcv = (dcerpc_call_value *)di->call_data;
-
- if (dcv->req_frame != 0)
- proto_tree_add_text(tree, tvb, offset, 0,
- "Request in frame %u", dcv->req_frame);
/* Parse packet */
dcerpc_smb_check_long_frame(tvb, offset, pinfo, tree);
return offset;
-}
+}
#endif
/* Registry data types */
const value_string reg_datatypes[] = {
- { REG_NONE, "REG_NONE" },
- { REG_SZ, "REG_SZ" },
- { REG_EXPAND_SZ, "REG_EXPAND_SZ" },
- { REG_BINARY, "REG_BINARY" },
- { REG_DWORD, "REG_DWORD" },
- { REG_DWORD_LE, "REG_DWORD_LE" },
- { REG_DWORD_BE, "REG_DWORD_BE" },
- { REG_LINK, "REG_LINK" },
- { REG_MULTI_SZ, "REG_MULTI_SZ" },
- { REG_RESOURCE_LIST, "REG_RESOURCE_LIST" },
- { REG_FULL_RESOURCE_DESCRIPTOR, "REG_FULL_RESOURCE_DESCRIPTOR" },
- { REG_RESOURCE_REQUIREMENTS_LIST, "REG_RESOURCE_REQUIREMENTS_LIST" },
+ { DCERPC_REG_NONE, "REG_NONE" },
+ { DCERPC_REG_SZ, "REG_SZ" },
+ { DCERPC_REG_EXPAND_SZ, "REG_EXPAND_SZ" },
+ { DCERPC_REG_BINARY, "REG_BINARY" },
+ { DCERPC_REG_DWORD, "REG_DWORD" },
+ { DCERPC_REG_DWORD_LE, "REG_DWORD_LE" },
+ { DCERPC_REG_DWORD_BE, "REG_DWORD_BE" },
+ { DCERPC_REG_LINK, "REG_LINK" },
+ { DCERPC_REG_MULTI_SZ, "REG_MULTI_SZ" },
+ { DCERPC_REG_RESOURCE_LIST, "REG_RESOURCE_LIST" },
+ { DCERPC_REG_FULL_RESOURCE_DESCRIPTOR, "REG_FULL_RESOURCE_DESCRIPTOR" },
+ { DCERPC_REG_RESOURCE_REQUIREMENTS_LIST, "REG_RESOURCE_REQUIREMENTS_LIST" },
{0, NULL }
};
{ REG_CREATE_KEY, "CreateKey", NULL, NULL },
{ REG_DELETE_KEY, "DeleteKey", NULL, NULL },
{ REG_DELETE_VALUE, "DeleteValue", NULL, NULL },
- { REG_ENUM_KEY, "EnumKey", NULL, NULL },
+ { REG_ENUM_KEY, "EnumKey", RegEnumKey_q, RegEnumKey_r },
{ REG_ENUM_VALUE, "EnumValue", NULL, NULL },
{ REG_FLUSH_KEY, "FlushKey", NULL, NULL },
{ REG_GET_KEY_SEC, "GetKeySecurity", NULL, NULL },
{ _REG_UNK_0D, "Unknown0d", NULL, NULL },
{ _REG_UNK_0E, "Unknown0e", NULL, NULL },
- { REG_OPEN_ENTRY, "OpenEntry", NULL, NULL },
+ { REG_OPEN_ENTRY, "OpenEntry", RegOpenEntry_q, RegOpenEntry_r },
{ REG_QUERY_KEY, "QueryKey", RegQueryKey_q, RegQueryKey_r },
{ REG_INFO, "Info", NULL, NULL },
{ _REG_UNK_12, "Unknown12", NULL, NULL },
{ _REG_UNK_17, "Unknown17", NULL, NULL },
{ REG_SHUTDOWN, "Shutdown", NULL, NULL },
{ REG_ABORT_SHUTDOWN, "AbortShutdown", NULL, NULL },
- { REG_UNK_1A, "Unknown1A", NULL, NULL },
+ { _REG_UNK_1A, "Unknown1A", RegUnknown1A_q, RegUnknown1A_r },
{ 0, NULL, NULL, NULL }
};
{ _REG_UNK_17, "Unknown17" },
{ REG_SHUTDOWN, "Shutdown" },
{ REG_ABORT_SHUTDOWN, "AbortShutdown" },
- { REG_UNK_1A, "Unknown1A" },
+ { _REG_UNK_1A, "Unknown1A" },
{ 0, NULL }
};
-void
+void
proto_register_dcerpc_reg(void)
{
static hf_register_info hf[] = {
/* Global indexes */
{ &hf_hnd,
- { "Context handle", "reg.hnd", FT_BYTES, BASE_NONE,
+ { "Context handle", "reg.hnd", FT_BYTES, BASE_NONE,
NULL, 0x0, "REG policy handle", HFILL }},
{ &hf_rc,
- { "Return code", "reg.rc", FT_UINT32, BASE_HEX,
+ { "Return code", "reg.rc", FT_UINT32, BASE_HEX,
VALS(NT_errors), 0x0, "REG return code", HFILL }},
{ &hf_reg_opnum,
/* OpenHKLM */
{ &hf_openhklm_unknown1,
- { "Unknown 1", "reg.openhklm.unknown1", FT_UINT16, BASE_DEC,
+ { "Unknown 1", "reg.openhklm.unknown1", FT_UINT16, BASE_HEX,
NULL, 0x0, "Unknown 1", HFILL }},
{ &hf_openhklm_unknown2,
- { "Unknown 2", "reg.openhklm.unknown2", FT_UINT16, BASE_DEC,
+ { "Unknown 2", "reg.openhklm.unknown2", FT_UINT16, BASE_HEX,
NULL, 0x0, "Unknown 2", HFILL }},
-
+
/* QueryClass */
{ &hf_querykey_class,
{ "Secdesc", "reg.querykey.secdesc", FT_UINT32, BASE_DEC,
NULL, 0x0, "Secdesc", HFILL }},
+ { &hf_querykey_modtime,
+ { "Mod time", "reg.querykey.modtime", FT_ABSOLUTE_TIME, BASE_NONE,
+ NULL, 0x0, "Secdesc", HFILL }},
+
+ /* OpenEntry */
+
+ { &hf_keyname,
+ { "Key name", "reg.keyname", FT_STRING, BASE_NONE,
+ NULL, 0x0, "Keyname", HFILL }},
+
+ { &hf_openentry_unknown1,
+ { "Unknown 1", "reg.openentry.unknown1", FT_UINT32, BASE_HEX,
+ NULL, 0x0, "Unknown 1", HFILL }},
+
+ /* Unknown1A */
+
+ { &hf_unknown1A_unknown1,
+ { "Unknown 1", "reg.unknown1A.unknown1", FT_UINT32, BASE_HEX,
+ NULL, 0x0, "Unknown 1", HFILL }},
+
};
static gint *ett[] = {
};
proto_dcerpc_reg = proto_register_protocol(
- "Microsoft Registry", "REG", "reg");
+ "Microsoft Registry", "WINREG", "winreg");
proto_register_field_array(proto_dcerpc_reg, hf, array_length(hf));