1 /* packet-dcerpc-svcctl.c
2 * Routines for SMB \PIPE\svcctl packet disassembly
3 * Copyright 2003, Tim Potter <tpot@samba.org>
4 * Copyright 2003, Ronnie Sahlberg, added function dissectors
5 * Copyright 2010, Brett Kuskie <fullaxx@gmail.com>
7 * Wireshark - Network traffic analyzer
8 * By Gerald Combs <gerald@wireshark.org>
9 * Copyright 1998 Gerald Combs
11 * This program is free software; you can redistribute it and/or
12 * modify it under the terms of the GNU General Public License
13 * as published by the Free Software Foundation; either version 2
14 * of the License, or (at your option) any later version.
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, write to the Free Software
23 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
28 #include <epan/packet.h>
29 #include "packet-dcerpc.h"
30 #include "packet-dcerpc-svcctl.h"
31 #include "packet-dcerpc-nt.h"
32 #include "packet-windows-common.h"
34 void proto_register_dcerpc_svcctl(void);
35 void proto_reg_handoff_dcerpc_svcctl(void);
37 static int proto_dcerpc_svcctl = -1;
38 static int hf_svcctl_opnum = -1;
39 static int hf_svcctl_machinename = -1;
40 static int hf_svcctl_database = -1;
41 static int hf_svcctl_access_mask = -1;
42 static int hf_svcctl_scm_rights_connect = -1;
43 static int hf_svcctl_scm_rights_create_service = -1;
44 static int hf_svcctl_scm_rights_enumerate_service = -1;
45 static int hf_svcctl_scm_rights_lock = -1;
46 static int hf_svcctl_scm_rights_query_lock_status = -1;
47 static int hf_svcctl_scm_rights_modify_boot_config = -1;
48 static int hf_svcctl_hnd = -1;
49 static int hf_svcctl_lock = -1;
50 static int hf_svcctl_rc = -1;
51 static int hf_svcctl_size = -1;
52 static int hf_svcctl_required_size = -1;
53 static int hf_svcctl_is_locked = -1;
54 static int hf_svcctl_lock_duration = -1;
55 static int hf_svcctl_lock_owner = -1;
56 static int hf_svcctl_service_type = -1;
57 static int hf_svcctl_service_type_kernel_driver = -1;
58 static int hf_svcctl_service_type_fs_driver = -1;
59 static int hf_svcctl_service_type_win32_own_process = -1;
60 static int hf_svcctl_service_type_win32_share_process = -1;
61 static int hf_svcctl_service_type_interactive_process = -1;
62 static int hf_svcctl_service_state = -1;
63 static int hf_svcctl_buffer = -1;
64 /* static int hf_svcctl_bytes_needed = -1; */
65 /* static int hf_svcctl_services_returned = -1; */
66 static int hf_svcctl_resume = -1;
67 static int hf_svcctl_service_name = -1;
68 static int hf_svcctl_display_name = -1;
69 static int hf_svcctl_service_start_type = -1;
70 static int hf_svcctl_service_error_control = -1;
71 static int hf_svcctl_binarypathname = -1;
72 static int hf_svcctl_loadordergroup = -1;
73 static int hf_svcctl_tagid = -1;
74 static int hf_svcctl_dependencies = -1;
75 static int hf_svcctl_depend_size = -1;
76 static int hf_svcctl_service_start_name = -1;
77 static int hf_svcctl_password = -1;
78 static int hf_svcctl_password_size = -1;
80 static gint ett_dcerpc_svcctl = -1;
81 static gint ett_dcerpc_svcctl_service_type_bits = -1;
83 static e_guid_t uuid_dcerpc_svcctl = {
84 0x367abb81, 0x9844, 0x35f1,
85 { 0xad, 0x32, 0x98, 0xf0, 0x38, 0x00, 0x10, 0x03 }
88 static guint16 ver_dcerpc_svcctl = 2;
90 #define SVCCTL_SERVICE_TYPE_KERNEL_DRIVER 0x01
91 #define SVCCTL_SERVICE_TYPE_FILE_SYSTEM_DRIVER 0x02
92 #define SVCCTL_SERVICE_TYPE_WIN32_OWN_PROCESS 0x10
93 #define SVCCTL_SERVICE_TYPE_WIN32_SHARE_PROCESS 0x20
94 #define SVCCTL_SERVICE_TYPE_INTERACTIVE_PROCESS 0x100
95 #define SVCCTL_SERVICE_TYPE_NO_CHANGE 0xffffffff
96 static const true_false_string tfs_svcctl_service_type_kernel_driver = {
97 "Is a kernel driver service",
98 "Is not a kernel driver service"
100 static const true_false_string tfs_svcctl_service_type_fs_driver = {
101 "Is a file system driver service",
102 "Is not a file system driver service"
104 static const true_false_string tfs_svcctl_service_type_win32_own_process = {
105 "Service runs its own processes",
106 "Service does not run its own process"
108 static const true_false_string tfs_svcctl_service_type_win32_share_process = {
109 "Service shares its process",
110 "Service does not share its process"
112 static const true_false_string tfs_svcctl_service_type_interactive_process = {
113 "Service can interact with the desktop",
114 "Service cannot interact with the desktop"
118 svcctl_dissect_dwServiceType_flags(tvbuff_t *tvb, int offset,
119 packet_info *pinfo, proto_tree *parent_tree,
120 guint8 *drep, int opnum)
122 guint32 value, len = 4;
123 proto_item *item = NULL;
124 proto_tree *tree = NULL;
126 (void) dissect_dcerpc_uint32 (tvb, offset, pinfo, NULL, drep, 0, &value);
128 item = proto_tree_add_uint(parent_tree, hf_svcctl_service_type, tvb, offset, len, value);
129 tree = proto_item_add_subtree(item, ett_dcerpc_svcctl_service_type_bits);
133 case SVC_CREATE_SERVICE_W:
134 proto_tree_add_boolean(tree, hf_svcctl_service_type_interactive_process,
135 tvb, offset, len, value & SVCCTL_SERVICE_TYPE_INTERACTIVE_PROCESS);
136 proto_tree_add_boolean(tree, hf_svcctl_service_type_win32_share_process,
137 tvb, offset, len, value & SVCCTL_SERVICE_TYPE_WIN32_SHARE_PROCESS);
138 proto_tree_add_boolean(tree, hf_svcctl_service_type_win32_own_process,
139 tvb, offset, len, value & SVCCTL_SERVICE_TYPE_WIN32_OWN_PROCESS);
140 proto_tree_add_boolean(tree, hf_svcctl_service_type_fs_driver,
141 tvb, offset, len, value & SVCCTL_SERVICE_TYPE_FILE_SYSTEM_DRIVER);
142 proto_tree_add_boolean(tree, hf_svcctl_service_type_kernel_driver,
143 tvb, offset, len, value & SVCCTL_SERVICE_TYPE_KERNEL_DRIVER);
145 case SVC_ENUM_SERVICES_STATUS_W:
146 proto_tree_add_boolean(tree, hf_svcctl_service_type_win32_share_process,
147 tvb, offset, len, value & SVCCTL_SERVICE_TYPE_WIN32_SHARE_PROCESS);
148 proto_tree_add_boolean(tree, hf_svcctl_service_type_win32_own_process,
149 tvb, offset, len, value & SVCCTL_SERVICE_TYPE_WIN32_OWN_PROCESS);
150 proto_tree_add_boolean(tree, hf_svcctl_service_type_fs_driver,
151 tvb, offset, len, value & SVCCTL_SERVICE_TYPE_FILE_SYSTEM_DRIVER);
152 proto_tree_add_boolean(tree, hf_svcctl_service_type_kernel_driver,
153 tvb, offset, len, value & SVCCTL_SERVICE_TYPE_KERNEL_DRIVER);
155 case SVC_QUERY_SERVICE_CONFIG_W:
156 proto_tree_add_boolean(tree, hf_svcctl_service_type_win32_share_process,
157 tvb, offset, len, value & SVCCTL_SERVICE_TYPE_WIN32_SHARE_PROCESS);
158 proto_tree_add_boolean(tree, hf_svcctl_service_type_win32_own_process,
159 tvb, offset, len, value & SVCCTL_SERVICE_TYPE_WIN32_OWN_PROCESS);
160 proto_tree_add_boolean(tree, hf_svcctl_service_type_fs_driver,
161 tvb, offset, len, value & SVCCTL_SERVICE_TYPE_FILE_SYSTEM_DRIVER);
162 proto_tree_add_boolean(tree, hf_svcctl_service_type_kernel_driver,
163 tvb, offset, len, value & SVCCTL_SERVICE_TYPE_KERNEL_DRIVER);
171 #define SVCCTL_SERVICE_ACTIVE 0x01
172 #define SVCCTL_SERVICE_INACTIVE 0x02
173 #define SVCCTL_SERVICE_STATE_ALL 0x03
174 static const value_string svcctl_service_status_vals[] = {
175 { SVCCTL_SERVICE_ACTIVE, "SERVICE_ACTIVE" },
176 { SVCCTL_SERVICE_INACTIVE, "SERVICE_INACTIVE" },
177 { SVCCTL_SERVICE_STATE_ALL, "SERVICE_STATE_ALL" },
181 #define SVCCTL_SERVICE_BOOT_START 0x00
182 #define SVCCTL_SERVICE_SYSTEM_START 0x01
183 #define SVCCTL_SERVICE_AUTO_START 0x02
184 #define SVCCTL_SERVICE_DEMAND_START 0x03
185 #define SVCCTL_SERVICE_DISABLED 0x04
186 static const value_string svcctl_service_start_type_vals[] = {
187 { SVCCTL_SERVICE_BOOT_START, "SERVICE_BOOT_START" },
188 { SVCCTL_SERVICE_SYSTEM_START, "SERVICE_SYSTEM_START" },
189 { SVCCTL_SERVICE_AUTO_START, "SERVICE_AUTO_START" },
190 { SVCCTL_SERVICE_DEMAND_START, "SERVICE_DEMAND_START" },
191 { SVCCTL_SERVICE_DISABLED, "SERVICE_DISABLED" },
195 #define SVCCTL_SERVICE_ERROR_IGNORE 0x00
196 #define SVCCTL_SERVICE_ERROR_NORMAL 0x01
197 #define SVCCTL_SERVICE_ERROR_SEVERE 0x02
198 #define SVCCTL_SERVICE_ERROR_CRITICAL 0x03
199 static const value_string svcctl_service_error_control_vals[] = {
200 { SVCCTL_SERVICE_ERROR_IGNORE, "SERVICE_ERROR_IGNORE" },
201 { SVCCTL_SERVICE_ERROR_NORMAL, "SERVICE_ERROR_NORMAL" },
202 { SVCCTL_SERVICE_ERROR_SEVERE, "SERVICE_ERROR_SEVERE" },
203 { SVCCTL_SERVICE_ERROR_CRITICAL, "SERVICE_ERROR_CRITICAL" },
208 svcctl_dissect_pointer_long(tvbuff_t *tvb, int offset,
209 packet_info *pinfo, proto_tree *tree,
210 dcerpc_info *di, guint8 *drep)
212 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, di, drep,
218 svcctl_scm_specific_rights(tvbuff_t *tvb, gint offset, proto_tree *tree,
221 proto_tree_add_boolean(tree, hf_svcctl_scm_rights_modify_boot_config, tvb, offset, 4, access);
222 proto_tree_add_boolean(tree, hf_svcctl_scm_rights_query_lock_status, tvb, offset, 4, access);
223 proto_tree_add_boolean(tree, hf_svcctl_scm_rights_lock, tvb, offset, 4, access);
224 proto_tree_add_boolean(tree, hf_svcctl_scm_rights_enumerate_service, tvb, offset, 4, access);
225 proto_tree_add_boolean(tree, hf_svcctl_scm_rights_create_service, tvb, offset, 4, access);
226 proto_tree_add_boolean(tree, hf_svcctl_scm_rights_connect, tvb, offset, 4, access);
229 struct access_mask_info svcctl_scm_access_mask_info = {
231 svcctl_scm_specific_rights,
232 NULL, /* Generic mapping table */
233 NULL /* Standard mapping table */
237 * IDL long OpenSCManager(
238 * IDL [in] [string] [unique] char *MachineName,
239 * IDL [in] [string] [unique] char *DatabaseName,
240 * IDL [in] long access_mask,
241 * IDL [out] SC_HANDLE handle,
245 svcctl_dissect_OpenSCManager_rqst(tvbuff_t *tvb, int offset,
246 packet_info *pinfo, proto_tree *tree,
247 dcerpc_info *di, guint8 *drep)
249 dcerpc_call_value *dcv = (dcerpc_call_value *)di->call_data;
253 dcv->private_data=NULL;
254 offset = dissect_ndr_pointer_cb(
255 tvb, offset, pinfo, tree, di, drep,
256 dissect_ndr_char_cvstring, NDR_POINTER_UNIQUE,
257 "MachineName", hf_svcctl_machinename, cb_str_postprocess,
258 GINT_TO_POINTER(CB_STR_COL_INFO | CB_STR_SAVE | 1));
259 mn=(const char *)dcv->private_data;
264 dcv->private_data=NULL;
265 offset = dissect_ndr_pointer_cb(
266 tvb, offset, pinfo, tree, di, drep,
267 dissect_ndr_char_cvstring, NDR_POINTER_UNIQUE,
268 "Database", hf_svcctl_database, cb_str_postprocess,
269 GINT_TO_POINTER(CB_STR_COL_INFO | 1));
270 dn=(const char *)dcv->private_data;
274 /* OpenSCManager() stores the server\database in se_data */
275 if(!pinfo->fd->flags.visited){
277 dcv->se_data=wmem_strdup_printf(wmem_file_scope(), "%s\\%s",mn,dn);
282 offset = dissect_nt_access_mask(
283 tvb, offset, pinfo, tree, di, drep, hf_svcctl_access_mask,
284 &svcctl_scm_access_mask_info, NULL);
290 svcctl_dissect_OpenSCManager_reply(tvbuff_t *tvb, int offset,
291 packet_info *pinfo, proto_tree *tree,
292 dcerpc_info *di, guint8 *drep)
294 dcerpc_call_value *dcv = (dcerpc_call_value *)di->call_data;
295 e_ctx_hnd policy_hnd;
296 proto_item *hnd_item;
301 offset = dissect_nt_policy_hnd(
302 tvb, offset, pinfo, tree, di, drep, hf_svcctl_hnd, &policy_hnd,
303 &hnd_item, TRUE, FALSE);
305 offset = dissect_doserror(
306 tvb, offset, pinfo, tree, di, drep, hf_svcctl_rc, &status);
309 const char *pol_name;
312 pol_name = wmem_strdup_printf(wmem_packet_scope(),
313 "OpenSCManagerW(%s)", (char *)dcv->se_data);
315 pol_name = "Unknown OpenSCManagerW() handle";
317 if(!pinfo->fd->flags.visited){
318 dcerpc_store_polhnd_name(&policy_hnd, pinfo, pol_name);
322 proto_item_append_text(hnd_item, ": %s", pol_name);
329 svcctl_dissect_OpenSCManagerW_rqst(tvbuff_t *tvb, int offset,
330 packet_info *pinfo, proto_tree *tree,
331 dcerpc_info *di, guint8 *drep)
333 dcerpc_call_value *dcv = (dcerpc_call_value *)di->call_data;
337 dcv->private_data=NULL;
338 offset = dissect_ndr_pointer_cb(
339 tvb, offset, pinfo, tree, di, drep,
340 dissect_ndr_wchar_cvstring, NDR_POINTER_UNIQUE,
341 "MachineName", hf_svcctl_machinename, cb_wstr_postprocess,
342 GINT_TO_POINTER(CB_STR_COL_INFO | CB_STR_SAVE | 1));
343 mn=(const char *)dcv->private_data;
348 dcv->private_data=NULL;
349 offset = dissect_ndr_pointer_cb(
350 tvb, offset, pinfo, tree, di, drep,
351 dissect_ndr_wchar_cvstring, NDR_POINTER_UNIQUE,
352 "Database", hf_svcctl_database, cb_wstr_postprocess,
353 GINT_TO_POINTER(CB_STR_COL_INFO | 1));
354 dn=(const char *)dcv->private_data;
358 /* OpenSCManager() stores the server\database in se_data */
359 if(!pinfo->fd->flags.visited){
361 dcv->se_data=wmem_strdup_printf(wmem_file_scope(), "%s\\%s",mn,dn);
366 offset = dissect_nt_access_mask(
367 tvb, offset, pinfo, tree, di, drep, hf_svcctl_access_mask,
368 &svcctl_scm_access_mask_info, NULL);
374 svcctl_dissect_OpenSCManagerW_reply(tvbuff_t *tvb, int offset,
375 packet_info *pinfo, proto_tree *tree,
376 dcerpc_info *di, guint8 *drep)
378 dcerpc_call_value *dcv = (dcerpc_call_value *)di->call_data;
379 e_ctx_hnd policy_hnd;
380 proto_item *hnd_item;
385 offset = dissect_nt_policy_hnd(
386 tvb, offset, pinfo, tree, di, drep, hf_svcctl_hnd, &policy_hnd,
387 &hnd_item, TRUE, FALSE);
389 offset = dissect_doserror(
390 tvb, offset, pinfo, tree, di, drep, hf_svcctl_rc, &status);
393 const char *pol_name;
396 pol_name = wmem_strdup_printf(wmem_packet_scope(),
397 "OpenSCManagerW(%s)", (char *)dcv->se_data);
399 pol_name = "Unknown OpenSCManagerW() handle";
401 if(!pinfo->fd->flags.visited){
402 dcerpc_store_polhnd_name(&policy_hnd, pinfo, pol_name);
406 proto_item_append_text(hnd_item, ": %s", pol_name);
413 svcctl_dissect_CreateServiceW_rqst(tvbuff_t *tvb, int offset,
414 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
417 offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, di, drep,
418 hf_svcctl_hnd, NULL, NULL, FALSE, FALSE);
421 offset = dissect_ndr_cvstring(tvb, offset, pinfo, tree, di, drep,
422 sizeof(guint16), hf_svcctl_service_name, TRUE, NULL);
425 offset = dissect_ndr_pointer_cb(
426 tvb, offset, pinfo, tree, di, drep,
427 dissect_ndr_wchar_cvstring, NDR_POINTER_UNIQUE,
428 "Display Name", hf_svcctl_display_name, cb_wstr_postprocess,
432 offset = dissect_nt_access_mask(
433 tvb, offset, pinfo, tree, di, drep, hf_svcctl_access_mask,
434 &svcctl_scm_access_mask_info, NULL);
437 offset = svcctl_dissect_dwServiceType_flags(tvb, offset, pinfo, tree, drep, SVC_CREATE_SERVICE_W);
439 /* service start type */
440 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
441 hf_svcctl_service_start_type, NULL);
443 /* service error control */
444 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
445 hf_svcctl_service_error_control, NULL);
447 /* binary path name */
448 offset = dissect_ndr_cvstring(tvb, offset, pinfo, tree, di, drep,
449 sizeof(guint16), hf_svcctl_binarypathname, TRUE, NULL);
451 /* load order group */
452 offset = dissect_ndr_pointer_cb(
453 tvb, offset, pinfo, tree, di, drep,
454 dissect_ndr_wchar_cvstring, NDR_POINTER_UNIQUE,
455 "Load Order Group", hf_svcctl_loadordergroup, cb_wstr_postprocess,
459 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
460 hf_svcctl_tagid, NULL);
463 offset = dissect_ndr_pointer_cb(
464 tvb, offset, pinfo, tree, di, drep,
465 dissect_ndr_wchar_cvstring, NDR_POINTER_UNIQUE,
466 "Dependencies", hf_svcctl_dependencies, cb_wstr_postprocess,
470 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
471 hf_svcctl_depend_size, NULL);
473 /* service start name */
474 offset = dissect_ndr_pointer_cb(
475 tvb, offset, pinfo, tree, di, drep,
476 dissect_ndr_wchar_cvstring, NDR_POINTER_UNIQUE,
477 "Service Start Name", hf_svcctl_service_start_name, cb_wstr_postprocess,
481 offset = dissect_ndr_pointer_cb(
482 tvb, offset, pinfo, tree, di, drep,
483 dissect_ndr_wchar_cvstring, NDR_POINTER_UNIQUE,
484 "Password", hf_svcctl_password, cb_wstr_postprocess,
488 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
489 hf_svcctl_password_size, NULL);
495 svcctl_dissect_CreateServiceW_reply(tvbuff_t *tvb, int offset,
496 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
499 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
500 hf_svcctl_tagid, NULL);
503 offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, di, drep,
504 hf_svcctl_hnd, NULL, NULL, FALSE, FALSE);
506 offset = dissect_doserror(
507 tvb, offset, pinfo, tree, di, drep, hf_svcctl_rc, NULL);
514 * IDL BOOL CloseServiceHandle(
515 * IDL [in][out] SC_HANDLE handle
519 svcctl_dissect_CloseServiceHandle_rqst(tvbuff_t *tvb, int offset,
520 packet_info *pinfo, proto_tree *tree,
521 dcerpc_info *di, guint8 *drep)
523 e_ctx_hnd policy_hnd;
528 offset = dissect_nt_policy_hnd(
529 tvb, offset, pinfo, tree, di, drep, hf_svcctl_hnd, &policy_hnd,
532 dcerpc_fetch_polhnd_data(&policy_hnd, &pol_name, NULL, NULL, NULL,
535 col_append_fstr(pinfo->cinfo, COL_INFO, ", %s",
542 svcctl_dissect_CloseServiceHandle_reply(tvbuff_t *tvb, int offset,
543 packet_info *pinfo, proto_tree *tree,
544 dcerpc_info *di, guint8 *drep)
546 offset = dissect_nt_policy_hnd(
547 tvb, offset, pinfo, tree, di, drep, hf_svcctl_hnd, NULL,
550 offset = dissect_doserror(
551 tvb, offset, pinfo, tree, di, drep, hf_svcctl_rc, NULL);
559 * IDL long LockServiceDatabase(
560 * IDL [in] SC_HANDLE dbhandle,
561 * IDL [out] SC_HANDLE lock,
565 svcctl_dissect_LockServiceDatabase_rqst(tvbuff_t *tvb, int offset,
566 packet_info *pinfo, proto_tree *tree,
567 dcerpc_info *di, guint8 *drep)
569 /* XXX - why is the "is a close" argument TRUE? */
570 offset = dissect_nt_policy_hnd(
571 tvb, offset, pinfo, tree, di, drep, hf_svcctl_hnd, NULL,
577 svcctl_dissect_LockServiceDatabase_reply(tvbuff_t *tvb, int offset,
578 packet_info *pinfo, proto_tree *tree,
579 dcerpc_info *di, guint8 *drep)
581 /* XXX - why is the "is an open" argument TRUE? */
582 offset = dissect_nt_policy_hnd(
583 tvb, offset, pinfo, tree, di, drep, hf_svcctl_lock, NULL,
586 offset = dissect_doserror(
587 tvb, offset, pinfo, tree, di, drep, hf_svcctl_rc, NULL);
595 * IDL long UnlockServiceDatabase(
596 * IDL [in][out] SC_HANDLE lock,
600 svcctl_dissect_UnlockServiceDatabase_rqst(tvbuff_t *tvb, int offset,
601 packet_info *pinfo, proto_tree *tree,
602 dcerpc_info *di, guint8 *drep)
604 /* XXX - why is the "is a close" argument TRUE? */
605 offset = dissect_nt_policy_hnd(
606 tvb, offset, pinfo, tree, di, drep, hf_svcctl_lock, NULL,
612 svcctl_dissect_UnlockServiceDatabase_reply(tvbuff_t *tvb, int offset,
613 packet_info *pinfo, proto_tree *tree,
614 dcerpc_info *di, guint8 *drep)
616 /* XXX - why is the "is an open" argument TRUE? */
617 offset = dissect_nt_policy_hnd(
618 tvb, offset, pinfo, tree, di, drep, hf_svcctl_lock, NULL,
621 offset = dissect_doserror(
622 tvb, offset, pinfo, tree, di, drep, hf_svcctl_rc, NULL);
629 * IDL typedef struct {
630 * IDL long is_locked,
631 * IDL [unique][string] char *lock_owner,
632 * IDL long lock_duration,
636 svcctl_dissect_QUERY_SERVICE_LOCK_STATUS(tvbuff_t *tvb, int offset,
637 packet_info *pinfo, proto_tree *tree,
638 dcerpc_info *di, guint8 *drep)
640 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
641 hf_svcctl_is_locked, NULL);
643 offset = dissect_ndr_pointer(
644 tvb, offset, pinfo, tree, di, drep,
645 dissect_ndr_char_cvstring, NDR_POINTER_UNIQUE,
646 "Owner", hf_svcctl_lock_owner);
648 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
649 hf_svcctl_lock_duration, NULL);
655 * IDL long QueryServiceLockStatus(
656 * IDL [in] SC_HANDLE db_handle,
657 * IDL [in] long buf_size,
658 * IDL [out][ref] QUERY_SERVICE_LOCK_STATUS *status,
659 * IDL [out][ref] long *required_buf_size
663 svcctl_dissect_QueryServiceLockStatus_rqst(tvbuff_t *tvb, int offset,
664 packet_info *pinfo, proto_tree *tree,
665 dcerpc_info *di, guint8 *drep)
667 /* XXX - why is the "is a close" argument TRUE? */
668 offset = dissect_nt_policy_hnd(
669 tvb, offset, pinfo, tree, di, drep, hf_svcctl_hnd, NULL,
672 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
673 hf_svcctl_size, NULL);
678 svcctl_dissect_QueryServiceLockStatus_reply(tvbuff_t *tvb, int offset,
679 packet_info *pinfo, proto_tree *tree,
680 dcerpc_info *di, guint8 *drep)
682 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
683 svcctl_dissect_QUERY_SERVICE_LOCK_STATUS, NDR_POINTER_REF,
686 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
687 hf_svcctl_required_size, NULL);
689 offset = dissect_doserror(
690 tvb, offset, pinfo, tree, di, drep, hf_svcctl_rc, NULL);
696 * IDL long EnumServicesStatus(
697 * IDL [in] SC_HANDLE db_handle,
698 * IDL [in] long type,
699 * IDL [in] long status,
700 * IDL [in] long buf_size,
701 * IDL [in][unique] long *resume_handle,
706 svcctl_dissect_EnumServicesStatus_rqst(tvbuff_t *tvb, int offset,
707 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
710 offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, di, drep,
711 hf_svcctl_hnd, NULL, NULL, FALSE, FALSE);
714 offset = svcctl_dissect_dwServiceType_flags(tvb, offset, pinfo, tree, drep, SVC_ENUM_SERVICES_STATUS_W);
717 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
718 hf_svcctl_service_state, NULL);
721 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
722 hf_svcctl_size, NULL);
725 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
726 svcctl_dissect_pointer_long, NDR_POINTER_UNIQUE,
727 "Resume Handle", hf_svcctl_resume);
733 svcctl_dissect_OpenServiceW_rqst(tvbuff_t *tvb, int offset,
734 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
737 offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, di, drep,
738 hf_svcctl_hnd, NULL, NULL, FALSE, FALSE);
741 offset = dissect_ndr_cvstring(tvb, offset, pinfo, tree, di, drep,
742 sizeof(guint16), hf_svcctl_service_name, TRUE, NULL);
745 offset = dissect_nt_access_mask(
746 tvb, offset, pinfo, tree, di, drep, hf_svcctl_access_mask,
747 &svcctl_scm_access_mask_info, NULL);
753 svcctl_dissect_OpenServiceW_reply(tvbuff_t *tvb, int offset,
754 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
757 offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, di, drep,
758 hf_svcctl_hnd, NULL, NULL, FALSE, FALSE);
760 offset = dissect_doserror(
761 tvb, offset, pinfo, tree, di, drep, hf_svcctl_rc, NULL);
767 svcctl_dissect_QueryServiceConfigW_rqst(tvbuff_t *tvb, int offset,
768 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
771 offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, di, drep,
772 hf_svcctl_hnd, NULL, NULL, FALSE, FALSE);
775 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
776 hf_svcctl_buffer, NULL);
781 static dcerpc_sub_dissector dcerpc_svcctl_dissectors[] = {
782 { SVC_CLOSE_SERVICE_HANDLE, "CloseServiceHandle",
783 svcctl_dissect_CloseServiceHandle_rqst,
784 svcctl_dissect_CloseServiceHandle_reply },
785 { SVC_CONTROL_SERVICE, "ControlService", NULL, NULL },
786 { SVC_DELETE_SERVICE, "DeleteService", NULL, NULL },
787 { SVC_LOCK_SERVICE_DATABASE, "LockServiceDatabase",
788 svcctl_dissect_LockServiceDatabase_rqst,
789 svcctl_dissect_LockServiceDatabase_reply },
790 { SVC_QUERY_SERVICE_OBJECT_SECURITY, "QueryServiceObjectSecurity",
792 { SVC_SET_SERVICE_OBJECT_SECURITY, "SetServiceObjectSecurity",
794 { SVC_QUERY_SERVICE_STATUS, "QueryServiceStatus",
796 { SVC_SET_SERVICE_STATUS, "SetServiceStatus",
798 { SVC_UNLOCK_SERVICE_DATABASE, "UnlockServiceDatabase",
799 svcctl_dissect_UnlockServiceDatabase_rqst,
800 svcctl_dissect_UnlockServiceDatabase_reply },
801 { SVC_NOTIFY_BOOT_CONFIG_STATUS, "NotifyBootConfigStatus",
803 { SVC_SC_SET_SERVICE_BITS_W, "ScSetServiceBitsW",
805 { SVC_CHANGE_SERVICE_CONFIG_W, "ChangeServiceConfigW",
807 { SVC_CREATE_SERVICE_W, "CreateServiceW",
808 svcctl_dissect_CreateServiceW_rqst,
809 svcctl_dissect_CreateServiceW_reply },
810 { SVC_ENUM_DEPENDENT_SERVICES_W, "EnumDependentServicesW",
812 { SVC_ENUM_SERVICES_STATUS_W, "EnumServicesStatusW",
813 svcctl_dissect_EnumServicesStatus_rqst, NULL },
814 { SVC_OPEN_SC_MANAGER_W, "OpenSCManagerW",
815 svcctl_dissect_OpenSCManagerW_rqst,
816 svcctl_dissect_OpenSCManagerW_reply },
817 { SVC_OPEN_SERVICE_W, "OpenServiceW",
818 svcctl_dissect_OpenServiceW_rqst,
819 svcctl_dissect_OpenServiceW_reply },
820 { SVC_QUERY_SERVICE_CONFIG_W, "QueryServiceConfigW",
821 svcctl_dissect_QueryServiceConfigW_rqst, NULL },
822 { SVC_QUERY_SERVICE_LOCK_STATUS_W, "QueryServiceLockStatusW",
824 { SVC_START_SERVICE_W, "StartServiceW", NULL, NULL },
825 { SVC_GET_SERVICE_DISPLAY_NAME_W, "GetServiceDisplayNameW",
827 { SVC_GET_SERVICE_KEY_NAME_W, "GetServiceKeyNameW", NULL, NULL },
828 { SVC_SC_SET_SERVICE_BITS_A, "ScSetServiceBitsA", NULL, NULL },
829 { SVC_CHANGE_SERVICE_CONFIG_A, "ChangeServiceConfigA", NULL, NULL },
830 { SVC_CREATE_SERVICE_A, "CreateServiceA", NULL, NULL },
831 { SVC_ENUM_DEPENDENT_SERVICES_A, "EnumDependentServicesA",
833 { SVC_ENUM_SERVICES_STATUS_A, "EnumServicesStatusA",
834 svcctl_dissect_EnumServicesStatus_rqst,
836 { SVC_OPEN_SC_MANAGER_A, "OpenSCManagerA",
837 svcctl_dissect_OpenSCManager_rqst,
838 svcctl_dissect_OpenSCManager_reply },
839 { SVC_OPEN_SERVICE_A, "OpenServiceA", NULL, NULL },
840 { SVC_QUERY_SERVICE_CONFIG_A, "QueryServiceConfigA", NULL, NULL },
841 { SVC_QUERY_SERVICE_LOCK_STATUS_A, "QueryServiceLockStatusA",
842 svcctl_dissect_QueryServiceLockStatus_rqst,
843 svcctl_dissect_QueryServiceLockStatus_reply },
844 { SVC_START_SERVICE_A, "StartServiceA", NULL, NULL },
845 { SVC_GET_SERVICE_DISPLAY_NAME_A, "GetServiceDisplayNameA",
847 { SVC_GET_SERVICE_KEY_NAME_A, "GetServiceKeyNameA", NULL, NULL },
848 { SVC_SC_GET_CURRENT_GROUPE_STATE_W, "ScGetCurrentGroupStateW",
850 { SVC_ENUM_SERVICE_GROUP_W, "EnumServiceGroupW",
852 { SVC_CHANGE_SERVICE_CONFIG2_A, "ChangeServiceConfig2A",
854 { SVC_CHANGE_SERVICE_CONFIG2_W, "ChangeServiceConfig2W",
856 { SVC_QUERY_SERVICE_CONFIG2_A, "QueryServiceConfig2A",
858 { SVC_QUERY_SERVICE_CONFIG2_W, "QueryServiceConfig2W",
860 { SVC_QUERY_SERVICE_STATUS_EX, "QueryServiceStatusEx",
862 { SVC_ENUM_SERVICES_STATUS_EX_A, "EnumServicesStatusExA",
864 { SVC_ENUM_SERVICES_STATUS_EX_W, "EnumServicesStatusExW",
866 { SVC_SC_SEND_TS_MESSAGE, "ScSendTSMessage",
868 {0, NULL, NULL, NULL}
872 proto_register_dcerpc_svcctl(void)
874 static hf_register_info hf[] = {
876 { "Operation", "svcctl.opnum", FT_UINT16, BASE_DEC,
877 NULL, 0x0, NULL, HFILL }},
878 { &hf_svcctl_machinename,
879 { "MachineName", "svcctl.machinename", FT_STRING, BASE_NONE,
880 NULL, 0x0, "Name of the host we want to open the database on", HFILL }},
881 { &hf_svcctl_database,
882 { "Database", "svcctl.database", FT_STRING, BASE_NONE,
883 NULL, 0x0, "Name of the database to open", HFILL }},
884 { &hf_svcctl_access_mask,
885 { "Access Mask", "svcctl.access_mask", FT_UINT32, BASE_HEX,
886 NULL, 0x0, "SVCCTL Access Mask", HFILL }},
887 { &hf_svcctl_scm_rights_connect,
888 { "Connect", "svcctl.scm_rights_connect", FT_BOOLEAN, 32,
889 TFS(&tfs_set_notset), 0x00000001, "SVCCTL Rights to connect to SCM", HFILL }},
890 { &hf_svcctl_scm_rights_create_service,
891 { "Create Service", "svcctl.scm_rights_create_service", FT_BOOLEAN, 32,
892 TFS(&tfs_set_notset), 0x00000002, "SVCCTL Rights to create services", HFILL }},
893 { &hf_svcctl_scm_rights_enumerate_service,
894 { "Enumerate Service", "svcctl.scm_rights_enumerate_service", FT_BOOLEAN, 32,
895 TFS(&tfs_set_notset), 0x00000004, "SVCCTL Rights to enumerate services", HFILL }},
896 { &hf_svcctl_scm_rights_lock,
897 { "Lock", "svcctl.scm_rights_lock", FT_BOOLEAN, 32,
898 TFS(&tfs_set_notset), 0x00000008, "SVCCTL Rights to lock database", HFILL }},
899 { &hf_svcctl_scm_rights_query_lock_status,
900 { "Query Lock Status", "svcctl.scm_rights_query_lock_status", FT_BOOLEAN, 32,
901 TFS(&tfs_set_notset), 0x00000010, "SVCCTL Rights to query database lock status", HFILL }},
902 { &hf_svcctl_scm_rights_modify_boot_config,
903 { "Modify Boot Config", "svcctl.scm_rights_modify_boot_config", FT_BOOLEAN, 32,
904 TFS(&tfs_set_notset), 0x00000020, "SVCCTL Rights to modify boot config", HFILL }},
906 { "Context Handle", "svcctl.hnd", FT_BYTES, BASE_NONE,
907 NULL, 0x0, "SVCCTL Context handle", HFILL }},
909 { "Lock", "svcctl.lock", FT_BYTES, BASE_NONE,
910 NULL, 0x0, "SVCCTL Database Lock", HFILL }},
912 { "Return code", "svcctl.rc", FT_UINT32, BASE_HEX | BASE_EXT_STRING,
913 &DOS_errors_ext, 0x0, "SVCCTL return code", HFILL }},
915 { "Size", "svcctl.size", FT_UINT32, BASE_DEC,
916 NULL, 0x0, "SVCCTL size of buffer", HFILL }},
917 { &hf_svcctl_required_size,
918 { "Required Size", "svcctl.required_size", FT_UINT32, BASE_DEC,
919 NULL, 0x0, "SVCCTL required size of buffer for data to fit", HFILL }},
920 { &hf_svcctl_is_locked,
921 { "IsLocked", "svcctl.is_locked", FT_UINT32, BASE_DEC,
922 NULL, 0x0, "SVCCTL whether the database is locked or not", HFILL }},
923 { &hf_svcctl_lock_duration,
924 { "Duration", "svcctl.lock_duration", FT_UINT32, BASE_DEC,
925 NULL, 0x0, "SVCCTL number of seconds the database has been locked", HFILL }},
926 { &hf_svcctl_lock_owner,
927 { "Owner", "svcctl.lock_owner", FT_STRING, BASE_NONE,
928 NULL, 0x0, "SVCCTL the user that holds the database lock", HFILL }},
929 { &hf_svcctl_service_type,
930 { "Service Type", "svcctl.service_type", FT_UINT32, BASE_HEX,
931 NULL, 0x0, "SVCCTL type of service", HFILL }},
932 { &hf_svcctl_service_type_kernel_driver,
933 { "Kernel Driver Service", "svcctl.service_type.kernel", FT_BOOLEAN, 32,
934 TFS(&tfs_svcctl_service_type_kernel_driver), SVCCTL_SERVICE_TYPE_KERNEL_DRIVER, "Request includes kernel driver services?", HFILL }},
935 { &hf_svcctl_service_type_fs_driver,
936 { "File System Driver Service", "svcctl.service_type.fs", FT_BOOLEAN, 32,
937 TFS(&tfs_svcctl_service_type_fs_driver), SVCCTL_SERVICE_TYPE_FILE_SYSTEM_DRIVER, "Request includes file system driver services?", HFILL }},
938 { &hf_svcctl_service_type_win32_own_process,
939 { "Self Process Service", "svcctl.service_type.win32_own", FT_BOOLEAN, 32,
940 TFS(&tfs_svcctl_service_type_win32_own_process), SVCCTL_SERVICE_TYPE_WIN32_OWN_PROCESS, "Request includes services that run their own process?", HFILL }},
941 { &hf_svcctl_service_type_win32_share_process,
942 { "Shared Process Service", "svcctl.service_type.win32_shared", FT_BOOLEAN, 32,
943 TFS(&tfs_svcctl_service_type_win32_share_process), SVCCTL_SERVICE_TYPE_WIN32_SHARE_PROCESS, "Request includes services that share their process?", HFILL }},
944 { &hf_svcctl_service_type_interactive_process,
945 { "Interactive Process Service", "svcctl.service_type.interactive", FT_BOOLEAN, 32,
946 TFS(&tfs_svcctl_service_type_interactive_process), SVCCTL_SERVICE_TYPE_INTERACTIVE_PROCESS, "Request includes services that can interact with the desktop?", HFILL }},
947 { &hf_svcctl_service_state,
948 { "Service State", "svcctl.service_state", FT_UINT32, BASE_DEC,
949 VALS(svcctl_service_status_vals), 0x0, "SVCCTL service state", HFILL }},
951 { "Buffer", "svcctl.buffer", FT_UINT32, BASE_DEC,
952 NULL, 0x0, "SVCCTL buffer", HFILL }},
954 { &hf_svcctl_bytes_needed,
955 { "Bytes Needed", "svcctl.bytes_needed", FT_UINT32, BASE_DEC,
956 NULL, 0x0, "SVCCTL bytes needed", HFILL }},
957 { &hf_svcctl_services_returned,
958 { "Services Returned", "svcctl.services_returned", FT_UINT32, BASE_DEC,
959 NULL, 0x0, "SVCCTL services returned", HFILL }},
961 { &hf_svcctl_service_name,
962 { "Service Name", "svcctl.servicename", FT_STRING, BASE_NONE,
963 NULL, 0x0, "SVCCTL name of service", HFILL }},
964 { &hf_svcctl_display_name,
965 { "Display Name", "svcctl.displayname", FT_STRING, BASE_NONE,
966 NULL, 0x0, "SVCCTL display name", HFILL }},
967 { &hf_svcctl_service_start_type,
968 { "Service Start Type", "svcctl.service_start_type", FT_UINT32, BASE_DEC,
969 VALS(svcctl_service_start_type_vals), 0x0, "SVCCTL service start type", HFILL }},
970 { &hf_svcctl_service_error_control,
971 { "Service Error Control", "svcctl.service_error_control", FT_UINT32, BASE_DEC,
972 VALS(svcctl_service_error_control_vals), 0x0, "SVCCTL service error control", HFILL }},
973 { &hf_svcctl_binarypathname,
974 { "Binary Path Name", "svcctl.binarypathname", FT_STRING, BASE_NONE,
975 NULL, 0x0, "SVCCTL binary path name", HFILL }},
976 { &hf_svcctl_loadordergroup,
977 { "Load Order Group", "svcctl.loadordergroup", FT_STRING, BASE_NONE,
978 NULL, 0x0, "SVCCTL load order group", HFILL }},
980 { "Tag Id", "svcctl.tagid", FT_UINT32, BASE_DEC,
981 NULL, 0x0, "SVCCTL tag id", HFILL }},
982 { &hf_svcctl_dependencies,
983 { "Dependencies", "svcctl.dependencies", FT_STRING, BASE_NONE,
984 NULL, 0x0, "SVCCTL dependencies", HFILL }},
985 { &hf_svcctl_depend_size,
986 { "Depend Size", "svcctl.depend_size", FT_UINT32, BASE_DEC,
987 NULL, 0x0, "SVCCTL depend size", HFILL }},
988 { &hf_svcctl_service_start_name,
989 { "Service Start Name", "svcctl.service_start_name", FT_STRING, BASE_NONE,
990 NULL, 0x0, "SVCCTL service start name", HFILL }},
991 { &hf_svcctl_password,
992 { "Password", "svcctl.password", FT_STRING, BASE_NONE,
993 NULL, 0x0, "SVCCTL password", HFILL }},
994 { &hf_svcctl_password_size,
995 { "Password Size", "svcctl.password_size", FT_UINT32, BASE_DEC,
996 NULL, 0x0, "SVCCTL password size", HFILL }},
998 { "Resume Handle", "svcctl.resume", FT_UINT32, BASE_DEC,
999 NULL, 0x0, "SVCCTL resume handle", HFILL }},
1002 static gint *ett[] = {
1004 &ett_dcerpc_svcctl_service_type_bits,
1007 proto_dcerpc_svcctl = proto_register_protocol(
1008 "Microsoft Service Control", "SVCCTL", "svcctl");
1010 proto_register_field_array(proto_dcerpc_svcctl, hf, array_length(hf));
1011 proto_register_subtree_array(ett, array_length(ett));
1015 proto_reg_handoff_dcerpc_svcctl(void)
1017 /* Register protocol as dcerpc */
1019 dcerpc_init_uuid(proto_dcerpc_svcctl, ett_dcerpc_svcctl,
1020 &uuid_dcerpc_svcctl, ver_dcerpc_svcctl,
1021 dcerpc_svcctl_dissectors, hf_svcctl_opnum);
1025 * Editor modelines - http://www.wireshark.org/tools/modelines.html
1030 * indent-tabs-mode: t
1033 * vi: set shiftwidth=8 tabstop=8 noexpandtab:
1034 * :indentSize=8:tabSize=8:noTabs=false: