/* packet-dcerpc-reg.c
* Routines for SMB \PIPE\winreg packet disassembly
- * Copyright 2001, 2002 Tim Potter <tpot@samba.org>
+ * Copyright 2001-2003 Tim Potter <tpot@samba.org>
*
- * $Id: packet-dcerpc-reg.c,v 1.11 2002/08/28 21:00:10 jmayer Exp $
+ * $Id: packet-dcerpc-reg.c,v 1.23 2003/10/24 00:35:29 guy Exp $
*
* Ethereal - Network traffic analyzer
* By Gerald Combs <gerald@ethereal.com>
static int hf_rc = -1;
static int hf_hnd = -1;
static int hf_access_mask = -1;
+static int hf_keytype = -1;
+static int hf_keydata = -1;
+static int hf_offered = -1;
+static int hf_returned = -1;
+static int hf_reserved = -1;
+static int hf_unknown = -1;
/* OpenHKLM */
static int hf_openhklm_unknown1 = -1;
static int hf_openhklm_unknown2 = -1;
-/* QueryKey */
+/* QueryInfoKey */
static int hf_querykey_class = -1;
static int hf_querykey_num_subkeys = -1;
static int hf_querykey_secdesc = -1;
static int hf_querykey_modtime = -1;
-/* OpenEntry */
+/* OpenKey */
static int hf_keyname = -1;
-static int hf_openentry_unknown1 = -1;
+static int hf_openkey_unknown1 = -1;
-/* Unknown 0x1A */
+/* GetVersion */
-static int hf_unknown1A_unknown1 = -1;
+static int hf_getversion_version = -1;
+
+/* Shutdown */
+static int hf_shutdown_message = -1;
+static int hf_shutdown_seconds = -1;
+static int hf_shutdown_force = -1;
+static int hf_shutdown_reboot = -1;
+static int hf_shutdown_server = -1;
+static int hf_shutdown_reason = -1;
/* Data that is passed to a open call */
RegOpenHKLM_q(tvbuff_t *tvb, int offset, packet_info *pinfo,
proto_tree *tree, char *drep)
{
- dcerpc_info *di = (dcerpc_info *)pinfo->private_data;
- dcerpc_call_value *dcv = (dcerpc_call_value *)di->call_data;
-
- if (dcv->rep_frame != 0)
- proto_tree_add_text(tree, tvb, offset, 0,
- "Reply in frame %u", dcv->rep_frame);
-
/* Parse packet */
offset = dissect_ndr_pointer(
tvb, offset, pinfo, tree, drep,
dissect_open_data,
- NDR_POINTER_UNIQUE, "Unknown", -1, 0);
-
- dcerpc_smb_check_long_frame(tvb, offset, pinfo, tree);
+ NDR_POINTER_UNIQUE, "Unknown", -1);
return offset;
}
RegOpenHKLM_r(tvbuff_t *tvb, int offset, packet_info *pinfo,
proto_tree *tree, char *drep)
{
- dcerpc_info *di = (dcerpc_info *)pinfo->private_data;
- dcerpc_call_value *dcv = (dcerpc_call_value *)di->call_data;
e_ctx_hnd policy_hnd;
-
- if (dcv->req_frame != 0)
- proto_tree_add_text(tree, tvb, offset, 0,
- "Request in frame %u", dcv->req_frame);
+ proto_item *hnd_item;
+ guint32 status;
/* Parse packet */
offset = dissect_nt_policy_hnd(
tvb, offset, pinfo, tree, drep,
- hf_hnd, &policy_hnd, TRUE, FALSE);
-
- dcerpc_smb_store_pol_name(&policy_hnd, "HKLM handle");
+ hf_hnd, &policy_hnd, &hnd_item, TRUE, FALSE);
offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
- hf_rc, NULL);
+ hf_rc, &status);
- dcerpc_smb_check_long_frame(tvb, offset, pinfo, tree);
+ if (status == 0) {
+ dcerpc_smb_store_pol_name(&policy_hnd, pinfo, "HKLM handle");
+ if (hnd_item != NULL)
+ proto_item_append_text(hnd_item, ": HKLM handle");
+ }
return offset;
}
RegOpenHKU_q(tvbuff_t *tvb, int offset, packet_info *pinfo,
proto_tree *tree, char *drep)
{
- dcerpc_info *di = (dcerpc_info *)pinfo->private_data;
- dcerpc_call_value *dcv = (dcerpc_call_value *)di->call_data;
-
- if (dcv->rep_frame != 0)
- proto_tree_add_text(tree, tvb, offset, 0,
- "Reply in frame %u", dcv->rep_frame);
-
/* Parse packet */
offset = dissect_ndr_pointer(
tvb, offset, pinfo, tree, drep,
dissect_open_data,
- NDR_POINTER_UNIQUE, "Unknown", -1, 0);
-
- dcerpc_smb_check_long_frame(tvb, offset, pinfo, tree);
+ NDR_POINTER_UNIQUE, "Unknown", -1);
return offset;
}
RegOpenHKU_r(tvbuff_t *tvb, int offset, packet_info *pinfo,
proto_tree *tree, char *drep)
{
- dcerpc_info *di = (dcerpc_info *)pinfo->private_data;
- dcerpc_call_value *dcv = (dcerpc_call_value *)di->call_data;
e_ctx_hnd policy_hnd;
-
- if (dcv->req_frame != 0)
- proto_tree_add_text(tree, tvb, offset, 0,
- "Request in frame %u", dcv->req_frame);
+ proto_item *hnd_item;
+ guint32 status;
/* Parse packet */
offset = dissect_nt_policy_hnd(
tvb, offset, pinfo, tree, drep,
- hf_hnd, &policy_hnd, TRUE, FALSE);
-
- dcerpc_smb_store_pol_name(&policy_hnd, "HKU handle");
+ hf_hnd, &policy_hnd, &hnd_item, TRUE, FALSE);
offset = dissect_ntstatus(
- tvb, offset, pinfo, tree, drep, hf_rc, NULL);
+ tvb, offset, pinfo, tree, drep, hf_rc, &status);
- dcerpc_smb_check_long_frame(tvb, offset, pinfo, tree);
+ if (status == 0) {
+ dcerpc_smb_store_pol_name(&policy_hnd, pinfo, "HKU handle");
+ if (hnd_item != NULL)
+ proto_item_append_text(hnd_item, ": HKU handle");
+ }
return offset;
}
RegOpenHKCR_q(tvbuff_t *tvb, int offset, packet_info *pinfo,
proto_tree *tree, char *drep)
{
- dcerpc_info *di = (dcerpc_info *)pinfo->private_data;
- dcerpc_call_value *dcv = (dcerpc_call_value *)di->call_data;
-
- if (dcv->rep_frame != 0)
- proto_tree_add_text(tree, tvb, offset, 0,
- "Reply in frame %u", dcv->rep_frame);
-
/* Parse packet */
offset = dissect_ndr_pointer(
tvb, offset, pinfo, tree, drep,
dissect_open_data,
- NDR_POINTER_UNIQUE, "Unknown", -1, 0);
-
- dcerpc_smb_check_long_frame(tvb, offset, pinfo, tree);
+ NDR_POINTER_UNIQUE, "Unknown", -1);
return offset;
}
RegOpenHKCR_r(tvbuff_t *tvb, int offset, packet_info *pinfo,
proto_tree *tree, char *drep)
{
- dcerpc_info *di = (dcerpc_info *)pinfo->private_data;
- dcerpc_call_value *dcv = (dcerpc_call_value *)di->call_data;
e_ctx_hnd policy_hnd;
-
- if (dcv->req_frame != 0)
- proto_tree_add_text(tree, tvb, offset, 0,
- "Request in frame %u", dcv->req_frame);
+ proto_item *hnd_item;
+ guint32 status;
/* Parse packet */
offset = dissect_nt_policy_hnd(
tvb, offset, pinfo, tree, drep,
- hf_hnd, &policy_hnd, TRUE, FALSE);
-
- dcerpc_smb_store_pol_name(&policy_hnd, "HKCR handle");
+ hf_hnd, &policy_hnd, &hnd_item, TRUE, FALSE);
offset = dissect_ntstatus(
- tvb, offset, pinfo, tree, drep, hf_rc, NULL);
+ tvb, offset, pinfo, tree, drep, hf_rc, &status);
- dcerpc_smb_check_long_frame(tvb, offset, pinfo, tree);
+ if (status == 0) {
+ dcerpc_smb_store_pol_name(&policy_hnd, pinfo, "HKCR handle");
+ if (hnd_item != NULL)
+ proto_item_append_text(hnd_item, ": HKCR handle");
+ }
return offset;
}
/*
- * RegClose
+ * CloseKey
*/
static int
-RegClose_q(tvbuff_t *tvb, int offset, packet_info *pinfo,
+RegCloseKey_q(tvbuff_t *tvb, int offset, packet_info *pinfo,
proto_tree *tree, char *drep)
{
- dcerpc_info *di = (dcerpc_info *)pinfo->private_data;
- dcerpc_call_value *dcv = (dcerpc_call_value *)di->call_data;
-
- if (dcv->rep_frame != 0)
- proto_tree_add_text(tree, tvb, offset, 0,
- "Reply in frame %u", dcv->rep_frame);
-
/* Parse packet */
offset = dissect_nt_policy_hnd(
tvb, offset, pinfo, tree, drep,
- hf_hnd, NULL, FALSE, TRUE);
-
- dcerpc_smb_check_long_frame(tvb, offset, pinfo, tree);
+ hf_hnd, NULL, NULL, FALSE, TRUE);
return offset;
}
static int
-RegClose_r(tvbuff_t *tvb, int offset, packet_info *pinfo,
+RegCloseKey_r(tvbuff_t *tvb, int offset, packet_info *pinfo,
proto_tree *tree, char *drep)
{
- dcerpc_info *di = (dcerpc_info *)pinfo->private_data;
- dcerpc_call_value *dcv = (dcerpc_call_value *)di->call_data;
-
- if (dcv->req_frame != 0)
- proto_tree_add_text(tree, tvb, offset, 0,
- "Request in frame %u", dcv->req_frame);
-
/* Parse packet */
offset = dissect_nt_policy_hnd(
tvb, offset, pinfo, tree, drep,
- hf_hnd, NULL, FALSE, FALSE);
+ hf_hnd, NULL, NULL, FALSE, FALSE);
offset = dissect_ntstatus(
tvb, offset, pinfo, tree, drep, hf_rc, NULL);
- dcerpc_smb_check_long_frame(tvb, offset, pinfo, tree);
-
return offset;
}
/*
- * RegQueryKey
+ * QueryInfoKey
*/
static int
-RegQueryKey_q(tvbuff_t *tvb, int offset, packet_info *pinfo,
+RegQueryInfoKey_q(tvbuff_t *tvb, int offset, packet_info *pinfo,
proto_tree *tree, char *drep)
{
- dcerpc_info *di = (dcerpc_info *)pinfo->private_data;
- dcerpc_call_value *dcv = (dcerpc_call_value *)di->call_data;
-
- if (dcv->rep_frame != 0)
- proto_tree_add_text(tree, tvb, offset, 0,
- "Reply in frame %u", dcv->rep_frame);
-
/* Parse packet */
offset = dissect_nt_policy_hnd(
tvb, offset, pinfo, tree, drep,
- hf_hnd, NULL, FALSE, FALSE);
+ hf_hnd, NULL, NULL, FALSE, FALSE);
- offset = dissect_ndr_nt_UNICODE_STRING(
+ offset = dissect_ndr_counted_string(
tvb, offset, pinfo, tree, drep, hf_querykey_class, 0);
- dcerpc_smb_check_long_frame(tvb, offset, pinfo, tree);
-
return offset;
}
static int
-RegQueryKey_r(tvbuff_t *tvb, int offset, packet_info *pinfo,
+RegQueryInfoKey_r(tvbuff_t *tvb, int offset, packet_info *pinfo,
proto_tree *tree, char *drep)
{
- dcerpc_info *di = (dcerpc_info *)pinfo->private_data;
- dcerpc_call_value *dcv = (dcerpc_call_value *)di->call_data;
-
- if (dcv->req_frame != 0)
- proto_tree_add_text(tree, tvb, offset, 0,
- "Request in frame %u", dcv->req_frame);
-
/* Parse packet */
- offset = dissect_ndr_nt_UNICODE_STRING(
+ offset = dissect_ndr_counted_string(
tvb, offset, pinfo, tree, drep, hf_querykey_class, 0);
offset = dissect_ndr_uint32(
offset = dissect_ntstatus(
tvb, offset, pinfo, tree, drep, hf_rc, NULL);
- dcerpc_smb_check_long_frame(tvb, offset, pinfo, tree);
-
return offset;
}
/*
- * OpenEntry
+ * OpenKey
*/
static int
-RegOpenEntry_q(tvbuff_t *tvb, int offset, packet_info *pinfo,
+RegOpenKey_q(tvbuff_t *tvb, int offset, packet_info *pinfo,
proto_tree *tree, char *drep)
{
- dcerpc_info *di = (dcerpc_info *)pinfo->private_data;
- dcerpc_call_value *dcv = (dcerpc_call_value *)di->call_data;
-
- if (dcv->rep_frame != 0)
- proto_tree_add_text(tree, tvb, offset, 0,
- "Reply in frame %u", dcv->rep_frame);
-
/* Parse packet */
offset = dissect_nt_policy_hnd(
tvb, offset, pinfo, tree, drep,
- hf_hnd, NULL, FALSE, FALSE);
+ hf_hnd, NULL, NULL, FALSE, FALSE);
- offset = dissect_ndr_nt_UNICODE_STRING(
+ offset = dissect_ndr_counted_string(
tvb, offset, pinfo, tree, drep, hf_querykey_class, 0);
offset = dissect_ndr_uint32(
tvb, offset, pinfo, tree, drep,
- hf_openentry_unknown1, NULL);
+ hf_openkey_unknown1, NULL);
offset = dissect_ndr_uint32(
tvb, offset, pinfo, tree, drep,
hf_access_mask, NULL);
- dcerpc_smb_check_long_frame(tvb, offset, pinfo, tree);
-
return offset;
}
static int
-RegOpenEntry_r(tvbuff_t *tvb, int offset, packet_info *pinfo,
+RegOpenKey_r(tvbuff_t *tvb, int offset, packet_info *pinfo,
proto_tree *tree, char *drep)
{
- dcerpc_info *di = (dcerpc_info *)pinfo->private_data;
- dcerpc_call_value *dcv = (dcerpc_call_value *)di->call_data;
e_ctx_hnd policy_hnd;
-
- if (dcv->req_frame != 0)
- proto_tree_add_text(tree, tvb, offset, 0,
- "Request in frame %u", dcv->req_frame);
+ proto_item *hnd_item;
+ guint32 status;
/* Parse packet */
offset = dissect_nt_policy_hnd(
tvb, offset, pinfo, tree, drep,
- hf_hnd, &policy_hnd, TRUE, FALSE);
-
- dcerpc_smb_store_pol_name(&policy_hnd, "OpenEntry handle");
+ hf_hnd, &policy_hnd, &hnd_item, TRUE, FALSE);
offset = dissect_ntstatus(
- tvb, offset, pinfo, tree, drep, hf_rc, NULL);
+ tvb, offset, pinfo, tree, drep, hf_rc, &status);
- dcerpc_smb_check_long_frame(tvb, offset, pinfo, tree);
+ if (status == 0) {
+ dcerpc_smb_store_pol_name(&policy_hnd, pinfo,
+ "OpenKey handle");
+ if (hnd_item != NULL)
+ proto_item_append_text(hnd_item, ": OpenKey handle");
+ }
return offset;
}
/*
- * Unknown1A
+ * GetVersion
*/
static int
-RegUnknown1A_q(tvbuff_t *tvb, int offset, packet_info *pinfo,
+RegGetVersion_q(tvbuff_t *tvb, int offset, packet_info *pinfo,
proto_tree *tree, char *drep)
{
- dcerpc_info *di = (dcerpc_info *)pinfo->private_data;
- dcerpc_call_value *dcv = (dcerpc_call_value *)di->call_data;
-
- if (dcv->rep_frame != 0)
- proto_tree_add_text(tree, tvb, offset, 0,
- "Reply in frame %u", dcv->rep_frame);
-
/* Parse packet */
offset = dissect_nt_policy_hnd(
tvb, offset, pinfo, tree, drep,
- hf_hnd, NULL, FALSE, FALSE);
-
- dcerpc_smb_check_long_frame(tvb, offset, pinfo, tree);
+ hf_hnd, NULL, NULL, FALSE, FALSE);
return offset;
}
static int
-RegUnknown1A_r(tvbuff_t *tvb, int offset, packet_info *pinfo,
+RegGetVersion_r(tvbuff_t *tvb, int offset, packet_info *pinfo,
proto_tree *tree, char *drep)
{
- dcerpc_info *di = (dcerpc_info *)pinfo->private_data;
- dcerpc_call_value *dcv = (dcerpc_call_value *)di->call_data;
-
- if (dcv->req_frame != 0)
- proto_tree_add_text(tree, tvb, offset, 0,
- "Request in frame %u", dcv->req_frame);
-
/* Parse packet */
offset = dissect_ndr_uint32(
tvb, offset, pinfo, tree, drep,
- hf_unknown1A_unknown1, NULL);
+ hf_getversion_version, NULL);
offset = dissect_ntstatus(
tvb, offset, pinfo, tree, drep, hf_rc, NULL);
- dcerpc_smb_check_long_frame(tvb, offset, pinfo, tree);
-
return offset;
}
RegEnumKey_q(tvbuff_t *tvb, int offset, packet_info *pinfo,
proto_tree *tree, char *drep)
{
- dcerpc_info *di = (dcerpc_info *)pinfo->private_data;
- dcerpc_call_value *dcv = (dcerpc_call_value *)di->call_data;
+ /* Parse packet */
+
+ offset = dissect_nt_policy_hnd(
+ tvb, offset, pinfo, tree, drep,
+ hf_hnd, NULL, NULL, FALSE, FALSE);
+
+ return offset;
+}
+
+static int
+RegEnumKey_r(tvbuff_t *tvb, int offset, packet_info *pinfo,
+ proto_tree *tree, char *drep)
+{
+ /* Parse packet */
+
+ offset = dissect_ntstatus(
+ tvb, offset, pinfo, tree, drep, hf_rc, NULL);
+
+ return offset;
+}
+
+/*
+ * RegQueryValue
+ */
+
+static int
+dissect_reserved(tvbuff_t *tvb, int offset, packet_info *pinfo,
+ proto_tree *tree, char *drep)
+{
+ offset = dissect_ndr_uint32(
+ tvb, offset, pinfo, tree, drep, hf_reserved, NULL);
+
+ return offset;
+}
+
+static int
+dissect_offered(tvbuff_t *tvb, int offset, packet_info *pinfo,
+ proto_tree *tree, char *drep)
+{
+ offset = dissect_ndr_uint32(
+ tvb, offset, pinfo, tree, drep, hf_offered, NULL);
- if (dcv->rep_frame != 0)
- proto_tree_add_text(tree, tvb, offset, 0,
- "Reply in frame %u", dcv->rep_frame);
+ return offset;
+}
+static int
+dissect_returned(tvbuff_t *tvb, int offset, packet_info *pinfo,
+ proto_tree *tree, char *drep)
+{
+ offset = dissect_ndr_uint32(
+ tvb, offset, pinfo, tree, drep, hf_returned, NULL);
+
+ return offset;
+}
+
+static int
+dissect_unknown(tvbuff_t *tvb, int offset, packet_info *pinfo,
+ proto_tree *tree, char *drep)
+{
+ offset = dissect_ndr_uint32(
+ tvb, offset, pinfo, tree, drep, hf_unknown, NULL);
+
+ return offset;
+}
+
+static int
+RegQueryValue_q(tvbuff_t *tvb, int offset, packet_info *pinfo,
+ proto_tree *tree, char *drep)
+{
/* Parse packet */
offset = dissect_nt_policy_hnd(
tvb, offset, pinfo, tree, drep,
- hf_hnd, NULL, FALSE, FALSE);
+ hf_hnd, NULL, NULL, FALSE, FALSE);
- dcerpc_smb_check_long_frame(tvb, offset, pinfo, tree);
+ offset = dissect_ndr_counted_string(
+ tvb, offset, pinfo, tree, drep, hf_querykey_class, 0);
+
+ offset = dissect_ndr_pointer(
+ tvb, offset, pinfo, tree, drep,
+ dissect_reserved, NDR_POINTER_UNIQUE,
+ "Reserved", -1);
+
+ offset = dissect_ndr_pointer(
+ tvb, offset, pinfo, tree, drep,
+ dissect_offered, NDR_POINTER_UNIQUE,
+ "Offered", -1);
+
+ offset = dissect_ndr_pointer(
+ tvb, offset, pinfo, tree, drep,
+ dissect_unknown, NDR_POINTER_UNIQUE,
+ "Unknown", -1);
+
+ offset = dissect_ndr_pointer(
+ tvb, offset, pinfo, tree, drep,
+ dissect_unknown, NDR_POINTER_UNIQUE,
+ "Unknown", -1);
+
+ offset = dissect_ndr_pointer(
+ tvb, offset, pinfo, tree, drep,
+ dissect_offered, NDR_POINTER_UNIQUE,
+ "Offered", -1);
+
+ offset = dissect_ndr_pointer(
+ tvb, offset, pinfo, tree, drep,
+ dissect_returned, NDR_POINTER_UNIQUE,
+ "Returned", -1);
return offset;
}
static int
-RegEnumKey_r(tvbuff_t *tvb, int offset, packet_info *pinfo,
- proto_tree *tree, char *drep)
+dissect_key_type(tvbuff_t *tvb, int offset, packet_info *pinfo,
+ proto_tree *tree, char *drep)
{
- dcerpc_info *di = (dcerpc_info *)pinfo->private_data;
- dcerpc_call_value *dcv = (dcerpc_call_value *)di->call_data;
+ offset = dissect_ndr_uint32(
+ tvb, offset, pinfo, tree, drep, hf_keytype, NULL);
- if (dcv->req_frame != 0)
- proto_tree_add_text(tree, tvb, offset, 0,
- "Request in frame %u", dcv->req_frame);
+ return offset;
+}
+static int
+RegQueryValue_r(tvbuff_t *tvb, int offset, packet_info *pinfo,
+ proto_tree *tree, char *drep)
+{
/* Parse packet */
+ offset = dissect_ndr_pointer(
+ tvb, offset, pinfo, tree, drep,
+ dissect_key_type, NDR_POINTER_UNIQUE,
+ "Key Type", -1);
+
+ offset = dissect_ndr_pointer(
+ tvb, offset, pinfo, tree, drep,
+ dissect_ndr_byte_array, NDR_POINTER_UNIQUE,
+ "Key Data", -1);
+
+ offset = dissect_ndr_pointer(
+ tvb, offset, pinfo, tree, drep,
+ dissect_offered, NDR_POINTER_UNIQUE,
+ "Offered", -1);
+
+ offset = dissect_ndr_pointer(
+ tvb, offset, pinfo, tree, drep,
+ dissect_returned, NDR_POINTER_UNIQUE,
+ "Returned", -1);
+
offset = dissect_ntstatus(
tvb, offset, pinfo, tree, drep, hf_rc, NULL);
- dcerpc_smb_check_long_frame(tvb, offset, pinfo, tree);
+ return offset;
+}
+
+/* Reg Shutdown functions */
+static int
+dissect_shutdown_server(tvbuff_t *tvb, int offset, packet_info *pinfo,
+ proto_tree *tree, char *drep)
+{
+ offset = dissect_ndr_uint16(
+ tvb, offset, pinfo, tree, drep, hf_shutdown_server, NULL);
return offset;
}
+static int
+dissect_shutdown_message(tvbuff_t *tvb, int offset, packet_info *pinfo,
+ proto_tree *tree, char *drep)
+{
+ offset = dissect_ndr_counted_string(
+ tvb, offset, pinfo, tree, drep, hf_shutdown_message, 0);
+
+ return offset;
+}
+
+static int
+RegShutdown_q(tvbuff_t *tvb, int offset, packet_info *pinfo,
+ proto_tree *tree, char *drep)
+{
+ offset = dissect_ndr_pointer(
+ tvb, offset, pinfo, tree, drep,
+ dissect_shutdown_server, NDR_POINTER_UNIQUE,
+ "Server", -1);
+
+ offset = dissect_ndr_pointer(
+ tvb, offset, pinfo, tree, drep,
+ dissect_shutdown_message, NDR_POINTER_UNIQUE,
+ "message", -1);
+
+ offset = dissect_ndr_uint32(
+ tvb, offset, pinfo, tree, drep, hf_shutdown_seconds, NULL);
+
+ offset = dissect_ndr_uint8(
+ tvb, offset, pinfo, tree, drep, hf_shutdown_force, NULL);
+ offset = dissect_ndr_uint8(
+ tvb, offset, pinfo, tree, drep, hf_shutdown_reboot, NULL);
+
+ return offset;
+}
+
+static int
+RegShutdown_r(tvbuff_t *tvb, int offset, packet_info *pinfo,
+ proto_tree *tree, char *drep)
+{
+ offset = dissect_ntstatus(
+ tvb, offset, pinfo, tree, drep, hf_rc, NULL);
+
+ return offset;
+}
+
+static int
+RegAbortShutdown_q(tvbuff_t *tvb, int offset, packet_info *pinfo,
+ proto_tree *tree, char *drep)
+{
+ offset = dissect_ndr_pointer(
+ tvb, offset, pinfo, tree, drep,
+ dissect_shutdown_server, NDR_POINTER_UNIQUE,
+ "Server", -1);
+
+ return offset;
+}
+
+static int
+RegShutdownEx_q(tvbuff_t *tvb, int offset, packet_info *pinfo,
+ proto_tree *tree, char *drep)
+{
+ offset = RegShutdown_q(tvb, offset, pinfo, tree, drep);
+ offset = dissect_ndr_uint32(
+ tvb, offset, pinfo, tree, drep, hf_shutdown_reason, NULL);
+
+ return offset;
+}
+
#if 0
/* Templates for new subdissectors */
proto_tree *tree, char *drep)
{
dcerpc_info *di = (dcerpc_info *)pinfo->private_data;
- dcerpc_call_value *dcv = (dcerpc_call_value *)di->call_data;
-
- if (dcv->rep_frame != 0)
- proto_tree_add_text(tree, tvb, offset, 0,
- "Reply in frame %u", dcv->rep_frame);
/* Parse packet */
- dcerpc_smb_check_long_frame(tvb, offset, pinfo, tree);
-
return offset;
}
proto_tree *tree, char *drep)
{
dcerpc_info *di = (dcerpc_info *)pinfo->private_data;
- dcerpc_call_value *dcv = (dcerpc_call_value *)di->call_data;
-
- if (dcv->req_frame != 0)
- proto_tree_add_text(tree, tvb, offset, 0,
- "Request in frame %u", dcv->req_frame);
/* Parse packet */
offset = dissect_ntstatus(
tvb, offset, pinfo, tree, drep, hf_rc, NULL);
- dcerpc_smb_check_long_frame(tvb, offset, pinfo, tree);
-
return offset;
}
/* Registry data types */
const value_string reg_datatypes[] = {
- { REG_NONE, "REG_NONE" },
- { REG_SZ, "REG_SZ" },
- { REG_EXPAND_SZ, "REG_EXPAND_SZ" },
- { REG_BINARY, "REG_BINARY" },
- { REG_DWORD, "REG_DWORD" },
- { REG_DWORD_LE, "REG_DWORD_LE" },
- { REG_DWORD_BE, "REG_DWORD_BE" },
- { REG_LINK, "REG_LINK" },
- { REG_MULTI_SZ, "REG_MULTI_SZ" },
- { REG_RESOURCE_LIST, "REG_RESOURCE_LIST" },
- { REG_FULL_RESOURCE_DESCRIPTOR, "REG_FULL_RESOURCE_DESCRIPTOR" },
- { REG_RESOURCE_REQUIREMENTS_LIST, "REG_RESOURCE_REQUIREMENTS_LIST" },
+ { DCERPC_REG_NONE, "REG_NONE" },
+ { DCERPC_REG_SZ, "REG_SZ" },
+ { DCERPC_REG_EXPAND_SZ, "REG_EXPAND_SZ" },
+ { DCERPC_REG_BINARY, "REG_BINARY" },
+ { DCERPC_REG_DWORD, "REG_DWORD" },
+ { DCERPC_REG_DWORD_LE, "REG_DWORD_LE" },
+ { DCERPC_REG_DWORD_BE, "REG_DWORD_BE" },
+ { DCERPC_REG_LINK, "REG_LINK" },
+ { DCERPC_REG_MULTI_SZ, "REG_MULTI_SZ" },
+ { DCERPC_REG_RESOURCE_LIST, "REG_RESOURCE_LIST" },
+ { DCERPC_REG_FULL_RESOURCE_DESCRIPTOR, "REG_FULL_RESOURCE_DESCRIPTOR" },
+ { DCERPC_REG_RESOURCE_REQUIREMENTS_LIST, "REG_RESOURCE_REQUIREMENTS_LIST" },
{0, NULL }
};
static dcerpc_sub_dissector dcerpc_reg_dissectors[] = {
{ REG_OPEN_HKCR, "OpenHKCR", RegOpenHKCR_q, RegOpenHKCR_r },
- { _REG_UNK_01, "Unknown01", NULL, NULL },
+ { REG_OPEN_HKCU, "OpenHKCU", NULL, NULL },
{ REG_OPEN_HKLM, "OpenHKLM", RegOpenHKLM_q, RegOpenHKLM_r },
- { _REG_UNK_03, "Unknown03", NULL, NULL },
+ { REG_OPEN_HKPD, "OpenHKPD", NULL, NULL },
{ REG_OPEN_HKU, "OpenHKU", RegOpenHKU_q, RegOpenHKU_r },
- { REG_CLOSE, "Close", RegClose_q, RegClose_r },
+ { REG_CLOSE_KEY, "CloseKey", RegCloseKey_q, RegCloseKey_r },
{ REG_CREATE_KEY, "CreateKey", NULL, NULL },
{ REG_DELETE_KEY, "DeleteKey", NULL, NULL },
{ REG_DELETE_VALUE, "DeleteValue", NULL, NULL },
{ REG_ENUM_VALUE, "EnumValue", NULL, NULL },
{ REG_FLUSH_KEY, "FlushKey", NULL, NULL },
{ REG_GET_KEY_SEC, "GetKeySecurity", NULL, NULL },
- { _REG_UNK_0D, "Unknown0d", NULL, NULL },
- { _REG_UNK_0E, "Unknown0e", NULL, NULL },
- { REG_OPEN_ENTRY, "OpenEntry", RegOpenEntry_q, RegOpenEntry_r },
- { REG_QUERY_KEY, "QueryKey", RegQueryKey_q, RegQueryKey_r },
- { REG_INFO, "Info", NULL, NULL },
- { _REG_UNK_12, "Unknown12", NULL, NULL },
- { _REG_UNK_13, "Unknown13", NULL, NULL },
- { _REG_UNK_14, "Unknown14", NULL, NULL },
+ { REG_LOAD_KEY, "LoadKey", NULL, NULL },
+ { REG_NOTIFY_CHANGE_KEY_VALUE, "NotifyChangeKeyValue", NULL, NULL },
+ { REG_OPEN_KEY, "OpenKey", RegOpenKey_q, RegOpenKey_r },
+ { REG_QUERY_INFO_KEY, "QueryInfoKey", RegQueryInfoKey_q, RegQueryInfoKey_r },
+ { REG_QUERY_VALUE, "QueryValue", RegQueryValue_q, RegQueryValue_r },
+ { REG_REPLACE_KEY, "ReplaceKey", NULL, NULL },
+ { REG_RESTORE_KEY, "RestoreKey", NULL, NULL },
+ { REG_SAVE_KEY, "SaveKey", NULL, NULL },
{ REG_SET_KEY_SEC, "SetKeySecurity", NULL, NULL },
- { REG_CREATE_VALUE, "CreateValue", NULL, NULL },
- { _REG_UNK_17, "Unknown17", NULL, NULL },
- { REG_SHUTDOWN, "Shutdown", NULL, NULL },
- { REG_ABORT_SHUTDOWN, "AbortShutdown", NULL, NULL },
- { REG_UNK_1A, "Unknown1A", RegUnknown1A_q, RegUnknown1A_r },
-
+ { REG_SET_VALUE, "SetValue", NULL, NULL },
+ { REG_UNLOAD_KEY, "UnLoadKey", NULL, NULL },
+ { REG_INITIATE_SYSTEM_SHUTDOWN, "InitiateSystemShutdown",
+ RegShutdown_q, RegShutdown_r },
+ { REG_ABORT_SYSTEM_SHUTDOWN, "AbortSystemShutdown",
+ RegAbortShutdown_q, RegShutdown_r },
+ { REG_GET_VERSION, "GetVersion", RegGetVersion_q, RegGetVersion_r },
+ { REG_OPEN_HKCC, "OpenHKCC", NULL, NULL },
+ { REG_OPEN_HKDD, "OpenHKDD", NULL, NULL },
+ { REG_QUERY_MULTIPLE_VALUES, "QueryMultipleValues", NULL, NULL },
+ { REG_INITIATE_SYSTEM_SHUTDOWN_EX, "InitiateSystemShutdownEx",
+ RegShutdownEx_q, RegShutdown_r },
+ { REG_SAVE_KEY_EX, "SaveKeyEx", NULL, NULL },
+ { REG_OPEN_HKPT, "OpenHKPT", NULL, NULL },
+ { REG_OPEN_HKPN, "OpenHKPN", NULL, NULL },
+ { REG_QUERY_MULTIPLE_VALUES_2, "QueryMultipleValues2", NULL, NULL },
{ 0, NULL, NULL, NULL }
};
-static const value_string reg_opnum_vals[] = {
- { REG_OPEN_HKCR, "OpenHKCR" },
- { _REG_UNK_01, "Unknown01" },
- { REG_OPEN_HKLM, "OpenHKLM" },
- { _REG_UNK_03, "Unknown03" },
- { REG_OPEN_HKU, "OpenHKU" },
- { REG_CLOSE, "Close" },
- { REG_CREATE_KEY, "CreateKey" },
- { REG_DELETE_KEY, "DeleteKey" },
- { REG_DELETE_VALUE, "DeleteValue" },
- { REG_ENUM_KEY, "EnumKey" },
- { REG_ENUM_VALUE, "EnumValue" },
- { REG_FLUSH_KEY, "FlushKey" },
- { REG_GET_KEY_SEC, "GetKeySecurity" },
- { _REG_UNK_0D, "Unknown0d" },
- { _REG_UNK_0E, "Unknown0e" },
- { REG_OPEN_ENTRY, "OpenEntry" },
- { REG_QUERY_KEY, "QueryKey" },
- { REG_INFO, "Info" },
- { _REG_UNK_12, "Unknown12" },
- { _REG_UNK_13, "Unknown13" },
- { _REG_UNK_14, "Unknown14" },
- { REG_SET_KEY_SEC, "SetKeySecurity" },
- { REG_CREATE_VALUE, "CreateValue" },
- { _REG_UNK_17, "Unknown17" },
- { REG_SHUTDOWN, "Shutdown" },
- { REG_ABORT_SHUTDOWN, "AbortShutdown" },
- { REG_UNK_1A, "Unknown1A" },
- { 0, NULL }
-};
-
void
proto_register_dcerpc_reg(void)
{
{ &hf_reg_opnum,
{ "Operation", "reg.opnum", FT_UINT16, BASE_DEC,
- VALS(reg_opnum_vals), 0x0, "Operation", HFILL }},
+ NULL, 0x0, "Operation", HFILL }},
{ &hf_access_mask,
{ "Access mask", "reg.access_mask", FT_UINT32, BASE_HEX,
NULL, 0x0, "Access mask", HFILL }},
+ { &hf_keytype,
+ { "Key type", "reg.type", FT_UINT32, BASE_DEC,
+ VALS(reg_datatypes), 0x0, "Key type", HFILL }},
+
+ { &hf_keydata,
+ { "Key data", "reg.data", FT_BYTES, BASE_HEX,
+ NULL, 0x0, "Key data", HFILL }},
+
+ { &hf_offered,
+ { "Offered", "reg.offered", FT_UINT32, BASE_DEC,
+ NULL, 0x0, "Offered", HFILL }},
+
+ { &hf_returned,
+ { "Returned", "reg.returned", FT_UINT32, BASE_DEC,
+ NULL, 0x0, "Returned", HFILL }},
+
+ { &hf_reserved,
+ { "Reserved", "reg.reserved", FT_UINT32, BASE_HEX,
+ NULL, 0x0, "Reserved", HFILL }},
+
+ { &hf_unknown,
+ { "Unknown", "reg.unknown", FT_UINT32, BASE_HEX,
+ NULL, 0x0, "Unknown", HFILL }},
+
/* OpenHKLM */
{ &hf_openhklm_unknown1,
{ "Mod time", "reg.querykey.modtime", FT_ABSOLUTE_TIME, BASE_NONE,
NULL, 0x0, "Secdesc", HFILL }},
- /* OpenEntry */
+ /* OpenKey */
{ &hf_keyname,
{ "Key name", "reg.keyname", FT_STRING, BASE_NONE,
NULL, 0x0, "Keyname", HFILL }},
- { &hf_openentry_unknown1,
- { "Unknown 1", "reg.openentry.unknown1", FT_UINT32, BASE_HEX,
+ { &hf_openkey_unknown1,
+ { "Unknown 1", "reg.openkey.unknown1", FT_UINT32, BASE_HEX,
NULL, 0x0, "Unknown 1", HFILL }},
- /* Unknown1A */
+ /* GetVersion */
- { &hf_unknown1A_unknown1,
- { "Unknown 1", "reg.unknown1A.unknown1", FT_UINT32, BASE_HEX,
- NULL, 0x0, "Unknown 1", HFILL }},
+ { &hf_getversion_version,
+ { "Version", "reg.getversion.version", FT_UINT32, BASE_HEX,
+ NULL, 0x0, "Version", HFILL }},
+
+ /* Shutdown */
+ { &hf_shutdown_message,
+ { "Message", "reg.shutdown.message", FT_STRING, BASE_NONE,
+ NULL, 0x0, "Message", HFILL }},
+
+ { &hf_shutdown_seconds,
+ { "Seconds", "reg.shutdown.seconds", FT_UINT32, BASE_DEC,
+ NULL, 0x00, "Seconds", HFILL }},
+
+ { &hf_shutdown_force,
+ { "Force applications shut", "reg.shutdown.force", FT_UINT8,
+ BASE_DEC, NULL, 0x00, "Force applications shut", HFILL }},
+
+ { &hf_shutdown_reboot,
+ { "Reboot", "reg.shutdown.reboot", FT_UINT8, BASE_DEC,
+ NULL, 0x00, "Reboot", HFILL }},
+
+ { &hf_shutdown_server,
+ { "Server", "reg.shutdown.server", FT_UINT16, BASE_HEX,
+ NULL, 0x00, "Server", HFILL }},
+
+ { &hf_shutdown_reason,
+ { "Reason", "reg.shutdown.reason", FT_UINT32, BASE_HEX,
+ NULL, 0x00, "Reason", HFILL }}
};
git.samba.org / obnox / wireshark / wip.git / blobdiff