* Routines for SMB \PIPE\winreg packet disassembly
* Copyright 2001-2003 Tim Potter <tpot@samba.org>
*
- * $Id: packet-dcerpc-reg.c,v 1.16 2003/04/21 01:13:41 guy Exp $
+ * $Id: packet-dcerpc-reg.c,v 1.21 2003/08/04 02:49:02 tpot Exp $
*
* Ethereal - Network traffic analyzer
* By Gerald Combs <gerald@ethereal.com>
static int hf_rc = -1;
static int hf_hnd = -1;
static int hf_access_mask = -1;
+static int hf_keytype = -1;
+static int hf_keydata = -1;
+static int hf_offered = -1;
+static int hf_returned = -1;
+static int hf_reserved = -1;
+static int hf_unknown = -1;
/* OpenHKLM */
dissect_open_data,
NDR_POINTER_UNIQUE, "Unknown", -1);
- dcerpc_smb_check_long_frame(tvb, offset, pinfo, tree);
-
return offset;
}
proto_tree *tree, char *drep)
{
e_ctx_hnd policy_hnd;
+ proto_item *hnd_item;
+ guint32 status;
/* Parse packet */
offset = dissect_nt_policy_hnd(
tvb, offset, pinfo, tree, drep,
- hf_hnd, &policy_hnd, TRUE, FALSE);
-
- dcerpc_smb_store_pol_name(&policy_hnd, "HKLM handle");
+ hf_hnd, &policy_hnd, &hnd_item, TRUE, FALSE);
offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
- hf_rc, NULL);
+ hf_rc, &status);
- dcerpc_smb_check_long_frame(tvb, offset, pinfo, tree);
+ if (status == 0) {
+ dcerpc_smb_store_pol_name(&policy_hnd, pinfo, "HKLM handle");
+ if (hnd_item != NULL)
+ proto_item_append_text(hnd_item, ": HKLM handle");
+ }
return offset;
}
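Review bot: The same handle-naming tail — declare `hnd_item`/`status`, decode the handle with `&hnd_item`, decode the status into `&status`, then `if (status == 0)` store the policy name and append `": <name> handle"` to the item — is now written out four times, here in the OpenHKLM reply and again in the OpenHKU, OpenHKCR and OpenEntry replies below, differing only in the handle name string. A single static helper taking the name as a `const char *` would keep the four in step (the check on `status` was added to all four in this commit and any future fix would have to be repeated the same way) and is the natural place to initialise `hnd_item` to NULL, so the `if (hnd_item != NULL)` guard does not depend on `dissect_nt_policy_hnd` writing `*pitem` on every path, which I cannot confirm from the hunk. Each reply dissector would then reduce to one call such as `return dissect_open_reply_hnd(tvb, offset, pinfo, tree, drep, "HKLM handle");`. The enclosing function's header is above the hunk, so the signature below is inferred from the visible parameter list.
```c
/* Common tail of the Open* replies: decode the status and, on success,
 * remember the returned policy handle under the given name. */
static int
dissect_open_reply_hnd(tvbuff_t *tvb, int offset, packet_info *pinfo,
		       proto_tree *tree, char *drep, const char *name)
{
	e_ctx_hnd policy_hnd;
	proto_item *hnd_item = NULL;
	guint32 status = 0;

	offset = dissect_nt_policy_hnd(
		tvb, offset, pinfo, tree, drep,
		hf_hnd, &policy_hnd, &hnd_item, TRUE, FALSE);

	offset = dissect_ntstatus(
		tvb, offset, pinfo, tree, drep, hf_rc, &status);

	if (status == 0) {
		dcerpc_smb_store_pol_name(&policy_hnd, pinfo, name);
		if (hnd_item != NULL)
			proto_item_append_text(hnd_item, ": %s", name);
	}

	return offset;
}
```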
dissect_open_data,
NDR_POINTER_UNIQUE, "Unknown", -1);
- dcerpc_smb_check_long_frame(tvb, offset, pinfo, tree);
-
return offset;
}
proto_tree *tree, char *drep)
{
e_ctx_hnd policy_hnd;
+ proto_item *hnd_item;
+ guint32 status;
/* Parse packet */
offset = dissect_nt_policy_hnd(
tvb, offset, pinfo, tree, drep,
- hf_hnd, &policy_hnd, TRUE, FALSE);
-
- dcerpc_smb_store_pol_name(&policy_hnd, "HKU handle");
+ hf_hnd, &policy_hnd, &hnd_item, TRUE, FALSE);
offset = dissect_ntstatus(
- tvb, offset, pinfo, tree, drep, hf_rc, NULL);
+ tvb, offset, pinfo, tree, drep, hf_rc, &status);
- dcerpc_smb_check_long_frame(tvb, offset, pinfo, tree);
+ if (status == 0) {
+ dcerpc_smb_store_pol_name(&policy_hnd, pinfo, "HKU handle");
+ if (hnd_item != NULL)
+ proto_item_append_text(hnd_item, ": HKU handle");
+ }
return offset;
}
dissect_open_data,
NDR_POINTER_UNIQUE, "Unknown", -1);
- dcerpc_smb_check_long_frame(tvb, offset, pinfo, tree);
-
return offset;
}
proto_tree *tree, char *drep)
{
e_ctx_hnd policy_hnd;
+ proto_item *hnd_item;
+ guint32 status;
/* Parse packet */
offset = dissect_nt_policy_hnd(
tvb, offset, pinfo, tree, drep,
- hf_hnd, &policy_hnd, TRUE, FALSE);
-
- dcerpc_smb_store_pol_name(&policy_hnd, "HKCR handle");
+ hf_hnd, &policy_hnd, &hnd_item, TRUE, FALSE);
offset = dissect_ntstatus(
- tvb, offset, pinfo, tree, drep, hf_rc, NULL);
+ tvb, offset, pinfo, tree, drep, hf_rc, &status);
- dcerpc_smb_check_long_frame(tvb, offset, pinfo, tree);
+ if (status == 0) {
+ dcerpc_smb_store_pol_name(&policy_hnd, pinfo, "HKCR handle");
+ if (hnd_item != NULL)
+ proto_item_append_text(hnd_item, ": HKCR handle");
+ }
return offset;
}
offset = dissect_nt_policy_hnd(
tvb, offset, pinfo, tree, drep,
- hf_hnd, NULL, FALSE, TRUE);
-
- dcerpc_smb_check_long_frame(tvb, offset, pinfo, tree);
+ hf_hnd, NULL, NULL, FALSE, TRUE);
return offset;
}
offset = dissect_nt_policy_hnd(
tvb, offset, pinfo, tree, drep,
- hf_hnd, NULL, FALSE, FALSE);
+ hf_hnd, NULL, NULL, FALSE, FALSE);
offset = dissect_ntstatus(
tvb, offset, pinfo, tree, drep, hf_rc, NULL);
- dcerpc_smb_check_long_frame(tvb, offset, pinfo, tree);
-
return offset;
}
offset = dissect_nt_policy_hnd(
tvb, offset, pinfo, tree, drep,
- hf_hnd, NULL, FALSE, FALSE);
+ hf_hnd, NULL, NULL, FALSE, FALSE);
offset = dissect_ndr_counted_string(
tvb, offset, pinfo, tree, drep, hf_querykey_class, 0);
- dcerpc_smb_check_long_frame(tvb, offset, pinfo, tree);
-
return offset;
}
offset = dissect_ntstatus(
tvb, offset, pinfo, tree, drep, hf_rc, NULL);
- dcerpc_smb_check_long_frame(tvb, offset, pinfo, tree);
-
return offset;
}
offset = dissect_nt_policy_hnd(
tvb, offset, pinfo, tree, drep,
- hf_hnd, NULL, FALSE, FALSE);
+ hf_hnd, NULL, NULL, FALSE, FALSE);
offset = dissect_ndr_counted_string(
tvb, offset, pinfo, tree, drep, hf_querykey_class, 0);
tvb, offset, pinfo, tree, drep,
hf_access_mask, NULL);
- dcerpc_smb_check_long_frame(tvb, offset, pinfo, tree);
-
return offset;
}
proto_tree *tree, char *drep)
{
e_ctx_hnd policy_hnd;
+ proto_item *hnd_item;
+ guint32 status;
/* Parse packet */
offset = dissect_nt_policy_hnd(
tvb, offset, pinfo, tree, drep,
- hf_hnd, &policy_hnd, TRUE, FALSE);
-
- dcerpc_smb_store_pol_name(&policy_hnd, "OpenEntry handle");
+ hf_hnd, &policy_hnd, &hnd_item, TRUE, FALSE);
offset = dissect_ntstatus(
- tvb, offset, pinfo, tree, drep, hf_rc, NULL);
+ tvb, offset, pinfo, tree, drep, hf_rc, &status);
- dcerpc_smb_check_long_frame(tvb, offset, pinfo, tree);
+ if (status == 0) {
+ dcerpc_smb_store_pol_name(&policy_hnd, pinfo,
+ "OpenEntry handle");
+ if (hnd_item != NULL)
+ proto_item_append_text(hnd_item, ": OpenEntry handle");
+ }
return offset;
}
offset = dissect_nt_policy_hnd(
tvb, offset, pinfo, tree, drep,
- hf_hnd, NULL, FALSE, FALSE);
-
- dcerpc_smb_check_long_frame(tvb, offset, pinfo, tree);
+ hf_hnd, NULL, NULL, FALSE, FALSE);
return offset;
}
offset = dissect_ntstatus(
tvb, offset, pinfo, tree, drep, hf_rc, NULL);
- dcerpc_smb_check_long_frame(tvb, offset, pinfo, tree);
-
return offset;
}
offset = dissect_nt_policy_hnd(
tvb, offset, pinfo, tree, drep,
- hf_hnd, NULL, FALSE, FALSE);
-
- dcerpc_smb_check_long_frame(tvb, offset, pinfo, tree);
+ hf_hnd, NULL, NULL, FALSE, FALSE);
return offset;
}
offset = dissect_ntstatus(
tvb, offset, pinfo, tree, drep, hf_rc, NULL);
- dcerpc_smb_check_long_frame(tvb, offset, pinfo, tree);
+ return offset;
+}
+
+/*
+ * RegQueryValue
+ */
+
+static int
+dissect_reserved(tvbuff_t *tvb, int offset, packet_info *pinfo,
+ proto_tree *tree, char *drep)
+{
+ offset = dissect_ndr_uint32(
+ tvb, offset, pinfo, tree, drep, hf_reserved, NULL);
+
+ return offset;
+}
+
+static int
+dissect_offered(tvbuff_t *tvb, int offset, packet_info *pinfo,
+ proto_tree *tree, char *drep)
+{
+ offset = dissect_ndr_uint32(
+ tvb, offset, pinfo, tree, drep, hf_offered, NULL);
+
+ return offset;
+}
+
+static int
+dissect_returned(tvbuff_t *tvb, int offset, packet_info *pinfo,
+ proto_tree *tree, char *drep)
+{
+ offset = dissect_ndr_uint32(
+ tvb, offset, pinfo, tree, drep, hf_returned, NULL);
+
+ return offset;
+}
+
+static int
+dissect_unknown(tvbuff_t *tvb, int offset, packet_info *pinfo,
+ proto_tree *tree, char *drep)
+{
+ offset = dissect_ndr_uint32(
+ tvb, offset, pinfo, tree, drep, hf_unknown, NULL);
+
+ return offset;
+}
+
+static int
+RegQueryValue_q(tvbuff_t *tvb, int offset, packet_info *pinfo,
+ proto_tree *tree, char *drep)
+{
+ /* Parse packet */
+
+ offset = dissect_nt_policy_hnd(
+ tvb, offset, pinfo, tree, drep,
+ hf_hnd, NULL, NULL, FALSE, FALSE);
+
+ offset = dissect_ndr_counted_string(
+ tvb, offset, pinfo, tree, drep, hf_querykey_class, 0);
+
+ offset = dissect_ndr_pointer(
+ tvb, offset, pinfo, tree, drep,
+ dissect_reserved, NDR_POINTER_UNIQUE,
+ "Reserved", -1);
+
+ offset = dissect_ndr_pointer(
+ tvb, offset, pinfo, tree, drep,
+ dissect_offered, NDR_POINTER_UNIQUE,
+ "Offered", -1);
+
+ offset = dissect_ndr_pointer(
+ tvb, offset, pinfo, tree, drep,
+ dissect_unknown, NDR_POINTER_UNIQUE,
+ "Unknown", -1);
+
+ offset = dissect_ndr_pointer(
+ tvb, offset, pinfo, tree, drep,
+ dissect_unknown, NDR_POINTER_UNIQUE,
+ "Unknown", -1);
+
+ offset = dissect_ndr_pointer(
+ tvb, offset, pinfo, tree, drep,
+ dissect_offered, NDR_POINTER_UNIQUE,
+ "Offered", -1);
+
+ offset = dissect_ndr_pointer(
+ tvb, offset, pinfo, tree, drep,
+ dissect_returned, NDR_POINTER_UNIQUE,
+ "Returned", -1);
+
+ return offset;
+}
+
+static int
+dissect_key_type(tvbuff_t *tvb, int offset, packet_info *pinfo,
+ proto_tree *tree, char *drep)
+{
+ offset = dissect_ndr_uint32(
+ tvb, offset, pinfo, tree, drep, hf_keytype, NULL);
+
+ return offset;
+}
+
+static int
+RegQueryValue_r(tvbuff_t *tvb, int offset, packet_info *pinfo,
+ proto_tree *tree, char *drep)
+{
+ /* Parse packet */
+
+ offset = dissect_ndr_pointer(
+ tvb, offset, pinfo, tree, drep,
+ dissect_key_type, NDR_POINTER_UNIQUE,
+ "Key Type", -1);
+
+ offset = dissect_ndr_pointer(
+ tvb, offset, pinfo, tree, drep,
+ dissect_ndr_byte_array, NDR_POINTER_UNIQUE,
+ "Key Data", -1);
+
+ offset = dissect_ndr_pointer(
+ tvb, offset, pinfo, tree, drep,
+ dissect_offered, NDR_POINTER_UNIQUE,
+ "Offered", -1);
+
+ offset = dissect_ndr_pointer(
+ tvb, offset, pinfo, tree, drep,
+ dissect_returned, NDR_POINTER_UNIQUE,
+ "Returned", -1);
+
+ offset = dissect_ntstatus(
+ tvb, offset, pinfo, tree, drep, hf_rc, NULL);
return offset;
}
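Review bot: In RegQueryValue_q the value name is decoded with `hf_querykey_class`, the field registered for the QueryKey class string, so the tree labels the name as a class and a display filter on that field matches both the QueryKey class and the QueryValue name. A dedicated field — `static int hf_valuename = -1;` next to the other handles, registered in proto_register_dcerpc_reg with its own abbreviation, and `tvb, offset, pinfo, tree, drep, hf_valuename, 0);` in the counted-string call — keeps the two distinguishable. Relatedly, `hf_keydata` is declared and registered in this commit but the "Key Data" pointer in RegQueryValue_r is handed to `dissect_ndr_byte_array` with no field; unless it is used somewhere outside this diff, the data is shown only under the pointer label and the registered field is dead, so either pass it through a small wrapper like the `dissect_key_type` one above or drop the registration. The two "Unknown" pointers and the repeated "Offered" pointer in the request deserve a one-line comment stating that they are placeholders for fields not yet identified, so a later reader does not take the names as the protocol's.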
/* Parse packet */
- dcerpc_smb_check_long_frame(tvb, offset, pinfo, tree);
-
return offset;
}
offset = dissect_ntstatus(
tvb, offset, pinfo, tree, drep, hf_rc, NULL);
- dcerpc_smb_check_long_frame(tvb, offset, pinfo, tree);
-
return offset;
}
{ _REG_UNK_0E, "Unknown0e", NULL, NULL },
{ REG_OPEN_ENTRY, "OpenEntry", RegOpenEntry_q, RegOpenEntry_r },
{ REG_QUERY_KEY, "QueryKey", RegQueryKey_q, RegQueryKey_r },
- { REG_INFO, "Info", NULL, NULL },
+ { REG_QUERY_VALUE, "QueryValue", RegQueryValue_q, RegQueryValue_r },
{ _REG_UNK_12, "Unknown12", NULL, NULL },
{ _REG_UNK_13, "Unknown13", NULL, NULL },
{ _REG_UNK_14, "Unknown14", NULL, NULL },
{ 0, NULL, NULL, NULL }
};
-static const value_string reg_opnum_vals[] = {
- { REG_OPEN_HKCR, "OpenHKCR" },
- { _REG_UNK_01, "Unknown01" },
- { REG_OPEN_HKLM, "OpenHKLM" },
- { _REG_UNK_03, "Unknown03" },
- { REG_OPEN_HKU, "OpenHKU" },
- { REG_CLOSE, "Close" },
- { REG_CREATE_KEY, "CreateKey" },
- { REG_DELETE_KEY, "DeleteKey" },
- { REG_DELETE_VALUE, "DeleteValue" },
- { REG_ENUM_KEY, "EnumKey" },
- { REG_ENUM_VALUE, "EnumValue" },
- { REG_FLUSH_KEY, "FlushKey" },
- { REG_GET_KEY_SEC, "GetKeySecurity" },
- { _REG_UNK_0D, "Unknown0d" },
- { _REG_UNK_0E, "Unknown0e" },
- { REG_OPEN_ENTRY, "OpenEntry" },
- { REG_QUERY_KEY, "QueryKey" },
- { REG_INFO, "Info" },
- { _REG_UNK_12, "Unknown12" },
- { _REG_UNK_13, "Unknown13" },
- { _REG_UNK_14, "Unknown14" },
- { REG_SET_KEY_SEC, "SetKeySecurity" },
- { REG_CREATE_VALUE, "CreateValue" },
- { _REG_UNK_17, "Unknown17" },
- { REG_SHUTDOWN, "Shutdown" },
- { REG_ABORT_SHUTDOWN, "AbortShutdown" },
- { _REG_UNK_1A, "Unknown1A" },
- { 0, NULL }
-};
-
void
proto_register_dcerpc_reg(void)
{
{ &hf_reg_opnum,
{ "Operation", "reg.opnum", FT_UINT16, BASE_DEC,
- VALS(reg_opnum_vals), 0x0, "Operation", HFILL }},
+ NULL, 0x0, "Operation", HFILL }},
{ &hf_access_mask,
{ "Access mask", "reg.access_mask", FT_UINT32, BASE_HEX,
NULL, 0x0, "Access mask", HFILL }},
+ { &hf_keytype,
+ { "Key type", "reg.type", FT_UINT32, BASE_DEC,
+ VALS(reg_datatypes), 0x0, "Key type", HFILL }},
+
+ { &hf_keydata,
+ { "Key data", "reg.data", FT_BYTES, BASE_HEX,
+ NULL, 0x0, "Key data", HFILL }},
+
+ { &hf_offered,
+ { "Offered", "reg.offered", FT_UINT32, BASE_DEC,
+ NULL, 0x0, "Offered", HFILL }},
+
+ { &hf_returned,
+ { "Returned", "reg.returned", FT_UINT32, BASE_DEC,
+ NULL, 0x0, "Returned", HFILL }},
+
+ { &hf_reserved,
+ { "Reserved", "reg.reserved", FT_UINT32, BASE_HEX,
+ NULL, 0x0, "Reserved", HFILL }},
+
+ { &hf_unknown,
+ { "Unknown", "reg.unknown", FT_UINT32, BASE_HEX,
+ NULL, 0x0, "Unknown", HFILL }},
+
/* OpenHKLM */
{ &hf_openhklm_unknown1,