authorAnders Broman <anders.broman@ericsson.com>2012-09-01 11:22:29 +0000
committerAnders Broman <anders.broman@ericsson.com>2012-09-01 11:22:29 +0000
commitc44a7fba0d98390e3ab05160d93f89db4f7c551b (patch)
tree8be7af1c043f724cf101b432a4b8dcff94ced169 /epan
parent607d32b00dff6bf4f1842b84a470377b04571397 (diff)
downloadwireshark-c44a7fba0d98390e3ab05160d93f89db4f7c551b.tar.gz
From Litao Gao:
Implementation of IRemoteSCMActivator::RemoteCreateInstance and some minor bug fixes. https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7673 svn path=/trunk/; revision=44721
Diffstat (limited to 'epan')
-rw-r--r--epan/dissectors/packet-dcerpc-epm.c4
-rw-r--r--epan/dissectors/packet-dcerpc-ndr.c5
-rw-r--r--epan/dissectors/packet-dcerpc.c1
-rw-r--r--epan/dissectors/packet-dcom-sysact.c1264
-rw-r--r--epan/dissectors/packet-dcom.c163
-rw-r--r--epan/dissectors/packet-dcom.h14
6 files changed, 1411 insertions, 40 deletions
diff --git a/epan/dissectors/packet-dcerpc-epm.c b/epan/dissectors/packet-dcerpc-epm.c
index 5134effe50..1c334f042d 100644
--- a/epan/dissectors/packet-dcerpc-epm.c
+++ b/epan/dissectors/packet-dcerpc-epm.c
@@ -481,7 +481,7 @@ epm_dissect_tower (tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
guint8 *drep)
{
- guint32 len;
+ guint3264 len;
dcerpc_info *di;
di=pinfo->private_data;
@@ -491,7 +491,7 @@ epm_dissect_tower (tvbuff_t *tvb, int offset,
/* first one is the header of the conformant array, second one is the
length field */
- offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
+ offset = dissect_ndr_uint3264 (tvb, offset, pinfo, tree, drep,
hf_epm_tower_length, &len);
offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
hf_epm_tower_length, NULL);
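Review bot: The comment above the two reads still says only "first one is the header of the conformant array, second one is the length field" and does not explain why the first is now read with `dissect_ndr_uint3264` while the second stays `dissect_ndr_uint32`, although both are shown under `hf_epm_tower_length`. I would extend it, for example `/* the conformance count is 32 or 64 bits wide depending on the transfer syntax; the tower length field itself is always 32 bits */`. The matching `guint3264 len` declaration is in the previous hunk, and how `len` is used after these calls is outside both hunks, so any later use that narrows it to a 32-bit or signed type should be checked against a wire-supplied 64-bit value. The body of epm_dissect_tower continues outside the hunk.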
diff --git a/epan/dissectors/packet-dcerpc-ndr.c b/epan/dissectors/packet-dcerpc-ndr.c
index aa7c9c8c0f..37499d359f 100644
--- a/epan/dissectors/packet-dcerpc-ndr.c
+++ b/epan/dissectors/packet-dcerpc-ndr.c
@@ -359,7 +359,10 @@ dissect_ndr_uint64(tvbuff_t *tvb, gint offset, packet_info *pinfo,
}
if (!di->no_align && (offset % 8)) {
- offset += 8 - (offset % 8);
+ gint padding = 8 - (offset % 8);
+ offset += padding;
+ /*add the item for padding bytes*/
+ proto_tree_add_text(tree, tvb, offset, padding, "NDR-Padding: %d bytes", padding);
}
return dissect_dcerpc_uint64(tvb, offset, pinfo,
tree, drep, hfindex, pdata);
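Review bot: The padding item is added after `offset += padding`, so `proto_tree_add_text(tree, tvb, offset, padding, ...)` covers the first bytes of the 64-bit value rather than the alignment bytes it names. Add the item at the unaligned offset and advance afterwards: `proto_tree_add_text(tree, tvb, offset, padding, "NDR-Padding: %d bytes", padding);` followed by `offset += padding;`. The comment would read better as `/* show the alignment bytes skipped before the 64-bit value */`. The start of dissect_ndr_uint64 is outside the hunk, so whether the other aligned NDR readers get the same padding item cannot be checked from here.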
diff --git a/epan/dissectors/packet-dcerpc.c b/epan/dissectors/packet-dcerpc.c
index ae0dd08f94..3ba4d08370 100644
--- a/epan/dissectors/packet-dcerpc.c
+++ b/epan/dissectors/packet-dcerpc.c
@@ -1968,6 +1968,7 @@ dissect_deferred_pointers(packet_info *pinfo, tvbuff_t *tvb, int offset, guint8
offset = (*(fnct))(tvb, offset, pinfo, tnpd->tree, drep);
if (tnpd->callback)
tnpd->callback(pinfo, tnpd->tree, tnpd->item, tvb, old_offset, offset, tnpd->callback_args);
+ proto_item_set_len(tnpd->item, offset - old_offset);
break;
}
}
diff --git a/epan/dissectors/packet-dcom-sysact.c b/epan/dissectors/packet-dcom-sysact.c
index 58b5303312..da4f098fd0 100644
--- a/epan/dissectors/packet-dcom-sysact.c
+++ b/epan/dissectors/packet-dcom-sysact.c
@@ -1,6 +1,7 @@
/* packet-dcerpc-sysact.c
* Routines for the ISystemActivator interface
* Copyright 2004, Jelmer Vernooij <jelmer@samba.org>
+ * Copyright 2012, Litao Gao <ltgao@juniper.net>
*
* $Id$
*
@@ -35,41 +36,1094 @@
static int proto_ISystemActivator = -1;
+static gint ett_isystemactivator = -1;
static int hf_opnum = -1;
+static int hf_sysact_actproperties = -1;
static int hf_sysact_unknown = -1;
-static gint ett_ISystemActivator = -1;
+static gint ett_actproperties = -1;
+static int hf_sysact_totalsize = -1;
+static int hf_sysact_res = -1;
+
+static gint ett_commonheader = -1;
+static gint ett_propguids = -1;
+static gint ett_properties = -1;
+static int hf_sysact_customhdrsize = -1;
+static int hf_sysact_dstctx = -1;
+static int hf_sysact_actpropnumber = -1;
+static int hf_sysact_actpropclsinfoid = -1;
+static int hf_sysact_actpropclsids = -1;
+static int hf_sysact_actpropclsid = -1;
+static int hf_sysact_actpropsizes = -1;
+static int hf_sysact_actpropsize = -1;
+
+
+static gint ett_dcom_spclsysprop = -1;
+static gint ett_dcom_reserved = -1;
+static int hf_sysact_spsysprop_sid = -1;
+static int hf_sysact_spsysprop_remotethissid = -1;
+static int hf_sysact_spsysprop_cltimpersonating = -1;
+static int hf_sysact_spsysprop_partitionid = -1;
+static int hf_sysact_spsysprop_defauthlvl = -1;
+static int hf_sysact_spsysprop_partition = -1;
+static int hf_sysact_spsysprop_procrqstflgs = -1;
+static int hf_sysact_spsysprop_origclsctx = -1;
+static int hf_sysact_spsysprop_flags = -1;
+static int hf_sysact_spsysprop_procid = -1;
+static int hf_sysact_spsysprop_hwnd = -1;
+
+static gint ett_dcom_instantianinfo = -1;
+static int hf_sysact_instninfo_clsid = -1;
+static int hf_sysact_instninfo_clsctx = -1;
+static int hf_sysact_instninfo_actflags = -1;
+static int hf_sysact_instninfo_issurrogate = -1;
+static int hf_sysact_instninfo_iidcount = -1;
+static int hf_sysact_instninfo_instflags = -1;
+static int hf_sysact_instninfo_entiresize = -1;
+static int hf_sysact_instninfo_iid = -1;
+
+static gint ett_dcom_actctxinfo = -1;
+static int hf_sysact_actctxinfo_cltok = -1;
+static int hf_sysact_context = -1;
+
+static gint ett_dcom_context = -1;
+static int hf_sysact_ctx_id = -1;
+static int hf_sysact_ctx_flags = -1;
+static int hf_sysact_ctx_res = -1;
+static int hf_sysact_ctx_numextents = -1;
+static int hf_sysact_ctx_extentscnt = -1;
+static int hf_sysact_ctx_mashflags = -1;
+static int hf_sysact_ctx_count = -1;
+static int hf_sysact_ctx_frozen = -1;
+
+static gint ett_dcom_securityinfo = -1;
+static int hf_sysact_si_authflalgs = -1;
+static int hf_sysact_si_ci_res = -1;
+static int hf_sysact_si_ci_string = -1;
+static int hf_sysact_si_serverinfo = -1;
+
+static gint ett_dcom_locationinfo = -1;
+static int hf_sysact_li_string = -1;
+static int hf_sysact_li_procid = -1;
+static int hf_sysact_li_apartid = -1;
+static int hf_sysact_li_ctxid = -1;
+
+static gint ett_dcom_scmrqstinfo = -1;
+static gint ett_dcom_rmtrqst = -1;
+
+static int hf_sysact_sri_cltimplvl = -1;
+static int hf_sysact_sri_protseqnum = -1;
+static int hf_sysact_sri_protseq = -1;
+
+static gint ett_dcom_propsoutput = -1;
+static int hf_sysact_pi_ifnum = -1;
+static int hf_sysact_pi_retval = -1;
+static int hf_sysact_pi_interf = -1;
+static int hf_sysact_pi_iid = -1;
+
+static gint ett_dcom_scmrespinfo = -1;
+static gint ett_dcom_rmtresp = -1;
+static gint ett_dcom_oxidbinding = -1;
+static int hf_sysact_scmri_rmtunknid = -1;
+static int hf_sysact_scmri_authhint = -1;
+static int hf_sysact_scmri_binding = -1;
+static int hf_sysact_scmri_oxid = -1;
+
+static gint ett_typeszcommhdr = -1;
+static gint ett_typeszprivhdr = -1;
+static int hf_typeszch = -1;
+static int hf_typeszph = -1;
+static int hf_typesz_ver = -1;
+static int hf_typesz_endianess = -1;
+static int hf_typesz_commhdrlen = -1;
+static int hf_typesz_filler = -1;
+static int hf_typesz_buflen = -1;
static e_uuid_t uuid_ISystemActivator = { 0x000001a0, 0x0000, 0x0000, { 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46 } };
static guint16 ver_ISystemActivator = 0;
+/*static e_uuid_t clsid_ActivationPropertiesIn = { 0x00000338, 0x0000, 0x0000, { 0xC0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46} };*/
+/*static e_uuid_t clsid_ActivationPropertiesOut = { 0x00000339, 0x0000, 0x0000, { 0xC0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46} };*/
+static e_uuid_t iid_ActivationPropertiesIn = { 0x000001a2, 0x0000, 0x0000, { 0xC0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46} };
+static e_uuid_t iid_ActivationPropertiesOut = { 0x000001a3, 0x0000, 0x0000, { 0xC0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46} };
+
+static e_uuid_t clsid_SpecialSystemProperties = { 0x000001b9, 0x0000, 0x0000, { 0xC0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46} };
+static e_uuid_t clsid_InstantiationInfo = { 0x000001ab, 0x0000, 0x0000, { 0xC0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46} };
+static e_uuid_t clsid_ActivationContextInfo = { 0x000001a5, 0x0000, 0x0000, { 0xC0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46} };
+static e_uuid_t clsid_ContextMarshaler = { 0x0000033b, 0x0000, 0x0000, { 0xC0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46} };
+static e_uuid_t clsid_SecurityInfo = { 0x000001a6, 0x0000, 0x0000, { 0xC0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46} };
+static e_uuid_t clsid_ServerLocationInfo = { 0x000001a4, 0x0000, 0x0000, { 0xC0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46} };
+static e_uuid_t clsid_ScmRequestInfo = { 0x000001aa, 0x0000, 0x0000, { 0xC0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46} };
+static e_uuid_t clsid_PropsOutInfo = { 0x00000339, 0x0000, 0x0000, { 0xC0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46} };
+static e_uuid_t clsid_ScmReplyInfo = { 0x000001b6, 0x0000, 0x0000, { 0xC0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46} };
+/*static e_uuid_t clsid_InstanceInfo = { 0x000001ad, 0x0000, 0x0000, { 0xC0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46} };*/
+
+
+static const value_string instninfo_actflags[] = {
+ { 0x00000002, "ACTVFLAGS_DISABLE_AAA" },
+ { 0x00000004, "ACTVFLAGS_ACTIVATE_32_BIT_SERVER" },
+ { 0x00000008, "ACTVFLAGS_ACTIVATE_64_BIT_SERVER" },
+ { 0x00000020, "ACTVFLAGS_NO_FAILURE_LOG" },
+ { 0, NULL }
+};
+
+static const value_string boolean_flag_vals[] = {
+ { 0x00000001, "TRUE" },
+ { 0x00000000, "FALSE" },
+ { 0, NULL }
+};
+
+static const value_string dcom_context_flag_vals[] = {
+ { 0x00000002, "MarshalByValue" },
+ { 0, NULL }
+};
+
+static const value_string ts_endian_vals[] = {
+ { 0x10, "Little-endian" },
+ { 0x00, "Big-endian" },
+ { 0, NULL }
+};
+
+/* MS-DCOM 2.2.28.1 */
+#define MIN_ACTPROP_LIMIT 1
+#define MAX_ACTPROP_LIMIT 10
+
+typedef struct property_guids {
+ e_uuid_t guid[MAX_ACTPROP_LIMIT];
+ guint32 size[MAX_ACTPROP_LIMIT];
+ guint32 id_idx;
+ guint32 size_idx;
+} property_guids_t;
+
+/* Type Serialization Version 1 */
+int
+dissect_TypeSzCommPrivHdr(tvbuff_t *tvb, gint offset, packet_info *pinfo,
+ proto_tree *tree, guint8 *drep)
+{
+ proto_item *sub_item;
+ proto_tree *sub_tree;
+ guint8 drep_tmp;
+ guint8 endian = 0x10;
+ gint old_offset;
+
+ /* Common Header use little endian */
+ sub_item = proto_tree_add_item(tree, hf_typeszch, tvb, offset, 0, ENC_NA);
+ sub_tree = proto_item_add_subtree(sub_item, ett_typeszcommhdr);
+
+ old_offset = offset;
+ offset = dissect_dcom_BYTE(tvb, offset, pinfo, sub_tree, drep,
+ hf_typesz_ver, NULL);
+
+ offset = dissect_dcom_BYTE(tvb, offset, pinfo, sub_tree, drep,
+ hf_typesz_endianess, &endian);
+ if (endian == 0x10)
+ *drep = DREP_LITTLE_ENDIAN;
+ else
+ *drep &= ~DREP_LITTLE_ENDIAN;
+
+ drep_tmp = DREP_LITTLE_ENDIAN;
+ offset = dissect_dcom_WORD(tvb, offset, pinfo, sub_tree, &drep_tmp,
+ hf_typesz_commhdrlen, NULL);
+ offset = dissect_dcom_DWORD(tvb, offset, pinfo, sub_tree, &drep_tmp,
+ hf_typesz_filler, NULL);
+ proto_item_set_len(sub_item, offset - old_offset);
+
+ /* Private Header */
+ old_offset = offset;
+ sub_item = proto_tree_add_item(tree, hf_typeszph, tvb, offset, 0, ENC_NA);
+ sub_tree = proto_item_add_subtree(sub_item, ett_typeszprivhdr);
+ offset = dissect_dcom_DWORD(tvb, offset, pinfo, sub_tree, drep,
+ hf_typesz_buflen, NULL);
+ offset = dissect_dcom_DWORD(tvb, offset, pinfo, sub_tree, drep,
+ hf_typesz_filler, NULL);
+ proto_item_set_len(sub_item, offset - old_offset);
+
+ return offset;
+}
+
+
+
+static int
+dissect_dcom_Property_Guid(tvbuff_t *tvb, gint offset, packet_info *pinfo,
+ proto_tree *tree, guint8 *drep)
+{
+ dcerpc_info *di;
+ property_guids_t *pg;
+
+ di = pinfo->private_data;
+ pg = (property_guids_t*)di->private_data;
+
+ DISSECTOR_ASSERT(pg->id_idx < MAX_ACTPROP_LIMIT);
+ offset = dissect_dcom_UUID(tvb, offset, pinfo, tree, drep,
+ hf_sysact_actpropclsid, &pg->guid[pg->id_idx++]);
+
+ return offset;
+}
+
+static int
+dissect_dcom_ActivationPropertiesCustomerHdr_PropertyGuids(tvbuff_t *tvb, gint offset,
+ packet_info *pinfo, proto_tree *tree, guint8 *drep)
+{
+ offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep, dissect_dcom_Property_Guid);
+ return offset;
+}
+
+static int
+dissect_dcom_Property_Size(tvbuff_t *tvb, gint offset, packet_info *pinfo,
+ proto_tree *tree, guint8 *drep)
+{
+ dcerpc_info *di;
+ property_guids_t *pg;
+
+ di = pinfo->private_data;
+ pg = (property_guids_t*)di->private_data;
+
+ DISSECTOR_ASSERT(pg->size_idx < MAX_ACTPROP_LIMIT);
+ offset = dissect_dcom_DWORD(tvb, offset, pinfo, tree, drep,
+ hf_sysact_actpropsize, &pg->size[pg->size_idx++]);
+
+ return offset;
+}
+
+static int
+dissect_dcom_ActivationPropertiesCustomerHdr_PropertySizes(tvbuff_t *tvb, gint offset,
+ packet_info *pinfo, proto_tree *tree, guint8 *drep)
+{
+ offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep, dissect_dcom_Property_Size);
+ return offset;
+}
+
+static int
+dissect_dcom_ActivationPropertiesCustomerHdr(tvbuff_t *tvb, gint offset, packet_info *pinfo,
+ proto_tree *tree, guint8 *drep)
+{
+ guint32 u32TotalSize;
+ guint32 u32CustomHdrSize;
+ guint32 u32ActPropNumber;
+ gint old_offset;
+
+ proto_item *sub_item;
+ proto_tree *sub_tree;
+
+ sub_item = proto_tree_add_text(tree, tvb, offset, 0, "CustomHeader");
+
+ sub_tree = proto_item_add_subtree(sub_item, ett_commonheader);
+
+ old_offset = offset;
+ offset = dissect_TypeSzCommPrivHdr(tvb, offset, pinfo, sub_tree, drep);
+
+ offset = dissect_dcom_DWORD(tvb, offset, pinfo, sub_tree, drep,
+ hf_sysact_totalsize, &u32TotalSize);
+ offset = dissect_dcom_DWORD(tvb, offset, pinfo, sub_tree, drep,
+ hf_sysact_customhdrsize, &u32CustomHdrSize);
+ offset = dissect_dcom_DWORD(tvb, offset, pinfo, sub_tree, drep,
+ hf_sysact_res, NULL);
+ offset = dissect_dcom_DWORD(tvb, offset, pinfo, sub_tree, drep,
+ hf_sysact_dstctx, NULL);
+ offset = dissect_dcom_DWORD(tvb, offset, pinfo, sub_tree, drep,
+ hf_sysact_actpropnumber, &u32ActPropNumber);
+ offset = dissect_dcom_UUID(tvb, offset, pinfo, sub_tree, drep,
+ hf_sysact_actpropclsinfoid, NULL);
+
+ /* ClsIdPtr, SizesPtr */
+ offset = dissect_ndr_embedded_pointer(tvb, offset, pinfo, sub_tree, drep,
+ dissect_dcom_ActivationPropertiesCustomerHdr_PropertyGuids, NDR_POINTER_UNIQUE,
+ "ClsIdPtr",hf_sysact_actpropclsid);
+ offset = dissect_ndr_embedded_pointer(tvb, offset, pinfo, sub_tree, drep,
+ dissect_dcom_ActivationPropertiesCustomerHdr_PropertySizes, NDR_POINTER_UNIQUE,
+ "ClsSizesPtr",hf_sysact_actpropclsid);
+ offset = dissect_ndr_embedded_pointer(tvb, offset, pinfo, sub_tree, drep,
+ NULL, NDR_POINTER_UNIQUE, "OpaqueDataPtr: Pointer To NULL", 0);
+
+ offset = dissect_deferred_pointers(pinfo, tvb, offset, drep);
+ proto_item_set_len(sub_item, offset - old_offset);
+
+ return offset;
+}
+
+
+static int
+dissect_dcom_ActivationProperty(tvbuff_t *tvb, gint offset, packet_info *pinfo,
+ proto_tree *tree, guint8 *drep, e_uuid_t *clsid, gint size)
+{
+ dcom_dissect_fn_t routine = NULL;
+
+ /* the following data depends on the clsid, get the routine by clsid */
+ routine = dcom_get_rountine_by_uuid(clsid);
+ if (routine){
+ offset = routine(tvb, offset, pinfo, tree, drep, size);
+ }
+
+ return offset;
+}
+
+
+
+static int
+dissect_dcom_ActivationPropertiesBody(tvbuff_t *tvb, gint offset, packet_info *pinfo,
+ proto_tree *tree, guint8 *drep)
+{
+ gint old_offset;
+
+ proto_item *sub_item;
+ proto_tree *sub_tree;
+ dcerpc_info *di;
+ property_guids_t *pg;
+ guint32 i;
+
+ di = pinfo->private_data;
+ pg = (property_guids_t*)di->private_data;
+
+ DISSECTOR_ASSERT(pg->id_idx == pg->size_idx);
+
+ sub_item = proto_tree_add_text(tree, tvb, offset, 0, "Properties");
+ sub_tree = proto_item_add_subtree(sub_item, ett_properties);
+
+ old_offset = offset;
+ for (i = 0; i < pg->id_idx; i++) {
+ offset = dissect_dcom_ActivationProperty(tvb, offset, pinfo, sub_tree, drep,
+ &pg->guid[i], pg->size[i]);
+ }
+ proto_item_set_len(sub_item, offset - old_offset);
+
+ return offset;
+}
+
+int
+dissect_dcom_ActivationProperties(tvbuff_t *tvb, gint offset, packet_info *pinfo,
+ proto_tree *tree, guint8 *drep, gint size _U_)
+{
+ dcerpc_info *di;
+ proto_item *sub_item;
+ proto_tree *sub_tree;
+
+ guint32 u32TotalSize;
+ guint32 u32Res;
+
+ sub_item = proto_tree_add_item(tree, hf_sysact_actproperties, tvb, offset, 0, ENC_NA);
+ sub_tree = proto_item_add_subtree(sub_item, ett_actproperties);
+
+ offset = dissect_dcom_DWORD(tvb, offset, pinfo, sub_tree, drep,
+ hf_sysact_totalsize, &u32TotalSize);
+ offset = dissect_dcom_DWORD(tvb, offset, pinfo, sub_tree, drep,
+ hf_sysact_res, &u32Res);
+
+ di = pinfo->private_data;
+ if (di->private_data) {
+ g_free(di->private_data);
+ }
+ di->private_data = g_malloc(sizeof(property_guids_t));
+ memset(di->private_data, 0, sizeof(property_guids_t));
+
+ offset = dissect_dcom_ActivationPropertiesCustomerHdr(tvb, offset, pinfo, sub_tree, drep);
+ offset = dissect_dcom_ActivationPropertiesBody(tvb, offset, pinfo, sub_tree, drep);
+
+ g_free(di->private_data);
+
+ return offset;
+}
+
+static int
+dissect_dcom_ContextMarshaler(tvbuff_t *tvb, gint offset, packet_info *pinfo,
+ proto_tree *tree, guint8 *drep, gint size _U_)
+{
+ proto_item *sub_item;
+ proto_tree *sub_tree;
+ gint old_offset;
+
+ guint32 u32Count;
+
+ old_offset = offset;
+ sub_item = proto_tree_add_text(tree, tvb, offset, 0, "Context");
+ sub_tree = proto_item_add_subtree(sub_item, ett_dcom_context);
+
+ offset = dissect_dcom_COMVERSION(tvb, offset, pinfo, sub_tree, drep,
+ NULL, NULL);
+ offset = dissect_dcom_UUID(tvb, offset, pinfo, sub_tree, drep,
+ hf_sysact_ctx_id, NULL);
+ offset = dissect_dcom_DWORD(tvb, offset, pinfo, sub_tree, drep,
+ hf_sysact_ctx_flags, NULL);
+ offset = dissect_dcom_DWORD(tvb, offset, pinfo, sub_tree, drep,
+ hf_sysact_ctx_res, NULL);
+ offset = dissect_dcom_DWORD(tvb, offset, pinfo, sub_tree, drep,
+ hf_sysact_ctx_numextents, NULL);
+ offset = dissect_dcom_DWORD(tvb, offset, pinfo, sub_tree, drep,
+ hf_sysact_ctx_extentscnt, NULL);
+ offset = dissect_dcom_DWORD(tvb, offset, pinfo, sub_tree, drep,
+ hf_sysact_ctx_mashflags, NULL);
+ offset = dissect_dcom_DWORD(tvb, offset, pinfo, sub_tree, drep,
+ hf_sysact_ctx_count, &u32Count);
+ offset = dissect_dcom_DWORD(tvb, offset, pinfo, sub_tree, drep,
+ hf_sysact_ctx_frozen, NULL);
+
+ if (u32Count) {
+ /*PropMarshalHeader array*/
+ /*TBD*/
+ }
+
+ proto_item_set_len(sub_item, offset - old_offset);
+
+ return offset;
+}
+
+static int
+dissect_dcom_SpecialSystemProperties(tvbuff_t *tvb, gint offset, packet_info *pinfo,
+ proto_tree *tree, guint8 *drep, gint size)
+{
+ proto_item *sub_item, *it;
+ proto_tree *sub_tree, *tr;
+ gint old_offset, len, i;
+
+ old_offset = offset;
+
+ sub_item = proto_tree_add_text(tree, tvb, offset, size, "SpecialSystemProperties");
+ sub_tree = proto_item_add_subtree(sub_item, ett_dcom_spclsysprop);
+
+ offset = dissect_TypeSzCommPrivHdr(tvb, offset, pinfo, sub_tree, drep);
+
+ offset = dissect_dcom_DWORD(tvb, offset, pinfo, sub_tree, drep,
+ hf_sysact_spsysprop_sid, NULL);
+ offset = dissect_dcom_DWORD(tvb, offset, pinfo, sub_tree, drep,
+ hf_sysact_spsysprop_remotethissid, NULL);
+ offset = dissect_dcom_DWORD(tvb, offset, pinfo, sub_tree, drep,
+ hf_sysact_spsysprop_cltimpersonating, NULL);
+ offset = dissect_dcom_DWORD(tvb, offset, pinfo, sub_tree, drep,
+ hf_sysact_spsysprop_partitionid, NULL);
+ offset = dissect_dcom_DWORD(tvb, offset, pinfo, sub_tree, drep,
+ hf_sysact_spsysprop_defauthlvl, NULL);
+ offset = dissect_dcom_UUID(tvb, offset, pinfo, sub_tree, drep,
+ hf_sysact_spsysprop_partition, NULL);
+ offset = dissect_dcom_DWORD(tvb, offset, pinfo, sub_tree, drep,
+ hf_sysact_spsysprop_procrqstflgs, NULL);
+ offset = dissect_dcom_DWORD(tvb, offset, pinfo, sub_tree, drep,
+ hf_sysact_spsysprop_origclsctx, NULL);
+ offset = dissect_dcom_DWORD(tvb, offset, pinfo, sub_tree, drep,
+ hf_sysact_spsysprop_flags, NULL);
+/*
+ *
+ * offset = dissect_dcom_DWORD(tvb, offset, pinfo, sub_tree, drep,
+ * hf_sysact_spsysprop_procid, NULL);
+ * offset = dissect_dcom_I8(tvb, offset, pinfo, sub_tree, drep,
+ * hf_sysact_spsysprop_hwnd, NULL);
+ *
+ */
+ it = proto_tree_add_text(sub_tree, tvb, offset, sizeof(guint32)*8,
+ "Reserved: 8 DWORDs");
+ tr = proto_item_add_subtree(it, ett_dcom_reserved);
+ for (i = 0; i < 8; i++) {
+ offset = dissect_dcom_DWORD(tvb, offset, pinfo, tr, drep,
+ hf_sysact_res, NULL);
+ }
+
+ len = offset - old_offset;
+ DISSECTOR_ASSERT(len <= size);
+ if (size-len) {
+ proto_tree_add_text(sub_tree, tvb, offset, size - len,
+ "UnusedBuffer: %d bytes", size - len);
+ }
+
+ offset = old_offset + size;
+ return offset;
+}
+
+static int
+dissect_dcom_InterfaceId(tvbuff_t *tvb, gint offset, packet_info *pinfo,
+ proto_tree *tree, guint8 *drep)
+{
+ offset = dissect_dcom_UUID(tvb, offset, pinfo, tree, drep,
+ hf_sysact_instninfo_iid, NULL);
+ return offset;
+}
+
+static int
+dissect_InstantiationInfoIids(tvbuff_t *tvb, gint offset,
+ packet_info *pinfo, proto_tree *tree, guint8 *drep)
+{
+ offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
+ dissect_dcom_InterfaceId);
+
+ return offset;
+}
+
+static int
+dissect_dcom_InstantiationInfo(tvbuff_t *tvb, gint offset, packet_info *pinfo,
+ proto_tree *tree, guint8 *drep, gint size)
+{
+ proto_item *sub_item;
+ proto_tree *sub_tree;
+ gint old_offset, len;
+
+ old_offset = offset;
+
+ sub_item = proto_tree_add_text(tree, tvb, offset, size, "InstantiationInfo");
+ sub_tree = proto_item_add_subtree(sub_item, ett_dcom_instantianinfo);
+
+ offset = dissect_TypeSzCommPrivHdr(tvb, offset, pinfo, sub_tree, drep);
+
+ offset = dissect_dcom_UUID(tvb, offset, pinfo, sub_tree, drep,
+ hf_sysact_instninfo_clsid, NULL);
+ offset = dissect_dcom_DWORD(tvb, offset, pinfo, sub_tree, drep,
+ hf_sysact_instninfo_clsctx, NULL);
+ offset = dissect_dcom_DWORD(tvb, offset, pinfo, sub_tree, drep,
+ hf_sysact_instninfo_actflags, NULL);
+ offset = dissect_dcom_DWORD(tvb, offset, pinfo, sub_tree, drep,
+ hf_sysact_instninfo_issurrogate, NULL);
+ offset = dissect_dcom_DWORD(tvb, offset, pinfo, sub_tree, drep,
+ hf_sysact_instninfo_iidcount, NULL);
+ offset = dissect_dcom_DWORD(tvb, offset, pinfo, sub_tree, drep,
+ hf_sysact_instninfo_instflags, NULL);
+
+ offset = dissect_ndr_embedded_pointer(tvb, offset, pinfo, sub_tree, drep,
+ dissect_InstantiationInfoIids, NDR_POINTER_UNIQUE,
+ "InterfaceIdsPtr", -1);
+
+ offset = dissect_dcom_DWORD(tvb, offset, pinfo, sub_tree, drep,
+ hf_sysact_instninfo_entiresize, NULL);
+ offset = dissect_dcom_COMVERSION(tvb, offset, pinfo, sub_tree, drep,
+ NULL, NULL);
+
+ offset = dissect_deferred_pointers(pinfo, tvb, offset, drep);
+
+ len = offset - old_offset;
+ DISSECTOR_ASSERT(len <= size);
+ if (size-len) {
+ proto_tree_add_text(sub_tree, tvb, offset, size - len,
+ "UnusedBuffer: %d bytes", size - len);
+ }
+
+ offset = old_offset + size;
+ return offset;
+}
+
+static int
+dissect_ActCtxInfo_PropCtx(tvbuff_t *tvb _U_, gint offset _U_,
+ packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
+{
+ /*TBD*/
+ return offset;
+}
+
+
+static int
+dissect_ActCtxInfo_CltCtx(tvbuff_t *tvb, gint offset,
+ packet_info *pinfo, proto_tree *tree, guint8 *drep)
+{
+ dcerpc_info *di;
+
+ di = pinfo->private_data;
+ if (di->conformant_run) {
+ return offset;
+ }
+
+ offset = dissect_dcom_MInterfacePointer(tvb, offset, pinfo, tree, drep,
+ hf_sysact_context, NULL);
+ return offset;
+}
+
+static int
+dissect_dcom_ActivationContextInfo(tvbuff_t *tvb, gint offset, packet_info *pinfo,
+ proto_tree *tree, guint8 *drep, gint size)
+{
+ proto_item *sub_item;
+ proto_tree *sub_tree;
+ gint old_offset, len;
+
+ old_offset = offset;
+
+ sub_item = proto_tree_add_text(tree, tvb, offset, size, "ActivationContextInfo");
+ sub_tree = proto_item_add_subtree(sub_item, ett_dcom_actctxinfo);
+
+ offset = dissect_TypeSzCommPrivHdr(tvb, offset, pinfo, sub_tree, drep);
+
+ offset = dissect_dcom_DWORD(tvb, offset, pinfo, sub_tree, drep,
+ hf_sysact_actctxinfo_cltok, NULL);
+ offset = dissect_dcom_DWORD(tvb, offset, pinfo, sub_tree, drep,
+ hf_sysact_res, NULL);
+ offset = dissect_dcom_DWORD(tvb, offset, pinfo, sub_tree, drep,
+ hf_sysact_res, NULL);
+ offset = dissect_dcom_DWORD(tvb, offset, pinfo, sub_tree, drep,
+ hf_sysact_res, NULL);
+
+ offset = dissect_ndr_embedded_pointer(tvb, offset, pinfo, sub_tree, drep,
+ dissect_ActCtxInfo_CltCtx, NDR_POINTER_UNIQUE,
+ "ClientPtr", -1);
+ offset = dissect_ndr_embedded_pointer(tvb, offset, pinfo, sub_tree, drep,
+ dissect_ActCtxInfo_PropCtx, NDR_POINTER_UNIQUE,
+ "PrototypePtr", -1);
+ offset = dissect_deferred_pointers(pinfo, tvb, offset, drep);
+
+ len = offset - old_offset;
+ DISSECTOR_ASSERT(len <= size);
+ if (size-len) {
+ proto_tree_add_text(sub_tree, tvb, offset, size - len,
+ "UnusedBuffer: %d bytes", size - len);
+ }
+
+ offset = old_offset + size;
+ return offset;
+}
+
+
+static int
+dissect_dcom_COSERVERINFO(tvbuff_t *tvb, gint offset,
+ packet_info *pinfo, proto_tree *tree, guint8 *drep, int hfindex)
+{
+ dcerpc_info *di;
+ proto_item *sub_item;
+ proto_tree *sub_tree;
+ gint old_offset;
+
+ di = pinfo->private_data;
+ if (di->conformant_run) {
+ return offset;
+ }
+
+ sub_item = proto_tree_add_item(tree, hfindex, tvb, offset, 0, ENC_NA);
+ sub_tree = proto_item_add_subtree(sub_item, ett_dcom_securityinfo);
+
+ old_offset = offset;
+ offset = dissect_dcom_DWORD(tvb, offset, pinfo, sub_tree, drep,
+ hf_sysact_si_ci_res, NULL);
+ offset = dissect_ndr_embedded_pointer(tvb, offset, pinfo, sub_tree, drep,
+ dissect_ndr_wchar_cvstring, NDR_POINTER_UNIQUE, "Name(wstring)",
+ hf_sysact_si_ci_string);
+ offset = dissect_ndr_embedded_pointer(tvb, offset, pinfo, sub_tree, drep,
+ NULL, NDR_POINTER_UNIQUE, "AuthInfoPtr", -1);
+ offset = dissect_dcom_DWORD(tvb, offset, pinfo, sub_tree, drep,
+ hf_sysact_si_ci_res, NULL);
+
+ offset = dissect_deferred_pointers(pinfo, tvb, offset, drep);
+
+ proto_item_set_len(sub_item, offset - old_offset);
+
+ return offset;
+}
+
+static int
+dissect_dcom_SI_ServerInfo(tvbuff_t *tvb, gint offset,
+ packet_info *pinfo, proto_tree *tree, guint8 *drep)
+{
+ offset = dissect_dcom_COSERVERINFO(tvb, offset, pinfo, tree, drep,
+ hf_sysact_si_serverinfo);
+ return offset;
+}
+
+static int
+dissect_dcom_SecurtiyInfo(tvbuff_t *tvb, gint offset, packet_info *pinfo,
+ proto_tree *tree, guint8 *drep, gint size)
+{
+ proto_item *sub_item;
+ proto_tree *sub_tree;
+ gint old_offset, len;
+
+ old_offset = offset;
+
+ sub_item = proto_tree_add_text(tree, tvb, offset, size, "SecurityInfo");
+ sub_tree = proto_item_add_subtree(sub_item, ett_dcom_securityinfo);
+
+ offset = dissect_TypeSzCommPrivHdr(tvb, offset, pinfo, sub_tree, drep);
+
+ offset = dissect_dcom_DWORD(tvb, offset, pinfo, sub_tree, drep,
+ hf_sysact_si_authflalgs, NULL);
+ offset = dissect_ndr_embedded_pointer(tvb, offset, pinfo, sub_tree, drep,
+ dissect_dcom_SI_ServerInfo, NDR_POINTER_UNIQUE, "ServerInfoPtr", -1);
+ /*This SHOULD be NULL and MUST be ignored on receipt*/
+ offset = dissect_ndr_embedded_pointer(tvb, offset, pinfo, sub_tree, drep,
+ NULL, NDR_POINTER_UNIQUE, "ReservedPtr", -1);
+ offset = dissect_deferred_pointers(pinfo, tvb, offset, drep);
+
+ len = offset - old_offset;
+ DISSECTOR_ASSERT(len <= size);
+ if (size-len) {
+ proto_tree_add_text(sub_tree, tvb, offset, size - len,
+ "UnusedBuffer: %d bytes", size - len);
+ }
+
+ offset = old_offset + size;
+ return offset;
+}
+
+static int
+dissect_dcom_LocationInfo(tvbuff_t *tvb, gint offset, packet_info *pinfo,
+ proto_tree *tree, guint8 *drep, gint size)
+{
+ proto_item *sub_item;
+ proto_tree *sub_tree;
+ gint old_offset, len;
+
+ old_offset = offset;
+
+ sub_item = proto_tree_add_text(tree, tvb, offset, size, "LocationInfo");
+ sub_tree = proto_item_add_subtree(sub_item, ett_dcom_locationinfo);
+
+ offset = dissect_TypeSzCommPrivHdr(tvb, offset, pinfo, sub_tree, drep);
+
+ offset = dissect_ndr_embedded_pointer(tvb, offset, pinfo, sub_tree, drep,
+ dissect_ndr_wchar_cvstring, NDR_POINTER_UNIQUE, "MachineNamePtr",
+ hf_sysact_li_string);
+
+ offset = dissect_dcom_DWORD(tvb, offset, pinfo, sub_tree, drep,
+ hf_sysact_li_procid, NULL);
+ offset = dissect_dcom_DWORD(tvb, offset, pinfo, sub_tree, drep,
+ hf_sysact_li_apartid, NULL);
+ offset = dissect_dcom_DWORD(tvb, offset, pinfo, sub_tree, drep,
+ hf_sysact_li_ctxid, NULL);
+
+ offset = dissect_deferred_pointers(pinfo, tvb, offset, drep);
+
+ len = offset - old_offset;
+ DISSECTOR_ASSERT(len <= size);
+ if (size-len) {
+ proto_tree_add_text(sub_tree, tvb, offset, size - len,
+ "UnusedBuffer: %d bytes", size - len);
+ }
+
+ offset = old_offset + size;
+
+ return offset;
+}
+
+static int
+dissect_dcom_ProtoSeq(tvbuff_t *tvb, gint offset, packet_info *pinfo,
+ proto_tree *tree, guint8 *drep)
+{
+ offset = dissect_dcom_WORD(tvb, offset, pinfo, tree, drep,
+ hf_sysact_sri_protseq, NULL);
+
+ return offset;
+}
+
+static int
+dissect_dcom_ProtoSeqArray(tvbuff_t *tvb, gint offset,
+ packet_info *pinfo, proto_tree *tree, guint8 *drep)
+{
+ offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
+ dissect_dcom_ProtoSeq);
+ return offset;
+}
+
+static int
+dissect_dcom_customREMOTE_REQUEST_SCM_INFO(tvbuff_t *tvb, gint offset,
+ packet_info *pinfo, proto_tree *tree, guint8 *drep)
+{
+ dcerpc_info *di;
+ proto_item *sub_item;
+ proto_tree *sub_tree;
+ gint old_offset;
+
+ di = pinfo->private_data;
+ if (di->conformant_run) {
+ return offset;
+ }
+
+ sub_item = proto_tree_add_text(tree, tvb, offset, 0, "RemoteRequest");
+ sub_tree = proto_item_add_subtree(sub_item, ett_dcom_rmtrqst);
+
+ old_offset = offset;
+ offset = dissect_dcom_DWORD(tvb, offset, pinfo, sub_tree, drep,
+ hf_sysact_sri_cltimplvl, NULL);
+ offset = dissect_dcom_WORD(tvb, offset, pinfo, sub_tree, drep,
+ hf_sysact_sri_protseqnum, NULL);
+ offset = dissect_ndr_embedded_pointer(tvb, offset, pinfo, sub_tree, drep,
+ dissect_dcom_ProtoSeqArray, NDR_POINTER_UNIQUE, "ProtocolSeqsArrayPtr", -1);
+ offset = dissect_deferred_pointers(pinfo, tvb, offset, drep);
+
+ proto_item_set_len(sub_item, offset - old_offset);
+
+ return offset;
+}
+
+static int
+dissect_dcom_ScmRqstInfo(tvbuff_t *tvb, gint offset, packet_info *pinfo,
+ proto_tree *tree, guint8 *drep, gint size)
+{
+ proto_item *sub_item;
+ proto_tree *sub_tree;
+ gint old_offset, len;
+
+ old_offset = offset;
+
+ sub_item = proto_tree_add_text(tree, tvb, offset, size, "ScmRequestInfo");
+ sub_tree = proto_item_add_subtree(sub_item, ett_dcom_scmrqstinfo);
+
+ offset = dissect_TypeSzCommPrivHdr(tvb, offset, pinfo, sub_tree, drep);
+
+ /*This MUST be set to NULL and MUST be ignored on receipt*/
+ offset = dissect_ndr_embedded_pointer(tvb, offset, pinfo, sub_tree, drep,
+ NULL, NDR_POINTER_UNIQUE, "Ptr", -1);
+ offset = dissect_ndr_embedded_pointer(tvb, offset, pinfo, sub_tree, drep,
+ dissect_dcom_customREMOTE_REQUEST_SCM_INFO, NDR_POINTER_UNIQUE,
+ "RemoteRequestPtr", -1);
+ offset = dissect_deferred_pointers(pinfo, tvb, offset, drep);
+
+ len = offset - old_offset;
+ DISSECTOR_ASSERT(len <= size);
+ if (size-len) {
+ proto_tree_add_text(sub_tree, tvb, offset, size - len,
+ "UnusedBuffer: %d bytes", size - len);
+ }
+
+ offset = old_offset + size;
+
+ return offset;
+}
+
+static int
+dissect_dcom_IfId(tvbuff_t *tvb, gint offset, packet_info *pinfo,
+ proto_tree *tree, guint8 *drep)
+{
+ offset = dissect_dcom_UUID(tvb, offset, pinfo, tree, drep,
+ hf_sysact_pi_iid, NULL);
+ return offset;
+}
+
+static int
+dissect_dcom_IfIds(tvbuff_t *tvb, gint offset,
+ packet_info *pinfo, proto_tree *tree, guint8 *drep)
+{
+ offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
+ dissect_dcom_IfId);
+ return offset;
+}
+
+static int
+dissect_dcom_ReturnVal(tvbuff_t *tvb, gint offset, packet_info *pinfo,
+ proto_tree *tree, guint8 *drep)
+{
+ offset = dissect_dcom_DWORD(tvb, offset, pinfo, tree, drep,
+ hf_sysact_pi_retval, NULL);
+ return offset;
+}
+
+static int
+dissect_dcom_ReturnVals(tvbuff_t *tvb, gint offset,
+ packet_info *pinfo, proto_tree *tree, guint8 *drep)
+{
+ offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
+ dissect_dcom_ReturnVal);
+ return offset;
+}
+
+static int
+dissect_OneInterfData(tvbuff_t *tvb, gint offset,
+ packet_info *pinfo, proto_tree *tree, guint8 *drep)
+{
+ offset = dissect_dcom_MInterfacePointer(tvb, offset, pinfo, tree, drep,
+ hf_sysact_pi_interf, NULL);
+ return offset;
+}
+
+static int
+dissect_dcom_OneInterfDataPtr(tvbuff_t *tvb, gint offset, packet_info *pinfo,
+ proto_tree *tree, guint8 *drep)
+{
+ offset = dissect_ndr_embedded_pointer(tvb, offset, pinfo, tree, drep,
+ dissect_OneInterfData, NDR_POINTER_UNIQUE, "InterfacePtr", -1);
+ return offset;
+}
+
+/*
+ * This MUST be an array of MInterfacePointer pointers containing the OBJREFs for
+ * the interfaces returned by the server.
+ */
+static int
+dissect_dcom_InterfData(tvbuff_t *tvb, gint offset,
+ packet_info *pinfo, proto_tree *tree, guint8 *drep)
+{
+ offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
+ dissect_dcom_OneInterfDataPtr);
+ offset = dissect_deferred_pointers(pinfo, tvb, offset, drep);
+ return offset;
+}
+
+static int
+dissect_dcom_PropsOutInfo(tvbuff_t *tvb, gint offset, packet_info *pinfo,
+ proto_tree *tree, guint8 *drep, gint size)
+{
+ proto_item *sub_item;
+ proto_tree *sub_tree;
+ gint old_offset, len;
+
+ old_offset = offset;
+
+ sub_item = proto_tree_add_text(tree, tvb, offset, size, "PropertiesOutput");
+ sub_tree = proto_item_add_subtree(sub_item, ett_dcom_propsoutput);
+
+ offset = dissect_TypeSzCommPrivHdr(tvb, offset, pinfo, sub_tree, drep);
+
+ offset = dissect_dcom_DWORD(tvb, offset, pinfo, sub_tree, drep,
+ hf_sysact_pi_ifnum, NULL);
+
+ offset = dissect_ndr_embedded_pointer(tvb, offset, pinfo, sub_tree, drep,
+ dissect_dcom_IfIds, NDR_POINTER_UNIQUE, "InterfaceIdsPtr", -1);
+ offset = dissect_ndr_embedded_pointer(tvb, offset, pinfo, sub_tree, drep,
+ dissect_dcom_ReturnVals, NDR_POINTER_UNIQUE, "ReturnValuesPtr", -1);
+ offset = dissect_ndr_embedded_pointer(tvb, offset, pinfo, sub_tree, drep,
+ dissect_dcom_InterfData, NDR_POINTER_UNIQUE, "InterfacePtrsPtr", -1);
+ offset = dissect_deferred_pointers(pinfo, tvb, offset, drep);
+
+ len = offset - old_offset;
+ DISSECTOR_ASSERT(len <= size);
+ if (size-len) {
+ proto_tree_add_text(sub_tree, tvb, offset, size - len,
+ "UnusedBuffer: %d bytes", size - len);
+ }
+
+ offset = old_offset + size;
+
+ return offset;
+}
+
+
+/*
+ *typedef struct tagDUALSTRINGARRAY {
+ * unsigned short wNumEntries;
+ * unsigned short wSecurityOffset;
+ * [size_is(wNumEntries)] unsigned short aStringArray[];
+ *} DUALSTRINGARRAY;
+ */
+static int
+dissect_dcom_OxidBindings(tvbuff_t *tvb, gint offset,
+ packet_info *pinfo, proto_tree *tree, guint8 *drep)
+{
+ dcerpc_info *di;
+ proto_item *sub_item;
+ proto_tree *sub_tree;
+ gint old_offset;
+
+ di = pinfo->private_data;
+ if (di->conformant_run) {
+ return offset;
+ }
+
+ old_offset = offset;
+ sub_item = proto_tree_add_text(tree, tvb, offset, 0, "OxidBindings");
+ sub_tree = proto_item_add_subtree(sub_item, ett_dcom_oxidbinding);
+
+ offset = dissect_dcom_dcerpc_array_size(tvb, offset, pinfo, sub_tree, drep, NULL);
+ offset = dissect_dcom_DUALSTRINGARRAY(tvb, offset, pinfo, sub_tree, drep,
+ hf_sysact_scmri_binding, NULL);
+
+ proto_item_set_len(sub_item, offset - old_offset);
+ return offset;
+}
+
+
+static int
+dissect_dcom_customREMOTE_REPLY_SCM_INFO(tvbuff_t *tvb, gint offset,
+ packet_info *pinfo, proto_tree *tree, guint8 *drep)
+{
+ dcerpc_info *di;
+ proto_item *sub_item;
+ proto_tree *sub_tree;
+ gint old_offset;
+
+ di = pinfo->private_data;
+ if (di->conformant_run) {
+ return offset;
+ }
+
+ sub_item = proto_tree_add_text(tree, tvb, offset, 0, "RemoteReply");
+ sub_tree = proto_item_add_subtree(sub_item, ett_dcom_rmtresp);
+
+ old_offset = offset;
+ offset = dissect_dcom_ID(tvb, offset, pinfo, sub_tree, drep,
+ hf_sysact_scmri_oxid, NULL);
+ offset = dissect_ndr_embedded_pointer(tvb, offset, pinfo, sub_tree, drep,
+ dissect_dcom_OxidBindings, NDR_POINTER_UNIQUE, "OxidBindingsPtr", -1);
+ offset = dissect_dcom_UUID(tvb, offset, pinfo, sub_tree, drep,
+ hf_sysact_scmri_rmtunknid, NULL);
+ offset = dissect_dcom_DWORD(tvb, offset, pinfo, sub_tree, drep,
+ hf_sysact_scmri_authhint, NULL);
+ offset = dissect_dcom_COMVERSION(tvb, offset, pinfo, sub_tree, drep,
+ NULL, NULL);
+ offset = dissect_deferred_pointers(pinfo, tvb, offset, drep);
+
+ proto_item_set_len(sub_item, offset - old_offset);
+
+ return offset;
+}
+
+
+static int
+dissect_dcom_ScmReplyInfo(tvbuff_t *tvb, gint offset, packet_info *pinfo,
+ proto_tree *tree, guint8 *drep, gint size)
+{
+ proto_item *sub_item;
+ proto_tree *sub_tree;
+ gint old_offset, len;
+
+ old_offset = offset;
+
+ sub_item = proto_tree_add_text(tree, tvb, offset, size, "ScmReplyInfo");
+ sub_tree = proto_item_add_subtree(sub_item, ett_dcom_scmrespinfo);
+
+ offset = dissect_TypeSzCommPrivHdr(tvb, offset, pinfo, sub_tree, drep);
+
+ /*This MUST be set to NULL and MUST be ignored on receipt*/
+ offset = dissect_ndr_embedded_pointer(tvb, offset, pinfo, sub_tree, drep,
+ NULL, NDR_POINTER_UNIQUE, "Ptr", -1);
+ offset = dissect_ndr_embedded_pointer(tvb, offset, pinfo, sub_tree, drep,
+ dissect_dcom_customREMOTE_REPLY_SCM_INFO, NDR_POINTER_UNIQUE,
+ "RemoteRequestPtr", -1);
+ offset = dissect_deferred_pointers(pinfo, tvb, offset, drep);
+
+ len = offset - old_offset;
+ DISSECTOR_ASSERT(len <= size);
+ if (size-len) {
+ proto_tree_add_text(sub_tree, tvb, offset, size - len,
+ "UnusedBuffer: %d bytes", size - len);
+ }
+
+ offset = old_offset + size;
+
+ return offset;
+}
+
+void
+sysact_register_routines(void)
+{
+ dcom_register_rountine(dissect_dcom_ActivationProperties, &iid_ActivationPropertiesIn);
+ dcom_register_rountine(dissect_dcom_ActivationProperties, &iid_ActivationPropertiesOut);
+ dcom_register_rountine(dissect_dcom_SpecialSystemProperties, &clsid_SpecialSystemProperties);
+ dcom_register_rountine(dissect_dcom_InstantiationInfo, &clsid_InstantiationInfo);
+ dcom_register_rountine(dissect_dcom_ActivationContextInfo, &clsid_ActivationContextInfo);
+ dcom_register_rountine(dissect_dcom_ContextMarshaler, &clsid_ContextMarshaler);
+ dcom_register_rountine(dissect_dcom_SecurtiyInfo, &clsid_SecurityInfo);
+ dcom_register_rountine(dissect_dcom_LocationInfo, &clsid_ServerLocationInfo);
+ dcom_register_rountine(dissect_dcom_ScmRqstInfo, &clsid_ScmRequestInfo);
+ dcom_register_rountine(dissect_dcom_PropsOutInfo, &clsid_PropsOutInfo);
+ dcom_register_rountine(dissect_dcom_ScmReplyInfo, &clsid_ScmReplyInfo);
+
+ return;
+}
static int
dissect_remsysact_remotecreateinstance_rqst(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
+ sysact_register_routines();
+
offset = dissect_dcom_this(tvb, offset, pinfo, tree, drep);
/* XXX - what is this? */
offset = dissect_dcom_nospec_data(tvb, offset, pinfo, tree, drep, 4);
-
offset = dissect_dcom_PMInterfacePointer(tvb, offset, pinfo, tree, drep,
- hf_sysact_unknown, NULL /* XXX */);
-
+ hf_sysact_actproperties, NULL /* XXX */);
return offset;
}
-
static int
dissect_remsysact_remotecreateinstance_resp(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
+ sysact_register_routines();
offset = dissect_dcom_that(tvb, offset, pinfo, tree, drep);
offset = dissect_dcom_PMInterfacePointer(tvb, offset, pinfo, tree, drep,
- hf_sysact_unknown, NULL /* XXX */);
+ hf_sysact_actproperties, NULL /* XXX */);
offset = dissect_dcom_HRESULT(tvb, offset, pinfo, tree, drep,
NULL /* pu32HResult */);
@@ -78,8 +1132,6 @@ dissect_remsysact_remotecreateinstance_resp(tvbuff_t *tvb, int offset,
}
-
-
static dcerpc_sub_dissector ISystemActivator_dissectors[] = {
{ 0, "QueryInterfaceIRemoteSCMActivator", NULL, NULL },
{ 1, "AddRefIRemoteISCMActivator", NULL, NULL },
@@ -92,19 +1144,202 @@ static dcerpc_sub_dissector ISystemActivator_dissectors[] = {
void
proto_register_ISystemActivator (void)
{
+ /* fields */
static hf_register_info hf[] = {
{ &hf_opnum,
{ "Operation", "isystemactivator.opnum", FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }},
+ { &hf_sysact_actproperties,
+ { "IActProperties", "isystemactivator.actproperties", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
{ &hf_sysact_unknown,
{ "IUnknown", "isystemactivator.unknown", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
};
+
+ static hf_register_info hf_actproperties[] = {
+ { &hf_sysact_totalsize,
+ { "Totalsize", "isystemactivator.actproperties.size", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
+ { &hf_sysact_res,
+ { "Reserved", "isystemactivator.actproperties.resv", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
+
+ { &hf_sysact_customhdrsize,
+ { "CustomHeaderSize", "isystemactivator.customhdr.size", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
+ { &hf_sysact_dstctx,
+ { "DestinationContext", "isystemactivator.customhdr.dc", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
+ { &hf_sysact_actpropnumber,
+ { "NumActivationPropertyStructs", "isystemactivator.customhdr.actpropnumber", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
+ { &hf_sysact_actpropclsinfoid,
+ { "ClassInfoClsid", "isystemactivator.customhdr.clsinfoid", FT_GUID, BASE_NONE, NULL, 0x0, NULL, HFILL }},
+ { &hf_sysact_actpropclsids,
+ { "PropertyGuids", "isystemactivator.customhdr.clsids", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
+ { &hf_sysact_actpropclsid,
+ { "PropertyStructGuid", "isystemactivator.customhdr.clsid", FT_GUID, BASE_NONE, NULL, 0x0, NULL, HFILL }},
+ { &hf_sysact_actpropsizes,
+ { "PropertyDataSizes", "isystemactivator.customhdr.datasizes", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
+ { &hf_sysact_actpropsize,
+ { "PropertyDataSize", "isystemactivator.customhdr.datasize", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
+
+ /*SpecialSystemProperties*/
+ { &hf_sysact_spsysprop_sid,
+ { "SessionID", "isystemactivator.properties.spcl.sid", FT_UINT32, BASE_DEC_HEX, NULL, 0x0, "A value that uniquely identifies a logon session on the server", HFILL }},
+ { &hf_sysact_spsysprop_remotethissid,
+ { "RemoteThisSessionID", "isystemactivator.properties.spcl.remotesid", FT_UINT32, BASE_DEC_HEX, NULL, 0x0, NULL, HFILL }},
+ { &hf_sysact_spsysprop_cltimpersonating,
+ { "ClientImpersonating", "isystemactivator.properties.spcl.cltimp", FT_UINT32, BASE_DEC_HEX, NULL, 0x0, NULL, HFILL }},
+ { &hf_sysact_spsysprop_partitionid,
+ { "PartitionIDPresent", "isystemactivator.properties.spcl.cltimp", FT_UINT32, BASE_DEC_HEX, NULL, 0x0, NULL, HFILL }},
+ { &hf_sysact_spsysprop_defauthlvl,
+ { "DefaultAuthnLevel", "isystemactivator.properties.spcl.defauthlvl", FT_UINT32, BASE_DEC_HEX, NULL, 0x0, NULL, HFILL }},
+ { &hf_sysact_spsysprop_partition,
+ { "PartitionGuid", "isystemactivator.properties.spcl.partition", FT_GUID, BASE_NONE, NULL, 0x0, NULL, HFILL }},
+ { &hf_sysact_spsysprop_procrqstflgs,
+ { "ProcessRequestFlags", "isystemactivator.properties.spcl.procreqstflgs", FT_UINT32, BASE_DEC_HEX, NULL, 0x0, NULL, HFILL }},
+ { &hf_sysact_spsysprop_origclsctx,
+ { "OriginalClassContext", "isystemactivator.properties.spcl.origclsctx", FT_UINT32, BASE_DEC_HEX, NULL, 0x0, NULL, HFILL }},
+ { &hf_sysact_spsysprop_flags,
+ { "Flags", "isystemactivator.properties.spcl.flags", FT_UINT32, BASE_DEC_HEX, NULL, 0x0, NULL, HFILL }},
+ { &hf_sysact_spsysprop_procid,
+ { "ProcessID", "isystemactivator.properties.spcl.procid", FT_UINT32, BASE_DEC_HEX, NULL, 0x0, NULL, HFILL }},
+ { &hf_sysact_spsysprop_hwnd,
+ { "hWnd", "isystemactivator.properties.spcl.hwnd", FT_UINT64, BASE_DEC_HEX, NULL, 0x0, NULL, HFILL }},
+
+ /*InstantiationInfo*/
+ { &hf_sysact_instninfo_clsid,
+ { "InstantiatedObjectClsId", "isystemactivator.properties.instninfo.clsid", FT_GUID, BASE_NONE, NULL, 0x0, NULL, HFILL }},
+ { &hf_sysact_instninfo_clsctx,
+ { "ClassContext", "isystemactivator.properties.instninfo.clsctx", FT_UINT32, BASE_DEC_HEX, NULL, 0x0, NULL, HFILL }},
+ { &hf_sysact_instninfo_actflags,
+ { "ActivationFlags", "isystemactivator.properties.instninfo.actflags", FT_UINT32, BASE_DEC_HEX, VALS(instninfo_actflags), 0x0, NULL, HFILL }},
+ { &hf_sysact_instninfo_issurrogate,
+ { "FlagsSurrogate", "isystemactivator.properties.instninfo.actflags", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
+ { &hf_sysact_instninfo_iidcount,
+ { "InterfaceIdCount", "isystemactivator.properties.instninfo.iidcount", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
+ { &hf_sysact_instninfo_instflags,
+ { "InstantiationFlag", "isystemactivator.properties.instninfo.instflags", FT_UINT32, BASE_DEC_HEX, NULL, 0x0, NULL, HFILL }},
+ { &hf_sysact_instninfo_entiresize,
+ { "EntirePropertySize", "isystemactivator.properties.instninfo.entiresize", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
+ { &hf_sysact_instninfo_iid,
+ { "InterfaceIds", "isystemactivator.properties.instninfo.iid", FT_GUID, BASE_NONE, NULL, 0x0, NULL, HFILL }},
+
+ /*ActivationContextInfo*/
+ { &hf_sysact_actctxinfo_cltok,
+ { "ClientOk", "isystemactivator.properties.actctxinfo.cltok", FT_INT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
+ { &hf_sysact_context,
+ { "ClientContext", "isystemactivator.properties.context", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
+
+ /*dcom Context*/
+ { &hf_sysact_ctx_id,
+ { "ContextID", "isystemactivator.properties.context.id", FT_GUID, BASE_NONE, NULL, 0x0, NULL, HFILL }},
+ { &hf_sysact_ctx_flags,
+ { "Flags", "isystemactivator.properties.context.flags", FT_UINT32, BASE_HEX, VALS(dcom_context_flag_vals), 0x0, NULL, HFILL }},
+ { &hf_sysact_ctx_res,
+ { "Reserved", "isystemactivator.properties.context.res", FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL }},
+ { &hf_sysact_ctx_numextents,
+ { "NumExtents", "isystemactivator.properties.context.numext", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
+ { &hf_sysact_ctx_extentscnt,
+ { "ExtentCount", "isystemactivator.properties.context.extcnt", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
+ { &hf_sysact_ctx_mashflags,
+ { "MarshalFlags", "isystemactivator.properties.context.mashflags", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
+ { &hf_sysact_ctx_count,
+ { "ContextPropertyCount", "isystemactivator.properties.context.cnt", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
+ { &hf_sysact_ctx_frozen,
+ { "Frozen", "isystemactivator.properties.context.frz", FT_UINT32, BASE_HEX, VALS(boolean_flag_vals), 0x0, NULL, HFILL }},
+
+ /*Security Info*/
+ { &hf_sysact_si_authflalgs,
+ { "AuthenticationFlags", "isystemactivator.properties.si.authflags", FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL }},
+ { &hf_sysact_si_serverinfo,
+ { "ServerInfo", "isystemactivator.properties.si.ci", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }},
+ { &hf_sysact_si_ci_res,
+ { "Reserved", "isystemactivator.properties.si.ci.res", FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL }},
+ { &hf_sysact_si_ci_string,
+ { "String", "isystemactivator.properties.si.ci.name", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL }},
+
+ /*Location info*/
+ { &hf_sysact_li_string,
+ { "String", "isystemactivator.properties.li.name", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL }},
+ { &hf_sysact_li_procid,
+ { "ProcessId", "isystemactivator.properties.li.procid", FT_UINT32, BASE_DEC_HEX, NULL, 0x0, NULL, HFILL }},
+ { &hf_sysact_li_apartid,
+ { "ApartmentId", "isystemactivator.properties.li.apartid", FT_UINT32, BASE_DEC_HEX, NULL, 0x0, NULL, HFILL }},
+ { &hf_sysact_li_ctxid,
+ { "ContextId", "isystemactivator.properties.li.ctxid", FT_UINT32, BASE_DEC_HEX, NULL, 0x0, NULL, HFILL }},
+
+ /*ScmRequst info*/
+ { &hf_sysact_sri_cltimplvl,
+ { "ClientImpersonationLevel", "isystemactivator.properties.sri.cltimplvl", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
+ { &hf_sysact_sri_protseqnum,
+ { "NumProtocolSequences", "isystemactivator.properties.sri.protseqnum", FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }},
+ { &hf_sysact_sri_protseq,
+ { "ProtocolSeq", "isystemactivator.properties.sri.protseq", FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }},
+
+ /*PropsOutInfo*/
+ { &hf_sysact_pi_ifnum,
+ { "NumInterfaces", "isystemactivator.properties.pi.ifnum", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
+ { &hf_sysact_pi_retval,
+ { "ReturnValue", "isystemactivator.properties.retval", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
+ { &hf_sysact_pi_interf,
+ { "Interface", "isystemactivator.properties.interf", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
+ { &hf_sysact_pi_iid,
+ { "IID", "isystemactivator.properties.iid", FT_GUID, BASE_NONE, NULL, 0x0, NULL, HFILL }},
+
+ /*ScmReply info*/
+ { &hf_sysact_scmri_rmtunknid,
+ { "IRemUnknownInterfacePointerId", "isystemactivator.properties.scmresp.rmtunknid", FT_GUID, BASE_NONE, NULL, 0x0, NULL, HFILL }},
+ { &hf_sysact_scmri_authhint,
+ { "AuthenticationHint", "isystemactivator.properties.scmresp.authhint", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
+ { &hf_sysact_scmri_binding,
+ { "Bindings", "isystemactivator.properties.scmresp.binding", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
+ { &hf_sysact_scmri_oxid,
+ { "OXID", "isystemactivator.properties.scmresp.oxid", FT_UINT64, BASE_HEX, NULL, 0x0, NULL, HFILL }},
+ };
+
+ static hf_register_info hf_tshdr[] = {
+ { &hf_typeszch,
+ { "CommonHeader", "isystemactivator.actproperties.ts.hdr", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
+ { &hf_typeszph,
+ { "PrivateHeader", "isystemactivator.actproperties.ts.hdr", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
+ { &hf_typesz_ver,
+ { "Version", "isystemactivator.actproperties.ts.ver", FT_UINT8, BASE_HEX, NULL, 0x0, NULL, HFILL }},
+ { &hf_typesz_endianess,
+ { "Endianess", "isystemactivator.actproperties.ts.end", FT_UINT8, BASE_HEX, VALS(ts_endian_vals), 0x0, NULL, HFILL }},
+ { &hf_typesz_commhdrlen,
+ { "CommonHeaderLength", "isystemactivator.actproperties.ts.chl", FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }},
+ { &hf_typesz_filler,
+ { "Filler", "isystemactivator.actproperties.ts.fil", FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL }},
+ { &hf_typesz_buflen,
+ { "ObjectBufferLength", "isystemactivator.actproperties.ts.buflen", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
+ };
+
+
+ /* Tree */
static gint *ett[] = {
- &ett_ISystemActivator
+ &ett_isystemactivator,
+ &ett_actproperties,
+ &ett_properties,
+ &ett_commonheader,
+ &ett_propguids,
+ &ett_typeszcommhdr,
+ &ett_typeszprivhdr,
+ &ett_dcom_spclsysprop,
+ &ett_dcom_reserved,
+ &ett_dcom_instantianinfo,
+ &ett_dcom_actctxinfo,
+ &ett_dcom_context,
+ &ett_dcom_securityinfo,
+ &ett_dcom_locationinfo,
+ &ett_dcom_scmrqstinfo,
+ &ett_dcom_rmtrqst,
+
+ &ett_dcom_propsoutput,
+ &ett_dcom_scmrespinfo,
+ &ett_dcom_rmtresp,
+ &ett_dcom_oxidbinding,
+
};
- proto_ISystemActivator = proto_register_protocol ("ISystemActivator ISystemActivator Resolver",
- "ISystemActivator",
- "isystemactivator");
+
+ proto_ISystemActivator = proto_register_protocol ("ISystemActivator ISystemActivator Resolver", "ISystemActivator", "isystemactivator");
proto_register_field_array (proto_ISystemActivator, hf, array_length (hf));
+ proto_register_field_array (proto_ISystemActivator, hf_actproperties, array_length (hf_actproperties));
+ proto_register_field_array(proto_ISystemActivator, hf_tshdr, array_length(hf_tshdr));
proto_register_subtree_array (ett, array_length (ett));
}
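Review bot: Three fields in `hf_actproperties` and `hf_tshdr` are registered under a filter abbreviation that another field already uses, so a display filter cannot tell them apart. `hf_sysact_spsysprop_partitionid` reuses `isystemactivator.properties.spcl.cltimp` from ClientImpersonating, `hf_sysact_instninfo_issurrogate` reuses `isystemactivator.properties.instninfo.actflags` (with a different display base and no value_string), and `hf_typeszph` reuses `isystemactivator.actproperties.ts.hdr` from the common header. Anyone filtering captured activation traffic on the impersonation flag would also match PartitionIDPresent values. Giving each field its own abbreviation fixes this, for example `"isystemactivator.properties.spcl.partitionidpresent"`, `"isystemactivator.properties.instninfo.issurrogate"` and `"isystemactivator.actproperties.ts.privhdr"` (names suggested here, not taken from the project).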
@@ -112,7 +1347,6 @@ void
proto_reg_handoff_ISystemActivator (void)
{
/* Register the protocol as dcerpc */
- dcerpc_init_uuid (proto_ISystemActivator, ett_ISystemActivator,
- &uuid_ISystemActivator, ver_ISystemActivator,
- ISystemActivator_dissectors, hf_opnum);
+ dcerpc_init_uuid (proto_ISystemActivator, ett_isystemactivator, &uuid_ISystemActivator,
+ ver_ISystemActivator, ISystemActivator_dissectors, hf_opnum);
}
diff --git a/epan/dissectors/packet-dcom.c b/epan/dissectors/packet-dcom.c
index 45348667fc..20d15470c5 100644
--- a/epan/dissectors/packet-dcom.c
+++ b/epan/dissectors/packet-dcom.c
@@ -154,6 +154,10 @@ int hf_dcom_oxid = -1;
int hf_dcom_oid = -1;
int hf_dcom_ipid = -1;
+
+static gint ett_dcom_custobjref = -1;
+static int hf_dcom_custobjref = -1;
+
static gint ett_dcom_dualstringarray = -1;
static gint ett_dcom_dualstringarray_binding = -1;
static int hf_dcom_dualstringarray_num_entries = -1;
@@ -219,6 +223,8 @@ static int hf_dcom_vt_bstr = -1;
static int hf_dcom_vt_byref = -1;
static int hf_dcom_vt_dispatch = -1;
+
+
/* this/that extension UUIDs */
static e_uuid_t uuid_debug_ext = { 0xf1f19680, 0x4d2a, 0x11ce, { 0xa6, 0x6a, 0x00, 0x20, 0xaf, 0x6e, 0x72, 0xf4} };
static e_uuid_t uuid_ext_error_ext ={ 0xf1f19681, 0x4d2a, 0x11ce, { 0xa6, 0x6a, 0x00, 0x20, 0xaf, 0x6e, 0x72, 0xf4} };
@@ -228,9 +234,12 @@ static const e_uuid_t ipid_rem_unknown = { 0x00000131, 0x1234, 0x5678, { 0xCA,
static const e_uuid_t iid_unknown = { 0x00000000, 0x0000, 0x0000, { 0xC0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46} };
static const e_uuid_t uuid_null = { 0x00000000, 0x0000, 0x0000, { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00} };
static const e_uuid_t iid_class_factory = { 0x00000001, 0x0000, 0x0000, { 0xC0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46} };
+static const e_uuid_t iid_act_prop_in = { 0x000001A2, 0x0000, 0x0000, { 0xC0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46} };
+static const e_uuid_t iid_act_prop_out = { 0x000001A3, 0x0000, 0x0000, { 0xC0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46} };
static GList *dcom_machines = NULL;
static GList *dcom_interfaces = NULL;
+static GList *dcom_marshalers = NULL;
static const value_string dcom_thisthat_flag_vals[] = {
{ 0, "INFO_NULL" },
@@ -238,7 +247,11 @@ static const value_string dcom_thisthat_flag_vals[] = {
{ 0, NULL }
};
-
+static const value_string dcom_boolean_flag_vals[] = {
+ { 0x00000001, "TRUE" },
+ { 0x00000000, "FALSE" },
+ { 0, NULL }
+};
void dcom_interface_dump(void) {
dcom_machine_t *machine;
@@ -1899,6 +1912,114 @@ dissect_dcom_STDOBJREF(tvbuff_t *tvb, gint offset, packet_info *pinfo,
}
+
+/*
+ *
+ *static void
+ *print_uuid(const e_uuid_t* uuid)
+*{
+ * proto_tree_add_debug_text(NULL, "UUID:(%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x)\n",
+ * uuid->Data1, uuid->Data2, uuid->Data3,
+ * uuid->Data4[0], uuid->Data4[1],
+ * uuid->Data4[2], uuid->Data4[3],
+ * uuid->Data4[4], uuid->Data4[5],
+ * uuid->Data4[6], uuid->Data4[7]);
+ *
+ * return;
+ *}
+ *
+ */
+
+int
+dcom_register_rountine(dcom_dissect_fn_t routine, e_uuid_t* uuid)
+{
+ dcom_marshaler_t *marshaler;
+
+
+ /* check if exists already */
+ if (dcom_get_rountine_by_uuid(uuid))
+ return -1;
+
+ marshaler = se_alloc(sizeof(dcom_marshaler_t));
+ if (!marshaler) {
+ /*memory error*/
+ return -1;
+ }
+
+ marshaler->parent = NULL;
+ marshaler->private_data = NULL;
+ marshaler->uuid = *uuid;
+ marshaler->routine = routine;
+
+ dcom_marshalers = g_list_append(dcom_marshalers, marshaler);
+
+ return 0;
+}
+
+
+dcom_dissect_fn_t
+dcom_get_rountine_by_uuid(const e_uuid_t* uuid)
+{
+ dcom_marshaler_t *marsh;
+ GList *marshalers;
+
+ if(memcmp(uuid, &uuid_null, sizeof(uuid_null)) == 0) {
+ return NULL;
+ }
+
+ for(marshalers = dcom_marshalers; marshalers!= NULL;
+ marshalers = g_list_next(marshalers)) {
+ marsh = marshalers->data;
+ /*print_uuid(&marsh->uuid);*/
+ /*print_uuid(uuid);*/
+ if(memcmp(&marsh->uuid, uuid, sizeof(e_uuid_t)) == 0) {
+ return marsh->routine;
+ }
+ }
+
+ return NULL;
+}
+
+/* dissect an CUSTOM */
+int
+dissect_dcom_CUSTOBJREF(tvbuff_t *tvb, gint offset, packet_info *pinfo,
+ proto_tree *tree, guint8 *drep, int hfindex,
+ e_uuid_t *clsid, e_uuid_t *iid)
+{
+ guint32 u32CBExtension;
+ guint32 u32Size;
+ guint32 u32SubStart;
+ proto_item *sub_item;
+ proto_tree *sub_tree;
+ dcom_dissect_fn_t routine = NULL;
+
+
+ /* add subtree header */
+ hfindex = hf_dcom_custobjref;
+ sub_item = proto_tree_add_item(tree, hfindex, tvb, offset, 0, ENC_NA);
+ sub_tree = proto_item_add_subtree(sub_item, ett_dcom_custobjref);
+
+ u32SubStart = offset;
+ offset = dissect_dcom_UUID(tvb, offset, pinfo, sub_tree, drep,
+ hf_dcom_clsid, clsid);
+ offset = dissect_dcom_DWORD(tvb, offset, pinfo, sub_tree, drep,
+ hf_dcom_objref_cbextension, &u32CBExtension);
+ offset = dissect_dcom_DWORD(tvb, offset, pinfo, sub_tree, drep,
+ hf_dcom_objref_size, &u32Size);
+
+ /* the following data depends on the iid, get the routine by iid */
+ routine = dcom_get_rountine_by_uuid(iid);
+ if (routine){
+ offset = routine(tvb, offset, pinfo, sub_tree, drep, 0);
+ }
+
+ /* append info to subtree header */
+ //proto_item_append_text(sub_item, ": ActivationPropertiesIn");
+ proto_item_set_len(sub_item, offset - u32SubStart);
+
+ return offset;
+}
+
/* dissect an OBJREF */
int
dissect_dcom_OBJREF(tvbuff_t *tvb, gint offset, packet_info *pinfo,
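Review bot: `dcom_register_rountine` allocates each `dcom_marshaler_t` with `se_alloc`, which is capture-scoped memory, but keeps the pointer in the file-static `dcom_marshalers` list, and nothing in this diff resets that list. The part of `dcom_reinit` visible in a later hunk frees only `dcom_interfaces`. If that is the whole picture, loading a second capture leaves the list pointing at released memory, and `dcom_get_rountine_by_uuid` then runs `memcmp` on `marsh->uuid` and returns `marsh->routine` from it. Allocating with `marshaler = g_malloc(sizeof(dcom_marshaler_t));` gives the entries the same lifetime as the list and makes the NULL check unnecessary. Calling `sysact_register_routines()` once from the registration or handoff path, rather than from each `dissect_remsysact_remotecreateinstance_*` call, would also avoid eleven list scans per packet.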
@@ -1911,8 +2032,6 @@ dissect_dcom_OBJREF(tvbuff_t *tvb, gint offset, packet_info *pinfo,
proto_item *sub_item;
proto_tree *sub_tree;
guint32 u32SubStart;
- guint32 u32CBExtension;
- guint32 u32Size;
guint64 oxid;
guint64 oid;
e_uuid_t ipid;
@@ -1950,15 +2069,9 @@ dissect_dcom_OBJREF(tvbuff_t *tvb, gint offset, packet_info *pinfo,
hf_dcom_objref_resolver_address, ip);
break;
case(0x4): /* custom */
- offset = dissect_dcom_UUID(tvb, offset, pinfo, sub_tree, drep,
- hf_dcom_clsid, &clsid);
- offset = dissect_dcom_DWORD(tvb, offset, pinfo, sub_tree, drep,
- hf_dcom_objref_cbextension, &u32CBExtension);
- offset = dissect_dcom_DWORD(tvb, offset, pinfo, sub_tree, drep,
- hf_dcom_objref_size, &u32Size);
- /* the following data depends on the CLSID, no docs available on this */
- offset = dissect_dcom_nospec_data(tvb, offset, pinfo, sub_tree, drep, u32Size);
- break;
+ offset = dissect_dcom_CUSTOBJREF(tvb, offset, pinfo, sub_tree, drep, hfindex,
+ &clsid, &iid);
+ break;
}
if(u32Flags == 0x1 || u32Flags == 0x2) {
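Review bot: The custom-OBJREF case no longer consumes the `u32Size` bytes of marshaled data when the IID is not one of the registered ones. The removed `dissect_dcom_nospec_data(..., u32Size)` call has no counterpart in `dissect_dcom_CUSTOBJREF` (added in an earlier hunk), which reads `u32Size` and `u32CBExtension` but never uses them and advances `offset` only when `dcom_get_rountine_by_uuid(iid)` returns a routine. For every other custom marshaler the payload is then not shown and the returned offset does not cover it. An else branch restores the old behaviour: `else { offset = dissect_dcom_nospec_data(tvb, offset, pinfo, sub_tree, drep, u32Size); }`. The routine is also called with `0` as its `size` argument although the size-taking dissectors in packet-dcom-sysact.c assert `len <= size`, so that argument probably should carry `u32Size` checked against the remaining buffer; `dissect_dcom_OBJREF` itself starts and ends outside this hunk.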
@@ -1980,8 +2093,6 @@ dissect_dcom_OBJREF(tvbuff_t *tvb, gint offset, packet_info *pinfo,
return offset;
}
-
-
/* dissect an MInterfacePointer */
int
dissect_dcom_MInterfacePointer(tvbuff_t *tvb, gint offset, packet_info *pinfo,
@@ -2002,11 +2113,11 @@ dissect_dcom_MInterfacePointer(tvbuff_t *tvb, gint offset, packet_info *pinfo,
sub_item = proto_tree_add_item(tree, hfindex, tvb, offset, 0, ENC_BIG_ENDIAN);
sub_tree = proto_item_add_subtree(sub_item, ett_dcom_interface_pointer);
+ offset = dissect_dcom_dcerpc_array_size(tvb, offset, pinfo, sub_tree, drep, &u32ArraySize);
+ u32SubStart = offset - 4; /* should use this trick to deal with align pad if any */
+
offset = dissect_dcom_DWORD(tvb, offset, pinfo, sub_tree, drep,
hf_dcom_ip_cnt_data, &u32CntData);
- u32SubStart = offset - 4;
-
- offset = dissect_dcom_dcerpc_array_size(tvb, offset, pinfo, sub_tree, drep, &u32ArraySize);
offset = dissect_dcom_OBJREF(tvb, offset, pinfo, sub_tree, drep, hfindex, interf);
@@ -2016,7 +2127,6 @@ dissect_dcom_MInterfacePointer(tvbuff_t *tvb, gint offset, packet_info *pinfo,
return offset;
}
-
/* dissect a pointer to a MInterfacePointer */
int
dissect_dcom_PMInterfacePointer(tvbuff_t *tvb, gint offset, packet_info *pinfo,
@@ -2082,13 +2192,14 @@ static void dcom_reinit( void) {
g_list_free(dcom_interfaces);
dcom_interfaces = NULL;
}
+
+ return;
}
void
proto_register_dcom (void)
{
-
static hf_register_info hf_dcom_this_array[] = {
{ &hf_dcom_this_version_major,
{ "VersionMajor", "dcom.this.version_major", FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }},
@@ -2098,8 +2209,8 @@ proto_register_dcom (void)
{ "Flags", "dcom.this.flags", FT_UINT32, BASE_HEX, VALS(dcom_thisthat_flag_vals), 0x0, NULL, HFILL }},
{ &hf_dcom_this_res,
{ "Reserved", "dcom.this.res", FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL }},
- { &hf_dcom_this_cid,
- { "Causality ID", "dcom.this.uuid", FT_GUID, BASE_NONE, NULL, 0x0, NULL, HFILL }}
+ { &hf_dcom_this_cid,
+ { "Causality ID", "dcom.this.uuid", FT_GUID, BASE_NONE, NULL, 0x0, NULL, HFILL }}
};
static hf_register_info hf_dcom_that_array[] = {
@@ -2198,6 +2309,12 @@ proto_register_dcom (void)
{ "IPID", "dcom.ipid", FT_GUID, BASE_NONE, NULL, 0x0, NULL, HFILL }}
};
+ static hf_register_info hf_dcom_custobjref_array[] = {
+ { &hf_dcom_custobjref,
+ { "CUSTOMOBJREF", "dcom.custobjref", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
+ };
+
+
static hf_register_info hf_dcom_dualstringarray_array[] = {
{ &hf_dcom_dualstringarray_num_entries,
{ "NumEntries", "dcom.dualstringarray.num_entries", FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }},
@@ -2306,11 +2423,12 @@ proto_register_dcom (void)
&ett_dcom_interface_pointer,
&ett_dcom_objref,
&ett_dcom_stdobjref,
+ &ett_dcom_custobjref,
&ett_dcom_dualstringarray,
&ett_dcom_dualstringarray_binding,
&ett_dcom_variant,
&ett_dcom_safearray,
- &ett_dcom_sa_features
+ &ett_dcom_sa_features,
};
module_t *dcom_module;
@@ -2324,6 +2442,7 @@ proto_register_dcom (void)
proto_register_field_array(proto_dcom, hf_dcom_array, array_length(hf_dcom_array));
proto_register_field_array(proto_dcom, hf_dcom_objref_array, array_length(hf_dcom_objref_array));
proto_register_field_array(proto_dcom, hf_dcom_stdobjref_array, array_length(hf_dcom_stdobjref_array));
+ proto_register_field_array(proto_dcom, hf_dcom_custobjref_array, array_length(hf_dcom_custobjref_array));
proto_register_field_array(proto_dcom, hf_dcom_dualstringarray_array, array_length(hf_dcom_dualstringarray_array));
proto_register_field_array(proto_dcom, hf_dcom_interface_pointer_array, array_length(hf_dcom_interface_pointer_array));
proto_register_field_array(proto_dcom, hf_dcom_vt_array, array_length(hf_dcom_vt_array));
diff --git a/epan/dissectors/packet-dcom.h b/epan/dissectors/packet-dcom.h
index e083982fa1..3e840bb6ca 100644
--- a/epan/dissectors/packet-dcom.h
+++ b/epan/dissectors/packet-dcom.h
@@ -68,11 +68,25 @@ typedef struct dcom_interface_s {
e_uuid_t ipid; /* the DCE/RPC Object UUID */
} dcom_interface_t;
+typedef int (*dcom_dissect_fn_t) (tvbuff_t *tvb, gint offset, packet_info *pinfo,
+ proto_tree *tree, guint8 *drep, gint size);
+
+typedef struct dcom_marshaler_s {
+ dcom_object_t *parent;
+ void *private_data;
+
+ e_uuid_t uuid;
+ dcom_dissect_fn_t routine;
+} dcom_marshaler_t;
extern dcom_interface_t *dcom_interface_new(packet_info *pinfo, const guint8 *ip, e_uuid_t *iid, guint64 oxid, guint64 oid, e_uuid_t *ipid);
extern dcom_interface_t *dcom_interface_find(packet_info *pinfo, const guint8 *ip, e_uuid_t *ipid);
extern void dcom_interface_dump(void);
+extern int dcom_register_rountine(dcom_dissect_fn_t routine, e_uuid_t* uuid);
+extern void dcom_register_common_routines_(void);
+
+extern dcom_dissect_fn_t dcom_get_rountine_by_uuid(const e_uuid_t* uuid);
/* the essential DCOM this and that, starting every call */
extern int