author | Ronnie Sahlberg <ronnie_sahlberg@ozemail.com.au> | 2005-03-19 09:11:56 +0000 |
---|---|---|
committer | Ronnie Sahlberg <ronnie_sahlberg@ozemail.com.au> | 2005-03-19 09:11:56 +0000 |
commit | 20d135115b7493f3a5d857868b3811e57c16a3fe (patch) | |
tree | ab6f9e57e814debc57a4eea4f5f4aecbfcd2eca0 /epan/dissectors/packet-dcerpc-efs.c | |
parent | de69f70b4722d464f0b03358e695cb27fc287514 (diff) | |
bugfix to idl2eth: handle the case when pointers were not explicitly specified
and we have a pointer to an array of pointers
make the EFS dissector autogenerated by idl2eth
svn path=/trunk/; revision=13806
Diffstat (limited to 'epan/dissectors/packet-dcerpc-efs.c')
-rw-r--r-- | epan/dissectors/packet-dcerpc-efs.c | 1365 |
1 files changed, 938 insertions, 427 deletions
diff --git a/epan/dissectors/packet-dcerpc-efs.c b/epan/dissectors/packet-dcerpc-efs.c index 5487912024..fe074f3e89 100644 --- a/epan/dissectors/packet-dcerpc-efs.c +++ b/epan/dissectors/packet-dcerpc-efs.c @@ -1,6 +1,12 @@ +/* DO NOT EDIT + * This dissector is autogenerated + */ + /* packet-dcerpc-efs.c - * Routines for the efsrpc MSRPC interface - * Copyright 2004 Ronnie Sahlberg, Jean-Baptiste Marchand + * Routines for EFS packet disassembly + * ronnie sahlberg 2005 + * Autogenerated based on the IDL definitions by + * Jean-Baptiste Marchand * * $Id$ * 
@@ -23,676 +29,1181 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ - #ifdef HAVE_CONFIG_H #include "config.h" #endif #include <glib.h> +#include <string.h> + #include <epan/packet.h> #include "packet-dcerpc.h" #include "packet-dcerpc-nt.h" -#include "packet-dcerpc-efs.h" #include "packet-windows-common.h" +#include "packet-dcerpc-efs.h" +static int proto_efs = -1; + + +/* INCLUDED FILE : ETH_HF */ +static int hf_efs_opnum = -1; +static int hf_efs_rc = -1; +static int hf_efs_EfsRpcOpenFileRaw_pvContext = -1; +static int hf_efs_EfsRpcOpenFileRaw_FileName = -1; +static int hf_efs_EfsRpcOpenFileRaw_Flags = -1; +static int hf_efs_EfsRpcReadFileRaw_pvContext = -1; +static int hf_efs_EfsRpcWriteFileRaw_pvContext = -1; +static int hf_efs_EfsRpcCloseRaw_pvContext = -1; +static int hf_efs_EfsRpcEncryptFileSrv_Filename = -1; +static int hf_efs_EfsRpcDecryptFileSrv_FileName = -1; +static int hf_efs_EfsRpcDecryptFileSrv_Reserved = -1; +static int hf_efs_EFS_HASH_BLOB_cbData = -1; +static int hf_efs_EFS_HASH_BLOB_pbData = -1; +static int hf_efs_ENCRYPTION_CERTIFICATE_HASH_cbTotalLength = -1; +static int hf_efs_ENCRYPTION_CERTIFICATE_HASH_pUserSid = -1; +static int hf_efs_ENCRYPTION_CERTIFICATE_HASH_pHash = -1; +static int hf_efs_ENCRYPTION_CERTIFICATE_HASH_lpDisplayInformation = -1; +static int hf_efs_ENCRYPTION_CERTIFICATE_HASH_LIST_nCert_Hash = -1; +static int hf_efs_ENCRYPTION_CERTIFICATE_HASH_LIST_pUsers = -1; +static int hf_efs_EfsRpcQueryUsersOnFile_FileName = -1; +static int hf_efs_EfsRpcQueryUsersOnFile_pUsers = -1; +static int hf_efs_EfsRpcQueryRecoveryAgents_FileName = -1; +static int hf_efs_EfsRpcQueryRecoveryAgents_pRecoveryAgents = -1; +static int hf_efs_EfsRpcRemoveUsersFromFile_FileName = -1; +static int hf_efs_EfsRpcAddUsersToFile_FileName = -1; +static int hf_efs_EFS_CERTIFICATE_BLOB_dwCertEncodingType = -1; +static int hf_efs_EFS_CERTIFICATE_BLOB_cbData = -1; +static int hf_efs_EFS_CERTIFICATE_BLOB_pbData = -1; +static int 
hf_efs_ENCRYPTION_CERTIFICATE_TotalLength = -1; +static int hf_efs_ENCRYPTION_CERTIFICATE_pUserSid = -1; +static int hf_efs_ENCRYPTION_CERTIFICATE_pCertBlob = -1; +static int hf_efs_EfsRpcSetFileEncryptionKey_pEncryptionCertificate = -1; +/* END OF INCLUDED FILE : ETH_HF */ + + + + + +/* INCLUDED FILE : ETH_ETT */ +static gint ett_efs = -1; +static gint ett_efs_EFS_HASH_BLOB = -1; +static gint ett_efs_ENCRYPTION_CERTIFICATE_HASH = -1; +static gint ett_efs_ENCRYPTION_CERTIFICATE_HASH_LIST = -1; +static gint ett_efs_EFS_CERTIFICATE_BLOB = -1; +static gint ett_efs_ENCRYPTION_CERTIFICATE = -1; +/* END OF INCLUDED FILE : ETH_ETT */ + + + + + +/* INCLUDED FILE : ETH_CODE */ +static e_uuid_t uuid_dcerpc_efs = { + 0xc681d488, 0xd850, 0x11d0, + { 0x8c, 0x52, 0x00, 0xc0, 0x4f, 0xd9, 0x0f, 0x7e} +}; -static int proto_dcerpc_efs = -1; -static int hf_efsrpc_opnum = -1; -static int hf_efsrpc_rc = -1; -static int hf_efsrpc_filename = -1; -static int hf_efsrpc_flags = -1; -static int hf_efsrpc_hnd = -1; -static int hf_efsrpc_reserved = -1; -static int hf_efsrpc_num_entries = -1; -static int hf_efsrpc_data_size = -1; -static int hf_efsrpc_cert_dn = -1; +static guint16 ver_efs = 1; -static gint ett_dcerpc_efs = -1; -static gint ett_dcerpc_efs_cert_hash = -1; +static e_ctx_hnd policy_hnd; +static proto_item *hnd_item; -/* -IDL [ uuid(c681d488-d850-11d0-8c52-00c04fd90f7e), -IDL version(1.0), -IDL implicit_handle(handle_t rpc_binding) -IDL ] interface efsrpc -*/ +static int +efs_dissect_policy_handle(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep, int hf_index, guint32 param) +{ + offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep, + hf_index, &policy_hnd, &hnd_item, + param&0x01, param&0x02); + return offset; +} +static int +efs_dissect_EfsRpcOpenFileRaw_pvContext(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep) +{ + guint32 param=0; + offset=efs_dissect_policy_handle(tvb, offset, pinfo, tree, drep, 
hf_efs_EfsRpcOpenFileRaw_pvContext, param); + return offset; +} -static e_uuid_t uuid_dcerpc_efs = { - 0xc681d488, 0xd850, 0x11d0, - { 0x8c, 0x52, 0x00, 0xc0, 0x4f, 0xd9, 0x0f, 0x7e } -}; +static int +ref_efs_dissect_EfsRpcOpenFileRaw_pvContext(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep) +{ + offset=dissect_ndr_toplevel_pointer(tvb, offset, pinfo, tree, drep, efs_dissect_EfsRpcOpenFileRaw_pvContext, NDR_POINTER_REF, "pvContext", -1); + return offset; +} -static guint16 ver_dcerpc_efs = 1; +static int +efs_dissect_unistr(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep, int hf_index, guint32 param _U_) +{ + offset=dissect_ndr_cvstring(tvb, offset, pinfo, tree, drep, 2, hf_index, FALSE, NULL); + return offset; +} + +static int +efs_dissect_EfsRpcOpenFileRaw_FileName(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep) +{ + guint32 param=0; + offset=efs_dissect_unistr(tvb, offset, pinfo, tree, drep, hf_efs_EfsRpcOpenFileRaw_FileName, param); + return offset; +} -/* -IDL long EfsRpcOpenFileRaw( -IDL [out] [context_handle] void *pvContext, -IDL [in] [string] wchar_t FileName, -IDL [in] long Flags -IDL ); -*/ static int -efsrpc_dissect_open_file_raw_rqst(tvbuff_t *tvb, int offset, - packet_info *pinfo, proto_tree *tree, guint8 *drep) +efs_dissect_long(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep, int hf_index, guint32 param _U_) { + offset=dissect_ndr_uint32(tvb, offset, pinfo, tree, drep, hf_index, NULL); + return offset; +} + +static int +efs_dissect_EfsRpcOpenFileRaw_Flags(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep) +{ + guint32 param=0; + offset=efs_dissect_long(tvb, offset, pinfo, tree, drep, hf_efs_EfsRpcOpenFileRaw_Flags, param); + return offset; +} + - offset = dissect_ndr_cvstring(tvb, offset, pinfo, tree, drep, - sizeof(guint16), - hf_efsrpc_filename, TRUE, NULL); +static int 
+efs_dissect_EfsRpcOpenFileRaw_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_) +{ + offset=efs_dissect_EfsRpcOpenFileRaw_FileName(tvb, offset, pinfo, tree, drep); + offset=dissect_deferred_pointers(pinfo, tvb, offset, drep); - offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep, - hf_efsrpc_flags, NULL); + offset=efs_dissect_EfsRpcOpenFileRaw_Flags(tvb, offset, pinfo, tree, drep); + offset=dissect_deferred_pointers(pinfo, tvb, offset, drep); - return offset; + return offset; } static int -efsrpc_dissect_open_file_raw_reply(tvbuff_t *tvb, int offset, - packet_info *pinfo, proto_tree *tree, guint8 *drep) +efs_dissect_EfsRpcOpenFileRaw_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_) { - offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep, - hf_efsrpc_hnd, NULL, NULL, TRUE, FALSE); + offset=ref_efs_dissect_EfsRpcOpenFileRaw_pvContext(tvb, offset, pinfo, tree, drep); + offset=dissect_deferred_pointers(pinfo, tvb, offset, drep); - offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep, - hf_efsrpc_rc, NULL); + offset=dissect_ntstatus(tvb, offset, pinfo, tree, drep, hf_efs_rc, NULL); - return offset; + + return offset; +} +static int +efs_dissect_EfsRpcReadFileRaw_pvContext(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep) +{ + guint32 param=0; + offset=efs_dissect_policy_handle(tvb, offset, pinfo, tree, drep, hf_efs_EfsRpcReadFileRaw_pvContext, param); + return offset; } +static int +ref_efs_dissect_EfsRpcReadFileRaw_pvContext(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep) +{ + offset=dissect_ndr_toplevel_pointer(tvb, offset, pinfo, tree, drep, efs_dissect_EfsRpcReadFileRaw_pvContext, NDR_POINTER_REF, "pvContext", -1); + return offset; +} -/* -IDL long EfsRpcReadFileRaw( -IDL [in] [context_handle] void *pvContext, -IDL [out] ??? 
element_5 -IDL ); -*/ +static int +efs_dissect_EfsRpcReadFileRaw_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_) +{ + offset=ref_efs_dissect_EfsRpcReadFileRaw_pvContext(tvb, offset, pinfo, tree, drep); + offset=dissect_deferred_pointers(pinfo, tvb, offset, drep); + + + return offset; +} static int -efsrpc_dissect_read_file_raw_rqst(tvbuff_t *tvb, int offset, - packet_info *pinfo, proto_tree *tree, guint8 *drep) +efs_dissect_EfsRpcReadFileRaw_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_) { + offset=dissect_ntstatus(tvb, offset, pinfo, tree, drep, hf_efs_rc, NULL); - offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep, - hf_efsrpc_hnd, NULL, NULL, FALSE, FALSE); - return offset; + return offset; +} +static int +efs_dissect_EfsRpcWriteFileRaw_pvContext(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep) +{ + guint32 param=0; + offset=efs_dissect_policy_handle(tvb, offset, pinfo, tree, drep, hf_efs_EfsRpcWriteFileRaw_pvContext, param); + return offset; +} +static int +ref_efs_dissect_EfsRpcWriteFileRaw_pvContext(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep) +{ + offset=dissect_ndr_toplevel_pointer(tvb, offset, pinfo, tree, drep, efs_dissect_EfsRpcWriteFileRaw_pvContext, NDR_POINTER_REF, "pvContext", -1); + return offset; } -/* -IDL long EfsRpcWriteFileRaw( -IDL [in] [context_handle] void *pvContext, -IDL [in] ??? 
element_7 -IDL ); -*/ +static int +efs_dissect_EfsRpcWriteFileRaw_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_) +{ + offset=ref_efs_dissect_EfsRpcWriteFileRaw_pvContext(tvb, offset, pinfo, tree, drep); + offset=dissect_deferred_pointers(pinfo, tvb, offset, drep); + + return offset; +} static int -efsrpc_dissect_write_file_raw_rqst(tvbuff_t *tvb, int offset, - packet_info *pinfo, proto_tree *tree, guint8 *drep) +efs_dissect_EfsRpcWriteFileRaw_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_) { + offset=dissect_ntstatus(tvb, offset, pinfo, tree, drep, hf_efs_rc, NULL); - offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep, - hf_efsrpc_hnd, NULL, NULL, FALSE, FALSE); - return offset; + return offset; +} +static int +efs_dissect_EfsRpcCloseRaw_pvContext(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep) +{ + guint32 param=0; + offset=efs_dissect_policy_handle(tvb, offset, pinfo, tree, drep, hf_efs_EfsRpcCloseRaw_pvContext, param); + return offset; +} +static int +ref_efs_dissect_EfsRpcCloseRaw_pvContext(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep) +{ + offset=dissect_ndr_toplevel_pointer(tvb, offset, pinfo, tree, drep, efs_dissect_EfsRpcCloseRaw_pvContext, NDR_POINTER_REF, "pvContext", -1); + return offset; } static int -efsrpc_dissect_write_file_raw_reply(tvbuff_t *tvb, int offset, - packet_info *pinfo, proto_tree *tree, guint8 *drep) +efs_dissect_EfsRpcCloseRaw_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_) +{ + offset=ref_efs_dissect_EfsRpcCloseRaw_pvContext(tvb, offset, pinfo, tree, drep); + offset=dissect_deferred_pointers(pinfo, tvb, offset, drep); + + + return offset; +} + +static int +efs_dissect_EfsRpcCloseRaw_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep 
_U_) { + offset=ref_efs_dissect_EfsRpcCloseRaw_pvContext(tvb, offset, pinfo, tree, drep); + offset=dissect_deferred_pointers(pinfo, tvb, offset, drep); - offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep, - hf_efsrpc_rc, NULL); + offset=dissect_ntstatus(tvb, offset, pinfo, tree, drep, hf_efs_rc, NULL); - return offset; + return offset; +} +static int +efs_dissect_EfsRpcEncryptFileSrv_Filename(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep) +{ + guint32 param=0; + offset=efs_dissect_unistr(tvb, offset, pinfo, tree, drep, hf_efs_EfsRpcEncryptFileSrv_Filename, param); + return offset; } -/* -IDL -IDL void EfsRpcCloseRaw( -IDL [in,out] [context_handle] void *pvContext, -IDL ); -*/ +static int +efs_dissect_EfsRpcEncryptFileSrv_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_) +{ + offset=efs_dissect_EfsRpcEncryptFileSrv_Filename(tvb, offset, pinfo, tree, drep); + offset=dissect_deferred_pointers(pinfo, tvb, offset, drep); + + return offset; +} static int -efsrpc_dissect_close_file_raw_rqst(tvbuff_t *tvb, int offset, - packet_info *pinfo, proto_tree *tree, guint8 *drep) +efs_dissect_EfsRpcEncryptFileSrv_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_) { + offset=dissect_ntstatus(tvb, offset, pinfo, tree, drep, hf_efs_rc, NULL); - offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep, - hf_efsrpc_hnd, NULL, NULL, FALSE, TRUE); - return offset; + return offset; +} +static int +efs_dissect_EfsRpcDecryptFileSrv_FileName(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep) +{ + guint32 param=0; + offset=efs_dissect_unistr(tvb, offset, pinfo, tree, drep, hf_efs_EfsRpcDecryptFileSrv_FileName, param); + return offset; +} +static int +efs_dissect_EfsRpcDecryptFileSrv_Reserved(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep) +{ + guint32 param=0; + 
offset=efs_dissect_long(tvb, offset, pinfo, tree, drep, hf_efs_EfsRpcDecryptFileSrv_Reserved, param); + return offset; } static int -efsrpc_dissect_close_file_raw_reply(tvbuff_t *tvb, int offset, - packet_info *pinfo, proto_tree *tree, guint8 *drep) +efs_dissect_EfsRpcDecryptFileSrv_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_) { + offset=efs_dissect_EfsRpcDecryptFileSrv_FileName(tvb, offset, pinfo, tree, drep); + offset=dissect_deferred_pointers(pinfo, tvb, offset, drep); - offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep, - hf_efsrpc_hnd, NULL, NULL, FALSE, FALSE); + offset=efs_dissect_EfsRpcDecryptFileSrv_Reserved(tvb, offset, pinfo, tree, drep); + offset=dissect_deferred_pointers(pinfo, tvb, offset, drep); - return offset; + return offset; } +static int +efs_dissect_EfsRpcDecryptFileSrv_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_) +{ + offset=dissect_ntstatus(tvb, offset, pinfo, tree, drep, hf_efs_rc, NULL); -/* -IDL long EfsRpcEncryptFileSrv( -IDL [in] [string] wchar_t Filename -IDL ); - */ - + return offset; +} static int -efsrpc_dissect_encrypt_file_srv_rqst(tvbuff_t *tvb, int offset, - packet_info *pinfo, proto_tree *tree, guint8 *drep) +efs_dissect_EFS_HASH_BLOB_cbData(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep) { + guint32 param=0; + offset=efs_dissect_long(tvb, offset, pinfo, tree, drep, hf_efs_EFS_HASH_BLOB_cbData, param); + return offset; +} - offset = dissect_ndr_cvstring(tvb, offset, pinfo, tree, drep, - sizeof(guint16), - hf_efsrpc_filename, TRUE, NULL); - return offset; +static int +efs_dissect_uint8(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep, int hf_index, guint32 param _U_) +{ + offset=dissect_ndr_uint8(tvb, offset, pinfo, tree, drep, hf_index, NULL); + return offset; +} +static int +efs_dissect_EFS_HASH_BLOB_pbData(tvbuff_t *tvb, int offset, 
packet_info *pinfo, proto_tree *tree, guint8 *drep) +{ + guint32 param=0; + offset=efs_dissect_uint8(tvb, offset, pinfo, tree, drep, hf_efs_EFS_HASH_BLOB_pbData, param); + return offset; } +static int +ucarray_efs_dissect_EFS_HASH_BLOB_pbData(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep) +{ + offset=dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep, efs_dissect_EFS_HASH_BLOB_pbData); + return offset; +} static int -efsrpc_dissect_encrypt_file_srv_reply(tvbuff_t *tvb, int offset, - packet_info *pinfo, proto_tree *tree, guint8 *drep) +unique_ucarray_efs_dissect_EFS_HASH_BLOB_pbData(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep) { + offset=dissect_ndr_embedded_pointer(tvb, offset, pinfo, tree, drep, ucarray_efs_dissect_EFS_HASH_BLOB_pbData, NDR_POINTER_UNIQUE, "pbData", -1); + return offset; +} + - offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep, - hf_efsrpc_rc, NULL); +int +efs_dissect_EFS_HASH_BLOB(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *parent_tree, guint8 *drep, int hf_index, guint32 param _U_) +{ + proto_item *item=NULL; + proto_tree *tree=NULL; + int old_offset; - return offset; + ALIGN_TO_4_BYTES; -} + old_offset=offset; + if(parent_tree){ + item=proto_tree_add_item(parent_tree, hf_index, tvb, offset, -1, TRUE); + tree=proto_item_add_subtree(item, ett_efs_EFS_HASH_BLOB); + } + offset=efs_dissect_EFS_HASH_BLOB_cbData(tvb, offset, pinfo, tree, drep); -/* -IDL long EfsRpcDecryptFileSrv( -IDL [in] [string] wchar_t FileName, -IDL [in] long Reserved -IDL ); -*/ + offset=unique_ucarray_efs_dissect_EFS_HASH_BLOB_pbData(tvb, offset, pinfo, tree, drep); + proto_item_set_len(item, offset-old_offset); + return offset; +} static int -efsrpc_dissect_decrypt_file_srv_rqst(tvbuff_t *tvb, int offset, - packet_info *pinfo, proto_tree *tree, guint8 *drep) +efs_dissect_ENCRYPTION_CERTIFICATE_HASH_cbTotalLength(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep) 
{ + guint32 param=0; + offset=efs_dissect_long(tvb, offset, pinfo, tree, drep, hf_efs_ENCRYPTION_CERTIFICATE_HASH_cbTotalLength, param); + return offset; +} - offset = dissect_ndr_cvstring(tvb, offset, pinfo, tree, drep, - sizeof(guint16), - hf_efsrpc_filename, TRUE, NULL); - offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep, - hf_efsrpc_reserved, NULL); +static int +efs_dissect_SID(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep, int hf_index, guint32 param) +{ + dcerpc_info *di = (dcerpc_info *)pinfo->private_data; - return offset; + di->hf_index=hf_index; + offset=dissect_ndr_nt_SID_with_options(tvb, offset, pinfo, tree, drep, param); + return offset; +} +static int +efs_dissect_ENCRYPTION_CERTIFICATE_HASH_pUserSid(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep) +{ + guint32 param=0; + offset=efs_dissect_SID(tvb, offset, pinfo, tree, drep, hf_efs_ENCRYPTION_CERTIFICATE_HASH_pUserSid, param); + return offset; } +static int +unique_efs_dissect_ENCRYPTION_CERTIFICATE_HASH_pUserSid(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep) +{ + offset=dissect_ndr_embedded_pointer(tvb, offset, pinfo, tree, drep, efs_dissect_ENCRYPTION_CERTIFICATE_HASH_pUserSid, NDR_POINTER_UNIQUE, "pUserSid", -1); + return offset; +} static int -efsrpc_dissect_decrypt_file_srv_reply(tvbuff_t *tvb, int offset, - packet_info *pinfo, proto_tree *tree, guint8 *drep) +efs_dissect_ENCRYPTION_CERTIFICATE_HASH_pHash(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep) { + guint32 param=0; + offset=efs_dissect_EFS_HASH_BLOB(tvb, offset, pinfo, tree, drep, hf_efs_ENCRYPTION_CERTIFICATE_HASH_pHash, param); + return offset; +} - offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep, - hf_efsrpc_rc, NULL); +static int +unique_efs_dissect_ENCRYPTION_CERTIFICATE_HASH_pHash(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep) +{ + 
offset=dissect_ndr_embedded_pointer(tvb, offset, pinfo, tree, drep, efs_dissect_ENCRYPTION_CERTIFICATE_HASH_pHash, NDR_POINTER_UNIQUE, "pHash", -1); + return offset; +} - return offset; +static int +efs_dissect_ENCRYPTION_CERTIFICATE_HASH_lpDisplayInformation(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep) +{ + guint32 param=0; + offset=efs_dissect_unistr(tvb, offset, pinfo, tree, drep, hf_efs_ENCRYPTION_CERTIFICATE_HASH_lpDisplayInformation, param); + return offset; +} +static int +unique_efs_dissect_ENCRYPTION_CERTIFICATE_HASH_lpDisplayInformation(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep) +{ + offset=dissect_ndr_embedded_pointer(tvb, offset, pinfo, tree, drep, efs_dissect_ENCRYPTION_CERTIFICATE_HASH_lpDisplayInformation, NDR_POINTER_UNIQUE, "lpDisplayInformation", -1); + return offset; } -/* -IDL typedef struct { -IDL long cbData; -IDL [size_is(cbData)] void *pbData; -IDL } EFS_HASH_BLOB; -*/ +int +efs_dissect_ENCRYPTION_CERTIFICATE_HASH(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *parent_tree, guint8 *drep, int hf_index, guint32 param _U_) +{ + proto_item *item=NULL; + proto_tree *tree=NULL; + int old_offset; + + ALIGN_TO_4_BYTES; + + old_offset=offset; + if(parent_tree){ + item=proto_tree_add_item(parent_tree, hf_index, tvb, offset, -1, TRUE); + tree=proto_item_add_subtree(item, ett_efs_ENCRYPTION_CERTIFICATE_HASH); + } + + offset=efs_dissect_ENCRYPTION_CERTIFICATE_HASH_cbTotalLength(tvb, offset, pinfo, tree, drep); + + offset=unique_efs_dissect_ENCRYPTION_CERTIFICATE_HASH_pUserSid(tvb, offset, pinfo, tree, drep); + + offset=unique_efs_dissect_ENCRYPTION_CERTIFICATE_HASH_pHash(tvb, offset, pinfo, tree, drep); + + offset=unique_efs_dissect_ENCRYPTION_CERTIFICATE_HASH_lpDisplayInformation(tvb, offset, pinfo, tree, drep); + + proto_item_set_len(item, offset-old_offset); + return offset; +} static int -efsrpc_dissect_EFS_HASH_BLOB_data(tvbuff_t *tvb, int offset, - packet_info *pinfo, 
proto_tree *tree, - guint8 *drep) +efs_dissect_ENCRYPTION_CERTIFICATE_HASH_LIST_nCert_Hash(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep) { - guint32 size; - dcerpc_info *di = (dcerpc_info *)pinfo->private_data; + guint32 param=0; + offset=efs_dissect_long(tvb, offset, pinfo, tree, drep, hf_efs_ENCRYPTION_CERTIFICATE_HASH_LIST_nCert_Hash, param); + return offset; +} - if(di->conformant_run){ - return offset; /* cant modify offset while performing conformant run */ - } +static int +efs_dissect_ENCRYPTION_CERTIFICATE_HASH_LIST_pUsers(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep) +{ + guint32 param=0; + offset=efs_dissect_ENCRYPTION_CERTIFICATE_HASH(tvb, offset, pinfo, tree, drep, hf_efs_ENCRYPTION_CERTIFICATE_HASH_LIST_pUsers, param); + return offset; +} - offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep, - hf_efsrpc_data_size, &size); +static int +unique_efs_dissect_ENCRYPTION_CERTIFICATE_HASH_LIST_pUsers(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep) +{ + offset=dissect_ndr_embedded_pointer(tvb, offset, pinfo, tree, drep, efs_dissect_ENCRYPTION_CERTIFICATE_HASH_LIST_pUsers, NDR_POINTER_UNIQUE, "pUsers", -1); + return offset; +} - /* XXX insert some sort of proto_tree_add_item here and show hex data - of the blob */ - offset += size; - return offset; +static int +ucarray_unique_efs_dissect_ENCRYPTION_CERTIFICATE_HASH_LIST_pUsers(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep) +{ + offset=dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep, unique_efs_dissect_ENCRYPTION_CERTIFICATE_HASH_LIST_pUsers); + return offset; } static int -efsrpc_dissect_EFS_HASH_BLOB(tvbuff_t *tvb, int offset, - packet_info *pinfo, proto_tree *tree, - guint8 *drep) +unique_ucarray_unique_efs_dissect_ENCRYPTION_CERTIFICATE_HASH_LIST_pUsers(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep) { - guint32 size; + 
offset=dissect_ndr_embedded_pointer(tvb, offset, pinfo, tree, drep, ucarray_unique_efs_dissect_ENCRYPTION_CERTIFICATE_HASH_LIST_pUsers, NDR_POINTER_UNIQUE, "pUsers", -1); + return offset; +} - offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep, - hf_efsrpc_data_size, &size); - offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep, - efsrpc_dissect_EFS_HASH_BLOB_data, NDR_POINTER_UNIQUE, - "HASH_BLOB", -1); +int +efs_dissect_ENCRYPTION_CERTIFICATE_HASH_LIST(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *parent_tree, guint8 *drep, int hf_index, guint32 param _U_) +{ + proto_item *item=NULL; + proto_tree *tree=NULL; + int old_offset; - return offset; -} + ALIGN_TO_4_BYTES; + old_offset=offset; + if(parent_tree){ + item=proto_tree_add_item(parent_tree, hf_index, tvb, offset, -1, TRUE); + tree=proto_item_add_subtree(item, ett_efs_ENCRYPTION_CERTIFICATE_HASH_LIST); + } + offset=efs_dissect_ENCRYPTION_CERTIFICATE_HASH_LIST_nCert_Hash(tvb, offset, pinfo, tree, drep); + + offset=unique_ucarray_unique_efs_dissect_ENCRYPTION_CERTIFICATE_HASH_LIST_pUsers(tvb, offset, pinfo, tree, drep); + + proto_item_set_len(item, offset-old_offset); + + return offset; +} static int -efsrpc_dissect_efs_SID_ptr(tvbuff_t *tvb, int offset, - packet_info *pinfo, proto_tree *tree, - guint8 *drep) +efs_dissect_EfsRpcQueryUsersOnFile_FileName(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep) { - offset = dissect_ndr_nt_SID(tvb, offset, pinfo, tree, drep); + guint32 param=0; + offset=efs_dissect_unistr(tvb, offset, pinfo, tree, drep, hf_efs_EfsRpcQueryUsersOnFile_FileName, param); + return offset; +} + +static int +efs_dissect_EfsRpcQueryUsersOnFile_pUsers(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep) +{ + guint32 param=0; + offset=efs_dissect_ENCRYPTION_CERTIFICATE_HASH_LIST(tvb, offset, pinfo, tree, drep, hf_efs_EfsRpcQueryUsersOnFile_pUsers, param); + return offset; +} - return offset; +static int 
+unique_efs_dissect_EfsRpcQueryUsersOnFile_pUsers(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep) +{ + offset=dissect_ndr_toplevel_pointer(tvb, offset, pinfo, tree, drep, efs_dissect_EfsRpcQueryUsersOnFile_pUsers, NDR_POINTER_UNIQUE, "pUsers", -1); + return offset; } +static int +ref_unique_efs_dissect_EfsRpcQueryUsersOnFile_pUsers(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep) +{ + offset=dissect_ndr_toplevel_pointer(tvb, offset, pinfo, tree, drep, unique_efs_dissect_EfsRpcQueryUsersOnFile_pUsers, NDR_POINTER_REF, "pUsers", -1); + return offset; +} -/* -IDL typedef struct { -IDL long cbTotalLength; -IDL SID *pUserSid; -IDL EFS_HASH_BLOB *pHash; -IDL [string] wchar_t lpDisplayInformation; -IDL } ENCRYPTION_CERTIFICATE_HASH; -*/ static int -efsrpc_dissect_ENCRYPTION_CERTIFICATE_HASH(tvbuff_t *tvb, int offset, - packet_info *pinfo, proto_tree *parent_tree, - guint8 *drep) +efs_dissect_EfsRpcQueryUsersOnFile_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_) { - proto_item *item = NULL; - proto_tree *tree = NULL; + offset=efs_dissect_EfsRpcQueryUsersOnFile_FileName(tvb, offset, pinfo, tree, drep); + offset=dissect_deferred_pointers(pinfo, tvb, offset, drep); - if (parent_tree) { - item = proto_tree_add_text(parent_tree, tvb, offset, -1, "ENCRYPTION_CERTIFICATE_HASH"); - tree = proto_item_add_subtree(item, ett_dcerpc_efs_cert_hash); - } - offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep, - hf_efsrpc_data_size, NULL); + return offset; +} - offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep, - efsrpc_dissect_efs_SID_ptr, NDR_POINTER_UNIQUE, - "SID", -1); +static int +efs_dissect_EfsRpcQueryUsersOnFile_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_) +{ + offset=ref_unique_efs_dissect_EfsRpcQueryUsersOnFile_pUsers(tvb, offset, pinfo, tree, drep); + 
offset=dissect_deferred_pointers(pinfo, tvb, offset, drep); - offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep, - efsrpc_dissect_EFS_HASH_BLOB, NDR_POINTER_UNIQUE, - "EFS_HASH_BLOB", -1); + offset=dissect_ntstatus(tvb, offset, pinfo, tree, drep, hf_efs_rc, NULL); - offset = dissect_ndr_pointer_cb( - tvb, offset, pinfo, tree, drep, - dissect_ndr_wchar_cvstring, NDR_POINTER_UNIQUE, - "Certificate DN", hf_efsrpc_cert_dn, cb_wstr_postprocess, - GINT_TO_POINTER(CB_STR_COL_INFO | 1)); - return offset; + return offset; +} +static int +efs_dissect_EfsRpcQueryRecoveryAgents_FileName(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep) +{ + guint32 param=0; + offset=efs_dissect_unistr(tvb, offset, pinfo, tree, drep, hf_efs_EfsRpcQueryRecoveryAgents_FileName, param); + return offset; } +static int +efs_dissect_EfsRpcQueryRecoveryAgents_pRecoveryAgents(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep) +{ + guint32 param=0; + offset=efs_dissect_ENCRYPTION_CERTIFICATE_HASH_LIST(tvb, offset, pinfo, tree, drep, hf_efs_EfsRpcQueryRecoveryAgents_pRecoveryAgents, param); + return offset; +} static int -efsrpc_dissect_ENCRYPTION_CERTIFICATE_HASH_ptr(tvbuff_t *tvb, int offset, - packet_info *pinfo, proto_tree *tree, - guint8 *drep) +unique_efs_dissect_EfsRpcQueryRecoveryAgents_pRecoveryAgents(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep) { + offset=dissect_ndr_toplevel_pointer(tvb, offset, pinfo, tree, drep, efs_dissect_EfsRpcQueryRecoveryAgents_pRecoveryAgents, NDR_POINTER_UNIQUE, "pRecoveryAgents", -1); + return offset; +} - offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep, - efsrpc_dissect_ENCRYPTION_CERTIFICATE_HASH, NDR_POINTER_UNIQUE, - "ENCRYPTION_CERTIFICATE_HASH", -1); +static int +ref_unique_efs_dissect_EfsRpcQueryRecoveryAgents_pRecoveryAgents(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep) +{ + offset=dissect_ndr_toplevel_pointer(tvb, 
offset, pinfo, tree, drep, unique_efs_dissect_EfsRpcQueryRecoveryAgents_pRecoveryAgents, NDR_POINTER_REF, "pRecoveryAgents", -1); + return offset; +} - return offset; -} +static int +efs_dissect_EfsRpcQueryRecoveryAgents_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_) +{ + offset=efs_dissect_EfsRpcQueryRecoveryAgents_FileName(tvb, offset, pinfo, tree, drep); + offset=dissect_deferred_pointers(pinfo, tvb, offset, drep); + + return offset; +} static int -efsrpc_dissect_ENCRYPTION_CERTIFICATE_HASH_array(tvbuff_t *tvb, int offset, - packet_info *pinfo, proto_tree *tree, - guint8 *drep) +efs_dissect_EfsRpcQueryRecoveryAgents_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_) { - offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep, - efsrpc_dissect_ENCRYPTION_CERTIFICATE_HASH_ptr); + offset=ref_unique_efs_dissect_EfsRpcQueryRecoveryAgents_pRecoveryAgents(tvb, offset, pinfo, tree, drep); + offset=dissect_deferred_pointers(pinfo, tvb, offset, drep); + + offset=dissect_ntstatus(tvb, offset, pinfo, tree, drep, hf_efs_rc, NULL); + - return offset; + return offset; +} +static int +efs_dissect_EfsRpcRemoveUsersFromFile_FileName(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep) +{ + guint32 param=0; + offset=efs_dissect_unistr(tvb, offset, pinfo, tree, drep, hf_efs_EfsRpcRemoveUsersFromFile_FileName, param); + return offset; } -/* -IDL typedef struct { -IDL long nCert_Hash; -IDL [size_is(nCert_Hash)] [unique] ENCRYPTION_CERTIFICATE_HASH *pUsers; -IDL } ENCRYPTION_CERTIFICATE_HASH_LIST; -*/ -static int -efsrpc_dissect_ENCRYPTION_CERTIFICATE_HASH_LIST(tvbuff_t *tvb, int offset, - packet_info *pinfo, proto_tree *tree, guint8 *drep) +static int +efs_dissect_EfsRpcRemoveUsersFromFile_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_) { + 
offset=efs_dissect_EfsRpcRemoveUsersFromFile_FileName(tvb, offset, pinfo, tree, drep); + offset=dissect_deferred_pointers(pinfo, tvb, offset, drep); - offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep, - hf_efsrpc_num_entries, NULL); - offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep, - efsrpc_dissect_ENCRYPTION_CERTIFICATE_HASH_array, NDR_POINTER_UNIQUE, - "ENCRYPTION_CERTIFICATE_HASH array:", -1); + return offset; +} + +static int +efs_dissect_EfsRpcRemoveUsersFromFile_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_) +{ + offset=dissect_ntstatus(tvb, offset, pinfo, tree, drep, hf_efs_rc, NULL); - return offset; + return offset; +} +static int +efs_dissect_EfsRpcAddUsersToFile_FileName(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep) +{ + guint32 param=0; + offset=efs_dissect_unistr(tvb, offset, pinfo, tree, drep, hf_efs_EfsRpcAddUsersToFile_FileName, param); + return offset; } +static int +efs_dissect_EfsRpcAddUsersToFile_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_) +{ + offset=efs_dissect_EfsRpcAddUsersToFile_FileName(tvb, offset, pinfo, tree, drep); + offset=dissect_deferred_pointers(pinfo, tvb, offset, drep); -/* -IDL long EfsRpcQueryUsersOnFile( -IDL [in] [string] wchar_t FileName, -IDL [out] [ref] ENCRYPTION_CERTIFICATE_HASH_LIST **pUsers -IDL ); -*/ + return offset; +} static int -efsrpc_dissect_query_users_on_file_rqst(tvbuff_t *tvb, int offset, - packet_info *pinfo, proto_tree *tree, guint8 *drep) +efs_dissect_EfsRpcAddUsersToFile_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_) { + offset=dissect_ntstatus(tvb, offset, pinfo, tree, drep, hf_efs_rc, NULL); - offset = dissect_ndr_cvstring(tvb, offset, pinfo, tree, drep, - sizeof(guint16), - hf_efsrpc_filename, TRUE, NULL); + return offset; +} +static int 
+efs_dissect_EFS_CERTIFICATE_BLOB_dwCertEncodingType(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep) +{ + guint32 param=0; + offset=efs_dissect_long(tvb, offset, pinfo, tree, drep, hf_efs_EFS_CERTIFICATE_BLOB_dwCertEncodingType, param); + return offset; +} - return offset; +static int +efs_dissect_EFS_CERTIFICATE_BLOB_cbData(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep) +{ + guint32 param=0; + offset=efs_dissect_long(tvb, offset, pinfo, tree, drep, hf_efs_EFS_CERTIFICATE_BLOB_cbData, param); + return offset; +} +static int +efs_dissect_EFS_CERTIFICATE_BLOB_pbData(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep) +{ + guint32 param=0; + offset=efs_dissect_uint8(tvb, offset, pinfo, tree, drep, hf_efs_EFS_CERTIFICATE_BLOB_pbData, param); + return offset; } +static int +ucarray_efs_dissect_EFS_CERTIFICATE_BLOB_pbData(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep) +{ + offset=dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep, efs_dissect_EFS_CERTIFICATE_BLOB_pbData); + return offset; +} static int -efsrpc_dissect_query_users_on_file_reply(tvbuff_t *tvb, int offset, - packet_info *pinfo, proto_tree *tree, guint8 *drep) +unique_ucarray_efs_dissect_EFS_CERTIFICATE_BLOB_pbData(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep) { - offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep, - efsrpc_dissect_ENCRYPTION_CERTIFICATE_HASH_LIST, NDR_POINTER_UNIQUE, - "ENCRYPTION_CERTIFICATE_HASH_LIST", -1); + offset=dissect_ndr_embedded_pointer(tvb, offset, pinfo, tree, drep, ucarray_efs_dissect_EFS_CERTIFICATE_BLOB_pbData, NDR_POINTER_UNIQUE, "pbData", -1); + return offset; +} - offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep, - hf_efsrpc_rc, NULL); - return offset; +int +efs_dissect_EFS_CERTIFICATE_BLOB(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *parent_tree, guint8 *drep, int hf_index, guint32 param 
_U_) +{ + proto_item *item=NULL; + proto_tree *tree=NULL; + int old_offset; -} + ALIGN_TO_4_BYTES; + + old_offset=offset; + if(parent_tree){ + item=proto_tree_add_item(parent_tree, hf_index, tvb, offset, -1, TRUE); + tree=proto_item_add_subtree(item, ett_efs_EFS_CERTIFICATE_BLOB); + } + + offset=efs_dissect_EFS_CERTIFICATE_BLOB_dwCertEncodingType(tvb, offset, pinfo, tree, drep); + + offset=efs_dissect_EFS_CERTIFICATE_BLOB_cbData(tvb, offset, pinfo, tree, drep); + + offset=unique_ucarray_efs_dissect_EFS_CERTIFICATE_BLOB_pbData(tvb, offset, pinfo, tree, drep); -/* -IDL long EfsRpcQueryRecoveryAgents( -IDL [in] [string] wchar_t FileName, -IDL [out] [ref] ENCRYPTION_CERTIFICATE_HASH_LIST **pRecoveryAgents -IDL ); -*/ + proto_item_set_len(item, offset-old_offset); + return offset; +} static int -efsrpc_dissect_query_recovery_agents_rqst(tvbuff_t *tvb, int offset, - packet_info *pinfo, proto_tree *tree, guint8 *drep) +efs_dissect_ENCRYPTION_CERTIFICATE_TotalLength(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep) { + guint32 param=0; + offset=efs_dissect_long(tvb, offset, pinfo, tree, drep, hf_efs_ENCRYPTION_CERTIFICATE_TotalLength, param); + return offset; +} - offset = dissect_ndr_cvstring(tvb, offset, pinfo, tree, drep, - sizeof(guint16), - hf_efsrpc_filename, TRUE, NULL); - - return offset; +static int +efs_dissect_ENCRYPTION_CERTIFICATE_pUserSid(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep) +{ + guint32 param=0; + offset=efs_dissect_SID(tvb, offset, pinfo, tree, drep, hf_efs_ENCRYPTION_CERTIFICATE_pUserSid, param); + return offset; +} +static int +unique_efs_dissect_ENCRYPTION_CERTIFICATE_pUserSid(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep) +{ + offset=dissect_ndr_embedded_pointer(tvb, offset, pinfo, tree, drep, efs_dissect_ENCRYPTION_CERTIFICATE_pUserSid, NDR_POINTER_UNIQUE, "pUserSid", -1); + return offset; } +static int 
+efs_dissect_ENCRYPTION_CERTIFICATE_pCertBlob(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep) +{ + guint32 param=0; + offset=efs_dissect_EFS_CERTIFICATE_BLOB(tvb, offset, pinfo, tree, drep, hf_efs_ENCRYPTION_CERTIFICATE_pCertBlob, param); + return offset; +} static int -efsrpc_dissect_query_recovery_agents_reply(tvbuff_t *tvb, int offset, - packet_info *pinfo, proto_tree *tree, guint8 *drep) +unique_efs_dissect_ENCRYPTION_CERTIFICATE_pCertBlob(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep) { + offset=dissect_ndr_embedded_pointer(tvb, offset, pinfo, tree, drep, efs_dissect_ENCRYPTION_CERTIFICATE_pCertBlob, NDR_POINTER_UNIQUE, "pCertBlob", -1); + return offset; +} - offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep, - efsrpc_dissect_ENCRYPTION_CERTIFICATE_HASH_LIST, NDR_POINTER_UNIQUE, - "ENCRYPTION_CERTIFICATE_HASH_LIST", -1); - offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep, - hf_efsrpc_rc, NULL); +int +efs_dissect_ENCRYPTION_CERTIFICATE(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *parent_tree, guint8 *drep, int hf_index, guint32 param _U_) +{ + proto_item *item=NULL; + proto_tree *tree=NULL; + int old_offset; - return offset; + ALIGN_TO_4_BYTES; + old_offset=offset; + if(parent_tree){ + item=proto_tree_add_item(parent_tree, hf_index, tvb, offset, -1, TRUE); + tree=proto_item_add_subtree(item, ett_efs_ENCRYPTION_CERTIFICATE); + } -} + offset=efs_dissect_ENCRYPTION_CERTIFICATE_TotalLength(tvb, offset, pinfo, tree, drep); + offset=unique_efs_dissect_ENCRYPTION_CERTIFICATE_pUserSid(tvb, offset, pinfo, tree, drep); + offset=unique_efs_dissect_ENCRYPTION_CERTIFICATE_pCertBlob(tvb, offset, pinfo, tree, drep); -/* -IDL long EfsRpcRemoveUsersFromFile( -IDL [in] [string] wchar_t FileName, -IDL [in] ENCRYPTION_CERTIFICATE_LIST Hashes -IDL ); -*/ + proto_item_set_len(item, offset-old_offset); + return offset; +} static int -efsrpc_dissect_remove_users_from_file_rqst(tvbuff_t *tvb, 
int offset, - packet_info *pinfo, proto_tree *tree, guint8 *drep) +efs_dissect_EfsRpcSetFileEncryptionKey_pEncryptionCertificate(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep) { + guint32 param=0; + offset=efs_dissect_ENCRYPTION_CERTIFICATE(tvb, offset, pinfo, tree, drep, hf_efs_EfsRpcSetFileEncryptionKey_pEncryptionCertificate, param); + return offset; +} - offset = dissect_ndr_cvstring(tvb, offset, pinfo, tree, drep, - sizeof(guint16), - hf_efsrpc_filename, TRUE, NULL); -#if 0 - offset = efsrpc_dissect_ENCRYPTION_CERTIFICATE_LIST(tvb, offset, - pinfo, tree, drep); -#endif - return offset; +static int +unique_efs_dissect_EfsRpcSetFileEncryptionKey_pEncryptionCertificate(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep) +{ + offset=dissect_ndr_toplevel_pointer(tvb, offset, pinfo, tree, drep, efs_dissect_EfsRpcSetFileEncryptionKey_pEncryptionCertificate, NDR_POINTER_UNIQUE, "pEncryptionCertificate", -1); + return offset; +} + +static int +efs_dissect_EfsRpcSetFileEncryptionKey_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_) +{ + offset=unique_efs_dissect_EfsRpcSetFileEncryptionKey_pEncryptionCertificate(tvb, offset, pinfo, tree, drep); + offset=dissect_deferred_pointers(pinfo, tvb, offset, drep); + + + return offset; } +static int +efs_dissect_EfsRpcSetFileEncryptionKey_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_) +{ + offset=dissect_ntstatus(tvb, offset, pinfo, tree, drep, hf_efs_rc, NULL); + + + return offset; +} static int -efsrpc_dissect_remove_users_from_file_reply(tvbuff_t *tvb, int offset, - packet_info *pinfo, proto_tree *tree, guint8 *drep) +efs_dissect_EfsRpcNotSupported_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_) { - offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep, - hf_efsrpc_rc, NULL); + return offset; 
+} - return offset; +static int +efs_dissect_EfsRpcNotSupported_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_) +{ + offset=dissect_ntstatus(tvb, offset, pinfo, tree, drep, hf_efs_rc, NULL); + + return offset; } -/* -IDL long EfsRpcAddUsersToFile( -IDL [in] [string] wchar_t FileName, -IDL [in] ENCRYPTION_CERTIFICATE_LIST Hashes -IDL ); -*/ +static int +efs_dissect_EfsRpcFileKeyInfo_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_) +{ + + return offset; +} static int -efsrpc_dissect_add_users_from_file_rqst(tvbuff_t *tvb, int offset, - packet_info *pinfo, proto_tree *tree, guint8 *drep) +efs_dissect_EfsRpcFileKeyInfo_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_) { + offset=dissect_ntstatus(tvb, offset, pinfo, tree, drep, hf_efs_rc, NULL); - offset = dissect_ndr_cvstring(tvb, offset, pinfo, tree, drep, - sizeof(guint16), - hf_efsrpc_filename, TRUE, NULL); -#if 0 - offset = efsrpc_dissect_ENCRYPTION_CERTIFICATE_LIST(tvb, offset, - pinfo, tree, drep); -#endif - return offset; - -} - - -static int -efsrpc_dissect_add_users_from_file_reply(tvbuff_t *tvb, int offset, - packet_info *pinfo, proto_tree *tree, guint8 *drep) -{ - - offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep, - hf_efsrpc_rc, NULL); - - return offset; - -} - - -/* -IDL typedef struct { -IDL long dwCertEncodingType; -IDL long cbData; -IDL [size_is(cbData)] [unique] byte *pbData -IDL } EFS_CERTIFICATE_BLOB; -*/ - -/* -IDL typedef struct { -IDL long TotalLength; -IDL [unique] SID *pUserSid; -IDL [unique] EFS_CERTIFICATE_BLOB *pCertBlob; -IDL } ENCRYPTION_CERTIFICATE; -*/ - -/* -IDL long EfsRpcSetFileEncryptionKey( -IDL [in] [unique] ENCRYPTION_CERTIFICATE *pEncryptionCertificate -IDL ); -*/ - -static dcerpc_sub_dissector dcerpc_efs_dissectors[] = { - { EFS_RPC_OPEN_FILE_RAW , "EfsRpcOpenFileRaw", - 
efsrpc_dissect_open_file_raw_rqst, - efsrpc_dissect_open_file_raw_reply }, - { EFS_RPC_READ_FILE_RAW, "EfsRpcReadFileRaw", - efsrpc_dissect_read_file_raw_rqst, - NULL }, - { EFS_RPC_WRITE_FILE_RAW, "EfsRpcWriteFileRaw", - efsrpc_dissect_write_file_raw_rqst, - efsrpc_dissect_write_file_raw_reply }, - { EFS_RPC_CLOSE_RAW, "EfsRpcCloseRaw", - efsrpc_dissect_close_file_raw_rqst, - efsrpc_dissect_close_file_raw_reply }, - { EFS_RPC_ENCRYPT_FILE_SRV, "EfsRpcEncryptFileSrv", - efsrpc_dissect_encrypt_file_srv_rqst, - efsrpc_dissect_encrypt_file_srv_reply }, - { EFS_RPC_DECRYPT_FILE_SRV, "EfsRpcDecryptFileSrv", - efsrpc_dissect_decrypt_file_srv_rqst, - efsrpc_dissect_decrypt_file_srv_reply }, - { EFS_RPC_QUERY_USERS_ON_FILE, "EfsRpcQueryUsersOnFile", - efsrpc_dissect_query_users_on_file_rqst, - efsrpc_dissect_query_users_on_file_reply }, - { EFS_RPC_QUERY_RECOVERY_AGENTS, "EfsRpcQueryRecoveryAgents", - efsrpc_dissect_query_recovery_agents_rqst, - efsrpc_dissect_query_recovery_agents_reply }, - { EFS_RPC_REMOVE_USERS_FROM_FILE, "EfsRpcRemoveUsersFromFile", - efsrpc_dissect_remove_users_from_file_rqst, - efsrpc_dissect_remove_users_from_file_reply }, - { EFS_RPC_ADD_USERS_TO_FILE, "EfsRpcAddUsersToFile", - efsrpc_dissect_add_users_from_file_rqst, - efsrpc_dissect_add_users_from_file_reply }, - { EFS_RPC_SET_FILE_ENCRYPTION_KEY, "EfsRpcSetFileEncryptionKey" - , NULL, NULL }, - { EFS_RPC_NOT_SUPPORTED, "EfsRpcNotSupported" - , NULL, NULL }, - { EFS_RPC_FILE_KEY_INFO, "EfsRpcFileKeyInfo" - , NULL, NULL }, - { EFS_RPC_DUPLICATE_ENCRYPTION_INFO_FILE, - "EfsRpcDuplicateEncryptionInfoFile", NULL, NULL }, - { 0, NULL, NULL, NULL } -}; -void -proto_register_dcerpc_efs(void) + return offset; +} + +static int +efs_dissect_EfsRpcDuplicateEncryptionInfoFile_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_) { -static hf_register_info hf[] = { - { &hf_efsrpc_opnum, { - "Operation", "efsrpc.opnum", FT_UINT16, BASE_DEC, - NULL, 0x0, "", 
HFILL }}, - { &hf_efsrpc_rc, { - "Return code", "efsrpc.rc", FT_UINT32, BASE_HEX, - VALS(NT_errors), 0x0, "EFSRPC return code", HFILL }}, - { &hf_efsrpc_filename, - { "Filename", "efsrpc.filename", FT_STRING, BASE_NONE, - NULL, 0x0, "File name", HFILL}}, - { &hf_efsrpc_flags, { - "Flags", "efsrpc.flags", FT_UINT32, BASE_HEX, - NULL, 0x0, "EFSRPC Flags", HFILL }}, + return offset; +} - { &hf_efsrpc_hnd, { - "Context Handle", "efsrpc.hnd", FT_BYTES, - BASE_NONE, NULL, 0x0, "Context Handle", HFILL}}, +static int +efs_dissect_EfsRpcDuplicateEncryptionInfoFile_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_) +{ + offset=dissect_ntstatus(tvb, offset, pinfo, tree, drep, hf_efs_rc, NULL); - { &hf_efsrpc_reserved, { - "Reserved value", "efsrpc.reserved", FT_UINT32, BASE_HEX, - NULL, 0x0, "Reserved value", HFILL }}, - { &hf_efsrpc_num_entries, - { "Number of entries", "efsrpc.num_entries", FT_UINT32, - BASE_DEC, NULL, 0x0, "Number of Entries", HFILL}}, + return offset; +} +/* END OF INCLUDED FILE : ETH_CODE */ + - { &hf_efsrpc_data_size, - { "Size of data structure", "efsrpc.data_size", FT_UINT32, - BASE_DEC, NULL, 0x0, "Size of data structure", HFILL}}, - { &hf_efsrpc_cert_dn, - { "Certificate DN", "efsrpc.cert_dn", FT_STRING, BASE_NONE, - NULL, 0x0, "Distinguished Name of EFS certificate", HFILL}}, +void +proto_register_efs(void) +{ + static hf_register_info hf[] = { + + +/* INCLUDED FILE : ETH_HFARR */ + { &hf_efs_opnum, + { "Operation", "efs.opnum", FT_UINT16, BASE_DEC, + NULL, 0, + "", HFILL }}, + + { &hf_efs_rc, + { "Return code", "efs.rc", FT_UINT32, BASE_HEX, + VALS(NT_errors), 0, + "", HFILL }}, + + { &hf_efs_EfsRpcOpenFileRaw_pvContext, + { "pvContext", "efs.EfsRpcOpenFileRaw.pvContext", FT_BYTES, BASE_NONE, + NULL, 0, + "", HFILL }}, + + { &hf_efs_EfsRpcOpenFileRaw_FileName, + { "FileName", "efs.EfsRpcOpenFileRaw.FileName", FT_STRING, BASE_DEC, + NULL, 0, + "", HFILL }}, + + { 
&hf_efs_EfsRpcOpenFileRaw_Flags, + { "Flags", "efs.EfsRpcOpenFileRaw.Flags", FT_INT32, BASE_DEC, + NULL, 0, + "", HFILL }}, + + { &hf_efs_EfsRpcReadFileRaw_pvContext, + { "pvContext", "efs.EfsRpcReadFileRaw.pvContext", FT_BYTES, BASE_NONE, + NULL, 0, + "", HFILL }}, + + { &hf_efs_EfsRpcWriteFileRaw_pvContext, + { "pvContext", "efs.EfsRpcWriteFileRaw.pvContext", FT_BYTES, BASE_NONE, + NULL, 0, + "", HFILL }}, + + { &hf_efs_EfsRpcCloseRaw_pvContext, + { "pvContext", "efs.EfsRpcCloseRaw.pvContext", FT_BYTES, BASE_NONE, + NULL, 0, + "", HFILL }}, + + { &hf_efs_EfsRpcEncryptFileSrv_Filename, + { "Filename", "efs.EfsRpcEncryptFileSrv.Filename", FT_STRING, BASE_DEC, + NULL, 0, + "", HFILL }}, + + { &hf_efs_EfsRpcDecryptFileSrv_FileName, + { "FileName", "efs.EfsRpcDecryptFileSrv.FileName", FT_STRING, BASE_DEC, + NULL, 0, + "", HFILL }}, + + { &hf_efs_EfsRpcDecryptFileSrv_Reserved, + { "Reserved", "efs.EfsRpcDecryptFileSrv.Reserved", FT_INT32, BASE_DEC, + NULL, 0, + "", HFILL }}, + + { &hf_efs_EFS_HASH_BLOB_cbData, + { "cbData", "efs.EFS_HASH_BLOB.cbData", FT_INT32, BASE_DEC, + NULL, 0, + "", HFILL }}, + + { &hf_efs_EFS_HASH_BLOB_pbData, + { "pbData", "efs.EFS_HASH_BLOB.pbData", FT_UINT8, BASE_DEC, + NULL, 0, + "", HFILL }}, + + { &hf_efs_ENCRYPTION_CERTIFICATE_HASH_cbTotalLength, + { "cbTotalLength", "efs.ENCRYPTION_CERTIFICATE_HASH.cbTotalLength", FT_INT32, BASE_DEC, + NULL, 0, + "", HFILL }}, + + { &hf_efs_ENCRYPTION_CERTIFICATE_HASH_pUserSid, + { "pUserSid", "efs.ENCRYPTION_CERTIFICATE_HASH.pUserSid", FT_STRING, BASE_DEC, + NULL, 0, + "", HFILL }}, + + { &hf_efs_ENCRYPTION_CERTIFICATE_HASH_pHash, + { "pHash", "efs.ENCRYPTION_CERTIFICATE_HASH.pHash", FT_NONE, BASE_NONE, + NULL, 0, + "", HFILL }}, + + { &hf_efs_ENCRYPTION_CERTIFICATE_HASH_lpDisplayInformation, + { "lpDisplayInformation", "efs.ENCRYPTION_CERTIFICATE_HASH.lpDisplayInformation", FT_STRING, BASE_DEC, + NULL, 0, + "", HFILL }}, + + { &hf_efs_ENCRYPTION_CERTIFICATE_HASH_LIST_nCert_Hash, + { "nCert_Hash", 
"efs.ENCRYPTION_CERTIFICATE_HASH_LIST.nCert_Hash", FT_INT32, BASE_DEC, + NULL, 0, + "", HFILL }}, + + { &hf_efs_ENCRYPTION_CERTIFICATE_HASH_LIST_pUsers, + { "pUsers", "efs.ENCRYPTION_CERTIFICATE_HASH_LIST.pUsers", FT_NONE, BASE_NONE, + NULL, 0, + "", HFILL }}, + + { &hf_efs_EfsRpcQueryUsersOnFile_FileName, + { "FileName", "efs.EfsRpcQueryUsersOnFile.FileName", FT_STRING, BASE_DEC, + NULL, 0, + "", HFILL }}, + + { &hf_efs_EfsRpcQueryUsersOnFile_pUsers, + { "pUsers", "efs.EfsRpcQueryUsersOnFile.pUsers", FT_NONE, BASE_NONE, + NULL, 0, + "", HFILL }}, + + { &hf_efs_EfsRpcQueryRecoveryAgents_FileName, + { "FileName", "efs.EfsRpcQueryRecoveryAgents.FileName", FT_STRING, BASE_DEC, + NULL, 0, + "", HFILL }}, + + { &hf_efs_EfsRpcQueryRecoveryAgents_pRecoveryAgents, + { "pRecoveryAgents", "efs.EfsRpcQueryRecoveryAgents.pRecoveryAgents", FT_NONE, BASE_NONE, + NULL, 0, + "", HFILL }}, + + { &hf_efs_EfsRpcRemoveUsersFromFile_FileName, + { "FileName", "efs.EfsRpcRemoveUsersFromFile.FileName", FT_STRING, BASE_DEC, + NULL, 0, + "", HFILL }}, + + { &hf_efs_EfsRpcAddUsersToFile_FileName, + { "FileName", "efs.EfsRpcAddUsersToFile.FileName", FT_STRING, BASE_DEC, + NULL, 0, + "", HFILL }}, + + { &hf_efs_EFS_CERTIFICATE_BLOB_dwCertEncodingType, + { "dwCertEncodingType", "efs.EFS_CERTIFICATE_BLOB.dwCertEncodingType", FT_INT32, BASE_DEC, + NULL, 0, + "", HFILL }}, + + { &hf_efs_EFS_CERTIFICATE_BLOB_cbData, + { "cbData", "efs.EFS_CERTIFICATE_BLOB.cbData", FT_INT32, BASE_DEC, + NULL, 0, + "", HFILL }}, + + { &hf_efs_EFS_CERTIFICATE_BLOB_pbData, + { "pbData", "efs.EFS_CERTIFICATE_BLOB.pbData", FT_UINT8, BASE_DEC, + NULL, 0, + "", HFILL }}, + + { &hf_efs_ENCRYPTION_CERTIFICATE_TotalLength, + { "TotalLength", "efs.ENCRYPTION_CERTIFICATE.TotalLength", FT_INT32, BASE_DEC, + NULL, 0, + "", HFILL }}, + + { &hf_efs_ENCRYPTION_CERTIFICATE_pUserSid, + { "pUserSid", "efs.ENCRYPTION_CERTIFICATE.pUserSid", FT_STRING, BASE_DEC, + NULL, 0, + "", HFILL }}, + + { &hf_efs_ENCRYPTION_CERTIFICATE_pCertBlob, + 
{ "pCertBlob", "efs.ENCRYPTION_CERTIFICATE.pCertBlob", FT_NONE, BASE_NONE, + NULL, 0, + "", HFILL }}, + + { &hf_efs_EfsRpcSetFileEncryptionKey_pEncryptionCertificate, + { "pEncryptionCertificate", "efs.EfsRpcSetFileEncryptionKey.pEncryptionCertificate", FT_NONE, BASE_NONE, + NULL, 0, + "", HFILL }}, + +/* END OF INCLUDED FILE : ETH_HFARR */ }; static gint *ett[] = { - &ett_dcerpc_efs, - &ett_dcerpc_efs_cert_hash - }; - proto_dcerpc_efs = proto_register_protocol( - "Microsoft Encrypted File System Service", "EFSRPC", "efsrpc"); - proto_register_field_array(proto_dcerpc_efs, hf, - array_length(hf)); +/* INCLUDED FILE : ETH_ETTARR */ + &ett_efs, + &ett_efs_EFS_HASH_BLOB, + &ett_efs_ENCRYPTION_CERTIFICATE_HASH, + &ett_efs_ENCRYPTION_CERTIFICATE_HASH_LIST, + &ett_efs_EFS_CERTIFICATE_BLOB, + &ett_efs_ENCRYPTION_CERTIFICATE, +/* END OF INCLUDED FILE : ETH_ETTARR */ + + }; + + proto_efs = proto_register_protocol( + "Microsoft Encrypted File System Service", + "EFS", "efs"); + proto_register_field_array(proto_efs, hf, array_length(hf)); proto_register_subtree_array(ett, array_length(ett)); } +static dcerpc_sub_dissector function_dissectors[] = { + + +/* INCLUDED FILE : ETH_FT */ + { 0, "EfsRpcOpenFileRaw", + efs_dissect_EfsRpcOpenFileRaw_request, + efs_dissect_EfsRpcOpenFileRaw_response }, + { 1, "EfsRpcReadFileRaw", + efs_dissect_EfsRpcReadFileRaw_request, + efs_dissect_EfsRpcReadFileRaw_response }, + { 2, "EfsRpcWriteFileRaw", + efs_dissect_EfsRpcWriteFileRaw_request, + efs_dissect_EfsRpcWriteFileRaw_response }, + { 3, "EfsRpcCloseRaw", + efs_dissect_EfsRpcCloseRaw_request, + efs_dissect_EfsRpcCloseRaw_response }, + { 4, "EfsRpcEncryptFileSrv", + efs_dissect_EfsRpcEncryptFileSrv_request, + efs_dissect_EfsRpcEncryptFileSrv_response }, + { 5, "EfsRpcDecryptFileSrv", + efs_dissect_EfsRpcDecryptFileSrv_request, + efs_dissect_EfsRpcDecryptFileSrv_response }, + { 6, "EfsRpcQueryUsersOnFile", + efs_dissect_EfsRpcQueryUsersOnFile_request, + 
efs_dissect_EfsRpcQueryUsersOnFile_response }, + { 7, "EfsRpcQueryRecoveryAgents", + efs_dissect_EfsRpcQueryRecoveryAgents_request, + efs_dissect_EfsRpcQueryRecoveryAgents_response }, + { 8, "EfsRpcRemoveUsersFromFile", + efs_dissect_EfsRpcRemoveUsersFromFile_request, + efs_dissect_EfsRpcRemoveUsersFromFile_response }, + { 9, "EfsRpcAddUsersToFile", + efs_dissect_EfsRpcAddUsersToFile_request, + efs_dissect_EfsRpcAddUsersToFile_response }, + { 10, "EfsRpcSetFileEncryptionKey", + efs_dissect_EfsRpcSetFileEncryptionKey_request, + efs_dissect_EfsRpcSetFileEncryptionKey_response }, + { 11, "EfsRpcNotSupported", + efs_dissect_EfsRpcNotSupported_request, + efs_dissect_EfsRpcNotSupported_response }, + { 12, "EfsRpcFileKeyInfo", + efs_dissect_EfsRpcFileKeyInfo_request, + efs_dissect_EfsRpcFileKeyInfo_response }, + { 13, "EfsRpcDuplicateEncryptionInfoFile", + efs_dissect_EfsRpcDuplicateEncryptionInfoFile_request, + efs_dissect_EfsRpcDuplicateEncryptionInfoFile_response }, +/* END OF INCLUDED FILE : ETH_FT */ + + + { 0, NULL, NULL, NULL }, +}; + void -proto_reg_handoff_dcerpc_efs(void) +proto_reg_handoff_efs(void) { - /* Register protocol as dcerpc */ - dcerpc_init_uuid(proto_dcerpc_efs, ett_dcerpc_efs, - &uuid_dcerpc_efs, ver_dcerpc_efs, - dcerpc_efs_dissectors, hf_efsrpc_opnum); + +/* INCLUDED FILE : ETH_HANDOFF */ + dcerpc_init_uuid(proto_efs, ett_efs, + &uuid_dcerpc_efs, ver_efs, + function_dissectors, hf_efs_opnum); +/* END OF INCLUDED FILE : ETH_HANDOFF */ + + } + |