/*
 * Dissect an IDispatch::GetIDsOfNames response.
 *
 * Layout walked here: ORPCTHAT, an array size, that many DWORD dispatch
 * IDs, then the HRESULT of the call. Each dispatch ID and the final HRESULT
 * are also appended to the Info column when it is being filled in.
 *
 * Returns the offset following the HRESULT.
 *
 * NOTE(review): the element count comes from dissect_dcom_dcerpc_array_size
 * (presumably straight from the capture) and is not capped in this function.
 * Termination on a truncated or hostile packet relies on the helper
 * dissectors refusing to read past the end of the tvb - confirm.
 */
int
dissect_IDispatch_GetIDsOfNames_resp(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
    guint32 u32ArraySize;
    guint32 u32Remaining;
    guint32 u32DispId;
    guint32 u32HResult;

    offset = dissect_dcom_that(tvb, offset, pinfo, tree, drep);

    offset = dissect_dcom_dcerpc_array_size(tvb, offset, pinfo, tree, drep,
        &u32ArraySize);

    /* one DWORD dispatch ID per array element */
    for (u32Remaining = u32ArraySize; u32Remaining != 0; u32Remaining--) {
        offset = dissect_dcom_DWORD(tvb, offset, pinfo, tree, drep,
            hf_dispatch_id, &u32DispId);

        if (check_col(pinfo->cinfo, COL_INFO)) {
            col_append_fstr(pinfo->cinfo, COL_INFO, " ID=0x%x", u32DispId);
        }
    }

    /* HRESULT of call */
    offset = dissect_dcom_HRESULT(tvb, offset, pinfo, tree, drep, &u32HResult);

    if (check_col(pinfo->cinfo, COL_INFO)) {
        col_append_fstr(pinfo->cinfo, COL_INFO, " -> %s",
            val_to_str(u32HResult, dcom_hresult_vals, "Unknown (0x%08x)"));
    }

    return offset;
}
/*
 * Dissect an IDispatch::GetTypeInfo response.
 *
 * Layout walked here: ORPCTHAT, a pointer, an MInterfacePointer (only when
 * the pointer value is non-zero), then the HRESULT of the call, which is
 * appended to the Info column when that column is being filled in.
 *
 * Returns the offset following the HRESULT.
 */
int
dissect_IDispatch_GetTypeInfo_resp(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
    guint32 u32Pointer;
    guint32 u32HResult;

    offset = dissect_dcom_that(tvb, offset, pinfo, tree, drep);

    offset = dissect_dcom_dcerpc_pointer(tvb, offset, pinfo, tree, drep,
        &u32Pointer);

    /* the interface pointer body is only present behind a non-zero pointer */
    if (u32Pointer != 0) {
        offset = dissect_dcom_MInterfacePointer(tvb, offset, pinfo, tree, drep,
            hf_dispatch_itinfo, NULL /* XXX */);
    }

    /* HRESULT of call */
    offset = dissect_dcom_HRESULT(tvb, offset, pinfo, tree, drep, &u32HResult);

    if (check_col(pinfo->cinfo, COL_INFO)) {
        col_append_fstr(pinfo->cinfo, COL_INFO, " -> %s",
            val_to_str(u32HResult, dcom_hresult_vals, "Unknown (0x%08x)"));
    }

    return offset;
}
/*
 * Dissect a RemoteCreateInstance response: ORPCTHAT, a PMInterfacePointer
 * and the HRESULT of the call. The HRESULT value itself is not captured
 * (NULL is passed as the output pointer), so nothing is added to the Info
 * column here.
 *
 * Returns the offset following the HRESULT.
 */
static int
dissect_remsysact_remotecreateinstance_resp(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
    offset = dissect_dcom_that(tvb, offset, pinfo, tree, drep);

    offset = dissect_dcom_PMInterfacePointer(tvb, offset, pinfo, tree, drep,
        hf_sysact_unknown, NULL /* XXX */);

    return dissect_dcom_HRESULT(tvb, offset, pinfo, tree, drep,
        NULL /* pu32HResult */);
}
/*
 * Dissect an IDispatch::GetTypeInfoCount response: ORPCTHAT, one DWORD
 * (hf_dispatch_tinfo) and the HRESULT of the call, which is appended to the
 * Info column.
 *
 * Returns the offset following the HRESULT.
 */
int
dissect_IDispatch_GetTypeInfoCount_resp(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
    guint32 u32HResult;
    guint32 u32TInfo;

    offset = dissect_dcom_that(tvb, offset, pinfo, tree, drep);

    offset = dissect_dcom_DWORD(tvb, offset, pinfo, tree, drep,
        hf_dispatch_tinfo, &u32TInfo);

    /* HRESULT of call */
    offset = dissect_dcom_HRESULT(tvb, offset, pinfo, tree, drep, &u32HResult);

    col_append_fstr(pinfo->cinfo, COL_INFO, " -> %s",
        val_to_str(u32HResult, dcom_hresult_vals, "Unknown (0x%08x)"));

    return offset;
}
/*
 * Dissect a RemoteActivation response.
 *
 * Fields are walked in this order: ORPCTHAT, OXID, a pointer guarding an
 * array size plus DUALSTRINGARRAY (OXID bindings), IPID, authentication
 * hint, COM version, an HRESULT, an array of interface pointers, an array
 * of indexed HRESULTs and finally the HRESULT of the call. The indexed
 * HRESULTs and the final HRESULT are appended to the Info column.
 *
 * Returns the offset following the final HRESULT.
 *
 * NOTE(review): both array counts are taken from the packet via
 * dissect_dcom_dcerpc_array_size and are not capped here. The loops stop
 * early only if a helper dissector refuses to read beyond the tvb -
 * confirm that this holds for every helper called below.
 */
static int
dissect_remact_remote_activation_resp(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
    guint32  u32Pointer;
    guint32  u32ArraySize;
    guint32  u32VariableOffset;
    guint32  u32Idx;
    guint32  u32HResult;
    guint32  u32AuthnHint;
    guint16  u16VersionMajor;
    guint16  u16VersionMinor;
    e_guid_t ipid;

    offset = dissect_dcom_that(tvb, offset, pinfo, tree, di, drep);

    offset = dissect_dcom_ID(tvb, offset, pinfo, tree, di, drep,
        hf_dcom_oxid, NULL);

    /* OXID bindings are only present behind a non-zero pointer */
    offset = dissect_dcom_dcerpc_pointer(tvb, offset, pinfo, tree, di, drep,
        &u32Pointer);
    if (u32Pointer != 0) {
        offset = dissect_dcom_dcerpc_array_size(tvb, offset, pinfo, tree, di,
            drep, &u32ArraySize);
        offset = dissect_dcom_DUALSTRINGARRAY(tvb, offset, pinfo, tree, di,
            drep, hf_remact_oxid_bindings, NULL);
    }

    offset = dissect_dcom_UUID(tvb, offset, pinfo, tree, di, drep,
        hf_dcom_ipid, &ipid);
    offset = dissect_dcom_DWORD(tvb, offset, pinfo, tree, di, drep,
        hf_remact_authn_hint, &u32AuthnHint);
    offset = dissect_dcom_COMVERSION(tvb, offset, pinfo, tree, di, drep,
        &u16VersionMajor, &u16VersionMinor);

    offset = dissect_dcom_HRESULT(tvb, offset, pinfo, tree, di, drep,
        &u32HResult);

    /*
     * Interface pointer array: the pointer slots come first (4 bytes each),
     * the referenced MInterfacePointer bodies follow after the last slot.
     *
     * NOTE(review): "u32ArraySize * 4" is evaluated in guint32 arithmetic
     * and the count is packet-supplied, so a large count can wrap and leave
     * u32VariableOffset below the slot area. Confirm that
     * dissect_dcom_MInterfacePointer rejects an out-of-range start offset.
     */
    offset = dissect_dcom_dcerpc_array_size(tvb, offset, pinfo, tree, di, drep,
        &u32ArraySize);
    u32VariableOffset = offset + u32ArraySize * 4;

    while (u32ArraySize-- != 0) {
        offset = dissect_dcom_dcerpc_pointer(tvb, offset, pinfo, tree, di,
            drep, &u32Pointer);
        if (u32Pointer != 0) {
            u32VariableOffset = dissect_dcom_MInterfacePointer(tvb,
                u32VariableOffset, pinfo, tree, di, drep,
                hf_remact_interface_data, NULL /* XXX */);
        }
    }
    /* continue after the last interface pointer body */
    offset = u32VariableOffset;

    /* per-interface HRESULTs, numbered from 1 */
    offset = dissect_dcom_dcerpc_array_size(tvb, offset, pinfo, tree, di, drep,
        &u32ArraySize);

    u32Idx = 1;
    while (u32ArraySize-- != 0) {
        offset = dissect_dcom_indexed_HRESULT(tvb, offset, pinfo, tree, di,
            drep, &u32HResult, u32Idx);

        /* update column info now */
        col_append_fstr(pinfo->cinfo, COL_INFO, " %s[%u]",
            val_to_str(u32HResult, dcom_hresult_vals, "Unknown (0x%08x)"),
            u32Idx);
        u32Idx++;
    }

    /* HRESULT of call */
    offset = dissect_dcom_HRESULT(tvb, offset, pinfo, tree, di, drep,
        &u32HResult);

    /* update column info now */
    col_append_fstr(pinfo->cinfo, COL_INFO, " -> %s",
        val_to_str(u32HResult, dcom_hresult_vals, "Unknown (0x%08x)"));

    return offset;
}
/*
 * Dissect an IDispatch::Invoke response.
 *
 * Fields are walked in this order: ORPCTHAT, an optional VARIANT result,
 * the ExcepInfo structure (shown as its own subtree), the argument error
 * index, the rgVarRef VARIANT array and the HRESULT of the call. The SCode,
 * the number of VarRef entries and the HRESULT are appended to the Info
 * column when that column is being filled in.
 *
 * Returns the offset following the HRESULT.
 */
int
dissect_IDispatch_Invoke_resp(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
    guint32     u32Pointer;
    guint32     u32SourcePtr;
    guint32     u32DescriptionPtr;
    guint32     u32HelpFilePtr;
    guint32     u32VariableOffset;
    guint32     u32ArraySize;
    guint32     u32VarRef;
    guint32     u32SubStart;
    guint16     u16Code;
    guint16     u16Reserved;
    guint32     u32HelpContext;
    guint32     u32Reserved;
    guint32     u32DeferredFillIn;
    guint32     u32SCode;
    guint32     u32ArgErr;
    guint32     u32HResult;
    /* scratch buffer shared by the three BSTR fields; its size is passed on */
    gchar       szName[1000] = { 0 };
    proto_item *excepinfo_item;
    proto_tree *excepinfo_tree;

    offset = dissect_dcom_that(tvb, offset, pinfo, tree, drep);

    /* result VARIANT, only present behind a non-zero pointer */
    offset = dissect_dcom_dcerpc_pointer(tvb, offset, pinfo, tree, drep,
        &u32Pointer);
    if (u32Pointer != 0) {
        offset = dissect_dcom_VARIANT(tvb, offset, pinfo, tree, drep,
            hf_dispatch_varresult);
    }

    /* ExcepInfo: added with length 0 first, the real length is set below */
    excepinfo_item = proto_tree_add_item(tree, hf_dispatch_excepinfo, tvb,
        offset, 0, FALSE);
    excepinfo_tree = proto_item_add_subtree(excepinfo_item,
        ett_dispatch_excepinfo);
    u32SubStart = offset;

    offset = dissect_dcom_WORD(tvb, offset, pinfo, excepinfo_tree, drep,
        hf_dispatch_code, &u16Code);
    offset = dissect_dcom_WORD(tvb, offset, pinfo, excepinfo_tree, drep,
        hf_dispatch_reserved16, &u16Reserved);

    /* three pointers guarding the source, description and help file BSTRs */
    offset = dissect_dcom_dcerpc_pointer(tvb, offset, pinfo, excepinfo_tree,
        drep, &u32SourcePtr);
    offset = dissect_dcom_dcerpc_pointer(tvb, offset, pinfo, excepinfo_tree,
        drep, &u32DescriptionPtr);
    offset = dissect_dcom_dcerpc_pointer(tvb, offset, pinfo, excepinfo_tree,
        drep, &u32HelpFilePtr);

    offset = dissect_dcom_DWORD(tvb, offset, pinfo, excepinfo_tree, drep,
        hf_dispatch_help_context, &u32HelpContext);
    offset = dissect_dcom_DWORD(tvb, offset, pinfo, excepinfo_tree, drep,
        hf_dispatch_reserved32, &u32Reserved);
    offset = dissect_dcom_DWORD(tvb, offset, pinfo, excepinfo_tree, drep,
        hf_dispatch_deferred_fill_in, &u32DeferredFillIn);
    offset = dissect_dcom_DWORD(tvb, offset, pinfo, excepinfo_tree, drep,
        hf_dispatch_scode, &u32SCode);

    /* the strings follow the fixed part, each only if its pointer is set */
    if (u32SourcePtr != 0) {
        offset = dissect_dcom_BSTR(tvb, offset, pinfo, excepinfo_tree, drep,
            hf_dispatch_source, szName, sizeof(szName));
    }
    if (u32DescriptionPtr != 0) {
        offset = dissect_dcom_BSTR(tvb, offset, pinfo, excepinfo_tree, drep,
            hf_dispatch_description, szName, sizeof(szName));
    }
    if (u32HelpFilePtr != 0) {
        offset = dissect_dcom_BSTR(tvb, offset, pinfo, excepinfo_tree, drep,
            hf_dispatch_help_file, szName, sizeof(szName));
    }

    proto_item_append_text(excepinfo_item, ", SCode: %s",
        val_to_str(u32SCode, dcom_hresult_vals, "Unknown (0x%08x)"));
    proto_item_set_len(excepinfo_item, offset - u32SubStart);
    /* end of ExcepInfo */

    offset = dissect_dcom_DWORD(tvb, offset, pinfo, tree, drep,
        hf_dispatch_arg_err, &u32ArgErr);

    /*
     * rgVarRef: VARIANT[u32VarRef]. The pointer slots come first (4 bytes
     * each), the referenced VARIANT bodies follow after the last slot.
     *
     * NOTE(review): the count is packet-supplied and "u32ArraySize * 4" is
     * evaluated in guint32 arithmetic, so a large count can wrap and leave
     * u32VariableOffset below the slot area. Nothing here caps the count;
     * confirm that dissect_dcom_VARIANT and dissect_dcom_dcerpc_pointer
     * reject offsets outside the tvb.
     */
    offset = dissect_dcom_dcerpc_array_size(tvb, offset, pinfo, tree, drep,
        &u32ArraySize);
    u32VarRef = u32ArraySize;
    u32VariableOffset = offset + u32ArraySize * 4;

    for (; u32ArraySize != 0; u32ArraySize--) {
        offset = dissect_dcom_dcerpc_pointer(tvb, offset, pinfo, tree, drep,
            &u32Pointer);
        if (u32Pointer != 0) {
            u32VariableOffset = dissect_dcom_VARIANT(tvb, u32VariableOffset,
                pinfo, tree, drep, hf_dispatch_varrefarg);
        }
    }
    /* continue after the last VARIANT body */
    offset = u32VariableOffset;

    /* HRESULT of call */
    offset = dissect_dcom_HRESULT(tvb, offset, pinfo, tree, drep, &u32HResult);

    if (check_col(pinfo->cinfo, COL_INFO)) {
        col_append_fstr(pinfo->cinfo, COL_INFO, " SCode=%s VarRef=%u -> %s",
            val_to_str(u32SCode, dcom_hresult_vals, "Unknown (0x%08x)"),
            u32VarRef,
            val_to_str(u32HResult, dcom_hresult_vals, "Unknown (0x%08x)"));
    }

    return offset;
}
/*
 * Dissect an IRemUnknown::RemQueryInterface response.
 *
 * After ORPCTHAT, a pointer and an array size, each array element
 * (REMQIRESULT) gets its own subtree holding an HRESULT, a pointer and a
 * STDOBJREF. The IID for each element is taken from the matching request
 * (call->iids) when available, otherwise the null UUID is used. For IPv4
 * sources the interface is recorded through dcom_interface_new(). Every
 * per-element HRESULT and the final HRESULT of the call are appended to the
 * Info column.
 *
 * Returns the offset following the final HRESULT.
 *
 * NOTE(review): pinfo->private_data and info->call_data are dereferenced in
 * the initialisers without a NULL check; only the resulting `call` pointer
 * is tested later. Confirm that the DCE/RPC caller always sets both.
 *
 * NOTE(review): the element count is packet-supplied and not capped here;
 * the loop ends early only if a helper dissector refuses to read beyond the
 * tvb - confirm.
 */
static int
dissect_remunk_remqueryinterface_resp(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
    guint32     u32Pointer;
    guint32     u32ArraySize;
    guint32     u32ItemIdx;
    guint32     u32SubStart;
    guint32     u32HResult;
    proto_item *sub_item;
    proto_tree *sub_tree;
    e_uuid_t    iid;
    e_uuid_t    iid_null = DCERPC_UUID_NULL;
    e_uuid_t    ipid;
    guint64     oxid;
    guint64     oid;
    dcerpc_info *info = (dcerpc_info *) pinfo->private_data;
    remunk_remqueryinterface_call_t *call =
        (remunk_remqueryinterface_call_t *)info->call_data->private_data;

    offset = dissect_dcom_that(tvb, offset, pinfo, tree, drep);

    offset = dissect_dcom_dcerpc_pointer(tvb, offset, pinfo, tree, drep,
        &u32Pointer);
    offset = dissect_dcom_dcerpc_array_size(tvb, offset, pinfo, tree, drep,
        &u32ArraySize);

    /* elements are numbered from 1 in the tree and the Info column */
    u32ItemIdx = 1;
    while (u32ArraySize-- != 0) {
        /* add subtree; its length is fixed up once the element is dissected */
        sub_item = proto_tree_add_item(tree, hf_remunk_qiresult, tvb, offset,
            0, ENC_NA);
        sub_tree = proto_item_add_subtree(sub_item, ett_remunk_rqi_result);

        /* REMQIRESULT */
        offset = dissect_dcom_HRESULT(tvb, offset, pinfo, sub_tree, drep,
            &u32HResult);
        /* element start; assumes the HRESULT just read occupied 4 bytes */
        u32SubStart = offset - 4;
        offset = dissect_dcom_dcerpc_pointer(tvb, offset, pinfo, sub_tree,
            drep, &u32Pointer);

        /* try to read the iid from the request; the index is bounds-checked
         * against iid_count before call->iids is touched */
        if (call == NULL || u32ItemIdx > call->iid_count) {
            iid = iid_null;
        } else {
            iid = call->iids[u32ItemIdx - 1];
        }

        /* XXX - the STDOBJREF doesn't seem to be dependent on the pointer
         * above, so it is dissected unconditionally (a check on u32Pointer
         * was disabled here) */
        offset = dissect_dcom_STDOBJREF(tvb, offset, pinfo, sub_tree, drep,
            0 /* hfindex */, &oxid, &oid, &ipid);

        /* add interface instance to database (we currently only handle IPv4).
         * NOTE(review): oxid/oid/ipid are whatever dissect_dcom_STDOBJREF
         * produced from the captured packet, so the database reflects
         * sender-controlled values - treat lookups accordingly. */
        if (pinfo->net_src.type == AT_IPv4) {
            dcom_interface_new(pinfo, (guint8 *)pinfo->net_src.data, &iid,
                oxid, oid, &ipid);
        }

        /* update subtree */
        proto_item_append_text(sub_item, "[%u]: %s", u32ItemIdx,
            val_to_str(u32HResult, dcom_hresult_vals, "Unknown (0x%08x)"));
        proto_item_set_len(sub_item, offset - u32SubStart);

        /* update column info now */
        col_append_fstr(pinfo->cinfo, COL_INFO, " %s[%u]",
            val_to_str(u32HResult, dcom_hresult_vals, "Unknown (0x%08x)"),
            u32ItemIdx);
        u32ItemIdx++;
    }

    /* HRESULT of call */
    offset = dissect_dcom_HRESULT(tvb, offset, pinfo, tree, drep, &u32HResult);

    /* update column info now */
    col_append_fstr(pinfo->cinfo, COL_INFO, " -> %s",
        val_to_str(u32HResult, dcom_hresult_vals, "Unknown (0x%08x)"));

    return offset;
}